Hi,
This patch series fixes commit:
73ad642ba462d0992e1903012eee4ebfec89ed69
f5e51ad64d9e5597e8880b652abe261585c2563d
The conditions in getobjopt_is_snat() / getobjopt_is_dnat() have
been changed in the commit above and are fixed by this, but I do
not understand the proper way to check an nfct
From 9e8aa4ed079b526faf190b69a2c1032f22776602 Mon Sep 17 00:00:00 2001
From: Ken-ichirou MATSUZAWA
Date: Tue, 28 Feb 2017 11:34:29 +0900
Subject: [PATCH 2/2] conntrack: revert getobjopt_is_nat condition
Signed-off-by: Ken-ichirou MATSUZAWA
---
Signed-off-by: Ken-ichirou MATSUZAWA
---
src/conntrack/objopt.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/conntrack/objopt.c b/src/conntrack/objopt.c
index 119a83a..fb43d6c 100644
--- a/src/conntrack/objopt.c
+++ b/src/conntrack/objopt.c
@@ -81,6 +81,7 @@
From: Florian Westphal
nft automatically understands 'ct zone set 1' but when a direction is
specified too we get a parser error since they are currently only
allowed for plain ct expressions.
This permits the existing syntax ('ct original zone') for all tokens with
an optional
From: Florian Westphal
Once directional zone support is added we also need to print the
direction of the statement, so factor the common code to re-use
this helper from the statement print function.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira
From: Florian Westphal
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
Just a rebase on top of series to store byteorder for set data in
NFTA_SET_USERDATA.
tests/py/any/ct.t | 13 +
From: Florian Westphal
This enables zone get/set support.
As the zone can be optionally tied to a direction as well we need a new
token for this (unless we turn reply/original into tokens in which case
we could handle zone via STRING).
There was some discussion on how zone set
Hi,
2017-02-28 4:33 GMT+08:00 Subash Abhinov Kasiviswanathan:
> Minor change to remove the unused macro added as part of commit
> e8f857a5a1514c3e7d0d8ea0f7d2d571f0e37bd1 ("xtables: Add an interval
> option for xtables lock wait")
[...]
> -#define BASE_MICROSECONDS
stmt_evaluate_arg() needs to take the lhs map expression byteorder in
order to evaluate the lhs of mappings accordingly.
Signed-off-by: Pablo Neira Ayuso
---
src/evaluate.c | 24 +++-
1 file changed, 15 insertions(+), 9 deletions(-)
diff --git
Add new UDATA_SET_DATABYTEORDER attribute for NFTA_SET_UDATA to store
the datatype byteorder. This is required if integer_type is used on the
rhs of the mapping given that this datatype comes with no specific
byteorder.
Signed-off-by: Pablo Neira Ayuso
---
include/rule.h |
This function can be used either side of the map, so rename it to
something generic.
Signed-off-by: Pablo Neira Ayuso
---
include/datatype.h | 4 ++--
src/datatype.c | 6 +++---
src/evaluate.c | 2 +-
src/netlink.c | 2 +-
src/rule.c | 2 +-
5 files
Rework the NFTNL_SET_USERDATA in netlink_delinearize_set() to accommodate
rhs datatype byteorder in mappings.
Signed-off-by: Pablo Neira Ayuso
---
src/netlink.c | 50 ++
1 file changed, 18 insertions(+), 32 deletions(-)
diff
On 02/27/2017 05:12 PM, Florian Westphal wrote:
Tarun Khanna wrote:
Is it possible to register for callbacks so that a user application is
updated on a regular basis when the packet or bytes counts change for flows?
No, an update to the packet/byte count doesn't trigger an event
Is it possible to register for callbacks so that a user application is
updated on a regular basis when the packet or bytes counts change for
flows? I can poll the stats using something similar to "conntrack -L".
However, I was wondering if it's possible to be notified regularly on
updates.
--
Minor change to remove the unused macro added as part of commit
e8f857a5a1514c3e7d0d8ea0f7d2d571f0e37bd1 ("xtables: Add an interval
option for xtables lock wait")
Signed-off-by: Subash Abhinov Kasiviswanathan
---
iptables/xshared.c | 1 -
1 file changed, 1 deletion(-)
Hashlimit has similar functionality to flow tables in nftables. Some
usage examples are:
$ iptables-translate -A OUTPUT -m tcp -p tcp --dport 443 -m hashlimit \
--hashlimit-above 20kb/s --hashlimit-burst 1mb --hashlimit-mode dstip \
--hashlimit-name https --hashlimit-dstmask 24 -m state --state
this implements
nft list ct helpers table filter
table ip filter {
ct helper ftp-standard {
..
Signed-off-by: Florian Westphal
---
include/rule.h | 1 +
src/evaluate.c | 1 +
src/parser_bison.y | 19 +++
src/rule.c | 2 ++
4 files changed,
This will only trigger during development when adding new object types to
the parser.
The BUG() gives a clear hint where the serialization code needs to go.
Signed-off-by: Florian Westphal
---
src/netlink.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/netlink.c
On Mon, Feb 27, 2017 at 03:56:09PM +0100, Florian Westphal wrote:
> If nft sets an invalid type, nftnl_obj_ops_lookup will return NULL.
> In this case we must not set NFTNL_OBJ_TYPE flag, else we later get
> crash in nftnl_obj_nlmsg_build_payload as it dereferences obj->ops.
>
> Signed-off-by:
If nft sets an invalid type, nftnl_obj_ops_lookup will return NULL.
In this case we must not set the NFTNL_OBJ_TYPE flag, else we later get a
crash in nftnl_obj_nlmsg_build_payload as it dereferences obj->ops.
Signed-off-by: Florian Westphal
---
src/object.c | 5 -
1 file changed,
This adds initial support for defining conntrack helper objects
which can then be assigned to connections using the objref infrastructure:
table ip filter {
ct helper ftp-standard {
type "ftp"
protocol tcp
}
chain y {
tcp dport 21 ct helper set "ftp-standard"
}
}
On Mon, Feb 27, 2017 at 03:56:10PM +0100, Florian Westphal wrote:
> when debugging nft with invalid object type (during development),
> this will crash here with null deref. Print (unknown) instead
> if obj->ops is null.
>
> Signed-off-by: Florian Westphal
Acked-by: Pablo Neira
... to make adding CMD_OBJ_CT_HELPER support easier.
Signed-off-by: Florian Westphal
---
src/evaluate.c | 32
1 file changed, 20 insertions(+), 12 deletions(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index 87da2fd83597..4ac55e177d54 100644
While working on ct helper object support I encountered crashes in libnftnl.
This occurs when nft sets unknown object types not supported by libnftnl.
The two patches avoid segfaults in case unsupported types are requested.
Signed-off-by: Florian Westphal
---
include/rule.h | 4
src/evaluate.c | 4
src/parser_bison.y | 63 --
src/rule.c | 22 +++
4 files changed, 91 insertions(+), 2 deletions(-)
diff
When debugging nft with an invalid object type (during development),
this will crash here with a null deref. Print (unknown) instead
if obj->ops is null.
Signed-off-by: Florian Westphal
---
src/object.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git
Add support for ct helper objects. These are used to assign helpers to
connections, similar to the iptables -j CT --set-helper target.
Signed-off-by: Florian Westphal
---
include/libnftnl/object.h | 6 ++
include/linux/netfilter/nf_tables.h | 12 ++-
include/obj.h
Signed-off-by: Florian Westphal
---
include/libnftnl/object.h | 4
src/libnftnl.map | 8
src/object.c | 26 ++
3 files changed, 38 insertions(+)
diff --git a/include/libnftnl/object.h b/include/libnftnl/object.h
index
On 17 February 2017 at 15:39, Florian Westphal wrote:
> Daniel J Blueman wrote:
>
> [ CC nf-devel, pablo ]
>
>> When booting a VM in libvirt/KVM attached to a local bridge and KASAN
>> enabled on 4.9.10, we see a stream of KASAN warnings about off-slab
>> access
From: Pablo Neira Ayuso
Date: Mon, 27 Feb 2017 12:35:36 +0100
> The following patchset contains netfilter fixes for you net tree,
> they are:
>
> 1) Missing ct zone size in the nft_ct initialization path, patch
> from Florian Westphal.
>
> 2) Two patches for netfilter
A few announcements:
1) The CFP is now officially closed. Thanks to everyone who submitted.
2) We are extending the early registration to March 5.
Register early so we can plan better (and so you can save some $$).
https://onlineregistrations.ca/netdev21/
- hotel (If you can get the hotel
From: Jarno Rajahalme
Commit 4dee62b1b9b4 ("netfilter: nf_ct_expect: nf_ct_expect_insert()
returns void") inadvertently changed the successful return value of
nf_ct_expect_related_report() from 0 to 1 due to
__nf_ct_expect_check() returning 1 on success. Prevent this
regression
From: "Dmitry V. Levin"
linux/netfilter.h is the last uapi header file that includes
linux/sysctl.h but it does not depend on definitions provided
by this essentially dead header file.
Suggested-by: Eric W. Biederman
Signed-off-by: Dmitry V. Levin
From: Jarno Rajahalme
Commit 4dee62b1b9b4 ("netfilter: nf_ct_expect: nf_ct_expect_insert()
returns void") inadvertently changed the successful return value of
nf_ct_expect_related_report() from 0 to 1, which caused openvswitch
conntrack integration fail in FTP test cases.
Fix
Hi David,
The following patchset contains netfilter fixes for you net tree,
they are:
1) Missing ct zone size in the nft_ct initialization path, patch
from Florian Westphal.
2) Two patches for netfilter uapi headers, one to remove unnecessary
sysctl.h inclusion and another to fix
priv->bitmap_size stores the real bitmap size, instead of the full
struct nft_bitmap object.
Fixes: 665153ff5752 ("netfilter: nf_tables: add bitmap set type")
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nft_set_bitmap.c | 2 +-
1 file changed, 1 insertion(+), 1
From: Florian Westphal
Dan reports:
net/netfilter/nft_ct.c:549 nft_ct_set_init()
error: uninitialized symbol 'len'.
Reported-by: Dan Carpenter
Fixes: edee4f1e924582 ("netfilter: nft_ct: add zone id set support")
Signed-off-by: Florian Westphal
From: "Dmitry V. Levin"
Include like some of uapi/linux/netfilter/xt_*.h
headers do to fix the following linux/netfilter/xt_hashlimit.h
userspace compilation error:
/usr/include/linux/netfilter/xt_hashlimit.h:90:12: error: 'NAME_MAX' undeclared
here (not in a function)