[PATCH] nft: doc: Fixed all the typos in asciidoc

2018-08-07 Thread Arushi Singhal
Correct all the typos made while converting the man page source to asciidoc. Signed-off-by: Arushi Singhal --- doc/data-types.txt | 2 +- doc/nft.txt| 7 +++ doc/primary-expression.txt | 2 +- doc/statements.txt | 6 +++--- 4 files changed, 8

[PATCH] nft: doc: fix make distcheck

2018-08-07 Thread Arushi Singhal
Fix make distcheck for the conversion to asciidoc. Signed-off-by: Arushi Singhal --- doc/Makefile.am | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/Makefile.am b/doc/Makefile.am index 291bcc8..4d8cd98 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -17,11

[PATCH v2] nft: doc: changes in configure file for PDF creation

2018-08-07 Thread Arushi Singhal
Changes in package dependencies for PDF creation (nft.pdf) from asciidoc. Signed-off-by: Arushi Singhal --- changes in v2 - remove duplication of code configure.ac | 10 +- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/configure.ac b/configure.ac index c1c9035..11e1ebb

[PATCH nf-next] netfilter: nfnetlink_osf: add missing enum in nfnetlink_osf uapi header

2018-08-07 Thread Fernando Fernandez Mancera
Signed-off-by: Fernando Fernandez Mancera --- include/linux/netfilter/nfnetlink_osf.h | 12 include/uapi/linux/netfilter/nfnetlink_osf.h | 13 + include/uapi/linux/netfilter/xt_osf.h| 1 + 3 files changed, 14 insertions(+), 12 deletions(-) diff --git

Re: [Bug 200651] New: cgroups iptables-restor: vmalloc: allocation failure

2018-08-07 Thread Michal Hocko
On Tue 07-08-18 20:23:55, Florian Westphal wrote: > Michal Hocko wrote: > > Subject: [PATCH] netfilter/x_tables: do not fail xt_alloc_table_info too > > easily > > [..] > > > - /* __GFP_NORETRY is not fully supported by kvmalloc but it should > > - * work reasonably well if sz is too

Re: [Bug 200651] New: cgroups iptables-restor: vmalloc: allocation failure

2018-08-07 Thread Florian Westphal
Michal Hocko wrote: > Subject: [PATCH] netfilter/x_tables: do not fail xt_alloc_table_info too > easily [..] > - /* __GFP_NORETRY is not fully supported by kvmalloc but it should > - * work reasonably well if sz is too large and bail out rather > - * than shoot all processes

Re: [PATCH nft] doc: Add comment possibility to man page

2018-08-07 Thread Pablo Neira Ayuso
On Tue, Aug 07, 2018 at 12:20:37PM +1000, Duncan Roe wrote: > On Mon, Aug 06, 2018 at 08:58:21PM +0200, Máté Eckl wrote: > > Commenting is really useful in complex rulesets, however it is not > > documented that they can be added to any rule. > > > > This patch adds commenting possibility to the

Re: [PATCH] doc: user niggles

2018-08-07 Thread Pablo Neira Ayuso
On Tue, Aug 07, 2018 at 01:54:01PM +1000, Duncan Roe wrote: > - data-types.txt: "user space" -> userspace to match usage in statements.txt > & >data-types.txt > - nft.txt: "an user-defined" sounds odd to a native English speaker (trust > me) >so change to "a user-defined" > > These

Re: [PATCH nft] doc: fix syntax for RULES

2018-08-07 Thread Pablo Neira Ayuso
On Tue, Aug 07, 2018 at 12:10:56PM +1000, Duncan Roe wrote: > On Mon, Aug 06, 2018 at 08:58:19PM +0200, Máté Eckl wrote: > > [] means optional but 'add' or 'insert' is not optional one of them is > > required > > which is usually signed with {} braces. > > > Acked-by: Duncan Roe > >

[PATCH nft] parser_bison: allow to use new osf expression from assignment statement

2018-08-07 Thread Pablo Neira Ayuso
So the following rule to set the conntrack mark based on the OS passive recognition works: # nft add rule x y ct mark set osf name map { "Windows" : 1, "MacOs" : 2 } Fixes: 9f28b685b473 ("src: introduce passive OS fingerprint matching") Signed-off-by: Pablo Neira Ayuso --- src/parser_bison.y

Re: [PATCH libnftnl] expr: osf: modify _snprintf_default function

2018-08-07 Thread Pablo Neira Ayuso
On Tue, Aug 07, 2018 at 11:42:15AM +0200, Fernando Fernandez Mancera wrote: > Signed-off-by: Fernando Fernandez Mancera > --- > src/expr/osf.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/src/expr/osf.c b/src/expr/osf.c > index 1541390..ac7a6f3 100644 > ---

Re: [PATCH 1/2 nft v2] src: use NFT_OSF_MAXGENRELEN instead of IFNAMSIZ in osf.c

2018-08-07 Thread Pablo Neira Ayuso
On Tue, Aug 07, 2018 at 11:44:06AM +0200, Fernando Fernandez Mancera wrote: > As no "genre" in pf.os exceeds 16 bytes in length, we reduce the > NFT_OSF_MAXGENRELEN parameter to 16 bytes and use it instead of IFNAMSIZ. Applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe

Re: [PATCH nf-next v2] netfilter: nft_osf: use NFT_OSF_MAXGENRELEN instead of IFNAMSIZ

2018-08-07 Thread Pablo Neira Ayuso
On Tue, Aug 07, 2018 at 11:43:02AM +0200, Fernando Fernandez Mancera wrote: > As no "genre" in pf.os exceeds 16 bytes in length, we reduce the > NFT_OSF_MAXGENRELEN parameter to 16 bytes and use it instead of IFNAMSIZ. Looks good, applied, thanks.

Re: [PATCH libnftnl v4 1/3] src: add ct timeout support

2018-08-07 Thread Pablo Neira Ayuso
Hi Harsha, On Sun, Aug 05, 2018 at 02:49:22PM +0530, Harsha Sharma wrote: [...] > diff --git a/include/libnftnl/cttimeout.h b/include/libnftnl/cttimeout.h > new file mode 100644 > index 000..6f0ef75 > --- /dev/null > +++ b/include/libnftnl/cttimeout.h > @@ -0,0 +1,39 @@ > +#ifndef

[PATCH nf-next 4/4] netfilter: nft_ct: add ct timeout support

2018-08-07 Thread Pablo Neira Ayuso
From: Harsha Sharma This patch allows adding, listing and deleting connection tracking timeout policies via the nft objref infrastructure, and assigning these timeouts via an nft rule. % ./libnftnl/examples/nft-ct-timeout-add ip raw cttime tcp Ruleset: table ip raw { ct timeout cttime { protocol
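Added example, not taken from any of the messages above or from the nftables tree: one ruleset that uses both the ct timeout object described in this patch and the osf-based ct mark map from the parser_bison patch earlier in this listing. The table, object and chain names, the timeout states and their values, and the port used are assumptions for illustration only. The timeout policy is attached in a raw-priority chain, because the kernel side creates a conntrack template there before the conntrack lookup runs, while the mark is set in a filter-priority chain, where a conntrack entry already exists for the packet.

```nft
# Added example (not the project's own code). Names, states, values and the
# port below are assumed for illustration.
table ip raw {
	# Per-protocol timeout policy; the states and seconds are illustrative.
	ct timeout cttime {
		protocol tcp
		l3proto ip
		policy = { established : 3600, close : 10 }
	}

	# Raw-priority hook: runs before conntrack, which is where a timeout
	# policy has to be attached to a not-yet-confirmed connection.
	chain prerouting {
		type filter hook prerouting priority -300; policy accept;
		tcp dport 22 ct timeout set "cttime"
	}

	# Filter-priority hook: conntrack has run, so the ct mark can be set.
	# The map keys are the genre names from pf.os; unmatched packets keep
	# their existing mark.
	chain input {
		type filter hook input priority 0; policy accept;
		tcp flags syn ct mark set osf name map { "Windows" : 1, "MacOs" : 2 }
	}
}
```

Load it with `nft -f <file>` and inspect the result with `nft list ruleset`; `nft list ct timeouts` (where supported) shows the timeout objects that were created. Because the osf expression only produces a genre on the initial SYN, the `tcp flags syn` guard keeps the map lookup off packets that would never match.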

[PATCH nf-next 2/4] netfilter: cttimeout: decouple timeout policy from nfnetlink_cttimeout object

2018-08-07 Thread Pablo Neira Ayuso
The timeout policy is currently embedded into the nfnetlink_cttimeout object, move the policy into an independent object. This allows us to reuse part of the existing conntrack timeout extension from nf_tables without adding dependencies with the nfnetlink_cttimeout object layout. Signed-off-by:

[PATCH nf-next 1/4,v5] netfilter: cttimeout: move ctnl_untimeout to nf_conntrack

2018-08-07 Thread Pablo Neira Ayuso
From: Harsha Sharma As ctnl_untimeout is required by nft_ct, move ctnl_timeout from nfnetlink_cttimeout to nf_conntrack_timeout and rename it nf_ct_timeout. Signed-off-by: Harsha Sharma Signed-off-by: Pablo Neira Ayuso --- v5: no changes, just a rebase on top of nf-next.

[PATCH nf-next 3/4] netfilter: remove ifdef around cttimeout in struct nf_conntrack_l4proto

2018-08-07 Thread Pablo Neira Ayuso
Simplify this: include it unconditionally in this structure layout, as we do with ctnetlink. Signed-off-by: Pablo Neira Ayuso --- Originally part of v11 to add nft_ct timeout support. include/net/netfilter/nf_conntrack_l4proto.h | 2 -- 1 file changed, 2 deletions(-) diff --git

Re: url filtering with netfiler

2018-08-07 Thread Oleg
On Tue, Aug 07, 2018 at 03:16:22PM +0200, Laura Garcia wrote: > >> > Do you think this feature will be useful now? For example, filtering uri > >> > in > >> > https isn't possible and http using is decreasing now. > > There are some components in the kernel to decrypt HTTPS, so > software-based

Re: url filtering with netfiler

2018-08-07 Thread Laura Garcia
On Tue, Aug 7, 2018 at 3:26 PM, Saber Rezvani wrote: > Do you know who exactly is working on this feature in nft? Could you possibly > introduce me to him/her? > You know we have decided to work on this issue. So it is best practice to > get in touch with the running development team that works on this

Re: [Bug 200651] New: cgroups iptables-restor: vmalloc: allocation failure

2018-08-07 Thread Mike Rapoport
On Tue, Aug 07, 2018 at 01:31:21PM +0200, Vlastimil Babka wrote: > On 08/07/2018 01:26 PM, Michal Hocko wrote: > > On Tue 07-08-18 13:19:26, Florian Westphal wrote: > >> Michal Hocko wrote: > I can't reproduce it anymore. > If i understand correctly this way memory allocated will be >

Re: url filtering with netfiler

2018-08-07 Thread Saber Rezvani
On 08/07/2018 05:46 PM, Laura Garcia wrote: On Fri, Aug 3, 2018 at 11:03 AM, Oleg wrote: On Fri, Aug 03, 2018 at 01:21:05AM +0430, Saber Rezvani wrote: On 08/03/2018 12:14 AM, Oleg wrote: On Thu, Aug 02, 2018 at 06:44:26PM +0430, Saber Rezvani wrote: Dear all, Some of my friends and I

Re: url filtering with netfiler

2018-08-07 Thread Laura Garcia
On Fri, Aug 3, 2018 at 11:03 AM, Oleg wrote: > On Fri, Aug 03, 2018 at 01:21:05AM +0430, Saber Rezvani wrote: >> On 08/03/2018 12:14 AM, Oleg wrote: >> > On Thu, Aug 02, 2018 at 06:44:26PM +0430, Saber Rezvani wrote: >> >> Dear all, >> >> >> >> >> >> Some of my friends and I have decided to work

Re: [Bug 200651] New: cgroups iptables-restor: vmalloc: allocation failure

2018-08-07 Thread Michal Hocko
On Tue 07-08-18 13:30:13, Florian Westphal wrote: > Michal Hocko wrote: > > On Tue 07-08-18 13:19:26, Florian Westphal wrote: > > > Michal Hocko wrote: > > > > > I can't reproduce it anymore. > > > > > If i understand correctly this way memory allocated will be > > > > > accounted to kmem of

Re: [Bug 200651] New: cgroups iptables-restor: vmalloc: allocation failure

2018-08-07 Thread Michal Hocko
On Tue 07-08-18 13:29:15, Vlastimil Babka wrote: > On 08/02/2018 10:50 AM, Michal Hocko wrote: > > On Wed 01-08-18 19:03:03, Georgi Nikolov wrote: > >> > >> *Georgi Nikolov* > >> System Administrator > >> www.icdsoft.com > >> > >> On 08/01/2018 11:33 AM, Michal Hocko

Re: [Bug 200651] New: cgroups iptables-restor: vmalloc: allocation failure

2018-08-07 Thread Vlastimil Babka
On 08/07/2018 01:26 PM, Michal Hocko wrote: > On Tue 07-08-18 13:19:26, Florian Westphal wrote: >> Michal Hocko wrote: I can't reproduce it anymore. If i understand correctly this way memory allocated will be accounted to kmem of this cgroup (if inside cgroup). >>> >>>

Re: [iptables PATCH] xtables: Spelling fixes in xtables-monitor

2018-08-07 Thread Florian Westphal
Phil Sutter wrote: > Fix a few minor spelling issues in xtables-monitor help output and man > page. While at it, change 'ipv4' and 'ipv6' to 'IPv4' and 'IPv6', > respectively. Applied, thank you.

Re: [Bug 200651] New: cgroups iptables-restor: vmalloc: allocation failure

2018-08-07 Thread Florian Westphal
Michal Hocko wrote: > On Tue 07-08-18 13:19:26, Florian Westphal wrote: > > Michal Hocko wrote: > > > > I can't reproduce it anymore. > > > > If i understand correctly this way memory allocated will be > > > > accounted to kmem of this cgroup (if inside cgroup). > > > > > > s@this@caller's@ > >

Re: [Bug 200651] New: cgroups iptables-restor: vmalloc: allocation failure

2018-08-07 Thread Vlastimil Babka
On 08/02/2018 10:50 AM, Michal Hocko wrote: > On Wed 01-08-18 19:03:03, Georgi Nikolov wrote: >> >> *Georgi Nikolov* >> System Administrator >> www.icdsoft.com >> >> On 08/01/2018 11:33 AM, Michal Hocko wrote: >>> On Wed 01-08-18 09:34:23, Vlastimil Babka wrote: On

Re: [Bug 200651] New: cgroups iptables-restor: vmalloc: allocation failure

2018-08-07 Thread Michal Hocko
On Tue 07-08-18 13:19:26, Florian Westphal wrote: > Michal Hocko wrote: > > > I can't reproduce it anymore. > > > If i understand correctly this way memory allocated will be > > > accounted to kmem of this cgroup (if inside cgroup). > > > > s@this@caller's@ > > > > Florian, is this patch

Re: [Bug 200651] New: cgroups iptables-restor: vmalloc: allocation failure

2018-08-07 Thread Florian Westphal
Michal Hocko wrote: > > I can't reproduce it anymore. > > If i understand correctly this way memory allocated will be > > accounted to kmem of this cgroup (if inside cgroup). > > s@this@caller's@ > > Florian, is this patch acceptable I am no mm expert. Should all longlived GFP_KERNEL

[iptables PATCH] xtables: Spelling fixes in xtables-monitor

2018-08-07 Thread Phil Sutter
Fix a few minor spelling issues in xtables-monitor help output and man page. While at it, change 'ipv4' and 'ipv6' to 'IPv4' and 'IPv6', respectively. Signed-off-by: Phil Sutter --- iptables/xtables-monitor.8.in | 8 iptables/xtables-monitor.c| 6 +++--- 2 files changed, 7

Re: [Bug 200651] New: cgroups iptables-restor: vmalloc: allocation failure

2018-08-07 Thread Michal Hocko
On Tue 07-08-18 14:02:00, Georgi Nikolov wrote: > On 08/06/2018 11:42 AM, Georgi Nikolov wrote: > > On 08/02/2018 11:50 AM, Michal Hocko wrote: > >> In other words, why don't we simply do the following? Note that this is > >> not tested. I have also no idea what is the lifetime of this allocation.

[iptables PATCH] xtables: Improve xtables-monitor first impression

2018-08-07 Thread Phil Sutter
First time users are likely to call 'xtables-monitor --help' to see what's going on. Make this situation a bit more pleasant for them: * When complaining about illegal arguments, add a final newline character to the error message. * Actually support '--help' long option as an alias to '-h'.

Re: [Bug 200651] New: cgroups iptables-restor: vmalloc: allocation failure

2018-08-07 Thread Georgi Nikolov
On 08/06/2018 11:42 AM, Georgi Nikolov wrote: > On 08/02/2018 11:50 AM, Michal Hocko wrote: >> In other words, why don't we simply do the following? Note that this is >> not tested. I have also no idea what is the lifetime of this allocation. >> Is it bound to any specific process or is it a

[iptables PATCH] xtables: Fix for wrong counter format in -S output

2018-08-07 Thread Phil Sutter
Legacy iptables uses '-c PCNT BCNT' format in listed rules, nft-variant used '[PCNT BCNT]' prefix like with iptables-save. In order to pass the counter format preference along, FMT_C_COUNTS is introduced and related 'format' checks adjusted. Since legacy iptables prints the counters between

[PATCH 2/2 nft v2] tests: improve test cases for osf

2018-08-07 Thread Fernando Fernandez Mancera
Signed-off-by: Fernando Fernandez Mancera --- tests/py/inet/osf.t | 5 - tests/py/inet/osf.t.payload | 12 +++- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/tests/py/inet/osf.t b/tests/py/inet/osf.t index 4db20b7..6533b84 100644 --- a/tests/py/inet/osf.t

[PATCH 1/2 nft v2] src: use NFT_OSF_MAXGENRELEN instead of IFNAMSIZ in osf.c

2018-08-07 Thread Fernando Fernandez Mancera
As no "genre" in pf.os exceeds 16 bytes in length, we reduce the NFT_OSF_MAXGENRELEN parameter to 16 bytes and use it instead of IFNAMSIZ. Signed-off-by: Fernando Fernandez Mancera --- include/linux/netfilter/nf_tables.h | 1 + src/osf.c | 4 +--- 2 files changed, 2

[PATCH nf-next v2] netfilter: nft_osf: use NFT_OSF_MAXGENRELEN instead of IFNAMSIZ

2018-08-07 Thread Fernando Fernandez Mancera
As no "genre" in pf.os exceeds 16 bytes in length, we reduce the NFT_OSF_MAXGENRELEN parameter to 16 bytes and use it instead of IFNAMSIZ. Signed-off-by: Fernando Fernandez Mancera --- include/uapi/linux/netfilter/nf_tables.h | 1 + net/netfilter/nft_osf.c | 8 +++- 2 files

[PATCH libnftnl] expr: osf: modify _snprintf_default function

2018-08-07 Thread Fernando Fernandez Mancera
Signed-off-by: Fernando Fernandez Mancera --- src/expr/osf.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/expr/osf.c b/src/expr/osf.c index 1541390..ac7a6f3 100644 --- a/src/expr/osf.c +++ b/src/expr/osf.c @@ -91,11 +91,10 @@ nftnl_expr_osf_parse(struct nftnl_expr