On Tue, Sep 04, 2018 at 04:01:57PM +0200, Florian Westphal wrote:
> I see no reason for them, label or timer cannot be NULL, and if they
> were, we'll crash with null deref anyway.
>
> For skb_header_pointer failure, just set hotdrop to true and toss
> such packet.
Applied, thanks.
On Mon, Sep 03, 2018 at 06:28:20PM +0200, Kristian Evensen wrote:
> The same connection mark can be set on flows belonging to different
> address families. This commit adds support for filtering on the L3
> protocol when flushing connection track entries. If no protocol is
> specified, then all L3
On Mon, Sep 03, 2018 at 06:09:40PM +0200, Florian Westphal wrote:
> supports fetching saddr/daddr of tunnel mode states, request id and spi.
> If direction is 'in', use inbound skb secpath, else dst->xfrm.
Nice extension, applied thanks.
On Fri, Aug 31, 2018 at 08:29:37PM +0200, Florian Westphal wrote:
> as of a0ae2562c6c4b27 ("netfilter: conntrack: remove l3proto
> abstraction") there are no users anymore.
Applied, thanks Florian.
On Wed, Aug 29, 2018 at 02:41:29PM +0200, Florian Westphal wrote:
> There is one synchronize_rcu instance left in the nf_tables config path,
> its required when something has to be removed that might still be
> visible from the packet path, such as rules or set elements.
>
> In such case, we have
On Wed, Aug 29, 2018 at 12:19:00AM +0200, Florian Westphal wrote:
> Useful e.g. to avoid NATting inner headers of to-be-encrypted packets.
Applied, thanks Florian.
I have not implemented tests and json support yet because I prefer to do
it after the review of this patchset. Thanks!
On 9/16/18 9:11 PM, Fernando Fernandez Mancera wrote:
Add support for ttl option in "osf" expression. Example:
table ip foo {
chain bar {
type filter
Add support for ttl option in "osf" expression. Example:
table ip foo {
chain bar {
type filter hook input priority filter; policy accept;
osf ttl 0 name "Linux"
}
}
Signed-off-by: Fernando Fernandez Mancera
---
include/expression.h
Add ttl option support to the nftables "osf" expression.
Signed-off-by: Fernando Fernandez Mancera
---
include/linux/netfilter/nfnetlink_osf.h | 3 ++-
include/uapi/linux/netfilter/nf_tables.h | 7 +++
include/uapi/linux/netfilter/nfnetlink_osf.h | 1 +
Hi,
I am a SELinux user and like to see SECMARK support in nftables, to be
able to confine network operations [1][2].
Is there currently some effort in adding support for this?
Best regards,
Christian Göttsche
[1] https://paulmoore.livejournal.com/4281.html
[2]
With introduction of literal option, two of the three meaningful numeric
levels lost their purpose. In fact, they turned into no-ops so that '-n'
had to be given three times on the command line to have an effect.
To overcome this, spread the three effects of NFT_NUMERIC_ALL to allow
some selection
Previously, changes to any of the included adoc snippets in nft.txt were
not detected and hence the man page not updated (unless 'make clean' was
called). It seems like the '.txt.8' target only considers foo.txt when
trying to generate foo.8, so get rid of that and introduce a dedicated
target for
Commit 8a7f6de536408 ("meta: fix pkttype name and add 'other' symbol")
deprecated pkt_type value 'unicast' (for it being misleading) and
introduced 'host' and 'other' but it did not update documentation
accordingly. Fix this by replacing 'unicast' with 'host' in
documentation and adding 'other'.
Hi Florian,
I love your patch! Yet something to improve:
[auto build test ERROR on nf-next/master]
url:
https://github.com/0day-ci/linux/commits/Florian-Westphal/netfilter-conntrack-pass-nf_hook_state-to-packet-and-error-handlers/20180914-024412
base:
rhashtable_walk_init() is deprecated and rhashtable_walk_enter() can be
used instead. rhashtable_walk_init() is a wrapper function of
rhashtable_walk_enter(), so the logic is actually the same.
But rhashtable_walk_enter() doesn't return an error, hence the error path
code can be removed.
Signed-off-by: Taehee
Phil Sutter wrote:
> This series fixes a number of potential issues identified by the Coverity
> tool.
Applied, thanks.
Phil Sutter wrote:
> This series contains a number of fixes for JSON output code indicated by
> failing testcases in tests/py. In one instance, testcase's JSON
> equivalent had to be adjusted.
Series applied, thanks Phil.
Add and register l4 GRE/IPv6 support.
Signed-off-by: Ignatius Cheng
---
net/netfilter/nf_conntrack_proto_gre.c | 54 +-
1 file changed, 53 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_conntrack_proto_gre.c
b/net/netfilter/nf_conntrack_proto_gre.c
__nf_nat_mangle_tcp_packet() and nf_nat_mangle_udp_packet() call
mangle_contents(), and __nf_nat_mangle_tcp_packet()
and mangle_contents() call skb_is_nonlinear(), so the
skb_is_nonlinear() in __nf_nat_mangle_tcp_packet() is unnecessary.
Signed-off-by: Taehee Yoo
---
All higher l4proto numbers are handled by the generic tracker; the
l4proto lookup function already returns generic one in case the l4proto
number exceeds max size.
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack_l4proto.h | 2 +-
net/netfilter/nf_conntrack_proto.c
It's unused, next patch will remove l4proto->l3proto number to simplify
l4 protocol demuxer lookup.
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack_l4proto.h | 2 +-
net/netfilter/nf_conntrack_proto.c | 5 ++---
net/netfilter/nf_conntrack_proto_dccp.c | 2 +-
l4 protocols are demuxed by l3num, l4num pair.
However, almost all l4 trackers are l3 agnostic.
Only exceptions are:
- gre, icmp (ipv4 only)
- icmpv6 (ipv6 only)
This commit gets rid of the l3 mapping, l4 trackers can now be looked up
by their IPPROTO_XXX value alone, which gets rid of the
->new() gets invoked after ->error() and before ->packet() if
a conntrack lookup has found no result for the tuple.
We can fold it into ->packet() -- the packet() implementations
can check if the conntrack is confirmed (new) or not
(already in hash).
If it's unconfirmed, the conntrack isn't in
icmp(v6) are the only two layer four protocols that need the error()
callback (to handle icmp errors that are related to an established
connections, e.g. packet too big, port unreachable and the like).
Remove the error callback and handle these two special cases from the core.
Signed-off-by:
The error() handler gets called before allocating or looking up a
connection tracking entry.
We can instead use direct calls from the ->packet() handlers which get
invoked for every packet anyway.
Only exceptions are icmp and icmpv6, these two special cases will be
handled in the next patch.
Only two protocols need the ->error() function: icmp and icmpv6.
This is because icmp error messages might be RELATED to an existing
connection (e.g. PMTUD, port unreachable and the like), and their
->error() handlers do this.
The error callback is already optional, so remove it for
udp and call
A recent change to ip/icmp.t and ip6/icmpv6.t did not update JSON
equivalents accordingly, fix this.
Fixes: 0f44d4f627535 ("proto: fix icmp/icmpv6 code datatype")
Signed-off-by: Phil Sutter
---
tests/py/ip/icmp.t.json | 4 +--
tests/py/ip/icmp.t.json.output| 24 ++
If a datatype doesn't provide a 'json' callback, datatype_json() uses
fmemopen() to grab the output from 'print' callback. When doing so,
reuse the existing output context instead of creating a dedicated one to
make sure all output-related settings are exactly as expected.
Signed-off-by: Phil
This series contains a number of fixes for JSON output code indicated by
failing testcases in tests/py. In one instance, testcase's JSON
equivalent had to be adjusted.
Phil Sutter (4):
json: Fix datatype_json() for literal level
json: Make inet_service_type_json() respect literal level
This brings inet_service_type_json() on par with
inet_service_type_print(). Despite datatype_print()'s ability to use the
'print' callback, a dedicated 'json' callback is required to make port
numbers appear as numbers in JSON output instead of strings. Therefore
go with a bit of code duplication
This applies the same change as in commit 85b1e3c0052ef ("src: Always
print range expressions numerically") to JSON output for consistency.
Signed-off-by: Phil Sutter
---
src/json.c | 8 +++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/json.c b/src/json.c
index
nf_nat_redirect_ipv4() and nf_nat_redirect_ipv6() are only called from the
netfilter hook point, so rcu_read_lock() and rcu_read_unlock() are
unnecessary.
Signed-off-by: Taehee Yoo
---
net/netfilter/nf_nat_redirect.c | 4
1 file changed, 4 deletions(-)
diff --git
Hi,
On Tue, Sep 11, 2018 at 02:39:29AM +0200, Pablo Neira Ayuso wrote:
> On Mon, Sep 03, 2018 at 11:15:54PM +0200, Phil Sutter wrote:
> > Hi Pablo,
> >
> > On Mon, Sep 03, 2018 at 01:57:18PM +0200, Pablo Neira Ayuso wrote:
> > > On Wed, Aug 29, 2018 at 04:33:38PM +0200, Phil Sutter wrote:
> > >
On Mon, Sep 03, 2018 at 11:15:54PM +0200, Phil Sutter wrote:
> Hi Pablo,
>
> On Mon, Sep 03, 2018 at 01:57:18PM +0200, Pablo Neira Ayuso wrote:
> > On Wed, Aug 29, 2018 at 04:33:38PM +0200, Phil Sutter wrote:
> > > If an added rule's listing differs from the input (either expected or
> > > not),
We assume they are always set accordingly since a874752a10da
("netfilter: conntrack: timeout interface depend on
CONFIG_NF_CONNTRACK_TIMEOUT"), so we can get rid of this checks.
Signed-off-by: Pablo Neira Ayuso
---
This patch depends on a patch in the nf tree, so it needs to propagate
to nf-next
On Fri, Aug 24, 2018 at 11:22:08PM +0200, Florian Westphal wrote:
> Doug Smythies says:
> Sometimes it is desirable to temporarily disable, or clear,
> the iptables rule set on a computer being controlled via a
> secure shell session (SSH). While unwise on an internet facing
> computer, I
Fix the parameter check in nft_ebt_standard_target() to avoid an array
out of bounds access in ebt_standard_targets.
Signed-off-by: Phil Sutter
---
iptables/nft-bridge.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iptables/nft-bridge.h b/iptables/nft-bridge.h
index
These calls to memset() are passed a length argument which exceeds
t->target.u.user.name's length by one byte and hence overwrite
t->target.u.user.revision as well (relying upon no padding to happen
between both).
Avoid this obscure behaviour by passing the correct field size and
explicitly
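The overlapping memset() described in that message, as an added C example written for this page (not libiptc's code): the struct mirrors the shape of t->target.u.user, a fixed-size name followed directly by a one-byte revision. The 29-byte name length and the field names are assumptions for the example. The first function shows how the over-long length silently zeroes the neighbouring field; the second is the shape of the fix, clearing exactly sizeof(name) and assigning revision explicitly.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layout modelled on xt_entry_target's u.user: a fixed-size name followed
 * directly by the revision byte. NAME_LEN is an assumption for this example;
 * the point is that &t->name[NAME_LEN] is &t->revision, because both fields
 * have alignment 1 and the compiler inserts no padding between them. */
#define NAME_LEN 29

struct target_user {
    char name[NAME_LEN];
    uint8_t revision;
};

/* "Before": clears NAME_LEN + 1 bytes. The extra byte lands on revision and
 * resets whatever the caller stored there. The volatile accesses keep the
 * compiler from optimising the demonstration away. */
uint8_t revision_after_sloppy_clear(uint8_t revision)
{
    struct target_user t;
    volatile struct target_user *vt = &t;
    volatile size_t len = NAME_LEN + 1;

    vt->revision = revision;
    memset((char *)vt->name, 0, len);   /* one byte too many */
    return vt->revision;                /* now 0, not the value passed in */
}

/* "After": clear exactly the field and set revision explicitly. The result
 * no longer depends on what happens to sit after name[] in memory. */
uint8_t revision_after_exact_clear(uint8_t revision)
{
    struct target_user t;
    volatile struct target_user *vt = &t;

    memset((char *)vt->name, 0, sizeof(t.name));
    vt->revision = revision;
    return vt->revision;
}

/* Sanity check for the fixed version: the whole name is zeroed while the
 * byte after it keeps its value. Returns 1 on success. */
int exact_clear_keeps_neighbour(void)
{
    struct target_user t;
    volatile struct target_user *vt = &t;
    size_t i;

    memset(&t, 0xff, sizeof(t));
    memset((char *)vt->name, 0, sizeof(t.name));
    for (i = 0; i < NAME_LEN; i++)
        if (vt->name[i] != 0)
            return 0;
    return vt->revision == 0xff;
}
```

The sloppy variant only "works" as long as the struct has no padding between the two fields; on any layout change the stray byte lands somewhere else, which is why the fix spells out both the field size and the revision assignment.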
If entry->type is to be used as array index, it needs to be at max one
less than that array's size.
Signed-off-by: Phil Sutter
---
libxtables/xtoptions.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
index
The pattern index variable 'sindex' is bounds checked before
incrementing it, which means in the next loop iteration it might already
match the bounds check condition but is used anyway.
Fix this by incrementing the index before performing the bounds check.
Signed-off-by: Phil Sutter
---
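An added example of the pattern-buffer bounds check that message is about (example code written for this page, not libxt_string's parser): a small re-implementation of the --hex-string notation, literal text with bytes between | bars written as hex pairs, storing into a fixed-size pattern buffer. PATTERN_MAX is an assumption for the example (libxt_string uses XT_STRING_MAX_PATTERN_SIZE, not 8). The check is done on the index about to be used, so a pattern of exactly PATTERN_MAX bytes is accepted and one more byte is rejected instead of being written past the array.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>

/* Buffer size is an assumption for the example so the boundary is easy to
 * hit; libxt_string uses XT_STRING_MAX_PATTERN_SIZE. */
#define PATTERN_MAX 8

struct pattern {
    uint8_t bytes[PATTERN_MAX];
    size_t len;
};

static int hexval(int c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f')
        return c - 'a' + 10;
    return -1;
}

/* Append one byte. The check is against the index that is about to be
 * written. The off-by-one the patch fixes came from checking the index,
 * storing, and incrementing afterwards: once the index reached the limit
 * the next iteration stored first and only then failed the check. Returns 0
 * on success, -1 if the byte does not fit. */
static int pattern_put(struct pattern *p, uint8_t b)
{
    if (p->len >= PATTERN_MAX)
        return -1;
    p->bytes[p->len++] = b;
    return 0;
}

/* Parse "|48 54 54 50|GET"-style input: bytes between bars are hex pairs
 * (whitespace between pairs is ignored), everything else is literal.
 * Returns the pattern length, or -1 on overflow, a bad hex digit or an
 * unterminated bar section. */
int parse_hex_string(const char *s, struct pattern *out)
{
    int in_hex = 0;

    out->len = 0;
    while (*s) {
        if (*s == '|') {
            in_hex = !in_hex;
            s++;
        } else if (!in_hex) {
            if (pattern_put(out, (uint8_t)*s) < 0)
                return -1;
            s++;
        } else if (isspace((unsigned char)*s)) {
            s++;
        } else {
            int hi = hexval((unsigned char)s[0]);
            int lo = s[1] ? hexval((unsigned char)s[1]) : -1;

            if (hi < 0 || lo < 0)
                return -1;
            if (pattern_put(out, (uint8_t)((hi << 4) | lo)) < 0)
                return -1;
            s += 2;
        }
    }
    return in_hex ? -1 : (int)out->len;
}

/* Scalar wrappers, convenient for checking results. */
int hex_string_len(const char *s)
{
    struct pattern p;
    return parse_hex_string(s, &p);
}

int hex_string_byte(const char *s, size_t i)
{
    struct pattern p;
    if (parse_hex_string(s, &p) < 0 || i >= p.len)
        return -1;
    return p.bytes[i];
}
```

The interesting inputs are the two at the boundary: eight bytes fill the buffer and parse, nine are refused before any store happens, which is exactly the property the reordered check in the patch restores.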
Initial motivation for this was a covscan report for potential array out
of bounds access in REJECT_xlate (a false-positive, because all possible
values of reject->with occur in reject_table_xlate).
Use reject types as array indices of reject_table so that reject->with
serves as array index. Also
This series fixes a number of potential issues identified by the Coverity
tool.
Phil Sutter (5):
libxtables: Fix potential array overrun in xtables_option_parse()
libiptc: Avoid side-effect in memset() calls
ebtables: Fix for potential array boundary overstep
libxt_string: Avoid potential
On Mon, Sep 10, 2018 at 04:18:10PM +0200, Phil Sutter wrote:
> Since literal option is supposed to be a level, matching for equality is
> not correct here since the level may be higher than NFT_LITERAL_PORT.
>
> This fixes for ports being printed numerically if '-l' option was given
> twice.
Phil Sutter wrote:
> Passing --wait option to iptables-nft-restore led to program abort
> because the flag parameter was not skipped. Mimic iptables-restore
> behaviour when encountering --wait or --wait-interval options (but still
> ignore the parameter).
Thanks for submitting a test case too,
Phil Sutter wrote:
> The logic to replicate 'iptables-restore --noflush' behaviour of
> flushing custom chains if listed in the dump was broken for chains being
> referenced. A minimal dump reproducing the issue is:
Applied.
Phil Sutter wrote:
> Commit f8e29a13fed8d ("xtables: avoid bogus 'is incompatible' warning")
> fixed for compatibility checking to extend over all chains, not just the
> relevant ones. This patch does the same for rules: Make sure only rules
> belonging to the relevant table are being considered.
On Mon, Sep 10, 2018 at 02:56:48PM +0200, Phil Sutter wrote:
> Hi,
>
> On Wed, Aug 29, 2018 at 02:19:22AM +0200, Pablo Neira Ayuso wrote:
> > On Tue, Aug 28, 2018 at 10:26:56PM +0200, Phil Sutter wrote:
> > > Unless there are objections, I will later follow-up with a patch to
> > > convert
Hi,
On Wed, Aug 29, 2018 at 02:19:22AM +0200, Pablo Neira Ayuso wrote:
> On Tue, Aug 28, 2018 at 10:26:56PM +0200, Phil Sutter wrote:
> > Unless there are objections, I will later follow-up with a patch to
> > convert remaining human readable values into numeric ones in JSON
> > regardless of
On Mon, Sep 10, 2018 at 12:34:00PM +0200, Phil Sutter wrote:
> Hi,
>
> On Fri, Aug 24, 2018 at 01:26:57PM +0200, Phil Sutter wrote:
> > Of all possible TCP flags, 'ecn' is special since it is recognized by
> > lex as a keyword (there is a field in IPv4 and IPv6 headers with the
> > same name).
Hi,
On Fri, Aug 24, 2018 at 01:26:57PM +0200, Phil Sutter wrote:
> Of all possible TCP flags, 'ecn' is special since it is recognized by
> lex as a keyword (there is a field in IPv4 and IPv6 headers with the
> same name). Therefore it is listed in keyword_expr, but that was
> sufficient for RHS
Commit f8e29a13fed8d ("xtables: avoid bogus 'is incompatible' warning")
fixed for compatibility checking to extend over all chains, not just the
relevant ones. This patch does the same for rules: Make sure only rules
belonging to the relevant table are being considered.
Note that comparing the
There are no external callers anymore, previous change just
forgot to also remove the EXPORT_SYMBOL().
Fixes: 9971a514ed269 ("netfilter: nf_nat: add nat type hooks to nat core")
Signed-off-by: Florian Westphal
---
net/ipv4/netfilter/nf_nat_l3proto_ipv4.c | 1 -
1 file changed, 1 deletion(-)
The logic to replicate 'iptables-restore --noflush' behaviour of
flushing custom chains if listed in the dump was broken for chains being
referenced. A minimal dump reproducing the issue is:
| *filter
| :foobar - [0:0]
| -I INPUT -j foobar
| -A foobar -j ACCEPT
| COMMIT
With --noflush, this can
Passing --wait option to iptables-nft-restore led to program abort
because the flag parameter was not skipped. Mimic iptables-restore
behaviour when encountering --wait or --wait-interval options (but still
ignore the parameter).
Fixes: b9d7b49d84bc2 ("xtables-compat: restore: sync options with
From: Máté Eckl
This allows matching on ipsec tunnel/beet addresses in xfrm state
associated with a packet, ipsec request id and the SPI.
Examples:
ipsec in ip saddr 192.168.1.0/24
ipsec out ip6 daddr @endpoints
ipsec in spi 1-65536
Joint work with Máté Eckl.
Cc: Máté Eckl
Signed-off-by:
Signed-off-by: Florian Westphal
---
include/libnftnl/expr.h | 8 +
include/linux/netfilter/nf_tables.h | 29
src/Makefile.am | 1 +
src/expr/xfrm.c | 325
src/expr_ops.c | 2
for symmetry with 'rt ipsec'. "meta secpath" still works.
Signed-off-by: Florian Westphal
---
doc/primary-expression.txt | 6 +++---
src/meta.c | 5 -
src/parser_bison.y | 1 +
tests/py/inet/meta.t | 4 ++--
tests/py/inet/meta.t.payload | 2 +-
5 files
On Thu, Aug 30, 2018 at 10:13:56AM +0200, Florian Westphal wrote:
> Eckl, Máté wrote:
> > Could you please hold this one back for a few days? I can review this at
> > the beginning of next week and I'd like to because of the tricky use of
> > families.
>
> Sorry, I pushed it moments ago before
Add include header for NFTNL_CTTIMEOUT_ARRAY_MAX.
Signed-off-by: Harsha Sharma
---
include/obj.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/obj.h b/include/obj.h
index dfdbb73..26184da 100644
--- a/include/obj.h
+++ b/include/obj.h
@@ -2,6 +2,7 @@
#define _OBJ_OPS_H_
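Review bot: only the `#define _OBJ_OPS_H_` guard line of this hunk is visible; the single added line (6 -> 7 in the `@@ -2,6 +2,7 @@` header) that the message says brings in NFTNL_CTTIMEOUT_ARRAY_MAX is cut off here. Check that the include lands inside the `_OBJ_OPS_H_` guard and names the libnftnl header that actually defines the macro (include/libnftnl/object.h, per the series that exposed the array maximum), rather than relying on transitive inclusion through another header.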
On Tue, Sep 04, 2018 at 12:07:55PM +0200, Pablo Neira Ayuso wrote:
> cgroup v2 path field is PATH_MAX which is too large, this is placing too
> much pressure on memory allocation for people with many rules doing
> cgroup v1 classid matching, side effects of this are bug reports like:
>
>
None of these spots really needs to crash the kernel.
In one or two cases we can just report an error to userspace, in the other
cases we can just use WARN_ON (and leak memory instead).
Signed-off-by: Florian Westphal
---
net/netfilter/nf_tables_api.c | 9 ++---
net/netfilter/nft_cmp.c | 6
I see no reason for them, label or timer cannot be NULL, and if they
were, we'll crash with null deref anyway.
For skb_header_pointer failure, just set hotdrop to true and toss
such packet.
Signed-off-by: Florian Westphal
---
net/ipv6/netfilter/ip6t_ipv6header.c | 5 -
Andrew A. Sabitov says:
I'd like to use a set (concatenation) of icmpv6 type and icmpv6 code
and check incoming icmpv6 traffic against it:
add set inet fw in_icmpv6_types { type icmpv6_type . icmpv6_code; }
add element inet fw in_icmpv6_types { 1 . 0 } # no route to destination
add
From: Michal 'vorner' Vaner
NF_REPEAT places the packet at the beginning of the iptables chain
instead of accepting or rejecting it right away. The packet however will
reach the end of the chain and continue to the end of iptables
eventually, so it needs the same handling as NF_ACCEPT and
cgroup v2 path field is PATH_MAX which is too large, this is placing too
much pressure on memory allocation for people with many rules doing
cgroup v1 classid matching, side effects of this are bug reports like:
https://bugzilla.kernel.org/show_bug.cgi?id=200639
This patch registers a new
Hi Pablo,
On Mon, Sep 03, 2018 at 01:57:18PM +0200, Pablo Neira Ayuso wrote:
> On Wed, Aug 29, 2018 at 04:33:38PM +0200, Phil Sutter wrote:
> > If an added rule's listing differs from the input (either expected or
> > not), reinsert that output and check payload again to make sure the
> >
On Fri, 31 Aug 2018, Stefano Brivio wrote:
> Otherwise, we are missing checks in some paths, e.g. we might
> overrun the buffer used to save the set name in callback_list()
> when we strcpy() to it.
>
> Signed-off-by: Stefano Brivio
> ---
> v3: Also as pointed out by Jozsef, there's no need to
The same connection mark can be set on flows belonging to different
address families. This commit adds support for filtering on the L3
protocol when flushing connection track entries. If no protocol is
specified, then all L3 protocols match.
In order to avoid code duplication and a redundant
supports fetching saddr/daddr of tunnel mode states, request id and spi.
If direction is 'in', use inbound skb secpath, else dst->xfrm.
Joint work with Máté Eckl.
Signed-off-by: Florian Westphal
---
include/uapi/linux/netfilter/nf_tables.h | 29 +++
net/netfilter/Kconfig|
Signed-off-by: Florian Westphal
---
tests/py/inet/osf.t.json| 18 ++
tests/py/inet/socket.t.json | 5 +++--
tests/py/inet/tproxy.t.json | 25 -
tests/py/ip/tproxy.t.json | 23 ++-
tests/py/ip6/tproxy.t.json | 25
On Wed, Aug 29, 2018 at 04:33:38PM +0200, Phil Sutter wrote:
> If an added rule's listing differs from the input (either expected or
> not), reinsert that output and check payload again to make sure the
> asymmetry doesn't lead to (internal) changes in ruleset.
Hm, what is the goal for this one?
Compiler did not catch incorrect typing in the rcu hook assignment.
% nfct add timeout test-tcp inet tcp established 100 close 10 close_wait 10
% iptables -I OUTPUT -t raw -p tcp -j CT --timeout test-tcp
dmesg - xt_CT: Timeout policy `test-tcp' can only be used by L3 protocol
number 25000
Are you speaking of log entries like these?
---
May 7 00:15:22 lanner kernel: [1331862.087653] Denied-by-mangle:blockSetDrop
IN=eth3 OUT= MAC=00:90:0b:17:f2:7d:00:01:5c:8e:ea:46:08:00 SRC=85.104.239.148
DST=73.n.n.133 LEN=40 TOS=0x00 PREC=0x20 TTL=236 ID=28662 DF PROTO=TCP
SPT=59418 DPT=23
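A parser for lines of this shape, as an added C example written for this page (not netfilter's code or anything from the thread): it pulls KEY=VALUE fields and bare flag tokens out of a LOG target line and applies a small detection rule to them. The sample line is constructed after the one quoted above, with the addresses replaced by documentation ranges; the field names are the ones the kernel's LOG target emits, and the TCP flag and WINDOW fields are assumed to be present as on a typical SYN log line.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed sample modelled on the quoted log line; addresses are from
 * documentation ranges, the rest of the fields follow the LOG target's format. */
static const char SAMPLE_LINE[] =
    "May  7 00:15:22 lanner kernel: [1331862.087653] Denied-by-mangle:blockSetDrop "
    "IN=eth3 OUT= MAC=00:90:0b:17:f2:7d:00:01:5c:8e:ea:46:08:00 SRC=192.0.2.148 "
    "DST=198.51.100.133 LEN=40 TOS=0x00 PREC=0x20 TTL=236 ID=28662 DF PROTO=TCP "
    "SPT=59418 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0";

char prefix_buf[128];   /* destination for nflog_prefix(), handy for callers */

/* Find "KEY=" at a token boundary and copy its value (possibly empty, as
 * with "OUT=") into buf. Returns 1 if the key is present, 0 otherwise. */
int nflog_get(const char *line, const char *key, char *buf, size_t buflen)
{
    size_t klen = strlen(key);
    const char *p = line;

    while ((p = strstr(p, key)) != NULL) {
        if ((p == line || p[-1] == ' ') && p[klen] == '=') {
            const char *v = p + klen + 1;
            size_t vlen = strcspn(v, " \t\r\n");

            if (vlen >= buflen)
                vlen = buflen - 1;
            memcpy(buf, v, vlen);
            buf[vlen] = '\0';
            return 1;
        }
        p += klen;
    }
    return 0;
}

/* Numeric view of a field: -1 when absent, empty or not a decimal number. */
long nflog_get_long(const char *line, const char *key)
{
    char buf[32], *end;
    long v;

    if (!nflog_get(line, key, buf, sizeof buf) || buf[0] == '\0')
        return -1;
    v = strtol(buf, &end, 10);
    return *end ? -1 : v;
}

/* Bare flag tokens ("DF", "SYN", "ACK") carry no '='. */
int nflog_has_flag(const char *line, const char *flag)
{
    size_t flen = strlen(flag);
    const char *p = line;

    while ((p = strstr(p, flag)) != NULL) {
        int at_start = (p == line || p[-1] == ' ');
        int at_end = (p[flen] == '\0' || p[flen] == ' ' || p[flen] == '\n');

        if (at_start && at_end)
            return 1;
        p += flen;
    }
    return 0;
}

/* The rule's log prefix: the text between the kernel timestamp and " IN=". */
int nflog_prefix(const char *line, char *buf, size_t buflen)
{
    const char *end = strstr(line, " IN=");
    const char *start;
    size_t n;

    if (!end)
        return 0;
    start = strstr(line, "] ");
    start = (start && start < end) ? start + 2 : line;
    n = (size_t)(end - start);
    if (n >= buflen)
        n = buflen - 1;
    memcpy(buf, start, n);
    buf[n] = '\0';
    return 1;
}

/* Detection rule: an inbound TCP SYN to port 23 that a rule logged, i.e. a
 * telnet probe reaching the box. Returns 1 on match. */
int nflog_is_telnet_probe(const char *line)
{
    char proto[8], in[32];

    if (!nflog_get(line, "PROTO", proto, sizeof proto) || strcmp(proto, "TCP") != 0)
        return 0;
    if (!nflog_get(line, "IN", in, sizeof in) || in[0] == '\0')
        return 0;
    return nflog_get_long(line, "DPT") == 23 && nflog_has_flag(line, "SYN");
}
```

Matching keys only at a token boundary and only when followed by '=' is what keeps "IN" from hitting the middle of "WINDOW=" or a bare flag from being confused with a value; the prefix is recovered from its position rather than its content because administrators put arbitrary text there.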
Phil Sutter wrote:
> Make sure return codes match legacy ones at least for a few selected
> commands typically used to check ruleset state.
Applied, thank you.
Phil Sutter wrote:
> Setting this bit in cs->fw6.ipv6.flags was done only for rules parsed
> from command line, not for those read from kernel. As a result,
> appropriate rules could not be deleted. A simple test case is:
Applied, thanks.
On 8/31/18 7:19 PM, Pablo Neira Ayuso wrote:
On Thu, Aug 30, 2018 at 07:18:42PM +0200, Fernando Fernandez Mancera wrote:
Remove osf_init variable and call nfnl_osf_load_fingerprints() from
expr_evaluate_osf() instead of doing that from do_command_add() path.
Applied, thanks Fernando.
BTW, I
Setting this bit in cs->fw6.ipv6.flags was done only for rules parsed
from command line, not for those read from kernel. As a result,
appropriate rules could not be deleted. A simple test case is:
| # ip6tables-nft -A INPUT -p tcp -j ACCEPT
| # ip6tables-nft -D INPUT -p tcp -j ACCEPT
| iptables:
as of a0ae2562c6c4b27 ("netfilter: conntrack: remove l3proto
abstraction") there are no users anymore.
Signed-off-by: Florian Westphal
---
include/linux/netfilter/nf_conntrack_common.h | 3 ---
net/netfilter/nf_conntrack_standalone.c | 7 ---
2 files changed, 10 deletions(-)
diff
On Thu, Aug 30, 2018 at 07:18:42PM +0200, Fernando Fernandez Mancera wrote:
> Remove osf_init variable and call nfnl_osf_load_fingerprints() from
> expr_evaluate_osf() instead of doing that from do_command_add() path.
Applied, thanks Fernando.
BTW, I have applied a patch to use --debug=mnl to
On Sun, Aug 26, 2018 at 02:35:44AM +0900, Taehee Yoo wrote:
> When an element of a verdict map is deleted, the delete routine should
> release the chain. However, the flush element of verdict map routine doesn't
> release the chain.
>
> test commands:
>%nft add table ip filter
>%nft add chain ip filter c1
On Sat, Aug 25, 2018 at 01:14:46AM +0200, Florian Westphal wrote:
> NF_TABLES_IPV4 is now boolean so it is possible to set
>
> NF_TABLES=m
> NF_TABLES_IPV4=y
> NFT_CHAIN_NAT_IPV4=y
>
> which causes:
> nft_chain_nat_ipv4.c:(.text+0x6d): undefined reference to `nft_do_chain'
>
> Wrap
Use an internal array and expose maximum size so we can just use the
same array size for all protocol timeouts. This simplifies handling
a bit and we don't need to set NFTNL_OBJ_CT_TIMEOUT_L4PROTO in the first
place.
Signed-off-by: Pablo Neira Ayuso
---
include/libnftnl/object.h | 2 ++
It's a valid configuration, don't assume this means timeout is unset.
Signed-off-by: Pablo Neira Ayuso
---
src/obj/ct_timeout.c | 7 +++
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/src/obj/ct_timeout.c b/src/obj/ct_timeout.c
index fe0689a8adab..7c2ea97e7821 100644
---
Now that cttimeout support for nft_ct is in place, these should depend
on CONFIG_NF_CONNTRACK_TIMEOUT otherwise we can crash when dumping the
policy if this option is not enabled.
[ 71.600121] BUG: unable to handle kernel NULL pointer dereference at
[...]
[ 71.600141] CPU: 3
Make sure return codes match legacy ones at least for a few selected
commands typically used to check ruleset state.
Signed-off-by: Phil Sutter
---
iptables/nft.c| 15
iptables/nft.h| 1 +
Otherwise, we are missing checks in some paths, e.g. we might
overrun the buffer used to save the set name in callback_list()
when we strcpy() to it.
Signed-off-by: Stefano Brivio
---
v3: Also as pointed out by Jozsef, there's no need to validate
the set name in ipset_cmd(), this is done
On Fri, 31 Aug 2018 09:53:46 +0200 (CEST)
Jozsef Kadlecsik wrote:
> Hi Stefano,
>
> On Thu, 30 Aug 2018, Stefano Brivio wrote:
>
> > > > @@ -2014,7 +2021,11 @@ ipset_cmd(struct ipset_session *session, enum
> > > > ipset_cmd cmd, uint32_t lineno)
> > > > if (session->lineno != 0 &&
> >
On Tue, Aug 14, 2018 at 01:06:56AM +0530, Harsha Sharma wrote:
> This patch adds support for adding, listing and deleting ct timeout
> objects which can be assigned via rule to assign connection tracking
> timeout policies via objref infrastructure.
Applied this series, thanks. Let's keep
Hi Stefano,
On Thu, 30 Aug 2018, Stefano Brivio wrote:
> > > @@ -2014,7 +2021,11 @@ ipset_cmd(struct ipset_session *session, enum
> > > ipset_cmd cmd, uint32_t lineno)
> > > if (session->lineno != 0 &&
> > > (cmd == IPSET_CMD_ADD || cmd == IPSET_CMD_DEL)) {
> > > /* Save
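Review bot: the quoted hunk stops at `/* Save`, so the check this series adds for the set name before it is copied is not visible; with the `IPSET_CMD_ADD || IPSET_CMD_DEL` plus `lineno != 0` condition shown, the name reaches the strcpy() into callback_list()'s fixed buffer on every such command, so the new check needs to be a length bound against that buffer's size (leaving room for the terminator), not just a non-NULL test, and the failure should be reported through the session error path rather than by silently truncating.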
Remove osf_init variable and call nfnl_osf_load_fingerprints() from
expr_evaluate_osf() instead of doing that from do_command_add() path.
Signed-off-by: Fernando Fernandez Mancera
---
include/osf.h | 1 -
src/evaluate.c | 11 +++
src/nfnl_osf.c | 2 --
src/osf.c | 1 -
Hi Pablo,
On Thu, Aug 30, 2018 at 12:24:11PM +0200, Pablo Neira Ayuso wrote:
> On Wed, Aug 29, 2018 at 04:23:27PM +0200, Phil Sutter wrote:
> > diff --git a/doc/libnftables-json.adoc b/doc/libnftables-json.adoc
> > index 309988bcf02af..c174a35487d46 100644
> > --- a/doc/libnftables-json.adoc
> >
Hi Jozsef,
On Thu, 30 Aug 2018 11:10:02 +0200 (CEST)
Jozsef Kadlecsik wrote:
> Hi Stefano,
>
> On Wed, 29 Aug 2018, Stefano Brivio wrote:
>
> > We might overrun the buffer used to save it otherwise.
> >
> > Signed-off-by: Stefano Brivio
> > ---
> > v2: As requested by Jozsef, move
On Wed, Aug 29, 2018 at 04:25:09PM +0200, Phil Sutter wrote:
> When trying to add a chain to a non-existing table, error reporting
> tries to dereference indesc pointer of the table's location. Hence make
> sure the latter is initialized correctly.
Applied, thanks Phil.
Applied, thanks.
On Wed, Aug 29, 2018 at 04:23:27PM +0200, Phil Sutter wrote:
> diff --git a/doc/libnftables-json.adoc b/doc/libnftables-json.adoc
> index 309988bcf02af..c174a35487d46 100644
> --- a/doc/libnftables-json.adoc
> +++ b/doc/libnftables-json.adoc
> @@ -577,8 +577,6 @@ processing continues with the next
701 - 800 of 13251 matches