Hi Jozsef,
Sorry for the slow answer.
So if one could guarantee that your library alone communicates to the
ip_set module in the kernel, then it makes sense to pass the indices at
listing and cache them. However that cannot be guaranteed.
It's indeed the main use case of this library. You
Use of payload expression to match against IPv6 nexthdr field does not
work if extension headers are present. A simple example for that is
matching for fragmented icmpv6 traffic. Instead, generate a 'meta
l4proto' expression which works even if extension headers are present.
For consistency,
Satish Patel reports a skb_warn_bad_offload() splat caused
by -j CHECKSUM rules:
-A POSTROUTING -p tcp -m tcp --sport 80 -j CHECKSUM
The CHECKSUM target has never worked with GSO skbs, and the above rule
makes no sense as kernel will handle checksum updates on transmit.
Unfortunately, there are
Hi Jozsef,
On Fri, 17 Aug 2018 22:47:56 +0200 (CEST)
Jozsef Kadlecsik wrote:
> Hi,
>
> On Fri, 17 Aug 2018, Stefano Brivio wrote:
>
> > There doesn't seem to be any reason to restrict MAC address
> > matching to source MAC addresses in set types bitmap:ipmac,
> > hash:ipmac and hash:mac. With
On Sat, Aug 18, 2018 at 12:00:59PM +1000, Duncan Roe wrote:
> Commit c8a0e8c90 added #include but that header
> needs
> the definition of IFNAMSIZ from
> Sample build failure:
>
> CC evaluate.lo
> In file included from ../include/linux/netfilter_bridge.h:10:0,
> from