Arnd Bergmann wrote:
> and that resulted in a new build failure:
>
> net/netfilter/nf_conntrack_proto.o:(.rodata+0x788): undefined
> reference to `nf_conntrack_l4proto_icmpv6'
> net/ipv6/netfilter/nf_conntrack_reasm.o: In function `nf_ct_frag6_expire':
> nf_conntrack_reasm.c:(.text+0x2320): undef
Arnd Bergmann wrote:
> Now that the conntrack module contains code for ipv6, we can no longer
> have it built-in while IPv6 itself is a loadable module:
>
> net/netfilter/nf_conntrack_proto.o: In function `nf_ct_netns_do_get':
> nf_conntrack_proto.c:(.text+0x88c): undefined reference to
> `nf_de
Pablo Neira Ayuso wrote:
> On Fri, Jul 06, 2018 at 02:53:25PM +0200, Florian Westphal wrote:
> > Pablo Neira Ayuso wrote:
> > > On Wed, Jul 04, 2018 at 09:13:06PM +0200, Florian Westphal wrote:
> > > > iptables-nft never requests these, but explicitly reject thi
Pablo Neira Ayuso wrote:
> On Wed, Jul 04, 2018 at 09:13:06PM +0200, Florian Westphal wrote:
> > iptables-nft never requests these, but explicitly reject this.
> >
> > If it were requested, kernel will oops as ->target is NULL.
> >
> > Signed-off-by: Florian
Hi!
The Netfilter project proudly presents:
iptables 1.8
This release contains fixes and following new features:
- The ipv6 'srh' match can now match previous/next/last sid
- CONNMARK target now supports bit-shifting for restore,set and save-mark.
- DNAT now supports shifted portmap ranges.
A
] ? ns_capable_common+0x6e/0x110
[ ... ]
Fixes: e46abbcc05aa8 ("netfilter: nf_tables: Allow table names of up to 255 chars")
Signed-off-by: Taehee Yoo
Acked-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Florian Westphal
---
net/netfilter/nf_tables_api.c | 2 +-
1 file
iptables-nft never requests these, but explicitly reject this.
If it were requested, kernel will oops as ->target is NULL.
Signed-off-by: Florian Westphal
---
net/netfilter/nft_compat.c | 12
1 file changed, 12 insertions(+)
diff --git a/net/netfilter/nft_compat.c b/net/netfil
nft_compat relies on xt_request_find_match to increment
refcount of the module that provides the match/target.
The (builtin) icmp matches didn't set the module owner so it
was possible to rmmod ip(6)tables while icmp extensions were still in use.
Signed-off-by: Florian Westphal
---
v2:
Pablo Neira Ayuso wrote:
> On Wed, Jul 04, 2018 at 07:52:18PM +0200, Florian Westphal wrote:
> > Pablo Neira Ayuso wrote:
> > > On Wed, Jul 04, 2018 at 07:39:54PM +0200, Pablo Neira Ayuso wrote:
> > > > On Thu, Jun 28, 2018 at 05:55:49PM +0200, Florian Westphal wrot
Pablo Neira Ayuso wrote:
> On Wed, Jul 04, 2018 at 07:39:54PM +0200, Pablo Neira Ayuso wrote:
> > On Thu, Jun 28, 2018 at 05:55:49PM +0200, Florian Westphal wrote:
> > > nft_compat relies on xt_request_find_match/target to increment
> > > refcount of the module tha
Pablo Neira Ayuso wrote:
> On Wed, Jul 04, 2018 at 07:34:54PM +0200, Pablo Neira Ayuso wrote:
> > On Thu, Jun 28, 2018 at 01:34:42PM +0200, Máté Eckl wrote:
> > > This patch fixes a silent out-of-bound read possibility that was present
> > > because of the misuse of this function.
> > >
> > > Mos
limit http-traffic { rate 1/second } gets printed as
limit http-traffic { rate 1/second burst 5 packets }
caused tests/shell/run-tests.sh tests/shell/testcases/sets/0026named_limit_0
to return 'DUMP FAIL'.
Signed-off-by: Florian Westphal
---
src/rule.c | 2 +-
1 file changed, 1
Pablo Neira Ayuso wrote:
> Default not to print the service name as we discussed during the NFWS.
>
> # nft list ruleset
> table ip x {
> chain y {
> ...
> tcp dport 22 counter packets 0 bytes 0
> }
> }
>
> Still, if you want it to be displayed, y
Currently nft uses inlined variants for common operations
such as 'ip saddr 1.2.3.4' instead of an indirect call.
Also handle meta get operations and lookups without indirect call,
both are builtin.
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_tables_core.h | 7 ++
Máté Eckl wrote:
> Signed-off-by: Máté Eckl
Applied, thank you.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
lways
printing the longer form.
Later on, we could start to print deprecation warning if needed.
NB: Patch causes a gazillion test case warnings, I would fix those
up of course.
Signed-off-by: Florian Westphal
---
doc/nft.xml | 2 +-
src/meta.c | 33 ++---
2
it significantly increases risk of collisions with actual keywords,
e.g. one of the removed services is 'tproxy', which might soon be an
actual token when TPROXY support for nftables is merged.
Signed-off-by: Florian Westphal
---
src/servic
Taehee Yoo wrote:
> 2018-07-02 20:38 GMT+09:00 Florian Westphal :
> > Taehee Yoo wrote:
> >> set->nelems is increased when set->size is given.
> >> So a routine checking set->size should be added.
> >
> > Does it make sense to have sets with no
Yi-Hung Wei wrote:
> This patch series applies the following techniques to optimize nf_conncount
> performance.
>
> * Early exit for garbage collection
> In order to reduce gc time, we skip traversing the full list on
> every node when doing garbage collection, since it is enough to zap
> a couple
Yi-Hung Wei wrote:
> From: Florian Westphal
>
> This patch adds list lock to 'struct nf_conncount_list' so that we can
> alter the lists containing the individual connections without holding the
> main tree lock. It would be useful when we only need to add/remove
Florian Westphal wrote:
> Jan Engelhardt wrote:
> > Well yeah there is, I tried it, and then thought,
> > gee, I am a German, I should be solving the issue thoroughly
> > rather than just bandaiding an old Makefile.
> Ok, I see, your series supersedes that 'bandaid
Arushi Singhal wrote:
> Shell prompt ends with:
> "%", indicates a C shell.
> "$", indicates shell that's compatible with the Bash.
> "#", indicates shell is running as the system's root.
> So, "%" is replaced with "$" or "#".
Applied.
Taehee Yoo wrote:
> In order to destroy elements of set, a rhashtable_free_and_destroy()
> is used. The rhashtable_free_and_destroy() cancels a re-hash deferred work
> then walks and destroys elements. At this moment, some elements are
> still in a future_tbl. Those elements are not destroyed.
Wai
Taehee Yoo wrote:
> set->nelems is increased when set->size is given.
> So a routine checking set->size should be added.
Does it make sense to have sets with no upper size?
I think it makes more sense to enforce an upper bound
so that set->size is always nonzero.
Martynas Pumputis wrote:
> This patch enables the clash resolution for NAT (disabled in
> "590b52e10d41") if clashing conntracks match (i.e. both tuples are equal)
> and a protocol allows it.
>
> In this case it is safe to perform the resolution, as the losing CT
> describes the same mangling as
Máté Eckl wrote:
> v2:
> - tproxy statement without arguments is not supported
> - Add transport protocol matching criterion to address evaluation.
> - Specify network layer protocol in inet tables
Looks good to me, thanks.
Pablo, I plan to apply this once kernel patch is accepted.
Unfortunately no nft translation available so far.
Signed-off-by: Florian Westphal
---
extensions/libebt_stp.c | 391
iptables/xtables-eb.c | 1 +
2 files changed, 392 insertions(+)
create mode 100644 extensions/libebt_stp.c
diff --git a
Mimic firewalld startup, i.e. "iptables-restore -n" use.
First script is normal startup,
second script restores ruleset, then re-runs first one (i.e., with
existing rules rather than non-existent tables).
Signed-off-by: Florian Westphal
---
.../testcases/firewalld-restore/0001-f
directory): rule in chain PREROUTING
Signed-off-by: Florian Westphal
---
iptables/ip6tables.c | 2 +-
iptables/iptables.c | 2 +-
iptables/nft.c | 14 +-
iptables/xtables.c | 2 +-
4 files changed, 8 insertions(+), 12 deletions(-)
diff --git a/iptables/ip6tables.c b/i
Máté Eckl wrote:
> For example:
> table ip x {
> chain y {
> type filter hook prerouting priority -150; policy
> accept;
> # Now I print this:
> ip protocol tcp tproxy ip to 1.1.1.1
> # but I'd like this:
> ip p
Jan Engelhardt wrote:
> On Friday 2018-06-29 12:11, Pablo Neira Ayuso wrote:
>
> >On Fri, Jun 29, 2018 at 12:05:12PM +0200, Jan Engelhardt wrote:
> >> So does that mean we're not going to address the build failure
> >> experienced by Duncan Roe and the tomato project?
> >
> >I think we agreed the
Pablo Neira Ayuso wrote:
> On Fri, Jun 29, 2018 at 11:32:11AM +0200, Jan Engelhardt wrote:
> >
> > On Friday 2018-06-29 11:19, Pablo Neira Ayuso wrote:
> > >Not sure this is worth this change.
> > >
> > >I would prefer conversion to autotools is just as transparent as
> > >possible.
> >
> > And
Handle it in the core instead.
ipv6_skip_exthdr() is built-in even if ipv6 is a module, i.e. this
doesn't create an ipv6 dependency.
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack_l3proto.h | 8 --
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 30 ---
Handle the common cases (tcp, udp, etc). in the core and only
do the indirect call for the protocols that need it (GRE for instance).
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack_l4proto.h | 2 +-
net/netfilter/nf_conntrack_core.c| 8 +++-
net
It's simpler to just handle it directly in nf_ct_invert_tuple().
Also gets rid of the need to pass l3proto pointer to resolve_conntrack().
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack_core.h | 1 -
include/net/netfilter/nf_conntrack_l3proto.h | 7 ---
net/ipv4
Handle common protocols (udp, tcp, ..), in the core and only
do the call if needed by the l4proto tracker.
Signed-off-by: Florian Westphal
---
v2: avoid a sparse warning in nf_ct_get_tuple(),
no change in generated code.
net/netfilter/nf_conntrack_core.c | 16 +++-
net
ipv6 module this
is feasible, reducing complexity and code size.
The patches first get rid of the l3proto indirections by merging
them into the core, then remove the l3 trackers themselves.
After this it becomes possible to simplify the l4proto
protocols as well.
Florian Westphal (8
art with ctnetlink, then move on to packet-path ones.
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack_core.h | 6 +-
include/net/netfilter/nf_conntrack_l3proto.h | 8 ---
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 47 -
net/ipv6/netfil
nf_conntrack.ko
19K nf_conntrack_ipv4.ko
19K nf_conntrack_ipv6.ko
179K nf_conntrack.ko
after:
text data bss dec hex filename
79277 13937 236 93450 16d0a nf_conntrack.ko
191K nf_conntrack.ko
Signed-off-by: Florian Westphal
---
v2: add a missing IS_ENABLED to fix a build
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack_l3proto.h | 7 -
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 17 ---
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 18
net/netfilter/nf_conntrack_core.c | 39
Not needed, we can have the l4trackers fetch it themselves.
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack_l4proto.h | 8 ++--
include/net/netfilter/nf_conntrack_timeout.h | 18 --
net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 16
no plans to support daemon mode, so remove this.
Signed-off-by: Florian Westphal
---
iptables/xtables-eb.c | 87 +--
1 file changed, 7 insertions(+), 80 deletions(-)
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 9460a91a36ee
Signed-off-by: Florian Westphal
---
.../shell/testcases/ebtables/0001-ebtables-basic_0 | 52 ++
1 file changed, 52 insertions(+)
create mode 100755
iptables/tests/shell/testcases/ebtables/0001-ebtables-basic_0
diff --git a/iptables/tests/shell/testcases/ebtables/0001
In both cases the argument is optional, in both cases
the argument wasn't evaluated.
Signed-off-by: Florian Westphal
---
iptables/xtables-eb.c | 17 ++---
1 file changed, 6 insertions(+), 11 deletions(-)
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index a88bf62
Signed-off-by: Florian Westphal
---
iptables/xtables-eb.c | 10 ++
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index e22181eebe60..9460a91a36ee 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -208,6 +208,9
Not needed, we can have the l4trackers fetch it themselves.
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack_l4proto.h | 8 ++--
include/net/netfilter/nf_conntrack_timeout.h | 18 --
net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 16
nf_conntrack.ko
19K nf_conntrack_ipv4.ko
19K nf_conntrack_ipv6.ko
179K nf_conntrack.ko
after:
text data bss dec hex filename
79277 13937 236 93450 16d0a nf_conntrack.ko
191K nf_conntrack.ko
Signed-off-by: Florian Westphal
---
include/net/netfilter/ipv4
Handle it in the core instead.
ipv6_skip_exthdr() is built-in even if ipv6 is a module, i.e. this
doesn't create an ipv6 dependency.
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack_l3proto.h | 8 --
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 30 ---
It's simpler to just handle it directly in nf_ct_invert_tuple().
Also gets rid of the need to pass l3proto pointer to resolve_conntrack().
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack_core.h | 1 -
include/net/netfilter/nf_conntrack_l3proto.h | 7 ---
net/ipv4
Handle the common cases (tcp, udp, etc). in the core and only
do the indirect call for the protocols that need it (GRE for instance).
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack_l4proto.h | 2 +-
net/netfilter/nf_conntrack_core.c| 8 +++-
net
Handle common protocols (udp, tcp, ..), in the core and only
do the call if needed by the l4proto tracker.
Signed-off-by: Florian Westphal
---
net/netfilter/nf_conntrack_core.c | 12 +++-
net/netfilter/nf_conntrack_proto_dccp.c | 17 -
net/netfilter
art with ctnetlink, then move on to packet-path ones.
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack_core.h | 6 +-
include/net/netfilter/nf_conntrack_l3proto.h | 8 ---
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 47 -
net/ipv6/netfil
.
The patches first get rid of the l3proto indirections by merging
them into the core, then remove the l3 trackers themselves.
After this it becomes possible to simplify the l4proto
protocol handling as well.
Florian Westphal (8):
netfilter: conntrack: remove ctnetlink callbacks from l3
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack_l3proto.h | 7 -
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 17 ---
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 18
net/netfilter/nf_conntrack_core.c | 39
Jan Engelhardt wrote:
> Prepare for autoconf-based substitution of macros in the file.
It breaks make install.
Not a big deal, after pulling the whole series make seems to create
a static build by default, make install DESTDIR=/tmp/foo results
in all the ebt_foo.so files being omitted, instead they
Jan Engelhardt wrote:
> Calling /usr/bin/install with -o/-g will attempt to chown, and fail
> if unsuccessful, which makes an unprivileged install with DESTDIR a
> futile attempt always.
>
> Drop it, because /usr/bin/install chowns to the current running user
> *anyway*, which means when root cal
Máté Eckl wrote:
> I don't really know autoconfig, but isn't it possible to prioritize the
> alternatives? For example, use docbook2x-man if available, if it is not, use
> db2x-docbook2man, if neither of them is present, use docbook2man? And of
> course fail, if none of them is present.
I t
nft_compat relies on xt_request_find_match/target to increment
refcount of the module that provides the match/target.
The builtin modules/targets currently didn't set the module owner so it
was possible to rmmod ip(6)tables while extensions were still in use.
Signed-off-by: Florian Wes
Máté Eckl wrote:
> On Thu, Jun 28, 2018 at 12:05:17PM +0200, Pablo Neira Ayuso wrote:
> > Then, we can probably switch other "if IPV6" dependencies in the
> > Kconfig file I think, in a single patch.
>
> Ok, I'll look after similar cases. This seems to be useful for XT_* and NFT
> modules as they
Arushi Singhal wrote:
> README added
Sorry, you will need to rebase this on top of current iptables.git
master.
> +Before each call to the test-files, `kernel_cleanup' will be called.
I removed 'kernel_cleanup' in favor of running tests in a temporary
netns.
> +Also, test-files will receive th
e the constant expression, so never do this if we have
an invalid expression in the current eval context.
Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1265
Signed-off-by: Florian Westphal
---
src/evaluate.c| 3 +++
tests/shell/testcases
Jan Engelhardt wrote:
> Commands, options, filenames, and possibly references to other
> manpages, should always use the minus. (Important for copy-n-paste
> and e.g. following manpage links.) Everything else can do with the
> dash.
Applied, thank you.
Jan Engelhardt wrote:
>
> The following changes since commit 56993546c80576986930f9bae7ae4ba744b1e508:
>
> extensions: fix build failure on fc28 (2018-06-06 14:22:25 +0200)
>
> are available in the Git repository at:
>
> https://github.com/jengelh/ebtables master
>
> for you to fetch chan
Florian Westphal wrote:
> This adds a clear distinction between old iptables (formerly
> xtables-multi, now xtables-legacy-multi) and new iptables
> (formerly xtables-compat-multi, now xtables-nft-multi).
>
> Users will get the ip/ip6tables names via symbolic links, having
&g
Pablo Neira Ayuso wrote:
> On Mon, Jun 18, 2018 at 03:12:51PM +0200, Máté Eckl wrote:
> > - NFT_SOCKET selected NF_SOCKET based on the wrong criterion.
> > IPV6 itself does not guarantee that ipv6 functionality is available in
> > nft.
> > - NETFILTER_XT_MATCH_SOCKET now selects NF_SOCKET
> >
eparation updating netfilter to check if the
> socket netns matches before using it.
Acked-by: Florian Westphal
Jan Engelhardt wrote:
[ sorry for duplicate ]
> On Wednesday 2018-06-27 13:33, Florian Westphal wrote:
>
> >This adds a clear distinction between old iptables (formerly
> >xtables-multi, now xtables-legacy-multi) and new iptables
> >(formerly xtables-compat-mult
to
make a clear distinction, as iptables-nft will always use
nf_tables and iptables-legacy always uses get/setsockopt whereas
"iptables" could be symlinked to either -nft or -legacy.
Signed-off-by: Florian Westphal
---
iptables-test.py | 6 +-
/chain/0005rename_1
I: [OK] ./iptables/tests/shell/testcases/ipt-save/0001load-dumps_0
I: [OK] ./iptables/tests/shell/testcases/ipt-save/0001load-dumps_0
I: nft results: [OK] 10 [FAILED] 0 [TOTAL] 10
I: combined results: [OK] 20 [FAILED] 0 [TOTAL] 20
Signed-off-by: Florian Westphal
fail"
exit 1
Much simpler, imo. This was inherited from nft shell tests
though and changing it there is rather intrusive so use same scheme for
now.
Signed-off-by: Florian Westphal
---
iptables/tests/shell/run-tests.sh | 94 +-
.../tests/shell/testca
DROP policies.
A better fix would be to add the policy setting to the chain cache
but it seems we'll need a chain abstraction with refcounting first.
Fixes: 01e25e264a4c4 ("xtables: add chain cache")
Signed-off-by: Florian Westphal
---
iptables/nft.c | 6 ++
John Crispin wrote:
> Currently traffic that hits the SW offloading path is not accounted for
> and the conntrack counters will only show the first packet of the flow.
> This patch adds a small helper function that gets called from the nf_hooks,
> updating the accounting counters.
Not sure this i
Hi.
Please consider applying
47b7e7f82802 ("netfilter: don't set F_IFACE on ipv6 fib lookups")
and its followup commit:
cede24d1b21d ("netfilter: ip6t_rpfilter: provide input interface for route lookup")
to 4.14.y.
For 4.16.y and 4.17.y, please consider applying
cede24d1b21d ("netfilter: ip6t_
These versions deal with the l3proto/l4proto details internally.
It removes the only caller of nf_ct_get_tuple, so make it static.
After this, l3proto->get_l4proto() can be removed in a followup patch.
Signed-off-by: Florian Westphal
---
No changes since v1.
This is a preparation patch to rem
similar to previous change, this also allows to remove it
from nf_ipv6_ops and avoid the indirection.
It also removes the bogus dependency of nf_conntrack_ipv6 on ipv6 module:
ipv6 checksum functions are built into kernel even if CONFIG_IPV6=m,
but ipv6/netfilter.o isn't.
Signed-off-by: Fl
allows to make nf_ip_checksum_partial static, it no longer
has an external caller.
Signed-off-by: Florian Westphal
---
no changes since v1.
include/linux/netfilter_ipv4.h | 11 -
net/ipv4/netfilter.c | 53
net/netfilter/utils.c
Máté Eckl wrote:
> On Thu, Jun 21, 2018 at 04:31:48PM +0200, Florian Westphal wrote:
> > Máté Eckl wrote:
> > > > This looks like it's subtly broken, inherited from xt_TPROXY.
> > > > Above skb_header_pointer uses sizeof(udphdr) only, but
> > > >
Máté Eckl wrote:
> > This looks like it's subtly broken, inherited from xt_TPROXY.
> > Above skb_header_pointer uses sizeof(udphdr) only, but nf_tproxy_get_sock_v4
> > assumes it gets tcphdr (it checks th->doff, and that might be garbage).
>
> I thought about why iptables uses udphdr consequently
ttit
Reported-by: Yi-Hung Wei
Signed-off-by: Florian Westphal
---
v2: rework this.
In the second case, still count such an entry, and also prevent
it from being added a second time, i.e. set addit to false after
compare.
This isn't ideal either but at the moment I have no better idea
ex
9f40c5c7 inet filter input verdict continue
trace id 9f40c5c7 inet filter input policy drop
Reported-by: v...@gmx.net
Signed-off-by: Florian Westphal
---
src/netlink.c | 31 ++-
1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/src/netlink.c b/src/netlink.
Florian Westphal wrote:
> ѽ҉ᶬḳ℠ wrote:
> kernel part of the bug:
>
> nft_trace_packet(&info, basechain, NULL, NFT_TRACETYPE_POLICY);
>
> if (static_branch_unlikely(&nft_counters_enabled))
> nft_upda
Máté Eckl wrote:
> On Wed, Jun 20, 2018 at 01:29:51PM +0200, Florian Westphal wrote:
> > Máté Eckl wrote:
> > > This patch is built on the commit not applied yet with the title:
> > > evaluate: Detect address family in inet context
> >
> > You can
ѽ҉ᶬḳ℠ wrote:
moving to nf-devel.
> Having this very simple setup icmp is not getting through at the target
> machine. Flushing the nft ruleset the icmp traffic is getting through.
Yes, this set
> table inet filter {
> chain input {
> type filter hook input priority 0; policy drop;
Pablo Neira Ayuso wrote:
> A few comments on top of Florian's.
>
> On Wed, Jun 20, 2018 at 12:41:29PM +0200, Máté Eckl wrote:
> [...]
> > +#if IS_ENABLED(CONFIG_NF_TPROXY_IPV6)
> > +static void nft_tproxy_eval_v6(const struct nft_expr *expr,
> > + struct nft_regs *regs,
> >
Máté Eckl wrote:
> There are some changes compared to the iptables implementation:
> - tproxy statement is not terminal here
> - no transport protocol criterion is necessary to set target ip address
> + const struct nft_tproxy *priv = nft_expr_priv(expr);
> + struct sk_buff *skb = pkt->
Máté Eckl wrote:
> This patch is built on the commit not applied yet with the title:
> evaluate: Detect address family in inet context
You can add this ...
> Example ruleset:
> table inet x {
> chain y {
> type filter hook prerouting priority -150;
rule inet x y tproxy to 1.1.1.1
> Error: Could not resolve hostname: Address family for hostname not
> supported
> add rule inet x y tproxy to 1.1.1.1
I see no problem here, so
Acked-by: Florian Westphal
Arushi Singhal wrote:
> typos/Grammatical errors are corrected.
Applied, thanks everyone.
Provide a hint that iptables isn't showing all rules because
it's using nfnetlink rather than old set/getsockopt.
Signed-off-by: Florian Westphal
---
iptables/nft-shared.c | 29 +
iptables/nft-shared.h | 1 +
iptables/xtables-save.c
(nf_tables)
Suggested-by: Harald Welte
Signed-off-by: Florian Westphal
---
iptables/ip6tables-restore.c | 2 +-
iptables/ip6tables-save.c| 9 -
iptables/ip6tables.c | 2 +-
iptables/iptables-restore.c | 2 +-
iptables/iptables-save.c | 9 -
iptables/iptables.c
t-pfx
1c3::/64
NEWGEN: GENID=6581 PID=15601 NAME=xtables-multi
Signed-off-by: Florian Westphal
---
Changes since v1:
- allow filtering for ip(6)tables, but also allow listing both
ipv4/ipv6 events
- add fallback for nft-style events for base chains (hook prios etc)
- change to -N/-X for us
napi got moved around).
This most likely also fixes an xt_connlimit imbalance earlier reported
by Dmitry Andrianov.
Cc: Dmitry Andrianov
Reported-by: Justin Pettit
Reported-by: Yi-Hung Wei
Signed-off-by: Florian Westphal
---
Only compile tested so far, sending it now to illustrate
idea and so
t-pfx
1c3::/64
NEWGEN: GENID=6581 PID=15601 NAME=xtables-multi
Signed-off-by: Florian Westphal
---
iptables/Makefile.am| 3 +-
iptables/xtables-compat-multi.c | 1 +
iptables/xtables-monitor.c | 639
iptables/xtables-multi.c| 1 -
nft meta expr enables the nfnetlink based trace infrastructure, so
prefer to use that rather than xt_TRACE.
Signed-off-by: Florian Westphal
---
iptables/nft-shared.c | 65 +--
iptables/nft-shared.h | 5
iptables/nft.c| 25
needed to get the TRACE definition.
Signed-off-by: Florian Westphal
---
include/linux/netfilter.h | 15 +-
include/linux/netfilter/nf_tables.h | 680 +++-
include/linux/netfilter/nfnetlink.h | 16 +
3 files changed, 703 insertions(+), 8 deletions(-)
diff
Phil Sutter wrote:
> Previous patch adding libnftables man page missed a backslash.
applied, thanks.
This is one of the very few external callers of ->get_timeouts().
We can use a fixed timeout instead, conntrack core will refresh this in
case a new packet comes within this period.
Use of ESTABLISHED timeout seems way too huge anyway.
Signed-off-by: Florian Westphal
---
net/netfil
Florian Westphal wrote:
> enum ip_conntrack_info ctinfo;
> struct nf_nat_hook *nat_hook;
> - unsigned int dataoff, status;
> + unsigned int status;
> struct nf_conn *ct;
> + int dataoff;
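Review bot: changing dataoff to a signed int only helps if every site that stores a possibly negative return value into it is converted in the same patch; the reply already names nf_conntrack_in() as a remaining unsigned copy, where a negative return would wrap to a large positive value, the `dataoff < 0` check could never fire, and the bogus offset would reach the packet-parsing code. Convert that caller together with this one and keep an explicit `dataoff < 0` check before dataoff is used as an skb offset.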
nf_conntrack_in() needs same change, else get_l4proto return
It's simpler to just handle it directly in nf_ct_invert_tuple().
Also gets rid of the need to pass l3proto pointer to resolve_conntrack().
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack_core.h | 1 -
include/net/netfilter/nf_conntrack_l3proto.h | 7 ---
net/ipv4
Handle it in the core instead.
ipv6_skip_exthdr() is built-in even if ipv6 is a module, i.e. this
doesn't create an ipv6 dependency.
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack_l3proto.h | 8 --
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 30 ---