Reduces repetition, follow patch adds back suppression of
src/dst mac when it was not given.
Signed-off-by: Florian Westphal
---
iptables/nft-bridge.c | 77 ---
1 file changed, 24 insertions(+), 53 deletions(-)
diff --git a/iptables/nft-bridge.c b
They don't exist in the legacy ABI, so don't pretend otherwise.
Signed-off-by: Florian Westphal
---
iptables/nft-bridge.c | 10 +-
iptables/xshared.h | 3 ---
2 files changed, 1 insertion(+), 12 deletions(-)
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 162a87e0bb
Allow checking for an all-zero mac address by replacing checks on the
address with a check on the option flag.
It's set when '-d' or '-s' appears on the command line and when seeing
a linklayer payload request for ether s/daddr.
Same for -p: s this flag gets removed during getopt when 'p' is encou
kernel would reject such syntax as it enforces
-p and --ip(6)-protocol, so add those as well, no point in testing
something the kernel would not accept
(This doesn't affect the translations).
Signed-off-by: Florian Westphal
---
extensions/libebt_ip.txlate | 18 +-
extensions/li
Signed-off-by: Florian Westphal
---
iptables/xtables-eb-translate.c | 40
iptables/xtables-eb.c | 39 +++
2 files changed, 23 insertions(+), 56 deletions(-)
diff --git a/iptables/xtables-eb-translate.c b/iptab
before:
Bridge chain: OUTPUT, entries: 4, policy: ACCEPT
-o ! noout -j CONTINUE
-o out -j CONTINUE
--logical-out notlogout -j CONTINUE
--logical-out logout -j CONTINUE
after:
Bridge chain: OUTPUT, entries: 5, policy: ACCEPT
-o ! noout -j CONTINUE
-o out -j CONTINUE
--logical-out ! notlogout -j CON
Signed-off-by: Florian Westphal
---
iptables/nft-bridge.c | 44 ++--
1 file changed, 26 insertions(+), 18 deletions(-)
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 1887586c8428..5f9a02c297cb 100644
--- a/iptables/nft-bridge.c
+++ b/ipta
Use iptables_command_state instead.
This allows re-using code from the ip(6)tables layer and
reduces copy&pasted code.
Signed-off-by: Florian Westphal
---
iptables/nft-bridge.c | 190
iptables/nft-bridge.h | 56 +---
iptables/
This always uses xtables_ipv4 (which is same as _ipv6).
Pass the correct skeleton instead; this is needed to handle ebtables
correctly from xt-translate, as it doesn't use ip/ip6 tables.
Signed-off-by: Florian Westphal
---
iptables/xtables-restore.c | 41 +--
This patch set fixes various bugs in xtables bridge netfilter:
- interface wildcard matching was broken
- interface negation did not work
- an all-zero mask was ignored rather than tested.
This also removes duplicated code by reusing ipt command state.
extensions/libebt_ip.txlate | 18 -
if (outiface[len] == '\0')
is always true. 'eth+' is stored as 'eth' with length 3, so
"eth"[3] == 0.
'eth' is stored as 'eth\0' with length 4, so "eth\0"[4] is also true.
Add a helper for this, then use it.
Signed-off-by: Florian Westphal
---
iptables/nft-shared.c | 44
On Sun, May 06, 2018 at 06:45:31PM +0100, Al Viro wrote:
> On Sun, May 06, 2018 at 08:19:49PM +0300, Alexey Dobriyan wrote:
> > @@ -62,9 +62,9 @@ struct proc_dir_entry {
> > umode_t mode;
> > u8 namelen;
> > #ifdef CONFIG_64BIT
> > -#define SIZEOF_PDE_INLINE_NAME (192-139)
> > +#defin
On Wed, May 09, 2018 at 04:03:39PM +0200, Phil Sutter wrote:
> As discussed before, this patch series introduces 'handle' keyword to
> add/insert rule commands as a more intuitive and consistent alternative
> to 'position'.
>
> On top of that, adding/inserting rules at an absolute position is
> im
On Fri, May 4, 2018 at 4:54 PM, Richard Guy Briggs wrote:
> Group the audit parameters for each task into one structure.
> In particular, remove the loginuid and sessionid values and the audit
> context pointer from the task structure, replacing them with an audit
> task information structure to c
On Fri, May 4, 2018 at 4:54 PM, Richard Guy Briggs wrote:
> The audit-related parameters in struct task_struct should ideally be
> collected together and accessed through a standard audit API.
>
> Collect the existing loginuid, sessionid and audit_context together in a
> new struct audit_task_info
On Fri, May 4, 2018 at 4:54 PM, Richard Guy Briggs wrote:
> Recognizing that the audit context is an internal audit value, use an
> access function to retrieve the audit context pointer for the task
> rather than reaching directly into the task struct to get it.
>
> Signed-off-by: Richard Guy Brig
On Tue, May 8, 2018 at 9:34 PM, Richard Guy Briggs wrote:
> On 2018-05-04 16:54, Richard Guy Briggs wrote:
>> Use a macro, "AUDIT_SID_UNSET", to replace each instance of
>> initialization and comparison to an audit session ID.
>>
>> Signed-off-by: Richard Guy Briggs
>
> There's a minor issue with
On Fri, May 4, 2018 at 4:54 PM, Richard Guy Briggs wrote:
> Recognizing that the loginuid is an internal audit value, use an access
> function to retrieve the audit loginuid value for the task rather than
> reaching directly into the task struct to get it.
>
> Signed-off-by: Richard Guy Briggs
>
Combine it with 0002insertposition_0 due to the many similarities,
extend it to test 'handle' and 'index' parameters as well and rename the
testcase accordingly.
Also add a new 0002addinsertlocation_1 which tests that a wrong argument
to any of the location parameters fails.
Signed-off-by: Phil Sut
Instead, use 'handle' keyword for the same effect since that is more
consistent with respect to replace/delete commands. The old keyword is
still supported for backwards compatibility and also listed in man page
along with a hint that it shouldn't be used anymore.
Signed-off-by: Phil Sutter
---
As discussed before, this patch series introduces 'handle' keyword to
add/insert rule commands as a more intuitive and consistent alternative
to 'position'.
On top of that, adding/inserting rules at an absolute position is
implemented via the new 'index' keyword.
Phil Sutter (4):
Deprecate add/
Allow specifying an absolute rule position in add/insert commands like
with iptables. The translation to rule handle takes place in userspace,
so no kernel support for this is needed. Possible undesired effects are
pointed out in man page to make users aware that this way of specifying
a rule locat
This allows making error messages point to the right part of the
command after handles were merged.
Signed-off-by: Phil Sutter
---
src/rule.c | 12 +---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/rule.c b/src/rule.c
index 2f0123b7a4a58..f0c6048cc0479 100644
--- a/
On Wed, May 09, 2018 at 01:22:56PM +0100, Colin King wrote:
> From: Colin Ian King
>
> Currently the -EBUSY error return path is not free'ing resources
> allocated earlier, leaving a memory leak. Fix this by exiting via the
> error exit label err5 that performs the necessary resource clean
> up.
From: Colin Ian King
Currently the -EBUSY error return path is not free'ing resources
allocated earlier, leaving a memory leak. Fix this by exiting via the
error exit label err5 that performs the necessary resource clean
up.
Detected by CoverityScan, CID#1432975 ("Resource leak")
Fixes: 9744a6f
On 2018-05-09 12:07, Tobin C. Harding wrote:
> On Fri, May 04, 2018 at 04:54:37PM -0400, Richard Guy Briggs wrote:
> > Recognizing that the audit context is an internal audit value, use an
> > access function to set the audit context pointer for the task
> > rather than reaching directly into the t
Signed-off-by: Florian Westphal
---
tests/py/any/ct.t | 7 +--
tests/py/any/ct.t.payload | 19 ---
2 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/tests/py/any/ct.t b/tests/py/any/ct.t
index ce6d51a40115..5ed3b4a0f090 100644
--- a/tests/py/any/ct.t
+++
Not usable yet, as the set timeout netlink output isn't captured so far,
but it adds groundwork to add this as a follow-up.
Set definition syntax changes a little: if you want to
add multiple elements, they now have to be separated by "," just
like in nftables.
Signed-off-by: Florian Westphal
---
On 9 May 2018 at 10:45, Pablo Neira Ayuso wrote:
> CC read_config_lex.o
> read_config_lex.c: In function ‘yy_get_next_buffer’:
> read_config_lex.c:2101:18: warning: comparison between signed and unsigned
> integer expressions [-Wsign-compare]
> for ( n = 0; n < max_size && \
>
On 1 May 2018 at 14:16, Andreas Jaggi wrote:
> Extend the JSON output plugin so that the generated JSON stream can be
> sent to a remote host via TCP/UDP or to a local unix socket.
>
> Signed-off-by: Andreas Jaggi
> ---
> output/ulogd_output_JSON.c | 225 +
>
CC read_config_lex.o
read_config_lex.c: In function ‘yy_get_next_buffer’:
read_config_lex.c:2101:18: warning: comparison between signed and unsigned
integer expressions [-Wsign-compare]
for ( n = 0; n < max_size && \
^
read_config_lex.c:3016:3: note: in expansion of ma
On Wed, May 09, 2018 at 03:12:54AM -0500, Ahmed Abdelsalam wrote:
> This patch adds some testcases for psid, nsid, and lsid matches
> into libip6t_srh.t
Applied, thanks.
Eckl, Máté wrote:
> > > --- a/src/meta.c
> > > +++ b/src/meta.c
> > > @@ -439,6 +439,8 @@ static const struct meta_template meta_templates[]
> = {
> > > BYTEORDER_BIG_ENDIAN), /*
> avoid conversion; doesn't have endianess */
> > > [NFT_META_SECPA
This patch adds some testcases for psid, nsid, and lsid matches
into libip6t_srh.t
Signed-off-by: Ahmed Abdelsalam
---
extensions/libip6t_srh.t | 2 ++
1 file changed, 2 insertions(+)
diff --git a/extensions/libip6t_srh.t b/extensions/libip6t_srh.t
index 08897d5..07b5403 100644
--- a/extensions/
> > --- a/src/meta.c
> > +++ b/src/meta.c
> > @@ -439,6 +439,8 @@ static const struct meta_template meta_templates[]
= {
> > BYTEORDER_BIG_ENDIAN), /*
avoid conversion; doesn't have endianess */
> > [NFT_META_SECPATH] = META_TEMPLATE("secpath
Thanks for the comments Florian.
(Sorry I missed the mailing list from my first response.)
Florian Westphal wrote (date: 7 May 2018, Mon, 23:23):
> Máté Eckl wrote:
> > I have been working on a skeleton for socket matching which is required
by
> > tproxy support.
> >
> > See the WIP pat