It is safe to place a flow that is coming from IPSec into the flowtable.
So decapsulated can benefit from the flowtable fastpath.
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Steffen Klassert
---
I'm recovering this patch, this enables faster flowtable forwarding from
ingress. Florian has
When interface is down, offload cleanup function(nf_flow_table_do_cleanup)
is called and that checks whether interface index of offload and
index of link down interface is same. But only interface index checking
is not enough because flowtable is not pernet list.
So that, if other netns's
parameter net of nf_flow_table_cleanup() is not used.
So that it can be removed.
Signed-off-by: Taehee Yoo
---
include/net/netfilter/nf_flow_table.h | 2 +-
net/netfilter/nf_flow_table_core.c| 2 +-
net/netfilter/nft_flow_offload.c | 2 +-
3 files changed, 3 insertions(+), 3
Those were forgotten when renaming meta secpath to meta ipsec.
Fixes: 8f55ed41d0070 ("src: rename meta secpath to meta ipsec")
Signed-off-by: Phil Sutter
---
tests/py/inet/meta.t.json| 8 +---
tests/py/inet/meta.t.json.output | 15 +++
2 files changed, 20 insertions(+),
Monitor output is supposed to be single lined without tabs, but ct
objects were printed with newlines and tabs hard-coded. Fixing this
wasn't too hard given that there is 'stmt_separator' to also include
semi-colons where required if newline was removed.
A more obvious mistake was position of
This series essentially moves nft monitor JSON output to libnftables (in
patch 7). Patch 8 enhances tests/monitor to get that tested as well (via
passing '-j' parameter to run-tests.sh). The leading six patches are
more or less prerequisites for the later ones.
Phil Sutter (8):
tests/py: Add
This switches 'nft monitor' JSON output from using libnftnl's to
libnftables' implementation.
Signed-off-by: Phil Sutter
---
include/json.h | 51 +
src/json.c | 57 ++
src/monitor.c | 281 +
src/rule.c | 2 -
4 files
Since libnftnl doesn't support XML formatting, pretending to do so in
nft monitor is pointless.
Signed-off-by: Phil Sutter
---
src/monitor.c | 6 --
1 file changed, 6 deletions(-)
diff --git a/src/monitor.c b/src/monitor.c
index 4310c3b8dc434..d75410888e3d0 100644
--- a/src/monitor.c
+++
Add support for printing and parsing ct timeout objects to JSON API.
Signed-off-by: Phil Sutter
---
src/json.c | 29 ++
src/parser_json.c | 82 +-
tests/py/ip/objects.t.json | 7
3 files changed, 117 insertions(+), 1
Enhance monitor test suite to test check JSON output as well. Note that
for now there is no support for --echo output testing with JSON.
Signed-off-by: Phil Sutter
---
tests/monitor/README | 27 +++-
tests/monitor/run-tests.sh | 45
This seems like a left-over from day 1: Said function is static in
json.c, so there is no point in providing a stub when compiling with
JSON disabled.
Signed-off-by: Phil Sutter
---
include/json.h | 6 --
1 file changed, 6 deletions(-)
diff --git a/include/json.h b/include/json.h
index
Oleh Danilovskyi wrote:
> I have implemented a custom extension for conntrack. It is basically
> extra pointer which resides in "struct nf_conn".
> The pointer references a slab buffer and it is used/modified in custom
> netfilter match extension.
> I'm not sure whether it is possible that
I have implemented a custom extension for conntrack. It is basically
extra pointer which resides in "struct nf_conn".
The pointer references a slab buffer and it is used/modified in custom
netfilter match extension.
I'm not sure whether it is possible that different skbs with the same
nf_conn can
On Thu, 11 Oct 2018 at 19:17, Pablo Neira Ayuso wrote:
>
Hi Pablo,
> On Wed, Oct 10, 2018 at 07:56:18PM +0200, Pablo Neira Ayuso wrote:
> > On Sun, Oct 07, 2018 at 12:09:32AM +0900, Taehee Yoo wrote:
> > > checkentry(tee_tg_check) should initialize priv->oif from dev if possible.
> > > But only
This is a partial revert of commit 9f075031a1973 ("Combine
parse_target() and command_jump() implementations"): Upstream prefers to
reduce max chain name length of arptables by two characters instead of
the introduced struct xtables_globals field which requires to bump
library API version.
Fixes:
On Thu, 11 Oct 2018 at 03:09, Pablo Neira Ayuso wrote:
>
Hi Pablo,
Thank you for review!
> On Tue, Oct 09, 2018 at 02:59:48AM +0900, Taehee Yoo wrote:
> > When interface is down, offload cleanup function(nf_flow_table_do_cleanup)
> > is called and that checks whether interface index of offload
On Thu, 11 Oct 2018 at 02:32, Pablo Neira Ayuso wrote:
>
Hi Pablo,
Thank you for review!
> On Sat, Oct 06, 2018 at 01:42:42AM +0900, Taehee Yoo wrote:
> > diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c
> > b/net/ipv4/netfilter/ipt_CLUSTERIP.c
> > index 2c8d313ae216..6ccabe6f74a6 100644
> >
On Wed, Oct 10, 2018 at 09:57:13AM +0200, Fernando Fernandez Mancera wrote:
> Add ttl option support to the nftables "osf" expression.
Applied, thanks.
I have mangled the patch to:
netfilter: nft_osf: usage from output path is not valid
This never meant to work there actually, to make
On Sun, Oct 07, 2018 at 12:09:18AM +0900, Taehee Yoo wrote:
> TEE netdevice notifier handler checks only interface name. However
> each netns can have same interface name. Hence other netns's interface
> could be selected.
>
> test commands:
>%ip netns add vm1
>%iptables -I INPUT -p icmp
On Wed, Oct 10, 2018 at 07:56:18PM +0200, Pablo Neira Ayuso wrote:
> On Sun, Oct 07, 2018 at 12:09:32AM +0900, Taehee Yoo wrote:
> > checkentry(tee_tg_check) should initialize priv->oif from dev if possible.
> > But only netdevice notifier handler can set that.
> > Hence priv->oif is always -1
Zero pad private area, otherwise we expose private kernel pointer to
userspace. This patch also zeroes the tail area after the ->matchsize
and ->targetsize that results from XT_ALIGN().
Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for
x_tables")
Reported-by: Florian
info area in match is always available, and remove unneeded variables.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/xt_osf.c | 8 +---
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c
index bf7bba80e24c..7a103553d10d 100644