On Wed, Aug 17, 2016 at 6:12 PM, Pablo Neira Ayuso wrote:
> Looking at ctnetlink, it should be possible to make it via
> CTA_EXPECT_HELP_NAME. Thus, by when we find a matching expectation,
> the helper is set to this new connection too.
>
> See line 1086 in
From: Gao Feng
There are already some GRE_* macros in kernel, so it is unnecessary
to define these macros. And remove some useless macros
Signed-off-by: Gao Feng
---
v2: Split the original patch to review easily
v1: Initial patch
From: Gao Feng
There are two existing structures which define the GRE and PPTP header.
So use these two structures instead of the ones defined by netfilter to
keep consistent with other codes.
Signed-off-by: Gao Feng
---
v2: Split the original patch to review
iptables-restore was missing -n, -T and -M from the
usage message, added them to match the man page.
Signed-off-by: Brian Haley
diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c
index 9393924..dc0acb0 100644
--- a/iptables/ip6tables-restore.c
+++
On Mon, Aug 22, 2016 at 11:34:15PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> We should keep existing syntax unchanged, and this was emphasized
> in the commit 850f0a56b6ad ("src: add 'to' for snat and dnat")'s
> commit log: "Existing syntax is still
Hi Carlos,
One of these tests fails... so please send me a follow up to fix it.
W: [FAILED] ./testcases/rule_management/0010delete-by-desc_0
This chunk also looks a bit strange to me.
set +e; # Next commands can return 0
REMAINS_RULE2DEL=$($NFT list -a ruleset | grep -c "$RULE2DEL")
On Mon, Aug 22, 2016 at 11:43:53PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> Reject expr is only valid in input/forward/output chain,
> and if user can add reject expr in prerouting chain, kernel
> panic will happen.
>
> So add a simple test case to cover
On Sun, Aug 21, 2016 at 11:22:07PM +0200, Carlos Falgueras García wrote:
> This patch separates the rule identification from the rule localization, so
> the logic moves from the evaluator to the parser. This allows to revert the
> patch "evaluate: improve rule managment checks"
>
On Mon, Aug 22, 2016 at 12:17:26PM +0200, Florian Westphal wrote:
> When dumping labels in rule list we try to print a symbolic name.
> If we don't find one, we print the bit number instead.
>
> This changes nft to also allow use of the number instead of a name
> when adding ct label rules so
From: Liping Zhang
Reject expr is only valid in input/forward/output chain,
and if user can add reject expr in prerouting chain, kernel
panic will happen.
So add a simple test case to cover this situation.
Signed-off-by: Liping Zhang
Hi Laura,
[auto build test WARNING on nf-next/master]
[also build test WARNING on v4.8-rc3 next-20160822]
[if your patch is applied to the wrong git tree, please drop us a note to help
improve the system]
[Suggest to use git(>=2.9.0) format-patch --base= (or --base=auto for
convenie
This patch adds a verification of the compatibility between the nft
ruleset and iptables. Nft tables, chains and rules are checked to be
compatible with iptables. If something is not compatible, the execution
stops and an error message is displayed to the user.
This checking is triggered by
From: Liping Zhang
"meta pkttype set" is only supported on prerouting chain with bridge
family and ingress chain with netdev family.
But the validate check is incomplete, and the user can add the nft
rules on input chain with bridge family, for example:
# nft add
From: Liping Zhang
cttimeout and acct objects are deleted from the list while traversing
it, so using list_for_each_entry is unsafe here.
Signed-off-by: Liping Zhang
---
net/netfilter/nfnetlink_acct.c | 6 +++---
From: Liping Zhang
KASAN reported this bug:
BUG: KASAN: use-after-free in icmp_packet+0x25/0x50 [nf_conntrack_ipv4] at
addr 880002db08c8
Read of size 4 by task lt-nf-queue/19041
Call Trace:
[] dump_stack+0x63/0x88
[] kasan_report_error+0x528/0x560
From: Liping Zhang
We forget to call nf_ct_l4proto_put when replacing the existing
timeout policy. Actually, there's no need to get ct l4proto
before doing replace, so we can move it to a later position.
Signed-off-by: Liping Zhang
---
Hi!
The Netfilter project presents:
nfacct 1.0.2
nfacct is the command line tool to create/retrieve/delete accounting
objects.
See ChangeLog that comes attached to this email for more details.
You can download it from:
ftp://ftp.netfilter.org/pub/nfacct/
Hi!
The Netfilter project presents:
libnetfilter_acct 1.0.3
libnetfilter_acct is the userspace library providing interface to
extended accounting infrastructure.
See ChangeLog that comes attached to this email for more details.
You can download it from:
Hi!
The Netfilter project presents:
libnetfilter_conntrack 1.0.6
libnetfilter_conntrack is a userspace library providing a programming
interface (API) to the in-kernel connection tracking state table. The
library libnetfilter_conntrack has been previously known as
libnfnetlink_conntrack
If quotes are escaped, nft -f is unable to parse and load the translated
ruleset.
Signed-off-by: Pablo M. Bermudo Garay
---
Changes in v2:
- Do not use strcmp against 'program_name' global, propagate 'bool restore'
argument instead.
iptables/nft-ipv4.c | 6
The comment_xlate function was not supporting this option that is
necessary in some situations.
Signed-off-by: Pablo M. Bermudo Garay
---
Changes in v2:
- Ensure that the comment string is null-terminated.
extensions/libxt_comment.c | 11 ++-
iptables/nft-ipv4.c
When dumping labels in rule list we try to print a symbolic name.
If we don't find one, we print the bit number instead.
This changes nft to also allow use of the number instead of a name
when adding ct label rules so that such dumps can also be restored
again.
This is similar to other cases,
... and add test cases for ct label.
Currently this dumped 'label 0x2', now 'label 1' would be shown.
This makes add/list behave the same.
Signed-off-by: Florian Westphal
---
src/ct.c | 2 +-
tests/py/any/ct.t | 4
tests/py/any/ct.t.payload | 11
On Sun, Aug 21, 2016 at 08:10:26PM +0200, Pablo M. Bermudo Garay wrote:
> This patch adds a verification of the compatibility between the nft
> ruleset and iptables. If the nft ruleset is not compatible with
> iptables, the execution stops and an error message is displayed to the
> user.
Please,
On Thu, Aug 18, 2016 at 12:13:13PM +0200, Laura Garcia Liebana wrote:
> Add support for the number generator expression in netfilter.
Applied, thanks.
I have rewritten the description to something larger. Writing larger
description is good for the record, specifically it is good to
indicate
On Fri, Aug 19, 2016 at 11:01:34PM +0800, f...@ikuai8.com wrote:
> From: Gao Feng
>
> There are two structures which define the GRE header and PPTP
> header. So it is unnecessary to define duplicated structures in
> netfilter again.
Please, split this change in smaller
Hi Pablo,
[auto build test ERROR on nf-next/master]
url:
https://github.com/0day-ci/linux/commits/Pablo-Neira-Ayuso/netfilter-nft_dynset-allow-to-invert-match-criteria/20160819-114223
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
config: x86_64-rhel
On Mon, Aug 22, 2016 at 05:10:02PM +0800, kbuild test robot wrote:
> Hi Laura,
>
> [auto build test ERROR on nf-next/master]
> [also build test ERROR on v4.8-rc3 next-20160822]
> [if your patch is applied to the wrong git tree, please drop us a note to
> help improve the
Hi Laura,
[auto build test ERROR on nf-next/master]
[also build test ERROR on v4.8-rc3 next-20160822]
[if your patch is applied to the wrong git tree, please drop us a note to help
improve the system]
[Suggest to use git(>=2.9.0) format-patch --base= (or --base=auto for
convenience) to rec
Eric Dumazet wrote:
> On Fri, 2016-08-19 at 18:04 +0200, Florian Westphal wrote:
> > Eric Dumazet wrote:
> > > On Fri, 2016-08-19 at 17:16 +0200, Florian Westphal wrote:
> > >
> > > > Hmm, nf_conntrack_find caller needs to hold rcu_read_lock,