[PATCH lnfct 0/2] fix - src: add support for IPv6 NAT

2017-02-27 Thread Ken-ichirou MATSUZAWA
Hi, This patch series fixes commit: 73ad642ba462d0992e1903012eee4ebfec89ed69 f5e51ad64d9e5597e8880b652abe261585c2563d Conditions in getobjopt_is_snat() / getobjopt_is_dnat() have been changed in the commit above and fixed by this, but I do not understand proper way to check a nfct

[PATCH lnfct 2/2] conntrack: revert getobjopt_is_nat condition

2017-02-27 Thread Ken-ichirou MATSUZAWA
From 9e8aa4ed079b526faf190b69a2c1032f22776602 Mon Sep 17 00:00:00 2001 From: Ken-ichirou MATSUZAWA Date: Tue, 28 Feb 2017 11:34:29 +0900 Subject: [PATCH 2/2] conntrack: revert getobjopt_is_nat condition Signed-off-by: Ken-ichirou MATSUZAWA ---

[PATCH lnfct 1/2] conntrack: fix missing break

2017-02-27 Thread Ken-ichirou MATSUZAWA
Signed-off-by: Ken-ichirou MATSUZAWA --- src/conntrack/objopt.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/conntrack/objopt.c b/src/conntrack/objopt.c index 119a83a..fb43d6c 100644 --- a/src/conntrack/objopt.c +++ b/src/conntrack/objopt.c @@ -81,6 +81,7 @@

[PATCH nft 3/4] src: support zone set statement with optional direction

2017-02-27 Thread Pablo Neira Ayuso
From: Florian Westphal nft automatically understands 'ct zone set 1' but when a direction is specified too we get a parser error since they are currently only allowed for plain ct expressions. This permits the existing syntax ('ct original zone') for all tokens with an optional

[PATCH nft 2/4] ct: refactor print function so it can be re-used for ct statement

2017-02-27 Thread Pablo Neira Ayuso
From: Florian Westphal Once directional zone support is added we also need to print the direction of the statement, so factor the common code to re-use this helper from the statement print function. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira

[PATCH nft 4/4] tests: add test entries for conntrack zones

2017-02-27 Thread Pablo Neira Ayuso
From: Florian Westphal Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- Just a rebase on top of series to store byteorder for set data in NFTA_SET_USERDATA. tests/py/any/ct.t | 13 +

[PATCH nft 1/4] src: add conntrack zone support

2017-02-27 Thread Pablo Neira Ayuso
From: Florian Westphal This enables zone get/set support. As the zone can be optionally tied to a direction as well we need a new token for this (unless we turn reply/original into tokens in which case we could handle zone via STRING). There was some discussion on how zone set

Re: [PATCH iptables] xtables: Remove unused macro

2017-02-27 Thread Liping Zhang
Hi, 2017-02-28 4:33 GMT+08:00 Subash Abhinov Kasiviswanathan : > Minor change to remove the unused macro added as part of commit > e8f857a5a1514c3e7d0d8ea0f7d2d571f0e37bd1 ("xtables: Add an interval > option for xtables lock wait") [...] > -#define BASE_MICROSECONDS

[PATCH nft 1/4] evaluate: set byteorder as lhs expression context in stmt_evaluate_arg()

2017-02-27 Thread Pablo Neira Ayuso
stmt_evaluate_arg() needs to take the lhs map expression byteorder in order to evaluate the lhs of mappings accordingly. Signed-off-by: Pablo Neira Ayuso --- src/evaluate.c | 24 +++- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git

[PATCH nft 4/4] src: store byteorder for set data

2017-02-27 Thread Pablo Neira Ayuso
Add new UDATA_SET_DATABYTEORDER attribute for NFTA_SET_UDATA to store the datatype byteorder. This is required if integer_type is used on the rhs of the mapping given that this datatype comes with no specific byteorder. Signed-off-by: Pablo Neira Ayuso --- include/rule.h |

[PATCH nft 2/4] src: rename set_keytype_alloc() to set_datatype_alloc()

2017-02-27 Thread Pablo Neira Ayuso
This function can be used either side of the map, so rename it to something generic. Signed-off-by: Pablo Neira Ayuso --- include/datatype.h | 4 ++-- src/datatype.c | 6 +++--- src/evaluate.c | 2 +- src/netlink.c | 2 +- src/rule.c | 2 +- 5 files

[PATCH nft 3/4] netlink: rework NFTNL_SET_USERDATA to accommodate new attributes

2017-02-27 Thread Pablo Neira Ayuso
Rework the NFTNL_SET_USERDATA in netlink_delinearize_set() to accommodate rhs datatype byteorder in mappings. Signed-off-by: Pablo Neira Ayuso --- src/netlink.c | 50 ++ 1 file changed, 18 insertions(+), 32 deletions(-) diff

Re: per flow stats collection using libnetfilter_conntrack

2017-02-27 Thread Tarun Khanna
On 02/27/2017 05:12 PM, Florian Westphal wrote: Tarun Khanna wrote: Is it possible to register for callbacks so that a user application is updated on a regular basis when the packet or bytes counts change for flows? No, update to packet/byte count doesn't trigger an event

per flow stats collection using libnetfilter_conntrack

2017-02-27 Thread Tarun Khanna
Is it possible to register for callbacks so that a user application is updated on a regular basis when the packet or bytes counts change for flows? I can poll the stats using something similar to "conntrack -L". However, I was wondering if it's possible to be notified regularly on updates. --

[PATCH iptables] xtables: Remove unused macro

2017-02-27 Thread Subash Abhinov Kasiviswanathan
Minor change to remove the unused macro added as part of commit e8f857a5a1514c3e7d0d8ea0f7d2d571f0e37bd1 ("xtables: Add an interval option for xtables lock wait") Signed-off-by: Subash Abhinov Kasiviswanathan --- iptables/xshared.c | 1 - 1 file changed, 1 deletion(-)

[PATCH iptables] extensions: libxt_hashlimit: Add translation to nft

2017-02-27 Thread Elise Lennion
Hashlimit has similar functionality to flow tables in nftables. Some usage examples are: $ iptables-translate -A OUTPUT -m tcp -p tcp --dport 443 -m hashlimit \ --hashlimit-above 20kb/s --hashlimit-burst 1mb --hashlimit-mode dstip \ --hashlimit-name https --hashlimit-dstmask 24 -m state --state

[PATCH nft 6/7] src: allow listing all ct helpers

2017-02-27 Thread Florian Westphal
this implements nft list ct helpers table filter table ip filter { ct helper ftp-standard { .. Signed-off-by: Florian Westphal --- include/rule.h | 1 + src/evaluate.c | 1 + src/parser_bison.y | 19 +++ src/rule.c | 2 ++ 4 files changed,

[PATCH nft 3/7] netlink: BUG when object type is unknown

2017-02-27 Thread Florian Westphal
This will only trigger during development when adding new object types to the parser. The BUG() gives a clear hint where the serialization code needs to go. Signed-off-by: Florian Westphal --- src/netlink.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/netlink.c

Re: [PATCH libnftnl 1/2] object: don't set NFTNL_OBJ_TYPE unless obj->ops is non-null

2017-02-27 Thread Pablo Neira Ayuso
On Mon, Feb 27, 2017 at 03:56:09PM +0100, Florian Westphal wrote: > If nft sets an invalid type, nftnl_obj_ops_lookup will return NULL. > In this case we must not set NFTNL_OBJ_TYPE flag, else we later get > crash in nftnl_obj_nlmsg_build_payload as it dereferences obj->ops. > > Signed-off-by:

[PATCH libnftnl 1/2] object: don't set NFTNL_OBJ_TYPE unless obj->ops is non-null

2017-02-27 Thread Florian Westphal
If nft sets an invalid type, nftnl_obj_ops_lookup will return NULL. In this case we must not set NFTNL_OBJ_TYPE flag, else we later get crash in nftnl_obj_nlmsg_build_payload as it dereferences obj->ops. Signed-off-by: Florian Westphal --- src/object.c | 5 - 1 file changed,

[PATCH nft 4/7] src: add initial ct helper support

2017-02-27 Thread Florian Westphal
This adds initial support for defining conntrack helper objects which can then be assigned to connections using the objref infrastructure: table ip filter { ct helper ftp-standard { type "ftp" protocol tcp } chain y { tcp dport 21 ct helper set "ftp-standard" } }

Re: [PATCH libnftnl 2/2] object: fix crash when object ops is null

2017-02-27 Thread Pablo Neira Ayuso
On Mon, Feb 27, 2017 at 03:56:10PM +0100, Florian Westphal wrote: > when debugging nft with invalid object type (during development), > this will crash here with null deref. Print (unknown) instead > if obj->ops is null. > > Signed-off-by: Florian Westphal Acked-by: Pablo Neira

[PATCH nft 5/7] evaluate: refactor CMD_OBJ_QUOTA/COUNTER handling

2017-02-27 Thread Florian Westphal
... to make adding CMD_OBJ_CT_HELPER support easier. Signed-off-by: Florian Westphal --- src/evaluate.c | 32 1 file changed, 20 insertions(+), 12 deletions(-) diff --git a/src/evaluate.c b/src/evaluate.c index 87da2fd83597..4ac55e177d54 100644

[PATCH libnftnl 0/2] object: fix crashes with out-of-tree nft

2017-02-27 Thread Florian Westphal
While working on ct helper object support I encountered crashes in libnftnl. This occurs when nft sets unknown object types not supported by libnftnl. The two patches avoid segfaults in case unsupported types are requested.

[PATCH nft 7/7] src: implement add/create/delete for ct helper objects

2017-02-27 Thread Florian Westphal
Signed-off-by: Florian Westphal --- include/rule.h | 4 src/evaluate.c | 4 src/parser_bison.y | 63 -- src/rule.c | 22 +++ 4 files changed, 91 insertions(+), 2 deletions(-) diff

[PATCH libnftnl 2/2] object: fix crash when object ops is null

2017-02-27 Thread Florian Westphal
when debugging nft with invalid object type (during development), this will crash here with null deref. Print (unknown) instead if obj->ops is null. Signed-off-by: Florian Westphal --- src/object.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git

[PATCH libnftnl 2/7] src: ct helper support

2017-02-27 Thread Florian Westphal
add support for ct helper objects, these are used to assign helpers to connections, similar to iptables -j CT --set-helper target. Signed-off-by: Florian Westphal --- include/libnftnl/object.h | 6 ++ include/linux/netfilter/nf_tables.h | 12 ++- include/obj.h

[PATCH libnftnl 1/7] object: extend set/get api for u8/u16 types

2017-02-27 Thread Florian Westphal
Signed-off-by: Florian Westphal --- include/libnftnl/object.h | 4 src/libnftnl.map | 8 src/object.c | 26 ++ 3 files changed, 38 insertions(+) diff --git a/include/libnftnl/object.h b/include/libnftnl/object.h index

Re: [4.9.10] ip_route_me_harder() reading off-slab

2017-02-27 Thread Daniel J Blueman
On 17 February 2017 at 15:39, Florian Westphal wrote: > Daniel J Blueman wrote: > > [ CC nf-devel, pablo ] > >> When booting a VM in libvirt/KVM attached to a local bridge and KASAN >> enabled on 4.9.10, we see a stream of KASAN warnings about off-slab >> access

Re: [PATCH 0/6] Netfilter fixes for net

2017-02-27 Thread David Miller
From: Pablo Neira Ayuso Date: Mon, 27 Feb 2017 12:35:36 +0100 > The following patchset contains netfilter fixes for your net tree, > they are: > > 1) Missing ct zone size in the nft_ct initialization path, patch > from Florian Westphal. > > 2) Two patches for netfilter

ANNOUNCE: Netdev 2.1 update Feb 27

2017-02-27 Thread Jamal Hadi Salim
A few announcements: 1) The CFP is now officially closed. Thanks to everyone who submitted. 2) We are extending the early registration to March 5. Register early so we can plan better (and so you can save some $$). https://onlineregistrations.ca/netdev21/ - hotel (If you can get the hotel

[PATCH 5/6] netfilter: nf_ct_expect: Change __nf_ct_expect_check() return value.

2017-02-27 Thread Pablo Neira Ayuso
From: Jarno Rajahalme Commit 4dee62b1b9b4 ("netfilter: nf_ct_expect: nf_ct_expect_insert() returns void") inadvertently changed the successful return value of nf_ct_expect_related_report() from 0 to 1 due to __nf_ct_expect_check() returning 1 on success. Prevent this regression

[PATCH 2/6] uapi: stop including linux/sysctl.h in uapi/linux/netfilter.h

2017-02-27 Thread Pablo Neira Ayuso
From: "Dmitry V. Levin" linux/netfilter.h is the last uapi header file that includes linux/sysctl.h but it does not depend on definitions provided by this essentially dead header file. Suggested-by: Eric W. Biederman Signed-off-by: Dmitry V. Levin

[PATCH 4/6] netfilter: nf_ct_expect: nf_ct_expect_related_report(): Return zero on success.

2017-02-27 Thread Pablo Neira Ayuso
From: Jarno Rajahalme Commit 4dee62b1b9b4 ("netfilter: nf_ct_expect: nf_ct_expect_insert() returns void") inadvertently changed the successful return value of nf_ct_expect_related_report() from 0 to 1, which caused openvswitch conntrack integration fail in FTP test cases. Fix

[PATCH 0/6] Netfilter fixes for net

2017-02-27 Thread Pablo Neira Ayuso
Hi David, The following patchset contains netfilter fixes for your net tree, they are: 1) Missing ct zone size in the nft_ct initialization path, patch from Florian Westphal. 2) Two patches for netfilter uapi headers, one to remove unnecessary sysctl.h inclusion and another to fix

[PATCH 6/6] netfilter: nft_set_bitmap: incorrect bitmap size

2017-02-27 Thread Pablo Neira Ayuso
priv->bitmap_size stores the real bitmap size, instead of the full struct nft_bitmap object. Fixes: 665153ff5752 ("netfilter: nf_tables: add bitmap set type") Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nft_set_bitmap.c | 2 +- 1 file changed, 1 insertion(+), 1

[PATCH 1/6] netfilter: nft_ct: fix random validation errors for zone set support

2017-02-27 Thread Pablo Neira Ayuso
From: Florian Westphal Dan reports: net/netfilter/nft_ct.c:549 nft_ct_set_init() error: uninitialized symbol 'len'. Reported-by: Dan Carpenter Fixes: edee4f1e924582 ("netfilter: nft_ct: add zone id set support") Signed-off-by: Florian Westphal

[PATCH 3/6] uapi: fix linux/netfilter/xt_hashlimit.h userspace compilation error

2017-02-27 Thread Pablo Neira Ayuso
From: "Dmitry V. Levin" Include like some of uapi/linux/netfilter/xt_*.h headers do to fix the following linux/netfilter/xt_hashlimit.h userspace compilation error: /usr/include/linux/netfilter/xt_hashlimit.h:90:12: error: 'NAME_MAX' undeclared here (not in a function)