On Thu, Jul 21, 2016 at 12:51:17PM +0200, Florian Westphal wrote:
> xt_connlabel is the only user so move it.
>
> Signed-off-by: Florian Westphal
> ---
> include/net/netfilter/nf_conntrack_labels.h | 2 --
> net/netfilter/nf_conntrack_labels.c | 17 -
>
On Thu, Jul 21, 2016 at 05:26:47PM +0800, f...@ikuai8.com wrote:
> From: Gao Feng
Please, add description to your patches.
Cc'ing netfilter-devel@vger.kernel.org is sufficient for netfilter
patches unless you really want to attract attention from other netdev
developers, and
On Tue, Jul 12, 2016 at 11:32:19AM -0400, Aaron Conole wrote:
> +/* recursively invokes nf_hook_slow (again), skipping already-called
> + * hooks (< NF_BR_PRI_BRNF).
> + *
> + * Called with rcu read lock held.
> + */
> +int br_nf_hook_thresh(unsigned int hook, struct net *net,
> +
On Tue, Jul 12, 2016 at 11:32:20AM -0400, Aaron Conole wrote:
> From: Florian Westphal
>
> This makes things simpler because we can store the head of the list
> in the nf_state structure without worrying about concurrent add/delete
> of hook elements from the list.
This is
On Tue, Jul 12, 2016 at 11:32:21AM -0400, Aaron Conole wrote:
> The netfilter hook list never uses the prev pointer, and so can be
> trimmed to be a smaller singly-linked list.
>
> In addition to having a more light weight structure for hook traversal,
> struct net becomes 5568 bytes (down from
On Thu, Jul 14, 2016 at 12:52:18PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> > On Tue, Jul 05, 2016 at 09:35:34AM +0200, Florian Westphal wrote:
> > > Allow users to use a simpler way to specify probabilistic matching, e.g.:
> >
On Fri, Jul 22, 2016 at 05:48:34PM +0200, Pablo M. Bermudo Garay wrote:
> Some translations included escaped quotes when they were called from
> nft:
>
> $ sudo nft list ruleset
> table ip mangle {
> chain FORWARD {
> type filter hook forward priority -150; policy accept;
> ct
Adapt this code to the new interface that introduces
struct xt_xlate_{mt,tg}_params.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
src/xt.c | 20 +++-
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/src/xt.c b/src/xt.c
index afcc836..0777d9c
Hi James,
I'm looking what is missing to add l2tp for nftables, after a quick
glance this is what I found.
The L2TPv3 over IP (after quick reading of the RFC) seems easy to add.
I'm attaching a patch for the header layout definition (still parser
side is missing, so this patch is incomplete).
This structure is an extensible container of parameters, so we don't
need to propagate interface updates to every extension file in case
we need to add new parameters in the future.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
extensions/libip6t_DNAT.c | 6 ++---
exte
On Sat, Jul 30, 2016 at 01:20:59PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> In iptables, "-i eth+" means match all in ifname with the prefix "eth".
> But in nftables, this was changed to "iifname eth*". So we should handle
> this subtle difference.
>
>
On Tue, Jul 26, 2016 at 03:14:22PM +0100, Sami Kerola wrote:
> The footnote clarification to option argument documentation, so keep the
> indentation level same as for the arguments.
Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a
-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
Slightly larger than Florian's fix, but we get rid of the goto here, since
gcc considers branches with gotos as unlikely.
net/netfilter/nft_rbtree.c | 10 ++
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/net/net
nft already assumes that passing NULL as data_len is valid, otherwise
it crashes. Fix this by leaving data_len unset in this specific case.
Fixes: bda7102 ("src: Fix nftnl_*_get_data() to return the real attribute
length")
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org&g
On Wed, Jul 27, 2016 at 04:17:33AM +0200, Florian Westphal wrote:
> During NFWS we discussed reducing the number of keywords in nftables.
>
> Obviously keywords are required for the parser to know what to expect.
>
> But always requiring the 'meta' keyword would allow us to handle
> iif, oif,
On Wed, Jul 27, 2016 at 02:43:13AM +0200, Florian Westphal wrote:
> This allows nft to display payload set operations if the
> header isn't byte aligned or has non-byte divisible sizes.
>
> Signed-off-by: Florian Westphal
> ---
> src/netlink_delinearize.c | 165
>
On Wed, Jul 27, 2016 at 02:43:12AM +0200, Florian Westphal wrote:
> 'ip6 ecn set 1' will generate a zero-sized write operation.
> Just like when matching on bit-sized header fields we need to
> round up to a byte-sized quantity and add a mask to retain those
> bits outside of the header bits that
rors here:
warning: 2 lines add whitespace errors
Please, amend these and other nitpicks and push these series, we can
later on refine them if needed.
Acked-by: Pablo Neira Ayuso <pa...@netfilter.org>
Thanks.
On Tue, Jul 26, 2016 at 06:22:49PM +0200, Pablo M. Bermudo Garay wrote:
> 2016-07-25 17:31 GMT+02:00 Pablo Neira Ayuso <pa...@netfilter.org>:
> > On Fri, Jul 22, 2016 at 05:48:34PM +0200, Pablo M. Bermudo Garay wrote:
> >> Some translations included escaped quotes wh
Applied, thanks.
On Thu, Aug 11, 2016 at 09:23:14AM +0200, Laura Garcia Liebana wrote:
> diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c
> new file mode 100644
> index 000..eb05527
> --- /dev/null
> +++ b/net/netfilter/nft_hash.c
> @@ -0,0 +1,136 @@
> +/*
> + * Copyright (c) 2016 Laura Garcia
Please, remove "Jenkins" from the title.
And it would be good to add a test under the tests/ directory.
On Tue, Aug 09, 2016 at 04:03:51PM +0200, Laura Garcia Liebana wrote:
> diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h
> index 6aa7756..811c254 100644
> ---
On Fri, Aug 12, 2016 at 01:58:17AM +0200, Pablo Neira Ayuso wrote:
> On Fri, Aug 12, 2016 at 01:33:32AM +0200, Phil Sutter wrote:
> > The following series aims at fixing a number of issues identified by
> > Coverity tool. Due to limited familiarity with the whole code layout, I
>
On Fri, Aug 12, 2016 at 01:33:37AM +0200, Phil Sutter wrote:
> time() may return -1 which is then assigned to an unsigned integer type
> and used as sequence number. The following code increments that number
> multiple times, so it may overflow and get libmnl confused. To avoid
> this, fall back
Four tests to cover file inclusion using:
1) Absolute path.
2) Relative path.
3) Default include directory path.
And one more test to cover endless file inclusion loop.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
tests/shell/testcases/include/0001absolute_0
he use refcnt is still 1, then the
memory will be leaked forever.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_netlink.c | 8 ++--
1 file changed, 2 insertions(+), 6 deletions(-)
-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
Tested-by: Anders K. Pedersen <a...@akp.dk>
---
net/netfilter/nft_rbtree.c | 10 ++
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nft_rbtree.c b/net/netfilter/nft_rbtree.c
index 6473936..ffe9ae0 1006
h...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_expect.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index 9e36931..f8dbac
liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_netlink.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index b9bfe64..fdfc71f 100644
-
uot;)
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Reviewed-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nfnetlink_queue.c | 6 ++
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/net
MFT_REG32_01 is a typo, rename this to NFT_REG32_01.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/uapi/linux/netfilter/nf_tables.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/net
From: Laura Garcia Liebana <nev...@gmail.com>
Fix the direct assignment of offset and length attributes included in
nft_exthdr structure from u32 data to u8.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
Pablo Neira Ayuso (2):
netfilter: nf_tables: s/MFT_REG32_01/NFT_REG32_01
netfilter: nft_rbtree: ignore inactive matching element with no
descendants
include/uapi/linux/netfilter/nf_tables.h | 2 +-
net/netfilter/nf_conntrack_expect.c | 2 +-
net/netfilter/nf_conntrack_h323_main.c
On Wed, Aug 10, 2016 at 11:48:55AM +0200, Carlos Falgueras García wrote:
> This patch implements the function 'bool nftnl_rule_cmp(const struct
> nftnl_rule *r, const struct nftnl_rule *r2)' for rule comparison.
>
> Expressions within rules need to be compared, so also has been created the
>
On Wed, Aug 10, 2016 at 05:12:04PM +0200, Carlos Falgueras García wrote:
> Deleted wrong braces that cause unwanted behaviour.
Also applied, thanks.
On Mon, Aug 08, 2016 at 10:07:27PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> Like NFQNL_MSG_VERDICT_BATCH does, we should also reject the verdict
> request when the portid is not the same as the initial portid (maybe
> from another process).
Applied, thanks.
On Fri, Aug 12, 2016 at 02:44:58AM +0200, Phil Sutter wrote:
> On Fri, Aug 12, 2016 at 01:42:02AM +0200, Pablo Neira Ayuso wrote:
> > On Fri, Aug 12, 2016 at 01:33:34AM +0200, Phil Sutter wrote:
> > > From: Phil Sutter <psut...@redhat.com>
> > &
On Sat, Aug 13, 2016 at 05:25:19PM +0200, Carlos Falgueras García wrote:
> Another possible solution is something like this:
>
> static const char *element2str(uint32_t element) {
> - if (element < MAX_ELEMENT)
> + if (element < MAX_ELEMENT ||
On Mon, Aug 15, 2016 at 12:27:37PM +0200, Carlos Falgueras García wrote:
Please always add a description to your patches, even if it is only
one line to explain why we need this.
Thanks.
> Signed-off-by: Carlos Falgueras García
> ---
> src/expr/cmp.c | 2 +-
> 1 file
On Mon, Aug 15, 2016 at 12:27:36PM +0200, Carlos Falgueras García wrote:
> --- a/src/utils.c
> +++ b/src/utils.c
> @@ -23,6 +23,7 @@
> #include
>
> static const char *const nftnl_family_str[NFPROTO_NUMPROTO] = {
> + [NFPROTO_UNSPEC]= "unknown",
> [NFPROTO_INET] =
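Review bot: the added initializer `[NFPROTO_UNSPEC]= "unknown",` is missing the space before `=`; the neighbouring entry `[NFPROTO_INET] =` has one, so write `[NFPROTO_UNSPEC] = "unknown",` to keep the designated-initializer array consistently formatted.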
On Mon, Aug 15, 2016 at 12:51:02PM +0200, Carlos Falgueras García wrote:
> Checks array limits before accessing it and adds a missed translation.
>
> Signed-off-by: Carlos Falgueras García
> ---
> src/utils.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff
On Sat, Jul 30, 2016 at 07:42:53PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> Since commit 64b87639c9cb ("netfilter: conntrack: fix race between
> nf_conntrack proc read and hash resize") introduced
> nf_conntrack_get_ht, there's no need to check
On Thu, Aug 11, 2016 at 06:02:07PM +0200, Laura Garcia Liebana wrote:
> This patch adds a new hash expression; this provides jhash support but
> can be extended to support other hash functions.
>
> The modulus and seed already come embedded in this new expression.
>
> Use case
Applied, thanks.
On Wed, Aug 10, 2016 at 11:48:56AM +0200, Carlos Falgueras García wrote:
> This patch separates the rule identification from the rule localization, so
> the logic moves from the evaluator to the parser. This allows reverting the
> patch "evaluate: improve rule management checks"
>
to what I observed on the netfilter user mailing list.
So let's get rid of this.
Note that nf_conntrack_htable_size and unsigned int nf_conntrack_max do
not need to be exported as symbols anymore.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_conntrack_l4p
On Wed, Aug 10, 2016 at 03:23:07PM -0400, Willem de Bruijn wrote:
> From: Willem de Bruijn
>
> The xt_bpf module applies BPF bytecode to the packet. Depending on
> where the module is invoked, the kernel may pass a packet with or
> without link layer header. Iptables has no
On Fri, Aug 12, 2016 at 07:12:32PM +0800, Liping Zhang wrote:
> 2016-08-12 18:34 GMT+08:00 Pablo Neira Ayuso <pa...@netfilter.org>:
[...]
> >
> > I think it is a good time to kill compat /proc/net/ip_conntrack*. That
> > has been there for so long already. So
On Sat, Jul 30, 2016 at 07:44:12PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> The IP header checksum will be recalculated at ip_local_out, so
> there's no need to calculate it here; remove it. Also update the
> code comments to illustrate this, and delete the
On Fri, Aug 12, 2016 at 02:39:50PM +0200, Phil Sutter wrote:
> From: Phil Sutter
>
> Apart from being a bad idea in general, the return statement contained
> in that macro in some cases leads to returning from functions without
> properly cleaning up, thereby causing memory
On Sat, Jul 23, 2016 at 07:21:47PM +0800, f...@ikuai8.com wrote:
> From: Gao Feng
>
> We only need first 4 bytes instead of 8 bytes to get the ports of
> tcp/udp/dccp/sctp/udplite in their pkt_to_tuple function.
Applied, thanks.
On Wed, Aug 03, 2016 at 03:21:28PM +0200, Florian Westphal wrote:
> Once timer is removed from nf_conn struct we cannot open-code
> the removal sequence anymore.
@Simon and other IPVS folks: I'm going to take this patch since
Florian needs this merged for follow up patches.
So I'm dealing with
On Fri, Aug 12, 2016 at 10:17:19PM +0200, Carlos Falgueras García wrote:
> Changes random values for macros because the conversion to string of these
> values is performed by accessing an array of strings.
Then, we should fix the functions to return "unknown" for out of bound
access of the
Applied, thanks.
On Fri, Aug 12, 2016 at 10:17:20PM +0200, Carlos Falgueras García wrote:
> Signed-off-by: Carlos Falgueras García
> ---
> tests/nft-expr_masq-test.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/tests/nft-expr_masq-test.c
y many people in the user community
according to what I observed on the netfilter user mailing list.
So let's get rid of this.
Note that nf_conntrack_max does not need to be exported as a symbol
anymore.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
v2: nf_conntrack_htabl
On Wed, Aug 10, 2016 at 05:12:05PM +0200, Carlos Falgueras García wrote:
> An error in Makefile.am has caused the tests
> 'nft-expr_immediate-test.c' and 'nft-expr_lookup-tests.c' not to be
> compiled since they were created. This patch fixes that error and some errors
> in both tests.
igit 0 or not.
Signed-off-by: Christophe Leroy <christophe.le...@c-s.fr>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_conntrack_sip.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/
od_timer_pending here to fix this problem.
Fixes: 96d1327ac2e3 ("netfilter: h323: Use mod_timer instead of
set_expect_timeout")
Cc: Gao Feng <f...@ikuai8.com>
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
netfilter: nfnetlink_queue: fix memory leak when attach expectation
successfully
netfilter: nfnetlink_queue: reject verdict request from different portid
netfilter: ctnetlink: reject new conntrack request with different l4proto
Pablo Neira Ayuso (2):
netfilter: nf_tables: s
On Tue, Aug 09, 2016 at 01:42:17PM +0200, Carlos Falgueras García wrote:
> Iterators do not modify objects which they iterate, so input pointer must
> be const.
Applied, thanks!
On Wed, Aug 10, 2016 at 05:29:34PM +0200, Laura Garcia Liebana wrote:
> The following patchset adds a check during the load of a u32 value
> into a u8 attribute, which can cause an overflow.
Could you collapse them all in one single patch?
You can probably use this title:
netfilter:
On Mon, Aug 08, 2016 at 01:17:56PM +0200, Carlos Falgueras García wrote:
> diff --git a/src/expr/dynset.c b/src/expr/dynset.c
> index 0eaa409..fa8b8d5 100644
> --- a/src/expr/dynset.c
> +++ b/src/expr/dynset.c
> @@ -370,6 +370,23 @@ static void nftnl_expr_dynset_free(const struct
> nftnl_expr *e)
On Fri, Aug 12, 2016 at 01:33:34AM +0200, Phil Sutter wrote:
> From: Phil Sutter
>
> This is an ugly aspect of the SNPRINTF_BUFFER_SIZE() macro: it contains
> a return statement and if that triggers, the function returns without
> freeing the iterator object. Therefore
Applied, thanks.
On Tue, Jul 05, 2016 at 09:35:34AM +0200, Florian Westphal wrote:
> Allow users to use a simpler way to specify probabilistic matching, e.g.:
>
> meta probability 0.5 (match approx. every 2nd packet)
> meta probability 0.001(match approx. once every 1000 packets)
>
> nft
On Thu, Jul 21, 2016 at 10:03:01AM +0200, jalvarez wrote:
> Here are the changes then.
> I didn't put it in nft-rule-get.c at first to avoid breaking the expected
> behavior of the example.
Thanks.
Problem with this patch: your MUA seems to mangle it, so both patch -p1
< patch and git am tell me
Please, send me your Signed-off-by: and a couple of lines with a
description.
No need to resend this patch, I'll amend this myself. But please
include it next time. Thanks.
This patch title is too long, no more than 80 chars please, when it
goes over that boundary it becomes a description ;)
More comments below.
On Thu, Jul 21, 2016 at 10:09:19PM +0800, f...@ikuai8.com wrote:
> From: Gao Feng
>
> Signed-off-by: Gao Feng
> ---
>
On Thu, Jul 21, 2016 at 06:45:53PM +0200, Pablo Neira Ayuso wrote:
> > diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
> > index 153e33f..634d592 100644
> > --- a/net/netfilter/nf_conntrack_core.c
> > +++ b/net/netfilter/nf_co
On Thu, Jul 21, 2016 at 12:23:13AM +0200, Florian Westphal wrote:
> Pablo suggested to print full config file path for connlabel.conf
> parsing errors.
>
> Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org>
> Signed-off-by: Florian Westphal <f...@strlen.de>
Acke
This patch title is too long, no more than 80 chars.
On Thu, Jul 21, 2016 at 10:09:19PM +0800, f...@ikuai8.com wrote:
> From: Gao Feng
Please, include a description here.
> Signed-off-by: Gao Feng
More comments below.
> ---
> v1: Initial Version
>
>
On Sat, Jul 16, 2016 at 08:12:51PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> > On Sat, Jul 16, 2016 at 04:51:30PM +0200, Pablo Neira Ayuso wrote:
> > > On Sat, Jul 16, 2016 at 06:42:24PM +0800, Liping Zhang wrote:
> > > >
The netfilter project regrets to have to suspend its core team member
Patrick McHardy from the core team. This is a grave step, definitely
the first in the project's history, and it is not one we take lightly.
Over many months, severe allegations have been brought forward against
the style of his
On Sun, Jul 17, 2016 at 12:41:59PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> > On Sat, Jul 16, 2016 at 08:12:51PM +0200, Florian Westphal wrote:
> > > Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> > > > On Sa
On Sat, Jul 16, 2016 at 11:18:01AM +0200, Florian Westphal wrote:
> Liping Zhang wrote:
> > From: Liping Zhang
> >
> > We only get nf_connlabels if the user add ct label set expr successfully,
> > but we will also put nf_connlabels if the user
If the table and/or chain attributes are set in a rule dump request,
we filter out the rules based on this selection.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
Compiled tested only.
net/netfilter/nf_tables_api.c | 39 +++
1 file chang
On Thu, Jul 14, 2016 at 05:51:26PM +0200, Florian Westphal wrote:
> After this change ruleset restore times get again close to what one
> gets when reverting 36472341017529e (~3 seconds on my workstation).
Applied, thanks.
On Mon, Jul 18, 2016 at 08:44:17PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> There's a similar problem in xt_NFLOG, and was fixed by commit 7643507fe8b5
> ("netfilter: xt_NFLOG: nflog-range does not truncate packets"). Only set
> copy_len here does not
On Mon, Jul 18, 2016 at 10:14:28PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> The nflog-size was introduced by commit 7070b1f3c88a ("extensions:
> libxt_NFLOG: nflog-range does not truncate packets"). Then make
> the nflog-range become deprecated, because it
On Mon, Jul 18, 2016 at 08:44:15PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> Suppose that we specify the NFTA_LOG_PREFIX, then NFTA_LOG_LEVEL
> and NFTA_LOG_GROUP are specified together or nf_logger_find_get
> call returns fail, i.e. expr init fail, memory
On Mon, Jul 18, 2016 at 10:14:27PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> The following iptables rules have the different semantics:
> # iptables -A INPUT -j NFLOG
> # iptables -A INPUT -j NFLOG --nflog-size 0
>
> But they are all displayed as "-A
On Wed, Jul 20, 2016 at 08:31:13AM +0800, 高峰 wrote:
> Thanks Pablo.
>
> I had used the script "checkpatch.pl" to check the patch file.
> There was no indentation error reported.
>
> So could you give me more details please or point out one indentation error?
> Then I could correct it by myself next
On Wed, Jul 20, 2016 at 08:51:17AM +0800, Liping Zhang wrote:
> 2016-07-18 11:39 GMT+08:00 :
> > From: Gao Feng
> >
> > Add nf_ct_helper_init, nf_conntrack_helpers_register/unregister
> > functions to enhance the conntrack helper codes.
>
> I think this patch
From: Pablo Neira <pa...@netfilter.org>
If the table and/or chain attributes are set in a rule dump request,
we filter out the rules based on this selection.
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
net/netfilter/nf_tables_api.c | 38 +
On Wed, Jul 20, 2016 at 11:58:24AM +0200, Florian Westphal wrote:
> Pablo suggested to print full config file path for connlabel.conf
> parsing errors.
>
> Signed-off-by: Florian Westphal
> ---
> Pablo,
>
> I could also add the suggested nfct_labels_get_path() to lnf_conntrack
27-29: Error: /etc/nftables/connlabel.conf: could not parse
> conntrack label "foo"
>
> Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org>
> Signed-off-by: Florian Westphal <f...@strlen.de>
> ---
> src/Makefile.am | 2 ++
> src/ct.c
On Mon, Jul 11, 2016 at 06:17:39PM -0300, Marc Dionne wrote:
> Hi Pablo,
>
> Testing out your patch:
>
> 1) With no NAT in place, the clash resolution happens, with no side
> effects. No EPERM errors are seen.
>
> 2) With ip(6)table_nat loaded, the clash resolution fails and I get
> some EPERM
; > :1:28-32: Error: syntax error, unexpected saddr
> > filter input set update ip saddr timeout 10s @myset
> > ^
>
> I did a git bisect on this and found that it was broken by
>
> commit a3e60492a684be09374d0649735da42bdadc6b48
> Aut
From: Liping Zhang <liping.zh...@spreadtrum.com>
When a user adds an nft rule to set nftrace to zero, for example:
# nft add rule ip filter input nftrace set 0
We should set nf_trace to zero also.
Signed-off-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Pablo Nei
per-ct timer.
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/net/netfilter/nf_conntrack.h | 8
net/netfilter/nft_ct.c | 6 +-
2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/inc
clash resolution on
insertion race")
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
Tested-by: Marc Dionne <marc.c.dio...@gmail.com>
---
net/netfilter/nf_conntrack_core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_