info!!

2018-07-10 Thread Lee Morrow
Top of the day to you, this is in respect of a very beneficial transaction which you would not want to let go reply for more details, Regards, Lee -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo

[PATCH nft] tests: shell: add tests for listing objects

2018-07-10 Thread Harsha Sharma
Add tests for listing specific object for a given table name and all objects of a table. Signed-off-by: Harsha Sharma --- tests/shell/testcases/listing/0013objects_0 | 33 + tests/shell/testcases/listing/0014objects_0 | 24 + 2 files changed, 57

[PATCH V2 nf 3/3] netfilter: nf_tables: add default set size

2018-07-10 Thread Taehee Yoo
In order to restrict the element number of each set, member ->size is used. That used to be given by user-space. If user-space doesn't specify ->size, the number of elements is unlimited, so that an overflow can occur. After this patch, if user-space doesn't specify ->size, 65535 is set. All types of set have

[PATCH V2 nf 2/3] netfilter: nft_set_rbtree: fix panic when destroying set by GC

2018-07-10 Thread Taehee Yoo
This patch fixes the below. 1. Check null pointer of rb_next. rb_next can return null, so a null check routine should be added. 2. Add rcu_barrier in the destroy routine. GC uses call_rcu to remove elements, but all elements should be removed before destroying set and chains, so that rcu_barrier is

[PATCH V2 nf 1/3] netfilter: nft_set_hash: add rcu_barrier() in the nft_rhash_destroy()

2018-07-10 Thread Taehee Yoo
GC of a set uses call_rcu() to destroy elements, so that elements would be destroyed after destroying sets and chains. But elements should be destroyed before destroying sets and chains. In order to wait for the call_rcu() callbacks, an rcu_barrier() is added. In order to test correctly, the below patch should

[PATCH V2 nf 0/3] netfilter: nf_tables: fix set destroying bugs

2018-07-10 Thread Taehee Yoo
This patch series fixes nft_set_hash and nft_set_rbtree bugs. The first patch adds rcu_barrier in nft_rhash_destroy() to wait for completion of call_rcu by GC. The second patch fixes bugs in nft_set_rbtree.c: add null check routine; add rcu_barrier in destroy routine. The last patch adds default

[PATCH v2 nf-next] netfilter: Kconfig: Change select dependencies from IPV6 to NF_TABLES_IPV6 and IP6_NF_IPTABLES

2018-07-10 Thread Máté Eckl
In some cases module selects depend on IPV6, but this means that they select another module even if, e.g., NF_TABLES_IPV6 is not set, in which case the selected module is useless due to the lack of IPv6 nf_tables functionality. The same applies for IP6_NF_IPTABLES and iptables. Joint work with: Arnd

Re: [PATCH v2 nf-next] netfilter: Add native tproxy support for nf_tables

2018-07-10 Thread Florian Westphal
Pablo Neira Ayuso wrote: > Florian, do you think it's worth placing this somewhere at > netfilter.org? No idea, but I wouldn't mind placing/moving this thing to nf.org.

Re: [PATCH v2 nf-next] netfilter: Add native tproxy support for nf_tables

2018-07-10 Thread Pablo Neira Ayuso
On Tue, Jul 10, 2018 at 01:41:31PM +0200, Máté Eckl wrote: > On Tue, Jul 10, 2018 at 01:26:41PM +0200, Pablo Neira Ayuso wrote: > > On Tue, Jul 10, 2018 at 01:19:21PM +0200, Máté Eckl wrote: [...] > > > I planned to add this to Documentation/networking/tproxy.txt. Should I do > > > it in > > >

Re: [PATCH v2] netfilter: nf_conntrack: resolve clash for matching conntracks

2018-07-10 Thread Martynas Pumputis
On 10 July 2018 at 13:37, Pablo Neira Ayuso wrote: > On Mon, Jul 02, 2018 at 04:52:14PM +0200, Martynas Pumputis wrote: >> This patch enables the clash resolution for NAT (disabled in >> "590b52e10d41") if clashing conntracks match (i.e. both tuples are equal) >> and a protocol allows it. >> >>

Re: [PATCH v2 nf-next] netfilter: Add native tproxy support for nf_tables

2018-07-10 Thread Máté Eckl
On Tue, Jul 10, 2018 at 01:26:41PM +0200, Pablo Neira Ayuso wrote: > On Tue, Jul 10, 2018 at 01:19:21PM +0200, Máté Eckl wrote: > > On Tue, Jul 10, 2018 at 12:54:24PM +0200, Pablo Neira Ayuso wrote: > > [...] > > > > > Please, could you describe how you have tested the nft tproxy > > > > >

Re: [PATCH v2] netfilter: nf_conntrack: resolve clash for matching conntracks

2018-07-10 Thread Pablo Neira Ayuso
On Mon, Jul 02, 2018 at 04:52:14PM +0200, Martynas Pumputis wrote: > This patch enables the clash resolution for NAT (disabled in > "590b52e10d41") if clashing conntracks match (i.e. both tuples are equal) > and a protocol allows it. > > The clash might happen for a connections-less protocol

Re: [PATCH v2] netfilter: nf_conntrack: resolve clash for matching conntracks

2018-07-10 Thread Pablo Neira Ayuso
On Tue, Jul 10, 2018 at 01:23:01PM +0200, Florian Westphal wrote: > Pablo Neira Ayuso wrote: > > I see, so this is just solving the conflict for a specific usecase > > with NAT in place, ie. get_unique_tuple() returns same tuple... > > > > But how so? With NAT in place, the packet losing race

Re: [PATCH v2] netfilter: nf_conntrack: resolve clash for matching conntracks

2018-07-10 Thread Martynas Pumputis
On 10 July 2018 at 13:23, Florian Westphal wrote: > Pablo Neira Ayuso wrote: >> I see, so this is just solving the conflict for a specific usecase >> with NAT in place, ie. get_unique_tuple() returns same tuple... >> >> But how so? With NAT in place, the packet losing race will eventually >> get

Re: [PATCH v2 nf-next] netfilter: Add native tproxy support for nf_tables

2018-07-10 Thread Pablo Neira Ayuso
On Tue, Jul 10, 2018 at 01:19:21PM +0200, Máté Eckl wrote: > On Tue, Jul 10, 2018 at 12:54:24PM +0200, Pablo Neira Ayuso wrote: > [...] > > > > Please, could you describe how you have tested the nft tproxy > > > > datapath? Did you run any example configuration to make sure things > > > > are

Re: [PATCH v2] netfilter: nf_conntrack: resolve clash for matching conntracks

2018-07-10 Thread Florian Westphal
Pablo Neira Ayuso wrote: > I see, so this is just solving the conflict for a specific usecase > with NAT in place, ie. get_unique_tuple() returns same tuple... > > But how so? With NAT in place, the packet losing race will eventually > get a different tuple, given the tuple that the first packet

Re: [PATCH v2 nf-next] netfilter: Add native tproxy support for nf_tables

2018-07-10 Thread Máté Eckl
On Tue, Jul 10, 2018 at 12:54:24PM +0200, Pablo Neira Ayuso wrote: [...] > > > Please, could you describe how you have tested the nft tproxy > > > datapath? Did you run any example configuration to make sure things > > > are working? If so, please slightly describe. > > > > > > Thanks. > > > > I

Re: [PATCH v2] netfilter: nf_conntrack: resolve clash for matching conntracks

2018-07-10 Thread Pablo Neira Ayuso
On Mon, Jul 09, 2018 at 08:42:17PM +0200, Martynas Pumputis wrote: > On 9 July 2018 at 20:12, Pablo Neira Ayuso wrote: [...] > >> The idea of this patch is to resolve the conflict only among packets > >> with the same mangling (= with matching tuples). The mangling happens > >> before the

Re: [PATCH v4 nft] Set/print standard chain prios with textual names

2018-07-10 Thread Pablo Neira Ayuso
On Tue, Jul 10, 2018 at 12:52:25PM +0200, Máté Eckl wrote: [...] > Destination nat (dnat/dstnat) is a well-known expression among sysadmins and > netadmins so I think this is better than prenat which just seems to be a new > word for the same thing. ack.

Re: [PATCH v2 nf-next] netfilter: Add native tproxy support for nf_tables

2018-07-10 Thread Pablo Neira Ayuso
On Tue, Jul 10, 2018 at 12:39:54PM +0200, Máté Eckl wrote: > On Mon, Jul 09, 2018 at 05:40:38PM +0200, Pablo Neira Ayuso wrote: > > Hi Máté, > > > > On Thu, Jun 28, 2018 at 06:42:58PM +0200, Máté Eckl wrote: > > > v2: > > > - address or port is now compulsory > > > - nf_defrag_ipv{4,6}_enable

Re: [PATCH v4 nft] Set/print standard chain prios with textual names

2018-07-10 Thread Máté Eckl
On Tue, Jul 10, 2018 at 12:10:22PM +0200, Pablo Neira Ayuso wrote: > Hi, > > On Mon, Jul 09, 2018 at 04:44:53PM +0200, Máté Eckl wrote: > [...] > > Example: > > nft> add table ip x > > nft> add chain ip x y { type filter hook prerouting priority raw; } > > nft> add chain ip x z { type filter hook

Re: [PATCH v2 nf-next] netfilter: Add native tproxy support for nf_tables

2018-07-10 Thread Máté Eckl
On Mon, Jul 09, 2018 at 05:40:38PM +0200, Pablo Neira Ayuso wrote: > Hi Máté, > > On Thu, Jun 28, 2018 at 06:42:58PM +0200, Máté Eckl wrote: > > v2: > > - address or port is now compulsory > > - nf_defrag_ipv{4,6}_enable called in init > > - nft_tproxy now selects NF_DEFRAG_IPV4/6 > > - Add

Re: [PATCH] rule: obj: list only the table containing object

2018-07-10 Thread Pablo Neira Ayuso
On Sun, Jul 08, 2018 at 12:41:03PM +0200, Harsha Sharma wrote: > For e.g. > > %nft list ct helper ip raw cthelp1 > table ip filter { > } > table ip raw { > ct helper cthelp1 { > type "ftp" protocol tcp > l3proto ip > } > } > With this patch, print only

Re: [PATCH nf-next v6] netfilter: nft_ct: add ct timeout support

2018-07-10 Thread Pablo Neira Ayuso
On Fri, Jul 06, 2018 at 01:47:58AM +0200, Harsha Sharma wrote: > This patch allows to add, list and delete connection tracking timeout > policies via nft objref infrastructure and assigning these timeout > via nft rule. > > Ruleset: > > table ip raw { >ct timeout cttime { >protocol

Re: [PATCH] iptables: tests: add test for iptables-save and iptables-restore

2018-07-10 Thread Pablo Neira Ayuso
On Mon, Jul 09, 2018 at 01:07:59PM +0530, Arushi Singhal wrote: > Add test for testing if iptables configuration is restored and saved. Applied, thanks. BTW, I think it may be a good idea to move these tools to the root directory, instead of using the iptables folder. I can just make it here if

Re: [PATCH v4 nft] Set/print standard chain prios with textual names

2018-07-10 Thread Pablo Neira Ayuso
Hi, On Mon, Jul 09, 2018 at 04:44:53PM +0200, Máté Eckl wrote: [...] > Example: > nft> add table ip x > nft> add chain ip x y { type filter hook prerouting priority raw; } > nft> add chain ip x z { type filter hook prerouting priority mangle + 1; } Nice stuff. > nft> add chain ip x w { type

Re: [ANNOUNCE] iptables 1.8.0 release

2018-07-10 Thread Florian Westphal
Jan Engelhardt wrote: > >nf_tables commandline tools: > >ip6tables-nft-save ip6tables-nft-restore ip6tables-nft > >iptables-nft-save iptables-nft-restore iptables-nft > > With the distro hat on, I found that the "arptables" and "ebtables" > programs in iptables.git could perhaps be named

Re: [ANNOUNCE] iptables 1.8.0 release

2018-07-10 Thread Jan Engelhardt
On Friday 2018-07-06 11:32, Florian Westphal wrote: >iptables 1.8 > >This release introduces a more prominent distinction between the >'classic' iptables and 'new' iptables front-end that internally uses the >nf_tables API to talk to the kernel. > >legacy commandline tools:

Re: [PATCH nf 0/4] netfilter: nf_tables: fix set destroying bugs

2018-07-10 Thread Taehee Yoo
2018-07-09 22:56 GMT+09:00 Pablo Neira Ayuso: > On Sun, Jul 01, 2018 at 08:43:16PM +0900, Taehee Yoo wrote: >> This patch series fixes nft_set_hash and nft_set_rbtree bugs. >> >> First patch adds nft_rhash_iterate_destroy(). >> it walks and destroys all elements. >> >> Second patch adds

Re: [PATCH nf 3/4] netfilter: nft_set_rbtree: fix panic when destroying set by GC

2018-07-10 Thread Taehee Yoo
2018-07-09 22:48 GMT+09:00 Pablo Neira Ayuso: > On Tue, Jul 03, 2018 at 11:40:06PM +0900, Taehee Yoo wrote: >> 2018-07-03 19:20 GMT+09:00 Pablo Neira Ayuso: >> > On Sun, Jul 01, 2018 at 08:44:52PM +0900, Taehee Yoo wrote: >> >> This patch fixes below. >> >> 1. check null pointer of rb_next. >>

Re: [PATCH] netfilter: NFT_SOCKET don't use NF_SOCKET_IPV6 without NF_TABLES_IPV6

2018-07-10 Thread Máté Eckl
On Mon, Jul 09, 2018 at 11:35:09PM +0200, Arnd Bergmann wrote: > It is now possible to build the nft_socket module as built-in when > NF_TABLES_IPV6 is disabled, and have NF_SOCKET_IPV6=m set manually. > > In this case, the NF_SOCKET_IPV6 functionality will be useless according > to the