Re: [PATCH 2/2 nft] ct: release ct_label table on exit

2016-08-17 Thread Florian Westphal
Pablo Neira Ayuso wrote: > Just like we do with other symbol tables. > > Signed-off-by: Pablo Neira Ayuso Acked-by: Florian Westphal -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message

[PATCH 3/3 v5 nft] Implement deleting rule by description

2016-08-17 Thread Carlos Falgueras García
This patch introduces deletion in a similar fashion as in iptables, thus, we can delete the first rule that matches our description, for example: $ nft list -a ruleset table ip t { chain c { ip saddr 1.1.1.1 counter packets 0 bytes 0 #

[PATCH 1/3 v5 libnftnl] Implement rule comparison

2016-08-17 Thread Carlos Falgueras García
This patch implements the function 'bool nftnl_rule_cmp(const struct nftnl_rule *r, const struct nftnl_rule *r2)' for rule comparison. Expressions within rules need to be compared, so the function 'nftnl_expr_cmp' has also been created, which calls a new field within 'nftnl_expr_': a function

[PATCH 2/3 v5 nft] Simplify parser rule_spec tree

2016-08-17 Thread Carlos Falgueras García
This patch separates the rule identification from the rule localization, so the logic moves from the evaluator to the parser. This allows reverting the patch "evaluate: improve rule management checks" (4176c7d30c2ff1b3f52468fc9c08b8df83f979a8) and saves a lot of code. A specific error message is

[PATCH 1/2 nft] ct: add missing slash to connlabel path

2016-08-17 Thread Pablo Neira Ayuso
If I configure nftables via: ./configure --prefix=/usr the connlabel path breaks due to missing slash, so append this after DEFAULT_INCLUDE_PATH. Signed-off-by: Pablo Neira Ayuso --- src/ct.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git

[PATCH nft 01/10] src: quote user-defined strings when used from rule selectors

2016-08-17 Thread Pablo Neira Ayuso
The following selectors display strings using quotes: * meta iifname * meta oifname * meta ibriport * meta obriport However, the following do not: * meta oif * meta iif * meta skuid * meta skgid * meta iifgroup * meta oifgroup * meta rtclassid * ct label Given they refer to user-defined

[PATCH nft 02/10] src: add 'to' for snat and dnat

2016-08-17 Thread Pablo Neira Ayuso
This is extra syntactic sugar to make this consistent with other statements such as redirect, masquerade, dup and fwd that indicate where to go. Existing syntax is still preserved, but the listing shows the one including 'to'. Signed-off-by: Pablo Neira Ayuso ---

[PATCH nft 00/10 nft] syntax updates

2016-08-17 Thread Pablo Neira Ayuso
Hi, The following patchset is addressing part of the syntax issues that we have discussed during the NFWS. 1) Quote user-defined strings from rule selectors. The current behaviour is inconsistent since some selectors are quoting user-defined strings and others do not, so let's quote them

Re: [PATCH 1/3 v5 libnftnl] Implement rule comparison

2016-08-17 Thread Pablo Neira Ayuso
On Wed, Aug 17, 2016 at 01:00:08PM +0200, Carlos Falgueras García wrote: > This patch implements the function 'bool nftnl_rule_cmp(const struct > nftnl_rule *r, const struct nftnl_rule *r2)' for rule comparison. > > Expressions within rules need to be compared, so also has been created the >

libipset developer documentation?

2016-08-17 Thread Peter Wu
Hi, Recently I attempted to work on a new libipset program and also tried to review something I wrote in the past (ssh-blocker). In order to find some "best practices" or a reference manual, I went to: http://ipset.netfilter.org/ but surprisingly, it has no developer resources even though

[PATCH nft 04/10] parser_bison: missing token string in QUOTED_ASTERISK and ASTERISK_STRING

2016-08-17 Thread Pablo Neira Ayuso
:1:24-24: Error: syntax error, unexpected newline, expecting string or QUOTED_STRING or ASTERISK_STRING add rule x y log prefix ^ Signed-off-by: Pablo Neira Ayuso --- src/parser_bison.y | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff

Re: [PATCH iptables 1/2] xtables-translate: add escape_quotes option to comment_xlate

2016-08-17 Thread Pablo Neira Ayuso
On Tue, Aug 16, 2016 at 07:44:32PM +0200, Pablo M. Bermudo Garay wrote: > The comment_xlate function was not supporting this option that is > necessary in some situations. I have applied what I'm attaching to this email, that is more simple than this and makes sure buffer is nul-terminated (given

[PATCH nft 06/10] scanner: remove range expression

2016-08-17 Thread Pablo Neira Ayuso
This expression is not used anywhere in this scanner code. Signed-off-by: Pablo Neira Ayuso --- src/scanner.l | 1 - 1 file changed, 1 deletion(-) diff --git a/src/scanner.l b/src/scanner.l index 6f497e8..b1420f3 100644 --- a/src/scanner.l +++ b/src/scanner.l @@ -110,7

[PATCH nft 10/10] parser_bison: redirect to :port for consistency with nat/masq statement

2016-08-17 Thread Pablo Neira Ayuso
Use the colon port syntax for consistency with other statements. Existing syntax is still preserved but the output displays the colon. Signed-off-by: Pablo Neira Ayuso --- src/parser_bison.y | 9 + tests/py/ip/redirect.t | 24

[PATCH nft 03/10] src: support for RFC2732 IPv6 address format with brackets

2016-08-17 Thread Pablo Neira Ayuso
The statement: dnat to 2001:838:35f:1:::80 is very confusing as it is not so easy to identify where the address ends and the port starts. This is even harder to read with ranges. So this patch adds square brackets as in RFC2732 to enclose the IPv6 address. Signed-off-by: Pablo Neira Ayuso

[PATCH nft 09/10] src: meta priority support using tc classid

2016-08-17 Thread Pablo Neira Ayuso
This patch adds the missing bits to scan and parse the meta priority handle as expressed by the tc classid major:minor syntax. The :minor syntax is not supported for two reasons: major is always >= 1 and this clashes with the port syntax in nat. Here below, several examples on how to match the packet

[PATCH nft 08/10] src: simplify classid printing using %x instead of %04x

2016-08-17 Thread Pablo Neira Ayuso
No need to print this in iptables CLASSIFY target format, eg. 0004:1230, this is unnecessarily large. And always print major and minor numbers. Signed-off-by: Pablo Neira Ayuso --- src/meta.c | 9 + 1 file changed, 1 insertion(+), 8 deletions(-) diff --git

Re: [PATCH v2 libnftnl] expr: add hash expression

2016-08-17 Thread Pablo Neira Ayuso
On Sat, Aug 13, 2016 at 01:02:03AM +0200, Laura Garcia Liebana wrote: > Support for the nft hash expression in libnftnl. Applied, thanks Laura.

Re: [PATCH iptables 2/2] xtables-translate-restore: do not escape quotes

2016-08-17 Thread Pablo Neira Ayuso
On Tue, Aug 16, 2016 at 07:44:33PM +0200, Pablo M. Bermudo Garay wrote: > If quotes are escaped, nft -f is unable to parse and load the translated > ruleset. > > Signed-off-by: Pablo M. Bermudo Garay > --- > iptables/xtables-translate.c | 11 +++ > 1 file changed, 11

Re: [nft PATCH 3/4] proto_find_num: Avoid potential null pointer dereference

2016-08-17 Thread Pablo Neira Ayuso
On Fri, Aug 12, 2016 at 06:00:09PM +0200, Phil Sutter wrote: > When being called from stmt_evaluate_reset(), it seems that 'base' might > actually be NULL, so better make sure it is not in proto_find_num(). I would suggest you address this from stmt_evaluate_reset().

Re: [PATCH nf-next] netfilter: nfnetlink_log: add "nf-logger-3-1" module alias name

2016-08-17 Thread Pablo Neira Ayuso
On Sat, Aug 13, 2016 at 10:46:04PM +0800, Liping Zhang wrote: > From: Liping Zhang > > Otherwise, if nfnetlink_log.ko is not loaded, we cannot add rules > to log packets to the userspace when we specify it with arp family, > such as: > > # nft add rule arp filter

[PATCH nf] netfilter: nf_tables_netdev: set nft_pktinfo field for non-IP traffic

2016-08-17 Thread Pablo Neira Ayuso
For non-IP traffic seen from the netdev family, set nft_pktinfo fields, otherwise the value of these fields is garbage. This patch sets the transport protocol number to IPPROTO_RAW since 0 means IPPROTO_IP, then zeroes the transport and fragment offsets. Reported-by: Florian Westphal

Re: [nft PATCH 2/4] netlink_delinearize: Avoid potential null pointer deref

2016-08-17 Thread Pablo Neira Ayuso
On Fri, Aug 12, 2016 at 06:00:08PM +0200, Phil Sutter wrote: > As netlink_get_register() may return NULL, we must not pass the returned > data unchecked to expr_set_type() as that will dereference it. Since the > parser has failed at that point anyway, by returning early we can skip > the useless

Re: [PATCH libnetfilter_conntrack] src: Make the library compile under clang

2016-08-17 Thread Pablo Neira Ayuso
On Sun, Aug 14, 2016 at 01:59:01PM -0700, Kevin Cernekee wrote: > clang treats "char buffer[size]" inside a union as VLAIS unless |size| > is const: > > src/conntrack/api.c:992:8: error: fields must have a constant size: 'variable > length array in structure' extension will never be supported >

Re: [nft PATCH 1/4] evaluate: Fix datalen checks in expr_evaluate_string()

2016-08-17 Thread Pablo Neira Ayuso
On Fri, Aug 12, 2016 at 06:00:07PM +0200, Phil Sutter wrote: > This part of the code is pretty weird due to suboptimal variable name > choice: 'data', 'len', 'datalen', 'data_len'. > > But even without understanding all of it, the code checking 'datalen - 1 > >= 0' assumes 'datalen - 1' may

Re: [PATCH 2/3 v5 nft] Simplify parser rule_spec tree

2016-08-17 Thread Pablo Neira Ayuso
On Wed, Aug 17, 2016 at 01:00:09PM +0200, Carlos Falgueras García wrote: > diff --git a/include/parser.h b/include/parser.h > index 92beab2..41e5340 100644 > --- a/include/parser.h > +++ b/include/parser.h > @@ -27,6 +27,8 @@ struct parser_state { > > struct list_headcmds;

Re: [PATCH nf] netfilter: nf_tables_netdev: set nft_pktinfo field for non-IP traffic

2016-08-17 Thread Pablo Neira Ayuso
On Wed, Aug 17, 2016 at 05:14:59PM +0200, Pablo Neira Ayuso wrote: > For non-IP traffic seen from the netdev family, set nft_pktinfo fields, > otherwise the value of these fields is garbage. Will send a v2. It seems we can leave fields unset in bridge too for non-IP traffic. This should be a problem

Re: [PATCH nf] netfilter: conntrack: do not dump other netns's conntrack entries via proc

2016-08-17 Thread Pablo Neira Ayuso
On Mon, Aug 15, 2016 at 09:50:35PM +0800, Liping Zhang wrote: > From: Liping Zhang > > We should skip the conntracks that belong to a different namespace, > otherwise other unrelated netns's conntrack entries will be dumped via > /proc/net/nf_conntrack. Applied to

Re: [PATCH V3 nf-next] netfilter: conntrack: simplify the code by using nf_conntrack_get_ht

2016-08-17 Thread Pablo Neira Ayuso
On Sat, Aug 13, 2016 at 10:35:36PM +0800, Liping Zhang wrote: > From: Liping Zhang > > Since Commit 64b87639c9cb ("netfilter: conntrack: fix race between > nf_conntrack proc read and hash resize") introduced the > nf_conntrack_get_ht, there's no need to check

Re: [PATCH v3] netfilter: nft_numgen: add number generator expression

2016-08-17 Thread Laura Garcia
On Mon, Aug 15, 2016 at 12:03:19AM +0800, kbuild test robot wrote: > Hi Laura, > > [auto build test ERROR on nf-next/master] > [also build test ERROR on v4.8-rc1 next-20160812] > [if your patch is applied to the wrong git tree, please drop us a note to > help improve the system] > > url: >

Re: [PATCH v2] netfilter: nf_tables: Check for overflow of u8 fields from u32 netlink attributes

2016-08-17 Thread Pablo Neira Ayuso
On Sun, Aug 14, 2016 at 04:59:36PM +0200, Laura Garcia Liebana wrote: > diff --git a/net/netfilter/nft_cmp.c b/net/netfilter/nft_cmp.c > index e25b35d..ca247e5 100644 > --- a/net/netfilter/nft_cmp.c > +++ b/net/netfilter/nft_cmp.c > @@ -84,8 +84,11 @@ static int nft_cmp_init(const struct nft_ctx

Re: kernel panic TPROXY , vanilla 4.7.1

2016-08-17 Thread Eric Dumazet
On Wed, 2016-08-17 at 08:42 -0700, Eric Dumazet wrote: > On Wed, 2016-08-17 at 17:31 +0300, Denys Fedoryshchenko wrote: > > Hi! > > > > Tried to run squid on latest kernel, and hit a panic > > Sometimes it just shows a warning in dmesg (but doesn't work properly) > > [ 75.701666] IPv4: Attempt to

[PATCH v4] netfilter: nft_numgen: add number generator expression

2016-08-17 Thread Laura Garcia Liebana
Add support for the number generator expression in netfilter. Signed-off-by: Laura Garcia Liebana --- Changes in V4: - Rename prandom state identifier include/uapi/linux/netfilter/nf_tables.h | 25 net/netfilter/Kconfig| 6 +

Re: kernel panic TPROXY , vanilla 4.7.1

2016-08-17 Thread Eric Dumazet
On Wed, 2016-08-17 at 19:44 +0300, Denys Fedoryshchenko wrote: > Yes, everything fine after patch! > Thanks a lot Perfect, thanks for testing, I am sending the official patch.

[PATCH net] netfilter: tproxy: properly refcount tcp listeners

2016-08-17 Thread Eric Dumazet
From: Eric Dumazet inet_lookup_listener() and inet6_lookup_listener() no longer take a reference on the found listener. This minimal patch adds back the refcounting, but we might do this differently in net-next later. Fixes: 3b24d854cb35 ("tcp/dccp: do not touch listener

ulogd plugin development question

2016-08-17 Thread Tommy Knowlton
I've got some questions about ulogd internals. I'm not sure this is the right list, but I can't find another that would seem to be any closer to the audience that I want to receive my questions. If anyone knows where a list more directly involved with ulogd developers is hosted, please point me

[PATCH 2/3 v4 libnftnl] tests: Use libnftnl comparators in all tests

2016-08-17 Thread Carlos Falgueras García
Use 'nftnl_expr_cmp' and 'nftnl_rule_cmp' in all tests instead of a custom comparator for each one. If objects differ, both are printed. Signed-off-by: Carlos Falgueras García --- tests/libtest.c | 30 ++ tests/libtest.h

Re: [PATCH nf 1/2] netfilter: nfnetlink_acct: fix race between nfacct del and xt_nfacct destroy

2016-08-17 Thread Pablo Neira Ayuso
On Sat, Aug 13, 2016 at 11:13:01PM +0800, Liping Zhang wrote: > From: Liping Zhang > > Suppose that we input the following commands at first: > # nfacct add test > # iptables -A INPUT -m nfacct --nfacct-name test > > And now "test" acct's refcnt is 2, but later

Re: [PATCH nf 2/2] netfilter: nfnetlink_acct: report overquota to the right netns

2016-08-17 Thread Pablo Neira Ayuso
On Sat, Aug 13, 2016 at 11:13:02PM +0800, Liping Zhang wrote: > From: Liping Zhang > > We should report the over quota message to the right net namespace > instead of the init netns. Also applied, thanks.

Re: nfacct: setting quotas does not seem to work.

2016-08-17 Thread Pablo Neira Ayuso
On Thu, Aug 11, 2016 at 04:00:37PM +0200, Josue Alvarez wrote: > Hi, > > I tried to play a little bit with the quota features of the extended > accounting infrastructure. > However, it seemed that the quotas were not registered when creating the > accounting objects. > > Example : > # nfacct add

Re: [PATCH net] netfilter: tproxy: properly refcount tcp listeners

2016-08-17 Thread Pablo Neira Ayuso
On Wed, Aug 17, 2016 at 09:56:46AM -0700, Eric Dumazet wrote: > From: Eric Dumazet > > inet_lookup_listener() and inet6_lookup_listener() no longer > take a reference on the found listener. > > This minimal patch adds back the refcounting, but we might do > this differently

Re: [PATCH v4] netfilter: nft_numgen: add number generator expression

2016-08-17 Thread Pablo Neira Ayuso
Mostly cosmetic changes, see below. On Wed, Aug 17, 2016 at 06:44:48PM +0200, Laura Garcia Liebana wrote: > diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile > index 6913454..81f22c3 100644 > --- a/net/netfilter/Makefile > +++ b/net/netfilter/Makefile > @@ -80,6 +80,7 @@

Re: [PATCH libnftnl] expr: hash: Add comparator to hash expression

2016-08-17 Thread Carlos Falgueras García
Please ignore this patch. Pablo already added this chunk before. Sorry.

[nf-next:master 8/9] ERROR: "nf_conntrack_htable_size" [net/netfilter/nfnetlink_cttimeout.ko] undefined!

2016-08-17 Thread kbuild test robot
tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master head: 92e47ba8839bacc185db89f3b11cd8036193e6a9 commit: adf0516845bcd0e626323c858ece28ee58c74455 [8/9] netfilter: remove ip_conntrack* sysctl compat code config: i386-allmodconfig (attached as .config) compiler:

[PATCH nf-next] netfilter: nf_tables: add quota expression

2016-08-17 Thread Pablo Neira Ayuso
This patch adds the quota expression. This new stateful expression integrates easily into the dynset expression to build 'hashquota' flow tables. Arguably, we could use "counter bytes > 1000" instead, but this approach has several problems: 1) We only support one single stateful