Hi Pablo,
I love your patch! Yet something to improve:
[auto build test ERROR on nf-next/master]
[also build test ERROR on v4.17-rc5]
[cannot apply to nf/master next-20180517]
[if your patch is applied to the wrong git tree, please drop us a note to help
improve the system]
url:
https
On Wed, May 16, 2018 at 7:55 AM, Richard Guy Briggs wrote:
> On the rebase of the following commit on the new seccomp actions_logged
> function, one audit_context access was missed.
>
> commit cdfb6b341f0f2409aba24b84f3b4b2bba50be5c5
> ("audit: use inline function to get audit
On Wed, May 16, 2018 at 7:55 AM, Richard Guy Briggs wrote:
> The audit-related parameters in struct task_struct should ideally be
> collected together and accessed through a standard audit API.
>
> Collect the existing loginuid, sessionid and audit_context together in a
> new
On Wed, May 16, 2018 at 7:55 AM, Richard Guy Briggs wrote:
> Recognizing that the loginuid is an internal audit value, use an access
> function to retrieve the audit loginuid value for the task rather than
> reaching directly into the task struct to get it.
>
> Signed-off-by:
Christoph Hellwig writes:
> On Thu, May 17, 2018 at 12:28:01AM -0500, Eric W. Biederman wrote:
>> > struct pid_namespace *proc_pid_namespace(struct inode *inode)
>> > {
>> > 	// maybe warn on for s_magic not on procfs??
>> > 	return inode->i_sb->s_fs_info;
>> > }
>>
>> That
Máté Eckl wrote:
> This series of patches fix or supplement files related to python tests that I
> have met during my first test case.
>
> Máté Eckl (7):
> test: Specify python version in nft-test.py
> test: Small typo fixes in the python tests README
> test/py: Updated
Phil Sutter wrote:
> Bridge family allows reject statement in prerouting and input chains
> only. Users can't know without looking at kernel code.
Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to
Máté Eckl wrote:
> +socket_stmt : SOCKET EXISTS /* with the actual
> implementation we cannot match abscence */
I think we should go for a native expression.
I'll leave it up to you what you'd like to do next.
There are a few options:
1. First go for TPROXY
Taehee Yoo wrote:
> In the nft_meta_set_eval, nftrace value is dereferenced as u32 from sreg.
> But the correct type is u8, so sometimes an incorrect value is dereferenced.
Acked-by: Florian Westphal
In the nft_meta_set_eval, nftrace value is dereferenced as u32 from sreg.
But the correct type is u8, so sometimes an incorrect value is dereferenced.
Steps to reproduce:
%nft add table ip filter
%nft add chain ip filter input { type filter hook input priority 4\; }
%nft add rule ip
Máté Eckl wrote:
> Originally I also added the following lines but it made the print too slow for
> the test to pass.
>
> It printed the following warning:
> inet/socket.t: WARNING: line 8: 'add rule ip sockip4 sockchain socket
> exists': 'socket exists' mismatches
On Thu, May 17, 2018 at 12:42:00PM +0200, Jan Engelhardt wrote:
>
> On Thursday 2018-05-17 12:09, Greg Kroah-Hartman wrote:
> >> > --- a/net/netfilter/x_tables.c
> >> > +++ b/net/netfilter/x_tables.c
> >> > @@ -1183,11 +1183,10 @@ struct xt_table_info
> >> > *xt_alloc_table_info(unsigned int
Adding ARP example in order to dump the info in the form:
index= family= dst= lladdr=
state=
Signed-off-by: Laura Garcia Liebana
---
examples/rtnl/Makefile.am | 6 +-
examples/rtnl/rtnl-arp-dump.c | 161 ++
2 files changed, 166
On Fri, May 11, 2018 at 12:13:26AM +0200, Laura Garcia Liebana wrote:
> The following patches complete the implementation of map lookups
> using as a key the given number generator like incremental, random or
> the different hash algorithms supported. This is useful for load
> balancing use cases
On Tue, May 08, 2018 at 10:05:38AM +0200, Florian Westphal wrote:
> Stephen Rothwell says:
> today's linux-next build (x86_64 allmodconfig) produced this warning:
> ./usr/include/linux/netfilter/nf_osf.h:25: found __[us]{8,16,32,64} type
> without #include
>
> Fix that up and also move
On Fri, May 11, 2018 at 09:55:39PM +0200, Florian Westphal wrote:
> nfnetlink tracing is available since nft 0.6 (June 2016).
> Remove old nf_log based tracing to avoid rule counter in main loop.
Applied, thanks.
In nfqueue, two consecutive skbuffs may race to create the conntrack
entry. Hence, the one that loses the race gets dropped due to clash in
the insertion into the hashes from the nf_conntrack_confirm() path.
This patch adds a new nf_conntrack_update() function which searches for
possible clashes
Move the nf_ct_destroy indirection to the struct nf_ct_hook.
Signed-off-by: Pablo Neira Ayuso
---
v3: no changes
include/linux/netfilter.h | 7 ++-
net/netfilter/core.c | 14 +++---
net/netfilter/nf_conntrack_core.c | 9 ++---
3 files
Move decode_session() and parse_nat_setup_hook() indirections to struct
nf_nat_hook structure.
Signed-off-by: Pablo Neira Ayuso
---
v3: Move nf_nat_hook definition to linux/netfilter.h to address kbuild robot
reports.
include/linux/netfilter.h| 21
On Wed, May 16, 2018 at 04:21:05PM +0200, Florian Westphal wrote:
> Taehee Yoo wrote:
> > In the nft_ct_helper_obj_dump(), always priv->helper4 is dereferenced.
> > But if family is ipv6, priv->helper6 should be dereferenced.
> >
> > Steps to reproduce:
> >
> >#test.nft
On Thursday 2018-05-17 12:09, Greg Kroah-Hartman wrote:
>> > --- a/net/netfilter/x_tables.c
>> > +++ b/net/netfilter/x_tables.c
>> > @@ -1183,11 +1183,10 @@ struct xt_table_info *xt_alloc_table_info(unsigned
>> > int size)
>> > * than shoot all processes down before realizing there is
On Thu, May 17, 2018 at 02:55:42AM -0700, Eric Dumazet wrote:
>
>
> On 05/17/2018 02:34 AM, Greg Kroah-Hartman wrote:
> > When allocating a xt_table_info structure, we should be clearing out the
> > full amount of memory that was allocated, not just the "header" of the
> > structure. Otherwise
On 05/17/2018 02:34 AM, Greg Kroah-Hartman wrote:
> When allocating a xt_table_info structure, we should be clearing out the
> full amount of memory that was allocated, not just the "header" of the
> structure. Otherwise odd values could be passed to userspace, which is
> not a good thing.
>
>
When allocating a xt_table_info structure, we should be clearing out the
full amount of memory that was allocated, not just the "header" of the
structure. Otherwise odd values could be passed to userspace, which is
not a good thing.
Cc: stable
Signed-off-by: Greg
On Thu, May 17, 2018 at 10:59:51AM +0200, Michal Kubecek wrote:
> On Thu, May 17, 2018 at 10:44:42AM +0200, Greg Kroah-Hartman wrote:
> > When allocating a xt_table_info structure, we should be clearing out the
> > full amount of memory that was allocated, not just the "header" of the
> >
On Thu, May 17, 2018 at 10:44:42AM +0200, Greg Kroah-Hartman wrote:
> When allocating a xt_table_info structure, we should be clearing out the
> full amount of memory that was allocated, not just the "header" of the
> structure. Otherwise odd values could be passed to userspace, which is
> not a
When allocating a xt_table_info structure, we should be clearing out the
full amount of memory that was allocated, not just the "header" of the
structure. Otherwise odd values could be passed to userspace, which is
not a good thing.
Cc: stable
Signed-off-by: Greg
Originally I also added the following lines but it made the print too slow for
the test to pass.
It printed the following warning:
inet/socket.t: WARNING: line 8: 'add rule ip sockip4 sockchain socket
exists': 'socket exists' mismatches 'socke'
inet/socket.t: WARNING: line 9:
It is good to know that a log is generated even without browsing the
nft-test.py source code.
Also print_info function is introduced.
Signed-off-by: Máté Eckl
---
tests/py/README | 2 ++
tests/py/nft-test.py | 5 -
2 files changed, 6 insertions(+), 1 deletion(-)
This series of patches fix or supplement files related to python tests that I
have met during my first test case.
Máté Eckl (7):
test: Specify python version in nft-test.py
test: Small typo fixes in the python tests README
test/py: Updated test file structure descripion in README
test:
Socket matching is achieved using the nft_compat interface.
The list of known limitations of the current implementation are:
* The absence of a corresponding socket cannot be matched (`socket
missing`).
* Only transparent socket flag can be matched, nowildcard is not a flag,
it should be
The order of the table and chain definitions have changed in test files.
Now the name of the chain has to be specified in the definition of the
table, so their order is reverted.
Signed-off-by: Máté Eckl
---
tests/py/README | 18 +-
1 file changed, 9
/usr/bin/python is linked to different main version of python in
different distributions (eg. 2 on debian, 3 on arch linux).
Signed-off-by: Máté Eckl
---
tests/py/nft-test.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/py/nft-test.py
Signed-off-by: Máté Eckl
---
tests/py/README | 29 ++---
1 file changed, 26 insertions(+), 3 deletions(-)
diff --git a/tests/py/README b/tests/py/README
index 0e12dfa..ed5dc58 100644
--- a/tests/py/README
+++ b/tests/py/README
@@ -104,7 +104,30 @@ Line
Signed-off-by: Máté Eckl
---
tests/py/nft-test.py | 10 --
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py
index b536e9c..edc0b4b 100755
--- a/tests/py/nft-test.py
+++ b/tests/py/nft-test.py
@@ -161,15 +161,13
Signed-off-by: Máté Eckl
---
tests/py/inet/socket.t | 10 ++
tests/py/inet/socket.t.payload | 8
2 files changed, 18 insertions(+)
create mode 100644 tests/py/inet/socket.t
create mode 100644 tests/py/inet/socket.t.payload
diff --git
Signed-off-by: Máté Eckl
---
tests/py/README | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/py/README b/tests/py/README
index 66f706f..005fe8e 100644
--- a/tests/py/README
+++ b/tests/py/README
@@ -77,7 +77,7 @@ Here, an example of a test file:
On Thu, May 17, 2018 at 12:28:01AM -0500, Eric W. Biederman wrote:
> > struct pid_namespace *proc_pid_namespace(struct inode *inode)
> > {
> > // maybe warn on for s_magic not on procfs??
> > return inode->i_sb->s_fs_info;
> > }
>
> That should work. Ideally out of line for the proc_fs.h