In nf_tables_set_alloc_name function, remove get_zeroed_page,
find_first_zero_bit and set_bit functions. Instead use ida_simple_get
function as it simplifies the code.
Signed-off-by: Varsha Rao
---
Changes in v2:
- Modified the upper limit of page size.
net/netfilter/nf_tables_api.c | 31 +++
Hi guys,
As a new kernel module developer, I need to develop a module which would
redirect traffic when matching some rules transparently. Say I want all the
traffic to IP address 1.1.1.1 to actually go to 2.2.2.2. This sounds like
some kind of DNAT, and I can get it to work using iptables, like "ipta
Hi Harsha,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on nf/master]
[also build test ERROR on v4.16-rc7]
[cannot apply to nf-next/master next-20180329]
[if your patch is applied to the wrong git tree, please drop us a note to help
improve the system]
url:
http
Hi Harsha,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on nf/master]
[also build test ERROR on v4.16-rc7]
[cannot apply to nf-next/master next-20180329]
[if your patch is applied to the wrong git tree, please drop us a note to help
improve the system]
url:
http
this makes following failing test case work:
ip6 dscp vmap { 0x04, ..
problem was that the 6bit dscp value spans a byte boundary,
so payload postprocessing increases the size to a 2 byte access
(plus a binop mask operation to discard the unwanted bits).
But because set key size was already set
On Sat, Mar 31, 2018 at 08:30:28PM +0200, Pablo Neira Ayuso wrote:
> On Sat, Mar 31, 2018 at 08:19:41PM +0530, Harsha Sharma wrote:
> > updates from latest stable release of libgmp to get in sync with them
>
> Nice.
>
> Applied, thanks Harsha.
Hm, I just downloaded:
https://gmplib.org/download/
On Sat, Mar 31, 2018 at 09:04:55PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > Cc'ing Arturo, he added the ebtables-compat layer so he probably
> > remembers more details on this.
> >
> > On Sat, Mar 31, 2018 at 07:17:41PM +0200, Florian Westphal wrote:
> > > This (hacky) patch
On Sat, Mar 31, 2018 at 01:52:32PM +0530, Harsha Sharma wrote:
> This patch allows to add, list and delete connection tracking timeout
> policy via nft objref infrastructure.
>
> Signed-off-by: Harsha Sharma
> ---
> include/net/netfilter/nf_conntrack_timeout.h | 1 +
> include/uapi/linux/netfi
Pablo Neira Ayuso wrote:
> Cc'ing Arturo, he added the ebtables-compat layer so he probably
> remembers more details on this.
>
> On Sat, Mar 31, 2018 at 07:17:41PM +0200, Florian Westphal wrote:
> > This (hacky) patch translates 'ebtables --mark' to a native 'meta mark'
> > and dissects meta mar
On Sat, Mar 31, 2018 at 01:47:08PM +0530, Harsha Sharma wrote:
> Add, list and delete ct timeout objects from specified table
>
> Usage e.g.:
> % ./nft-ct-timeout-add ip filter some-name tcp
> % ./nft-ct-timeout-get ip filter
> table filter name some-name use 0 [ ct_timeout family 2 protocol 6
> p
On Sat, Mar 31, 2018 at 08:57:21PM +0200, Pablo Neira Ayuso wrote:
> Cc'ing Arturo, he added the ebtables-compat layer so he probably
> remembers more details on this.
>
> On Sat, Mar 31, 2018 at 07:17:41PM +0200, Florian Westphal wrote:
> > This (hacky) patch translates 'ebtables --mark' to a nat
On Sat, Mar 31, 2018 at 08:54:44PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > > diff --git a/tests/py/ip/masquerade.t b/tests/py/ip/masquerade.t
> > > index 26c3704316ae..41f0e98aa6fb 100644
> > > --- a/tests/py/ip/masquerade.t
> > > +++ b/tests/py/ip/masquerade.t
> > > @@ -27,4
Cc'ing Arturo, he added the ebtables-compat layer so he probably
remembers more details on this.
On Sat, Mar 31, 2018 at 07:17:41PM +0200, Florian Westphal wrote:
> This (hacky) patch translates 'ebtables --mark' to a native 'meta mark'
> and dissects meta mark back to the ebt_mark_m binary repres
Pablo Neira Ayuso wrote:
> > diff --git a/tests/py/ip/masquerade.t b/tests/py/ip/masquerade.t
> > index 26c3704316ae..41f0e98aa6fb 100644
> > --- a/tests/py/ip/masquerade.t
> > +++ b/tests/py/ip/masquerade.t
> > @@ -27,4 +27,4 @@ ip saddr 10.1.1.1 masquerade drop;fail
> > # masquerade with sets
>
On Sat, Mar 31, 2018 at 06:15:44PM +0200, Florian Westphal wrote:
> nft-test.py has a bug where it won't check beginning of rule when
> a set is used, i.e.
>
> foo { set } bar;ok; baz { set } bar
>
> passes, because we only check after {.
> Fixing that revealed two issues, fixed in first two patc
On Sat, Mar 31, 2018 at 06:15:47PM +0200, Florian Westphal wrote:
> nft-test.py currently fails to properly compare tests involving a set,
> after that bug is fixed these lines would fail, so fix this up before.
>
> Signed-off-by: Florian Westphal
> ---
> tests/py/ip/masquerade.t| 2
Hi Florian,
Sorry I overlooked this review, one comment below.
On Sat, Mar 31, 2018 at 06:13:49PM +0200, Florian Westphal wrote:
> Fernando Fernandez Mancera wrote:
>
> > +struct xt_osf_opt {
> > +__u16 kind, length;
> > +struct xt_osf_wcwc;
> > +};
>
>
Please, send your patches via git-send-email.
> diff --git a/include/linux/netfilter/nf_osf.h
> b/include/linux/netfilter/nf_osf.h
> new file mode 100644
> index ..5f2871fcde42
> --- /dev/null
> +++ b/include/linux/netfilter/nf_osf.h
This one needs to be in uapi because...
> @@ -0,0
On Sat, 2018-03-31 at 20:28 +0200, Pablo Neira Ayuso wrote:
> Hi Joe,
Hi Pablo.
> On Sat, Mar 31, 2018 at 12:05:19AM -0700, Joe Perches wrote:
> > Remove the local consts and use the new globals.
>
> This one is already upstream:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
On Sat, Mar 31, 2018 at 08:19:41PM +0530, Harsha Sharma wrote:
> updates from latest stable release of libgmp to get in sync with them
Nice.
Applied, thanks Harsha.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
Hi Joe,
On Sat, Mar 31, 2018 at 12:05:19AM -0700, Joe Perches wrote:
> Remove the local consts and use the new globals.
This one is already upstream:
https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git/commit/?id=9124a20d8794663a396b5d6f91f66903848a042b
I can see you're using is_b
This (hacky) patch translates 'ebtables --mark' to a native 'meta mark'
and dissects meta mark back to the ebt_mark_m binary representation when
parsing back nftables rules.
Plan is to do this for all the ebt matches/watchers/targets so that
1. 'nft list ruleset' shows correct/expected output
2.
We special case rules with sets ({}) so set members are sorted properly.
But we failed to check start of rule:
input: meta mark { 1, 2 } bar
expect: meta mark { 1, 2 } bar
We made sure 'bar' is equal in both input and expected output,
but we did not check start (before {).
This causes a gazilli
nft-test.py currently fails to properly compare tests involving a set,
after that bug is fixed these lines would fail, so fix this up before.
Signed-off-by: Florian Westphal
---
tests/py/any/ct.t | 4 ++--
tests/py/any/meta.t | 50 +-
2 files ch
Forgot to include '!=', this doesn't trigger at the moment due to
a bug in nft-test.py, so fix this before fixing our test script.
Signed-off-by: Florian Westphal
---
tests/py/ip6/mh.t | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/py/ip6/mh.t b/tests/py/ip6/mh.t
index
nft-test.py currently fails to properly compare tests involving a set,
after that bug is fixed these lines would fail, so fix this up before.
Signed-off-by: Florian Westphal
---
tests/py/ip/masquerade.t| 2 +-
tests/py/ip/redirect.t | 4 ++--
tests/py/ip/redirect.t.paylo
nft-test.py has a bug where it won't check beginning of rule when
a set is used, i.e.
foo { set } bar;ok; baz { set } bar
passes, because we only check after {.
Fixing that revealed two issues, fixed in first two patches.
Rest fixes up test suite to avoid false positives (the expected
test output
ip protocol 6 redirect to :tcp dport map { 22 : 8000, 80 : 8080}
is printed as
redirect to :tcp dport map { 22 : 8000, 80 : 8080}
but that input yields:
Error: transport protocol mapping is only valid after transport protocol match
so kill dependencies beforehand so nft won't remove it.
Signe
old:
add @set5{ ip6 saddr . ip6 daddr}
new:
add @set5 { ip6 saddr . ip6 daddr}
Signed-off-by: Florian Westphal
---
src/statement.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/statement.c b/src/statement.c
index b8e0b036b9eb..f81e0123adda 100644
--- a/src/statement.c
+
Fernando Fernandez Mancera wrote:
> +struct xt_osf_opt {
> +__u16 kind, length;
> +struct xt_osf_wcwc;
> +};
Please leave xt_foo things in the xt_osf header.
> +bool nf_osf_match(const struct sk_buff *skb, u_int8_t family,
> +int hooknum, st
Hi Fernando,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on nf-next/master]
url:
https://github.com/0day-ci/linux/commits/Fernando-Fernandez-Mancera/netfilter-nf_osf-implementation-nf_osf_ttl-and-nf_osf_match/20180331-225302
base: https://git.kernel.org/pub
Hi Fernando,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on nf-next/master]
url:
https://github.com/0day-ci/linux/commits/Fernando-Fernandez-Mancera/netfilter-nf_osf-implementation-nf_osf_ttl-and-nf_osf_match/20180331-225302
base: https://git.kernel.org
updates from latest stable release of libgmp to get in sync with them
Signed-off-by: Harsha Sharma
---
include/mini-gmp.h | 8 +-
src/mini-gmp.c | 436 +
2 files changed, 245 insertions(+), 199 deletions(-)
diff --git a/include/mini-gmp.
This patch allows to add, list and delete connection tracking timeout
policy via nft objref infrastructure.
Signed-off-by: Harsha Sharma
---
include/net/netfilter/nf_conntrack_timeout.h | 1 +
include/uapi/linux/netfilter/nf_tables.h | 15 ++-
net/netfilter/nft_ct.c
Add, list and delete ct timeout objects from specified table
Usage e.g.:
% ./nft-ct-timeout-add ip filter some-name tcp
% ./nft-ct-timeout-get ip filter
table filter name some-name use 0 [ ct_timeout family 2 protocol 6
policy = {SYN_SENT = 120,SYN_RECV = 60,ESTABLISHED = 432000,
FIN_WAIT = 120,CL
Add support for ct timeout objects, used to assign connection tracking
timeout policies.
Signed-off-by: Harsha Sharma
---
include/libnftnl/Makefile.am| 3 +-
include/libnftnl/cttimeout.h| 88 +++
include/libnftnl/object.h | 8 +
include/linux/netfilter/nf_table
Add support for ct timeout objects, used to assign connection
tracking timeout policies and examples.
Harsha Sharma (2):
src: add ct timeout support
examples: add nft-ct-timeout-{add,del,get}
examples/Makefile.am| 12 +
examples/nft-ct-timeout-add.c | 140
Remove the local consts and use the new globals.
Signed-off-by: Joe Perches
---
net/bridge/netfilter/ebt_stp.c | 6 ++
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/net/bridge/netfilter/ebt_stp.c b/net/bridge/netfilter/ebt_stp.c
index 3140eb912d7e..2b7479cc0140 100644
--- a/n
There are many local static and non-static arrays that are used for
Ethernet broadcast address output or comparison.
Centralize the array into a single separate file and remove the local
arrays.
Joe Perches (12):
ethernet: Add generic ether__addr addresses
treewide/net: Rename eth_stp_addr to