On Tuesday 2018-12-04 11:57, Pablo Neira Ayuso wrote:
>On Tue, Dec 04, 2018 at 11:50:46AM +0100, Arturo Borrero Gonzalez wrote:
>> On 11/28/18 2:10 PM, Arturo Borrero Gonzalez wrote:
>> > On 11/28/18 1:44 PM, Arturo Borrero Gonzalez wrote:
>> >> Hi,
>> >>
>> >> Now that the iptables.git repo
On Tuesday 2018-11-27 12:56, Rolf Eike Beer wrote:
>Hi,
>
>it seems to me that "--disable-silent-rules" has no effect on iptables
>configure, i.e. I still have to pass V=1 to make to see what it is actually
>doing.
This is expected because automake is not used in every
directory. But V=1 is
On Tuesday 2018-11-13 12:18, Pablo Neira Ayuso wrote:
>Looks good, may I include your Signed-off-by tag?
Oh yeah, this is "kernel land" where it's needed ;-)
Please also consider folding in Stefano's comment about one "an".
Signed-off-by: Jan Engelhardt
>On Tue,
---
Additional fixes on top of V. Skyttä's patch: lots of "a", "the", etc.
missing, wrong prepositions addressed. Contractions are expanded for
better writing style.
doc/data-types.txt | 6 +-
doc/libnftables-json.adoc | 145 +++--
doc/libnftables.adoc
On Monday 2018-11-05 10:55, Pablo Neira Ayuso wrote:
>On Mon, Nov 05, 2018 at 10:44:20AM +0100, Florian Westphal wrote:
>> -Z doesn't just zero base counters, it zeroes out all rule
>> counters, or, optionally, all counters of a chain (-Z FOO).
>
>Looks good.
>
>But I think we need to extend this
On Tuesday 2018-08-28 10:26, Phil Sutter wrote:
>+++ b/iptables/tests/shell/testcases/nft-only/0003delete-with-comment_0
>@@ -0,0 +1,10 @@
>+#!/bin/sh
>+
>+set -e
>+
>+[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
[[ is not sh-compatible. Either #!/bin/bash or [
On Thursday 2018-08-16 16:52, Ahmed Abdelsalam wrote:
>---
> extensions/libip6t_SEG6.c| 154 +++
> include/linux/netfilter_ipv6/ip6t_SEG6.h | 22 +
>+#include
I think this should be libxt_SEG6.c, linux/netfilter/xt_SEG6.h,
as there is not really
On Monday 2018-08-13 19:34, Neal P. Murphy wrote:
>
>I changed Smoothwall Express to use -m time 4 years ago, and corrected a
>couple bugs shortly after. In short,
> - Set the BIOS clock to local time (the BIOS clock is for humans anyway).
> - Run a modern ntpd to keep the system clock
On Monday 2018-08-13 13:03, Florian Westphal wrote:
>Jan Engelhardt wrote:
>> On Sunday 2018-08-12 23:05, Florian Westphal wrote:
>>
>> >Neal P. Murphy wrote:
>> >> Does nftables have an equivalent of iptables' "-m time"?
>> >
>>
On Sunday 2018-08-12 23:05, Florian Westphal wrote:
>Neal P. Murphy wrote:
>> Does nftables have an equivalent of iptables' "-m time"?
>
>-m time is problematic (kernel has no idea what a timezone is).
The kernel certainly does have a timezone (if only a limited understanding how
to use it). In
On Monday 2018-07-30 14:23, Pablo Neira Ayuso wrote:
>
>Right, but we cannot assume users use iptables, they may develop their
>own applications based on our binary interface.
But if iptables does the file copy, and nftables does the same copy,
then by that pattern, all applications, his own
On Friday 2018-07-27 00:22, Phil Sutter wrote:
>In nft_chain_builtin_init(), the wrong macro was used for iterating over
>the built-in chains of a given table. That array's length is defined
>using NF_INET_NUMHOOKS, not NF_IP_NUMHOOKS. Though this change is rather
>cosmetic since both macros
On Monday 2018-07-23 12:06, Pablo Neira Ayuso wrote:
>On Fri, Jul 20, 2018 at 04:41:11PM +0200, Fernando Fernandez Mancera wrote:
>> Rename nf_osf.c to nfnetlink_osf.c as we introduce nfnetlink_osf which is
>> the OSF infrastructure.
>>
>> Signed-off-by: Fernando Fernandez Mancera
>> ---
>>
On Friday 2018-07-06 11:32, Florian Westphal wrote:
>iptables 1.8
>
>This release introduces a more prominent distinction between the
>'classic' iptables and 'new' iptables front-end that internally uses the
>nf_tables API to talk to the kernel.
>
>legacy commandline tools:
On Friday 2018-06-29 12:36, Florian Westphal wrote:
>
>My only concern is someone complaining/asking where the ebt_foo.so files
>went.
That's an easy part. — The hard part is conveying to, and convincing distro
people that certain *new* files need to be in certain subpackages of theirs...
;-)
On Friday 2018-06-29 12:11, Pablo Neira Ayuso wrote:
>On Fri, Jun 29, 2018 at 12:05:12PM +0200, Jan Engelhardt wrote:
>> So does that mean we're not going to address the build failure
>> experienced by Duncan Roe and the tomato project?
>
>I think we agreed the proble
On Friday 2018-06-29 11:45, Florian Westphal wrote:
>
>Yes, thanks for clarifying. I poorly worded my first reply about
>integrating ebtables, I was only talking about
>ebtables-using-nf_netlink.
>
>[...] So I'm leaning towards not applying this, sorry.
So does that mean we're not going to
On Friday 2018-06-29 11:19, Pablo Neira Ayuso wrote:
>Not sure this is worth this change.
>
>I would prefer conversion to autotools is just as transparent as
>possible.
And that means what exactly, splitting the patch to that effect?
>Having said this, as Florian mentioned already, modernizing
On Thursday 2018-06-28 22:43, Florian Westphal wrote:
>Jan Engelhardt wrote:
>> Prepare for autoconf-based substitution of macros in the file.
>
>It breaks make install.
>
>Not a big deal, after pulling whole series make seems to create
>a static build by default, make
On Thursday 2018-06-28 11:35, Arushi Singhal wrote:
>README added
>
>Signed-off-by: Arushi Singhal
>---
> iptables/tests/shell/README | 20
> 1 file changed, 20 insertions(+)
> create mode 100644 iptables/tests/shell/README
>
>diff --git a/iptables/tests/shell/README
Commands, options, filenames, and possibly references to other
manpages, should always use the minus. (Important for copy-n-paste
and e.g. following manpage links.) Everything else can do with the
dash.
---
iptables/xtables-legacy.8 | 22 +++---
iptables/xtables-nft.8| 60
On Thursday 2018-06-28 00:08, Florian Westphal wrote:
>Jan Engelhardt wrote:
>>
>> The following changes since commit 56993546c80576986930f9bae7ae4ba744b1e508:
>>
>> extensions: fix build failure on fc28 (2018-06-06 14:22:25 +0200)
>>
On Wednesday 2018-06-27 13:33, Florian Westphal wrote:
>This adds a clear distinction between old iptables (formerly
>xtables-multi, now xtables-legacy-multi) and new iptables
>(formerly xtables-compat-multi, now xtables-nft-multi).
>
>Users will get the ip/ip6tables names via symbolic links,
---
.gitignore| 23 +-
INSTALL | 71 ++---
Makefile | 214 --
Makefile.am | 76 ++
autogen.sh| 4 +
configure.ac | 23 ++
m4/.gitignore | 2 +
7 files changed, 149 insertions(+), 264
---
Makefile | 8
ebtables-save.in | 2 +-
ebtables.8.in| 6 +++---
ebtables.sysv.in | 38 +++---
4 files changed, 27 insertions(+), 27 deletions(-)
diff --git a/Makefile b/Makefile
index d0a12d6..7c70db0 100644
--- a/Makefile
+++
The ebtables initialization is easier, and, judging from the "static"
recipe in Makefile, that calling ebt_*_register ahead of main is
safe.
This means that a static build won't need the pseudomain hack,
and that -nostartfiles can also go away.
---
Makefile| 34
---
.gitignore | 7 +++
1 file changed, 7 insertions(+)
create mode 100644 .gitignore
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 000..d2fc36e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,7 @@
+*.o
+*.so
+/ebtables
+/ebtables-restore
+/ebtablesd
+/ebtablesu
+/static
--
Prepare for autoconf-based substitution of macros in the file.
---
Makefile | 14 +++---
ebtables-config => ebtables-config.in | 0
ebtables-save => ebtables-save.in | 0
ebtables.8 => ebtables.8.in | 0
ebtables.sysv => ebtables.sysv.in |
Calling /usr/bin/install with -o/-g will attempt to chown, and fail
if unsuccessful, which makes an unprivileged install with DESTDIR a
futile attempt always.
Drop it, because /usr/bin/install chowns to the current running user
*anyway*, which means when root calls `make install`, it will do the
to 21bd17f272b4e31fa5ef53dbd0620bd16873eb96:
build: move to automake (2018-06-27 11:42:22 +0200)
Jan Engelhardt (6):
build: drop install -o/-g root
build: rename sed source files to .in
build: use autoconf-style placeholders in sed-ed files
On Tuesday 2018-06-26 11:03, Máté Eckl wrote:
>Isn't that an option to add these includes to CFLAGS variable? So that it would
>be less redundant.
Yes and no...
No, because CFLAGS -- at least in the automake world, which I know
ebtables is far from, but let's go with the thought anyway --
On Monday 2018-06-25 04:51, Duncan Roe wrote:
>
>With gcc configured as a cross-compiler, we now have a documented and
>reproducible case where the use of angle brackets forces the use of headers in
>system locations [...]
>To reproduce: if necessary run up a Debian or Ubuntu VM (I used Ubuntu
On Thursday 2018-06-21 20:00, Phil Sutter wrote:
>On Thu, Jun 21, 2018 at 07:35:18PM +0200, Jan Engelhardt wrote:
>> On Thursday 2018-06-21 17:05, Phil Sutter wrote:
>> >> >> >+# This is _NOT_ the library release version, it's an API version.
>> >>
On Thursday 2018-06-21 17:05, Phil Sutter wrote:
>> >> >+# This is _NOT_ the library release version, it's an API version.
>> >> >+# Extracted from Chapter 6 "Library interface versions" of the libtool
>> >> >docs.
>> >>
>> >> I don't know if this chapter 6 reference blurb really helps;
>> >>
On Monday 2018-06-18 12:30, Phil Sutter wrote:
>> >Analogous to libnftnl's build system, define libnftables interface
>> >version in a variable in Make_global.am.
>> >+# This is _NOT_ the library release version, it's an API version.
>> >+# Extracted from Chapter 6 "Library interface versions"
On Monday 2018-06-18 13:51, Eric Leblond wrote:
>diff --git a/doc/Makefile.am b/doc/Makefile.am
>index 9796d34..1ec3b3e 100644
>--- a/doc/Makefile.am
>+++ b/doc/Makefile.am
>@@ -9,19 +9,19 @@ endif
> pdfdir=${docdir}/pdf
>
> .xml.pdf:
>- ${AM_V_GEN}dblatex -q -t pdf -o $@ $<
>+
On Monday 2018-06-18 10:43, Phil Sutter wrote:
>Analogous to libnftnl's build system, define libnftables interface
>version in a variable in Make_global.am.
>
>Suggested-by: Pablo Neira Ayuso
>Signed-off-by: Phil Sutter
>---
> Make_global.am | 21 +
> src/Makefile.am | 4
On Wednesday 2018-06-06 13:40, Pablo Neira Ayuso wrote:
>On Wed, Jun 06, 2018 at 01:36:25PM +0200, Jan Engelhardt wrote:
>> Revert 66a97018a31eed416c6a25d051ea172e4d65be1b partly so as to use
>> again and import a new ebtables.h
>> from the kernel tree that has
Revert 66a97018a31eed416c6a25d051ea172e4d65be1b partly so as to use
again and import a new ebtables.h
from the kernel tree that has the "revision" field.
With this, include/ebtables.h is (again) used by no source file, and
so can be removed.
Signed-off-by: Jan Engelhardt
--
On Wednesday 2018-06-06 09:45, Duncan Roe wrote:
>
>ebtables would not build on my system and I submitted a patch to fix that which
>was accepted as commit 66a97018a31eed416c6a25d051ea172e4d65be1b.
Well then let's start there.
"" The cause of this failure is that the commit updated
On Tuesday 2018-06-05 20:04, Duncan Roe wrote:
>diff --git a/include/ip6tables.h b/include/ip6tables.h
>index 5f1c5b6..d95953e 100644
>--- a/include/ip6tables.h
>+++ b/include/ip6tables.h
>@@ -2,8 +2,8 @@
> #define _IP6TABLES_USER_H
>
> #include
>-#include
>-#include
>+#include "xtables.h"
On Tuesday 2018-06-05 08:20, Duncan Roe wrote:
>libmnl carries a private copy of a number of system headers. These were mostly
>still being included with angle brackets as though they were system headers.
These headers are willingly used in exactly that context: they are
system headers, just at
On Monday 2018-06-04 09:03, Máté Eckl wrote:
>On Sun, May 27, 2018 at 02:54:11PM +1000, Duncan Roe wrote:
>> ebtables carries a private copy of some system headers provided by the
>> linux-headers package. These were mostly still being included with angle
>> brackets as though they were system
On Thursday 2018-05-17 12:09, Greg Kroah-Hartman wrote:
>> > --- a/net/netfilter/x_tables.c
>> > +++ b/net/netfilter/x_tables.c
>> > @@ -1183,11 +1183,10 @@ struct xt_table_info *xt_alloc_table_info(unsigned
>> > int size)
>> > * than shoot all processes down before realizing there is
On Thursday 2018-05-03 17:03, Yuri Gribov wrote:
>Hi all,
>
>Here's the updated version of the patch.
>
>diff --git a/src/Makefile.am b/src/Makefile.am
>index d0098cc..d91c9f7 100644
>--- a/src/Makefile.am
>+++ b/src/Makefile.am
>@@ -3,7 +3,8 @@ include $(top_srcdir)/Make_global.am
>
On Saturday 2018-04-28 10:28, Yuri Gribov wrote:
>>> AM_CPPFLAGS = -I$(top_srcdir)/include
>>>-AM_CFLAGS = -Wall
>>>+AM_CFLAGS = -Wall @VISFLAGS@
>>
>> Only use @@ in .am files when you must (like, left-hand sides).
>> Otherwise, just ${VISFLAGS}.
>
>Ok, thanks. LDSFLAGS probly have to keep using
On Saturday 2018-04-28 00:29, Yuri Gribov wrote:
>--- a/Make_global.am
>+++ b/Make_global.am
>@@ -5,4 +5,4 @@
> LIBVERSION=2:0:2
>
> AM_CPPFLAGS = -I$(top_srcdir)/include
>-AM_CFLAGS = -Wall
>+AM_CFLAGS = -Wall @VISFLAGS@
Only use @@ in .am files when you must (like, left-hand sides).
On Friday 2018-04-20 10:47, Pablo Neira Ayuso wrote:
>> -if ((event != NFT_MSG_DELRULE) && (rule->list.prev != >rules)) {
>> -prule = list_prev_entry(rule, list);
>> -if (nla_put_be64(skb, NFTA_RULE_POSITION,
>> - cpu_to_be64(prule->handle),
On Monday 2018-04-16 18:04, Florian Westphal wrote:
>+ u64 max = (u64)(~((u64)0));
>+ max = div_u64(max, NSEC_PER_MSEC);
>+ if (ms >= max)
Why opencode, is there a problem with UINT64_MAX?
Just this:
u64 max = div_u64(UINT64_MAX, NSEC_PER_MSEC);
--
To unsubscribe from
>commit 516600858cb54906fb728d04e5edf1131ee7b3b2
>Author: Jozsef Kadlecsik
>Date: Tue Apr 10 20:48:35 2018 +0200
>
>Fix parsing service names for ports
>
>Parsing is attempted both for numbers and service names and
>the temporary stored error message
On Tuesday 2018-03-20 12:47, Pablo Neira Ayuso wrote:
>Signed-off-by: Pablo Neira Ayuso
>---
> include/conntrackd.h | 4
> include/helper.h | 2 --
> 2 files changed, 4 insertions(+), 2 deletions(-)
>
>diff --git a/include/conntrackd.h b/include/conntrackd.h
>index
On Monday 2018-02-19 16:32, David Miller wrote:
>From: Harald Welte
>Date: Mon, 19 Feb 2018 16:23:21 +0100
>
>> Also, as long as legacy ip_tables/x_tables is still in the kernel, you
>> can still run your old userspace against that old implementation in the
>> kernel.
>
On Friday 2018-02-02 12:55, Pablo Neira Ayuso wrote:
>On Fri, Feb 02, 2018 at 12:49:38PM +0100, Pablo Neira Ayuso wrote:
>[...]
>> bool net_valid_name(const char *name, size_t len)
>> {
>> ...
>> }
>
>Am I missing anything in all these tricky string handling? Thanks!
One will have to
On Monday 2018-01-29 17:57, Florian Westphal wrote:
>> > > vmalloc() once became killable by commit 5d17a73a2ebeb8d1 ("vmalloc: back
>> > > off when the current task is killed") but then became unkillable by
>> > > commit
>> > > b8c8a338f75e052d ("Revert "vmalloc: back off when the current task
libipset/types.h includes args.h, therefore args.h must be installed
too.
Signed-off-by: Jan Engelhardt <jeng...@inai.de>
---
include/libipset/Makefile.am | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/libipset/Makefile.am b/include/libipset/Makefile.am
index 3b47518..79a1357
>nftables 0.8.1
>
>This release contains mostly incremental fixes and documentation
>updates, such as fixing up ./configure --with-mini-gmp for embedded
>setups that don't have libgmp.
Why is this now installing a libnftables.pc file when there is no
library or headers to go with it?
On Thursday 2018-01-04 18:50, Marcelo Henrique Cerri wrote:
>The following patches fix the build against 4.14 and 4.15 kernels.
Added.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at
On Thursday 2017-11-30 18:11, Phil Sutter wrote:
>This changes Makefiles so that libnftables is built into a static
>library which is not installed. This allows for incompatible changes
>while still providing a library to link to for testing purposes.
>
>diff --git a/src/Makefile.am
On Monday 2017-11-13 16:21, Pablo Neira Ayuso wrote:
>On Mon, Nov 13, 2017 at 05:54:06PM +1100, Duncan Roe wrote:
>> The nftables Wiki page
>> https://wiki.nftables.org/wiki-nftables/index.php/Queueing_to_userspace
>> refers
>> to using nfqnl_test with its numeric queue argument, but this only
On Friday 2017-10-13 01:41, Pablo Neira Ayuso wrote:
>
>libnftnl 1.0.8
Here's a buffer overflow reported by gcc:
expr/data_reg.c: In function 'nftnl_data_reg_json_parse':
expr/data_reg.c:69:27: warning: '%d' directive writing between 1 and 10 bytes
into a region of size 2
On Thursday 2017-09-21 19:00, Jean Weisbuch wrote:
>
> - For strings, SQL_STRINGSIZE now defines the max length of values (before
> being escaped), longer values will be truncated and the double of
> SQL_STRINGSIZE is allocated in case all characters would have to be escaped
>
> I am not sure
On Wednesday 2017-09-13 15:24, Shmulik Ladkani wrote:
>
>One way to fix is to have iptables open the object (using the stored
>xt_bpf_info_v1->path), gaining a new process local fd for the object,
>just after getting the rules from IPT_SO_GET_ENTRIES.
>However we didn't see any other extensions
On Wednesday 2017-09-06 16:02, Phil Sutter wrote:
>> Knowing that, people just avoid them most of the time for groff - and if I
>> may
>> say so, it has not reduced the document quality.
>
>Right now, nft.8 makes extensive use of tables which is why I considered
>proper table support an
On Wednesday 2017-09-06 13:58, Phil Sutter wrote:
>
>Regarding reStructuredText, did you look at how tables are written
>there? If not, see here[2]. I really think that speaks for itself.
Markup is the least problem. Tables, when rendered, have a tendency to quickly
grow too large for the
On Wednesday 2017-09-06 11:56, Arturo Borrero Gonzalez wrote:
>
>Regarding the separation of text in different includes, why not creating
>different manpages? Netfilter did this in the past with iptables(8) and
>iptables-extensions(8).
The split into iptables-extensions.8 happened not because of
On Sunday 2017-09-03 16:30, Taehee Yoo wrote:
>When xt_TEE target is inserted, lockdep warns about possible
>DEADLOCK situation. To avoid deadlock situation
>the register_netdevice_notifier() should be called by only init routine.
>
>+#include
>
> struct xt_tee_tginfo {
> union
On Saturday 2017-08-19 10:43, Eric Leblond wrote:
>>> Hence I defined a global init and deinit. But maybe it does not
>>> really make sense and could be attached to each context or init
>>> could be done at first usage.
>>
>> My idea was to implement simple reference counting to see whether
>>
On Friday 2017-08-11 00:44, Jan Engelhardt wrote:
>Some history for the mail archives: {} is not specified, but follows from
>prominent use of | inside [] and the desire to have some kind of grouping for
>non-optional things. I will — cautiously — claim that {} was an idea of mine
>
On Thursday 2017-08-10 20:29, Phil Sutter wrote:
>
>With no prior knowledge of how this syntax works, we start parsing the
>line from left to right and find out that something like:
>
>| {foo | bar}
>
>probably means "either 'foo' or 'bar'", no big deal. Next comes 'table' in
>bold font. What does
On Wednesday 2017-06-21 18:16, Pablo Neira Ayuso wrote:
>Hi Loic,
>
>On Tue, Jun 20, 2017 at 08:31:26PM +0200, Loic wrote:
>> Hi,
>>
>> I think there is a problem in the geoip code because I detect this:
>>
>> grep -ar "cicus.162_313 max" /usr/src/xtables-addons-2.12/extensions/
>>
On Sunday 2017-05-14 18:16, Ralph Sennhauser wrote:
>As a result of commit cc41c84b7e7f ("netfilter: kill the fake untracked
>conntrack objects") the helper nf_ct_is_untracked always returns false
>and commit ab8bc7ed864b ("netfilter: remove nf_ct_is_untracked") removes
>it altogether.
On Tuesday 2017-05-09 00:22, Sergey Yermakov wrote:
> Hello,
>
> 1. Sorry if this has been already asked before ( couldn't find the answer in
> the archives) or the wrong list.
>
> 2. Changing the destination ip and port of TEE'ed udp datagrams seems doable
> and I was just wondering if there are
On Saturday 2017-04-08 22:29, Pablo Neira Ayuso wrote:
>> @@ -262,7 +262,7 @@ static uint64_t parse_burst(const char *burst, int
>> revision)
>> if (v > max)
>> xtables_error(PARAMETER_PROBLEM, "bad value for option "
>> "\"--hashlimit-burst\", value \"%s\"
On Sunday 2017-04-09 05:42, Arushi Singhal wrote:
>On Sun, Apr 9, 2017 at 1:44 AM, Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> On Sat, Apr 08, 2017 at 08:21:56PM +0200, Jan Engelhardt wrote:
> > On Saturday 2017-04-08 19:21, Arushi Singhal wrote:
> >
On Saturday 2017-04-08 19:21, Arushi Singhal wrote:
>Replace explicit NULL comparison with ! operator to simplify code.
I still wouldn't do this, for the same reason as before. Comparing to
NULL explicitly more or less gave an extra guarantee that the other
operand was also a pointer.
On Wednesday 2017-03-29 11:15, SIMRAN SINGHAL wrote:
>> dest = kzalloc(sizeof(struct ip_vs_dest), GFP_KERNEL);
>>- if (dest == NULL)
>>+ if (!dest)
>> return -ENOMEM;
>
>But, according to me we should prefer !var over ( var ==NULL ) according to the
On Tuesday 2017-03-28 18:23, SIMRAN SINGHAL wrote:
>On Tue, Mar 28, 2017 at 7:24 PM, Jan Engelhardt <jeng...@inai.de> wrote:
>> On Tuesday 2017-03-28 15:13, simran singhal wrote:
>>
>>>Some functions like kmalloc/kzalloc return NULL on failure. When NULL
>>>
On Tuesday 2017-03-28 15:32, simran singhal wrote:
>This patch replaces ternary operator with macro max as it shorter and
>thus increases code readability.
>
>- return (ret < 0 ? 0 : ret);
>+ return max(0, ret);
While the two are functionally equivalent, "max" conveys a meaning of
On Tuesday 2017-03-28 15:13, simran singhal wrote:
>Some functions like kmalloc/kzalloc return NULL on failure. When NULL
>represents failure, !x is commonly used.
>
>@@ -910,7 +910,7 @@ ip_vs_new_dest(struct ip_vs_service *svc, struct
>ip_vs_dest_user_kern *udest,
> }
>
> dest =
On Tuesday 2017-03-28 14:50, simran singhal wrote:
>The following Coccinelle script was used to detect this:
>@r@
>expression x;
>void* e;
>type T;
>identifier f;
>@@
>(
> *((T *)e)
>|
> ((T *)x)[...]
>|
> ((T*)x)->f
>|
>
>- (T*)
> e
>)
>
>Signed-off-by: simran singhal
On Wednesday 2017-03-08 17:45, Pablo Neira Ayuso wrote:
>On Wed, Mar 08, 2017 at 05:26:58PM +0100, Jan Engelhardt wrote:
>> A long-standing problem has been that `iptables -s any_host_here`
>> could yield multiple rules with the same address if the DNS was
>> indeed so p
ares->ai_canonname is never used, so there is no point in requesting
that piece of information with AI_CANONNAME.
Signed-off-by: Jan Engelhardt <jeng...@inai.de>
---
libxtables/xtables.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/libxtables/xtables.c b/libxtables/xtable
A long-standing problem has been that `iptables -s any_host_here`
could yield multiple rules with the same address if the DNS was
indeed so populated.
Signed-off-by: Jan Engelhardt <jeng...@inai.de>
---
libxtables/xtables.c | 44
1 file chang
The error path already terminally returns from the function, so there
is no point in having an explicit else block.
Signed-off-by: Jan Engelhardt <jeng...@inai.de>
---
libxtables/xtables.c | 54 +++-
1 file changed, 24 insertions(+), 30 del
A long-standing problem has been that `iptables -s any_host_here`
could yield multiple rules with the same address if the DNS was
indeed so populated.
Signed-off-by: Jan Engelhardt <jeng...@inai.de>
---
libxtables/xtables.c | 44
1 file chang
ares->ai_canonname is never used, so there is no point in requesting
that piece of information with AI_CANONNAME.
Signed-off-by: Jan Engelhardt <jeng...@inai.de>
---
libxtables/xtables.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/libxtables/xtables.c b/libxtables/xtable
(Of course that send went wrong.. with github and all that, I hardly
had to use git-send-email ever since.)
The right set follows.
From: Harout Hedeshian
xt_socket is useful for matching sockets with IP_TRANSPARENT and
taking some action on the matching packets. However, it lacks the
ability to match only a small subset of transparent sockets.
Suppose there are 2 applications, each with its own set
Pablo wrote:
>libc seem to need if we have 127.0.0.1 and ::1
>entries in /etc/hosts that are common in many distros.
I was trying to imply that this problem is not specific to localhost,
but could happen with any host name. Testing the memory contents for
just htonl(INADDR_LOOPBACK) does not
This is the same as commit v1.4.15-12-g8a988f6.
If no id option is given, the extensions only match packets with a
zero-valued identification field. This behavior deviates from what it
used to do back in v1.4.10-273-g6944f2c^.
Signed-off-by: Jan Engelhardt <jeng...@inai.de>
---
exte
On Wednesday 2017-03-08 14:16, Pablo Neira Ayuso wrote:
>
>If hints.ai_flags includes the AI_ADDRCONFIG flag, then IPv4 addresses
>are returned in the list pointed to by res only if the local system has
>at least one IPv4 address configured, and IPv6 addresses are only
>returned if the local
On Wednesday 2017-03-01 15:32, Alin Nastac wrote:
>Extract IPv6 packet that triggered the sending of redirect message from
>ICMPv6 Redirected Header option and check if conntrack table contain such
>connection. Mark redirect packet as RELATED if a matching connection is found.
>
>Signed-off-by:
On Friday 2017-02-03 21:37, Shaun Crampton wrote:
>
>I'm trying to diagnose an incompatibility between my application
>(Project Calico's Felix daemon) and another (Kubernetes' kube-proxy).
>Both are (ab)using iptables-restore to do high-speed bulk updates to
>iptables and they're both using
On Monday 2016-12-26 16:14, Ralph Sennhauser wrote:
>Commit 613dbd95723aee7abd16860745691b6c7bda20dc (netfilter:
>x_tables: move hook state into xt_action_param structure) changes the
>struct xt_action_param, accommodate for it.
Both applied.
On Tuesday 2016-10-11 21:10, Bjørnar Ness wrote:
>2016-10-11 20:28 GMT+02:00 Jan Engelhardt <jeng...@inai.de>:
>> Well you can mark routes with realm numbers, and match on that. (In
>> iptables, this was done with -m realm.) At least that is the idea. Not
>> sure
On Tuesday 2016-10-11 20:11, Bjørnar Ness wrote:
>Hello, netfilter-devel.
>
>Is it possible/planned to be able to do routing table lookup from
>within nftables?
>Thinking then of a routingtable like "set". This would be nice to be able to do
>early drop on bgp populated saddr based rtbl.
Well
On Thursday 2016-09-22 18:43, Vishwanath Pai wrote:
>+struct hashlimit_cfg2 {
>+ __u32 mode; /* bitmask of XT_HASHLIMIT_HASH_* */
>+ __u64 avg;/* Average secs between packets * scale */
>+ __u64 burst; /* Period multiplier for upper limit. */
This would have different
On Tuesday 2016-08-02 14:17, Baole Ni wrote:
>I find that the developers often just specified the numeric value
>when calling a macro which is defined with a parameter for access permission.
>As we know, these numeric value for access permission have had the
>corresponding macro,
>and that
On Sunday 2016-07-03 23:29, Neal P. Murphy wrote:
>> On Sunday 2016-07-03 22:00, Neal P. Murphy wrote:
>>
>> >Specifically, should programs linked to--and expecting to
>> >use--libxtables.so.7
>> >work with versions libxtables.so.10 and libxtables.so.11? I suspect yes
>>
>> Absolutely not.
On Sunday 2016-07-03 22:00, Neal P. Murphy wrote:
>Specifically, should programs linked to--and expecting to use--libxtables.so.7
>work with versions libxtables.so.10 and libxtables.so.11? I suspect yes
Absolutely not. Never has been in any shared library system.