Re: [PATCH 1/3] bridge: netfilter: checkpatch whitespace fixes

2016-06-08 Thread Joe Perches
On Wed, 2016-06-08 at 13:52 +0200, Pablo Neira Ayuso wrote: > On Tue, Jun 07, 2016 at 11:02:30AM -0700, Joe Perches wrote: > > On Tue, 2016-06-07 at 19:34 +0200, Pablo Neira Ayuso wrote: > > > On Tue, Jun 07, 2016 at 10:04:40AM -0700, Joe Perches wrote: > > > > One more question, is this chunk

Netfilter/Suricata user day on 27th June in Amsterdam, Netherlands

2016-06-08 Thread Pablo Neira Ayuso
Hi! We are organizing a public user day at the Vrije Universiteit (VU) Amsterdam on June 27th 2016. This day is titled "Suricata meets Netfilter" and brings talks about the Linux Netfilter/nftables Firewall project and the Suricata IDS/IPS project. Keynote will be delivered by Linux NetDev

[PATCHv4] extensions: libip6t_frag: Add translation to nft

2016-06-08 Thread Laura Garcia Liebana
Add translation for frag to nftables. According to the --fraglen code: case O_FRAGLEN: /* * As of Linux 3.0, the kernel does not check for * fraglen at all. */ In addition, the kernel code doesn't show any reference to

Re: [PATCH 1/3] bridge: netfilter: checkpatch whitespace fixes

2016-06-08 Thread Pablo Neira Ayuso
On Wed, Jun 08, 2016 at 07:31:21PM +0200, Pablo Neira Ayuso wrote: > Then you can follow up with a patch to add this function. > > Just a suggestion, let me know if this is fine with you. Forget this idea. Actually your patch from: Date: Tue, 07 Jun 2016 11:02:30 -0700 looks easier to read

[PATCH v2] iptables: extensions: libxt_MARK: Add translation to nft

2016-06-08 Thread Roberto García
Add translation for the MARK target to nftables. Examples: $ sudo iptables-translate -t mangle -A OUTPUT -j MARK --set-mark 64 nft add rule ip mangle OUTPUT counter meta mark set 0x40 $ sudo iptables-translate -t mangle -A OUTPUT -j MARK --set-xmark 0x40/0x32 nft add rule ip mangle OUTPUT

Re: [PATCH nf-next 4/4] netfilter: nft_meta: add explicitly nf_logger_find_get call

2016-06-08 Thread Florian Westphal
Liping Zhang wrote: > From: Liping Zhang > > Like xt_TRACE does, we should request the related nf_log module appropriately. > Otherwise, if the nf_log_ipv4 kernel module is not installed, and the > user adds the following nft rule: > # nft add rule

Re: [PATCH nf-next 3/4] netfilter: xt_TRACE: add explicitly nf_logger_find_get call

2016-06-08 Thread Florian Westphal
Liping Zhang wrote: > From: Liping Zhang > > Consider such a situation: if the nf_log_ipv4 kernel module is not installed, > and the user adds the following iptables rule: > # iptables -t raw -I PREROUTING -j TRACE > > There will be no trace log

Re: [PATCH v2 libnftnl] Check all strdup

2016-06-08 Thread Pablo Neira Ayuso
On Tue, Jun 07, 2016 at 05:08:10PM +0200, Pablo Neira Ayuso wrote: > Carlos, > > On Tue, May 31, 2016 at 12:08:32PM +0200, Carlos Falgueras García wrote: > > Check all strdup possible error and treat it consequently. > > Please, manually apply these two patches in your local working copy: > >

[PATCH libmnl] nlmsg: Improve payload printing

2016-06-08 Thread Carlos Falgueras García
It makes more sense to use "isprint" than "isalnum" because we use non-alphanumeric characters like '%', '_', etc. And, in case of a non-printable character, printing a space is preferable to printing a NULL (0) in order to keep alignment. Before: ... |00012|--|2||len |flags| type| | 5f 5f 73
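As an added illustration of the isalnum/isprint point above (this is example code written for this page, not libmnl's own nlmsg.c), the block below renders 4-byte groups of a netlink payload into the ASCII column of a hex dump. The post-patch behaviour keeps every isprint() byte and substitutes a space for anything else; the pre-patch behaviour is kept alongside to show why a NUL breaks the row: it terminates the C string, so a '_' or '%' silently swallows the rest of the group. The sample payload is constructed here and is not taken from the original message.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Post-patch rendering: keep printable bytes, replace the rest with a space
 * so the column keeps its width. "out" must hold 4 bytes plus a NUL. */
static void payload_ascii_column(const unsigned char *b, char *out)
{
    int i;
    for (i = 0; i < 4; i++)
        out[i] = isprint(b[i]) ? (char)b[i] : ' ';
    out[4] = '\0';
}

/* Pre-patch rendering, kept only for comparison: isalnum() and a NUL for
 * everything else. Returns how many characters actually survive when the
 * buffer is printed as a string, which is what a NUL in the middle costs. */
static size_t isalnum_column_survivors(const char *in4)
{
    char out[5];
    int i;
    for (i = 0; i < 4; i++)
        out[i] = isalnum((unsigned char)in4[i]) ? in4[i] : '\0';
    out[4] = '\0';
    return strlen(out);
}

/* Render a 4-byte group with isprint() and compare against the expected
 * column text; 1 on match, 0 otherwise. */
static int ascii_column_matches(const char *in4, const char *expect)
{
    char out[5];
    payload_ascii_column((const unsigned char *)in4, out);
    return strcmp(out, expect) == 0;
}

/* Dump a payload in 4-byte rows: hex on the left, ASCII column on the right. */
static void dump_payload(const unsigned char *buf, size_t len, FILE *fp)
{
    size_t off;
    for (off = 0; off < len; off += 4) {
        unsigned char grp[4] = {0, 0, 0, 0};
        char asc[5];
        size_t n = len - off < 4 ? len - off : 4;
        memcpy(grp, buf + off, n);
        payload_ascii_column(grp, asc);
        fprintf(fp, "| %02x %02x %02x %02x  |\t %c %c %c %c |\n",
                grp[0], grp[1], grp[2], grp[3],
                asc[0], asc[1], asc[2], asc[3]);
    }
}

int main(void)
{
    /* Constructed sample (assumption, not data from the list message): a
     * name that mixes letters with '_' and '%', followed by a control byte. */
    static const unsigned char sample[] = { '_', '_', 's', 'e', 't', '%', '1', 0x01 };
    dump_payload(sample, sizeof(sample), stdout);
    return 0;
}
```

Bytes are passed to isprint()/isalnum() as unsigned char values: feeding a negative char to the <ctype.h> functions is undefined behaviour, which matters for a payload that routinely carries high bytes.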

Re: [PATCH v2 libnftnl] Check all strdup

2016-06-08 Thread Pablo Neira Ayuso
On Wed, Jun 08, 2016 at 01:37:41PM +0200, Florian Westphal wrote: > Pablo Neira Ayuso wrote: > > + if (attr > NFTNL_CHAIN_MAX) { > > + errno = -EOPNOTSUPP; > > The negation should be dropped. Right, this should be: errno = EOPNOTSUPP; -- To

Re: [PATCH 1/3] bridge: netfilter: checkpatch whitespace fixes

2016-06-08 Thread Pablo Neira Ayuso
On Tue, Jun 07, 2016 at 11:02:30AM -0700, Joe Perches wrote: > On Tue, 2016-06-07 at 19:34 +0200, Pablo Neira Ayuso wrote: > > On Tue, Jun 07, 2016 at 10:04:40AM -0700, Joe Perches wrote: > > > One more question, is this chunk below correct from > > > coding style point of view? > > > >

[PATCH nf-next 3/4] netfilter: xt_TRACE: add explicitly nf_logger_find_get call

2016-06-08 Thread Liping Zhang
From: Liping Zhang Consider such a situation: if the nf_log_ipv4 kernel module is not installed, and the user adds the following iptables rule: # iptables -t raw -I PREROUTING -j TRACE There will be no trace log generated until the user installs the nf_log_ipv4 module manually.

[PATCH nf-next 0/4] netfilter: request related nf_log module when we add TRACE rule

2016-06-08 Thread Liping Zhang
From: Liping Zhang This patch set solves such a problem. For example, if we add the following iptables rule: # iptables -t raw -I PREROUTING -j TRACE and the nf_log_ipv4 kernel module is not installed, no trace log will be generated until we install the nf_log_ipv4 module

[PATCH iptables] extensions: libxt_TRACE: Add translation to nft

2016-06-08 Thread Liping Zhang
From: Liping Zhang For example: # iptables-translate -t raw -A PREROUTING -j TRACE nft add rule ip raw PREROUTING counter nftrace set 1 Signed-off-by: Liping Zhang --- extensions/libxt_TRACE.c | 8 1 file changed, 8

[PATCH nf-next] netfilter: nft_meta: set skb->nf_trace appropriately

2016-06-08 Thread Liping Zhang
From: Liping Zhang When a user adds an nft rule to set nftrace to zero, for example: # nft add rule ip filter input nftrace set 0 We should set nf_trace to zero also. Signed-off-by: Liping Zhang --- net/netfilter/nft_meta.c | 2 +- 1

[PATCH nf-next] netfilter: xt_cpu: no need to check the validity of invert flag

2016-06-08 Thread Liping Zhang
From: Liping Zhang Instead, we can convert the invert flag and ensure it is 1 or 0. Signed-off-by: Liping Zhang --- net/netfilter/xt_cpu.c | 12 +--- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git

[PATCH nf-next 1/4] netfilter: nf_log: handle NFPROTO_INET properly in nf_logger_[find_get|put]

2016-06-08 Thread Liping Zhang
From: Liping Zhang When we request NFPROTO_INET, it means both NFPROTO_IPV4 and NFPROTO_IPV6. Signed-off-by: Liping Zhang --- net/netfilter/nf_log.c | 20 1 file changed, 20 insertions(+) diff --git

Re: [PATCH v2 libnftnl] Check all strdup

2016-06-08 Thread Florian Westphal
Pablo Neira Ayuso wrote: > + if (attr > NFTNL_CHAIN_MAX) { > + errno = -EOPNOTSUPP; The negation should be dropped. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More