On 03/11/2018 05:21 PM, Pablo Neira Ayuso wrote:
On Sun, Mar 11, 2018 at 05:12:09PM -0500, Gustavo A. R. Silva wrote:
Hi Pablo,
On 03/11/2018 05:04 PM, Pablo Neira Ayuso wrote:
On Tue, Mar 06, 2018 at 12:47:55PM -0600, Gustavo A. R. Silva wrote:
In preparation to enabling -Wvla, remove VLA
Hi Pablo,
On 03/11/2018 05:04 PM, Pablo Neira Ayuso wrote:
On Tue, Mar 06, 2018 at 12:47:55PM -0600, Gustavo A. R. Silva wrote:
In preparation to enabling -Wvla, remove VLA and replace it
with dynamic memory allocation.
Looks good but...
Signed-off-by: Gustavo A. R. Silva
Arushi Singhal wrote:
> On Mon, Mar 12, 2018 at 2:17 AM, Pablo Neira Ayuso
> wrote:
>
> > Hi Joe,
> >
> > On Sun, Mar 11, 2018 at 12:52:41PM -0700, Joe Perches wrote:
> > > On Mon, 2018-03-12 at 01:11 +0530, Arushi Singhal wrote:
> > > >
On Mon, Mar 12, 2018 at 03:56:15AM +0530, Arushi Singhal wrote:
> On Mon, Mar 12, 2018 at 2:17 AM, Pablo Neira Ayuso
> wrote:
>
> > Hi Joe,
> >
> > On Sun, Mar 11, 2018 at 12:52:41PM -0700, Joe Perches wrote:
> > > On Mon, 2018-03-12 at 01:11 +0530, Arushi Singhal wrote:
> >
On Sun, Mar 11, 2018 at 05:12:09PM -0500, Gustavo A. R. Silva wrote:
> Hi Pablo,
>
> On 03/11/2018 05:04 PM, Pablo Neira Ayuso wrote:
> > On Tue, Mar 06, 2018 at 12:47:55PM -0600, Gustavo A. R. Silva wrote:
> > > In preparation to enabling -Wvla, remove VLA and replace it
> > > with dynamic
On Sun, Mar 11, 2018 at 11:04:22PM +0100, Matthias Schiffer wrote:
> On 03/11/2018 10:14 PM, Pablo Neira Ayuso wrote:
> > On Sun, Mar 04, 2018 at 09:28:53AM +0100, Matthias Schiffer wrote:
> >> We already have ICMPv6 type/code matches. This adds support for IPv4 ICMP
> >> matches in the same way.
On 03/11/2018 10:14 PM, Pablo Neira Ayuso wrote:
> On Sun, Mar 04, 2018 at 09:28:53AM +0100, Matthias Schiffer wrote:
>> We already have ICMPv6 type/code matches. This adds support for IPv4 ICMP
>> matches in the same way.
>>
>> Signed-off-by: Matthias Schiffer
>>
On Tue, Mar 06, 2018 at 12:47:55PM -0600, Gustavo A. R. Silva wrote:
> In preparation to enabling -Wvla, remove VLA and replace it
> with dynamic memory allocation.
Looks good but...
> Signed-off-by: Gustavo A. R. Silva
> ---
> net/netfilter/nfnetlink_cttimeout.c | 12
On Tue, Feb 27, 2018 at 11:04:14AM +0100, Ahmed Abdelsalam wrote:
> Segment Routing Header "SRH" is new type of IPv6 Routing extension
> header (type 4).
>
> SRH contains a list of segments (each is represented as an IPv6 address)
> to be visited by packets during the journey from source to
On Tue, Feb 27, 2018 at 07:25:14AM +0100, Ahmed Abdelsalam wrote:
> Type 0 and 2 of the IPv6 Routing extension header are not handled
> properly by exthdr_init_raw() in src/exthdr.c
>
> In order to fix the bug, we extended the "enum nft_exthdr_op" to
> differentiate between rt, rt0, and rt2.
>
>
On Thu, Mar 08, 2018 at 05:01:26PM +0200, Serhey Popovych wrote:
> Eric Dumazet wrote:
> >
> >
> > On 03/08/2018 02:08 AM, Serhey Popovych wrote:
> >> We can't use skb_reset_transport_header() together with skb_put() to set
> >> skb->transport_header field because skb_put() does not touch
On Sun, Mar 04, 2018 at 03:29:51PM -0800, Yi-Hung Wei wrote:
> Remove parameter 'family' in nf_conncount_count() and count_tree().
> It is because the parameter is not useful after commit 625c556118f3
> ("netfilter: connlimit: split xt_connlimit into front and backend").
Applied, thanks.
On Sun, Mar 04, 2018 at 03:29:52PM -0800, Yi-Hung Wei wrote:
> Currently, nf_conncount_count() counts the number of connections that
> matches key and inserts a conntrack 'tuple' with the same key into the
> accounting data structure. This patch supports another use case that only
> counts the
On Sun, Mar 04, 2018 at 09:28:53AM +0100, Matthias Schiffer wrote:
> We already have ICMPv6 type/code matches. This adds support for IPv4 ICMP
> matches in the same way.
>
> Signed-off-by: Matthias Schiffer
> ---
> include/uapi/linux/netfilter_bridge/ebt_ip.h |
Hi Varsha,
On Sat, Feb 17, 2018 at 12:19:18AM +0530, Varsha Rao wrote:
> In nf_tables_set_alloc_name function, remove get_zeroed_page
> find_first_zero_bit and set_bit functions. Instead use ida_simple_get
> function as it simplifies the code.
>
> Signed-off-by: Varsha Rao
Hi Alban,
On Tue, Jan 23, 2018 at 11:44:22AM +0100, Alban Vidal wrote:
> Package: iptables
>
> Dear Maintainers,
>
> Please find attached a suggest patch to add functionality in iptables-save.
>
> ---
>
> 1) Adding
On Tue, Feb 27, 2018 at 07:24:58AM +0100, Ahmed Abdelsalam wrote:
> Type 0 and 2 of the IPv6 Routing extension header are not handled
> properly by exthdr_init_raw() in src/exthdr.c
>
> In order to fix the bug, we extended the "enum nft_exthdr_op" to
> differentiate between rt, rt0, and rt2.
>
>
Hi Joe,
On Sun, Mar 11, 2018 at 12:52:41PM -0700, Joe Perches wrote:
> On Mon, 2018-03-12 at 01:11 +0530, Arushi Singhal wrote:
> > Using pr_() is more concise than
> > printk(KERN_).
> > Replace printks having a log level with the appropriate
> > pr_*() macros.
> >
> > Signed-off-by: Arushi
Hi Bernie,
A few comments below.
On Tue, Feb 27, 2018 at 10:58:35AM +1300, Bernie Harris wrote:
> This patch is part of a proposal to add a string filter to
> ebtables, which would be similar to the string filter in
> iptables.
>
> Like iptables, the ebtables filter uses the xt_string module,
>
On Thu, Mar 08, 2018 at 12:54:19PM +0100, Florian Westphal wrote:
> The last rule in the blob has next_entry offset that is same as total size.
> This made "ebtables32 -A OUTPUT -d de:ad:be:ef:01:02" fail on 64 bit kernel.
Also applied, thanks.
On Sat, Mar 10, 2018 at 01:15:45AM +0100, Florian Westphal wrote:
> recent and hashlimit both create /proc files, but only check that
> name is 0 terminated.
>
> This can trigger WARN() from procfs when name is "" or "/".
> Add helper for this and then use it for both.
Applied, thanks Florian.
On Fri, Mar 09, 2018 at 02:27:31PM +0100, Florian Westphal wrote:
> ebt_among is special, it has a dynamic match size and is exempt
> from the central size checks.
Applied, thanks Florian.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to
Otherwise we leak this array.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_api.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 558593e6a0a3..c4acc7340eb1 100644
---
On Mon, 2018-03-12 at 01:11 +0530, Arushi Singhal wrote:
> Using pr_() is more concise than
> printk(KERN_).
> Replace printks having a log level with the appropriate
> pr_*() macros.
>
> Signed-off-by: Arushi Singhal
> ---
> changes in v2
> *in v1 printk() were
Using pr_() is more concise than
printk(KERN_).
Replace printks having a log level with the appropriate
pr_*() macros.
Signed-off-by: Arushi Singhal
---
changes in v2
*in v1 printk() were replaced with netdev_*()
net/netfilter/nf_conntrack_acct.c | 2 +-
Toralf Förster wrote:
> On 03/10/2018 10:16 PM, Florian Westphal wrote:
> > Toralf Förster wrote:
> >> At my server (stable hardened Gentoo with vanilla 4.15.7) I do have this
> >> rule:
> >>
> >> /sbin/iptables -A OUTPUT -p tcp --destination-port
On 03/10/2018 10:16 PM, Florian Westphal wrote:
> Toralf Förster wrote:
>> At my server (stable hardened Gentoo with vanilla 4.15.7) I do have this
>> rule:
>>
>> /sbin/iptables -A OUTPUT -p tcp --destination-port 443 --syn --match
>> connlimit --connlimit-above 3000
On 03/10/2018 10:16 PM, Florian Westphal wrote:
> You could check via conntrack -L.
# conntrack -L | wc -l
conntrack v1.4.2 (conntrack-tools): 39698 flow entries have been shown.
39698
Many lines ...
--
Toralf
PGP C4EACDDE 0076E94E
Signed-off-by: Florian Westphal
---
doc/nft.xml | 81 +++--
1 file changed, 79 insertions(+), 2 deletions(-)
diff --git a/doc/nft.xml b/doc/nft.xml
index f7cf077..d3765fa 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -912,6
Correct one typo for parsing set handles.
Signed-off-by: Harsha Sharma
---
src/set.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/set.c b/src/set.c
index 0889b00..d2a7589 100644
--- a/src/set.c
+++ b/src/set.c
@@ -368,7 +368,7 @@ void
Arushi Singhal wrote:
> I'll resend the patch according to your suggestions.
>
> Just for curiosity wanted to ask why not netdev_*().
netfilter is not a network driver.
> > > register_net_sysctl(net, "net/netfilter", table);
> > > if