9f40c5c7 inet filter input verdict continue
trace id 9f40c5c7 inet filter input policy drop
Reported-by: v...@gmx.net
Signed-off-by: Florian Westphal
---
src/netlink.c | 31 ++-
1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/src/netlink.c b/src/netlink.
Máté Eckl wrote:
> On Wed, Jun 20, 2018 at 01:29:51PM +0200, Florian Westphal wrote:
> > Máté Eckl wrote:
> > > This patch is built on the commit not applied yet with the title:
> > > evaluate: Detect address family in inet context
> >
> > You can
ѽ҉ᶬḳ℠ wrote:
moving to nf-devel.
> Having this very simple setup icmp is not getting through at the target
> machine. Flushing the nft ruleset the icmp traffic is getting through.
Yes, this set
> table inet filter {
> chain input {
> type filter hook input priority 0; policy drop;
Pablo Neira Ayuso wrote:
> A few comments on top of Florian's.
>
> On Wed, Jun 20, 2018 at 12:41:29PM +0200, Máté Eckl wrote:
> [...]
> > +#if IS_ENABLED(CONFIG_NF_TPROXY_IPV6)
> > +static void nft_tproxy_eval_v6(const struct nft_expr *expr,
> > + struct nft_regs *regs,
> >
Máté Eckl wrote:
> There are some changes compared to the iptables implementation:
> - tproxy statement is not terminal here
> - no transport protocol criterion is necessary to set target ip address
> + const struct nft_tproxy *priv = nft_expr_priv(expr);
> + struct sk_buff *skb =
add rule inet x y tproxy to 1.1.1.1
> Error: Could not resolve hostname: Address family for hostname not
> supported
> add rule inet x y tproxy to 1.1.1.1
I see no problem here, so
Acked-by: Florian Westphal
--
To unsubscribe from this list: send the line "unsubscribe net
Arushi Singhal wrote:
> typos/Grammatical errors are corrected.
Applied, thanks everyone.
Provide a hint that iptables isn't showing all rules because
it's using nfnetlink rather than the old set/getsockopt.
Signed-off-by: Florian Westphal
---
iptables/nft-shared.c | 29 +
iptables/nft-shared.h | 1 +
iptables/xtables-save.c | 20
(nf_tables)
Suggested-by: Harald Welte
Signed-off-by: Florian Westphal
---
iptables/ip6tables-restore.c | 2 +-
iptables/ip6tables-save.c| 9 -
iptables/ip6tables.c | 2 +-
iptables/iptables-restore.c | 2 +-
iptables/iptables-save.c | 9 -
iptables/iptables.c
t-pfx
1c3::/64
NEWGEN: GENID=6581 PID=15601 NAME=xtables-multi
Signed-off-by: Florian Westphal
---
Changes since v1:
- allow filtering for ip(6)tables, but also allow listing both
ipv4/ipv6 events
- add fallback for nft-style events for base chains (hook prios etc)
- change to -N/-X for us
got moved around).
This most likely also fixes an xt_connlimit imbalance earlier reported
by Dmitry Andrianov.
Cc: Dmitry Andrianov
Reported-by: Justin Pettit
Reported-by: Yi-Hung Wei
Signed-off-by: Florian Westphal
---
Only compile tested so far, sending it now to illustrate
idea and so
t-pfx
1c3::/64
NEWGEN: GENID=6581 PID=15601 NAME=xtables-multi
Signed-off-by: Florian Westphal
---
iptables/Makefile.am| 3 +-
iptables/xtables-compat-multi.c | 1 +
iptables/xtables-monitor.c | 639
iptables/xtables-multi.c| 1 -
nft meta expr enables the nfnetlink based trace infrastructure, so
prefer to use that rather than xt_TRACE.
Signed-off-by: Florian Westphal
---
iptables/nft-shared.c | 65 +--
iptables/nft-shared.h | 5
iptables/nft.c| 25
needed to get the TRACE definition.
Signed-off-by: Florian Westphal
---
include/linux/netfilter.h | 15 +-
include/linux/netfilter/nf_tables.h | 680 +++-
include/linux/netfilter/nfnetlink.h | 16 +
3 files changed, 703 insertions(+), 8 deletions(-)
diff
Phil Sutter wrote:
> Previous patch adding libnftables man page missed a backslash.
applied, thanks.
This is one of the very few external callers of ->get_timeouts(),
We can use a fixed timeout instead, conntrack core will refresh this in
case a new packet comes within this period.
Use of ESTABLISHED timeout seems way too huge anyway.
Signed-off-by: Florian Westphal
---
net/netfil
It's simpler to just handle it directly in nf_ct_invert_tuple().
Also gets rid of need to pass l3proto pointer to resolve_conntrack().
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack_core.h | 1 -
include/net/netfilter/nf_conntrack_l3proto.h | 7 ---
net/ipv4
Handle it in the core instead.
ipv6_skip_exthdr() is built-in even if ipv6 is a module, i.e. this
doesn't create an ipv6 dependency.
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack_l3proto.h | 8 --
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 30 ---
net
art with ctnetlink, then move on to packet-path ones.
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack_core.h | 6 +-
include/net/netfilter/nf_conntrack_l3proto.h | 8 ---
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 47 -
net/ipv6/netfil
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack_l3proto.h | 7 -
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 17 ---
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 18
net/netfilter/nf_conntrack_core.c | 39
similar to previous change, this also allows to remove it
from nf_ipv6_ops and avoid the indirection.
It also removes the bogus dependency of nf_conntrack_ipv6 on ipv6 module:
ipv6 checksum functions are built into kernel even if CONFIG_IPV6=m,
but ipv6/netfilter.o isn't.
Signed-off-by: Florian
These versions deal with the l3proto/l4proto details internally.
After this, l3proto->get_l4proto() can be removed in a followup patch.
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack_core.h | 7 ---
net/netfilter/nf_conntrack_core.c | 3 +--
net/openvswi
allows to make nf_ip_checksum_partial static, it no longer
has an external caller.
Signed-off-by: Florian Westphal
---
include/linux/netfilter_ipv4.h | 11 -
net/ipv4/netfilter.c | 53
net/netfilter/utils.c | 55
This patch series does some initial preparation work with the
(eventual) goal to remove nf_conntrack_ipv{4,6} and replace it
with a builtin inet tracker that handles both protocols.
The first two patches move nf_ip_checksum handling out of
ipv4/ip6. This is to get rid of the (unneeded)
Pablo Neira Ayuso wrote:
> > Unrelated to your patch: I think timeout handling is braindead
> > in current conntrack, we should revisit this.
>
> By now, I think it's fine as is, I mean using the template, so
> Harsha/someone else can have a look at this in a second step.
Yes, sure. It's on my
This needs to use xt_unregister_targets, else new revision is left
on the list which then causes list to point to a target struct that has been
free'd.
Fixes: 472a73e00757 ("netfilter: xt_conntrack: Support bit-shifting for
CONNMARK & MARK targets.")
Signed-off-by: Florian West
Harsha Sharma wrote:
> +ctnl_timeout_parse_policy(void *timeouts,
> + const struct nf_conntrack_l4proto *l4proto,
> + struct net *net, const struct nlattr *attr)
> +{
> + int ret = 0;
> + struct nlattr **tb;
> +
> + if
Dan Carpenter points out that deref occurs after NULL check, we should
re-fetch the pointer and check that instead.
Fixes: 2c205dd3981f7 ("netfilter: add struct nf_nat_hook and use it")
Reported-by: Dan Carpenter
Signed-off-by: Florian Westphal
---
Not even compile tested, patch is v
Taehee Yoo wrote:
> When depth of chain is bigger than NFT_JUMP_STACK_SIZE,
> the nft_do_chain crashes.
> But there is no need to crash hard here.
Thanks a lot for following up.
Acked-by: Florian Westphal
Taehee Yoo wrote:
> The level of struct nft_ctx is updated by nf_tables_check_loops().
[..]
> [ 168.803743] kernel BUG at net/netfilter/nf_tables_core.c:186!
Could you also send a followup patch to replace this BUG_ON with
WARN_ON_ONCE+ return NF_DROP?
There is no need to crash hard here.
care of cleanup work.
We also need to make sure the netdev hook type gets removed
before netns ops removal, else notifier might be invoked with device
event for a netns where net->nft was never initialised (because
pernet ops was removed beforehand).
Signed-off-by: Florian Westphal
---
ill registered.
Change netns exit path of nf_tables to make sure any incomplete
transaction gets removed on exit.
Signed-off-by: Florian Westphal
---
net/netfilter/nf_tables_api.c | 12 +---
net/netfilter/nfnetlink.c | 10 +++---
2 files changed, 16 insertions(+), 6 deleti
Máté Eckl wrote:
> I've been working on implementing tproxy matching to nftables, and I'd like
> you
> to comment on the planned syntax and possibilities.
>
> Basically I have planned an interface similar to nat statements with some
> restrictions.
>
> tproxy [][:]
>
> The restrictions
Hi!
The Netfilter project proudly presents:
nftables 0.9.0
This release contains fixes and following 'future features'
that will be available with upcoming 4.18 kernel:
- support to check if packet matches an existing socket.
This work is done as part of the "Summer of code" program and
Hi!
The Netfilter project proudly presents:
libnftnl 1.1.1
libnftnl is a userspace library providing a low-level netlink
programming interface (API) to the in-kernel nf_tables subsystem.
This library is currently used by the nft command line tool.
There are only a few changes since 1.1.0. Full
Pablo Neira Ayuso wrote:
> Can we avoid having the same script twice for iptables and ip6tables?
Yes, please.
> I mean, call the same script setting $IPTABLES to iptables or
> ip6tables.
We'll also want to use other frontends in the future, e.g. arptables,
ebtables, iptables-compat, etc. so it's
ded there.
Reported-by: syzbot+da4494182233c23a5...@syzkaller.appspotmail.com
Fixes: 55917a21d0cc0 ("netfilter: x_tables: add context to know if extension
runs from nft_compat")
Signed-off-by: Florian Westphal
---
net/bridge/netfilter/ebtables.c | 2 ++
net/ipv4/netfilter/ip_tables.c |
Phil Sutter wrote:
> Previously, this triggered a program abort:
>
> | # nft add table ip t
> | # nft add set ip t my_set '{ type ipv4_addr . inet_service ; flags interval
> ; }'
> | # nft add element ip t my_set '{10.0.0.1 . tcp }'
> | BUG: invalid range expression type concat
> | nft:
Jan Engelhardt wrote:
> Revert 66a97018a31eed416c6a25d051ea172e4d65be1b partly so as to use
> again and import a new ebtables.h
> from the kernel tree that has the "revision" field.
>
> With this, include/ebtables.h is (again) used by no source file, and
> so can be removed.
Looks good,
have AF_BRIDGE specific wrappers on kernel side.
Reported-by: syzbot+2b43f681169a2a0d3...@syzkaller.appspotmail.com
Signed-off-by: Florian Westphal
---
net/bridge/netfilter/ebtables.c | 13 +
1 file changed, 13 insertions(+)
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge
will consider these as jumps.
Therefore reject any target found due to unspec fallback.
Reported-by: syzbot+2b43f681169a2a0d3...@syzkaller.appspotmail.com
Signed-off-by: Florian Westphal
---
net/bridge/netfilter/ebtables.c | 7 +++
1 file changed, 7 insertions(+)
diff --git a/net/bridge/netfilter
Phil Sutter wrote:
> First of all, 'with icmp6' is invalid, expected is 'with icmpv6'. In
> addition to that, parameter 'type' expects an icmp*_code type, not
> icmp*_type. The respective table column was already correct, but in
> synopsis it was wrong.
Applied, thanks.
Fernando Fernandez Mancera wrote:
> The correct name is "docbook2x-man" not "docbookx2-man".
applied, thanks.
drops the nfnl mutex (for request_module) and the abort of this old
transaction is still pending.
The list is kept -- we need a way to iterate chains even if hash resize is
in progress without missing an entry.
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_tables.h | 7 ++-
net
Máté Eckl wrote:
> On Fri, Jun 01, 2018 at 08:59:07PM +0200, Florian Westphal wrote:
> > Máté Eckl wrote:
> > > diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
> > > index d03bc5a01a70..24802a2a9a90 100644
> > > --- a/net/ipv4/netfilter/Kc
Máté Eckl wrote:
> diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
> index d03bc5a01a70..24802a2a9a90 100644
> --- a/net/ipv4/netfilter/Kconfig
> +++ b/net/ipv4/netfilter/Kconfig
> @@ -29,7 +29,13 @@ config NF_SOCKET_IPV4
> tristate "IPv4 socket lookup support"
>
Máté Eckl wrote:
> On Thu, May 31, 2018 at 08:39:35PM +0200, Florian Westphal wrote:
> > Máté Eckl wrote:
> > > On Thu, May 31, 2018 at 04:48:58PM +0200, Pablo Neira Ayuso wrote:
> > > > On Thu, May 31, 2018 at 01:42:17PM +0200, Máté Eckl wrote:
> > > >
Máté Eckl wrote:
> On Thu, May 31, 2018 at 04:48:58PM +0200, Pablo Neira Ayuso wrote:
> > On Thu, May 31, 2018 at 01:42:17PM +0200, Máté Eckl wrote:
> > > On Thu, May 31, 2018 at 10:57:49AM +0200, Pablo Neira Ayuso wrote:
> > > > > I just wanted to make sure that the only accepted values are 0
Máté Eckl wrote:
> Transparent socket check is already implemented in nf_socket.h.
Acked-by: Florian Westphal
Pablo Neira Ayuso wrote:
> I suspect you're missing some code in the evaluation phase?
>
> So you get left->len 1 and right->len 4?
Yes, meta template sets len of 1, whereas RHS is 8 bit.
This can be fixed up during delinearization, in this case
we can know that kernel actually stores 1 byte.
Máté Eckl wrote:
> Not all of the occurrences are covered as this information is not
> available in the scope where the error message is printed.
Looks good to me, I'll apply in a few hours in case there are no further
comments.
Máté Eckl wrote:
> On Mon, May 28, 2018 at 05:43:18PM +0200, Florian Westphal wrote:
> > Máté Eckl wrote:
> > > > +const struct socket_template socket_templates[] = {
> > > > + [NFT_SOCKET_TRANSPARENT
gfree.w...@vip.163.com wrote:
> From: Gao Feng
>
> The helper and timeout strings are from user-space, we need to make
> sure they are null terminated. If not, evil user could make kernel
Looks good to me, thank you.
Acked-by: Florian Westphal
Rosysong wrote:
> I met a strange issue on nftables when I ran my commands on Linux (mips
> target, linux-4.9.102).
> Using a specific ip address cannot restrict the traffic flow while using
> broadcast address is ok (The ip for my machine is 192.168.2.223). Anybody
> can tell me why
othy Redaelli
Signed-off-by: Florian Westphal
---
tests/shell/testcases/cache/0001_cache_handling_0 | 4
1 file changed, 4 insertions(+)
diff --git a/tests/shell/testcases/cache/0001_cache_handling_0
b/tests/shell/testcases/cache/0001_cache_handling_0
index 20c19117033d..77afdf8d9072 100755
---
phase")
Signed-off-by: Florian Westphal
Please consider squashing this.
---
net/netfilter/nf_tables_core.c | 10 +-
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index c3315aa855f8..03dce8ff6f0d 100644
--- a/net
kbuild test robot wrote:
> >> include/linux/rcupdate.h:686:9: sparse: context imbalance in
> >> 'nft_netlink_dump_start_rcu' - unexpected unlock
Yep, I forgot to mention this in change log.
I don't know how to fix this.
nft_netlink_dump_start_rcu() is called with rcu read lock held.
But we
ed error
reporting").
Signed-off-by: Florian Westphal
---
iptables/nft.c | 56 +---
1 file changed, 37 insertions(+), 19 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index e33d00f4259c..6c68600fd979 100644
--- a/iptables/nft.c
+
it's the same as omitting it, so instead of generating
invalid compare-with-0-sized-register, just ignore it.
Reported-by: Pablo Neira Ayuso
Signed-off-by: Florian Westphal
---
iptables/nft-shared.c | 14 --
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/iptables/nft
xes: e46abbcc05aa8 ("netfilter: nf_tables: Allow table names of up to 255
chars")
Acked-by: Florian Westphal <f...@strlen.de>
Taehee Yoo <ap420...@gmail.com> wrote:
> The comment and trace_loginfo are not used anymore.
Indeed, thanks for fixing this up.
Acked-by: Florian Westphal <f...@strlen.de>
Alin Nastac wrote:
What's wrong exactly?
64bit kernel should be able to understand this without
userspace kludges (see net/bridge/netfilter/ebt_mark_m.c,
mark_mt_compat_from_user()).
Máté Eckl wrote:
> > +const struct socket_template socket_templates[] = {
> > + [NFT_SOCKET_TRANSPARENT]= {.token = "transparent",
> > + .dtype = _type,
> > + .len = 1 * BITS_PER_BYTE,
>
> I
Phil Sutter wrote:
> A meter size of 0x is the default, so regardless of whether it was
> explicitly specified by user or not, don't print it. This is in line
> with nft's tendency of shortening rules down to the minimal required
> form.
I think it should be printed to not
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/netfilter/nf_tables_api.c | 16 +---
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 528766cfd0a0..ab306e169d36 100644
--- a/net/net
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/netfilter/nf_tables_api.c | 14 --
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 9454c7fc1978..528766cfd0a0 100644
--- a/net/net
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/netfilter/nf_tables_api.c | 10 ++
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 879807f6015b..d0cfce2fb72b 100644
--- a/net/net
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/netfilter/nf_tables_api.c | 16 +---
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index d0cfce2fb72b..9454c7fc1978 100644
--- a/net/net
,put-ref
sequence.
The helper will be reused for all dumps in the followup patches.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/netfilter/nf_tables_api.c | 28
1 file changed, 24 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nf_tables_a
This callback just fetches the current base sequence,
there is no need to serialize this with nfnl nft mutex.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/netfilter/nf_tables_api.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_tables_a
just convert the callbacks to .call_rcu to have nfnetlink
not grab the subsystem mutex in the first place.
The patches are repetitive, as the same pattern is applied to all
get callbacks.
I split them up into smaller chunks to make this more dissectable.
Florian Westphal (8):
netfilter
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/netfilter/nf_tables_api.c | 12 +++-
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index e87faf5ea10c..879807f6015b 100644
--- a/net/net
in nf_tables not depend on the
nfnl mutex anymore.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/netfilter/nf_tables_api.c | 11 +++
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index c22795
abort batch processing and return so task can exit faster.
Otherwise even SIGKILL has no immediate effect.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/netfilter/nfnetlink.c | 8
1 file changed, 8 insertions(+)
diff --git a/net/netfilter/nfnetlink.c b/net/net
base
types)
nf_tables_api.c:3538:55: warning: incorrect type in argument 3 (different base
types)
Signed-off-by: Florian Westphal <f...@strlen.de>
---
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index ab306e169d36..6bffbe9d5d87 100644
--- a/net/net
Just use .call_rcu instead. We can drop the rcu read lock
after obtaining a reference and re-acquire on return.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/netfilter/nft_compat.c | 29 ++---
1 file changed, 18 insertions(+), 11 deletions(-)
diff --git
that such table exists.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
iptables/nft.c | 62 +
iptables/nft.h | 1 -
iptables/xtables-save.c | 7 --
iptables/xtables.c | 6 -
4 files changed, 27 insertions(
This is used by a followup patch to avoid continuing the 'dump everything
and then ignore what we don't need' model.
Places that know they only need a particular table
'iptables-save -t filter' can ask the kernel to limit this for us.
Signed-off-by: Florian Westphal <f...@strlen
that.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
iptables/nft.c | 175 +++--
iptables/nft.h | 5 ++
iptables/xtables-restore.c | 1 +
3 files changed, 159 insertions(+), 22 deletions(-)
diff --git a/iptables/n
Sabrina Dubroca wrote:
> Commit 6979625686ec ("relational: Eliminate meta OPs") introduced some
> bugs when printing bitmask types.
>
> First, during the post-processing phase of delinearization, the
> expression for "tcp flags syn" (PAYLOAD & flag != 0) gets converted to
>
can be incremented.
nft_do_chain() will either continue to use the current generation
(in case loop was invoked right before increment), or the new one.
Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org>
Signed-off-by: Florian Westphal <f...@strlen.de>
---
include/net/netfilter/nf_ta
commit phase is slow as it can invoke synchronize_rcu twice (depending
on the batch).
Remove the unconditional synchronize_rcu() by storing rcu-protected
array of the active rules.
After this, nft_do_chain always gets a consistent snapshot and no longer
needs to examine the rule struct to decide
we
perform all actions that could return an error before
we increment the generation counter and the base seq.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/netfilter/nfnetlink.c | 9 -
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nfnetlin
No need to have those available as extra modules; make it
part of nat core and nat_ipv4/ip6, respectively.
kconfig options are turned into implicit dependencies.
No changes vs. v1 except a rebase on nf-next.
7245 872 881251fbd net/ipv4/netfilter/nf_nat_ipv4.ko
9165 848 12 100252729 net/ipv6/netfilter/nf_nat_ipv6.ko
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/ipv4/netfilter/Kconfig | 5 +
net/ipv4/netfilter/Makefile
792 02028 7ec net/netfilter/nf_nat_redirect.ko
after:
2034015084138 259866582 net/netfilter/nf_nat.ko
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/netfilter/Kconfig | 6 +-
net/netfilter/Makefile | 2 +-
net/net
ormation
if we can't find an expression (e.g. added by newer version).
Signed-off-by: Florian Westphal <f...@strlen.de>
---
src/netlink_delinearize.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 8f4035a291f4..9db
no translation yet, might be doable with raw payload expressions though.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
extensions/libebt_arp.c | 490
iptables/xtables-eb.c | 1 +
2 files changed, 491 insertions(+)
create mode 100644 exte
No translation. The kernel match will alter packet type
(meta set pkttype), but also replace dst mac with the bridges' mac address,
however nft currently doesn't allow to retrieve this at runtime.
So just add this without the xlate part for now.
Signed-off-by: Florian Westphal <f...@strlen
adds snat and dnat.
Translation for snat isn't complete, the --snat-arp switch isn't supported so
far.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
extensions/libebt_dnat.c | 134 ++
extensions/libebt_dnat.txlate | 8 ++
extensions/libebt_
Greg Kroah-Hartman wrote:
> On Thu, May 17, 2018 at 12:42:00PM +0200, Jan Engelhardt wrote:
> >
> > On Thursday 2018-05-17 12:09, Greg Kroah-Hartman wrote:
> > >> > --- a/net/netfilter/x_tables.c
> > >> > +++ b/net/netfilter/x_tables.c
> > >> > @@ -1183,11 +1183,10 @@
Máté Eckl wrote:
> This series of patches fixes or supplements files related to python tests that I
> have met during my first test case.
>
> Máté Eckl (7):
> test: Specify python version in nft-test.py
> test: Small typo fixes in the python tests README
> test/py: Updated
Phil Sutter wrote:
> Bridge family allows reject statement in prerouting and input chains
> only. Users can't know without looking at kernel code.
Applied, thanks.
Máté Eckl wrote:
> +socket_stmt : SOCKET EXISTS /* with the actual
> implementation we cannot match absence */
I think we should go for a native expression.
I'll leave it up to you what you'd like to do next.
There are a few options:
1. First go for TPROXY
Taehee Yoo <ap420...@gmail.com> wrote:
> In the nft_meta_set_eval, nftrace value is dereferenced as u32 from sreg.
> But correct type is u8. so that sometimes incorrect value is dereferenced.
Acked-by: Florian Westphal <f...@strlen.de>
Máté Eckl wrote:
> Originally I also added the following lines but it made the print too slow for
> the test to pass.
>
> It printed the following warning:
> inet/socket.t: WARNING: line 8: 'add rule ip sockip4 sockchain socket
> exists': 'socket exists' mismatches
r ftp {
> type "ftp" protocol tcp
> }
> chain input {
> type filter hook input priority 4;
> ct helper set "ftp"
> }
>}
Acked-by: Florian Westphal <f...@strlen.de>
Máté Eckl wrote:
> Hi all,
>
> I've been trying to write a python test for socket matching I am about to
> introduce, but I cannot generate a payload file for it. Florian told me that
> if
> I provide an empty payload file, it will be autogenerated, but it does not.
Works
Geert Uytterhoeven <ge...@linux-m68k.org> wrote:
> On Tue, May 8, 2018 at 9:17 AM, Florian Westphal <f...@strlen.de> wrote:
> > Stephen Rothwell <s...@canb.auug.org.au> wrote:
> >> On Mon, 7 May 2018 10:55:19 +1000 Stephen Rothwell <s...@canb.auug.org.au>
This uncovered broken translation of ethernet + mask.
Signed-off-by: Florian Westphal <f...@strlen.de>
---
extensions/generic.txlate | 15 ++
iptables/nft-bridge.c | 73 +++
2 files changed, 57 insertions(+), 31 deletions(-)
diff