[PATCH nf-next,v5] netfilter: nf_tables: fix chain dependency validation

2018-05-30 Thread Pablo Neira Ayuso
The following ruleset: add table ip filter add chain ip filter input { type filter hook input priority 4; } add chain ip filter ap add rule ip filter input jump ap add rule ip filter ap masquerade results in a panic, because the masquerade extension should be rejected from the filter chain.

Re: [PATCH nft] netlink: Print value sizes on Relational expression size mismatch

2018-05-30 Thread Pablo Neira Ayuso
On Wed, May 30, 2018 at 04:01:12PM +0200, Máté Eckl wrote: > Not all of the occurrences are covered as this information is not > available in the scope where the error message is printed. > > Signed-off-by: Máté Eckl > --- > src/netlink_delinearize.c | 18 +- > 1 file changed, 13

Re: [PATCH nft] netlink: Print value sizes on Relational expression size mismatch

2018-05-30 Thread Florian Westphal
Pablo Neira Ayuso wrote: > I suspect you're missing some code in the evaluation phase? > > So you get left->len 1 and right->len 4? Yes, meta template sets len of 1, whereas RHS is 8 bit. This can be fixed up during delinearization, in this case we can know that kernel actually stores 1 byte.

[PATCH] netfilter: nf_flow_table_ip: attach dst to skbs

2018-05-30 Thread Jason A. Donenfeld
Some drivers, such as vxlan and wireguard, use the skb's dst in order to determine things like PMTU. They therefore lose functionality when flow offloading is enabled. So, we ensure the skb has it before xmit'ing it in the offloading path. Signed-off-by: Jason A. Donenfeld ---

[PATCH nf-next] netfilter: nft_fwd_netdev: allow to forward packets via neighbour layer

2018-05-30 Thread Pablo Neira Ayuso
This allows us to forward packets from the netdev family via neighbour layer, so you don't need an explicit link-layer destination when using this expression from rules. Signed-off-by: Pablo Neira Ayuso --- include/uapi/linux/netfilter/nf_tables.h | 4 ++ net/netfilter/nft_fwd_netdev.c

Re: [PATCH nft] netlink: Print value sizes on Relational expression size mismatch

2018-05-30 Thread Pablo Neira Ayuso
On Wed, May 30, 2018 at 08:54:41PM +0200, Florian Westphal wrote: > Pablo Neira Ayuso wrote: > > I suspect you're missing some code in the evaluation phase? > > > > So you get left->len 1 and right->len 4? > > Yes, meta template sets len of 1, whereas RHS is 8 bit. > > This can be fixed up

Re: [PATCH] ulogd: json: send messages to a remote host / unix socket

2018-05-30 Thread Andreas Jaggi
Well spotted indeed :-) Here comes the next iteration. Cheers Andreas Extend the JSON output plugin so that the generated JSON stream can be sent to a remote host via TCP/UDP or to a local unix socket. Signed-off-by: Andreas Jaggi --- output/ulogd_output_JSON.c | 291

[PATCH nf-next,v2] netfilter: nft_fwd_netdev: allow to forward packets via neighbour layer

2018-05-30 Thread Pablo Neira Ayuso
This allows us to forward packets from the netdev family via neighbour layer, so you don't need an explicit link-layer destination when using this expression from rules. The ttl/hop_limit field is decremented. Signed-off-by: Pablo Neira Ayuso --- v2: - Fix incorrect address source register

Re: [PATCH nft] Introduce socket matching

2018-05-30 Thread Máté Eckl
On Mon, May 28, 2018 at 05:43:18PM +0200, Florian Westphal wrote: > Máté Eckl wrote: > > > +const struct socket_template socket_templates[] = { > > > + [NFT_SOCKET_TRANSPARENT]= {.token = "transparent", > > > +.dtype = _type, > > > +

Re: [PATCH nf-next] fixup! netfilter: nft: add support for native socket matching

2018-05-30 Thread Pablo Neira Ayuso
Send a v2 of your nft socket patch, i.e. collapse this fixup to your original patch and resend. Thanks! -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at

[PATCH v2 nf-next] netfilter: nft: add support for native socket matching

2018-05-30 Thread Máté Eckl
Now it can only match the transparent flag of an ip/ipv6 socket. Signed-off-by: Máté Eckl --- include/uapi/linux/netfilter/nf_tables.h | 28 + net/netfilter/Kconfig| 9 ++ net/netfilter/Makefile | 1 + net/netfilter/nft_socket.c | 143

Re: [PATCH ipset] tests/check_klog.sh: Try dmesg too, don't let shell terminate script

2018-05-30 Thread Jozsef Kadlecsik
On Tue, 8 May 2018, Stefano Brivio wrote: > Some hosts might not use /var/log/kern.log for kernel messages, > so if we can't find a match there, try dmesg next. > > If no matches are found, don't let the shell terminate the > script, so that we have a chance to try dmesg and actually echo > "no

[PATCH nf-next,v3] netfilter: nf_tables: fix chain dependency validation

2018-05-30 Thread Pablo Neira Ayuso
The following ruleset: add table ip filter add chain ip filter input { type filter hook input priority 4; } add chain ip filter ap add rule ip filter input jump ap add rule ip filter ap masquerade results in a panic, because the masquerade extension should be rejected from the filter chain.

Re: [RFC PATCH] netfilter: nft: nft_socket_type can be static

2018-05-30 Thread Pablo Neira Ayuso
On Wed, May 30, 2018 at 12:06:47PM +0200, Máté Eckl wrote: > On Wed, May 30, 2018 at 11:19:55AM +0200, Pablo Neira Ayuso wrote: > > On Tue, May 29, 2018 at 10:02:14AM +0800, kbuild test robot wrote: > > > > > > Fixes: 809f719f9b3f ("netfilter: nft: add support for native socket > > > matching")

Re: [PATCH v2 nf-next] netfilter: nft: add support for native socket matching

2018-05-30 Thread Pablo Neira Ayuso
On Wed, May 30, 2018 at 12:13:22PM +0200, Máté Eckl wrote: > Now it can only match the transparent flag of an ip/ipv6 socket. > > Signed-off-by: Máté Eckl > --- > include/uapi/linux/netfilter/nf_tables.h | 28 + > net/netfilter/Kconfig| 9 ++ > net/netfilter/Makefile

Re: [RFC PATCH] netfilter: nft: nft_socket_type can be static

2018-05-30 Thread Pablo Neira Ayuso
On Tue, May 29, 2018 at 10:02:14AM +0800, kbuild test robot wrote: > > Fixes: 809f719f9b3f ("netfilter: nft: add support for native socket matching") > Signed-off-by: kbuild test robot > --- > nft_socket.c |2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git

Re: [PATCH v2 nf-next] netfilter: nft: add support for native socket matching

2018-05-30 Thread Pablo Neira Ayuso
On Wed, May 30, 2018 at 12:20:44PM +0200, Pablo Neira Ayuso wrote: > On Wed, May 30, 2018 at 12:13:22PM +0200, Máté Eckl wrote: > > + if(!sk) { > > + nft_reg_store8(dest, 0); > > + return; > > + } > > + > > + skb->sk = sk; // So that subsequent socket matching not to

Re: [PATCH nft] Introduce socket matching

2018-05-30 Thread Florian Westphal
Máté Eckl wrote: > On Mon, May 28, 2018 at 05:43:18PM +0200, Florian Westphal wrote: > > Máté Eckl wrote: > > > > +const struct socket_template socket_templates[] = { > > > > + [NFT_SOCKET_TRANSPARENT]= {.token = "transparent", > > > > +

Re: [RFC PATCH] netfilter: nft: nft_socket_type can be static

2018-05-30 Thread Máté Eckl
On Wed, May 30, 2018 at 11:19:55AM +0200, Pablo Neira Ayuso wrote: > On Tue, May 29, 2018 at 10:02:14AM +0800, kbuild test robot wrote: > > > > Fixes: 809f719f9b3f ("netfilter: nft: add support for native socket > > matching") > > Signed-off-by: kbuild test robot > > --- > > nft_socket.c |

[PATCH nf-next] fixup! netfilter: nft: add support for native socket matching

2018-05-30 Thread Máté Eckl
Signed-off-by: Máté Eckl --- net/netfilter/nft_socket.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c index 5eb1069ac338..dd389b37334a 100644 --- a/net/netfilter/nft_socket.c +++ b/net/netfilter/nft_socket.c @@

Re: [PATCH nf v2] netfilter: xt_CT: Reject the non-null terminated string from user space

2018-05-30 Thread Florian Westphal
gfree.w...@vip.163.com wrote: > From: Gao Feng > > The helper and timeout strings are from user-space, we need to make > sure they are null terminated. If not, evil user could make kernel Looks good to me, thank you. Acked-by: Florian Westphal

[PATCH v2] net: nftables: Add audit support to log statement

2018-05-30 Thread Phil Sutter
This extends log statement to support the behaviour achieved with AUDIT target in iptables. Audit logging is enabled via a pseudo log level 8. In this case any other settings like log prefix are ignored since audit log format is fixed. Signed-off-by: Phil Sutter --- Changes since v1: - Fix

[PATCH nf-next,v4] netfilter: nf_tables: fix chain dependency validation

2018-05-30 Thread Pablo Neira Ayuso
The following ruleset: add table ip filter add chain ip filter input { type filter hook input priority 4; } add chain ip filter ap add rule ip filter input jump ap add rule ip filter ap masquerade results in a panic, because the masquerade extension should be rejected from the filter chain.

Re: [RFC PATCH] netfilter: nft: nft_socket_type can be static

2018-05-30 Thread Máté Eckl
On Wed, May 30, 2018 at 12:18:56PM +0200, Pablo Neira Ayuso wrote: > On Wed, May 30, 2018 at 12:06:47PM +0200, Máté Eckl wrote: > > On Wed, May 30, 2018 at 11:19:55AM +0200, Pablo Neira Ayuso wrote: > > > On Tue, May 29, 2018 at 10:02:14AM +0800, kbuild test robot wrote: > > > > > > > > Fixes:

[PATCH] ebtables: fix compat entry padding

2018-05-30 Thread Alin Nastac
On arm64, ebt_entry_{match,watcher,target} structs are 40 bytes long while on 32-bit arm these structs have a size of 36 bytes. COMPAT_XT_ALIGN() macro cannot be used here to determine the necessary padding for the CONFIG_COMPAT because it imposes an 8-byte boundary alignment, condition that is

[bug report] netfilter: add struct nf_nat_hook and use it

2018-05-30 Thread Dan Carpenter
Hello Pablo Neira Ayuso, This is a semi-automatic email about new static checker warnings. The patch 2c205dd3981f: "netfilter: add struct nf_nat_hook and use it" from May 23, 2018, leads to the following Smatch complaint: net/netfilter/nf_conntrack_netlink.c:1449

[PATCH nft] test: py: Add test cases for socket matching

2018-05-30 Thread Máté Eckl
Signed-off-by: Máté Eckl --- tests/py/inet/socket.t | 7 +++ tests/py/inet/socket.t.payload | 15 +++ 2 files changed, 22 insertions(+) create mode 100644 tests/py/inet/socket.t create mode 100644 tests/py/inet/socket.t.payload diff --git a/tests/py/inet/socket.t

[PATCH v3 nf-next] netfilter: nft: add support for native socket matching

2018-05-30 Thread Máté Eckl
Now it can only match the transparent flag of an ip/ipv6 socket. Signed-off-by: Máté Eckl --- include/uapi/linux/netfilter/nf_tables.h | 28 + net/netfilter/Kconfig| 9 ++ net/netfilter/Makefile | 1 + net/netfilter/nft_socket.c | 144

Re: [PATCH nft] netlink: Print value sizes on Relational expression size mismatch

2018-05-30 Thread Florian Westphal
Máté Eckl wrote: > Not all of the occurrences are covered as this information is not > available in the scope where the error message is printed. Looks good to me, I'll apply in a few hours in case there are no further comments.