Re: [PATCH nf-next 2/6] netfilter: conntrack: get rid of conntrack timer

2016-08-21 Thread Eric Dumazet
On Fri, 2016-08-19 at 18:04 +0200, Florian Westphal wrote: > Eric Dumazet wrote: > > On Fri, 2016-08-19 at 17:16 +0200, Florian Westphal wrote: > > > > > Hmm, nf_conntrack_find caller needs to hold rcu_read_lock, > > > in case object is free'd SLAB_DESTROY_BY_RCU

[PATCH nf] netfilter: nft_reject: restrict to INPUT/FORWARD/OUTPUT

2016-08-21 Thread Liping Zhang
From: Liping Zhang After I added the nft rule "nft add rule filter prerouting reject with tcp reset", a kernel panic happened on my system: NULL pointer dereference at ... IP: [] nf_send_reset+0xaf/0x400 Call Trace: [] ? nf_reject_ip_tcphdr_get+0x160/0x160 []
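The restriction the subject line describes, as an added example that is not the kernel's code or the patch itself: a hook-mask check that refuses a reject expression at rule-load time unless the base chain sits on INPUT, FORWARD or OUTPUT, so "add rule filter prerouting reject" fails with an error instead of reaching the NULL pointer dereference in nf_send_reset reported above. Hook numbers follow the kernel's nf_inet_hooks enum; the struct and function names are this example's own, loosely modelled on nft_chain_validate_hooks, and the rule set in main() is constructed.

```c
#include <errno.h>
#include <stdio.h>

/* Netfilter IPv4/IPv6 hook numbers, following the kernel's enum nf_inet_hooks
 * (values assumed here; this is a constructed example, not kernel source). */
enum nf_inet_hooks {
	NF_INET_PRE_ROUTING  = 0,
	NF_INET_LOCAL_IN     = 1,
	NF_INET_FORWARD      = 2,
	NF_INET_LOCAL_OUT    = 3,
	NF_INET_POST_ROUTING = 4,
	NF_INET_NUMHOOKS     = 5,
};

/* A base chain is attached to a hook; a regular chain (only reached via
 * jump/goto) has no hook of its own. */
struct nft_chain {
	const char *name;
	int is_base;
	enum nf_inet_hooks hooknum;
};

/* Hooks at which a reject expression is allowed: INPUT, FORWARD, OUTPUT. */
#define NFT_REJECT_ALLOWED_HOOKS \
	((1U << NF_INET_LOCAL_IN) | (1U << NF_INET_FORWARD) | (1U << NF_INET_LOCAL_OUT))

/* Return 0 when the chain's hook is covered by hook_mask, -EOPNOTSUPP when a
 * base chain sits on a hook outside the mask. Regular chains carry no hook, so
 * they pass this check; only base chains are pinned to a hook here. */
int chain_validate_hooks(const struct nft_chain *chain, unsigned int hook_mask)
{
	if (!chain->is_base)
		return 0;
	if ((unsigned int)chain->hooknum >= NF_INET_NUMHOOKS)
		return -EINVAL;
	return (hook_mask & (1U << chain->hooknum)) ? 0 : -EOPNOTSUPP;
}

/* The per-expression validate step: reject is only usable on INPUT, FORWARD
 * and OUTPUT chains. */
int reject_validate(const struct nft_chain *chain)
{
	return chain_validate_hooks(chain, NFT_REJECT_ALLOWED_HOOKS);
}

/* Simulate loading "add rule filter <chain> reject": 0 if the rule is
 * accepted, a negative errno if the expression is refused at load time. */
int load_reject_rule(const char *chain_name, int is_base, enum nf_inet_hooks hooknum)
{
	struct nft_chain chain = { chain_name, is_base, hooknum };

	return reject_validate(&chain);
}

int main(void)
{
	/* Constructed rule set: one reject rule per chain type. */
	static const struct {
		const char *name;
		int is_base;
		enum nf_inet_hooks hook;
	} rules[] = {
		{ "prerouting",  1, NF_INET_PRE_ROUTING },
		{ "input",       1, NF_INET_LOCAL_IN },
		{ "forward",     1, NF_INET_FORWARD },
		{ "output",      1, NF_INET_LOCAL_OUT },
		{ "postrouting", 1, NF_INET_POST_ROUTING },
		{ "regular",     0, NF_INET_PRE_ROUTING },  /* hook field unused */
	};
	size_t i;

	for (i = 0; i < sizeof(rules) / sizeof(rules[0]); i++) {
		int ret = load_reject_rule(rules[i].name, rules[i].is_base, rules[i].hook);

		printf("add rule filter %-12s reject -> %s\n", rules[i].name,
		       ret == 0 ? "accepted" : "refused (EOPNOTSUPP)");
	}
	return 0;
}
```

The check runs once when the rule is added, which is where an invalid placement should fail; doing it in the packet path would cost a branch per packet and, as the report shows, is too late once the hook lacks the state nf_send_reset expects. A regular chain passes here because it has no hook; whether a jump from a prerouting base chain into such a chain is caught is a separate walk over the rule set that this example does not model.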

Re: [PATCH iptables 2/3] xtables-compat: check if nft ruleset is compatible

2016-08-21 Thread Arturo Borrero Gonzalez
On 21 August 2016 at 20:10, Pablo M. Bermudo Garay wrote: > This patch adds a verification of the compatibility between the nft > ruleset and iptables. If the nft ruleset is not compatible with > iptables, the execution stops and an error message is displayed to the > user. >

[PATCH 2/4 V6 nft] Implement deleting rule by description

2016-08-21 Thread Carlos Falgueras García
This patch introduces deletion in a similar fashion as in iptables, thus, we can delete the first rule that matches our description, for example: $ nft list -a ruleset table ip t { chain c { ip saddr 1.1.1.1 counter packets 0 bytes 0 #

[PATCH 4/4 V6 nft] parser: Improve syntax errors

2016-08-21 Thread Carlos Falgueras García
Shows a more informative message when user commits a syntax error: $ nft add rule t c handle 3 ... :1:14-19: Error: Did you mean `position'? add rule t c handle 3 ... ^^ $ nft delete rule t c position 3 ... :1:17-24: Error: Did you

[PATCH 1/4 V6 nft] Simplify parser rule_spec tree

2016-08-21 Thread Carlos Falgueras García
This patch separates the rule identification from the rule localization, so the logic moves from the evaluator to the parser. This allows reverting the patch "evaluate: improve rule managment checks" (4176c7d30c2ff1b3f52468fc9c08b8df83f979a8) and saves a lot of code. Signed-off-by: Carlos

[PATCH 3/4 V6 nft] test: shell: Add tests for deleting rule by description

2016-08-21 Thread Carlos Falgueras García
They check whether commands like "nft delete rule " work as expected. The first one checks that the command deletes only one of the matched rules. The second one checks that the command fails when the rule is not found. Signed-off-by: Carlos Falgueras García ---

[PATCH iptables 1/3] xtables-compat: remove useless functions

2016-08-21 Thread Pablo M. Bermudo Garay
The static function nft_rule_list_get was exposed outside nft.c through the nft_rule_list_create function, but this was never used out there. A similar situation occurs with nftnl_rule_list_free and nft_rule_list_destroy. This patch removes nft_rule_list_create and nft_rule_list_destroy for the

[PATCH iptables 3/3] xtables-compat: add rule cache

2016-08-21 Thread Pablo M. Bermudo Garay
This patch adds a cache of rules within the nft handle. This feature is more useful after the new checks of ruleset compatibility, since the rule list is loaded twice consecutively. Now all the operations causing changes in the ruleset must invalidate the cache, a function called flush_rule_cache

[PATCH iptables 2/3] xtables-compat: check if nft ruleset is compatible

2016-08-21 Thread Pablo M. Bermudo Garay
This patch adds a verification of the compatibility between the nft ruleset and iptables. If the nft ruleset is not compatible with iptables, the execution stops and an error message is displayed to the user. This checking is triggered by xtables-compat -L and xtables-compat-save commands.

[PATCH iptables] extensions: libxt_CLASSIFY: Add translation to nft

2016-08-21 Thread Liping Zhang
From: Liping Zhang For example: # iptables-translate -A OUTPUT -j CLASSIFY --set-class 0:0 nft add rule ip filter OUTPUT counter meta priority set none # iptables-translate -A OUTPUT -j CLASSIFY --set-class : nft add rule ip filter OUTPUT counter

[PATCH -next] netfilter: nft_hash: fix non static symbol warning

2016-08-21 Thread Wei Yongjun
Fixes the following sparse warning: net/netfilter/nft_hash.c:40:25: warning: symbol 'nft_hash_policy' was not declared. Should it be static? Signed-off-by: Wei Yongjun --- net/netfilter/nft_hash.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git