Re: [PATCH nf-next v9] netfilter: nft_ct: add ct timeout support

2018-07-23 Thread Pablo Neira Ayuso
On Mon, Jul 23, 2018 at 11:13:39PM +0200, Harsha Sharma wrote: > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c > index c0fb2bcd30fe..3b98ceba002f 100644 > --- a/net/netfilter/nf_tables_api.c > +++ b/net/netfilter/nf_tables_api.c > @@ -7233,6 +7233,10 @@ static int

Re: [PATCH nf-next v2 2/2] netfilter: cttimeout: move ctnl_untimeout to nf_conntrack

2018-07-23 Thread Pablo Neira Ayuso
On Thu, Jul 19, 2018 at 02:12:27AM +0200, Harsha Sharma wrote: > diff --git a/include/net/netfilter/nf_conntrack_timeout.h > b/include/net/netfilter/nf_conntrack_timeout.h > index 80ceb3d0291d..edb3b5271ef5 100644 > --- a/include/net/netfilter/nf_conntrack_timeout.h > +++

[PATCH nf-next v9] netfilter: nft_ct: add ct timeout support

2018-07-23 Thread Harsha Sharma
This patch allows adding, listing and deleting connection tracking timeout policies via the nft objref infrastructure and assigning these timeouts via an nft rule. %./libnftnl/examples/nft-ct-timeout-add ip raw cttime tcp Ruleset: table ip raw { ct timeout cttime { protocol tcp established

Re: [PATCH 1/3 nf-next v2] netfilter: nf_osf: rename nf_osf.c to nfnetlink_osf.c

2018-07-23 Thread Jan Engelhardt
On Monday 2018-07-23 12:06, Pablo Neira Ayuso wrote: >On Fri, Jul 20, 2018 at 04:41:11PM +0200, Fernando Fernandez Mancera wrote: >> Rename nf_osf.c to nfnetlink_osf.c as we introduce nfnetlink_osf which is >> the OSF infrastructure. >> >> Signed-off-by: Fernando Fernandez Mancera >> --- >>

Re: [PATCH nf-next v8] netfilter: nft_ct: add ct timeout support

2018-07-23 Thread Pablo Neira Ayuso
On Fri, Jul 20, 2018 at 11:13:37PM +0200, Harsha Sharma wrote: > On Fri, Jul 20, 2018 at 3:21 PM, Pablo Neira Ayuso > wrote: > > On Thu, Jul 19, 2018 at 03:10:14PM +0200, Harsha Sharma wrote: > >> On Thu, Jul 19, 2018 at 2:33 AM, Pablo Neira Ayuso > >> wrote: > > [...] > >> >> diff --git

Re: [PATCH 3/3 nf-next v2] netfilter: nft_osf: implement Passive OS fingerprint module in nft_osf

2018-07-23 Thread Pablo Neira Ayuso
On Fri, Jul 20, 2018 at 04:41:13PM +0200, Fernando Fernandez Mancera wrote: > Add basic module functions into nft_osf.[ch] in order to implement OSF > module in nf_tables. > > Signed-off-by: Fernando Fernandez Mancera > --- > include/uapi/linux/netfilter/nf_tables.h | 10 ++ >

Re: [PATCH 2/3 nf-next v2] netfilter: nfnetlink_osf: extract nfnetlink_subsystem code from xt_osf.c

2018-07-23 Thread Pablo Neira Ayuso
On Fri, Jul 20, 2018 at 04:41:12PM +0200, Fernando Fernandez Mancera wrote: > Move nfnetlink osf subsystem from xt_osf.c to standalone module so we can > reuse it from the new nft_ost extension. > > Signed-off-by: Fernando Fernandez Mancera > --- > include/uapi/linux/netfilter/nfnetlink_osf.h |

Re: [PATCH 1/3 nf-next v2] netfilter: nf_osf: rename nf_osf.c to nfnetlink_osf.c

2018-07-23 Thread Pablo Neira Ayuso
On Fri, Jul 20, 2018 at 04:41:11PM +0200, Fernando Fernandez Mancera wrote: > Rename nf_osf.c to nfnetlink_osf.c as we introduce nfnetlink_osf which is > the OSF infrastructure. > > Signed-off-by: Fernando Fernandez Mancera > --- > .../linux/netfilter/{nf_osf.h => nfnetlink_osf.h} | 2 +- >

Re: [PATCH] libnetfilter_conntrack: bsf.c: fix verdict

2018-07-23 Thread Pablo Neira Ayuso
On Sat, Jul 21, 2018 at 01:55:00PM +0200, Florian Lehner wrote: > Hi, > > this patch fixes the check of the subsystem in bsf.c. > At the moment, NFCT_FILTER_ACCEPT is set, even if the comparison of the > subsystem and the expected subsystem returns false. Can you post your example code using the

Re: [PATCH v4 nf-next] netfilter: Add native tproxy support for nf_tables

2018-07-23 Thread Máté Eckl
On Fri, Jul 20, 2018 at 03:28:31PM +0200, Pablo Neira Ayuso wrote: > Hi Mate, > > A few cosmetic on the _init path, and one concern of probably missing > sanity check, also from the _init path see below. > > On Fri, Jul 20, 2018 at 09:34:14AM +0200, Máté Eckl wrote: > > A great portion of the