-off-by: Florian Westphal
---
Pablo,
this will unfortunately result in an nf-next merge conflict
due to *rover removal in nf-next.
I can send a patch vs. nf-next instead if you prefer.
net/netfilter/nf_nat_proto_common.c | 26 ++
1 file changed, 22 insertions(+), 4
Xiaozhou Liu wrote:
> > + for (i = 0; i < attempts; ++off) {
> > *portptr = htons(min + off % range_size);
> > - if (++i != range_size && nf_nat_used_tuple(tuple, ct))
> > + if (nf_nat_used_tuple(tuple, ct))
> > continue;
> > if
, then try ever smaller
number of adjacent port numbers, until either the limit is reached or a
usable port was found. This results in at most 248 attempts
(128 + 64 + 32 + 16 + 8, i.e. 4 restarts with new search offset)
instead of 64000+,
Signed-off-by: Florian Westphal
---
Pablo
Pablo Neira Ayuso wrote:
> Add ip-saddr, ip-daddr, ether-saddr, ether-daddr for arp, e.g.
>
> # nft add table arp x
> # nft add chain arp x y { type filter hook input priority 0\; }
> # nft add rule arp x y arp ip-saddr 192.168.2.1 counter
'arp {ip,ether} {s,d}addr' would create ambiguities?
-by: Florian Westphal
---
include/net/netfilter/nf_conntrack.h | 5 +
net/netfilter/nf_conntrack_proto_udp.c | 16 +---
2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack.h
b/include/net/netfilter/nf_conntrack.h
index 7e012312cd61
conntracks 'timewait' default timeout value.
Signed-off-by: Florian Westphal
---
Documentation/networking/nf_conntrack-sysctl.txt | 4 ++--
net/netfilter/nf_conntrack_proto_udp.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Documentation/networking/nf_conntrack
(unreplied) timeout. It's enough for DNS request/response traffic, even
if two request/reply packets are involved.
ASSURED is still set, else conntrack (and thus a possible
NAT mapping ...) might get zapped in case conntrack table runs full.
Signed-off-by: Florian Westphal
---
include/net/netfilter
.
Reported-by: Neel Mehta
Reported-by: Shane Huntley
Reported-by: Heather Adkins
Signed-off-by: Florian Westphal
---
diff --git a/net/netfilter/nf_conntrack_seqadj.c
b/net/netfilter/nf_conntrack_seqadj.c
index a975efd6b8c3..9da303461069 100644
--- a/net/netfilter/nf_conntrack_seqadj.c
+++ b/net
Pavel Melnik wrote:
> We were asked to implement functionality to drop fragmented IPv6 packets,
> addressed to local interface, on device based 3.12 kernel
Urgh.
I'd just change NF_IP6_PRI_RAW to -450 and use ip6tables rules in raw
table.
> But we observed the 'same' issue if try to use
If libxtables is not even installed, build fails due to missing
include file.
ifdef LIBXTABLES guard fixes the first error, but results in two
followup failures:
1. missing IFNAMSIZ definition
2. dereference of unknown struct.
Signed-off-by: Florian Westphal
---
src/xt.c | 5 +
1 file
Phil Sutter wrote:
> When e.g. ebtables-nft detects an incompatible table, a stray '.' was
> printed as last line of output:
>
> | # ebtables-nft -L
> | table `filter' is incompatible, use 'nft' tool.
> | .
>
> This comes from ebtables' own exit_err callback. Instead use the common
> one which
Phil Sutter wrote:
> > If user doesn't want it cleared at nftnl_chain_free() time they can
> > always allocate a new nftnl_rule_list and splice to that list.
>
> Good point. What do you think about the simple approach of introducing:
>
> | struct nftnl_rule_list *nftnl_chain_get_rule_list(const
Phil Sutter wrote:
> In order to improve performance in 'nft -f' as well as xtables-restore
> with very large rulesets, we need to store rules by chain they belong
> to. In order to avoid pointless code duplication, this should be
> supported by libnftnl.
Unfortunately we still need to change
Phil Sutter wrote:
> Relevant code for this was already present (short option '-c'), just the
> long option definition was missing.
Applied, thanks.
Signed-off-by: Florian Westphal
---
include/linux/netfilter/nf_conntrack_proto_gre.h | 13 +
net/netfilter/nf_conntrack_proto_gre.c | 14 +-
net/netfilter/nfnetlink_cttimeout.c | 8 ++--
3 files changed, 20 insertions(+), 15 deletions(-)
diff
Baruch Siach wrote:
> Pablo Neira Ayuso writes:
> >> > This is updating a cached copy of the kernel headers, we basically
> >> > copy kernel headers and place in the userspace tree to make sure that
> >> > iptables compiles standalone, without the need for kernel-headers to
> >> > be installed in
Taehee Yoo wrote:
> register_{netdevice/inetaddr/inet6addr}_notifier returns a value that
> could be an error value, so error handling code is needed.
Nothing should break without those notifiers in place though.
> /* check if the notifier was already set */
> if
Pablo Neira Ayuso wrote:
> # nft list chain x y
> Error: No such file or directory; did you mean table ‘x’ in family ‘inet’?
> list chain x y
Perhaps make this
"...; did you mean 'inet x'?"
Other than this nit, this looks like a good improvement, thanks!
parser
too.
arptables-legacy prints (-L) the jump target first, i.e.:
-j MARK -d 0.0.0.0/8 --h-length 6 ...
... so keep that here too.
Signed-off-by: Florian Westphal
---
extensions/libarpt_standard.t | 4 +-
iptables/nft-arp.c | 92 ---
2 files c
Baruch Siach wrote:
> Commit 7c8791edac3 ("xtables-monitor: fix build with older glibc")
> changed the code to use GNU style tcphdr fields. Unfortunately, musl
> libc requires _GNU_SOURCE definition to expose these fields.
>
> Fix the following build failure:
Applied, thanks.
Tom Cook wrote:
> For a `struct ipt_entry` that I have retrieved using iptc_next_rule
[..]
Please don't do this, use ip(6)tables-restore instead.
You can pipe input to it and you can use --noflush option for
batch processing, including multiple deletes/adds/inserts etc.
libiptc doesn't do some
Baruch Siach wrote:
> glibc older than 2.19 require _BSD_SOURCE to expose BSD style fields of
> struct tcphdr. Fix the following build failure:
>
> xtables-monitor.c: In function 'trace_print_packet':
> xtables-monitor.c:406:43: error: 'const struct tcphdr' has no member named
> 'th_sport'
>
Hi!
The Netfilter project proudly presents:
iptables 1.8.2
This release contains the following fixes and enhancements:
iptables-nft:
- fix bogus handling of '-s 0.0.0.0/8' and the like.
- fix the '-f' option
- fix wildcard interface matching
ebtables-nft:
- add support for 'arpreply'
put().
This can be easily reproduced by adding msleep() before
nft_match_destroy() returns.
Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for
x_tables")
Reported-by: Pablo Neira Ayuso
Signed-off-by: Florian Westphal
---
net/netfilter/nf_tables_api.c | 5 +++--
Phil Sutter wrote:
> Boolean AND was applied instead of binary one, causing the exclamation
> mark to be printed whenever info->bitmask was non-zero. In practice,
> this leads to incorrect output if e.g. --among-src was given with an
> inverted match as well as --among-dst with a non-inverted
Doesn't affect iptables-translate, but nft (when built with
xtables support).
Current nftables may print the buffer without checking if
the ->xlate() callback returned 0, so ->data with garbage/random
content can be printed.
Signed-off-by: Florian Westphal
---
libxtables/xtables.c |
old: arptables vlibxtables.so.12 (nf_tables)
now: arptables 1.8.1 (nf_tables)
Signed-off-by: Florian Westphal
---
iptables/xtables-arp.c | 25 +++--
1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c
index
You can run 'arptables-legacy -t foobar' and commands work fine,
as it still operates on filter table (the only table that exists).
Signed-off-by: Florian Westphal
---
iptables/xtables-arp.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/iptables/xtables-arp.c b
Signed-off-by: Florian Westphal
---
iptables/xtables-arp.c | 12 ++--
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c
index bde35e5dcb9c..6a095bfd1629 100644
--- a/iptables/xtables-arp.c
+++ b/iptables/xtables-arp.c
@@ -233,12
-( ]
Signed-off-by: Florian Westphal
---
extensions/libarpt_CLASSIFY.t | 4
extensions/libarpt_MARK.t | 4
extensions/libarpt_mangle.t | 5 +
extensions/libarpt_standard.t | 14 ++
4 files changed, 27 insertions(+)
create mode 100644 extensions/libarpt_CLASSIFY.t
1. check both address and mask, not just first byte of mac
2. use add_addr() for this so mask is also handled via bitwise expr.
3. use the correct offsets.
4. add dissector so we can reverse translate the payload expressions
generated for this.
Signed-off-by: Florian Westphal
---
iptables
Signed-off-by: Florian Westphal
---
iptables-test.py | 11 ++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/iptables-test.py b/iptables-test.py
index 34a040422ce7..532dee7c9000 100755
--- a/iptables-test.py
+++ b/iptables-test.py
@@ -17,10 +17,12 @@ import argparse
umptions in several spots, so this should be fine from
compatibility point of view.
Signed-off-by: Florian Westphal
---
iptables/xtables-arp.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c
index a791ecceb88b..bde35e5dcb9c 100644
--- a/iptables
arptables -D fails most of the time, as we compared
source mask with target mask.
Signed-off-by: Florian Westphal
---
iptables/nft-arp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index f9352297d83b..675f0eb9daa6 100644
--dst-ip checks the first four octets of the target mac.
Format of ipv4 arp is:
arphdr (htype, ptype...)
src mac
src ip
target mac
target ip
So we need to add hlen (6 bytes) a second time
(arphdr + 6 + 4 + 6) to get correct offset.
Signed-off-by: Florian Westphal
---
iptables/nft-arp.c | 5
also handle negations in other cases.
Still to be resolved: mask handling for other options such as hlen.
Signed-off-by: Florian Westphal
---
iptables/nft-arp.c | 20 ++--
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
This isn't a missing feature in the -nft version,
neither plen nor -m was ever implemented in arptables-legacy.
Signed-off-by: Florian Westphal
---
iptables/xtables-arp.c | 34 +++---
1 file changed, 3 insertions(+), 31 deletions(-)
diff --git a/iptables/xtables
arptables classic doesn't have arptables-save, it only has a perl
script that attempts to emulate iptables-save. It supports no options,
and thus has no way to dump counters. Add -c option, like iptables to
enable this.
Signed-off-by: Florian Westphal
---
iptables/nft-arp.c | 17
igned-off-by: Florian Westphal
---
extensions/libarpt_mangle.c | 6 +
extensions/libxt_CLASSIFY.c | 47 ++---
iptables/nft-arp.c | 33 +++---
3 files changed, 43 insertions(+), 43 deletions(-)
diff --git a/extensions/libarpt_mangle.c b/e
This series adds test cases for arptables-nft and fixes various bugs that
got uncovered here.
extensions/libarpt_CLASSIFY.t |4 +
extensions/libarpt_MARK.t |4 +
extensions/libarpt_mangle.c |6 +
extensions/libarpt_mangle.t |5 +
extensions/libarpt_standard.t | 14
0x%x %s0 ", info->mask, ...
~^~~
so add the required casts or fixup format strings as needed.
libxt_conntrack also passed an unneeded argument (port), so remove that.
Signed-off-by: Florian Westphal
---
extensions/libebt_mark_m.c | 8 ---
Phil Sutter wrote:
> The first two deal with incorrect/unexpected error messages, only the
> last one fixes a "real" issue.
>
> Phil Sutter (3):
> xtables: Fix typo in do_command() error message
> xtables: Clarify error message when deleting by index
> xtables: Fix error return code in
rds compat reasons.
Signed-off-by: Florian Westphal
---
extensions/libebt_802_3.c | 4 ++--
extensions/libebt_802_3.t | 2 +-
extensions/libebt_arp.c | 14 +++---
extensions/libebt_arp.t | 9 +
extensions/libebt_ip.c | 16
extensions/l
The 'original' ebtables-save was a perl script that supported no option.
Add minimal options, like ip(6)tables save.
Retain the old way of formatting counters via environment variable,
but allow overriding this using the -c option.
Signed-off-by: Florian Westphal
---
iptables/nft-bridge.c
Felix Jia wrote:
> From: Jason Rippon
>
> This ensures that port range masquerade rules work with the ftp alg.
> Previously the ftp data flow was not following the iptables rules.
The data connections are supposed to inherit the NAT transformation
of the master connection (connection created
When building without libxtables, nft would just silently omit any presence
of nft_compat in the output.
This adds ifdef-ry to at least print name of target/match involved when
libxtables isn't available for decoding.
Signed-off-by: Florian Westphal
---
include/xt.h | 13 +
src
We can't use it when no translation is available as libxtables will
use plain printf(), but when translation is available we can.
Signed-off-by: Florian Westphal
---
include/xt.h | 5 +++--
src/statement.c | 2 +-
src/xt.c | 6 +++---
3 files changed, 7 insertions(+), 6 deletions
Currently when building nftables without xtables support, then
any nft_compat expression is silently skipped.
This adds minimal support so we will at least be able to print
out that an xtables match is in use in a rule.
Example:
oifname "eth0" # xt_policy counter packets 0 bytes 0 accept
for a
passing ->tos as uintmax_t will clear adjacent fields in the structure,
including invflags.
Fixes: 49479aa12a15 ("ebtables-compat: add 'ip' match extension")
Signed-off-by: Florian Westphal
---
extensions/libebt_ip.c | 9 ++---
extensions/libebt_ip.t | 1 +
2 files changed,
Fixes: 5c8ce9c6aede0 ("ebtables-compat: add 'ip6' match extension")
Signed-off-by: Florian Westphal
---
extensions/libebt_ip6.c | 2 +-
extensions/libebt_ip6.t | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/extensions/libebt_ip6.c b/extensions/libebt_i
Florian Westphal wrote:
> Argh. I'll see about that.
This already works, it uses a different code path
(INPUT 42 is CMD_ZERO_NUM, not CMD_ZERO, and that was
implemented already).
So only thing that did not work correctly was -Z FOO, and that
is corrected here.
Pablo Neira Ayuso wrote:
> On Mon, Nov 05, 2018 at 10:44:20AM +0100, Florian Westphal wrote:
> > -Z doesn't just zero base counters, it zeroes out all rule
> > counters, or, optionally, all counters of a chain (-Z FOO).
>
> Looks good.
>
> But I think we need to ext
-Z doesn't just zero base counters, it zeroes out all rule
counters, or, optionally, all counters of a chain (-Z FOO).
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1286
Signed-off-by: Florian Westphal
---
iptables/nft.c | 81 --
1 file
Signed-off-by: Florian Westphal
---
doc/primary-expression.txt | 25 -
1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index 761f50bc1392..5846898e170e 100644
--- a/doc/primary-expression.txt
+++ b/doc
ature"
by only checking for the POSITION attribute on insert operations.
Fixes: 5e94846686d0 ("netfilter: nf_tables: add insert operation")
Signed-off-by: Florian Westphal
---
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index dd577e7d100c..e496030fd
This changes ebtables-nft to consistently print mac
address with two characters, i.e.
00:01:02:03:04:0a, not 0:1:2:3:4:a.
Will require another bump of vcurrent/vage.
Suggested-by: Pablo Neira Ayuso
Signed-off-by: Florian Westphal
---
extensions/libebt_arp.c | 13 ++---
extensions
in the binary
representation, whereas the rule we obtained from translating
nftables netlink back to ebtables' binary representation doesn't.
Fix it by ignoring 'CONTINUE' on parser side.
Signed-off-by: Florian Westphal
---
extensions/libebt_standard.t | 1 +
iptables/nft-bridge.c | 26
Signed-off-by: Florian Westphal
---
extensions/libebt_redirect.c | 2 +-
extensions/libebt_redirect.t | 4
2 files changed, 5 insertions(+), 1 deletion(-)
create mode 100644 extensions/libebt_redirect.t
diff --git a/extensions/libebt_redirect.c b/extensions/libebt_redirect.c
index
Signed-off-by: Florian Westphal
---
extensions/libebt_802_3.t | 3 +++
extensions/libebt_arp.t | 11 +++
extensions/libebt_ip.t | 10 ++
extensions/libebt_ip6.t | 12
extensions/libebt_log.t | 6 ++
extensions/libebt_mark.t | 5
now that we have ebtables-save, let's add test cases for ebtables-nft
as well.
Signed-off-by: Florian Westphal
---
extensions/libebt_standard.t | 6 ++
iptables-test.py | 13 ++---
2 files changed, 16 insertions(+), 3 deletions(-)
create mode 100644 extensions
This series fixes a few smaller bugs in ebtables-nft,
adds the 'arpreply' target and adds initial testcases for
all ebtables extensions ebtables-nft is supposed to support.
It also adds the 'arpreply' target to ebtables-nft.
Florian Westphal (6):
tests: add basic ebtables test support
Unlike ip(6)tables, the ebtables nat table has no special properties.
This bug causes 'ebtables -A' to fail when using a target such as
'snat' (ebt_snat target sets ".table = "nat"'). Targets that have
no table restrictions work fine.
Signed-off-by: Florian Westphal
---
-by: Florian Westphal
---
extensions/libip6t_ipv6header.t | 4
extensions/libxt_standard.t | 4
iptables/nft-ipv4.c | 4 ++--
iptables/nft-ipv6.c | 10 +++---
4 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/extensions/libip6t_ipv6header.t b
it was incremented already.
Fixes: 0cbc06b3faba7 ("netfilter: nf_tables: remove synchronize_rcu in commit
phase")
Signed-off-by: Florian Westphal
---
net/netfilter/nf_tables_api.c | 9 +++--
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/net/netfilter/nf_
ilter: nf_tables: do not skip inactive chains during generation update")
sooner.
Signed-off-by: Florian Westphal
---
tools/testing/selftests/Makefile | 1 +
tools/testing/selftests/netfilter/Makefile | 6 ++
tools/testing/selftests/netfilter/config | 2 +
...
Pablo Neira Ayuso wrote:
> On Thu, Oct 25, 2018 at 11:56:12PM +0900, Taehee Yoo wrote:
> > conn_free() holds lock with spin_lock(). and it is called by both
> > nf_conncount_lookup() and nf_conncount_gc_list().
> > nf_conncount_lookup() is bottom-half context and nf_conncount_gc_list()
> > is
Florian Westphal wrote:
> Lars Wendler wrote:
> > > In file included from ../iptables/nft.h:5,
> > > from libxt_limit.c:18:
> > > ../iptables/nft-shared.h:6:10: fatal error: libnftnl/rule.h: No such
>
Hi,
please consider reverting
commit 84379c9afe011020e797e3f50a662b08a6355dcf
netfilter: ipv6: nf_defrag: drop skb dst before queueing
It causes kernel crash for locally generated ipv6 fragments
when netfilter ipv6 defragmentation is used.
The faulty commit is not essential for -stable, it
In file included from ../iptables/nft.h:5, from libxt_limit.c:18:
libnftnl/rule.h: No such file or directory
Reported-by: Lars Wendler
Fixes: 02b80972c43 ("ebtables: Merge libebt_limit.c into libxt_limit.c")
Signed-off-by: Florian Westphal
---
extensions/libxt_limit.c | 1 -
iptables
Hi!
The Netfilter project proudly presents:
iptables 1.8.1
This release contains fixes and following new features:
* add arp & ebtables-save/restore for nf_tables backend
* new cgroup match revision with reduced memory footprint
Notable nft backend fixes:
- don't print rule
this release also adds xtables_getether* functions to libxtables, so
current and age are incremented as well.
Signed-off-by: Florian Westphal
---
configure.ac | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/configure.ac b/configure.ac
index 07e32064489b..1da8555e65f3
Oleh Danilovskyi wrote:
> I have implemented a custom extension for conntrack. It is basically
> extra pointer which resides in "struct nf_conn".
> The pointer references a slab buffer and it is used/modified in custom
> netfilter match extension.
> I'm not sure whether it is possible that
ily it expects to match, so
we can just use the real state family rather than the hook family.
So change it as suggested above.
Reported-by: Eyal Birger
Suggested-by: Eyal Birger
Fixes: 6c47260250fc6 ("netfilter: nf_tables: add xfrm expression")
Signed-off-by: Florian Westphal
---
The expre
Pedretti Fabio wrote:
> Hi, I tried iptables 1.8 with the new nf_tables back-end using the
> Debian 1.8.0-1~exp1 package with my firewall script.
>
> It seems to properly load most rules, however I am getting an error
> when negating an interface and using protocol ports, which works fine
> with
Fernando Fernandez Mancera wrote:
> @@ -31,4 +31,5 @@ noinst_HEADERS =cli.h \
> rule.h \
> rt.h\
> utils.h \
> + xfrm.h \
> xt.h
Alexandre Connat wrote:
> 1) FIRST QUESTION:
> Would you be interested in such a contribution? Nothing was previously done
> on GRE, specifically, I suppose. I wonder why there is no target module out
> there that let you set any arbitrary data within the raw packet, at a certain
> offset?
Phil Sutter wrote:
> Patch 1 contains a fix for parser_bison.y to accept 'out' as priority
> name (again a keyword vs. string issue).
>
> The remaining patches deal with flaws in the test case itself, including
> the whopping 38s it took to complete on my testing VM.
Applied, thanks Phil.
Phil Sutter wrote:
> On Tue, Sep 25, 2018 at 12:18:50PM +0200, Florian Westphal wrote:
> > Phil Sutter wrote:
> > > In nftnl_expr_xfrm_json_parse(), variable 'spnum' is apparently unused
> > > so remove it.
> >
> > It should be used, "spnum"
Phil Sutter wrote:
> In nftnl_expr_xfrm_json_parse(), variable 'spnum' is apparently unused
> so remove it.
It should be used, "spnum" parsing is missing.
Phil Sutter wrote:
> - use snprintf(),
> - use strlcpy() from libbsd or
> - introduce a poor-man's strlcpy() macro/function.
>
> What would you prefer? Leave everything as-is, one of the above or
> something completely different? :)
I don't really care that much, I'd avoid adding a new dependency
Phil Sutter wrote:
> Make sure destination buffers are NULL-terminated by replacing strcpy()
> with strncat() (if destination is guaranteed to be zeroed) or explicitly
> set last byte in buffer to zero.
I'm sorry, but I don't like this at all.
> - strcpy(cs->target->t->u.user.name,
Christian Göttsche wrote:
> Adding a new keyword "secmark_raw" seems to do the trick a bit.
> But somewhere it is still unsupported:
>
> $ nft --debug=netlink add rule inet filter output meta secmark_raw set
> ct secmark_raw
> inet filter output
> [ ct load secmark => reg 1 ]
> [ meta set
Christian Göttsche wrote:
> I am trying to get a connsecmark equivalent working.
>
> How can I implement the secmark pushing from the ct state to the package?
Good question. Should we even allow setting it from register context
or should we enforce strict ct->secmark = skb->secmark?
> $ nft
Christian Göttsche wrote:
> I think it was a bug of mine, sorted it out:
> https://github.com/cgzones/secmark/commit/83a1f56a3283214b678655ad6f3b5605c6b48df3
>
> Now I'll focus on connsecmark and testing :-)
Great. You should be able to remove the secmark data type as well:
[NFT_META_SECMARK]
Christian Göttsche wrote:
> Now the following works:
>
> $ nft add secmark inet filter sshtag
> \"system_u:object_r:ssh_server_packet_t:s0\"
> $ nft add rule inet filter input tcp dport 22 meta secmark set sshtag
> $ nft add map inet filter secmapping { type inet_service : secmark_tag \; }
> $
Christian Göttsche wrote:
> I'm stuck a bit with the nft cli coding.
>
> By now the following works:
>
> $ nft add map inet filter secmapping { type inet_service : secmark \; }
> $ nft add rule inet filter input tcp dport 21 secmark
> \"system_u:object_r:ftp_server_packet_t:s0\"
> $ nft add rule
Christian Göttsche wrote:
> Hi,
> after I found a nice tutorial [1], I started to hack some code [2].
> Is it the correct approach to introduce a new kernel module and a new
> nftables statement?
Yes and no :-)
The problem is that current nft_meta.c uses the 32bit secmark id,
which, as far as I
lit -- they are now the same so we can use single l4proto
struct for each protocol, rather than two.
The EXPORT_SYMBOLs can be removed as all these object files are
part of nf_conntrack with no external references.
Signed-off-by: Florian Westphal
---
change since v1:
- fix build erro
Phil Sutter wrote:
> This series fixes a number of potential issues identified by Coverity
> tool.
Applied, thanks.
Phil Sutter wrote:
> This series contains a number of fixes for JSON output code indicated by
> failing testcases in tests/py. In one instance, testcase's JSON
> equivalent had to be adjusted.
Series applied, thanks Phil.
All higher l4proto numbers are handled by the generic tracker; the
l4proto lookup function already returns generic one in case the l4proto
number exceeds max size.
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack_l4proto.h | 2 +-
net/netfilter/nf_conntrack_proto.c
It's unused, next patch will remove l4proto->l3proto number to simplify
l4 protocol demuxer lookup.
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack_l4proto.h | 2 +-
net/netfilter/nf_conntrack_proto.c | 5 ++---
net/netfilter/nf_conntrack_proto_dccp.c
lit -- they are now the same so we can use single l4proto
struct for each protocol, rather than two.
The EXPORT_SYMBOLs can be removed as all these object files are
part of nf_conntrack with no external references.
Signed-off-by: Florian Westphal
---
include/net/netfilter/ipv4/nf_conntrack_ipv4.h |
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack_l4proto.h | 5 -
net/netfilter/nf_conntrack_core.c | 6 --
net/netfilter/nf_conntrack_proto_dccp.c | 17 ++-
net/netfilter/nf_conntrack_proto_generic.c | 20 ++--
net/netfilter/nf_conntrack_proto_gre.c
-by: Florian Westphal
---
include/net/netfilter/nf_conntrack_l4proto.h | 13 ++---
net/netfilter/nf_conntrack_core.c | 43 +++-
net/netfilter/nf_conntrack_proto_icmp.c | 8 ++
net/netfilter/nf_conntrack_proto_icmpv6.c | 10 +++
4 files changed, 52
tch.
Signed-off-by: Florian Westphal
---
net/netfilter/nf_conntrack_proto_dccp.c | 98 +++--
net/netfilter/nf_conntrack_proto_sctp.c | 67 +++---
net/netfilter/nf_conntrack_proto_tcp.c | 32 ---
3 files changed, 91 insertions(+), 106 deletions(-)
d
d call them from ->packet() instead.
As the error() callback can call checksum functions that write to
skb->csum*, the const qualifier has to be removed as well.
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack_l4proto.h | 2 +-
net/netfilter/nf_conntrack_proto_dccp.
Phil Sutter wrote:
> Passing --wait option to iptables-nft-restore led to program abort
> because the flag parameter was not skipped. Mimic iptables-restore
> behaviour when encountering --wait or --wait-interval options (but still
> ignore the parameter).
Thanks for submitting a test case too,
Phil Sutter wrote:
> The logic to replicate 'iptables-restore --noflush' behaviour of
> flushing custom chains if listed in the dump was broken for chains being
> referenced. A minimal dump reproducing the issue is:
Applied.
Phil Sutter wrote:
> Commit f8e29a13fed8d ("xtables: avoid bogus 'is incompatible' warning")
> fixed for compatibility checking to extend over all chains, not just the
> relevant ones. This patch does the same for rules: Make sure only rules
> belonging to the relevant table are being considered.