[ANNOUNCE] nftlb 0.3 release

Hi! I'm honored to present nftlb 0.3 nftlb stands for nftables load balancer, a user space tool that builds a complete load balancer and traffic distributor using the nft infrastructure. nftlb is a nftables rules manager that creates virtual services for load balancing at layer 2, layer 3

[PATCH nft] json: fix json_events_cb() declaration when libjansson is not present

makes a declaration of the json_events_cb() function consistent. Fixes: bb32d8db9a12 ("JSON: Add support for echo option") Signed-off-by: Laura Garcia Liebana --- include/json.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/json.h b/include/json.h ind

Re: url filtering with netfiler

On Tue, Aug 7, 2018 at 3:26 PM, Saber Rezvani wrote: > Do you know who exactly working on this feature in nft? could you possibly > introduce me to him/her? > You know we have decided to work on this issue. So It is a best practice to > get in touch with running development team who works on this

Re: url filtering with netfiler

On Fri, Aug 3, 2018 at 11:03 AM, Oleg wrote: > On Fri, Aug 03, 2018 at 01:21:05AM +0430, Saber Rezvani wrote: >> On 08/03/2018 12:14 AM, Oleg wrote: >> > On Thu, Aug 02, 2018 at 06:44:26PM +0430, Saber Rezvani wrote: >> >> Dear all, >> >> >> >> >> >> Some of my friends and I have decided to work

Re: [PATCH] netfilter: nft_numgen: fix ptr_ret.cocci warnings

(...)) + PTR_ERR > > Generated by: scripts/coccinelle/api/ptr_ret.cocci > > Fixes: d734a2888922 ("netfilter: nft_numgen: add map lookups for numgen > statements") > CC: Laura Garcia Liebana <nev...@gmail.com> > Signed-off-by: kbuild test robot <fengguang...@intel.com

Re: [PATCH] netfilter: nft_hash: fix ptr_ret.cocci warnings

O can be used > > > Use PTR_ERR_OR_ZERO rather than if(IS_ERR(...)) + PTR_ERR > > Generated by: scripts/coccinelle/api/ptr_ret.cocci > > Fixes: b9ccc07e3f31 ("netfilter: nft_hash: add map lookups for hashing > operations") > CC: Laura Garcia Liebana <nev...@gmail

[PATCH libmnl 3/3] examples: reduce LOCs during neigh attributes validation

This patch avoids some LOCs duplication. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- examples/rtnl/rtnl-neigh-dump.c | 5 - 1 file changed, 5 deletions(-) diff --git a/examples/rtnl/rtnl-neigh-dump.c b/examples/rtnl/rtnl-neigh-dump.c index 54d87e5..f4d5000

[PATCH libmnl 2/3] examples: fix print line format

Use 80 characters per line limit. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- examples/rtnl/rtnl-neigh-dump.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/examples/rtnl/rtnl-neigh-dump.c b/examples/rtnl/rtnl-neigh-dump.c index 52fa1c7..54d87e5

[PATCH libmnl 1/3] examples: fix neigh max attributes

Use NDA_MAX for neigh maximum attributes instead of IFA_MAX, which is only for interfaces. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- examples/rtnl/rtnl-neigh-dump.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/rtnl/rtnl-neigh-dump.c b/ex

[PATCH libmnl 0/3] examples: rtnl neigh dump cleanups

These series apply some small code cleanups. Laura Garcia Liebana (3): examples: fix neigh max attributes examples: fix print line format examples: reduce LOCs during neigh attributes validation examples/rtnl/rtnl-neigh-dump.c | 13 + 1 file changed, 5 insertions(+), 8

[PATCH libmnl] examples: add arp cache dump example

Adding ARP example in order to dump the info in the form: index= family= dst= lladdr= state= Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- examples/rtnl/Makefile.am | 6 +- examples/rtnl/rtnl-arp-dump.c | 161 ++ 2 files change

[ANNOUNCE] nftlb 0.2 release

Hi! I'm honored to present nftlb 0.2 nftlb stands for nftables load balancer, a user space tool that builds a complete load balancer and traffic distributor using the nft infrastructure. nftlb is a nftables rules manager that creates virtual services for load balancing at layer 2, layer 3

Re: [PATCH nftlb] src: add -W and compilation warnings that result from it

On Fri, May 11, 2018 at 02:50:46PM +0200, Pablo Neira Ayuso wrote: > config.c: In function ‘config_file’: > config.c:60:30: warning: ordered comparison of pointer with integer zero > [-Wextra] > if ((fd = fopen(file, "r")) <= 0) { > ^~ > > nft.c: In function

Re: [PATCH nftlb,v4] build: use autotools

On Fri, May 11, 2018 at 02:24:29PM +0200, Pablo Neira Ayuso wrote: > - Add configure.ac and Makefile.am files. > - Update .gitignore file to ignore autogenerated scripts by autotools. > Applied, thanks Pablo! https://github.com/zevenet/nftlb/commit/52ae2784dd624a1a411addd58e796cb73cc5a1b2 -- To

[PATCH libnftnl] expr: add map lookups for hash statements

This patch introduces two new attributes for hash expression to allow map lookups where the hash is the key. The new attributes are NFTNL_EXPR_HASH_SET_NAME and NFTNL_EXPR_HASH_SET_ID in order to identify the given map. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- include/li

[PATCH nf-next 2/2] netfilter: nft_hash: add map lookups for hashing operations

This patch creates new attributes to accept a map as argument and then perform the lookup with the generated hash accordingly. Both current hash functions are supported: Jenkins and Symmetric Hash. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- include/uapi/linux/net

[PATCH nf-next 1/2] netfilter: nft_numgen: add map lookups for numgen random operations

This patch uses the map lookup already included to be applied for random number generation. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- net/netfilter/nft_numgen.c | 79 +++--- 1 file changed, 75 insertions(+), 4 deletions(-) diff

[PATCH nf-next 0/2] netfilter: nft map lookups support for number generator expressions

The following patches complete the implementation of map lookups using as a key the given number generator like incremental, random or the different hash algorithms supported. This is useful for load balancing use cases but also for dynamic map lookups using these expressions. Laura Garcia

[PATCH nf-next] netfilter: nf_tables: enable hashing of one element

ess rule: Numerical result out of range add rule ip nftlb lb01 dnat to jhash ip saddr mod 1 map { 0: 192.168.0.10 } ^^^ The solution comes to force the hash to 0 when the modulus is 1. Signed-off-by: Laura Garcia Liebana &

[PATCH nft] expr: add map lookups for numgen statements

This patch introduces a map as a numgen attribute, which permits to lookup a value based on the numgen result as the key. This approach only supports named maps. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- include/expression.h| 1 + include/linux/net

[PATCH libnftnl] expr: add map lookups for numgen statements

This patch introduces two new attributes for numgen to allow map lookups where the number generator will be the key. Two new attributes needs to be included: NFTNL_EXPR_NG_SET_NAME and NFTNL_EXPR_NG_SET_ID in order to identify the given map. Signed-off-by: Laura Garcia Liebana <nev...@gmail.

[PATCH nf-next] netfilter: nf_tables: add map lookups for numgen statements

, but it will be supported for random in a follow-up patch. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- include/uapi/linux/netfilter/nf_tables.h | 4 ++ net/netfilter/nft_numgen.c | 85 ++-- 2 files changed, 84 insertions(+), 5 deletions(-)

Re: [PATCH nft] create u32_integer type to be used as a key for sets and maps

On Sat, Mar 24, 2018 at 12:47 AM, Duncan Roe <duncan_...@optusnet.com.au> wrote: > On Wed, Mar 14, 2018 at 10:00:35PM +0100, Laura Garcia Liebana wrote: >> Create the new type u32_integer with a fixed size in order to >> be used as a key in maps and sets. The type inte

[PATCH nft] support of dynamic map addition and update of elements

+ 12 => reg 1 ] [ numgen reg 2 = inc mod 2 offset 100 ] [ dynset add reg_key 1 set persistencia sreg_data 2 ] Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- include/statement.h | 11 +++ src/evaluate.c| 10 ++ src/netlink_delineari

[PATCH nft] create u32_integer type to be used as a key for sets and maps

} set conjunto { type u32_integer } } Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- This is the v2 of ("fix integer type size to be used as a key for sets and maps"), due to this approach fits better with the current design of nft types than

Re: [PATCH v3 0/17] netfilter: nf_flow_table: refactoring, TCP state tracking, sending flows to slow path

On Tue, Mar 13, 2018 at 7:16 AM, Rafał Miłecki wrote: > On Mon, 5 Mar 2018 23:11:38 +0100, Pablo Neira Ayuso wrote: >> On Mon, Feb 26, 2018 at 10:15:07AM +0100, Felix Fietkau wrote: >> > Fixes issues with connections hanging after >30 seconds idle time. >> > >> > Changes since

[PATCH nft] tests: shell: autogenerate dump verification

in the same path in the folder named dumps/ with .nft extension. It has been avoided the dump verification code in every test file. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- tests/shell/README | 5 +- tests/shell/run-te

[RFC nft] tests: shell: autogenerate dump verification

in the same path with .dump extension. It has been avoided the dump verification code in every test file. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- tests/shell/README | 5 +- tests/shell/run-tests.sh

Re: [PATCH nft] fix integer type size to be used as a key for sets and maps

On Fri, Mar 02, 2018 at 06:58:44PM +0100, Phil Sutter wrote: > Hi Laura, > > On Fri, Mar 02, 2018 at 05:34:02PM +0100, Laura Garcia Liebana wrote: > [...] > > diff --git a/src/datatype.c b/src/datatype.c > > index 324ac80..06015bb 100644 > > --- a/src/datat

[PATCH nft] fix integer type size to be used as a key for sets and maps

; } ^^^ After this patch, we can use an integer as a key for sets and maps: table ip nftlb { map mapa { type integer : ipv4_addr } set conjunto { type integer } } Signed-off-by: Laura Garcia Liebana <nev...@gmail.

[PATCH nft] parser: support of maps with timeout

-by: Laura Garcia Liebana <nev...@gmail.com> --- src/parser_bison.y | 5 + 1 file changed, 5 insertions(+) diff --git a/src/parser_bison.y b/src/parser_bison.y index df672b1..0c9e6c2 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -1462,6 +1462,11 @@ map_block

[PATCH nft] src: hash: fix seed attribute not listed

' mismatches 'ct mark set jhash \ ip saddr . ip daddr mod 2 offset 100' ip/hash.t: 6 unit tests, 0 error, 2 warning The expression type is now treated as an unsigned int in the hash_expr_print() function. Fixes 3a86406 ("src: hash: support of symmetric hash") Signed-off-by: Laura Garc

[PATCH nft] src: hash: fix seed attribute not listed

' mismatches 'ct mark set jhash \ ip saddr . ip daddr mod 2 offset 100' ip/hash.t: 6 unit tests, 0 error, 2 warning The expression type is now treated as an unsigned int in the hash_expr_print() function. Fixes 3a86406 ("src: hash: support of symmetric hash") Signed-off-by: Laura Garc

[PATCH nf-next v3 2/2] netfilter: nft_hash: support of symmetric hash

, but not seed. Examples: nft add rule ip nat prerouting ct mark set jhash ip saddr mod 2 nft add rule ip nat prerouting ct mark set symhash mod 2 By default, jenkins hash will be used if no hash type is provided for compatibility reasons. Signed-off-by: Laura Garcia Liebana <laura.

[PATCH nft v2] src: hash: support of symmetric hash

2 Signed-off-by: Laura Garcia Liebana <laura.gar...@zevenet.com> --- v2: - Discard new line remove include/expression.h| 1 + include/hash.h | 2 +- include/linux/netfilter/nf_tables.h | 13 + src/evaluate.c

[PATCH nf-next v2 2/2] netfilter: nft_hash: support of symmetric hash

, but not seed. Examples: nft add rule ip nat prerouting ct mark set jhash ip saddr mod 2 nft add rule ip nat prerouting ct mark set symhash mod 2 Signed-off-by: Laura Garcia Liebana <laura.gar...@zevenet.com> --- v2: - Avoid warning due to 'const' from symhash eval skb include/uapi

[PATCH nft] src: hash: support of symmetric hash

2 Signed-off-by: Laura Garcia Liebana <laura.gar...@zevenet.com> --- include/expression.h| 1 + include/hash.h | 2 +- include/linux/netfilter/nf_tables.h | 13 + src/evaluate.c | 3 ++- src/

[PATCH nf-next 2/2] netfilter: nft_hash: support of symmetric hash

, but not seed. Examples: nft add rule ip nat prerouting ct mark set jhash ip saddr mod 2 nft add rule ip nat prerouting ct mark set symhash mod 2 Signed-off-by: Laura Garcia Liebana <laura.gar...@zevenet.com> --- include/uapi/linux/netfilter/nf_tables.h | 13 + net/netfilter/nft_

[PATCH nf-next 1/2] netfilter: nft_hash: rename nft_hash to nft_jhash

This patch renames the local nft_hash structure and functions to nft_jhash in order to prepare the nft_hash module code to add new hash functions. Signed-off-by: Laura Garcia Liebana <laura.gar...@zevenet.com> --- net/netfilter/nft_hash.c | 36 ++-- 1 file c

[PATCH nf-next] netfilter: nf_tables: validate maximum value of u32 netlink hash attribute

Use the function nft_parse_u32_check() to fetch the value and validate the u32 attribute into the hash len u8 field. This patch revisits 4da449ae1df9 ("netfilter: nft_exthdr: Add size check on u8 nft_exthdr attributes"). Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --

[PATCH v3 nft 2/4] src: add offset attribute for hash expression

Add support to add an offset to the hash generator, eg. ct mark set hash ip saddr mod 10 offset 100 This will generate marks with series between 100-109. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes in v3: - This patch depends on 1/4. include/expres

[PATCH v3 nft 1/4] src: make hash seed attribute optional

y meta mark set jhash ip saddr . ip daddr mod 2 The kernel will take care of generate a random seed. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes in v3: - The random generation is done in kernel side. - Tests included. src/parser_bison.y

[PATCH v2 nft 2/4] src: add offset attribute for hash expression

Add support to add an offset to the hash generator, eg. ct mark set hash ip saddr mod 10 offset 100 This will generate marks with series between 100-109. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes in v2: - Adapt the code to the repository c

[PATCH v2 nft 1/4] src: make hash seed attribute optional

ed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes in v2: - Use getrandom(2) syscall instead of arc4random, suggested by Pablo. - This case hasn't a test case due to the random seed generation in the payload won't match. configure.ac | 22 +++

[PATCH nft 4/4] netlink: fix linearize numgen type

Avoid to treat numgen type attribute as a register. Fixes: 345236211715 ("src: add hash expression") Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- src/netlink_linearize.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/netlink_l

[PATCH nft 3/4] src: add offset attribute for numgen expression

Add support to add an offset to the numgen generated value. Example: ct mark set numgen inc mod 2 offset 100 This will generate marks with serie like 100, 101, 100, ... Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- include/expression.h| 1 + include

[PATCH nft 2/4] src: add offset attribute for hash expression

Add support to add an offset to the hash generator. Example: ct mark set hash ip saddr mod 10 offset 100 This will generate marks with series between 100-110. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- include/expression.h| 1 + include/

[PATCH nft 0/4] src: changes related to numgen and hash expressions

This patchset provides several improvements for numgen and hash expressions: - support of OFFSET attribute for numgen and hash expressions - makes SEED attribute optional and randomly generated - fix the TYPE attribute to be treated as a register Laura Garcia Liebana (4): src: make hash

[PATCH nft 1/4] src: make hash seed attribute optional

the configure of the package. Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org> Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- configure.ac | 14 +- include/hash.h | 10 ++ src/parser_bison.y | 5 + tests/py/ip/hash.t | 2 ++ 4 files

Re: [PATCH nf] netfilter: nf_tables: Ensure u8 attributes are loaded from u32 within the bounds

On Thu, Sep 22, 2016 at 09:16:07AM -0700, Eric Dumazet wrote: > On Thu, 2016-09-22 at 16:58 +0200, Pablo Neira Ayuso wrote: > > attributes") > > > > Always use 12 bytes commit-ids. 4da449a is too short, given the number > > of changes we're getting in the kernel tree, this may become ambiguous >

Re: [PATCH nf] netfilter: nf_tables: Ensure u8 attributes are loaded from u32 within the bounds

On Thu, Sep 22, 2016 at 04:58:36PM +0200, Pablo Neira Ayuso wrote: > On Wed, Sep 14, 2016 at 03:00:02PM +0200, Laura Garcia Liebana wrote: > > Check storage of u32 netlink attributes in smaller resources. This > > validation is usually required when the u32 netlink attributes are b

[PATCH v3 libnftnl] expr: numgen: add number generation offset

, ... Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org> Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes in v2: - Separate offset changes with _until_ attribute renaming, as Pablo suggested. Changes in v3: - Use OFFSET attribute instead of SUM.

[PATCH v3] netfilter: nft_numgen: add number generation offset

, 101, ... Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org> Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes in v2: - Separate offset changes with _until_ attribute renaming, as Pablo suggested. Changes in v3: - Rename SUM by OFFSET, as Pab

[PATCH] netfilter: nft_hash: fix hash overflow validation

: Add hash offset value") Reported-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- net/netfilter/nft_hash.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nf

Re: [PATCH v2] netfilter: nft_hash: Add hash offset value

On Tue, Sep 13, 2016 at 02:25:03PM +0800, Liping Zhang wrote: > Hi Laura, > > 2016-09-06 14:44 GMT+08:00 Laura Garcia Liebana <nev...@gmail.com>: > > static int nft_hash_init(const struct nft_ctx *ctx, > > @@ -60,6 +62,11 @@ static int nft_hash_init(const struct nft_ct

Re: [PATCH v2] netfilter: nft_numgen: add increment counter offset value

On Mon, Sep 12, 2016 at 06:45:58PM +0200, Pablo Neira Ayuso wrote: > On Wed, Sep 07, 2016 at 07:56:49PM +0200, Laura Garcia Liebana wrote: > > Add support for an initialization counter value. With this option the > > sysadmin is able to start the counter when used with the

Re: [PATCH v2] netfilter: nft_hash: Add hash offset value

On Mon, Sep 12, 2016 at 06:34:59PM +0200, Pablo Neira Ayuso wrote: > Hi Laura, > > On Tue, Sep 06, 2016 at 08:44:19AM +0200, Laura Garcia Liebana wrote: > > Add support to pass through an offset to the hash value. With this > > feature, the sysadmin is able to generat

Re: [PATCH nf-next] netfilter: nft_queue: add _SREG_FROM and _SRGE_TO to select the queue numbers

On Sun, Sep 11, 2016 at 11:12:26PM +0200, Florian Westphal wrote: > Liping Zhang wrote: > > From: Liping Zhang > > > > Currently, the user can specify the queue numbers by _QUEUE_NUM and > > _QUEUE_TOTAL attributes, this is enough in most

Re: [PATCH nft] src: fix compile error due to _UNTIL renamed to _MODULUS in libnftnl

On Sun, Sep 11, 2016 at 04:35:57PM +0800, Liping Zhang wrote: > From: Liping Zhang > > In the latest libnftnl, NFTNL_EXPR_NG_UNTIL was renamed to > NFTNL_EXPR_NG_MODULUS, so compile error happened: > netlink_linearize.c: In function ‘netlink_gen_numgen’: >

[PATCH v2 libnftnl] expr: numgen: add increment counter offset value

for increment number generation. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes in v2: - Separate _SUM_ changes with _until_ attribute renaming. include/buffer.h| 1 + include/libnftnl/expr.h | 1 + include/linux/netfilter/nf_tables.

[PATCH v2] netfilter: nft_numgen: add increment counter offset value

number generation. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes in v2: - Separate _SUM_ changes with _until_ attribute renaming. include/uapi/linux/netfilter/nf_tables.h | 2 ++ net/netfilter/nft_numgen.c | 9 +++-- 2 files changed, 9 insertions

[PATCH v3 libnftnl] expr: numgen: Rename until attribute by modulus

The _modulus_ attribute will be reused as _until_, as it's similar to other expressions with value limits (ex. hash). Renaming is possible according to the kernel module ntf_numgen that has not been released yet. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes

[PATCH v2] netfilter: nft_hash: Add hash offset value

. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes in v2: - Add check for hash + sum overflow. include/uapi/linux/netfilter/nf_tables.h | 2 ++ net/netfilter/nft_hash.c | 16 ++-- 2 files changed, 16 insertions(+), 2 deletions(-) diff

Re: [PATCH] netfilter: nft_hash: Add hash offset value

On Mon, Sep 05, 2016 at 11:10:28AM +0200, Pablo Neira Ayuso wrote: > On Mon, Sep 05, 2016 at 10:36:57AM +0200, Laura Garcia Liebana wrote: > > Add support to pass through an offset to the hash value. With this > > feature, the sysadmin is able to generate a hash with a given &

[PATCH libnftnl] expr: hash: Add offset to hash value

. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- include/libnftnl/expr.h | 1 + include/linux/netfilter/nf_tables.h | 2 ++ src/expr/hash.c | 39 +++-- tests/nft-expr_hash-test.c | 4 4 files chang

[PATCH] netfilter: nft_hash: Add hash offset value

. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- include/uapi/linux/netfilter/nf_tables.h | 2 ++ net/netfilter/nft_hash.c | 13 +++-- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi

[PATCH v2 libnftnl] expr: numgen: Rename until attribute by modulus

The _modulus_ attribute will be reused as _until_, as it's similar to other expressions with value limits (ex. hash). Renaming is possible according to the kernel module ntf_numgen that has not been released yet. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes

[PATCH v2] netfilter: nft_numgen: rename until attribute by modulus

The _until_ attribute is renamed to _modulus_ as the behaviour is similar to other expresions with number limits (ex. nft_hash). Renaming is possible because there isn't a kernel release yet with these changes. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes

[PATCH] netfilter: nft_numgen: add counter offset value and rename until by modulus

is renamed to _modulus_ as the behaviour is similar to other expresions with number limits(ex. nft_hash). Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- include/uapi/linux/netfilter/nf_tables.h | 6 -- net/netfilter/nft_numgen.c | 37 ++-- 2

Re: [PATCH v3] netfilter: nf_tables: Ensure init attributes are within the bounds

system] > [Suggest to use git(>=2.9.0) format-patch --base= (or --base=auto for > convenience) to record what (public, well-known) commit your patch series was > built on] > [Check https://git-scm.com/docs/git-format-patch for more information] > > url: > https://github.com/

[PATCH v4] netfilter: nf_tables: Ensure init attributes are within the bounds

Check for overflow of u8 fields from u32 netlink attributes and maximum values. Refer to 4da449ae1df Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- (was: netfilter: nf_tables: Check for overflow of u8 fields from u32 netlink attributes) Changes in V4: - Define NFT_C

[PATCH v3] netfilter: nf_tables: Ensure init attributes are within the bounds

Check for overflow of u8 fields from u32 netlink attributes and maximum values. Refer to 4da449ae1df Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- (was: netfilter: nf_tables: Check for overflow of u8 fields from u32 netlink attributes) Changes in V3: - Use ERANGE i

[PATCH v5] netfilter: nft_numgen: add number generator expression

Add support for the number generator expression in netfilter. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes in V5: - Reorder the functions - Add attributes checks - Use switch instead of if statements include/uapi/linux/netfilter/nf_tables.h

[PATCH v4] netfilter: nft_numgen: add number generator expression

Add support for the number generator expression in netfilter. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes in V4: - Rename prandom state identifier include/uapi/linux/netfilter/nf_tables.h | 25 net/netfilter/Kconfig| 6 + net/net

Re: [PATCH v3] netfilter: nft_numgen: add number generator expression

e system] > > url: > https://github.com/0day-ci/linux/commits/Laura-Garcia-Liebana/netfilter-nft_numgen-add-number-generator-expression/20160814-185132 > base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git > master > config: i386-allyesconfig (attached as .confi

[PATCH v2] netfilter: nf_tables: Check for overflow of u8 fields from u32 netlink attributes

Fix the direct assignment from u32 data input into an attribute with a size of u8. Refer to 4da449ae1df Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes in V2: - Collapse the 5 independent patches in just one - Change description and subject - A

[PATCH v5] netfilter: nf_tables: add hash expression

This patch adds a new hash expression, this provides jhash support but this can be extended to support for other hash functions. The modulus and seed already comes embedded into this new expression. Use case example: meta mark set hash ip saddr mod 10 Signed-off-by: Laura Garcia Liebana <

[PATCH v4] netfilter: nf_tables: add hash expression

This patch adds a new hash expression, this provides jhash support but this can be extended to support for other hash functions. The modulus and seed already comes embedded into this new expression. Use case example: meta mark set hash ip saddr mod 10 Signed-off-by: Laura Garcia Liebana <

[PATCH 3/5] netfilter: nf_tables: Check u32 load in u8 nft_cmp attribute

Fix the direct assignment from u32 data input into the len attribute with a size of u8. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- net/netfilter/nft_cmp.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nft_cmp.c b/net/netfilter/nft

[PATCH 5/5] netfilter: nf_tables: Check u32 load in u8 nft_nat attribute

Fix the direct assignment from u32 data input into the family attribute with a size of u8. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- net/netfilter/nft_nat.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c index e

[PATCH 4/5] netfilter: nf_tables: Check u32 load in u8 nft_immediate attribute

Fix the direct assignment from u32 data input into the dlen attribute with a size of u8. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- net/netfilter/nft_immediate.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immed

[PATCH 1/5] netfilter: nf_tables: Check u32 load in u8 nft_bitwise attribute

Fix the direct assignment from u32 data input into the len attribute with a size of u8. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- net/netfilter/nft_bitwise.c | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nft_bitwise.c b/net/net

Re: [PATCH v2] netfilter: nf_tables: add hash expression

On Wed, Aug 10, 2016 at 10:38:08AM +0800, Liping Zhang wrote: > Hi Laura, > > 2016-08-10 2:22 GMT+08:00 Laura Garcia Liebana <nev...@gmail.com>: > > This patch adds a new hash expression, this provides jhash support but > > this can be extended to suppo

[PATCH 0/5] Check u32 load in u8 attributes

The following patchset adds a check during the load of an u32 value into an u8 attribute which can cause an overflow. Laura Garcia Liebana (5): netfilter: nf_tables: Check u32 load in u8 nft_bitwise attribute netfilter: nf_tables: Check u32 load in u8 nft_byteorder attribute netfilter

[PATCH] netfilter: nf_tables: Add size check on u8 nft_exthdr attributes

Fix the direct assignment of offset and length attributes included in nft_exthdr structure from u32 data to u8. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- net/netfilter/nft_exthdr.c | 13 +++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/net/net

[PATCH v2] netfilter: nf_tables: add hash expression

This patch adds a new hash expression, this provides jhash support but this can be extended to support for other hash functions. The modulus and seed already comes embedded into this new expression. Use case example: meta mark set hash ip saddr mod 10 Signed-off-by: Laura Garcia Liebana <

Re: [PATCH v2] netfilter: nft_nth: match every n packets

On Tue, Aug 09, 2016 at 12:52:53PM +0200, Pablo Neira Ayuso wrote: > On Thu, Jul 28, 2016 at 11:20:59AM +0200, Florian Westphal wrote: > > Laura Garcia <nev...@gmail.com> wrote: > > > On Thu, Jul 28, 2016 at 01:01:05AM +0200, Florian Westphal wrote: > > > >

[PATCH libnftnl] expr: hash: Jenkins hash expression support

Support for the nft hash expression within libnftnl. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- include/buffer.h| 2 + include/libnftnl/expr.h | 16 ++ include/linux/netfilter/nf_tables.h | 20 +++ src/Makefile.am

[PATCH] netfilter: nft_hash: generate Jenkins Hash per source register

This patch adds a new hash expression, this provides jhash support but this can be extended to support for other hash functions. The modulus and seed comes already come embedded into this new expression. Use case example: meta mark set hash ip saddr mod 10 Signed-off-by: Laura Garcia Liebana

[PATCH v2] netfilter: nft_nth: match every n packets

-by: Laura Garcia Liebana <nev...@gmail.com> --- include/uapi/linux/netfilter/nf_tables.h | 15 net/netfilter/Kconfig| 6 ++ net/netfilter/Makefile | 1 + net/netfilter/nft_nth.c | 123 +++ 4 files c

[PATCH libnftnl] expr: nth: match every n packets

Support for the nft nth expression within libnftnl. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- include/libnftnl/expr.h | 10 ++ include/linux/netfilter/nf_tables.h | 14 +++ src/Makefile.am | 1 + src/expr/nth.c

[PATCH] netfilter: nft_nth: match every n packets

off-by: Laura Garcia Liebana <nev...@gmail.com> --- include/net/netfilter/nft_nth.h | 31 +++ include/uapi/linux/netfilter/nf_tables.h | 15 net/netfilter/Kconfig| 6 ++ net/netfilter/Makefile | 1 + net/netfilter/

Re: [PATCH] extensions: libxt_conntrack: Add translation to nft

On Wed, Jun 15, 2016 at 02:21:27PM +0200, Pablo Neira Ayuso wrote: > On Tue, Jun 14, 2016 at 08:02:45PM +0200, Laura Garcia Liebana wrote: > > Add translation of conntrack to nftables. > > > > Examples: > > > > $ sudo iptables-translate -t filter -A INPUT -m con

Re: [PATCH] extensions: libxt_cgroup: Add translation to nft

On Tue, Jun 14, 2016 at 06:48:51PM +0200, Pablo Neira Ayuso wrote: > Please, document on the wikipage that we don't support yet the new > cgroup2 path-based on nft so we don't forget to discuss about this at > some point. Just included in the wiki. -- To unsubscribe from this list: send the line

[PATCH] extensions: libxt_conntrack: Add translation to nft

ORIGINAL -j ACCEPT nft add rule ip filter INPUT ct direction original counter accept Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- extensions/libxt_conntrack.c | 247 +++ 1 file changed, 247 insertions(+) diff --git a/exte

[PATCH] extensions: libxt_cgroup: Add translation to nft

ACCEPT nft add rule ip filter INPUT meta cgroup != 0 counter accept Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- extensions/libxt_cgroup.c | 28 1 file changed, 28 insertions(+) diff --git a/extensions/libxt_cgroup.c b/extensions/libxt_cgroup.c index 3

[PATCHv4] extensions: libip6t_frag: Add translation to nft

frag-off 0 counter accept $ sudo iptables-translate -t filter -A INPUT -m frag --fraglast -j ACCEPT nft add rule ip6 filter INPUT frag more-fragments 0 counter accept Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes in v2: - Include translation for fragfirst and fr

[PATCHv3] extensions: libip6t_frag: Add translation to nft

frag-off 0 counter accept Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes in v2: - Include translation for fragfirst and fraglast. - fraglen is marked as deprecated. Changes in v3: - Ignore completely IP6T_FRAG_LEN. extensions/libip6t_frag.

[PATCHv2] extensions: libip6t_frag: Add translation to nft

frag-off 0 counter accept Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes in v2: - Include translation for fragfirst and fraglast. - fraglen is marked as deprecated. extensions/libip6t_frag.c | 33 + 1 file changed, 33 inse

[PATCH] extensions: libxt_dscp: Add translation to nft

ip6 filter INPUT ip6 dscp != 0x32 counter accept Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- extensions/libxt_dscp.c | 92 ++--- 1 file changed, 79 insertions(+), 13 deletions(-) diff --git a/extensions/libxt_dscp.c b/exte

  1   2   >