On Thu, Oct 18, 2018 at 11:00 AM Pablo Neira Ayuso wrote:
>
> Hi!
>
> On Wed, Oct 17, 2018 at 12:32:54PM -0700, Matt Turner wrote:
> > Rolf Eike Beer reported that nft-expr_quota-test fails
> > with a SIGBUS on SPARC due to unaligned accesses. This patch resolves
> > that and fixes additional
We are getting bug reports lately from the netns path, add a new option
to exercise this path.
Signed-off-by: Pablo Neira Ayuso
---
This is crashing the kernel in a few spots, will retest with recent fixes to
see if we are addressing all existing problems.
iptables-test.py | 54
On Thu, Oct 18, 2018 at 11:42:20PM +0530, Harsha Sharma wrote:
> Add documentation for creating ct timeout objects and assigning timeout
> policies via rules.
Applied, thanks Harsha.
Add documentation for creating ct timeout objects and assigning timeout
policies via rules.
Signed-off-by: Harsha Sharma
---
Changes in v2:
- correct bold font for "ct timeout" title
- update example script
doc/libnftables-json.adoc | 52 ++---
On Wed, Oct 17, 2018 at 12:32:53PM -0700, Matt Turner wrote:
> All tests are now run with make check.
Applied, thanks.
On Wed, Oct 17, 2018 at 12:32:52PM -0700, Matt Turner wrote:
> The existing test-script.sh does not check the return values of the
> tests so it is not very good for automated testing.
Also applied, thanks.
xt_rateest_net_exit() was added to check whether rules are flushed
successfully, but the ->net_exit() callback is called earlier than the
->destroy() callback, so the ->net_exit() callback can't check that.
test commands:
%ip netns add vm1
%ip netns exec vm1 iptables -t mangle -I PREROUTING -p udp
From: Chieh-Min Wang
For bridge (br_flood) or broadcast/multicast packets, they could clone skb with
unconfirmed conntrack, which breaks the rule that unconfirmed skb->_nfct is never
shared.
With nfqueue running on my system, the race can be easily reproduced with the
following warning calltrace:
The /include/net/netfilter/nfnetlink_log.h file is empty,
so it can be removed.
Signed-off-by: Taehee Yoo
---
include/net/netfilter/nfnetlink_log.h | 1 -
1 file changed, 1 deletion(-)
delete mode 100644 include/net/netfilter/nfnetlink_log.h
diff --git a/include/net/netfilter/nfnetlink_log.h
On Wed, Oct 17, 2018 at 06:34:22PM +0200, Pablo Neira Ayuso wrote:
> Hi Greg,
>
> Could you enqueue the following patch for -stable 4.9.x?
>
> commit ab6dd1beac7be3c17f8bf3d38bdf29ecb7293f1e
> Author: Xin Long
> Date: Thu Aug 10 10:22:24 2017 +0800
>
> netfilter: check for seqadj ext
Hi Pablo,
On Thu, Oct 18, 2018 at 1:53 PM Pablo Neira Ayuso wrote:
>
> Hi Alin,
>
> On Thu, Oct 18, 2018 at 01:27:01PM +0200, Alin Nastac wrote:
> > From: Alin Nastac
> >
> > nf_conntrack_proto_generic refuses to handle grev6 packets when
> > NF_CT_PROTO_GRE is enabled, resulting in grev6
Hi Alin,
On Thu, Oct 18, 2018 at 01:27:01PM +0200, Alin Nastac wrote:
> From: Alin Nastac
>
> nf_conntrack_proto_generic refuses to handle grev6 packets when
> NF_CT_PROTO_GRE is enabled, resulting in grev6 packets being
> categorized as INVALID.
IIRC, this depends on the pptp helper, right?
From: Chieh-Min Wang
For bridge or multicast packets, they could clone skb with unconfirmed
conntrack, which breaks the rule that unconfirmed skb->nfct is never shared.
With nfqueue running on my system, the race can be easily reproduced with the
following warning calltrace:
[13257.707525] CPU: 0
From: Alin Nastac
nf_conntrack_proto_generic refuses to handle grev6 packets when
NF_CT_PROTO_GRE is enabled, resulting in grev6 packets being
categorized as INVALID.
---
net/netfilter/nf_conntrack_proto_gre.c | 49 +-
1 file changed, 48 insertions(+), 1
On Tue, Oct 9, 2018 at 16:39 Florian Westphal wrote:
>
> Pedretti Fabio wrote:
> > Hi, I tried iptables 1.8 with the new nf_tables back-end using the
> > Debian 1.8.0-1~exp1 package with my firewall script.
> >
> > It seems to properly load most rules, however I am getting an
From: Chieh-Min Wang
For bridge or multicast packets, they could clone skb with unconfirmed
conntrack, which breaks the rule that unconfirmed skb->nfct is never shared.
With nfqueue running on my system, the race can be easily reproduced with the
following warning calltrace:
[13257.707525] CPU: 0
16 matches