Re: [PATCH nf-next 0/6] netfilter: remove support for variably-sized extensions

2017-04-19 Thread Pablo Neira Ayuso
On Sun, Apr 16, 2017 at 01:29:13AM +0200, Florian Westphal wrote: > 3 years ago we had to bump the offsets to the extensions > (223b02d923ecd7c84cf9780bb3686f455d279279, > "netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len") > because total size of all extensions had increased to a

Re: [PATCH nf-next] netfilter: ipvs: fix incorrect conflict resolution

2017-04-19 Thread Pablo Neira Ayuso
On Tue, Apr 18, 2017 at 05:49:56PM +0200, Florian Westphal wrote: > The commit ab8bc7ed864b9c4f1fcb00a22bbe4e0f66ce8003 > ("netfilter: remove nf_ct_is_untracked") > changed the line >if (ct && !nf_ct_is_untracked(ct) && nfct_nat(ct)) { > to >if (ct && nfct_nat(ct)) { > >

Re: [PATCH nf-next v2 1/1] netfilter: SYNPROXY: Return NF_STOLEN instead of NF_DROP during handshaking

2017-04-19 Thread Pablo Neira Ayuso
On Fri, Apr 14, 2017 at 12:52:05PM +0800, Gao Feng wrote: > > -Original Message- > > From: netfilter-devel-ow...@vger.kernel.org > > On Fri, Apr 14, 2017 at 07:04:44AM +0800, Gao Feng wrote: > > > > -Original Message- > > > > From: Pablo Neira Ayuso [mailto:pa...@netfilter.org] > >

Re: [PATCH nf-next] netfilter: tcp: Use TCP_MAX_WSCALE instead of literal 14

2017-04-19 Thread Pablo Neira Ayuso
On Wed, Apr 19, 2017 at 09:23:42AM +0800, gfree.w...@foxmail.com wrote: > From: Gao Feng > > The window scale may be enlarged from 14 to 15 according to the IETF > draft https://tools.ietf.org/html/draft-nishida-tcpm-maxwin-03. > > Use the macro TCP_MAX_WSCALE to support it

Re: [PATCH nf-next] netfilter: synproxy: only register hooks when needed

2017-04-19 Thread Florian Westphal
Florian Westphal wrote: > Defer registration of the synproxy hooks until the first SYNPROXY rule is > added. Also means we only register hooks in namespaces that need it. On a related note: should I bother with CLUSTERIP or can we remove it?

Re: [PATCH iptables v3] iptables-restore/save: exit when given an unknown option

2017-04-19 Thread Pablo Neira Ayuso
On Sat, Apr 15, 2017 at 12:16:47PM +0200, Vincent Bernat wrote: > When an unknown option is given, iptables-restore should exit instead of > continuing its operation. For example, if `--table` was misspelled, this > could lead to an unwanted change. Moreover, exit with a status code of > 1. Make the

[PATCH iptables 2/2] tests: xlate: check if it is being run as root

2017-04-19 Thread Pablo M. Bermudo Garay
Signed-off-by: Pablo M. Bermudo Garay --- xlate-test.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/xlate-test.py b/xlate-test.py index 37760e9..43c4be1 100755 --- a/xlate-test.py +++ b/xlate-test.py @@ -72,7 +72,9 @@ def load_test_files(): def

[PATCH iptables 1/2] tests: xlate: remove python 3.5 dependency

2017-04-19 Thread Pablo M. Bermudo Garay
This commit replaces subprocess.run (introduced in python 3.5) with subprocess.Popen (supported since the first version of python 3). Furthermore, the output has been improved when ip[6]tables-translate exits with non-zero return code. Signed-off-by: Pablo M. Bermudo Garay

[PATCH nf-next] ipvs: convert to use pernet nf_hook api

2017-04-19 Thread Florian Westphal
nf_(un)register_hooks has to maintain an internal hook list to add/remove those hooks from net namespaces as they are added/deleted. ipvs already uses pernet_ops, so we can switch to the (more recent) pernet hook api instead. Compile tested only. Signed-off-by: Florian Westphal

nfqueue buf size for recv()

2017-04-19 Thread Oleg
Hi, all. Can anybody tell me how I can determine the right buf size for recv() in a libnetfilter_queue program. http://www.netfilter.org/projects/libnetfilter_queue/doxygen/group__Queue.html#gae36aee5b74d0c88d2f8530e356f68b79 tells nothing about this. P.S. sorry for the noob question. P.P.S. sorry,
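An added example (my own code, not part of Oleg's message or of libnetfilter_queue) showing the two things a practitioner usually wants here: a buffer length derived from the queue's configured copy range, and a recv() wrapper that asks the kernel for the real datagram length with MSG_PEEK|MSG_TRUNC and grows the buffer before the real read, so a packet larger than the buffer is never silently cut. The headroom constant, the 0xffff payload cap and the helper names are my assumptions, not values taken from the page; the self-test uses a constructed AF_UNIX datagram so it runs without NFQUEUE or root.

```c
/* Added example, not from the thread or from libnetfilter_queue.
 * Assumptions (labelled, not from the page): the queue was set up with
 * nfq_set_mode(qh, NFQNL_COPY_PACKET, copy_range); the kernel copies at
 * most 0xffff bytes of packet payload per message; the non-payload
 * attributes (packet header, mark, ifindexes, hw addr, timestamps) fit in
 * NFQ_META_HEADROOM bytes. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define NFQ_MAX_COPY      0xffffU   /* assumed payload cap for COPY_PACKET */
#define NFQ_META_HEADROOM 4096U     /* assumed room for netlink/nfq attributes */

/* Buffer length to hand to recv() for a queue with the given copy range:
 * payload cap plus metadata headroom, rounded up to a 4 KiB multiple. */
size_t nfq_recv_buf_len(uint32_t copy_range)
{
    if (copy_range == 0 || copy_range > NFQ_MAX_COPY)
        copy_range = NFQ_MAX_COPY;
    size_t need = (size_t)copy_range + NFQ_META_HEADROOM;
    return (need + 4095U) & ~(size_t)4095U;
}

/* Receive one whole datagram into *bufp (capacity *capp). A peek with
 * MSG_TRUNC returns the full datagram length even when it exceeds the
 * buffer; if so the buffer is grown before the consuming recv().
 * Returns bytes received, or -1 with errno set (ENOBUFS on a netlink
 * socket means the receive queue overflowed and messages were lost). */
ssize_t recv_whole_datagram(int fd, void **bufp, size_t *capp)
{
    ssize_t full = recv(fd, *bufp, *capp, MSG_PEEK | MSG_TRUNC);
    if (full < 0)
        return -1;
    if ((size_t)full > *capp) {
        void *grown = realloc(*bufp, (size_t)full);
        if (grown == NULL)
            return -1;
        *bufp = grown;
        *capp = (size_t)full;
    }
    return recv(fd, *bufp, *capp, 0);
}

/* Self-test on a constructed AF_UNIX datagram (not NFQUEUE): send
 * payload_len bytes, receive into a buffer of initial_cap bytes, and
 * return the number of bytes delivered (expected: payload_len). */
ssize_t demo_recv_grows(size_t payload_len, size_t initial_cap)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;
    unsigned char *payload = malloc(payload_len);
    void *buf = malloc(initial_cap);
    size_t cap = initial_cap;
    ssize_t got = -1;
    if (payload && buf) {
        memset(payload, 0xab, payload_len);
        if (send(sv[0], payload, payload_len, 0) == (ssize_t)payload_len)
            got = recv_whole_datagram(sv[1], &buf, &cap);
        /* Verify the bytes survived intact (no truncation, no garbage). */
        if (got == (ssize_t)payload_len && memcmp(buf, payload, payload_len) != 0)
            got = -1;
    }
    free(payload);
    free(buf);
    close(sv[0]);
    close(sv[1]);
    return got;
}

int main(void)
{
    printf("buf for copy range 0xffff: %zu bytes\n", nfq_recv_buf_len(0xffff));
    printf("buf for copy range 1500:   %zu bytes\n", nfq_recv_buf_len(1500));
    printf("10000-byte datagram into 512-byte buffer: received %zd bytes\n",
           demo_recv_grows(10000, 512));
    return 0;
}
```

In a real libnetfilter_queue loop the fd comes from nfq_fd(h) and each received buffer goes to nfq_handle_packet(h, buf, len); if recv() keeps failing with ENOBUFS the fix is a bigger socket receive queue (nfnl_rcvbufsiz() on nfq_nfnlh(h), or SO_RCVBUF), not a bigger per-message buffer.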

[PATCH] netfilter: ctnetlink: Make some parameters integer to avoid enum mismatch

2017-04-19 Thread Matthias Kaehlcke
Not all parameters passed to ctnetlink_parse_tuple() and ctnetlink_exp_dump_tuple() match the enum type in the signatures of these functions. Since this is intended, change the argument type of to be an int value. Signed-off-by: Matthias Kaehlcke ---

Re: [PATCH v3 nf-next] netfilter: nft_ct: allow to set ctnetlink event types of a connection

2017-04-19 Thread Pablo Neira Ayuso
On Sat, Apr 15, 2017 at 07:26:10PM +0200, Florian Westphal wrote: > By default the kernel emits all ctnetlink events for a connection. > This allows selecting the types of events to generate. > > This can be used to e.g. only send DESTROY events but no NEW/UPDATE ones > and will work even if

[PATCH net v3] bridge: ebtables: fix reception of frames DNAT-ed to bridge device/port

2017-04-19 Thread Linus Lüssing
When trying to redirect bridged frames to the bridge device itself or a bridge port (brouting) via the dnat target, this currently fails: The ethernet destination of the frame is dnat'ed to the MAC address of the bridge device or port just fine. However, the IP code drops it in the beginning

Re: [PATCH] netfilter: ctnetlink: Make some parameters integer to avoid enum mismatch

2017-04-19 Thread Matthias Kaehlcke
El Wed, Apr 19, 2017 at 12:41:10PM -0700 Joe Perches ha dit: > On Wed, 2017-04-19 at 11:39 -0700, Matthias Kaehlcke wrote: > > Not all parameters passed to ctnetlink_parse_tuple() and > > ctnetlink_exp_dump_tuple() match the enum type in the signatures of these > > functions. > > Maybe that

Re: [PATCH nf-next] netfilter: tcp: Use TCP_MAX_WSCALE instead of literal 14

2017-04-19 Thread Pablo Neira Ayuso
On Wed, Apr 19, 2017 at 09:57:55PM +0200, Pablo Neira Ayuso wrote: > On Wed, Apr 19, 2017 at 09:22:08AM -0700, Eric Dumazet wrote: > > On Wed, 2017-04-19 at 17:58 +0200, Pablo Neira Ayuso wrote: > > > On Wed, Apr 19, 2017 at 09:23:42AM +0800, gfree.w...@foxmail.com wrote: > > > > From: Gao Feng

Re: [PATCH] netfilter: ctnetlink: Make some parameters integer to avoid enum mismatch

2017-04-19 Thread Joe Perches
On Wed, 2017-04-19 at 11:39 -0700, Matthias Kaehlcke wrote: > Not all parameters passed to ctnetlink_parse_tuple() and > ctnetlink_exp_dump_tuple() match the enum type in the signatures of these > functions. Maybe that should be changed/fixed. > Since this is intended change the argument type of

Re: [PATCH nf v3] net/openvswitch: Delete conntrack entry clashing with an expectation.

2017-04-19 Thread Jarno Rajahalme
> On Apr 19, 2017, at 3:30 AM, Pablo Neira Ayuso wrote: > > On Tue, Apr 18, 2017 at 12:24:28PM -0700, Joe Stringer wrote: >> On 18 April 2017 at 11:33, Jarno Rajahalme wrote: >>> On Apr 18, 2017, at 11:27 AM, Joe Stringer wrote:

Re: nfqueue buf size for recv()

2017-04-19 Thread Florian Westphal
Oleg wrote: > Can anybody tell me how can i determine a right buf size for recv() > in libnetfilter_queue program. > > http://www.netfilter.org/projects/libnetfilter_queue/doxygen/group__Queue.html#gae36aee5b74d0c88d2f8530e356f68b79 > > tells nothing about this. I'd

[PATCH nf-next] ebtables: remove nf_hook_register usage

2017-04-19 Thread Florian Westphal
Similar to ip_register_table, pass nf_hook_ops to ebt_register_table(). This allows handling hook registration also via pernet_ops and allows us to avoid use of the legacy register_hook api. Signed-off-by: Florian Westphal --- include/linux/netfilter_bridge/ebtables.h | 6 ++-

[PATCH nf-next] netfilter: decnet: only register hooks in init namespace

2017-04-19 Thread Florian Westphal
Looks like decnet isn't namespacified in the first place, so restrict hook registration to the initial namespace. Prepares for eventual removal of the legacy nf_register_hook() api. Signed-off-by: Florian Westphal --- net/decnet/netfilter/dn_rtmsg.c | 4 ++-- 1 file changed, 2

Re: [PATCH] netfilter: xt_socket: Fix broken IPv6 handling

2017-04-19 Thread Florian Westphal
Peter Tirsek wrote: > Commit 834184b1f3a4 ("netfilter: defrag: only register defrag > functionality if needed") used the outdated XT_SOCKET_HAVE_IPV6 macro > which was removed earlier in commit 8db4c5be88f6 ("netfilter: move > socket lookup infrastructure to

[PATCH nf-next] netfilter: synproxy: only register hooks when needed

2017-04-19 Thread Florian Westphal
Defer registration of the synproxy hooks until the first SYNPROXY rule is added. Also means we only register hooks in namespaces that need it. Signed-off-by: Florian Westphal --- include/net/netfilter/nf_conntrack_synproxy.h | 2 + net/ipv4/netfilter/ipt_SYNPROXY.c

Re: [PATCH nf-next] netfilter: tcp: Use TCP_MAX_WSCALE instead of literal 14

2017-04-19 Thread Eric Dumazet
On Wed, 2017-04-19 at 17:58 +0200, Pablo Neira Ayuso wrote: > On Wed, Apr 19, 2017 at 09:23:42AM +0800, gfree.w...@foxmail.com wrote: > > From: Gao Feng > > > > The window scale may be enlarged from 14 to 15 according to the IETF > > draft

[PATCH nf-next 0/3] netfilter: conntrack: removal prealloc support

2017-04-19 Thread Florian Westphal
The prealloc flag is only used for the nat extension (and that extension is not even needed anymore in some cases). This removes prealloc, marks all extension structs as const and then also simplifies the initial extension allocation. Currently (default settings), each conntrack will use 64

[PATCH nf-next 1/3] netfilter: conntrack: remove prealloc support

2017-04-19 Thread Florian Westphal
It was used by the nat extension, but since commit 7c9664351980 ("netfilter: move nat hlist_head to nf_conn") it's only needed for connections that use the MASQUERADE target or a nat helper. Also it seems a lot easier to preallocate a fixed size instead. With default settings, conntrack first adds

[PATCH nf-next 2/3] netfilter: conntrack: mark extension structs as const

2017-04-19 Thread Florian Westphal
Signed-off-by: Florian Westphal --- include/net/netfilter/nf_conntrack_extend.h | 4 ++-- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_extend.c | 4 ++--

[PATCH nf-next 3/3] netfilter: conntrack: handle initial extension alloc via krealloc

2017-04-19 Thread Florian Westphal
krealloc(NULL, ..) is the same as kmalloc(), so we can avoid special-casing the initial allocation after the prealloc removal (we had to use ->alloc_len as the initial allocation size). This also means we do not zero the preallocated memory anymore; only offsets[]. Existing code makes sure the new

RE: [PATCH nf-next] netfilter: tcp: Use TCP_MAX_WSCALE instead of literal 14

2017-04-19 Thread Gao Feng
> On Wed, Apr 19, 2017 at 09:57:55PM +0200, Pablo Neira Ayuso wrote: > > On Wed, Apr 19, 2017 at 09:22:08AM -0700, Eric Dumazet wrote: > > > On Wed, 2017-04-19 at 17:58 +0200, Pablo Neira Ayuso wrote: > > > > On Wed, Apr 19, 2017 at 09:23:42AM +0800, gfree.w...@foxmail.com > wrote: > > > > > From:

Re: [PATCH nf-next 3/3] netfilter: conntrack: handle initial extension alloc via krealloc

2017-04-19 Thread kbuild test robot
Hi Florian, [auto build test WARNING on nf-next/master] url: https://github.com/0day-ci/linux/commits/Florian-Westphal/netfilter-conntrack-removal-prealloc-support/20170420-100813 base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master reproduce: # apt-get

Re: [PATCH nf v3] net/openvswitch: Delete conntrack entry clashing with an expectation.

2017-04-19 Thread Pablo Neira Ayuso
On Tue, Apr 18, 2017 at 12:24:28PM -0700, Joe Stringer wrote: > On 18 April 2017 at 11:33, Jarno Rajahalme wrote: > > > >> On Apr 18, 2017, at 11:27 AM, Joe Stringer wrote: > >> > >> On 14 April 2017 at 14:26, Jarno Rajahalme wrote: > >>> Conntrack

Re: [PATCH libmnl] nlmsg: introduce mnl_nlmsg_batch_rest to get the rest length

2017-04-19 Thread Ken-ichirou MATSUZAWA
On Fri, Apr 14, 2017 at 12:27:00AM +0200, Pablo Neira Ayuso wrote: > On Mon, Apr 03, 2017 at 03:11:27PM +0900, Ken-ichirou MATSUZAWA wrote: > > enables to help to wrap these. As of this C library, we can use > > this like below without double sized buffer. > > > > char

Re: Doubt about CTA_EXPECT_* values passed to ctnetlink_parse_tuple()

2017-04-19 Thread Pablo Neira Ayuso
On Tue, Apr 18, 2017 at 12:43:15PM -0700, Matthias Kaehlcke wrote: > El Tue, Apr 18, 2017 at 12:41:16PM -0700 Matthias Kaehlcke ha dit: > > > Hi Pablo, > > > > Thanks for your reply! > > > > El Tue, Apr 18, 2017 at 10:39:47AM +0200 Pablo Neira Ayuso ha dit: > > > > > On Mon, Apr 17, 2017 at