this approach, this call is
coming too late, in the evaluation phase, after the cache_update()
invocation.
Be careful with NFT_CACHE_UPDATE, this flag needs to be left in
place if NFT_CACHE_FLUSHED is set.
Signed-off-by: Pablo Neira Ayuso
---
include/cache.h | 2 ++
include/rule.h | 3
On Tue, Jul 23, 2019 at 03:11:42PM +0200, Phil Sutter wrote:
> On Mon, Jul 22, 2019 at 11:25:56PM +0200, Pablo Neira Ayuso wrote:
> > On Sun, Jul 21, 2019 at 08:50:40PM +0200, Florian Westphal wrote:
> > > Pablo Neira Ayuso wrote:
> > > > On Sun, Jul 21, 2019 at 02:1
On Tue, Jul 23, 2019 at 05:06:44PM +0200, Phil Sutter wrote:
> Hi Pablo,
>
> On Mon, Jul 22, 2019 at 09:53:21PM +0200, Pablo Neira Ayuso wrote:
> > On Sat, Jul 20, 2019 at 05:15:02PM +0200, Phil Sutter wrote:
> > > Hi,
> > >
> > > On Fri, Jul 19, 2019 at
On Tue, Jul 23, 2019 at 03:27:52PM +0200, Phil Sutter wrote:
> nft_meta_get_eval()'s tendency to bail out setting NFT_BREAK verdict in
> situations where required data is missing leads to unexpected behaviour
> with inverted checks like so:
>
> | meta iifname != eth0 accept
>
> This rule will nev
On Mon, Jul 22, 2019 at 12:16:17PM +0200, Phil Sutter wrote:
> This series started as a fix to program names mentioned in *-save
> outputs and ended in merging ebtables-save and arptables-save code into
> xtables_save_main used by ip{6,}tables-nft-save.
Applied, thanks Phil.
On Sun, Jul 21, 2019 at 02:14:07AM +0200, Florian Westphal wrote:
> This makes nft behave like 0.9.0 -- the ruleset
>
> flush ruleset
> table inet filter {
> }
> table inet filter {
> chain test {
> counter
> }
> }
>
> loads again without generating an error message.
> I've adde
On Sun, Jul 21, 2019 at 02:14:05AM +0200, Florian Westphal wrote:
> This should never happen (we should pass valid locations to the error
> reporting functions), but in case we screw up we will segfault during
> error reporting.
>
> cat crash
> table inet filter {
> }
> table inet filter {
>
On Tue, Jul 23, 2019 at 01:36:49PM -0400, Brett Mastbergen wrote:
> ops has been removed, and etype has been added
Applied, thanks Brett.
On Sun, Jul 21, 2019 at 09:24:15PM +0200, Fernando Fernandez Mancera wrote:
> Fedora 30 uses very recent gcc (version 9.1.1 20190503 (Red Hat 9.1.1-1)),
> osf produces the following warnings:
>
> -Wformat-truncation warnings have been introduced in version 7.1 of gcc.
> Also, remove an unneeded addr
On Wed, Jul 24, 2019 at 12:33:06AM +0200, Florian Westphal wrote:
[...]
> If we change things now (set ifindex 0 / "" name), I do not think
> we can't revert it later.
OK, let's start simple as you propose, with iif/oif/iifname/oifname
and we revisit this later on.
Thanks for explaining.
On Tue, Jul 23, 2019 at 03:27:53PM +0200, Phil Sutter wrote:
> The label is used just once and the code it points at is not reused, no
> point in keeping it.
Also applied, thanks.
Florian Westphal
Acked-by: Pablo Neira Ayuso
Thanks Florian.
On Wed, Jul 24, 2019 at 05:32:09PM +0800, we...@ucloud.cn wrote:
> From: wenxu
>
> In the action, tun_id is stored in the reg in host endian. But the
> nft_cmp action gets the user data in net endian, which leads to a
> match failure.
>
> nft --debug=netlink add rule netdev firewall aclin ip daddr 10.0.0.7
>
On Thu, Jul 25, 2019 at 03:43:53PM +0800, we...@ucloud.cn wrote:
> From: wenxu
>
> In the action, tun_id is stored in the reg in host endian.
This is correct.
> But the nft_cmp action gets the user data in net endian, which leads to a
> match failure.
>
> nft --debug=netlink add rule netdev firewall aclin i
This patch adds support to attach tunnel metadata.
Signed-off-by: Pablo Neira Ayuso
---
include/rule.h | 15 +++
src/evaluate.c | 23
src/mnl.c | 38 +++
src/netlink.c | 77
This patch allows you to match on tunnel metadata.
Signed-off-by: Pablo Neira Ayuso
---
include/Makefile.am | 4 ++-
include/expression.h | 6
include/tunnel.h | 33 +
src/Makefile.am | 1 +
src/evaluate.c| 7 +
src
On Sun, Jul 07, 2019 at 09:37:29PM +0800, we...@ucloud.cn wrote:
> From: wenxu
>
> This patch provide a meta vlan to set the vlan tag of the packet.
>
> for q-in-q outer vlan id 20:
> meta vlan set 0x88a8:20
>
> set the default 0x8100 vlan type with vlan id 20
> meta vlan set 20
Support for pu
On Wed, Jul 24, 2019 at 09:31:14AM +0200, Fernando Fernandez Mancera wrote:
> Fedora 30 uses very recent gcc (version 9.1.1 20190503 (Red Hat 9.1.1-1)),
> osf produces the following warnings:
>
> -Wformat-truncation warnings have been introduced in version 7.1 of gcc.
> Also, remove an unneeded addr
On Tue, Jul 23, 2019 at 08:52:40PM +0800, we...@ucloud.cn wrote:
> From: wenxu
>
> The nft_setup_cb_call and ndo_setup_tc callback should be under rtnl lock
>
> or it will report:
> kernel: RTNL: assertion failed at
> drivers/net/ethernet/mellanox/mlx5/core/en_rep.c (635)
>
> Signed-off-by: wen
Hi,
There are reports
https://github.com/openwrt/openwrt/pull/2266#issuecomment-514681715
This report might not be your fault, but you can probably help fix
bugs before we move on anywhere else.
On Tue, Jul 23, 2019 at 08:52:39PM +0800, we...@ucloud.cn wrote:
> From: wenxu
>
> There will be zero, one or several actions for some exprs, such as
> payload set and immediate
>
> Signed-off-by: wenxu
> ---
> include/net/netfilter/nf_tables.h | 7 ++-
> include/net/netfilter/nf_tabl
On Thu, Jul 25, 2019 at 12:09:39PM +0800, we...@ucloud.cn wrote:
> From: wenxu
>
> Add new NFTA_TUNNEL_KEY_RELEASE action for future offload
> feature
How is hardware using this?
On Thu, Jul 25, 2019 at 05:46:04PM +0800, we...@ucloud.cn wrote:
> From: wenxu
>
> This series supports tunnel meta match offload and
> tunnel_obj action offload. This series depends on
> http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=120961
Oh, you sent a v2 and I was spending t
On Mon, Jul 22, 2019 at 06:02:37PM +0200, Fernando Fernandez Mancera wrote:
> diff --git a/include/rule.h b/include/rule.h
> index 67c3d33..c6e8716 100644
[...]
>+const struct datatype priority_type = {
Please add something like this on top of the definition:
/* This datatype is not registered v
On Mon, Jul 22, 2019 at 06:02:39PM +0200, Fernando Fernandez Mancera wrote:
> This patch introduces the use of nft input files variables in chain policy.
> e.g.
>
> define default_policy = "accept"
>
> add table ip foo
> add chain ip foo bar {type filter hook input priority filter; policy
> $def
On Thu, Jul 25, 2019 at 05:19:13PM +0200, Phil Sutter wrote:
> When trying to flush a non-existent chain, errno gets set in
> nft_xtables_config_load(). That is an unintended side-effect and when
> support for xtables.conf is later removed, iptables-nft will emit the
> generic "Incompatible with th
On Thu, Jul 25, 2019 at 05:19:14PM +0200, Phil Sutter wrote:
> As decided upon at NFWS2019, drop support for configurable nftables base
> chains to use with iptables-nft.
Applied, thanks.
Extract mask from bitwise operation and store it into the corresponding
context register so the cmp instruction can set the mask accordingly.
Signed-off-by: Pablo Neira Ayuso
---
eg. ip saddr 1.2.3.0/24
net/netfilter/nft_bitwise.c | 19 +++
1 file changed, 19 insertions
On Mon, Jul 29, 2019 at 05:58:10PM +0200, Florian Westphal wrote:
> ebtables doesn't include the base chain policies in the rule count,
> so we need to add them manually when we call into the x_tables core
> to allocate space for the compat offset table.
>
> This led syzbot to trigger:
> WARNING:
On Mon, Jul 29, 2019 at 09:33:51PM +0200, Jozsef Kadlecsik wrote:
> Hi Pablo,
>
> Please consider applying the next patches to the nf tree:
>
> - When the support of destination MAC addresses for hash:mac sets was
> introduced, it was forgotten to add the same functionality to hash:ip,mac
> t
ow_bug.cgi?id=1354
> Signed-off-by: Florian Westphal
Acked-by: Pablo Neira Ayuso
Thanks!
On Tue, Jul 23, 2019 at 03:23:11PM +0200, Phil Sutter wrote:
> Eliminate as many bison warnings emitted since bison-3.3 as possible.
> Sadly getting bison, flex and automake right is full of pitfalls so on
> one hand this series does not fix for deprecated %name-prefix statement
> and on the other
needs to be defined
(it could be a structure whose first field specifies the expression
type and a union with the specific fields for this expression,
encapsulated in the TLV).
Pablo Neira Ayuso (2):
parser: add typeof keyword for declarations
src: restore typeof datatype when listin
Add a typeof keyword to automatically use the correct type in set and map
declarations.
table filter {
set blacklist {
typeof ip saddr
}
chain input {
ip saddr @blacklist counter drop
}
}
Signed-off-by: Pablo Neira Ayuso
---
src
int into the buffer is a quick and
dirty hack.
Signed-off-by: Pablo Neira Ayuso
---
include/rule.h | 3 +++
src/mnl.c | 27 +++
src/netlink.c | 9 -
src/rule.c | 9 +++--
4 files changed, 45 insertions(+), 3 deletions(-)
diff --git a/include/rule.
On Tue, Jul 30, 2019 at 04:03:54PM +0200, Phil Sutter wrote:
> Hi Pablo,
>
> On Tue, Jul 30, 2019 at 02:41:06PM +0200, Pablo Neira Ayuso wrote:
> > On Tue, Jul 23, 2019 at 03:23:11PM +0200, Phil Sutter wrote:
> > > Eliminate as many bison warnings emitted since bison-3.3
Hi Chris,
On Mon, Jul 15, 2019 at 11:58:55AM -0400, Chris PeBenito wrote:
[...]
> diff --git a/include/libiptc/libip6tc.h b/include/libiptc/libip6tc.h
> index 9aed80a0..eaf34d65 100644
> --- a/include/libiptc/libip6tc.h
> +++ b/include/libiptc/libip6tc.h
> @@ -12,6 +12,10 @@
> #include
> #inclu
On Tue, Jul 30, 2019 at 04:41:41PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > This is a proof-of-concept.
> >
> > The idea behind this patch is to store the typeof definition
> > so it can be restored when listing it back.
> >
> > Bett
off-by: Laura Garcia Liebana
Signed-off-by: Pablo Neira Ayuso
---
v2: original patch v1 is: "src: fix flush chain cache flag"
do force empty cache when flushing specific table/chain
src/cache.c| 1 -
tests/shell/testcases/cac
On Sat, Jul 27, 2019 at 07:24:24PM +0200, michael-...@fami-braun.de wrote:
[...]
> I used nft list ruleset to generate /etc/nftables.conf. In case too
> few statements are killed, nftables.conf becomes a bit longer but it
> is still correct and parseable although not minimal. In case too
> many sta
On Tue, Jul 30, 2019 at 04:37:31PM +0200, Florian Westphal wrote:
[...]
> diff --git a/include/rule.h b/include/rule.h
> index ee881b9ccd17..dfb6b5482a1c 100644
> --- a/include/rule.h
> +++ b/include/rule.h
> @@ -277,8 +277,7 @@ extern struct rule *rule_lookup_by_index(const struct
> chain *chain,
On Wed, Jul 31, 2019 at 06:39:14PM +0200, Phil Sutter wrote:
@@ -565,6 +574,8 @@ static const struct option options[] = {
> {.name = "counters", .has_arg = false, .val = 'c'},
> {.name = "trace", .has_arg = false, .val = 't'},
> {.name = "event", .has_arg = false, .val = 'e'},
>
-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables_offload.h | 1 +
net/netfilter/nft_immediate.c | 24 +---
2 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/include/net/netfilter/nf_tables_offload.h
b/include/net/netfilter
On Thu, Aug 01, 2019 at 02:02:31PM +0200, Phil Sutter wrote:
> This is a leftover, the file does not exist in fresh clones.
>
> Fixes: 06fd5e46d46f7 ("xtables: Drop support for /etc/xtables.conf")
> Signed-off-by: Phil Sutter
Acked-by: Pablo Neira Ayuso
On Thu, Jul 25, 2019 at 09:33:58PM +0800, we...@ucloud.cn wrote:
> From: wenxu
>
> Currently nft_offload_reg can only be used for match conditions, not
> for actions. Add nft_offload_reg_type so that nft_offload_reg can be
> used for actions as well.
I think this patch provides what
On Thu, Aug 01, 2019 at 02:00:48PM +0200, Phil Sutter wrote:
> On Thu, Aug 01, 2019 at 01:20:50PM +0200, Pablo Neira Ayuso wrote:
> > On Wed, Jul 31, 2019 at 06:39:14PM +0200, Phil Sutter wrote:
> > @@ -565,6 +574,8 @@ static const struct option options[] = {
> > > {.nam
On Thu, Aug 01, 2019 at 02:30:40PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Aug 01, 2019 at 02:00:48PM +0200, Phil Sutter wrote:
> > On Thu, Aug 01, 2019 at 01:20:50PM +0200, Pablo Neira Ayuso wrote:
> > > On Wed, Jul 31, 2019 at 06:39:14PM +0200, Phil Sutter wrote:
>
On Thu, Aug 01, 2019 at 02:41:07PM +0200, Phil Sutter wrote:
> Hi,
>
> On Thu, Aug 01, 2019 at 02:30:40PM +0200, Pablo Neira Ayuso wrote:
> > On Thu, Aug 01, 2019 at 02:00:48PM +0200, Phil Sutter wrote:
[...]
> > I think users will end up using --arp and --bridge for this.
On Thu, Aug 01, 2019 at 02:58:00PM +0200, Phil Sutter wrote:
> On Thu, Aug 01, 2019 at 02:47:38PM +0200, Pablo Neira Ayuso wrote:
> > On Thu, Aug 01, 2019 at 02:41:07PM +0200, Phil Sutter wrote:
> > > Hi,
> > >
> > > On Thu, Aug 01, 2019 at 02:30:40PM +0200,
On Tue, Jul 16, 2019 at 01:22:43PM +0200, Pablo Neira Ayuso wrote:
> On Wed, Jul 10, 2019 at 12:05:59PM +0200, Fernando Fernandez Mancera wrote:
> > After introducing the "mss_encode" field in the synproxy_options struct the field
> > "mss" is a little confusing.
On Mon, Aug 05, 2019 at 09:28:14AM +0200, Michael Braun wrote:
> Currently, there is no vlan information (e.g. when used with a vlan aware
> bridge) passed to userspace, HWHEADER will contain an 08 00 (ip) suffix
> even for tagged ip packets.
>
> Therefore, add an extra netlink attribute that pas
On Mon, Aug 05, 2019 at 11:26:49AM +0200, Pablo Neira Ayuso wrote:
> On Mon, Aug 05, 2019 at 09:28:14AM +0200, Michael Braun wrote:
> > Currently, there is no vlan information (e.g. when used with a vlan aware
> > bridge) passed to userspace, HWHEADER will contain an 08 00 (ip)
On Tue, Jul 30, 2019 at 02:57:18PM +0200, Florian Westphal wrote:
> 'flow offload' expression should not offload flows that will be subject
> to ipsec, but it does.
>
> This results in a connectivity blackhole for the affected flows -- first
> packets will go through (offload happens after establi
On Tue, Jul 30, 2019 at 02:57:19PM +0200, Florian Westphal wrote:
> This makes the previously added 'encap test' pass.
> Because it's possible that the xfrm dst entry becomes stale while such
> a flow is offloaded, we need to call dst_check() -- the notifier that
> handles this for non-tunneled traf
On Mon, Aug 05, 2019 at 12:35:16PM +0200, Florian Westphal wrote:
> Michael Braun wrote:
> > Currently, there is no vlan information (e.g. when used with a vlan aware
> > bridge) passed to userspace, HWHEADER will contain an 08 00 (ip) suffix
> > even for tagged ip packets.
> >
> > Therefore, ad
On Tue, Aug 06, 2019 at 12:29:45PM +0200, Fernando Fernandez Mancera wrote:
> I have been thinking of a way to update a quota object, i.e. raise or lower the
> quota limit of an existing object. I think it would be ideal to implement the
> operations of updating objects in the API in a generic way.
On Tue, Aug 06, 2019 at 05:57:50PM -0700, Dirk Morris wrote:
> On 8/6/19 5:34 PM, Florian Westphal wrote:
>
> >
> > This is unexpected, as the id function is only supposed to be called
> > once the conntrack has been confirmed, at which point all NAT side
> > effects are supposed to be done.
> >
On Wed, Aug 07, 2019 at 08:01:57PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > @Florian: by mangling this patch not to use ct->ext, including Dirk's
> > update, conntrackd works again (remember that bug we discussed during
> > NFWS).
>
> B
Store symbol tables in context object instead.
Signed-off-by: Pablo Neira Ayuso
---
include/ct.h | 3 ++-
include/datatype.h | 4 +---
include/meta.h | 2 --
include/nftables.h | 18 --
src/ct.c | 17 -
src/datatype.c | 16
This object stores the dynamic symbol tables that are loaded from files.
Pass this object to datatype parse functions, although this is not used
yet.
Signed-off-by: Pablo Neira Ayuso
---
include/datatype.h | 14 +++---
include/nftables.h | 8
src/ct.c | 3 ++-
src
On Mon, Aug 05, 2019 at 11:49:17PM +0200, Florian Westphal wrote:
> Calling nft_ctx_new() a second time leaks memory, and calling
> nft_ctx_free a second time -- on a different context -- causes
> double-free.
>
> This patch won't work in case we assume libnftables should be
> thread-safe, in such
On Fri, Aug 02, 2019 at 12:12:06PM +0200, Fernando Fernandez Mancera wrote:
> This patch series introduces the use of variables in chain priority and policy
> specification. It also contains tests for invalid cases.
Series applied, thanks Fernando.
> Closes: https://bugzilla.netfilter.org/show_bu
Hi Brett,
On Tue, Jul 30, 2019 at 08:28:18AM -0400, Brett Mastbergen wrote:
> This change allows map expressions on the left side of comparisons:
>
> nft add rule foo bar ip saddr map @map_a == 22 counter
>
> It also allows map expressions as the left side expression of other
> map expressions:
948336] ---[ end trace cebbb9dcbed3b56f ]---
Fixes: f6ac85858976 ("netfilter: nf_tables: unbind set in rule from commit
path")
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h | 9 +++--
net/netfilter/nf_tables_api.c | 15 ++-
2 files changed, 17
Fixes: ac2a5e23 ("netfilter: add generic flow table infrastructure")
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_flow_table_core.c | 17 ++---
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/net/netfilter/nf_flow_table_core.c
b/net
pport for sending flows
back to the slow path")
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_flow_table_core.c | 34 +-
1 file changed, 25 insertions(+), 9 deletions(-)
diff --git a/net/netfilter/nf_flow_table_core.c
b/net/netfilter/nf_flow_table_co
=10.0.1.1 sport=5201 dport=32826 [OFFLOAD] mark=0
secctx=null use=2
Signed-off-by: Pablo Neira Ayuso
---
conntrack.8 | 4 ++--
include/conntrack.h | 7 ---
include/linux/netfilter/nf_conntrack_common.h | 24
Print [OFFLOAD] tag when listing entries via snprintf() interface.
Signed-off-by: Pablo Neira Ayuso
---
.../linux_nf_conntrack_common.h| 24 --
src/conntrack/snprintf_default.c | 6 --
2 files changed, 26 insertions(+), 4 deletions
Rule that fails to be added while holding a bound set triggers
use-after-free from the abort path.
Signed-off-by: Pablo Neira Ayuso
---
tests/shell/testcases/transactions/0050rule_1 | 17 +
1 file changed, 17 insertions(+)
create mode 100755 tests/shell/testcases/transactions
Move new chain tests for variable priority and policy to chain folder.
Signed-off-by: Pablo Neira Ayuso
---
.../{nft-f/0021priority_variable_0 => chains/0031priority_variable_0} | 0
.../{nft-f/0022priority_variable_0 => chains/0032priority_variable_0} | 0
.../
Refresh it to fetch what we have in 5.3-rc1.
Remove NFT_OSF_F_VERSION definition, this is already available in
include/linux/netfilter/nf_tables.h
Signed-off-by: Pablo Neira Ayuso
---
include/linux/netfilter/nf_tables.h | 21 +
include/osf.h | 2 --
2
On Fri, Aug 02, 2019 at 09:12:33AM +0200, Ander Juaristi wrote:
> diff --git a/include/net/netfilter/nf_tables.h
> b/include/net/netfilter/nf_tables.h
> index 9b624566b82d..f635b9c2e221 100644
> --- a/include/net/netfilter/nf_tables.h
> +++ b/include/net/netfilter/nf_tables.h
> @@ -2,6 +2,7 @@
>
Rule that fails to be added while holding a bound set triggers
use-after-free from the abort path.
Signed-off-by: Pablo Neira Ayuso
---
v2: This one reproduces the crash here.
tests/shell/testcases/transactions/0050rule_1 | 19 +++
1 file changed, 19 insertions(+)
create mode
On Sun, Aug 11, 2019 at 12:16:03PM +0200, michael-...@fami-braun.de wrote:
> From: "M. Braun"
>
> This fixes
>
> ERROR: did not find JSON equivalent for rule 'ether type vlan ip
> protocol 1 accept'
>
> when running
>
> ./nft-test.py -j bridge/vlan.t
Applied, thanks.
inconsistent to the user for a connection
that is actually already closed.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nft_flow_offload.c | 8 +---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c
index
On Mon, Aug 12, 2019 at 01:40:04PM +0200, Florian Westphal wrote:
> seen during boot:
> BUG: spinlock bad magic on CPU#2, swapper/0/1
> lock: nf_connlabels_lock+0x0/0x60, .magic: , .owner: /-1,
> .owner_cpu: 0
> Call Trace:
> do_raw_spin_lock+0x14e/0x1b0
> nf_connlabels_get+0x15/0x40
>
On Fri, Aug 02, 2019 at 09:29:23AM +0200, Ander Juaristi wrote:
> Signed-off-by: Ander Juaristi
> ---
> include/linux/netfilter/nf_tables.h | 6 ++
> src/expr/meta.c | 5 -
This looks good.
Please, in your next round, add the prefix to tell what tree this is
for. I in
inconsistent to the user for a connection
that is actually already closed.
Signed-off-by: Pablo Neira Ayuso
---
v2: use skb_header_pointer() - Eric Dumazet.
net/netfilter/nft_flow_offload.c | 9 ++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/net/netfilter
On Thu, Aug 08, 2019 at 01:57:51PM -0700, Dirk Morris wrote:
> Change ct id hash calculation to only use invariants.
>
> Currently the ct id hash calculation is based on some fields that can
> change in the lifetime on a conntrack entry in some corner cases. The
> current hash uses the whole tuple
On Thu, Aug 01, 2019 at 10:01:22PM +0800, we...@ucloud.cn wrote:
> From: wenxu
>
> Add two new NFT_TUNNEL_SRC/DST_IP matches in nft_tunnel
>
> Signed-off-by: wenxu
> ---
> v3: no change
>
> include/uapi/linux/netfilter/nf_tables.h | 2 ++
> net/netfilter/nft_tunnel.c | 46
>
On Tue, Aug 13, 2019 at 08:38:19PM +0200, Ander Juaristi wrote:
[...]
> diff --git a/include/net/netfilter/nf_tables.h
> b/include/net/netfilter/nf_tables.h
> index 9b624566b82d..aa33ada8728a 100644
> --- a/include/net/netfilter/nf_tables.h
> +++ b/include/net/netfilter/nf_tables.h
> @@ -2,6 +2,7
Just a few nitpicks and we go :-)
On Tue, Aug 13, 2019 at 08:38:20PM +0200, Ander Juaristi wrote:
> diff --git a/include/uapi/linux/netfilter/nf_tables.h
> b/include/uapi/linux/netfilter/nf_tables.h
> index 82abaa183fc3..67ae55e08518 100644
> --- a/include/uapi/linux/netfilter/nf_tables.h
> +++ b
On Tue, Aug 13, 2019 at 08:44:06PM +0200, Florian Westphal wrote:
> table bla {
> chain foo { }
> chain bar { jump foo }
> }
> }
>
> Fails to restore on big-endian platforms:
> jump.nft:5:2-9: Error: Could not process rule: No such file or directory
> jump foo
>
> nft passes a 0-length name
On Tue, Aug 13, 2019 at 08:44:07PM +0200, Florian Westphal wrote:
> tests/shell/testcases/flowtable/0001flowtable_0
> tests/shell/testcases/nft-f/0008split_tables_0
> fail the 'dump compare' on s390x.
> The priority (10) turns to 0, and accept turned to drop.
>
> Problem is that '$1' is a 64bit va
> overrun the tiny buffer size set due to this bug.
>
> Fixes: 89c82c261bb5 ("mnl: estimate receiver buffer size")
> Signed-off-by: Florian Westphal
Acked-by: Pablo Neira Ayuso
On Tue, Aug 13, 2019 at 08:44:09PM +0200, Florian Westphal wrote:
> tests/shell/testcases/transactions/0049huge_0
>
> still fails with ENOBUFS error after endian fix done in
> previous patch. It's enough to increase the scale factor (4)
> on s390x, but rather than continue with these "guess the pr
On Tue, Aug 13, 2019 at 09:34:39PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > > char chain[NFT_CHAIN_MAXNAMELEN];
> >
> > Probably:
> >
> > char chain[NFT_CHAIN_MAXNAMELEN + 1] = {};
>
>
> > to ensure space f
On Tue, Aug 13, 2019 at 09:36:29PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > > diff --git a/src/mnl.c b/src/mnl.c
> > > index 97a2e0765189..0c7a4c1fa63f 100644
> > > --- a/src/mnl.c
> > > +++ b/src/mnl.c
> > > @@ -311,6 +311
Get this header in sync with 5.3-rc1.
Signed-off-by: Pablo Neira Ayuso
---
include/linux/netfilter/nf_tables.h | 124
1 file changed, 82 insertions(+), 42 deletions(-)
diff --git a/include/linux/netfilter/nf_tables.h
b/include/linux/netfilter/nf_tables.h
Just pushed out this so you don't have to bother with this in your
next patchset for libnftnl :-)
http://git.netfilter.org/libnftnl/commit/?id=239fabea9a436aaa7b787f389d80dfb57f7b893c
On Fri, Jul 05, 2019 at 09:16:35PM +0800, we...@ucloud.cn wrote:
> From: wenxu
>
> nft add table bridge firewall
> nft add chain bridge firewall zones { type filter hook prerouting priority -
> 300 \; }
> nft add rule bridge firewall zones counter ct zone set vlan id map { 100 : 1,
> 200 : 2 }
l_nft_socket_sendmsg() hits ENOBUFS if we ever hit this problem again.
>
> v2: call setsockopt unconditionally, then increase on error.
>
> Signed-off-by: Florian Westphal
Acked-by: Pablo Neira Ayuso
0f154c78 ("src: invalid read when importing chain name")
> Signed-off-by: Florian Westphal
Acked-by: Pablo Neira Ayuso
51b2351 ("src: allow variables in the chain priority
> specification")
> Fixes: dba4a9b4b5fe ("src: allow variable in chain policy")
> Signed-off-by: Florian Westphal
Acked-by: Pablo Neira Ayuso
Hi Jeremy,
On Wed, Aug 14, 2019 at 06:05:49AM +0800, kbuild test robot wrote:
> tree:
> https://kernel.googlesource.com/pub/scm/linux/kernel/git/pablo/nf-next.git
> master
> head: 105333435b4f3b21ffc325f32fae17719310db64
> commit: 2a475c409fe81a76fb26a6b023509d648237bbe6 [14/17] kbuild: remo
On Wed, Aug 14, 2019 at 02:59:36PM +0800, we...@ucloud.cn wrote:
> From: wenxu
>
> This can match the pvid and vlan_proto of ibr
This allows you to match the bridge pvid and vlan protocol, for
instance:
> nft add rule bridge firewall zones meta ibrvproto 0x8100
> nft add rule bridge firewal
On Wed, Aug 14, 2019 at 03:54:03PM +0800, wenxu wrote:
>
> On 8/14/2019 2:19 AM, Pablo Neira Ayuso wrote:
> > On Thu, Aug 01, 2019 at 10:01:22PM +0800, we...@ucloud.cn wrote:
> >> From: wenxu
> >>
> >> Add two new NFT_TUNNEL_SRC/DST_IP matches in nf
On Tue, Aug 13, 2019 at 08:58:49AM +0200, Ander Juaristi wrote:
> This patch implements the delete operation from the ruleset.
>
> It implements a new delete() function in nft_set_rhash. It is simpler
> to use than the already existing remove(), because it only takes the set
> and the key as argum
On Wed, Aug 14, 2019 at 10:00:37AM +0200, Pablo Neira Ayuso wrote:
[...]
> > >> @@ -86,6 +110,8 @@ static int nft_tunnel_get_init(const struct nft_ctx
> > >> *ctx,
> > >> len = sizeof(u8);
> > >> break;
> >