On Tue, Oct 09, 2018 at 02:59:48AM +0900, Taehee Yoo wrote:
> When the interface is down, the offload cleanup function (nf_flow_table_do_cleanup)
> is called and that checks whether the interface index of the offload and
> the index of the link-down interface are the same. But checking only the interface
> index is not enough
On Sun, Oct 07, 2018 at 12:09:32AM +0900, Taehee Yoo wrote:
> checkentry(tee_tg_check) should initialize priv->oif from dev if possible.
> But only the netdevice notifier handler can set that.
> Hence priv->oif is always -1 until the notifier handler is called.
>
> Fixes: 22265a5c3c10 ("netfilter:
On Sat, Oct 06, 2018 at 01:42:42AM +0900, Taehee Yoo wrote:
> diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c
> b/net/ipv4/netfilter/ipt_CLUSTERIP.c
> index 2c8d313ae216..6ccabe6f74a6 100644
> --- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
> +++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
> @@ -59,7 +59,6 @@
Adding new elements results in a confusing "Success" error message.
# nft add element x y { 0-3 }
Error: interval overlaps with an existing one
add element x y { 0-3 }
^^^
Error: Could not process rule: Success
add element x y { 0-3 }
Eyal says:
doesn't the use of nft_pf(pkt) in this context limit the matching of
encapsulated packets to the same family?
IIUC when an e.g. IPv6-in-IPv4 packet is matched, the nft_pf(pkt) will
be the decapsulated packet family - IPv6 - whereas the state may be
IPv4. So this check would
Add range to the list of matching elements.
Fixes: 95629758a5ec ("segtree: bogus range via get set element on existing elements")
Signed-off-by: Pablo Neira Ayuso
---
src/segtree.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/segtree.c b/src/segtree.c
index
This is just a simple wrapper function; replace it with a direct call to
mnl_nft_rule_del().
Signed-off-by: Pablo Neira Ayuso
---
include/netlink.h | 1 -
src/netlink.c | 10 --
src/rule.c | 2 +-
3 files changed, 1 insertion(+), 12 deletions(-)
diff --git a/include/netlink.h
We can remove alloc_nftnl_set() and consolidate infrastructure in the
src/mnl.c file.
Signed-off-by: Pablo Neira Ayuso
---
include/mnl.h | 18 +++--
include/netlink.h | 14 ++--
src/mnl.c | 192 ++
src/netlink.c | 176
Signed-off-by: Pablo Neira Ayuso
---
include/netlink.h | 1 -
src/netlink.c | 5 -
src/rule.c | 3 +--
3 files changed, 1 insertion(+), 8 deletions(-)
diff --git a/include/netlink.h b/include/netlink.h
index e27d75ead855..b7e2232f4bd9 100644
--- a/include/netlink.h
+++
Dear friend,
I am Mr. Tayeb Souami, New Jersey, United States of America, the
mega-winner of $315 million in the Mega Millions Jackpot. I am donating to 5
random people; if you receive this e-mail, then your e-mail was selected after
a spinball. I have the largest
We can remove alloc_nftnl_rule() and consolidate infrastructure in the
src/mnl.c file.
Signed-off-by: Pablo Neira Ayuso
---
include/mnl.h | 11 ---
include/netlink.h | 9 --
src/mnl.c | 90 ---
src/netlink.c | 76
On Tue, Oct 09, 2018 at 04:47:20PM -0700, Maciej Żenczykowski wrote:
> Ah, yes, the (2**64 - 1) + 1 problem.
>
> The fact max allowed remaining is (2**64 - 2) is perhaps surprising...
> should we clamp? or warn?
>
> userspace has:
> if (cb->entry->id == O_REMAIN) info->remain++;
> should this
On Tue, Oct 09, 2018 at 04:14:40PM -0700, Chenbo Feng wrote:
> From: Chenbo Feng
>
> Introduces some iptables tests for the new --remain option in the xt_quota
> module. Add a brief description of how to use the --remain option in
> the iptables-extensions man page.
Applied, thanks Chenbo.
Add ttl option support to the nftables "osf" expression.
Signed-off-by: Fernando Fernandez Mancera
---
v1: initial patch
v2: code correctness and fix the "~" typo.
v3: make priv->ttl = ttl; optional, and priv->ttl default value is now 0.
v4: delete the "if (ttl_check != -1)" branch
---
nft_osf no longer supports the "output" hook, as xt_osf doesn't either.
Fixes: b96af92d6eaf ("netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf")
Signed-off-by: Fernando Fernandez Mancera
---
net/netfilter/nft_osf.c | 10 ++
1 file changed, 10 insertions(+)
diff