This patch is part of a proposal to add a string filter to
ebtables, which would be similar to the string filter in
iptables. Like iptables, the ebtables filter uses the xt_string
module.
Signed-off-by: Bernie Harris
---
net/netfilter/xt_string.c | 1 +
1 file
This patch is part of a proposal to add a string filter to
ebtables, which would be similar to the string filter in
iptables.
Like iptables, the ebtables filter uses the xt_string module,
however some modifications have been made for this to work
correctly.
Currently ebtables assumes that the revision number of all match
modules is 0, which is an issue when trying to use existing
xtables matches with ebtables. The solution is to modify ebtables
to allow extensions to specify a revision number, similar to
iptables. This gets passed down to the kernel,
The xt_string module uses skb_find_text to match a pattern
against packet data. The current behaviour is that the offsets
are used as the range in which a match can start, with the 'to'
offset being included in that range. This means that to do an
exact match for a string at a specific offset, the
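The start-offset semantics described in that message, as an added userspace model written for this page (not the kernel's skb_find_text or xt_string code): a match may begin at any offset in the inclusive range [from, to], so an exact match at one offset means collapsing the range to a single point. The clamp that keeps the pattern inside the buffer and the sample payload are this example's own assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample payload standing in for packet data. */
static const char sample[] = "GET /index.html HTTP/1.1\r\n";
#define SAMPLE_LEN (sizeof(sample) - 1)

/*
 * Model of the described behaviour: 'from' and 'to' bound where a match
 * may START, and 'to' itself is a valid start offset. Returns the offset
 * of the first match, or -1 if none. The clamp below (a start past
 * len - patlen cannot hold the whole pattern) is an assumption of this
 * model, not something the message states.
 */
long find_text(const char *buf, size_t len, size_t from, size_t to,
               const char *pat, size_t patlen)
{
    if (patlen == 0 || patlen > len)
        return -1;
    if (to > len - patlen)
        to = len - patlen;
    for (size_t off = from; off <= to; off++) {
        if (memcmp(buf + off, pat, patlen) == 0)
            return (long)off;
    }
    return -1; /* also reached when from > to after clamping */
}

/* Exact match at one offset: from == to == off. */
int matches_at(const char *buf, size_t len, size_t off,
               const char *pat, size_t patlen)
{
    return find_text(buf, len, off, off, pat, patlen) == (long)off;
}

int main(void)
{
    /* "/index" starts at offset 4; to=3 excludes it, to=4 includes it. */
    printf("to=3: %ld\n", find_text(sample, SAMPLE_LEN, 0, 3, "/index", 6));
    printf("to=4: %ld\n", find_text(sample, SAMPLE_LEN, 0, 4, "/index", 6));
    printf("exact at 4: %d, exact at 3: %d\n",
           matches_at(sample, SAMPLE_LEN, 4, "/index", 6),
           matches_at(sample, SAMPLE_LEN, 3, "/index", 6));
    return 0;
}
```

The inclusive 'to' is the point to remember when writing rules: a range of from=4 to=4 is the only way to pin a pattern to exactly one offset under these semantics.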
To make the test a bit clearer and to reduce object size a little.
Miscellanea:
o remove now unnecessary static const array
$ size ip_set_hash_mac.o*
   text    data     bss     dec     hex filename
  22822    4619      64   27505    6b71 ip_set_hash_mac.o.allyesconfig.new
  22932    4683
On Sun, Mar 04, 2018 at 09:28:52AM +0100, Matthias Schiffer wrote:
> I recently found myself in a situation that required me to filter IGMP
> packets of certain types on a bridge. Switching to nftables is
> unfortunately not an option at the moment because of hardware constraints,
> in particular
On Tue, Mar 20, 2018 at 10:53:22PM +0800, Yang Zheng wrote:
> nft-ct-helper-{add,get,del}: add, get, or delete ct helper objects from the
> specified table.
>
> Examples:
> % ./nft-ct-helper-get ip filter
>
> % ./nft-ct-helper-add ip filter sip-5060 sip udp
> % ./nft-ct-helper-get ip
nft-ct-helper-{add,get,del}: add, get, or delete ct helper objects from the
specified table.
Examples:
% ./nft-ct-helper-get ip filter
% ./nft-ct-helper-add ip filter sip-5060 sip udp
% ./nft-ct-helper-get ip filter
table filter name sip-5060 use 0 [ ct_helper name sip family 2
Fixes: 8aeff920dcc9 ("netfilter: nf_tables: add stateful object reference to set elements")
Fixes: f25ad2e907f1 ("netfilter: nf_tables: prepare for expressions associated to set elements")
Fixes: 1a94e38d254b ("netfilter: nf_tables: add NFTA_RULE_ID attribute")
Signed-off-by: Florian Westphal
On Mon, Mar 19, 2018 at 04:39:33PM +0100, Florian Westphal wrote:
> kbuild test robot wrote:
> > -bool nf_tables_allow_nat_conflict(const struct net *net,
> > - const struct nf_hook_ops *ops)
> > +static bool nf_tables_allow_nat_conflict(const struct
On Wed, Mar 14, 2018 at 01:37:58PM +0100, Florian Westphal wrote:
> in nftables, 'meter' can be used to instantiate a hash-table at run
> time:
>
> rule add filter forward iif "internal" meter hostacct { ip saddr counter}
> nft list meter ip filter hostacct
> table ip filter {
> meter hostacct
On Sun, Mar 18, 2018 at 07:22:39PM +0100, Florian Westphal wrote:
> Sergei Trofimovich reported that restoring an nft ruleset doesn't work
> anymore unless old rule content is flushed first.
>
> The problem stems from a recent change designed to prevent multiple nat
> hooks at the same hook point
On Mon, Mar 12, 2018 at 06:36:29PM +0530, Arushi Singhal wrote:
> Using pr_() is more concise than printk(KERN_).
> This patch:
> * Replace printks having a log level with the appropriate
> pr_*() macros.
> * Define pr_fmt() to include relevant name.
> * Remove redundant prefixes from pr_*()
On Mon, Mar 12, 2018 at 07:21:38PM -0500, Gustavo A. R. Silva wrote:
> In preparation to enabling -Wvla, remove VLA and replace it
> with dynamic memory allocation.
>
> From a security viewpoint, the use of Variable Length Arrays can be
> a vector for stack overflow attacks. Also, in general, as
On Mon, Mar 19, 2018 at 09:41:59AM +1300, Jack Ma wrote:
> This patch introduces a new feature that allows bitshifting (left
> and right) operations to co-operate with existing iptables options.
Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the
On Wed, Mar 14, 2018 at 11:36:53PM +0900, Taehee Yoo wrote:
> xtables uses ADD_COUNTER macro to increase
> packet and byte count. ebtables also can use this.
Applied to nf-next, thanks.
Please, specify your tree target next time, ie.
[PATCH nf-next] blah
Thanks!
On Mon, Mar 12, 2018 at 10:16:17PM -0500, Gustavo A. R. Silva wrote:
> In preparation to enabling -Wvla, remove VLA and replace it
> with dynamic memory allocation.
>
> From a security viewpoint, the use of Variable Length Arrays can be
> a vector for stack overflow attacks. Also, in general, as
On Mon, Mar 12, 2018 at 06:14:42PM -0500, Gustavo A. R. Silva wrote:
> In preparation to enabling -Wvla, remove VLA and replace it
> with dynamic memory allocation.
>
> From a security viewpoint, the use of Variable Length Arrays can be
> a vector for stack overflow attacks. Also, in general, as
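The shape of the change those three -Wvla cleanups make, as an added example for this page (not code from the patches themselves): a scratch buffer sized by a caller-controlled count, first as a VLA whose stack footprint has no upper bound, then as a heap allocation behind an explicit limit that reports failure instead of overrunning the stack. The function names, the 256-entry limit and the sample input are this example's own assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound on entries; an assumption of this example. */
#define MAX_ENTRIES 256

/* Constructed sample input and an output buffer for it. */
static const uint32_t sample_in[4] = { 1, 2, 3, 4 };
static uint32_t scratch_out[4];

/*
 * Before: a VLA. Stack growth is n * sizeof(uint32_t) and n comes from
 * the caller, so a large n walks the stack pointer into whatever lies
 * below the frame. -Wvla flags this declaration.
 */
int reverse_copy_vla(const uint32_t *in, uint32_t *out, size_t n)
{
    uint32_t tmp[n];
    for (size_t i = 0; i < n; i++)
        tmp[i] = in[n - 1 - i];
    memcpy(out, tmp, n * sizeof(*tmp));
    return 0;
}

/*
 * After: the count is checked against a fixed limit and the buffer comes
 * from the heap. calloc(n, size) also guards the size multiplication.
 * Returns 0, -EINVAL for a rejected count, -ENOMEM if allocation fails.
 */
int reverse_copy(const uint32_t *in, uint32_t *out, size_t n)
{
    uint32_t *tmp;

    if (n == 0 || n > MAX_ENTRIES)
        return -EINVAL;
    tmp = calloc(n, sizeof(*tmp));
    if (!tmp)
        return -ENOMEM;
    for (size_t i = 0; i < n; i++)
        tmp[i] = in[n - 1 - i];
    memcpy(out, tmp, n * sizeof(*tmp));
    free(tmp);
    return 0;
}
```

The rejected-count path is the part worth keeping in mind during review: once the buffer is bounded, every caller has to handle the error return, which is exactly the control the VLA version never offered.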
On Tuesday 2018-03-20 12:47, Pablo Neira Ayuso wrote:
>Signed-off-by: Pablo Neira Ayuso
>---
> include/conntrackd.h | 4
> include/helper.h | 2 --
> 2 files changed, 4 insertions(+), 2 deletions(-)
>
>diff --git a/include/conntrackd.h b/include/conntrackd.h
>index
On Sun, Mar 18, 2018 at 07:37:41PM +0100, Florian Westphal wrote:
> Sergei Trofimovich reports 'uninitialized bytes' warnings from nftables:
>
> Syscall param sendmsg(msg.msg_iov[0]) points to uninitialised byte(s)
> at 0x55B9EFB: sendmsg (in /lib64/libc-2.25.so)
> by 0x43E658:
On Mon, Mar 19, 2018 at 06:02:01PM +0100, Phil Sutter wrote:
> This series is the result of me trying to get all tests in tests/shell
> to pass. Sadly I wasn't fully successful, these two still fail:
>
> - testcases/sets/0028autoselect_0
> - testcases/sets/0031set_timeout_size_0
These need
Pablo Neira Ayuso wrote:
> On Tue, Mar 20, 2018 at 12:43:33PM +0100, Florian Westphal wrote:
> > I don't understand why push,ack is invalid in first place.
> > If we do not have a valid connection at this point then a pure
> > ack would have same effect (reset), no?
>
>
On Tue, Mar 20, 2018 at 12:43:33PM +0100, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > The example rule in the iptables-extensions(8) manpage suggests:
> >
> > iptables -A INPUT -i eth0 -p tcp --dport 80
> > -m state --state UNTRACKED,INVALID
Signed-off-by: Pablo Neira Ayuso
---
include/conntrackd.h | 4
include/helper.h | 2 --
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/include/conntrackd.h b/include/conntrackd.h
index ece702543082..81dff221e96d 100644
--- a/include/conntrackd.h
+++
Back in 2008, there was no TCP flags support in the kernel, hence the
workaround was to infer the flags from the TCP state.
This patch is implicitly fixing a problem, since the existing RETRANS
and UNACK TCP conntrack states plus the _CLOSE_INIT flag that is bogusly
inferred (to be frank, it was
Before this patch, if TCP state is < TIME_WAIT, we skip this logic.
Over time, we got new states over the TIME_WAIT value, such as
SYN_SENT2, RETRANS and UNACK, that can trigger this conntrack entry
reset, however this check was never updated.
My understanding is that we should only exercise the
Pablo Neira Ayuso wrote:
> The example rule in the iptables-extensions(8) manpage suggests:
>
> iptables -A INPUT -i eth0 -p tcp --dport 80
> -m state --state UNTRACKED,INVALID -j SYNPROXY
> --sack-perm --timestamp --mss 1460
The example rule in the iptables-extensions(8) manpage suggests:
iptables -A INPUT -i eth0 -p tcp --dport 80
-m state --state UNTRACKED,INVALID -j SYNPROXY
--sack-perm --timestamp --mss 1460 --wscale 9
This is allowing invalid PSH,ACK packets to enter
This patch exposes synproxy information per-conntrack. Moreover, send
sequence adjustment events once server sends us the SYN,ACK packet, so
we can synchronize the sequence adjustment too for packets going as
reply from the server, as part of the synproxy logic.
Signed-off-by: Pablo Neira Ayuso
On 19 March 2018 at 18:19, Yang Zheng wrote:
> nft-ct-helper-{add,get,del}: add, get, or delete ct helper objects from the
> specified table.
>
It would be great if you extend a bit the commit message with your tests:
% ./nft-ct-helper-get
% ./nft-ct-helper-add
%
On 19 March 2018 at 18:02, Phil Sutter wrote:
> This series is the result of me trying to get all tests in tests/shell
> to pass. Sadly I wasn't fully successful, these two still fail:
>
> - testcases/sets/0028autoselect_0
> - testcases/sets/0031set_timeout_size_0
>
> I had a look at