[PATCH nft 3/3] mnl: use either name or handle to refer to objects

2018-10-23 Thread Pablo Neira Ayuso
We can only specify either name or handle to refer to objects. Signed-off-by: Pablo Neira Ayuso --- src/mnl.c | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/mnl.c b/src/mnl.c index d3129fda2b89..2be8ca14e50d 100644 --- a/src/mnl.c +++ b/src/mnl.c @@ -660,7

[PATCH nft 1/3] src: move socket open and reopen to mnl.c

2018-10-23 Thread Pablo Neira Ayuso
These functions are part of the mnl backend, move them there. Remove netlink_close_sock(), use direct call to mnl_socket_close(). Signed-off-by: Pablo Neira Ayuso --- include/mnl.h | 4 ++-- include/netlink.h | 1 - src/libnftables.c | 4 ++-- src/mnl.c | 22

Re: [PATCH nft v3] src: osf: add ttl option support

2018-10-23 Thread Pablo Neira Ayuso
On Tue, Oct 23, 2018 at 05:06:22PM +0200, Fernando Fernandez Mancera wrote: > Add support for ttl option in "osf" expression. Example: > > table ip foo { > chain bar { > type filter hook input priority filter; policy accept; > osf ttl skip name "Linux" > }

Re: [iptables PATCH] xtables: Fix for spurious errors from iptables-translate

2018-10-23 Thread Pablo Neira Ayuso
On Tue, Oct 23, 2018 at 04:59:14PM +0200, Phil Sutter wrote: > When aligning iptables-nft error messages with legacy ones, I missed > that translate tools shouldn't check for missing or duplicated chains. > > Introduce a boolean in struct nft_xt_cmd_parse indicating we're "just" > translating and

Re: [nft PATCH] tests: shell: Extend get element test

2018-10-23 Thread Pablo Neira Ayuso
On Tue, Oct 23, 2018 at 12:33:28PM +0200, Phil Sutter wrote: > On Tue, Oct 23, 2018 at 11:28:28AM +0200, Pablo Neira Ayuso wrote: [...] > > Using current nftables git HEAD plus kernel patch, I'm getting: > > > > # nft get element ip t s '{ 25, 28 }' > > table ip t { > > set s { > >

[PATCH nft v3] src: osf: add ttl option support

2018-10-23 Thread Fernando Fernandez Mancera
Add support for ttl option in "osf" expression. Example: table ip foo { chain bar { type filter hook input priority filter; policy accept; osf ttl skip name "Linux" } } Signed-off-by: Fernando Fernandez Mancera --- v1:initial patch v2:use

[iptables PATCH] xtables: Fix for spurious errors from iptables-translate

2018-10-23 Thread Phil Sutter
When aligning iptables-nft error messages with legacy ones, I missed that translate tools shouldn't check for missing or duplicated chains. Introduce a boolean in struct nft_xt_cmd_parse indicating we're "just" translating and do_parse() should skip the checks. Fixes: b6a06c1a215f8 ("xtables:

Re: [nft PATCH] tests: shell: Extend get element test

2018-10-23 Thread Phil Sutter
Hi, On Tue, Oct 23, 2018 at 11:28:28AM +0200, Pablo Neira Ayuso wrote: > On Mon, Oct 22, 2018 at 11:14:32PM +0200, Phil Sutter wrote: > > Hi Pablo, > > > > On Mon, Oct 22, 2018 at 09:45:02PM +0200, Pablo Neira Ayuso wrote: > > [...] > > > > A bit of context illustrating why I think the code

[ANNOUNCE] iptables 1.8.1 release

2018-10-23 Thread Florian Westphal
Hi! The Netfilter project proudly presents: iptables 1.8.1 This release contains fixes and the following new features: * add arp & ebtables-save/restore for nf_tables backend * new cgroup match revision with reduced memory footprint Notable nft backend fixes: - don't print rule

Re: [nft PATCH] tests: shell: Extend get element test

2018-10-23 Thread Pablo Neira Ayuso
On Mon, Oct 22, 2018 at 11:14:32PM +0200, Phil Sutter wrote: > Hi Pablo, > > On Mon, Oct 22, 2018 at 09:45:02PM +0200, Pablo Neira Ayuso wrote: > [...] > > > A bit of context illustrating why I think the code needs more than just > > > "more fixes": AFAIU, for each input element (which may be

Re: [PATCH 1/2 nft v3 preview] src: osf: add ttl option support

2018-10-23 Thread Pablo Neira Ayuso
On Mon, Oct 22, 2018 at 10:46:18PM +0200, Fernando Fernandez Mancera wrote: > Add support for ttl option in "osf" expression. Example: > > table ip foo { > chain bar { > type filter hook input priority filter; policy accept; > osf skip name "Linux" osf ttl skip

Re: [PATCH] netfilter: conntrack: fix cloned unconfirmed skb->_nfct race in __nf_conntrack_confirm

2018-10-23 Thread Chieh-Min Wang
Not sure if you have questions about this bug? I drew the broadcast packet racing flow chart as follows: br_handle_frame BR_HOOK(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, br_handle_frame_finish) // skb->_nfct (unconfirmed conntrack) is established at PRE_ROUTING br_handle_frame_finish //

Re: [nft PATCH] tests: shell: Extend get element test

2018-10-22 Thread Phil Sutter
Hi Pablo, On Mon, Oct 22, 2018 at 09:45:02PM +0200, Pablo Neira Ayuso wrote: [...] > > A bit of context illustrating why I think the code needs more than just > > "more fixes": AFAIU, for each input element (which may be part of a > > range or not), code asks the kernel for whether the element

[PATCH 1/2 nft v3 preview] src: osf: add ttl option support

2018-10-22 Thread Fernando Fernandez Mancera
Add support for ttl option in "osf" expression. Example: table ip foo { chain bar { type filter hook input priority filter; policy accept; osf skip name "Linux" } } Signed-off-by: Fernando Fernandez Mancera --- v1:initial patch v2:use "ttl-global,

[PATCH 2/2 nft v3] doc: osf: add ttl option to man page

2018-10-22 Thread Fernando Fernandez Mancera
--- doc/primary-expression.txt | 20 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt index 0fda76d..0c02d9d 100644 --- a/doc/primary-expression.txt +++ b/doc/primary-expression.txt @@ -187,18 +187,30 @@

Re: [PATCH iptables] configure: bump versions for 1.8.1 release

2018-10-22 Thread Pablo Neira Ayuso
On Mon, Oct 22, 2018 at 06:51:08PM +0200, Florian Westphal wrote: > this release also adds xtables_getether* functions to libxtables, so > current and age are incremented as well. > > Signed-off-by: Florian Westphal Acked-by: Pablo Neira Ayuso Thanks Florian!

Re: [PATCH 1/2 nft v2] src: osf: add ttl option support

2018-10-22 Thread Pablo Neira Ayuso
On Mon, Oct 22, 2018 at 09:38:31PM +0200, Fernando Fernandez Mancera wrote: > On 22 October 2018 20:38:13 CEST, Pablo Neira Ayuso > wrote: > >On Mon, Oct 22, 2018 at 05:35:42PM +0200, Fernando Fernandez Mancera > >wrote: > >> I am going to add the necessary NFT_OSF_* definitions in the

[PATCH nf-next] netfilter: nft_osf: check if attribute is present

2018-10-22 Thread Pablo Neira Ayuso
If the attribute is not sent, e.g. old libnftnl binary, then tb[NFTA_OSF_TTL] is NULL and kernel crashes from the _init path. Fixes: a218dc82f0b5 ("netfilter: nft_osf: Add ttl option support") Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nft_osf.c | 2 +- 1 file changed, 1 insertion(+), 1

Re: [nft PATCH] tests: shell: Extend get element test

2018-10-22 Thread Pablo Neira Ayuso
Hi Phil, On Mon, Oct 22, 2018 at 03:45:09PM +0200, Phil Sutter wrote: > Despite the recent fixes, the test still fails. While trying to address > the remaining issues, I found more potentially problematic inputs so > extend the test by those. Applied, thanks. More comments, see below. > --- >

Re: [PATCH 1/2 nft v2] src: osf: add ttl option support

2018-10-22 Thread Fernando Fernandez Mancera
On 22 October 2018 20:38:13 CEST, Pablo Neira Ayuso wrote: >On Mon, Oct 22, 2018 at 05:35:42PM +0200, Fernando Fernandez Mancera >wrote: >> I am going to add the necessary NFT_OSF_* definitions in the >nf_tables.h > >Just add a copy of nf_osf.h to nftables tree. We cannot mangle

[PATCH nft 3/3] netlink: reset mnl_socket field in struct nft_ctx on EINTR

2018-10-22 Thread Pablo Neira Ayuso
Otherwise we keep using the old netlink socket if we hit EINTR. Signed-off-by: Pablo Neira Ayuso --- Requires patches 1/3 and 2/3. include/netlink.h | 2 +- src/netlink.c | 4 ++-- src/rule.c| 3 +-- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/include/netlink.h

[PATCH nft 1/3] src: pass struct nft_ctx through struct eval_ctx

2018-10-22 Thread Pablo Neira Ayuso
Signed-off-by: Pablo Neira Ayuso --- include/rule.h | 5 +- src/evaluate.c | 134 ++--- src/parser_bison.y | 5 +- 3 files changed, 69 insertions(+), 75 deletions(-) diff --git a/include/rule.h b/include/rule.h index

[PATCH nft 2/3] src: pass struct nft_ctx through struct netlink_ctx

2018-10-22 Thread Pablo Neira Ayuso
Signed-off-by: Pablo Neira Ayuso --- include/netlink.h | 9 +--- include/rule.h| 10 ++-- src/evaluate.c| 55 +++- src/libnftables.c | 8 +-- src/mnl.c | 28 +- src/monitor.c | 52

Re: [PATCH 1/2 nft v2] src: osf: add ttl option support

2018-10-22 Thread Pablo Neira Ayuso
On Mon, Oct 22, 2018 at 05:35:42PM +0200, Fernando Fernandez Mancera wrote: > I am going to add the necessary NFT_OSF_* definitions in the nf_tables.h Just add a copy of nf_osf.h to nftables tree. We cannot mangle nf_tables.h, it's a copy from the original header to ensure sources compile with

[PATCH iptables] configure: bump versions for 1.8.1 release

2018-10-22 Thread Florian Westphal
this release also adds xtables_getether* functions to libxtables, so current and age are incremented as well. Signed-off-by: Florian Westphal --- configure.ac | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index 07e32064489b..1da8555e65f3

Re: [PATCH 1/2 nft v2] src: osf: add ttl option support

2018-10-22 Thread Fernando Fernandez Mancera
Comments below. On 10/15/18 2:47 PM, Pablo Neira Ayuso wrote: Please send a v3 including tests/py. More comments below. On Sat, Sep 29, 2018 at 12:15:17PM +0200, Fernando Fernandez Mancera wrote: Add support for ttl option in "osf" expression. Example: table ip foo { chain bar {

[nft PATCH] tests: shell: Extend get element test

2018-10-22 Thread Phil Sutter
Despite the recent fixes, the test still fails. While trying to address the remaining issues, I found more potentially problematic inputs so extend the test by those. Signed-off-by: Phil Sutter --- Hi, A bit of context illustrating why I think the code needs more than just "more fixes": AFAIU,

[PATCH nf] netfilter: xt_IDLETIMER: add sysfs filename checking routine

2018-10-20 Thread Taehee Yoo
When an IDLETIMER rule is added, a sysfs file is created under /sys/class/xt_idletimer/timers/ But some label names shouldn't be used: ".", "..", "power", "uevent", "subsystem", etc... So a sysfs filename checking routine is needed. test commands: %iptables -I INPUT -j IDLETIMER --timeout 1

Re: [nft PATCH] make cache persistent if local entries were added

2018-10-20 Thread Phil Sutter
On Sat, Oct 20, 2018 at 12:35:11PM +0200, Pablo Neira Ayuso wrote: > On Sat, Oct 20, 2018 at 12:24:06PM +0200, Phil Sutter wrote: > > JSON API as well as nft CLI allow to run multiple commands within the > > same batch. Depending on the local cache state, a later command may > > trigger a cache

Re: [nft PATCH] make cache persistent if local entries were added

2018-10-20 Thread Pablo Neira Ayuso
On Sat, Oct 20, 2018 at 12:24:06PM +0200, Phil Sutter wrote: > JSON API as well as nft CLI allow to run multiple commands within the > same batch. Depending on the local cache state, a later command may > trigger a cache update which removes the local entry added by an earlier > command. > > To

[nft PATCH] make cache persistent if local entries were added

2018-10-20 Thread Phil Sutter
JSON API as well as nft CLI allow to run multiple commands within the same batch. Depending on the local cache state, a later command may trigger a cache update which removes the local entry added by an earlier command. To overcome this, introduce a special genid value to set when local entries

Re: [PATCH iptables] iptables-test: add -N option to exercise netns removal path

2018-10-20 Thread Phil Sutter
Hi, On Sat, Oct 20, 2018 at 11:21:42AM +0200, Pablo Neira Ayuso wrote: > On Fri, Oct 19, 2018 at 03:38:58PM +0200, Phil Sutter wrote: > > On Fri, Oct 19, 2018 at 11:55:07AM +0200, Pablo Neira Ayuso wrote: > > > On Fri, Oct 19, 2018 at 11:04:42AM +0200, Phil Sutter wrote: > > > > Hi, > > > > > >

Re: [PATCH iptables] iptables-test: add -N option to exercise netns removal path

2018-10-20 Thread Pablo Neira Ayuso
On Fri, Oct 19, 2018 at 03:38:58PM +0200, Phil Sutter wrote: > On Fri, Oct 19, 2018 at 11:55:07AM +0200, Pablo Neira Ayuso wrote: > > On Fri, Oct 19, 2018 at 11:04:42AM +0200, Phil Sutter wrote: > > > Hi, > > > > > > On Thu, Oct 18, 2018 at 08:33:07PM +0200, Pablo Neira Ayuso wrote: > > > [...] >

Re: [PATCH libnftnl 4/4] src: Use memcpy() to handle potentially unaligned data

2018-10-19 Thread Matt Turner
On Fri, Oct 19, 2018 at 5:14 AM Pablo Neira Ayuso wrote: > > On Wed, Oct 17, 2018 at 12:32:54PM -0700, Matt Turner wrote: > > Rolf Eike Beer reported that nft-expr_quota-test fails > > with a SIGBUS on SPARC due to unaligned accesses. This patch resolves > > that and fixes additional sources of

Re: [PATCH iptables] libxtables: expose new etherdb lookup function through libxtables API

2018-10-19 Thread Phil Sutter
On Fri, Oct 19, 2018 at 01:10:59PM +0200, Pablo Neira Ayuso wrote: > This is used from extensions and included in libxtables, so we have to > make them public. > > Fixes: 31f1434dfe37 ("libxtables: Integrate getethertype.c from xtables core") > Reported-by: Florian Westphal > Signed-off-by:

Re: [PATCH iptables] libxtables: prefix exported new functions for etherdb lookups

2018-10-19 Thread Phil Sutter
On Fri, Oct 19, 2018 at 12:57:36PM +0200, Pablo Neira Ayuso wrote: > To avoid symbol pollution, place them under the xt_ and xtables_ prefix > name. > > Reported-by: Florian Westphal > Signed-off-by: Pablo Neira Ayuso Acked-by: Phil Sutter

Re: [PATCH iptables] iptables-test: add -N option to exercise netns removal path

2018-10-19 Thread Phil Sutter
On Fri, Oct 19, 2018 at 11:55:07AM +0200, Pablo Neira Ayuso wrote: > On Fri, Oct 19, 2018 at 11:04:42AM +0200, Phil Sutter wrote: > > Hi, > > > > On Thu, Oct 18, 2018 at 08:33:07PM +0200, Pablo Neira Ayuso wrote: > > [...] > > > @@ -108,8 +111,15 @@ def run_test(iptables, rule, rule_save, res, >

Re: [PATCH libnftnl 4/4] src: Use memcpy() to handle potentially unaligned data

2018-10-19 Thread Pablo Neira Ayuso
On Wed, Oct 17, 2018 at 12:32:54PM -0700, Matt Turner wrote: > Rolf Eike Beer reported that nft-expr_quota-test fails > with a SIGBUS on SPARC due to unaligned accesses. This patch resolves > that and fixes additional sources of unaligned accesses matching the > same pattern. Both

Re: [PATCH nf-next] netfilter: remove unused udp.h header.

2018-10-19 Thread Pablo Neira Ayuso
On Wed, Oct 17, 2018 at 09:46:07PM +0900, Weongyo Jeong wrote: > udp.h header isn't used at these files. So it's safe to remove. > > Signed-off-by: Weongyo Jeong > --- > net/ipv4/netfilter/ipt_CLUSTERIP.c | 1 - > net/ipv4/netfilter/ipt_REJECT.c| 1 - > 2 files changed, 2 deletions(-) > >

Re: [PATCH nf-next] netfilter: remove two unused variables.

2018-10-19 Thread Pablo Neira Ayuso
On Wed, Oct 17, 2018 at 09:45:17PM +0900, Weongyo Jeong wrote: > nft_dup_netdev_ingress_ops and nft_fwd_netdev_ingress_ops variables are > no longer used at the code. Applied, thanks.

Re: [PATCH nf-next] netfilter: nfnetlink_log: remove empty nfnetlink_log.h header file

2018-10-19 Thread Pablo Neira Ayuso
On Thu, Oct 18, 2018 at 10:29:59PM +0900, Taehee Yoo wrote: > /include/net/netfilter/nfnetlink_log.h file is empty. > so that it can be removed. Applied, thanks.

Re: [PATCH nf-next] netfilter: nf_flow_table: remove unnecessary parameter of nf_flow_table_cleanup()

2018-10-19 Thread Pablo Neira Ayuso
On Fri, Oct 12, 2018 at 03:01:54AM +0900, Taehee Yoo wrote: > parameter net of nf_flow_table_cleanup() is not used. > So that it can be removed. Applied, thanks.

[PATCH iptables] libxtables: expose new etherdb lookup function through libxtables API

2018-10-19 Thread Pablo Neira Ayuso
This is used from extensions and included in libxtables, so we have to make them public. Fixes: 31f1434dfe37 ("libxtables: Integrate getethertype.c from xtables core") Reported-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- extensions/libebt_arp.c | 4 ++--

[PATCH iptables] libxtables: prefix exported new functions for etherdb lookups

2018-10-19 Thread Pablo Neira Ayuso
To avoid symbol pollution, place them under the xt_ and xtables_ prefix name. Reported-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- extensions/libebt_arp.c | 6 +++--- extensions/libebt_vlan.c| 4 ++-- include/ebtables/ethernetdb.h | 22 +-

Re: [PATCH nf-next] netfilter: nf_flow_table: remove flowtable hook flush routine in netns exit routine

2018-10-19 Thread Pablo Neira Ayuso
On Tue, Oct 02, 2018 at 02:17:14AM +0900, Taehee Yoo wrote: > When device is unregistered, flowtable flush routine is called > by notifier_call(nf_tables_flowtable_event). and exit callback of > nftables pernet_operation(nf_tables_exit_net) also has flowtable flush > routine. but when network

Re: [PATCH nf-next] Revert "netfilter: xt_quota: fix the behavior of xt_quota module"

2018-10-19 Thread Maciej Żenczykowski
Signed-off-by: Maciej Żenczykowski

[PATCH nf-next] Revert "netfilter: xt_quota: fix the behavior of xt_quota module"

2018-10-19 Thread Pablo Neira Ayuso
This reverts commit e9837e55b0200da544a095a1fca36efd7fd3ba30. When talking to Maze and Chenbo, we agreed to keep this back by now due to problems in the ruleset listing path with 32-bit arches. Signed-off-by: Pablo Neira Ayuso --- include/uapi/linux/netfilter/xt_quota.h | 8 ++---

[PATCH iptables,v2] iptables-test: add -N option to exercise netns removal path

2018-10-19 Thread Pablo Neira Ayuso
We are getting bug reports lately from the netns path, add a new option to exercise this path. Signed-off-by: Pablo Neira Ayuso --- v2: run local xtables-multi command, not the one installed in the system as requested by Phil Sutter. Several cleanups too. iptables-test.py | 38

Re: [PATCH iptables] iptables-test: add -N option to exercise netns removal path

2018-10-19 Thread Pablo Neira Ayuso
On Fri, Oct 19, 2018 at 11:04:42AM +0200, Phil Sutter wrote: > Hi, > > On Thu, Oct 18, 2018 at 08:33:07PM +0200, Pablo Neira Ayuso wrote: > [...] > > @@ -108,8 +111,15 @@ def run_test(iptables, rule, rule_save, res, filename, > > lineno): > > command = IPTABLES_SAVE > >

Re: [PATCH iptables] iptables-test: add -N option to exercise netns removal path

2018-10-19 Thread Phil Sutter
Hi, On Thu, Oct 18, 2018 at 08:33:07PM +0200, Pablo Neira Ayuso wrote: [...] > @@ -108,8 +111,15 @@ def run_test(iptables, rule, rule_save, res, filename, > lineno): > command = IPTABLES_SAVE > elif splitted[0] == IP6TABLES: > command = IP6TABLES_SAVE > + > +

Re: [PATCH libnftnl 4/4] src: Use memcpy() to handle potentially unaligned data

2018-10-18 Thread Matt Turner
On Thu, Oct 18, 2018 at 11:00 AM Pablo Neira Ayuso wrote: > > Hi! > > On Wed, Oct 17, 2018 at 12:32:54PM -0700, Matt Turner wrote: > > Rolf Eike Beer reported that nft-expr_quota-test fails > > with a SIGBUS on SPARC due to unaligned accesses. This patch resolves > > that and fixes additional

[PATCH iptables] iptables-test: add -N option to exercise netns removal path

2018-10-18 Thread Pablo Neira Ayuso
We are getting bug reports lately from the netns path, add a new option to exercise this path. Signed-off-by: Pablo Neira Ayuso --- This is crashing the kernel in a few spots, will retest with recent fixes to see if we are addressing all existing problems. iptables-test.py | 54

Re: [PATCH nft v2] doc: Document ct timeout support

2018-10-18 Thread Pablo Neira Ayuso
On Thu, Oct 18, 2018 at 11:42:20PM +0530, Harsha Sharma wrote: > Add documentation for creating ct timeout objects and assigning timeout > policies via rules. Applied, thanks Harsha.

[PATCH nft v2] doc: Document ct timeout support

2018-10-18 Thread Harsha Sharma
Add documentation for creating ct timeout objects and assigning timeout policies via rules. Signed-off-by: Harsha Sharma --- Changes in v2: - correct bold font for "ct timeout" title - update example script doc/libnftables-json.adoc | 52 ++---

Re: [PATCH libnftnl 3/4] tests: Remove test-script.sh

2018-10-18 Thread Pablo Neira Ayuso
On Wed, Oct 17, 2018 at 12:32:53PM -0700, Matt Turner wrote: > All tests are now run with make check. Applied, thanks.

Re: [PATCH libnftnl 2/4] tests: Run regression tests from make check

2018-10-18 Thread Pablo Neira Ayuso
On Wed, Oct 17, 2018 at 12:32:52PM -0700, Matt Turner wrote: > The existing test-script.sh does not check the return values of the > tests so it is not very good for automated testing. Also applied, thanks.

[PATCH nf] netfilter: xt_RATEEST: remove netns exit routine

2018-10-18 Thread Taehee Yoo
xt_rateest_net_exit() was added to check whether rules are flushed successfully. But the ->net_exit() callback is called earlier than the ->destroy() callback, so the ->net_exit() callback can't check that. test commands: %ip netns add vm1 %ip netns exec vm1 iptables -t mangle -I PREROUTING -p udp

[PATCH] netfilter: conntrack: fix cloned unconfirmed skb->_nfct race in __nf_conntrack_confirm

2018-10-18 Thread Chieh-Min Wang
From: Chieh-Min Wang For bridge(br_flood) or broadcast/multicast packets, they could clone skb with unconfirmed conntrack, which breaks the rule that unconfirmed skb->_nfct is never shared. With nfqueue running on my system, the race can be easily reproduced with the following warning calltrace:

[PATCH nf-next] netfilter: nfnetlink_log: remove empty nfnetlink_log.h header file

2018-10-18 Thread Taehee Yoo
/include/net/netfilter/nfnetlink_log.h file is empty. so that it can be removed. Signed-off-by: Taehee Yoo --- include/net/netfilter/nfnetlink_log.h | 1 - 1 file changed, 1 deletion(-) delete mode 100644 include/net/netfilter/nfnetlink_log.h diff --git a/include/net/netfilter/nfnetlink_log.h

Re: netfilter request for -stable 4.9.x inclusion

2018-10-18 Thread Greg Kroah-Hartman
On Wed, Oct 17, 2018 at 06:34:22PM +0200, Pablo Neira Ayuso wrote: > Hi Greg, > > Could you enqueue the following patch for -stable 4.9.x? > > commit ab6dd1beac7be3c17f8bf3d38bdf29ecb7293f1e > Author: Xin Long > Date: Thu Aug 10 10:22:24 2017 +0800 > > netfilter: check for seqadj ext

Re: [PATCH] netfilter: add grev6 conntrack support

2018-10-18 Thread Alin Năstac
Hi Pablo, On Thu, Oct 18, 2018 at 1:53 PM Pablo Neira Ayuso wrote: > > Hi Alin, > > On Thu, Oct 18, 2018 at 01:27:01PM +0200, Alin Nastac wrote: > > From: Alin Nastac > > > > nf_conntrack_proto_generic refuse to handle grev6 packets when > > NF_CT_PROTO_GRE is enabled, resulting in grev6

Re: [PATCH] netfilter: add grev6 conntrack support

2018-10-18 Thread Pablo Neira Ayuso
Hi Alin, On Thu, Oct 18, 2018 at 01:27:01PM +0200, Alin Nastac wrote: > From: Alin Nastac > > nf_conntrack_proto_generic refuse to handle grev6 packets when > NF_CT_PROTO_GRE is enabled, resulting in grev6 packets being > categorized as INVALID. IIRC, this depends on the pptp helper, right?

[PATCH] netfilter: conntrack: fix cloned skb __nf_conntrack_confirm race

2018-10-18 Thread chiehminw
From: Chieh-Min Wang For bridge or multicast packets, they could clone skb with unconfirmed conntrack, which breaks the rule that unconfirmed skb->nfct is never shared. With nfqueue running on my system, the race can be easily reproduced with the following warning calltrace: [13257.707525] CPU: 0

[PATCH] netfilter: add grev6 conntrack support

2018-10-18 Thread Alin Nastac
From: Alin Nastac nf_conntrack_proto_generic refuses to handle grev6 packets when NF_CT_PROTO_GRE is enabled, resulting in grev6 packets being categorized as INVALID. --- net/netfilter/nf_conntrack_proto_gre.c | 49 +- 1 file changed, 48 insertions(+), 1

Re: iptables (nf_tables) error when negating an interface and using protocol port - works fine with classic iptables

2018-10-18 Thread Pedretti Fabio
On Tue 9 Oct 2018 at 16:39 Florian Westphal wrote: > > Pedretti Fabio wrote: > > Hi, I tried iptables 1.8 with the new nf_tables back-end using the > > Debian 1.8.0-1~exp1 package with my firewall script. > > > > It seems to properly load most rules, however I am getting an

[PATCH] netfilter: conntrack: fix cloned skb __nf_conntrack_confirm race

2018-10-18 Thread Chieh-Min Wang
From: Chieh-Min Wang For bridge or multicast packets, they could clone skb with unconfirmed conntrack, which breaks the rule that unconfirmed skb->nfct is never shared. With nfqueue running on my system, the race can be easily reproduced with the following warning calltrace: [13257.707525] CPU: 0

[PATCH libnftnl 4/4] src: Use memcpy() to handle potentially unaligned data

2018-10-17 Thread Matt Turner
Rolf Eike Beer reported that nft-expr_quota-test fails with a SIGBUS on SPARC due to unaligned accesses. This patch resolves that and fixes additional sources of unaligned accesses matching the same pattern. Both nft-expr_quota-test and nft-expr_objref-test generated unaligned accesses on DEC

[PATCH libnftnl 1/4] tests: Execute nft-flowtable-test in test-script.sh

2018-10-17 Thread Matt Turner
Seems to have been forgotten in commit 4d472c225ba0 ("tests: add flowtable regression test") Signed-off-by: Matt Turner --- tests/test-script.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/test-script.sh b/tests/test-script.sh index 83dbda2..72eebbc 100755 ---

[PATCH libnftnl 2/4] tests: Run regression tests from make check

2018-10-17 Thread Matt Turner
The existing test-script.sh does not check the return values of the tests so it is not very good for automated testing. Signed-off-by: Matt Turner --- tests/Makefile.am | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/Makefile.am b/tests/Makefile.am index 556575f..ad493b5 100644 ---

netfilter request for -stable 4.9.x inclusion

2018-10-17 Thread Pablo Neira Ayuso
Hi Greg, Could you enqueue the following patch for -stable 4.9.x? commit ab6dd1beac7be3c17f8bf3d38bdf29ecb7293f1e Author: Xin Long Date: Thu Aug 10 10:22:24 2017 +0800 netfilter: check for seqadj ext existence before adding it in nf_nat_setup_info Cc'ing Laura, combining SNAT+DNAT+ftp

[PATCH nf-next] netfilter: remove unused udp.h header.

2018-10-17 Thread Weongyo Jeong
udp.h header isn't used at these files. So it's safe to remove. Signed-off-by: Weongyo Jeong --- net/ipv4/netfilter/ipt_CLUSTERIP.c | 1 - net/ipv4/netfilter/ipt_REJECT.c| 1 - 2 files changed, 2 deletions(-) diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c

[PATCH nf-next] netfilter: remove two unused variables.

2018-10-17 Thread Weongyo Jeong
nft_dup_netdev_ingress_ops and nft_fwd_netdev_ingress_ops variables are no longer used at the code. Signed-off-by: Weongyo Jeong --- net/netfilter/nft_dup_netdev.c | 2 -- net/netfilter/nft_fwd_netdev.c | 4 2 files changed, 6 deletions(-) diff --git a/net/netfilter/nft_dup_netdev.c

[PATCH nf-next] netfilter: x_tables: add missing comments

2018-10-17 Thread Hyejeong Jang
Comments about two member variables "family" and "nft_compat" are missing. So I added them. Signed-off-by: Hyejeong Jang --- include/linux/netfilter/x_tables.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h index

[PATCH nft,v2] evaluate: bogus bail out with raw expression from dynamic sets

2018-10-17 Thread Pablo Neira Ayuso
The following ruleset that uses raw expressions: table ip nftlb { map persistency { type inet_service : mark size 65535 timeout 1h elements = { 53 expires 59m55s864ms : 0x0064, 80 expires 59m58s924ms : 0x0065, 443

[PATCH nft] evaluate: bogus bail out with raw expression from dynamic sets

2018-10-17 Thread Pablo Neira Ayuso
The following ruleset that uses raw expressions: table ip nftlb { map persistency { type inet_service : mark size 65535 timeout 1h elements = { 53 expires 59m55s864ms : 0x0064, 80 expires 59m58s924ms : 0x0065, 443

Re: [PATCH nf-next] netfilter: nft_flow_offload: remove secpath check

2018-10-17 Thread Steffen Klassert
On Thu, Oct 11, 2018 at 11:45:40PM +0200, Pablo Neira Ayuso wrote: > It is safe to place a flow that is coming from IPSec into the flowtable. > So decapsulated can benefit from the flowtable fastpath. > > Signed-off-by: Pablo Neira Ayuso > Signed-off-by: Steffen Klassert > --- > I'm recovering

Re: [PATCH 1/2 nft v2] src: osf: add ttl option support

2018-10-17 Thread Fernando Fernandez Mancera
On 10/15/18 2:47 PM, Pablo Neira Ayuso wrote: Please send a v3 including tests/py. More comments below. On Sat, Sep 29, 2018 at 12:15:17PM +0200, Fernando Fernandez Mancera wrote: Add support for ttl option in "osf" expression. Example: table ip foo { chain bar {

Re: [PATCH nft] src: remove opts field from struct xt_stmt

2018-10-16 Thread Phil Sutter
On Tue, Oct 16, 2018 at 08:58:20PM +0200, Pablo Neira Ayuso wrote: > This is never used, ie. always NULL. > > Reported-by: Phil Sutter > Signed-off-by: Pablo Neira Ayuso Acked-by: Phil Sutter Thanks for clearing this up!

[PATCH nft] src: remove opts field from struct xt_stmt

2018-10-16 Thread Pablo Neira Ayuso
This is never used, ie. always NULL. Reported-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso --- include/statement.h | 1 - src/statement.c | 1 - src/xt.c| 8 ++-- 3 files changed, 2 insertions(+), 8 deletions(-) diff --git a/include/statement.h b/include/statement.h

[PATCH nf-next] netfilter: xt_quota: simplify quota logic, account for consumed bytes

2018-10-16 Thread Pablo Neira Ayuso
Store consumed bytes, instead of remaining bytes, this simplifies logic quite a bit. Cc: Chenbo Feng Cc: Maciej Żenczykowski Signed-off-by: Pablo Neira Ayuso --- Before merge window closes and it's too late to change semantics. include/uapi/linux/netfilter/xt_quota.h | 4 ++--

[nf-next:master 1/7] net/ipv4/netfilter/ipt_ECN.c:58:28: error: 'IPT_ECN_OP_SET_ECE' undeclared; did you mean 'IPT_ECN_OP_MATCH_ECE'?

2018-10-16 Thread kbuild test robot
tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master head: 60dd57bba519ab75277df610d5d245ed3af3c57c commit: 25038aaf0cbf7639a18f80aeddb325811aff23c3 [1/7] UAPI: netfilter: Fix symbol collision issues [ver #2] config: m68k-mvme16x_defconfig (attached as .config)

Re: [PATCH libnftables] src: remove json support

2018-10-15 Thread Pablo Neira Ayuso
On Mon, Oct 15, 2018 at 05:18:48PM +0200, Phil Sutter wrote: > Hey, > > On Mon, Oct 15, 2018 at 04:45:38PM +0200, Pablo Neira Ayuso wrote: > > On Mon, Oct 15, 2018 at 02:34:21PM +0200, Pablo Neira Ayuso wrote: > > > On Mon, Oct 15, 2018 at 02:08:07PM +0200, Phil Sutter wrote: > > > > On Mon, Oct

Re: [PATCH libnftables] src: remove json support

2018-10-15 Thread Phil Sutter
Hey, On Mon, Oct 15, 2018 at 04:45:38PM +0200, Pablo Neira Ayuso wrote: > On Mon, Oct 15, 2018 at 02:34:21PM +0200, Pablo Neira Ayuso wrote: > > On Mon, Oct 15, 2018 at 02:08:07PM +0200, Phil Sutter wrote: > > > On Mon, Oct 15, 2018 at 01:29:52PM +0200, Pablo Neira Ayuso wrote: > > > > Subject:

Re: [PATCH libnftables] src: remove json support

2018-10-15 Thread Pablo Neira Ayuso
On Mon, Oct 15, 2018 at 02:34:21PM +0200, Pablo Neira Ayuso wrote: > On Mon, Oct 15, 2018 at 02:08:07PM +0200, Phil Sutter wrote: > > On Mon, Oct 15, 2018 at 01:29:52PM +0200, Pablo Neira Ayuso wrote: > > > Subject: [PATCH libnftables] src: remove json support > > ~~~ > >

Re: [PATCH 1/2 nft v2] src: osf: add ttl option support

2018-10-15 Thread Pablo Neira Ayuso
Please send a v3 including tests/py. More comments below. On Sat, Sep 29, 2018 at 12:15:17PM +0200, Fernando Fernandez Mancera wrote: > Add support for ttl option in "osf" expression. Example: > > table ip foo { > chain bar { > type filter hook input priority filter; policy

Re: [PATCH nf-next] netfilter: nf_nat_snmp_basic: add missing helper alias name

2018-10-15 Thread Pablo Neira Ayuso
On Sun, Oct 07, 2018 at 12:17:07AM +0900, Taehee Yoo wrote: > In order to upload helper module automatically, helper alias name > is needed, so MODULE_ALIAS_NFCT_HELPER() should be added. > And unlike other nat helper modules, the nf_nat_snmp_basic can be > used independently. > helper name

Re: [PATCH libnftables] src: remove json support

2018-10-15 Thread Pablo Neira Ayuso
On Mon, Oct 15, 2018 at 02:08:07PM +0200, Phil Sutter wrote: > On Mon, Oct 15, 2018 at 01:29:52PM +0200, Pablo Neira Ayuso wrote: > > Subject: [PATCH libnftables] src: remove json support > ~~~ > > This is libnftnl, right? :) > > Apart from that: > > Acked-by: Phil

Re: [PATCH] nftables: add support for setting secmark

2018-10-15 Thread Pablo Neira Ayuso
On Thu, Sep 20, 2018 at 09:43:22AM +0200, Christian Göttsche wrote: > Add support for new nft object secmark holding security context strings. > > The following should demonstrate its usage (based on SELinux context): > > # define a tag containing a context string > nft add secmark inet

Re: [nft PATCH] json: Fix memleak in dup_stmt_json()

2018-10-15 Thread Pablo Neira Ayuso
On Fri, Oct 12, 2018 at 05:50:15PM +0200, Phil Sutter wrote: > The variable 'root' is always assigned to after initialization, so there > is no point in initializing it upon declaration. Applied, thanks.

Re: [nft PATCH] parser_json: Fix for ineffective family value checks

2018-10-15 Thread Pablo Neira Ayuso
On Fri, Oct 12, 2018 at 05:23:24PM +0200, Phil Sutter wrote: > Since handle->family is unsigned, checking for value < 0 never yields > true. Overcome this by changing parse_family() to return an error code > and write the parsed family value into a pointer passed as parameter. > > The above

Re: [nft PATCH] Fix memleak in netlink_parse_fwd() error path

2018-10-15 Thread Pablo Neira Ayuso
On Fri, Oct 12, 2018 at 12:54:09PM +0200, Phil Sutter wrote: > Make sure allocated 'stmt' is freed before returning to caller. Applied, thanks.

Re: [nft PATCH] libnftables: Fix memleak in nft_parse_bison_filename()

2018-10-15 Thread Pablo Neira Ayuso
On Fri, Oct 12, 2018 at 01:22:55PM +0200, Phil Sutter wrote: > Allocated scanner object leaks when returning to caller. For some odd > reason, this was missed by the commit referenced below. Applied, thanks.

Re: [nft PATCH 0/8] monitor: Use libnftables for JSON output

2018-10-15 Thread Pablo Neira Ayuso
On Thu, Oct 11, 2018 at 05:48:53PM +0200, Phil Sutter wrote: > This series essentially moves nft monitor JSON output to libnftables (in > patch 7). Patch 8 enhances tests/monitor to get that tested as well (via > passing '-j' parameter to run-tests.sh). The leading six patches are > more or less

Re: [PATCH libnftables] src: remove json support

2018-10-15 Thread Phil Sutter
On Mon, Oct 15, 2018 at 01:29:52PM +0200, Pablo Neira Ayuso wrote: > Subject: [PATCH libnftables] src: remove json support ~~~ This is libnftnl, right? :) Apart from that: Acked-by: Phil Sutter Cheers, Phil

Re: [PATCH libnftnl] expr: osf: add ttl option support

2018-10-15 Thread Pablo Neira Ayuso
Applied, thanks.

Re: [PATCH nf-next] netfilter: nf_tables: xfrm: use state family, not hook one

2018-10-15 Thread Pablo Neira Ayuso
On Wed, Oct 10, 2018 at 05:25:47PM +0200, Florian Westphal wrote: > Eyal says: > doesn't the use of nft_pf(pkt) in this context limit the matching of > encapsulated packets to the same family? > > IIUC when an e.g. IPv6-in-IPv4 packet is matched, the nft_pf(pkt) will > be the decapsulated

Re: [iptables PATCH] xtables: Remove target_maxnamelen field

2018-10-15 Thread Pablo Neira Ayuso
On Thu, Oct 11, 2018 at 01:30:38PM +0200, Phil Sutter wrote: > This is a partial revert of commit 9f075031a1973 ("Combine > parse_target() and command_jump() implementations"): Upstream prefers to > reduce max chain name length of arptables by two characters instead of > the introduced struct

[PATCH nf v2 3/3] netfilter: ipt_CLUSTERIP: fix sleep-in-atomic bug in clusterip_config_entry_put()

2018-10-14 Thread Taehee Yoo
A proc_remove() can sleep, so it can't be inside of spin_lock. Hence proc_remove() is moved to outside of spin_lock. It also adds a mutex to sync create and remove of proc entry (config->pde). test commands: SHELL#1 %while :; do iptables -A INPUT -p udp -i enp2s0 -d 192.168.1.100 \
