Hi,
On Wed, Sep 12, 2018 at 05:41:03PM -0700, Ignatius Cheng wrote:
> Add and register l4 GRE/IPv6 support.
IIRC the GRE tracker depends on the PPTP helper, and the PPTP helper
only supports IPv4 at this stage, right?
On Wed, Sep 26, 2018 at 08:53:08PM +0200, Fernando Fernandez Mancera wrote:
> Sorry if I have misunderstood you but right now, the function implements
> 'ttl nocheck' and 'ttl global' behaviours. Yes I am going to document that
> the default behaviour is 'ttl local'.
>
> So if I am not wrong this
On 9/18/18 1:16 AM, Pablo Neira Ayuso wrote:
On Sun, Sep 16, 2018 at 09:11:12PM +0200, Fernando Fernandez Mancera wrote:
Add support for ttl option in "osf" expression. Example:
table ip foo {
chain bar {
type filter hook input priority filter; policy accept;
osf ttl 0 name
Sorry if I have misunderstood you but right now, the function implements
'ttl nocheck' and 'ttl global' behaviours. Yes I am going to document
that the default behaviour is 'ttl local'.
So if I am not wrong this doesn't require changes. Did you mean
something different or it is fine? Thanks!
On Wed, Sep 26, 2018 at 04:32:56PM +0200, Pablo Neira Ayuso wrote:
> Hi Phil,
>
> On Tue, Sep 25, 2018 at 02:37:15PM +0200, Phil Sutter wrote:
> > Hi Pablo,
> >
> > When dealing with a covscan report for nft, I was pointed at the loop's
> > else-clause of get_set_decompose() as it overwrites
Hi Phil,
On Tue, Sep 25, 2018 at 02:37:15PM +0200, Phil Sutter wrote:
> Hi Pablo,
>
> When dealing with a covscan report for nft, I was pointed at the loop's
> else-clause of get_set_decompose() as it overwrites 'left' without
> freeing it first. The code in question is this:
>
> |
Alexandre Connat wrote:
> 1) FIRST QUESTION:
> Would you be interested in such a contribution? Nothing was previously done
> on GRE, specifically, I suppose. I wonder why there is no target module out
> there that let you set any arbitrary data within the raw packet, at a certain
> offset?
Phil Sutter wrote:
> Patch 1 contains a fix for parser_bison.y to accept 'out' as priority
> name (again a keyword vs. string issue).
>
> The remaining patches deal with flaws in the test case itself, including
> the whopping 38s it took to complete on my testing VM.
Applied, thanks Phil.
On Tue, Sep 25, 2018 at 03:38:43PM +0200, Florian Westphal wrote:
> Phil Sutter wrote:
> > On Tue, Sep 25, 2018 at 12:18:50PM +0200, Florian Westphal wrote:
> > > Phil Sutter wrote:
> > > > In nftnl_expr_xfrm_json_parse(), variable 'spnum' is apparently unused
> > > > so remove it.
> > >
> > >
Phil Sutter wrote:
> On Tue, Sep 25, 2018 at 12:18:50PM +0200, Florian Westphal wrote:
> > Phil Sutter wrote:
> > > In nftnl_expr_xfrm_json_parse(), variable 'spnum' is apparently unused
> > > so remove it.
> >
> > It should be used, "spnum" parsing is missing.
>
> I see. Máté, do you plan to
On Tue, Sep 25, 2018 at 12:18:50PM +0200, Florian Westphal wrote:
> Phil Sutter wrote:
> > In nftnl_expr_xfrm_json_parse(), variable 'spnum' is apparently unused
> > so remove it.
>
> It should be used, "spnum" parsing is missing.
I see. Máté, do you plan to add the missing bits?
Thanks, Phil
Hi Pablo,
When dealing with a covscan report for nft, I was pointed at the loop's
else-clause of get_set_decompose() as it overwrites 'left' without
freeing it first. The code in question is this:
| list_for_each_entry_safe(i, next, &init->expressions, list) {
| if (i->flags &
Enhance the function to accept an optional fourth parameter specifying
the device name, then use it for netdev family. Also remove doubled empty
lines and instead put together what belongs together.
Signed-off-by: Phil Sutter
---
tests/shell/testcases/chains/0021prio_0 | 15 ---
1
Pointless indenting doesn't increase readability, merely makes the
script seem more complicated than it actually is.
Signed-off-by: Phil Sutter
---
tests/shell/testcases/chains/0021prio_0 | 67 -
1 file changed, 33 insertions(+), 34 deletions(-)
diff --git
This test called nft binary 391 times and took about 38s to complete on
my testing VM. Improve this by writing all commands into a temporary
file for processing in a single nft call. Reduces run-time to about 4s.
Interestingly, piping the sub-process's output directly into 'nft -f -'
leads to
There is really no point in declaring a variable which is used just
once. Also mark function local variables as such to make sure they don't
overwrite global ones.
Signed-off-by: Phil Sutter
---
tests/shell/testcases/chains/0021prio_0 | 45 +
1 file changed, 15
Since 'out' is defined as a keyword in scanner.l, using it as a chain
priority name without quotes is not possible. Fix this by introducing
'extended_prio_name' in bison which may be either a string (as before)
or OUT, which is then converted into a string.
Fixes: c8a0e8c90e2d1 ("src: Set/print
Patch 1 contains a fix for parser_bison.y to accept 'out' as priority
name (again a keyword vs. string issue).
The remaining patches deal with flaws in the test case itself, including
the whopping 38s it took to complete on my testing VM.
Phil Sutter (5):
parser_bison: Fix for chain prio name
Hello, developers of Netfilter,
I wanted to tell you some things, and ask you a few questions :
For a student project, I wrote a Netfilter module (both a Match, and a Target)
that allows you to play with the GRE Header reserved flags. (Why on earth would
you do that? Well, it could be used
Phil Sutter wrote:
> In nftnl_expr_xfrm_json_parse(), variable 'spnum' is apparently unused
> so remove it.
It should be used, "spnum" parsing is missing.
In nftnl_expr_xfrm_json_parse(), variable 'spnum' is apparently unused
so remove it.
Fixes: f4621a6f87064 ("expr: add xfrm support")
Signed-off-by: Phil Sutter
---
src/expr/xfrm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/expr/xfrm.c b/src/expr/xfrm.c
index
I reviewed the previously rejected changes in "Sanitize calls to
strcpy()" again and found merely two valid ones:
* Copying from 'real_name' of matches/targets: Length of that field is
not checked in xtables_register_* functions, so its length may be
arbitrary. Patch 1 of this series adds the
This simplifies code a bit since it takes care of checking for
out-of-memory conditions.
Signed-off-by: Phil Sutter
---
iptables/nft-shared.c | 13 ++---
1 file changed, 2 insertions(+), 11 deletions(-)
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index
Just like with 'name', if given check 'real_name' to not exceed max
length.
Signed-off-by: Phil Sutter
---
libxtables/xtables.c | 12
1 file changed, 12 insertions(+)
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 6dd0b152dfecf..34a084f47c290 100644
---
This merges the basically identical implementations of command_match()
from xtables, iptables and ip6tables into one. The only required
adjustment was to make use of xt_params instead of the different
*_globals objects.
Signed-off-by: Phil Sutter
---
iptables/ip6tables.c | 35
Merge these two functions from xtables, iptables, ip6tables and
arptables. Both functions were basically identical in the first three,
only the last one required a bit more attention.
To eliminate access to 'invflags' in variant-specific location, move the
call to set_option() into callers. This
No point in having a dedicated implementation for 'parse_target'
callback since it is identical with the shared one.
Signed-off-by: Phil Sutter
---
iptables/nft-arp.c | 9 +
1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index
On 9/24/18 6:10 AM, Florian Westphal wrote:
> Unfortunately some versions of gcc emit following warning:
> $ make net/xfrm/xfrm_output.o
> linux/compiler.h:252:20: warning: array subscript is above array bounds
> [-Warray-bounds]
> hook_head = rcu_dereference(net->nf.hooks_arp[hook]);
>
Internally, rhashtable_lookup_fast() calls rcu_read_lock() and then
calls rhashtable_lookup(), so in places that are already guaranteed
by the rcu read lock, rhashtable_lookup() is enough.
Signed-off-by: Taehee Yoo
---
net/netfilter/nf_flow_table_core.c | 4 ++--
net/netfilter/nft_set_hash.c | 8
nf_flow_offload_{ip/ipv6}_hook() checks the nat flag, then calls
nf_flow_nat_{ip/ipv6}, but that also checks the nat flag, so the
nat flag check code in nf_flow_offload_{ip/ipv6}_hook() is unnecessary.
Signed-off-by: Taehee Yoo
---
net/netfilter/nf_flow_table_ip.c | 6 ++
1 file changed, 2
Phil Sutter wrote:
> - use snprintf(),
> - use strlcpy() from libbsd or
> - introduce a poor-man's strlcpy() macro/function.
>
> What would you prefer? Leave everything as-is, one of the above or
> something completely different? :)
I don't really care that much, I'd avoid adding new dependency
Hi Florian,
On Mon, Sep 24, 2018 at 11:11:59AM +0200, Florian Westphal wrote:
> Phil Sutter wrote:
> > Make sure destination buffers are NULL-terminated by replacing strcpy()
> > with strncat() (if destination is guaranteed to be zeroed) or explicitly
> > set last byte in buffer to zero.
>
>
Phil Sutter wrote:
> Make sure destination buffers are NULL-terminated by replacing strcpy()
> with strncat() (if destination is guaranteed to be zeroed) or explicitly
> set last byte in buffer to zero.
I'm sorry, but I don't like this at all.
> - strcpy(cs->target->t->u.user.name,
Hi,
On Sat, Sep 22, 2018 at 09:05:45AM +0330, morteza1...@gmail.com wrote:
> Hello
> I am in a dire need about using squid in my Linux iptables firewall as a
> transparent proxy.
> I want to have both firewalling rules and http filtering with squid based on
> linux iptables.
> I know, it is
Hello
I am in a dire need about using squid in my Linux iptables firewall as a
transparent proxy.
I want to have both firewalling rules and http filtering with squid based on
linux iptables.
I know, it is not possible to apply iptables rules in forward chain and after
that filter http
On Fri, Sep 21, 2018 at 11:54:27AM +1000, Duncan Roe wrote:
> It was tempting to remove "position" from the synopsis,
> but have left that for another patch.
Applied, thanks Duncan.
Hi,
I have a minor correction for the REDIRECT explanation in[1]. Instead
of:
| is exactly equivalent to doing DNAT to the address of
it should read:
| is exactly equivalent to doing DNAT to the primary address of
Is there a repository I could send a patch for?
Thanks, Phil
[1]
It was tempting to remove "position" from the synopsis,
but have left that for another patch.
Signed-off-by: Duncan Roe
---
doc/nft.txt | 14 +++---
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/doc/nft.txt b/doc/nft.txt
index 9d04e43..2a76a6c 100644
--- a/doc/nft.txt
On Fri, Sep 14, 2018 at 12:56:33AM +0900, Taehee Yoo wrote:
> rhashtable_walk_init() is deprecated and rhashtable_walk_enter() can be
> used instead. rhashtable_walk_init() is wrapper function of
> rhashtable_walk_enter() so that logic is actually same.
> But rhashtable_walk_enter() doesn't return
On Wed, Sep 19, 2018 at 10:40:39AM +0530, Harsha Sharma wrote:
> Add include header for NFTNL_CTTIMEOUT_ARRAY_MAX. Fixes compilation error
> "../include/obj.h:43:21: error: ‘NFTNL_CTTIMEOUT_ARRAY_MAX’
> undeclared here (not in a function);
Applied, thanks Harsha.
On Wed, Sep 12, 2018 at 03:19:06PM +0200, Florian Westphal wrote:
> icmp(v6) are the only protocols that need the error()
> callback (to handle icmp errors that are related to an established
> connections, e.g. packet too big, port unreachable and the like).
>
> Handle icmp from core, then get
Christian Göttsche wrote:
> Adding a new keyword "secmark_raw" seems to do the trick a bit.
> But somewhere it is still unsupported:
>
> $ nft --debug=netlink add rule inet filter output meta secmark_raw set
> ct secmark_raw
> inet filter output
> [ ct load secmark => reg 1 ]
> [ meta set
Aargh, some code in the nft_meta.c was missing.
Now it works, I'll test further and append the patches with the next
round of the secmark ones.
for reference: https://github.com/cgzones/secmark/tree/master/connsecmark
Adding a new keyword "secmark_raw" seems to do the trick a bit.
But somewhere it is still unsupported:
$ nft --debug=netlink add rule inet filter output meta secmark_raw set
ct secmark_raw
inet filter output
[ ct load secmark => reg 1 ]
[ meta set secmark with reg 1 ]
Error: Could not
Christian Göttsche wrote:
> I am trying to get a connsecmark equivalent working.
>
> How can I implement the secmark pushing from the ct state to the package?
Good question. Should we even allow setting it from register context
or should we enforce strict ct->secmark = skb->secmark?
> $ nft
I am trying to get a connsecmark equivalent working.
How can I implement the secmark pushing from the ct state to the package?
kernel patch:
---
net/netfilter/nft_ct.c | 15 +++
1 file changed, 15 insertions(+)
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index
Add support for new nft object secmark holding security context strings.
The following should demonstrate its usage (based on SELinux context):
# define a tag containing a context string
nft add secmark inet filter sshtag
\"system_u:object_r:ssh_server_packet_t:s0\"
nft list
The new object will hold security context strings.
Note:
nftnl_obj_secmark_json_parse is not yet implemented;
I'd like to get some help how to implement json string parsing as it is not
implemented in ct_helper or ct_timeout.
Based on v1.1.1
Signed-off-by: Christian Göttsche
---
Christian Göttsche wrote:
> I think it was a bug of mine, sorted it out:
> https://github.com/cgzones/secmark/commit/83a1f56a3283214b678655ad6f3b5605c6b48df3
>
> Now I'll focus on connsecmark and testing :-)
Great. You should be able to remove the secmark data type as well:
[NFT_META_SECMARK]
I think it was a bug of mine, sorted it out:
https://github.com/cgzones/secmark/commit/83a1f56a3283214b678655ad6f3b5605c6b48df3
Now I'll focus on connsecmark and testing :-)
Christian Göttsche wrote:
> Now the following works:
>
> $ nft add secmark inet filter sshtag
> \"system_u:object_r:ssh_server_packet_t:s0\"
> $ nft add rule inet filter input tcp dport 22 meta secmark set sshtag
> $ nft add map inet filter secmapping { type inet_service : secmark_tag \; }
> $
Many thanks, now I think I understand the desired behavior with the
helper objects.
Now the following works:
$ nft add secmark inet filter sshtag
\"system_u:object_r:ssh_server_packet_t:s0\"
$ nft add rule inet filter input tcp dport 22 meta secmark set sshtag
$ nft add map inet filter
Christian Göttsche wrote:
> I'm stuck a bit with the nft cli coding.
>
> By now the following works:
>
> $ nft add map inet filter secmapping { type inet_service : secmark \; }
> $ nft add rule inet filter input tcp dport 21 secmark
> \"system_u:object_r:ftp_server_packet_t:s0\"
> $ nft add rule
This series merges legacy ip6tables-save with iptables-save and
ip6tables-restore with iptables-restore. For convenience, struct xtc_ops
from libiptc is extended by a few more callbacks.
Note: This series is based on my recent 28 patches covscan fixes series.
Phil Sutter (3):
libiptc: Extend
Add a few more callbacks used by iptables-save.
Signed-off-by: Phil Sutter
---
include/libiptc/xtcshared.h | 5 +
libiptc/Makefile.am | 4 ++--
libiptc/libiptc.c | 4
3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/include/libiptc/xtcshared.h
Both implementations were very similar already. Differences were mostly
in which libiptc functions were called. Therefore introduce struct
iptables_save_cb to point to the right functions for each variant.
Signed-off-by: Phil Sutter
---
iptables/Makefile.am | 8 +-
Introduce struct iptables_restore_cb and merge ip6tables-restore with
iptables-restore.
Signed-off-by: Phil Sutter
---
iptables/Makefile.am | 6 +-
iptables/ip6tables-restore.c | 391 ---
iptables/iptables-restore.c | 154 ++
3 files
This change originated from covscan complaining about the strcpy() call
with an unknown size source buffer. But in fact, the size is known (and
equal to the destination size), so pass a pointer to STRUCT_GETINFO to
alloc_handle() instead of its fields separately. Hopefully this will
silence
Since sinfo->flags is only 8 bytes large, checking for
XT_CONNTRACK_DIRECTION bit (which has value 1 << 12) will always return
false, so drop this dead code.
Fixes: c7fc1dae1e8f8 ("libxt_conntrack: dump ctdir")
Signed-off-by: Phil Sutter
---
extensions/libxt_conntrack.c | 8
1 file
In print_addr(), a resolved hostname is written into a buffer without
size check. Since BUFSIZ is typically 8192 bytes, this shouldn't be an
issue, though covscan complained about it. Fix the code by using
conntrack_dump_addr() as an example.
Signed-off-by: Phil Sutter
---
All commands this block handles set p->chain. Also the pointer is
dereferenced before, so no point in checking for it to be non-NULL.
Signed-off-by: Phil Sutter
---
iptables/xtables.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iptables/xtables.c b/iptables/xtables.c
Since nft_arp_rule_to_cs() may not set cs->jumpto, later call to
strcmp() may be passed a NULL pointer. Therefore check if the pointer is
valid before doing so.
Signed-off-by: Phil Sutter
---
iptables/nft-arp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git
Make sure destination buffers are NULL-terminated by replacing strcpy()
with strncat() (if destination is guaranteed to be zeroed) or explicitly
set last byte in buffer to zero.
While being at it, replace two direct calls to calloc() with
xtables_calloc() since that takes care of error checking.
Instead of using strcat() and assuming the name will fit, print into the
buffer using snprintf() which truncates the string as needed.
Signed-off-by: Phil Sutter
---
extensions/libxt_LED.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/extensions/libxt_LED.c
This (rather large) series of patches contains changes to address
complaints of a recent covscan run. As is typical for covscan, not all
of them are problematic in practice, but in case the false-negative is
not obvious at first (or second) sight, changing the code is still not a
bad idea just to
Both affected functions check if 'oldopts' is NULL once but later seem
to ignore that possibility. To catch up on that, increment the pointer
only if it isn't NULL, also don't copy its content into the merged
options buffer in that case.
Signed-off-by: Phil Sutter
---
libxtables/xtables.c |
Not a real problem here, but covscan got confused by one string
containing 'then' keyword.
Signed-off-by: Phil Sutter
---
iptables/iptables-apply | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/iptables/iptables-apply b/iptables/iptables-apply
index
These functions contain code which occurs in legacy's print_firewall()
functions, so use them there.
Rename them to at least make clear they print more than a single
address.
Also introduce ipv{4,6}_addr_to_string() which take care of converting
an address/netmask pair into string representation
This moves getethertype.c into libxtables so that both extensions and
xtables-nft-multi may use the implementations therein. New users are
libebt_arp and libebt_vlan which drop their own duplicated
implementations of getethertypebyname() for the shared one.
This change originated from a covscan
This gets rid of a number of assignments which are either redundant or
not used afterwards.
Signed-off-by: Phil Sutter
---
iptables/ip6tables-restore.c| 4 ++--
iptables/iptables-restore.c | 4 ++--
iptables/iptables-xml.c | 4 ++--
iptables/nft.c | 2 --
Just like with libxt_conntrack, get rid of the temporary buffer. The
comment even states that it was copied from there, so just make them
identical again.
Signed-off-by: Phil Sutter
---
extensions/libxt_ipvs.c | 22 --
1 file changed, 12 insertions(+), 10 deletions(-)
diff
This is a leftover from previous cleanup.
Fixes: 098ee2e91756c ("xtables-save: Ignore uninteresting tables")
Signed-off-by: Phil Sutter
---
iptables/nft.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index c67718c882a64..032c3788a20a7
According to covscan, vfork() may lead to a deadlock in the parent
process. It suggests to use posix_spawn() instead. Since the latter
combines vfork() and exec() calls, use it for xtables_insmod().
Signed-off-by: Phil Sutter
---
libxtables/xtables.c | 15 +--
1 file changed, 5
This eliminates the deprecation warning when compiling the sources.
Signed-off-by: Phil Sutter
---
utils/nfnl_osf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/utils/nfnl_osf.c b/utils/nfnl_osf.c
index e65c320156518..fad7f70024c56 100644
--- a/utils/nfnl_osf.c
+++
The code obviously tries to assert that nft_table_builtin_find()
returned a valid pointer before dereferencing it, but the wrong argument
was given. Assume this is just a typo and insert the missing underscore.
Fixes: 9b896224e0bfc ("xtables: rework rule cache logic")
Signed-off-by: Phil Sutter
Signed-off-by: Phil Sutter
---
iptables/.gitignore | 2 ++
1 file changed, 2 insertions(+)
diff --git a/iptables/.gitignore b/iptables/.gitignore
index 5ca54adca38cf..d0301c6de896e 100644
--- a/iptables/.gitignore
+++ b/iptables/.gitignore
@@ -14,6 +14,8 @@
/iptables-xml
/iptables-xml.1
The variable is not read before being assigned the return value of
strtoul(), therefore the initialization is useless. And since after this
change parameter 'end' becomes unused, drop it as well.
Signed-off-by: Phil Sutter
---
extensions/libxt_time.c | 8
1 file changed, 4 insertions(+),
Since info->protocol is of type __u8, its value will never become -1.
Apart from that, xtables_parse_protocol() calls xt_params->exit_err() in
case of error, so this code is dead anyway.
Signed-off-by: Phil Sutter
---
extensions/libebt_ip.c | 4
extensions/libebt_ip6.c | 4
2 files
Move the function to xshared.c for common use between legacy and xtables
sources. While being at it, silence a covscan warning triggered by that
function as it couldn't verify input buffers won't exceed IFNAMSIZ.
Therefore use snprintf() when writing to the local buffer.
Signed-off-by: Phil
I'm stuck a bit with the nft cli coding.
By now the following works:
$ nft add map inet filter secmapping { type inet_service : secmark \; }
$ nft add rule inet filter input tcp dport 21 secmark
\"system_u:object_r:ftp_server_packet_t:s0\"
$ nft add rule inet filter input secmark name tcp dport
Add include header for NFTNL_CTTIMEOUT_ARRAY_MAX. Fixes compilation error
"../include/obj.h:43:21: error: ‘NFTNL_CTTIMEOUT_ARRAY_MAX’
undeclared here (not in a function);
Signed-off-by: Harsha Sharma
---
Changes in v2:
- Add compilation error in log message
include/obj.h | 1 +
1 file
> Simplest version is to merge your patch into nft_meta.c, in the
> "set" part, and make the init() function translate it to the 32bit
> immediate, this would pretty much look like your patch.
Doesn't this conflict with the fact that e.g. reloading the SELinux
policy invalidates the string <->
On Tue, Sep 18, 2018 at 12:23:42PM +0200, Pablo Neira Ayuso wrote:
> On Tue, Sep 18, 2018 at 02:56:02AM +0200, Florian Westphal wrote:
[...]
> > We'd need a new NFT_OBJECT_SELCTX in kernel, that gets the security
> > label and can do the conversion to the 32bit id.
> >
> > This would live in
On Tue, Sep 18, 2018 at 02:56:02AM +0200, Florian Westphal wrote:
> Christian Göttsche wrote:
> > Hi,
> > after I found a nice tutorial [1], I started to hack some code [2].
> > Is it the correct approach to introduce a new kernel module and a new
> > nftables statement?
>
> Yes and no :-)
>
>
On 9/18/18 1:16 AM, Pablo Neira Ayuso wrote:
On Sun, Sep 16, 2018 at 09:11:12PM +0200, Fernando Fernandez Mancera wrote:
Add support for ttl option in "osf" expression. Example:
table ip foo {
chain bar {
type filter hook input priority filter; policy accept;
On 9/18/18 1:15 AM, Pablo Neira Ayuso wrote:
On Sun, Sep 16, 2018 at 09:10:16PM +0200, Fernando Fernandez Mancera wrote:
Add ttl option support to the nftables "osf" expression.
Signed-off-by: Fernando Fernandez Mancera
---
include/linux/netfilter/nfnetlink_osf.h | 3 ++-
Christian Göttsche wrote:
> Hi,
> after I found a nice tutorial [1], I started to hack some code [2].
> Is it the correct approach to introduce a new kernel module and a new
> nftables statement?
Yes and no :-)
The problem is that current nft_meta.c uses the 32bit secmark id,
which, as far as I
On Mon, Sep 17, 2018 at 01:38:33PM +0200, Phil Sutter wrote:
> Commit 56d7ab42f3782 ("libxt_string: Avoid potential array out of bounds
> access") tried to fix parse_hex_string() for overlong strings but the
> change still allowed for 'sindex' to become XT_STRING_MAX_PATTERN_SIZE
> which leads to
On Sun, Sep 16, 2018 at 09:11:12PM +0200, Fernando Fernandez Mancera wrote:
> Add support for ttl option in "osf" expression. Example:
>
> table ip foo {
> chain bar {
> type filter hook input priority filter; policy accept;
> osf ttl 0 name "Linux"
Looking at
On Sun, Sep 16, 2018 at 09:10:16PM +0200, Fernando Fernandez Mancera wrote:
> Add ttl option support to the nftables "osf" expression.
>
> Signed-off-by: Fernando Fernandez Mancera
> ---
> include/linux/netfilter/nfnetlink_osf.h | 3 ++-
> include/uapi/linux/netfilter/nf_tables.h | 7
Hi,
after I found a nice tutorial [1], I started to hack some code [2].
Is it the correct approach to introduce a new kernel module and a new
nftables statement?
Is there an easy way to attach the secmark to the parent connection,
so that all packets of the same connection inherit it?
Best
On Wed, Sep 05, 2018 at 11:16:43AM +0200, Florian Westphal wrote:
> for symmetry with 'rt ipsec'. "meta secpath" still works.
>
> Signed-off-by: Florian Westphal
Acked-by: Pablo Neira Ayuso
On Wed, Sep 05, 2018 at 11:16:42AM +0200, Florian Westphal wrote:
> Signed-off-by: Florian Westphal
Acked-by: Pablo Neira Ayuso
On Wed, Sep 05, 2018 at 11:16:41AM +0200, Florian Westphal wrote:
> Signed-off-by: Florian Westphal
Acked-by: Pablo Neira Ayuso
On Fri, Sep 14, 2018 at 11:00:23AM +0200, Phil Sutter wrote:
> Previously, changes to any of the included adoc snippets in nft.txt were
> not detected and hence the man page not updated (unless 'make clean' was
> called). It seems like the '.txt.8' target only considers foo.txt when
> trying to
On Fri, Sep 14, 2018 at 11:00:14AM +0200, Phil Sutter wrote:
> Commit 8a7f6de536408 ("meta: fix pkttype name and add 'other' symbol")
> deprecated pkt_type value 'unicast' (for it being misleading) and
> introduced 'host' and 'other' but it did not update documentation
> accordingly. Fix this by
On Fri, Sep 07, 2018 at 01:02:24PM +0200, Florian Westphal wrote:
> There are no external callers anymore, previous change just
> forgot to also remove the EXPORT_SYMBOL().
Also applied, thanks.
On Wed, Sep 12, 2018 at 12:20:43AM +0900, Taehee Yoo wrote:
> nf_nat_redirect_ipv4() and nf_nat_redirect_ipv6() are only called by
> netfilter hook point. so that rcu_read_lock and rcu_read_unlock() are
> unnecessary.
Applied, thanks.
On Fri, Aug 31, 2018 at 08:29:37PM +0200, Florian Westphal wrote:
> as of a0ae2562c6c4b27 ("netfilter: conntrack: remove l3proto
> abstraction") there are no users anymore.
Applied, thanks Florian.
On Tue, Sep 04, 2018 at 04:01:47PM +0200, Florian Westphal wrote:
> None of these spots really needs to crash the kernel.
> In one or two cases we can just report error to userspace, in the other
> cases we can just use WARN_ON (and leak memory instead).
Applied, thanks.