Re: [PATCH ghak81 RFC V1 4/5] audit: use inline function to set audit context

2018-05-08 Thread Tobin C. Harding
On Fri, May 04, 2018 at 04:54:37PM -0400, Richard Guy Briggs wrote: > Recognizing that the audit context is an internal audit value, use an > access function to set the audit context pointer for the task > rather than reaching directly into the task struct to set it. > > Signed-off-by: Richard

Re: [PATCH ghak81 RFC V1 2/5] audit: convert sessionid unset to a macro

2018-05-08 Thread Richard Guy Briggs
On 2018-05-04 16:54, Richard Guy Briggs wrote: > Use a macro, "AUDIT_SID_UNSET", to replace each instance of > initialization and comparison to an audit session ID. > > Signed-off-by: Richard Guy Briggs There's a minor issue with this patch, adding a header include to

[PATCH nft] src: support timeouts in milliseconds

2018-05-08 Thread Florian Westphal
currently the frontend uses seconds everywhere and multiplies/divides by 1000. Pass milliseconds around instead and extend the scanner to accept 'ms' in timestrings. Signed-off-by: Florian Westphal --- include/datatype.h| 2 +- src/datatype.c

Re: [PATCH v5] libxt_CONNMARK: Support bit-shifting for --restore,set and save-mark

2018-05-08 Thread Jack Ma
Hi Pablo, Sure thank you, Will do. Regards, Jack-- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: [PATCH nft] parser: added missing semicolon

2018-05-08 Thread Florian Westphal
Máté Eckl wrote: > It did not make any harm, but it was certainly missing. Applied, thanks Máté.

Re: [iptables v2] extensions: libip6t_srh: support matching previous, next and last SID

2018-05-08 Thread Ahmed Abdelsalam
On Tue, 8 May 2018 14:36:32 +0200 Pablo Neira Ayuso wrote: > On Wed, Apr 25, 2018 at 05:30:47AM -0500, Ahmed Abdelsalam wrote: > > This patch extends the libip6t_srh shared library to support matching > > previous SID, next SID, and last SID. > > Applied, thanks. > >

Re: [PATCH net] ipvs: fix refcount usage for conns in ops mode

2018-05-08 Thread Simon Horman
On Tue, May 08, 2018 at 02:16:23PM +0200, Pablo Neira Ayuso wrote: > On Mon, May 07, 2018 at 01:18:53PM +0200, Simon Horman wrote: > > On Mon, May 07, 2018 at 01:17:40PM +0200, Simon Horman wrote: > > > On Thu, May 03, 2018 at 10:01:40PM +0300, Julian Anastasov wrote: > > > > Connections in

Re: [PATCH libnftnl WIP 2/2] examples: Add test for assigning timeout objects via rule

2018-05-08 Thread Pablo Neira Ayuso
On Tue, May 08, 2018 at 06:22:12PM +0530, Harsha Sharma wrote: > Usage: > ./nft-rule-ct-timeout-add ip filter input some-name > ./nft-rule-get ip filter > ip filter input 6 > [ objref type 5 name some-name ] > > nft list ruleset > > ... > chain input { >ct timeout set "some-name" > }

Re: [PATCH libnftnl 1/2] examples: Add test for assigning helper objects via rule

2018-05-08 Thread Pablo Neira Ayuso
On Tue, May 08, 2018 at 06:21:14PM +0530, Harsha Sharma wrote: > Usage: > ./nft-rule-ct-helper-add ip filter input sip-5060 > ./nft-rule-get ip filter > ip filter input 7 6 > [ objref type 3 name sip-5060 ] > > nft list ruleset > > ... > chain input { >ct helper set "sip-5060" > }

[PATCH libnftnl WIP 2/2] examples: Add test for assigning timeout objects via rule

2018-05-08 Thread Harsha Sharma
Usage: ./nft-rule-ct-timeout-add ip filter input some-name ./nft-rule-get ip filter ip filter input 6 [ objref type 5 name some-name ] nft list ruleset ... chain input { ct timeout set "some-name" } Signed-off-by: Harsha Sharma --- examples/Makefile.am

[PATCH libnftnl 1/2] examples: Add test for assigning helper objects via rule

2018-05-08 Thread Harsha Sharma
Usage: ./nft-rule-ct-helper-add ip filter input sip-5060 ./nft-rule-get ip filter ip filter input 7 6 [ objref type 3 name sip-5060 ] nft list ruleset ... chain input { ct helper set "sip-5060" } Signed-off-by: Harsha Sharma --- examples/Makefile.am

Re: [PATCH v5] libxt_CONNMARK: Support bit-shifting for --restore,set and save-mark

2018-05-08 Thread Pablo Neira Ayuso
On Tue, Apr 24, 2018 at 02:58:57PM +1200, Jack Ma wrote: > This patch adds a new feature to iptables that allow bitshifting for > --restore,set and save-mark operations. This allows existing logic > operators (and, or and xor) and mask to co-operate with new bitshift > operations. > > The

Re: [iptables v2] extensions: libip6t_srh: support matching previous, next and last SID

2018-05-08 Thread Pablo Neira Ayuso
On Wed, Apr 25, 2018 at 05:30:47AM -0500, Ahmed Abdelsalam wrote: > This patch extends the libip6t_srh shared library to support matching > previous SID, next SID, and last SID. Applied, thanks. Please, send us a patch to add tests for extensions/libip6t_srh.t

Re: [PATCH libnftnl] expr: add map lookups for numgen statements

2018-05-08 Thread Pablo Neira Ayuso
On Sun, Apr 22, 2018 at 11:04:56AM +0200, Laura Garcia Liebana wrote: > This patch introduces two new attributes for numgen to allow map > lookups where the number generator will be the key. > > Two new attributes needs to be included: NFTNL_EXPR_NG_SET_NAME and > NFTNL_EXPR_NG_SET_ID in order to

Re: [PATCH ebtables] Fix musl libc compatibility

2018-05-08 Thread Pablo Neira Ayuso
On Fri, May 04, 2018 at 12:46:52PM +0300, Baruch Siach wrote: > Conflicting definitions of struct ethhdr between the kernel and musl > libc provides headers causes a build failure: > > In file included from .../usr/include/netinet/ether.h:8:0, > from useful_functions.c:28: >

Re: [PATCH nf] netfilter: nf_tables: nft_compat: fix refcount leak on xt module

2018-05-08 Thread Pablo Neira Ayuso
On Wed, May 02, 2018 at 02:07:42PM +0200, Florian Westphal wrote: > Taehee Yoo reported following bug: > iptables-compat -I OUTPUT -m cpu --cpu 0 > iptables-compat -F > lsmod |grep xt_cpu > xt_cpu 16384 1 > > Quote: > "When above command is given, a netlink

Re: [PATCH net] bridge: netfilter stp fix reference to uninitialized data

2018-05-08 Thread Pablo Neira Ayuso
On Fri, Apr 27, 2018 at 11:16:09AM -0700, Stephen Hemminger wrote: > The destination mac (destmac) is only valid if EBT_DESTMAC flag > is set. Fix by changing the order of the comparison to look for > the flag first. Applied, thanks Stephen.

Re: [PATCH net] ipvs: fix refcount usage for conns in ops mode

2018-05-08 Thread Pablo Neira Ayuso
On Mon, May 07, 2018 at 01:17:40PM +0200, Simon Horman wrote: > On Thu, May 03, 2018 at 10:01:40PM +0300, Julian Anastasov wrote: > > Connections in One-packet scheduling mode (-o, --ops) are > > removed with refcnt=0 because they are not hashed in conn table. > > To avoid refcount_dec reporting

Re: [PATCH net] ipvs: fix refcount usage for conns in ops mode

2018-05-08 Thread Pablo Neira Ayuso
On Mon, May 07, 2018 at 01:18:53PM +0200, Simon Horman wrote: > On Mon, May 07, 2018 at 01:17:40PM +0200, Simon Horman wrote: > > On Thu, May 03, 2018 at 10:01:40PM +0300, Julian Anastasov wrote: > > > Connections in One-packet scheduling mode (-o, --ops) are > > > removed with refcnt=0 because

Re: [PATCH net] ipvs: fix stats update from local clients

2018-05-08 Thread Pablo Neira Ayuso
On Mon, May 07, 2018 at 01:18:26PM +0200, Simon Horman wrote: > On Thu, May 03, 2018 at 10:02:18PM +0300, Julian Anastasov wrote: > > Local clients are not properly synchronized on 32-bit CPUs when > > updating stats (3.10+). Now it is possible estimation_timer (timer), > > a stats reader, to

Re: [PATCH nf] netfilter: core: add missing __rcu annotation

2018-05-08 Thread Pablo Neira Ayuso
On Fri, May 04, 2018 at 06:16:06PM +0200, Florian Westphal wrote: > removes following sparse error: > net/netfilter/core.c:598:30: warning: incorrect type in argument 1 (different > address spaces) > net/netfilter/core.c:598:30:expected struct nf_hook_entries **e >

Re: [PATCH nf] netfilter: x_tables: add module alias for icmp matches

2018-05-08 Thread Pablo Neira Ayuso
On Sun, May 06, 2018 at 12:46:16AM +0200, Florian Westphal wrote: > The icmp matches are implemented in ip_tables and ip6_tables, > respectively, so for normal iptables they are always available: > those modules are loaded once iptables calls getsockopt() to fetch > available module revisions. >

Re: [PATCH nf] netfilter: prefer nla_strlcpy for dealing with NLA_STRING attributes

2018-05-08 Thread Pablo Neira Ayuso
On Sun, May 06, 2018 at 12:45:43AM +0200, Florian Westphal wrote: > fixes these warnings: > 'nfnl_cthelper_create' at net/netfilter/nfnetlink_cthelper.c:237:2, > 'nfnl_cthelper_new' at net/netfilter/nfnetlink_cthelper.c:450:9: > ./include/linux/string.h:246:9: warning: '__builtin_strncpy'

Re: [PATCH nf 0/2] netfilter: nft_compat: prepare for indirect info storage

2018-05-08 Thread Pablo Neira Ayuso
On Mon, May 07, 2018 at 03:22:34PM +0200, Florian Westphal wrote: > These two patches fix handling of large xtables matches from nft_compat. > > First patch just separates the match handling functions to not assume > matchinfo is stored in expr private area. > > Second patch is the actual fix.

[PATCH 2/2 nft] tests: shell: add size to meters

2018-05-08 Thread Pablo Neira Ayuso
Otherwise, 65535 is used and testsuite reports dump mismatch. Signed-off-by: Pablo Neira Ayuso --- tests/shell/testcases/sets/0022type_selective_flush_0 | 2 +- tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft | 2 +- 2 files changed, 2

[PATCH nf] netfilter: nf_tables: bogus EBUSY in chain deletions

2018-05-08 Thread Pablo Neira Ayuso
When removing a rule that jumps to chain and such chain in the same batch, this bogusly hits EBUSY. Add activate and deactivate operations to expression that can be called from the preparation and the commit/abort phases. Signed-off-by: Pablo Neira Ayuso ---

[nft PATCH v3 06/14] libnftables: Implement JSON output support

2018-05-08 Thread Phil Sutter
Although technically there already is support for JSON output via 'nft export json' command, it is hardly useable since it exports all the gory details of nftables VM. Also, libnftables has no control over what is exported since the content comes directly from libnftnl. Instead, implement JSON

[nft PATCH v3 05/14] libnftables: Introduce a few helper functions

2018-05-08 Thread Phil Sutter
This adds a bunch of functions for conversion of different values into string (and vice-versa). * log_level_parse(): A simple helper to turn log level string representation into log level value. * nat_etype2str(): Translate nat statement type into string

[nft PATCH v3 04/14] libnftables: Make some functions globally accessible

2018-05-08 Thread Phil Sutter
This removes static flag and adds header prototype for the following functions: * must_print_eq_op() from src/expression.c * fib_result_str() from src/fib.c * set_policy2str() and chain_policy2str from src/rule.c In fib.h, include linux/netfilter/nf_tables.h to make sure enum nft_fib_result is

[nft PATCH v3 10/14] tests/py: Reduce indenting level in nft-test.py

2018-05-08 Thread Phil Sutter
Signed-off-by: Phil Sutter --- tests/py/nft-test.py | 126 ++- 1 file changed, 65 insertions(+), 61 deletions(-) diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py index d4b22817d7665..f4ddc91b39291 100755 --- a/tests/py/nft-test.py +++

[nft PATCH v3 12/14] tests/py: Don't read expected payload for each table

2018-05-08 Thread Phil Sutter
When testing rule adding to different table families, expected payload was read for each tested family again. Instead, read it just once and just try to read a family-specific payload for each tested family. Signed-off-by: Phil Sutter --- tests/py/nft-test.py | 22

[nft PATCH v3 03/14] libnftables: Make some arrays globally accessible

2018-05-08 Thread Phil Sutter
This removes static flag and adds declarations in headers for the following arrays: * ct_templates from src/ct.c * mark_tbl from src/datatype.c * meta_templates and devgroup_tbl from src/meta.c * table_flags_name from src/rule.c * set_stmt_op_names from src/statement.c * tcpopthdr_protocols from

[nft PATCH v3 01/14] include/linux: Add required NFT_CT_MAX macro

2018-05-08 Thread Phil Sutter
This should be dropped for a real UAPI header update. Signed-off-by: Phil Sutter --- include/linux/netfilter/nf_tables.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h index

[nft PATCH v3 13/14] tests/py: Highlight offending parts in differences warnings

2018-05-08 Thread Phil Sutter
Print the non-equal parts of the two rules in yellow when printing the differences warning. Signed-off-by: Phil Sutter --- tests/py/nft-test.py | 35 ++- 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/tests/py/nft-test.py

[nft PATCH v3 00/14] libnftables: JSON support

2018-05-08 Thread Phil Sutter
This series adds JSON input and output support to libnftables via libjansson. The first five patches prepare the existing code for the actual implementation which follows in patches 6 and 7. Patches 8 and 9 extend the simple Nftables Python class in py/nftables.py. The remaining ones deal with

[nft PATCH v3 09/14] py: Add JSON support to nftables Class

2018-05-08 Thread Phil Sutter
Signed-off-by: Phil Sutter --- py/nftables.py | 45 - 1 file changed, 44 insertions(+), 1 deletion(-) diff --git a/py/nftables.py b/py/nftables.py index eb81f5b2fdb9c..47ff14afc9741 100644 --- a/py/nftables.py +++ b/py/nftables.py @@

[nft PATCH v3 08/14] py: Add getter/setter for echo output option

2018-05-08 Thread Phil Sutter
Signed-off-by: Phil Sutter --- py/nftables.py | 25 + 1 file changed, 25 insertions(+) diff --git a/py/nftables.py b/py/nftables.py index c175975076982..eb81f5b2fdb9c 100644 --- a/py/nftables.py +++ b/py/nftables.py @@ -47,6 +47,13 @@ class Nftables:

[PATCH xtables-compat] xtables-compat-restore: flush table and its content with no -n

2018-05-08 Thread Pablo Neira Ayuso
With no -n, semantics for *filter are to delete filter table and all its content. This restores the similar behaviour introduced in ca165845f7ec ("xtables-compat-restore: flush rules and delete user-defined chains"). Signed-off-by: Pablo Neira Ayuso --- iptables/nft.c |

[PATCH nf-next] netfilter: fix fallout from xt/nf osf separation

2018-05-08 Thread Florian Westphal
Stephen Rothwell says: today's linux-next build (x86_64 allmodconfig) produced this warning: ./usr/include/linux/netfilter/nf_osf.h:25: found __[us]{8,16,32,64} type without #include Fix that up and also move kernel-private struct out of uapi (it was not exposed in any released kernel

Re: linux-next: build warning after merge of the netfilter-next tree

2018-05-08 Thread Florian Westphal
Stephen Rothwell wrote: > On Mon, 7 May 2018 10:55:19 +1000 Stephen Rothwell > wrote: > > > > After merging the netfilter-next tree, today's linux-next build (x86_64 > > allmodconfig) produced this warning: > > > >