Re: Filtering invalid MAC addresses

2016-11-27 Thread Phil Sutter
Hi, On Sun, Nov 27, 2016 at 06:09:11PM -0800, jordi guri wrote: > I was wondering if the newer nftables is able to deal with invalid MAC > addresses. iptables I don't think can deal with these. For example I > have the following showing up in my log (from some anonymous proxy port >

Re: Filtering invalid MAC addresses

2016-11-27 Thread Michal Kubecek
On Sun, Nov 27, 2016 at 06:09:11PM -0800, jordi guri wrote: > > I was wondering if the newer nftables is able to deal with invalid > MAC addresses. iptables I don't think can deal with these. For > example I have the following showing up in my log (from some > anonymous proxy port scanner): >

RE: BALANCE PAYMENT

2016-11-27 Thread coral
Dear Sir/s, Please see attached. Thanks and regards, Accounts Department Al Omraniya Trading Co. LLC P.O. Box: 10757, Al Khabaisi Area, Deira 2, Dubai, U.A.E. Tel: +971 4 268 2730 / Fax: +971 4 268 4117 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body

[PATCH nft v2 2/2] datatype: Implement binary search in symbolic_constant_print()

2016-11-27 Thread Elise Lennion
Because a linear search is used, which is slower. This approach demands that the symbol_table have a variable with its size, also, it must be sorted by value. Signed-off-by: Elise Lennion --- v2: This patch has no v1. include/datatype.h | 2 ++ src/datatype.c |

[PATCH nft v2 1/2] datatype: Replace getnameinfo() by internal lookup table

2016-11-27 Thread Elise Lennion
To avoid exceeding the inputs number limit of the flex scanner used, when calling getnameinfo() in inet_service_type_print(). The new symbol_table was associated with inet_service_type, to enable listing all pre-defined services using nft command line tool. The listed services are all well-known

Re: [PATCH nf-next 1/2] netfilter: nf_tables: add chain to pktinfo structure

2016-11-27 Thread Florian Westphal
Pablo Neira Ayuso wrote: > This patch adds the chain object to the pktinfo structure. This > potentially allows us to know what basechain this packet is walking over > from the expression evaluation path. ... for what? Why...? It's not clear to me why these changes are made.

[PATCH nf-next 04/11] netfilter: nf_tables: add stateful object reference expression

2016-11-27 Thread Pablo Neira Ayuso
This new expression allows us to refer to existing stateful objects from rules. Signed-off-by: Pablo Neira Ayuso --- include/uapi/linux/netfilter/nf_tables.h | 17 - net/netfilter/Kconfig| 6 ++ net/netfilter/Makefile | 1 +

[PATCH nf-next 02/11] netfilter: nft_counter: add stateful object type

2016-11-27 Thread Pablo Neira Ayuso
Register a new percpu counter stateful object type into the stateful object infrastructure. Signed-off-by: Pablo Neira Ayuso --- include/uapi/linux/netfilter/nf_tables.h | 1 + net/netfilter/nft_counter.c | 116 --- 2 files

[PATCH nf-next 03/11] netfilter: nft_quota: add stateful object type

2016-11-27 Thread Pablo Neira Ayuso
Register a new quota stateful object type into the new stateful object infrastructure. Signed-off-by: Pablo Neira Ayuso --- include/uapi/linux/netfilter/nf_tables.h | 1 + net/netfilter/nft_quota.c| 76 +++- 2 files changed, 65

[PATCH nf-next 11/11] netfilter: nf_tables: allow to filter stateful object dumps by type

2016-11-27 Thread Pablo Neira Ayuso
This patch adds the netlink code to filter out dump of stateful objects, through the NFTA_OBJ_TYPE netlink attribute. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_tables_api.c | 49 +++ 1 file changed, 49 insertions(+) diff

[PATCH nf-next 07/11] netfilter: nft_quota: dump consumed quota

2016-11-27 Thread Pablo Neira Ayuso
Add a new attribute NFTA_QUOTA_CONSUMED that displays the amount of quota that has been already consumed. This allows us to restore the internal state of the quota object between reboots as well as to monitor how wasted it is. This patch changes the logic to account for the consumed bytes,

[PATCH nf-next 05/11] netfilter: nf_tables: atomic dump and reset for stateful objects

2016-11-27 Thread Pablo Neira Ayuso
This patch adds a new NFT_MSG_GETOBJ_RESET command to perform an atomic dump-and-reset of the stateful object. This also comes with support for atomic dump and reset for counter and quota objects. Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_tables.h

[PATCH nf-next 00/11] nf_tables: add stateful objects

2016-11-27 Thread Pablo Neira Ayuso
This patchset adds support for nf_tables stateful objects. Two object types are supported at this stage: counters and quotas. Stateful objects are uniquely identified by a user-defined name and you have to attach them to tables. You can create a counter via: # nft add table filter # nft add

[PATCH nf-next 2/2] netfilter: nf_tables: add numeric expression type definitions

2016-11-27 Thread Pablo Neira Ayuso
This patch adds numeric expression types, so we can refer to expressions using these numeric types instead of their string names. A new netlink attribute, NFTA_EXPR_TYPE, encapsulates the numeric expression type. This patch doesn't use enum so stringify works for module aliases. Signed-off-by:

[PATCH nf-next 10/11] netfilter: nft_objref: support for stateful object maps

2016-11-27 Thread Pablo Neira Ayuso
This patch allows us to refer to stateful object dictionaries; the source register indicates the key data to be used to look up the corresponding stateful object. We can refer to these maps through names or, alternatively, the map transaction id. This allows us to refer to both anonymous and

[PATCH nf-next 08/11] netfilter: nft_quota: add depleted flag for objects

2016-11-27 Thread Pablo Neira Ayuso
Notify on depleted quota objects. The NFT_QUOTA_F_DEPLETED flag indicates we have reached overquota. Signed-off-by: Pablo Neira Ayuso --- include/uapi/linux/netfilter/nf_tables.h | 1 + net/netfilter/nft_quota.c| 33 2 files

[PATCH nf-next 1/2] netfilter: nf_tables: add chain to pktinfo structure

2016-11-27 Thread Pablo Neira Ayuso
This patch adds the chain object to the pktinfo structure. This potentially allows us to know what basechain this packet is walking over from the expression evaluation path. Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_tables.h | 17 +

[PATCH nf-next 09/11] netfilter: nf_tables: add stateful object reference to set elements

2016-11-27 Thread Pablo Neira Ayuso
This patch allows you to refer to stateful objects from set elements. This provides the infrastructure to create maps where the right hand side of the mapping is a stateful object. This allows us to build dictionaries of stateful objects, that you can use to perform fast lookups using any

[PATCH nf-next 06/11] netfilter: nf_tables: notify internal updates of stateful objects

2016-11-27 Thread Pablo Neira Ayuso
Introduce nf_tables_obj_notify() to notify internal state changes in stateful objects. This is used by the quota object to report depletion in a follow up patch. Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_tables.h | 4 net/netfilter/nf_tables_api.c

[PATCH iptables] extensions: LOG: add log flags translation to nft

2016-11-27 Thread Liping Zhang
From: Liping Zhang For example: # iptables-translate -A OUTPUT -j LOG --log-uid nft add rule ip filter OUTPUT counter log flags skuid # iptables-translate -A OUTPUT -j LOG --log-tcp-sequence \ --log-tcp-options nft add rule ip filter OUTPUT counter log flags tcp