Re: [PATCH 0/8] Netfilter updates for net-next

2018-08-10 Thread David Miller
From: Pablo Neira Ayuso Date: Fri, 10 Aug 2018 13:16:14 +0200 > The following batch contains netfilter updates for your net-next tree: > > 1) Expose NFT_OSF_MAXGENRELEN maximum OS name length from the new OS >passive fingerprint matching extension, from Fernando Fernandez. > > 2) Add extens

[PATCH nf-next] netfilter: nft_ct: make l3 protocol field optional for timeout object

2018-08-10 Thread Harsha Sharma
If the l3 protocol value is not specified for a ct timeout object, use the value from the nft_ctx protocol family. Signed-off-by: Harsha Sharma --- net/netfilter/nft_ct.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c index 4

Re: [PATCH 3/3 nft] src: osf: import nfnl_osf.c to load osf fingerprints

2018-08-10 Thread Fernando Fernandez Mancera
I think we should place osf_init in nfnl_osf.h so this way we don't need to include osf.h in rule.c. If you agree I will send another patchset iteration. Thanks. On 10 August 2018 15:02:00 CEST, Fernando Fernandez Mancera wrote: >Import iptables/utils/nfnl_osf.c into nftables tree wit

[iptables PATCH 0/3] libxt vs libebt fixes

2018-08-10 Thread Phil Sutter
This series fixes a nasty bug in ebtables-nft in patch 1. Patches 2 and 3 are cleanups in the same area. Phil Sutter (3): xtables: Use native nftables limit expression ebtables: Merge libebt_limit.c into libxt_limit.c arptables: Drop extensions/libxt_mangle.c extensions/libebt_limit.c

[iptables PATCH 3/3] arptables: Drop extensions/libxt_mangle.c

2018-08-10 Thread Phil Sutter
This was merely an outdated duplicate of extensions/libarpt_mangle.c. Signed-off-by: Phil Sutter --- extensions/libxt_mangle.c | 396 -- 1 file changed, 396 deletions(-) delete mode 100644 extensions/libxt_mangle.c diff --git a/extensions/libxt_mangle.c b/ex

[iptables PATCH 1/3] xtables: Use native nftables limit expression

2018-08-10 Thread Phil Sutter
The original issue was that for a rule with limit match added by ebtables-nft, the kernel might attempt to use xt_limit instead of ebt_limit (and fail due to that). This happens if xt_limit.ko is loaded but ebt_limit.ko is not, because the kernel prefers the family-independent variants. There are

[iptables PATCH 2/3] ebtables: Merge libebt_limit.c into libxt_limit.c

2018-08-10 Thread Phil Sutter
Both extensions were very similar already, but now that they both are translated into native nftables code, their actual difference (i.e. match size) doesn't matter anymore. This change comes with one caveat: Since ebtables limit match is not in its own file anymore, match preloading automatically

[PATCH libnftnl v6 3/3] examples: Add test for assigning timeout objects via rule

2018-08-10 Thread Harsha Sharma
Usage: ./nft-rule-ct-timeout-add ip filter input some-name ./nft-rule-get ip filter ip filter input 4 [ objref type 7 name some-name ] nft list ruleset ... chain input { ct timeout set "some-name" } Signed-off-by: Harsha Sharma --- Changes in v6: - No changes Changes in v5: - No chan

[PATCH libnftnl v6 2/3] examples: add nft-ct-timeout-{add,del,get}

2018-08-10 Thread Harsha Sharma
Add, list and delete ct timeout objects from the specified table. Usage e.g.: % ./nft-ct-timeout-add ip filter some-name tcp % ./nft-ct-timeout-get ip filter table filter name some-name use 0 [ ct_timeout family 2 protocol 6 policy = {ESTABLISHED = 111,CLOSE_WAIT = 14, CLOSE = 16}] % ./nft-ct-timeout-

[PATCH libnftnl v6 1/3] src: add ct timeout support

2018-08-10 Thread Harsha Sharma
Add support for ct timeout objects, used to assign connection tracking timeout policies. Signed-off-by: Harsha Sharma --- Changes in v6: - Remove includes from header file which are not required - other minor changes Changes in v5: - Remove nftnl_timeout_policy_attr_set_u32 - remove NFTNL_OBJ

Re: url filtering with netfilter

2018-08-10 Thread Oleg
On Fri, Aug 10, 2018 at 02:01:25PM +0200, Pablo Neira Ayuso wrote: > On Thu, Aug 02, 2018 at 10:44:14PM +0300, Oleg wrote: > > On Thu, Aug 02, 2018 at 06:44:26PM +0430, Saber Rezvani wrote: > > IMHO, this can be more easily implemented with help from userspace. > > This can be an nfq-based program (something

[PATCH 3/3 nft] src: osf: import nfnl_osf.c to load osf fingerprints

2018-08-10 Thread Fernando Fernandez Mancera
Import iptables/utils/nfnl_osf.c into nftables tree with some changes in order to load OS fingerprints automatically from pf.os file. Signed-off-by: Fernando Fernandez Mancera --- include/linux/netfilter/nfnetlink_osf.h | 119 +++ include/nfnl_osf.h | 6 + include/osf.

[PATCH 2/3 nft] src: mnl: make nft_mnl_talk() public

2018-08-10 Thread Fernando Fernandez Mancera
As we are going to use the function nft_mnl_talk() from the incoming nftnl_osf.c, we make it public. Signed-off-by: Fernando Fernandez Mancera --- include/mnl.h | 4 src/mnl.c | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/include/mnl.h b/include/mnl.h index cb131

[PATCH 1/3 nft] files: osf: copy iptables/utils/pf.os into nftables tree

2018-08-10 Thread Fernando Fernandez Mancera
As we are going to need pf.os file to load OS fingerprints from the incoming nfnl_osf.c, we copy it into the nftables tree directory "files/osf/". Signed-off-by: Fernando Fernandez Mancera --- files/osf/pf.os | 709 1 file changed, 709 insertions(

Re: url filtering with netfilter

2018-08-10 Thread Pablo Neira Ayuso
On Thu, Aug 02, 2018 at 10:44:14PM +0300, Oleg wrote: > On Thu, Aug 02, 2018 at 06:44:26PM +0430, Saber Rezvani wrote: > > Dear all, > > > > > > Some of my friends and I have decided to work on Linux community, and > > add a new feature to the networking subsystem. We have concluded that > > UR

Re: [PATCH libnftnl v5 1/3] src: add ct timeout support

2018-08-10 Thread Pablo Neira Ayuso
Hi Harsha, This looks mostly good, a few comments, see below. On Fri, Aug 10, 2018 at 01:02:16AM +0530, Harsha Sharma wrote: [...] > diff --git a/include/libnftnl/Makefile.am b/include/libnftnl/Makefile.am > index d846a57..a94f414 100644 > --- a/include/libnftnl/Makefile.am > +++ b/include/libnft

[PATCH 0/8] Netfilter updates for net-next

2018-08-10 Thread Pablo Neira Ayuso
Hi David, The following batch contains netfilter updates for your net-next tree: 1) Expose NFT_OSF_MAXGENRELEN maximum OS name length from the new OS passive fingerprint matching extension, from Fernando Fernandez. 2) Add extension to support fine-grained conntrack timeout policies, from

[PATCH 2/8] netfilter: cttimeout: move ctnl_untimeout to nf_conntrack

2018-08-10 Thread Pablo Neira Ayuso
From: Harsha Sharma As ctnl_untimeout is required by nft_ct, move ctnl_timeout from nfnetlink_cttimeout to nf_conntrack_timeout and rename it nf_ct_timeout. Signed-off-by: Harsha Sharma Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_conntrack_timeout.h | 1 + net/netfilter

[PATCH 1/8] netfilter: nft_osf: use NFT_OSF_MAXGENRELEN instead of IFNAMSIZ

2018-08-10 Thread Pablo Neira Ayuso
From: Fernando Fernandez Mancera As no "genre" in pf.os exceeds 16 bytes in length, we reduce the NFT_OSF_MAXGENRELEN parameter to 16 bytes and use it instead of IFNAMSIZ. Signed-off-by: Fernando Fernandez Mancera Signed-off-by: Pablo Neira Ayuso --- include/uapi/linux/netfilter/nf_tables.h | 1 +

[PATCH 3/8] netfilter: cttimeout: decouple timeout policy from nfnetlink_cttimeout object

2018-08-10 Thread Pablo Neira Ayuso
The timeout policy is currently embedded in the nfnetlink_cttimeout object; move the policy into an independent object. This allows us to reuse part of the existing conntrack timeout extension from nf_tables without adding dependencies on the nfnetlink_cttimeout object layout. Signed-off-by: P

[PATCH 6/8] netfilter: nft_ct: enable conntrack for helpers

2018-08-10 Thread Pablo Neira Ayuso
Enable conntrack if the user defines a helper to be used from the ruleset policy. Fixes: 1a64edf54f55 ("netfilter: nft_ct: add helper set support") Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nft_ct.c | 14 ++ 1 file changed, 14 insertions(+) diff --git a/net/netfilter/nft_ct

[PATCH 7/8] netfilter: nfnetlink_osf: add missing enum in nfnetlink_osf uapi header

2018-08-10 Thread Pablo Neira Ayuso
From: Fernando Fernandez Mancera xt_osf_window_size_options was originally part of include/uapi/linux/netfilter/xt_osf.h, restore it. Fixes: bfb15f2a95cb ("netfilter: extract Passive OS fingerprint infrastructure from xt_osf") Signed-off-by: Fernando Fernandez Mancera Signed-off-by: Pablo Neir

[PATCH 4/8] netfilter: remove ifdef around cttimeout in struct nf_conntrack_l4proto

2018-08-10 Thread Pablo Neira Ayuso
Simplify this: include it unconditionally in this structure layout as we do with ctnetlink. Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_conntrack_l4proto.h | 2 -- 1 file changed, 2 deletions(-) diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter

[PATCH 5/8] netfilter: nft_ct: add ct timeout support

2018-08-10 Thread Pablo Neira Ayuso
From: Harsha Sharma This patch allows adding, listing and deleting connection tracking timeout policies via the nft objref infrastructure and assigning these timeouts via an nft rule. %./libnftnl/examples/nft-ct-timeout-add ip raw cttime tcp Ruleset: table ip raw { ct timeout cttime { protocol tc
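As an added illustration of the feature this patch introduces (it is not the patch's own text, nor the nft project's documentation), here is the shape of a complete ruleset in nft syntax that declares a ct timeout object and assigns it to new TCP flows. The table, object and chain names, the port match and the timeout values are assumed; any realistic deployment would tune them.

```nft
# Added example (not from the patch). A ct timeout object carries a
# per-state timeout policy for one L4 protocol; states not listed keep
# the kernel defaults (e.g. nf_conntrack_tcp_timeout_established).
table ip raw {
	ct timeout cttime {
		protocol tcp
		l3proto ip
		policy = { established: 120, close_wait: 14, close: 16 }
	}

	chain prerouting {
		# Priority -300 (raw) runs before conntrack creates the entry,
		# so "ct timeout set" is applied to the conntrack template and
		# the new connection inherits the policy from its first packet.
		type filter hook prerouting priority -300; policy accept;
		tcp dport 22 ct timeout set "cttime"
	}
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`; an established flow matching the rule should then show a remaining timeout of at most 120 seconds in `conntrack -L` output, instead of the much larger default. The object name must be quoted in the `ct timeout set` expression, and because the assignment happens on the template the rule has no effect on connections that already existed when it was added.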

[PATCH 8/8] netfilter: nfnetlink_osf: fix using plain integer as NULL warning

2018-08-10 Thread Pablo Neira Ayuso
From: Wei Yongjun Fixes the following sparse warning: net/netfilter/nfnetlink_osf.c:274:24: warning: Using plain integer as NULL pointer Signed-off-by: Wei Yongjun Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nfnetlink_osf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff

[PATCH nf-next] doc: net: Add nf_tables part in tproxy.txt

2018-08-10 Thread Máté Eckl
Recently, transparent proxy support has been added to nf_tables, so this document should be updated with the new information. - Nft commands are added as alternatives to iptables ones. - The link for a patched iptables is removed as it is already part of the mainline iptables implementation

Re: [iptables PATCH] ebtables: Remove flags misinterpretations

2018-08-10 Thread Florian Westphal
Phil Sutter wrote: > This is actually quite a mess: xtables-eb.c defines names for bits in > 'flags' variable of do_commandeb(), though these tend to clash with bit > names defined in xshared.h due to the same 'OPT_' prefix. Therefore > checking for bits OPT_NUMERIC and OPT_VERBOSE is syntacticall

[iptables PATCH] ebtables: Remove flags misinterpretations

2018-08-10 Thread Phil Sutter
This is actually quite a mess: xtables-eb.c defines names for bits in 'flags' variable of do_commandeb(), though these tend to clash with bit names defined in xshared.h due to the same 'OPT_' prefix. Therefore checking for bits OPT_NUMERIC and OPT_VERBOSE is syntactically correct, but semantically

Re: Creating custom ipsets

2018-08-10 Thread Akshat Kakkar
Thanks for the info. Probably then, if I want to do development, it's better that I do it for nftables. It would give more fruitful results! Thanks once again.

Re: Creating custom ipsets

2018-08-10 Thread Jozsef Kadlecsik
On Fri, 10 Aug 2018, Akshat Kakkar wrote: > > No, that's a totally wrong way. ipset is independent from > > iptables/ip6tables: you cannot refer to a match/target/chain from > > ipset. It also makes no sense to reimplement those in ipset. > > Yes. That's obvious that iptables need to do decision