Re: [PATCH V2 2/2] netfilter: ctnetlink: Fix regression in CTA_HELP processing

2017-02-06 Thread Pablo Neira Ayuso
On Thu, Jan 26, 2017 at 02:49:44PM -0800, Kevin Cernekee wrote: > Prior to Linux 4.4, it was usually harmless to send a CTA_HELP attribute > containing the name of the current helper. That is no longer the case: > as of Linux 4.4, if ctnetlink_change_helper() returns an error from > the

Re: [PATCH V2 1/2] netfilter: ctnetlink: Fix regression in CTA_STATUS processing

2017-02-06 Thread Pablo Neira Ayuso
On Thu, Jan 26, 2017 at 02:49:43PM -0800, Kevin Cernekee wrote: > The libnetfilter_conntrack userland library always sets IPS_CONFIRMED > when building a CTA_STATUS attribute. If this toggles the bit from > 0->1, the parser will return an error. On Linux 4.4+ this will cause any > NFQA_EXP

RE: [PATCH 24/27] netfilter: guarantee 8 byte minalign for template addresses

2017-02-06 Thread David Laight
From: Pablo Neira Ayuso > Sent: 03 February 2017 12:26 > The next change will merge skb->nfct pointer and skb->nfctinfo > status bits into single skb->_nfct (unsigned long) area. > > For this to work nf_conn addresses must always be aligned at least on > an 8 byte boundary since we will need the

[PATCH iptables V2 2/2] xshared: using the blocking file lock request when we wait indefinitely

2017-02-06 Thread Liping Zhang
From: Liping Zhang When using "-w" to avoid concurrent instances, we try to do flock() every one second until it succeeds. But one second may be too long in some situations, and it's hard to select a suitable interval time. So when using "iptables -w" to wait indefinitely,

ANNOUNCE: Netdev 2.1 update Feb 06

2017-02-06 Thread Jamal Hadi Salim
A few announcements: - We expect to open up registration and announce hotel and location this week. - We are pleased to announce the first netdev 2.1 sponsor! Many thanks to Mellanox who has been a strong supporter of the netdev community. Mellanox is first to cross the netdev2.1 sponsor line

Re: [PATCH] netfilter: xt_hashlimit: Fix integer divide round to zero.

2017-02-06 Thread Pablo Neira Ayuso
On Sat, Feb 04, 2017 at 11:47:31PM +0100, Alban Browaeys wrote: > Dividing the divider by the multiplier before applying to the input. > When this would "divide by zero", divide the multiplier by the divider > first then multiply the input by this value. > > Currently user2creds outputs zero when

Re: [nf-next PATCH] netfilter: nf_tables: exthdr: Add support for existence check

2017-02-06 Thread Pablo Neira Ayuso
On Tue, Jan 17, 2017 at 10:51:26PM +0100, Phil Sutter wrote: > If NFT_EXTHDR_F_PRESENT is set, exthdr will not copy any header field > data into *dest, but instead set it to 1 if the header is found and 0 > otherwise. Applied this one, thanks Phil. I have fixed this here, via sparse (make C=2):

[PATCH nftables 4/7] src: add TCP option matching

2017-02-06 Thread Manuel Messner
This patch enables nft to match against TCP options. Currently these TCP options are supported: * End of Option List (eol) * No-Operation (noop) * Maximum Segment Size (maxseg) * Window Scale (window) * SACK Permitted (sack_permitted) * SACK (sack) * Timestamps (timestamp) Syntax: tcp options

[PATCH nf-next 1/1] net: netfilter: nft_exthdr: add TCP option matching

2017-02-06 Thread Manuel Messner
This patch implements the kernel side of the TCP option patch. Signed-off-by: Manuel Messner Reviewed-by: Florian Westphal --- include/uapi/linux/netfilter/nf_tables.h | 17 - net/netfilter/Kconfig| 4 +- net/netfilter/nft_exthdr.c

[PATCH nftables 0/7] TCP option matching

2017-02-06 Thread Manuel Messner
This patch set is part of the TCP option matching implementation for nftables. These patch sets enable nft to match against the following TCP options: * End of Option List * No-Operation * Maximum Segment Size * Window Scale * SACK * SACK Permitted * Timestamps Florian Westphal (1): payload:

[PATCH nftables 6/7] payload: automatically kill dependencies for exthdr and tcpopt

2017-02-06 Thread Manuel Messner
This patch automatically removes the dependencies for exthdr and tcpopt. # nft add rule filter input tcp option maxseg kind 3 counter. # nft list table filter input Before: # ip protocol 6 tcp option maxseg kind 3 counter After: # tcp option maxseg kind 3 counter Thus allowing to write

[PATCH nftables 3/7] exthdr: prepare exthdr_gen_dependency for tcp support

2017-02-06 Thread Manuel Messner
Currently exthdr always needs ipv6 dependency (i.e. link layer), but with upcoming TCP option matching we also need to include TCP at the network layer. This patch prepares this change by adding two parameters to exthdr_gen_dependency. Signed-off-by: Manuel Messner

[PATCH nftables 1/7] include: linux: netfilter: nf_tables: copy file from nf-next

2017-02-06 Thread Manuel Messner
Signed-off-by: Manuel Messner Reviewed-by: Florian Westphal --- include/linux/netfilter/nf_tables.h | 17 - 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h

[PATCH nf-next 0/1] TCP option matching

2017-02-06 Thread Manuel Messner
This patch set is part of the TCP option matching implementation for nftables. Manuel Messner (1): src: add TCP option matching requirements include/libnftnl/expr.h | 1 + include/linux/netfilter/nf_tables.h | 17 - src/expr/exthdr.c | 49

Re: [nft PATCH 0/3] Boolean comparison and exthdr existence match support

2017-02-06 Thread Phil Sutter
Hi Pablo, On Mon, Jan 23, 2017 at 01:57:47PM +0100, Pablo Neira Ayuso wrote: > On Tue, Jan 17, 2017 at 11:10:04PM +0100, Phil Sutter wrote: > > The following series adds two distinct features to nftables, though > > since the second one depends on presence of the first one this is > > submitted

Re: [PATCH] netfilter: xt_hashlimit: Fix integer divide round to zero.

2017-02-06 Thread Alban Browaeys
On Monday, 06 February 2017 at 14:04 +0100, Pablo Neira Ayuso wrote: > On Sat, Feb 04, 2017 at 11:47:31PM +0100, Alban Browaeys wrote: > > diff --git a/net/netfilter/xt_hashlimit.c > > b/net/netfilter/xt_hashlimit.c > > index 10063408141d..df75ad643eef 100644 > > --- a/net/netfilter/xt_hashlimit.c

Re: [RFC PATCH] audit: normalize NETFILTER_PKT

2017-02-06 Thread Paul Moore
On Sat, Feb 4, 2017 at 8:25 AM, Steve Grubb wrote: > On Friday, February 3, 2017 6:44:16 PM EST Paul Moore wrote: >> I'm still trying to understand what purpose this record actually >> serves, and what requirements may exist. In an earlier thread >> somewhere Steve mentioned

Re: [PATCH nftables 5/9] src: add host byte order integer type

2017-02-06 Thread Pablo Neira Ayuso
On Mon, Feb 06, 2017 at 06:31:10PM +0100, Pablo Neira Ayuso wrote: > On Fri, Feb 03, 2017 at 01:35:52PM +0100, Florian Westphal wrote: > > diff --git a/include/datatype.h b/include/datatype.h > > index 9f127f2954e3..8c1c827253be 100644 > > --- a/include/datatype.h > > +++ b/include/datatype.h > >

[PATCH nft] datatype: Replace getaddrinfo() by internal lookup table

2017-02-06 Thread Elise Lennion
Nftables uses an internal service table to print service names. This very table should be used when parsing new rules, to avoid conflicts between nft service table and the local /etc/services, when loading an exported ruleset. Complements the commit: (ccc5da4: datatype: Replace getnameinfo() by

Re: Chain priorities for NAT

2017-02-06 Thread Pablo Neira Ayuso
On Thu, Feb 02, 2017 at 01:52:18PM +0100, Christoph Pleger wrote: > Hello, > > On 2017-01-11, I wrote: > > > The Wiki on https://wiki.nftables.org mentions two priorities > specifically available for NAT, -100 and 100. But of these two, the > wiki's example for NAT only uses the value 100 for

Re: [nft PATCH 0/3] Boolean comparison and exthdr existence match support

2017-02-06 Thread Pablo Neira Ayuso
On Mon, Feb 06, 2017 at 03:26:20PM +0100, Phil Sutter wrote: [...] > On Mon, Jan 23, 2017 at 01:57:47PM +0100, Pablo Neira Ayuso wrote: > > On Tue, Jan 17, 2017 at 11:10:04PM +0100, Phil Sutter wrote: > > > The following series adds two distinct features to nftables, though > > > since the second

Re: [PATCH nftables 5/9] src: add host byte order integer type

2017-02-06 Thread Pablo Neira Ayuso
On Fri, Feb 03, 2017 at 01:35:52PM +0100, Florian Westphal wrote: > diff --git a/include/datatype.h b/include/datatype.h > index 9f127f2954e3..8c1c827253be 100644 > --- a/include/datatype.h > +++ b/include/datatype.h > @@ -82,6 +82,7 @@ enum datatypes { > TYPE_DSCP, > TYPE_ECN, >

Re: [PATCH nft] datatype: Replace getaddrinfo() by internal lookup table

2017-02-06 Thread Pablo Neira Ayuso
On Mon, Feb 06, 2017 at 01:53:40PM -0200, Elise Lennion wrote: > Nftables uses an internal service table to print service names. This > very table should be used when parsing new rules, to avoid conflicts > between nft service table and the local /etc/services, when loading > an exported ruleset. >

[PATCH v2] netfilter: xt_hashlimit: Fix integer divide round to zero.

2017-02-06 Thread Alban Browaeys
Dividing the divider by the multiplier before applying to the input. When this would "divide by zero", divide the multiplier by the divider first then multiply the input by this value. Currently user2creds outputs zero when input value is bigger than the number of slices and lower than scale. This

Re: [PATCH nftables 5/9] src: add host byte order integer type

2017-02-06 Thread Florian Westphal
Pablo Neira Ayuso wrote: > On Fri, Feb 03, 2017 at 01:35:52PM +0100, Florian Westphal wrote: > > diff --git a/include/datatype.h b/include/datatype.h > > index 9f127f2954e3..8c1c827253be 100644 > > --- a/include/datatype.h > > +++ b/include/datatype.h > > @@ -82,6 +82,7 @@