In case almost or all available ports are taken, clash resolution can
take a very long time, resulting in soft lockup.
This can happen when many to-be-natted hosts connect to same
destination:port (e.g. a proxy) and all connections pass the same SNAT.
Pick a random offset in the acceptable
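The commit message above describes the kernel's SNAT port search. What follows is an added user-space model written for this page, not the kernel's nf_nat code: it contrasts the exhaustive walk over the whole port range with a search capped at a fixed number of attempts from a pseudo-random offset, and counts the probes each one makes when the range is nearly full. The `port_space` bitmap, the `attempts` value, the caller-supplied offset and the probe counter are assumptions standing in for nf_nat_used_tuple() and the conntrack table.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical user-space model of the SNAT port-clash search; it is not
 * the kernel's nf_nat code. The "used" bitmap stands in for
 * nf_nat_used_tuple(): bit p set means port p already has a mapping. */
struct port_space {
    uint16_t min;          /* first port of the allowed range */
    uint32_t range_size;   /* number of ports in the range */
    uint8_t  used[8192];   /* one bit per port, 65536 ports */
};

static bool port_used(const struct port_space *ps, uint16_t port)
{
    return (ps->used[port / 8] >> (port % 8)) & 1u;
}

static void mark_used(struct port_space *ps, uint16_t port)
{
    ps->used[port / 8] |= (uint8_t)(1u << (port % 8));
}

/* Old behaviour: walk the whole range from `off` until a free port turns
 * up. With the range nearly full this probes up to range_size ports for
 * every new connection. `*probes` counts the ports tested. Returns the
 * port, or -1 when the whole range is occupied. */
static int find_port_exhaustive(const struct port_space *ps, uint32_t off,
                                unsigned int *probes)
{
    *probes = 0;
    for (uint32_t i = 0; i < ps->range_size; i++, off++) {
        uint16_t port = (uint16_t)(ps->min + off % ps->range_size);

        (*probes)++;
        if (!port_used(ps, port))
            return port;
    }
    return -1;
}

/* New behaviour: start at a pseudo-random offset (supplied by the caller)
 * and give up after `attempts` probes, so the per-connection cost no
 * longer grows with the number of occupied ports. Returns the port or -1;
 * -1 here means "no mapping", not "keep searching". */
static int find_port_bounded(const struct port_space *ps, uint32_t off,
                             unsigned int attempts, unsigned int *probes)
{
    *probes = 0;
    for (unsigned int i = 0; i < attempts; i++, off++) {
        uint16_t port = (uint16_t)(ps->min + off % ps->range_size);

        (*probes)++;
        if (!port_used(ps, port))
            return port;
    }
    return -1;
}

/* Constructed test fixture: occupy every port in [min, min + range_size)
 * except `spare`, or all of them when spare is negative, to model the
 * "almost or all available ports are taken" condition. */
static void fill_range(struct port_space *ps, uint16_t min,
                       uint32_t range_size, int spare)
{
    memset(ps, 0, sizeof(*ps));
    ps->min = min;
    ps->range_size = range_size;
    for (uint32_t i = 0; i < range_size; i++) {
        int port = (int)min + (int)i;

        if (port != spare)
            mark_used(ps, (uint16_t)port);
    }
}
```

With all 64512 ports of the 1024-65535 range taken, the exhaustive walk probes every port before failing, while the bounded search stops after `attempts`; that difference, multiplied by many clients behind the same SNAT hitting one destination, is the soft lockup the message describes. The price is that a bounded search can miss a free port, so the caller has to treat -1 as a failed mapping rather than loop again.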
Sorry already patched. Ignore this.
On Sat, 8 Dec 2018 at 20:29, Ansuel Smith wrote:
>
> Think is triggered with nftables support
>
> In file included from
> /home/daniel/Build/openwrt-ath79/staging_dir/toolchain-mips_24kc_gcc-7.3.0_musl/include/net/ethernet.h:10:0,
>
Think is triggered with nftables support
In file included from
/home/daniel/Build/openwrt-ath79/staging_dir/toolchain-mips_24kc_gcc-7.3.0_musl/include/net/ethernet.h:10:0,
from ../iptables/nft-bridge.h:8,
from libebt_vlan.c:18:
Xiaozhou Liu wrote:
> > + for (i = 0; i < attempts; ++off) {
> > *portptr = htons(min + off % range_size);
> > - if (++i != range_size && nf_nat_used_tuple(tuple, ct))
> > + if (nf_nat_used_tuple(tuple, ct))
> > continue;
> > if
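Review bot: with `++i` dropped from the `if`, nothing in the loop advances `i`, so `for (i = 0; i < attempts; ++off)` can only exit when nf_nat_used_tuple() reports a free port and the `attempts` bound never triggers; move the increment into the loop header, e.g. `for (i = 0; i < attempts; ++i, ++off)`.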
On Sat, Dec 08, 2018 at 11:07:44AM +0100, Florian Westphal wrote:
> Pablo,
>
> this will unfortunately result in a nf-next merge conflict
> due to *rover removal in nf-next.
> I can send a patch vs. nf-next instead if you prefer.
>
> net/netfilter/nf_nat_proto_common.c | 26
In case almost or all available ports are taken, clash resolution can
take a very long time, resulting in soft lockup.
This can happen when many to-be-natted hosts connect to same
destination:port (e.g. a proxy) and all connections pass the same SNAT.
Pick a random offset in the acceptable
rbnode in insert_tree() is an rcu protected pointer.
So, in order to handle this pointer, an _rcu function should be used.
rb_link_node_rcu() is a rcu version of rb_link_node().
Fixes: 34848d5c896e ("netfilter: nf_conncount: Split insert and traversal")
Signed-off-by: Taehee Yoo
---
On Fri, Dec 07, 2018 at 02:05:15PM +0100, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > Add ip-saddr, ip-daddr, ether-saddr, ether-daddr for arp, eg.
> >
> > # nft add table arp x
> > # nft add chain arp x y { type filter hook input priority 0\; }
> > # nft add rule arp x y arp
Pablo Neira Ayuso wrote:
> Add ip-saddr, ip-daddr, ether-saddr, ether-daddr for arp, eg.
>
> # nft add table arp x
> # nft add chain arp x y { type filter hook input priority 0\; }
> # nft add rule arp x y arp ip-saddr 192.168.2.1 counter
'arp {ip,ether} {s,d}addr' would create ambiguities?
Add ip-saddr, ip-daddr, ether-saddr, ether-daddr for arp, eg.
# nft add table arp x
# nft add chain arp x y { type filter hook input priority 0\; }
# nft add rule arp x y arp ip-saddr 192.168.2.1 counter
Testing this:
# ip neigh flush dev eth0
# ping 8.8.8.8
# nft list ruleset
table arp
On Wed, Dec 05, 2018 at 02:12:19PM +0100, Florian Westphal wrote:
> When adjusting sack block sequence numbers, skb_make_writable() gets
> called to make sure tcp options are all in the linear area, and buffer
> is not shared.
>
> This can cause tcp header pointer to get reallocated, so we must
>
On Thu, Dec 06, 2018 at 05:17:50PM +0100, Phil Sutter wrote:
> This series implements a rule list in chains to allow for per chain rule
> caches in iptables-nft as well as nftables.
>
> A second patch then adds utility functions for chain and rule lookups,
> preparing for further optimizing these
This series implements a rule list in chains to allow for per chain rule
caches in iptables-nft as well as nftables.
A second patch then adds utility functions for chain and rule lookups,
preparing for further optimizing these tasks in a transparent way since
users won't open-code the chain/rule
For now, these lookup functions simply iterate over the linked list
until they find the right entry. In future, they may make use of more
optimized data structures behind the curtains.
Signed-off-by: Phil Sutter
---
include/libnftnl/chain.h | 2 ++
src/chain.c | 28
Currently DNS resolvers that send both A and queries from same source port
can trigger stream mode prematurely, which results in a non-early-evictable
conntrack entry for three minutes, even though DNS requests are done in a
few milliseconds.
Add a two second grace period where we continue to
We have no explicit signal when a UDP stream has terminated, peers just
stop sending.
For the unreplied UDP case, 10 seconds should be enough to cover
delayed replies, and for suspected stream connections a timeout
of two minutes is sane to keep NAT mapping alive a while longer.
It matches tcp
DNS resolvers that send both A and queries from same source port can
trigger stream mode prematurely, which results in non-early-evictable ct
for three minutes, even though request is done after a few milliseconds.
Add a two second grace period where we continue to use the ordinary
Since a pseudo-random starting point is used in finding a port in
the default case, that 'else if' branch above is no longer a necessity.
So remove it to simplify code.
Signed-off-by: Xiaozhou Liu
---
net/netfilter/nf_nat_proto_common.c | 2 --
1 file changed, 2 deletions(-)
diff --git
When adjusting sack block sequence numbers, skb_make_writable() gets
called to make sure tcp options are all in the linear area, and buffer
is not shared.
This can cause tcp header pointer to get reallocated, so we must
reload it to avoid memory corruption.
This bug pre-dates git history.
On Wed, Dec 05, 2018 at 12:18:30PM +0100, Arturo Borrero Gonzalez wrote:
[...]
> I would apply the -legacy renaming patch regardless. We already did this
> with arptables after the agreement @ NFWS. In fact, me sending the patch
> now (instead of last summer) is just my lack of time to write it
On 12/4/18 11:57 AM, Pablo Neira Ayuso wrote:
> On Tue, Dec 04, 2018 at 11:50:46AM +0100, Arturo Borrero Gonzalez wrote:
>> On 11/28/18 2:10 PM, Arturo Borrero Gonzalez wrote:
>>> On 11/28/18 1:44 PM, Arturo Borrero Gonzalez wrote:
Hi,
Now that the iptables.git repo offers
On Wed, Dec 05, 2018 at 12:59:43AM +0200, Pavel Melnik wrote:
> Hi
>
> > I'd just change NF_IP6_PRI_RAW to -450 and use ip6tables rules in raw
> > table.
>
> We will try, thanks
Have a look at:
commit 902d6a4c2a4f411582689e53fb101895ffe99028
Author: Subash Abhinov Kasiviswanathan
Date: Wed
Hi
I'd just change NF_IP6_PRI_RAW to -450 and use ip6tables rules in raw
table.
We will try, thanks
nft add table ip6 filter
nft add chain ...
and so on.
I have tried this, but no effect ..
Regards,
Pavel
Pavel Melnik wrote:
> We were asked to implement functionality to drop fragmented IPv6 packets,
> addressed to local interface, on device based 3.12 kernel
Urgh.
I'd just change NF_IP6_PRI_RAW to -450 and use ip6tables rules in raw
table.
> But we observed the 'same' issue if try to use
Hi
We were asked to implement functionality to drop fragmented IPv6
packets, addressed to a local interface, on a device based on a 3.12 kernel.
As I understand it, it's not possible to do this with an ip6tables rule
when nf_conntrack is enabled, but it is possible using nftables.
Could you please
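The thread above asks how to drop fragmented IPv6 packets addressed to the local host once nf_conntrack is loaded, and the suggestion is to hook ahead of the raw table, i.e. ahead of conntrack's defragmentation. The ruleset below is an added example for this page, not something posted in the thread: it registers a prerouting chain at priority -450, which runs before nf_defrag_ipv6 (registered at NF_IP6_PRI_CONNTRACK_DEFRAG, -400), so the individual fragments are still visible, whereas a chain at raw priority (-300) or later only sees the reassembled packet. The table and chain names are arbitrary, and `fib daddr type local` assumes a kernel with nft fib support (4.10 or later), which the 3.12 kernel in the thread would not have.

```nft
# Added example, not from the thread. Priority -450 sits ahead of
# nf_defrag_ipv6 (-400) and the raw table (-300), so the rule sees each
# fragment before conntrack reassembles the datagram.
table ip6 frag_guard {
    chain prefrag {
        type filter hook prerouting priority -450; policy accept;

        # packets carrying a Fragment Header that are addressed to this host
        fib daddr type local exthdr frag exists counter drop
    }
}
```

Load it with `nft -f` and check `nft list ruleset` after sending a fragmented ping: the counter should advance while nothing reaches the input hook. Note that this drops every fragmented datagram destined to the host, including legitimate ones such as large UDP DNS responses, so the rule needs to be scoped to the addresses or services it is meant to protect.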
On Tuesday 2018-12-04 11:57, Pablo Neira Ayuso wrote:
>On Tue, Dec 04, 2018 at 11:50:46AM +0100, Arturo Borrero Gonzalez wrote:
>> On 11/28/18 2:10 PM, Arturo Borrero Gonzalez wrote:
>> > On 11/28/18 1:44 PM, Arturo Borrero Gonzalez wrote:
>> >> Hi,
>> >>
>> >> Now that the iptables.git repo
On Tue, Dec 04, 2018 at 11:50:46AM +0100, Arturo Borrero Gonzalez wrote:
> On 11/28/18 2:10 PM, Arturo Borrero Gonzalez wrote:
> > On 11/28/18 1:44 PM, Arturo Borrero Gonzalez wrote:
> >> Hi,
> >>
> >> Now that the iptables.git repo offers arptables-nft and ebtables-nft,
> >> arptables.git holds
On 11/28/18 2:10 PM, Arturo Borrero Gonzalez wrote:
> On 11/28/18 1:44 PM, Arturo Borrero Gonzalez wrote:
>> Hi,
>>
>> Now that the iptables.git repo offers arptables-nft and ebtables-nft,
>> arptables.git holds arptables-legacy, etc, why we don't just rename the
>> repos?
>>
>> * from
Hi,
On Sat, 1 Dec 2018, Qian Cai wrote:
> To make overflows as obvious as possible and to prevent code from blithely
> proceeding with a truncated string. This also has a side-effect to fix a
> compilation warning when using GCC 8.2.1.
>
> net/netfilter/ipset/ip_set_core.c: In function
On Mon, Nov 26, 2018 at 08:03:30PM +0900, Taehee Yoo wrote:
> basechain->stats is rcu protected data.
> And write critical section of basechain->stats data is
> nft_chain_stats_replace().
> The function is executed in commit phase. so that actually commit_mutex
> lock protects that.
> Hence
Burst can be either bytes or packets, depending on the rate limit unit.
# nft add rule x y iif eth0 limit rate 512 kbytes/second burst 5 packets
Error: syntax error, unexpected packets, expecting string or bytes
add rule x y iif eth0 limit rate 512 kbytes/second burst 5 packets
On Sun, Dec 02, 2018 at 06:56:34PM +0200, Baruch Siach wrote:
> Commit 8d9d7e4b9ef ("include: fix build with kernel headers before 4.2")
> introduced a kernel/user headers conflict workaround that allows build
> of iptables with kernel headers older than 4.2. This minor extension
> allows build
On Mon, Dec 03, 2018 at 02:52:28PM +0100, Phil Sutter wrote:
> Older versions of iptables allowed for negative realm values by accident
> (they would be cast to unsigned). While this was clearly a bug, document
> the fixed behaviour.
Applied, thanks Phil.
Older versions of iptables allowed for negative realm values by accident
(they would be cast to unsigned). While this was clearly a bug, document
the fixed behaviour.
Signed-off-by: Phil Sutter
---
extensions/libipt_realm.man | 2 ++
1 file changed, 2 insertions(+)
diff --git
From: Alin Nastac
Allow media streams that are not passing through this router.
When enabled, the sip_external_media logic will leave SDP
payload untouched when it detects that interface towards INVITEd
party is the same with the one towards media endpoint.
Signed-off-by: Alin Nastac
---
To make overflows as obvious as possible and to prevent code from blithely
proceeding with a truncated string. This also has a side-effect to fix a
compilation warning when using GCC 8.2.1.
net/netfilter/ipset/ip_set_core.c: In function 'ip_set_sockfn_get':
Signed-off-by: Pablo Neira Ayuso
---
doc/payload-expression.txt | 8
1 file changed, 8 insertions(+)
diff --git a/doc/payload-expression.txt b/doc/payload-expression.txt
index a2284ce8c3d9..eb98e5d7898c 100644
--- a/doc/payload-expression.txt
+++ b/doc/payload-expression.txt
@@ -619,5
Hi,
On Mon, 26 Nov 2018, Qian Cai wrote:
> To make overflows as obvious as possible and to prevent code from blithely
> proceeding with a truncated string. This also has a side-effect to fix a
> compilation warning when using GCC 8.2.1.
>
> net/netfilter/ipset/ip_set_core.c: In function
On Thu, Nov 15, 2018 at 10:22:59AM +0100, Florian Westphal wrote:
> This is a leftover from days where single-cpu systems were common:
> Store last port used to resolve a clash to use it as a starting point when
> the next conflict needs to be resolved.
>
> When we have parallel attempt to
# cat test.nft
define test = "1.2.3.4"
table ip x {
chain y {
ip saddr $text
}
}
# nft -f test.nft
test.nft:5:13-16: Error: unknown identifier 'text'; did you mean identifier ‘test’?
ip saddr $text
Use this from the lookup path, to check for misspellings:
# nft add table filter
# nft add chain filtre test
Error: No such file or directory; did you mean table ‘filter’ in family ip?
add chain filtre test
^^
Signed-off-by: Pablo Neira Ayuso
---
include/misspell.h | 13
So we can pass functions as parameters, needed by follow up patch.
Signed-off-by: Pablo Neira Ayuso
---
include/utils.h | 16 +---
1 file changed, 5 insertions(+), 11 deletions(-)
diff --git a/include/utils.h b/include/utils.h
index 01560eae8d7f..e791523c0471 100644
---
Restrict suggestions to threshold, like gcc does.
Signed-off-by: Pablo Neira Ayuso
---
src/misspell.c | 21 ++---
1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/src/misspell.c b/src/misspell.c
index 922d305d5e01..059d2e20de7a 100644
--- a/src/misspell.c
+++
From: Alin Nastac
Allow media streams that are not passing through this router.
When enabled, the sip_external_media logic will leave SDP
payload untouched when it detects that interface towards INVITEd
party is the same with the one towards media endpoint.
Signed-off-by: Alin Nastac
---
Hi Alin,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on nf/master]
[also build test ERROR on v4.20-rc4 next-20181129]
[if your patch is applied to the wrong git tree, please drop us a note to help
improve the system]
url:
Hi Alin,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on nf/master]
[also build test ERROR on v4.20-rc4 next-20181129]
[if your patch is applied to the wrong git tree, please drop us a note to help
improve the system]
url:
If libxtables is not even installed, the build fails due to a missing
include file.
ifdef LIBXTABLES guard fixes the first error, but results in two
followup failures:
1. missing IFNAMSIZ definition
2. dereference of unknown struct.
Signed-off-by: Florian Westphal
---
src/xt.c | 5 +
1 file
Allow media streams that are not passing through this router.
When enabled, the sip_external_media logic will leave SDP
payload untouched when it detects that interface towards INVITEd
party is the same with the one towards media endpoint.
Signed-off-by: Alin Nastac
---
This morning I found this thread, which I didn't see last night. I'm
not sure how I missed it, since I knew what I was searching for. It
includes a link to the same patches as I mentioned, but with a status
filter in the URL such that I can see the patches.
I applied the three patches and tested
Hi,
On Wed, Nov 28, 2018 at 02:51:54PM +0100, Pablo Neira Ayuso wrote:
> On Wed, Nov 28, 2018 at 02:21:01PM +0100, Phil Sutter wrote:
> > Hi Pablo,
> >
> > On Fri, Nov 23, 2018 at 01:35:17PM +0100, Pablo Neira Ayuso wrote:
> > > On Fri, Nov 23, 2018 at 12:25:45PM +0100, Florian Westphal wrote:
>
On Wed, Nov 28, 2018 at 02:21:01PM +0100, Phil Sutter wrote:
> Hi Pablo,
>
> On Fri, Nov 23, 2018 at 01:35:17PM +0100, Pablo Neira Ayuso wrote:
> > On Fri, Nov 23, 2018 at 12:25:45PM +0100, Florian Westphal wrote:
> > > Phil Sutter wrote:
> > > > > If user doesn't want it cleared at
Please,
consider merging the attached patch.
thanks.
commit 3497067ca187047c61d89ccad6eab4ebf5df9219
Author: Arturo Borrero Gonzalez
Date: Wed Nov 28 14:31:57 2018 +0100
tests: fix return codes
Try to return != 0 if a testsuite fails.
Signed-off-by: Arturo Borrero
Hi Pablo,
On Fri, Nov 23, 2018 at 01:35:17PM +0100, Pablo Neira Ayuso wrote:
> On Fri, Nov 23, 2018 at 12:25:45PM +0100, Florian Westphal wrote:
> > Phil Sutter wrote:
> > > > If user doesn't want it cleared at nftnl_chain_free() time they can
> > > > always allocate a new nftnl_rule_list and
On 11/28/18 1:44 PM, Arturo Borrero Gonzalez wrote:
> Hi,
>
> Now that the iptables.git repo offers arptables-nft and ebtables-nft,
> arptables.git holds arptables-legacy, etc, why we don't just rename the
> repos?
>
> * from arptables.git to arptables-legacy.git
> * from ebtables.git to
Hi,
Now that the iptables.git repo offers arptables-nft and ebtables-nft,
arptables.git holds arptables-legacy, etc, why we don't just rename the
repos?
* from arptables.git to arptables-legacy.git
* from ebtables.git to ebtables-legacy.git
This rename should help distros understand the
Applied, thanks.
EPILOGUE-AS-PREAMBLE:
I had already typed most of this when I thought to search the
netfilter-devel archive. I found this, which sounds an awful lot like
my issue:
https://www.spinics.net/lists/netfilter-devel/msg56882.html
However, the patch link in the first followup seems empty, so I can't
Rule replacement routine removes an old rule then adds a new rule.
In the old rule removing routine, below steps are needed.
Allocate trans, deactivate rule and deactivate expressions of rule.
But there is no expression deactivation routine in rule replacement
routine.
test commands:
%nft add
On Tue, Nov 27, 2018 at 08:07:11PM +0100, Phil Sutter wrote:
> The problem with converting libxt_comment into nftables comment is that
> rules change when parsing from kernel due to comment match being moved
> to the end of the match list. And since match ordering matters, the rule
> may not be
The problem with converting libxt_comment into nftables comment is that
rules change when parsing from kernel due to comment match being moved
to the end of the match list. And since match ordering matters, the rule
may not be found anymore when checking or deleting. Apart from that,
iptables-nft
New function added by "Introduction of new commands and protocol
version 7" is not working, since we return skb2 to user
Signed-off-by: Victorien Molle
Signed-off-by: Florent Fourcot
---
net/netfilter/ipset/ip_set_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git
On Tuesday 2018-11-27 12:56, Rolf Eike Beer wrote:
>Hi,
>
>it seems to me that "--disable-silent-rules" has no effect on iptables
>configure, i.e. I still have to pass V=1 to make to see what it is actually
>doing.
This is expected because automake is not used in every
directory. But V=1 is
Hi,
it seems to me that "--disable-silent-rules" has no effect on iptables
configure, i.e. I still have to pass V=1 to make to see what it is actually
doing.
It also seems that the netfilter-announce archive is missing some mails (or
they never got send), at least I don't see any iptables
Perform the same SNAT translation on RTP/RTCP conntracks regardless of
who sends the first datagram.
Prior to this change, RTP packets sent by the peer who required source
port translation were forwarded with unmodified source port when this
peer started its voice/video stream first.
Hi Pablo,
On Tue, Nov 27, 2018 at 12:57 AM Pablo Neira Ayuso wrote:
>
> Hi Alin,
>
> On Mon, Nov 05, 2018 at 02:54:53PM +0100, Alin Nastac wrote:
> > Perform the same SNAT translation on RTP/RTCP conntracks regardless of
> > who sends the first datagram.
> >
> > Prior to this change, RTP packets
On Sun, Nov 25, 2018 at 06:47:13PM +0900, Taehee Yoo wrote:
> All lists in the tree_nodes_free() have both zero count and true dead flag.
> Because lists are selected by nf_conncount_gc_list() and that makes that
> zero-count and true dead flag.
> So that the if statement of tree_nodes_free() is
On Thu, Nov 22, 2018 at 07:59:25PM +0900, Taehee Yoo wrote:
> This patch series fix notifier registration bugs.
>
> First patch adds error handling code for failure of notifier registration.
> notifier registration can be failed. so that error handling code are needed.
>
> Second patch fixes
On Wed, Nov 21, 2018 at 02:00:30PM +0100, Alin Nastac wrote:
> When ip6_route_me_harder is invoked, it resets outgoing interface of:
> - link-local scoped packets sent by neighbor discovery
> - multicast packets sent by MLD host
> - multicast packets send by MLD proxy daemon that sets
To make overflows as obvious as possible and to prevent code from blithely
proceeding with a truncated string. This also has a side-effect to fix a
compilation warning when using GCC 8.2.1.
net/netfilter/ipset/ip_set_core.c: In function 'ip_set_sockfn_get':
`__ip_conntrack_confirm' in the comments is confusing to newcomers
since it has long been replaced with __nf_conntrack_confirm.
Signed-off-by: Xiaozhou Liu
---
net/netfilter/nf_nat_core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_nat_core.c
On Mon, 26 Nov 2018 at 20:28, Pablo Neira Ayuso wrote:
>
> On Mon, Nov 26, 2018 at 06:39:28PM +0900, Taehee Yoo wrote:
> > Hi Pablo,
> >
> > According to Masahiro Yamada, this is Kconfig bug and he is fixing Kconfig.
> > https://lkml.org/lkml/2018/11/26/291
> >
> > So that I think this patch will
On Mon, Nov 26, 2018 at 06:39:28PM +0900, Taehee Yoo wrote:
> Hi Pablo,
>
> According to Masahiro Yamada, this is Kconfig bug and he is fixing Kconfig.
> https://lkml.org/lkml/2018/11/26/291
>
> So that I think this patch will be useless.
> Could you check it up?
OK, will keep back your patch
basechain->stats is rcu protected data.
And the write critical section of basechain->stats data is
nft_chain_stats_replace().
The function is executed in the commit phase, so actually the commit_mutex
lock protects that.
Hence commit_mutex lockdep should be used for rcu_dereference_protected()
in the
Hi,
On Wed, 21 Nov 2018, Qian Cai wrote:
> To make overflows as obvious as possible and to prevent code from blithely
> proceeding with a truncated string. This also has a side-effect to fix a
> compilation warning using GCC 8.2.1.
>
> net/netfilter/ipset/ip_set_core.c: In function
Hi Pablo,
According to Masahiro Yamada, this is Kconfig bug and he is fixing Kconfig.
https://lkml.org/lkml/2018/11/26/291
So that I think this patch will be useless.
Could you check it up?
Thanks!
On Sun, 18 Nov 2018 at 23:39, Taehee Yoo wrote:
>
> xt_TEE.c needs nf_dup_ipv6.c to support
On Wed, Nov 21, 2018 at 01:38:59PM +0100, Florian Westphal wrote:
> Can't move timeouts around, it appears conntrack sysctl unregister
> assumes net_generic() returns nf_proto_net, so we get crash.
>
> Expose layout of netns_proto_gre instead.
>
> Reported-by: kernel test robot
> Fixes:
All lists in tree_nodes_free() have both a zero count and a true dead flag,
because lists are selected by nf_conncount_gc_list(), which sets the
zero count and the true dead flag.
So the if statement in tree_nodes_free() is unnecessary and wrong.
Fixes: 31568ec09ea0 ("netfilter:
Commit 8d9d7e4b9ef ("include: fix build with kernel headers before 4.2")
introduced a kernel/user headers conflict workaround that allows build
of iptables with kernel headers older than 4.2. This minor extension
allows build with kernel headers older than 3.12, which is the version
that
Phil Sutter wrote:
> When e.g. ebtables-nft detects an incompatible table, a stray '.' was
> printed as last line of output:
>
> | # ebtables-nft -L
> | table `filter' is incompatible, use 'nft' tool.
> | .
>
> This comes from ebtables' own exit_err callback. Instead use the common
> one which
When e.g. ebtables-nft detects an incompatible table, a stray '.' was
printed as last line of output:
| # ebtables-nft -L
| table `filter' is incompatible, use 'nft' tool.
| .
This comes from ebtables' own exit_err callback. Instead use the common
one which also provides useful version
arm-openwrt-linux-gnueabi-gcc -D_LARGEFILE_SOURCE=1 -D_LARGE_FILES
-D_FILE_OFFSET_BITS=64 -D_REENTRANT
-DXTABLES_LIBDIR=\"/usr/lib/iptables\" -DXTABLES_INTERNAL -I../include
-I.. -I../include -I..
On Fri, Nov 23, 2018 at 01:35:17PM +0100, Pablo Neira Ayuso wrote:
> On Fri, Nov 23, 2018 at 12:25:45PM +0100, Florian Westphal wrote:
> > Phil Sutter wrote:
> > > > If user doesn't want it cleared at nftnl_chain_free() time they can
> > > > always allocate a new nftnl_rule_list and splice to
On Fri, Nov 23, 2018 at 12:25:45PM +0100, Florian Westphal wrote:
> Phil Sutter wrote:
> > > If user doesn't want it cleared at nftnl_chain_free() time they can
> > > always allocate a new nftnl_rule_list and splice to that list.
> >
> > Good point. What do you think about the simple approach of
Phil Sutter wrote:
> > If user doesn't want it cleared at nftnl_chain_free() time they can
> > always allocate a new nftnl_rule_list and splice to that list.
>
> Good point. What do you think about the simple approach of introducing:
>
> | struct nftnl_rule_list *nftnl_chain_get_rule_list(const
On Fri, Nov 23, 2018 at 07:49:49AM +0100, Florian Westphal wrote:
> Phil Sutter wrote:
> > In order to improve performance in 'nft -f' as well as xtables-restore
> > with very large rulesets, we need to store rules by chain they belong
> > to. In order to avoid pointless code duplication, this
Phil Sutter wrote:
> In order to improve performance in 'nft -f' as well as xtables-restore
> with very large rulesets, we need to store rules by chain they belong
> to. In order to avoid pointless code duplication, this should be
> supported by libnftnl.
Unfortunately we still need to change
Phil Sutter wrote:
> Relevant code for this was already present (short option '-c'), just the
> long option definition was missing.
Applied, thanks.
Relevant code for this was already present (short option '-c'), just the
long option definition was missing.
While being at it, add '-c' to help text.
Signed-off-by: Phil Sutter
---
iptables/xtables-arp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git
masquerade modules register a notifier and that should not be
double-registered, so these modules manage a reference counter.
If the notifiers are already registered, it just returns success.
But there is unsafe scenario.
test commands:
while :
do
modprobe ip6t_MASQUERADE &
This patch series fixes notifier registration bugs.
The first patch adds error handling code for failure of notifier registration.
Notifier registration can fail, so error handling code is needed.
The second patch fixes a double-register bug in masquerade modules.
In order to protect
register_{netdevice/inetaddr/inet6addr}_notifier returns a value that
could be an error value, so error handling code is needed.
Signed-off-by: Taehee Yoo
---
v2:
- Add second patch
- return success when notifier is already registered. (Florian Westphal)
v1: Initial patch
To make overflows as obvious as possible and to prevent code from blithely
proceeding with a truncated string. This also has a side-effect to fix a
compilation warning using GCC 8.2.1.
net/netfilter/ipset/ip_set_core.c: In function 'ip_set_sockfn_get':
net/netfilter/ipset/ip_set_core.c:2027:3:
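The commit message above (sent several times in this listing) wants a string copy that makes truncation obvious instead of letting the caller proceed with a cut-off set name. The block below is an added user-space model for this page, not the ipset code: `safe_strscpy` follows the kernel strscpy() contract of always NUL-terminating and returning a negative error on truncation, `strncpy_leaves_unterminated` shows the strncpy() pitfall it replaces, and `set_req_set_name` shows a caller rejecting an oversize name. IPSET_MAXNAMELEN is 32 in the kernel's uapi ip_set.h; the `set_req` struct, the -EINVAL policy and the sample names are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Added user-space model of the kernel strscpy() contract; it is not the
 * ipset code. Copy at most size-1 bytes, always NUL-terminate dst, and
 * return the number of bytes copied, or -E2BIG when src did not fit, so a
 * caller that tests for a negative result cannot proceed with a silently
 * truncated string. */
static long safe_strscpy(char *dst, const char *src, size_t size)
{
    size_t len;

    if (size == 0)
        return -E2BIG;

    /* bounded length scan: never read more than `size` bytes of src */
    for (len = 0; len < size; len++)
        if (src[len] == '\0')
            break;

    if (len == size) {               /* src needs more than size-1 bytes */
        memcpy(dst, src, size - 1);
        dst[size - 1] = '\0';
        return -E2BIG;
    }
    memcpy(dst, src, len + 1);       /* includes the terminating NUL */
    return (long)len;
}

/* The classic strncpy() pitfall: when src is at least `size` bytes long no
 * NUL is written, so dst is not a C string and a later strlen()/printf
 * walks past it. Returns 1 when dst ends up unterminated, 0 otherwise,
 * -1 if `size` exceeds the scratch buffer. */
static int strncpy_leaves_unterminated(const char *src, size_t size)
{
    char dst[64];

    if (size > sizeof(dst))
        return -1;
    memset(dst, 'X', sizeof(dst));
    strncpy(dst, src, size);
    return memchr(dst, '\0', size) == NULL;
}

/* Stand-in for copying a user-supplied set name into a fixed-size field.
 * IPSET_MAXNAMELEN is 32 in the kernel's uapi ip_set.h; the request
 * struct and the -EINVAL policy are assumptions for this example. */
#define IPSET_MAXNAMELEN 32

struct set_req {
    char name[IPSET_MAXNAMELEN];
};

static int set_req_set_name(struct set_req *req, const char *user_name)
{
    if (safe_strscpy(req->name, user_name, sizeof(req->name)) < 0)
        return -EINVAL;          /* reject instead of truncating */
    return 0;
}
```

The point is in the return value: strncpy() gives the caller no signal that the name was cut (and may not even terminate it), whereas a copy that returns -E2BIG forces the caller to decide, and here the decision is to refuse the request.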
When ip6_route_me_harder is invoked, it resets outgoing interface of:
- link-local scoped packets sent by neighbor discovery
- multicast packets sent by MLD host
- multicast packets sent by MLD proxy daemon that sets outgoing
interface through IPV6_PKTINFO ipi6_ifindex
Link-local and
Can't move timeouts around, it appears conntrack sysctl unregister
assumes net_generic() returns nf_proto_net, so we get crash.
Expose layout of netns_proto_gre instead.
Reported-by: kernel test robot
Fixes: 991acf532b ("netfilter: nfnetlink_cttimeout: fetch timeouts for udplite and gre, too")
On Wed, Nov 21, 2018 at 01:24:25PM +0100, Pablo Neira Ayuso wrote:
> On Wed, Nov 21, 2018 at 12:17:50PM +0100, Alin Nastac wrote:
> > When ip6_route_me_harder is invoked, it resets outgoing interface of:
> > - link-local scoped packets sent by neighbor discovery
> > - multicast packets sent by
On Wed, Nov 21, 2018 at 12:17:50PM +0100, Alin Nastac wrote:
> When ip6_route_me_harder is invoked, it resets outgoing interface of:
> - link-local scoped packets sent by neighbor discovery
> - multicast packets sent by MLD host
> - multicast packets send by MLD proxy daemon that sets
When ip6_route_me_harder is invoked, it resets outgoing interface of:
- link-local scoped packets sent by neighbor discovery
- multicast packets sent by MLD host
- multicast packets sent by MLD proxy daemon that sets outgoing
interface through IPV6_PKTINFO ipi6_ifindex
Link-local and
1 - 100 of 13256 matches