Yi-Hung Wei and Justin Pettit found a race in the garbage collection scheme
used by nf_conncount.
When doing list walk, we lookup the tuple in the conntrack table.
If the lookup fails we remove this tuple from our list because
the conntrack entry is gone.
This is the common cause, but turns
policy type is erroneously handled via verdict, this is wrong.
It is a different event type and needs to be handled as such.
before:
trace id 42b54e71 inet filter input packet: iif "lo" ip saddr 127.0.0.1 ..
trace id 42b54e71 inet filter input rule ip protocol icmp nftrace set 1
(verdict
Hi Máté,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on nf-next/master]
url:
https://github.com/0day-ci/linux/commits/M-t-Eckl/netfilter-Add-native-tproxy-support-for-nf_tables/20180620-222749
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Máté Eckl wrote:
> On Wed, Jun 20, 2018 at 01:29:51PM +0200, Florian Westphal wrote:
> > Máté Eckl wrote:
> > > This patch is built on the commit not applied yet with the title:
> > > evaluate: Detect address family in inet context
> >
> > You can add this ...
> >
> > > Example ruleset:
> >
ѽ҉ᶬḳ℠ wrote:
moving to nf-devel.
> Having this very simple setup icmp is not getting through at the target
> machine. Flushing the nft ruleset the icmp traffic is getting through.
Yes, this set
> table inet filter {
> chain input {
> type filter hook input priority 0; policy drop;
On Wed, Jun 20, 2018 at 01:29:51PM +0200, Florian Westphal wrote:
> Máté Eckl wrote:
> > This patch is built on the commit not applied yet with the title:
> > evaluate: Detect address family in inet context
>
> You can add this ...
>
> > Example ruleset:
> > table inet x {
> >
The original arptables tool is now the legacy version, let's rename it.
A more up-to-date client of the arptables tool is provided in the iptables
tarball. The new tool was formerly known as arptables-compat.
The new -legacy binary should have no problem if called via a symlink.
Signed-off-by:
On Wed, Jun 20, 2018 at 02:40:09PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > A few comments on top of Florian's.
> >
> > On Wed, Jun 20, 2018 at 12:41:29PM +0200, Máté Eckl wrote:
> > [...]
> > > +#if IS_ENABLED(CONFIG_NF_TPROXY_IPV6)
> > > +static void
Pablo Neira Ayuso wrote:
> A few comments on top of Florian's.
>
> On Wed, Jun 20, 2018 at 12:41:29PM +0200, Máté Eckl wrote:
> [...]
> > +#if IS_ENABLED(CONFIG_NF_TPROXY_IPV6)
> > +static void nft_tproxy_eval_v6(const struct nft_expr *expr,
> > + struct nft_regs *regs,
> >
On Wed, Jun 20, 2018 at 02:21:18PM +0200, Máté Eckl wrote:
> On Wed, Jun 20, 2018 at 01:40:45PM +0200, Pablo Neira Ayuso wrote:
> > On Mon, Jun 18, 2018 at 11:57:10AM +0200, Máté Eckl wrote:
> > > Signed-off-by: Máté Eckl
> > > ---
> > > src/evaluate.c | 20 ++--
> > > 1 file
On Wed, Jun 20, 2018 at 01:40:45PM +0200, Pablo Neira Ayuso wrote:
> On Mon, Jun 18, 2018 at 11:57:10AM +0200, Máté Eckl wrote:
> > Signed-off-by: Máté Eckl
> > ---
> > src/evaluate.c | 20 ++--
> > 1 file changed, 18 insertions(+), 2 deletions(-)
> >
> > diff --git
A few comments on top of Florian's.
On Wed, Jun 20, 2018 at 12:41:29PM +0200, Máté Eckl wrote:
[...]
> +#if IS_ENABLED(CONFIG_NF_TPROXY_IPV6)
> +static void nft_tproxy_eval_v6(const struct nft_expr *expr,
> + struct nft_regs *regs,
> + const struct
Hi!
This looks good, but some comments.
On Tue, Jun 19, 2018 at 11:50:24AM +0200, Máté Eckl wrote:
> v3:
> - no tokens are used for priority names, lookup is used instead
> - names and values are moved out to a structure
> - the helper function became unnecessary, thus I removed it
>
> -- 8<
On Wed, Jun 20, 2018 at 10:10:34AM +0200, Phil Sutter wrote:
> Hi Eric,
>
> On Tue, Jun 19, 2018 at 11:46:56PM +0200, Eric Leblond wrote:
> > Move import and use explicit parameter in object creation.
> > ---
> > tests/py/nft-test.py | 7 +--
> > 1 file changed, 5 insertions(+), 2
On Mon, Jun 18, 2018 at 11:57:10AM +0200, Máté Eckl wrote:
> Signed-off-by: Máté Eckl
> ---
> src/evaluate.c | 20 ++--
> 1 file changed, 18 insertions(+), 2 deletions(-)
>
> diff --git a/src/evaluate.c b/src/evaluate.c
> index d6aff61..0564b44 100644
> --- a/src/evaluate.c
>
Máté Eckl wrote:
> There are some changes compared to the iptables implementation:
> - tproxy statement is not terminal here
> - no transport protocol criterion is necessary to set target ip address
> + const struct nft_tproxy *priv = nft_expr_priv(expr);
> + struct sk_buff *skb =
Signed-off-by: Máté Eckl
---
tests/py/inet/tproxy.t | 11 +++
tests/py/inet/tproxy.t.payload | 59 ++
tests/py/ip/tproxy.t | 12 +++
tests/py/ip/tproxy.t.payload | 24 ++
tests/py/ip6/tproxy.t | 13
Máté Eckl wrote:
> This patch fixes address evaluation in inet context.
>
> Outside of an ip table, the address type before evaluation was set to
> ipv6 address by default, which caused error when adding ipv4 address to
> an inet table.
>
> Example:
> # nft add rule inet x y tproxy to
This patch is built on the commit not applied yet with the title:
netfilter: Move nf_tproxy_assign_sock to nf_tproxy.h
-- 8< --
A great portion of the code is taken from xt_TPROXY.c
There are some changes compared to the iptables implementation:
- tproxy statement is not terminal here
This patch is built on the commit not applied yet with the title:
evaluate: Detect address family in inet context
-- 8< --
This patch adds support for transparent proxy functionality which is
supported in ip, ip6 and inet tables.
The syntax is the following:
tproxy [to [][:]]
Signed-off-by: Máté Eckl
---
include/libnftnl/expr.h | 6 +
include/linux/netfilter/nf_tables.h | 16 +++
src/Makefile.am | 1 +
src/expr/tproxy.c | 206
src/expr_ops.c | 2 +
5 files
The following patches introduce transparent proxy support for nf_tables.
This is just a coverletter for those commits, the details are in the individual
commit messages.