[PATCH] nfnetlink_log: fix the typo

2017-02-15 Thread 段炯
From 5a4a39fd4373e78b0019b0180718e96c85b1fdd7 Mon Sep 17 00:00:00 2001
From: Duan Jiong
Date: Thu, 16 Feb 2017 11:07:38 +0800
Subject: [PATCH] nfnetlink_log: fix the typo

s/nfetlink/nfnetlink/

Signed-off-by: Duan Jiong
---

[PATCH libnftnl 1/3] common: get rid of nftnl_batch_build_hdr()

2017-02-15 Thread Pablo Neira Ayuso
Add __nftnl_nlmsg_build_hdr() so nftnl_batch_build_hdr() and nftnl_nlmsg_build_hdr() share the same code.

Signed-off-by: Pablo Neira Ayuso
---
 include/libnftnl/common.h |  4 ++--
 src/common.c              | 41 ++---
 2 files changed, 20

[PATCH libnftnl 2/3] common: return nlmsghdr in nftnl_batch_{begin,end}()

2017-02-15 Thread Pablo Neira Ayuso
Useful to append netlink attributes after the batch headers.

Signed-off-by: Pablo Neira Ayuso
---
 include/libnftnl/common.h |  4 ++--
 src/common.c              | 12 ++--
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/include/libnftnl/common.h

[PATCH libnftnl 3/3] rule: add NFTA_RULE_ID attribute

2017-02-15 Thread Pablo Neira Ayuso
This patch adds the new NFTA_RULE_ID attribute.

Signed-off-by: Pablo Neira Ayuso
---
 include/libnftnl/rule.h             |  1 +
 include/linux/netfilter/nf_tables.h |  2 ++
 src/rule.c                          | 38 -
 3 files changed, 40

Re: Parameter 'size' in type list:set is ignored

2017-02-15 Thread Jozsef Kadlecsik
Hi,

On Tue, 14 Feb 2017, Vishwanath Pai wrote:

> I noticed that in recent versions of ipset the parameter 'size' in set
> type list:set is ignored. I noticed this change in the latest upstream
> code. In kernel 4.1 'ipset add' errors out when I try to add more
> elements than 'size' but in

[Question] Is there some documentation for nftables development

2017-02-15 Thread Fabian Franz
Hi there, is there some documentation available on how to create a custom match for a firewall rule (nftables)? What I want to create is a custom match which will query a user space application whether the packet is allowed (returning a bool value). Kind regards Fabian Franz -- To unsubscribe from

Re: [Question] Is there some documentation for nftables development

2017-02-15 Thread Fabian Franz
Hi Anatole, I am aware of this option, but this is still not what I want. For example, I want to have a firewall rule "tcp ssh user fabian accept" to have a rule with my user in the match. For the authentication, a captive portal or a radius server for 802.1X may be an option. The user is part

[RFC nf-next] netfilter: ct: add helper assignment support

2017-02-15 Thread Florian Westphal
This RFC adds native support to assign conntrack helpers. Not even compile tested. It adds NFT_OBJECT_CT_HELPER to assign helpers to connections by using the stateful objects infra that is in place for quota and counter. This would also need NFT_OBJECT_CT_TIMEOUT to support custom timeouts in

Re: [RFC nf-next] netfilter: ct: add helper assignment support

2017-02-15 Thread Pablo Neira Ayuso
On Wed, Feb 15, 2017 at 05:25:36PM +0100, Florian Westphal wrote:
> This RFC adds native support to assign conntrack helpers.
> Not even compile tested.
>
> It adds NFT_OBJECT_CT_HELPER to assign helpers to connections
> by using the stateful objects infra that is in place for quota and counter.

Re: [RFC nf-next] netfilter: ct: add helper assignment support

2017-02-15 Thread Florian Westphal
Pablo Neira Ayuso wrote:
> > Note from myself, i dislike L3PROTO, it would be nicer to be able
> > to handle this via the table family but I did not yet find a way
> > to detect this from the obj->init() function.
>
> We can pass nft_ctx to obj->init().

OK, I can make that

[PATCH] netfilter: ipset: Null pointer exception in ipset list:set

2017-02-15 Thread Vishwanath Pai
If we use before/after to add an element to an empty list it will cause a kernel panic.

$> cat crash.restore
create a hash:ip
create b hash:ip
create test list:set timeout 5 size 4
add test b before a
$> ipset -R < crash.restore

Executing the above will crash the kernel.

Signed-off-by:

Re: AUDIT_NETFILTER_PKT message format

2017-02-15 Thread Paul Moore
On Mon, Feb 13, 2017 at 7:24 PM, Richard Guy Briggs wrote:
> On 2017-02-13 18:50, Paul Moore wrote:
>> On Mon, Feb 13, 2017 at 3:50 PM, Richard Guy Briggs wrote:

...

>> > helpful action, hook
>>
>> I haven't checked, but do we allow setting of an audit

Re: conntrack_ftp and DNAT

2017-02-15 Thread Florian Westphal
Klaus Ethgen wrote:
> allow me to ask a question about conntrack and nf_conntrack_ftp and
> nf_nat_ftp and DNAT.
>
> I have a host where I do DNAT from the main IPv4 address to the backend
> ftp server. Currently I have the server data connections limited to a
> small port