Re: AUDIT_NETFILTER_PKT message format

On Tue, Feb 7, 2017 at 3:52 PM, Richard Guy Briggs wrote: > So while I'm not advocating this is what should be done and I'm trying > to establish bounds to the scope of this feature, but would it be > reasonable to simply not log packets that were transiting this machine >

Re: [PATCH] net: fix description of skb_find_text() according to removed functionality

How about you make edits to this interface when you add an in-tree user as we mentioned in our responses to your previous patch? Thank you. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at

[PATCH] net: fix description of skb_find_text() according to removed functionality

Textsearch state parameter was moved to local scope of the function. This eliminates usage of textsearch_next() to find subsequent occurrences. Fixes: 59a2440fd3cf ("net: Remove state argument from skb_find_text()") Signed-off-by: Igor Pylypiv --- net/core/skbuff.c | 5

Re: [PATCH nf-next v2,1/2] netfilter: nft_exthdr: Add support for existence check

Hi, On Tue, Feb 07, 2017 at 09:20:27PM +0100, Pablo Neira Ayuso wrote: > From: Phil Sutter > > If NFT_EXTHDR_F_PRESENT is set, exthdr will not copy any header field > data into *dest, but instead set it to 1 if the header is found and 0 > otherwise. > > Signed-off-by: Phil Sutter

Re: [PATCH nf-next v2,2/2] netfilter: nft_exthdr: add TCP option matching

On Tue, Feb 07, 2017 at 09:20:28PM +0100, Pablo Neira Ayuso wrote: > From: Manuel Messner > > This patch implements the kernel side of the TCP option patch. > > Signed-off-by: Manuel Messner > Reviewed-by: Florian Westphal > Signed-off-by:

Re: [RFC PATCH] audit: normalize NETFILTER_PKT

On 2017-02-06 14:41, Paul Moore wrote: > On Sat, Feb 4, 2017 at 8:25 AM, Steve Grubb wrote: > > On Friday, February 3, 2017 6:44:16 PM EST Paul Moore wrote: > >> I'm still trying to understand what purpose this record actually > >> serves, and what requirements may exist. In

Re: AUDIT_NETFILTER_PKT message format

On 2017-01-20 09:49, Steve Grubb wrote: > On Wednesday, January 18, 2017 6:35:29 PM EST Paul Moore wrote: > > On Wed, Jan 18, 2017 at 10:15 AM, Richard Guy Briggs > > wrote: > > > On 2017-01-18 07:32, Paul Moore wrote: > > >> On Wed, Jan 18, 2017 at 12:39 AM, Richard Guy Briggs

[PATCH nf-next v2,1/2] netfilter: nft_exthdr: Add support for existence check

From: Phil Sutter If NFT_EXTHDR_F_PRESENT is set, exthdr will not copy any header field data into *dest, but instead set it to 1 if the header is found and 0 otherwise. Signed-off-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso --- @Phil: I have

[PATCH nf-next v2,2/2] netfilter: nft_exthdr: add TCP option matching

From: Manuel Messner This patch implements the kernel side of the TCP option patch. Signed-off-by: Manuel Messner Reviewed-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- v2: Rebase on top of Phil's update. I

Re: [PATCH] Revert "net: Remove state argument from skb_find_text()"

On Sat, Feb 04, 2017 at 09:48:30PM -0800, Igor Pylypiv wrote: > This reverts commit 059a2440fd3cf4ec57735db2c0a90401cde84fca. > > Textsearch state parameter should be passed by pointer because > its resulting value is needed for call to textsearch_next(). You're right this renders

Re: [PATCH nftables 5/9] src: add host byte order integer type

On Tue, Feb 07, 2017 at 12:58:56PM +0100, Pablo Neira Ayuso wrote: > On Mon, Feb 06, 2017 at 11:33:01PM +0100, Florian Westphal wrote: > > Pablo Neira Ayuso wrote: > > > On Fri, Feb 03, 2017 at 01:35:52PM +0100, Florian Westphal wrote: > > > > diff --git a/include/datatype.h

Re: [PATCH nftables 5/9] src: add host byte order integer type

On Mon, Feb 06, 2017 at 11:33:01PM +0100, Florian Westphal wrote: > Pablo Neira Ayuso wrote: > > On Fri, Feb 03, 2017 at 01:35:52PM +0100, Florian Westphal wrote: > > > diff --git a/include/datatype.h b/include/datatype.h > > > index 9f127f2954e3..8c1c827253be 100644 > > >