Re: AUDIT_NETFILTER_PKT message format

2017-01-20 Thread Paul Moore
On Fri, Jan 20, 2017 at 9:49 AM, Steve Grubb wrote: > On Wednesday, January 18, 2017 6:35:29 PM EST Paul Moore wrote: >> At this point I think it would be good to hear what requirements exist >> for per-packet auditing. Steve, are there any current Common Criteria >> (or

Re: AUDIT_NETFILTER_PKT message format

2017-01-20 Thread Steve Grubb
On Wednesday, January 18, 2017 6:35:29 PM EST Paul Moore wrote: > On Wed, Jan 18, 2017 at 10:15 AM, Richard Guy Briggs wrote: > > On 2017-01-18 07:32, Paul Moore wrote: > >> On Wed, Jan 18, 2017 at 12:39 AM, Richard Guy Briggs wrote: > >> > On 2017-01-17 21:34,

[nft PATCH] payload: use explicit network ctx assignation for icmp/icmp6 in inet family

2017-01-20 Thread Arturo Borrero Gonzalez
From: Arturo Borrero Gonzalez In the inet family, we can add rules like these: % nft add rule inet t c ip protocol icmp icmp type echo-request % nft add rule inet t c ip6 nexthdr icmpv6 icmpv6 type echo-request However, when we print the ruleset: % nft list ruleset table

[PATCH nf-next v4 1/1] netfilter: nf_tables: Eliminate duplicated codes in nf_tables_table_enable

2017-01-20 Thread fgao
From: Feng When something fails in nf_tables_table_enable, it unregisters the chains. But the rollback code is almost the same as nf_tables_table_disable, except for one counter check. Now create one wrapper function to eliminate the duplicated code. Signed-off-by:

Re: [PATCH nf-next v2 1/1] netfilter: nf_tables: Eliminate duplicated codes in nf_tables_table_enable

2017-01-20 Thread Feng Gao
On Fri, Jan 20, 2017 at 8:30 PM, Feng Gao wrote: > Hi Liping, > > On Fri, Jan 20, 2017 at 6:57 PM, Liping Zhang wrote: >> 2017-01-20 15:42 GMT+08:00 Feng Gao : >> [...] >>> In the v2 patch, I copied your recommended code "if (cnt &&

[PATCH 1/2 nf] netfilter: nf_tables: deconstify walk callback function

2017-01-20 Thread Pablo Neira Ayuso
The flush operation needs to modify set and element objects, so let's deconstify this. Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_tables.h | 6 +++--- net/netfilter/nf_tables_api.c | 24 net/netfilter/nft_set_hash.c | 2

[PATCH 2/2 nf] netfilter: nf_tables: bump set->ndeact on set flush

2017-01-20 Thread Pablo Neira Ayuso
Add missing set->ndeact update on each deactivated element from the set flush path. Otherwise, sets with fixed size break after flush since accounting breaks. # nft add set x y { type ipv4_addr\; size 2\; } # nft add element x y { 1.1.1.1 } # nft add element x y { 1.1.1.2 } # nft flush set x

[PATCH nf V2] netfilter: nf_tables: validate the name size when possible

2017-01-20 Thread Liping Zhang
From: Liping Zhang Currently, if the user adds a stateful object whose name size exceeds NFT_OBJ_MAXNAMELEN - 1 (i.e. 31), we truncate it down to 31 silently. This is not friendly; furthermore, it will cause duplicated stateful objects when the first 31 characters of the

[nft PATCH] payload: use explicit network ctx assignation for icmp/icmp6 in inet family

2017-01-20 Thread Arturo Borrero Gonzalez
In the inet family, we can add rules like these: % nft add rule inet t c ip protocol icmp icmp type echo-request % nft add rule inet t c ip6 nexthdr icmpv6 icmpv6 type echo-request However, when we print the ruleset: % nft list ruleset table inet t { chain c { icmpv6

Re: [PATCH nf-next v2 1/1] netfilter: nf_tables: Eliminate duplicated codes in nf_tables_table_enable

2017-01-20 Thread Feng Gao
Hi Liping, On Fri, Jan 20, 2017 at 6:57 PM, Liping Zhang wrote: > 2017-01-20 15:42 GMT+08:00 Feng Gao : > [...] >> In the v2 patch, I copied your recommended code "if (cnt && --cnt == 0)". >> Today I think it is not right to use "--cnt"; it should use

Re: [PATCH nf-next v2 1/1] netfilter: nf_tables: Eliminate duplicated codes in nf_tables_table_enable

2017-01-20 Thread Liping Zhang
2017-01-20 15:42 GMT+08:00 Feng Gao : [...] > In the v2 patch, I copied your recommended code "if (cnt && --cnt == 0)". > Today I think it is not right to use "--cnt"; it should use "cnt--". > Because when cnt is 1, the "--cnt" would break directly. > So I sent the v3 patch.