Hi!
I'm honored to present
nftlb 0.3
nftlb stands for nftables load balancer, a user space tool
that builds a complete load balancer and traffic distributor
using the nft infrastructure.
nftlb is a nftables rules manager that creates virtual services
for load balancing at layer 2, layer 3
makes a declaration of the json_events_cb() function
consistent.
Fixes: bb32d8db9a12 ("JSON: Add support for echo option")
Signed-off-by: Laura Garcia Liebana
---
include/json.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/include/json.h b/include/json.h
ind
On Tue, Aug 7, 2018 at 3:26 PM, Saber Rezvani wrote:
> Do you know who exactly is working on this feature in nft? Could you possibly
> introduce me to him/her?
> You know we have decided to work on this issue. So it is a best practice to
> get in touch with running development team who works on this
On Fri, Aug 3, 2018 at 11:03 AM, Oleg wrote:
> On Fri, Aug 03, 2018 at 01:21:05AM +0430, Saber Rezvani wrote:
>> On 08/03/2018 12:14 AM, Oleg wrote:
>> > On Thu, Aug 02, 2018 at 06:44:26PM +0430, Saber Rezvani wrote:
>> >> Dear all,
>> >>
>> >>
>> >> Some of my friends and I have decided to work
(...)) + PTR_ERR
>
> Generated by: scripts/coccinelle/api/ptr_ret.cocci
>
> Fixes: d734a2888922 ("netfilter: nft_numgen: add map lookups for numgen
> statements")
> CC: Laura Garcia Liebana <nev...@gmail.com>
> Signed-off-by: kbuild test robot <fengguang...@intel.com
O can be used
>
>
> Use PTR_ERR_OR_ZERO rather than if(IS_ERR(...)) + PTR_ERR
>
> Generated by: scripts/coccinelle/api/ptr_ret.cocci
>
> Fixes: b9ccc07e3f31 ("netfilter: nft_hash: add map lookups for hashing
> operations")
> CC: Laura Garcia Liebana <nev...@gmail
This patch avoids some LOCs duplication.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
examples/rtnl/rtnl-neigh-dump.c | 5 -
1 file changed, 5 deletions(-)
diff --git a/examples/rtnl/rtnl-neigh-dump.c b/examples/rtnl/rtnl-neigh-dump.c
index 54d87e5..f4d5000
Use 80 characters per line limit.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
examples/rtnl/rtnl-neigh-dump.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/examples/rtnl/rtnl-neigh-dump.c b/examples/rtnl/rtnl-neigh-dump.c
index 52fa1c7..54d87e5
Use NDA_MAX for neigh maximum attributes instead of IFA_MAX,
which is only for interfaces.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
examples/rtnl/rtnl-neigh-dump.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/examples/rtnl/rtnl-neigh-dump.c b/ex
This series applies some small code cleanups.
Laura Garcia Liebana (3):
examples: fix neigh max attributes
examples: fix print line format
examples: reduce LOCs during neigh attributes validation
examples/rtnl/rtnl-neigh-dump.c | 13 +
1 file changed, 5 insertions(+), 8
Adding ARP example in order to dump the info in the form:
index= family= dst= lladdr=
state=
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
examples/rtnl/Makefile.am | 6 +-
examples/rtnl/rtnl-arp-dump.c | 161 ++
2 files change
Hi!
I'm honored to present
nftlb 0.2
nftlb stands for nftables load balancer, a user space tool
that builds a complete load balancer and traffic distributor
using the nft infrastructure.
nftlb is a nftables rules manager that creates virtual services
for load balancing at layer 2, layer 3
On Fri, May 11, 2018 at 02:50:46PM +0200, Pablo Neira Ayuso wrote:
> config.c: In function ‘config_file’:
> config.c:60:30: warning: ordered comparison of pointer with integer zero
> [-Wextra]
> if ((fd = fopen(file, "r")) <= 0) {
> ^~
>
> nft.c: In function
On Fri, May 11, 2018 at 02:24:29PM +0200, Pablo Neira Ayuso wrote:
> - Add configure.ac and Makefile.am files.
> - Update .gitignore file to ignore autogenerated scripts by autotools.
>
Applied, thanks Pablo!
https://github.com/zevenet/nftlb/commit/52ae2784dd624a1a411addd58e796cb73cc5a1b2
--
To
This patch introduces two new attributes for hash expression
to allow map lookups where the hash is the key.
The new attributes are NFTNL_EXPR_HASH_SET_NAME and
NFTNL_EXPR_HASH_SET_ID in order to identify the given map.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
include/li
This patch creates new attributes to accept a map as argument and
then perform the lookup with the generated hash accordingly.
Both current hash functions are supported: Jenkins and Symmetric Hash.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
include/uapi/linux/net
This patch uses the map lookup already included to be applied
for random number generation.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
net/netfilter/nft_numgen.c | 79 +++---
1 file changed, 75 insertions(+), 4 deletions(-)
diff
The following patches complete the implementation of map lookups
using as a key the given number generator like incremental, random or
the different hash algorithms supported. This is useful for load
balancing use cases but also for dynamic map lookups using these
expressions.
Laura Garcia
ess rule: Numerical result out of range
add rule ip nftlb lb01 dnat to jhash ip saddr mod 1 map { 0: 192.168.0.10 }
^^^
The solution comes to force the hash to 0 when the modulus is 1.
Signed-off-by: Laura Garcia Liebana
This patch introduces a map as a numgen attribute, which permits
to lookup a value based on the numgen result as the key.
This approach only supports named maps.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
include/expression.h| 1 +
include/linux/net
This patch introduces two new attributes for numgen to allow map
lookups where the number generator will be the key.
Two new attributes need to be included: NFTNL_EXPR_NG_SET_NAME and
NFTNL_EXPR_NG_SET_ID in order to identify the given map.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.
, but
it will be supported for random in a follow-up patch.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
include/uapi/linux/netfilter/nf_tables.h | 4 ++
net/netfilter/nft_numgen.c | 85 ++--
2 files changed, 84 insertions(+), 5 deletions(-)
On Sat, Mar 24, 2018 at 12:47 AM, Duncan Roe <duncan_...@optusnet.com.au> wrote:
> On Wed, Mar 14, 2018 at 10:00:35PM +0100, Laura Garcia Liebana wrote:
>> Create the new type u32_integer with a fixed size in order to
>> be used as a key in maps and sets. The type inte
+ 12 => reg 1 ]
[ numgen reg 2 = inc mod 2 offset 100 ]
[ dynset add reg_key 1 set persistencia sreg_data 2 ]
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
include/statement.h | 11 +++
src/evaluate.c| 10 ++
src/netlink_delineari
}
set conjunto {
type u32_integer
}
}
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
This is the v2 of ("fix integer type size to be used as a key
for sets and maps"), due to this approach fits better with the
current design of nft types than
On Tue, Mar 13, 2018 at 7:16 AM, Rafał Miłecki wrote:
> On Mon, 5 Mar 2018 23:11:38 +0100, Pablo Neira Ayuso wrote:
>> On Mon, Feb 26, 2018 at 10:15:07AM +0100, Felix Fietkau wrote:
>> > Fixes issues with connections hanging after >30 seconds idle time.
>> >
>> > Changes since
in the same path in the folder named
dumps/ with .nft extension.
It has been avoided the dump verification code in every test
file.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
tests/shell/README | 5 +-
tests/shell/run-te
in the same path with .dump
extension.
It has been avoided the dump verification code in every test
file.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
tests/shell/README | 5 +-
tests/shell/run-tests.sh
On Fri, Mar 02, 2018 at 06:58:44PM +0100, Phil Sutter wrote:
> Hi Laura,
>
> On Fri, Mar 02, 2018 at 05:34:02PM +0100, Laura Garcia Liebana wrote:
> [...]
> > diff --git a/src/datatype.c b/src/datatype.c
> > index 324ac80..06015bb 100644
> > --- a/src/datat
; }
^^^
After this patch, we can use an integer as a key for sets
and maps:
table ip nftlb {
map mapa {
type integer : ipv4_addr
}
set conjunto {
type integer
}
}
Signed-off-by: Laura Garcia Liebana <nev...@gmail.
-by: Laura Garcia Liebana <nev...@gmail.com>
---
src/parser_bison.y | 5 +
1 file changed, 5 insertions(+)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index df672b1..0c9e6c2 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -1462,6 +1462,11 @@ map_block
' mismatches 'ct mark set jhash \
ip saddr . ip daddr mod 2 offset 100'
ip/hash.t: 6 unit tests, 0 error, 2 warning
The expression type is now treated as an unsigned int in the
hash_expr_print() function.
Fixes 3a86406 ("src: hash: support of symmetric hash")
Signed-off-by: Laura Garc
' mismatches 'ct mark set jhash \
ip saddr . ip daddr mod 2 offset 100'
ip/hash.t: 6 unit tests, 0 error, 2 warning
The expression type is now treated as an unsigned int in the
hash_expr_print() function.
Fixes 3a86406 ("src: hash: support of symmetric hash")
Signed-off-by: Laura Garc
, but not seed.
Examples:
nft add rule ip nat prerouting ct mark set jhash ip saddr mod 2
nft add rule ip nat prerouting ct mark set symhash mod 2
By default, jenkins hash will be used if no hash type is
provided for compatibility reasons.
Signed-off-by: Laura Garcia Liebana <laura.
2
Signed-off-by: Laura Garcia Liebana <laura.gar...@zevenet.com>
---
v2:
- Discard new line remove
include/expression.h| 1 +
include/hash.h | 2 +-
include/linux/netfilter/nf_tables.h | 13 +
src/evaluate.c
, but not seed.
Examples:
nft add rule ip nat prerouting ct mark set jhash ip saddr mod 2
nft add rule ip nat prerouting ct mark set symhash mod 2
Signed-off-by: Laura Garcia Liebana <laura.gar...@zevenet.com>
---
v2:
- Avoid warning due to 'const' from symhash eval skb
include/uapi
2
Signed-off-by: Laura Garcia Liebana <laura.gar...@zevenet.com>
---
include/expression.h| 1 +
include/hash.h | 2 +-
include/linux/netfilter/nf_tables.h | 13 +
src/evaluate.c | 3 ++-
src/
, but not seed.
Examples:
nft add rule ip nat prerouting ct mark set jhash ip saddr mod 2
nft add rule ip nat prerouting ct mark set symhash mod 2
Signed-off-by: Laura Garcia Liebana <laura.gar...@zevenet.com>
---
include/uapi/linux/netfilter/nf_tables.h | 13 +
net/netfilter/nft_
This patch renames the local nft_hash structure and functions
to nft_jhash in order to prepare the nft_hash module code to
add new hash functions.
Signed-off-by: Laura Garcia Liebana <laura.gar...@zevenet.com>
---
net/netfilter/nft_hash.c | 36 ++--
1 file c
Use the function nft_parse_u32_check() to fetch the value and validate
the u32 attribute into the hash len u8 field.
This patch revisits 4da449ae1df9 ("netfilter: nft_exthdr: Add size check
on u8 nft_exthdr attributes").
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
--
Add support to add an offset to the hash generator, eg.
ct mark set hash ip saddr mod 10 offset 100
This will generate marks with series between 100-109.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes in v3:
- This patch depends on 1/4.
include/expres
y meta mark set jhash ip saddr . ip daddr mod 2
The kernel will take care of generating a random seed.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes in v3:
- The random generation is done in kernel side.
- Tests included.
src/parser_bison.y
Add support to add an offset to the hash generator, eg.
ct mark set hash ip saddr mod 10 offset 100
This will generate marks with series between 100-109.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes in v2:
- Adapt the code to the repository c
ed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes in v2:
- Use getrandom(2) syscall instead of arc4random, suggested by Pablo.
- This case hasn't a test case due to the random seed generation in
the payload won't match.
configure.ac | 22 +++
Avoid treating the numgen type attribute as a register.
Fixes: 345236211715 ("src: add hash expression")
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
src/netlink_linearize.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/netlink_l
Add support to add an offset to the numgen generated value.
Example:
ct mark set numgen inc mod 2 offset 100
This will generate marks with a series like 100, 101, 100, ...
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
include/expression.h| 1 +
include
Add support to add an offset to the hash generator.
Example:
ct mark set hash ip saddr mod 10 offset 100
This will generate marks with series between 100-110.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
include/expression.h| 1 +
include/
This patchset provides several improvements for numgen and hash
expressions:
- support of OFFSET attribute for numgen and hash expressions
- makes SEED attribute optional and randomly generated
- fix the TYPE attribute to be treated as a register
Laura Garcia Liebana (4):
src: make hash
the configure of the
package.
Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org>
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
configure.ac | 14 +-
include/hash.h | 10 ++
src/parser_bison.y | 5 +
tests/py/ip/hash.t | 2 ++
4 files
On Thu, Sep 22, 2016 at 09:16:07AM -0700, Eric Dumazet wrote:
> On Thu, 2016-09-22 at 16:58 +0200, Pablo Neira Ayuso wrote:
> > attributes")
> >
> > Always use 12 bytes commit-ids. 4da449a is too short, given the number
> > of changes we're getting in the kernel tree, this may become ambiguous
>
On Thu, Sep 22, 2016 at 04:58:36PM +0200, Pablo Neira Ayuso wrote:
> On Wed, Sep 14, 2016 at 03:00:02PM +0200, Laura Garcia Liebana wrote:
> > Check storage of u32 netlink attributes in smaller resources. This
> > validation is usually required when the u32 netlink attributes are b
, ...
Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org>
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes in v2:
- Separate offset changes with _until_ attribute renaming, as
Pablo suggested.
Changes in v3:
- Use OFFSET attribute instead of SUM.
, 101, ...
Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org>
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes in v2:
- Separate offset changes with _until_ attribute renaming, as
Pablo suggested.
Changes in v3:
- Rename SUM by OFFSET, as Pab
: Add hash offset value")
Reported-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
net/netfilter/nft_hash.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nf
On Tue, Sep 13, 2016 at 02:25:03PM +0800, Liping Zhang wrote:
> Hi Laura,
>
> 2016-09-06 14:44 GMT+08:00 Laura Garcia Liebana <nev...@gmail.com>:
> > static int nft_hash_init(const struct nft_ctx *ctx,
> > @@ -60,6 +62,11 @@ static int nft_hash_init(const struct nft_ct
On Mon, Sep 12, 2016 at 06:45:58PM +0200, Pablo Neira Ayuso wrote:
> On Wed, Sep 07, 2016 at 07:56:49PM +0200, Laura Garcia Liebana wrote:
> > Add support for an initialization counter value. With this option the
> > sysadmin is able to start the counter when used with the
On Mon, Sep 12, 2016 at 06:34:59PM +0200, Pablo Neira Ayuso wrote:
> Hi Laura,
>
> On Tue, Sep 06, 2016 at 08:44:19AM +0200, Laura Garcia Liebana wrote:
> > Add support to pass through an offset to the hash value. With this
> > feature, the sysadmin is able to generat
On Sun, Sep 11, 2016 at 11:12:26PM +0200, Florian Westphal wrote:
> Liping Zhang wrote:
> > From: Liping Zhang
> >
> > Currently, the user can specify the queue numbers by _QUEUE_NUM and
> > _QUEUE_TOTAL attributes, this is enough in most
On Sun, Sep 11, 2016 at 04:35:57PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> In the latest libnftnl, NFTNL_EXPR_NG_UNTIL was renamed to
> NFTNL_EXPR_NG_MODULUS, so compile error happened:
> netlink_linearize.c: In function ‘netlink_gen_numgen’:
>
for increment number generation.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes in v2:
- Separate _SUM_ changes with _until_ attribute renaming.
include/buffer.h| 1 +
include/libnftnl/expr.h | 1 +
include/linux/netfilter/nf_tables.
number generation.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes in v2:
- Separate _SUM_ changes with _until_ attribute renaming.
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/netfilter/nft_numgen.c | 9 +++--
2 files changed, 9 insertions
The _modulus_ attribute will be reused as _until_, as it's similar to
other expressions with value limits (ex. hash).
Renaming is possible according to the kernel module nft_numgen that has
not been released yet.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes
.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes in v2:
- Add check for hash + sum overflow.
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/netfilter/nft_hash.c | 16 ++--
2 files changed, 16 insertions(+), 2 deletions(-)
diff
On Mon, Sep 05, 2016 at 11:10:28AM +0200, Pablo Neira Ayuso wrote:
> On Mon, Sep 05, 2016 at 10:36:57AM +0200, Laura Garcia Liebana wrote:
> > Add support to pass through an offset to the hash value. With this
> > feature, the sysadmin is able to generate a hash with a given
.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
include/libnftnl/expr.h | 1 +
include/linux/netfilter/nf_tables.h | 2 ++
src/expr/hash.c | 39 +++--
tests/nft-expr_hash-test.c | 4
4 files chang
.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/netfilter/nft_hash.c | 13 +++--
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/include/uapi/linux/netfilter/nf_tables.h
b/include/uapi
The _modulus_ attribute will be reused as _until_, as it's similar to
other expressions with value limits (ex. hash).
Renaming is possible according to the kernel module nft_numgen that has
not been released yet.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes
The _until_ attribute is renamed to _modulus_ as the behaviour is similar to
other expressions with number limits (ex. nft_hash).
Renaming is possible because there isn't a kernel release yet with these
changes.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes
is renamed to _modulus_ as the behaviour is similar to
other expressions with number limits (ex. nft_hash).
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
include/uapi/linux/netfilter/nf_tables.h | 6 --
net/netfilter/nft_numgen.c | 37 ++--
2
system]
> [Suggest to use git(>=2.9.0) format-patch --base= (or --base=auto for
> convenience) to record what (public, well-known) commit your patch series was
> built on]
> [Check https://git-scm.com/docs/git-format-patch for more information]
>
> url:
> https://github.com/
Check for overflow of u8 fields from u32 netlink attributes and maximum
values.
Refer to 4da449ae1df
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
(was: netfilter: nf_tables: Check for overflow of u8 fields from u32
netlink attributes)
Changes in V4:
- Define NFT_C
Check for overflow of u8 fields from u32 netlink attributes and maximum
values.
Refer to 4da449ae1df
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
(was: netfilter: nf_tables: Check for overflow of u8 fields from u32
netlink attributes)
Changes in V3:
- Use ERANGE i
Add support for the number generator expression in netfilter.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes in V5:
- Reorder the functions
- Add attributes checks
- Use switch instead of if statements
include/uapi/linux/netfilter/nf_tables.h
Add support for the number generator expression in netfilter.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes in V4:
- Rename prandom state identifier
include/uapi/linux/netfilter/nf_tables.h | 25
net/netfilter/Kconfig| 6 +
net/net
e system]
>
> url:
> https://github.com/0day-ci/linux/commits/Laura-Garcia-Liebana/netfilter-nft_numgen-add-number-generator-expression/20160814-185132
> base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
> master
> config: i386-allyesconfig (attached as .confi
Fix the direct assignment from u32 data input into an attribute with a
size of u8.
Refer to 4da449ae1df
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes in V2:
- Collapse the 5 independent patches in just one
- Change description and subject
- A
This patch adds a new hash expression, this provides jhash support but
this can be extended to support for other hash functions.
The modulus and seed already come embedded into this new expression.
Use case example:
meta mark set hash ip saddr mod 10
Signed-off-by: Laura Garcia Liebana <
This patch adds a new hash expression, this provides jhash support but
this can be extended to support for other hash functions.
The modulus and seed already come embedded into this new expression.
Use case example:
meta mark set hash ip saddr mod 10
Signed-off-by: Laura Garcia Liebana <
Fix the direct assignment from u32 data input into the len attribute
with a size of u8.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
net/netfilter/nft_cmp.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_cmp.c b/net/netfilter/nft
Fix the direct assignment from u32 data input into the family
attribute with a size of u8.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
net/netfilter/nft_nat.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
index e
Fix the direct assignment from u32 data input into the dlen attribute
with a size of u8.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
net/netfilter/nft_immediate.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immed
Fix the direct assignment from u32 data input into the len attribute
with a size of u8.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
net/netfilter/nft_bitwise.c | 7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_bitwise.c b/net/net
On Wed, Aug 10, 2016 at 10:38:08AM +0800, Liping Zhang wrote:
> Hi Laura,
>
> 2016-08-10 2:22 GMT+08:00 Laura Garcia Liebana <nev...@gmail.com>:
> > This patch adds a new hash expression, this provides jhash support but
> > this can be extended to suppo
The following patchset adds a check during the load of an u32 value
into an u8 attribute which can cause an overflow.
Laura Garcia Liebana (5):
netfilter: nf_tables: Check u32 load in u8 nft_bitwise attribute
netfilter: nf_tables: Check u32 load in u8 nft_byteorder attribute
netfilter
Fix the direct assignment of offset and length attributes included in
nft_exthdr structure from u32 data to u8.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
net/netfilter/nft_exthdr.c | 13 +++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/net/net
This patch adds a new hash expression, this provides jhash support but
this can be extended to support for other hash functions.
The modulus and seed already come embedded into this new expression.
Use case example:
meta mark set hash ip saddr mod 10
Signed-off-by: Laura Garcia Liebana <
On Tue, Aug 09, 2016 at 12:52:53PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Jul 28, 2016 at 11:20:59AM +0200, Florian Westphal wrote:
> > Laura Garcia <nev...@gmail.com> wrote:
> > > On Thu, Jul 28, 2016 at 01:01:05AM +0200, Florian Westphal wrote:
> > > >
Support for the nft hash expression within libnftnl.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
include/buffer.h| 2 +
include/libnftnl/expr.h | 16 ++
include/linux/netfilter/nf_tables.h | 20 +++
src/Makefile.am
This patch adds a new hash expression, this provides jhash support but
this can be extended to support for other hash functions.
The modulus and seed already come embedded into this new
expression.
Use case example:
meta mark set hash ip saddr mod 10
Signed-off-by: Laura Garcia Liebana
-by: Laura Garcia Liebana <nev...@gmail.com>
---
include/uapi/linux/netfilter/nf_tables.h | 15
net/netfilter/Kconfig| 6 ++
net/netfilter/Makefile | 1 +
net/netfilter/nft_nth.c | 123 +++
4 files c
Support for the nft nth expression within libnftnl.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
include/libnftnl/expr.h | 10 ++
include/linux/netfilter/nf_tables.h | 14 +++
src/Makefile.am | 1 +
src/expr/nth.c
off-by: Laura Garcia Liebana <nev...@gmail.com>
---
include/net/netfilter/nft_nth.h | 31 +++
include/uapi/linux/netfilter/nf_tables.h | 15
net/netfilter/Kconfig| 6 ++
net/netfilter/Makefile | 1 +
net/netfilter/
On Wed, Jun 15, 2016 at 02:21:27PM +0200, Pablo Neira Ayuso wrote:
> On Tue, Jun 14, 2016 at 08:02:45PM +0200, Laura Garcia Liebana wrote:
> > Add translation of conntrack to nftables.
> >
> > Examples:
> >
> > $ sudo iptables-translate -t filter -A INPUT -m con
On Tue, Jun 14, 2016 at 06:48:51PM +0200, Pablo Neira Ayuso wrote:
> Please, document on the wikipage that we don't support yet the new
> cgroup2 path-based on nft so we don't forget to discuss about this at
> some point.
Just included in the wiki.
--
To unsubscribe from this list: send the line
ORIGINAL -j
ACCEPT
nft add rule ip filter INPUT ct direction original counter accept
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
extensions/libxt_conntrack.c | 247 +++
1 file changed, 247 insertions(+)
diff --git a/exte
ACCEPT
nft add rule ip filter INPUT meta cgroup != 0 counter accept
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
extensions/libxt_cgroup.c | 28
1 file changed, 28 insertions(+)
diff --git a/extensions/libxt_cgroup.c b/extensions/libxt_cgroup.c
index 3
frag-off 0 counter accept
$ sudo iptables-translate -t filter -A INPUT -m frag --fraglast -j ACCEPT
nft add rule ip6 filter INPUT frag more-fragments 0 counter accept
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes in v2:
- Include translation for fragfirst and fr
frag-off 0 counter accept
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes in v2:
- Include translation for fragfirst and fraglast.
- fraglen is marked as deprecated.
Changes in v3:
- Ignore completely IP6T_FRAG_LEN.
extensions/libip6t_frag.
frag-off 0 counter accept
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes in v2:
- Include translation for fragfirst and fraglast.
- fraglen is marked as deprecated.
extensions/libip6t_frag.c | 33 +
1 file changed, 33 inse
ip6 filter INPUT ip6 dscp != 0x32 counter accept
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
extensions/libxt_dscp.c | 92 ++---
1 file changed, 79 insertions(+), 13 deletions(-)
diff --git a/extensions/libxt_dscp.c b/exte
1 - 100 of 119 matches