On Fri, May 04, 2018 at 04:54:37PM -0400, Richard Guy Briggs wrote:
> Recognizing that the audit context is an internal audit value, use an
> access function to set the audit context pointer for the task
> rather than reaching directly into the task struct to set it.
>
> Signed-off-by: Richard
On 2018-05-04 16:54, Richard Guy Briggs wrote:
> Use a macro, "AUDIT_SID_UNSET", to replace each instance of
> initialization and comparison to an audit session ID.
>
> Signed-off-by: Richard Guy Briggs
There's a minor issue with this patch, adding a header include to
currently the frontend uses seconds everywhere and
multiplies/divides by 1000.
Pass milliseconds around instead and extend the scanner to accept 'ms'
in timestrings.
Signed-off-by: Florian Westphal
---
include/datatype.h| 2 +-
src/datatype.c
Hi Pablo,
Sure thank you,
Will do.
Regards,
Jack
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Máté Eckl wrote:
> It did not make any harm, but it was certainly missing.
Applied, thanks Máté.
On Tue, 8 May 2018 14:36:32 +0200
Pablo Neira Ayuso wrote:
> On Wed, Apr 25, 2018 at 05:30:47AM -0500, Ahmed Abdelsalam wrote:
> > This patch extends the libip6t_srh shared library to support matching
> > previous SID, next SID, and last SID.
>
> Applied, thanks.
>
>
On Tue, May 08, 2018 at 02:16:23PM +0200, Pablo Neira Ayuso wrote:
> On Mon, May 07, 2018 at 01:18:53PM +0200, Simon Horman wrote:
> > On Mon, May 07, 2018 at 01:17:40PM +0200, Simon Horman wrote:
> > > On Thu, May 03, 2018 at 10:01:40PM +0300, Julian Anastasov wrote:
> > > > Connections in
On Tue, May 08, 2018 at 06:22:12PM +0530, Harsha Sharma wrote:
> Usage:
> ./nft-rule-ct-timeout-add ip filter input some-name
> ./nft-rule-get ip filter
> ip filter input 6
> [ objref type 5 name some-name ]
>
> nft list ruleset
>
> ...
> chain input {
>ct timeout set "some-name"
> }
On Tue, May 08, 2018 at 06:21:14PM +0530, Harsha Sharma wrote:
> Usage:
> ./nft-rule-ct-helper-add ip filter input sip-5060
> ./nft-rule-get ip filter
> ip filter input 7 6
> [ objref type 3 name sip-5060 ]
>
> nft list ruleset
>
> ...
> chain input {
>ct helper set "sip-5060"
> }
Usage:
./nft-rule-ct-timeout-add ip filter input some-name
./nft-rule-get ip filter
ip filter input 6
[ objref type 5 name some-name ]
nft list ruleset
...
chain input {
ct timeout set "some-name"
}
Signed-off-by: Harsha Sharma
---
examples/Makefile.am
Usage:
./nft-rule-ct-helper-add ip filter input sip-5060
./nft-rule-get ip filter
ip filter input 7 6
[ objref type 3 name sip-5060 ]
nft list ruleset
...
chain input {
ct helper set "sip-5060"
}
Signed-off-by: Harsha Sharma
---
examples/Makefile.am
On Tue, Apr 24, 2018 at 02:58:57PM +1200, Jack Ma wrote:
> This patch adds a new feature to iptables that allows bitshifting for
> --restore,set and save-mark operations. This allows existing logic
> operators (and, or and xor) and mask to co-operate with new bitshift
> operations.
>
> The
On Wed, Apr 25, 2018 at 05:30:47AM -0500, Ahmed Abdelsalam wrote:
> This patch extends the libip6t_srh shared library to support matching
> previous SID, next SID, and last SID.
Applied, thanks.
Please, send us a patch to add tests for extensions/libip6t_srh.t
On Sun, Apr 22, 2018 at 11:04:56AM +0200, Laura Garcia Liebana wrote:
> This patch introduces two new attributes for numgen to allow map
> lookups where the number generator will be the key.
>
> Two new attributes need to be included: NFTNL_EXPR_NG_SET_NAME and
> NFTNL_EXPR_NG_SET_ID in order to
On Fri, May 04, 2018 at 12:46:52PM +0300, Baruch Siach wrote:
> Conflicting definitions of struct ethhdr between the kernel and musl
> libc provides headers causes a build failure:
>
> In file included from .../usr/include/netinet/ether.h:8:0,
> from useful_functions.c:28:
>
On Wed, May 02, 2018 at 02:07:42PM +0200, Florian Westphal wrote:
> Taehee Yoo reported following bug:
> iptables-compat -I OUTPUT -m cpu --cpu 0
> iptables-compat -F
> lsmod |grep xt_cpu
> xt_cpu 16384 1
>
> Quote:
> "When above command is given, a netlink
On Fri, Apr 27, 2018 at 11:16:09AM -0700, Stephen Hemminger wrote:
> The destination mac (destmac) is only valid if EBT_DESTMAC flag
> is set. Fix by changing the order of the comparison to look for
> the flag first.
Applied, thanks Stephen.
On Mon, May 07, 2018 at 01:17:40PM +0200, Simon Horman wrote:
> On Thu, May 03, 2018 at 10:01:40PM +0300, Julian Anastasov wrote:
> > Connections in One-packet scheduling mode (-o, --ops) are
> > removed with refcnt=0 because they are not hashed in conn table.
> > To avoid refcount_dec reporting
On Mon, May 07, 2018 at 01:18:53PM +0200, Simon Horman wrote:
> On Mon, May 07, 2018 at 01:17:40PM +0200, Simon Horman wrote:
> > On Thu, May 03, 2018 at 10:01:40PM +0300, Julian Anastasov wrote:
> > > Connections in One-packet scheduling mode (-o, --ops) are
> > > removed with refcnt=0 because
On Mon, May 07, 2018 at 01:18:26PM +0200, Simon Horman wrote:
> On Thu, May 03, 2018 at 10:02:18PM +0300, Julian Anastasov wrote:
> > Local clients are not properly synchronized on 32-bit CPUs when
> > updating stats (3.10+). Now it is possible estimation_timer (timer),
> > a stats reader, to
On Fri, May 04, 2018 at 06:16:06PM +0200, Florian Westphal wrote:
> removes following sparse error:
> net/netfilter/core.c:598:30: warning: incorrect type in argument 1 (different
> address spaces)
> net/netfilter/core.c:598:30:expected struct nf_hook_entries **e
>
On Sun, May 06, 2018 at 12:46:16AM +0200, Florian Westphal wrote:
> The icmp matches are implemented in ip_tables and ip6_tables,
> respectively, so for normal iptables they are always available:
> those modules are loaded once iptables calls getsockopt() to fetch
> available module revisions.
>
On Sun, May 06, 2018 at 12:45:43AM +0200, Florian Westphal wrote:
> fixes these warnings:
> 'nfnl_cthelper_create' at net/netfilter/nfnetlink_cthelper.c:237:2,
> 'nfnl_cthelper_new' at net/netfilter/nfnetlink_cthelper.c:450:9:
> ./include/linux/string.h:246:9: warning: '__builtin_strncpy'
On Mon, May 07, 2018 at 03:22:34PM +0200, Florian Westphal wrote:
> These two patches fix handling of large xtables matches from nft_compat.
>
> First patch just separates the match handling functions to not assume
> matchinfo is stored in expr private area.
>
> Second patch is the actual fix.
Otherwise, 65535 is used and testsuite reports dump mismatch.
Signed-off-by: Pablo Neira Ayuso
---
tests/shell/testcases/sets/0022type_selective_flush_0 | 2 +-
tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft | 2 +-
2 files changed, 2
When removing a rule that jumps to chain and such chain in the same
batch, this bogusly hits EBUSY. Add activate and deactivate operations
to expression that can be called from the preparation and the
commit/abort phases.
Signed-off-by: Pablo Neira Ayuso
---
Although technically there already is support for JSON output via 'nft
export json' command, it is hardly useable since it exports all the gory
details of nftables VM. Also, libnftables has no control over what is
exported since the content comes directly from libnftnl.
Instead, implement JSON
This adds a bunch of functions for conversion of different values into
string (and vice-versa).
* log_level_parse(): A simple helper to turn log level string
representation into log level value.
* nat_etype2str(): Translate nat statement type into string
This removes static flag and adds header prototype for the following
functions:
* must_print_eq_op() from src/expression.c
* fib_result_str() from src/fib.c
* set_policy2str() and chain_policy2str from src/rule.c
In fib.h, include linux/netfilter/nf_tables.h to make sure enum
nft_fib_result is
Signed-off-by: Phil Sutter
---
tests/py/nft-test.py | 126 ++-
1 file changed, 65 insertions(+), 61 deletions(-)
diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py
index d4b22817d7665..f4ddc91b39291 100755
--- a/tests/py/nft-test.py
+++
When testing rule adding to different table families, expected payload
was read for each tested family again. Instead, read it just once and
just try to read a family-specific payload for each tested family.
Signed-off-by: Phil Sutter
---
tests/py/nft-test.py | 22
This removes static flag and adds declarations in headers for the
following arrays:
* ct_templates from src/ct.c
* mark_tbl from src/datatype.c
* meta_templates and devgroup_tbl from src/meta.c
* table_flags_name from src/rule.c
* set_stmt_op_names from src/statement.c
* tcpopthdr_protocols from
This should be dropped for a real UAPI header update.
Signed-off-by: Phil Sutter
---
include/linux/netfilter/nf_tables.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/include/linux/netfilter/nf_tables.h
b/include/linux/netfilter/nf_tables.h
index
Print the non-equal parts of the two rules in yellow when printing the
differences warning.
Signed-off-by: Phil Sutter
---
tests/py/nft-test.py | 35 ++-
1 file changed, 34 insertions(+), 1 deletion(-)
diff --git a/tests/py/nft-test.py
This series adds JSON input and output support to libnftables via
libjansson.
The first five patches prepare the existing code for the actual
implementation which follows in patches 6 and 7. Patches 8 and 9 extend
the simple Nftables Python class in py/nftables.py. The remaining ones
deal with
Signed-off-by: Phil Sutter
---
py/nftables.py | 45 -
1 file changed, 44 insertions(+), 1 deletion(-)
diff --git a/py/nftables.py b/py/nftables.py
index eb81f5b2fdb9c..47ff14afc9741 100644
--- a/py/nftables.py
+++ b/py/nftables.py
@@
Signed-off-by: Phil Sutter
---
py/nftables.py | 25 +
1 file changed, 25 insertions(+)
diff --git a/py/nftables.py b/py/nftables.py
index c175975076982..eb81f5b2fdb9c 100644
--- a/py/nftables.py
+++ b/py/nftables.py
@@ -47,6 +47,13 @@ class Nftables:
With no -n, semantics for *filter are to delete filter table and all its
content.
This restores the similar behaviour introduced in ca165845f7ec
("xtables-compat-restore: flush rules and delete user-defined chains").
Signed-off-by: Pablo Neira Ayuso
---
iptables/nft.c |
Stephen Rothwell says:
today's linux-next build (x86_64 allmodconfig) produced this warning:
./usr/include/linux/netfilter/nf_osf.h:25: found __[us]{8,16,32,64} type
without #include
Fix that up and also move kernel-private struct out of uapi (it was not
exposed in any released kernel
Stephen Rothwell wrote:
> On Mon, 7 May 2018 10:55:19 +1000 Stephen Rothwell
> wrote:
> >
> > After merging the netfilter-next tree, today's linux-next build (x86_64
> > allmodconfig) produced this warning:
> >
> >