On 14 April 2016 at 03:35, Pablo Neira Ayuso wrote:
> On Thu, Apr 14, 2016 at 10:40:15AM +0200, Florian Westphal wrote:
>> David Laight wrote:
>> > From: Joe Stringer
>> > > Sent: 13 April 2016 19:10
>> > > This is the IPv6 equivalent of commit 8282f27449bf ("inet: frag: Always
>> > > orphan skbs
On 14 April 2016 at 01:40, Florian Westphal wrote:
> David Laight wrote:
>> From: Joe Stringer
>> > Sent: 13 April 2016 19:10
>> > This is the IPv6 equivalent of commit 8282f27449bf ("inet: frag: Always
>> > orphan skbs inside ip_defrag()").
>> >
>> > Prior to commit 029f7f3b8701 ("netfilter: ipv
It seems both Debian/Fedora (and derivatives) contain mktemp (from the coreutils
package) so it makes no sense to have this failover, which looks buggy also.
Signed-off-by: Arturo Borrero Gonzalez
---
tests/shell/testcases/netns/0001nft-f_0 |8 +---
tests/shell/testcases/netns/000
On 14/04/16 01:59, Pablo Neira Ayuso wrote:
On Tue, Mar 22, 2016 at 08:46:25PM +0100, Carlos Falgueras García wrote:
diff --git a/src/rule.c b/src/rule.c
index 3a32bf6..db96e5b 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -28,6 +28,7 @@
#include
#include
#include
+#include
struct nft
NFQUEUE had a bug with the ordering of fanout and bypass options which
was arising due to same and odd values for flags and bypass when used
together. Because of this, during bitwise ANDing of flags and
NFQ_FLAG_CPU_FANOUT, the value always evaluated to false (since
NFQ_FLAG_CPU_FANOUT=0x02) and le
Remove the stacking of older version into the newer one by adding the
appropriate code corresponding to each version.
Suggested-by: Florian Westphal
Signed-off-by: Shivani Bhardwaj
---
extensions/libxt_NFQUEUE.c | 104 +++--
1 file changed, 92 insertions(
Four years ago we introduced a new sysctl knob to disable automatic
helper assignment in 72110dfaa907 ("netfilter: nf_ct_helper: disable
automatic helper assignment"). This knob kept this behaviour enabled by
default to remain conservative.
This measure was introduced to provide a secure way to co
Pablo Neira Ayuso wrote:
> On Thu, Apr 14, 2016 at 01:16:56PM +0200, Florian Westphal wrote:
> > Pablo Neira Ayuso wrote:
> > > > net/netfilter/nf_conntrack_proto_sctp.c | 8 +---
> > > > net/netfilter/nf_conntrack_proto_tcp.c | 8 +---
> > > > 2 files changed, 2 insertions(+), 14 delet
On Thu, Apr 14, 2016 at 01:26:52PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > On Thu, Apr 14, 2016 at 12:05:27PM +0200, Florian Westphal wrote:
> > > Pablo Neira Ayuso wrote:
> > > > On Tue, Apr 12, 2016 at 06:14:26PM +0200, Florian Westphal wrote:
> > > > > diff --git a/net/ne
On Thu, Apr 14, 2016 at 01:16:56PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > > net/netfilter/nf_conntrack_proto_sctp.c | 8 +---
> > > net/netfilter/nf_conntrack_proto_tcp.c | 8 +---
> > > 2 files changed, 2 insertions(+), 14 deletions(-)
> > >
> > > diff --git a/ne
Pablo Neira Ayuso wrote:
> On Thu, Apr 14, 2016 at 12:05:27PM +0200, Florian Westphal wrote:
> > Pablo Neira Ayuso wrote:
> > > On Tue, Apr 12, 2016 at 06:14:26PM +0200, Florian Westphal wrote:
> > > > diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
> > > > index 25998fa..4ec1cea 100
Pablo Neira Ayuso wrote:
> > net/netfilter/nf_conntrack_proto_sctp.c | 8 +---
> > net/netfilter/nf_conntrack_proto_tcp.c | 8 +---
> > 2 files changed, 2 insertions(+), 14 deletions(-)
> >
> > diff --git a/net/netfilter/nf_conntrack_proto_sctp.c
> > b/net/netfilter/nf_conntrack_proto_
On Thu, Apr 14, 2016 at 10:40:15AM +0200, Florian Westphal wrote:
> David Laight wrote:
> > From: Joe Stringer
> > > Sent: 13 April 2016 19:10
> > > This is the IPv6 equivalent of commit 8282f27449bf ("inet: frag: Always
> > > orphan skbs inside ip_defrag()").
> > >
> > > Prior to commit 029f7f3b
On Fri, Apr 08, 2016 at 12:56:10PM +0200, Arturo Borrero Gonzalez wrote:
> Before this patch, chain deletion abort path re-adds chains in reverse
> order of what was originally in the ruleset.
> Invert the order, so the ruleset is exactly the same after abort.
>
> Example, using 2 config files:
>
On Thu, Apr 14, 2016 at 12:05:27PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > On Tue, Apr 12, 2016 at 06:14:26PM +0200, Florian Westphal wrote:
> > > diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
> > > index 25998fa..4ec1cea 100644
> > > --- a/net/netfilter/nft_ct
On Mon, Apr 11, 2016 at 09:14:29PM +0200, Florian Westphal wrote:
> read access doesn't need any lock here.
>
> Signed-off-by: Florian Westphal
> ---
> net/netfilter/nf_conntrack_proto_sctp.c | 8 +---
> net/netfilter/nf_conntrack_proto_tcp.c | 8 +---
> 2 files changed, 2 insertions(+)
Pablo Neira Ayuso wrote:
> On Tue, Apr 12, 2016 at 06:14:26PM +0200, Florian Westphal wrote:
> > diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
> > index 25998fa..4ec1cea 100644
> > --- a/net/netfilter/nft_ct.c
> > +++ b/net/netfilter/nft_ct.c
> > @@ -29,6 +29,11 @@ struct nft_ct {
>
On Tue, Apr 12, 2016 at 06:14:26PM +0200, Florian Westphal wrote:
> diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
> index 25998fa..4ec1cea 100644
> --- a/net/netfilter/nft_ct.c
> +++ b/net/netfilter/nft_ct.c
> @@ -29,6 +29,11 @@ struct nft_ct {
> enum nft_registers
From: Joe Stringer
> Sent: 13 April 2016 19:10
> This is the IPv6 equivalent of commit 8282f27449bf ("inet: frag: Always
> orphan skbs inside ip_defrag()").
>
> Prior to commit 029f7f3b8701 ("netfilter: ipv6: nf_defrag: avoid/free
> clone operations"), ipv6 fragments sent to nf_ct_frag6_gather() w
David Laight wrote:
> From: Joe Stringer
> > Sent: 13 April 2016 19:10
> > This is the IPv6 equivalent of commit 8282f27449bf ("inet: frag: Always
> > orphan skbs inside ip_defrag()").
> >
> > Prior to commit 029f7f3b8701 ("netfilter: ipv6: nf_defrag: avoid/free
> > clone operations"), ipv6 fragm
Testcases for Netfilter bug #965:
* add rule at position
* insert rule at position
* replace rule with given handle
* delete rule with given handle
* don't allow to delete rules with position keyword
Netfilter Bugzilla: http://bugzilla.netfilter.org/show_bug.cgi?id=965
Signed-off-by: Arturo