On Tue, Jun 14, 2016 at 06:48:51PM +0200, Pablo Neira Ayuso wrote:
> Please, document on the wikipage that we don't support yet the new
> cgroup2 path-based on nft so we don't forget to discuss about this at
> some point.
Just included in the wiki.
--
To unsubscribe from this list: send the line
On Wed, Jun 15, 2016 at 02:21:27PM +0200, Pablo Neira Ayuso wrote:
> On Tue, Jun 14, 2016 at 08:02:45PM +0200, Laura Garcia Liebana wrote:
> > Add translation of conntrack to nftables.
> >
> > Examples:
> >
> > $ sudo iptables-translate -t filter -A INPUT -m con
On Tue, May 31, 2016 at 12:08:57AM +0200, Arturo Borrero Gonzalez wrote:
> On 30 May 2016 at 21:47, Laura Garcia Liebana <nev...@gmail.com> wrote:
> > Add translation for multiport to nftables, which it's supported natively.
> >
> > Examples:
> >
> > $ sudo i
On Thu, Jun 02, 2016 at 01:08:47PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Jun 02, 2016 at 12:08:08AM +0200, Laura Garcia Liebana wrote:
> > Add translation for Hop-By-Hop header to nftables. Hbh options are not
> > supported yet in nft.
>
> It would be good to docu
On Wed, Jun 01, 2016 at 04:43:45PM +0200, Arturo Borrero Gonzalez wrote:
> On 31 May 2016 at 20:26, Laura Garcia Liebana <nev...@gmail.com> wrote:
> > +static int __multiport_xlate_v1(const void *ip,
> > + const struct
On Sun, Mar 06, 2016 at 03:31:15PM +0530, Shivani Bhardwaj wrote:
> There are some icmp types that nftables does not support, have you
And these types (and subtypes) are not supported yet or will never be supported?
> tried adding up rules corresponding to all the packet types?
>
Yes, but not
On Tue, Mar 01, 2016 at 03:21:24PM +0530, Shivani Bhardwaj wrote:
> On Tue, Mar 1, 2016 at 2:52 AM, Laura Garcia Liebana <nev...@gmail.com> wrote:
>
> Hi Laura,
>
> > Add translation for random to nftables.
> >
> Here, you are providing translation for module s
On Wed, Aug 10, 2016 at 10:38:08AM +0800, Liping Zhang wrote:
> Hi Laura,
>
> 2016-08-10 2:22 GMT+08:00 Laura Garcia Liebana <nev...@gmail.com>:
> > This patch adds a new hash expression, this provides jhash support but
> > this can be extended to suppo
On Tue, Aug 09, 2016 at 12:52:53PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Jul 28, 2016 at 11:20:59AM +0200, Florian Westphal wrote:
> > Laura Garcia <nev...@gmail.com> wrote:
> > > On Thu, Jul 28, 2016 at 01:01:05AM +0200, Florian Westphal wrote:
> > > >
e system]
>
> url:
> https://github.com/0day-ci/linux/commits/Laura-Garcia-Liebana/netfilter-nft_numgen-add-number-generator-expression/20160814-185132
> base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
> master
> config: i386-allyesconfig (attached as .confi
system]
> [Suggest to use git(>=2.9.0) format-patch --base= (or --base=auto for
> convenience) to record what (public, well-known) commit your patch series was
> built on]
> [Check https://git-scm.com/docs/git-format-patch for more information]
>
> url:
> https://github.com/
On Mon, Sep 05, 2016 at 11:10:28AM +0200, Pablo Neira Ayuso wrote:
> On Mon, Sep 05, 2016 at 10:36:57AM +0200, Laura Garcia Liebana wrote:
> > Add support to pass through an offset to the hash value. With this
> > feature, the sysadmin is able to generate a hash with a given
&
On Sun, Sep 11, 2016 at 04:35:57PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> In the latest libnftnl, NFTNL_EXPR_NG_UNTIL was renamed to
> NFTNL_EXPR_NG_MODULUS, so compile error happened:
> netlink_linearize.c: In function ‘netlink_gen_numgen’:
>
On Sun, Sep 11, 2016 at 11:12:26PM +0200, Florian Westphal wrote:
> Liping Zhang wrote:
> > From: Liping Zhang
> >
> > Currently, the user can specify the queue numbers by _QUEUE_NUM and
> > _QUEUE_TOTAL attributes, this is enough in most
On Mon, Sep 12, 2016 at 06:45:58PM +0200, Pablo Neira Ayuso wrote:
> On Wed, Sep 07, 2016 at 07:56:49PM +0200, Laura Garcia Liebana wrote:
> > Add support for an initialization counter value. With this option the
> > sysadmin is able to start the counter when used with the
On Mon, Sep 12, 2016 at 06:34:59PM +0200, Pablo Neira Ayuso wrote:
> Hi Laura,
>
> On Tue, Sep 06, 2016 at 08:44:19AM +0200, Laura Garcia Liebana wrote:
> > Add support to pass through an offset to the hash value. With this
> > feature, the sysadmin is able to generat
On Tue, Sep 13, 2016 at 02:25:03PM +0800, Liping Zhang wrote:
> Hi Laura,
>
> 2016-09-06 14:44 GMT+08:00 Laura Garcia Liebana <nev...@gmail.com>:
> > static int nft_hash_init(const struct nft_ctx *ctx,
> > @@ -60,6 +62,11 @@ static int nft_hash_init(const struct nft_ct
On Thu, Sep 22, 2016 at 04:58:36PM +0200, Pablo Neira Ayuso wrote:
> On Wed, Sep 14, 2016 at 03:00:02PM +0200, Laura Garcia Liebana wrote:
> > Check storage of u32 netlink attributes in smaller resources. This
> > validation is usually required when the u32 netlink attributes are b
On Thu, Sep 22, 2016 at 09:16:07AM -0700, Eric Dumazet wrote:
> On Thu, 2016-09-22 at 16:58 +0200, Pablo Neira Ayuso wrote:
> > attributes")
> >
> > Always use 12 bytes commit-ids. 4da449a is too short, given the number
> > of changes we're getting in the kernel tree, this may become ambiguous
>
(...)) + PTR_ERR
>
> Generated by: scripts/coccinelle/api/ptr_ret.cocci
>
> Fixes: d734a2888922 ("netfilter: nft_numgen: add map lookups for numgen
> statements")
> CC: Laura Garcia Liebana <nev...@gmail.com>
> Signed-off-by: kbuild test robot <fengguang...@intel.com
O can be used
>
>
> Use PTR_ERR_OR_ZERO rather than if(IS_ERR(...)) + PTR_ERR
>
> Generated by: scripts/coccinelle/api/ptr_ret.cocci
>
> Fixes: b9ccc07e3f31 ("netfilter: nft_hash: add map lookups for hashing
> operations")
> CC: Laura Garcia Liebana <nev...@gmail
On Fri, Aug 3, 2018 at 11:03 AM, Oleg wrote:
> On Fri, Aug 03, 2018 at 01:21:05AM +0430, Saber Rezvani wrote:
>> On 08/03/2018 12:14 AM, Oleg wrote:
>> > On Thu, Aug 02, 2018 at 06:44:26PM +0430, Saber Rezvani wrote:
>> >> Dear all,
>> >>
>> >>
>> >> Some of my friends and I have decided to work
On Tue, Aug 7, 2018 at 3:26 PM, Saber Rezvani wrote:
> Do you know who exactly working on this feature in nft? could you possibly
> introduce me to him/her?
> You know we have decided to work on this issue. So It is a best practice to
> get in touch with running development team who works on this
On Tue, Mar 13, 2018 at 7:16 AM, Rafał Miłecki wrote:
> On Mon, 5 Mar 2018 23:11:38 +0100, Pablo Neira Ayuso wrote:
>> On Mon, Feb 26, 2018 at 10:15:07AM +0100, Felix Fietkau wrote:
>> > Fixes issues with connections hanging after >30 seconds idle time.
>> >
>> > Changes since
On Sat, Mar 24, 2018 at 12:47 AM, Duncan Roe <duncan_...@optusnet.com.au> wrote:
> On Wed, Mar 14, 2018 at 10:00:35PM +0100, Laura Garcia Liebana wrote:
>> Create the new type u32_integer with a fixed size in order to
>> be used as a key in maps and sets. The type inte
Hi!
I'm honored to present
nftlb 0.3
nftlb stands for nftables load balancer, a user space tool
that builds a complete load balancer and traffic distributor
using the nft infrastructure.
nftlb is a nftables rules manager that creates virtual services
for load balancing at layer 2, layer 3
Check and update nft parameter datatypes.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
doc/nft.xml | 42 --
1 file changed, 16 insertions(+), 26 deletions(-)
diff --git a/doc/nft.xml b/doc/nft.xml
index b9f3c69..ea47e2b 100644
---
ip6 filter INPUT ip6 dscp != 0x32 counter accept
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
extensions/libxt_dscp.c | 92 ++---
1 file changed, 79 insertions(+), 13 deletions(-)
diff --git a/extensions/libxt_dscp.c b/exte
frag-off 0 counter accept
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes in v2:
- Include translation for fragfirst and fraglast.
- fraglen is marked as deprecated.
Changes in v3:
- Ignore completely IP6T_FRAG_LEN.
extensions/libip6t_frag.
frag-off 0 counter accept
$ sudo iptables-translate -t filter -A INPUT -m frag --fraglast -j ACCEPT
nft add rule ip6 filter INPUT frag more-fragments 0 counter accept
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes in v2:
- Include translation for fragfirst and fr
frag-off 0 counter accept
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes in v2:
- Include translation for fragfirst and fraglast.
- fraglen is marked as deprecated.
extensions/libip6t_frag.c | 33 +
1 file changed, 33 inse
ACCEPT
nft add rule ip filter INPUT meta cgroup != 0 counter accept
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
extensions/libxt_cgroup.c | 28
1 file changed, 28 insertions(+)
diff --git a/extensions/libxt_cgroup.c b/extensions/libxt_cgroup.c
index 3
ORIGINAL -j
ACCEPT
nft add rule ip filter INPUT ct direction original counter accept
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
extensions/libxt_conntrack.c | 247 +++
1 file changed, 247 insertions(+)
diff --git a/exte
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes in v4:
- Support != {} as already given
extensions/libxt_multiport.c | 115 +++
1 file changed, 115 insertions(+)
diff --git a/extensions/libxt_multiport.c b/exte
ip6 filter INPUT hbh hdrlength != 22 counter
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
extensions/libip6t_hbh.c | 17 +
1 file changed, 17 insertions(+)
diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
index c0389ed..416681d 100644
--- a/exte
Fix old identifiers like 'ipcomp' and 'op' with 'comp' and 'operation'
instead. Update some FIXME datatypes.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
doc/nft.xml | 16
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/doc/nft.xml b/doc/nft.xml
accept
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes in v2:
- Add curley brackets to lists and range of ports.
extensions/libxt_multiport.c | 116 +++
1 file changed, 116 insertions(+)
diff --git a/extensions/libxt_multipo
add rule ip filter INPUT meta random != 0.109 counter accept
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
extensions/libxt_statistic.c | 15 +++
1 file changed, 15 insertions(+)
diff --git a/extensions/libxt_statistic.c b/extensions/libxt_statistic.c
random ! --probability
0.1 -j ACCEPT
nft add rule ip filter INPUT meta random != 0.109 counter accept
The .xlate indirection returns 0 if the translation is not available.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes in v2:
- Return 0 if the trans
-unreachable counter accept
$ sudo iptables-translate -t filter -A INPUT -m icmp ! --icmp-type 3 -j ACCEPT
nft add rule ip filter INPUT icmp type != destination-unreachable counter accept
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
v2:
- Detection of not supported
-translate -t filter -A INPUT -m icmp ! --icmp-type 3 -j ACCEPT
nft add rule ip filter INPUT icmp type != destination-unreachable counter accept
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
v2:
- Detection of not supported types in nftables, as Shivani suggest
iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT
nft add rule ip filter FORWARD tcp dport 22 counter reject
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
extensions/libipt_REJECT.c | 8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/exte
ip6tables-translate -A FORWARD -p TCP --dport 22 -j REJECT
nft add rule ip6 filter FORWARD tcp dport 22 counter reject
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
extensions/libip6t_REJECT.c | 9 +++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/exte
iptables-translate -t filter -A INPUT -m icmp --icmp-type any -j ACCEPT
nft add rule ip filter INPUT icmp counter accept
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
v2:
- Detection of not supported types in nftables, as Shivani suggested.
v3:
- Fix array ite
INPUT icmpv6 type nd-neighbor-advert counter log level
warn
$ ip6tables-translate -t filter -A INPUT -m icmp6 ! --icmpv6-type
packet-too-big -j LOG
nft add rule ip6 filter INPUT icmpv6 type != packet-too-big counter log level
warn
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
icmp type host-unreachable counter log level warn
$ sudo iptables-translate -t filter -A INPUT -m icmp ! --icmp-type 3 -j LOG
nft add rule ip filter INPUT icmp type != destination-unreachable counter log
level warn
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
exte
-by: Laura Garcia Liebana <nev...@gmail.com>
---
include/uapi/linux/netfilter/nf_tables.h | 15
net/netfilter/Kconfig| 6 ++
net/netfilter/Makefile | 1 +
net/netfilter/nft_nth.c | 123 +++
4 files c
off-by: Laura Garcia Liebana <nev...@gmail.com>
---
include/net/netfilter/nft_nth.h | 31 +++
include/uapi/linux/netfilter/nf_tables.h | 15
net/netfilter/Kconfig| 6 ++
net/netfilter/Makefile | 1 +
net/netfilter/
Support for the nft nth expression within libnftnl.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
include/libnftnl/expr.h | 10 ++
include/linux/netfilter/nf_tables.h | 14 +++
src/Makefile.am | 1 +
src/expr/nth.c
This patch adds a new hash expression, this provides jhash support but
this can be extended to support for other hash functions.
The modulus and seed already comes embedded into this new expression.
Use case example:
meta mark set hash ip saddr mod 10
Signed-off-by: Laura Garcia Liebana <
This patch adds a new hash expression, this provides jhash support but
this can be extended to support for other hash functions.
The modulus and seed already comes embedded into this new expression.
Use case example:
meta mark set hash ip saddr mod 10
Signed-off-by: Laura Garcia Liebana <
Fix the direct assignment from u32 data input into the len attribute
with a size of u8.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
net/netfilter/nft_bitwise.c | 7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_bitwise.c b/net/net
Fix the direct assignment from u32 data input into the dlen attribute
with a size of u8.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
net/netfilter/nft_immediate.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immed
Fix the direct assignment from u32 data input into the family
attribute with a size of u8.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
net/netfilter/nft_nat.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
index e
Fix the direct assignment from u32 data input into the len attribute
with a size of u8.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
net/netfilter/nft_cmp.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_cmp.c b/net/netfilter/nft
Fix the direct assignment from u32 data input into an attribute with a
size of u8.
Refer to 4da449ae1df
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes in V2:
- Collapse the 5 independent patches in just one
- Change description and subject
- A
The following patchset adds a check during the load of an u32 value
into an u8 attribute which can cause an overflow.
Laura Garcia Liebana (5):
netfilter: nf_tables: Check u32 load in u8 nft_bitwise attribute
netfilter: nf_tables: Check u32 load in u8 nft_byteorder attribute
netfilter
This patch adds a new hash expression, this provides jhash support but
this can be extended to support for other hash functions.
The modulus and seed already comes embedded into this new expression.
Use case example:
meta mark set hash ip saddr mod 10
Signed-off-by: Laura Garcia Liebana <
This patch adds a new hash expression, this provides jhash support but
this can be extended to support for other hash functions.
The modulus and seed comes already come embedded into this new
expression.
Use case example:
meta mark set hash ip saddr mod 10
Signed-off-by: Laura Garcia Liebana
Support for the nft hash expression within libnftnl.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
include/buffer.h| 2 +
include/libnftnl/expr.h | 16 ++
include/linux/netfilter/nf_tables.h | 20 +++
src/Makefile.am
Fix the direct assignment of offset and length attributes included in
nft_exthdr structure from u32 data to u8.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
net/netfilter/nft_exthdr.c | 13 +++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/net/net
Add support for the number generator expression in netfilter.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes in V4:
- Rename prandom state identifier
include/uapi/linux/netfilter/nf_tables.h | 25
net/netfilter/Kconfig| 6 +
net/net
, but not seed.
Examples:
nft add rule ip nat prerouting ct mark set jhash ip saddr mod 2
nft add rule ip nat prerouting ct mark set symhash mod 2
Signed-off-by: Laura Garcia Liebana <laura.gar...@zevenet.com>
---
include/uapi/linux/netfilter/nf_tables.h | 13 +
net/netfilter/nft_
2
Signed-off-by: Laura Garcia Liebana <laura.gar...@zevenet.com>
---
include/expression.h| 1 +
include/hash.h | 2 +-
include/linux/netfilter/nf_tables.h | 13 +
src/evaluate.c | 3 ++-
src/
This patch renames the local nft_hash structure and functions
to nft_jhash in order to prepare the nft_hash module code to
add new hash functions.
Signed-off-by: Laura Garcia Liebana <laura.gar...@zevenet.com>
---
net/netfilter/nft_hash.c | 36 ++--
1 file c
Check for overflow of u8 fields from u32 netlink attributes and maximum
values.
Refer to 4da449ae1df
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
(was: netfilter: nf_tables: Check for overflow of u8 fields from u32
netlink attributes)
Changes in V4:
- Define NFT_C
, but not seed.
Examples:
nft add rule ip nat prerouting ct mark set jhash ip saddr mod 2
nft add rule ip nat prerouting ct mark set symhash mod 2
Signed-off-by: Laura Garcia Liebana <laura.gar...@zevenet.com>
---
v2:
- Avoid warning due to 'const' from symhash eval skb
include/uapi
2
Signed-off-by: Laura Garcia Liebana <laura.gar...@zevenet.com>
---
v2:
- Discard new line remove
include/expression.h| 1 +
include/hash.h | 2 +-
include/linux/netfilter/nf_tables.h | 13 +
src/evaluate.c
The _modulus_ attribute will be reused as _until_, as it's similar to
other expressions with value limits (ex. hash).
Renaming is possible according to the kernel module ntf_numgen that has
not been released yet.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes
The _until_ attribute is renamed to _modulus_ as the behaviour is similar to
other expresions with number limits (ex. nft_hash).
Renaming is possible because there isn't a kernel release yet with these
changes.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes
.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
include/libnftnl/expr.h | 1 +
include/linux/netfilter/nf_tables.h | 2 ++
src/expr/hash.c | 39 +++--
tests/nft-expr_hash-test.c | 4
4 files chang
.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/netfilter/nft_hash.c | 13 +++--
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/include/uapi/linux/netfilter/nf_tables.h
b/include/uapi
.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes in v2:
- Add check for hash + sum overflow.
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/netfilter/nft_hash.c | 16 ++--
2 files changed, 16 insertions(+), 2 deletions(-)
diff
is renamed to _modulus_ as the behaviour is similar to
other expresions with number limits(ex. nft_hash).
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
include/uapi/linux/netfilter/nf_tables.h | 6 --
net/netfilter/nft_numgen.c | 37 ++--
2
The _modulus_ attribute will be reused as _until_, as it's similar to
other expressions with value limits (ex. hash).
Renaming is possible according to the kernel module ntf_numgen that has
not been released yet.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes
, 101, ...
Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org>
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes in v2:
- Separate offset changes with _until_ attribute renaming, as
Pablo suggested.
Changes in v3:
- Rename SUM by OFFSET, as Pab
, ...
Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org>
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes in v2:
- Separate offset changes with _until_ attribute renaming, as
Pablo suggested.
Changes in v3:
- Use OFFSET attribute instead of SUM.
: Add hash offset value")
Reported-by: Liping Zhang <liping.zh...@spreadtrum.com>
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
net/netfilter/nft_hash.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nf
number generation.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes in v2:
- Separate _SUM_ changes with _until_ attribute renaming.
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/netfilter/nft_numgen.c | 9 +++--
2 files changed, 9 insertions
for increment number generation.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes in v2:
- Separate _SUM_ changes with _until_ attribute renaming.
include/buffer.h| 1 +
include/libnftnl/expr.h | 1 +
include/linux/netfilter/nf_tables.
Add support for the number generator expression in netfilter.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes in V5:
- Reorder the functions
- Add attributes checks
- Use switch instead of if statements
include/uapi/linux/netfilter/nf_tables.h
Check for overflow of u8 fields from u32 netlink attributes and maximum
values.
Refer to 4da449ae1df
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
(was: netfilter: nf_tables: Check for overflow of u8 fields from u32
netlink attributes)
Changes in V3:
- Use ERANGE i
the configure of the
package.
Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org>
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
configure.ac | 14 +-
include/hash.h | 10 ++
src/parser_bison.y | 5 +
tests/py/ip/hash.t | 2 ++
4 files
This patchset provides several improvements for numgen and hash
expressions:
- support of OFFSET attribute for numgen and hash expressions
- makes SEED attribute optional and randomly generated
- fix the TYPE attribute to be treated as a register
Laura Garcia Liebana (4):
src: make hash
Add support to add an offset to the hash generator.
Example:
ct mark set hash ip saddr mod 10 offset 100
This will generate marks with series between 100-110.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
include/expression.h| 1 +
include/
Add support to add an offset to the numgen generated value.
Example:
ct mark set numgen inc mod 2 offset 100
This will generate marks with serie like 100, 101, 100, ...
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
include/expression.h| 1 +
include
Avoid to treat numgen type attribute as a register.
Fixes: 345236211715 ("src: add hash expression")
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
src/netlink_linearize.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/netlink_l
Use the function nft_parse_u32_check() to fetch the value and validate
the u32 attribute into the hash len u8 field.
This patch revisits 4da449ae1df9 ("netfilter: nft_exthdr: Add size check
on u8 nft_exthdr attributes").
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
--
Add support to add an offset to the hash generator, eg.
ct mark set hash ip saddr mod 10 offset 100
This will generate marks with series between 100-109.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes in v2:
- Adapt the code to the repository c
ed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes in v2:
- Use getrandom(2) syscall instead of arc4random, suggested by Pablo.
- This case hasn't a test case due to the random seed generation in
the payload won't match.
configure.ac | 22 +++
Add support to add an offset to the hash generator, eg.
ct mark set hash ip saddr mod 10 offset 100
This will generate marks with series between 100-109.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes in v3:
- This patch depends on 1/4.
include/expres
y meta mark set jhash ip saddr . ip daddr mod 2
The kernel will take care of generate a random seed.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
Changes in v3:
- The random generation is done in kernel side.
- Tests included.
src/parser_bison.y
' mismatches 'ct mark set jhash \
ip saddr . ip daddr mod 2 offset 100'
ip/hash.t: 6 unit tests, 0 error, 2 warning
The expression type is now treated as an unsigned int in the
hash_expr_print() function.
Fixes 3a86406 ("src: hash: support of symmetric hash")
Signed-off-by: Laura Garc
' mismatches 'ct mark set jhash \
ip saddr . ip daddr mod 2 offset 100'
ip/hash.t: 6 unit tests, 0 error, 2 warning
The expression type is now treated as an unsigned int in the
hash_expr_print() function.
Fixes 3a86406 ("src: hash: support of symmetric hash")
Signed-off-by: Laura Garc
, but not seed.
Examples:
nft add rule ip nat prerouting ct mark set jhash ip saddr mod 2
nft add rule ip nat prerouting ct mark set symhash mod 2
By default, jenkins hash will be used if no hash type is
provided for compatibility reasons.
Signed-off-by: Laura Garcia Liebana <laura.
Hi!
I'm honored to present
nftlb 0.2
nftlb stands for nftables load balancer, a user space tool
that builds a complete load balancer and traffic distributor
using the nft infrastructure.
nftlb is a nftables rules manager that creates virtual services
for load balancing at layer 2, layer 3
The following patches complete the implementation of map lookups
using as a key the given number generator like incremental, random or
the different hash algorithms supported. This is useful for load
balancing use cases but also for dynamic map lookups using these
expressions.
Laura Garcia
This patch creates new attributes to accept a map as argument and
then perform the lookup with the generated hash accordingly.
Both current hash functions are supported: Jenkins and Symmetric Hash.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
include/uapi/linux/net
This patch uses the map lookup already included to be applied
for random number generation.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
net/netfilter/nft_numgen.c | 79 +++---
1 file changed, 75 insertions(+), 4 deletions(-)
diff
This patch introduces two new attributes for hash expression
to allow map lookups where the hash is the key.
The new attributes are NFTNL_EXPR_HASH_SET_NAME and
NFTNL_EXPR_HASH_SET_ID in order to identify the given map.
Signed-off-by: Laura Garcia Liebana <nev...@gmail.com>
---
include/li
1 - 100 of 119 matches
Mail list logo