Netfilter/Suricata user day on 27th June in Amsterdam, Netherlands

2016-06-08 Thread Pablo Neira Ayuso
Hi! We are organizing a public user day at the Vrije Universiteit (VU) Amsterdam on June 27th 2016. This day is titled "Suricata meets Netfilter" and brings talks about the Linux Netfilter/nftables Firewall project and the Suricata IDS/IPS project. Keynote will be delivered by Linux NetDev

Re: [PATCH 1/3] bridge: netfilter: checkpatch whitespace fixes

2016-06-08 Thread Pablo Neira Ayuso
On Wed, Jun 08, 2016 at 07:31:21PM +0200, Pablo Neira Ayuso wrote: > Then you can follow up with a patch to add this function. > > Just a suggestion, let me know if this is fine with you. Forget this idea. Actually your patch from: Date: Tue, 07 Jun 2016 11:02:30 -0700 looks easier to

Re: [PATCHv3] extensions: libip6t_frag: Add translation to nft

2016-06-07 Thread Pablo Neira Ayuso
On Tue, Jun 07, 2016 at 09:33:13AM +0200, Laura Garcia Liebana wrote: > diff --git a/extensions/libip6t_frag.c b/extensions/libip6t_frag.c > index 023df62..7871fb9 100644 > --- a/extensions/libip6t_frag.c > +++ b/extensions/libip6t_frag.c > @@ -173,6 +173,35 @@ static void frag_save(const void

Re: [PATCH] extensions: libxt_dscp: Add translation to nft

2016-06-06 Thread Pablo Neira Ayuso
On Sun, Jun 05, 2016 at 07:57:23PM +0200, Laura Garcia Liebana wrote: > Add translation for dscp to nftables, for both ipv4 and ipv6. > > Examples: > > $ sudo iptables-translate -t filter -A INPUT -m dscp --dscp 0x32 -j ACCEPT > nft add rule ip filter INPUT ip dscp 0x32 counter accept > > $

Re: [PATCH v2 libnftnl] Check all strdup

2016-06-08 Thread Pablo Neira Ayuso
On Tue, Jun 07, 2016 at 05:08:10PM +0200, Pablo Neira Ayuso wrote: > Carlos, > > On Tue, May 31, 2016 at 12:08:32PM +0200, Carlos Falgueras García wrote: > > Check all strdup possible error and treat it consequently. > > Please, manually apply these two patches in yo

Re: [PATCH v2 libnftnl] Check all strdup

2016-06-08 Thread Pablo Neira Ayuso
On Wed, Jun 08, 2016 at 01:37:41PM +0200, Florian Westphal wrote: > Pablo Neira Ayuso <pa...@netfilter.org> wrote: > > + if (attr > NFTNL_CHAIN_MAX) { > > + errno = -EOPNOTSUPP; > > The negation should be dropped. Right, this should be:
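Review bot: in the `if (attr > NFTNL_CHAIN_MAX)` branch, `errno = -EOPNOTSUPP;` stores a negative value, but errno holds positive error codes, so a caller comparing against EOPNOTSUPP or passing errno to strerror() will not recognise the failure; drop the negation as the reply suggests, and return -1 from the same branch so the caller actually observes the rejected attribute rather than only a side effect on errno.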

Re: [PATCH 1/3] bridge: netfilter: checkpatch whitespace fixes

2016-06-08 Thread Pablo Neira Ayuso
On Tue, Jun 07, 2016 at 11:02:30AM -0700, Joe Perches wrote: > On Tue, 2016-06-07 at 19:34 +0200, Pablo Neira Ayuso wrote: > > On Tue, Jun 07, 2016 at 10:04:40AM -0700, Joe Perches wrote: > > > One more question, is this chunk below correct from > > >

Re: [conntrack-tools PATCH] include/network.h: fix erroneous comment in NTA_(S|D)NAT_IPV6

2016-06-06 Thread Pablo Neira Ayuso
On Fri, Jun 03, 2016 at 10:55:21AM +0200, Arturo Borrero Gonzalez wrote: > We don't use 'struct nfct_attr_grp_ipv6', actually 'uint32_t * 4'. Applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More

Re: [PATCH] extensions: libip6t_frag: Add translation to nft

2016-06-06 Thread Pablo Neira Ayuso
On Thu, Jun 02, 2016 at 06:57:58PM +0200, Laura Garcia Liebana wrote: > Add translation for frag to nftables. Not supported yet in nft: fraglen, > fragfirst and fraglast. You can provide translations for fragfirst and fraglast. '--fragfirst' is actually frag-off 0. and '--fraglast' is

Re: [GIT PULL] IPVS Fixes for v4.7

2016-06-06 Thread Pablo Neira Ayuso
On Mon, Jun 06, 2016 at 06:24:36PM +0900, Simon Horman wrote: > Hi Pablo, > > please consider this IPVS fix for v4.7. > > The fix from Marco corrects the handling of outgoing connections > which use the SIP-pe such that the binding of a real-server > is updated when needed. This was an omission

Re: [PATCH 07/23] netfilter: x_tables: check standard target size too

2016-06-06 Thread Pablo Neira Ayuso
On Mon, Jun 06, 2016 at 12:02:10AM +0200, Florian Westphal wrote: > Andreas Schwab wrote: > > > From: Florian Westphal > > > > > > We have targets and standard targets -- the latter carries a verdict. > > > > > > The ip/ip6tables validation functions will

Re: [PATCHv4] extensions: libxt_multiport: Add translation to nft

2016-06-06 Thread Pablo Neira Ayuso
On Thu, Jun 02, 2016 at 07:29:26PM +0200, Laura Garcia Liebana wrote: > Add translation for multiport to nftables, which is supported natively. > > Examples: > > $ sudo iptables-translate -t filter -A INPUT -p tcp -m multiport --dports 80,81 -j ACCEPT > nft add rule ip filter INPUT ip

Re: [PATCH] doc: Update datatypes

2016-06-06 Thread Pablo Neira Ayuso
On Sun, Jun 05, 2016 at 12:33:31AM +0200, Laura Garcia Liebana wrote: > Check and update nft parameter datatypes. Applied, thanks. I have rewritten the patch description a bit BTW.

Re: off-by-one in DecodeQ931

2016-06-06 Thread Pablo Neira Ayuso
On Mon, Jun 06, 2016 at 04:35:55PM +0200, Florian Westphal wrote: > Toby DiPasquale wrote: > > Is this latest patch OK? > > Yes, I don't know why it wasn't applied yet. > > Pablo? This doesn't apply. $ git am /tmp/off-by-one-in-DecodeQ931.patch -s Applying: off-by-one in

[PATCH libnftnl 2/2] src: get rid of EXPORT_SYMBOL_ALIAS()

2016-06-07 Thread Pablo Neira Ayuso
of this aliases now. Bump LIBVERSION and update map file. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- Make_global.am | 2 +- doxygen.cfg.in | 2 +- include/utils.h | 2 - src/batch.c | 14 +-- src/chain.c | 68 +++--- src/common.c | 14 +-

Re: [PATCH v2 libnftnl] Check all strdup

2016-06-07 Thread Pablo Neira Ayuso
Carlos, On Tue, May 31, 2016 at 12:08:32PM +0200, Carlos Falgueras García wrote: > Check all strdup possible error and treat it consequently. Please, manually apply these two patches in your local working copy: http://patchwork.ozlabs.org/patch/631659/ http://patchwork.ozlabs.org/patch/631660/

Re: [PATCH 2/3] bridge: netfilter: checkpatch data type fixes

2016-06-07 Thread Pablo Neira Ayuso
On Tue, May 10, 2016 at 11:26:57AM +1000, tcharding wrote: > From: Tobin C Harding > > checkpatch produces data type 'checks'. > > This patch amends them by changing, for example: > uint8_t -> u8 This looks good. Applied, thanks.

Re: [PATCH 1/3] bridge: netfilter: checkpatch whitespace fixes

2016-06-07 Thread Pablo Neira Ayuso
Hi, On Tue, May 10, 2016 at 11:26:56AM +1000, tcharding wrote: > From: Tobin C Harding > > checkpatch produces various white space 'checks'. > > This patch amends them. > > Signed-off-by: Tobin C Harding > --- > This is my second linux kernel patch. Unsure if I

Re: [PATCH 3/3] bridge: netfilter: checkpatch null comparison fixes

2016-06-07 Thread Pablo Neira Ayuso
On Tue, May 10, 2016 at 11:26:58AM +1000, tcharding wrote: > From: Tobin C Harding > > checkpatch produces comparison to null 'checks'. > > This patch amends them. We have quite a lot of these in the netfilter tree, so I'd rather start using preferred coding style from now on

Re: [PATCH nf-next] netfilter: helper: avoid extra expectation iterations on unregister

2016-06-07 Thread Pablo Neira Ayuso
On Sun, May 15, 2016 at 07:50:14PM +0200, Florian Westphal wrote: > The expectation table is not duplicated per net namespace anymore, so we can > move the expectation table and conntrack table iteration out of the per-net loop. Florian, I can place this in the nf-next tree. This hit the queue

Re: [PATCH 1/3] bridge: netfilter: checkpatch whitespace fixes

2016-06-07 Thread Pablo Neira Ayuso
On Tue, Jun 07, 2016 at 10:04:40AM -0700, Joe Perches wrote: > On Tue, 2016-06-07 at 17:14 +0200, Pablo Neira Ayuso wrote: > > On Tue, May 10, 2016 at 11:26:56AM +1000, tcharding wrote: > > > From: Tobin C Harding <m...@tobin.cc> > > > This is my second linux ke

Re: [PATCH 2/2 libnftnl] Check memory allocations in setters

2016-06-10 Thread Pablo Neira Ayuso
On Fri, Jun 10, 2016 at 12:20:54PM +0200, Carlos Falgueras García wrote: > When you set an object attribute the memory is copied, sometimes an > allocation is needed and it must be checked. Before this patch all setter > methods return void, so this patch makes all setters return int instead of void

[PATCH libnftnl] build: update LIBVERSION to prepare a new release

2016-05-26 Thread Pablo Neira Ayuso
; + nftnl_udata_get; + nftnl_udata_next; + nftnl_udata_parse; +} LIBNFTNL_4; Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- Make_global.am | 2 +- configure.ac | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Make_global.am b/Make_global.am index 6

Re: [PATCH nf-next 2/3] netfilter: nf_tables: fix an endless jump loop when use vmap

2016-06-13 Thread Pablo Neira Ayuso
through iter, so we can perform the conditional check based on whether 1) we're dumping or 2) checking for loops (ie. in the middle of a transaction). Let me know if you see any problem with this different approach, thanks. >From 0e1a07d8a5315d06531beb311a30464d1b207023 Mon Sep 17 00:00:00 2001 Fr

Re: [PATCH V2] net: Allow xt_owner in any user namespace

2016-06-14 Thread Pablo Neira Ayuso
On Mon, Jun 13, 2016 at 09:06:55PM -0500, Eric W. Biederman wrote: > Florian Westphal writes: > > > Kevin Cernekee wrote: > >> @@ -35,6 +63,7 @@ owner_mt(const struct sk_buff *skb, struct > >> xt_action_param *par) > >>const struct xt_owner_match_info

[PATCH libnftnl 1/9] src: get rid of aliases

2016-06-14 Thread Pablo Neira Ayuso
of aliases now. Bump LIBVERSION and update map file. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- Make_global.am | 2 +- doxygen.cfg.in | 2 +- include/libnftnl/batch.h | 16 --- include/libnftnl/chain.h | 77 - include/libnftnl/co

[PATCH libnftnl 8/9] tests: shuffle values that are injected

2016-06-14 Thread Pablo Neira Ayuso
Shuffle values that are used to set attributes, this variability should help us catch more problems in the future. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- tests/nft-chain-test.c | 10 +- tests/nft-expr_bitwise-test.c | 4 ++-- tests/nft-expr_cmp-

[PATCH libnftnl 7/9] src: check for flags before releasing attributes

2016-06-14 Thread Pablo Neira Ayuso
Now that unsetters don't set pointers to NULL, check if the attribute is set before trying to release it. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- src/chain.c | 18 ++ src/expr/immediate.c | 2 +- src/expr/log.c | 2 +- src/expr/match.c

[PATCH libnftnl 3/9] src: return value on setters that internally allocate memory

2016-06-14 Thread Pablo Neira Ayuso
So the client can bail out on memory allocation errors. Or, in the case of a daemon, make sure things are left in a consistent state before bailing out. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/libnftnl/chain.h | 4 ++-- include/libnftnl/expr.h | 4 ++-- include/li

[PATCH libnftnl 5/9] expr: data_reg: get rid of leftover perror() calls

2016-06-14 Thread Pablo Neira Ayuso
Let the client of this library decide when to display error messages. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- src/expr/data_reg.c | 9 +++-- 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/src/expr/data_reg.c b/src/expr/data_reg.c index 6aa47bc..6

[PATCH libnftnl 9/9] chain: dynamically allocate name

2016-06-14 Thread Pablo Neira Ayuso
Just in case we ever support chains with larger names in the future, this will ensure the library doesn't break. I don't expect allocating more bytes for this anytime soon, but let's be conservative here. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- src/chain.

[PATCH libnftnl 2/9] src: assert when setting unknown attributes

2016-06-14 Thread Pablo Neira Ayuso
bail out from the library itself in this case. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/utils.h | 9 + src/chain.c | 4 +--- src/gen.c | 4 +--- src/rule.c | 4 +--- src/set.c | 4 +--- src/table.c | 4 +--- src/utils.c | 8 +

[PATCH libnftnl 6/9] src: simplify unsetters

2016-06-14 Thread Pablo Neira Ayuso
If the attribute is set, as we already check at the beginning of this function, then we can release the object. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- src/chain.c| 15 +++ src/rule.c | 10 ++ src/ruleset.c | 4 src/set.c

[PATCH libnftnl 4/9] src: check for strdup() errors from setters and parsers

2016-06-14 Thread Pablo Neira Ayuso
And pass up an error to the caller. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- src/chain.c | 6 ++ src/expr/data_reg.c | 3 +++ src/expr/dynset.c| 4 src/expr/immediate.c | 2 ++ src/expr/log.c | 4 src/expr/lookup.c| 4 src/

Re: [PATCH] netfilter: fix buffer null termination

2016-06-14 Thread Pablo Neira Ayuso
Cc'ing netfilter-devel. On Tue, Jun 14, 2016 at 07:39:27PM +0530, Kishan Sandeep wrote: > + netdev > > On Sat, Jun 11, 2016 at 10:18 AM, Kishan Sandeep > wrote: > > strncpy generally preferable for non-terminated > > fixed-width strings. For NULL termination strlcpy >
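The distinction drawn above, as an added example in C that is not code from the patch or from the kernel: strncpy() into a fixed-width buffer leaves no terminator when the source is at least as long as the buffer, while a strlcpy()-style bounded copy always terminates and reports truncation through its return value. NAME_LEN, the helper names and the 40-byte sample name are constructed for this illustration.

```c
#include <stddef.h>
#include <string.h>

#define NAME_LEN 32	/* illustrative fixed-width name buffer */

/* Constructed inputs: a 40-character name (longer than NAME_LEN) and a
 * short one. */
static const char long_name[] = "this_table_name_is_forty_bytes_long_yes!";
static const char short_name[] = "filter";

/* 1 if buf[0..len) contains a NUL byte, 0 otherwise. */
int is_nul_terminated(const char *buf, size_t len)
{
	return memchr(buf, '\0', len) != NULL;
}

/* strncpy(): pads a short source with NULs, but when strlen(src) >= n
 * it stops after n bytes and writes no terminator at all. Returns
 * whether dest is terminated afterwards. */
int copy_strncpy(char *dest, size_t n, const char *src)
{
	strncpy(dest, src, n);
	return is_nul_terminated(dest, n);
}

/* strlcpy()-style copy: always terminates when n > 0, truncates
 * silently, and returns strlen(src) so the caller can detect that
 * truncation happened (return value >= n). */
size_t copy_bounded(char *dest, size_t n, const char *src)
{
	size_t len = strlen(src);

	if (n == 0)
		return len;
	if (len >= n) {
		memcpy(dest, src, n - 1);
		dest[n - 1] = '\0';
	} else {
		memcpy(dest, src, len + 1);
	}
	return len;
}

/* 1 when strncpy() left the over-long name without a terminator. */
int demo_strncpy_overlong_unterminated(void)
{
	char buf[NAME_LEN];

	return copy_strncpy(buf, sizeof(buf), long_name) == 0;
}

/* 1 when strncpy() handled the short name correctly (it does). */
int demo_strncpy_short_terminated(void)
{
	char buf[NAME_LEN];

	return copy_strncpy(buf, sizeof(buf), short_name) == 1 &&
	       strcmp(buf, short_name) == 0;
}

/* 1 when the bounded copy terminated, kept NAME_LEN-1 characters of
 * the source and reported the truncation through its return value. */
int demo_bounded_overlong(void)
{
	char buf[NAME_LEN];
	size_t ret = copy_bounded(buf, sizeof(buf), long_name);

	return is_nul_terminated(buf, sizeof(buf)) &&
	       strlen(buf) == NAME_LEN - 1 &&
	       ret >= sizeof(buf) &&
	       strncmp(buf, long_name, NAME_LEN - 1) == 0;
}
```

The practical rule the example encodes: a buffer filled by strncpy() may only be read with length-bounded functions, never with strlen() or "%s", unless the caller terminates it explicitly; the bounded copy removes that obligation and additionally tells the caller that data was lost.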

Re: [PATCH] extensions: libxt_cgroup: Add translation to nft

2016-06-14 Thread Pablo Neira Ayuso
On Thu, Jun 09, 2016 at 09:54:22PM +0200, Laura Garcia Liebana wrote: > Add translation for cgroup to nft. Path parameter not supported in nft > yet. > > Examples: > > $ sudo iptables-translate -t filter -A INPUT -m cgroup --cgroup 0 -j ACCEPT > nft add rule ip filter INPUT meta cgroup 0 counter

Re: [PATCH 2/2 v2,libnftnl] Check memory allocations in setters

2016-06-14 Thread Pablo Neira Ayuso
On Fri, Jun 10, 2016 at 02:22:46PM +0200, Carlos Falgueras García wrote: > When you set an object attribute the memory is copied, sometimes an > allocation is needed and it must be checked. Before this patch all setter > methods return void, so this patch makes all setters return int instead of void
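One way the contract described in this thread can look, together with the errno sign point raised in the "Check all strdup" review above, as an added C sketch that is not libnftnl code: a setter that allocates returns int instead of void, leaves the object untouched when the allocation fails, and rejects an unknown attribute with a positive errno. The toy_chain type, the TOY_CHAIN_* attributes and the toy_fail_alloc hook are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical object modelled on the libnftnl attribute-setter pattern. */
enum toy_chain_attr { TOY_CHAIN_NAME = 0, TOY_CHAIN_TABLE, __TOY_CHAIN_MAX };
#define TOY_CHAIN_MAX (__TOY_CHAIN_MAX - 1)

struct toy_chain {
	char *name;
	char *table;
	uint32_t flags;		/* one bit per attribute that is currently set */
};

/* Hook so the demo can provoke an allocation failure deterministically. */
int toy_fail_alloc = 0;

/* strdup() stand-in: NULL with errno = ENOMEM on failure. */
static char *toy_strdup(const char *s)
{
	size_t n = strlen(s) + 1;
	char *copy = toy_fail_alloc ? NULL : malloc(n);

	if (copy == NULL) {
		errno = ENOMEM;
		return NULL;
	}
	return memcpy(copy, s, n);
}

/* Allocate the copy first and release the old string only on success,
 * so a failed setter leaves the object exactly as it was. */
static int toy_set_str(char **slot, const char *value)
{
	char *copy = toy_strdup(value);

	if (copy == NULL)
		return -1;		/* errno already set */
	free(*slot);
	*slot = copy;
	return 0;
}

/* Returns 0 on success, -1 with a positive errno on failure. */
int toy_chain_set_str(struct toy_chain *c, uint16_t attr, const char *s)
{
	int ret;

	if (attr > TOY_CHAIN_MAX) {
		errno = EOPNOTSUPP;	/* never -EOPNOTSUPP: errno is positive */
		return -1;
	}
	switch (attr) {
	case TOY_CHAIN_NAME:
		ret = toy_set_str(&c->name, s);
		break;
	case TOY_CHAIN_TABLE:
		ret = toy_set_str(&c->table, s);
		break;
	default:			/* unreachable after the range check */
		errno = EOPNOTSUPP;
		return -1;
	}
	if (ret == 0)
		c->flags |= 1u << attr;
	return ret;
}

int toy_chain_is_set(const struct toy_chain *c, uint16_t attr)
{
	return attr <= TOY_CHAIN_MAX && (c->flags & (1u << attr)) != 0;
}

/* Release only what the flags say was set; memset() makes reuse safe. */
void toy_chain_free(struct toy_chain *c)
{
	if (toy_chain_is_set(c, TOY_CHAIN_NAME))
		free(c->name);
	if (toy_chain_is_set(c, TOY_CHAIN_TABLE))
		free(c->table);
	memset(c, 0, sizeof(*c));
}

/* Exercise the contract; returns 0, or the number of the check that failed. */
int toy_chain_contract_demo(void)
{
	struct toy_chain c = { 0 };
	int ret;

	if (toy_chain_set_str(&c, TOY_CHAIN_NAME, "input") != 0)
		return 1;
	errno = 0;
	if (toy_chain_set_str(&c, TOY_CHAIN_MAX + 1, "x") != -1 || errno != EOPNOTSUPP)
		return 2;
	toy_fail_alloc = 1;
	errno = 0;
	ret = toy_chain_set_str(&c, TOY_CHAIN_NAME, "forward");
	toy_fail_alloc = 0;
	if (ret != -1 || errno != ENOMEM)
		return 3;
	if (strcmp(c.name, "input") != 0)	/* unchanged after the failure */
		return 4;
	if (toy_chain_is_set(&c, TOY_CHAIN_TABLE))
		return 5;
	toy_chain_free(&c);
	return c.name == NULL ? 0 : 6;
}
```

The ordering inside toy_set_str() is the part worth copying: allocating before freeing is what makes "object unchanged on error" true, and a daemon that checks the return value can then decide whether to abort the whole transaction or carry on with the previous value.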

Re: Re: [PATCH nf-next 2/3] netfilter: nf_tables: fix an endless jump loop when use vmap

2016-06-14 Thread Pablo Neira Ayuso
On Tue, Jun 14, 2016 at 08:07:41PM +0800, Liping Zhang wrote: > Hi Pablo, > > At 2016-06-14 02:19:02, "Pablo Neira Ayuso" <pa...@netfilter.org> wrote: > >On Sat, Jun 11, 2016 at 12:20:27PM +0800, Liping Zhang wrote: > > > >Thanks for tracking down

Re: [PATCH 1/2 v2,libnftnl] Fix leak in nftnl_*_unset()

2016-06-14 Thread Pablo Neira Ayuso
Applied, thanks Carlos.

Re: [PATCH v2] iptables: extensions: libxt_MARK: Add translation to nft

2016-06-14 Thread Pablo Neira Ayuso
On Thu, Jun 09, 2016 at 12:24:53AM +0200, Roberto García wrote: > diff --git a/extensions/libxt_MARK.c b/extensions/libxt_MARK.c > index 556dbde..ec1ed05 100644 > --- a/extensions/libxt_MARK.c > +++ b/extensions/libxt_MARK.c > @@ -245,6 +245,28 @@ static void mark_tg_save(const void *ip, > const

Re: [PATCH] iptables: extensions: libxt_MARK: Add translation to nft

2016-06-14 Thread Pablo Neira Ayuso
On Tue, Jun 14, 2016 at 07:12:22PM +0200, rodan...@gmail.com wrote: > From: Roberto García > > Add translation for the MARK target to nftables. > > Examples: > > $ sudo iptables-translate -t mangle -A OUTPUT -j MARK --set-mark 64 > > nft add rule ip mangle OUTPUT counter

Re: [PATCH nf] netfilter: conntrack: destroy kmemcache on module removal

2016-06-15 Thread Pablo Neira Ayuso
On Fri, Jun 10, 2016 at 05:25:19PM +0200, Florian Westphal wrote: > I forgot to move the kmem_cache_destroy into the exit path. Applied to nf, thanks Florian.

Re: [PATCH nf-next] netfilter: nf_tables: fix a wrong check to skip the inactive rules

2016-06-15 Thread Pablo Neira Ayuso
On Tue, Jun 14, 2016 at 08:13:04PM +0800, Liping Zhang wrote: > From: Liping Zhang > > nft_genmask_cur has already done the left-shift operation on the gencursor, > so there's no need to do the left-shift operation on it again. > > Fixes: ea4bd995b0f2 ("netfilter: nf_tables:
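A model of the check this patch corrects, added here as an illustration and not taken from the kernel: nf_tables keeps two generation bits per rule, and nft_genmask_cur() already returns the bit (1 << gencursor), so shifting its result a second time tests the wrong bit. The toy_net and toy_rule types and the transaction helpers are hypothetical, and the commit step is simplified to what the check needs.

```c
#include <stdint.h>

/* gencursor is 0 or 1; a set bit in genmask means "inactive in that
 * generation". */
struct toy_net { uint8_t gencursor; };
struct toy_rule { uint8_t genmask; };

/* Like nft_genmask_cur(): returns the BIT for the current generation,
 * so the left shift has already happened here. */
static inline uint8_t genmask_cur(const struct toy_net *net)
{
	return 1 << net->gencursor;
}

/* Like nft_genmask_next(): the bit for the generation being built. */
static inline uint8_t genmask_next(const struct toy_net *net)
{
	return 1 << ((net->gencursor + 1) & 1);
}

/* Correct packet-path check: the mask is already a bit, use it as-is. */
int rule_is_active(const struct toy_rule *r, const struct toy_net *net)
{
	return (r->genmask & genmask_cur(net)) == 0;
}

/* The bug class from the thread: shifting the returned bit again tests
 * 1<<1 or 1<<2 instead of 1<<0 or 1<<1, so rules still pending in a
 * transaction can match and rules scheduled for deletion can be skipped. */
int rule_is_active_double_shift(const struct toy_rule *r,
				const struct toy_net *net)
{
	return (r->genmask & (1 << genmask_cur(net))) == 0;
}

/* Transaction steps in the model: a new rule is inactive now and active
 * next; a deleted rule stays active now and becomes inactive next;
 * commit flips the cursor and clears the stale bit of a surviving rule. */
void rule_add(struct toy_rule *r, const struct toy_net *net)
{
	r->genmask = genmask_cur(net);
}

void rule_delete(struct toy_rule *r, const struct toy_net *net)
{
	r->genmask |= genmask_next(net);
}

void commit(struct toy_net *net, struct toy_rule *r)
{
	net->gencursor ^= 1;
	r->genmask &= ~genmask_next(net);
}

/* Integer wrappers so one (genmask, gencursor) pair can be probed. */
int check_active(uint8_t genmask, uint8_t gencursor)
{
	struct toy_rule r = { genmask };
	struct toy_net n = { gencursor };

	return rule_is_active(&r, &n);
}

int check_active_double_shift(uint8_t genmask, uint8_t gencursor)
{
	struct toy_rule r = { genmask };
	struct toy_net n = { gencursor };

	return rule_is_active_double_shift(&r, &n);
}

/* Number of the 8 (genmask, gencursor) states where the two checks
 * disagree. */
int count_disagreements(void)
{
	int n = 0;
	uint8_t m, c;

	for (c = 0; c < 2; c++)
		for (m = 0; m < 4; m++)
			if (check_active(m, c) != check_active_double_shift(m, c))
				n++;
	return n;
}

/* One add/commit/delete cycle; bit0 = active after add, bit1 = active
 * after commit, bit2 = active after delete-but-not-yet-committed. */
int transaction_demo(void)
{
	struct toy_net net = { 0 };
	struct toy_rule r = { 0 };
	int bits = 0;

	rule_add(&r, &net);
	bits |= rule_is_active(&r, &net) << 0;	/* pending: not yet visible */
	commit(&net, &r);
	bits |= rule_is_active(&r, &net) << 1;	/* committed: visible */
	rule_delete(&r, &net);
	bits |= rule_is_active(&r, &net) << 2;	/* still visible until commit */
	return bits;
}
```

Half of the eight possible states come out wrong under the double shift, which is why the bug is not caught by a ruleset that never has a transaction in flight: with genmask 0 both checks agree.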

Re: Re: [PATCH nf-next 2/3] netfilter: nf_tables: fix an endless jump loop when use vmap

2016-06-15 Thread Pablo Neira Ayuso
On Tue, Jun 14, 2016 at 05:38:51PM +0200, Pablo Neira Ayuso wrote: > From e067bde1535ca78d9c8fea9f49f86c0731274732 Mon Sep 17 00:00:00 2001 > From: Pablo Neira Ayuso <pa...@netfilter.org> > Date: Sat, 11 Jun 2016 12:20:27 +0800 > Subject: [PATCH] netfilter: nf_tables: reject loop

Re: [PATCH nf-next 1/3] netfilter: nf_tables: fix wrong check of NFT_SET_MAP in nf_tables_bind_set

2016-06-15 Thread Pablo Neira Ayuso
On Sat, Jun 11, 2016 at 12:20:26PM +0800, Liping Zhang wrote: > From: Liping Zhang > > We should check "i" is used as a dictionary or not, "binding" is already > checked before. I've applied this to nf, I qualify this as a fix, thanks.

Re: [PATCH nf-next 3/3] netfilter: nf_tables: fix wrong destroy anonymous sets if binding fails

2016-06-15 Thread Pablo Neira Ayuso
On Sat, Jun 11, 2016 at 12:20:28PM +0800, Liping Zhang wrote: > From: Liping Zhang > > When we add an nft rule as follows: > # nft add rule filter test tcp dport vmap {1: jump test} > -ELOOP error will be returned, and the anonymous set will be > destroyed. > >
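The validation that returns -ELOOP for `nft add rule filter test tcp dport vmap {1: jump test}`, written as an added C example rather than nf_tables code: chains are nodes, every jump destination is an edge whether it is given directly or as a verdict-map value, and a depth-first walk rejects any edge back onto the current path. The toy_table layout and the sample rulesets are constructed for this illustration.

```c
#include <errno.h>
#include <string.h>

#define MAX_CHAINS 8
#define MAX_TARGETS 4

/* A chain and the chains it can jump to, collected from plain jump
 * verdicts and from the values of verdict maps alike. */
struct toy_chain {
	const char *name;
	int ntargets;
	const char *targets[MAX_TARGETS];
};

struct toy_table {
	int nchains;
	struct toy_chain chains[MAX_CHAINS];
};

static int chain_index(const struct toy_table *t, const char *name)
{
	int i;

	for (i = 0; i < t->nchains; i++)
		if (strcmp(t->chains[i].name, name) == 0)
			return i;
	return -1;
}

/* state: 0 = unvisited, 1 = on the current walk path, 2 = fully checked */
static int walk(const struct toy_table *t, int idx, int *state)
{
	const struct toy_chain *c = &t->chains[idx];
	int i;

	state[idx] = 1;
	for (i = 0; i < c->ntargets; i++) {
		int j = chain_index(t, c->targets[i]);

		if (j < 0)
			return -ENOENT;		/* jump to a chain that does not exist */
		if (state[j] == 1)
			return -ELOOP;		/* edge back onto the current path */
		if (state[j] == 0) {
			int err = walk(t, j, state);

			if (err)
				return err;
		}
	}
	state[idx] = 2;
	return 0;
}

/* 0 if no jump cycle exists, otherwise a negative errno. */
int toy_table_validate(const struct toy_table *t)
{
	int state[MAX_CHAINS] = { 0 };
	int i;

	for (i = 0; i < t->nchains; i++) {
		if (state[i] == 0) {
			int err = walk(t, i, state);

			if (err)
				return err;
		}
	}
	return 0;
}

/* Constructed: chain "test" jumps to itself through a vmap value, the
 * case from the thread (tcp dport vmap { 1 : jump test }). */
int demo_self_loop_via_vmap(void)
{
	struct toy_table t = { 1, { { "test", 1, { "test" } } } };

	return toy_table_validate(&t);
}

/* Constructed: input -> test -> input through two plain jumps. */
int demo_two_chain_loop(void)
{
	struct toy_table t = { 2, {
		{ "input", 1, { "test" } },
		{ "test", 1, { "input" } },
	} };

	return toy_table_validate(&t);
}

/* Constructed: a diamond (input -> test, input -> log, test -> log) that
 * shares a chain but contains no cycle. */
int demo_acyclic(void)
{
	struct toy_table t = { 3, {
		{ "input", 2, { "test", "log" } },
		{ "test", 1, { "log" } },
		{ "log", 0, { 0 } },
	} };

	return toy_table_validate(&t);
}
```

The three-state marking matters: a chain reached twice along different paths (the diamond) is legitimate and must not be reported, only a chain reached again while it is still on the path being walked is a loop.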

Re: [nft PATCH] tests/shell: delete unused variable in run-tests.sh

2016-06-15 Thread Pablo Neira Ayuso
On Sat, Jun 11, 2016 at 12:19:17PM +0200, Arturo Borrero Gonzalez wrote: > This ${TESTS_OUTPUT} variable is empty. Delete it. > > It was probably an idea about dynamically redirecting testcases output. Applied, thanks.

Re: [nft PATCH] tests/shell: cleanup tempfile handling in testcases/sets/cache_handling_0

2016-06-15 Thread Pablo Neira Ayuso
On Sat, Jun 11, 2016 at 12:25:59PM +0200, Arturo Borrero Gonzalez wrote: > It uses a bogus pattern which was cleaned up already in other testcases, > and this is a leftover. Also applied, thanks.

Re: [PATCH nft] tests: shell: add endless jump loop tests

2016-06-15 Thread Pablo Neira Ayuso
On Mon, Jun 13, 2016 at 08:53:55PM +0800, Liping Zhang wrote: > From: Liping Zhang > > Add some tests for endless jump loop validation. Applied, thanks for adding new tests to catch this problem.

Re: [PATCH] netfilter: fix buffer null termination

2016-06-15 Thread Pablo Neira Ayuso
On Tue, Jun 14, 2016 at 09:52:49PM +0530, Kishan Sandeep wrote: > Hi Pablo, > > On Tue, Jun 14, 2016 at 8:38 PM, Pablo Neira Ayuso <pa...@netfilter.org> > wrote: > > Cc'ing netfilter-devel. > > > > On Tue, Jun 14, 2016 at 07:39:27PM +0530, Kishan Sandeep w

Re: [PATCH] ip6tables: Warn about use of DROP in nat table

2016-06-15 Thread Pablo Neira Ayuso
On Fri, Jun 10, 2016 at 02:57:58PM +0200, Thomas Woerner wrote: > Clone of 1eada72b with 9bb76094 and e0390bee on top. Applied, thanks Thomas.

Re: [PATCH] netfilter/nflog: nflog-range does not truncate packets

2016-06-15 Thread Pablo Neira Ayuso
On Sun, Jun 12, 2016 at 11:40:57PM -0400, Vishwanath Pai wrote: > On 06/09/2016 01:57 PM, Vishwanath Pai wrote: > > On 06/08/2016 08:16 AM, Pablo Neira Ayuso wrote: > >> Looking again at your code: > >> > >> case NFULNL_COPY_PACKET: > >> -

Re: [PATCHv2] extensions: libip6t_frag: Add translation to nft

2016-06-06 Thread Pablo Neira Ayuso
On Mon, Jun 06, 2016 at 09:25:46PM +0200, Laura Garcia Liebana wrote: > Add translation for frag to nftables. According to the --fraglen code: > > case O_FRAGLEN: > /* As of Linux 3.0, the kernel does not check for fraglen at all. >

Re: [PATCHv2] extensions: libxt_dscp: Add translation to nft

2016-06-06 Thread Pablo Neira Ayuso
On Mon, Jun 06, 2016 at 08:51:04PM +0200, Laura Garcia Liebana wrote: > Add translation for dscp to nftables, for both ipv4 and ipv6. > > Examples: > > $ sudo iptables-translate -t filter -A INPUT -m dscp --dscp 0x32 -j ACCEPT > nft add rule ip filter INPUT ip dscp 0x32 counter accept > > $

Re: [PATCHv2] extensions: libip6t_frag: Add translation to nft

2016-06-06 Thread Pablo Neira Ayuso
On Tue, Jun 07, 2016 at 12:43:45AM +0200, Pablo Neira Ayuso wrote: > On Mon, Jun 06, 2016 at 09:25:46PM +0200, Laura Garcia Liebana wrote: > > Add translation for frag to nftables. According to the --fraglen code: > > > > case O_FRAGLEN: > > /* > &g

Re: [PATCH v3] xtables: Add a smaller delay option when waiting for xtables lock

2016-06-06 Thread Pablo Neira Ayuso
g. > > v2->v3: Move the millisecond behavior to a new option as suggested > by Pablo. > > Cc: Liping Zhang <zlpnob...@gmail.com> > Cc: Pablo Neira Ayuso <pa...@netfilter.org> > Signed-off-by: Subash Abhinov Kasiviswanathan <subas...@codeaurora.org> >

Re: [PATCH 1/1] payload: don't update protocol context if we can't find a description

2016-06-06 Thread Pablo Neira Ayuso
rashes while testing protocols 6 or 17 > (tcp, udp) works. > > Also add a test case for this. > > Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1072 > Signed-off-by: Florian Westphal <f...@strlen.de> Thanks for fixing this! Acked-by: Pablo Neira Ayuso <pa...@net

Re: [PATCH] netfilter/nflog: nflog-range does not truncate packets

2016-06-06 Thread Pablo Neira Ayuso
On Wed, Jun 01, 2016 at 08:23:54PM -0400, Vishwanath Pai wrote: > netfilter/nflog: nflog-range does not truncate packets > > The --nflog-range parameter from userspace is ignored in the kernel and > the entire packet is sent to the userspace. The per-instance parameter > copy_range still works,

[PATCH 2/2] ipvs: update real-server binding of outgoing connections in SIP-pe

2016-06-06 Thread Pablo Neira Ayuso
From: Marco Angaroni Previous patch that introduced handling of outgoing packets in SIP persistent-engine did not call ip_vs_check_template() in case packet was matching a connection template. Assumption was that real-server was healthy, since it was sending a packet

[PATCH 0/2] Netfilter/IPVS fixes for net

2016-06-06 Thread Pablo Neira Ayuso
Hi David, The following patchset contains two Netfilter/IPVS fixes for your net tree, they are: 1) Fix missing alignment in next offset calculation for standard targets, introduced in the previous merge window, patch from Florian Westphal. 2) Fix to correct the handling of outgoing

Re: [PATCH] nf_queue: Make the queue_handler pernet

2016-05-30 Thread Pablo Neira Ayuso
On Fri, May 13, 2016 at 09:18:52PM -0500, Eric W. Biederman wrote: > > Florian Weber reported: > > Under full load (unshare() in loop -> OOM conditions) we can > > get kernel panic: > > > > BUG: unable to handle kernel NULL pointer dereference at 0008 > > IP: []

Re: [PATCH nf-next] netfilter: remove leftover binary sysctl define

2016-05-30 Thread Pablo Neira Ayuso
On Fri, May 13, 2016 at 10:48:51PM +0200, Florian Westphal wrote: > Users got removed in f8572d8f2a2ba ("sysctl net: Remove unused binary > sysctl code"). This is very small, related to changes from the previous release cycle and non-intrusive. So I'm placing this in the nf tree. Applied,

Re: [PATCH nf] netfilter: set again FLOWI_FLAG_KNOWN_NH at flowi6_flags

2016-05-30 Thread Pablo Neira Ayuso
On Thu, May 26, 2016 at 07:08:10PM +0200, Paolo Abeni wrote: > With the commit 48e8aa6e3137 ("ipv6: Set FLOWI_FLAG_KNOWN_NH at > flowi6_flags") ip6_pol_route() callers were asked to set the > FLOWI_FLAG_KNOWN_NH properly and xt_TEE was updated accordingly, > but with the later refactor in

Re: [PATCH nf] netfilter: nf_tables: validate NFTA_SET_TABLE parameter

2016-05-30 Thread Pablo Neira Ayuso
On Fri, May 27, 2016 at 01:34:04PM -0400, Phil Turnbull wrote: > If the NFTA_SET_TABLE parameter is missing and the NLM_F_DUMP flag is > not set, then a NULL pointer dereference is triggered in > nf_tables_set_lookup because ctx.table is NULL. Applied, thanks.

Re: [PATCH nft] parser: fix crash if we add a chain with an error chain type

2016-05-30 Thread Pablo Neira Ayuso
On Sun, May 29, 2016 at 07:25:37PM +0800, Liping Zhang wrote: > From: Liping Zhang > > If we add a chain and specify a nonexistent chain type, > chain_type_name_lookup will return a NULL pointer, and hit the assert condition in xstrdup. > Fix crash like this: >

Re: [PATCH nft 1/3] datatype: fix parsing of tchandle type

2016-05-30 Thread Pablo Neira Ayuso
On Sun, May 29, 2016 at 06:08:07PM +0800, Liping Zhang wrote: > From: Liping Zhang > > Properly detect tchandle strings in the lexer without quotation marks, > otherwise nft will complain about a syntax error like this: > > # nft add rule filter test meta priority set

Re: [PATCH 1/2 libnftnl] set_elem: Copy user data memory

2016-05-30 Thread Pablo Neira Ayuso
On Fri, May 27, 2016 at 04:56:54PM +0200, Carlos Falgueras García wrote: > All attributes are passed by copy, so user data should be copied too. Applied, thanks.

Re: [PATCH nf] netfilter: nf_ct_helper: bail out on duplicated ports

2016-05-30 Thread Pablo Neira Ayuso
On Wed, May 25, 2016 at 11:13:57AM +0200, Pablo Neira Ayuso wrote: > Compare the helper name up to the dash, so we can catch if the user has > supplied duplicated ports via module parameters. > > Reported-by: Feng Gao <gfree.w...@gmail.com> > Reported-by: Taehee Yoo <ap42

Re: [PATCH nft 3/3] meta: fix a format error display when we set priority to root or none

2016-05-30 Thread Pablo Neira Ayuso
On Sun, May 29, 2016 at 06:08:09PM +0800, Liping Zhang wrote: > From: Liping Zhang > > Also delete the redundant '\n'. > This fixes: > > # nft add rule filter test meta priority set root > # nft list chain filter test > table ip filter { > chain test { >

Re: [PATCH nft 2/3] meta: fix endianness in priority

2016-05-30 Thread Pablo Neira Ayuso
On Sun, May 29, 2016 at 06:08:08PM +0800, Liping Zhang wrote: > From: Liping Zhang > > For example, after we add rule to set priority 1:2, it will be displayed in > network > byte order as 0200:0100, this is wrong: > > # nft add rule filter test meta priority set

Re: [PATCH 2/2 nft] set_elem: Use libnftnl/udata to store set element comment

2016-05-30 Thread Pablo Neira Ayuso
On Fri, May 27, 2016 at 04:56:55PM +0200, Carlos Falgueras García wrote: > The set element comment is stored in nftnl_set_elem->user.data using > libnftnl/udata infrastructure. This allows storing multiple variable-length > user data in a set element. Applied, thanks.

[ANNOUNCE] libnftnl 1.0.6 release

2016-05-30 Thread Pablo Neira Ayuso
Florian Westphal (4): src: rename EXPORT_SYMBOL to EXPORT_SYMBOL_ALIAS src: add trace infrastructure support src: ct: add packet and byte counter support src: meta: add prandom support Pablo Neira Ayuso (13): expr: limit: add burst attribute expr: limit: add per-byte

Re: [PATCH nft] parser: Check commentaries length

2016-05-30 Thread Pablo Neira Ayuso
On Mon, May 30, 2016 at 05:41:00PM +0200, Carlos Falgueras García wrote: > Checks the maximum commentary length and reports to the user in case of error. > > The commentary rule of the parser was simplified in order to centralize the > length checking. > > Signed-off-by: Carlos Falgueras García

Re: [PATCH libnfntl] Check all strdup

2016-05-30 Thread Pablo Neira Ayuso
On Mon, May 30, 2016 at 07:03:42PM +0200, Carlos Falgueras García wrote: > diff --git a/src/set.c b/src/set.c > index dbea93b..65b8f1e 100644 > --- a/src/set.c > +++ b/src/set.c > @@ -291,10 +295,16 @@ struct nftnl_set *nftnl_set_clone(const struct > nftnl_set *set) > > memcpy(newset,

[PATCH nf,v2] netfilter: nf_ct_helper: bail out on duplicated helpers

2016-05-30 Thread Pablo Neira Ayuso
-by: Feng Gao <gfree.w...@gmail.com> Reported-by: Taehee Yoo <ap420...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_helper.c | 9 - 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/net/netfilter/nf_conntra

Re: [PATCH v2] extensions: libxt_multiport: Add translation to nft

2016-05-30 Thread Pablo Neira Ayuso
On Tue, May 31, 2016 at 12:08:57AM +0200, Arturo Borrero Gonzalez wrote: > On 30 May 2016 at 21:47, Laura Garcia Liebana wrote: > > Add translation for multiport to nftables, which is supported natively. > > > > Examples: > > > > $ sudo iptables-translate -t filter -A INPUT -p

Re: [PATCH v2] extensions: libxt_multiport: Add translation to nft

2016-05-31 Thread Pablo Neira Ayuso
On Tue, May 31, 2016 at 10:23:31AM +0200, Arturo Borrero Gonzalez wrote: > On 31 May 2016 at 00:41, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > > This is not yet supported. This requires a small kernel patch to allow > > inversions in the nft_lookup.c. Then,

Re: [PATCH] doc: fix old parameters and update datatypes

2016-06-02 Thread Pablo Neira Ayuso
On Thu, Jun 02, 2016 at 12:25:13AM +0200, Laura Garcia Liebana wrote: > Fix old identifiers like 'ipcomp' and 'op' with 'comp' and 'operation' > instead. Update some FIXME datatypes. Applied, thanks Laura.

Re: [PATCH 1/2,libnftnl] Free user data in unsetters

2016-06-02 Thread Pablo Neira Ayuso
On Thu, Jun 02, 2016 at 12:55:38PM +0200, Pablo Neira Ayuso wrote: > On Thu, Jun 02, 2016 at 12:40:23PM +0200, Carlos Falgueras García wrote: > > Signed-off-by: Carlos Falgueras García <carlo...@riseup.net> > > --- > > src/rule.c | 2 ++ > > src/set_elem

Re: [PATCH] extensions: libip6t_hbh: Add translation to nft

2016-06-02 Thread Pablo Neira Ayuso
On Thu, Jun 02, 2016 at 12:08:08AM +0200, Laura Garcia Liebana wrote: > Add translation for Hop-By-Hop header to nftables. Hbh options are not > supported yet in nft. It would be good to document this in the wiki, as Shivani did already. It would be also good if you can document what is missing

Re: [PATCH v3] extensions: libxt_multiport: Add translation to nft

2016-06-02 Thread Pablo Neira Ayuso
On Wed, Jun 01, 2016 at 10:16:18PM +0200, Laura Garcia wrote: > On Wed, Jun 01, 2016 at 04:43:45PM +0200, Arturo Borrero Gonzalez wrote: > > On 31 May 2016 at 20:26, Laura Garcia Liebana wrote: > > > +static int __multiport_xlate_v1(const void *ip, > > > +

Re: [PATCH 2/2,libnftnl] Check memory allocations in setters

2016-06-02 Thread Pablo Neira Ayuso
On Thu, Jun 02, 2016 at 12:40:24PM +0200, Carlos Falgueras García wrote: > When you set an object attribute the memory is copied, sometimes an > allocation is needed and it must be checked. Currently all setter methods > return void, so the policy adopted in case of error is to keep the object >

Re: [PATCH nf] netfilter: x_tables: don't reject valid target size on some architectures

2016-06-02 Thread Pablo Neira Ayuso
On Wed, Jun 01, 2016 at 02:04:44AM +0200, Florian Westphal wrote: > Quoting John Stultz: > In updating a 32bit arm device from 4.6 to Linus' current HEAD, I > noticed I was having some trouble with networking, and realized that > /proc/net/ip_tables_names was suddenly empty. > Digging
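Why the report quoted above shows up on a 32-bit ARM device but not on x86, as an added C example that is not kernel code: it computes sizeof(struct xt_standard_target) and XT_ALIGN() of that size from a few ABI parameters, so all three cases can be checked on one machine. Field sizes follow <linux/netfilter/x_tables.h>; the abi struct, the ABI tables and the helper names belong to this example only.

```c
#include <stddef.h>

/*
 * Layout inputs per ABI. Field sizes modelled:
 *   xt_entry_target.u.user   = __u16 size, char name[29], __u8 revision
 *   xt_entry_target.u.kernel = __u16 size, struct xt_target *target
 *   xt_standard_target       = xt_entry_target target, int verdict
 */
struct abi {
	const char *name;
	size_t ptr_size;	/* sizeof(void *) */
	size_t ptr_align;	/* alignof(void *) */
	size_t u64_align;	/* alignof(__u64): 8 on x86-64 and ARM EABI, 4 on i386 */
};

const struct abi abi_x86_64 = { "x86-64", 8, 8, 8 };
const struct abi abi_i386   = { "i386", 4, 4, 4 };
const struct abi abi_arm32  = { "arm32 (EABI)", 4, 4, 8 };

static size_t round_up(size_t v, size_t a)
{
	return (v + a - 1) & ~(a - 1);
}

/* XT_ALIGN(s): round s up to alignof(struct _xt_align { __u8; __u16;
 * __u32; __u64; }), which is alignof(__u64) on every ABI above. */
size_t xt_align(size_t s, const struct abi *abi)
{
	return round_up(s, abi->u64_align);
}

/* sizeof(struct xt_standard_target) under the given ABI. */
size_t standard_target_sizeof(const struct abi *abi)
{
	size_t user_size = 2 + 29 + 1;				/* 32 bytes, align 2 */
	size_t kernel_size = round_up(round_up(2, abi->ptr_align) + abi->ptr_size,
				      abi->ptr_align);
	size_t union_align = abi->ptr_align > 2 ? abi->ptr_align : 2;
	size_t union_size = round_up(user_size > kernel_size ? user_size : kernel_size,
				     union_align);
	size_t struct_align = union_align > 4 ? union_align : 4;	/* int verdict */

	return round_up(union_size + sizeof(int), struct_align);
}

/* What iptables puts in target_size: the XT_ALIGN()ed size. */
size_t userspace_standard_target_size(const struct abi *abi)
{
	return xt_align(standard_target_sizeof(abi), abi);
}

/* The check before the fix: accepts only the raw sizeof(). */
int size_ok_raw(size_t target_size, const struct abi *abi)
{
	return target_size == standard_target_sizeof(abi);
}

/* The check after the fix: compares against the aligned size. */
int size_ok_aligned(size_t target_size, const struct abi *abi)
{
	return target_size == xt_align(standard_target_sizeof(abi), abi);
}

/* 1 if the raw check rejects what userspace sends on this ABI, which is
 * the "/proc/net/ip_tables_names is suddenly empty" symptom. */
int raw_check_breaks(const struct abi *abi)
{
	return !size_ok_raw(userspace_standard_target_size(abi), abi);
}
```

The numbers the model produces: 40 bytes on x86-64 both ways, 36 both ways on i386, but 36 raw against 40 aligned on 32-bit ARM, where pointers are 4-byte aligned yet __u64 needs 8. Only the third combination makes sizeof() and XT_ALIGN(sizeof()) differ, which is why the original check passed on the developers' machines and failed on the ARM board.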

Re: [PATCH] extensions: libxt_connmark: Fix order of mask and mark

2016-06-02 Thread Pablo Neira Ayuso
On Wed, Jun 01, 2016 at 11:38:27PM +0530, Shivani Bhardwaj wrote: > The order of mask and mark in the output is wrong. This has been pointed > out: > http://git.netfilter.org/iptables/commit/?id=8548dd253833027c68ac6400c3118ef788fabe5d > by Liping Zhang . > This patch

Re: [PATCH] extensions: libxt_devgroup: Fix order of mask and id

2016-06-02 Thread Pablo Neira Ayuso
On Thu, Jun 02, 2016 at 06:54:42PM +0530, Shivani Bhardwaj wrote: > The order of mask and id in the translated code is not apt > so fix it. > This patch follows commit 8548dd by Liping Zhang. Applied, thanks.

[ANNOUNCE] nftables 0.6 release

2016-06-02 Thread Pablo Neira Ayuso
ts tests/py: modify supported test file syntax tests/py: update test files syntax rule: add 'list flow tables' support rule: add support for display flow tables content src: add 'list maps' support src: add support for display maps content evaluate: fix &q

Re: Next libmnl release

2016-06-02 Thread Pablo Neira Ayuso
On Thu, Jun 02, 2016 at 06:21:50PM +0200, Guillaume Nault wrote: > Hi, > > Are there any plans for a new libmnl release? Sure there aren't so many > changes, but there are still valuable features, fixes and documentation > updates. Releasing a new version and updating the online documentation >

Re: [PATCH nft v2] evaluate: fix "list set" unexpected behaviour

2016-06-01 Thread Pablo Neira Ayuso
On Wed, Jun 01, 2016 at 12:16:51PM +0200, Pablo M. Bermudo Garay wrote: > Special sets like maps and flow tables have their own commands to be > listed and inspected. > > Before this patch, "nft list set" was able to display these special sets > content: > > # nft list set filter test >

[PATCH 5/7] netfilter: nf_dup_ipv6: set again FLOWI_FLAG_KNOWN_NH at flowi6_flags

2016-06-01 Thread Pablo Neira Ayuso
824a ("netfilter: factor out packet duplication for IPv4/IPv6") the flowi6_flags update was lost. This commit re-add it just before the routing decision. Fixes: bbde9fc1824a ("netfilter: factor out packet duplication for IPv4/IPv6") Signed-off-by: Paolo Abeni <pab...@redhat.co

[PATCH 3/7] netfilter: nf_queue: Make the queue_handler pernet

2016-06-01 Thread Pablo Neira Ayuso
pernet exit path is not experienced in batch mode. Reported-by: Florian Westphal <f...@strlen.de> Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> Acked-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfil

[PATCH 2/7] netfilter: conntrack: remove leftover binary sysctl define

2016-06-01 Thread Pablo Neira Ayuso
From: Florian Westphal <f...@strlen.de> Users got removed in f8572d8f2a2ba ("sysctl net: Remove unused binary sysctl code"). Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_standal

[PATCH 1/7] netfilter: nfnetlink_queue: fix timestamp attribute

2016-06-01 Thread Pablo Neira Ayuso
rian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nfnetlink_queue.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index cb5b630..e34256

[PATCH 4/7] netfilter: nf_ct_helper: Fix helper unregister count.

2016-06-01 Thread Pablo Neira Ayuso
From: Taehee Yoo <ap420...@gmail.com> helpers should unregister the only registered ports. but, helper cannot have correct registered ports value when failed to register. Signed-off-by: Taehee Yoo <ap420...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>

[PATCH 6/7] netfilter: nf_tables: validate NFTA_SET_TABLE parameter

2016-06-01 Thread Pablo Neira Ayuso
; Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_tables_api.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 2011977..6947e25 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_table

[PATCH 7/7] netfilter: nf_ct_helper: bail out on duplicated helpers

2016-06-01 Thread Pablo Neira Ayuso
-by: Feng Gao <gfree.w...@gmail.com> Reported-by: Taehee Yoo <ap420...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_helper.c | 9 - 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/net/netfilter/nf_conntra

[PATCH 0/7] Netfilter fixes for net

2016-06-01 Thread Pablo Neira Ayuso
. Biederman (1): netfilter: nf_queue: Make the queue_handler pernet Florian Westphal (2): netfilter: nfnetlink_queue: fix timestamp attribute netfilter: conntrack: remove leftover binary sysctl define Pablo Neira Ayuso (1): netfilter: nf_ct_helper: bail out on duplicated

[PATCH nft] Bump version to v0.6

2016-06-01 Thread Pablo Neira Ayuso
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 0d7e6ed..0e7edcf 100644 --- a/configure.ac +++ b/configure.ac @@ -4,7 +4,7 @@ AC_PREREQ(2.61) AC_COPYRIGHT([Cop

Re: [PATCH] extensions: libxt_mark: fix a wrong translation to nft when mask is specified

2016-06-01 Thread Pablo Neira Ayuso
On Wed, Jun 01, 2016 at 08:07:17PM +0800, Liping Zhang wrote: > From: Liping Zhang > > The mask and mark's order is reversed, so when we specify the mask, we will > get the wrong translation result: > # iptables-translate -A INPUT -m mark --mark 0x1/0xff > nft

Re: [PATCH] extensions: libxt_ipcomp: Add translation to nft

2016-06-01 Thread Pablo Neira Ayuso
On Wed, Jun 01, 2016 at 12:06:59AM +0200, Laura Garcia Liebana wrote: > Add translation of ipcomp to nftables. > > First value of the parameter 'ipcompspi' will be translated to 'cpi' > parameter in nftables. Parameter 'compres' is not supported in nftables. > > Examples: > > $ sudo

Re: [nf-next PATCH v2] netfilter: nf_tables: add support for inverted login in nft_lookup

2016-05-31 Thread Pablo Neira Ayuso
On Tue, May 31, 2016 at 01:57:16PM +0200, Arturo Borrero Gonzalez wrote: > @@ -55,6 +58,7 @@ static int nft_lookup_init(const struct nft_ctx *ctx, > { > struct nft_lookup *priv = nft_expr_priv(expr); > struct nft_set *set; > + u32 flags; > int err; > > if
