On Fri, Jan 20, 2017 at 9:49 AM, Steve Grubb wrote:
> On Wednesday, January 18, 2017 6:35:29 PM EST Paul Moore wrote:
>> At this point I think it would be good to hear what requirements exist
>> for per-packet auditing. Steve, are there any current Common Criteria
>> (or
On Wednesday, January 18, 2017 6:35:29 PM EST Paul Moore wrote:
> On Wed, Jan 18, 2017 at 10:15 AM, Richard Guy Briggs wrote:
> > On 2017-01-18 07:32, Paul Moore wrote:
> >> On Wed, Jan 18, 2017 at 12:39 AM, Richard Guy Briggs wrote:
> >> > On 2017-01-17 21:34,
From: Arturo Borrero Gonzalez
In the inet family, we can add rules like these:
% nft add rule inet t c ip protocol icmp icmp type echo-request
% nft add rule inet t c ip6 nexthdr icmpv6 icmpv6 type echo-request
However, when we print the ruleset:
% nft list ruleset
table
From: Feng
When something failed in nf_tables_table_enable, it would unregister
the chains. But the rollback code is almost the same as
nf_tables_table_disable, except there is one counter check.
Now create one wrapper function to eliminate the duplicated code.
Signed-off-by:
On Fri, Jan 20, 2017 at 8:30 PM, Feng Gao wrote:
> Hi Liping,
>
> On Fri, Jan 20, 2017 at 6:57 PM, Liping Zhang wrote:
>> 2017-01-20 15:42 GMT+08:00 Feng Gao:
>> [...]
>>> In v2 patch, I copied your recommended code "if (cnt &&
The flush operation needs to modify set and element objects, so let's
deconstify this.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h | 6 +++---
net/netfilter/nf_tables_api.c | 24
net/netfilter/nft_set_hash.c | 2
Add missing set->ndeact update on each deactivated element from the set
flush path. Otherwise, sets with fixed size break after flush since
accounting breaks.
# nft add set x y { type ipv4_addr\; size 2\; }
# nft add element x y { 1.1.1.1 }
# nft add element x y { 1.1.1.2 }
# nft flush set x
From: Liping Zhang
Currently, if the user adds a stateful object with a name size exceeding
NFT_OBJ_MAXNAMELEN - 1 (i.e. 31), we truncate it down to 31 silently.
This is not friendly; furthermore, this will cause duplicated stateful
objects when the first 31 characters of the
In the inet family, we can add rules like these:
% nft add rule inet t c ip protocol icmp icmp type echo-request
% nft add rule inet t c ip6 nexthdr icmpv6 icmpv6 type echo-request
However, when we print the ruleset:
% nft list ruleset
table inet t {
chain c {
icmpv6
Hi Liping,
On Fri, Jan 20, 2017 at 6:57 PM, Liping Zhang wrote:
> 2017-01-20 15:42 GMT+08:00 Feng Gao:
> [...]
>> In v2 patch, I copied your recommended code "if (cnt && --cnt == 0)".
>> Today I think it is not right to use "--cnt", it should use
2017-01-20 15:42 GMT+08:00 Feng Gao:
[...]
> In v2 patch, I copied your recommended code "if (cnt && --cnt == 0)".
> Today I think it is not right to use "--cnt", it should use "cnt--".
> Because when the cnt is 1, the "--cnt" would break directly.
> So I send the v3 patch.
11 matches