Re: Proposal: rename of arptables.git and ebtables.git

2018-12-04 Thread Jan Engelhardt
On Tuesday 2018-12-04 11:57, Pablo Neira Ayuso wrote: >On Tue, Dec 04, 2018 at 11:50:46AM +0100, Arturo Borrero Gonzalez wrote: >> On 11/28/18 2:10 PM, Arturo Borrero Gonzalez wrote: >> > On 11/28/18 1:44 PM, Arturo Borrero Gonzalez wrote: >> >> Hi, >> >> >> >> Now that the iptables.git repo

Re: iptables configure ignore "--disable-silent-rules"

2018-11-27 Thread Jan Engelhardt
On Tuesday 2018-11-27 12:56, Rolf Eike Beer wrote: >Hi, > >it seems to me that "--disable-silent-rules" has no effect on iptables >configure, i.e. I still have to pass V=1 to make to see what it is actually >doing. This is expected because automake is not used in every directory. But V=1 is

Re: [PATCH] doc: grammar fixes

2018-11-13 Thread Jan Engelhardt
On Tuesday 2018-11-13 12:18, Pablo Neira Ayuso wrote: >Looks good, may I include your Signed-off-by tag? Oh yeah, this is "kernel land" where it's needed ;-) Please also consider folding in Stefano's comment about one "an". Signed-off-by: Jan Engelhardt >On Tue,

[PATCH] doc: grammar fixes

2018-11-13 Thread Jan Engelhardt
--- Additional fixes on top of V. Skyttä's patch: lots of "a", "the", etc. missing, wrong prepositions addressed. Contractions are expanded for better writing style. doc/data-types.txt | 6 +- doc/libnftables-json.adoc | 145 +++-- doc/libnftables.adoc

Re: [PATCH xtables] xtables-nft: make -Z option work

2018-11-05 Thread Jan Engelhardt
On Monday 2018-11-05 10:55, Pablo Neira Ayuso wrote: >On Mon, Nov 05, 2018 at 10:44:20AM +0100, Florian Westphal wrote: >> -Z doesn't just zero base counters, it zeroes out all rule >> counters, or, optionally, all counters of a chain (-Z FOO). > >Looks good. > >But I think we need to extend this

Re: [iptables PATCH] xtables: Fix for deleting rules with comment

2018-08-28 Thread Jan Engelhardt
On Tuesday 2018-08-28 10:26, Phil Sutter wrote: >+++ b/iptables/tests/shell/testcases/nft-only/0003delete-with-comment_0 >@@ -0,0 +1,10 @@ >+#!/bin/sh >+ >+set -e >+ >+[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } [[ is not sh-compatible. Either #!/bin/bash or [

Re: [iptables] extensions: add support for 'SEG6' target

2018-08-16 Thread Jan Engelhardt
On Thursday 2018-08-16 16:52, Ahmed Abdelsalam wrote: >--- > extensions/libip6t_SEG6.c| 154 +++ > include/linux/netfilter_ipv6/ip6t_SEG6.h | 22 + >+#include I think this should be libxt_SEG6.c, linux/netfilter/xt_SEG6.h, as there is not really

Re: nft equivalent of -m time

2018-08-13 Thread Jan Engelhardt
On Monday 2018-08-13 19:34, Neal P. Murphy wrote: > >I changed Smoothwall Express to use -m time 4 years ago, and corrected a >couple bugs shortly after. In short, > - Set the BIOS clock to local time (the BIOS clock is for humans anyway). > - Run a modern ntpd to keep the system clock

Re: nft equivalent of -m time

2018-08-13 Thread Jan Engelhardt
On Monday 2018-08-13 13:03, Florian Westphal wrote: >Jan Engelhardt wrote: >> On Sunday 2018-08-12 23:05, Florian Westphal wrote: >> >> >Neal P. Murphy wrote: >> >> Does nftables have an equivalent of iptables' "-m time"? >> > >>

Re: nft equivalent of -m time

2018-08-13 Thread Jan Engelhardt
On Sunday 2018-08-12 23:05, Florian Westphal wrote: >Neal P. Murphy wrote: >> Does nftables have an equivalent of iptables' "-m time"? > >-m time is problematic (kernel has no idea what a timezone is). The kernel certainly does have a timezone (if only a limited understanding how to use it). In

Re: [PATCH 1/3 nf-next v2] netfilter: nf_osf: rename nf_osf.c to nfnetlink_osf.c

2018-07-30 Thread Jan Engelhardt
On Monday 2018-07-30 14:23, Pablo Neira Ayuso wrote: > >Right, but we cannot assume users use iptables, they may develop their >own applications based on our binary interface. But if iptables does the file copy, and nftables does the same copy, then by that pattern, all applications, his own

Re: [iptables PATCH 03/23] xtables: Use correct built-in chain count

2018-07-27 Thread Jan Engelhardt
On Friday 2018-07-27 00:22, Phil Sutter wrote: >In nft_chain_builtin_init(), The wrong macro was used for iterating over >the built-in chains of a given table. That array's length is defined >using NF_INET_NUMHOOKS, not NF_IP_NUMHOOKS. Though this change is rather >cosmetic since both macros

Re: [PATCH 1/3 nf-next v2] netfilter: nf_osf: rename nf_osf.c to nfnetlink_osf.c

2018-07-23 Thread Jan Engelhardt
On Monday 2018-07-23 12:06, Pablo Neira Ayuso wrote: >On Fri, Jul 20, 2018 at 04:41:11PM +0200, Fernando Fernandez Mancera wrote: >> Rename nf_osf.c to nfnetlink_osf.c as we introduce nfnetlink_osf which is >> the OSF infrastructure. >> >> Signed-off-by: Fernando Fernandez Mancera >> --- >>

Re: [ANNOUNCE] iptables 1.8.0 release

2018-07-10 Thread Jan Engelhardt
On Friday 2018-07-06 11:32, Florian Westphal wrote: >iptables 1.8 > >This release introduces a more prominent distinction between the >'classic' iptables and 'new' iptables front-end that internally uses the >nf_tables API to talk to the kernel. > >legacy commandline tools:

Re: [PATCH 2/6] build: rename sed source files to .in

2018-07-02 Thread Jan Engelhardt
On Friday 2018-06-29 12:36, Florian Westphal wrote: > >My only concern is someone complaining/asking where the ebt_foo.so files >went. That's an easy part. — The hard part is conveying to, and convincing distro people that certain *new* files need to be in certain subpackages of theirs... ;-)

Re: [PATCH 2/6] build: rename sed source files to .in

2018-06-29 Thread Jan Engelhardt
On Friday 2018-06-29 12:11, Pablo Neira Ayuso wrote: >On Fri, Jun 29, 2018 at 12:05:12PM +0200, Jan Engelhardt wrote: >> So does that mean we're not going to address the build failure >> experienced by Duncan Roe and the tomato project? > >I think we agreed the proble

Re: [PATCH 2/6] build: rename sed source files to .in

2018-06-29 Thread Jan Engelhardt
On Friday 2018-06-29 11:45, Florian Westphal wrote: > >Yes, thanks for clarifying. I poorly worded my first reply about >integrating ebtables, I was only talking about >ebtables-using-nf_netlink. > >[...] So I'm leaning towards not applying this, sorry. So does that mean we're not going to

Re: [PATCH 2/6] build: rename sed source files to .in

2018-06-29 Thread Jan Engelhardt
On Friday 2018-06-29 11:19, Pablo Neira Ayuso wrote: >Not sure this is worth this change. > >I would prefer conversion to autotools is just as transparent as >possible. And that means what exactly, splitting the patch to that effect? >Having said this, as Florian mentioned already, modernizing

Re: [PATCH 2/6] build: rename sed source files to .in

2018-06-29 Thread Jan Engelhardt
On Thursday 2018-06-28 22:43, Florian Westphal wrote: >Jan Engelhardt wrote: >> Prepare for autoconf-based substitution of macros in the file. > >It breaks make install. > >Not a big deal, after pulling whole series make seems to create >a static build by default, make

Re: [PATCH 1/2] iptables: tests: shell: Add README

2018-06-28 Thread Jan Engelhardt
On Thursday 2018-06-28 11:35, Arushi Singhal wrote: >README added > >Signed-off-by: Arushi Singhal >--- > iptables/tests/shell/README | 20 > 1 file changed, 20 insertions(+) > create mode 100644 iptables/tests/shell/README > >diff --git a/iptables/tests/shell/README

[PATCH] doc: fix some spellos and the dash escape

2018-06-27 Thread Jan Engelhardt
Commands, options, filenames, and possibly references to other manpages, should always use the minus. (Important for copy-n-paste and e.g. following manpage links.) Everything else can do with the dash. --- iptables/xtables-legacy.8 | 22 +++--- iptables/xtables-nft.8| 60

Re: ebtables: modernize build

2018-06-27 Thread Jan Engelhardt
On Thursday 2018-06-28 00:08, Florian Westphal wrote: >Jan Engelhardt wrote: >> >> The following changes since commit 56993546c80576986930f9bae7ae4ba744b1e508: >> >> extensions: fix build failure on fc28 (2018-06-06 14:22:25 +0200) >> >>

Re: [PATCH xtables 1/3] xtables: rename xt-multi binaries to -nft, -legacy

2018-06-27 Thread Jan Engelhardt
On Wednesday 2018-06-27 13:33, Florian Westphal wrote: >This adds a clear distinction between old iptables (formerly >xtables-multi, now xtables-legacy-multi) and new iptables >(formerly xtables-compat-multi, now xtables-nft-multi). > >Users will get the ip/ip6tables names via symbolic links,

[PATCH 6/6] build: move to automake

2018-06-27 Thread Jan Engelhardt
--- .gitignore| 23 +- INSTALL | 71 ++--- Makefile | 214 -- Makefile.am | 76 ++ autogen.sh| 4 + configure.ac | 23 ++ m4/.gitignore | 2 + 7 files changed, 149 insertions(+), 264

[PATCH 3/6] build: use autoconf-style placeholders in sed-ed files

2018-06-27 Thread Jan Engelhardt
--- Makefile | 8 ebtables-save.in | 2 +- ebtables.8.in| 6 +++--- ebtables.sysv.in | 38 +++--- 4 files changed, 27 insertions(+), 27 deletions(-) diff --git a/Makefile b/Makefile index d0a12d6..7c70db0 100644 --- a/Makefile +++

[PATCH 4/6] extensions: use __attribute__((constructor)) for autoregistration

2018-06-27 Thread Jan Engelhardt
The ebtables initialization is easier, and, judging from the "static" recipe in Makefile, calling ebt_*_register ahead of main is safe. This means that a static build won't need the pseudomain hack, and that -nostartfiles can also go away. --- Makefile| 34

[PATCH 5/6] Add .gitignore

2018-06-27 Thread Jan Engelhardt
--- .gitignore | 7 +++ 1 file changed, 7 insertions(+) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 000..d2fc36e --- /dev/null +++ b/.gitignore @@ -0,0 +1,7 @@ +*.o +*.so +/ebtables +/ebtables-restore +/ebtablesd +/ebtablesu +/static --

[PATCH 2/6] build: rename sed source files to .in

2018-06-27 Thread Jan Engelhardt
Prepare for autoconf-based substitution of macros in the file. --- Makefile | 14 +++--- ebtables-config => ebtables-config.in | 0 ebtables-save => ebtables-save.in | 0 ebtables.8 => ebtables.8.in | 0 ebtables.sysv => ebtables.sysv.in |

[PATCH 1/6] build: drop install -o/-g root

2018-06-27 Thread Jan Engelhardt
Calling /usr/bin/install with -o/-g will attempt to chown, and fail if unsuccessful, which makes an unprivileged install with DESTDIR a futile attempt always. Drop it, because /usr/bin/install chowns to the current running user *anyway*, which means when root calls `make install`, it will do the

ebtables: modernize build

2018-06-27 Thread Jan Engelhardt
to 21bd17f272b4e31fa5ef53dbd0620bd16873eb96: build: move to automake (2018-06-27 11:42:22 +0200) Jan Engelhardt (6): build: drop install -o/-g root build: rename sed source files to .in build: use autoconf-style placeholders in sed-ed files

Re: [PATCH] build: abandon KERNEL_INCLUDES variable

2018-06-26 Thread Jan Engelhardt
On Tuesday 2018-06-26 11:03, Máté Eckl wrote: >Isn't that an option to add these includes to CFLAGS variable? So that it would >be less redundant. Yes and no... No, because CFLAGS -- at least in the automake world, which I know ebtables is far from, but let's go with the thought anyway --

Re: [PATCH] ebtables: Use double quotes in #include statements for local headers

2018-06-25 Thread Jan Engelhardt
On Monday 2018-06-25 04:51, Duncan Roe wrote: > >With gcc configured as a cross-compiler, we now have a documented and >reproducible case where the use of angle brackets forces the use of headers in >system locations [...] >To reproduce: if necessary run up a Debian or Ubuntu VM (I used Ubuntu

Re: [nft PATCH] Makefile: Introduce Make_global.am

2018-06-25 Thread Jan Engelhardt
On Thursday 2018-06-21 20:00, Phil Sutter wrote: >On Thu, Jun 21, 2018 at 07:35:18PM +0200, Jan Engelhardt wrote: >> On Thursday 2018-06-21 17:05, Phil Sutter wrote: >> >> >> >+# This is _NOT_ the library release version, it's an API version. >> >>

Re: [nft PATCH] Makefile: Introduce Make_global.am

2018-06-21 Thread Jan Engelhardt
On Thursday 2018-06-21 17:05, Phil Sutter wrote: >> >> >+# This is _NOT_ the library release version, it's an API version. >> >> >+# Extracted from Chapter 6 "Library interface versions" of the libtool >> >> >docs. >> >> >> >> I don't know if this chapter 6 reference blurb really helps; >> >>

Re: [nft PATCH] Makefile: Introduce Make_global.am

2018-06-19 Thread Jan Engelhardt
On Monday 2018-06-18 12:30, Phil Sutter wrote: >> >Analogous to libnftnl's build system, define libnftables interface >> >version in a variable in Make_global.am. >> >+# This is _NOT_ the library release version, it's an API version. >> >+# Extracted from Chapter 6 "Library interface versions"

Re: [PATCH nft 8/8] doc: fix make distcheck

2018-06-18 Thread Jan Engelhardt
On Monday 2018-06-18 13:51, Eric Leblond wrote: >diff --git a/doc/Makefile.am b/doc/Makefile.am >index 9796d34..1ec3b3e 100644 >--- a/doc/Makefile.am >+++ b/doc/Makefile.am >@@ -9,19 +9,19 @@ endif > pdfdir=${docdir}/pdf > > .xml.pdf: >- ${AM_V_GEN}dblatex -q -t pdf -o $@ $< >+

Re: [nft PATCH] Makefile: Introduce Make_global.am

2018-06-18 Thread Jan Engelhardt
On Monday 2018-06-18 10:43, Phil Sutter wrote: >Analogous to libnftnl's build system, define libnftables interface >version in a variable in Make_global.am. > >Suggested-by: Pablo Neira Ayuso >Signed-off-by: Phil Sutter >--- > Make_global.am | 21 + > src/Makefile.am | 4

Re: [PATCH] build: update ebtables.h from kernel and drop local unused copy

2018-06-06 Thread Jan Engelhardt
On Wednesday 2018-06-06 13:40, Pablo Neira Ayuso wrote: >On Wed, Jun 06, 2018 at 01:36:25PM +0200, Jan Engelhardt wrote: >> Revert 66a97018a31eed416c6a25d051ea172e4d65be1b partly so as to use >> again and import a new ebtables.h >> from the kernel tree that has

[PATCH] build: update ebtables.h from kernel and drop local unused copy

2018-06-06 Thread Jan Engelhardt
Revert 66a97018a31eed416c6a25d051ea172e4d65be1b partly so as to use again and import a new ebtables.h from the kernel tree that has the "revision" field. With this, include/ebtables.h is (again) used by no source file, and so can be removed. Signed-off-by: Jan Engelhardt --

Re: [PATCH] iptables src: Use double quotes in #includes for local headers

2018-06-06 Thread Jan Engelhardt
On Wednesday 2018-06-06 09:45, Duncan Roe wrote: > >ebtables would not build on my system and I submitted a patch to fix that which >was accepted as commit 66a97018a31eed416c6a25d051ea172e4d65be1b. Well then let's start there. "" The cause of this failure is that the commit updated

Re: [PATCH] iptables src: Use double quotes in #includes for local headers

2018-06-05 Thread Jan Engelhardt
On Tuesday 2018-06-05 20:04, Duncan Roe wrote: >diff --git a/include/ip6tables.h b/include/ip6tables.h >index 5f1c5b6..d95953e 100644 >--- a/include/ip6tables.h >+++ b/include/ip6tables.h >@@ -2,8 +2,8 @@ > #define _IP6TABLES_USER_H > > #include >-#include >-#include >+#include "xtables.h"

Re: [PATCH v2] libmnl src: Use double quotes in #includes for non-system headers

2018-06-05 Thread Jan Engelhardt
On Tuesday 2018-06-05 08:20, Duncan Roe wrote: >libmnl carries a private copy of a number of system headers. These were mostly >still being included with angle brackets as though they were system headers. These headers are willingly used in exactly that context: they are system headers, just at

Re: [PATCH] src: Use double quotes in include statements for non-system headers

2018-06-04 Thread Jan Engelhardt
On Monday 2018-06-04 09:03, Máté Eckl wrote: >On Sun, May 27, 2018 at 02:54:11PM +1000, Duncan Roe wrote: >> ebtables carries a private copy of some system headers provided by the >> linux-headers package. These were mostly still being included with angle >> brackets as though they were system

Re: [PATCH v2] netfilter: properly initialize xt_table_info structure

2018-05-17 Thread Jan Engelhardt
On Thursday 2018-05-17 12:09, Greg Kroah-Hartman wrote: >> > --- a/net/netfilter/x_tables.c >> > +++ b/net/netfilter/x_tables.c >> > @@ -1183,11 +1183,10 @@ struct xt_table_info *xt_alloc_table_info(unsigned >> > int size) >> > * than shoot all processes down before realizing there is

Re: [PATCH][PING] Hide private symbols in libnfnetlink

2018-05-03 Thread Jan Engelhardt
On Thursday 2018-05-03 17:03, Yuri Gribov wrote: >Hi all, > >Here's the updated version of the patch. > >diff --git a/src/Makefile.am b/src/Makefile.am >index d0098cc..d91c9f7 100644 >--- a/src/Makefile.am >+++ b/src/Makefile.am >@@ -3,7 +3,8 @@ include $(top_srcdir)/Make_global.am >

Re: [RFC][PATCH] Hide private symbols in libnfnetlink

2018-04-28 Thread Jan Engelhardt
On Saturday 2018-04-28 10:28, Yuri Gribov wrote: >>> AM_CPPFLAGS = -I$(top_srcdir)/include >>>-AM_CFLAGS = -Wall >>>+AM_CFLAGS = -Wall @VISFLAGS@ >> >> Only use @@ in .am files when you must (like, left-hand sides). >> Otherwise, just ${VISFLAGS}. > >Ok, thanks. LDSFLAGS probably have to keep using

Re: [RFC][PATCH] Hide private symbols in libnfnetlink

2018-04-28 Thread Jan Engelhardt
On Saturday 2018-04-28 00:29, Yuri Gribov wrote: >--- a/Make_global.am >+++ b/Make_global.am >@@ -5,4 +5,4 @@ > LIBVERSION=2:0:2 > > AM_CPPFLAGS = -I$(top_srcdir)/include >-AM_CFLAGS = -Wall >+AM_CFLAGS = -Wall @VISFLAGS@ Only use @@ in .am files when you must (like, left-hand sides).

Re: [nf-next PATCH] net: nftables: Make rule position deterministic

2018-04-20 Thread Jan Engelhardt
On Friday 2018-04-20 10:47, Pablo Neira Ayuso wrote: >> -if ((event != NFT_MSG_DELRULE) && (rule->list.prev != >rules)) { >> -prule = list_prev_entry(rule, list); >> -if (nla_put_be64(skb, NFTA_RULE_POSITION, >> - cpu_to_be64(prule->handle),

Re: [PATCH nf-next] netfilter: nf_tables: support timeouts larger than 23 days

2018-04-16 Thread Jan Engelhardt
On Monday 2018-04-16 18:04, Florian Westphal wrote: >+ u64 max = (u64)(~((u64)0)); >+ max = div_u64(max, NSEC_PER_MSEC); >+ if (ms >= max) Why opencode, is there a problem with UINT64_MAX? Just this: u64 max = div_u64(UINT64_MAX, NSEC_PER_MSEC); -- To unsubscribe from

Re: ipset 6.37

2018-04-10 Thread Jan Engelhardt
>commit 516600858cb54906fb728d04e5edf1131ee7b3b2 >Author: Jozsef Kadlecsik >Date: Tue Apr 10 20:48:35 2018 +0200 > >Fix parsing service names for ports > >Parsing is attempted both for numbers and service names and >the temporary stored error message

Re: [PATCH 1/2 conntrackd] src: add ARRAY_SIZE definition

2018-03-20 Thread Jan Engelhardt
On Tuesday 2018-03-20 12:47, Pablo Neira Ayuso wrote: >Signed-off-by: Pablo Neira Ayuso >--- > include/conntrackd.h | 4 > include/helper.h | 2 -- > 2 files changed, 4 insertions(+), 2 deletions(-) > >diff --git a/include/conntrackd.h b/include/conntrackd.h >index

Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-19 Thread Jan Engelhardt
On Monday 2018-02-19 16:32, David Miller wrote: >From: Harald Welte >Date: Mon, 19 Feb 2018 16:23:21 +0100 > >> Also, as long as legacy ip_tables/x_tables is still in the kernel, you >> can still run your old userspace against that old implementation in the >> kernel. >

Re: [PATCH net] netfilter: xt_hashlimit: do not allow empty names

2018-02-02 Thread Jan Engelhardt
On Friday 2018-02-02 12:55, Pablo Neira Ayuso wrote: >On Fri, Feb 02, 2018 at 12:49:38PM +0100, Pablo Neira Ayuso wrote: >[...] >> bool net_valid_name(const char *name, size_t len) >> { >> ... >> } > >Am I missing anything in all these tricky string handling? Thanks! One will have to

Re: [netfilter-core] kernel panic: Out of memory and no killable processes... (2)

2018-01-29 Thread Jan Engelhardt
On Monday 2018-01-29 17:57, Florian Westphal wrote: >> > > vmalloc() once became killable by commit 5d17a73a2ebeb8d1 ("vmalloc: back >> > > off when the current task is killed") but then became unkillable by >> > > commit >> > > b8c8a338f75e052d ("Revert "vmalloc: back off when the current task

[PATCH] build: do install libipset/args.h

2018-01-22 Thread Jan Engelhardt
libipset/types.h includes args.h, therefore args.h must be installed too. Signed-off-by: Jan Engelhardt <jeng...@inai.de> --- include/libipset/Makefile.am | 1 + 1 file changed, 1 insertion(+) diff --git a/include/libipset/Makefile.am b/include/libipset/Makefile.am index 3b47518..79a1357

Re: [ANNOUNCE] nftables 0.8.1 release

2018-01-16 Thread Jan Engelhardt
>nftables 0.8.1 > >This release contains mostly incremental fixes and documentation >updates, such as fixing up ./configure --with-mini-gmp for embedded >setups that don't have libgmp. Why is this now installing a libnftables.pc file when there is no library or headers to go with it?

Re: [xtables-addons][PATCH 0/2] Compatibility fixes for linux 4.14 and 4.15

2018-01-04 Thread Jan Engelhardt
On Thursday 2018-01-04 18:50, Marcelo Henrique Cerri wrote: >The following patches fix the build against 4.14 and 4.15 kernels. Added.

Re: [nft PATCH] Make libnftables a local static library

2017-11-30 Thread Jan Engelhardt
On Thursday 2017-11-30 18:11, Phil Sutter wrote: >This changes Makefiles so that libnftables is built into a static >library which is not installed. This allows for incompatible changes >while still providing a library to link to for testing purposes. > >diff --git a/src/Makefile.am

Re: [RFC]: Is there any reason libnetfilter_queue 1.0.3 is not released yet?

2017-11-13 Thread Jan Engelhardt
On Monday 2017-11-13 16:21, Pablo Neira Ayuso wrote: >On Mon, Nov 13, 2017 at 05:54:06PM +1100, Duncan Roe wrote: >> The nftables Wiki page >> https://wiki.nftables.org/wiki-nftables/index.php/Queueing_to_userspace >> refers >> to using nfqnl_test with its numeric queue argument, but this only

Re: [ANNOUNCE] libnftnl 1.0.8 release

2017-10-12 Thread Jan Engelhardt
On Friday 2017-10-13 01:41, Pablo Neira Ayuso wrote: > >libnftnl 1.0.8 Here's a buffer overflow reported by gcc: expr/data_reg.c: In function 'nftnl_data_reg_json_parse': expr/data_reg.c:69:27: warning: '%d' directive writing between 1 and 10 bytes into a region of size 2

Re: [ulog2 PATCH] Non-arbitrary malloc for SQL queries + string length limit

2017-09-22 Thread Jan Engelhardt
On Thursday 2017-09-21 19:00, Jean Weisbuch wrote: > >   - For strings, SQL_STRINGSIZE now defines the max length of values (before > being escaped), longer values will be truncated and the double of > SQL_STRINGSIZE is allocated in case all characters would have to be escaped > > I am not sure

Re: netfilter: xt_bpf: ABI issue in xt_bpf_info_v1?

2017-09-13 Thread Jan Engelhardt
On Wednesday 2017-09-13 15:24, Shmulik Ladkani wrote: > >One way to fix is to have iptables open the object (using the stored >xt_bpf_info_v1->path), gaining a new process local fd for the object, >just after getting the rules from IPT_SO_GET_ENTRIES. >However we didn't see any other extensions

Re: [nft PATCH RFC] Convert man page source to asciidoc

2017-09-06 Thread Jan Engelhardt
On Wednesday 2017-09-06 16:02, Phil Sutter wrote: >> Knowing that, people just avoid them most of the time for groff - and if I >> may >> say so, it has not reduced the document quality. > >Right now, nft.8 makes extensive use of tables which is why I considered >proper table support an

Re: [nft PATCH RFC] Convert man page source to asciidoc

2017-09-06 Thread Jan Engelhardt
On Wednesday 2017-09-06 13:58, Phil Sutter wrote: > >Regarding reStructuredText, did you look at how tables are written >there? If not, see here[2]. I really think that speaks for itself. Markup is the least problem. Tables, when rendered, have a tendency to quickly grow too large for the

Re: [nft PATCH RFC] Convert man page source to asciidoc

2017-09-06 Thread Jan Engelhardt
On Wednesday 2017-09-06 11:56, Arturo Borrero Gonzalez wrote: > >Regarding the separation of text in different includes, why not creating >different manpages? Netfilter did this in the past with iptables(8) and >iptables-extensions(8). The split into iptables-extensions.8 happened not because of

Re: [PATCH] netfilter: xt_TEE: Fix potential deadlock when TEE target is inserted

2017-09-03 Thread Jan Engelhardt
On Sunday 2017-09-03 16:30, Taehee Yoo wrote: >When xt_TEE target is inserted, lockdep warns about possible >DEADLOCK situation. To avoid a deadlock situation, >the register_netdevice_notifier() should be called by only the init routine. > >+#include > > struct xt_tee_tginfo { > union

Re: [nft PATH 01/16] libnftables: introduce library

2017-08-19 Thread Jan Engelhardt
On Saturday 2017-08-19 10:43, Eric Leblond wrote: >>> Hence I defined a global init and deinit. But maybe it does not >>> really make sense and could be attached to each context or init >>> could be done at first usage. >> >> My idea was to implement simple reference counting to see whether >>

Re: RFC: Synopsis syntax change in nft.8

2017-08-10 Thread Jan Engelhardt
On Friday 2017-08-11 00:44, Jan Engelhardt wrote: >Some history for the mail archives: {} is not specified, but follows from >prominent use of | inside [] and the desire to have some kind of grouping for >non-optional things. I will — cautiously — claim that {} was an idea of mine >

Re: RFC: Synopsis syntax change in nft.8

2017-08-10 Thread Jan Engelhardt
On Thursday 2017-08-10 20:29, Phil Sutter wrote: > >With no prior knowledge of how this syntax works, we start parsing the >line from left to right and find out that something like: > >| {foo | bar} > >probably means "either 'foo' or 'bar'", no big deal. Next comes 'table' in >bold font. What does

Re: [netfilter-core] Heap overflow in xt_geoip.c

2017-06-25 Thread Jan Engelhardt
On Wednesday 2017-06-21 18:16, Pablo Neira Ayuso wrote: >Hi Loic, > >On Tue, Jun 20, 2017 at 08:31:26PM +0200, Loic wrote: >> Hi, >> >> I think there is a problem in the geoip code because I detect this: >> >> grep -ar "cicus.162_313 max" /usr/src/xtables-addons-2.12/extensions/ >>

Re: [PATCH xtables-addons] build: support for Linux 4.12

2017-06-15 Thread Jan Engelhardt
On Sunday 2017-05-14 18:16, Ralph Sennhauser wrote: >As a result of commit cc41c84b7e7f ("netfilter: kill the fake untracked >conntrack objects") the helper nf_ct_is_untracked always returns false >and commit ab8bc7ed864b ("netfilter: remove nf_ct_is_untracked") removes >it all together.

Re: Changing destination ip and port of TEE'ed udp

2017-05-08 Thread Jan Engelhardt
On Tuesday 2017-05-09 00:22, Sergey Yermakov wrote: > Hello, > > 1. Sorry if this has been already asked before (couldn't find the answer in > the archives) or the wrong list. > > 2. Changing the destination ip and port of TEE'ed udp datagrams seems doable > and I was just wondering if there are

Re: [PATCH iptables] extensions: libxt_hashlimit: fix 64-bit printf formats

2017-04-10 Thread Jan Engelhardt
On Saturday 2017-04-08 22:29, Pablo Neira Ayuso wrote: >> @@ -262,7 +262,7 @@ static uint64_t parse_burst(const char *burst, int >> revision) >> if (v > max) >> xtables_error(PARAMETER_PROBLEM, "bad value for option " >> "\"--hashlimit-burst\", value \"%s\"

Re: [PATCH] net: netfilter: Replace explicit NULL comparisons

2017-04-09 Thread Jan Engelhardt
On Sunday 2017-04-09 05:42, Arushi Singhal wrote: >On Sun, Apr 9, 2017 at 1:44 AM, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > On Sat, Apr 08, 2017 at 08:21:56PM +0200, Jan Engelhardt wrote: > > On Saturday 2017-04-08 19:21, Arushi Singhal wrote: > > >

Re: [PATCH] net: netfilter: Replace explicit NULL comparisons

2017-04-08 Thread Jan Engelhardt
On Saturday 2017-04-08 19:21, Arushi Singhal wrote: >Replace explicit NULL comparison with ! operator to simplify code. I still wouldn't do this, for the same reason as before. Comparing to NULL explicitly more or less gave an extra guarantee that the other operand was also a pointer.

Re: [PATCH v2] netfilter: Clean up tests if NULL returned on failure

2017-03-29 Thread Jan Engelhardt
On Wednesday 2017-03-29 11:15, SIMRAN SINGHAL wrote: >> dest = kzalloc(sizeof(struct ip_vs_dest), GFP_KERNEL); >>- if (dest == NULL) >>+ if (!dest) >> return -ENOMEM; > >But, according to me we should prefer !var over ( var ==NULL ) according to the

Re: [PATCH v2] netfilter: Clean up tests if NULL returned on failure

2017-03-29 Thread Jan Engelhardt
On Tuesday 2017-03-28 18:23, SIMRAN SINGHAL wrote: >On Tue, Mar 28, 2017 at 7:24 PM, Jan Engelhardt <jeng...@inai.de> wrote: >> On Tuesday 2017-03-28 15:13, simran singhal wrote: >> >>>Some functions like kmalloc/kzalloc return NULL on failure. When NULL >>>

Re: [PATCH] netfilter: ipset: Use max macro instead of ternary operator

2017-03-28 Thread Jan Engelhardt
On Tuesday 2017-03-28 15:32, simran singhal wrote: >This patch replaces ternary operator with macro max as it is shorter and >thus increases code readability. > >- return (ret < 0 ? 0 : ret); >+ return max(0, ret); While the two are functionally equivalent, "max" conveys a meaning of

Re: [PATCH v2] netfilter: Clean up tests if NULL returned on failure

2017-03-28 Thread Jan Engelhardt
On Tuesday 2017-03-28 15:13, simran singhal wrote: >Some functions like kmalloc/kzalloc return NULL on failure. When NULL >represents failure, !x is commonly used. > >@@ -910,7 +910,7 @@ ip_vs_new_dest(struct ip_vs_service *svc, struct >ip_vs_dest_user_kern *udest, > } > > dest =

Re: [PATCH] net: Remove unnecessary cast on void pointer

2017-03-28 Thread Jan Engelhardt
On Tuesday 2017-03-28 14:50, simran singhal wrote: >The following Coccinelle script was used to detect this: >@r@ >expression x; >void* e; >type T; >identifier f; >@@ >( > *((T *)e) >| > ((T *)x)[...] >| > ((T*)x)->f >| > >- (T*) > e >) > >Signed-off-by: simran singhal

Re: [PATCH 3/3] libxtables: avoid returning duplicate address for host resolution

2017-03-08 Thread Jan Engelhardt
On Wednesday 2017-03-08 17:45, Pablo Neira Ayuso wrote: >On Wed, Mar 08, 2017 at 05:26:58PM +0100, Jan Engelhardt wrote: >> A long-standing problem has been that `iptables -s any_host_here` >> could yield multiple rules with the same address if the DNS was >> indeed so p

[PATCH 2/3] libxtables: abolish AI_CANONNAME

2017-03-08 Thread Jan Engelhardt
ares->ai_canonname is never used, so there is no point in requesting that piece of information with AI_CANONNAME. Signed-off-by: Jan Engelhardt <jeng...@inai.de> --- libxtables/xtables.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libxtables/xtables.c b/libxtables/xtable

[PATCH 3/3] libxtables: avoid returning duplicate address for host resolution

2017-03-08 Thread Jan Engelhardt
A long-standing problem has been that `iptables -s any_host_here` could yield multiple rules with the same address if the DNS was indeed so populated. Signed-off-by: Jan Engelhardt <jeng...@inai.de> --- libxtables/xtables.c | 44 1 file chang

[PATCH 1/3] libxtables: remove unnecessary nesting from host_to_ip(6)addr

2017-03-08 Thread Jan Engelhardt
The error path already terminally returns from the function, so there is no point in having an explicit else block. Signed-off-by: Jan Engelhardt <jeng...@inai.de> --- libxtables/xtables.c | 54 +++- 1 file changed, 24 insertions(+), 30 del

[PATCH 3/3] libxtables: avoid returning duplicate address for host resolution

2017-03-08 Thread Jan Engelhardt
A long-standing problem has been that `iptables -s any_host_here` could yield multiple rules with the same address if the DNS was indeed so populated. Signed-off-by: Jan Engelhardt <jeng...@inai.de> --- libxtables/xtables.c | 44 1 file chang

[PATCH 2/3] libxtables: abolish AI_CANONNAME

2017-03-08 Thread Jan Engelhardt
ares->ai_canonname is never used, so there is no point in requesting that piece of information with AI_CANONNAME. Signed-off-by: Jan Engelhardt <jeng...@inai.de> --- libxtables/xtables.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libxtables/xtables.c b/libxtables/xtable

Filter duplicate IP addresses from libxtables

2017-03-08 Thread Jan Engelhardt
(Of course that send went wrong.. with github and all that, I hardly had to use git-send-email ever since.) The right set follows.

[PATCH 1/3] extensions: libxt_socket: add --restore-skmark option

2017-03-08 Thread Jan Engelhardt
From: Harout Hedeshian xt_socket is useful for matching sockets with IP_TRANSPARENT and taking some action on the matching packets. However, it lacks the ability to match only a small subset of transparent sockets. Suppose there are 2 applications, each with its own set

Re: [PATCH] libxtables: duplicated loopback address via host_to_ipaddr()

2017-03-08 Thread Jan Engelhardt
Pablo wrote: >libc seem to need if we have 127.0.0.1 and ::1 >entries in /etc/hosts that are common in many distros. I was trying to imply that this problem is not specific to localhost, but could happen with any host name. Testing the memory contents for just htonl(INADDR_LOOPBACK) does not

[PATCH 3/3] extensions: restore matching any SPI id by default

2017-03-08 Thread Jan Engelhardt
This is the same as commit v1.4.15-12-g8a988f6. If no id option is given, the extensions only match packets with a zero-valued identification field. This behavior deviates from what it used to do back in v1.4.10-273-g6944f2c^. Signed-off-by: Jan Engelhardt <jeng...@inai.de> --- exte

Re: [PATCH iptables 2/2] libxtables: pass AI_ADDRCONFIG flag to getaddrinfo()

2017-03-08 Thread Jan Engelhardt
On Wednesday 2017-03-08 14:16, Pablo Neira Ayuso wrote: > >If hints.ai_flags includes the AI_ADDRCONFIG flag, then IPv4 addresses >are returned in the list pointed to by res only if the local system has >at least one IPv4 address configured, and IPv6 addresses are only >returned if the local

Re: [PATCH] netfilter: Parse ICMPv6 redirects

2017-03-01 Thread Jan Engelhardt
On Wednesday 2017-03-01 15:32, Alin Nastac wrote: >Extract IPv6 packet that triggered the sending of redirect message from >ICMPv6 Redirected Header option and check if conntrack table contains such >connection. Mark redirect packet as RELATED if a matching connection is found. > >Signed-off-by:

Re: Concurrent iptables-restore calls clobbering each other

2017-02-03 Thread Jan Engelhardt
On Friday 2017-02-03 21:37, Shaun Crampton wrote: > >I'm trying to diagnose an incompatibility between my application >(Project Calico's Felix daemon) and another (Kubernetes' kube-proxy). >Both are (ab)using iptables-restore to do high-speed bulk updates to >iptables and they're both using

Re: [PATCH xtables-addons] build: support for Linux 4.10

2017-01-03 Thread Jan Engelhardt
On Monday 2016-12-26 16:14, Ralph Sennhauser wrote: >Commit 613dbd95723aee7abd16860745691b6c7bda20dc (netfilter: >x_tables: move hook state into xt_action_param structure) changes the >struct xt_action_param, accommodate for it. Both applied.

Re: routing table lookup

2016-10-11 Thread Jan Engelhardt
On Tuesday 2016-10-11 21:10, Bjørnar Ness wrote: >2016-10-11 20:28 GMT+02:00 Jan Engelhardt <jeng...@inai.de>: >> Well you can mark routes with realm numbers, and match on that. (In >> iptables, this was done with -m realm.) At least that is the idea. Not >> sure

Re: routing table lookup

2016-10-11 Thread Jan Engelhardt
On Tuesday 2016-10-11 20:11, Bjørnar Ness wrote: >Hello, netfilter-devel. > >Is it possible/planned to be able to do routing table lookup from >within nftables? >Thinking then of a routingtable like "set". This would be nice to be able to do >early drop on bgp populated saddr based rtbl. Well

Re: [PATCH v3 2/2] netfilter: Create revision 2 of xt_hashlimit to support higher pps rates

2016-09-22 Thread Jan Engelhardt
On Thursday 2016-09-22 18:43, Vishwanath Pai wrote: >+struct hashlimit_cfg2 { >+ __u32 mode; /* bitmask of XT_HASHLIMIT_HASH_* */ >+ __u64 avg;/* Average secs between packets * scale */ >+ __u64 burst; /* Period multiplier for upper limit. */ This would have different

Re: [PATCH 1116/1285] Replace numeric parameter like 0444 with macro

2016-08-02 Thread Jan Engelhardt
On Tuesday 2016-08-02 14:17, Baole Ni wrote: >I find that the developers often just specified the numeric value >when calling a macro which is defined with a parameter for access permission. >As we know, these numeric values for access permission have had the >corresponding macro, >and that

Re: libxtables backward compatibility

2016-07-03 Thread Jan Engelhardt
On Sunday 2016-07-03 23:29, Neal P. Murphy wrote: >> On Sunday 2016-07-03 22:00, Neal P. Murphy wrote: >> >> >Specifically, should programs linked to--and expecting to >> >use--libxtables.so.7 >> >work with versions libxtables.so.10 and libxtables.so.11? I suspect yes >> >> Absolutely not.

Re: libxtables backward compatibility

2016-07-03 Thread Jan Engelhardt
On Sunday 2016-07-03 22:00, Neal P. Murphy wrote: >Specifically, should programs linked to--and expecting to use--libxtables.so.7 >work with versions libxtables.so.10 and libxtables.so.11? I suspect yes Absolutely not. Never has been in any shared library system.