Re: [PATCH] extensions: libxt_cgroup: Add translation to nft

2016-06-15 Thread Laura Garcia
On Tue, Jun 14, 2016 at 06:48:51PM +0200, Pablo Neira Ayuso wrote: > Please, document on the wikipage that we don't support yet the new > cgroup2 path-based on nft so we don't forget to discuss about this at > some point. Just included in the wiki.

Re: [PATCH] extensions: libxt_conntrack: Add translation to nft

2016-06-15 Thread Laura Garcia
On Wed, Jun 15, 2016 at 02:21:27PM +0200, Pablo Neira Ayuso wrote: > On Tue, Jun 14, 2016 at 08:02:45PM +0200, Laura Garcia Liebana wrote: > > Add translation of conntrack to nftables. > > > > Examples: > > > > $ sudo iptables-translate -t filter -A INPUT -m con

Re: [PATCH v2] extensions: libxt_multiport: Add translation to nft

2016-05-31 Thread Laura Garcia
On Tue, May 31, 2016 at 12:08:57AM +0200, Arturo Borrero Gonzalez wrote: > On 30 May 2016 at 21:47, Laura Garcia Liebana <nev...@gmail.com> wrote: > > Add translation for multiport to nftables, which is supported natively. > > > > Examples: > > > > $ sudo i

Re: [PATCH] extensions: libip6t_hbh: Add translation to nft

2016-06-02 Thread Laura Garcia
On Thu, Jun 02, 2016 at 01:08:47PM +0200, Pablo Neira Ayuso wrote: > On Thu, Jun 02, 2016 at 12:08:08AM +0200, Laura Garcia Liebana wrote: > > Add translation for Hop-By-Hop header to nftables. Hbh options are not > > supported yet in nft. > > It would be good to docu

Re: [PATCH v3] extensions: libxt_multiport: Add translation to nft

2016-06-01 Thread Laura Garcia
On Wed, Jun 01, 2016 at 04:43:45PM +0200, Arturo Borrero Gonzalez wrote: > On 31 May 2016 at 20:26, Laura Garcia Liebana <nev...@gmail.com> wrote: > > +static int __multiport_xlate_v1(const void *ip, > > + const struct

Re: [PATCH] extensions: libipt_icmp: Add translation to nft

2016-03-06 Thread Laura Garcia
On Sun, Mar 06, 2016 at 03:31:15PM +0530, Shivani Bhardwaj wrote: > There are some icmp types that nftables does not support, have you And these types (and subtypes) are not supported yet or will never be supported? > tried adding up rules corresponding to all the packet types? > Yes, but not

Re: [Outreachy kernel] [PATCH] extensions: libxt_statistic: Add translation to nft

2016-03-01 Thread Laura Garcia
On Tue, Mar 01, 2016 at 03:21:24PM +0530, Shivani Bhardwaj wrote: > On Tue, Mar 1, 2016 at 2:52 AM, Laura Garcia Liebana <nev...@gmail.com> wrote: > > Hi Laura, > > > Add translation for random to nftables. > > > Here, you are providing translation for module s

Re: [PATCH v2] netfilter: nf_tables: add hash expression

2016-08-10 Thread Laura Garcia
On Wed, Aug 10, 2016 at 10:38:08AM +0800, Liping Zhang wrote: > Hi Laura, > > 2016-08-10 2:22 GMT+08:00 Laura Garcia Liebana <nev...@gmail.com>: > > This patch adds a new hash expression, this provides jhash support but > > this can be extended to suppo

Re: [PATCH v2] netfilter: nft_nth: match every n packets

2016-08-09 Thread Laura Garcia
On Tue, Aug 09, 2016 at 12:52:53PM +0200, Pablo Neira Ayuso wrote: > On Thu, Jul 28, 2016 at 11:20:59AM +0200, Florian Westphal wrote: > > Laura Garcia <nev...@gmail.com> wrote: > > > On Thu, Jul 28, 2016 at 01:01:05AM +0200, Florian Westphal wrote: > > > >

Re: [PATCH v3] netfilter: nft_numgen: add number generator expression

2016-08-17 Thread Laura Garcia
e system] > > url: > https://github.com/0day-ci/linux/commits/Laura-Garcia-Liebana/netfilter-nft_numgen-add-number-generator-expression/20160814-185132 > base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git > master > config: i386-allyesconfig (attached as .confi

Re: [PATCH v3] netfilter: nf_tables: Ensure init attributes are within the bounds

2016-08-22 Thread Laura Garcia
system] > [Suggest to use git(>=2.9.0) format-patch --base= (or --base=auto for > convenience) to record what (public, well-known) commit your patch series was > built on] > [Check https://git-scm.com/docs/git-format-patch for more information] > > url: > https://github.com/

Re: [PATCH] netfilter: nft_hash: Add hash offset value

2016-09-05 Thread Laura Garcia
On Mon, Sep 05, 2016 at 11:10:28AM +0200, Pablo Neira Ayuso wrote: > On Mon, Sep 05, 2016 at 10:36:57AM +0200, Laura Garcia Liebana wrote: > > Add support to pass through an offset to the hash value. With this > > feature, the sysadmin is able to generate a hash with a given &

Re: [PATCH nft] src: fix compile error due to _UNTIL renamed to _MODULUS in libnftnl

2016-09-12 Thread Laura Garcia
On Sun, Sep 11, 2016 at 04:35:57PM +0800, Liping Zhang wrote: > From: Liping Zhang > > In the latest libnftnl, NFTNL_EXPR_NG_UNTIL was renamed to > NFTNL_EXPR_NG_MODULUS, so compile error happened: > netlink_linearize.c: In function ‘netlink_gen_numgen’: >

Re: [PATCH nf-next] netfilter: nft_queue: add _SREG_FROM and _SRGE_TO to select the queue numbers

2016-09-12 Thread Laura Garcia
On Sun, Sep 11, 2016 at 11:12:26PM +0200, Florian Westphal wrote: > Liping Zhang wrote: > > From: Liping Zhang > > > > Currently, the user can specify the queue numbers by _QUEUE_NUM and > > _QUEUE_TOTAL attributes, this is enough in most

Re: [PATCH v2] netfilter: nft_numgen: add increment counter offset value

2016-09-12 Thread Laura Garcia
On Mon, Sep 12, 2016 at 06:45:58PM +0200, Pablo Neira Ayuso wrote: > On Wed, Sep 07, 2016 at 07:56:49PM +0200, Laura Garcia Liebana wrote: > > Add support for an initialization counter value. With this option the > > sysadmin is able to start the counter when used with the

Re: [PATCH v2] netfilter: nft_hash: Add hash offset value

2016-09-12 Thread Laura Garcia
On Mon, Sep 12, 2016 at 06:34:59PM +0200, Pablo Neira Ayuso wrote: > Hi Laura, > > On Tue, Sep 06, 2016 at 08:44:19AM +0200, Laura Garcia Liebana wrote: > > Add support to pass through an offset to the hash value. With this > > feature, the sysadmin is able to generat

Re: [PATCH v2] netfilter: nft_hash: Add hash offset value

2016-09-13 Thread Laura Garcia
On Tue, Sep 13, 2016 at 02:25:03PM +0800, Liping Zhang wrote: > Hi Laura, > > 2016-09-06 14:44 GMT+08:00 Laura Garcia Liebana <nev...@gmail.com>: > > static int nft_hash_init(const struct nft_ctx *ctx, > > @@ -60,6 +62,11 @@ static int nft_hash_init(const struct nft_ct

Re: [PATCH nf] netfilter: nf_tables: Ensure u8 attributes are loaded from u32 within the bounds

2016-09-22 Thread Laura Garcia
On Thu, Sep 22, 2016 at 04:58:36PM +0200, Pablo Neira Ayuso wrote: > On Wed, Sep 14, 2016 at 03:00:02PM +0200, Laura Garcia Liebana wrote: > > Check storage of u32 netlink attributes in smaller resources. This > > validation is usually required when the u32 netlink attributes are b

Re: [PATCH nf] netfilter: nf_tables: Ensure u8 attributes are loaded from u32 within the bounds

2016-09-22 Thread Laura Garcia
On Thu, Sep 22, 2016 at 09:16:07AM -0700, Eric Dumazet wrote: > On Thu, 2016-09-22 at 16:58 +0200, Pablo Neira Ayuso wrote: > > attributes") > > > > Always use 12 bytes commit-ids. 4da449a is too short, given the number > > of changes we're getting in the kernel tree, this may become ambiguous >

Re: [PATCH] netfilter: nft_numgen: fix ptr_ret.cocci warnings

2018-05-24 Thread Laura Garcia
(...)) + PTR_ERR > > Generated by: scripts/coccinelle/api/ptr_ret.cocci > > Fixes: d734a2888922 ("netfilter: nft_numgen: add map lookups for numgen > statements") > CC: Laura Garcia Liebana <nev...@gmail.com> > Signed-off-by: kbuild test robot <fengguang...@intel.com

Re: [PATCH] netfilter: nft_hash: fix ptr_ret.cocci warnings

2018-05-24 Thread Laura Garcia
O can be used > > > Use PTR_ERR_OR_ZERO rather than if(IS_ERR(...)) + PTR_ERR > > Generated by: scripts/coccinelle/api/ptr_ret.cocci > > Fixes: b9ccc07e3f31 ("netfilter: nft_hash: add map lookups for hashing > operations") > CC: Laura Garcia Liebana <nev...@gmail

Re: url filtering with netfiler

2018-08-07 Thread Laura Garcia
On Fri, Aug 3, 2018 at 11:03 AM, Oleg wrote: > On Fri, Aug 03, 2018 at 01:21:05AM +0430, Saber Rezvani wrote: >> On 08/03/2018 12:14 AM, Oleg wrote: >> > On Thu, Aug 02, 2018 at 06:44:26PM +0430, Saber Rezvani wrote: >> >> Dear all, >> >> >> >> >> >> Some of my friends and I have decided to work

Re: url filtering with netfiler

2018-08-07 Thread Laura Garcia
On Tue, Aug 7, 2018 at 3:26 PM, Saber Rezvani wrote: > Do you know who exactly is working on this feature in nft? Could you possibly > introduce me to him/her? > You know we have decided to work on this issue. So it is a best practice to > get in touch with the running development team who works on this

Re: [PATCH v3 0/17] netfilter: nf_flow_table: refactoring, TCP state tracking, sending flows to slow path

2018-03-13 Thread Laura Garcia
On Tue, Mar 13, 2018 at 7:16 AM, Rafał Miłecki wrote: > On Mon, 5 Mar 2018 23:11:38 +0100, Pablo Neira Ayuso wrote: >> On Mon, Feb 26, 2018 at 10:15:07AM +0100, Felix Fietkau wrote: >> > Fixes issues with connections hanging after >30 seconds idle time. >> > >> > Changes since

Re: [PATCH nft] create u32_integer type to be used as a key for sets and maps

2018-03-26 Thread Laura Garcia
On Sat, Mar 24, 2018 at 12:47 AM, Duncan Roe <duncan_...@optusnet.com.au> wrote: > On Wed, Mar 14, 2018 at 10:00:35PM +0100, Laura Garcia Liebana wrote: >> Create the new type u32_integer with a fixed size in order to >> be used as a key in maps and sets. The type inte

[ANNOUNCE] nftlb 0.3 release

2018-11-15 Thread Laura Garcia
Hi! I'm honored to present nftlb 0.3 nftlb stands for nftables load balancer, a user space tool that builds a complete load balancer and traffic distributor using the nft infrastructure. nftlb is an nftables rules manager that creates virtual services for load balancing at layer 2, layer 3

[PATCH] doc: Update datatypes

2016-06-04 Thread Laura Garcia Liebana
Check and update nft parameter datatypes. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- doc/nft.xml | 42 -- 1 file changed, 16 insertions(+), 26 deletions(-) diff --git a/doc/nft.xml b/doc/nft.xml index b9f3c69..ea47e2b 100644 ---

[PATCH] extensions: libxt_dscp: Add translation to nft

2016-06-05 Thread Laura Garcia Liebana
ip6 filter INPUT ip6 dscp != 0x32 counter accept Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- extensions/libxt_dscp.c | 92 ++--- 1 file changed, 79 insertions(+), 13 deletions(-) diff --git a/extensions/libxt_dscp.c b/exte

[PATCHv3] extensions: libip6t_frag: Add translation to nft

2016-06-07 Thread Laura Garcia Liebana
frag-off 0 counter accept Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes in v2: - Include translation for fragfirst and fraglast. - fraglen is marked as deprecated. Changes in v3: - Ignore completely IP6T_FRAG_LEN. extensions/libip6t_frag.

[PATCHv4] extensions: libip6t_frag: Add translation to nft

2016-06-08 Thread Laura Garcia Liebana
frag-off 0 counter accept $ sudo iptables-translate -t filter -A INPUT -m frag --fraglast -j ACCEPT nft add rule ip6 filter INPUT frag more-fragments 0 counter accept Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes in v2: - Include translation for fragfirst and fr

[PATCHv2] extensions: libip6t_frag: Add translation to nft

2016-06-06 Thread Laura Garcia Liebana
frag-off 0 counter accept Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes in v2: - Include translation for fragfirst and fraglast. - fraglen is marked as deprecated. extensions/libip6t_frag.c | 33 + 1 file changed, 33 inse

[PATCH] extensions: libxt_cgroup: Add translation to nft

2016-06-09 Thread Laura Garcia Liebana
ACCEPT nft add rule ip filter INPUT meta cgroup != 0 counter accept Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- extensions/libxt_cgroup.c | 28 1 file changed, 28 insertions(+) diff --git a/extensions/libxt_cgroup.c b/extensions/libxt_cgroup.c index 3

[PATCH] extensions: libxt_conntrack: Add translation to nft

2016-06-14 Thread Laura Garcia Liebana
ORIGINAL -j ACCEPT nft add rule ip filter INPUT ct direction original counter accept Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- extensions/libxt_conntrack.c | 247 +++ 1 file changed, 247 insertions(+) diff --git a/exte

[PATCHv4] extensions: libxt_multiport: Add translation to nft

2016-06-02 Thread Laura Garcia Liebana
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes in v4: - Support != {} as already given extensions/libxt_multiport.c | 115 +++ 1 file changed, 115 insertions(+) diff --git a/extensions/libxt_multiport.c b/exte

[PATCH] extensions: libip6t_hbh: Add translation to nft

2016-06-01 Thread Laura Garcia Liebana
ip6 filter INPUT hbh hdrlength != 22 counter Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- extensions/libip6t_hbh.c | 17 + 1 file changed, 17 insertions(+) diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c index c0389ed..416681d 100644 --- a/exte

[PATCH] doc: fix old parameters and update datatypes

2016-06-01 Thread Laura Garcia Liebana
Fix old identifiers like 'ipcomp' and 'op' with 'comp' and 'operation' instead. Update some FIXME datatypes. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- doc/nft.xml | 16 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/doc/nft.xml b/doc/nft.xml

[PATCH v2] extensions: libxt_multiport: Add translation to nft

2016-05-30 Thread Laura Garcia Liebana
accept Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes in v2: - Add curly brackets to lists and range of ports. extensions/libxt_multiport.c | 116 +++ 1 file changed, 116 insertions(+) diff --git a/extensions/libxt_multipo

[PATCH] extensions: libxt_statistic: Add translation to nft

2016-02-29 Thread Laura Garcia Liebana
add rule ip filter INPUT meta random != 0.109 counter accept Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- extensions/libxt_statistic.c | 15 +++ 1 file changed, 15 insertions(+) diff --git a/extensions/libxt_statistic.c b/extensions/libxt_statistic.c

[PATCH v3] extensions: libxt_statistic: Add translation to nft

2016-03-01 Thread Laura Garcia Liebana
random ! --probability 0.1 -j ACCEPT nft add rule ip filter INPUT meta random != 0.109 counter accept The .xlate indirection returns 0 if the translation is not available. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes in v2: - Return 0 if the trans

[PATCHv4] extensions: libipt_icmp: Add translation to nft

2016-03-10 Thread Laura Garcia Liebana
-unreachable counter accept $ sudo iptables-translate -t filter -A INPUT -m icmp ! --icmp-type 3 -j ACCEPT nft add rule ip filter INPUT icmp type != destination-unreachable counter accept Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- v2: - Detection of not supported

[PATCHv5] extensions: libipt_icmp: Add translation to nft

2016-03-10 Thread Laura Garcia Liebana
-translate -t filter -A INPUT -m icmp ! --icmp-type 3 -j ACCEPT nft add rule ip filter INPUT icmp type != destination-unreachable counter accept Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- v2: - Detection of not supported types in nftables, as Shivani suggest

[PATCH] extensions: libipt_REJECT: Avoid to print the default reject with value in the translation

2016-03-12 Thread Laura Garcia Liebana
iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT nft add rule ip filter FORWARD tcp dport 22 counter reject Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- extensions/libipt_REJECT.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/exte

[PATCH] extensions: libip6t_REJECT: Avoid to print the default reject with value in the translation

2016-03-12 Thread Laura Garcia Liebana
ip6tables-translate -A FORWARD -p TCP --dport 22 -j REJECT nft add rule ip6 filter FORWARD tcp dport 22 counter reject Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- extensions/libip6t_REJECT.c | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/exte

[PATCHv6] extensions: libipt_icmp: Add translation to nft

2016-03-12 Thread Laura Garcia Liebana
iptables-translate -t filter -A INPUT -m icmp --icmp-type any -j ACCEPT nft add rule ip filter INPUT icmp counter accept Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- v2: - Detection of not supported types in nftables, as Shivani suggested. v3: - Fix array ite

[PATCHv2] extensions: libip6t_icmp6: Add translation to nft

2016-03-06 Thread Laura Garcia Liebana
INPUT icmpv6 type nd-neighbor-advert counter log level warn $ ip6tables-translate -t filter -A INPUT -m icmp6 ! --icmpv6-type packet-too-big -j LOG nft add rule ip6 filter INPUT icmpv6 type != packet-too-big counter log level warn Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>

[PATCH] extensions: libipt_icmp: Add translation to nft

2016-03-05 Thread Laura Garcia Liebana
icmp type host-unreachable counter log level warn $ sudo iptables-translate -t filter -A INPUT -m icmp ! --icmp-type 3 -j LOG nft add rule ip filter INPUT icmp type != destination-unreachable counter log level warn Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- exte

[PATCH v2] netfilter: nft_nth: match every n packets

2016-07-27 Thread Laura Garcia Liebana
-by: Laura Garcia Liebana <nev...@gmail.com> --- include/uapi/linux/netfilter/nf_tables.h | 15 net/netfilter/Kconfig| 6 ++ net/netfilter/Makefile | 1 + net/netfilter/nft_nth.c | 123 +++ 4 files c

[PATCH] netfilter: nft_nth: match every n packets

2016-07-26 Thread Laura Garcia Liebana
off-by: Laura Garcia Liebana <nev...@gmail.com> --- include/net/netfilter/nft_nth.h | 31 +++ include/uapi/linux/netfilter/nf_tables.h | 15 net/netfilter/Kconfig| 6 ++ net/netfilter/Makefile | 1 + net/netfilter/

[PATCH libnftnl] expr: nth: match every n packets

2016-07-26 Thread Laura Garcia Liebana
Support for the nft nth expression within libnftnl. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- include/libnftnl/expr.h | 10 ++ include/linux/netfilter/nf_tables.h | 14 +++ src/Makefile.am | 1 + src/expr/nth.c

[PATCH v5] netfilter: nf_tables: add hash expression

2016-08-11 Thread Laura Garcia Liebana
This patch adds a new hash expression, this provides jhash support but this can be extended to support other hash functions. The modulus and seed already come embedded into this new expression. Use case example: meta mark set hash ip saddr mod 10 Signed-off-by: Laura Garcia Liebana <

[PATCH v2] netfilter: nf_tables: add hash expression

2016-08-09 Thread Laura Garcia Liebana
This patch adds a new hash expression, this provides jhash support but this can be extended to support other hash functions. The modulus and seed already come embedded into this new expression. Use case example: meta mark set hash ip saddr mod 10 Signed-off-by: Laura Garcia Liebana <

[PATCH 1/5] netfilter: nf_tables: Check u32 load in u8 nft_bitwise attribute

2016-08-10 Thread Laura Garcia Liebana
Fix the direct assignment from u32 data input into the len attribute with a size of u8. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- net/netfilter/nft_bitwise.c | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nft_bitwise.c b/net/net

[PATCH 4/5] netfilter: nf_tables: Check u32 load in u8 nft_immediate attribute

2016-08-10 Thread Laura Garcia Liebana
Fix the direct assignment from u32 data input into the dlen attribute with a size of u8. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- net/netfilter/nft_immediate.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immed

[PATCH 5/5] netfilter: nf_tables: Check u32 load in u8 nft_nat attribute

2016-08-10 Thread Laura Garcia Liebana
Fix the direct assignment from u32 data input into the family attribute with a size of u8. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- net/netfilter/nft_nat.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c index e

[PATCH 3/5] netfilter: nf_tables: Check u32 load in u8 nft_cmp attribute

2016-08-10 Thread Laura Garcia Liebana
Fix the direct assignment from u32 data input into the len attribute with a size of u8. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- net/netfilter/nft_cmp.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nft_cmp.c b/net/netfilter/nft

[PATCH v2] netfilter: nf_tables: Check for overflow of u8 fields from u32 netlink attributes

2016-08-14 Thread Laura Garcia Liebana
Fix the direct assignment from u32 data input into an attribute with a size of u8. Refer to 4da449ae1df Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes in V2: - Collapse the 5 independent patches in just one - Change description and subject - A

[PATCH 0/5] Check u32 load in u8 attributes

2016-08-10 Thread Laura Garcia Liebana
The following patchset adds a check during the load of an u32 value into an u8 attribute which can cause an overflow. Laura Garcia Liebana (5): netfilter: nf_tables: Check u32 load in u8 nft_bitwise attribute netfilter: nf_tables: Check u32 load in u8 nft_byteorder attribute netfilter

[PATCH v4] netfilter: nf_tables: add hash expression

2016-08-11 Thread Laura Garcia Liebana
This patch adds a new hash expression, this provides jhash support but this can be extended to support other hash functions. The modulus and seed already come embedded into this new expression. Use case example: meta mark set hash ip saddr mod 10 Signed-off-by: Laura Garcia Liebana <

[PATCH] netfilter: nft_hash: generate Jenkins Hash per source register

2016-08-09 Thread Laura Garcia Liebana
This patch adds a new hash expression, this provides jhash support but this can be extended to support other hash functions. The modulus and seed already come embedded into this new expression. Use case example: meta mark set hash ip saddr mod 10 Signed-off-by: Laura Garcia Liebana

[PATCH libnftnl] expr: hash: Jenkins hash expression support

2016-08-09 Thread Laura Garcia Liebana
Support for the nft hash expression within libnftnl. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- include/buffer.h| 2 + include/libnftnl/expr.h | 16 ++ include/linux/netfilter/nf_tables.h | 20 +++ src/Makefile.am

[PATCH] netfilter: nf_tables: Add size check on u8 nft_exthdr attributes

2016-08-09 Thread Laura Garcia Liebana
Fix the direct assignment of offset and length attributes included in nft_exthdr structure from u32 data to u8. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- net/netfilter/nft_exthdr.c | 13 +++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/net/net

[PATCH v4] netfilter: nft_numgen: add number generator expression

2016-08-17 Thread Laura Garcia Liebana
Add support for the number generator expression in netfilter. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes in V4: - Rename prandom state identifier include/uapi/linux/netfilter/nf_tables.h | 25 net/netfilter/Kconfig| 6 + net/net

[PATCH nf-next 2/2] netfilter: nft_hash: support of symmetric hash

2017-02-23 Thread Laura Garcia Liebana
, but not seed. Examples: nft add rule ip nat prerouting ct mark set jhash ip saddr mod 2 nft add rule ip nat prerouting ct mark set symhash mod 2 Signed-off-by: Laura Garcia Liebana <laura.gar...@zevenet.com> --- include/uapi/linux/netfilter/nf_tables.h | 13 + net/netfilter/nft_

[PATCH nft] src: hash: support of symmetric hash

2017-02-23 Thread Laura Garcia Liebana
2 Signed-off-by: Laura Garcia Liebana <laura.gar...@zevenet.com> --- include/expression.h| 1 + include/hash.h | 2 +- include/linux/netfilter/nf_tables.h | 13 + src/evaluate.c | 3 ++- src/

[PATCH nf-next 1/2] netfilter: nft_hash: rename nft_hash to nft_jhash

2017-02-23 Thread Laura Garcia Liebana
This patch renames the local nft_hash structure and functions to nft_jhash in order to prepare the nft_hash module code to add new hash functions. Signed-off-by: Laura Garcia Liebana <laura.gar...@zevenet.com> --- net/netfilter/nft_hash.c | 36 ++-- 1 file c

[PATCH v4] netfilter: nf_tables: Ensure init attributes are within the bounds

2016-08-18 Thread Laura Garcia Liebana
Check for overflow of u8 fields from u32 netlink attributes and maximum values. Refer to 4da449ae1df Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- (was: netfilter: nf_tables: Check for overflow of u8 fields from u32 netlink attributes) Changes in V4: - Define NFT_C

[PATCH nf-next v2 2/2] netfilter: nft_hash: support of symmetric hash

2017-02-28 Thread Laura Garcia Liebana
, but not seed. Examples: nft add rule ip nat prerouting ct mark set jhash ip saddr mod 2 nft add rule ip nat prerouting ct mark set symhash mod 2 Signed-off-by: Laura Garcia Liebana <laura.gar...@zevenet.com> --- v2: - Avoid warning due to 'const' from symhash eval skb include/uapi

[PATCH nft v2] src: hash: support of symmetric hash

2017-02-28 Thread Laura Garcia Liebana
2 Signed-off-by: Laura Garcia Liebana <laura.gar...@zevenet.com> --- v2: - Discard new line remove include/expression.h| 1 + include/hash.h | 2 +- include/linux/netfilter/nf_tables.h | 13 + src/evaluate.c

[PATCH v2 libnftnl] expr: numgen: Rename until attribute by modulus

2016-09-02 Thread Laura Garcia Liebana
The _modulus_ attribute will be reused as _until_, as it's similar to other expressions with value limits (ex. hash). Renaming is possible according to the kernel module nft_numgen that has not been released yet. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes

[PATCH v2] netfilter: nft_numgen: rename until attribute by modulus

2016-09-02 Thread Laura Garcia Liebana
The _until_ attribute is renamed to _modulus_ as the behaviour is similar to other expressions with number limits (ex. nft_hash). Renaming is possible because there isn't a kernel release yet with these changes. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes

[PATCH libnftnl] expr: hash: Add offset to hash value

2016-09-05 Thread Laura Garcia Liebana
. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- include/libnftnl/expr.h | 1 + include/linux/netfilter/nf_tables.h | 2 ++ src/expr/hash.c | 39 +++-- tests/nft-expr_hash-test.c | 4 4 files chang

[PATCH] netfilter: nft_hash: Add hash offset value

2016-09-05 Thread Laura Garcia Liebana
. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- include/uapi/linux/netfilter/nf_tables.h | 2 ++ net/netfilter/nft_hash.c | 13 +++-- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi

[PATCH v2] netfilter: nft_hash: Add hash offset value

2016-09-06 Thread Laura Garcia Liebana
. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes in v2: - Add check for hash + sum overflow. include/uapi/linux/netfilter/nf_tables.h | 2 ++ net/netfilter/nft_hash.c | 16 ++-- 2 files changed, 16 insertions(+), 2 deletions(-) diff

[PATCH] netfilter: nft_numgen: add counter offset value and rename until by modulus

2016-09-02 Thread Laura Garcia Liebana
is renamed to _modulus_ as the behaviour is similar to other expressions with number limits (ex. nft_hash). Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- include/uapi/linux/netfilter/nf_tables.h | 6 -- net/netfilter/nft_numgen.c | 37 ++-- 2

[PATCH v3 libnftnl] expr: numgen: Rename until attribute by modulus

2016-09-07 Thread Laura Garcia Liebana
The _modulus_ attribute will be reused as _until_, as it's similar to other expressions with value limits (ex. hash). Renaming is possible according to the kernel module nft_numgen that has not been released yet. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes

[PATCH v3] netfilter: nft_numgen: add number generation offset

2016-09-13 Thread Laura Garcia Liebana
, 101, ... Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org> Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes in v2: - Separate offset changes with _until_ attribute renaming, as Pablo suggested. Changes in v3: - Rename SUM by OFFSET, as Pab

[PATCH v3 libnftnl] expr: numgen: add number generation offset

2016-09-13 Thread Laura Garcia Liebana
, ... Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org> Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes in v2: - Separate offset changes with _until_ attribute renaming, as Pablo suggested. Changes in v3: - Use OFFSET attribute instead of SUM.

[PATCH] netfilter: nft_hash: fix hash overflow validation

2016-09-13 Thread Laura Garcia Liebana
: Add hash offset value") Reported-by: Liping Zhang <liping.zh...@spreadtrum.com> Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- net/netfilter/nft_hash.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nf

[PATCH v2] netfilter: nft_numgen: add increment counter offset value

2016-09-07 Thread Laura Garcia Liebana
number generation. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes in v2: - Separate _SUM_ changes with _until_ attribute renaming. include/uapi/linux/netfilter/nf_tables.h | 2 ++ net/netfilter/nft_numgen.c | 9 +++-- 2 files changed, 9 insertions

[PATCH v2 libnftnl] expr: numgen: add increment counter offset value

2016-09-07 Thread Laura Garcia Liebana
for increment number generation. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes in v2: - Separate _SUM_ changes with _until_ attribute renaming. include/buffer.h| 1 + include/libnftnl/expr.h | 1 + include/linux/netfilter/nf_tables.

[PATCH v5] netfilter: nft_numgen: add number generator expression

2016-08-18 Thread Laura Garcia Liebana
Add support for the number generator expression in netfilter. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes in V5: - Reorder the functions - Add attributes checks - Use switch instead of if statements include/uapi/linux/netfilter/nf_tables.h

[PATCH v3] netfilter: nf_tables: Ensure init attributes are within the bounds

2016-08-18 Thread Laura Garcia Liebana
Check for overflow of u8 fields from u32 netlink attributes and maximum values. Refer to 4da449ae1df Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- (was: netfilter: nf_tables: Check for overflow of u8 fields from u32 netlink attributes) Changes in V3: - Use ERANGE i

[PATCH nft 1/4] src: make hash seed attribute optional

2016-10-22 Thread Laura Garcia Liebana
the configure of the package. Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org> Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- configure.ac | 14 +- include/hash.h | 10 ++ src/parser_bison.y | 5 + tests/py/ip/hash.t | 2 ++ 4 files

[PATCH nft 0/4] src: changes related to numgen and hash expressions

2016-10-22 Thread Laura Garcia Liebana
This patchset provides several improvements for numgen and hash expressions: - support of OFFSET attribute for numgen and hash expressions - makes SEED attribute optional and randomly generated - fix the TYPE attribute to be treated as a register Laura Garcia Liebana (4): src: make hash

[PATCH nft 2/4] src: add offset attribute for hash expression

2016-10-22 Thread Laura Garcia Liebana
Add support to add an offset to the hash generator. Example: ct mark set hash ip saddr mod 10 offset 100 This will generate marks with series between 100-110. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- include/expression.h| 1 + include/

[PATCH nft 3/4] src: add offset attribute for numgen expression

2016-10-22 Thread Laura Garcia Liebana
Add support to add an offset to the numgen generated value. Example: ct mark set numgen inc mod 2 offset 100 This will generate marks with a series like 100, 101, 100, ... Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- include/expression.h| 1 + include

[PATCH nft 4/4] netlink: fix linearize numgen type

2016-10-22 Thread Laura Garcia Liebana
Avoid treating the numgen type attribute as a register. Fixes: 345236211715 ("src: add hash expression") Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- src/netlink_linearize.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/netlink_l

[PATCH nf-next] netfilter: nf_tables: validate maximum value of u32 netlink hash attribute

2016-11-14 Thread Laura Garcia Liebana
Use the function nft_parse_u32_check() to fetch the value and validate the u32 attribute into the hash len u8 field. This patch revisits 4da449ae1df9 ("netfilter: nft_exthdr: Add size check on u8 nft_exthdr attributes"). Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --

[PATCH v2 nft 2/4] src: add offset attribute for hash expression

2016-11-01 Thread Laura Garcia Liebana
Add support to add an offset to the hash generator, eg. ct mark set hash ip saddr mod 10 offset 100 This will generate marks with series between 100-109. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes in v2: - Adapt the code to the repository c

[PATCH v2 nft 1/4] src: make hash seed attribute optional

2016-11-01 Thread Laura Garcia Liebana
ed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes in v2: - Use getrandom(2) syscall instead of arc4random, suggested by Pablo. - This case has no test case, because with random seed generation the payload won't match. configure.ac | 22 +++

[PATCH v3 nft 2/4] src: add offset attribute for hash expression

2016-11-04 Thread Laura Garcia Liebana
Add support to add an offset to the hash generator, eg. ct mark set hash ip saddr mod 10 offset 100 This will generate marks with series between 100-109. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes in v3: - This patch depends on 1/4. include/expres

[PATCH v3 nft 1/4] src: make hash seed attribute optional

2016-11-04 Thread Laura Garcia Liebana
y meta mark set jhash ip saddr . ip daddr mod 2 The kernel will take care of generating a random seed. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- Changes in v3: - The random generation is done on the kernel side. - Tests included. src/parser_bison.y

[PATCH nft] src: hash: fix seed attribute not listed

2017-03-24 Thread Laura Garcia Liebana
' mismatches 'ct mark set jhash \ ip saddr . ip daddr mod 2 offset 100' ip/hash.t: 6 unit tests, 0 error, 2 warning The expression type is now treated as an unsigned int in the hash_expr_print() function. Fixes 3a86406 ("src: hash: support of symmetric hash") Signed-off-by: Laura Garc

[PATCH nf-next v3 2/2] netfilter: nft_hash: support of symmetric hash

2017-03-02 Thread Laura Garcia Liebana
, but not seed. Examples: nft add rule ip nat prerouting ct mark set jhash ip saddr mod 2 nft add rule ip nat prerouting ct mark set symhash mod 2 By default, jenkins hash will be used if no hash type is provided for compatibility reasons. Signed-off-by: Laura Garcia Liebana <laura.

[ANNOUNCE] nftlb 0.2 release

2018-05-14 Thread Laura Garcia Liebana
Hi! I'm honored to present nftlb 0.2. nftlb stands for nftables load balancer, a user space tool that builds a complete load balancer and traffic distributor using the nft infrastructure. nftlb is an nftables rules manager that creates virtual services for load balancing at layer 2, layer 3

[PATCH nf-next 0/2] netfilter: nft map lookups support for number generator expressions

2018-05-10 Thread Laura Garcia Liebana
The following patches complete the implementation of map lookups using as a key the given number generator like incremental, random or the different hash algorithms supported. This is useful for load balancing use cases but also for dynamic map lookups using these expressions. Laura Garcia

[PATCH nf-next 2/2] netfilter: nft_hash: add map lookups for hashing operations

2018-05-10 Thread Laura Garcia Liebana
This patch creates new attributes to accept a map as argument and then perform the lookup with the generated hash accordingly. Both current hash functions are supported: Jenkins and Symmetric Hash. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- include/uapi/linux/net

[PATCH nf-next 1/2] netfilter: nft_numgen: add map lookups for numgen random operations

2018-05-10 Thread Laura Garcia Liebana
This patch uses the map lookup already included to be applied for random number generation. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- net/netfilter/nft_numgen.c | 79 +++--- 1 file changed, 75 insertions(+), 4 deletions(-) diff

[PATCH libnftnl] expr: add map lookups for hash statements

2018-05-10 Thread Laura Garcia Liebana
This patch introduces two new attributes for hash expression to allow map lookups where the hash is the key. The new attributes are NFTNL_EXPR_HASH_SET_NAME and NFTNL_EXPR_HASH_SET_ID in order to identify the given map. Signed-off-by: Laura Garcia Liebana <nev...@gmail.com> --- include/li
