Hello,
currently in iptables I can set NOTRACK (-j CT --notrack) only for
OUTPUT and PREROUTING, because the routing decision is made after the
conntracking.
I need a stateful firewall on INPUT, but conntrack on FORWARD is a
performance drawback for me. And I can imagine that someone might have
And by "disguise" I've meant "distinguish" :-)
T.
On 2016-12-06 06:54, mudru...@spoje.net wrote:
Hello,
currently in iptables I can set NOTRACK (-j CT --notrack) only for
OUTPUT and PREROUTING, because the routing decision is made after the
conntracking.
I need a stateful firewall on INPUT,
nft describe displays, to the user, which values are available for a selector,
then the values should be in host byte order.
Reported-by: Pablo Neira Ayuso
Fixes: ccc5da470e76 ("datatype: Replace getnameinfo() by internal lookup table")
Signed-off-by: Elise Lennion
Willem de Bruijn wrote:
> While we're discussing the patch, another question, about revisions: I
> tested both modified and original iptables binaries on both standard
> and modified kernels. It all works as expected, except for the case
> where both binaries are
On Mon, Dec 5, 2016 at 6:29 PM, Willem de Bruijn wrote:
> On Mon, Dec 5, 2016 at 6:22 PM, Pablo Neira Ayuso wrote:
>> On Mon, Dec 05, 2016 at 06:06:05PM -0500, Willem de Bruijn wrote:
>> [...]
>>> Eric also suggests a private variable to avoid being
On Mon, Dec 5, 2016 at 6:22 PM, Pablo Neira Ayuso wrote:
> On Mon, Dec 05, 2016 at 06:06:05PM -0500, Willem de Bruijn wrote:
> [...]
>> Eric also suggests a private variable to avoid being subject to
>> changes to PATH_MAX. Then we can indeed also choose an arbitrary lower
>>
On Mon, Dec 05, 2016 at 06:06:05PM -0500, Willem de Bruijn wrote:
[...]
> Eric also suggests a private variable to avoid being subject to
> changes to PATH_MAX. Then we can indeed also choose an arbitrary lower
> length than current PATH_MAX.
Good.
> FWIW, there is a workaround for users with
On Mon, Dec 5, 2016 at 6:00 PM, Pablo Neira Ayuso wrote:
> On Mon, Dec 05, 2016 at 11:34:15PM +0100, Pablo Neira Ayuso wrote:
>> On Mon, Dec 05, 2016 at 10:30:01PM +0100, Florian Westphal wrote:
>> > Eric Dumazet wrote:
>> > > On Mon, 2016-12-05 at
On Mon, Dec 05, 2016 at 02:59:09PM -0800, Eric Dumazet wrote:
> On Mon, 2016-12-05 at 23:40 +0100, Florian Westphal wrote:
>
> > Fair enough, I have no objections to the patch.
>
> An additional question is about PATH_MAX :
>
> Is it guaranteed to stay at 4096 forever ?
>
> To be safe, maybe
On Mon, Dec 05, 2016 at 11:34:15PM +0100, Pablo Neira Ayuso wrote:
> On Mon, Dec 05, 2016 at 10:30:01PM +0100, Florian Westphal wrote:
> > Eric Dumazet wrote:
> > > On Mon, 2016-12-05 at 15:28 -0500, Willem de Bruijn wrote:
> > > > From: Willem de Bruijn
Hi Willem,
On 12/05/2016 09:28 PM, Willem de Bruijn wrote:
From: Willem de Bruijn
Add support for attaching an eBPF object by file descriptor.
The iptables binary can be called with a path to an elf object or a
pinned bpf object. Also pass the mode and path to the kernel
Pablo Neira Ayuso wrote:
> On Mon, Dec 05, 2016 at 10:30:01PM +0100, Florian Westphal wrote:
> > Eric Dumazet wrote:
> > > On Mon, 2016-12-05 at 15:28 -0500, Willem de Bruijn wrote:
> > > > From: Willem de Bruijn
> > > >
> > > >
You can use this new command to remove all existing elements in a set:
# nft flush set filter xyz
After this command, the set 'xyz' in table 'filter' becomes empty.
Signed-off-by: Pablo Neira Ayuso
---
include/netlink.h | 2 ++
src/evaluate.c    | 3 +++
src/netlink.c
This patch adds support for set flushing, that consists of walking over
the set elements if the NFTA_SET_ELEM_LIST_ELEMENTS attribute is set.
This patch requires the following changes:
1) Add set->ops->deactivate_one() operation: This allows us to
deactivate an element from the set element
Context is not modified by nft_trans_alloc(), so constify it.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_api.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index
This new function allows us to deactivate one single element, this is
required by the set flush command that comes in a follow up patch.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nft_set_hash.c | 24 +---
net/netfilter/nft_set_rbtree.c | 11
Please, add a description to this patch.
Thanks.
On Mon, Dec 05, 2016 at 08:58:38PM +0900, Kohei Suzuki wrote:
> ---
> src/scanner.l | 36
> +--
> tests/shell/testcases/include/0005glob_0 | 32
>
Hi!
I have quite loaded NAT server (approx 17Gbps of traffic) where periodic
"conntrack -L" might trigger once per day kernel panic.
I am not definitely sure it is triggered exactly at running tool, or
just by enabling events.
Here is panic message:
[221287.380762] general protection fault:
Eric Dumazet wrote:
> On Mon, 2016-12-05 at 15:28 -0500, Willem de Bruijn wrote:
> > From: Willem de Bruijn
> >
> > Add support for attaching an eBPF object by file descriptor.
> >
> > The iptables binary can be called with a path to an elf object or
On Mon, 2016-12-05 at 15:28 -0500, Willem de Bruijn wrote:
> From: Willem de Bruijn
>
> Add support for attaching an eBPF object by file descriptor.
>
> The iptables binary can be called with a path to an elf object or a
> pinned bpf object. Also pass the mode and path to
From: Willem de Bruijn
Add support for attaching an eBPF object by file descriptor.
The iptables binary can be called with a path to an elf object or a
pinned bpf object. Also pass the mode and path to the kernel to be
able to return it later for iptables dump and save.