On 2019-10-15, at 10:32:52 +0200, Pablo Neira Ayuso wrote:
> On Tue, Sep 24, 2019 at 08:40:54AM +0100, Jeremy Sowden wrote:
> > By default, continue to use libreadline, but if
> > `--with-cli=linenoise` is passed to configure, build the linenoise
> > implementation instead.
>
> Applied, thanks Jere
On Wed, Oct 16, 2019 at 11:55:02AM +0100, Jeremy Sowden wrote:
> On 2019-10-15, at 10:32:52 +0200, Pablo Neira Ayuso wrote:
> > On Tue, Sep 24, 2019 at 08:40:54AM +0100, Jeremy Sowden wrote:
> > > By default, continue to use libreadline, but if
> > > `--with-cli=linenoise` is passed to configure, b
Use a list of hooks per device instead an array.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h | 8 +-
net/netfilter/nf_tables_api.c | 253 +++---
2 files changed, 158 insertions(+), 103 deletions(-)
diff --git a/include/net/netfilt
Raise the maximum limit of devices per flowtable up to 256. Rename
NFT_FLOWTABLE_DEVICE_MAX to NFT_NETDEVICE_MAX in preparation to reuse
the netdev hook parser for ingress basechain.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h | 2 +-
net/netfilter/nf_tables_api.c |
Hardware offload needs access to the priority field, store this field in
the nf_flowtable object.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_flow_table.h | 1 +
include/net/netfilter/nf_tables.h | 2 --
net/netfilter/nf_tables_api.c | 10 +-
3 files chang
Hi,
The following patchset updates the flowtable control plane for nf_tables:
1) Move the priority field to nf_flowtable.
2) Dynamically allocate hooks per net_device.
3) Return EEXIST if a netdevice is referenced twice or more from the same flowtable.
4) Raise limit from 8 to 256 netdevices per flowtable.
Allow netdevice only once per flowtable, otherwise hit EEXIST.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_api.c | 17 +
1 file changed, 17 insertions(+)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 0e0e35876b53..80ded807d529
Add nft_flow_block_chain() helper function.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_offload.c | 15 +++
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nf_tables_offload.c
b/net/netfilter/nf_tables_offload.c
index e546f759b7a7..4554b
Hi,
This patchset extends the netdev family to allow for hooking multiple
devices to basechains, eg.
nft add table netdev x
nft add chain netdev x y { \
type filter hook ingress devices = { eth0, eth1 } priority 0\; }
Hence you can apply the same policy to packets coming in from eth0 and
This allows reusing nft_setup_cb_call() from the callback unbind path.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_offload.c | 9 +
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nf_tables_offload.c
b/net/netfilter/nf_tables_offload.c
index 455
This patch allows you to register one netdev basechain to multiple
devices. This adds a new NFTA_HOOK_DEVS netlink attribute to specify
the list of netdevices. Basechains store a list of hooks.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h| 4 +-
include/uapi/l
After unbinding the list of flow_block callbacks, iterate over it to
remove the existing rules in the netdevice that has just been
unregistered.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_offload.c | 26 +-
1 file changed, 13 insertions(+), 13 deletions(
Add helper function to set up the flow_cls_offload object.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_offload.c | 37 -
1 file changed, 24 insertions(+), 13 deletions(-)
diff --git a/net/netfilter/nf_tables_offload.c
b/net/netfilter/nf_tabl
On 2019-10-16, at 14:19:30 +0200, Pablo Neira Ayuso wrote:
> On Wed, Oct 16, 2019 at 11:55:02AM +0100, Jeremy Sowden wrote:
> > On 2019-10-15, at 10:32:52 +0200, Pablo Neira Ayuso wrote:
> > > On Tue, Sep 24, 2019 at 08:40:54AM +0100, Jeremy Sowden wrote:
> > > > By default, continue to use libread
Hello Dear IPTABLES/Netfilter Devs.
Thank you very much for your efforts.
I am a strong believer that if you don't do something yourself, it won't
be done.
With that said, I am no coder. (Not a C coder, and not competent by any
stretch of the imagination.)
I have come across a situation where I ne
This is a necessary follow-up on commit 00b144bc9d093 ("obj/ct_timeout:
Avoid array overrun in timeout_parse_attr_data()") which fixed array out
of bounds access but missed the logic behind it:
The nested attribute type values are incremented by one when being
transferred between kernel and usersp
Commit a9b0c385a1d5e ("rule: print space between policy and timeout")
changed spacing in ct timeout objects but did not adjust the related test
case.
Fixes: a9b0c385a1d5e ("rule: print space between policy and timeout")
Signed-off-by: Phil Sutter
---
tests/monitor/testcases/object.t | 2 +-
1 file
This reverts commit 9b032cd6477b847f48dc8454f0e73935e9f48754.
While it is true that a cache exists, we still need to capture new sets
and their elements if they are anonymous. This is because the name
changes and rules will refer to them by name.
Given that there is no easy way to identify the an
These shouldn't happen in practice and printing to stderr is not the
right thing either, but fix this anyway.
Fixes: f9563c0feb24d ("src: add events reporting")
Signed-off-by: Phil Sutter
---
src/monitor.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/monitor.c b/src/mo
Echo/monitor testsuite failed for multiple reasons. With this series
applied and a libnftnl with the recently submitted NFTA_CT_TIMEOUT_DATA
parser fix in place, testsuite finally passes again.
Phil Sutter (4):
monitor: Add missing newline to error message
Revert "monitor: fix double cache upd
Commit 43ae7a48ae3de ("rule: do not print semicolon in ct timeout")
removed an extra semicolon at end of line, but thereby broke single line
output. The correct fix is to use opts->stmt_separator which holds
either newline or semicolon chars depending on output mode.
Fixes: 43ae7a48ae3de ("rule: d