On Thu, Oct 25, 2018 at 7:56 AM Taehee Yoo wrote:
>
> conn_free() holds the lock with spin_lock(), and it is called by both
> nf_conncount_lookup() and nf_conncount_gc_list().
> nf_conncount_lookup() is bottom-half context and nf_conncount_gc_list()
> is process context, so spin_lock() is not
Hi Jozsef,
On Sat, Oct 27, 2018 at 06:05:43PM +0200, Jozsef Kadlecsik wrote:
> The ip_set() macro is called when either ip_set_ref_lock is held only
> or no lock/nfnl mutex is held at dumping. Take this into account
> properly.
>
> Signed-off-by: Jozsef Kadlecsik
> ---
>
On Sat, Oct 27, 2018 at 06:05:38PM +0200, Jozsef Kadlecsik wrote:
> Hi Pablo,
>
> Please pull the next patches for the nf tree:
>
> - Decrease refcount synchronously on deletion and replace by
> Stefano Brivio, which fixes the reference counter shown in
> userspace.
> - Allow CIDR 0 in
Hi,
On Sat, Oct 27, 2018 at 01:05:45PM -0700, Cameron Norman wrote:
> The attached patch fixes building ulogd2 with musl libc. It is being
> used on Void Linux right now.
>
> https://bugzilla.netfilter.org/show_bug.cgi?id=1278
>
> Thanks,
> --
> Cameron Nemo
> diff --git a/src/ulogd.c
On Mon, Oct 29, 2018 at 06:50:13PM +0100, Phil Sutter wrote:
> On Mon, Oct 29, 2018 at 06:31:10PM +0100, Pablo Neira Ayuso wrote:
> > @Phil, thinking here we could probably get rid of
> > NFT_CTX_OUTPUT_NUMERIC_PROTO, since it is contained already in
> > NFT_CTX_OUTPUT_NUMERIC_SYMBOL.
> >
> >
This patch adds NFT_CTX_OUTPUT_NUMERIC_SYMBOL, which replaces the last
client of the numeric level approach.
This patch updates `-n' option semantics to display all output
numerically.
Note that monitor code was still using the -n option to skip printing
the process name, this patch updates that
Otherwise we end up displaying things that we cannot parse as input.
Moreover, in a range, the values enclosed in the range are relevant to
the user, so let's print them numerically.
Fixes: baa4e0e3fa5f ("src: add NFT_CTX_OUTPUT_NUMERIC_PROTO")
Reported-by: Phil Sutter
Signed-off-by:
We keep printing layer 4 protocols as literals since we do not use
/etc/protocols. Add -p option to print layer 4 protocols numerically.
Signed-off-by: Pablo Neira Ayuso
---
v3: Expose this -p option, Phil has a usecase for this.
doc/nft.txt | 4
src/main.c | 7 ++-
2 files changed,
On Mon, Oct 29, 2018 at 06:31:10PM +0100, Pablo Neira Ayuso wrote:
> @Phil, thinking here we could probably get rid of
> NFT_CTX_OUTPUT_NUMERIC_PROTO, since it is contained already in
> NFT_CTX_OUTPUT_NUMERIC_SYMBOL.
>
> There's no option for -p anymore, so we could simplify things a bit
> before.
This patch adds NFT_CTX_OUTPUT_NUMERIC_SYMBOL, which replaces the last
client of the numeric level approach.
This patch updates `-n' option semantics to display all output
numerically.
Note that monitor code was still using the -n option to skip printing
the process name, this patch updates that
Otherwise we end up displaying things that we cannot parse as input.
Moreover, in a range, the values enclosed in the range are relevant to
the user, so let's print them numerically.
Fixes: baa4e0e3fa5f ("src: add NFT_CTX_OUTPUT_NUMERIC_PROTO")
Reported-by: Phil Sutter
Signed-off-by:
@Phil, thinking here we could probably get rid of
NFT_CTX_OUTPUT_NUMERIC_PROTO, since it is contained already in
NFT_CTX_OUTPUT_NUMERIC_SYMBOL.
There's no option for -p anymore, so we could simplify things a bit
before.
On Mon, Oct 29, 2018 at 04:03:32PM +0100, Pablo Neira Ayuso wrote:
> This
On Mon, Oct 29, 2018 at 05:49:56PM +0100, Pablo Neira Ayuso wrote:
> On Mon, Oct 29, 2018 at 05:46:29PM +0100, Phil Sutter wrote:
> > Hi,
> >
> > On Mon, Oct 29, 2018 at 02:10:27PM +0100, Pablo Neira Ayuso wrote:
> > > We keep printing layer 4 protocols as literals since we do not use
> > >
On Mon, Oct 29, 2018 at 05:54:25PM +0100, Phil Sutter wrote:
> Hi,
>
> On Mon, Oct 29, 2018 at 04:19:03PM +0100, Pablo Neira Ayuso wrote:
> > On Fri, Oct 26, 2018 at 03:01:38PM +0200, Phil Sutter wrote:
> > > The basic principle is to not return a JSON object freshly created from
> > > netlink
On Mon, Oct 29, 2018 at 03:31:37PM +0100, Pablo Neira Ayuso wrote:
> We keep printing layer 4 protocols as literals since we do not use
> /etc/protocols. This new flag allows us to print it as a number.
>
> libnftables internally uses this to print layer 4 protocol as numbers
> when part of a
On Mon, Oct 29, 2018 at 03:31:38PM +0100, Pablo Neira Ayuso wrote:
> By default base chains are printed using default hook priority
> definitions. Add -y option to print them as numbers.
>
> Signed-off-by: Pablo Neira Ayuso
Acked-by: Phil Sutter
Otherwise we end up displaying things that we cannot parse as input.
Moreover, in a range, the values enclosed in the range are relevant to
the user, so let's print them numerically.
Reported-by: Phil Sutter
Signed-off-by: Pablo Neira Ayuso
---
Based on my recent patches, still not
Hi,
On Mon, Oct 29, 2018 at 04:19:03PM +0100, Pablo Neira Ayuso wrote:
> On Fri, Oct 26, 2018 at 03:01:38PM +0200, Phil Sutter wrote:
> > The basic principle is to not return a JSON object freshly created from
> > netlink responses, but just update the existing user-provided one to
> > make sure
On Mon, Oct 29, 2018 at 05:46:29PM +0100, Phil Sutter wrote:
> Hi,
>
> On Mon, Oct 29, 2018 at 02:10:27PM +0100, Pablo Neira Ayuso wrote:
> > We keep printing layer 4 protocols as literals since we do not use
> > /etc/protocols. Add -p option to print layer 4 protocols numerically.
> >
> >
On Mon, Oct 29, 2018 at 04:20:52PM +0100, Pablo Neira Ayuso wrote:
> On Fri, Oct 26, 2018 at 11:42:05AM +0200, Phil Sutter wrote:
> > The first test in there shows how the current cache update strategy
> > causes trouble. The second test shows that proposed "locking" of cache
> > when local
Hi,
On Mon, Oct 29, 2018 at 02:10:27PM +0100, Pablo Neira Ayuso wrote:
> We keep printing layer 4 protocols as literals since we do not use
> /etc/protocols. Add -p option to print layer 4 protocols numerically.
>
> Signed-off-by: Pablo Neira Ayuso
Acked-by: Phil Sutter
One question:
[...]
On Sat, Oct 27, 2018 at 12:15:50PM +0200, Phil Sutter wrote:
> Since this pseudo log level fundamentally changes the behaviour of the log
> statement, dedicate a separate paragraph to this mode.
Applied, thanks Phil.
On Fri, Oct 26, 2018 at 03:01:38PM +0200, Phil Sutter wrote:
> The basic principle is to not return a JSON object freshly created from
> netlink responses, but just update the existing user-provided one to
> make sure callers get back exactly what they expect.
Applied, thanks Phil.
> To achieve
This patch adds NFT_CTX_OUTPUT_NUMERIC_SYMBOL, which replaces the last
client of the numeric level approach.
This patch updates `-n' option semantics to display all output
numerically.
Note that monitor code was still using the -n option to skip printing
the process name, this patch updates that
We keep printing layer 4 protocols as literals since we do not use
/etc/protocols. This new flag allows us to print it as a number.
libnftables internally uses this to print layer 4 protocol as numbers
when part of a range.
Signed-off-by: Pablo Neira Ayuso
---
This patch was "src: add -p to
By default base chains are printed using default hook priority
definitions. Add -y option to print them as numbers.
Signed-off-by: Pablo Neira Ayuso
---
v2: Rebase on top of "src: add NFT_CTX_OUTPUT_NUMERIC_PROTO"
doc/libnftables.adoc | 3 +++
doc/nft.txt| 4
On Mon, Oct 29, 2018 at 02:55:15PM +0100, Pablo Neira Ayuso wrote:
> Hi Phil,
>
> I would probably keep back this patch, it's too fine-grained. Instead I
> would turn -n into 'display everything numerically' after this
> patchset.
>
> Hence, we have the fine-grained toggles for stateless, reverse
Hi Phil,
I would probably keep back this patch, it's too fine-grained. Instead I
would turn -n into 'display everything numerically' after this
patchset.
Hence, we have the fine-grained toggles for stateless, reverse dns,
service, guid and chain priority. Then the global toggles to turn
everything
On Mon, Oct 29, 2018 at 02:15:34PM +0100, Phil Sutter wrote:
> Hi,
>
> On Mon, Oct 29, 2018 at 01:31:00PM +0100, Pablo Neira Ayuso wrote:
> [...]
> > @@ -1354,10 +1354,11 @@ json_t *objref_stmt_json(const struct stmt *stmt,
> > struct output_ctx *octx)
> > json_t *meter_stmt_json(const struct
We keep printing layer 4 protocols as literals since we do not use
/etc/protocols. Add -p option to print layer 4 protocols numerically.
Signed-off-by: Pablo Neira Ayuso
---
v2: update documentation.
Rename to NUMERIC_PROTO.
doc/libnftables.adoc | 3 +++
doc/nft.txt
By default base chains are printed using default hook priority
definitions. Add -y option to print them as numbers.
Signed-off-by: Pablo Neira Ayuso
---
doc/libnftables.adoc | 3 +++
doc/nft.txt| 4
include/nftables.h | 5 +
On Mon, Oct 29, 2018 at 01:48:49PM +0100, Pablo Neira Ayuso wrote:
> Add NFT_CTX_OUTPUT_JSON flag and display output in json format.
>
> Signed-off-by: Pablo Neira Ayuso
Acked-by: Phil Sutter
Hi,
On Mon, Oct 29, 2018 at 01:43:00PM +0100, Pablo Neira Ayuso wrote:
> On Mon, Oct 29, 2018 at 01:29:32PM +0100, Phil Sutter wrote:
> > On Mon, Oct 29, 2018 at 12:33:39PM +0100, Pablo Neira Ayuso wrote:
[...]
> > > diff --git a/src/libnftables.c b/src/libnftables.c
> > > index
Hi,
On Mon, Oct 29, 2018 at 01:31:00PM +0100, Pablo Neira Ayuso wrote:
[...]
> @@ -1354,10 +1354,11 @@ json_t *objref_stmt_json(const struct stmt *stmt,
> struct output_ctx *octx)
> json_t *meter_stmt_json(const struct stmt *stmt, struct output_ctx *octx)
> {
> json_t *root, *tmp;
> +
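Review bot: in the meter_stmt_json() hunk (`@@ -1354,10 +1354,11 @@`), the only added line visible is the blank `+` line right after `json_t *root, *tmp;`, a whitespace-only change. If nothing else is added at that spot, drop it from this patch: NFT_CTX_OUTPUT_JSON is a functional change, and cosmetic spacing edits in json.c belong in a separate cleanup commit so they do not obscure the real diff.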
We keep printing layer 4 protocols as literals since we do not use
/etc/protocols. Add -p option to print layer 4 protocols numerically.
Signed-off-by: Pablo Neira Ayuso
---
include/nftables.h | 5 +
include/nftables/libnftables.h | 1 +
src/datatype.c | 2 +-
Add NFT_CTX_OUTPUT_JSON flag and display output in json format.
Signed-off-by: Pablo Neira Ayuso
---
v3: Refer to flag, not function, in the documentation.
add missing #ifdef HAVE_LIBJANSSON in src/main.c
- Both requested by Phil.
doc/libnftables.adoc | 18 +-
On Mon, Oct 29, 2018 at 01:34:23PM +0100, Phil Sutter wrote:
> On Mon, Oct 29, 2018 at 01:07:28PM +0100, Pablo Neira Ayuso wrote:
> > Like iptables-save, print UID and GID as numeric values by default.
> >
> > Add a new option `-u' to print the UID and GID names as defined by
> > /etc/passwd and
On Mon, Oct 29, 2018 at 01:23:04PM +0100, Phil Sutter wrote:
> On Mon, Oct 29, 2018 at 12:33:38PM +0100, Pablo Neira Ayuso wrote:
> > Add NFT_CTX_OUTPUT_HANDLE flag and print the handle that uniquely identifies
> > objects from the new output flags interface.
> >
> > Signed-off-by: Pablo Neira Ayuso
>
>
On Mon, Oct 29, 2018 at 01:07:28PM +0100, Pablo Neira Ayuso wrote:
> Like iptables-save, print UID and GID as numeric values by default.
>
> Add a new option `-u' to print the UID and GID names as defined by
> /etc/passwd and /etc/group.
>
> Note that -n is ignored after this patch, since
On Mon, Oct 29, 2018 at 12:33:40PM +0100, Pablo Neira Ayuso wrote:
> Add NFT_CTX_OUTPUT_ECHO flag and echo the command that has been sent to
> the kernel.
>
> Signed-off-by: Pablo Neira Ayuso
Acked-by: Phil Sutter
Add NFT_CTX_OUTPUT_STATELESS flag and enable stateless printing from new
output flags interface.
This patch adds nft_output_save_flags() and nft_output_restore_flags()
to temporarily disable stateful printing
Signed-off-by: Pablo Neira Ayuso
---
v3: Use nft_output_save_flags() and
Hi,
On Mon, Oct 29, 2018 at 12:33:39PM +0100, Pablo Neira Ayuso wrote:
> Add NFT_CTX_OUTPUT_JSON flag and display output in json format.
>
> Signed-off-by: Pablo Neira Ayuso
[...]
> diff --git a/doc/libnftables.adoc b/doc/libnftables.adoc
> index 8b7aee9af134..5a3562c3266c 100644
> ---
On Mon, Oct 29, 2018 at 12:33:38PM +0100, Pablo Neira Ayuso wrote:
> Add NFT_CTX_OUTPUT_HANDLE flag and print the handle that uniquely identifies
> objects from the new output flags interface.
>
> Signed-off-by: Pablo Neira Ayuso
Acked-by: Phil Sutter
One minor nit here as well:
[...]
> diff --git
On Mon, Oct 29, 2018 at 01:09:31PM +0100, Phil Sutter wrote:
> Hi,
>
> On Mon, Oct 29, 2018 at 12:33:37PM +0100, Pablo Neira Ayuso wrote:
> > Add NFT_CTX_OUTPUT_STATELESS flag and enable stateless printing from new
> > output flags interface.
> >
> > Signed-off-by: Pablo Neira Ayuso
> > ---
> >
Hi,
On Mon, Oct 29, 2018 at 12:33:37PM +0100, Pablo Neira Ayuso wrote:
> Add NFT_CTX_OUTPUT_STATELESS flag and enable stateless printing from new
> output flags interface.
>
> Signed-off-by: Pablo Neira Ayuso
> ---
> v2: Add nft_output_stateless()
> Fix missing conversion to use
Like iptables-save, print UID and GID as numeric values by default.
Add a new option `-u' to print the UID and GID names as defined by
/etc/passwd and /etc/group.
Note that -n is ignored after this patch, since the default is numeric
printing for UID and GID.
Signed-off-by: Pablo Neira Ayuso
---
Hi,
On Mon, Oct 29, 2018 at 12:33:36PM +0100, Pablo Neira Ayuso wrote:
> This is a partial revert of b0f6a45b25dd1 ("src: add --literal option")
> which was added during the development cycle before 0.9.1 was released.
>
> After looking at patch: https://patchwork.ozlabs.org/patch/969864/ that
>
Add NFT_CTX_OUTPUT_JSON flag and display output in json format.
Signed-off-by: Pablo Neira Ayuso
---
v2: Add nft_output_json()
Fix missing conversion to use NFT_CTX_OUTPUT_JSON.
Remove json field from struct output_ctx.
doc/libnftables.adoc | 16 +++-
Add NFT_CTX_OUTPUT_ECHO flag and echo the command that has been sent to
the kernel.
Signed-off-by: Pablo Neira Ayuso
---
v2: Add nft_output_echo()
Fix missing conversion to use NFT_CTX_OUTPUT_ECHO.
Remove echo field from struct output_ctx.
doc/libnftables.adoc | 15
Add NFT_CTX_OUTPUT_STATELESS flag and enable stateless printing from new
output flags interface.
Signed-off-by: Pablo Neira Ayuso
---
v2: Add nft_output_stateless()
Fix missing conversion to use NFT_CTX_OUTPUT_STATELESS.
Remove stateless field from struct output_ctx.
Add NFT_CTX_OUTPUT_HANDLE flag and print the handle that uniquely identifies
objects from the new output flags interface.
Signed-off-by: Pablo Neira Ayuso
---
v2: Add nft_output_handle()
Fix missing conversion to use NFT_CTX_OUTPUT_HANDLE.
Remove handle field from struct output_ctx.
This is a partial revert of b0f6a45b25dd1 ("src: add --literal option")
which was added during the development cycle before 0.9.1 was released.
After looking at patch: https://patchwork.ozlabs.org/patch/969864/ that
allows printing priority, uid, gid and protocols as numerics, I decided
to revisit
Hi,
I'm happy to announce ipset 7.0 which - besides of a couple fixes and
corrections - brings a new internal protocol version between the kernel
and userspace.
The system is fully backward compatible:
- the new kernel modules work fine with any older ipset userspace binary,
- the new ipset
Hi Pablo,
Please consider pulling the next patches for nf-next:
- Introduction of new commands and thus protocol version 7. The
new commands make it possible to eliminate the getsockopt interface
of ipset and use solely netlink to communicate with the kernel.
Due to the strict attribute
From: Stefano Brivio
Set types bitmap:ipmac and hash:ipmac check that MAC addresses
are not all zeroes.
Introduce one missing check, and make the remaining ones
consistent, using is_zero_ether_addr() instead of comparing
against an array containing zeroes.
This was already done for hash:mac
From: Stefano Brivio
There doesn't seem to be any reason to restrict MAC address
matching to source MAC addresses in set types bitmap:ipmac,
hash:ipmac and hash:mac. With this patch, and this setup:
ip netns add A
ip link add veth1 type veth peer name veth2 netns A
ip addr add
Two new commands (IPSET_CMD_GET_BYNAME, IPSET_CMD_GET_BYINDEX) are
introduced. The new commands make it possible to eliminate the getsockopt
operation (in iptables set/SET match/target) and thus use only netlink
communication between userspace and kernel for ipset. With the new
protocol version,
From: Andrey Ryabinin
ip_set_create() and ip_set_net_init() attempt to allocate physically
contiguous memory for ip_set_list. If memory is fragmented, the
allocations could easily fail:
vzctl: page allocation failure: order:7, mode:0xc0d0
Call Trace:
From: Stefano Brivio
Commit 45040978c899 ("netfilter: ipset: Fix set:list type crash
when flush/dump set in parallel") postponed decreasing set
reference counters to the RCU callback.
An 'ipset del' command can terminate before the RCU grace period
is elapsed, and if sets are listed before
The function is called when rcu_read_lock() is held and not
when rcu_read_lock_bh() is held.
Signed-off-by: Jozsef Kadlecsik
---
include/linux/netfilter/ipset/ip_set_comment.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/linux/netfilter/ipset/ip_set_comment.h
The ip_set() macro is called when either ip_set_ref_lock is held only
or no lock/nfnl mutex is held at dumping. Take this into account
properly.
Signed-off-by: Jozsef Kadlecsik
---
net/netfilter/ipset/ip_set_core.c | 23 +++
1 file changed, 19 insertions(+), 4 deletions(-)
Hi Pablo,
Please pull the next patches for the nf tree:
- Decrease refcount synchronously on deletion and replace by
Stefano Brivio, which fixes the reference counter shown in
userspace.
- Allow CIDR 0 in hash:net,port,net, which is documented but
was unnecessarily disabled, from Eric
From: Eric Westbrook
Allow /0 as advertised for hash:net,port,net sets.
For "hash:net,port,net", ipset(8) says that "either subnet
is permitted to be a /0 should you wish to match port
between all destinations."
Make that statement true.
Before:
# ipset create cidrzero hash:net,port,net
Add NFT_CTX_OUTPUT_JSON flag and display output in json format.
Signed-off-by: Pablo Neira Ayuso
---
doc/libnftables.adoc | 16 +++-
include/nftables/libnftables.h | 3 +--
src/libnftables.c | 20 ++--
src/main.c | 2 +-
Add NFT_CTX_OUTPUT_STATELESS flag and enable stateless printing from new
output flags interface.
Signed-off-by: Pablo Neira Ayuso
---
doc/libnftables.adoc | 17 +++--
include/nftables/libnftables.h | 3 +--
src/expression.c | 2 +-
src/json.c
This is a partial revert of b0f6a45b25dd1 ("src: add --literal option")
which was added during the development cycle before 0.9.1 was released.
After looking at patch: https://patchwork.ozlabs.org/patch/969864/ that
allows printing priority, uid, gid and protocols as numerics, I decided
to revisit
Add NFT_CTX_OUTPUT_HANDLE flag and print the handle that uniquely identifies
objects from the new output flags interface.
Signed-off-by: Pablo Neira Ayuso
---
doc/libnftables.adoc | 17 +++--
include/nftables/libnftables.h | 3 +--
src/libnftables.c | 10 --
Add NFT_CTX_OUTPUT_ECHO flag and echo the command that has been sent to
the kernel.
Signed-off-by: Pablo Neira Ayuso
---
doc/libnftables.adoc | 15 +++
include/nftables/libnftables.h | 1 +
src/libnftables.c | 10 --
src/main.c |
Since this pseudo log level fundamentally changes the behaviour of the log
statement, dedicate a separate paragraph to this mode.
Signed-off-by: Phil Sutter
---
doc/statements.txt | 18 ++
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/doc/statements.txt
The basic principle is to not return a JSON object freshly created from
netlink responses, but just update the existing user-provided one to
make sure callers get back exactly what they expect.
To achieve that, keep the parsed JSON object around in a global variable
('cur_root') and provide a
The first test in there shows how the current cache update strategy
causes trouble. The second test shows that proposed "locking" of cache
when local entries are added is flawed, too.
Signed-off-by: Phil Sutter
---
.../shell/testcases/cache/0003_cache_update_0 | 29 +++
1 file
Laura found a better way to do this from userspace without requiring
kernel infrastructure, revert this.
Fixes: 978d8f9055c3 ("netfilter: nft_numgen: add map lookups for numgen random
operations")
Signed-off-by: Laura Garcia Liebana
Signed-off-by: Pablo Neira Ayuso
---
Otherwise, we cannot validate mismatching length size when combining raw
expressions with sets and maps, e.g.
# cat /tmp/test
table ip nftlb {
map persistency {
type ipv4_addr : mark
size 65535
timeout 1h
}
chain pre {
nf_conncount_tuple is an element of nft_connlimit, and it is deleted by
conn_free(). Elements can be deleted by both the GC routine and the
data path functions (nf_conncount_lookup, nf_conncount_add), and they
call conn_free() to free elements.
But conn_free() only protects lists, not each element.
So
Two bugs in nf_conncount are fixed by this patch series.
First patch fixes inconsistent lock state in conn_free().
conn_free() is called from both BH and process context, so
spin_lock_bh() should be used.
Second patch fixes unsafe locking scenario of list element.
conn_free() can't protect
conn_free() holds the lock with spin_lock(), and it is called by both
nf_conncount_lookup() and nf_conncount_gc_list().
nf_conncount_lookup() is bottom-half context and nf_conncount_gc_list()
is process context, so spin_lock() is not safe.
Hence conn_free() should use spin_lock_bh() instead of
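The locking hazard described in the cover letter and in patch 1 above, as an added example that is not part of the series or of the kernel: a userspace model in which a signal handler plays the bottom half (the nf_conncount_lookup() path), an atomic test-and-set flag plays the list spinlock, and blocking the signal plays the BH-disable that spin_lock_bh() performs before taking the lock. All function names here (conn_free_model, model_spin_lock_bh, bottom_half, ...) are the model's own, not kernel symbols.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdatomic.h>
#include <stdio.h>
#include <string.h>

/* Userspace model (not kernel code): SIGALRM stands in for the bottom half,
 * an atomic_flag for the list spinlock, and a blocked SIGALRM for the
 * BH-disable that spin_lock_bh() performs. */

static atomic_flag list_lock = ATOMIC_FLAG_INIT;

/* A real spinlock would never return from this situation; the model records
 * it instead so the program can report it. */
static volatile sig_atomic_t bh_would_deadlock;

/* Stand-in for the bottom-half path nf_conncount_lookup() -> conn_free(). */
static void bottom_half(int sig)
{
    (void)sig;
    if (atomic_flag_test_and_set(&list_lock)) {
        bh_would_deadlock = 1;  /* lock held by the context we interrupted */
        return;
    }
    /* ...unlink and free the element... */
    atomic_flag_clear(&list_lock);
}

static void model_spin_lock(void)
{
    while (atomic_flag_test_and_set(&list_lock))
        ; /* spin; in the kernel this is where the bottom half would hang */
}

static void model_spin_unlock(void)
{
    atomic_flag_clear(&list_lock);
}

/* spin_lock_bh(): disable bottom halves first (here: block SIGALRM). */
static void model_spin_lock_bh(sigset_t *saved)
{
    sigset_t bh;

    sigemptyset(&bh);
    sigaddset(&bh, SIGALRM);
    sigprocmask(SIG_BLOCK, &bh, saved);
    model_spin_lock();
}

/* spin_unlock_bh(): release, then re-enable bottom halves. A bottom half that
 * became pending meanwhile runs here, after the lock is free. */
static void model_spin_unlock_bh(const sigset_t *saved)
{
    model_spin_unlock();
    sigprocmask(SIG_SETMASK, saved, NULL);
}

/* Process-context caller (nf_conncount_gc_list() -> conn_free()) that is
 * interrupted by the bottom half while it holds the list lock.
 * Returns 1 if the bottom half would have deadlocked, 0 if it ran safely. */
int conn_free_model(int use_bh_variant)
{
    struct sigaction sa;
    sigset_t saved;

    bh_would_deadlock = 0;
    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = bottom_half;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGALRM, &sa, NULL);

    if (use_bh_variant) {
        model_spin_lock_bh(&saved);
        raise(SIGALRM);  /* stays pending until model_spin_unlock_bh() */
        model_spin_unlock_bh(&saved);
    } else {
        model_spin_lock();
        raise(SIGALRM);  /* delivered now, while the lock is held */
        model_spin_unlock();
    }
    return bh_would_deadlock;
}

int main(void)
{
    printf("spin_lock():    %s\n",
           conn_free_model(0) ? "bottom half would deadlock" : "ok");
    printf("spin_lock_bh(): %s\n",
           conn_free_model(1) ? "bottom half would deadlock" : "ok");
    return 0;
}
```

With the plain lock the handler finds the flag already set by the very context it interrupted, which is the same-CPU self-deadlock the patch fixes; with the _bh variant the signal stays pending until after the unlock, so the handler takes the lock cleanly. The model only shows the single-CPU case the cover letter describes; it does not model other CPUs contending for the lock.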
On Wed, Oct 24, 2018 at 01:54:03PM +0200, Jiri Slaby wrote:
> With 4.19, programs like ebtables fail to build when they include
> "linux/netfilter_bridge.h". It is caused by commit 94276fa8a2a4 which
> added a use of INT_MIN and INT_MAX to the header:
> : In file included from
On Wed, Oct 24, 2018 at 09:14:37PM +0200, Phil Sutter wrote:
> When trying to convert an xt stmt into JSON, the print() callback was
> called. The code in src/xt.c does not respect output_fp, though, so the
> buffer wasn't filled as expected, making libjansson puke:
>
> | # nft -j list ruleset
>
When trying to convert an xt stmt into JSON, the print() callback was
called. The code in src/xt.c does not respect output_fp, though, so the
buffer wasn't filled as expected, making libjansson puke:
| # nft -j list ruleset
| warning: stmt ops xt have no json callback
| nft: json.c:169:
Thanks Phil, I will keep this in mind for the next time.
On 10/24/18 12:35 PM, Phil Sutter wrote:
Having to use numerical values for ttl property in JSON is not
practical as these values are arbitrary and meaningful only in
netfilter. Instead align JSON output/input with standard API, accepting
Hi Pablo,
On Wed, Oct 24, 2018 at 06:35:45PM +0200, Pablo Neira Ayuso wrote:
> On Wed, Oct 24, 2018 at 06:05:55PM +0200, Phil Sutter wrote:
> > When trying to adjust receive buffer size, the second call to
> > setsockopt() was not error-checked.
> >
> > Signed-off-by: Phil Sutter
> > ---
> >
These functions are not very useful; rule comparison from this layer
does not work well with implicit set definitions.
This infrastructure was added as an attempt to support deletion by
name from this layer, which should be done from the higher-level libnftables
library. Finally, we never had a
Replace it by direct call to mnl_batch_talk().
Signed-off-by: Pablo Neira Ayuso
---
include/netlink.h | 2 --
src/libnftables.c | 2 +-
src/netlink.c | 5 -
3 files changed, 1 insertion(+), 8 deletions(-)
diff --git a/include/netlink.h b/include/netlink.h
index
We can remove alloc_nftnl_flowtable() and consolidate infrastructure in
the src/mnl.c file.
Signed-off-by: Pablo Neira Ayuso
---
include/mnl.h | 9 +++
include/netlink.h | 5 +---
src/mnl.c | 70 ++-
src/netlink.c | 62
On Wed, Oct 24, 2018 at 06:05:55PM +0200, Phil Sutter wrote:
> When trying to adjust receive buffer size, the second call to
> setsockopt() was not error-checked.
>
> Signed-off-by: Phil Sutter
> ---
> src/mnl.c | 7 +--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git
When trying to adjust receive buffer size, the second call to
setsockopt() was not error-checked.
Signed-off-by: Phil Sutter
---
src/mnl.c | 7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/mnl.c b/src/mnl.c
index 2be8ca14e50da..0d9b7ffc85c76 100644
--- a/src/mnl.c
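The fix Phil describes above (checking the second setsockopt() as well), as an added example that is not nftables' own src/mnl.c code: a receive-buffer helper that tries SO_RCVBUFFORCE and falls back to SO_RCVBUF, checking both calls and reporting the fallback's error. That the unchecked call in nft is an SO_RCVBUF fallback of this shape is an assumption; the helper names (set_rcvbuf, get_rcvbuf, demo_rcvbuf) are this example's own, and the demo uses a throwaway AF_UNIX socket so it runs without network access.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * Raise a socket's receive buffer. SO_RCVBUFFORCE ignores net.core.rmem_max
 * but needs CAP_NET_ADMIN; when it fails, fall back to SO_RCVBUF, which the
 * kernel clamps to rmem_max. Both setsockopt() calls are checked, so a
 * failed fallback is reported instead of being silently ignored.
 * Returns 0 on success, -1 with errno set otherwise.
 * (Example helper; the SO_RCVBUFFORCE-then-SO_RCVBUF shape is an assumption.)
 */
int set_rcvbuf(int fd, int bytes)
{
    socklen_t len = sizeof(bytes);

#ifdef SO_RCVBUFFORCE /* Linux-only option; elsewhere go straight to the fallback */
    if (setsockopt(fd, SOL_SOCKET, SO_RCVBUFFORCE, &bytes, len) == 0)
        return 0;
    /* Typically EPERM for an unprivileged caller; fall back either way. */
#endif
    /* This is the call that was left unchecked: its error must propagate. */
    if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &bytes, len) < 0)
        return -1;
    return 0;
}

/* What the kernel actually granted: Linux doubles the request to account
 * for its own bookkeeping and clamps it, so this is rarely the number asked for. */
int get_rcvbuf(int fd)
{
    int bytes = 0;
    socklen_t len = sizeof(bytes);

    if (getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &bytes, &len) < 0)
        return -1;
    return bytes;
}

/* Apply set_rcvbuf() to a throwaway AF_UNIX datagram socket (no network
 * needed) and return the granted size, or -1 on any failure. */
int demo_rcvbuf(int request)
{
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    int granted = -1;

    if (fd < 0)
        return -1;
    if (set_rcvbuf(fd, request) == 0)
        granted = get_rcvbuf(fd);
    else
        fprintf(stderr, "set_rcvbuf: %s\n", strerror(errno));
    close(fd);
    return granted;
}

int main(void)
{
    int request = 1 << 20;
    int granted = demo_rcvbuf(request);

    if (granted < 0)
        return 1;
    printf("requested %d bytes, kernel granted %d\n", request, granted);
    return 0;
}
```

Run as root the first setsockopt() succeeds and the granted size follows the request; unprivileged, it falls through to SO_RCVBUF and the granted size is capped by net.core.rmem_max. In both cases an error from the final call now reaches the caller, which is the whole point of the patch.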
This is a partial revert of b0f6a45b25dd1 ("src: add --literal option")
which was added during the development cycle before 0.9.1 was released.
After looking at patch: https://patchwork.ozlabs.org/patch/969864/ that
allows printing priority, uid, gid and protocols as numerics, I decided
to revisit
Florian Westphal wrote:
> Lars Wendler wrote:
> > > In file included from ../iptables/nft.h:5,
> > > from libxt_limit.c:18:
> > > ../iptables/nft-shared.h:6:10: fatal error: libnftnl/rule.h: No such
> > > file or directory #include
> > > ^
> > >
This is a partial revert of b0f6a45b25dd1 ("src: add --literal option")
which was added during the development cycle before 0.9.1 was released.
After looking at patch: https://patchwork.ozlabs.org/patch/969864/ that
allows printing priority, uid, gid and protocols as numerics, I decided
to revisit
Hi,
this is an old patch from Debian to do some upgrades to iptables-apply.
Please, consider merging it to master.
The piece of code itself is pretty old, uses some Debian-specific
constructs, and tries to call the fail2ban sysvinit script. So a lot of
wrong stuff that tempts me to just drop the code
On Wed, Oct 24, 2018 at 12:35:01PM +0200, Phil Sutter wrote:
> Recent changes to context structs broke compiling with JSON support
> enabled, patch 3 fixes this. While doing so, I noticed that struct
> eval_ctx's comment wasn't updated - fixed by patch 1.
My fault, sorry about this.
> Finally, I
Trying to add a range of size 1 was previously not allowed:
| # nft add element ip t s '{ 40-40 }'
| Error: Range has zero or negative size
| add element ip t s { 40-40 }
| ^
The error message is not correct: A range of N-K with K >= N consists of
K - N + 1 elements (N,
Having to use numerical values for ttl property in JSON is not
practical as these values are arbitrary and meaningful only in
netfilter. Instead align JSON output/input with standard API, accepting
names for TTL matching strategy.
Also add missing documentation in libnftables-json man page and
The previous change to that struct missed updating the comment.
Fixes: 00f777bfc414a ("src: pass struct nft_ctx through struct eval_ctx")
Signed-off-by: Phil Sutter
---
include/rule.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/rule.h b/include/rule.h
index
Commits introducing nft_ctx pointer to netlink and eval contexts did not
update JSON code accordingly.
Fixes: 00f777bfc414a ("src: pass struct nft_ctx through struct eval_ctx")
Fixes: 2dc07bcd7eaa5 ("src: pass struct nft_ctx through struct netlink_ctx")
Signed-off-by: Phil Sutter
---
src/json.c
Recent changes to context structs broke compiling with JSON support
enabled, patch 3 fixes this. While doing so, I noticed that struct
eval_ctx's comment wasn't updated - fixed by patch 1.
Finally, I didn't like how osf ttl support was implemented in JSON.
Patch 2 resolves this.
Phil Sutter (3):
Hi,
please consider reverting
commit 84379c9afe011020e797e3f50a662b08a6355dcf
netfilter: ipv6: nf_defrag: drop skb dst before queueing
It causes kernel crash for locally generated ipv6 fragments
when netfilter ipv6 defragmentation is used.
The faulty commit is not essential for -stable, it
Lars Wendler wrote:
> > In file included from ../iptables/nft.h:5,
> > from libxt_limit.c:18:
> > ../iptables/nft-shared.h:6:10: fatal error: libnftnl/rule.h: No such
> > file or directory #include
> > ^
> > compilation terminated.
>
> and indeed, I
Hi,
I am trying to build iptables-1.8.1 with
> ./configure \
> --prefix=/usr \
> --build=x86_64-pc-linux-gnu \
> --host=x86_64-pc-linux-gnu \
> --mandir=/usr/share/man \
> --infodir=/usr/share/info \
> --datadir=/usr/share \
> --sysconfdir=/etc \
> --localstatedir=/var/lib \
>
Some headers aren't used in these files, so it's safe to remove them.
Signed-off-by: Weongyo Jeong
---
net/ipv4/netfilter/ipt_CLUSTERIP.c | 5 -
net/ipv4/netfilter/ipt_REJECT.c| 3 ---
2 files changed, 8 deletions(-)
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c