When trying to redirect bridged frames to the bridge device itself
via the ebtables nat-prerouting chain and the dnat target, this
currently fails:
The ethernet destination of the frame is dnat'ed to the MAC address of
the bridge itself just fine and the correctly altered frame can even
be
From: Gao Feng
Because its caller nfnl_cthelper_new has already checked the tb[NFCTH_TUPLE],
it is unnecessary to check it again in nfnl_cthelper_create.
Signed-off-by: Gao Feng
---
net/netfilter/nfnetlink_cthelper.c | 2 +-
1 file changed, 1 insertion(+),
Florian Westphal wrote:
[ nft .. ct eventmask set ...]
ahem. I did not mean to submit this yet as the kernel
patch assumes that the untracked object doesn't exist anymore (which
is why I haven't submitted it yet).
I will not push this patch until the kernel patch is in
Signed-off-by: Florian Westphal
---
doc/nft.xml | 28 +++-
1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/doc/nft.xml b/doc/nft.xml
index de86d2a18258..8ea280417742 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -3347,6 +3347,7 @@ ip6 filter
Signed-off-by: Florian Westphal
---
include/rule.h | 4
src/evaluate.c | 4
src/parser_bison.y | 63 --
src/rule.c | 22 +++
4 files changed, 91 insertions(+), 2 deletions(-)
diff
useful for the 'ct zone set' statement, it has to be done before
the conntrack lookup but preferably after the defragmentation hook.
In iptables, the functionality resides in the CT target which is
restricted to the raw table. This provides the skeleton for nft.
Signed-off-by: Florian Westphal
needs minor tweak to nft-test.py so we don't zap the ';' within the {}
before attempting to add the rule/ct helper object.
Signed-off-by: Florian Westphal
---
tests/py/ip/objects.t | 4
tests/py/ip/objects.t.payload | 14 ++
tests/py/nft-test.py
Signed-off-by: Florian Westphal
---
include/datatype.h| 1 +
include/linux/netfilter/nf_conntrack_common.h | 80 ++-
include/linux/netfilter/nf_tables.h | 2 +
src/ct.c | 30
Signed-off-by: Florian Westphal
---
doc/nft.xml | 71 +
1 file changed, 71 insertions(+)
diff --git a/doc/nft.xml b/doc/nft.xml
index 8ea280417742..ffca6cc9322e 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -950,6
this implements
nft list ct helpers table filter
table ip filter {
ct helper ftp-standard {
..
Signed-off-by: Florian Westphal
---
include/rule.h | 1 +
src/evaluate.c | 1 +
src/parser_bison.y | 19 +++
src/rule.c | 2 ++
4 files changed,
... to make adding CMD_OBJ_CT_HELPER support easier.
Signed-off-by: Florian Westphal
---
src/evaluate.c | 32
1 file changed, 20 insertions(+), 12 deletions(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index 7ddbb658f96f..ae30bc9bb3b9 100644
This series adds the frontend/nft support to define and
assign connection tracking helpers.
Example:
table inet myhelpers {
ct helper ftp-standard {
type "ftp"
protocol tcp
}
chain prerouting {
type filter hook prerouting priority 0;
tcp dport 21 ct helper set
add support for ct helper objects, these are used to assign helpers to
connections, similar to iptables -j CT --set-helper target.
Signed-off-by: Florian Westphal
---
include/libnftnl/object.h | 6 ++
include/linux/netfilter/nf_tables.h | 12 ++-
include/obj.h
Signed-off-by: Florian Westphal
---
include/libnftnl/object.h | 4
src/libnftnl.map | 4
src/object.c | 26 ++
3 files changed, 34 insertions(+)
diff --git a/include/libnftnl/object.h b/include/libnftnl/object.h
index
This adds libnftnl support to define connection tracking helpers.
Frontend (nft) support will follow soon.
include/libnftnl/object.h | 10 +
include/linux/netfilter/nf_tables.h | 12 +-
include/obj.h |6 +
src/Makefile.am |1
On Tue, Mar 14, 2017 at 10:44:43PM +0800, Liping Zhang wrote:
> Hi Pablo,
> 2017-03-14 20:19 GMT+08:00 Pablo Neira Ayuso :
> [...]
> > Another possibility is to simply regard desc->size over the memory
> > scalability notation when provided. I think this just needs an update
>
Hi Pablo,
2017-03-14 20:19 GMT+08:00 Pablo Neira Ayuso :
[...]
> Another possibility is to simply regard desc->size over the memory
> scalability notation when provided. I think this just needs an update
> from nft userspace. Look, bitmap and hashtable are both described as
>
On Mon, Mar 13, 2017 at 05:53:53PM +0100, Pablo Neira Ayuso wrote:
> On Mon, Mar 13, 2017 at 05:01:53PM +0100, Phil Sutter wrote:
> [...]
> > The nftables numgen expression works differently:
>
> Phil, if you think we need a 1:1 mapping so iptables users moving to
> nftables don't get confused,
On Tue, Mar 14, 2017 at 11:21:31AM +0100, Pablo Neira Ayuso wrote:
> On Tue, Mar 14, 2017 at 05:04:17PM +0800, Liping Zhang wrote:
> > 2017-03-14 1:23 GMT+08:00 Pablo Neira Ayuso :
> > [...]
> > > Anyway, I'll be fine if this triggers some discussions on the set
> > > backend
The tech committee would like to announce a new accepted talk.
Lawrence Brakmo will talk about Netesto tool suite
Details are as follows:
-
Netesto (NEtwork TESting TOolkit) is a suite of tools for running
multi-host network experiments that supports the collection and display
of
Peter Marczis wrote:
> I mean we destroy the sockets, we used two very basic Python scripts to
> open and close TCP sockets between the WAN and LAN interface.
Then my guess wrt. nf_ct_iterate_cleanup is certainly wrong.
Hi,
I mean we destroy the sockets, we used two very basic Python scripts to
open and close TCP sockets between the WAN and LAN interface.
Thanks for the hint, I will try those!
Br,
Peter
On Tue, Mar 14, 2017 at 11:33 AM, Florian Westphal wrote:
> Peter Marczis
Peter Marczis wrote:
> Hello developers,
> I'm seeking some help to debug and solve one of my issues.
>
> We observed that if we create 30k connections, everything works as
> expected, but when we start to disconnect them,
> conntrack (well not confirmed yet
On Tue, Mar 14, 2017 at 05:55:50PM +0900, Lorenzo Colitti wrote:
> Currently the iptables lock is hardcoded as "/run/xtables.lock".
> Allow users to change this path using the --with-xt-lock-name
> option to ./configure. This is useful on systems like
> Android which do not have /run.
>
>
On Tue, Mar 14, 2017 at 05:04:17PM +0800, Liping Zhang wrote:
> 2017-03-14 1:23 GMT+08:00 Pablo Neira Ayuso :
> [...]
> > Anyway, I'll be fine if this triggers some discussions on the set
> > backend selection at some point, as well as more detailed performance
> > evaluation.
Hello developers,
I'm seeking some help to debug and solve one of my issues.
At GreenWave I'm working on a "SOHO" Router product, and of course we
use linux / netfilter.
We observed that if we create 30k connections, everything works as
expected, but when we start to disconnect them,
conntrack
Hi Pablo,
2017-03-14 1:23 GMT+08:00 Pablo Neira Ayuso :
[...]
> I would like this only describes the representation that is exposed to
> the packet path, not the real memory consumption of it. I know I'm
> kind of cheating, but with this I'm also giving this bitmap an
>
Currently the iptables lock is hardcoded as "/run/xtables.lock".
Allow users to change this path using the --with-xt-lock-name
option to ./configure. This is useful on systems like
Android which do not have /run.
Tested on Ubuntu, as follows:
1. By default, the lock is placed in
Hi Pablo,
On Tue, Mar 14, 2017 at 4:29 PM, wrote:
> From: Gao Feng
>
> Because these two functions return the nf_ct_helper_expectfn pointer
> which should be protected by rcu lock. So it should make sure the
> caller holds the rcu lock, not inside
From: Gao Feng
The helper module permits helper modules to register an expectfn, and
it could be held by an external caller. But when the module is unloaded,
there may be some pending expect nodes which still hold the function
reference. It may cause unexpected behavior, even a panic.