Re: [RFC] netfilter: cttimeout: remove VLA in ctnl_timeout_parse_policy

2018-03-11 Thread Gustavo A. R. Silva
On 03/11/2018 05:21 PM, Pablo Neira Ayuso wrote: On Sun, Mar 11, 2018 at 05:12:09PM -0500, Gustavo A. R. Silva wrote: Hi Pablo, On 03/11/2018 05:04 PM, Pablo Neira Ayuso wrote: On Tue, Mar 06, 2018 at 12:47:55PM -0600, Gustavo A. R. Silva wrote: In preparation to enabling -Wvla, remove VLA

Re: [RFC] netfilter: cttimeout: remove VLA in ctnl_timeout_parse_policy

2018-03-11 Thread Gustavo A. R. Silva
Hi Pablo, On 03/11/2018 05:04 PM, Pablo Neira Ayuso wrote: On Tue, Mar 06, 2018 at 12:47:55PM -0600, Gustavo A. R. Silva wrote: In preparation to enabling -Wvla, remove VLA and replace it with dynamic memory allocation. Looks good but... Signed-off-by: Gustavo A. R. Silva

Re: [PATCH v2] net: netfilter: Replace printk() with appropriate pr_*() macro

2018-03-11 Thread Florian Westphal
Arushi Singhal wrote: > On Mon, Mar 12, 2018 at 2:17 AM, Pablo Neira Ayuso > wrote: > > > Hi Joe, > > > > On Sun, Mar 11, 2018 at 12:52:41PM -0700, Joe Perches wrote: > > > On Mon, 2018-03-12 at 01:11 +0530, Arushi Singhal wrote: > > > >

Re: [PATCH v2] net: netfilter: Replace printk() with appropriate pr_*() macro

2018-03-11 Thread Pablo Neira Ayuso
On Mon, Mar 12, 2018 at 03:56:15AM +0530, Arushi Singhal wrote: > On Mon, Mar 12, 2018 at 2:17 AM, Pablo Neira Ayuso > wrote: > > > Hi Joe, > > > > On Sun, Mar 11, 2018 at 12:52:41PM -0700, Joe Perches wrote: > > > On Mon, 2018-03-12 at 01:11 +0530, Arushi Singhal wrote: > >

Re: [RFC] netfilter: cttimeout: remove VLA in ctnl_timeout_parse_policy

2018-03-11 Thread Pablo Neira Ayuso
On Sun, Mar 11, 2018 at 05:12:09PM -0500, Gustavo A. R. Silva wrote: > Hi Pablo, > > On 03/11/2018 05:04 PM, Pablo Neira Ayuso wrote: > > On Tue, Mar 06, 2018 at 12:47:55PM -0600, Gustavo A. R. Silva wrote: > > > In preparation to enabling -Wvla, remove VLA and replace it > > > with dynamic

Re: [PATCH nf-next 1/2] ebtables: add support for matching ICMP type and code

2018-03-11 Thread Pablo Neira Ayuso
On Sun, Mar 11, 2018 at 11:04:22PM +0100, Matthias Schiffer wrote: > On 03/11/2018 10:14 PM, Pablo Neira Ayuso wrote: > > On Sun, Mar 04, 2018 at 09:28:53AM +0100, Matthias Schiffer wrote: > >> We already have ICMPv6 type/code matches. This adds support for IPv4 ICMP > >> matches in the same way.

Re: [PATCH nf-next 1/2] ebtables: add support for matching ICMP type and code

2018-03-11 Thread Matthias Schiffer
On 03/11/2018 10:14 PM, Pablo Neira Ayuso wrote: > On Sun, Mar 04, 2018 at 09:28:53AM +0100, Matthias Schiffer wrote: >> We already have ICMPv6 type/code matches. This adds support for IPv4 ICMP >> matches in the same way. >> >> Signed-off-by: Matthias Schiffer >>

Re: [RFC] netfilter: cttimeout: remove VLA in ctnl_timeout_parse_policy

2018-03-11 Thread Pablo Neira Ayuso
On Tue, Mar 06, 2018 at 12:47:55PM -0600, Gustavo A. R. Silva wrote: > In preparation to enabling -Wvla, remove VLA and replace it > with dynamic memory allocation. Looks good but... > Signed-off-by: Gustavo A. R. Silva > --- > net/netfilter/nfnetlink_cttimeout.c | 12

Re: [nft] nftables: Adding support for segment routing header 'srh'

2018-03-11 Thread Pablo Neira Ayuso
On Tue, Feb 27, 2018 at 11:04:14AM +0100, Ahmed Abdelsalam wrote: > Segment Routing Header "SRH" is new type of IPv6 Routing extension > header (type 4). > > SRH contains a list of segments (each is represented as an IPv6 address) > to be visited by packets during the journey from source to

Re: [nft] nftables: Fixing Bug 1219 - handle rt0 and rt2 properly

2018-03-11 Thread Pablo Neira Ayuso
On Tue, Feb 27, 2018 at 07:25:14AM +0100, Ahmed Abdelsalam wrote: > Type 0 and 2 of the IPv6 Routing extension header are not handled > properly by exthdr_init_raw() in src/exthdr.c > > In order to fix the bug, we extended the "enum nft_exthdr_op" to > differentiate between rt, rt0, and rt2. > >

Re: [PATCH nf-next 1/2] netfilter: SYNPROXY: set transport header properly

2018-03-11 Thread Pablo Neira Ayuso
On Thu, Mar 08, 2018 at 05:01:26PM +0200, Serhey Popovych wrote: > Eric Dumazet wrote: > > > > > > On 03/08/2018 02:08 AM, Serhey Popovych wrote: > >> We can't use skb_reset_transport_header() together with skb_put() to set > >> skb->transport_header field because skb_put() does not touch

Re: [PATCH nf-next v2 1/2] netfilter: Refactor nf_conncount

2018-03-11 Thread Pablo Neira Ayuso
On Sun, Mar 04, 2018 at 03:29:51PM -0800, Yi-Hung Wei wrote: > Remove parameter 'family' in nf_conncount_count() and count_tree(). > It is because the parameter is not useful after commit 625c556118f3 > ("netfilter: connlimit: split xt_connlimit into front and backend"). Applied, thanks. -- To

Re: [PATCH nf-next v2 2/2] nf_conncount: Support count only use case

2018-03-11 Thread Pablo Neira Ayuso
On Sun, Mar 04, 2018 at 03:29:52PM -0800, Yi-Hung Wei wrote: > Currently, nf_conncount_count() counts the number of connections that > matches key and inserts a conntrack 'tuple' with the same key into the > accounting data structure. This patch supports another use case that only > counts the

Re: [PATCH nf-next 1/2] ebtables: add support for matching ICMP type and code

2018-03-11 Thread Pablo Neira Ayuso
On Sun, Mar 04, 2018 at 09:28:53AM +0100, Matthias Schiffer wrote: > We already have ICMPv6 type/code matches. This adds support for IPv4 ICMP > matches in the same way. > > Signed-off-by: Matthias Schiffer > --- > include/uapi/linux/netfilter_bridge/ebt_ip.h |

Re: [PATCH nf-next] net: netfilter: nf_tables_api: Use id allocation.

2018-03-11 Thread Pablo Neira Ayuso
Hi Varsha, On Sat, Feb 17, 2018 at 12:19:18AM +0530, Varsha Rao wrote: > In nf_tables_set_alloc_name function, remove get_zeroed_page > find_first_zero_bit and set_bit functions. Instead use ida_simple_get > function as it simplifies the code. > > Signed-off-by: Varsha Rao

Re: iptables-save - suggested patch to add functionality

2018-03-11 Thread Pablo Neira Ayuso
Hi Alban, On Tue, Jan 23, 2018 at 11:44:22AM +0100, Alban Vidal wrote: > Package: iptables > > Dear Maintainers, > > Please find attached a suggested patch to add functionality in iptables-save. > > --- > > 1) Adding

Re: [nf-next] netfilter: nf_tables: Fixing Bug 1219 - handle rt0 and rt2 properly

2018-03-11 Thread Pablo Neira Ayuso
On Tue, Feb 27, 2018 at 07:24:58AM +0100, Ahmed Abdelsalam wrote: > Type 0 and 2 of the IPv6 Routing extension header are not handled > properly by exthdr_init_raw() in src/exthdr.c > > In order to fix the bug, we extended the "enum nft_exthdr_op" to > differentiate between rt, rt0, and rt2. > >

Re: [PATCH v2] net: netfilter: Replace printk() with appropriate pr_*() macro

2018-03-11 Thread Pablo Neira Ayuso
Hi Joe, On Sun, Mar 11, 2018 at 12:52:41PM -0700, Joe Perches wrote: > On Mon, 2018-03-12 at 01:11 +0530, Arushi Singhal wrote: > > Using pr_() is more concise than > > printk(KERN_). > > Replace printks having a log level with the appropriate > > pr_*() macros. > > > > Signed-off-by: Arushi

Re: [PATCH 2/2] ebtables: Add string filter

2018-03-11 Thread Pablo Neira Ayuso
Hi Bernie, A few comments below. On Tue, Feb 27, 2018 at 10:58:35AM +1300, Bernie Harris wrote: > This patch is part of a proposal to add a string filter to > ebtables, which would be similar to the string filter in > iptables. > > Like iptables, the ebtables filter uses the xt_string module, >

Re: [PATCH nf] netfilter: ebtables: fix erroneous reject of last rule

2018-03-11 Thread Pablo Neira Ayuso
On Thu, Mar 08, 2018 at 12:54:19PM +0100, Florian Westphal wrote: > The last rule in the blob has next_entry offset that is same as total size. > This made "ebtables32 -A OUTPUT -d de:ad:be:ef:01:02" fail on 64 bit kernel. Also applied, thanks.

Re: [PATCH nf] netfilter: x_tables: add and use xt_check_proc_name

2018-03-11 Thread Pablo Neira Ayuso
On Sat, Mar 10, 2018 at 01:15:45AM +0100, Florian Westphal wrote: > recent and hashlimit both create /proc files, but only check that > name is 0 terminated. > > This can trigger WARN() from procfs when name is "" or "/". > Add helper for this and then use it for both. Applied, thanks Florian.

Re: [PATCH nf v5] netfilter: bridge: ebt_among: add more missing match size checks

2018-03-11 Thread Pablo Neira Ayuso
On Fri, Mar 09, 2018 at 02:27:31PM +0100, Florian Westphal wrote: > ebt_among is special, it has a dynamic match size and is exempt > from the central size checks. Applied, thanks Florian.

[PATCH nf] netfilter: nf_tables: release flowtable hooks

2018-03-11 Thread Pablo Neira Ayuso
Otherwise we leak this array. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_tables_api.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 558593e6a0a3..c4acc7340eb1 100644 ---

Re: [PATCH v2] net: netfilter: Replace printk() with appropriate pr_*() macro

2018-03-11 Thread Joe Perches
On Mon, 2018-03-12 at 01:11 +0530, Arushi Singhal wrote: > Using pr_() is more concise than > printk(KERN_). > Replace printks having a log level with the appropriate > pr_*() macros. > > Signed-off-by: Arushi Singhal > --- > changes in v2 > *in v1 printk() were

[PATCH v2] net: netfilter: Replace printk() with appropriate pr_*() macro

2018-03-11 Thread Arushi Singhal
Using pr_() is more concise than printk(KERN_). Replace printks having a log level with the appropriate pr_*() macros. Signed-off-by: Arushi Singhal --- changes in v2 *in v1 printk() were replaced with netdev_*() net/netfilter/nf_conntrack_acct.c | 2 +-

Re: connlimit module doesn't work as expected

2018-03-11 Thread Florian Westphal
Toralf Förster wrote: > On 03/10/2018 10:16 PM, Florian Westphal wrote: > > Toralf Förster wrote: > >> At my server (stable hardened Gentoo with vanilla 4.15.7) I do have this > >> rule: > >> > >> /sbin/iptables -A OUTPUT -p tcp --destination-port

Re: connlimit module doesn't work as expected

2018-03-11 Thread Toralf Förster
On 03/10/2018 10:16 PM, Florian Westphal wrote: > Toralf Förster wrote: >> At my server (stable hardened Gentoo with vanilla 4.15.7) I do have this >> rule: >> >> /sbin/iptables -A OUTPUT -p tcp --destination-port 443 --syn --match >> connlimit --connlimit-above 3000

Re: connlimit module doesn't work as expected

2018-03-11 Thread Toralf Förster
On 03/10/2018 10:16 PM, Florian Westphal wrote: > You could check via conntrack -L. # conntrack -L | wc -l conntrack v1.4.2 (conntrack-tools): 39698 flow entries have been shown. 39698 Many lines ... -- Toralf PGP C4EACDDE 0076E94E

[PATCH 1/1] doc: add set information and example for run-time blackhole

2018-03-11 Thread Florian Westphal
Signed-off-by: Florian Westphal --- doc/nft.xml | 81 +++-- 1 file changed, 79 insertions(+), 2 deletions(-) diff --git a/doc/nft.xml b/doc/nft.xml index f7cf077..d3765fa 100644 --- a/doc/nft.xml +++ b/doc/nft.xml @@ -912,6

[PATCH] src: fix parsing for set handle attributes

2018-03-11 Thread Harsha Sharma
Correct one typo for parsing set handles. Signed-off-by: Harsha Sharma --- src/set.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/set.c b/src/set.c index 0889b00..d2a7589 100644 --- a/src/set.c +++ b/src/set.c @@ -368,7 +368,7 @@ void

Re: [PATCH Netfilter] net: netfilter: Replace printk() with more standardized output format.

2018-03-11 Thread Florian Westphal
Arushi Singhal wrote: > I'll resend the patch according to your suggestions. > > Just for curiosity wanted to ask why not netdev_*(). netfilter is not a network driver. > > > register_net_sysctl(net, "net/netfilter", table); > > > if