On Wed, Mar 08, 2017 at 03:33:04PM +0100, Pablo Neira Ayuso wrote:
> Originally reported as an iptables-translate problem, but this also
> affects iptables and ip6tables.
>
> $ iptables-translate -A INPUT -s localhost -j ACCEPT
>
> gives duplicated rules:
>
> nft add rule ip filter INPUT ip
On Wed, Mar 08, 2017 at 02:16:09PM +0100, Pablo Neira Ayuso wrote:
> After this patch:
>
> # iptables-translate -I INPUT -s yahoo.com
> nft insert rule ip filter INPUT ip saddr 206.190.36.45 counter
> nft insert rule ip filter INPUT ip saddr 98.138.253.109 counter
> nft insert rule ip filter
On Tue, Mar 07, 2017 at 12:45:04PM +0100, Florian Westphal wrote:
> as the comment says, the function is always called with the rcu read lock held.
Applied, thanks Florian.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
On Fri, Mar 03, 2017 at 09:44:00PM +0100, Florian Westphal wrote:
> Andrey reports a syzkaller splat caused by
>
> NF_CT_ASSERT(!ip_is_fragment(ip_hdr(skb)));
>
> in ipv4 nat. But this assertion (and the comment) are wrong: this function
> does see fragments when the IP_NODEFRAG setsockopt is used.
>
Hi,
I have an application that acts as a transparent proxy for tcp flows. I
need to get packet and byte counters for these tcp flows on both sides
of the proxy application. I looked at pulling the counters from the
kernel using libnetfilter_conntrack. However I noticed that the
conntrack
On Sat, Mar 04, 2017 at 06:00:02PM +0800, Ying Xue wrote:
> Regarding RFC 792, the first 64 bits of the original SCTP datagram's
> data could be contained in ICMP packet, such as:
>
> 0 1 2 3
> 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0
On Wednesday 2017-03-08 17:45, Pablo Neira Ayuso wrote:
>On Wed, Mar 08, 2017 at 05:26:58PM +0100, Jan Engelhardt wrote:
>> A long-standing problem has been that `iptables -s any_host_here`
>> could yield multiple rules with the same address if the DNS was
>> indeed so populated.
>
>When did
On Wed, Mar 08, 2017 at 05:26:57PM +0100, Jan Engelhardt wrote:
> ares->ai_canonname is never used, so there is no point in requesting
> that piece of information with AI_CANONNAME.
I already had one like this here that derived from my previous patch,
anyway. Applied.
On Wed, Mar 08, 2017 at 05:26:56PM +0100, Jan Engelhardt wrote:
> The error path already terminally returns from the function, so there
> is no point in having an explicit else block.
Applied.
On Wed, Mar 08, 2017 at 04:48:42PM +0100, Florian Westphal wrote:
> This adds support to set the conntrack helper from nftables, using
> nft set ct helper "foo" syntax.
>
> Helpers are defined through the objref infrastructure.
>
> Open question: should NFT_MSG_GETOBJ_RESET get rejected for this
ares->ai_canonname is never used, so there is no point in requesting
that piece of information with AI_CANONNAME.
Signed-off-by: Jan Engelhardt
---
libxtables/xtables.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index
A long-standing problem has been that `iptables -s any_host_here`
could yield multiple rules with the same address if the DNS was
indeed so populated.
Signed-off-by: Jan Engelhardt
---
libxtables/xtables.c | 44
1 file changed, 32
The error path already terminally returns from the function, so there
is no point in having an explicit else block.
Signed-off-by: Jan Engelhardt
---
libxtables/xtables.c | 54 +++-
1 file changed, 24 insertions(+), 30
(Of course that send went wrong... with GitHub and all that, I hardly
had to use git-send-email ever since.)
The right set follows.
On Wed, 2017-03-08 at 13:49 +0100, Florian Westphal wrote:
> These patches remove the percpu untracked objects, they get replaced
> with a new (kernel internal) ctinfo state.
>
> This avoids reference counter operations for untracked packets and
> removes the need to check a conntrack for the
From: Harout Hedeshian
xt_socket is useful for matching sockets with IP_TRANSPARENT and
taking some action on the matching packets. However, it lacks the
ability to match only a small subset of transparent sockets.
Suppose there are 2 applications, each with its own set
Pablo wrote:
>libc seem to need if we have 127.0.0.1 and ::1
>entries in /etc/hosts that are common in many distros.
I was trying to imply that this problem is not specific to localhost,
but could happen with any host name. Testing the memory contents for
just htonl(INADDR_LOOPBACK) does not
This is the same as commit v1.4.15-12-g8a988f6.
If no id option is given, the extensions only match packets with a
zero-valued identification field. This behavior deviates from what it
used to do back in v1.4.10-273-g6944f2c^.
Signed-off-by: Jan Engelhardt
---
This adds support to set the conntrack helper from nftables, using
nft set ct helper "foo" syntax.
Helpers are defined through the objref infrastructure.
Open question: should NFT_MSG_GETOBJ_RESET get rejected for this new type?
A future patch could extend the attributes so we can also handle
this allows assigning connection tracking helpers to
connections via the nft objref infrastructure.
The idea is to first specify a helper object:
table ip filter {
    ct helper some-name {
        type "ftp"
        protocol tcp
        l3proto ip
    }
}
and then assign it via
nft add ... ct helper
this is needed by the upcoming ct helper object type --
we'd like to be able to use the table family (ip, ip6, inet) to figure
out which helper has to be requested.
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_tables.h | 3 ++-
net/netfilter/nf_tables_api.c | 7
On Wed, Mar 08, 2017 at 04:43:25PM +0100, Phil Sutter wrote:
> This originally came up when accidentally calling iptables-translate as an
> unprivileged user - nft_compatible_revision() then fails every time,
> making the translator fall back to using revision 0 only which often
> leads to failed
This originally came up when accidentally calling iptables-translate as an
unprivileged user - nft_compatible_revision() then fails every time,
making the translator fall back to using revision 0 only which often
leads to failed translations (due to missing xlate callback).
The bottom line is there
From: Liping Zhang
Currently, there are two different methods to store a u16 integer to
the u32 data register. For example:
u32 *dest = &regs->data[priv->dreg];
1. *dest = 0; *(u16 *) dest = val_u16;
2. *dest = val_u16;
For method 1, the u16 value will be stored like this,
Originally reported as an iptables-translate problem, but this also
affects iptables and ip6tables.
$ iptables-translate -A INPUT -s localhost -j ACCEPT
gives duplicated rules:
nft add rule ip filter INPUT ip saddr 127.0.0.1 counter accept
nft add rule ip filter INPUT ip saddr 127.0.0.1
On Wednesday 2017-03-08 14:16, Pablo Neira Ayuso wrote:
>
>If hints.ai_flags includes the AI_ADDRCONFIG flag, then IPv4 addresses
>are returned in the list pointed to by res only if the local system has
>at least one IPv4 address configured, and IPv6 addresses are only
>returned if the local
On Wed, Mar 08, 2017 at 02:38:42PM +0100, Pablo Neira Ayuso wrote:
> On Wed, Mar 08, 2017 at 01:31:51PM +0100, Phil Sutter wrote:
> > On Wed, Mar 08, 2017 at 11:36:52AM +0100, Pablo Neira Ayuso wrote:
> > > On Tue, Mar 07, 2017 at 09:07:45PM +0100, Phil Sutter wrote:
> > > > On Tue, Mar 07, 2017
On Wed, Mar 08, 2017 at 01:31:51PM +0100, Phil Sutter wrote:
> Oh man, I just found the cause: I was running iptables-translate as
> unprivileged user. Calling it with sudo magically makes everything work.
>
> I'll have a look whether it's possible to communicate the received
> -EPERM back to the
On Wed, Mar 08, 2017 at 02:56:24PM +0100, Jan Engelhardt wrote:
>
> On Wednesday 2017-03-08 14:16, Pablo Neira Ayuso wrote:
> >
> >If hints.ai_flags includes the AI_ADDRCONFIG flag, then IPv4 addresses
> >are returned in the list pointed to by res only if the local system has
> >at least one IPv4
These patches remove the percpu untracked objects, they get replaced
with a new (kernel internal) ctinfo state.
This avoids reference counter operations for untracked packets and
removes the need to check a conntrack for the UNTRACKED status bit
before setting connmark, labels, etc.
I checked
We have to print nft at the very beginning for each rule that results from
the expansion, otherwise the output is not correct:
# iptables-translate -I INPUT -s yahoo.com
nft insert rule ip filter INPUT ip saddr 206.190.36.45 counter
insert rule ip filter INPUT ip saddr 98.138.253.109 counter
According to man getaddrinfo(3):
If hints.ai_flags includes the AI_ADDRCONFIG flag, then IPv4 addresses
are returned in the list pointed to by res only if the local system has
at least one IPv4 address configured, and IPv6 addresses are only
returned if the local system has at least one IPv6
resurrect an old patch from Pablo Neira to remove the untracked objects.
Currently, there are four possible states of an skb wrt. conntrack.
1. No conntrack attached, ct is NULL.
2. Normal (kmem cache allocated) ct attached.
3. a template (kmalloc'd), not in any hash tables at any point in time
The organizing committee is happy to announce Verizon Labs as our
second Platinum sponsor.
Verizon Labs has been a solid supporter of the netdev community from the
very first conference. We appreciate you!
cheers,
jamal
This function is now obsolete and always returns false,
change has no effect on generated code.
Signed-off-by: Florian Westphal
---
include/net/ip_vs.h | 4 ++--
include/net/netfilter/nf_conntrack.h | 5 -
On Wed, Mar 08, 2017 at 11:36:52AM +0100, Pablo Neira Ayuso wrote:
> On Tue, Mar 07, 2017 at 09:07:45PM +0100, Phil Sutter wrote:
> > On Tue, Mar 07, 2017 at 08:31:58PM +0100, Pablo Neira Ayuso wrote:
> > > On Tue, Mar 07, 2017 at 05:54:09PM +0100, Phil Sutter wrote:
> > > > On Tue, Mar 07, 2017
On Wed, Mar 08, 2017 at 10:55:32AM +0100, Pablo Neira Ayuso wrote:
>
> This is actually a generic problem:
>
> # iptables -I INPUT -p tcp -s localhost
>
> results in:
>
> # iptables-save
> # Generated by iptables-save v1.6.1 on Wed Mar 8 10:53:07 2017
> *filter
> :INPUT ACCEPT [13:1628]
>
On Wed, Mar 08, 2017 at 12:28:13AM +0100, Alexander Alemayhu wrote:
> $ iptables-translate -A INPUT -p tcp -s localhost --dport 8000 -j ACCEPT
>
> gives
>
> nft add rule ip filter INPUT ip saddr 127.0.0.1 tcp dport 8000 counter accept
> add rule ip filter INPUT ip saddr 127.0.0.1 tcp dport
On Tue, Mar 07, 2017 at 09:07:45PM +0100, Phil Sutter wrote:
> On Tue, Mar 07, 2017 at 08:31:58PM +0100, Pablo Neira Ayuso wrote:
> > On Tue, Mar 07, 2017 at 05:54:09PM +0100, Phil Sutter wrote:
> > > On Tue, Mar 07, 2017 at 05:20:55PM +0100, Pablo Neira Ayuso wrote:
> > > > On Tue, Mar 07, 2017
On Wed, Mar 08, 2017 at 02:06:14AM +0100, Phil Sutter wrote:
> Translate addrtype match into fib expression:
>
> $ iptables-translate -A INPUT -m addrtype --src-type LOCAL
> nft add rule ip filter INPUT fib saddr type local counter
>
> $ iptables-translate -A INPUT -m addrtype --dst-type LOCAL
>