Hi Harsha,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on nf-next/master]
url:
https://github.com/0day-ci/linux/commits/Harsha-Sharma/netfilter-cttimeout-move-ctnl_untimeout-to-nf_conntrack/20180714-095352
base:
Hi Harsha,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on nf-next/master]
url:
https://github.com/0day-ci/linux/commits/Harsha-Sharma/netfilter-nft_ct-add-ct-timeout-support/20180714-095128
base:
Hi Harsha,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on nf-next/master]
url:
https://github.com/0day-ci/linux/commits/Harsha-Sharma/netfilter-cttimeout-move-ctnl_untimeout-to-nf_conntrack/20180714-095352
base:
Hi Pablo,
I love your patch! Perhaps something to improve:
[auto build test WARNING on nf-next/master]
url:
https://github.com/0day-ci/linux/commits/Pablo-Neira-Ayuso/netfilter-nf_osf-add-nf_osf_match_one/20180714-051307
base:
IPV6=m
DEFRAG_IPV6=m
CONNTRACK=y yields:
net/netfilter/nf_conntrack_proto.o: In function `nf_ct_netns_do_get':
net/netfilter/nf_conntrack_proto.c:802: undefined reference to
`nf_defrag_ipv6_enable'
net/netfilter/nf_conntrack_proto.o:(.rodata+0x640): undefined reference to
As ctnl_untimeout is required by nft_ct, move ctnl_timeout from
nfnetlink_cttimeout to nf_conntrack_timeout and rename it as nf_ct_timeout.
Signed-off-by: Harsha Sharma
---
include/net/netfilter/nf_conntrack_timeout.h | 1 +
net/netfilter/nf_conntrack_timeout.c | 17 +
This patch allows adding, listing and deleting connection tracking timeout
policies via the nft objref infrastructure and assigning these timeouts
via nft rule.
Ruleset:
table ip raw {
        ct timeout cttime {
                protocol tcp
                established 111 close 13
                l3proto ip
        }
        chain output {
This new function allows us to check if there is a TCP SYN packet matching
a given fingerprint that can be reused from the upcoming new
nf_osf_find() function.
Signed-off-by: Pablo Neira Ayuso
---
Compile tested only.
net/netfilter/nf_osf.c | 207
Wrap context that allows us to guess the OS into a structure.
Signed-off-by: Pablo Neira Ayuso
---
Compile tested only.
net/netfilter/nf_osf.c | 105 +
1 file changed, 62 insertions(+), 43 deletions(-)
diff --git a/net/netfilter/nf_osf.c
This new function returns the OS genre as a string. Plan is to use it
from the new nft_osf extension.
Note that this doesn't yet support ttl options, but it could be easily
extended to do so.
Signed-off-by: Pablo Neira Ayuso
---
Compile tested only.
include/linux/netfilter/nf_osf.h | 3 +++
On Fri, Jul 13, 2018 at 02:38:19PM +0200, Florian Westphal wrote:
> Máté Eckl wrote:
> > But that means that this solution cannot support bridge family at all. Or BRNF
> > stands for something that can be interpreted as filter?
>
> Currently bridge family has no special hooks, they are all
Máté Eckl wrote:
> But that means that this solution cannot support bridge family at all. Or BRNF
> stands for something that can be interpreted as filter?
Currently bridge family has no special hooks, they are all 'filter'.
So it would be fine to only support numbers in my opinion.
We can
On Fri, Jul 13, 2018 at 12:59:14PM +0200, Pablo Neira Ayuso wrote:
> On Fri, Jul 13, 2018 at 12:45:34PM +0200, Florian Westphal wrote:
> > Pablo Neira Ayuso wrote:
> > > On Fri, Jul 13, 2018 at 12:22:51PM +0200, Máté Eckl wrote:
> > > > > > BTW, srcnat only makes sense from postrouting, I think
Pablo Neira Ayuso wrote:
> On Fri, Jul 13, 2018 at 12:22:51PM +0200, Máté Eckl wrote:
> > > > BTW, srcnat only makes sense from postrouting, I think it would be
> > > > possible to reject things that make no sense from there, like srcnat
> > > > with prerouting as in the example above.
> > >
On Fri, Jul 13, 2018 at 12:22:51PM +0200, Máté Eckl wrote:
> > > BTW, srcnat only makes sense from postrouting, I think it would be
> > > possible to reject things that make no sense from there, like srcnat
> > > with prerouting as in the example above.
> >
> > I'll look after this.
>
> What
> > BTW, srcnat only makes sense from postrouting, I think it would be
> > possible to reject things that make no sense from there, like srcnat
> > with prerouting as in the example above.
>
> I'll look after this.
What do you think about this compatibility "matrix"?
static bool