Re: [RFC nft PATCH] tests: shell: add a basic scapy test

On 30 November 2016 at 19:28, Pablo Neira Ayuso wrote: >> * You can probably augment this at some pointer to rely on the new >> nf_tables tracing infrastructure. >> That would be rather complex. > > Only one more question left: Do you think you can slightly generalize > this so we decouple tes

Re: [PATCH] netfilter: avoid warn and OOM on vmalloc call

On Wed, Nov 30, 2016 at 8:42 PM, Marcelo Ricardo Leitner wrote: > Hi Andrey, > > Please let me know how this works for you. It seems good here, though > your poc may still trigger OOM through other means. Hi Marcelo, Don't see any reports with this patch. Thanks! > > Thanks, > Marcelo > > ---8

[conntrack-tools PATCH] src: add log message when resync is requested by other node

If a resync is requested with 'conntrackd -n', a log message is printed in the caller node, but no message is printed in the other. Print a message so tracking the behaviour of a cluster is a bit easier. Signed-off-by: Arturo Borrero Gonzalez --- src/sync-ftfw.c|2 +- src/sync-notrack.c

Re: [RFC nft PATCH] tests: shell: add a basic scapy test

On Thu, Dec 01, 2016 at 09:10:53AM +0100, Arturo Borrero Gonzalez wrote: > On 30 November 2016 at 19:28, Pablo Neira Ayuso wrote: > >> * You can probably augment this at some pointer to rely on the new > >> nf_tables tracing infrastructure. > >> > > That would be rather complex. OK, let's star

[PATCH nft 1/2] rule: Introduce helper function cache_flush

cache_release empties the cache, and marks it as uninitialized. Add cache_flush, which does the same, except it keeps the cache initialized, eg. after a "nft flush ruleset" when empty is the correct state of the cache. Signed-off-by: Anatole Denis --- include/rule.h | 1 + src/rule.c | 7 +++

[PATCH nft 2/2] evaluate: Update cache on flush ruleset

After a flush, the cache should be empty, otherwise the cache and the expected state are desynced, causing unwarranted errors. See tests/shell/testcases/cache/0002_interval_0. `flush table` and `flush chain` don't empty sets or destroy chains, so the cache does not need an update in those cases, s

Re: [RFC nft PATCH] tests: shell: add a basic scapy test

On Thu, Dec 1, 2016 at 12:45 PM, Pablo Neira Ayuso wrote: > On Thu, Dec 01, 2016 at 09:10:53AM +0100, Arturo Borrero Gonzalez wrote: >> On 30 November 2016 at 19:28, Pablo Neira Ayuso wrote: >> >> * You can probably augment this at some pointer to rely on the new >> >> nf_tables tracing infrast

[PATCH nft] evaluate: return ctx->table from table_lookup_global()

Instead of returning ctx->cmd->table. Note that ctx->cmd->table and ctx->table points to the same object when all commands are embedded into the table definition. But this is not true if we mix table definitions with linear list commands in one file that we load via nft -f. Reported-by: Martin Bed

Re: [PATCH nft 1/2] rule: Introduce helper function cache_flush

On Thu, Dec 01, 2016 at 11:50:16AM +0100, Anatole Denis wrote: > cache_release empties the cache, and marks it as uninitialized. Add > cache_flush, > which does the same, except it keeps the cache initialized, eg. after a "nft > flush ruleset" when empty is the correct state of the cache. Applied

Re: [PATCH nft 2/2] evaluate: Update cache on flush ruleset

On Thu, Dec 01, 2016 at 11:50:17AM +0100, Anatole Denis wrote: > After a flush, the cache should be empty, otherwise the cache and the expected > state are desynced, causing unwarranted errors. See > tests/shell/testcases/cache/0002_interval_0. > > `flush table` and `flush chain` don't empty sets

Re: [conntrack-tools PATCH] src: add log message when resync is requested by other node

On Thu, Dec 01, 2016 at 10:59:02AM +0100, Arturo Borrero Gonzalez wrote: > If a resync is requested with 'conntrackd -n', a log message is printed > in the caller node, but no message is printed in the other. > > Print a message so tracking the behaviour of a cluster is a bit easier. Applied, tha

Re: [RFC nft PATCH] tests: shell: add a basic scapy test

On 1 December 2016 at 11:45, Pablo Neira Ayuso wrote: > I mean, it would be good if you place as much common code as possible > in the runner script, so individual unit tests don't result in too > much copy and paste. > Ok, I understand. Actually, as you know I'm just experimenting with this. A

Re: [PATCH 00/11] Netfilter fixes for net

From: Pablo Neira Ayuso Date: Wed, 30 Nov 2016 22:57:14 +0100 > This is a large batch of Netfilter fixes for net, they are: ... > I know is late but I think these are important, specifically the NAT > bits, as they are mostly addressing fallout from recent changes. I also > read there are chance

Re: [RFC nft PATCH] tests: shell: add a basic scapy test

On Thu, Dec 01, 2016 at 04:05:07PM +0100, Arturo Borrero Gonzalez wrote: > On 1 December 2016 at 11:45, Pablo Neira Ayuso wrote: > > I mean, it would be good if you place as much common code as possible > > in the runner script, so individual unit tests don't result in too > > much copy and paste.

Re: [PATCH] netfilter: avoid warn and OOM on vmalloc call

On Thu, Dec 01, 2016 at 10:42:22AM +0100, Andrey Konovalov wrote: > On Wed, Nov 30, 2016 at 8:42 PM, Marcelo Ricardo Leitner > wrote: > > Hi Andrey, > > > > Please let me know how this works for you. It seems good here, though > > your poc may still trigger OOM through other means. > > Hi Marcelo