[PATCH nf v2 0/3] netfilter: ipt_CLUSTERIP: fix bugs in ipt_CLUSTERIP

2018-10-14 Thread Taehee Yoo
This patchset fixes bugs in ipt_CLUSTERIP. The first patch fixes a deadlock when a netns is destroyed. When a netns is destroyed, cleanup_net() is called. That function calls the ->exit callback of pernet_ops. The ->exit callback of ipt_CLUSTERIP holds the same lock as cleanup_net(), so a deadlock occurs.

[PATCH nf v2 1/3] netfilter: ipt_CLUSTERIP: fix deadlock in netns exit routine

2018-10-14 Thread Taehee Yoo
When a network namespace is destroyed, cleanup_net() is called. cleanup_net() holds pernet_ops_rwsem, then calls each ->exit callback, so clusterip_tg_destroy() is called by cleanup_net(). And clusterip_tg_destroy() calls unregister_netdevice_notifier(). But both cleanup_net() and

[PATCH nf v2 2/3] netfilter: ipt_CLUSTERIP: remove wrong WARN_ON_ONCE in netns exit routine

2018-10-14 Thread Taehee Yoo
When a network namespace is destroyed, both clusterip_tg_destroy() and clusterip_net_exit() are called, and clusterip_net_exit() is called before clusterip_tg_destroy(). Hence the cleanup check code in clusterip_net_exit() doesn't make sense. test commands: %ip netns add vm1 %ip netns exec vm1

[nft PATCH] xt: Fix for covscan warning in xt_stmt_xlate()

2018-10-12 Thread Phil Sutter
This does not fix a real issue; the target or match field should never be NULL. Also, I can't find a place where the opts field is being assigned to. Still, covscan sees the NULL check and assumes that if the target or match field is NULL *and* the opts field is NULL as well, code ends up dereferencing the NULL

[nft PATCH] json: Fix memleak in dup_stmt_json()

2018-10-12 Thread Phil Sutter
The variable 'root' is always assigned to after initialization, so there is no point in initializing it upon declaration. Fixes: e70354f53e9f6 ("libnftables: Implement JSON output support") Signed-off-by: Phil Sutter --- src/json.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff

[nft PATCH] parser_json: Fix for ineffective family value checks

2018-10-12 Thread Phil Sutter
Since handle->family is unsigned, checking for value < 0 never yields true. Overcome this by changing parse_family() to return an error code and write the parsed family value into a pointer passed as parameter. The above change required a bit more cleanup to avoid passing pointers to signed
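Added example, not nftables code: a constructed C model of the unsigned-versus-negative-return mismatch the patch describes, beside the out-pointer shape it switches to. The family numbers mirror the NFPROTO_* values, but struct handle, parse_family() and the load_* helpers are hypothetical stand-ins.

```c
#include <limits.h>
#include <stdbool.h>
#include <string.h>

/*
 * Constructed example (not nftables code): the family values mirror the
 * NFPROTO_* numbers, but struct handle, parse_family() and the load_*
 * helpers are hypothetical stand-ins for the code the patch touches.
 */
enum { FAMILY_INET = 1, FAMILY_IP = 2, FAMILY_ARP = 3, FAMILY_IP6 = 10 };

struct handle {
	unsigned int family;	/* unsigned, as in the real struct handle */
};

/* Table of accepted family keywords. */
static const struct { const char *name; unsigned int value; } families[] = {
	{ "inet", FAMILY_INET }, { "ip", FAMILY_IP },
	{ "arp", FAMILY_ARP },   { "ip6", FAMILY_IP6 },
};

/* Buggy shape: -1 signals "unknown family" through the return value ... */
static int parse_family_buggy(const char *name)
{
	for (size_t i = 0; i < sizeof(families) / sizeof(families[0]); i++)
		if (!strcmp(name, families[i].name))
			return (int)families[i].value;
	return -1;
}

/* ... but the caller stores it in an unsigned field, so the < 0 test can
 * never fire: -1 becomes UINT_MAX and the bogus family is accepted. */
static bool load_family_buggy(struct handle *h, const char *name)
{
	h->family = parse_family_buggy(name);
	if (h->family < 0)	/* always false for unsigned (gcc: -Wtype-limits) */
		return false;
	return true;
}

/* Fixed shape: the return value carries only the error code and the parsed
 * family goes out through a pointer of the right type. */
static int parse_family(const char *name, unsigned int *family)
{
	for (size_t i = 0; i < sizeof(families) / sizeof(families[0]); i++) {
		if (!strcmp(name, families[i].name)) {
			*family = families[i].value;
			return 0;
		}
	}
	return -1;
}

static bool load_family(struct handle *h, const char *name)
{
	unsigned int family;

	if (parse_family(name, &family) < 0)
		return false;	/* rejected before anything is written to h */
	h->family = family;
	return true;
}

/* What each path leaves in a fresh handle, for checking the two shapes. */
static unsigned int buggy_family_for(const char *name)
{
	struct handle h = { 0 };

	load_family_buggy(&h, name);	/* always "succeeds" */
	return h.family;
}

static long fixed_family_for(const char *name)
{
	struct handle h = { 0 };

	return load_family(&h, name) ? (long)h.family : -1L;
}
```

Compiling the buggy variant with -Wextra prints the "comparison of unsigned expression < 0 is always false" warning that covscan-style tools also flag; the fixed variant has nothing of that kind to warn about because the error never touches the unsigned field.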

[nft PATCH] libnftables: Fix memleak in nft_parse_bison_filename()

2018-10-12 Thread Phil Sutter
Allocated scanner object leaks when returning to caller. For some odd reason, this was missed by the commit referenced below. Fixes: bd82e03e15df8 ("libnftables: Move scanner object into struct nft_ctx") Signed-off-by: Phil Sutter --- src/libnftables.c | 7 +++ 1 file changed, 3

[nft PATCH] Fix memleak in netlink_parse_fwd() error path

2018-10-12 Thread Phil Sutter
Make sure allocated 'stmt' is freed before returning to caller. Fixes: 30d45266bf38b ("expr: extend fwd statement to support address and family") Signed-off-by: Phil Sutter --- src/netlink_delinearize.c | 13 - 1 file changed, 8 insertions(+), 5 deletions(-) diff --git

[PATCH nf-next] netfilter: nft_flow_offload: remove secpath check

2018-10-11 Thread Pablo Neira Ayuso
It is safe to place a flow that is coming from IPsec into the flowtable, so decapsulated traffic can benefit from the flowtable fastpath. Signed-off-by: Pablo Neira Ayuso Signed-off-by: Steffen Klassert --- I'm recovering this patch; this enables faster flowtable forwarding from ingress. Florian has

[PATCH nf v2] netfilter: nf_flow_table: do not remove offload when other netns's interface is down

2018-10-11 Thread Taehee Yoo
When an interface is down, the offload cleanup function (nf_flow_table_do_cleanup) is called and checks whether the interface index of the offload and the index of the link-down interface are the same. But interface index checking alone is not enough because the flowtable is not a pernet list. So, if another netns's

[PATCH nf-next] netfilter: nf_flow_table: remove unnecessary parameter of nf_flow_table_cleanup()

2018-10-11 Thread Taehee Yoo
The net parameter of nf_flow_table_cleanup() is not used, so it can be removed. Signed-off-by: Taehee Yoo --- include/net/netfilter/nf_flow_table.h | 2 +- net/netfilter/nf_flow_table_core.c| 2 +- net/netfilter/nft_flow_offload.c | 2 +- 3 files changed, 3 insertions(+), 3

[nft PATCH 1/8] tests/py: Add missing JSON bits for inet/meta.t

2018-10-11 Thread Phil Sutter
Those were forgotten when renaming meta secpath to meta ipsec. Fixes: 8f55ed41d0070 ("src: rename meta secpath to meta ipsec") Signed-off-by: Phil Sutter --- tests/py/inet/meta.t.json| 8 +--- tests/py/inet/meta.t.json.output | 15 +++ 2 files changed, 20 insertions(+),

[nft PATCH 6/8] monitor: Fix printing of ct objects

2018-10-11 Thread Phil Sutter
Monitor output is supposed to be single-line without tabs, but ct objects were printed with newlines and tabs hard-coded. Fixing this wasn't too hard given that there is 'stmt_separator' to also include semi-colons where required if the newline was removed. A more obvious mistake was the position of

[nft PATCH 0/8] monitor: Use libnftables for JSON output

2018-10-11 Thread Phil Sutter
This series essentially moves nft monitor JSON output to libnftables (in patch 7). Patch 8 enhances tests/monitor to get that tested as well (via passing '-j' parameter to run-tests.sh). The leading six patches are more or less prerequisites for the later ones. Phil Sutter (8): tests/py: Add

[nft PATCH 7/8] monitor: Use libnftables JSON output

2018-10-11 Thread Phil Sutter
This switches 'nft monitor' JSON output from using libnftnl's to libnftables' implementation. Signed-off-by: Phil Sutter --- include/json.h | 51 + src/json.c | 57 ++ src/monitor.c | 281 + src/rule.c | 2 - 4 files

[nft PATCH 4/8] monitor: Drop fake XML support

2018-10-11 Thread Phil Sutter
Since libnftnl doesn't support XML formatting, pretending to do so in nft monitor is pointless. Signed-off-by: Phil Sutter --- src/monitor.c | 6 -- 1 file changed, 6 deletions(-) diff --git a/src/monitor.c b/src/monitor.c index 4310c3b8dc434..d75410888e3d0 100644 --- a/src/monitor.c +++

[nft PATCH 3/8] json: Add ct timeout support

2018-10-11 Thread Phil Sutter
Add support for printing and parsing ct timeout objects to JSON API. Signed-off-by: Phil Sutter --- src/json.c | 29 ++ src/parser_json.c | 82 +- tests/py/ip/objects.t.json | 7 3 files changed, 117 insertions(+), 1

[nft PATCH 8/8] tests: monitor: Test JSON output as well

2018-10-11 Thread Phil Sutter
Enhance the monitor test suite to check JSON output as well. Note that for now there is no support for --echo output testing with JSON. Signed-off-by: Phil Sutter --- tests/monitor/README | 27 +++- tests/monitor/run-tests.sh | 45

[nft PATCH 2/8] json: Drop unused symbolic_constant_json() stub

2018-10-11 Thread Phil Sutter
This seems like a left-over from day 1: Said function is static in json.c, so there is no point in providing a stub when compiling with JSON disabled. Signed-off-by: Phil Sutter --- include/json.h | 6 -- 1 file changed, 6 deletions(-) diff --git a/include/json.h b/include/json.h index

Re: spinlock'ing of "struct nf_conn"->custom_buffer_ptr within xt_match.match callback

2018-10-11 Thread Florian Westphal
Oleh Danilovskyi wrote: > I have implemented a custom extension for conntrack. It is basically an > extra pointer which resides in "struct nf_conn". > The pointer references a slab buffer and it is used/modified in a custom > netfilter match extension. > I'm not sure whether it is possible that

spinlock'ing of "struct nf_conn"->custom_buffer_ptr within xt_match.match callback

2018-10-11 Thread Oleh Danilovskyi
I have implemented a custom extension for conntrack. It is basically an extra pointer which resides in "struct nf_conn". The pointer references a slab buffer and it is used/modified in a custom netfilter match extension. I'm not sure whether it is possible that different skbs with the same nf_conn can

Re: [PATCH nf 2/2] netfilter: xt_TEE: add missing code to get interface index in checkentry.

2018-10-11 Thread Taehee Yoo
On Thu, 11 Oct 2018 at 19:17, Pablo Neira Ayuso wrote: Hi Pablo, > On Wed, Oct 10, 2018 at 07:56:18PM +0200, Pablo Neira Ayuso wrote: > > On Sun, Oct 07, 2018 at 12:09:32AM +0900, Taehee Yoo wrote: > > > checkentry(tee_tg_check) should initialize priv->oif from dev if possible. > > > But only

[iptables PATCH] xtables: Remove target_maxnamelen field

2018-10-11 Thread Phil Sutter
This is a partial revert of commit 9f075031a1973 ("Combine parse_target() and command_jump() implementations"): Upstream prefers to reduce max chain name length of arptables by two characters instead of the introduced struct xtables_globals field which requires to bump library API version. Fixes:

Re: [PATCH nf] netfilter: nf_flow_table: do not remove offload when other netns's interface is down

2018-10-11 Thread Taehee Yoo
On Thu, 11 Oct 2018 at 03:09, Pablo Neira Ayuso wrote: Hi Pablo, thank you for the review! > On Tue, Oct 09, 2018 at 02:59:48AM +0900, Taehee Yoo wrote: > > When interface is down, offload cleanup function(nf_flow_table_do_cleanup) > > is called and that checks whether interface index of offload

Re: [PATCH nf 1/2] netfilter: ipt_CLUSTERIP: fix deadlock in netns exit routine

2018-10-11 Thread Taehee Yoo
On Thu, 11 Oct 2018 at 02:32, Pablo Neira Ayuso wrote: Hi Pablo, thank you for the review! > On Sat, Oct 06, 2018 at 01:42:42AM +0900, Taehee Yoo wrote: > > diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c > > b/net/ipv4/netfilter/ipt_CLUSTERIP.c > > index 2c8d313ae216..6ccabe6f74a6 100644 > >

Re: [PATCH nf-next v4] nft_osf: Add ttl option support

2018-10-11 Thread Pablo Neira Ayuso
On Wed, Oct 10, 2018 at 09:57:13AM +0200, Fernando Fernandez Mancera wrote: > Add ttl option support to the nftables "osf" expression. Applied, thanks. I have mangled the patch to: netfilter: nft_osf: usage from output path is not valid This was never meant to work there actually, to make

Re: [PATCH nf 1/2] netfilter: xt_TEE: fix wrong interface selection

2018-10-11 Thread Pablo Neira Ayuso
On Sun, Oct 07, 2018 at 12:09:18AM +0900, Taehee Yoo wrote: > The TEE netdevice notifier handler checks only the interface name. However, > each netns can have the same interface name; hence another netns's interface > could be selected. > > test commands: >%ip netns add vm1 >%iptables -I INPUT -p icmp

Re: [PATCH nf 2/2] netfilter: xt_TEE: add missing code to get interface index in checkentry.

2018-10-11 Thread Pablo Neira Ayuso
On Wed, Oct 10, 2018 at 07:56:18PM +0200, Pablo Neira Ayuso wrote: > On Sun, Oct 07, 2018 at 12:09:32AM +0900, Taehee Yoo wrote: > > checkentry(tee_tg_check) should initialize priv->oif from dev if possible. > > But only netdevice notifier handler can set that. > > Hence priv->oif is always -1

[PATCH nf-next,v2] netfilter: nft_compat: do not dump private area

2018-10-11 Thread Pablo Neira Ayuso
Zero pad the private area, otherwise we expose a private kernel pointer to userspace. This patch also zeroes the tail area after the ->matchsize and ->targetsize that results from XT_ALIGN(). Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables") Reported-by: Florian

[PATCH nf-next] netfilter: xt_osf: simplify xt_osf_match_packet()

2018-10-11 Thread Pablo Neira Ayuso
The info area in match is always available; also remove unneeded variables. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/xt_osf.c | 8 +--- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c index bf7bba80e24c..7a103553d10d 100644

Re: [PATCH nf] netfilter: nf_flow_table: do not remove offload when other netns's interface is down

2018-10-10 Thread Pablo Neira Ayuso
On Tue, Oct 09, 2018 at 02:59:48AM +0900, Taehee Yoo wrote: > When interface is down, offload cleanup function(nf_flow_table_do_cleanup) > is called and that checks whether interface index of offload and > index of link down interface is same. but only interface index checking > is not enough

Re: [PATCH nf 2/2] netfilter: xt_TEE: add missing code to get interface index in checkentry.

2018-10-10 Thread Pablo Neira Ayuso
On Sun, Oct 07, 2018 at 12:09:32AM +0900, Taehee Yoo wrote: > checkentry(tee_tg_check) should initialize priv->oif from dev if possible. > But only netdevice notifier handler can set that. > Hence priv->oif is always -1 until notifier handler is called. > > Fixes: 22265a5c3c10 ("netfilter:

Re: [PATCH nf 1/2] netfilter: ipt_CLUSTERIP: fix deadlock in netns exit routine

2018-10-10 Thread Pablo Neira Ayuso
On Sat, Oct 06, 2018 at 01:42:42AM +0900, Taehee Yoo wrote: > diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c > b/net/ipv4/netfilter/ipt_CLUSTERIP.c > index 2c8d313ae216..6ccabe6f74a6 100644 > --- a/net/ipv4/netfilter/ipt_CLUSTERIP.c > +++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c > @@ -59,7 +59,6 @@

[PATCH nft] segtree: set proper error cause on existing elements

2018-10-10 Thread Pablo Neira Ayuso
Adding new elements results in a confusing "Success" error message.

 # nft add element x y { 0-3 }
 Error: interval overlaps with an existing one
 add element x y { 0-3 }
                   ^^^
 Error: Could not process rule: Success
 add element x y { 0-3 }

[PATCH nf-next] netfilter: nf_tables: xfrm: use state family, not hook one

2018-10-10 Thread Florian Westphal
Eyal says: doesn't the use of nft_pf(pkt) in this context limit the matching of encapsulated packets to the same family? IIUC when an e.g. IPv6-in-IPv4 packet is matched, the nft_pf(pkt) will be the decapsulated packet family - IPv6 - whereas the state may be IPv4. So this check would

[PATCH nft] segtree: incorrect handling of last element in get_set_decompose()

2018-10-10 Thread Pablo Neira Ayuso
Add range to the list of matching elements. Fixes: 95629758a5ec ("segtree: bogus range via get set element on existing elements") Signed-off-by: Pablo Neira Ayuso --- src/segtree.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/segtree.c b/src/segtree.c index

[PATCH nft 2/3] src: remove netlink_flush_table()

2018-10-10 Thread Pablo Neira Ayuso
Just a simple wrapper function, replace it by direct call to mnl_nft_rule_del(). Signed-off-by: Pablo Neira Ayuso --- include/netlink.h | 1 - src/netlink.c | 10 -- src/rule.c| 2 +- 3 files changed, 1 insertion(+), 12 deletions(-) diff --git a/include/netlink.h

[PATCH nft 1/3] mnl: remove alloc_nftnl_set()

2018-10-10 Thread Pablo Neira Ayuso
We can remove alloc_nftnl_set() and consolidate infrastructure in the src/mnl.c file. Signed-off-by: Pablo Neira Ayuso --- include/mnl.h | 18 +++-- include/netlink.h | 14 ++-- src/mnl.c | 192 ++ src/netlink.c | 176

[PATCH nft 3/3] src: remove netlink_flush_chain()

2018-10-10 Thread Pablo Neira Ayuso
Signed-off-by: Pablo Neira Ayuso --- include/netlink.h | 1 - src/netlink.c | 5 - src/rule.c| 3 +-- 3 files changed, 1 insertion(+), 8 deletions(-) diff --git a/include/netlink.h b/include/netlink.h index e27d75ead855..b7e2232f4bd9 100644 --- a/include/netlink.h +++

Charity donation in the amount of € 2,000,000.00

2018-10-10 Thread cinthia_reyes
Dear friend, I am Mr. Tayeb Souami, New Jersey, United States of America, the mega winner of $315 million in the Mega Millions jackpot; I am donating to 5 random people. If you receive this e-mail, then your e-mail was selected by a spin-ball. I have the largest

[PATCH nft] mnl: remove alloc_nftnl_rule()

2018-10-10 Thread Pablo Neira Ayuso
We can remove alloc_nftnl_rule() and consolidate infrastructure in the src/mnl.c file. Signed-off-by: Pablo Neira Ayuso --- include/mnl.h | 11 --- include/netlink.h | 9 -- src/mnl.c | 90 --- src/netlink.c | 76

Re: [iptables] extensions: Add tests and description for xt_quota module

2018-10-10 Thread Pablo Neira Ayuso
On Tue, Oct 09, 2018 at 04:47:20PM -0700, Maciej Żenczykowski wrote: > Ah, yes, the (2**64 - 1) + 1 problem. > > The fact max allowed remaining is (2**64 - 2) is perhaps surprising... > should we clamp? or warn? > > userspace has: > if (cb->entry->id == O_REMAIN) info->remain++; > should this

Re: [iptables] extensions: Add tests and description for xt_quota module

2018-10-10 Thread Pablo Neira Ayuso
On Tue, Oct 09, 2018 at 04:14:40PM -0700, Chenbo Feng wrote: > From: Chenbo Feng > > Introduces some iptables tests for the new --remain option in xt_quota > module. Add a brief description for how to use the --remain option in > the iptables-extension man page. Applied, thanks Chenbo.

[PATCH nf-next v4] nft_osf: Add ttl option support

2018-10-10 Thread Fernando Fernandez Mancera
Add ttl option support to the nftables "osf" expression. Signed-off-by: Fernando Fernandez Mancera --- v1: initial patch v2: code correctness and fix the "~" typo. v3: make priv->ttl = ttl; optional and priv->ttl default value is now 0. v4: delete "if (ttl_check != -1)" branch ---

[PATCH nf] netfilter: nft_osf: output hook is not valid anymore

2018-10-10 Thread Fernando Fernandez Mancera
nft_osf no longer supports "output" hook as xt_osf doesn't either. Fixes: b96af92d6eaf ("netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf") Signed-off-by: Fernando Fernandez Mancera --- net/netfilter/nft_osf.c | 10 ++ 1 file changed, 10 insertions(+) diff

Re: [iptables] extensions: Add tests and description for xt_quota module

2018-10-09 Thread Maciej Żenczykowski
Ah, yes, the (2**64 - 1) + 1 problem. The fact max allowed remaining is (2**64 - 2) is perhaps surprising... should we clamp? or warn? userspace has: if (cb->entry->id == O_REMAIN) info->remain++; should this error out in userspace if we end up at zero? +-m quota --quota 18446744073709551615

[iptables] extensions: Add tests and description for xt_quota module

2018-10-09 Thread Chenbo Feng
From: Chenbo Feng Introduces some iptables tests for the new --remain option in xt_quota module. Add a brief description for how to use the --remain option in the iptables-extension man page. Signed-off-by: Chenbo Feng --- extensions/libxt_quota.man | 4 extensions/libxt_quota.t | 11

[PATCH nf] netfilter: nft_compat: do not dump private area

2018-10-09 Thread Pablo Neira Ayuso
Zero pad the private area, otherwise we expose a private kernel pointer to userspace. This patch also zeroes the tail area after the ->matchsize and ->targetsize that results from XT_ALIGN(). Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables") Signed-off-by: Pablo Neira
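Added example for the v1 and nf-next v2 "do not dump private area" patches; this is constructed C, not the kernel's nft_compat or x_tables code. It models, in user space, what a netlink dump hands out when the XT_ALIGN()ed match info is copied verbatim, beside the zero-then-copy shape. XT_ALIGN() is assumed to round up to 8 bytes, and the 12-byte info layout (4 user-configured bytes followed by an 8-byte kernel-private pointer) is hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Constructed example, not the kernel's nft_compat or x_tables code.
 * Assumptions: XT_ALIGN() rounds up to 8 bytes (the alignment of
 * struct _xt_align on common 64-bit targets), and the match info is a
 * hypothetical 12-byte layout: 4 bytes configured from userspace, then an
 * 8-byte pointer the module keeps for itself.
 */
#define XT_ALIGN(s)	(((s) + 7UL) & ~7UL)

#define USERSIZE	4				/* bytes userspace may see */
#define MATCHSIZE	(USERSIZE + sizeof(uint64_t))	/* ->matchsize */
#define DUMPSIZE	XT_ALIGN(MATCHSIZE)		/* bytes put in the attribute */

/* Fill a kernel-side info area the way the module would leave it. */
static void make_kernel_info(unsigned char *info)
{
	uint64_t kptr = 0xffff8880deadbeefULL;	/* constructed "kernel pointer" */
	const unsigned char *p = (const unsigned char *)&kptr;

	memset(info, 0xAB, USERSIZE);			/* user-configured part */
	memcpy(info + USERSIZE, &kptr, sizeof(kptr));	/* kernel-private pointer */
	/* The XT_ALIGN() tail is never written by the module, so it keeps
	 * whatever the allocation held; model that with more pointer bytes. */
	for (size_t i = MATCHSIZE; i < DUMPSIZE; i++)
		info[i] = p[(i - MATCHSIZE) % sizeof(kptr)];
}

/* Before the fix: the whole aligned area goes out as-is. */
static size_t dump_info_leaky(const unsigned char *info, unsigned char *out)
{
	memcpy(out, info, DUMPSIZE);
	return DUMPSIZE;
}

/* After the fix: zero the aligned area, then copy only the userspace-visible
 * bytes, so the pointer and the alignment tail both go out as zero padding. */
static size_t dump_info_fixed(const unsigned char *info, unsigned char *out)
{
	memset(out, 0, DUMPSIZE);
	memcpy(out, info, USERSIZE);
	return DUMPSIZE;
}

/* What a userspace listing observes beyond the configured bytes. */
static size_t nonzero_bytes_after_user_part(const unsigned char *out, size_t len)
{
	size_t n = 0;

	for (size_t i = USERSIZE; i < len; i++)
		n += out[i] != 0;
	return n;
}

/* Run one of the two dump paths over the constructed area. */
static size_t leaked_bytes(int fixed)
{
	unsigned char info[DUMPSIZE], out[DUMPSIZE];
	size_t len;

	make_kernel_info(info);
	len = fixed ? dump_info_fixed(info, out) : dump_info_leaky(info, out);
	return nonzero_bytes_after_user_part(out, len);
}
```

The leaky path exposes twelve bytes beyond the user part: the eight pointer bytes plus the four padding bytes XT_ALIGN() added, which is exactly the combination the commit message lists (private area plus alignment tail). The fixed path exposes none, and the attribute length stays the same, so userspace parsers see no difference in framing.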

[PATCH iptables] extensions: cgroup: fix option parsing for v2

2018-10-09 Thread Pablo Neira Ayuso
Structure layout is different, therefore a new struct xt_option_entry is needed. Fixes: f9efc8cb79c0 ("extensions: add cgroup revision 2") Signed-off-by: Pablo Neira Ayuso --- extensions/libxt_cgroup.c | 20 +++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git

Re: iptables (nf_tables) error when negating an interface and using protocol port - works fine with classic iptables

2018-10-09 Thread Florian Westphal
Pedretti Fabio wrote: > Hi, I tried iptables 1.8 with the new nf_tables back-end using the > Debian 1.8.0-1~exp1 package with my firewall script. > > It seems to properly load most rules, however I am getting an error > when negating an interface and using protocol ports, which works fine > with

iptables (nf_tables) error when negating an interface and using protocol port - works fine with classic iptables

2018-10-09 Thread Pedretti Fabio
Hi, I tried iptables 1.8 with the new nf_tables back-end using the Debian 1.8.0-1~exp1 package with my firewall script. It seems to properly load most rules, however I am getting an error when negating an interface and using protocol ports, which works fine with classic iptables. Specifically

Re: [PATCH nf-next] netfilter: nf_flow_table: remove flowtable hook flush routine in netns exit routine

2018-10-09 Thread Taehee Yoo
On Tue, 9 Oct 2018 at 08:19, Pablo Neira Ayuso wrote: > Hi Taehee, Hi Pablo, thank you for your review! > I can reproduce it, so this is a bug :-). Still one question below: > > On Tue, Oct 02, 2018 at 02:17:14AM +0900, Taehee Yoo wrote: > [...] > > diff --git

Re: [PATCH nf-next] netfilter: nf_flow_table: remove flowtable hook flush routine in netns exit routine

2018-10-08 Thread Pablo Neira Ayuso
Hi Taehee, I can reproduce it, so this is a bug :-). Still one question below: On Tue, Oct 02, 2018 at 02:17:14AM +0900, Taehee Yoo wrote: [...] > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c > index f0159eea2978..42487d01a3ed 100644 > ---

Re: [PATCH] nftables: add support for setting secmark

2018-10-08 Thread Pablo Neira Ayuso
On Thu, Sep 20, 2018 at 09:43:22AM +0200, Christian Göttsche wrote: > Add support for new nft object secmark holding security context strings. > > The following should demonstrate its usage (based on SELinux context): > > # define a tag containing a context string > nft add secmark inet

Re: [PATCH nf-next v3] nft_osf: Add ttl option support

2018-10-08 Thread Pablo Neira Ayuso
On Thu, Oct 04, 2018 at 02:17:53PM +0200, Fernando Fernandez Mancera wrote: > On 10/4/18 2:03 PM, Pablo Neira Ayuso wrote: > > On Thu, Oct 04, 2018 at 01:57:17PM +0200, Fernando Fernandez Mancera wrote: > > [...] > > > diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c > >

[PATCH nf] netfilter: nf_flow_table: do not remove offload when other netns's interface is down

2018-10-08 Thread Taehee Yoo
When an interface is down, the offload cleanup function (nf_flow_table_do_cleanup) is called and checks whether the interface index of the offload and the index of the link-down interface are the same. But interface index checking alone is not enough because the flowtable is not a pernet list. So, if another netns's

[PATCH nf-next] netfilter: nf_nat_snmp_basic: add missing helper alias name

2018-10-06 Thread Taehee Yoo
In order to upload the helper module automatically, a helper alias name is needed, so MODULE_ALIAS_NFCT_HELPER() should be added. And unlike other nat helper modules, nf_nat_snmp_basic can be used independently. The helper name is "snmp_trap", so the alias name will be "nfct-helper-snmp_trap" by

[PATCH nf 1/2] netfilter: xt_TEE: fix wrong interface selection

2018-10-06 Thread Taehee Yoo
The TEE netdevice notifier handler checks only the interface name. However, each netns can have the same interface name; hence another netns's interface could be selected. test commands: %ip netns add vm1 %iptables -I INPUT -p icmp -j TEE --gateway 192.168.1.1 --oif enp2s0 %ip link set enp2s0 netns vm1

[PATCH nf 0/2] netfilter: xt_TEE: fix bugs in xt_TEE

2018-10-06 Thread Taehee Yoo
This patchset fixes bugs in xt_TEE.c. The first patch fixes wrong interface selection. In the netdevice notifier handler of xt_TEE, another netns's interface could be selected, but that is wrong behaviour. The second patch adds missing code that finds the interface's index (dev->ifindex) when a rule is inserted.
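Added example for both patches of this xt_TEE series; constructed C, not the module's code. It models the netdevice-notifier handler matching on name only versus name plus netns, and the checkentry-time resolution of --oif that the second patch adds instead of waiting for a notifier. struct net, struct net_device, struct tee_priv, the device list and the replay helpers are hypothetical stand-ins for the kernel's notifier chain and dev_get_by_name(). The same netns-confusion class, keyed on interface index rather than name, is what the nf_flow_table cleanup thread above describes.

```c
#include <stdbool.h>
#include <string.h>

/*
 * Constructed model of the two xt_TEE bugs, not the kernel's code. The
 * structs, the device list and the replay helpers are hypothetical
 * stand-ins for the netdevice notifier chain and dev_get_by_name().
 */
#define IFNAMSIZ	16

struct net { int id; };				/* stand-in for struct net */

struct net_device {
	struct net *net;			/* netns the device lives in */
	char name[IFNAMSIZ];
	int ifindex;
	bool registered;
};

struct tee_priv {
	struct net *net;			/* netns the rule was inserted in */
	char oif[IFNAMSIZ];			/* --oif name from the rule */
	int oifidx;				/* resolved index, -1 while unknown */
};

enum netdev_event { NETDEV_REGISTER, NETDEV_UNREGISTER };

typedef void (*tee_handler_t)(struct tee_priv *, enum netdev_event,
			      const struct net_device *);

/* Buggy notifier: name match only, so a same-named device registering in
 * another netns takes over priv->oifidx. */
static void tee_netdev_event_buggy(struct tee_priv *priv, enum netdev_event ev,
				   const struct net_device *dev)
{
	if (strcmp(dev->name, priv->oif))
		return;
	priv->oifidx = ev == NETDEV_REGISTER ? dev->ifindex : -1;
}

/* Fixed notifier: the device must also live in the rule's netns. */
static void tee_netdev_event_fixed(struct tee_priv *priv, enum netdev_event ev,
				   const struct net_device *dev)
{
	if (dev->net != priv->net || strcmp(dev->name, priv->oif))
		return;
	priv->oifidx = ev == NETDEV_REGISTER ? dev->ifindex : -1;
}

/* checkentry: resolve --oif when the rule is inserted, so an interface that
 * already exists is usable without a later notifier event. Looks up by name
 * inside the rule's own netns, as dev_get_by_name(net, name) would. */
static void tee_check(struct tee_priv *priv, const struct net_device *devs,
		      size_t ndevs)
{
	priv->oifidx = -1;
	for (size_t i = 0; i < ndevs; i++)
		if (devs[i].registered && devs[i].net == priv->net &&
		    !strcmp(devs[i].name, priv->oif))
			priv->oifidx = devs[i].ifindex;
}

/* Rule inserted while the device is (or is not) already present. */
static int resolve_at_insert(bool dev_present)
{
	struct net init_net = { 0 };
	struct net_device enp2s0 = { &init_net, "enp2s0", 2, dev_present };
	struct tee_priv priv = { &init_net, "enp2s0", -1 };

	tee_check(&priv, &enp2s0, 1);
	return priv.oifidx;
}

/* Replay the scenario from the patch: the rule in init_net targets enp2s0,
 * then "ip link set enp2s0 netns vm1" moves the device, which the kernel
 * reports as UNREGISTER in init_net and REGISTER (new ifindex) in vm1.
 * Returns the oifidx the TEE target would use afterwards. */
static int replay_move(bool fixed)
{
	struct net init_net = { 0 }, vm1 = { 1 };
	struct net_device enp2s0 = { &init_net, "enp2s0", 2, true };
	struct tee_priv priv = { &init_net, "enp2s0", -1 };
	tee_handler_t handler = fixed ? tee_netdev_event_fixed
				      : tee_netdev_event_buggy;

	tee_check(&priv, &enp2s0, 1);
	handler(&priv, NETDEV_UNREGISTER, &enp2s0);
	enp2s0.net = &vm1;
	enp2s0.ifindex = 5;
	handler(&priv, NETDEV_REGISTER, &enp2s0);
	return priv.oifidx;
}
```

With the buggy handler the rule in init_net ends up holding ifindex 5, which belongs to vm1 and is meaningless (or names an unrelated device) in init_net; the fixed handler leaves it at -1 until a device of that name comes back to the rule's own netns.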

[PATCH nf 2/2] netfilter: ipt_CLUSTERIP: remove wrong WARN_ON_ONCE in netns exit routine

2018-10-05 Thread Taehee Yoo
When a network namespace is destroyed, both clusterip_tg_destroy() and clusterip_net_exit() are called, and clusterip_net_exit() is called before clusterip_tg_destroy(). Hence the cleanup check code in clusterip_net_exit() doesn't make sense. test commands: %ip netns add vm1 %ip netns exec vm1

[PATCH nf 1/2] netfilter: ipt_CLUSTERIP: fix deadlock in netns exit routine

2018-10-05 Thread Taehee Yoo
When a network namespace is destroyed, cleanup_net() is called. cleanup_net() holds pernet_ops_rwsem, then calls each ->exit callback, so clusterip_tg_destroy() is called by cleanup_net(). And clusterip_tg_destroy() calls unregister_netdevice_notifier(). But both cleanup_net() and

[PATCH nf 0/2] netfilter: ipt_CLUSTERIP: fix bugs in ipt_CLUSTERIP

2018-10-05 Thread Taehee Yoo
This patchset fixes bugs in ipt_CLUSTERIP when a network namespace is destroyed. The first patch fixes a deadlock. The second patch removes a wrong warning message. test commands: %ip netns add vm1 %ip netns exec vm1 bash %ip link set lo up %iptables -A INPUT -p tcp -i lo -d

Re: [PATCH nf-next v3] nft_osf: Add ttl option support

2018-10-04 Thread Fernando Fernandez Mancera
On 10/4/18 2:03 PM, Pablo Neira Ayuso wrote: On Thu, Oct 04, 2018 at 01:57:17PM +0200, Fernando Fernandez Mancera wrote: [...] diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c index 00db27dfd2ff..e0fe1b8429ac 100644 --- a/net/netfilter/nfnetlink_osf.c +++

Re: [PATCH nf-next v3] nft_osf: Add ttl option support

2018-10-04 Thread Pablo Neira Ayuso
On Thu, Oct 04, 2018 at 01:57:17PM +0200, Fernando Fernandez Mancera wrote: [...] > diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c > index 00db27dfd2ff..e0fe1b8429ac 100644 > --- a/net/netfilter/nfnetlink_osf.c > +++ b/net/netfilter/nfnetlink_osf.c > @@ -32,9 +32,7 @@

[PATCH nf-next v3] nft_osf: Add ttl option support

2018-10-04 Thread Fernando Fernandez Mancera
Add ttl option support to the nftables "osf" expression. Signed-off-by: Fernando Fernandez Mancera --- v1: initial patch v2: code correctness and fix the "~" typo. v3: make priv->ttl = ttl; optional and priv->ttl default value is now 0. --- include/linux/netfilter/nfnetlink_osf.h | 3 ++-

Re: [PATCH nf-next v2] nft_osf: Add ttl option support

2018-10-04 Thread Pablo Neira Ayuso
On Thu, Oct 04, 2018 at 01:05:42PM +0200, Fernando Fernandez Mancera wrote: [...] > On 10/3/18 5:36 PM, Pablo Neira Ayuso wrote: [...] > > Better make this optional, ie. > > > > if (tb[NFTA_OSF_TTL]) { > > ttl = nla_get_u8(tb[NFTA_OSF_TTL]); > > if (ttl

Re: [PATCH nf-next v2] nft_osf: Add ttl option support

2018-10-04 Thread Fernando Fernandez Mancera
On 10/3/18 5:36 PM, Pablo Neira Ayuso wrote: Hi Fernando, A few comments. On Sat, Sep 29, 2018 at 12:18:51PM +0200, Fernando Fernandez Mancera wrote: Add ttl option support to the nftables "osf" expression. [..] if (!os_name) strncpy((char *)dest, "unknown",

Re: [nft PATCH] parser_bison: Fix for ECN keyword in LHS of relational

2018-10-03 Thread Pablo Neira Ayuso
On Fri, Aug 24, 2018 at 01:26:57PM +0200, Phil Sutter wrote: > Of all possible TCP flags, 'ecn' is special since it is recognized by > lex as a keyword (there is a field in IPv4 and IPv6 headers with the > same name). Therefore it is listed in keyword_expr, but that was > sufficient for RHS

Re: [nft PATCH] parser_bison: Fix for ECN keyword in LHS of relational

2018-10-03 Thread Pablo Neira Ayuso
Hi Phil, On Wed, Oct 03, 2018 at 09:00:51PM +0200, Phil Sutter wrote: > On Wed, Oct 03, 2018 at 05:28:24PM +0200, Pablo Neira Ayuso wrote: > > On Fri, Aug 24, 2018 at 01:26:57PM +0200, Phil Sutter wrote: > > > Of all possible TCP flags, 'ecn' is special since it is recognized by > > > lex as a

Re: [nft PATCH] parser_bison: Fix for ECN keyword in LHS of relational

2018-10-03 Thread Phil Sutter
Hi Pablo, On Wed, Oct 03, 2018 at 05:28:24PM +0200, Pablo Neira Ayuso wrote: > On Fri, Aug 24, 2018 at 01:26:57PM +0200, Phil Sutter wrote: > > Of all possible TCP flags, 'ecn' is special since it is recognized by > > lex as a keyword (there is a field in IPv4 and IPv6 headers with the > > same

[PATCH nft 2/4] src: get rid of netlink_genid_get()

2018-10-03 Thread Pablo Neira Ayuso
Signed-off-by: Pablo Neira Ayuso --- include/netlink.h | 1 - src/netlink.c | 5 - src/rule.c| 5 +++-- 3 files changed, 3 insertions(+), 8 deletions(-) diff --git a/include/netlink.h b/include/netlink.h index d153e2be03ac..4925af04a707 100644 --- a/include/netlink.h +++

[PATCH nft 0/4] assorted updates

2018-10-03 Thread Pablo Neira Ayuso
Hi, A bunch of assorted updates: 1) Remove json code, we have better support these days in libnftables. So we can deprecate the existing code in libnftnl. 2) Peel off the netlink layer sitting between the command and mnl layers. This is just preparation work for the extended error

[PATCH nft 4/4] mnl: remove alloc_nftnl_chain()

2018-10-03 Thread Pablo Neira Ayuso
The netlink layer sits in between the mnl and the rule layers, remove it. We can remove alloc_nftnl_chain() and consolidate infrastructure in the src/mnl.c file. Signed-off-by: Pablo Neira Ayuso --- include/mnl.h | 10 +++--- include/netlink.h | 8 - src/mnl.c | 98

[PATCH nft 1/4] netlink: remove markup json parsing code

2018-10-03 Thread Pablo Neira Ayuso
We have better json support these days, remove libnftnl json support. Signed-off-by: Pablo Neira Ayuso --- src/netlink.c | 276 +- 1 file changed, 2 insertions(+), 274 deletions(-) diff --git a/src/netlink.c b/src/netlink.c index

[PATCH nft 3/4] mnl: remove alloc_nftnl_table()

2018-10-03 Thread Pablo Neira Ayuso
The netlink layer sits in between the mnl and the rule layers, remove it. We can remove alloc_nftnl_table() and consolidate infrastructure in the src/mnl.c file. Signed-off-by: Pablo Neira Ayuso --- include/mnl.h | 9 + include/netlink.h | 7 --- src/mnl.c | 55

Re: [nft PATCH] parser_bison: Fix for ECN keyword in LHS of relational

2018-10-03 Thread Pablo Neira Ayuso
On Wed, Oct 03, 2018 at 05:28:24PM +0200, Pablo Neira Ayuso wrote: [...] > On Fri, Aug 24, 2018 at 01:26:57PM +0200, Phil Sutter wrote: > > diff --git a/tests/py/inet/tcp.t b/tests/py/inet/tcp.t > > index d66ba8438a32f..f96e3634f41ed 100644 > > --- a/tests/py/inet/tcp.t > > +++

Re: [PATCH nf-next v2] nft_osf: Add ttl option support

2018-10-03 Thread Pablo Neira Ayuso
Hi Fernando, A few comments. On Sat, Sep 29, 2018 at 12:18:51PM +0200, Fernando Fernandez Mancera wrote: > Add ttl option support to the nftables "osf" expression. > > Signed-off-by: Fernando Fernandez Mancera > --- > v1: initial patch > v2: code correctness and fix the "~" typo. > --- >

Re: [nft PATCH] parser_bison: Fix for ECN keyword in LHS of relational

2018-10-03 Thread Pablo Neira Ayuso
Hi Phil, On Fri, Aug 24, 2018 at 01:26:57PM +0200, Phil Sutter wrote: > Of all possible TCP flags, 'ecn' is special since it is recognized by > lex as a keyword (there is a field in IPv4 and IPv6 headers with the > same name). Therefore it is listed in keyword_expr, but that was > sufficient

[PATCH nft] segtree: stop iteration on existing elements in case closing range is found

2018-10-03 Thread Pablo Neira Ayuso
No need to keep iterating once the range object has been allocated. Signed-off-by: Pablo Neira Ayuso --- src/segtree.c | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/src/segtree.c b/src/segtree.c index dc2554b72acf..dc457d6bc1b7 100644 --- a/src/segtree.c +++

[PATCH nft] rule: fix memleak in do_get_setelems()

2018-10-03 Thread Pablo Neira Ayuso
Release set and elements in case of error. Signed-off-by: Pablo Neira Ayuso --- src/rule.c | 8 +++- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/src/rule.c b/src/rule.c index e6d61b670688..6d027c261f97 100644 --- a/src/rule.c +++ b/src/rule.c @@ -2190,17 +2190,15 @@ static

Re: [nft PATCH] tests: shell: Test 'get element' command

2018-10-03 Thread Pablo Neira Ayuso
On Fri, Sep 28, 2018 at 06:17:31PM +0200, Phil Sutter wrote: > This command is currently broken when used in sets with ranges. Test > various variants against known data and check if output is as expected. Applied, thanks.

[PATCH nft] segtree: memleak in get_set_decompose()

2018-10-03 Thread Pablo Neira Ayuso
Release set content on error. Moreover, release input set content in case we finally manage to decompose it. Signed-off-by: Pablo Neira Ayuso --- src/segtree.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/segtree.c b/src/segtree.c index 0d53c83fd837..dc2554b72acf 100644 ---

[PATCH nft] segtree: disentangle get_set_interval_end()

2018-10-03 Thread Pablo Neira Ayuso
This function overrides the left pointer. Instead update this function to return the range that we found to enclose the left element. Note that we may not find a closing right element - therefore, it is a standalone element - in that case this function returns NULL. Reported-by: Phil Sutter

Re: [PATCH nft] doc: Document ct timeout support

2018-10-02 Thread Pablo Neira Ayuso
Hi Harsha, On Wed, Sep 05, 2018 at 12:21:16AM +0530, Harsha Sharma wrote: [...] > diff --git a/doc/stateful-objects.txt b/doc/stateful-objects.txt > index 83a2575..120673d 100644 > --- a/doc/stateful-objects.txt > +++ b/doc/stateful-objects.txt > @@ -1,4 +1,4 @@ > -CT > +CT HELPER > ~~ This

Re: [PATCH] netfilter: ipset: export indexes via netlink

2018-10-01 Thread Jozsef Kadlecsik
Hi, On Mon, 1 Oct 2018, Florent Fourcot wrote: > Do you have any news on this topic? Can I help you to move forward for > inclusion? Sorry for the extremely long delay: I have been working on the userspace library and it still needs a couple of days. There'll be a new release in the first

[PATCH nf-next] netfilter: nf_flow_table: remove flowtable hook flush routine in netns exit routine

2018-10-01 Thread Taehee Yoo
When a device is unregistered, the flowtable flush routine is called by notifier_call (nf_tables_flowtable_event). And the exit callback of the nftables pernet_operation (nf_tables_exit_net) also has a flowtable flush routine. But when the network namespace is destroyed, both notifier_call and pernet_operation are

[PATCH nf] netfilter: nft_set_rbtree: allow loose matching of closing intervals

2018-10-01 Thread Pablo Neira Ayuso
Allow finding the closest match for the right side of an interval (end flag set on) so we allow lookups for inner ranges, e.g. 10-20 in 5-25. Fixes: ba0e4d9917b4 ("netfilter: nf_tables: get set elements via netlink") Reported-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso --- @Phil: You

[PATCH nft] segtree: bogus range via get set element on existing elements

2018-10-01 Thread Pablo Neira Ayuso
table ip x { set y { type inet_service flags interval elements = { 10, 20-30, 40, 50-60 } } } # nft get element x y { 20-40 } table ip x { set y { type inet_service flags interval

Re: [PATCH nft] include: add missing xfrm.h to Makefile.am

2018-09-30 Thread Florian Westphal
Fernando Fernandez Mancera wrote: > @@ -31,4 +31,5 @@ noinst_HEADERS =cli.h \ > rule.h \ > rt.h\ > utils.h \ > + xfrm.h \ > xt.h

[PATCH nft] include: add missing xfrm.h to Makefile.am

2018-09-30 Thread Fernando Fernandez Mancera
Signed-off-by: Fernando Fernandez Mancera --- include/Makefile.am | 1 + 1 file changed, 1 insertion(+) diff --git a/include/Makefile.am b/include/Makefile.am index d3a677d..c103f48 100644 --- a/include/Makefile.am +++ b/include/Makefile.am @@ -31,4 +31,5 @@ noinst_HEADERS = cli.h

Re: [PATCH 2/2 nft] doc: osf: add ttl option to man page

2018-09-30 Thread Fernando Fernandez Mancera
Sorry, I have forgotten to add "Signed-off-by: Fernando Fernandez Mancera ". Thanks. On 9/29/18 12:15 PM, Fernando Fernandez Mancera wrote: --- doc/primary-expression.txt | 20 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/doc/primary-expression.txt

[PATCH nf-next v2] nft_osf: Add ttl option support

2018-09-29 Thread Fernando Fernandez Mancera
Add ttl option support to the nftables "osf" expression. Signed-off-by: Fernando Fernandez Mancera --- v1: initial patch v2: code correctness and fix the "~" typo. --- include/linux/netfilter/nfnetlink_osf.h | 3 ++- include/uapi/linux/netfilter/nf_tables.h | 7 +++

[PATCH libnftnl] expr: osf: add ttl option support

2018-09-29 Thread Fernando Fernandez Mancera
Signed-off-by: Fernando Fernandez Mancera --- include/libnftnl/expr.h | 1 + include/linux/netfilter/nf_tables.h | 4 +++- src/expr/osf.c | 26 +- 3 files changed, 29 insertions(+), 2 deletions(-) diff --git a/include/libnftnl/expr.h

[PATCH 2/2 nft] doc: osf: add ttl option to man page

2018-09-29 Thread Fernando Fernandez Mancera
--- doc/primary-expression.txt | 20 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt index 0fda76d..92dd89a 100644 --- a/doc/primary-expression.txt +++ b/doc/primary-expression.txt @@ -187,18 +187,30 @@

[PATCH 1/2 nft v2] src: osf: add ttl option support

2018-09-29 Thread Fernando Fernandez Mancera
Add support for ttl option in "osf" expression. Example: table ip foo { chain bar { type filter hook input priority filter; policy accept; osf ttl nocheck name "Linux" } } Signed-off-by: Fernando Fernandez Mancera --- v1: initial patch v2: use

[nft PATCH] tests: shell: Test 'get element' command

2018-09-28 Thread Phil Sutter
This command is currently broken when used in sets with ranges. Test various variants against known data and check if output is as expected. Signed-off-by: Phil Sutter --- tests/shell/testcases/sets/0034get_element_0 | 37 1 file changed, 37 insertions(+) create mode

Re: [PATCH nf] netfilter: nft_set_rbtree: add missing rb_erase() in GC routine

2018-09-28 Thread Pablo Neira Ayuso
Applied, thanks.

Re: [PATCH nf] netfilter: avoid erronous array bounds warning

2018-09-28 Thread Pablo Neira Ayuso
On Mon, Sep 24, 2018 at 02:10:04PM +0200, Florian Westphal wrote: > Unfortunately some versions of gcc emit following warning: > $ make net/xfrm/xfrm_output.o > linux/compiler.h:252:20: warning: array subscript is above array bounds > [-Warray-bounds] > hook_head =

Re: [PATCH nf-next] netfilter: nf_flow_table: remove unnecessary nat flag check code

2018-09-28 Thread Pablo Neira Ayuso
On Tue, Sep 25, 2018 at 12:38:28AM +0900, Taehee Yoo wrote: > nf_flow_offload_{ip/ipv6}_hook() checks the nat flag, then calls > nf_flow_nat_{ip/ipv6}, but that also checks the nat flag. So the > nat flag check code in nf_flow_offload_{ip/ipv6}_hook() is unnecessary. Applied, thanks Taehee.

Re: [PATCH nf-next] netfilter: nf_tables: use rhashtable_lookup() instead of rhashtable_lookup_fast()

2018-09-28 Thread Pablo Neira Ayuso
On Tue, Sep 25, 2018 at 12:39:27AM +0900, Taehee Yoo wrote: > Internally, rhashtable_lookup_fast() calls rcu_read_lock(), then > calls rhashtable_lookup(). So in places that are guaranteed to be > under the rcu read lock, rhashtable_lookup() is enough. Also applied, thanks.
