nft_compat ops do not have static storage duration, unlike all other
expressions.
When nf_tables_expr_destroy() returns, expr->ops might have been
freed already, so we need to store the next address before calling the
expression destructor.
For the same reason, we can't deref the match pointer after
Phil Sutter wrote:
> Boolean AND was applied instead of binary one, causing the exclamation
> mark to be printed whenever info->bitmask was non-zero. In practice,
> this leads to incorrect output if e.g. --among-src was given with an
> inverted match as well as --among-dst with a non-inverted
Doesn't affect iptables-translate, but nft (when built with
xtables support).
Current nftables may print the buffer without checking if
the ->xlate() callback returned 0, so ->data with garbage/random
content can be printed.
Signed-off-by: Florian Westphal
---
libxtables/xtables.c | 1 +
1
Boolean AND was applied instead of binary one, causing the exclamation
mark to be printed whenever info->bitmask was non-zero. In practice,
this leads to incorrect output if e.g. --among-src was given with an
inverted match as well as --among-dst with a non-inverted one. Output
would then list
On Wed, Nov 07, 2018 at 12:32:34AM +0900, Taehee Yoo wrote:
> In this patch series, duplicate code in nf_flow_table_core.c are removed.
>
> First patch makes nf_flow_table_iterate() static because
> that is local function.
>
> Second patch makes nf_flow_offload_gc_step() simpler.
> Both
On Mon, Nov 12, 2018 at 03:02:52PM +0100, Phil Sutter wrote:
> Documentation for add rule command might trick readers into believing
> the optional 'index' argument does not need to be that of an existing
> rule. This false assumption is fueled by the fact that iptables allows
> inserting with
These are very old (long unused) caching infrastructure
definitions; remove them. They have nothing to do with the NFC subsystem.
Signed-off-by: Pablo Neira Ayuso
---
include/uapi/linux/netfilter.h | 4
include/uapi/linux/netfilter_decnet.h | 10 --
On Sun, Nov 04, 2018 at 12:07:14PM +0100, Florian Westphal wrote:
> It's possible to set both HANDLE and POSITION when replacing a rule.
> In this case, the rule at POSITION gets replaced using the
> userspace-provided handle. Rule handles are supposed to be generated
> by the kernel only.
>
>
On Wed, Oct 31, 2018 at 06:26:19PM +0100, Florian Westphal wrote:
> This fixes a packet path vs. control plane race caused by
> a bogus optimization: When chain is going away we must not
> elide updating rules[next_generation]. If we do, then access
> to the 'next generation' really access an old
On Mon, Nov 05, 2018 at 03:42:45AM +0900, Taehee Yoo wrote:
> Three bugs in nf_conncount are fixed by this patch series.
>
> First patch fixes inconsistent lock state in conn_free().
> conn_free() is called in both BH and process context, so
> spin_lock_bh() should be used.
>
> Second patch
On Thu, Oct 25, 2018 at 11:55:48PM +0900, Taehee Yoo wrote:
> Two bugs in nf_conncount are fixed by this patch series.
>
> First patch fixes inconsistent lock state in conn_free().
> conn_free() is called in both BH and process context, so
> spin_lock_bh() should be used.
>
> Second patch
old: arptables vlibxtables.so.12 (nf_tables)
now: arptables 1.8.1 (nf_tables)
Signed-off-by: Florian Westphal
---
iptables/xtables-arp.c | 25 +++--
1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c
index
You can run 'arptables-legacy -t foobar' and commands work fine,
as it still operates on filter table (the only table that exists).
Signed-off-by: Florian Westphal
---
iptables/xtables-arp.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/iptables/xtables-arp.c
Signed-off-by: Florian Westphal
---
iptables/xtables-arp.c | 12 ++--
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c
index bde35e5dcb9c..6a095bfd1629 100644
--- a/iptables/xtables-arp.c
+++ b/iptables/xtables-arp.c
@@ -233,12
Unicast being shown as '00:00:00:00:00:00/01:00:00:00:00:00' looks like
broken output, however, arptables classic did not pretty-print either.
Also add test cases for all targets supported by the original
arptables tool:
-j CLASSIFY
-j MARK
-j mangle
[ yes, mangle target is lower-case 8-( ]
1. check both address and mask, not just first byte of mac
2. use add_addr() for this so mask is also handled via bitwise expr.
3. use the correct offsets.
4. add dissector so we can reverse translate the payload expressions
generated for this.
Signed-off-by: Florian Westphal
---
Signed-off-by: Florian Westphal
---
iptables-test.py | 11 ++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/iptables-test.py b/iptables-test.py
index 34a040422ce7..532dee7c9000 100755
--- a/iptables-test.py
+++ b/iptables-test.py
@@ -17,10 +17,12 @@ import argparse
to check -s 1.2.3.4, we need to add the size of the hardware address
to the arp header to obtain the offset where the ipv4 address begins:
base_arphdr
HW_ADDR
IP_ADDR (src)
IP_ADDR (target)
In arptables-classic, the kernel will add dev->addr_len to the
arp header base address to obtain the
arptables -D fails most of the time, as we compared
source mask with target mask.
Signed-off-by: Florian Westphal
---
iptables/nft-arp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index f9352297d83b..675f0eb9daa6 100644
---
--dst-ip checks the first four octets of the target mac.
Format of ipv4 arp is:
arphdr (htype, ptype...)
src mac
src ip
target mac
target ip
So we need to add hlen (6 bytes) a second time
(arphdr + 6 + 4 + 6) to get correct offset.
Signed-off-by: Florian Westphal
---
iptables/nft-arp.c | 5
also handle negations in other cases.
Still to be resolved: mask handling for other options such as hlen.
Signed-off-by: Florian Westphal
---
iptables/nft-arp.c | 20 ++--
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
This isn't a missing feature in the -nft version;
neither plen nor -m was ever implemented in arptables-legacy.
Signed-off-by: Florian Westphal
---
iptables/xtables-arp.c | 34 +++---
1 file changed, 3 insertions(+), 31 deletions(-)
diff --git
arptables classic doesn't have arptables-save, it only has a perl
script that attempts to emulate iptables-save. It supports no options,
and thus has no way to dump counters. Add a -c option, like iptables, to
enable this.
Signed-off-by: Florian Westphal
---
iptables/nft-arp.c | 17
arptables-save will show
-A OUTPUT --h-length 6 --h-type 1 -j MARK --set-xmark 0x1/0x
as
--h-length 6 --h-type Ethernet -j MARK MARK set 0x1
Because it uses ->print() instead of ->save().
Switch it to use ->save(); we can then also drop the special handling of the
CLASSIFY target.
Signed-off-by:
This series adds test cases for arptables-nft and fixes various bugs that
got uncovered here.
extensions/libarpt_CLASSIFY.t | 4 +
extensions/libarpt_MARK.t | 4 +
extensions/libarpt_mangle.c | 6 +
extensions/libarpt_mangle.t | 5 +
extensions/libarpt_standard.t | 14
Documentation for add rule command might trick readers into believing
the optional 'index' argument does not need to be that of an existing
rule. This false assumption is fueled by the fact that iptables allows
inserting with last rule number + 1 to actually append to a chain.
Change the relevant
This allows gcc to check format string vs. passed arguments.
Fix the fallout from this as well, typical warning produced is:
libebt_mark_m.c:112:28: warning: format '%x' expects argument of type 'unsigned
int', but argument 3 has type 'long unsigned int' [-Wformat=]
xt_xlate_add(xl, "and 0x%x
Phil Sutter wrote:
> The first two deal with incorrect/unexpected error messages, only the
> last one fixes a "real" issue.
>
> Phil Sutter (3):
> xtables: Fix typo in do_command() error message
> xtables: Clarify error message when deleting by index
> xtables: Fix error return code in
Trying to delete a rule by index from a non-existent chain leads to a
somewhat confusing error message:
| # iptables-nft -D foobar 1
| iptables: Index of deletion too big.
Fix this by performing chain existence checks for CMD_DELETE_NUM, too.
Signed-off-by: Phil Sutter
---
iptables/xtables.c
The first two deal with incorrect/unexpected error messages, only the
last one fixes a "real" issue.
Phil Sutter (3):
xtables: Fix typo in do_command() error message
xtables: Clarify error message when deleting by index
xtables: Fix error return code in nft_chain_user_rename()
If the chain to rename wasn't found, the function would return -1 which
got interpreted as success.
Signed-off-by: Phil Sutter
---
iptables/nft.c | 4 ++--
iptables/tests/shell/testcases/iptables/0004-return-codes_0 | 4
2 files changed, 6
This checks p->chain for existence, not cs->jumpto. Fixes this bogus
error message:
| # iptables-nft -t nat -A FORWARD -j ACCEPT
| iptables v1.8.1 (nf_tables): Chain 'ACCEPT' does not exist
Fixes: b6a06c1a215f8 ("xtables: Align return codes with legacy iptables")
Signed-off-by: Phil Sutter
---
Hi, friend,
This is Daniel Murray and I am from Sinara Group Co.Ltd Group Co.,LTD in Russia.
We are glad to know about your company from the web and we are interested in
your products.
Could you kindly send us your Latest catalog and price list for our trial order.
Best Regards,
Daniel
Signed-off-by: Pablo Neira Ayuso
---
iptables/nft.c | 26 +-
iptables/nft.h | 20 +++-
2 files changed, 24 insertions(+), 22 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index d098068e01ca..dab7fbe235d2 100644
--- a/iptables/nft.c
+++
In the iptables universe, we enforce extrapositioned negation:
! -i foo
"-i ! foo" is not even supported anymore.
At least make sure that ebtables prints the former syntax everywhere as
well so we don't have a mix of both ways.
Parsing of --option ! 42 will still work for backwards compat.
The 'original' ebtables-save was a perl script that supported no options.
Add minimal options, like ip(6)tables-save.
Retain the old way of formatting counters via environment variable,
but allow overriding this using the -c option.
Signed-off-by: Florian Westphal
---
iptables/nft-bridge.c |
So we can remove nft_chain_dump() and replace nftnl_chain_get_list().
Signed-off-by: Pablo Neira Ayuso
---
iptables/nft.c | 27 +++
iptables/nft.h | 2 +-
iptables/xtables-restore.c | 2 +-
iptables/xtables-save.c | 6 +++---
4 files
On Mon, Nov 12, 2018 at 10:19:56AM +0100, Pablo Neira Ayuso wrote:
> On Thu, Nov 01, 2018 at 06:50:33AM +0100, Andreas Jaggi wrote:
> > Useful to only set a particular range of the conntrack mark while
> > leaving existing parts of the value alone, e.g. when updating
> > conntrack marks via
On Thu, Nov 01, 2018 at 06:50:33AM +0100, Andreas Jaggi wrote:
> Useful to only set a particular range of the conntrack mark while
> leaving existing parts of the value alone, e.g. when updating
> conntrack marks via netlink from userspace.
>
> For NFQUEUE it was already implemented in commit
>
On Sat, Oct 27, 2018 at 06:07:39PM +0200, Jozsef Kadlecsik wrote:
> Hi Pablo,
>
> Please consider to pull the next patches for nf-next:
>
> - Introduction of new commands and thus protocol version 7. The
> new commands make it possible to eliminate the getsockopt interface
> of ipset and use