Question on match pid owner

Hi there, recently I started working on developing a userspace packet inspection daemon for personal use via netfilter queues. However, I want to validate the identity of the originating process and I've seen that the --pid-owner option is not available any more. That means that I will

Re: [PATCH 37/50] netfilter: nf_tables: atomic dump and reset for stateful objects

On Fri, 2016-12-09 at 06:24 -0800, Eric Dumazet wrote: > It looks that you want a seqcount, even on 64bit arches, > so that CPU 2 can restart its loop, and more importantly you need > to not accumulate the values you read, because they might be old/invalid. Untested patch to give general idea. I

Re: [PATCH 37/50] netfilter: nf_tables: atomic dump and reset for stateful objects

On Fri, 2016-12-09 at 11:24 +0100, Pablo Neira Ayuso wrote: > Hi Paul, Hi Pablo Given that bytes/packets counters are modified without cmpxchg64() : static inline void nft_counter_do_eval(struct nft_counter_percpu_priv *priv, struct nft_regs *regs,

[PATCH libnftnl 1/7] include: fetch stateful object updates for nf_tables.h cache copy

This patch includes updates for the named stateful expressions. Signed-off-by: Pablo Neira Ayuso --- include/linux/netfilter/nf_tables.h | 64 + 1 file changed, 64 insertions(+) diff --git a/include/linux/netfilter/nf_tables.h

[PATCH libnftnl 7/7] quota: support for consumed bytes

This patch extends the quota support to account for consumed bytes. Signed-off-by: Pablo Neira Ayuso --- include/libnftnl/expr.h | 1 + src/expr/quota.c| 26 +++--- 2 files changed, 24 insertions(+), 3 deletions(-) diff --git

[PATCH libnftnl 5/7] set_elem: add NFTNL_SET_ELEM_OBJREF attribute

This new attribute allows us to attach stateful objects to elements for map lookups. This new attribute identifies the object through its name. Signed-off-by: Pablo Neira Ayuso --- include/libnftnl/set.h | 1 + include/set_elem.h | 1 + src/set_elem.c | 27

[PATCH libnftnl 6/7] expr: objref: add support for stateful object maps

If the NFT_SET_OBJECT flag is set, then this set stores a mapping between any random user-defined arbitrary key and one stateful object. Very useful for performance lookups. Signed-off-by: Pablo Neira Ayuso --- include/libnftnl/expr.h | 3 +++ src/expr/objref.c | 72

[PATCH libnftnl 4/7] set: add NFTNL_SET_OBJ_TYPE attribute

This new attribute specifies the stateful object type this set stores. Similar to data type, but specific to store objects. You must set the NFT_SET_OBJECT flag to use this. Signed-off-by: Pablo Neira Ayuso --- include/libnftnl/set.h | 1 + include/set.h | 1 +

[PATCH libnftnl 2/7] src: support for stateful objects

This patch allows you to add, to delete and to get stateful objects, this support two object types: counter and quota. Signed-off-by: Pablo Neira Ayuso --- examples/Makefile.am | 12 + examples/nft-obj-add.c | 123 ++ examples/nft-obj-del.c |

[PATCH libnftnl 3/7] expr: add stateful object reference expression

This patch adds a new "objref" expression that you can use to refer to stateful objects from rules. Signed-off-by: Pablo Neira Ayuso --- include/libnftnl/expr.h | 5 + src/Makefile.am | 1 + src/expr/objref.c| 215

[PATCH] libxtables: xtables.c: Use getnameinfo()

Use getnameinfo() instead of deprecated gethostbyaddr() Signed-off-by: Shyam Saini --- libxtables/xtables.c | 25 - 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/libxtables/xtables.c b/libxtables/xtables.c index 921dfe9..338e325

Re: [PATCH 37/50] netfilter: nf_tables: atomic dump and reset for stateful objects

Hi Paul, On Thu, Dec 08, 2016 at 07:40:14PM -0500, Paul Gortmaker wrote: > On Wed, Dec 7, 2016 at 4:52 PM, Pablo Neira Ayuso wrote: > > This patch adds a new NFT_MSG_GETOBJ_RESET command perform an atomic > > dump-and-reset of the stateful object. This also comes with add