Re: [PATCH][PING] Hide private symbols in libnfnetlink

2018-05-03 Thread Jan Engelhardt
On Thursday 2018-05-03 17:03, Yuri Gribov wrote: >Hi all, > >Here's the updated version of the patch. > >diff --git a/src/Makefile.am b/src/Makefile.am >index d0098cc..d91c9f7 100644 >--- a/src/Makefile.am >+++ b/src/Makefile.am >@@ -3,7 +3,8 @@ include $(top_srcdir)/Make_global.am >

Re: [PATCH iptables] extensions: libipt_DNAT: use size of nf_nat_range2 for rev2

2018-05-03 Thread Thierry Du Tre
On 03-05-18 21:40, Florian Westphal wrote: > DNAT tests fail on nf-next.git, kernel complains about target size > mismatch (40 vs 48), this fixes this for me. > > Fixes: 36976c4b5406 ("extensions: libipt_DNAT: support shifted portmap > ranges") > Signed-off-by: Florian Westphal >

[PATCH iptables] extensions: libipt_DNAT: use size of nf_nat_range2 for rev2

2018-05-03 Thread Florian Westphal
DNAT tests fail on nf-next.git, kernel complains about target size mismatch (40 vs 48), this fixes this for me. Fixes: 36976c4b5406 ("extensions: libipt_DNAT: support shifted portmap ranges") Signed-off-by: Florian Westphal --- extensions/libip6t_DNAT.c | 4 ++--

[PATCH net] ipvs: fix stats update from local clients

2018-05-03 Thread Julian Anastasov
Local clients are not properly synchronized on 32-bit CPUs when updating stats (3.10+). Now it is possible for estimation_timer (timer), a stats reader, to interrupt the local client in the middle of write_seqcount_{begin,end} sequence leading to loop (DEADLOCK). The same interrupt can happen from

[PATCH net] ipvs: fix refcount usage for conns in ops mode

2018-05-03 Thread Julian Anastasov
Connections in One-packet scheduling mode (-o, --ops) are removed with refcnt=0 because they are not hashed in conn table. To avoid refcount_dec reporting this as error, change them to be removed with refcount_dec_if_one as all other connections. refcount_t hit zero at ip_vs_conn_put+0x31/0x40

[PATCH][PING] Hide private symbols in libnfnetlink

2018-05-03 Thread Yuri Gribov
Hi all, Here's the updated version of the patch. -Y 0001-Hide-private-symbols-v4.patch Description: Binary data

[PATCH] netfilter: nf_queue: Replace conntrack entry

2018-05-03 Thread Kristian Evensen
SKBs are assigned a conntrack entry before being passed to any NFQUEUEs, and if no entry is found then a new one is created. This behavior causes problems for some traffic patterns. For example, if two UDP packets to/from the same host (using the same ports) arrive at the "same" time, both are

[PATCH nf-next v5] netfilter: nf_osf: nf_osf_ttl() and nf_osf_match()

2018-05-03 Thread Fernando Fernandez Mancera
Added nf_osf_ttl() and nf_osf_match() into nf_osf.c in order to start the nftables OSF implementation. Signed-off-by: Fernando Fernandez Mancera --- include/linux/netfilter/nf_osf.h | 29 include/uapi/linux/netfilter/nf_osf.h | 93 +++

Re: Silently dropped UDP packets on kernel 4.14

2018-05-03 Thread Kristian Evensen
Hi Michal, Thanks for providing a nice summary of your experience when dealing with this problem. Always nice to know that I am not alone :) On Thu, May 3, 2018 at 11:42 AM, Michal Kubecek wrote: > One of the ideas I had was this: > > - keep also unconfirmed conntracks in

[PATCH nft 5/5] src: use location to display error messages

2018-05-03 Thread Pablo Neira Ayuso
# nft add chain foo bar Error: Could not process rule: No such file or directory add chain foo bar ^^^ Signed-off-by: Pablo Neira Ayuso --- src/evaluate.c | 156 ++--- 1 file changed, 94 insertions(+), 62

[PATCH nft 1/5] src: add table_spec

2018-05-03 Thread Pablo Neira Ayuso
Store location object in handle to improve error reporting. Signed-off-by: Pablo Neira Ayuso --- include/rule.h| 7 ++- src/evaluate.c| 42 +- src/monitor.c | 4 ++-- src/netlink.c

[PATCH nft 3/5] src: add set_spec

2018-05-03 Thread Pablo Neira Ayuso
Store location object in handle to improve error reporting. Signed-off-by: Pablo Neira Ayuso --- include/rule.h | 7 ++- src/evaluate.c | 36 ++-- src/expression.c| 4 ++-- src/netlink.c | 6 +++---

[PATCH nft 2/5] src: add chain_spec

2018-05-03 Thread Pablo Neira Ayuso
Store location object in handle to improve error reporting. Signed-off-by: Pablo Neira Ayuso --- include/rule.h| 7 ++- src/evaluate.c| 4 ++-- src/netlink.c | 14 +++--- src/netlink_delinearize.c | 4 ++--

[PATCH nft 4/5] src: add obj_spec

2018-05-03 Thread Pablo Neira Ayuso
Store location object in handle to improve error reporting. Signed-off-by: Pablo Neira Ayuso --- include/rule.h | 7 ++- src/evaluate.c | 4 ++-- src/netlink.c | 8 src/parser_bison.y | 6 -- src/rule.c | 18 +- 5

Re: Silently dropped UDP packets on kernel 4.14

2018-05-03 Thread Michal Kubecek
On Thu, May 03, 2018 at 07:03:45AM +0200, Florian Westphal wrote: > Kristian Evensen wrote: > > I went for the early-insert approach and have patched > > I'm sorry for suggesting that. > > It doesn't work, because of NAT. > NAT rewrites packet content and changes

[arptables PATCH] arptables: cleanup sysvinit script

2018-05-03 Thread Arturo Borrero Gonzalez
This file belongs to downstream distributions. Also, it's unmaintained. Signed-off-by: Arturo Borrero Gonzalez --- Makefile |8 +--- arptables.sysv | 103 2 files changed, 2 insertions(+), 109 deletions(-)

Re: Silently dropped UDP packets on kernel 4.14

2018-05-03 Thread Kristian Evensen
Hi Florian, On Thu, May 3, 2018 at 7:03 AM, Florian Westphal wrote: > I'm sorry for suggesting that. > > It doesn't work, because of NAT. > NAT rewrites packet content and changes the reply tuple, but the tuples > determine the hash insertion location. > > I don't know how to

Re: [ANNOUNCE] libnftnl 1.1.0 release

2018-05-03 Thread Pablo Neira Ayuso
On Thu, May 03, 2018 at 01:08:36AM +1000, Duncan Roe wrote: > On Wed, May 02, 2018 at 10:09:04AM +0200, Pablo Neira Ayuso wrote: > > On Wed, May 02, 2018 at 11:32:13AM +1000, Duncan Roe wrote: > > > On Tue, May 01, 2018 at 11:33:33PM +0200, Florian Westphal wrote: > [...] > > > Hey Florian, > > >