[PATCH nftables] doc: add osf expression to man page

2018-08-03 Thread Fernando Fernandez Mancera
Signed-off-by: Fernando Fernandez Mancera --- doc/primary-expression.txt | 29 + 1 file changed, 29 insertions(+) diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt index 50093b4..1445288 100644 --- a/doc/primary-expression.txt +++

Re: [PATCH 1/2 nftables] src: introduce passive OS fingerprint matching

2018-08-03 Thread Pablo Neira Ayuso
On Fri, Aug 03, 2018 at 11:47:11PM +0200, Fernando Fernandez Mancera wrote: > Add support for "osf" expression. Example: Applied with a few glitches, see below, thanks. > @@ -191,6 +193,7 @@ enum expr_flags { > #include > #include > #include > +#include > > /** > * struct expr > @@

Re: [PATCH] nft: doc: correct some typos in asciidoc

2018-08-03 Thread Pablo Neira Ayuso
On Tue, Jul 31, 2018 at 07:04:33PM +0530, Arushi Singhal wrote: > Correct some typo mistakes done while converting man page source to > asciidoc. Applied, thanks. Did you make a 1:1 comparison of the old manpage and the new one? It would be important that we don't lose any content from the

[PATCH nf] netfilter: nf_tables: restore too deep jumpstack validation

2018-08-03 Thread Pablo Neira Ayuso
Otherwise this breaks nested jump to chain to reach the maximum depth. #!/bin/bash nft add table ip filter nft add chain ip filter input { type filter hook input priority 0\; } for ((i=0;i<20;i++)); do nft add chain ip filter a$i done nft add rule ip filter input jump a1 for

[PATCH 2/2 nftables] test: py: add test cases for "osf" matching

2018-08-03 Thread Fernando Fernandez Mancera
Signed-off-by: Fernando Fernandez Mancera --- tests/py/inet/osf.t | 6 ++ tests/py/inet/osf.t.payload | 4 2 files changed, 10 insertions(+) create mode 100644 tests/py/inet/osf.t create mode 100644 tests/py/inet/osf.t.payload diff --git a/tests/py/inet/osf.t

[PATCH 1/2 nftables] src: introduce passive OS fingerprint matching

2018-08-03 Thread Fernando Fernandez Mancera
Add support for "osf" expression. Example: table ip foo { chain bar { type filter hook input priority 0; policy accept; osf "Linux" counter packets 3 bytes 132 } } Signed-off-by: Fernando Fernandez Mancera --- include/expression.h

Re: [PATCH nft v3 1/2] src: add ct timeout support

2018-08-03 Thread Pablo Neira Ayuso
On Thu, Jul 26, 2018 at 06:13:27PM +0200, Harsha Sharma wrote: > This patch adds support for adding, listing and deleting ct timeout > objects which can be assigned via rule to assign connection tracking > timeout policies via objref infrastructure. > > %nft add table filter > %nft add chain

Re: [PATCH nf-next] netfilter_bridge: uapi: Expose nf_tables bridge hook priorities

2018-08-03 Thread Máté Eckl
On Fri, Aug 03, 2018 at 07:04:44PM +0200, Máté Eckl wrote: > On Fri, Aug 03, 2018 at 05:17:29PM +0200, Pablo Neira Ayuso wrote: > > On Fri, Aug 03, 2018 at 01:36:13PM +0200, Máté Eckl wrote: > > > Netfilter exposes standard hook priorities in case of ipv4, ipv6 and > > > arp but not in case of

Re: [PATCH nf-next] netfilter_bridge: uapi: Expose nf_tables bridge hook priorities

2018-08-03 Thread Pablo Neira Ayuso
On Fri, Aug 03, 2018 at 07:04:44PM +0200, Máté Eckl wrote: > On Fri, Aug 03, 2018 at 05:17:29PM +0200, Pablo Neira Ayuso wrote: > > On Fri, Aug 03, 2018 at 01:36:13PM +0200, Máté Eckl wrote: > > > Netfilter exposes standard hook priorities in case of ipv4, ipv6 and > > > arp but not in case of

Re: [PATCH nf-next] netfilter_bridge: uapi: Expose nf_tables bridge hook priorities

2018-08-03 Thread Máté Eckl
On Fri, Aug 03, 2018 at 05:17:29PM +0200, Pablo Neira Ayuso wrote: > On Fri, Aug 03, 2018 at 01:36:13PM +0200, Máté Eckl wrote: > > Netfilter exposes standard hook priorities in case of ipv4, ipv6 and > > arp but not in case of bridge. > > > > This patch exposes the hook priority values of the

Re: [PATCH v2 nf-next] netfilter: conntrack: avoid use-after free on rmmod

2018-08-03 Thread Pablo Neira Ayuso
On Fri, Aug 03, 2018 at 06:40:21PM +0200, Florian Westphal wrote: > When the conntrack module is removed, we call nf_ct_iterate_destroy via > nf_ct_l4proto_unregister(). > > Problem is that nf_conntrack_proto_fini() gets called after the > conntrack hash table has already been freed. > > Just

[PATCH v2 nf-next] netfilter: conntrack: avoid use-after free on rmmod

2018-08-03 Thread Florian Westphal
When the conntrack module is removed, we call nf_ct_iterate_destroy via nf_ct_l4proto_unregister(). Problem is that nf_conntrack_proto_fini() gets called after the conntrack hash table has already been freed. Just remove the l4proto unregister call, it's unnecessary as the nf_ct_protos[] array

Re: [PATCH v2 nf-next] netfilter: kconfig: remove ct zone/label dependencies

2018-08-03 Thread Pablo Neira Ayuso
On Fri, Aug 03, 2018 at 05:56:12PM +0200, Florian Westphal wrote: > connection tracking zones currently depend on the xtables CT target. > The reasoning was that it makes no sense to support zones if they can't > be configured (which needed CT target). > > Nowadays zones can also be used by OVS

[PATCH v2 nf-next] netfilter: kconfig: remove ct zone/label dependencies

2018-08-03 Thread Florian Westphal
Connection tracking zones currently depend on the xtables CT target. The reasoning was that it makes no sense to support zones if they can't be configured (which needed CT target). Nowadays zones can also be used by OVS and configured via nftables, so remove the dependency. connection tracking

Re: [PATCH] nft: doc: changes in configure file for PDF creation

2018-08-03 Thread Pablo Neira Ayuso
On Tue, Jul 31, 2018 at 09:10:24PM +0530, Arushi Singhal wrote: > changes in package dependencies for PDF creation (nft.pdf) from asciidoc. > > Signed-off-by: Arushi Singhal > --- > configure.ac | 10 ++ > 1 file changed, 2 insertions(+), 8 deletions(-) > > diff --git a/configure.ac

[iptables PATCH v2] xtables: Reserve space for 'opt' column in ip6tables output

2018-08-03 Thread Phil Sutter
Although ip6tables does not support matching on fragments, the 'opt' column is included in ruleset listing nevertheless. So nft_ipv6_print_rule() has to fill that space up with blanks. Signed-off-by: Phil Sutter --- Changes since v1: - Handle FMT_NOTABLE case as well. --- iptables/nft-ipv6.c |

Re: [PATCH nf-next] netfilter_bridge: uapi: Expose nf_tables bridge hook priorities

2018-08-03 Thread Pablo Neira Ayuso
On Fri, Aug 03, 2018 at 01:36:13PM +0200, Máté Eckl wrote: > Netfilter exposes standard hook priorities in case of ipv4, ipv6 and > arp but not in case of bridge. > > This patch exposes the hook priority values of the bridge family (which are > different from the formerly mentioned) via uapi so

[iptables PATCH] xtables: Reserve space for 'opt' column in ip6tables output

2018-08-03 Thread Phil Sutter
Although ip6tables does not support matching on fragments, the 'opt' column is included in ruleset listing nevertheless. So nft_ipv6_print_rule() has to fill that space up with blanks. Signed-off-by: Phil Sutter --- iptables/nft-ipv6.c | 2 ++ 1 file changed, 2 insertions(+) diff --git

[iptables PATCH] xtables: Print error when listing non-existent chains

2018-08-03 Thread Phil Sutter
Just like legacy iptables, iptables-nft should not treat the attempt to list a non-existing chain as OK. Signed-off-by: Phil Sutter --- iptables/nft.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/iptables/nft.c b/iptables/nft.c index 6f1f5e05b7e82..c10737bb531b8

[iptables PATCH] xtables: Fix for no output on first iptables-nft invocation

2018-08-03 Thread Phil Sutter
Fix the same issue commit a4e78370af849 ("iptables-compat: fix empty chains after first invocation of iptables-compat -L") fixed back in 2014. Seems like some changes since then broke it again. This time, existing cache not containing the added table/chains gets in the way, so clear it if

[iptables PATCH] xtables: Do not count rules as chain references

2018-08-03 Thread Phil Sutter
Unlike iptables, nftables counts rules in a chain as references to that chain. Align output of 'iptables-nft -L' with that of legacy iptables by counting the number of rules in a chain and subtracting that value from reference count before printing the chain header. Signed-off-by: Phil Sutter

[PATCH nf-next] netfilter: nf_tables: simplify NLM_F_CREATE handling

2018-08-03 Thread Pablo Neira Ayuso
* From nf_tables_newchain(), codepath provides context that allows us to infer if we are updating a chain (in that case, no module autoload is required) or adding a new one (then, module autoload is indeed needed). * We only need it in one single spot in nf_tables_newrule(). * Not needed for

[PATCH nf-next] netfilter_bridge: uapi: Expose nf_tables bridge hook priorities

2018-08-03 Thread Máté Eckl
Netfilter exposes standard hook priorities in case of ipv4, ipv6 and arp but not in case of bridge. This patch exposes the hook priority values of the bridge family (which are different from the formerly mentioned) via uapi so that they can be used by user-space applications just like the others.

Re: [PATCH nf-next] netfilter: nf_tables: flow event notifier must use transaction mutex

2018-08-03 Thread Pablo Neira Ayuso
Applied, thanks Florian. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: [PATCH nf-next] netfilter: nft_tproxy: Add missing config check

2018-08-03 Thread Pablo Neira Ayuso
On Thu, Aug 02, 2018 at 09:18:31PM +0200, Máté Eckl wrote: > A config check was missing from the code when using > nf_defrag_ipv6_enable with NFT_TPROXY != n and NF_DEFRAG_IPV6 = n and > this caused the following error: > > ../net/netfilter/nft_tproxy.c: In function 'nft_tproxy_init': >

Re: [PATCH 2/2 nf-next] nfnetlink_osf: rename nf_osf header file to nfnetlink_osf

2018-08-03 Thread Pablo Neira Ayuso
Applied with minor glitches, thanks.

Re: [PATCH nf-next 1/2] fixup: nf_osf: move nf_osf_fingers to non-uapi nf_osf header file

2018-08-03 Thread Pablo Neira Ayuso
Applied, thanks Fernando. Please, next time: * Add error message that kbuild robot reports as part of the description. * Use a more orthodox patch subject, eg. netfilter: nf_osf: move nf_osf_fingers to non-uapi header file I mean, when I use 'git am' here I will take that "fixup:"

Re: [PATCH nf-next v3 1/2] netfilter: Kconfig: Make NF_CT_NETLINK_TIMEOUT depend on NF_CONNTRACK_TIMEOUT

2018-08-03 Thread Pablo Neira Ayuso
On Tue, Jul 31, 2018 at 01:34:11PM +0530, Harsha Sharma wrote: > With this, remove ifdef for NF_CONNTRACK_CTTIMEOUT in nfnetlink_cttimeout. > This is also required for moving ctnl_untimeout from nfnetlink_cttimeout > to nf_conntrack_timeout. Applied this one, thanks Harsha.

Re: [PATCH v3 nft] Expose socket mark via socket expression

2018-08-03 Thread Pablo Neira Ayuso
On Wed, Aug 01, 2018 at 08:09:22PM +0200, Máté Eckl wrote: > It can be used like ct mark or meta mark except it cannot be set. > doc and tests are included. Applied with coding style fixes, thanks.

Re: [PATCH v3 nft] Add tproxy support

2018-08-03 Thread Pablo Neira Ayuso
On Fri, Jul 20, 2018 at 09:40:09AM +0200, Máté Eckl wrote: > This patch adds support for transparent proxy functionality which is > supported in ip, ip6 and inet tables. Applied, thanks.

Re: [PATCH v3 nft] tests: py: Add test cases for tproxy support

2018-08-03 Thread Pablo Neira Ayuso
Applied, thanks.

Re: [PATCH v2 nft] doc: Add tproxy statement to man page

2018-08-03 Thread Pablo Neira Ayuso
Applied, thanks.

Re: url filtering with netfilter

2018-08-03 Thread Oleg
On Fri, Aug 03, 2018 at 01:21:05AM +0430, Saber Rezvani wrote: > On 08/03/2018 12:14 AM, Oleg wrote: > > On Thu, Aug 02, 2018 at 06:44:26PM +0430, Saber Rezvani wrote: > >> Dear all, > >> > >> > >> Some of my friends and I have decided to work on Linux community, and > >> add a new feature to the

[PATCH v5 nft] Set/print standard chain prios with textual names

2018-08-03 Thread Máté Eckl
This patch adds the possibility to use textual names to set the chain priority to standard values so that numeric values do not need to be learnt any more for basic usage. Basic arithmetic can also be done with them to ease the addition of relatively higher/lower priority chains. Addition and

Re: url filtering with netfilter

2018-08-02 Thread Saber Rezvani
On 08/03/2018 12:14 AM, Oleg wrote: On Thu, Aug 02, 2018 at 06:44:26PM +0430, Saber Rezvani wrote: Dear all, Some of my friends and I have decided to work on Linux community, and add a new feature to the networking subsystem. We have concluded that URL filtering with IP/NF tables may be a

Re: [PATCH nf-next] netfilter: nft_tproxy: Add missing config check

2018-08-02 Thread Randy Dunlap
On 08/02/2018 12:18 PM, Máté Eckl wrote: > A config check was missing from the code when using > nf_defrag_ipv6_enable with NFT_TPROXY != n and NF_DEFRAG_IPV6 = n and > this caused the following error: > > ../net/netfilter/nft_tproxy.c: In function 'nft_tproxy_init': >

Re: url filtering with netfilter

2018-08-02 Thread Oleg
On Thu, Aug 02, 2018 at 06:44:26PM +0430, Saber Rezvani wrote: > Dear all, > > > Some of my friends and I have decided to work on Linux community, and > add a new feature to the networking subsystem. We have concluded that > URL filtering with IP/NF tables may be a good feature if we can >

[PATCH nf 0/2] netfilter: nf_tables: fix register ordering

2018-08-02 Thread Florian Westphal
There is a hard-to-trigger race condition when the nf_tables module is repeatedly removed while concurrent processes create net namespaces that use nf_tables (and then exit immediately). I made a previous attempt to fix this, but it's incorrect. So the first patch fixes the actual problem: the nfnetlink

[PATCH nf 2/2] netfilter: nf_tables: don't prevent event handler from device cleanup on netns exit

2018-08-02 Thread Florian Westphal
When a net namespace exits, the nf_tables pernet_ops will remove all rules. However, there is one caveat: Base chains that register ingress hooks will cause use-after-free: device is already gone at that point. The device event handlers prevent this from happening: netns exit synthesizes

[PATCH nf 1/2] netfilter: nf_tables: fix register ordering

2018-08-02 Thread Florian Westphal
We must register nfnetlink ops last, as that exposes nf_tables to userspace. Without this, we could theoretically get nfnetlink request before net->nft state has been initialized. Fixes: 99633ab29b213 ("netfilter: nf_tables: complete net namespace support") Signed-off-by: Florian Westphal ---

[PATCH nf-next] netfilter: nft_tproxy: Add missing config check

2018-08-02 Thread Máté Eckl
A config check was missing from the code when using nf_defrag_ipv6_enable with NFT_TPROXY != n and NF_DEFRAG_IPV6 = n and this caused the following error: ../net/netfilter/nft_tproxy.c: In function 'nft_tproxy_init': ../net/netfilter/nft_tproxy.c:237:3: error: implicit declaration of function

[PATCH nf-next 2/2] netfilter: nf_tables: match on tunnel metadata

2018-08-02 Thread Pablo Neira Ayuso
This patch allows us to match on the tunnel metadata that is available on the packet. We can use this to validate if the packet comes from/goes to a tunnel and the corresponding tunnel ID. Signed-off-by: Pablo Neira Ayuso --- include/uapi/linux/netfilter/nf_tables.h | 15 +

[PATCH nf-next 1/2] netfilter: nf_tables: add tunnel support

2018-08-02 Thread Pablo Neira Ayuso
This patch implements the tunnel object type that can be used to configure tunnels via metadata template through the existing lightweight API from the ingress path. Signed-off-by: Pablo Neira Ayuso --- include/uapi/linux/netfilter/nf_tables.h | 69 - net/core/dst.c

[PATCH nf-next 0/2] nf_tables lightweight tunneling support

2018-08-02 Thread Pablo Neira Ayuso
Hi, This patchset adds lightweight tunneling support for nf_tables: 1) Set tunnel configuration via the iproute2 external flag from the ingress hook. Example 1: ERSPAN for packet dissection at collector. # ip link add gre100 type erspan external # ip link set up dev gre100 # cat

[PATCH] netfilter: nf_nat: return the same reply tuple for matching CTs

2018-08-02 Thread Martynas Pumputis
It is possible that two concurrent packets originating from the same socket of a connection-less protocol (e.g. UDP) can end up having different IP_CT_DIR_REPLY tuples which results in one of the packets being dropped. To illustrate this, consider the following simplified scenario: 1. No

Re: [PATCH v4 nft] Set/print standard chain prios with textual names

2018-08-02 Thread Pablo Neira Ayuso
On Thu, Aug 02, 2018 at 06:49:59PM +0200, Máté Eckl wrote: > On Wed, Aug 01, 2018 at 06:50:14PM +0200, Máté Eckl wrote: > [...] > > > > > > > > > > > > Could you store the string plus offset instead of building this > > > > > > string that you need to parse again from the evaluation phase? > > >

Re: [PATCH v4 nft] Set/print standard chain prios with textual names

2018-08-02 Thread Máté Eckl
On Wed, Aug 01, 2018 at 06:50:14PM +0200, Máté Eckl wrote: [...] > > > > > > > > > > Could you store the string plus offset instead of building this > > > > > string that you need to parse again from the evaluation phase? > > > > > > > > > > Probably you could reuse the existing priority integer

[iptables PATCH 13/27] ebtables: Fix match_list insertion

2018-08-02 Thread Phil Sutter
Find the end of the match_list before inserting in case the list contains more than one element. Signed-off-by: Phil Sutter --- iptables/xtables-eb.c | 18 -- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c index

[iptables PATCH v2 17/27] arptables: Fix memleaks in do_commandarp()

2018-08-02 Thread Phil Sutter
The function did not free memory allocated in parse_hostnetworkmask() and command_jump(). To fix the latter, code was aligned a bit more with xtables.c (especially opts handling). Signed-off-by: Phil Sutter --- Changes since v1: - Folded with former second arptables memleak patch after finding a

[iptables PATCH v2 18/27] arptables: Fix for trailing spaces in output

2018-08-02 Thread Phil Sutter
This changes mangle target to print whitespace before each option, not afterwards. This fixes any cases of trailing or double whitespace in arptables output. While being at it, introduce ipaddr_to() helper in libarpt_mangle.c to simplify arpmangle_print() a bit. Signed-off-by: Phil Sutter ---

[iptables PATCH 23/27] ebtables: Review match/target lookup

2018-08-02 Thread Phil Sutter
Since ebtables does not indicate extension use on commandline via '-m' flag as in iptables, loading of matches has to happen prior to commandline parsing. While parsing, the right extension is searched for unknown parameters by passing it to its 'parse' callback and checking if it succeeds. As an

[iptables PATCH 08/27] Consolidate DEBUGP macros

2018-08-02 Thread Phil Sutter
This debug printing macro was defined in various places, always identical. Move it into xshared.h and drop it from sources including that header. There are a few exceptions: * iptables-xml.c did not include xshared.h, which this patch changes. * Sources in extensions and libiptc mostly left

[iptables PATCH 01/27] xtables: Allocate rule cache just once

2018-08-02 Thread Phil Sutter
For each parsed table, xtables-restore calls nft_table_flush() which each time allocates a new rule cache, possibly overwriting the pointer to the previously allocated one. Fix this by checking the pointer value and only allocate if it's NULL. Signed-off-by: Phil Sutter --- iptables/nft.c | 8

[iptables PATCH 12/27] ebtables: Fix for wrong program name in error messages

2018-08-02 Thread Phil Sutter
Since nft_init_eb() is shared among standalone ebtables and ebtables-restore, allow for callers to pass the program name. Signed-off-by: Phil Sutter --- iptables/nft.h | 2 +- iptables/xtables-eb-standalone.c | 2 +- iptables/xtables-eb.c| 4 ++--

[iptables PATCH v2 05/27] xtables: Fix compilation with NLDEBUG defined

2018-08-02 Thread Phil Sutter
In libnftnl-1.0.5, symbol name prefix changed from 'nft_' to 'nftnl_'. This patch fixes for two places forgotten by the relevant commit. Fixes: 742baabd185c3 ("iptables-compat: use new symbols in libnftnl") Signed-off-by: Phil Sutter --- Changes since v1: - Patch subject changed to more

[iptables PATCH v2 24/27] xtables: Implement arptables-{save,restore}

2018-08-02 Thread Phil Sutter
This adds C implementations for arptables-save and -restore in compat layer based on the two perl scripts in legacy arptables repository. To share common code, introduce nft_init_arp() analogous to nft_init_eb() introduced earlier. Signed-off-by: Phil Sutter --- Changes since v1: - Convert to

[iptables PATCH 04/27] xtables: Free chains in NFT_COMPAT_CHAIN_ADD jobs

2018-08-02 Thread Phil Sutter
Chains in NFT_COMPAT_CHAIN_ADD usually have to be freed because they are not added to the cache. There is one exception though, namely when zeroing counters: nft_chain_zero_counters() adds a chain object it took from chain cache. To distinguish this situation from the others, introduce

[iptables PATCH 19/27] arptables: Print policy only for base chains

2018-08-02 Thread Phil Sutter
Printing a policy for user-defined chains is pointless. Signed-off-by: Phil Sutter --- iptables/nft-arp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c index 51096034570d5..570a2589747ca 100644 --- a/iptables/nft-arp.c +++

[iptables PATCH 21/27] xtables-restore: Make COMMIT support configurable

2018-08-02 Thread Phil Sutter
Legacy ebtables-restore does not support COMMIT directive, so allow for callers of xtables_restore_parse() to toggle support for it. If it is not supported, allow for next table definition without previous COMMIT and implicitly commit the ruleset after parsing input instead of complaining about

[iptables PATCH 16/27] arptables: Fix jumps into user-defined chains

2018-08-02 Thread Phil Sutter
Trying to jump into a user-defined chain was not possible: | arptables-nft -N foo | arptables-nft -A INPUT -j foo | (null) v1.8.0 (nf_tables): RULE_APPEND failed (No such file or directory): rule in chain INPUT Since nft_arp_add() already does the right thing if cs->target is NULL and

[iptables PATCH 25/27] ebtables: Support --init-table command

2018-08-02 Thread Phil Sutter
This effectively flushes all built-in chains and removes user-defined ones. Since compat layer takes care of built-in table/chain creation, it is sufficient to just drop the relevant table. Signed-off-by: Phil Sutter --- iptables/xtables-eb.c | 4 +++- 1 file changed, 3 insertions(+), 1

[iptables PATCH v2 26/27] tests: Add arptables-{save,restore} testcases

2018-08-02 Thread Phil Sutter
This actually does a bit more since it creates the ruleset using separate arptables calls. Note that there are a few commented out lines containing commands which don't apply for unknown reasons - something to investigate later. Signed-off-by: Phil Sutter --- Changes since v1: - Flush table

[iptables PATCH v2 27/27] tests: Add ebtables-{save,restore} testcases

2018-08-02 Thread Phil Sutter
This actually does a bit more since it creates the ruleset using separate ebtables calls. Note that there are a few commented out lines containing commands which don't apply for unknown reasons - something to investigate later. Signed-off-by: Phil Sutter --- Changes since v1: - Uncomment two

[iptables PATCH 14/27] ebtables: Print non-standard target parameters

2018-08-02 Thread Phil Sutter
If a rule has a non-standard target (i.e., cs->target != NULL), it may contain parameters. This patch enables printing them. The code assumed that a non-standard target is only present if cs->jumpto is not set, but that is wrong: If nft_rule_to_iptables_command_state() encounters a target

[iptables PATCH 20/27] xtables-restore: Improve user-defined chain detection

2018-08-02 Thread Phil Sutter
Legacy ebtables-save does not use a policy string of '-' to denote user-defined chains but instead lists them with a policy of ACCEPT. In order to use ebtables_restore_parse() for ebtables-save implementation, make use of builtin table definitions to decide whether a given chain is a builtin one

[iptables PATCH 03/27] xtables: Free chains in NFT_COMPAT_CHAIN_USER_DEL jobs

2018-08-02 Thread Phil Sutter
These always have to be freed because nft_chain_user_del() removes them from the cache so they are not freed when the chain cache is flushed. Signed-off-by: Phil Sutter --- iptables/nft.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/iptables/nft.c b/iptables/nft.c index

[iptables PATCH 02/27] xtables: Fix for nft_rule_flush() returning garbage

2018-08-02 Thread Phil Sutter
Due to variable 'ret' not being initialized in all situations, the return code of the function depends on garbage on the stack. Fix this by initializing 'ret' to zero upon declaration. While being at it, make nftnl_chain_list_get() failure as well as nftnl_chain_list_iter_create() failure an error

[iptables PATCH 11/27] xtables: Fix symlinks/names for ebtables-{save,restore}

2018-08-02 Thread Phil Sutter
While xtables-nft-multi only recognized ebtables-save and -restore, Makefile did install only ebtables-nft-save and -restore symlinks. Clean this up by making both name variants known and installing respective symlinks, just like for ebtables and ebtables-nft. Signed-off-by: Phil Sutter ---

[iptables PATCH v2 00/27] Fixes and tests for {eb,arp}tables-{save,restore}

2018-08-02 Thread Phil Sutter
Though officially declared v2, this is more or less a complete rework of the original series (though with the same goal as the first one). Patches 1-7 fix leaks and other issues identified in xtables code. Patches 8-10 deal with some cases of code duplication. Patches 11-19 resolve problems in

[iptables PATCH 09/27] xshared: Consolidate parse_counters()

2018-08-02 Thread Phil Sutter
Move this helper function into xshared. While being at it, drop the need for temporary variables and take over null pointer tolerance from the implementation in iptables-xml.c. Signed-off-by: Phil Sutter --- iptables/ip6tables-restore.c | 11 --- iptables/iptables-restore.c | 11

[iptables PATCH 15/27] arptables: Fix opcode printing in numeric output

2018-08-02 Thread Phil Sutter
This line of code was dropped by accident, add it back. Fixes: 68e5e18210b8d ("nft-arp: adds nft_arp_save_firewall") Signed-off-by: Phil Sutter --- iptables/nft-arp.c | 1 + 1 file changed, 1 insertion(+) diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c index 328c791db42a8..51096034570d5

[iptables PATCH v2 06/27] xtables: Use correct built-in chain count

2018-08-02 Thread Phil Sutter
In nft_chain_builtin_init(), the wrong macro was used for iterating over the built-in chains of a given table. That array's length is defined using NF_INET_NUMHOOKS, not NF_IP_NUMHOOKS. Though this change is rather cosmetic since both macros resolve into the same value. Signed-off-by: Phil Sutter

[iptables PATCH 07/27] xtables: Fix program name in xtables_error()

2018-08-02 Thread Phil Sutter
The error function is shared among different programs, so it should take information from xt_params pointer instead of xtables_globals object. Signed-off-by: Phil Sutter --- iptables/xtables.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/iptables/xtables.c

url filtering with netfilter

2018-08-02 Thread Saber Rezvani
Dear all, Some of my friends and I have decided to work on Linux community, and add a new feature to the networking subsystem. We have concluded that URL filtering with IP/NF tables may be a good feature if we can implement it in Linux networking subsystem. Because through our research we

Re: [Bug 200651] New: cgroups iptables-restor: vmalloc: allocation failure

2018-08-02 Thread Michal Hocko
On Thu 02-08-18 11:25:49, Pablo Neira Ayuso wrote: > On Thu, Aug 02, 2018 at 10:50:43AM +0200, Michal Hocko wrote: [...] > > diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c > > index d0d8397c9588..b769408e04ab 100644 > > --- a/net/netfilter/x_tables.c > > +++

[PATCH v2 nf] netfilter: conntrack: fix removal of conntrack entries when l4tracker is removed

2018-08-02 Thread Florian Westphal
nf_ct_l4proto_unregister_one() leaves conntracks added by the to-be-removed tracker behind; nf_ct_l4proto_unregister has to iterate for each protocol to be removed. v2: call nf_ct_iterate_destroy without holding nf_ct_proto_mutex. Fixes: 2c41f33c1b703 ("netfilter: move table iteration out of netns

Re: [Bug 200651] New: cgroups iptables-restor: vmalloc: allocation failure

2018-08-02 Thread Pablo Neira Ayuso
On Thu, Aug 02, 2018 at 10:50:43AM +0200, Michal Hocko wrote: > On Wed 01-08-18 19:03:03, Georgi Nikolov wrote: > > > > *Georgi Nikolov* > > System Administrator > > www.icdsoft.com > > > > On 08/01/2018 11:33 AM, Michal Hocko wrote: > > > On Wed 01-08-18 09:34:23,

Re: [Bug 200651] New: cgroups iptables-restor: vmalloc: allocation failure

2018-08-02 Thread Michal Hocko
On Wed 01-08-18 19:03:03, Georgi Nikolov wrote: > > *Georgi Nikolov* > System Administrator > www.icdsoft.com > > On 08/01/2018 11:33 AM, Michal Hocko wrote: > > On Wed 01-08-18 09:34:23, Vlastimil Babka wrote: > >> On 07/31/2018 04:05 PM, Florian Westphal wrote: > >>>

Re: [PATCH nf-next v10] netfilter: nft_ct: add ct timeout support

2018-08-01 Thread Harsha Sharma
Hello, On Thu, Aug 2, 2018 at 9:28 AM, Harsha Sharma wrote: > This patch allows to add, list and delete connection tracking timeout > policies via nft objref infrastructure and assigning these timeout > via nft rule. > > %./libnftnl/examples/nft-ct-timeout-add ip raw cttime tcp > > Ruleset: > >

[PATCH nf-next v10] netfilter: nft_ct: add ct timeout support

2018-08-01 Thread Harsha Sharma
This patch allows to add, list and delete connection tracking timeout policies via nft objref infrastructure and assigning these timeout via nft rule. %./libnftnl/examples/nft-ct-timeout-add ip raw cttime tcp Ruleset: table ip raw { ct timeout cttime { protocol tcp established

[PATCH nf-next v3 2/2] netfilter: cttimeout: move ctnl_untimeout to nf_conntrack

2018-08-01 Thread Harsha Sharma
As ctnl_untimeout is required by nft_ct, move ctnl_timeout from nfnetlink_cttimeout to nf_conntrack_timeout and rename it as nf_ct_timeout. Signed-off-by: Harsha Sharma --- Changes in v3: - Add static inline definition for nf_ct_untimeout when CONFIG_NF_CONNTRACK_TIMEOUT is not defined

[PATCH nf-next v3 1/2] netfilter: Kconfig: Make NF_CT_NETLINK_TIMEOUT depend on NF_CONNTRACK_TIMEOUT

2018-08-01 Thread Harsha Sharma
With this, remove ifdef for NF_CONNTRACK_CTTIMEOUT in nfnetlink_cttimeout. This is also required for moving ctnl_untimeout from nfnetlink_cttimeout to nf_conntrack_timeout. Signed-off-by: Harsha Sharma --- Changes in v3: - No changes Changes in v2: - No changes net/netfilter/Kconfig

Re: [iptables PATCH] nft: don't print rule counters unless verbose

2018-08-01 Thread Florian Westphal
Eric Garver wrote: > Currently rule counters are always printed, but that's not the desired > behavior. We should only print them with the verbose flag. This broke > when the arguments of nft_rule_print_save() were changed to accept the > format instead of a counters flag. Applied, thanks. This

[iptables PATCH] nft: don't print rule counters unless verbose

2018-08-01 Thread Eric Garver
Currently rule counters are always printed, but that's not the desired behavior. We should only print them with the verbose flag. This broke when the arguments of nft_rule_print_save() were changed to accept the format instead of a counters flag. Fixes: cdc78b1d6bd7 ("nft: convert rule into a

Re: [PATCH nf-next v10] netfilter: nft_ct: add ct timeout support

2018-08-01 Thread kbuild test robot
Hi Harsha, Thank you for the patch! Yet something to improve: [auto build test ERROR on nf-next/master] url: https://github.com/0day-ci/linux/commits/Harsha-Sharma/netfilter-nft_ct-add-ct-timeout-support/20180802-001147 base:

Re: [PATCH nft 0/5] doc: Wrap extra long lines to 80 chars

2018-08-01 Thread Florian Westphal
Máté Eckl wrote: > Too long lines may cause an error when sending a patch with git send-email. > fatal: patch.patch:287: patch contains a line longer than 998 > characters > > This series wraps long lines to 80 characters. All applied, thank you. -- To unsubscribe from this list: send the

[PATCH v3 nft] Expose socket mark via socket expression

2018-08-01 Thread Máté Eckl
It can be used like ct mark or meta mark except it cannot be set. Doc and tests are included. Signed-off-by: Máté Eckl --- v2: - doc: remove 0 retval when there's no match v3: - Convert doc to asciidoc doc/primary-expression.txt | 17 +

[PATCH v2 nft] doc: Add tproxy statement to man page

2018-08-01 Thread Máté Eckl
Signed-off-by: Máté Eckl --- v2: convert to asciidoc doc/statements.txt | 58 ++ 1 file changed, 58 insertions(+) diff --git a/doc/statements.txt b/doc/statements.txt index bcf3cc2..38d9982 100644 --- a/doc/statements.txt +++ b/doc/statements.txt @@

Re: [iptables PATCH 14/23] ebtables: Fix segfault when parsing a rule

2018-08-01 Thread Pablo Neira Ayuso
On Wed, Aug 01, 2018 at 06:22:46PM +0200, Phil Sutter wrote: > On Fri, Jul 27, 2018 at 01:29:07PM +0200, Pablo Neira Ayuso wrote: > > On Fri, Jul 27, 2018 at 12:53:22PM +0200, Phil Sutter wrote: > > > Hi, > > > > > > On Fri, Jul 27, 2018 at 11:45:16AM +0200, Pablo Neira Ayuso wrote: > > > > On

Re: [iptables PATCH 13/23] ebtables: Fix loading of non-standard targets

2018-08-01 Thread Pablo Neira Ayuso
On Wed, Aug 01, 2018 at 06:17:09PM +0200, Phil Sutter wrote: > Hi Pablo, > > On Fri, Jul 27, 2018 at 01:43:09PM +0200, Pablo Neira Ayuso wrote: > > On Fri, Jul 27, 2018 at 12:22:32AM +0200, Phil Sutter wrote: > > > Another fix for ebtables-restore: When encountering a non-standard > > > target,

[PATCH nft 5/5] doc: statements.txt: Wrap extra long lines to 80 chars

2018-08-01 Thread Máté Eckl
Signed-off-by: Máté Eckl --- doc/statements.txt | 108 ++--- 1 file changed, 83 insertions(+), 25 deletions(-) diff --git a/doc/statements.txt b/doc/statements.txt index 499b573..bcf3cc2 100644 --- a/doc/statements.txt +++ b/doc/statements.txt @@ -11,9

Re: [PATCH nft] doc: nft.txt: Wrap extra long lines to 80 chars

2018-08-01 Thread Máté Eckl
On Wed, Aug 01, 2018 at 04:17:04PM +0200, Florian Westphal wrote: > Máté Eckl wrote: > > When I tried to send a patch that included man page update I got the > > following error from git send-email: > > fatal: patch.patch:287: patch contains a line longer than 998 characters > > Line 287 was

[PATCH nft 0/5] doc: Wrap extra long lines to 80 chars

2018-08-01 Thread Máté Eckl
Too long lines may cause an error when sending a patch with git send-email. fatal: patch.patch:287: patch contains a line longer than 998 characters This series wraps long lines to 80 characters. Máté Eckl (5): doc: data-types.txt: Wrap extra long lines to 80 chars doc:

[PATCH nft 1/5] doc: data-types.txt: Wrap extra long lines to 80 chars

2018-08-01 Thread Máté Eckl
Signed-off-by: Máté Eckl --- doc/data-types.txt | 29 ++--- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/doc/data-types.txt b/doc/data-types.txt index 1d4218e..57aa3a4 100644 --- a/doc/data-types.txt +++ b/doc/data-types.txt @@ -9,7 +9,9 @@ variable | -

[PATCH nft 4/5] doc: stateful-objects.txt: Wrap extra long lines to 80 chars

2018-08-01 Thread Máté Eckl
Signed-off-by: Máté Eckl --- doc/stateful-objects.txt | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/doc/stateful-objects.txt b/doc/stateful-objects.txt index 9d99264..57bf627 100644 --- a/doc/stateful-objects.txt +++ b/doc/stateful-objects.txt @@ -3,7 +3,11 @@ CT

[PATCH nft 3/5] doc: primary-expression.txt: Wrap extra long lines to 80 chars

2018-08-01 Thread Máté Eckl
Signed-off-by: Máté Eckl --- doc/primary-expression.txt | 16 +--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt index 162f32f..50093b4 100644 --- a/doc/primary-expression.txt +++ b/doc/primary-expression.txt @@

[PATCH nft 2/5] doc: payload-expression.txt: Wrap extra long lines to 80 chars

2018-08-01 Thread Máté Eckl
Signed-off-by: Máté Eckl --- doc/payload-expression.txt | 24 +--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/doc/payload-expression.txt b/doc/payload-expression.txt index d454c95..3f47b4e 100644 --- a/doc/payload-expression.txt +++

Re: [PATCH nf-next v10] netfilter: nft_ct: add ct timeout support

2018-08-01 Thread kbuild test robot
Hi Harsha, Thank you for the patch! Yet something to improve: [auto build test ERROR on nf-next/master] url: https://github.com/0day-ci/linux/commits/Harsha-Sharma/netfilter-nft_ct-add-ct-timeout-support/20180802-001147 base:

Re: [PATCH v4 nft] Set/print standard chain prios with textual names

2018-08-01 Thread Máté Eckl
On Sat, Jul 28, 2018 at 12:14:57PM +0200, Pablo Neira Ayuso wrote: > On Fri, Jul 27, 2018 at 04:21:46PM +0200, Máté Eckl wrote: > > On Mon, Jul 16, 2018 at 09:58:44AM +0200, Máté Eckl wrote: > > > On Tue, Jul 10, 2018 at 12:10:22PM +0200, Pablo Neira Ayuso wrote: > > > > > diff --git

Re: [iptables PATCH 14/23] ebtables: Fix segfault when parsing a rule

2018-08-01 Thread Phil Sutter
On Fri, Jul 27, 2018 at 01:29:07PM +0200, Pablo Neira Ayuso wrote: > On Fri, Jul 27, 2018 at 12:53:22PM +0200, Phil Sutter wrote: > > Hi, > > > > On Fri, Jul 27, 2018 at 11:45:16AM +0200, Pablo Neira Ayuso wrote: > > > On Fri, Jul 27, 2018 at 12:22:33AM +0200, Phil Sutter wrote: > > > > This
