Previous review of match/target lookup did not consider
xtables-eb-translate.c which contains the same code. Fix parsing of
target/match arguments there as well by introducing
ebt_command_default() which consolidates the previously duplicated code.
One notable quirk in comparison to the similar
Mostly to reduce noise from valgrind output, add missing calls to
destroy iterators in nft.c and add cleanup for the populated nft_handle
in xtables_eb_save_main().
Signed-off-by: Phil Sutter
---
iptables/nft.c | 8 ++--
iptables/xtables-save.c | 1 +
2 files changed, 7
On Thu, Aug 23, 2018 at 05:02:07PM +0200, Nicolas Boullis wrote:
> Hi,
>
> On Wed, Aug 22, 2018 at 06:38:49PM +0200, Nicolas Boullis wrote:
> >
> > On Wed, Aug 22, 2018 at 11:59:33AM +0200, Pablo Neira Ayuso wrote:
> > >
> > > Probably better way to go is to support this as a userspace helper in
Hi,
On Wed, Aug 22, 2018 at 06:38:49PM +0200, Nicolas Boullis wrote:
>
> On Wed, Aug 22, 2018 at 11:59:33AM +0200, Pablo Neira Ayuso wrote:
> >
> > Probably better way to go is to support this as a userspace helper in
> > conntrack-tools.
>
> Sorry for asking, but why would it be a “better way”
Pablo Neira Ayuso wrote:
> > > percpu template would allow us to combine both, I mean, to use the
> > > template as a scratchpad area. The template is only used from the same
> > > hook point to pass information between hook callbacks.
> >
> > I found no way to do this.
> >
> > Consider this:
>
On Thu, Aug 23, 2018 at 11:58:34AM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > > This patch reworks template policy to instead work with existing
> > > conntrack.
> > >
> > > As long as such conntrack has not yet been placed into the hash table
> > > (unconfirmed) we can still
So far if invalid priority name was specified the error message referred
to the whole chain/flowtable specification:
nft> add chain ip x h { type filter hook prerouting priority first; }
Error: 'first' is invalid priority in this context.
add chain ip x h { type filter hook
Pablo Neira Ayuso wrote:
> > This patch reworks template policy to instead work with existing conntrack.
> >
> > As long as such conntrack has not yet been placed into the hash table
> > (unconfirmed) we can still add the timeout extension.
> >
> > The only caveat is that we now need to
Hi Florian,
On Wed, Aug 22, 2018 at 05:18:36PM +0200, Florian Westphal wrote:
> Using a private template is problematic:
>
> 1. We can't handle conntrack is already assigned case
> 2. We can't assign both a zone and a timeout policy
> (zone assigns a conntrack template, so we hit problem 1)
Doug Smythies says:
Sometimes it is desirable to temporarily disable, or clear,
the iptables rule set on a computer being controlled via a
secure shell session (SSH). While unwise on an internet facing
computer, I also do it often on non-internet accessible computers
while testing.
Doug Smythies wrote:
> On 2018.08.22 11:26 Doug Smythies wrote:
> > On 2018.08.21 02:26 Florian Westphal wrote:
> >
> > ... [snip] ...
> >
> >> Fix this by clearing maxwin of existing tcp connections on register.
> >> While at it, lower timeout of existing entries when disabling to allow
> >> gc
On 2018.08.22 11:26 Doug Smythies wrote:
> On 2018.08.21 02:26 Florian Westphal wrote:
>
> ... [snip] ...
>
>> Fix this by clearing maxwin of existing tcp connections on register.
>> While at it, lower timeout of existing entries when disabling to allow
>> gc to reap entries more quickly.
>>
>>
On 2018.08.21 02:26 Florian Westphal wrote:
... [snip] ...
> Fix this by clearing maxwin of existing tcp connections on register.
> While at it, lower timeout of existing entries when disabling to allow
> gc to reap entries more quickly.
>
> Reported-by: Doug Smythies
> Fixes: 4d3a57f23dec59
Hi Pablo,
On Wed, Aug 22, 2018 at 11:59:33AM +0200, Pablo Neira Ayuso wrote:
> >
> > Rebase on top of the nf-next git tree, make it work there and the
> > submit patches to the mailing list so we can give it a review.
>
> Probably better way to go is to support this as a userspace helper in
>
Using a private template is problematic:
1. We can't handle conntrack is already assigned case
2. We can't assign both a zone and a timeout policy
(zone assigns a conntrack template, so we hit problem 1)
3. Using a template needs to take care of ct refcount, else we'll
eventually free the
As we are going to need pf.os file to load OS fingerprints from the incoming
nfnl_osf.c, we copy it into the nftables tree directory "files/osf/".
Signed-off-by: Fernando Fernandez Mancera
---
configure.ac | 1 +
files/Makefile.am | 3 +-
files/nftables/Makefile.am |
Import iptables/utils/nfnl_osf.c into nftables tree with some changes in order
to load OS fingerprints automatically from pf.os file.
Signed-off-by: Fernando Fernandez Mancera
---
include/linux/netfilter/Makefile.am | 1 +
include/linux/netfilter/nfnetlink_osf.h | 119 +++
As we are going to use the function nft_mnl_talk() from the incoming
nftnl_osf.c, we make it public.
Signed-off-by: Fernando Fernandez Mancera
---
include/mnl.h | 4
src/mnl.c | 2 +-
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/include/mnl.h b/include/mnl.h
index
Some functions of seg6local are very useful to process
SRv6 encapsulated packets
This patch exports some functions of seg6local that we
use for implementing our new ip6tables target (SEG6).
They can also be used at different parts of the kernel.
The exported functions are:
(1) seg6_get_srh()
(2)
Service Function Chaining (SFC) is one of the main use-cases
of IPv6 Segment Routing (SRv6) [1].
The Segment Routing Header (SRH) allows including a list of
segments in the IPv6 packet. This segment list can be used
to steer the packet through a set of Virtual Network Functions
(VNFs) e.g.,
In Linux, SRv6 policies can be pushed based on the destination
address of packets.
However for many use-cases, it is needed to push SRv6 policies
based on information from L2/L3/L4.
Consider a use-case where you want to push SRv6 policies based
on the application layer protocol (HTTP/DNS), which
On Wed, Aug 22, 2018 at 11:33:27AM +0200, Florian Westphal wrote:
> Satish Patel reports a skb_warn_bad_offload() splat caused
> by -j CHECKSUM rules:
>
> -A POSTROUTING -p tcp -m tcp --sport 80 -j CHECKSUM
>
> The CHECKSUM target has never worked with GSO skbs, and the above rule
> makes no
On Wed, Aug 22, 2018 at 11:56:30AM +0200, Pablo Neira Ayuso wrote:
> Hi Nicolas,
>
> On Tue, Aug 21, 2018 at 10:39:43PM +0200, Nicolas Boullis wrote:
> > Hi,
> >
> > I’m willing to use RTSP through my netfilter-based firewall (that uses
> > NAT for IPv4).
> > After a quick search, I found that
Hi Nicolas,
On Tue, Aug 21, 2018 at 10:39:43PM +0200, Nicolas Boullis wrote:
> Hi,
>
> I’m willing to use RTSP through my netfilter-based firewall (that uses
> NAT for IPv4).
> After a quick search, I found that someone implemented NAT and conntrack
> modules for RTSP a few years ago, and it
Martin Willi wrote:
> The cluster match requires conntrack for matching packets. If the
> netns does not have conntrack hooks registered, the match does not
> work at all.
Acked-by: Florian Westphal
Satish Patel reports a skb_warn_bad_offload() splat caused
by -j CHECKSUM rules:
-A POSTROUTING -p tcp -m tcp --sport 80 -j CHECKSUM
The CHECKSUM target has never worked with GSO skbs, and the above rule
makes no sense as kernel will handle checksum updates on transmit.
Unfortunately, there are
Signed-off-by: Stefano Brivio
---
src/ipset.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/ipset.c b/src/ipset.c
index ce1b73f51633..14a351a125f2 100644
--- a/src/ipset.c
+++ b/src/ipset.c
@@ -176,7 +176,7 @@ build_argv(char *buffer)
if ((newargc +
We might overrun the buffer used to save it otherwise.
Signed-off-by: Stefano Brivio
---
lib/session.c | 14 --
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/lib/session.c b/lib/session.c
index ca96aaa57ea6..7cf3858ca97d 100644
--- a/lib/session.c
+++
This series fixes three potential issues and implements one
possible simplification reported by a recent Covscan run.
Stefano Brivio (4):
Fix use-after-free in ipset_parse_name_compat()
Simplify return statement in ipset_mnl_query()
Check setname length in session code before copying it
When check_setname is used in ipset_parse_name_compat(), the
'str' and 'saved' macro arguments point in fact to the same
buffer. Free the 'saved' argument only after using it.
While at it, remove a useless NULL check on 'saved'.
Signed-off-by: Stefano Brivio
---
lib/parse.c | 7 ---
1 file
The cluster match requires conntrack for matching packets. If the
netns does not have conntrack hooks registered, the match does not
work at all.
Implicitly load the conntrack hook for the family, exactly as many
other extensions do. This ensures that the match works even if the
hooks have not
On Mon, Aug 20, 2018 at 01:34:58PM +0200, Florian Westphal wrote:
> @@ -43,6 +48,18 @@ static int checksum_tg_check(const struct xt_tgchk_param
> *par)
> if (!einfo->operation)
> return -EINVAL;
>
> + switch (par->family) {
> + case NFPROTO_IPV4:
> + if
Thanks Florian!
I'll send a v2 addressing the comments.
Ahmed
On Tue, 21 Aug 2018 18:13:08 +0200
Florian Westphal wrote:
> Ahmed Abdelsalam wrote:
> > +static int seg6_check(const struct xt_tgchk_param *par)
> > +{
> > + /**
> > +* In the future, some new action may require using
> > +
As we are going to use the function nft_mnl_talk() from the incoming
nftnl_osf.c, we make it public.
Signed-off-by: Fernando Fernandez Mancera
---
include/mnl.h | 4
src/mnl.c | 2 +-
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/include/mnl.h b/include/mnl.h
index
Import iptables/utils/nfnl_osf.c into nftables tree with some changes in order
to load OS fingerprints automatically from pf.os file.
Signed-off-by: Fernando Fernandez Mancera
---
include/linux/netfilter/Makefile.am | 1 +
include/linux/netfilter/nfnetlink_osf.h | 119 +++
As we are going to need pf.os file to load OS fingerprints from the incoming
nfnl_osf.c, we copy it into the nftables tree directory "files/osf/".
Signed-off-by: Fernando Fernandez Mancera
---
configure.ac | 1 +
files/Makefile.am | 3 +-
files/nftables/Makefile.am |
Hi,
I’m willing to use RTSP through my netfilter-based firewall (that uses
NAT for IPv4).
After a quick search, I found that someone implemented NAT and conntrack
modules for RTSP a few years ago, and it looks rather unmaintained:
https://github.com/maru-sama/rtsp-linux
Has anyone asked for
Ahmed Abdelsalam wrote:
> +static int seg6_check(const struct xt_tgchk_param *par)
> +{
> + /**
> + * In the future, some new action may require using
> + * this function for doing some checks
> + */
Please add a check on seg6->action and return -EOPNOTSUPP
in case it
Phil Sutter wrote:
> Use of payload expression to match against IPv6 nexthdr field does not
> work if extension headers are present. A simple example for that is
> matching for fragmented icmpv6 traffic. Instead, generate a 'meta
> l4proto' expression which works even if extension headers are
Heena Sirwani wrote:
> This patch fixes the crash when registering the hashlimit extension
> with xtables during init_extensions (when built with static libs).
> The option validation function xtables_option_metavalidate has a
> loop termination condition of the entry name being NULL. The loop
>
This patch fixes the crash when registering the hashlimit extension
with xtables during init_extensions (when built with static libs).
The option validation function xtables_option_metavalidate has a
loop termination condition of the entry name being NULL. The loop
does not terminate when
On Tue, Aug 21, 2018 at 11:46:58AM +0200, Pablo Neira Ayuso wrote:
> On Sat, Aug 11, 2018 at 10:54:21PM +0300, Oleg wrote:
> > What mechanisms for example?
>
> See Performance in
> https://netfilter.org/projects/libnetfilter_queue/doxygen/html/
Performance already read, but what about any
On Sun, Aug 12, 2018 at 08:54:31AM +0430, Saber Rezvani wrote:
> On 08/12/2018 12:24 AM, Oleg wrote:
> > On Sat, Aug 11, 2018 at 12:15:26PM +0200, Pablo Neira Ayuso wrote:
> > > We used to have mmap for nfq but that was removed because there was no
> > > performance gain from it.
> >
On Sat, Aug 11, 2018 at 10:54:21PM +0300, Oleg wrote:
> On Sat, Aug 11, 2018 at 12:15:26PM +0200, Pablo Neira Ayuso wrote:
> > We used to have mmap for nfq but that was removed because there was no
> > performance gain from it.
>
> Interesting. I didn't know about it. Was that a work without
>
Doug Smythies says:
Sometimes it is desirable to temporarily disable, or clear,
the iptables rule set on a computer being controlled via a
secure shell session (SSH). While unwise on an internet facing
computer, I also do it often on non-internet accessible computers
while testing.
Hi Jozsef,
Sorry for the slow answer.
So if one could guarantee that your library alone communicates to the
ip_set module in the kernel, then it makes sense to pass the indices at
listing and cache them. However that cannot be guaranteed.
It's indeed the main use case of this library. You
Use of payload expression to match against IPv6 nexthdr field does not
work if extension headers are present. A simple example for that is
matching for fragmented icmpv6 traffic. Instead, generate a 'meta
l4proto' expression which works even if extension headers are present.
For consistency,
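As an added illustration of the point in the commit message above (this is example configuration written for this page, not code from the nftables project or from Phil Sutter): the first rule reads only the Next Header byte of the fixed IPv6 header, so a packet that carries an extension header (a Fragment header in front of the ICMPv6 payload, for instance) never matches it, while the second rule uses meta l4proto, which the kernel resolves after walking the extension header chain. The table and chain names are placeholders.

```nft
# Added example, not from the page or the nftables project.
# Table and chain names are placeholders chosen for this illustration.
table ip6 filter_demo {
	chain input {
		type filter hook input priority filter; policy accept;

		# Weak: "ip6 nexthdr" is a payload match on the fixed IPv6
		# header's Next Header field. A fragmented ICMPv6 packet has
		# Next Header = 44 (Fragment) there, so this rule is bypassed
		# and the packet falls through to the chain policy.
		ip6 nexthdr icmpv6 counter drop

		# Hardened: "meta l4proto" is the transport protocol found after
		# the extension header chain has been walked, so the fragmented
		# ICMPv6 packet is still matched here.
		meta l4proto icmpv6 counter drop
	}
}
```

Both rules are kept in one chain only so that the counters make the difference visible (the first counter stays at zero for fragmented ICMPv6 while the second increments); in a real ruleset only the meta l4proto form should remain. The drop verdict is for the demonstration as well: dropping all ICMPv6 on a host breaks neighbour discovery, so a production rule would be narrower.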
Satish Patel reports a skb_warn_bad_offload() splat caused
by -j CHECKSUM rules:
-A POSTROUTING -p tcp -m tcp --sport 80 -j CHECKSUM
The CHECKSUM target has never worked with GSO skbs, and the above rule
makes no sense as kernel will handle checksum updates on transmit.
Unfortunately, there are
Hi Jozsef,
On Fri, 17 Aug 2018 22:47:56 +0200 (CEST)
Jozsef Kadlecsik wrote:
> Hi,
>
> On Fri, 17 Aug 2018, Stefano Brivio wrote:
>
> > There doesn't seem to be any reason to restrict MAC address
> > matching to source MAC addresses in set types bitmap:ipmac,
> > hash:ipmac and hash:mac. With
On Sat, Aug 18, 2018 at 12:00:59PM +1000, Duncan Roe wrote:
> Commit c8a0e8c90 added #include but that header
> needs
> the definition of IFNAMSIZ from
> Sample build failure:
>
> CC evaluate.lo
> In file included from ../include/linux/netfilter_bridge.h:10:0,
> from
Hi Pablo,
On Fri, Aug 17, 2018 at 12:00:24PM +0200, Pablo Neira Ayuso wrote:
> On Fri, Aug 17, 2018 at 01:56:32PM +1000, Duncan Roe wrote:
> > Commit 88456a7ef added #include but that header
> > needs
> > the definition of IFNAMSIZ from
>
> Hm, it must be c8a0e8c90e2d1, right? I'll amend it
Commit c8a0e8c90 added #include but that header needs
the definition of IFNAMSIZ from
Sample build failure:
CC evaluate.lo
In file included from ../include/linux/netfilter_bridge.h:10:0,
from rule.c:32:
/usr/include/linux/if_pppox.h:42:20: error: 'IFNAMSIZ' undeclared
Hi,
On Fri, 17 Aug 2018, Stefano Brivio wrote:
> There doesn't seem to be any reason to restrict MAC address
> matching to source MAC addresses in set types bitmap:ipmac,
> hash:ipmac and hash:mac. With this patch, and this setup:
>
> ip netns add A
> ip link add veth1 type veth peer name
This series allows matching on destination MAC address in
bitmap:ipmac, hash:mac and hash:ipmac sets, and makes checks
against all-zero MAC addresses consistent across these three set
types.
Stefano Brivio (2):
ipset: Allow matching on destination MAC address for mac and ipmac
sets
ipset:
Trying to set a chain's policy in an invalid table resulted in a
segfault. Reproducer was:
| # iptables -t broute -P BROUTING ACCEPT
Fix this by aborting in nft_chain_new() if nft_table_builtin_find()
returned NULL for the given table name.
For an illustrative error message, set errno to ENXIO
On Fri, Aug 17, 2018 at 12:00:24PM +0200, Pablo Neira Ayuso wrote:
> On Fri, Aug 17, 2018 at 01:56:32PM +1000, Duncan Roe wrote:
> > Commit 88456a7ef added #include but that header
> > needs
> > the definition of IFNAMSIZ from
>
> Hm, it must be c8a0e8c90e2d1, right? I'll amend it here before
>
On Fri, Aug 17, 2018 at 02:01:17PM +1000, Duncan Roe wrote:
> See comments at end of doc/build_pdfs.sh
Applied, thanks Duncan.
See comments at end of doc/build_pdfs.sh
Signed-off-by: Duncan Roe
---
doc/build_pdfs.sh | 51 +++
1 file changed, 51 insertions(+)
create mode 100755 doc/build_pdfs.sh
diff --git a/doc/build_pdfs.sh b/doc/build_pdfs.sh
new file mode 100755
Commit 88456a7ef added #include but that header needs
the definition of IFNAMSIZ from
Signed-off-by: Duncan Roe
---
src/rule.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/rule.c b/src/rule.c
index d11b1d2..570d667 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -29,6 +29,7 @@
On Thu, Aug 16, 2018 at 08:20:33PM +0200, Pablo Neira Ayuso wrote:
>
> As an alternative, would you be OK if we keep in the tree a
> build-pdf.sh script that calls asciidoc to generate the PDF? So we get
> this away from the build infrastructure but still you have an easy
> way to quickly build
Hi Jan,
I was just sticking to the naming convention,
but I can send a v2 with the new names.
Thanks,
Ahmed
On Thu, 16 Aug 2018 17:56:28 +0200 (CEST)
Jan Engelhardt wrote:
>
> On Thursday 2018-08-16 16:52, Ahmed Abdelsalam wrote:
>
> >---
> > extensions/libip6t_SEG6.c
We depend on IPV6_SEG6_LWTUNNEL only to be sure that three symbols
seg6_get_srh(), seg6_advance_nextseg(), and seg6_lookup_nexthop exist.
On the other hand, the actions go-next, skip-next, and go-last are
based on the ip6tables SRH match of previous, next and last sid.
On Thu, Aug 16, 2018 at 04:51:42PM +0200, Ahmed Abdelsalam wrote:
[...]
> diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
> index 339d0762b027..a2502c54a837 100644
> --- a/net/ipv6/netfilter/Kconfig
> +++ b/net/ipv6/netfilter/Kconfig
> @@ -344,6 +344,21 @@ config
On Wed, Aug 15, 2018 at 12:44:01AM +1000, Duncan Roe wrote:
> On Tue, Aug 14, 2018 at 02:51:45PM +0200, Pablo Neira Ayuso wrote:
> > This adds unnecessary complexity to our build infrastructure. People can
> > just manually generate them in PDF in case they need too. So let's keep
> > it simple
On Thu, Aug 16, 2018 at 06:14:36PM +0200, Phil Sutter wrote:
> The previous fix for reference counts in iptables-nft output wasn't
> complete: While iptables lists the number of references for each custom
> chain (i.e., the number of jumps to it), ebtables lists number of
> entries (i.e., the
On Wed, Aug 15, 2018 at 12:34:24PM +0200, Phil Sutter wrote:
> When trying to list a non-existent chain, ebtables-nft would just print
> the table header and then exit with a code of zero. In order to be more
> consistent with legacy ebtables, change the code to:
>
> * Print table header only if
On Thu, Aug 16, 2018 at 06:07:07PM +0200, Phil Sutter wrote:
> To be consistent with legacy iptables, calling -S with a non-existing
> chain should lead to an error message. This is how some scripts find out
> whether a user-defined chain exists or not.
>
> Make sure doing the same for an
On Tue, Aug 14, 2018 at 08:28:03PM +0200, Phil Sutter wrote:
> Just like with 'iptables-nft -L', we have to make sure the standard set
> of chains exist for a given table when listing it using '-S' flag.
Applied, thanks.
> The added code was just copied over from nft_rule_list() which does the
>
On Fri, Aug 10, 2018 at 05:07:34PM +0200, Phil Sutter wrote:
> This series fixes a nasty bug in ebtables-nft in patch 1. Patches 2 and
> 3 are cleanups in the same area.
Series applied, thanks Phil.
On Tue, Aug 14, 2018 at 01:21:06AM +0530, Harsha Sharma wrote:
> Hello,
>
> On Fri, Aug 10, 2018 at 10:52 PM, Harsha Sharma
> wrote:
> > If l3 protocol value is not specified for ct timeout object then use the
> > value from nft_ctx protocol family.
>
> I think I did this before but you asked
On Tue, Aug 14, 2018 at 10:09:10PM +0200, Máté Eckl wrote:
> This patch fixes a warning reported by the kbuild test robot (from linux-next
> tree):
> net/netfilter/nft_tproxy.c: In function 'nft_tproxy_eval_v6':
> >> net/netfilter/nft_tproxy.c:85:9: warning: missing braces around
> >>
How is it going? Did you run into more small problems?
Let me know if you need a hand :-)
Regards!
On Tue, Jul 31, 2018 at 01:41:23PM +0200, Florian Westphal wrote:
> Shaochun Chen points out we leak dumper filter state allocations
> stored in dump_control->data in case there is an error before netlink sets
> cb_running (after which ->done will be called at some point).
>
> In order to fix
On Wed, Jul 25, 2018 at 09:38:43PM +0200, Florian Westphal wrote:
> Roman reports that DHCPv6 client no longer sees replies from server
> due to
>
> ip6tables -t raw -A PREROUTING -m rpfilter --invert -j DROP
>
> rule. We need to set the F_IFACE flag for linklocal addresses, they
> are scoped
On Thu, Jul 26, 2018 at 12:39:51AM +0900, Taehee Yoo wrote:
> In order to determine allocation size of set, ->privsize is invoked.
> At this point, both desc->size and size of each data structure of set
> are used. desc->size means number of element that is given by user.
> desc->size is u32 type.
On Thu, Aug 02, 2018 at 12:30:09PM +0200, Florian Westphal wrote:
> nf_ct_l4proto_unregister_one() leaves conntracks added by
> to-be-removed tracker behind, nf_ct_l4proto_unregister has to iterate
> for each protocol to be removed.
>
> v2: call nf_ct_iterate_destroy without holding
On Thu, Aug 02, 2018 at 09:44:39PM +0200, Florian Westphal wrote:
> There is an hard-to-trigger race condition when nf_tables module
> is repeatedly removed while concurrent processes create net namespaces
> that use nf_tables (and then exit immediately).
>
> I made a previous attempt to fix this,
The previous fix for reference counts in iptables-nft output wasn't
complete: While iptables lists the number of references for each custom
chain (i.e., the number of jumps to it), ebtables lists number of
entries (i.e., the number of rules contained) for each chain. Both used
the same value for
To be consistent with legacy iptables, calling -S with a non-existing
chain should lead to an error message. This is how some scripts find out
whether a user-defined chain exists or not.
Make sure doing the same for an existing chain does succeed, even if an
invalid rule number was given.
On Thursday 2018-08-16 16:52, Ahmed Abdelsalam wrote:
>---
> extensions/libip6t_SEG6.c| 154 +++
> include/linux/netfilter_ipv6/ip6t_SEG6.h | 22 +
>+#include
I think this should be libxt_SEG6.c, linux/netfilter/xt_SEG6.h,
as there is not really
This patch adds a new extension to iptables to support IPv6
segment routing 'SEG6' target.
The supported actions are:
(1) go-next
(2) skip-next
(3) go-last
(4) bind-sid
Signed-off-by: Ahmed Abdelsalam
---
extensions/libip6t_SEG6.c| 154 +++
Some functions of seg6local are very useful to process
SRv6 encapsulated packets
This patch exports some functions of seg6local that we
use for implementing our new ip6tables target (SEG6).
They can also be used at different parts of the kernel.
The exported functions are:
(1) seg6_get_srh()
(2)
In Linux, SRv6 policies can be pushed based on
packets destination address.
However for many use-cases, it is needed to push SRv6
policies based on information from L2/L3/L4.
Consider a use-case where you want to push SRv6 policies based on
the application layer protocol (HTTP/DNS), which
Service Function Chaining (SFC) is one of the main use-cases of
IPv6 Segment Routing (SRv6) [1].
The Segment Routing Header (SRH) allows including a list of
segments in the IPv6 packet. This segment list can be used
to steer the packet through a set of Virtual Network Functions
(VNFs) e.g.,
On Thu, Aug 16, 2018 at 09:26:20AM +0200, Phil Sutter wrote:
> On Wed, Aug 15, 2018 at 11:33:47PM +0200, Florian Westphal wrote:
> > Phil Sutter wrote:
[...]
> > Not pretty but I'd find it much better than adding this to the kernel.
>
> I think Eric can work around this limitation by inserting
Hi,
On Wed, Aug 15, 2018 at 11:33:47PM +0200, Florian Westphal wrote:
> Phil Sutter wrote:
> > Hi Pablo,
> >
> > On Wed, Aug 15, 2018 at 12:17:28PM +0200, Pablo Neira Ayuso wrote:
> > > On Tue, Aug 14, 2018 at 08:16:11PM +0200, Phil Sutter wrote:
> > > > Hi Arturo,
> > > >
> > > > I see that
The following example shows how to populate a set from the packet path
using the destination IP address, for each entry there is a counter. The
entry expires after the 1 hour timeout if no packets matching this entry
are seen.
table ip x {
set xyz {
type ipv4_addr
Ruleset listing with --stateless should not display the content of
sets that are dynamically populated from the packet path.
Signed-off-by: Pablo Neira Ayuso
---
src/rule.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/src/rule.c b/src/rule.c
index d11b1d2907f2..fcfcf60cbc7c 100644
chain y {
type filter hook output priority filter; policy accept;
update @xyz{ ip daddr }
^^
Missing space between set reference and the element statement. This does
not break restoring the ruleset but it is inconsistent to the
Instead of using the map expression, store dynamic key and data
separately since they need special handling than constant maps.
Signed-off-by: Pablo Neira Ayuso
---
include/statement.h | 3 ++-
src/evaluate.c| 25 -
src/netlink_delinearize.c | 7
This check is superfluous since it breaks valid configurations, remove it.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nft_dynset.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
index 27d7e4598ab6..c35f08084543 100644
---
Phil Sutter wrote:
> Hi Pablo,
>
> On Wed, Aug 15, 2018 at 12:17:28PM +0200, Pablo Neira Ayuso wrote:
> > On Tue, Aug 14, 2018 at 08:16:11PM +0200, Phil Sutter wrote:
> > > Hi Arturo,
> > >
> > > I see that in your commit[1] you explicitly disable policy setting for
> > > user-defined ebtables
On Wed, Aug 15, 2018 at 06:22:14PM +0200, Fernando Fernandez Mancera wrote:
> On 8/14/18 4:10 PM, Pablo Neira Ayuso wrote:
> > On Mon, Aug 13, 2018 at 06:57:08PM +0200, Fernando Fernandez Mancera wrote:
[...]
> > > + uloga("Loading '%s'.\n", ctx, buffer);
>
> I think we should remove uloga() and
On Wed, 15 Aug 2018 08:05:13 -0700
"Doug Smythies" wrote:
> I do not have a file "/proc/net/nf_conntrack". If you are referring to
> examining
> the conntrack table without using the conntrack tool, I used to love the old
> way
> of using "/proc/net/ip_conntrack", but that disappeared about 3
On Wed, Aug 15, 2018 at 12:37:29PM +0200, Phil Sutter wrote:
> Hi Pablo,
>
> On Wed, Aug 15, 2018 at 12:17:28PM +0200, Pablo Neira Ayuso wrote:
> > On Tue, Aug 14, 2018 at 08:16:11PM +0200, Phil Sutter wrote:
> > > Hi Arturo,
> > >
> > > I see that in your commit[1] you explicitly disable policy
Hi Pablo,
On Wed, Aug 15, 2018 at 12:17:28PM +0200, Pablo Neira Ayuso wrote:
> On Tue, Aug 14, 2018 at 08:16:11PM +0200, Phil Sutter wrote:
> > Hi Arturo,
> >
> > I see that in your commit[1] you explicitly disable policy setting for
> > user-defined ebtables chains. Is this because ebtables-nft
When trying to list a non-existent chain, ebtables-nft would just print
the table header and then exit with a code of zero. In order to be more
consistent with legacy ebtables, change the code to:
* Print table header only if chosen chain is found and
* propagate the error condition if chain was
On Tue, Aug 14, 2018 at 08:16:11PM +0200, Phil Sutter wrote:
> Hi Arturo,
>
> I see that in your commit[1] you explicitly disable policy setting for
> user-defined ebtables chains. Is this because ebtables-nft can't support
> them or was it a design decision? I'm asking because it leads to
>
On Tue, 14 Aug 2018 15:19:27 -0700
"Doug Smythies" wrote:
> I don't know what to say, it is 100% repeatable for me, on multiple
> computers.
I do not doubt that, just curious what's the configuration difference and
how I still didn't hit that.
> There has to be some traffic on the SSH session