On Thu, Aug 23, 2018 at 02:28:24PM -0700, Doug Smythies wrote:
> On 2018.08.23 11:16 Pablo Neira Ayuso wrote:
> > On Wed, Aug 22, 2018 at 05:05:14PM -0700, Doug Smythies wrote:
> >> On 2018.08.22 11:26 Doug Smythies wrote:
> >>> On 2018.08.21 02:26 Florian Westphal wrote:
> >>>
> >>> ... [snip]
Doug Smythies wrote:
> > Could you try conntrack -F after removing your ruleset?
>
> ad1d697 + this patch:
>
> O.K. that eliminates the 1 minute wait, and the other ssh connections
> drop right away when I try to use them, after ruleset is loaded again.
> The ssh session I ran the commands from
On 2018.08.23 11:16 Pablo Neira Ayuso wrote:
> On Wed, Aug 22, 2018 at 05:05:14PM -0700, Doug Smythies wrote:
>> On 2018.08.22 11:26 Doug Smythies wrote:
>>> On 2018.08.21 02:26 Florian Westphal wrote:
>>>
>>> ... [snip] ...
>>>
Fix this by clearing maxwin of existing tcp connections on
On Wed, Aug 22, 2018 at 10:27:17AM +0200, Martin Willi wrote:
> The cluster match requires conntrack for matching packets. If the
> netns does not have conntrack hooks registered, the match does not
> work at all.
>
> Implicitly load the conntrack hook for the family, exactly as many
> other
On Wed, Aug 22, 2018 at 05:05:14PM -0700, Doug Smythies wrote:
> On 2018.08.22 11:26 Doug Smythies wrote:
> > On 2018.08.21 02:26 Florian Westphal wrote:
> >
> > ... [snip] ...
> >
> >> Fix this by clearing maxwin of existing tcp connections on register.
> >> While at it, lower timeout of existing
On Wed, Aug 22, 2018 at 03:10:17PM +0200, Ahmed Abdelsalam wrote:
[...]
> diff --git a/net/ipv6/netfilter/ip6t_SEG6.c b/net/ipv6/netfilter/ip6t_SEG6.c
> new file mode 100644
> index ..0adfb98ccaf2
> --- /dev/null
> +++ b/net/ipv6/netfilter/ip6t_SEG6.c
> @@ -0,0 +1,120 @@
> +/**
> + *
Use of this static variable causes trouble as it affects all instances
of this target. So calling xs_init_target() for one instance invalidates
all the others.
Moving the variable into target private data seems not possible since
that would change the target's size and therefore it wouldn't match
This nit was discovered when comparing do_commandeb() with
do_commandeb_xlate(): Since 'cs' is initialized upon declaration
already, initialization of field '.eb.bitmask' may be moved there as
well.
Signed-off-by: Phil Sutter
---
iptables/xtables-eb.c | 2 +-
1 file changed, 1 insertion(+), 1
This series of patches came together after I noticed xlate-test.py and
started using it. Most notably, this fixes ebtables-translate (which I
broke badly by accident in previous patches) but also improves
ebtables-save and -restore. Finally, there are a few fixes for
translations. With this series
Layer 4 protocol name "mobility-header" is not known by nft, so it's
neither printed nor accepted on input. Hence fix the test instead of
code.
Signed-off-by: Phil Sutter
---
extensions/libip6t_mh.txlate | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git
Apparently, this is a leftover from the compat->nft naming change in
created binary (symlinks).
Fixes: be70918eab26e ("xtables: rename xt-multi binaries to -nft, -legacy")
Signed-off-by: Phil Sutter
---
xlate-test.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git
These fix reports for definitely lost blocks in valgrind. Not really
memleaks, but due to nft_handle going out of scope they're counted as
lost. Still worth fixing though since it reduces noise when auditing
code for real issues.
Signed-off-by: Phil Sutter
---
iptables/nft-arp.c | 2 +-
With audit logging being supported by nftables as a simple (fake) log
level, translating AUDIT target is easy. Especially since xt_AUDIT in
kernel doesn't quite care about --type parameter.
Signed-off-by: Phil Sutter
---
extensions/libxt_AUDIT.c | 11 +++
The xlate function sharing here does not quite work since in
ebtables-translate, extensions are supposed to append whitespace. Fix
this by introducing a simple wrapper.
Signed-off-by: Phil Sutter
---
extensions/libxt_limit.c | 10 +-
1 file changed, 9 insertions(+), 1 deletion(-)
diff
Previous review of match/target lookup did not consider
xtables-eb-translate.c which contains the same code. Fix parsing of
target/match arguments there as well by introducing
ebt_command_default() which consolidates the previously duplicated code.
One notable quirk in comparison to the similar
Mostly to reduce noise from valgrind output, add missing calls to
destroy iterators in nft.c and add cleanup for the populated nft_handle
in xtables_eb_save_main().
Signed-off-by: Phil Sutter
---
iptables/nft.c | 8 ++--
iptables/xtables-save.c | 1 +
2 files changed, 7
On Thu, Aug 23, 2018 at 05:02:07PM +0200, Nicolas Boullis wrote:
> Hi,
>
> On Wed, Aug 22, 2018 at 06:38:49PM +0200, Nicolas Boullis wrote:
> >
> > On Wed, Aug 22, 2018 at 11:59:33AM +0200, Pablo Neira Ayuso wrote:
> > >
> > > Probably better way to go is to support this as a userspace helper in
Hi,
On Wed, Aug 22, 2018 at 06:38:49PM +0200, Nicolas Boullis wrote:
>
> On Wed, Aug 22, 2018 at 11:59:33AM +0200, Pablo Neira Ayuso wrote:
> >
> > Probably better way to go is to support this as a userspace helper in
> > conntrack-tools.
>
> Sorry for asking, but why would it be a “better way”
Pablo Neira Ayuso wrote:
> > > percpu template would allow us to combine both, I mean, to use the
> > > template as a scratchpad area. The template is only used from the same
> > > hook point to pass information between hook callbacks.
> >
> > I found no way to do this.
> >
> > Consider this:
>
On Thu, Aug 23, 2018 at 11:58:34AM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > > This patch reworks template policy to instead work with existing
> > > conntrack.
> > >
> > > As long as such conntrack has not yet been placed into the hash table
> > > (unconfirmed) we can still
So far if invalid priority name was specified the error message referred
to the whole chain/flowtable specification:
nft> add chain ip x h { type filter hook prerouting priority first; }
Error: 'first' is invalid priority in this context.
add chain ip x h { type filter hook
Pablo Neira Ayuso wrote:
> > This patch reworks template policy to instead work with existing conntrack.
> >
> > As long as such conntrack has not yet been placed into the hash table
> > (unconfirmed) we can still add the timeout extension.
> >
> > The only caveat is that we now need to
Hi Florian,
On Wed, Aug 22, 2018 at 05:18:36PM +0200, Florian Westphal wrote:
> Using a private template is problematic:
>
> 1. We can't handle conntrack is already assigned case
> 2. We can't assign both a zone and a timeout policy
> (zone assigns a conntrack template, so we hit problem 1)