This patch adds support for the new connlimit stateful expression, that
provides a mapping with the connlimit iptables extension through meters.
e.g.
nft add rule filter input tcp dport 22 \
meter test { ip saddr ct count over 2 } counter reject
This limits the maximum amount incoming
Although the value of AF_INET and NFPROTO_IPV4 is the same, the use of
AF_INET was misleading when checking the proto family.
Same with AF_INET6.
Signed-off-by: Máté Eckl
---
src/evaluate.c| 6 +++---
src/netlink_delinearize.c | 4 ++--
2 files changed, 5 insertions(+), 5
On Wednesday 2018-06-06 13:40, Pablo Neira Ayuso wrote:
>On Wed, Jun 06, 2018 at 01:36:25PM +0200, Jan Engelhardt wrote:
>> Revert 66a97018a31eed416c6a25d051ea172e4d65be1b partly so as to use
>> again and import a new ebtables.h
>> from the kernel tree that has the "revision" field.
>
On Wed, Jun 06, 2018 at 03:06:37PM +0200, Jason A. Donenfeld wrote:
> On Wed, Jun 6, 2018 at 3:01 PM Greg Kroah-Hartman
> wrote:
> > Wait, that commit id is not in Linus's tree yet. So I'm assuming it is
> > in DaveM's tree? If so, shouldn't it also go into 4.17.y? What about
> > 4.14.y or
From: Serhey Popovych
Inserting a rule before one with the SET target, we get an error with a warning in
dmesg(1) output:
# iptables -A FORWARD -t mangle -j SET --map-set test src --map-prio
# iptables -I FORWARD 1 -t mangle -j ACCEPT
iptables: Invalid argument. Run `dmesg' for more information.
#
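An added illustration of the two ways the hook-mask check can be written (example code, not xt_set's own; the supported-hook set is an assumption for the example). It also assumes that the SET rule sitting behind the unconditional "-I FORWARD 1 -j ACCEPT" ends up with an empty hook mask, which the report does not state explicitly; under that assumption the "supported" form rejects the rule with -EINVAL and the "unsupported" form accepts it:

```c
#include <errno.h>
#include <stdio.h>

/* Hook bit positions, as in the kernel's nf_inet_hooks enum. */
enum {
	NF_INET_PRE_ROUTING,
	NF_INET_LOCAL_IN,
	NF_INET_FORWARD,
	NF_INET_LOCAL_OUT,
	NF_INET_POST_ROUTING,
};

/* Hooks the stand-in target supports. Assumption for this example:
 * FORWARD, OUTPUT and POSTROUTING, where the mangle rule in the report
 * lives; the mask the real xt_set uses may differ. */
#define SUPPORTED_HOOKS ((1u << NF_INET_FORWARD) | \
			 (1u << NF_INET_LOCAL_OUT) | \
			 (1u << NF_INET_POST_ROUTING))

/* Old form: demand that at least one supported hook reaches the rule.
 * A rule reachable from no hook at all (hook_mask == 0) is rejected. */
int checkentry_supported(unsigned int hook_mask)
{
	if (!(hook_mask & SUPPORTED_HOOKS))
		return -EINVAL;
	return 0;
}

/* Fixed form: reject only when an unsupported hook reaches the rule.
 * hook_mask == 0 passes, since no unsupported hook is involved. */
int checkentry_unsupported(unsigned int hook_mask)
{
	if (hook_mask & ~SUPPORTED_HOOKS)
		return -EINVAL;
	return 0;
}

int main(void)
{
	/* Constructed cases. The first models the report's sequence under
	 * the assumption stated above (rule behind an unconditional ACCEPT
	 * is reachable from no hook). */
	struct { const char *what; unsigned int mask; } cases[] = {
		{ "rule behind unconditional ACCEPT", 0 },
		{ "rule in FORWARD", 1u << NF_INET_FORWARD },
		{ "rule in PREROUTING", 1u << NF_INET_PRE_ROUTING },
	};
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-34s old=%d new=%d\n", cases[i].what,
		       checkentry_supported(cases[i].mask),
		       checkentry_unsupported(cases[i].mask));
	return 0;
}
```

Both forms still reject a rule reachable from a genuinely unsupported hook (PREROUTING here); they differ only on the empty mask.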
When listing sets with timeout support, there's a probability that
entries just timing out, with a "0" timeout value, are listed/saved.
However, when restoring the saved list, the zero timeout value means
permanent elements.
The new behaviour is that timing out entries are listed with "timeout 1"
Due to the negative value condition in msecs_to_jiffies(), the real
max possible timeout value must be set to (UINT_MAX >> 1)/MSEC_PER_SEC.
Neutron Soutmun proposed the proper fix, but an insufficient one was
applied, see https://patchwork.ozlabs.org/patch/400405/.
Signed-off-by: Jozsef
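A constructed round trip of the listing/restore problem described above, as an added example (not ipset's own code). The set name, the member and the "add SET MEMBER timeout N" line format are assumed for illustration; the arithmetic for the maximum timeout is the one the message states:

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MSEC_PER_SEC 1000u

/* Largest timeout in seconds that msecs_to_jiffies() accepts without
 * hitting its negative-value condition, as the message states. */
unsigned int ipset_max_timeout(void)
{
	return (UINT_MAX >> 1) / MSEC_PER_SEC;
}

/* Old listing: integer seconds left. An entry with under one second
 * left is printed as "timeout 0". */
unsigned int listed_timeout_old(uint64_t remaining_ms)
{
	return (unsigned int)(remaining_ms / MSEC_PER_SEC);
}

/* New listing: never print 0 for an entry that still has a timeout. */
unsigned int listed_timeout_new(uint64_t remaining_ms)
{
	unsigned int secs = (unsigned int)(remaining_ms / MSEC_PER_SEC);

	return secs ? secs : 1;
}

/* Restore side: "timeout 0" creates a permanent element.
 * Returns 1 if permanent, 0 if not, -1 if the line has no timeout. */
int restored_is_permanent(const char *saved_line)
{
	unsigned int secs;

	if (sscanf(saved_line, "add %*s %*s timeout %u", &secs) != 1)
		return -1;
	return secs == 0;
}

/* Produce the line a save would write for one entry (assumed format). */
static void save_line(char *buf, size_t len, const char *set,
		      const char *member, unsigned int secs)
{
	snprintf(buf, len, "add %s %s timeout %u", set, member, secs);
}

/* Round trip one entry through save and restore; returns 1 if the
 * restored element would wrongly be permanent. */
int roundtrip_becomes_permanent(uint64_t remaining_ms, int use_new)
{
	char line[128];
	unsigned int secs = use_new ? listed_timeout_new(remaining_ms)
				    : listed_timeout_old(remaining_ms);

	save_line(line, sizeof(line), "test", "10.0.0.1", secs);
	return restored_is_permanent(line) == 1;
}

int main(void)
{
	/* Constructed sample: an entry with 300 ms left when listed. */
	uint64_t left = 300;

	printf("old listing: permanent after restore = %d\n",
	       roundtrip_becomes_permanent(left, 0));
	printf("new listing: permanent after restore = %d\n",
	       roundtrip_becomes_permanent(left, 1));
	printf("max timeout = %u s\n", ipset_max_timeout());
	return 0;
}
```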
From: Florent Fourcot
Userspace `ipset` command forbids family option for hash:mac type:
ipset create test hash:mac family inet4
ipset v6.30: Unknown argument: `family'
However, this check is not done in the kernel itself. When someone uses
external netlink applications (pyroute2 python library for
Hi Pablo,
Please pull the next patches for nf git tree:
- Check hook mask for unsupported hooks instead of supported ones in xt_set.
(Serhey Popovych).
- List/save just timing out entries with "timeout 1" instead of "timeout 0":
zero timeout value means permanent entries. When restoring the
Jan Engelhardt wrote:
> Revert 66a97018a31eed416c6a25d051ea172e4d65be1b partly so as to use
> again and import a new ebtables.h
> from the kernel tree that has the "revision" field.
>
> With this, include/ebtables.h is (again) used by no source file, and
> so can be removed.
Looks good,
the ebtables evaluation loop expects targets to return
positive values (jumps), or negative values (absolute verdicts).
This is completely different from what xtables does.
In xtables, targets are expected to return the standard netfilter
verdicts, i.e. NF_DROP, NF_ACCEPT, etc.
ebtables will
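An added example (not the kernel's code) of the two return conventions the message contrasts, using the EBT_*, NF_* and XT_* constants from the kernel UAPI headers. The dispatch loops and the translation function are illustrations; assumed here are that an ebtables loop treats index 0 as a jump as well, and that unknown xtables verdicts are mapped to drop:

```c
#include <stdio.h>

/* Verdict constants as defined in the kernel UAPI headers. */
#define NF_DROP      0
#define NF_ACCEPT    1
#define NF_REPEAT    4
#define XT_CONTINUE  0xFFFFFFFFu
#define XT_RETURN    ((unsigned int)(-NF_REPEAT - 1))
#define EBT_ACCEPT   (-1)
#define EBT_DROP     (-2)
#define EBT_CONTINUE (-3)
#define EBT_RETURN   (-4)

enum action { ACT_ACCEPT, ACT_DROP, ACT_CONTINUE, ACT_RETURN, ACT_JUMP,
	      ACT_INVALID };

/* ebtables loop: negative values are absolute verdicts; anything else
 * is the index of the chain to jump to (0 included, by assumption). */
enum action ebt_dispatch(int ret, int *jump_to)
{
	switch (ret) {
	case EBT_ACCEPT:   return ACT_ACCEPT;
	case EBT_DROP:     return ACT_DROP;
	case EBT_CONTINUE: return ACT_CONTINUE;
	case EBT_RETURN:   return ACT_RETURN;
	default:
		if (ret < 0)
			return ACT_INVALID;
		if (jump_to)
			*jump_to = ret;
		return ACT_JUMP;
	}
}

/* Chain index the ebtables loop would jump to, or -1 for a verdict. */
int ebt_jump_target(int ret)
{
	int jump_to = -1;

	return ebt_dispatch(ret, &jump_to) == ACT_JUMP ? jump_to : -1;
}

/* xtables loop: standard netfilter verdicts plus XT_CONTINUE/XT_RETURN. */
enum action xt_dispatch(unsigned int ret)
{
	switch (ret) {
	case NF_ACCEPT:   return ACT_ACCEPT;
	case NF_DROP:     return ACT_DROP;
	case XT_CONTINUE: return ACT_CONTINUE;
	case XT_RETURN:   return ACT_RETURN;
	default:          return ACT_INVALID;
	}
}

/* Translation an ebtables loop needs before it can consume an xtables
 * target's return value: otherwise NF_ACCEPT (1) reads as "jump to
 * chain 1" and NF_DROP (0) as "jump to chain 0". Unknown verdicts are
 * mapped to drop here (assumption, fail closed). */
int xt_to_ebt_verdict(unsigned int ret)
{
	switch (ret) {
	case NF_ACCEPT:   return EBT_ACCEPT;
	case NF_DROP:     return EBT_DROP;
	case XT_CONTINUE: return EBT_CONTINUE;
	case XT_RETURN:   return EBT_RETURN;
	default:          return EBT_DROP;
	}
}

int main(void)
{
	printf("NF_ACCEPT fed raw to ebtables loop: jump target %d\n",
	       ebt_jump_target(NF_ACCEPT));
	printf("NF_ACCEPT translated first: jump target %d (verdict)\n",
	       ebt_jump_target(xt_to_ebt_verdict(NF_ACCEPT)));
	return 0;
}
```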
On Wednesday 2018-06-06 09:45, Duncan Roe wrote:
>
>ebtables would not build on my system and I submitted a patch to fix that which
>was accepted as commit 66a97018a31eed416c6a25d051ea172e4d65be1b.
Well then let's start there.
"The cause of this failure is that the commit updated
Previously, this triggered a program abort:
| # nft add table ip t
| # nft add set ip t my_set '{ type ipv4_addr . inet_service ; flags interval ;
}'
| # nft add element ip t my_set '{10.0.0.1 . tcp }'
| BUG: invalid range expression type concat
| nft: expression.c:1085: range_expr_value_low:
On Wed, Jun 06, 2018 at 12:14:56PM +0200, Florian Westphal wrote:
> the ebtables evaluation loop expects targets to return
> positive values (jumps), or negative values (absolute verdicts).
>
> This is completely different from what xtables does.
> In xtables, targets are expected to return the
On Wed, Jun 06, 2018 at 01:36:25PM +0200, Jan Engelhardt wrote:
> Revert 66a97018a31eed416c6a25d051ea172e4d65be1b partly so as to use
> again and import a new ebtables.h
> from the kernel tree that has the "revision" field.
...ebtables$ git show 66a97018a31eed416c6a25d051ea172e4d65be1b
fatal:
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to
Signed-off-by: Pablo Neira Ayuso
---
include/buffer.h| 1 +
include/libnftnl/expr.h | 5 +
include/linux/netfilter/nf_tables.h | 21 +++-
src/Makefile.am | 1 +
src/expr/connlimit.c| 207
Phil Sutter wrote:
> Previously, this triggered a program abort:
>
> | # nft add table ip t
> | # nft add set ip t my_set '{ type ipv4_addr . inet_service ; flags interval
> ; }'
> | # nft add element ip t my_set '{10.0.0.1 . tcp }'
> | BUG: invalid range expression type concat
> | nft:
On Wed, Jun 06, 2018 at 11:13:35AM +0200, Máté Eckl wrote:
> Although the value of AF_INET and NFPROTO_IPV4 is the same, the use of
> AF_INET was misleading when checking the proto family.
> Same with AF_INET6.
Yes, they are equivalent. But OK.
Applied.
Hi Pablo,
Okay, no problem.
Greg - disregard this, and expect to see something more detailed in a
few weeks when Linus pulls from Dave.
Jason
Revert 66a97018a31eed416c6a25d051ea172e4d65be1b partly so as to use
again and import a new ebtables.h
from the kernel tree that has the "revision" field.
With this, include/ebtables.h is (again) used by no source file, and
so can be removed.
Signed-off-by: Jan Engelhardt
---
On Wed, Jun 06, 2018 at 02:09:12PM +0200, Jozsef Kadlecsik wrote:
> Hi Pablo,
>
> Please pull the next patches for nf git tree:
>
> - Check hook mask for unsupported hooks instead of supported ones in xt_set.
> (Serhey Popovych).
> - List/save just timing out entries with "timeout 1" instead
Hi Jan,
Can we step back for a minute and review exactly how this patch originated?
ebtables would not build on my system and I submitted a patch to fix that which
was accepted as commit 66a97018a31eed416c6a25d051ea172e4d65be1b.
Some days later, I received the message as you saw in
Phil Sutter wrote:
> First of all, 'with icmp6' is invalid, expected is 'with icmpv6'. In
> addition to that, parameter 'type' expects an icmp*_code type, not
> icmp*_type. The respective table column was already correct, but in
> synopsis it was wrong.
Applied, thanks.
On Wed, Jun 06, 2018 at 01:16:43PM +0200, Jan Engelhardt wrote:
>
> On Wednesday 2018-06-06 09:45, Duncan Roe wrote:
> >
> >ebtables would not build on my system and I submitted a patch to fix that
> >which
> >was accepted as commit 66a97018a31eed416c6a25d051ea172e4d65be1b.
>
> Well then let's
To support forwarding through neighbour layer from ingress.
Signed-off-by: Pablo Neira Ayuso
---
include/libnftnl/expr.h | 2 ++
include/linux/netfilter/nf_tables.h | 4 +++
src/expr/fwd.c | 60 ++---
3 files changed, 62
The parameter this doesn't have a flags value, so it can't be
used by nft_rbtree_interval_end().
test commands:
%nft add table ip filter
%nft add set ip filter s { type ipv4_addr \; flags interval \; }
%nft add element ip filter s {0-1}
%nft add element ip filter s {2-10}
%nft
On Mon, Jun 04, 2018 at 11:58:17AM +0200, Máté Eckl wrote:
> File was updated from /usr/include/linux/netfilter_ipv4.h
Applied, thanks.
BTW, I remember a native English speaker recommended we use the present tense.
Telling this because I observe you use the past. I think this is
documented somewhere in the
On Thu, May 31, 2018 at 08:06:16PM +0200, Máté Eckl wrote:
> For now it can only match sockets with IP(V6)_TRANSPARENT socket option
> set.
>
> Example:
> table inet sockin {
> chain sockchain {
> type filter hook prerouting priority -150; policy accept;
> socket
Oh, I overlooked that you already made tests, great.
Applied, thanks.
Allow to forward packets through to explicit destination and interface.
nft add rule netdev x y fwd ip to 192.168.2.200 device eth0
Signed-off-by: Pablo Neira Ayuso
---
include/linux/netfilter/nf_tables.h | 4
include/statement.h | 4 +++-
src/evaluate.c
On Thu, Jun 07, 2018 at 02:05:12AM +0900, Taehee Yoo wrote:
> The parameter this doesn't have a flags value, so it can't be
> used by nft_rbtree_interval_end().
>
> test commands:
>%nft add table ip filter
>%nft add set ip filter s { type ipv4_addr \; flags interval \; }
>%nft
v2:
- more comprehensive names
- expose basic priorities used by iptables
- use arithmetics with new names (+-)
- print friendly names with arithmetics with an epsilon of 10
-- 8< --
This patch adds the possibility to use textual names to set the chain priority
to basic values so that numeric
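An added example (not nft's code) of what the v2 notes describe: printing a priority as a friendly name with +/- arithmetic when it lies within an epsilon of 10 of a named base, and parsing that form back. The base names and values are an assumption for the example (the values iptables uses for its tables, as nft documents them today); the names chosen in the patch itself may differ:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Base priorities with textual names. Assumption for this example: the
 * values iptables uses for its tables, as nft documents them today; the
 * names chosen in the v2 patch may differ. */
static const struct {
	const char *name;
	int value;
} prio_names[] = {
	{ "raw",      -300 },
	{ "mangle",   -150 },
	{ "dstnat",   -100 },
	{ "filter",      0 },
	{ "security",   50 },
	{ "srcnat",    100 },
};
#define PRIO_COUNT   (sizeof(prio_names) / sizeof(prio_names[0]))
#define PRIO_EPSILON 10

/* Print prio as "name", "name + n" or "name - n" when it lies within
 * PRIO_EPSILON of a base, otherwise as a plain number. */
int prio_to_string(int prio, char *buf, size_t len)
{
	size_t i, best = PRIO_COUNT;
	int best_diff = PRIO_EPSILON + 1;

	for (i = 0; i < PRIO_COUNT; i++) {
		int diff = abs(prio - prio_names[i].value);

		if (diff < best_diff) {
			best_diff = diff;
			best = i;
		}
	}
	if (best == PRIO_COUNT)
		return snprintf(buf, len, "%d", prio);
	if (best_diff == 0)
		return snprintf(buf, len, "%s", prio_names[best].name);
	return snprintf(buf, len, "%s %c %d", prio_names[best].name,
			prio > prio_names[best].value ? '+' : '-', best_diff);
}

/* Parse "name", "name + n", "name - n" or a plain integer.
 * Returns 0 on success, -1 on an unknown name or malformed input. */
int prio_from_string(const char *s, int *out)
{
	char name[32], op = 0;
	int off = 0, consumed = 0, n;
	size_t i;

	if (sscanf(s, "%d%n", out, &consumed) == 1 && s[consumed] == '\0')
		return 0;
	n = sscanf(s, "%31[a-z] %c %d", name, &op, &off);
	if (n < 1)
		return -1;
	for (i = 0; i < PRIO_COUNT; i++) {
		if (strcmp(prio_names[i].name, name) != 0)
			continue;
		if (n == 1) {
			*out = prio_names[i].value;
			return 0;
		}
		if (n == 3 && (op == '+' || op == '-')) {
			*out = prio_names[i].value + (op == '+' ? off : -off);
			return 0;
		}
		return -1;
	}
	return -1;
}

/* Check helpers: does prio print as expect; does s parse to expect? */
int prio_prints_as(int prio, const char *expect)
{
	char buf[32];

	prio_to_string(prio, buf, sizeof(buf));
	return strcmp(buf, expect) == 0;
}

int prio_parses_to(const char *s, int expect)
{
	int v;

	return prio_from_string(s, &v) == 0 && v == expect;
}

int main(void)
{
	char buf[32];

	prio_to_string(-145, buf, sizeof(buf));
	printf("-145 prints as \"%s\"\n", buf);
	return 0;
}
```

A value more than the epsilon away from every base (say -200) prints as the bare number, so the friendly form never hides a priority that does not really sit next to a named one.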
Hi Máté,
Thanks for working on this.
See comments below.
On Wed, Jun 06, 2018 at 09:33:56PM +0200, Máté Eckl wrote:
> v2:
> - more comprehensive names
> - expose basic priorities used by iptables
> - use arithmetics with new names (+-)
> - print friendly names with arithmetics with an epsilon