Re: [PATCH 0/4] nfct: documentation updates and corrections.

2016-04-08 Thread Mart Frauenlob

On 08.04.2016 12:36, Pablo Neira Ayuso wrote:

On Fri, Apr 08, 2016 at 08:18:40AM +0200, Mart Frauenlob wrote:


Good day,

this series includes some documentation updates and corrections for nfct.


Series applied.


Where to? I don't see it on master branch.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


FROM: MR. OLIVER SENO!!

2016-04-08 Thread AKINWUMI
Dear Sir.

I bring you greetings. My name is Mr. Oliver Seno Lim, I am a staff of Abbey 
National Plc. London and heading our regional office in West Africa. Our late 
customer named Engr. Ben W. Westland made a fixed deposit amount of 
US$7 Million. He did not declare any next of kin in any of his paper work. I want 
you as a foreigner to stand as the beneficiary to transfer these funds out of my 
bank into your account; after the successful transfer, we shall share in the 
ratio of 30% for you, 70% for me. Should you be interested please send me your 
information:

1. Full names.
2. Current residential address.
3. Tele/Fax numbers / your work.

All I need from you is your readiness, trustworthiness and education. Please 
email me directly on my private email address: officeose...@yahoo.com so we 
can begin arrangements and I would give you more information on how we would 
handle this venture, and once I hear from you I will give you information of the 
bank for the transferring of funds in your name.

Regards,
Mr.Oliver Seno Lim 


[PATCH] net: force inlining of netif_tx_start/stop_queue, sock_hold, __sock_put

2016-04-08 Thread Denys Vlasenko
Sometimes gcc mysteriously doesn't inline
very small functions we expect to be inlined. See
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66122
Arguably, gcc should do better, but gcc people aren't willing
to invest time into it, asking to use __always_inline instead.

With this .config:
http://busybox.net/~vda/kernel_config_OPTIMIZE_INLINING_and_Os,
the following functions get deinlined many times.

netif_tx_stop_queue: 207 copies, 590 calls:
55                         push   %rbp
48 89 e5                   mov    %rsp,%rbp
f0 80 8f e0 01 00 00 01    lock orb $0x1,0x1e0(%rdi)
5d                         pop    %rbp
c3                         retq

netif_tx_start_queue: 47 copies, 111 calls
55                         push   %rbp
48 89 e5                   mov    %rsp,%rbp
f0 80 a7 e0 01 00 00 fe    lock andb $0xfe,0x1e0(%rdi)
5d                         pop    %rbp
c3                         retq

sock_hold: 39 copies, 124 calls
55                         push   %rbp
48 89 e5                   mov    %rsp,%rbp
f0 ff 87 80 00 00 00       lock incl 0x80(%rdi)
5d                         pop    %rbp
c3                         retq

__sock_put: 6 copies, 13 calls
55                         push   %rbp
48 89 e5                   mov    %rsp,%rbp
f0 ff 8f 80 00 00 00       lock decl 0x80(%rdi)
5d                         pop    %rbp
c3                         retq

This patch fixes this via s/inline/__always_inline/.

Code size decrease after the patch is ~2.5k:

    text      data       bss        dec      hex filename
56719876  56364551  36196352  149280779  8e5d80b vmlinux_before
56717440  56364551  36196352  149278343  8e5ce87 vmlinux

Signed-off-by: Denys Vlasenko 
CC: David S. Miller 
CC: linux-ker...@vger.kernel.org
CC: net...@vger.kernel.org
CC: netfilter-devel@vger.kernel.org
---
 include/linux/netdevice.h | 4 ++--
 include/net/sock.h| 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index cb0d5d0..f924ddc 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -2801,7 +2801,7 @@ static inline void netif_tx_schedule_all(struct 
net_device *dev)
netif_schedule_queue(netdev_get_tx_queue(dev, i));
 }
 
-static inline void netif_tx_start_queue(struct netdev_queue *dev_queue)
+static __always_inline void netif_tx_start_queue(struct netdev_queue 
*dev_queue)
 {
clear_bit(__QUEUE_STATE_DRV_XOFF, &dev_queue->state);
 }
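Review bot: the `+` line is split across two lines in this copy of the patch (`static __always_inline void netif_tx_start_queue(struct netdev_queue` followed by `*dev_queue)`), and so is the `@@` context line above it, so the hunk will not apply with git am as posted; the joined line is exactly 80 columns, which checkpatch accepts, so the fix belongs on the mail side (no line wrapping in the sender) rather than re-breaking the declaration in the source.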
@@ -2851,7 +2851,7 @@ static inline void netif_tx_wake_all_queues(struct 
net_device *dev)
}
 }
 
-static inline void netif_tx_stop_queue(struct netdev_queue *dev_queue)
+static __always_inline void netif_tx_stop_queue(struct netdev_queue *dev_queue)
 {
set_bit(__QUEUE_STATE_DRV_XOFF, &dev_queue->state);
 }
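Review bot: no functional change in this hunk, but the commit message should say so explicitly: set_bit() on __QUEUE_STATE_DRV_XOFF already compiles to the single `lock orb` shown in the size data, so what the change removes is only the push/mov/pop/ret frame around it, and nobody skimming net changes should expect the queue-state semantics to move.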
diff --git a/include/net/sock.h b/include/net/sock.h
index 255d3e0..fd15eb1 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -564,7 +564,7 @@ static inline bool __sk_del_node_init(struct sock *sk)
modifications.
  */
 
-static inline void sock_hold(struct sock *sk)
+static __always_inline void sock_hold(struct sock *sk)
 {
atomic_inc(&sk->sk_refcnt);
 }
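Review bot: state in the commit message what this hunk does for the default configuration. The copy counts were measured with CONFIG_OPTIMIZE_INLINING=y and -Os; with OPTIMIZE_INLINING off, `inline` in the kernel already expands to `__always_inline`, so for most builds this line is a no-op and the ~2.5k saving applies only to the optimised-inlining configuration linked above.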
@@ -572,7 +572,7 @@ static inline void sock_hold(struct sock *sk)
 /* Ungrab socket in the context, which assumes that socket refcnt
cannot hit zero, f.e. it is true in context of any socketcall.
  */
-static inline void __sock_put(struct sock *sk)
+static __always_inline void __sock_put(struct sock *sk)
 {
atomic_dec(&sk->sk_refcnt);
 }
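Review bot: with only 6 copies and 13 calls quoted for __sock_put, this is the weakest of the four changes by the patch's own numbers; say in the commit message that it is changed for symmetry with sock_hold (both touch sk_refcnt and should inline identically), otherwise a reviewer will ask why this helper was picked over the other small refcount helpers in sock.h.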
-- 
1.8.1.4



Re: [iptables PATCH] configure: exit if libnftnl is not found

2016-04-08 Thread Pablo Neira Ayuso
On Sun, Mar 27, 2016 at 12:05:46PM +0200, Giuseppe Longo wrote:
> iptables building is broken if libnftnl is not installed
> on the system, raising the following errors:
> 
> nft-shared.c:25:27: fatal error: libnftnl/rule.h: No such file or directory
>  #include 
>^
> compilation terminated.
> nft.c:41:28: fatal error: libnftnl/table.h: No such file or directory
>  #include 
> ^
> compilation terminated.
> mv -f .deps/xtables_multi-iptables-restore.Tpo 
> .deps/xtables_multi-iptables-restore.Po
> In file included from nft.h:5:0,
>  from nft-ipv6.c:25:
> nft-shared.h:6:27: fatal error: libnftnl/rule.h: No such file or directory
>  #include 
>^
> mv -f .deps/xtables_multi-xshared.Tpo .deps/xtables_multi-xshared.Po
> compilation terminated.
> In file included from nft.h:5:0,
>  from nft-ipv4.c:26:
> nft-shared.h:6:27: fatal error: libnftnl/rule.h: No such file or directory
>  #include 
> 
> configure script checks if libnftnl is installed, but doesn't
> exit if it is not.
> 
> Signed-off-by: Giuseppe Longo 
> ---
>  configure.ac | 7 +++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/configure.ac b/configure.ac
> index 33a8f2d..b08ecca 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -128,6 +128,13 @@ if test "x$enable_nftables" = "xyes"; then
>  
>   PKG_CHECK_MODULES([libnftnl], [libnftnl >= 1.0.5], [nftables=1], 
> [nftables=0])
>  
> + if test "$nftables" = 0;
> + then
> + echo "*** Error: No suitable libnftnl found. ***"
> + echo "Please install the 'libnftnl' package."
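Review bot: the visible lines only echo the error to stdout; autoconf's AC_MSG_ERROR([No suitable libnftnl found; install libnftnl or use --disable-nftables]) prints to stderr, records the failure in config.log and exits non-zero in one call, so prefer it over echo followed by a separate exit (the exit itself falls outside the quoted part of the hunk).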

I'm going to take this patch, but mangle it to include this information too:

echo "Or consider --disable-nftables to skip "
echo "iptables-compat over nftables support."



Re: [PATCH RFC nf-next 0/3] named expressions for nf_tables

2016-04-08 Thread Florian Westphal
Pablo Neira Ayuso  wrote:
> * List existing named counters:
> 
>  # nft lists counters
>  table ip filter {
> counter tcp-counter {
> packets 6086 bytes 6278052
> }
> counter udp-counter {
> packets 272 bytes 64690
> }
> counter icmp-counter {
> packets 10 bytes 840
> }
>  }

So if we extend this scheme to all (stateful) expressions we'll have to
add 'nft list limits' (or whatever).

Do you think it makes sense to represent this in a more generic fashion?

nft list tables
nft list chains

Maybe add
nft list expressions

?

> The snippet below shows a simplistic configuration to account tcp, udp
> and icmp traffic through the named counter:
> 
> -o-
> table ip filter {
> counter tcp-counter {
> packets 6086 bytes 6278052
> }

So this could f.e. look like

expression tcp-counter {
counter packets 6086 bytes 6278052
}

(and tcp-counter is just some identifier).

> support named limits. I have another (incomplete) patch that allows to
> update the named expressions parameters, this can be useful to
> dynamically update the ratelimiting policies, the command line should
> look like:
> 
>  # nft update limit name user01234 rate 250 mbytes/day

nft update expression user01234 rate 250 mbytes/day

(or perhaps

nft update expression user01234 limit rate 250 mbytes/day

not sure if we want to allow replacing the (internal) expression
stored in a named expression with a different one)


Re: [PATCH RFC nf-next 0/3] named expressions for nf_tables

2016-04-08 Thread Florian Westphal
Pablo Neira Ayuso  wrote:
> 2) When replacing the rule, the new expression starts from no history
>as it will be a new expression, we'll be basically resetting it.

You are right, I was only thinking of counter (where userspace can
set packets/bytes), but limit would lose its state as most of that
is internal only.

So I think #2 makes sense.

I have more concerns (sorry!) wrt user representation, I'll reply
to this in a new email.



Re: [PATCH nf 00/17] netfilter: xtables: stricter ruleset validation

2016-04-08 Thread Florian Westphal
Pablo Neira Ayuso  wrote:
> On Fri, Apr 01, 2016 at 02:17:20PM +0200, Florian Westphal wrote:
> > This series adds more checks on xtables (arp, ip, ip6tables) rulesets.
> > 
> > - check all offsets (target, next) of all rules during initial pass
> >   after copy from userspace.
> > - check targets of jumps (-j bla): offset should be start of a rule
> > - assert that alleged target size is at least as big as minimum target
> >   structure
> > - change CONFIG_COMPAT code path to push ruleset via normal setsockopt
> >   path after initial 32->64 bit conversion to avoid duplicating checks
> > - use a common helper to copy counters from userspace instead of
> >   the ip/ip6/arp implementation.
> >
> > Tested:
> > - iptables.git iptables-test.py passes
> > - made a few performance tests w. really silly rulesets to verify
> > that things don't slow down too much, see individual patches for details.
> > 
> >  include/linux/netfilter/x_tables.h |   12
> >  net/ipv4/netfilter/arp_tables.c    |  303
> >  net/ipv4/netfilter/ip_tables.c     |  327
> >  net/ipv6/netfilter/ip6_tables.c    |  320
> >  net/netfilter/x_tables.c           |  244
> >  5 files changed, 506 insertions(+), 700 deletions(-)
> 
> Nice work, and we got less code to maintain, good :)
> 
> I'm starting to consider that, given that this has been broken since
> day 1, we pass this through nf-next and then later on we request
> inclusion for -stable.

Fine with me.


Re: [PATCH nf 00/17] netfilter: xtables: stricter ruleset validation

2016-04-08 Thread Pablo Neira Ayuso
Hi Florian,

On Fri, Apr 01, 2016 at 02:17:20PM +0200, Florian Westphal wrote:
> This series adds more checks on xtables (arp, ip, ip6tables) rulesets.
> 
> - check all offsets (target, next) of all rules during initial pass
>   after copy from userspace.
> - check targets of jumps (-j bla): offset should be start of a rule
> - assert that alleged target size is at least as big as minimum target
>   structure
> - change CONFIG_COMPAT code path to push ruleset via normal setsockopt
>   path after initial 32->64 bit conversion to avoid duplicating checks
> - use a common helper to copy counters from userspace instead of
>   the ip/ip6/arp implementation.
>
> Tested:
> - iptables.git iptables-test.py passes
> - made a few performance tests w. really silly rulesets to verify
> that things don't slow down too much, see individual patches for details.
> 
>  include/linux/netfilter/x_tables.h |   12
>  net/ipv4/netfilter/arp_tables.c    |  303
>  net/ipv4/netfilter/ip_tables.c     |  327
>  net/ipv6/netfilter/ip6_tables.c    |  320
>  net/netfilter/x_tables.c           |  244
>  5 files changed, 506 insertions(+), 700 deletions(-)

Nice work, and we got less code to maintain, good :)

I'm starting to consider that, given that this has been broken since
day 1, we pass this through nf-next and then later on we request
inclusion for -stable.

We'll have more time in case of fallout (I know you have done a great
effort to intensively test this), but this batch looks large, that's why
I'm thinking about this route change.

Let me know, thanks!
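The checks the series description lists (validate every target/next offset on the first pass after the copy from userspace, require jump targets to land on the start of a rule, require the alleged target size to be at least the minimum target structure) can be seen end to end in a small model. The code below is an added example written for this page, not code from the series or from net/netfilter/x_tables.c: the struct layout (rule_hdr/target_hdr), the error codes, emit_rule() and demo() are simplified inventions for illustration, and the rulesets the demo validates are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy ruleset blob, loosely modelled on an ipt_entry followed by an
 * xt_entry_target. Layout, error codes and names are made up for this
 * example and are not the kernel's structures. */
struct rule_hdr {
	uint16_t target_offset;	/* start of this rule -> its target */
	uint16_t next_offset;	/* start of this rule -> the next rule */
};
struct target_hdr {
	uint16_t size;		/* size of the target, including this header */
	int32_t verdict;	/* >= 0: jump to that byte offset, < 0: built-in verdict */
};
enum { RS_OK = 0, RS_ERR_BOUNDS = -1, RS_ERR_TARGET_SIZE = -2, RS_ERR_JUMP = -3, RS_ERR_TOO_MANY = -4 };
#define MAX_RULES 64

/* Pass 1 checks every offset before using it and records rule starts;
 * pass 2 checks that every jump lands on one of those starts. */
int validate_ruleset(const uint8_t *blob, size_t len, size_t *nrules_out)
{
	size_t starts[MAX_RULES], nrules = 0, off = 0, i, j;
	struct rule_hdr r;
	struct target_hdr t;

	while (off < len) {
		if (nrules == MAX_RULES)
			return RS_ERR_TOO_MANY;
		if (len - off < sizeof(r))
			return RS_ERR_BOUNDS;
		memcpy(&r, blob + off, sizeof(r));
		/* target after the header and inside the rule; this also rejects
		 * next_offset == 0, which would otherwise never advance */
		if (r.target_offset < sizeof(r) || r.next_offset < r.target_offset ||
		    r.next_offset > len - off)
			return RS_ERR_BOUNDS;
		/* the alleged target must be at least as big as the minimum header */
		if ((size_t)(r.next_offset - r.target_offset) < sizeof(t))
			return RS_ERR_TARGET_SIZE;
		memcpy(&t, blob + off + r.target_offset, sizeof(t));
		if (t.size < sizeof(t) || t.size > r.next_offset - r.target_offset)
			return RS_ERR_TARGET_SIZE;
		starts[nrules++] = off;
		off += r.next_offset;
	}
	for (i = 0; i < nrules; i++) {
		memcpy(&r, blob + starts[i], sizeof(r));
		memcpy(&t, blob + starts[i] + r.target_offset, sizeof(t));
		if (t.verdict < 0)
			continue;	/* built-in verdict, nothing to resolve */
		for (j = 0; j < nrules && starts[j] != (size_t)t.verdict; j++)
			;
		if (j == nrules)
			return RS_ERR_JUMP;
	}
	if (nrules_out)
		*nrules_out = nrules;
	return RS_OK;
}

/* Build one 12-byte rule (4-byte header, 8-byte target) with the given verdict. */
static void emit_rule(uint8_t *buf, int32_t verdict)
{
	struct rule_hdr r = { .target_offset = 4, .next_offset = 12 };
	struct target_hdr t = { .size = 8, .verdict = verdict };

	memcpy(buf, &r, sizeof(r));
	memcpy(buf + 4, &t, sizeof(t));
}

/* Constructed scenarios; returns validate_ruleset()'s result, or -99 if the
 * rule count it reports is wrong. */
int demo(const char *scenario)
{
	uint8_t blob[36] = { 0 };
	struct rule_hdr bad = { .target_offset = 4, .next_offset = 0 };
	size_t len = 24, count = 0;
	int rc;

	emit_rule(blob, -1);
	emit_rule(blob + 12, -1);
	if (!strcmp(scenario, "valid")) {
		emit_rule(blob, 24);	/* rule 0 jumps to rule 2, which starts at 24 */
		emit_rule(blob + 24, -1);
		len = 36;
	} else if (!strcmp(scenario, "jump-into-rule")) {
		emit_rule(blob, 8);	/* 8 is inside rule 0, not a rule start */
	} else if (!strcmp(scenario, "zero-next-offset")) {
		memcpy(blob, &bad, sizeof(bad));	/* next_offset 0 would never advance */
	} else if (!strcmp(scenario, "short-target")) {
		bad.next_offset = 8;	/* leaves 4 bytes for an 8-byte target header */
		memcpy(blob, &bad, sizeof(bad));
		len = 8;
	}
	rc = validate_ruleset(blob, len, &count);
	return (rc == RS_OK && count != len / 12) ? -99 : rc;
}
```

The first pass never trusts an offset it has not bounds-checked, which is also what makes the jump check in the second pass safe: by then every recorded start is known to be a complete rule, so a verdict that is not in the list is rejected before anything dereferences it.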


Re: Possible segfault in nft utility

2016-04-08 Thread Pablo Neira Ayuso
On Fri, Apr 08, 2016 at 11:10:47AM +, Meyer Raffaele wrote:
> Dear Sir or Madam
> 
> I am currently using nftables under Ubuntu 15.10. Kernel version is 
> 4.2.0-16-generic and nftables version is nftables v0.4 (Support Edward 
> Snowden).
> I was looking for a way to match packets based on the mss optional value in 
> the tcp header. While using the describe command, I encountered a segfault:
> 
> user@machine:~$ nft describe tcp reserved
> Segmentation fault (core dumped)

This is already fixed in 0.5 as well as in the upcoming 0.6 release.

# nft describe tcp reserved 
payload expression, datatype integer (integer), 4 bits

> It is not really a bad bug since the reserved keyword is probably
> not used anyway but I thought to report it. At the same time I
> wanted to ask if it is possible to match packets on whether they have
> a MaximumSegmentSize set in the TCP header or not.

Several people have already asked for TCP options matching, this is
coming soon.


Re: [PATCH RFC nf-next 0/3] named expressions for nf_tables

2016-04-08 Thread Pablo Neira Ayuso
On Thu, Apr 07, 2016 at 11:49:42PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso  wrote:
> > Several examples on how this would look from userspace:
> > 
> > * Add the 'tcp-counter' counter to the 'filter' table:
> > 
> >  # nft add counter filter tcp-counter
> > 
> > * Delete this counter (only possible if not dereferenced from a rule):
> > 
> >  # nft delete counter filter tcp-counter
> > 
> > * List existing named counters:
> > 
> >  # nft lists counters
> >  table ip filter {
> > counter tcp-counter {
> > packets 6086 bytes 6278052
> > }
> > counter udp-counter {
> > packets 272 bytes 64690
> > }
> > counter icmp-counter {
> > packets 10 bytes 840
> > }
> >  }
> 
> Can't you already create a 'named counter' via
> 
> chain tcp-counter {
>   counter
> }
> 
> ?
> 
> Seems to me we only would have to teach nft list to
> allow filtering output on chain names, e.g.
> 
> nft list table filter \*-counter
> 
> to have something similar using existing feature set.

Right, but we still need a way to uniquely identify this stateful
expression for atomic dump'n'reset.

> > So far, only counters are supported, but it should be possible to
> > support named limits. I have another (incomplete) patch that allows to
> > update the named expressions parameters, this can be useful to
> > dynamically update the ratelimiting policies, the command line should
> > look like:
> > 
> >  # nft update limit name user01234 rate 250 mbytes/day
> 
> Similar comment here, you could create
> 
> chain user01234 {
>   limit rate 100 mbytes/day
> }

Right, we can replace this rule via the handle, but I see two problems
with this:

1) The user needs to track the rule handle, not so much of a problem
   since userspace can do this at the cost of a bit of more
   complexity.

2) When replacing the rule, the new expression starts from no history
   as it will be a new expression, we'll be basically resetting it.

Using 'nft update limit...' I think we should be capable of upgrading
the ratelimit by keeping around the quota that the user has already
consumed.

The idea is, if we know the previous cost of every byte/packet in
terms of tokens, given that tokens are generated per nanosecond and
that we know how many tokens we have already consumed, then we can
recalculate the quota that has already been consumed and add this to
the limit update, eg. if the limit rate is 100 mbytes/day but the user
already consumed 50 mbytes, when calling:

nft update limit rate 200 mbytes/day

we can keep the 50 mbytes that were already consumed around.

Let me know, thanks.
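The token accounting sketched in the message above (tokens generated per nanosecond, a per-byte cost derived from the rate, the consumed quota recomputed and carried into the new rate) in runnable form. This is an added example, not the nft_limit implementation or any code from the thread: the struct limit fields, mul_div(), limit_update_rate() and demo_remaining() are my own naming, the 128-bit intermediate relies on the GCC/Clang `unsigned __int128` extension, and the scenario values (100 mbytes/day, 50 mbytes consumed, update to 200 mbytes/day) follow the message.

```c
#include <stdbool.h>
#include <stdint.h>

/* Toy token bucket in the spirit of the thread: the budget is kept in
 * nanoseconds, refilled one token per elapsed nanosecond, and one byte
 * costs nsecs/rate tokens. Names are my own, not nft_limit's. */
struct limit {
	uint64_t rate;		/* bytes allowed per period */
	uint64_t nsecs;		/* period length in nanoseconds */
	uint64_t tokens;	/* remaining budget, in nanoseconds */
	uint64_t tokens_max;	/* one full period's budget */
	uint64_t last;		/* timestamp of the last refill */
};
#define NSEC_PER_DAY 86400000000000ULL

/* a * b / c without overflowing the product (GCC/Clang 128-bit extension). */
static uint64_t mul_div(uint64_t a, uint64_t b, uint64_t c)
{
	return (uint64_t)(((unsigned __int128)a * b) / c);
}

void limit_init(struct limit *l, uint64_t rate, uint64_t nsecs, uint64_t now)
{
	l->rate = rate;
	l->nsecs = nsecs;
	l->tokens = l->tokens_max = nsecs;
	l->last = now;
}

/* Cost of `bytes` in tokens: nsecs * bytes / rate. */
static uint64_t limit_cost(const struct limit *l, uint64_t bytes)
{
	return mul_div(l->nsecs, bytes, l->rate);
}

/* Charge a packet; returns true when it exceeds the limit. */
bool limit_eval(struct limit *l, uint64_t now, uint64_t bytes)
{
	uint64_t tokens = l->tokens + (now - l->last);
	uint64_t cost = limit_cost(l, bytes);

	if (tokens > l->tokens_max)
		tokens = l->tokens_max;
	l->last = now;
	if (tokens < cost) {
		l->tokens = tokens;
		return true;
	}
	l->tokens = tokens - cost;
	return false;
}

/* Bytes the current period has already been charged for. */
uint64_t limit_consumed_bytes(const struct limit *l)
{
	return mul_div(l->tokens_max - l->tokens, l->rate, l->nsecs);
}

/* Bytes still allowed in the current period. */
uint64_t limit_remaining_bytes(const struct limit *l)
{
	return mul_div(l->tokens, l->rate, l->nsecs);
}

/* Change the rate but carry the consumed quota over, instead of starting
 * from a full bucket as replacing the rule would. */
void limit_update_rate(struct limit *l, uint64_t new_rate, uint64_t new_nsecs)
{
	uint64_t consumed = limit_consumed_bytes(l);
	uint64_t new_cost;

	l->rate = new_rate;
	l->nsecs = new_nsecs;
	l->tokens_max = new_nsecs;
	new_cost = limit_cost(l, consumed);	/* the old usage priced at the new rate */
	l->tokens = new_cost > l->tokens_max ? 0 : l->tokens_max - new_cost;
}

/* The thread's scenario: 100 mbytes/day with 50 mbytes already consumed
 * (charged at one instant so nothing refills in between), then
 * 'update limit rate 200 mbytes/day'. Returns the bytes still allowed. */
uint64_t demo_remaining(bool after_update)
{
	struct limit l;

	limit_init(&l, 100000000ULL, NSEC_PER_DAY, 0);
	for (int i = 0; i < 50; i++)
		limit_eval(&l, 0, 1000000ULL);
	if (after_update)
		limit_update_rate(&l, 200000000ULL, NSEC_PER_DAY);
	return limit_remaining_bytes(&l);
}
```

After the update the bucket allows 150 mbytes for the rest of the period rather than the full 200 mbytes a freshly created limit would grant, which is exactly the "keep the 50 mbytes that were already consumed around" behaviour the message asks for. The division in limit_cost() rounds down, so repeated tiny packets are charged slightly less than their exact share; a real implementation would want to account for that remainder.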


Re: [PATCH nft v2] src: evaluate: Show error for fanout without balance

2016-04-08 Thread Pablo Neira Ayuso
On Thu, Apr 07, 2016 at 10:58:54PM +0530, Shivani Bhardwaj wrote:
> The idea of fanout option is to improve the performance by indexing CPU
> ID to map packets to the queues. This is used for load balancing.
> Fanout option is not required when there is a single queue specified.
> 
> According to iptables, queue balance should be specified in order to use
> fanout. Following that, throw an error in nftables if the range of
> queues for load balancing is not specified with the fanout option.
> 
> After this patch,
> 
> $ sudo nft add rule ip filter forward counter queue num 0 fanout
> :1:46-46: Error: fanout requires queue num range to be specified
> add rule ip filter forward counter queue num 0 fanout
>  ^

Thanks, I'm applying this with updates, basically adding this chunk to
your patch:

diff --git a/src/parser_bison.y b/src/parser_bison.y
index 4b7c1f5..444ed4c 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -1722,6 +1722,7 @@ queue_stmt_args   :   queue_stmt_arg
 queue_stmt_arg :   QUEUENUMstmt_expr
{
$0->queue.queue = $2;
+   $0->queue.queue->location = @$;
}
|   queue_stmt_flags
{
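Review bot: `@$` is the location of the whole `QUEUENUM stmt_expr` production (keyword plus number), while `$2` already carries the location of the number alone, yet the error output shown afterwards still reports column 46-46, the `0`; state which of the two ranges the caret is meant to cover, and if the number alone is intended the assignment can be dropped in favour of the expression's own location.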

I'm basically resetting the location here.

So the error printing look like:

$ sudo nft add rule ip filter forward counter queue num 0 fanout
:1:46-46: Error: fanout requires a range to be specified
add rule ip filter forward counter queue num 0 fanout
 ^

which seems slightly better.

We can probably use expr_binary_error() instead of expr_error() so we get
something like:

$ sudo nft add rule ip filter forward counter queue num 0 fanout
:1:46-46: Error: fanout requires a range to be specified
add rule ip filter forward counter queue num 0 fanout
 ^ ~~

But this requires revisiting the parser to convert the flags to
expressions, let's have a look at this later.


Possible segfault in nft utility

2016-04-08 Thread Meyer Raffaele
Dear Sir or Madam

I am currently using nftables under Ubuntu 15.10. Kernel version is 
4.2.0-16-generic and nftables version is nftables v0.4 (Support Edward Snowden).
I was looking for a way to match packets based on the mss optional value in the 
tcp header. While using the describe command, I encountered a segfault:

user@machine:~$ nft describe tcp reserved
Segmentation fault (core dumped)

It is not really a bad bug since the reserved keyword is probably not used 
anyway but I thought to report it. At the same time I wanted to ask if it is 
possible to match packets on whether they have a MaximumSegmentSize set in the 
TCP header or not. I want this since most of the TCP-Syn flood tools seem to 
not set this option and most legitimate TCP stacks do set it.

Greetings
Raffaele Meyer


[nf_tables PATCH] netfilter: nf_tables: invert chain deletion abort path

2016-04-08 Thread Arturo Borrero Gonzalez
Before this patch, the chain deletion abort path re-adds chains in the reverse
order of what was originally in the ruleset.
Invert the order, so the ruleset is exactly the same after abort.

Example, using 2 config files:

ruleset_good.nft:
 8< 
flush ruleset
table ip t {
chain c1 {
}
chain c2 {
}
chain c3 {
}
}
 8< 

ruleset_bad.nft:
 8< 
flush ruleset
table ip t {
chain c1 {
}
chain c2 {
jump c6
}
chain c3 {
}
}
 8< 


before this patch:

% nft -f ruleset_good.nft
% nft -f ruleset_bad.nft
% nft list ruleset
table ip t {
chain c3 {
}

chain c2 {
}

chain c1 {
}
}

[ note, inverse order of chain listing ]

after this patch:

% nft -f ruleset_good.nft
% nft -f ruleset_bad.nft
% nft list ruleset
table ip t {
chain c1 {
}

chain c2 {
}

chain c3 {
}
}

[ note, same order of chain listing ]

Signed-off-by: Arturo Borrero Gonzalez 
---
 net/netfilter/nf_tables_api.c |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 2011977..8578cc6 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4060,8 +4060,8 @@ static int nf_tables_abort(struct net *net, struct 
sk_buff *skb)
break;
case NFT_MSG_DELCHAIN:
trans->ctx.table->use++;
-   list_add_tail_rcu(&trans->ctx.chain->list,
- &trans->ctx.table->chains);
+   list_add_rcu(&trans->ctx.chain->list,
+&trans->ctx.table->chains);
nft_trans_destroy(trans);
break;
case NFT_MSG_NEWRULE:
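Review bot: the commit message shows the symptom but not why head insertion is the right fix; spell out the order in which nf_tables_abort() replays the DELCHAIN transactions, since list_add_rcu() only restores the original chain order if that replay walks the transaction list in reverse, and a future change to the walk direction would silently reintroduce the inversion. Also, the `@@` context line is wrapped in this copy (`struct` / `sk_buff *skb)`), which breaks the hunk for git am.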



Re: [PATCH 0/4] nfct: documentation updates and corrections.

2016-04-08 Thread Pablo Neira Ayuso
On Fri, Apr 08, 2016 at 08:18:40AM +0200, Mart Frauenlob wrote:
> 
> Good day,
> 
> this series includes some documentation updates and corrections for nfct.

Series applied.

> For the first patch: add missing commands to usage output,
> 
> I was not able to trigger the usage output. I think the parser is broken.

Yes, this is broken.

It would be good to add getopt_long to disable the help and version
via -h and -v. Similar what we have in nft.


Re: [PATCH 5/5] conntrack: man: Add description of tables dying and unconfirmed.

2016-04-08 Thread Pablo Neira Ayuso
On Fri, Apr 08, 2016 at 12:19:21PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Apr 07, 2016 at 08:31:42PM +0200, Mart Frauenlob wrote:
> > +.PP
> > +The tables "dying" and "unconfirmed" are basically only useful for 
> > debugging purposes.
> > +Under normal operation, it is hard to see entries in any of them.
> > +There are corner cases, where it is valid to see entries in the
> > +unconfirmed table:
> > +1) when packets that are enqueued via nfqueue, or
> > +2) when conntrackd runs in event reliable mode.

BTW, I have reworded this:

"The tables "dying" and "unconfirmed" are basically only useful for
debugging purposes.  Under normal operation, it is hard to see entries
in any of them.  There are corner cases, where it is valid to see
entries in the unconfirmed table, e.g. when packets are enqueued
via nfqueue, and the dying table, e.g. when conntrackd runs in event
reliable mode."

Actually, you can see entries in the dying table when conntrackd
reliable event mode is on, instead of the unconfirmed table.

Sorry about that.


Re: [PATCH] Printing the table name before chain name.

2016-04-08 Thread Pablo Neira Ayuso
On Fri, Apr 08, 2016 at 01:08:14AM +0530, Guruswamy Basavaiah wrote:
> Command ./iptables-restore-translate was printing the
> table name before the chain name for user-added chains.
> This breaks the ./nft -f command.
> 
> Before fix, output of "./iptables-restore-translate"
> add chain ip OUTPUT_direct raw
> 
> After fix:
> add chain ip raw OUTPUT_direct

Applied, thanks.


Re: [PATCH 4/5] conntrack: man: add options --src and --dst.

2016-04-08 Thread Pablo Neira Ayuso
Also applied.


Re: [PATCH 5/5] conntrack: man: Add description of tables dying and unconfirmed.

2016-04-08 Thread Pablo Neira Ayuso
Applied, thanks.

On Thu, Apr 07, 2016 at 08:31:42PM +0200, Mart Frauenlob wrote:
> 
> Signed-off-by: Mart Frauenlob 
> ---
>  conntrack.8 |   17 +
>  1 files changed, 17 insertions(+), 0 deletions(-)
> 
> diff --git a/conntrack.8 b/conntrack.8
> index e54951a..dfde9f0 100644
> --- a/conntrack.8
> +++ b/conntrack.8
> @@ -48,6 +48,23 @@ mechanism used to "expect" RELATED connections to existing 
> ones.  Expectations
>  are generally used by "connection tracking helpers" (sometimes called
>  application level gateways [ALGs]) for more complex protocols such as FTP,
>  SIP, H.323.
> +.TP
> +.BR "dying" :
> +This table shows the conntrack entries, that have expired and that have been
> +destroyed by the connection tracking system itself, or via the conntrack 
> utility.
> +.TP
> +.BR "unconfirmed" :
> +This table shows new entries, that are not yet inserted into the conntrack 
> table.
> +These entries are attached to packets that are traversing the stack,
> +but did not reach the confirmation point at the postrouting hook.
> +.PP
> +The tables "dying" and "unconfirmed" are basically only useful for debugging 
> purposes.
> +Under normal operation, it is hard to see entries in any of them.
> +There are corner cases, where it is valid to see entries in the
> +unconfirmed table:
> +1) when packets that are enqueued via nfqueue, or
> +2) when conntrackd runs in event reliable mode.
> +.PP
>  .SH OPTIONS
>  The options recognized by 
>  .B conntrack
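Review bot: the closing paragraph attributes both corner cases to the unconfirmed table, but as Pablo notes in his follow-up in this thread, entries from conntrackd's event reliable mode show up in the dying table; split the sentence so nfqueue is the example for unconfirmed and conntrackd reliable mode the example for dying. The `.TP`/`.BR` markup matches the "expect" entry above it, so no change needed there.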
> -- 
> 1.7.2.5
> 


Re: [PATCH 3/5] conntrack: show --src and --dst options in usage output.

2016-04-08 Thread Pablo Neira Ayuso
Applied.


Re: [PATCH 1/5] conntrack: add --proto to usage output.

2016-04-08 Thread Pablo Neira Ayuso
On Thu, Apr 07, 2016 at 08:31:38PM +0200, Mart Frauenlob wrote:
> 
> Signed-off-by: Mart Frauenlob 
> ---
>  src/conntrack.c |2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/src/conntrack.c b/src/conntrack.c
> index dadbea5..162caa9 100644
> --- a/src/conntrack.c
> +++ b/src/conntrack.c
> @@ -551,7 +551,7 @@ static const char usage_parameters[] =
>   "  -d, --orig-dst ip\t\tDestination address from original direction\n"
>   "  -r, --reply-src ip\t\tSource addres from reply direction\n"
>   "  -q, --reply-dst ip\t\tDestination address from reply direction\n"
> - "  -p, --protonum proto\t\tLayer 4 Protocol, eg. 'tcp'\n"
> + "  -p, --proto, --protonum proto\t\tLayer 4 Protocol, eg. 'tcp'\n"
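Review bot: `-p, --proto, --protonum proto` is wider than the other option columns, so the two tabs before the description will push it out of alignment with the neighbouring lines; either drop one tab or leave the alias out altogether, since getopt_long already accepts an unambiguous prefix (the `--pr` example later in this thread). While here, the context line above has "Source addres", a typo worth fixing in a follow-up.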

This works too:

# conntrack --pr tcp -L
tcp  6 431998 ESTABLISHED src=10.123.10.20 dst=1.2.3.4 sport=47488 dport=80 src=1.2.3.4 dst=10.123.10.20 sport=80 dport=47488 [ASSURED] mark=0 use=1

Really, I wouldn't worry about this.


Re: [PATCH] conntrack-tools: Fix build for old automake.

2016-04-08 Thread Pablo Neira Ayuso
On Fri, Apr 08, 2016 at 08:40:01AM +0200, Mart Frauenlob wrote:
> On 07.04.2016 19:53, Mart Frauenlob wrote:
> >On 07.04.2016 19:50, Pablo Neira Ayuso wrote:
> >>On Thu, Apr 07, 2016 at 07:33:43PM +0200, Mart Frauenlob wrote:
> >>>On 07.04.2016 18:47, Pablo Neira Ayuso wrote:
> On Mon, Apr 04, 2016 at 11:39:40AM +0200, Mart Frauenlob wrote:
> >  autoreconf fails with automake version smaller than 1.12,
> >  because of undefined macro AM_PROG_AR.
> >  So only expand it if it's actually defined.
> >
> >Signed-off-by: Mart Frauenlob 
> >---
> >  configure.ac |2 +-
> >  1 files changed, 1 insertions(+), 1 deletions(-)
> >
> >diff --git a/configure.ac b/configure.ac
> >index c541034..2c5913f 100644
> >--- a/configure.ac
> >+++ b/configure.ac
> >@@ -14,7 +14,7 @@ AC_SUBST([libdl_LIBS])
> >
> >  AC_PROG_CC
> >  AC_DISABLE_STATIC
> >-AM_PROG_AR
> >+m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) dnl Workaround for Automake 1.11
> 
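Review bot: m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) keeps configure working on automake 1.11 by silently skipping the archiver probe there; say in the commit message that the only thing lost on such systems is support for non-POSIX archivers (the case the automake warning quoted later in this thread is about), so the libtool helpers under src/helpers/ still build with the usual ar.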
> How old is your old system? is it still a distro maintained version?
> >>>
> >>>cat /etc/debian_version
> >>>6.0.10
> >>>Has automake 1.11.
> >>
> >>Is that still maintained?
> >>
> >
> >Quoting https://www.debian.org/News/2016/20160212 :
> >
> >February 12th, 2016
> >The Debian Long Term Support (LTS) Team hereby announces that Debian 6.0
> >("squeeze") support will reach its end-of-life on February 29, 2016,
> >five years after its initial release on February 6, 2011.
> >
> >Hm, no longer since 2 months
> 
> What does that macro actually do in configure?
> 
> AM_PROG_AR([act-if-fail])
> 
> You must use this macro when you use the archiver in your project, if
> you want support for unusual archivers such as Microsoft lib. The content of
> the optional argument is executed if the archiver interface is not
> recognized; the default action is to abort configure with an error message.
> 
> Does this archiver get called at all?

eed61ed5 (Felix Janda 2015-05-16 11:19:02 +0200 17) AM_PROG_AR

commit eed61ed57fd2a82b81af9bd2f6895b3aa5221f49
Author: Felix Janda 
Date:   Sat May 16 11:19:02 2015 +0200

configure: Add AM_PROG_AR to silence automake warning

/usr/share/automake-1.13/am/ltlibrary.am: warning: 'ct_helper_tns.la': 
linking libtool libraries using a non-POSIX
/usr/share/automake-1.13/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 
'configure.ac'
src/helpers/Makefile.am:3:   while processing Libtool library 
'ct_helper_tns.la'


[nft PATCH] test/shell/run-tests.sh: also unload NAT modules

2016-04-08 Thread Arturo Borrero Gonzalez
Also unload NAT modules between tests.

Signed-off-by: Arturo Borrero Gonzalez 
---
 tests/shell/run-tests.sh |1 +
 1 file changed, 1 insertion(+)

diff --git a/tests/shell/run-tests.sh b/tests/shell/run-tests.sh
index 620fe57..0bbb136 100755
--- a/tests/shell/run-tests.sh
+++ b/tests/shell/run-tests.sh
@@ -56,6 +56,7 @@ kernel_cleanup() {
nft_exthdr nft_payload nft_cmp \
nft_meta nft_meta_bridge nft_counter nft_log nft_limit \
nft_hash nft_rbtree nft_ct nft_compat \
+   nft_chain_nat_ipv4 nft_chain_nat_ipv6 \
nf_tables_inet nf_tables_bridge nf_tables_arp \
nf_tables_ipv4 nf_tables_ipv6 nf_tables
 }
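Review bot: nft_chain_nat_ipv4/ipv6 are placed ahead of nf_tables_ipv4/ipv6, which is the right order for rmmod since the chain types depend on the family modules; the NAT core they pull in (nf_nat_ipv4, nf_nat_ipv6, nf_nat) is still left loaded, so state in the commit message whether that is intended, otherwise a test that exercises NAT can still carry state into the next one.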
