On 07.04.2016 19:53, Mart Frauenlob wrote:
On 07.04.2016 19:50, Pablo Neira Ayuso wrote:
On Thu, Apr 07, 2016 at 07:33:43PM +0200, Mart Frauenlob wrote:
On 07.04.2016 18:47, Pablo Neira Ayuso wrote:
On Mon, Apr 04, 2016 at 11:39:40AM +0200, Mart Frauenlob wrote:
autoreconf fails with automa
The missing commands: flush, disable, default-set and default-get
were added to the manpage.
The description of the subsystem has been corrected.
Signed-off-by: Mart Frauenlob
---
nfct.8 | 16 +++-
1 files changed, 15 insertions(+), 1 deletions(-)
diff --git a/nfct.8 b/nfct.8
inde
Signed-off-by: Mart Frauenlob
---
src/nfct.c |3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/src/nfct.c b/src/nfct.c
index 3331e5b..27841be 100644
--- a/src/nfct.c
+++ b/src/nfct.c
@@ -204,6 +204,9 @@ static const char help_msg[] =
" add object-name\tAdd new a
Signed-off-by: Mart Frauenlob
---
src/nfct-extensions/helper.c |4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/nfct-extensions/helper.c b/src/nfct-extensions/helper.c
index dfc55e7..0569827 100644
--- a/src/nfct-extensions/helper.c
+++ b/src/nfct-extensions/helper
Signed-off-by: Mart Frauenlob
---
src/nfct-extensions/timeout.c |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/src/nfct-extensions/timeout.c b/src/nfct-extensions/timeout.c
index 1cb04a1..30f9464 100644
--- a/src/nfct-extensions/timeout.c
+++ b/src/nfct-extensions/time
Good day,
this series includes some documentation updates and corrections for nfct.
For the first patch: add missing commands to usage output,
I was not able to trigger the usage output. I think the parser is broken.
Best regards,
Mart
--
To unsubscribe from this list: send the line "unsubscri
ip[6]tables currently waits for 1 second for the xtables lock to
be freed if the -w option is used. We have seen that the lock is
held much less than that resulting in unnecessary delay when
trying to acquire the lock. This problem is even severe in case
of latency sensitive applications.
Introduc
Pablo Neira Ayuso wrote:
> This patchset introduces the named stateful expressions for nf_tables,
> that allows userspace to set a name for the stateful expression for
> several reasons:
>
> * Provide a unique identifier to fetch and reset its internal state.
> * Allow to update of their paramet
Command ./iptables-restore-translate, was printing
table name before the chain name for user added chains.
This is breaking ./nft -f command.
Before fix, output of "./iptables-restore-translate"
add chain ip OUTPUT_direct raw
After fix:
add chain ip raw OUTPUT_direct
Signed-off-by: Guruswamy Bas
Good day,
this series includes some documentation updates for conntrack.
Best regards,
Mart
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Signed-off-by: Mart Frauenlob
---
src/conntrack.c |4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/conntrack.c b/src/conntrack.c
index 162caa9..0312166 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -547,8 +547,8 @@ static const char usage_update_parameters[
Signed-off-by: Mart Frauenlob
---
src/conntrack.c |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/src/conntrack.c b/src/conntrack.c
index dadbea5..162caa9 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -551,7 +551,7 @@ static const char usage_parameters[] =
Signed-off-by: Mart Frauenlob
---
conntrack.8 | 17 +
1 files changed, 17 insertions(+), 0 deletions(-)
diff --git a/conntrack.8 b/conntrack.8
index e54951a..dfde9f0 100644
--- a/conntrack.8
+++ b/conntrack.8
@@ -48,6 +48,23 @@ mechanism used to "expect" RELATED connections to
Signed-off-by: Mart Frauenlob
---
conntrack.8 |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/conntrack.8 b/conntrack.8
index f2c1ca5..184e51c 100644
--- a/conntrack.8
+++ b/conntrack.8
@@ -129,7 +129,7 @@ Match only entries whose source address in the reply
direction
Signed-off-by: Mart Frauenlob
---
conntrack.8 |4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/conntrack.8 b/conntrack.8
index 184e51c..e54951a 100644
--- a/conntrack.8
+++ b/conntrack.8
@@ -115,11 +115,11 @@ however, this results in more memory consumption.
This opti
On 07.04.2016 19:50, Pablo Neira Ayuso wrote:
On Thu, Apr 07, 2016 at 07:33:43PM +0200, Mart Frauenlob wrote:
On 07.04.2016 18:47, Pablo Neira Ayuso wrote:
On Mon, Apr 04, 2016 at 11:39:40AM +0200, Mart Frauenlob wrote:
autoreconf fails with automake version smaller than 1.12,
because of u
On Thu, Apr 07, 2016 at 07:33:43PM +0200, Mart Frauenlob wrote:
> On 07.04.2016 18:47, Pablo Neira Ayuso wrote:
> >On Mon, Apr 04, 2016 at 11:39:40AM +0200, Mart Frauenlob wrote:
> >> autoreconf fails with automake version smaller than 1.12,
> >> because of undefined macro AM_PROG_AR.
> >> So on
On Thu, Apr 07, 2016 at 07:30:57PM +0200, Mart Frauenlob wrote:
> On 07.04.2016 11:45, Pablo Neira Ayuso wrote:
> >also applied.
> >
>
> I'd update the man page also, but I'm unsure about the wording.
> Is there a description of the tables dying and unconfirmed
> somewhere in the source? Or maybe
On Wed, Apr 06, 2016 at 11:39:19AM +0530, Shivani Bhardwaj wrote:
> Add documentation corresponding to LOG STATEMENT, REJECT STATEMENT,
> COUNTER STATEMENT, META STATEMENT, LIMIT STATEMENT, NAT STATEMENT,
> QUEUE STATEMENT.
Providing a bit of feedback to enhance this.
> Signed-off-by: Shivani Bha
On 07.04.2016 18:47, Pablo Neira Ayuso wrote:
On Mon, Apr 04, 2016 at 11:39:40AM +0200, Mart Frauenlob wrote:
autoreconf fails with automake version smaller than 1.12,
because of undefined macro AM_PROG_AR.
So only expand it if it's actually defined.
Signed-off-by: Mart Frauenlob
---
c
On 07.04.2016 11:42, Pablo Neira Ayuso wrote:
On Tue, Apr 05, 2016 at 11:31:58PM +0200, Mart Frauenlob wrote:
Usage shows --protonum, while the man page talks about --proto.
Should be --proto in usage too. --protonum remains valid,
but is marked deprecated in source.
You better fix the manpage
On 07.04.2016 11:45, Pablo Neira Ayuso wrote:
also applied.
I'd update the man page also, but I'm unsure about the wording.
Is there a description of the tables dying and unconfirmed somewhere in
the source? Or maybe someone can help me out with a brief description?
Thanks,
Mart
The idea of fanout option is to improve the performance by indexing CPU
ID to map packets to the queues. This is used for load balancing.
Fanout option is not required when there is a single queue specified.
According to iptables, queue balance should be specified in order to use
fanout. Following
On 07.04.2016 11:40, Pablo Neira Ayuso wrote:
On Tue, Apr 05, 2016 at 08:44:52AM +0200, Mart Frauenlob wrote:
The old options --src and --dst were still defined at two places.
Replaced with according --orig-src and --orig-dst entry.
--src is valid shortcut.
This breaks backward compatibility.
On Thu, Apr 07, 2016 at 07:24:55PM +0200, Mart Frauenlob wrote:
> On 07.04.2016 11:40, Pablo Neira Ayuso wrote:
> >On Tue, Apr 05, 2016 at 08:44:52AM +0200, Mart Frauenlob wrote:
> >>The old options --src and --dst were still defined at two places.
> >>Replaced with according --orig-src and --orig-
On Thu, Mar 31, 2016 at 10:01:12AM +0200, Arturo Borrero Gonzalez wrote:
> New simple testcases for kernel commit/rollback operations.
>
> * ruleset A is loaded (good ruleset)
> * ruleset B is loaded (bad ruleset): fail is expected
> * ruleset A should remain in the kernel
Also applied, thanks.
On Wed, Apr 06, 2016 at 01:00:10PM +0200, Arturo Borrero Gonzalez wrote:
> A basic tests to check we can perform operations in different network
> namespaces.
Applied, thanks.
On Thu, Apr 7, 2016 at 10:43 PM, Pablo Neira Ayuso wrote:
> On Thu, Apr 07, 2016 at 03:06:40PM +0530, Shivani Bhardwaj wrote:
>> The idea of fanout option is to improve the performance by indexing CPU
>> ID to map packets to the queues. This is used for load balancing.
>> Fanout option is not requ
On Thu, Apr 07, 2016 at 03:06:40PM +0530, Shivani Bhardwaj wrote:
> The idea of fanout option is to improve the performance by indexing CPU
> ID to map packets to the queues. This is used for load balancing.
> Fanout option is not required when there is a single queue specified.
>
> According to i
On Thu, Apr 07, 2016 at 11:31:56AM +0200, Mart Frauenlob wrote:
> Good day,
>
> while I'm writing bash completion code for conntrack-tools, I browsed
> through the source and found some things that raised these questions for me
> (I'm no C developer, so limited here).
>
> 1: Are there three undoc
On Sun, Apr 03, 2016 at 10:03:33PM +0800, Haishuang Yan wrote:
> ip6_route_output() never returns NULL, so it is not appropriate to
> check if the return value is NULL.
Applied, thanks.
On Mon, Apr 04, 2016 at 11:39:40AM +0200, Mart Frauenlob wrote:
> autoreconf fails with automake version smaller than 1.12,
> because of undefined macro AM_PROG_AR.
> So only expand it if it's actually defined.
>
> Signed-off-by: Mart Frauenlob
> ---
> configure.ac |2 +-
> 1 files change
On Wed, Mar 30, 2016 at 11:34:35AM +0200, Jozsef Kadlecsik wrote:
> Baozeng Ding reported a KASAN stack out of bounds issue - it uncovered that
> the TCP option parsing routines in netfilter TCP connection tracking could
> read one byte out of the buffer of the TCP options. Therefore in the patch
On Mon, Mar 28, 2016 at 01:32:41PM +0200, Arturo Borrero Gonzalez wrote:
> +static int rule_evaluate_cmd(struct eval_ctx *ctx)
> +{
> + struct handle *handle = &ctx->cmd->handle;
> +
> + /* allowed:
> + * - insert [position] (no handle)
> + * - add [position] (no handle)
> +
From: Munehisa Kamata
[ upstream commit 94f9cd81436c85d8c3a318ba92e236ede73752fc ]
Commit 8b13eddfdf04cbfa561725cfc42d6868fe896f56 ("netfilter: refactor NAT
redirect IPv4 to use it from nf_tables") has introduced a trivial logic
change which can result in the following crash.
BUG: unable to han
On Tue, Mar 29, 2016 at 11:05:16AM +0200, Florian Westphal wrote:
> arptables is broken since we didn't register the table anymore --
> even 'arptables -L' fails.
Applied, thanks Florian.
On Fri, Apr 01, 2016 at 12:06:24AM +0530, Guruswamy Basavaiah wrote:
> Moving of printing "nft" back to xtables_xlate_main from
> function do_command_xlate.
>
> This reverts of previous commit 4f75601d37349c5a983a969d46c1ff0604991b5c
> which was breaking "iptables-restore-translate -f" and "./nft
On Tue, Apr 05, 2016 at 12:38:37PM +0530, Guruswamy Basavaiah wrote:
> Printing the table name before chain name.
>
> Command ./iptables-restore-translate, was printing
> table name before the chain name for user added chains.
> This is breaking ./nft -f command.
>
> Before fix, output of "./ipta
On Wed, Apr 06, 2016 at 02:10:52PM +0200, Arturo Borrero Gonzalez wrote:
> The iptables command:
> -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE
>
> should translate to:
> tcp flags & fin|syn|rst|psh|ack|urg == 0x0
>
> instead of:
> tcp flags & fin|syn|rst|psh|ack|urg == none
Applied, thank
also applied.
Also applied.
Applied.
On Tue, Apr 05, 2016 at 11:31:58PM +0200, Mart Frauenlob wrote:
> Usage shows --protonum, while the man page talks about --proto.
> Should be --proto in usage too. --protonum remains valid,
> but is marked deprecated in source.
You better fix the manpage. Please, don't unnecessarily deprecate
thin
On Tue, Apr 05, 2016 at 08:44:52AM +0200, Mart Frauenlob wrote:
> The old options --src and --dst were still defined at two places.
> Replaced with according --orig-src and --orig-dst entry.
--src is valid shortcut.
This breaks backward compatibility.
The idea of fanout option is to improve the performance by indexing CPU
ID to map packets to the queues. This is used for load balancing.
Fanout option is not required when there is a single queue specified.
According to iptables, queue balance should be specified in order to use
fanout, following
Good day,
while I'm writing bash completion code for conntrack-tools, I browsed
through the source and found some things that raised these questions for
me (I'm no C developer, so limited here).
1: Are there three undocumented parameters?
namely: disable, default-get, default-set
At least the
Good day!
The usage output as well as the man page of conntrackd
contain superfluous separator characters.
The man page has two quoting errors.
Best regards,
Mart
Signed-off-by: Mart Frauenlob
---
conntrackd.8 |8
1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/conntrackd.8 b/conntrackd.8
index 1ac96a2..3bb4335 100644
--- a/conntrackd.8
+++ b/conntrackd.8
@@ -24,17 +24,17 @@ Run conntrackd in daemon mode.
.B conntrackd
can b
Signed-off-by: Mart Frauenlob
---
src/main.c |4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/main.c b/src/main.c
index 161f654..d12fe18 100644
--- a/src/main.c
+++ b/src/main.c
@@ -43,12 +43,12 @@ static const char usage_daemon_commands[] =
static const char usag