Hi,
I'm trying to diagnose an incompatibility between my application
(Project Calico's Felix daemon) and another (Kubernetes' kube-proxy).
Both are (ab)using iptables-restore to do high-speed bulk updates to
iptables and they're both using --noflush so they can use
iptables-restore to edit only
The case where "nat.addr != NULL && nat.proto != NULL && type != ipv6"
wasn't caught in nat_stmt_print(). Now all cases should be considered.
Also, the if statements were reorganized to get rid of one nested if.
Fixes(Bug 1117 - Table ipv4-nat prerouting dnat doesn't accept dest IP:PORT)
On Friday 2017-02-03 21:37, Shaun Crampton wrote:
>
>I'm trying to diagnose an incompatibility between my application
>(Project Calico's Felix daemon) and another (Kubernetes' kube-proxy).
>Both are (ab)using iptables-restore to do high-speed bulk updates to
>iptables and they're both using
From: Pablo Neira Ayuso
Date: Fri, 3 Feb 2017 13:25:11 +0100
> The following patchset contains Netfilter updates for your net-next
> tree, they are:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
Pulled,
On Tue, Jan 31, 2017 at 2:44 PM, Richard Guy Briggs wrote:
> On 2017-01-31 17:13, Steve Grubb wrote:
...
>> I was curious about something. Auparse is trying to interpret the
>> icmptype field for every event. This is not good. Which fields are
>> valid for each kind of packet?
From: Florian Westphal
udplite was copied from udp; they are virtually 100% identical.
This adds udplite tracker to udp instead, removes udplite module,
and then makes the udplite tracker builtin.
udplite will then simply re-use udp timeout settings.
It makes little sense to
From: Florian Westphal
udplite nat was copied from udp nat; they are virtually 100% identical.
Not really surprising given udplite is just udp with partial csum coverage.
old:
   text    data     bss     dec     hex filename
  11606    1457     210   13273    33d9 nf_nat.ko
From: Liping Zhang
We missed adding descriptions for NFT_CT_LABELS, NFT_CT_PKTS and
NFT_CT_BYTES, now add them.
Signed-off-by: Liping Zhang
Signed-off-by: Pablo Neira Ayuso
---
include/uapi/linux/netfilter/nf_tables.h | 3 +++
1
From: Liping Zhang
Similar to xt_connbytes, user can match how many average bytes per packet
a connection has transferred so far.
Signed-off-by: Liping Zhang
Signed-off-by: Pablo Neira Ayuso
---
From: Willem de Bruijn
Convert iptables to copying entries, matches and targets one by one,
using the xt_match_to_user and xt_target_to_user helper functions.
Signed-off-by: Willem de Bruijn
Signed-off-by: Pablo Neira Ayuso
---
From: Willem de Bruijn
xt_entry_target, xt_entry_match and their private data may contain
kernel data.
Introduce helper functions xt_match_to_user, xt_target_to_user and
xt_data_to_user that copy only the expected fields. These replace
existing logic that calls copy_to_user
This adds the ability to set the conntrack zone from nftables, i.e.
native replacement for -j CT --zone $number.
See individual patches for details.
This will need more documentation and exposure of the builtin
hook priorities (e.g. via defines?) so users can more easily
see what's happening.
Signed-off-by: Florian Westphal
---
include/linux/netfilter/nf_tables.h | 2 ++
src/expr/ct.c | 3 ++-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/include/linux/netfilter/nf_tables.h
b/include/linux/netfilter/nf_tables.h
index
Next patch will add ZONE_ID set support which will need similar
error unwind (put operation) as conntrack labels.
Prepare for this: remove the 'label_got' boolean in favor
of a switch statement that can be extended in next patch.
As we already have that in the set_destroy function place that in
Signed-off-by: Florian Westphal
---
tests/py/any/ct.t | 13 +
tests/py/any/ct.t.payload | 44
2 files changed, 57 insertions(+)
diff --git a/tests/py/any/ct.t b/tests/py/any/ct.t
index 2cfbfe13ccd2..6f32d29c0c40
Once directional zone support is added we also need to print the
direction of the statement, so factor the common code to re-use
this helper from the statement print function.
Signed-off-by: Florian Westphal
---
src/ct.c | 13 +
1 file changed, 9 insertions(+), 4
This enables zone get/set support.
As the zone can be optionally tied to a direction as well we need a new
token for this (unless we turn reply/original into tokens in which case
we could handle zone via STRING).
There was some discussion on how zone set support should be handled,
especially
This is needed once we add support to set a zone, as in
ct zone set 42
Using integer_type makes nft use big-endian representation of the zone id
instead of the required host byte order.
When using 'ct zone 1', things will work because the (implicit) relational
operation makes sure that the left
From: Florian Westphal
After this change conntrack operations (lookup, creation, matching from
ruleset) only access one instead of two sk_buff cache lines.
This works for normal conntracks because those are allocated from a slab
that guarantees hw cacheline or 8-byte alignment
From: Florian Westphal
It is never accessed for reading and the only places that write to it
are the icmp(6) handlers, which also set skb->nfct (and skb->nfctinfo).
The conntrack core specifically checks for attached skb->nfct after
->error() invocation and returns early in this
From: Florian Westphal
Add a helper to assign a nf_conn entry and the ctinfo bits to an sk_buff.
This avoids changing code in followup patch that merges skb->nfct and
skb->nfctinfo into skb->_nfct.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
From: Liping Zhang
Since there's no broadcast address in IPv6, in the ipv6 family
PACKET_LOOPBACK must be multicast packets, so there's no need to check
it again.
Signed-off-by: Liping Zhang
Signed-off-by: Pablo Neira Ayuso
---
Hi David,
The following patchset contains Netfilter updates for your net-next
tree, they are:
1) Stash ctinfo 3-bit field into pointer to nf_conntrack object from
sk_buff so we only access one single cacheline in the conntrack
hotpath. Patchset from Florian Westphal.
2) Don't leak pointer
From: Florian Westphal
Followup patch renames skb->nfct and changes its type so add a helper to
avoid intrusive rename change later.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/linux/skbuff.h
From: Florian Westphal
Next patch makes direct skb->nfct access illegal, reduce noise
in next patch by using accessors we already have.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/net/ip_vs.h
From: Willem de Bruijn
In matches and targets that define a kernel-only tail to their
xt_match and xt_target data structs, add a field .usersize that
specifies up to where data is to be shared with userspace.
Performed a search for comment "Used internally by the kernel" to
From: Feng
If something fails in nf_tables_table_enable(), it unregisters the
chains. But the rollback code is almost the same as nf_tables_table_disable(),
except for one counter check. Now create one wrapper
function to eliminate the duplicated code.
Signed-off-by:
From: Willem de Bruijn
Convert ebtables to copying entries, matches and targets one by one.
The solution is analogous to that of generic xt_(match|target)_to_user
helpers, but is applied to different structs.
Convert existing helpers ebt_make_XXXname helpers that overwrite
From: Willem de Bruijn
Convert compat to copying entries, matches and targets one by one,
using the xt_match_to_user and xt_target_to_user helper functions.
Signed-off-by: Willem de Bruijn
Signed-off-by: Pablo Neira Ayuso
---
From: Liping Zhang
After adding the following nft rule, then ping 224.0.0.1:
# nft add rule netdev t c pkttype host counter
The warning complain message will be printed out again and again:
WARNING: CPU: 0 PID: 10182 at net/netfilter/nft_meta.c:163 \
From: Geliang Tang
To make the code clearer, use rb_entry() instead of container_of() to
deal with rbtree.
Signed-off-by: Geliang Tang
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/xt_connlimit.c | 4 ++--
1 file
From: Willem de Bruijn
Convert ip6tables to copying entries, matches and targets one by one,
using the xt_match_to_user and xt_target_to_user helper functions.
Signed-off-by: Willem de Bruijn
Signed-off-by: Pablo Neira Ayuso
---
From: Willem de Bruijn
Convert arptables to copying entries, matches and targets one by one,
using the xt_match_to_user and xt_target_to_user helper functions.
Signed-off-by: Willem de Bruijn
Signed-off-by: Pablo Neira Ayuso
---
Signed-off-by: Kaarle Ritvanen
---
ulogd.logrotate | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ulogd.logrotate b/ulogd.logrotate
index b3fb6d1..a865353 100644
--- a/ulogd.logrotate
+++ b/ulogd.logrotate
@@ -1,4 +1,4 @@
-/var/log/ulogd.log
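Review bot: only the removed line `-/var/log/ulogd.log` of this hunk is visible, and the diffstat (1 insertion, 1 deletion) says a replacement line exists, so the new log path cannot be checked here; the commit message above carries nothing beyond the Signed-off-by, and it should state what the path is changed to and why (for example a different log location or file name), since logrotate silently stops rotating a file whose path no longer matches what ulogd writes.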
the change causes non-ipv6 addresses to not be printed at all in case
a nfproto was given.
Also add a test case to catch this.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1117
Fixes: 5ab0e10fc6e2c22363a ("src: support for RFC2732 IPv6 address format with
brackets")
Signed-off-by: