On Sun, Apr 16, 2017 at 01:29:13AM +0200, Florian Westphal wrote:
> 3 years ago we had to bump the offsets to the extensions
> (223b02d923ecd7c84cf9780bb3686f455d279279,
> "netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len")
> because total size of all extensions had increased to a
On Tue, Apr 18, 2017 at 05:49:56PM +0200, Florian Westphal wrote:
> The commit ab8bc7ed864b9c4f1fcb00a22bbe4e0f66ce8003
> ("netfilter: remove nf_ct_is_untracked")
> changed the line
> if (ct && !nf_ct_is_untracked(ct) && nfct_nat(ct)) {
> to
> if (ct && nfct_nat(ct)) {
>
>
On Fri, Apr 14, 2017 at 12:52:05PM +0800, Gao Feng wrote:
> > -Original Message-
> > From: netfilter-devel-ow...@vger.kernel.org
> > On Fri, Apr 14, 2017 at 07:04:44AM +0800, Gao Feng wrote:
> > > > -Original Message-
> > > > From: Pablo Neira Ayuso [mailto:pa...@netfilter.org]
> >
On Wed, Apr 19, 2017 at 09:23:42AM +0800, gfree.w...@foxmail.com wrote:
> From: Gao Feng
>
> The window scale may be enlarged from 14 to 15 according to the IETF
> draft https://tools.ietf.org/html/draft-nishida-tcpm-maxwin-03.
>
> Use the macro TCP_MAX_WSCALE to support it
Florian Westphal wrote:
> Defer registration of the synproxy hooks until the first SYNPROXY rule is
> added. Also means we only register hooks in namespaces that need it.
On a related note: should I bother with CLUSTERIP or can we remove it?
On Sat, Apr 15, 2017 at 12:16:47PM +0200, Vincent Bernat wrote:
> When an unknown option is given, iptables-restore should exit instead of
> continuing its operation. For example, if `--table` was misspelled, this
> could lead to an unwanted change. Moreover, exit with a status code of
> 1. Make the
Signed-off-by: Pablo M. Bermudo Garay
---
xlate-test.py | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/xlate-test.py b/xlate-test.py
index 37760e9..43c4be1 100755
--- a/xlate-test.py
+++ b/xlate-test.py
@@ -72,7 +72,9 @@ def load_test_files():
def
This commit replaces subprocess.run (introduced in python 3.5) with
subprocess.Popen (supported since the first version of python 3).
Furthermore, the output has been improved when ip[6]tables-translate
exits with a non-zero return code.
Signed-off-by: Pablo M. Bermudo Garay
nf_(un)register_hooks has to maintain an internal hook list to add/remove
those hooks from net namespaces as they are added/deleted.
ipvs already uses pernet_ops, so we can switch to the (more recent)
pernet hook api instead.
Compile tested only.
Signed-off-by: Florian Westphal
Hi, all.
Can anybody tell me how I can determine the right buf size for recv()
in a libnetfilter_queue program.
http://www.netfilter.org/projects/libnetfilter_queue/doxygen/group__Queue.html#gae36aee5b74d0c88d2f8530e356f68b79
tells nothing about this.
P.S. Sorry for the noob question.
P.P.S. sorry,
Not all parameters passed to ctnetlink_parse_tuple() and
ctnetlink_exp_dump_tuple() match the enum type in the signatures of these
functions. Since this is intended, change the argument type to an int
value.
Signed-off-by: Matthias Kaehlcke
---
On Sat, Apr 15, 2017 at 07:26:10PM +0200, Florian Westphal wrote:
> By default the kernel emits all ctnetlink events for a connection.
> This allows selecting the types of events to generate.
>
> This can be used to e.g. only send DESTROY events but no NEW/UPDATE ones
> and will work even if
When trying to redirect bridged frames to the bridge device itself or
a bridge port (brouting) via the dnat target, this currently fails:
The ethernet destination of the frame is dnat'ed to the MAC address of
the bridge device or port just fine. However, the IP code drops it in
the beginning
On Wed, Apr 19, 2017 at 12:41:10PM -0700, Joe Perches said:
> On Wed, 2017-04-19 at 11:39 -0700, Matthias Kaehlcke wrote:
> > Not all parameters passed to ctnetlink_parse_tuple() and
> > ctnetlink_exp_dump_tuple() match the enum type in the signatures of these
> > functions.
>
> Maybe that
On Wed, Apr 19, 2017 at 09:57:55PM +0200, Pablo Neira Ayuso wrote:
> On Wed, Apr 19, 2017 at 09:22:08AM -0700, Eric Dumazet wrote:
> > On Wed, 2017-04-19 at 17:58 +0200, Pablo Neira Ayuso wrote:
> > > On Wed, Apr 19, 2017 at 09:23:42AM +0800, gfree.w...@foxmail.com wrote:
> > > > From: Gao Feng
On Wed, 2017-04-19 at 11:39 -0700, Matthias Kaehlcke wrote:
> Not all parameters passed to ctnetlink_parse_tuple() and
> ctnetlink_exp_dump_tuple() match the enum type in the signatures of these
> functions.
Maybe that should be changed/fixed.
> Since this is intended, change the argument type of
> On Apr 19, 2017, at 3:30 AM, Pablo Neira Ayuso wrote:
>
> On Tue, Apr 18, 2017 at 12:24:28PM -0700, Joe Stringer wrote:
>> On 18 April 2017 at 11:33, Jarno Rajahalme wrote:
>>>
On Apr 18, 2017, at 11:27 AM, Joe Stringer wrote:
Oleg wrote:
> Can anybody tell me how I can determine the right buf size for recv()
> in a libnetfilter_queue program.
>
> http://www.netfilter.org/projects/libnetfilter_queue/doxygen/group__Queue.html#gae36aee5b74d0c88d2f8530e356f68b79
>
> tells nothing about this.
I'd
Similar to ip_register_table, pass nf_hook_ops to ebt_register_table().
This allows hook registration to be handled via pernet_ops as well and allows
us to avoid use of the legacy register_hook api.
Signed-off-by: Florian Westphal
---
include/linux/netfilter_bridge/ebtables.h | 6 ++-
It looks like decnet isn't namespacified in the first place, so restrict hook
registration to the initial namespace.
Prepares for eventual removal of legacy nf_register_hook() api.
Signed-off-by: Florian Westphal
---
net/decnet/netfilter/dn_rtmsg.c | 4 ++--
1 file changed, 2
Peter Tirsek wrote:
> Commit 834184b1f3a4 ("netfilter: defrag: only register defrag
> functionality if needed") used the outdated XT_SOCKET_HAVE_IPV6 macro
> which was removed earlier in commit 8db4c5be88f6 ("netfilter: move
> socket lookup infrastructure to
Defer registration of the synproxy hooks until the first SYNPROXY rule is
added. Also means we only register hooks in namespaces that need it.
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack_synproxy.h | 2 +
net/ipv4/netfilter/ipt_SYNPROXY.c
On Wed, 2017-04-19 at 17:58 +0200, Pablo Neira Ayuso wrote:
> On Wed, Apr 19, 2017 at 09:23:42AM +0800, gfree.w...@foxmail.com wrote:
> > From: Gao Feng
> >
> > The window scale may be enlarged from 14 to 15 according to the IETF
> > draft
The prealloc flag is only used for the nat extension (and
that extension is not even needed anymore in some cases).
This removes prealloc, marks all extension structs as const and then
also simplifies the initial extension allocation.
Currently (default settings), each conntrack will use 64
It was used by the nat extension, but since commit 7c9664351980
("netfilter: move nat hlist_head to nf_conn") it's only needed
for connections that use the MASQUERADE target or a nat helper.
Also it seems a lot easier to preallocate a fixed size instead.
With default settings, conntrack first adds
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack_extend.h | 4 ++--
net/netfilter/nf_conntrack_acct.c | 2 +-
net/netfilter/nf_conntrack_ecache.c | 2 +-
net/netfilter/nf_conntrack_extend.c | 4 ++--
krealloc(NULL, ..) is the same as kmalloc(), so we can avoid special-casing
the initial allocation after the prealloc removal (we had to use
->alloc_len as the initial allocation size).
This also means we do not zero the preallocated memory anymore; only
offsets[]. Existing code makes sure the new
> On Wed, Apr 19, 2017 at 09:57:55PM +0200, Pablo Neira Ayuso wrote:
> > On Wed, Apr 19, 2017 at 09:22:08AM -0700, Eric Dumazet wrote:
> > > On Wed, 2017-04-19 at 17:58 +0200, Pablo Neira Ayuso wrote:
> > > > On Wed, Apr 19, 2017 at 09:23:42AM +0800, gfree.w...@foxmail.com
> wrote:
> > > > > From:
Hi Florian,
[auto build test WARNING on nf-next/master]
url:
https://github.com/0day-ci/linux/commits/Florian-Westphal/netfilter-conntrack-removal-prealloc-support/20170420-100813
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
reproduce:
# apt-get
On Tue, Apr 18, 2017 at 12:24:28PM -0700, Joe Stringer wrote:
> On 18 April 2017 at 11:33, Jarno Rajahalme wrote:
> >
> >> On Apr 18, 2017, at 11:27 AM, Joe Stringer wrote:
> >>
> >> On 14 April 2017 at 14:26, Jarno Rajahalme wrote:
> >>> Conntrack
On Fri, Apr 14, 2017 at 12:27:00AM +0200, Pablo Neira Ayuso wrote:
> On Mon, Apr 03, 2017 at 03:11:27PM +0900, Ken-ichirou MATSUZAWA wrote:
> > enables to help to wrap these. As of this C library, we can use
> > this like below without double sized buffer.
> >
> > char
On Tue, Apr 18, 2017 at 12:43:15PM -0700, Matthias Kaehlcke wrote:
> On Tue, Apr 18, 2017 at 12:41:16PM -0700, Matthias Kaehlcke said:
>
> > Hi Pablo,
> >
> > Thanks for your reply!
> >
> > On Tue, Apr 18, 2017 at 10:39:47AM +0200, Pablo Neira Ayuso said:
> >
> > > On Mon, Apr 17, 2017 at