Ah, yes, the (2**64 - 1) + 1 problem.
The fact max allowed remaining is (2**64 - 2) is perhaps surprising...
should we clamp? or warn?
userspace has:
if (cb->entry->id == O_REMAIN) info->remain++;
should this error out in userspace if we end up at zero?
+-m quota --quota 18446744073709551615
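Review bot: the quota value on this test line, 18446744073709551615, is 2**64 - 1, while the reply above notes that the maximum allowed remaining value is 2**64 - 2 and asks whether to clamp or warn; the test should state the expected result at that boundary (accepted, clamped, or rejected with an error) rather than leave the edge case unspecified.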
From: Chenbo Feng
Introduces some iptables tests for the new --remain option in xt_quota
module. Add a brief description for how to use the --remain option in
the iptables-extension man page.
Signed-off-by: Chenbo Feng
---
extensions/libxt_quota.man | 4
extensions/libxt_quota.t | 11
Zero pad private area, otherwise we expose private kernel pointer to
userspace. This patch also zeroes the tail area after the ->matchsize and
->targetsize that results from XT_ALIGN().
Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
Signed-off-by: Pablo Neira
Structure layout is different, therefore a new struct xt_option_entry is
needed.
Fixes: f9efc8cb79c0 ("extensions: add cgroup revision 2")
Signed-off-by: Pablo Neira Ayuso
---
extensions/libxt_cgroup.c | 20 +++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git
Pedretti Fabio wrote:
> Hi, I tried iptables 1.8 with the new nf_tables back-end using the
> Debian 1.8.0-1~exp1 package with my firewall script.
>
> It seems to properly load most rules, however I am getting an error
> when negating an interface and using protocol ports, which works fine
> with
Hi, I tried iptables 1.8 with the new nf_tables back-end using the
Debian 1.8.0-1~exp1 package with my firewall script.
It seems to properly load most rules, however I am getting an error
when negating an interface and using protocol ports, which works fine
with classic iptables.
Specifically
On Tue, 9 Oct 2018 at 08:19, Pablo Neira Ayuso wrote:
>
> Hi Taehee,
>
Hi Pablo,
Thank you for your review!
> I can reproduce it, so this is a bug :-). Still one question below:
>
> On Tue, Oct 02, 2018 at 02:17:14AM +0900, Taehee Yoo wrote:
> [...]
> > diff --git