On Thu, Jan 26, 2017 at 02:49:44PM -0800, Kevin Cernekee wrote:
> Prior to Linux 4.4, it was usually harmless to send a CTA_HELP attribute
> containing the name of the current helper. That is no longer the case:
> as of Linux 4.4, if ctnetlink_change_helper() returns an error from
> the
On Thu, Jan 26, 2017 at 02:49:43PM -0800, Kevin Cernekee wrote:
> The libnetfilter_conntrack userland library always sets IPS_CONFIRMED
> when building a CTA_STATUS attribute. If this toggles the bit from
> 0->1, the parser will return an error. On Linux 4.4+ this will cause any
> NFQA_EXP
From: Pablo Neira Ayuso
> Sent: 03 February 2017 12:26
> The next change will merge skb->nfct pointer and skb->nfctinfo
> status bits into single skb->_nfct (unsigned long) area.
>
> For this to work nf_conn addresses must always be aligned at least on
> an 8 byte boundary since we will need the
From: Liping Zhang
When using "-w" to avoid concurrent instances, we try to do flock() every
second until it succeeds. But one second may be too long in some
situations, and it's hard to select a suitable interval time. So when
using "iptables -w" to wait indefinitely,
A few announcements:
- We expect to open up registration and announce hotel and location
this week.
- We are pleased to announce the first netdev 2.1 sponsor!
Many thanks to Mellanox who has been a strong supporter of the netdev
community. Mellanox is first to cross the netdev2.1 sponsor line
On Sat, Feb 04, 2017 at 11:47:31PM +0100, Alban Browaeys wrote:
> Dividing the divider by the multiplier before applying to the input.
> When this would "divide by zero", divide the multiplier by the divider
> first then multiply the input by this value.
>
> Currently user2creds outputs zero when
On Tue, Jan 17, 2017 at 10:51:26PM +0100, Phil Sutter wrote:
> If NFT_EXTHDR_F_PRESENT is set, exthdr will not copy any header field
> data into *dest, but instead set it to 1 if the header is found and 0
> otherwise.
Applied this one, thanks Phil.
I have fixed this here, via sparse (make C=2):
This patch enables nft to match against TCP options.
Currently these TCP options are supported:
* End of Option List (eol)
* No-Operation (noop)
* Maximum Segment Size (maxseg)
* Window Scale (window)
* SACK Permitted (sack_permitted)
* SACK (sack)
* Timestamps (timestamp)
Syntax: tcp options
This patch implements the kernel side of the TCP option patch.
Signed-off-by: Manuel Messner
Reviewed-by: Florian Westphal
---
include/uapi/linux/netfilter/nf_tables.h | 17 -
net/netfilter/Kconfig| 4 +-
net/netfilter/nft_exthdr.c
This patch set is part of the TCP option matching implementation for nftables.
These patch sets enable nft to match against the following TCP options:
* End of Option List
* No-Operation
* Maximum Segment Size
* Window Scale
* SACK
* SACK Permitted
* Timestamps
Florian Westphal (1):
payload:
This patch automatically removes the dependencies for exthdr and tcpopt.
# nft add rule filter input tcp option maxseg kind 3 counter.
# nft list table filter input
Before:
# ip protocol 6 tcp option maxseg kind 3 counter
After:
# tcp option maxseg kind 3 counter
Thus allowing one to write
Currently exthdr always needs an ipv6 dependency (i.e. link layer), but
with upcoming TCP option matching we also need to include TCP at the
network layer.
This patch prepares this change by adding two parameters to
exthdr_gen_dependency.
Signed-off-by: Manuel Messner
Signed-off-by: Manuel Messner
Reviewed-by: Florian Westphal
---
include/linux/netfilter/nf_tables.h | 17 -
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
This patch set is part of the TCP option matching implementation for nftables.
Manuel Messner (1):
src: add TCP option matching requirements
include/libnftnl/expr.h | 1 +
include/linux/netfilter/nf_tables.h | 17 -
src/expr/exthdr.c | 49
Hi Pablo,
On Mon, Jan 23, 2017 at 01:57:47PM +0100, Pablo Neira Ayuso wrote:
> On Tue, Jan 17, 2017 at 11:10:04PM +0100, Phil Sutter wrote:
> > The following series adds two distinct features to nftables, though
> > since the second one depends on presence of the first one this is
> > submitted
On Monday, 06 February 2017 at 14:04 +0100, Pablo Neira Ayuso wrote:
> On Sat, Feb 04, 2017 at 11:47:31PM +0100, Alban Browaeys wrote:
> > diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
> > index 10063408141d..df75ad643eef 100644
> > --- a/net/netfilter/xt_hashlimit.c
On Sat, Feb 4, 2017 at 8:25 AM, Steve Grubb wrote:
> On Friday, February 3, 2017 6:44:16 PM EST Paul Moore wrote:
>> I'm still trying to understand what purpose this record actually
>> serves, and what requirements may exist. In an earlier thread
>> somewhere Steve mentioned
On Mon, Feb 06, 2017 at 06:31:10PM +0100, Pablo Neira Ayuso wrote:
> On Fri, Feb 03, 2017 at 01:35:52PM +0100, Florian Westphal wrote:
> > diff --git a/include/datatype.h b/include/datatype.h
> > index 9f127f2954e3..8c1c827253be 100644
> > --- a/include/datatype.h
> > +++ b/include/datatype.h
> >
Nftables uses an internal service table to print service names. This
very table should be used when parsing new rules, to avoid conflicts
between the nft service table and the local /etc/services when loading
an exported ruleset.
Complements the commit:
(ccc5da4: datatype: Replace getnameinfo() by
On Thu, Feb 02, 2017 at 01:52:18PM +0100, Christoph Pleger wrote:
> Hello,
>
> On 2017-01-11, I wrote:
>
> > The Wiki on https://wiki.nftables.org mentions two priorities
> specifically available for NAT, -100 and 100. But of these two, the
> wiki's example for NAT only uses the value 100 for
On Mon, Feb 06, 2017 at 03:26:20PM +0100, Phil Sutter wrote:
[...]
> On Mon, Jan 23, 2017 at 01:57:47PM +0100, Pablo Neira Ayuso wrote:
> > On Tue, Jan 17, 2017 at 11:10:04PM +0100, Phil Sutter wrote:
> > > The following series adds two distinct features to nftables, though
> > > since the second
On Fri, Feb 03, 2017 at 01:35:52PM +0100, Florian Westphal wrote:
> diff --git a/include/datatype.h b/include/datatype.h
> index 9f127f2954e3..8c1c827253be 100644
> --- a/include/datatype.h
> +++ b/include/datatype.h
> @@ -82,6 +82,7 @@ enum datatypes {
> TYPE_DSCP,
> TYPE_ECN,
>
On Mon, Feb 06, 2017 at 01:53:40PM -0200, Elise Lennion wrote:
> Nftables uses an internal service table to print service names. This
> very table should be used when parsing new rules, to avoid conflicts
> between the nft service table and the local /etc/services when loading
> an exported ruleset.
>
Dividing the divider by the multiplier before applying to the input.
When this would "divide by zero", divide the multiplier by the divider
first then multiply the input by this value.
Currently user2creds outputs zero when the input value is bigger than the
number of slices and lower than scale.
This
Pablo Neira Ayuso wrote:
> On Fri, Feb 03, 2017 at 01:35:52PM +0100, Florian Westphal wrote:
> > diff --git a/include/datatype.h b/include/datatype.h
> > index 9f127f2954e3..8c1c827253be 100644
> > --- a/include/datatype.h
> > +++ b/include/datatype.h
> > @@ -82,6 +82,7 @@