From: Pablo Neira Ayuso
Date: Wed, 13 Apr 2016 01:02:38 +0200
> The following patchset contains the first batch of Netfilter updates for
> your net-next tree.
...
Pulled, thanks Pablo.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majo
On Wed, Mar 23, 2016 at 01:51:43PM +0100, Arturo Borrero Gonzalez wrote:
> Testcases for Netfilter bug #965:
> * add rule at position
> * insert rule at position
> * replace rule with given handle
> * delete rule with given handle
> don't allow deleting rules with the position keyword
Please,
On Sat, Apr 09, 2016 at 10:46:40AM +0200, Giuseppe Longo wrote:
> >> @@ -128,6 +128,13 @@ if test "x$enable_nftables" = "xyes"; then
> >>
> >> PKG_CHECK_MODULES([libnftnl], [libnftnl >= 1.0.5], [nftables=1],
> >> [nftables=0])
> >>
> >> + if test "$nftables" = 0;
> >> + then
> >> +
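Review bot: the trailing semicolon in `if test "$nftables" = 0;` is redundant once `then` is placed on its own line; either drop the semicolon or join the two lines as `if test "$nftables" = 0; then`, which matches the one-line form used by `if test "x$enable_nftables" = "xyes"; then` just above in the same file.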
On Fri, Apr 08, 2016 at 10:47:15AM +0200, Arturo Borrero Gonzalez wrote:
> Also unload NAT modules between tests.
also applied, thanks.
On Tue, Apr 12, 2016 at 01:31:14AM +0200, Phil Sutter wrote:
> If a requested extension exists as module and is not loaded,
> ebt_check_match() might accidentally use an NFPROTO_UNSPEC one with same
> name and fail.
>
> Reproduced with limit match: Given xt_limit and ebt_limit both built as
> modu
On Tue, Apr 12, 2016 at 11:44:17AM +0200, Arturo Borrero Gonzalez wrote:
> Improve checks (and error reporting) for basic rule management operations.
> This includes a fix for netfilter bug #965.
Applied, thanks.
Please stick to the subject line that we've been using for a while,
for consistency.
From: Haishuang Yan
ip6_route_output() never returns NULL, so it is not appropriate to
check if the return value is NULL.
Signed-off-by: Haishuang Yan
Signed-off-by: Pablo Neira Ayuso
---
net/ipv6/netfilter/nf_reject_ipv6.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/n
From: Stephane Bryant
This makes nf queues use NFQA_VLAN and NFQA_L2HDR in the verdict to modify the
original skb.
Signed-off-by: Stephane Bryant
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nfnetlink_queue.c | 47 +
1 file changed, 47 insertions(+)
d
From: Florian Westphal
Not performance critical, it is only invoked when an expectation is
added/destroyed.
While at it, kill unused nf_ct_expect_event() wrapper.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_conntrack_ecache.h | 42 +++
From: Liping Zhang
Replace '64' with the per-net ipv6_devconf_all's hop_limit when
building the ipv6 header.
Signed-off-by: Liping Zhang
Signed-off-by: Pablo Neira Ayuso
---
net/ipv6/netfilter/ip6t_SYNPROXY.c | 56 --
1 file changed, 30 insertions(+), 26 de
From: Stephane Bryant
- This creates 2 netlink attributes, NFQA_VLAN and NFQA_L2HDR.
- These are filled up for the PF_BRIDGE family on the way to userspace.
- NFQA_VLAN is a nested attribute, with the NFQA_VLAN_PROTO and the
NFQA_VLAN_TCI carrying the corresponding vlan_proto and vlan_tci
field
From: Weongyo Jeong
Uses pr_fmt() macro for debugging messages of nf_conntrack module.
Signed-off-by: Weongyo Jeong
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_conntrack_core.c | 15 ---
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/net/netfilter/nf_connt
From: Stephane Bryant
This just adds and registers a nf_afinfo for the ethernet
bridge, which enables queuing to userspace for the AF_BRIDGE
family. No checksum computation is done.
Signed-off-by: Stephane Bryant
Signed-off-by: Pablo Neira Ayuso
---
net/bridge/netfilter/nf_tables_bridge.c | 4
From: Florian Westphal
Way too large; move it to nf_conntrack_ecache.c.
Reduces total object size by 1216 bytes on my machine.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_conntrack_ecache.h | 66 ++---
net/netfilter/nf_c
Hi David,
The following patchset contains the first batch of Netfilter updates for
your net-next tree.
1) Define pr_fmt() in nf_conntrack, from Weongyo Jeong.
2) Define and register netfilter's afinfo for the bridge family,
this comes in preparation for native nfqueue's bridge for nft,
fro
On Mon, Apr 11, 2016 at 01:10:33PM +0530, Guruswamy Basavaiah wrote:
> No need to print "nft" in function do_command_xlate,
> if the function is called from iptables-restore-translate command.
Applied, thanks.
On Fri, Apr 08, 2016 at 01:59:05PM +0200, Florian Westphal wrote:
> > I'm starting to consider that, given that this has been broken since
> > day 1, we pass this through nf-next and then later on we request
> > inclusion for -stable.
>
> Fine with me.
Florian, I'm going to send a pull request to
On Mon, Apr 11, 2016 at 09:52:34PM +0200, Florian Westphal wrote:
> Noticed that we have two static inline functions that should be normal
> functions instead.
> First patch saves a bit of text size as well.
Series applied, thanks.
Parse flags and pass them to the set via ->deactivate() to check if we
remove the right element from the intervals.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_api.c | 38 +-
1 file changed, 33 insertions(+), 5 deletions(-)
diff --git a/net/n
This patch fixes dynamic element updates for adjacent intervals in the
rb-tree representation.
Since elements are sorted in the rb-tree, in case of adjacent nodes with
the same key, the assumption is that an interval end node must be placed
before an interval opening.
In tree lookup operations, t
Add this new nft_rbtree_interval_end() helper function to check if the
end interval flag is set.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nft_rbtree.c | 9 ++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nft_rbtree.c b/net/netfilter/nft_rbtree.c
index 1
This function parses the set element flags, thus, we can reuse the same
handling when deleting elements.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_api.c | 34 ++
1 file changed, 22 insertions(+), 12 deletions(-)
diff --git a/net/netfilter/nf_ta
This patchset resolves the main issues with the dynamic support for
ranges and its existing rb-tree implementation.
-ruleset.file-
table ip test {
set myset {
type ipv4_addr
flags interval
}
chain input {
type filter hook inpu
Many of these functions are called from the control plane path. Move
ctnetlink_nlmsg_size() under CONFIG_NF_CONNTRACK_EVENTS to avoid a
compilation warning when CONFIG_NF_CONNTRACK_EVENTS=n.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_conntrack_netlink.c | 117 ++--
Shivani Bhardwaj wrote:
> > I think that this would make it a bit clearer and
> > it also avoids the v3/v2/v1 stacking.
> >
> Sure.
> Just to make sure I get this right, should I be using two objects of
> structures xt_NFQ_info_v3 and xt_NFQ_info_v2 (since v3 does not have
> bypass) and make switc
On Tue, Apr 12, 2016 at 10:58 PM, Florian Westphal wrote:
> Shivani Bhardwaj wrote:
>> NFQUEUE had a bug with the ordering of fanout and bypass options which
>> was arising due to same and odd values for flags and bypass when used
>> together. Because of this, during bitwise ANDing of flags and
>
Shivani Bhardwaj wrote:
> NFQUEUE had a bug with the ordering of fanout and bypass options which
> was arising due to same and odd values for flags and bypass when used
> together. Because of this, during bitwise ANDing of flags and
> NFQ_FLAG_CPU_FANOUT, the value always evaluated to false (since
NFQUEUE had a bug with the ordering of fanout and bypass options which
was arising due to same and odd values for flags and bypass when used
together. Because of this, during bitwise ANDing of flags and
NFQ_FLAG_CPU_FANOUT, the value always evaluated to false (since
NFQ_FLAG_CPU_FANOUT=0x02) and le
Currently labels can only be set either by iptables connlabel
match or via ctnetlink.
Before adding nftables set support, clean up the clabel core and move
helpers that nft will not need after all to the xtables module.
Signed-off-by: Florian Westphal
---
No changes since last iteration.
incl
Make the replace function only send a ctnetlink event if the contents
of the new set are different.
Otherwise 'ct label set ct label | bar'
will cause a netlink event storm since we "replace" labels for each packet.
Signed-off-by: Florian Westphal
---
No changes since last version.
net/netfilte
nf_connlabel_set() takes the bit number that we would like to set.
nf_connlabels_get() however took the number of bits that we want to
support.
So e.g. nf_connlabels_get(32) supports bits 0 to 31, but not 32.
This changes nf_connlabels_get() to take the highest bit that we want
to set.
Callers the
Instead of taking the value to set from a source register, userspace
passes the bit that we should set as an immediate netlink value.
This follows a similar approach that xtables 'connlabel'
match uses, so when user inputs
ct label set bar
then we will set the bit used by the 'bar' label and
Hi.
This is round 5 of the connlabel set support set.
I'm only sending the kernel patches for now.
First 4 patches are preparation changes, patch #4 adds set support.
I added a more generic CT_IMM nested attr that expects a nft_data struct.
It's up to the kernel (using the key) to figure out h
Christophe Leroy wrote:
[ nft_ct helper set support ]
> Patrick, can you help ?
I have a few pending patches, one of them adds an immediate
attr for ctlabel set support.
Let's see if that approach is sane enough to be reused for helper
support.
I will post it soon.
Patrick, can you help ?
On 09/03/2016 00:25, Christophe Leroy wrote:
On 07/03/2016 14:20, Patrick McHardy wrote:
On 05.03, christophe leroy wrote:
Hello,
I'm trying to implement support for CT HELPERs in linux kernel for
nftables and need some help/guidance.
The rule being 'udp dport
Improve checks (and error reporting) for basic rule management operations.
This includes a fix for netfilter bug #965.
Netfilter bug: http://bugzilla.netfilter.org/show_bug.cgi?id=965
Reported-by: Jesper Sander Lindgren
Suggested-by: Pablo Neira Ayuso
Signed-off-by: Arturo Borrero Gonzalez
---