The 'original' ebtables-save was a perl script that supported no option.
Add minimal options, like ip(6)tables save.
Retain the old way of formatting counters via environment variable,
but allow overriding this using the -c option.
Signed-off-by: Florian Westphal
---
iptables/nft-bridge.c |
So we can remove nft_chain_dump() and replace nftnl_chain_get_list().
Signed-off-by: Pablo Neira Ayuso
---
iptables/nft.c | 27 +++
iptables/nft.h | 2 +-
iptables/xtables-restore.c | 2 +-
iptables/xtables-save.c| 6 +++---
4 files
On Mon, Nov 12, 2018 at 10:19:56AM +0100, Pablo Neira Ayuso wrote:
> On Thu, Nov 01, 2018 at 06:50:33AM +0100, Andreas Jaggi wrote:
> > Useful to only set a particular range of the conntrack mark while
> > leaving existing parts of the value alone, e.g. when updating
> > conntrack marks via
On Thu, Nov 01, 2018 at 06:50:33AM +0100, Andreas Jaggi wrote:
> Useful to only set a particular range of the conntrack mark while
> leaving existing parts of the value alone, e.g. when updating
> conntrack marks via netlink from userspace.
>
> For NFQUEUE it was already implemented in commit
>
On Sat, Oct 27, 2018 at 06:07:39PM +0200, Jozsef Kadlecsik wrote:
> Hi Pablo,
>
> Please consider to pull the next patches for nf-next:
>
> - Introduction of new commands and thus protocol version 7. The
> new commands make it possible to eliminate the getsockopt interface
> of ipset and use
On Thu, Nov 1, 2018 at 4:29 PM Pablo Neira Ayuso wrote:
>
> On Wed, Oct 31, 2018 at 07:18:04PM -0700, Matt Turner wrote:
> > On Fri, Oct 19, 2018 at 11:09 AM Matt Turner wrote:
> > > If you wouldn't mind, now might be a good time to make a 1.1.2
> > > release. In the four months since 1.1.1
Hi friend,
This is Daniel Murray and I am from Sinara Group Co.Ltd Group Co.,LTD in Russia.
We are glad to know about your company from the web and we are interested in
your products.
Could you kindly send us your Latest catalog and price list for our trial order.
Best Regards,
Daniel
For bridge (br_flood) or broadcast/multicast packets, they could clone skb with
unconfirmed conntrack, which breaks the rule that unconfirmed skb->_nfct is never
shared.
With nfqueue running on my system, the race can be easily reproduced with the
following warning calltrace:
[13257.707525] CPU: 0
Hi!
On Wed, Oct 31, 2018 at 02:02:07PM +0800, Chieh-Min Wang wrote:
> From: Chieh-Min Wang
>
> For bridge (br_flood) or broadcast/multicast packets, they could clone skb with
> unconfirmed conntrack, which breaks the rule that unconfirmed skb->_nfct is
> never shared.
> With nfqueue running on my
The data connection with the FTP alg does not seem to respect the masquerade
--to-ports option.
e.g
echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
iptables -t nat -I POSTROUTING -o enp0 -j MASQUERADE -p tcp --to-ports
2-21000
Send ftp (EPSV) query
The control connection is changed
Felix Jia wrote:
> From: Jason Rippon
>
> This ensures that port range masquerade rules work with the ftp alg.
> Previously the ftp data flow was not following the iptables rules.
The data connections are supposed to inherit the NAT transformation
of the master connection (connection created
From: Jason Rippon
This ensures that port range masquerade rules work with the ftp alg.
Previously the ftp data flow was not following the iptables rules.
Signed-off-by: Jason Rippon
Signed-off-by: Felix Jia
---
net/netfilter/nf_conntrack_ftp.c | 3 ++-
1 file changed, 2 insertions(+), 1
nf_flow_offload_gc_step() and nf_flow_table_iterate() are very similar,
so much duplicate code can be removed.
After this patch, nf_flow_offload_gc_step() is a simple callback function of
nf_flow_table_iterate(), like nf_flow_table_do_cleanup().
Signed-off-by: Taehee Yoo
---
nf_flow_table_iterate() is a local function.
It can be a static function.
Signed-off-by: Taehee Yoo
---
include/net/netfilter/nf_flow_table.h | 4
net/netfilter/nf_flow_table_core.c| 8
2 files changed, 4 insertions(+), 8 deletions(-)
diff --git
In this patch series, duplicate code in nf_flow_table_core.c is removed.
First patch makes nf_flow_table_iterate() static because
it is a local function.
Second patch makes nf_flow_offload_gc_step() simpler.
Both nf_flow_offload_gc_step() and nf_flow_table_iterate()
have the same rhashtable
When building without libxtables, nft would just silently omit any presence
of nft_compat in the output.
This adds ifdef-ry to at least print the name of the target/match involved when
libxtables isn't available for decoding.
Signed-off-by: Florian Westphal
---
include/xt.h| 13 +
We can't use it when no translation is available as libxtables will
use plain printf(), but when translation is available we can.
Signed-off-by: Florian Westphal
---
include/xt.h| 5 +++--
src/statement.c | 2 +-
src/xt.c| 6 +++---
3 files changed, 7 insertions(+), 6 deletions(-)
Currently when building nftables without xtables support, then
any nft_compat expression is silently skipped.
This adds minimal support so we will at least be able to print
out that an xtables match is in use in a rule.
Example:
oifname "eth0" # xt_policy counter packets 0 bytes 0 accept
for a
On Mon, Nov 05, 2018 at 10:37:52AM +0100, Pablo Neira Ayuso wrote:
> Applied, thanks Duncan.
>
[...]
>
> Hm, nft_ctx_output_get_flags() and nft_ctx_output_set_flags() should
> be actually at the end, after the list of flags. I fixed this here
> with this patch too, I hope you don't mind.
>
No
Perform the same SNAT translation on RTP/RTCP conntracks regardless of
who sends the first datagram.
Prior to this change, RTP packets sent by the peer who required source
port translation were forwarded with unmodified source port when this
peer started its voice/video stream first.
---
On Sun, Nov 04, 2018 at 08:05:20PM +0100, Florian Westphal wrote:
[...]
> diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
> index 761f50bc1392..5846898e170e 100644
> --- a/doc/primary-expression.txt
> +++ b/doc/primary-expression.txt
> @@ -15,6 +15,29 @@ directly or as
On Mon, Nov 05, 2018 at 11:15:32AM +0100, Florian Westphal wrote:
> Florian Westphal wrote:
> > Argh. I'll see about that.
>
> This already works, it uses a different code path
> (INPUT 42 is CMD_ZERO_NUM, not CMD_ZERO, and that was
> implemented already).
>
> So only thing that did not work
passing ->tos as uintmax_t will clear adjacent fields in the structure,
including invflags.
Fixes: 49479aa12a15 ("ebtables-compat: add 'ip' match extension")
Signed-off-by: Florian Westphal
---
extensions/libebt_ip.c | 9 ++---
extensions/libebt_ip.t | 1 +
2 files changed, 7 insertions(+),
Fixes: 5c8ce9c6aede0 ("ebtables-compat: add 'ip6' match extension")
Signed-off-by: Florian Westphal
---
extensions/libebt_ip6.c | 2 +-
extensions/libebt_ip6.t | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c
index
Florian Westphal wrote:
> Argh. I'll see about that.
This already works, it uses a different code path
(INPUT 42 is CMD_ZERO_NUM, not CMD_ZERO, and that was
implemented already).
So only thing that did not work correctly was -Z FOO, and that
is corrected here.
On Monday 2018-11-05 10:55, Pablo Neira Ayuso wrote:
>On Mon, Nov 05, 2018 at 10:44:20AM +0100, Florian Westphal wrote:
>> -Z doesn't just zero base counters, it zeroes out all rule
>> counters, or, optionally, all counters of a chain (-Z FOO).
>
>Looks good.
>
>But I think we need to extend this
Pablo Neira Ayuso wrote:
> On Mon, Nov 05, 2018 at 10:44:20AM +0100, Florian Westphal wrote:
> > -Z doesn't just zero base counters, it zeroes out all rule
> > counters, or, optionally, all counters of a chain (-Z FOO).
>
> Looks good.
>
> But I think we need to extend this to support zeroing
On Mon, Nov 05, 2018 at 10:44:20AM +0100, Florian Westphal wrote:
> -Z doesn't just zero base counters, it zeroes out all rule
> counters, or, optionally, all counters of a chain (-Z FOO).
Looks good.
But I think we need to extend this to support zeroing of:
* specific chain.
* specific rule
-Z doesn't just zero base counters, it zeroes out all rule
counters, or, optionally, all counters of a chain (-Z FOO).
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1286
Signed-off-by: Florian Westphal
---
iptables/nft.c | 81 --
1 file
If the same destination IP address config already exists, that config is
just used. The MAC address should also be the same.
However, there is no MAC address checking routine.
So a MAC address checking routine is added.
test commands:
%iptables -A INPUT -p tcp -i lo -d 192.168.0.5 --dport 80 \
proc_remove() can sleep, so it can't be inside a spin_lock.
Hence proc_remove() is moved outside of the spin_lock, and this also
adds a mutex to sync create and remove of the proc entry (config->pde).
test commands:
SHELL#1
%while :; do iptables -A INPUT -p udp -i enp2s0 -d 192.168.1.100 \
When a network namespace is destroyed, both clusterip_tg_destroy() and
clusterip_net_exit() are called, and clusterip_net_exit() is called
before clusterip_tg_destroy().
Hence the cleanup check code in clusterip_net_exit() doesn't make sense.
test commands:
%ip netns add vm1
%ip netns exec vm1
When a network namespace is destroyed, cleanup_net() is called.
cleanup_net() holds pernet_ops_rwsem, then calls each ->exit callback.
So clusterip_tg_destroy() is called by cleanup_net().
And clusterip_tg_destroy() calls unregister_netdevice_notifier().
But both cleanup_net() and
This patchset fixes bugs in ipt_CLUSTERIP.
First patch fixes a deadlock when a netns is destroyed.
When a netns is destroyed, cleanup_net() is called.
That function calls the ->exit callback of pernet_ops.
The ->exit callback of ipt_CLUSTERIP holds the same lock as cleanup_net(),
so a deadlock will occur.
Signed-off-by: Florian Westphal
---
doc/primary-expression.txt | 25 -
1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index 761f50bc1392..5846898e170e 100644
--- a/doc/primary-expression.txt
+++
When list->count is 0, the list is deleted by GC.
But list->count never reaches 0, because the initial count value is 1
and it is increased when a node is inserted.
So the initial value of list->count should be 0.
Originally GC always finds a zero count list through deleting a node and
decreasing
nf_conncount_tuple is an element of nft_connlimit and it is deleted by
conn_free(). Elements can be deleted by both the GC routine and the
data path functions (nf_conncount_lookup, nf_conncount_add), and they
call conn_free() to free elements.
But conn_free() only protects lists, not each element.
So
conn_free() holds a lock with spin_lock(), and it is called by both
nf_conncount_lookup() and nf_conncount_gc_list().
nf_conncount_lookup() is bottom-half context and nf_conncount_gc_list()
is process context, so spin_lock() is not safe.
Hence conn_free() should use spin_lock_bh() instead of
Three bugs in nf_conncount are fixed by this patch series.
First patch fixes an inconsistent lock state in conn_free().
conn_free() is called in both BH and process context, so
spin_lock_bh() should be used.
Second patch fixes an unsafe locking scenario of list elements.
conn_free() can't protect
It's possible to set both HANDLE and POSITION when replacing a rule.
In this case, the rule at POSITION gets replaced using the
userspace-provided handle. Rule handles are supposed to be generated
by the kernel only.
Duplicate handles should be harmless, however better disable this "feature"
by
Ensure split-off fragments of long lines start with
if the original long line did.
Split 1 remaining long line at sentence boundary.
Insert blank line with before NFT_CTX_OUTPUT_NUMERIC_PROTO:: line
to stop all 4 NFT_CTX_OUTPUT_NUMERIC_* lines running together.
Fix spelling of "eg." to "e.g."
This changes ebtables-nft to consistently print mac
address with two characters, i.e.
00:01:02:03:04:0a, not 0:1:2:3:4:a.
Will require another bump of vcurrent/vage.
Suggested-by: Pablo Neira Ayuso
Signed-off-by: Florian Westphal
---
extensions/libebt_arp.c | 13 ++---
On Sun, Nov 04, 2018 at 01:33:43AM +1100, Duncan Roe wrote:
> On Mon, Oct 29, 2018 at 12:33:39PM +0100, Pablo Neira Ayuso wrote:
[...]
> > @@ -105,6 +103,8 @@ NFT_CTX_OUTPUT_STATELESS::
> > If stateless output has been requested then stateful data is not
> > printed. Stateful data refers to
Lines starting by % allow you to run iptables commands; use it for the
rateest test.
Signed-off-by: Pablo Neira Ayuso
---
extensions/libxt_rateest.t | 8
iptables-test.py | 8
2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/extensions/libxt_rateest.t
On Sat, 3 Nov 2018 at 22:47, Pablo Neira Ayuso wrote:
>
> Hi Taehee!
>
> On Wed, Oct 31, 2018 at 03:22:22AM +0900, Taehee Yoo wrote:
> > On Tue, 30 Oct 2018 at 08:00, Pablo Neira Ayuso wrote:
> > >
> >
> > Hi Pablo,
> > Thank you for review!
> >
> > > On Fri, Oct 19, 2018 at 12:27:57AM +0900,
On Mon, Oct 29, 2018 at 12:33:39PM +0100, Pablo Neira Ayuso wrote:
> Add NFT_CTX_OUTPUT_JSON flag and display output in json format.
>
> Signed-off-by: Pablo Neira Ayuso
> ---
> v2: Add nft_output_json()
> Fix missing conversion to use NFT_CTX_OUTPUT_JSON.
> Remove json field from struct
Hi Taehee!
On Wed, Oct 31, 2018 at 03:22:22AM +0900, Taehee Yoo wrote:
> On Tue, 30 Oct 2018 at 08:00, Pablo Neira Ayuso wrote:
> >
>
> Hi Pablo,
> Thank you for review!
>
> > On Fri, Oct 19, 2018 at 12:27:57AM +0900, Taehee Yoo wrote:
> > > xt_rateest_net_exit() was added to check whether
On Sat, Nov 03, 2018 at 02:42:47PM +0100, Pablo Neira Ayuso wrote:
> Lines starting by @ can be used to invoke an external command of any
> kind. Do not add xtables-multi here since we may want to execute a
> non-iptables command.
Hm, main problem here with this is rateest, that is used @ to
Lines starting by @ can be used to invoke an external command of any
kind. Do not add xtables-multi here since we may want to execute a
non-iptables command.
Signed-off-by: Pablo Neira Ayuso
---
iptables-test.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git
Hi Phil,
On Wed, Oct 24, 2018 at 12:42:09PM +0200, Phil Sutter wrote:
> Trying to add a range of size 1 was previously not allowed:
>
> | # nft add element ip t s '{ 40-40 }'
> | Error: Range has zero or negative size
> | add element ip t s { 40-40 }
> | ^
>
> The error
On Fri, Nov 02, 2018 at 06:14:11PM +0100, Florian Westphal wrote:
> This series fixes a few smaller bugs in ebtables-nft,
> adds the 'arpreply' target and adds initial testcases for
> all ebtables extensions ebtables-nft is supposed to support.
>
> It also adds the 'arpreply' target to
Hi everyone,
Just a heads up, I'm rebasing nf.git to get this v2 fix for the recent
ipset pull request:
[PATCH v2] netfilter: ipset: Fix calling ip_set() macro at
Sorry for the inconvenience.
On Fri, Nov 02, 2018 at 11:33:37AM +0100, Florian Westphal wrote:
> Unlike ip(6)tables, the ebtables nat table has no special properties.
> This bug causes 'ebtables -A' to fail when using a target such as
> 'snat' (ebt_snat target sets ".table = "nat"'). Targets that have
> no table restrictions
On Tue, Oct 30, 2018 at 10:43:42PM +0100, Jozsef Kadlecsik wrote:
> The ip_set() macro is called when either ip_set_ref_lock held only
> or no lock/nfnl mutex is held at dumping. Take this into account
> properly. Also, use Pablo's suggestion to use rcu_dereference_raw(),
> the ref_netlink
-j CONTINUE can be added, but it can't be removed:
extensions/libebt_standard.t: ERROR: line 5 (cannot find: ebtables -I INPUT -d
de:ad:be:ef:00:00 -j CONTINUE)
This problem stems from silly ambiguity in ebtables-nft vs. iptables.
In iptables, you can do
iptables -A INPUT
(no -j)
in ebtables,
Signed-off-by: Florian Westphal
---
extensions/libebt_redirect.c | 2 +-
extensions/libebt_redirect.t | 4
2 files changed, 5 insertions(+), 1 deletion(-)
create mode 100644 extensions/libebt_redirect.t
diff --git a/extensions/libebt_redirect.c b/extensions/libebt_redirect.c
index
Signed-off-by: Florian Westphal
---
extensions/libebt_802_3.t | 3 +++
extensions/libebt_arp.t | 11 +++
extensions/libebt_ip.t | 10 ++
extensions/libebt_ip6.t | 12
extensions/libebt_log.t | 6 ++
extensions/libebt_mark.t| 5 +
Now that we have ebtables-save, let's add test cases for ebtables-nft
as well.
Signed-off-by: Florian Westphal
---
extensions/libebt_standard.t | 6 ++
iptables-test.py | 13 ++---
2 files changed, 16 insertions(+), 3 deletions(-)
create mode 100644
This series fixes a few smaller bugs in ebtables-nft,
adds the 'arpreply' target and adds initial testcases for
all ebtables extensions ebtables-nft is supposed to support.
It also adds the 'arpreply' target to ebtables-nft.
Florian Westphal (6):
tests: add basic ebtables test support
Otherwise, we hit a NULL pointer dereference since handlers always assume
the default timeout policy is passed.
netlink: 24 bytes leftover after parsing attributes in process
`syz-executor2'.
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
Expose these functions to access conntrack protocol tracker netns area,
nfnetlink_cttimeout needs this.
Signed-off-by: Pablo Neira Ayuso
---
v2: Place these functions in nf_conntrack_l4proto.h.
Wrap nf_dccp_pernet() and nf_sctp_pernet() around ifdef -kbuild robot.
Unlike ip(6)tables, the ebtables nat table has no special properties.
This bug causes 'ebtables -A' to fail when using a target such as
'snat' (ebt_snat target sets ".table = "nat"'). Targets that have
no table restrictions work fine.
Signed-off-by: Florian Westphal
---
rule for 0.0.0.0/8 is added as 0.0.0.0/0, because we did not check
mask (or negation, for that matter).
Fix this and add test cases too.
This also revealed an ip6tables-nft-save bug, it would print
' !-d', not '! -d'.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1287
Signed-off-by:
Hi Pablo,
I love your patch! Yet something to improve:
[auto build test ERROR on nf/master]
url:
https://github.com/0day-ci/linux/commits/Pablo-Neira-Ayuso/netfilter-add-nf_-tcp-udp-sctp-icmp-dccp-icmpv6-generic-_pernet/20181102-101813
base:
On Wed, Oct 31, 2018 at 07:18:04PM -0700, Matt Turner wrote:
> On Fri, Oct 19, 2018 at 11:09 AM Matt Turner wrote:
> > If you wouldn't mind, now might be a good time to make a 1.1.2
> > release. In the four months since 1.1.1 there are some important fixes
> > for oddball systems (big endian,
Otherwise, we hit a NULL pointer dereference since handlers always assume
the default timeout policy is passed.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor2'.
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general
On Thu, Nov 01, 2018 at 11:32:50PM +0900, Taehee Yoo wrote:
> The libxt_rateest test always fails because the dependent command is not
> executed in the netns.
> (@iptables -I INPUT -j RATEEST --rateest-name RE1 --rateest-interval \
> 250.0ms --rateest-ewmalog 500.0ms)
> After this patch, the adding netns
The libxt_rateest test always fails because the dependent command is not
executed in the netns.
(@iptables -I INPUT -j RATEEST --rateest-name RE1 --rateest-interval \
250.0ms --rateest-ewmalog 500.0ms)
After this patch, the "add netns" command is executed first.
Then the test commands are executed.
Fixes:
Useful to only set a particular range of the conntrack mark while
leaving existing parts of the value alone, e.g. when updating
conntrack marks via netlink from userspace.
For NFQUEUE it was already implemented in commit
534473c6080e01395058445135df29a8eb638c77.
This now adds the same
On Wed, Oct 31, 2018 at 11:16:56PM +0100, Phil Sutter wrote:
> When building from a separate build directory, a2x did not find the
> source file nft.txt. Using '$<' instead fixes this.
Applied, thanks!
On Wed, Oct 31, 2018 at 08:13:34PM +0100, Phil Sutter wrote:
> Due to xtables_parse_interface() and parse_ifname() being misaligned
> regarding interface mask setting, rules containing a wildcard interface
> added with iptables-nft could neither be checked nor deleted.
>
> As suggested, introduce
When building from a separate build directory, a2x did not find the
source file nft.txt. Using '$<' instead fixes this.
Fixes: 3bacae9e4a1e3 ("doc: Review man page building in Makefile.am")
Signed-off-by: Phil Sutter
---
doc/Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Due to xtables_parse_interface() and parse_ifname() being misaligned
regarding interface mask setting, rules containing a wildcard interface
added with iptables-nft could neither be checked nor deleted.
As suggested, introduce extensions/iptables.t to hold checks for
built-in selectors. This file
Hey Laura,
On Wed, Oct 31, 2018 at 12:54:18PM +0100, Laura Garcia Liebana wrote:
> When nftables is configured without libjansson support, the following
> compilation error is shown:
>
> monitor.c: In function ‘netlink_echo_callback’:
> monitor.c:910:10: error: too many arguments to function
There is no synchronization between packet path and the configuration plane.
The packet path uses two arrays with rules, one contains the current (active)
generation. The other either contains the last (obsolete) generation or
the future one.
Consider:
cpu1 cpu2
Start flood ping for each cpu while loading/flushing rulesets to make
sure we do not access already-free'd rules from nf_tables evaluation loop.
Also add this to TARGETS so 'make run_tests' in selftest dir runs it
automatically.
This would have caught the bug fixed in previous change
On Wed, Oct 24, 2018 at 12:31:04PM +0200, Florian Westphal wrote:
Hi,
please consider reverting
commit 84379c9afe011020e797e3f50a662b08a6355dcf
netfilter: ipv6: nf_defrag: drop skb dst before queueing
It causes kernel crash for locally generated ipv6 fragments
when netfilter ipv6
On Wed, Oct 31, 2018 at 01:53:16PM +0100, Phil Sutter wrote:
> Introduce setter/getter methods for each introduced output flag. Ignore
> NFT_CTX_OUTPUT_NUMERIC_ALL for now since its main purpose is for
> internal use.
>
> Adjust the script in tests/py accordingly: Due to the good defaults,
>
On Wed, Oct 31, 2018 at 12:54:18PM +0100, Laura Garcia Liebana wrote:
> When nftables is configured without libjansson support, the following
> compilation error is shown:
>
> monitor.c: In function ‘netlink_echo_callback’:
> monitor.c:910:10: error: too many arguments to function
Introduce setter/getter methods for each introduced output flag. Ignore
NFT_CTX_OUTPUT_NUMERIC_ALL for now since its main purpose is for
internal use.
Adjust the script in tests/py accordingly: Due to the good defaults,
only numeric proto output has to be selected - this is not a must, but
When nftables is configured without libjansson support, the following
compilation error is shown:
monitor.c: In function ‘netlink_echo_callback’:
monitor.c:910:10: error: too many arguments to function ‘json_events_cb’
return json_events_cb(nlh, _monh);
^~
This patch
Hello,
I'm trying to execute "ebtables -A FORWARD -p arp -j DROP" compiled
for x86_64 from ebtables-v2.0.10-4 sources and get segmentation fault
on file libebtc.c and line 240 (
ebt_find_target(EBT_STANDARD_TARGET)->used = 1; ). Seems that
ebt_find_target returns NULL.
Could anybody help explain
From: Chieh-Min Wang
For bridge (br_flood) or broadcast/multicast packets, they could clone skb with
unconfirmed conntrack, which breaks the rule that unconfirmed skb->_nfct is never
shared.
With nfqueue running on my system, the race can be easily reproduced with the
following warning calltrace:
The ip_set() macro is called when either ip_set_ref_lock held only
or no lock/nfnl mutex is held at dumping. Take this into account
properly. Also, use Pablo's suggestion to use rcu_dereference_raw(),
the ref_netlink protects the set.
Signed-off-by: Jozsef Kadlecsik
---
Thanks to all reviewers!
On Tue, 30 Oct 2018 at 08:41, Florian Westphal wrote:
>
> Pablo Neira Ayuso wrote:
> > On Thu, Oct 25, 2018 at 11:56:12PM +0900, Taehee Yoo wrote:
> > > conn_free() holds a lock with spin_lock(), and it is called by both
> > > nf_conncount_lookup() and
On Tue, 30 Oct 2018 at 08:00, Pablo Neira Ayuso wrote:
>
Hi Pablo,
Thank you for review!
> On Fri, Oct 19, 2018 at 12:27:57AM +0900, Taehee Yoo wrote:
> > xt_rateest_net_exit() was added to check whether rules are flushed
> > successfully, but the ->net_exit() callback is called earlier than
> >
On Tue, Oct 30, 2018 at 06:45:20PM +0100, Phil Sutter wrote:
> Hi Pablo,
>
> On Tue, Oct 30, 2018 at 06:01:19PM +0100, Pablo Neira Ayuso wrote:
> > On Tue, Oct 30, 2018 at 05:57:53PM +0100, Phil Sutter wrote:
> > > Due to xtables_parse_interface() and parse_ifname() being misaligned
> > >
Hi Pablo,
On Tue, Oct 30, 2018 at 06:01:19PM +0100, Pablo Neira Ayuso wrote:
> On Tue, Oct 30, 2018 at 05:57:53PM +0100, Phil Sutter wrote:
> > Due to xtables_parse_interface() and parse_ifname() being misaligned
> > regarding interface mask setting, rules containing a wildcard interface
> >
On Tue, Oct 30, 2018 at 05:57:53PM +0100, Phil Sutter wrote:
> Due to xtables_parse_interface() and parse_ifname() being misaligned
> regarding interface mask setting, rules containing a wildcard interface
> added with iptables-nft could neither be checked nor deleted.
>
> Signed-off-by: Phil
Due to xtables_parse_interface() and parse_ifname() being misaligned
regarding interface mask setting, rules containing a wildcard interface
added with iptables-nft could neither be checked nor deleted.
Signed-off-by: Phil Sutter
---
iptables/nft-shared.c| 2 +-
On Mon, Oct 29, 2018 at 05:52:51PM -0700, Cameron Norman wrote:
> Yes, we can do that.
Would you send me a patch? Please, add your Signed-off-by: tag.
Or I can just mangle this patch here if you prefer this.
Thanks.
> On Mon, Oct 29, 2018 at 2:11 PM Pablo Neira Ayuso wrote:
> >
> > Hi,
> >
>
On Mon, Oct 29, 2018 at 09:58:00PM +0100, Pablo Neira Ayuso wrote:
> Otherwise we end up displaying things that we cannot parse as input.
> Moreover, in a range, it's relevant to the user the values that are
> enclosed in the range, so let's print this numerically.
>
> Fixes: baa4e0e3fa5f ("src:
On Mon, Oct 29, 2018 at 09:57:58PM +0100, Pablo Neira Ayuso wrote:
> This patch adds NFT_CTX_OUTPUT_NUMERIC_SYMBOL, which replaces the last
> client of the numeric level approach.
>
> This patch updates `-n' option semantics to display all output
> numerically.
>
> Note that monitor code was
Yes, we can do that.
On Mon, Oct 29, 2018 at 2:11 PM Pablo Neira Ayuso wrote:
>
> Hi,
>
> On Sat, Oct 27, 2018 at 01:05:45PM -0700, Cameron Norman wrote:
> > The attached patch fixes building ulogd2 with musl libc. It is being
> > used on Void Linux right now.
> >
> >
Pablo Neira Ayuso wrote:
> On Thu, Oct 25, 2018 at 11:56:12PM +0900, Taehee Yoo wrote:
> > conn_free() holds a lock with spin_lock(), and it is called by both
> > nf_conncount_lookup() and nf_conncount_gc_list().
> > nf_conncount_lookup() is bottom-half context and nf_conncount_gc_list()
> > is
On Thu, Oct 25, 2018 at 11:56:12PM +0900, Taehee Yoo wrote:
> conn_free() holds a lock with spin_lock(), and it is called by both
> nf_conncount_lookup() and nf_conncount_gc_list().
> nf_conncount_lookup() is bottom-half context and nf_conncount_gc_list()
> is process context, so spin_lock() is
On Sun, Oct 21, 2018 at 12:00:08AM +0900, Taehee Yoo wrote:
> When IDLETIMER rule is added, sysfs file is created under
> /sys/class/xt_idletimer/timers/
> But some label name shouldn't be used.
> ".", "..", "power", "uevent", "subsystem", etc...
> So that sysfs filename checking routine is
On Fri, Oct 19, 2018 at 12:27:57AM +0900, Taehee Yoo wrote:
> xt_rateest_net_exit() was added to check whether rules are flushed
> successfully, but the ->net_exit() callback is called earlier than the
> ->destroy() callback.
> So the ->net_exit() callback can't check that.
>
> test commands:
>%ip
On Thu, Oct 25, 2018 at 7:56 AM Taehee Yoo wrote:
>
> nf_conncount_tuple is an element of nft_connlimit and it is deleted by
> conn_free(). Elements can be deleted by both the GC routine and the
> data path functions (nf_conncount_lookup, nf_conncount_add), and they
> call conn_free() to free elements.
201 - 300 of 13251 matches