[PATCH nf-next] netfilter: limit: use per-rule spinlock to improve the scalability

2017-03-10 Thread Liping Zhang
From: Liping Zhang The limit token is independent between each rule, so there's no need to use a global spinlock. Signed-off-by: Liping Zhang --- net/netfilter/nft_limit.c | 10 +- net/netfilter/xt_limit.c | 11 ++- 2 files changed, 11 insertions(+), 10 deletions(-) diff --g

[PATCH nft] src: fix crash when inputting an incomplete set add command

2017-03-10 Thread Liping Zhang
From: Liping Zhang After inputting the following nft command, set->keytype is not initialized but we try to destroy it, so a NULL pointer dereference will happen: # nft add set t s Segmentation fault (core dumped) #0 dtype_free (dtype=0x0) at datatype.c:1049 #1 set_datatype_destroy (dtype

Re: [nft PATCH 4/5] fib: Support existence check

2017-03-10 Thread Phil Sutter
Hi, On Fri, Mar 10, 2017 at 07:07:25PM +0100, Pablo Neira Ayuso wrote: > On Fri, Mar 10, 2017 at 06:13:52PM +0100, Phil Sutter wrote: > [...] > > diff --git a/tests/py/inet/fib.t.payload b/tests/py/inet/fib.t.payload > > index f5258165384dc..e928a19649133 100644 > > --- a/tests/py/inet/fib.t.paylo

[PATCH 1/2] harmonize log file defaults with ulogd.conf

2017-03-10 Thread Kaarle Ritvanen
--- doc/ulogd.sgml | 4 ++-- output/ulogd_output_GPRINT.c | 2 +- output/ulogd_output_LOGEMU.c | 2 +- output/ulogd_output_NACCT.c | 2 +- output/ulogd_output_OPRINT.c | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/doc/ulogd.sgml b/doc/ulogd.sgml index 65a63c

[PATCH 2/2] rotate all default output files

2017-03-10 Thread Kaarle Ritvanen
--- ulogd.logrotate | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ulogd.logrotate b/ulogd.logrotate index b3fb6d1..8470811 100644 --- a/ulogd.logrotate +++ b/ulogd.logrotate @@ -1,4 +1,4 @@ -/var/log/ulogd.log /var/log/ulogd.syslogemu /var/log/ulogd.pktlog /var/log/ulogd.pca
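Review bot: the patch body starts directly at the diffstat (`--- ulogd.logrotate | 2 +-`), so there is neither a description of why the rotated file list changes nor a Signed-off-by line; the hunk at `@@ -1,4 +1,4 @@` replaces the single line naming `/var/log/ulogd.log /var/log/ulogd.syslogemu /var/log/ulogd.pktlog ...`, and a one-sentence rationale (which default output files were missing from rotation, matching the defaults changed in 1/2) plus the submitter's Signed-off-by should be added before this is applied.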

Re: [PATCH 3/3] libxtables: avoid returning duplicate address for host resolution

2017-03-10 Thread Pablo Neira Ayuso
On Wed, Mar 08, 2017 at 05:56:43PM +0100, Jan Engelhardt wrote: > On Wednesday 2017-03-08 17:45, Pablo Neira Ayuso wrote: > > >On Wed, Mar 08, 2017 at 05:26:58PM +0100, Jan Engelhardt wrote: > >> A long-standing problem has been that `iptables -s any_host_here` > >> could yield multiple rules with

Re: [nft PATCH 5/5] doc: Document boolean type and applications

2017-03-10 Thread Pablo Neira Ayuso
I can place these doc updates now, even if the fib part will be out of sync for a little while until you follow up with the requested changes. Or keep it back for a little while until we get this in sync. Either way, I'll be fine, so let me know what you prefer. Thanks.

Re: [nft PATCH 4/5] fib: Support existence check

2017-03-10 Thread Pablo Neira Ayuso
On Fri, Mar 10, 2017 at 06:13:52PM +0100, Phil Sutter wrote: [...] > diff --git a/tests/py/inet/fib.t.payload b/tests/py/inet/fib.t.payload > index f5258165384dc..e928a19649133 100644 > --- a/tests/py/inet/fib.t.payload > +++ b/tests/py/inet/fib.t.payload > @@ -20,3 +20,13 @@ __map%d test-ip 0 > i

Re: [nft PATCH 0/5] Introduce boolean type and existence checks

2017-03-10 Thread Pablo Neira Ayuso
On Fri, Mar 10, 2017 at 06:13:48PM +0100, Phil Sutter wrote: > The following patch series implements a boolean datatype for use in a > boolean expression as right-hand side of a relational. Based upon that, > header existence matches are implemented for IPv6 extension and TCP > option headers as we

[nft PATCH 5/5] doc: Document boolean type and applications

2017-03-10 Thread Phil Sutter
Signed-off-by: Phil Sutter --- doc/nft.xml | 134 1 file changed, 134 insertions(+) diff --git a/doc/nft.xml b/doc/nft.xml index 990b93684c9c4..de86d2a18258f 100644 --- a/doc/nft.xml +++ b/doc/nft.xml @@ -1329,6 +1329,110 @@ filter out

[nft PATCH 3/5] exthdr: Implement existence check

2017-03-10 Thread Phil Sutter
This allows checking for the existence of an IPv6 extension or TCP option header by using the following syntax: | exthdr frag exists | tcpopt window exists Signed-off-by: Phil Sutter --- include/exthdr.h| 2 ++ src/evaluate.c | 3 ++ src/exthdr.c

[nft PATCH 1/5] Introduce boolean datatype and boolean expression

2017-03-10 Thread Phil Sutter
Signed-off-by: Phil Sutter --- include/datatype.h | 2 ++ src/datatype.c | 19 +++ src/parser_bison.y | 20 src/scanner.l | 3 +++ 4 files changed, 44 insertions(+) diff --git a/include/datatype.h b/include/datatype.h index b78d76f78f76c..e614b96e8

[nft PATCH 4/5] fib: Support existence check

2017-03-10 Thread Phil Sutter
This allows checking whether a FIB entry exists for a given packet by comparing the expression with a boolean keyword like so: | fib daddr oif exists The implementation requires introduction of a generic expression flag EXPR_F_BOOLEAN which allows a relational expression to signal to its LHS that a b

[nft PATCH 2/5] exthdr: Add support for exthdr specific flags

2017-03-10 Thread Phil Sutter
This allows having custom flags in the exthdr expression, which is necessary for upcoming existence checks (of both IPv6 extension headers as well as TCP options). Signed-off-by: Phil Sutter --- include/expression.h | 1 + include/exthdr.h | 2 +- include/tcpopt.h | 3 ++-

[nft PATCH 0/5] Introduce boolean type and existence checks

2017-03-10 Thread Phil Sutter
The following patch series implements a boolean datatype for use in a boolean expression as right-hand side of a relational. Based upon that, header existence matches are implemented for IPv6 extension and TCP option headers as well as an existence match of a FIB entry. Phil Sutter (5): Introduc

[libnftnl PATCH] fib: Add support for NFTA_FIB_F_PRESENT flag

2017-03-10 Thread Phil Sutter
Actually it is just to be ignored so its presence doesn't mess up the op printer. Signed-off-by: Phil Sutter --- include/linux/netfilter/nf_tables.h | 1 + src/expr/fib.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/include/linux/netfilter/nf_tables

[nf-next PATCH] nftables: fib: Support existence check

2017-03-10 Thread Phil Sutter
Instead of the actual interface index or name, set destination register to just 1 or 0 depending on whether the lookup succeeded or not if NFTA_FIB_F_PRESENT was set in userspace. Signed-off-by: Phil Sutter --- include/net/netfilter/nft_fib.h | 2 +- include/uapi/linux/netfilter/nf_tab

ANNOUNCE: New talk! Kernel HTTP/TCP/IP stack for HTTP DDoS mitigation

2017-03-10 Thread Jamal Hadi Salim
The tech committee would like to announce a new accepted talk along one of the main themes of netdev 2.1: DDOS. Alexander Krizhanovsky will be talking about a Kernel HTTP implementation designed to deal with HTTP DDoS attacks titled "Kernel HTTP/TCP/IP stack for HTTP DDoS mitigation" The descrip

[PATCH conntrackd 1/2] conntrackd: Remove obsolete rule to catch ambiguous Checksum option

2017-03-10 Thread Pablo Neira Ayuso
This warning has been there for a long time, and the example files we provide already come with the right syntax, so remove this old chunk. Signed-off-by: Pablo Neira Ayuso --- src/read_config_yy.y | 23 --- 1 file changed, 23 deletions(-) diff --git a/src/read_config_yy.y b/s

[PATCH conntrackd 2/2] conntrackd: CommitTimeout breaks DisableExternalCache set On

2017-03-10 Thread Pablo Neira Ayuso
This patch introduces a new evaluate() function that can be used to spot inconsistent configurations. Don't allow CommitTimeout with DisableExternalCache On since this results in EINVAL errors. CommitTimeout makes no sense with no external cache. Signed-off-by: Pablo Neira Ayuso --- include/con

Re: netfilter: conntrack: refine gc worker heuristics, redux

2017-03-10 Thread Greg KH
On Wed, Mar 01, 2017 at 04:58:41PM +0100, Florian Westphal wrote: > Pablo Neira Ayuso wrote: > > Hi Greg, > > > > Please cherry-pick this into 4.9. > > > > commit e5072053b09642b8ff417d47da05b84720aea3ee > > Author: Florian Westphal > > Date: Wed Jan 18 02:01:22 2017 +0100 > > > > netfil