Pablo Neira Ayuso wrote:
> On Tue, Mar 15, 2016 at 05:10:09PM +0100, Florian Westphal wrote:
> > Instead of taking the value to set from a source register, userspace
> > passes the bit that we should set as a netlink attribute.
> >
> > This follows a similar approach that xtables 'connlabel'
> >
Pablo Neira Ayuso wrote:
> If we have some generic way to parse immediates, this would look like:
>
> if (nftnl_attr_is_set(nle, NFTNL_EXPR_CT_SREG)) {
> ...
> } else if (nftnl_attr_is_set(nle, NFTNL_EXPR_CT_IMM)) {
> ...
> }
>
> Would this
Modify nft-rule-test.c to check TLV attribute inclusion in nftnl_rule.
Add "*-rule-udata.[json|xml]" to check parsers.
Signed-off-by: Carlos Falgueras García
---
tests/jsonfiles/71-rule-udata.json | 1 +
tests/nft-rule-test.c | 21 +
tests/xmlfiles/82-rule-udata
Now it is possible to store multiple variable length user data into a rule.
Modify the parser in order to fill the nftnl_udata with the comment, and
the print function to extract these comments and print them to the user.
Signed-off-by: Carlos Falgueras García
---
include/rule.h| 7 +
Thank you Pablo for the feedback. I will now send version 5 with all the
changes you have asked for.
On 12/03/16 12:09, Pablo Neira Ayuso wrote:
diff --git a/src/libnftnl.map b/src/libnftnl.map
index 2e193b7..d6cd2a7 100644
--- a/src/libnftnl.map
+++ b/src/libnftnl.map
@@ -336,6 +336,22 @@ globa
Now it is possible to store multiple variable length user data into a rule.
Modify XML and JSON parsers to support this new feature.
Signed-off-by: Carlos Falgueras García
---
include/json.h | 7 ++
include/utils.h | 2 +
include/xml.h | 6 ++
src/jansson.c | 66 +++
src/
Thanks Pablo. I will send all of these changes now.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
These functions allow creating a buffer (nftnl_udata_buf) of TLV objects
(nftnl_udata). It is inspired by libmnl/src/attr.c. It can be used to store
several variable length user data into an object.
Example usage:
```
struct nftnl_udata_buf *buf;
struct nftnl_udata *attr;
```
On Tue, Mar 15, 2016 at 6:06 AM, Pablo Neira Ayuso wrote:
> On Sat, Mar 12, 2016 at 05:48:04PM +0530, Shivani Bhardwaj wrote:
>> Add the --disable-connlabel option and the appropriate functionality
>> associated with it.
>>
>> After this patch, iptables configuration shows up as:
>>
>> Iptables Co
There is still some memory-leak in nft which is due to no matching free for
xstrdup in scanner.l:580.
In main.c, argv is passed as a const, and in main.c:270 filename points to this
const location (by optarg).
So it would be safe to remove xstrdup from scanner.l:580.
$ sudo valgrind --leak-check=f
On Tue, Mar 15, 2016 at 01:15:01AM +0100, Pablo Neira Ayuso wrote:
> On Mon, Mar 14, 2016 at 01:07:36PM -0700, Weongyo Jeong wrote:
> > It seems pr_debug() calls weren't updated while the code was being refactored.
>
> Better add:
>
> #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
>
> at the top of the fi
Uses pr_fmt() macro for debugging messages of nf_conntrack module.
Signed-off-by: Weongyo Jeong
---
net/netfilter/nf_conntrack_core.c | 15 ---
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/net/netfilter/nf_conntrack_core.c
b/net/netfilter/nf_conntrack_core.c
index f
On Tue, Mar 15, 2016 at 05:10:11PM +0100, Florian Westphal wrote:
> Pablo suggested to support this by adding the label bit number
> that we want to set as a netlink attribute and pass that to the kernel.
>
> IOW, ct label set doesn't use an sreg -- instead, the bit that we
> should set in the con
On Tue, Mar 15, 2016 at 05:10:09PM +0100, Florian Westphal wrote:
> Instead of taking the value to set from a source register, userspace
> passes the bit that we should set as a netlink attribute.
>
> This follows a similar approach that xtables 'connlabel'
> match uses, so when user inputs
>
>
The scanner allocates memory for this, so release them given that we
don't attach them to any object.
==6277== 42 bytes in 6 blocks are definitely lost in loss record 2 of 4
==6277==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==6277==    by 0x57AC9D9: strdup (strdup.c:42)
==6277==    by 0x4
This chain type string is released via chain_free() since b7cb6915a88f,
so duplicate it so we don't try to release statically allocated memory.
Fixes: b7cb6915a88f ("rule: Remove memory leak")
Reported-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
src/parser_bison.y | 2 +-
1 file c
Consolidate this rule by introducing the dev_spec and prio_spec, we save
50 LOC with this patch.
Signed-off-by: Pablo Neira Ayuso
---
src/parser_bison.y | 66 +-
1 file changed, 15 insertions(+), 51 deletions(-)
diff --git a/src/parser_bison.y
Instead of taking the value to set from a source register, userspace
passes the bit that we should set as a netlink attribute.
This follows a similar approach that xtables 'connlabel'
match uses, so when user inputs
ct label set bar
then we will set the bit used by the 'bar' label and leave
label set support is implemented by passing the bit value that we want
to set as a netlink attribute.
So kernel does
priv->set_label_bit = ntohl(nla_get_be32(tb[NFTA_CT_LABEL]));
and then uses
test_and_set_bit(priv->set_label_bit, ct_labels->bits);
to set it in atomic fashion.
Signed-off-by: Fl
Pablo suggested to support this by adding the label bit number
that we want to set as a netlink attribute and pass that to the kernel.
IOW, ct label set doesn't use an sreg -- instead, the bit that we
should set in the conntrack label area is taken directly from the user.
This works pretty much t
Hi Pablo
This attempts to implement the set support via your proposed
setter attribute.
IOW instead of taking an sreg and replacing the entire label
area with whatever is contained therein take a bit number
passed in from userspace and set only that one bit.
So ct label set foo
will really mean
Hi,
Today we're releasing the NetDev 1.1 videos, you can find them at:
https://www.youtube.com/channel/UCribHdOMgiD5R3OUDgx2qTg
Regarding papers: a quick reminder to talk presenters who haven't sent
us their paper yet: we have extended the submission deadline to *31st March
2016*. You only have
On Tue, Mar 15, 2016 at 08:37:41AM +0530, Piyush Pangtey wrote:
> Added matching xfree calls in chain_free(), for the chain members 'type' and
> 'dev'.
Applied, thanks Piyush.
I'm going to push this into the repo, I would like this to become part
of the upcoming nft 0.6 release. Please let me know if you find any
problem with it.
Thanks.
On Tue, Mar 15, 2016 at 04:21:38PM +0530, ravin goyal wrote:
> Hi
>
> Thanks for the reply, I ran the same command conntrack -E -o ktimestamp
> and the results are the same as you have shown
> but when I ran conntrack -E -otimestamp OR conntrack -E
> -otimestamp,extended , start and stop timestamp are missing
On Tue, Mar 15, 2016 at 12:04:35PM +0530, ravin goyal wrote:
> Hi
>
> this email is in reference to previous email regarding the NFCT_OF_TIMESTAMP,
>
> setting /proc/sys/net/netfilter/nf_conntrack_timestamp to 1 or 0
> doesn't run the following code in
> /libnetfilter_conntrack-1.0.4/src/conntrac
On Tuesday 2016-03-15 04:13, Piyush Pangtey wrote:
>Unnecessary line-feed characters removed.
>
>Signed-off-by: Piyush Pangtey
>---
> COPYING| 8
>
>diff --git a/COPYING b/COPYING
>index bf7f06e..b9e45a5 100644
>--- a/COPYING
>+++ b/COPYING
>@@ -63,7 +63,7 @@ patent must be licen