It make more sense to use "isprint" than "isalnum" because we use non
alphanumeric characters like '%', '_', etc. And, in case of non printable
character, print a space is preferable to print a NULL (0) in order to keep
alignment.
Before:
...
|00012|--|2||len |flags| type|
| 5f 5f 73 6
On Tue, Jun 07, 2016 at 05:08:10PM +0200, Pablo Neira Ayuso wrote:
> Carlos,
>
> On Tue, May 31, 2016 at 12:08:32PM +0200, Carlos Falgueras García wrote:
> > Check all strdup possible error and treat it consequently.
>
> Please, manually apply these two patches in your local working copy:
>
> ht
Pablo Neira Ayuso wrote:
> + if (attr > NFTNL_CHAIN_MAX) {
> + errno = -EOPNOTSUPP;
The negation should be dropped.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vg
On Wed, Jun 08, 2016 at 01:37:41PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > + if (attr > NFTNL_CHAIN_MAX) {
> > + errno = -EOPNOTSUPP;
>
> The negation should be dropped.
Right, this should be:
errno = EOPNOTSUPP;
--
To unsubscribe from this list
On Tue, Jun 07, 2016 at 11:02:30AM -0700, Joe Perches wrote:
> On Tue, 2016-06-07 at 19:34 +0200, Pablo Neira Ayuso wrote:
> > On Tue, Jun 07, 2016 at 10:04:40AM -0700, Joe Perches wrote:
> > > One more question, is this chunk below correct from
> > > coding style point of view?
> >
> > if
On Tue, Jun 07, 2016 at 07:06:15PM -0400, Vishwanath Pai wrote:
> On 06/06/2016 06:31 PM, Pablo Neira Ayuso wrote:
> > On Wed, Jun 01, 2016 at 08:23:54PM -0400, Vishwanath Pai wrote:
> >> netfilter/nflog: nflog-range does not truncate packets
> >>
> >> The --nflog-range parameter from userspace is
From: Liping Zhang
When user add a nft rule to set nftrace to zero, for example:
# nft add rule ip filter input nftrace set 0
We should set nf_trace to zero also.
Signed-off-by: Liping Zhang
---
net/netfilter/nft_meta.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net
From: Liping Zhang
Instead, we can convert invert flag and ensure it is 1 or 0.
Signed-off-by: Liping Zhang
---
net/netfilter/xt_cpu.c | 12 +---
1 file changed, 1 insertion(+), 11 deletions(-)
diff --git a/net/netfilter/xt_cpu.c b/net/netfilter/xt_cpu.c
index c7a2e54..ca1eaaf 100644
From: Liping Zhang
When we request NFPROTO_INET, it means both NFPROTO_IPV4 and NFPROTO_IPV6.
Signed-off-by: Liping Zhang
---
net/netfilter/nf_log.c | 20
1 file changed, 20 insertions(+)
diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index a5d41df..73b845d
From: Liping Zhang
This patch set solve such problem, for example, if we add a following
iptables rule:
# iptables -t raw -I PREROUTING -j TRACE
And nf_log_ipv4 kernel module is not installed, no trace log
will be generated, until we install the nf_log_ipv4 module manully.
This is not friendly
From: Liping Zhang
Like xt_TRACE do, we should request related nf_log module appropriately.
Otherwise, if the nf_log_ipv4 kernel module is not installed, and the
user add the following nft rule:
# nft add rule filter input nftrace set 1
There will be no trace log generated until we install nf_
From: Liping Zhang
Since nf_logger_find_get and nf_logger_put can handle NFPROTO_INET
properly, we can remove the special process logic now.
Signed-off-by: Liping Zhang
---
net/netfilter/nft_log.c | 21 +
1 file changed, 1 insertion(+), 20 deletions(-)
diff --git a/net/net
From: Liping Zhang
Consider such situation, if nf_log_ipv4 kernel module is not installed,
and the user add a following iptables rule:
# iptables -t raw -I PREROUTING -j TRACE
There will be no trace log generated until the user install nf_log_ipv4
module manully. So we should add request relat
From: Liping Zhang
For example:
# iptables-translate -t raw -A PREROUTING -j TRACE
nft add rule ip raw PREROUTING counter nftrace set 1
Signed-off-by: Liping Zhang
---
extensions/libxt_TRACE.c | 8
1 file changed, 8 insertions(+)
diff --git a/extensions/libxt_TRACE.c b/extension
Liping Zhang wrote:
> From: Liping Zhang
>
> Like xt_TRACE do, we should request related nf_log module appropriately.
> Otherwise, if the nf_log_ipv4 kernel module is not installed, and the
> user add the following nft rule:
> # nft add rule filter input nftrace set 1
>
> There will be no tra
Liping Zhang wrote:
> From: Liping Zhang
>
> Consider such situation, if nf_log_ipv4 kernel module is not installed,
> and the user add a following iptables rule:
> # iptables -t raw -I PREROUTING -j TRACE
>
> There will be no trace log generated until the user install nf_log_ipv4
> module ma
On Wed, Jun 08, 2016 at 08:47:03PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> For example:
>
> # iptables-translate -t raw -A PREROUTING -j TRACE
> nft add rule ip raw PREROUTING counter nftrace set 1
Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe net
Hi!
We are organizing a public user day at the Vrije Universiteit (VU)
Amsterdam on June 27th 2016. This day is titled "Suricata meets
Netfilter" and brings talks about the Linux Netfilter/nftables
Firewall project and the Suricata IDS/IPS project.
Keynote will be delivered by Linux NetDev mainta
On Wed, 2016-06-08 at 13:52 +0200, Pablo Neira Ayuso wrote:
> On Tue, Jun 07, 2016 at 11:02:30AM -0700, Joe Perches wrote:
> > On Tue, 2016-06-07 at 19:34 +0200, Pablo Neira Ayuso wrote:
> > > On Tue, Jun 07, 2016 at 10:04:40AM -0700, Joe Perches wrote:
> > > > One more question, is this chunk belo
On Wed, Jun 08, 2016 at 09:52:30AM -0700, Joe Perches wrote:
> On Wed, 2016-06-08 at 13:52 +0200, Pablo Neira Ayuso wrote:
> > On Tue, Jun 07, 2016 at 11:02:30AM -0700, Joe Perches wrote:
> > > On Tue, 2016-06-07 at 19:34 +0200, Pablo Neira Ayuso wrote:
> > > > On Tue, Jun 07, 2016 at 10:04:40AM -0
On Wed, Jun 08, 2016 at 07:31:21PM +0200, Pablo Neira Ayuso wrote:
> Then you can follow up with a patch to add this function.
>
> Just a suggestion, let me know if this is fine with you.
Forget this idea.
Actually your patch from: Date: Tue, 07 Jun 2016 11:02:30 -0700
looks easier to readable
Add translation for frag to nftables. According to the --fraglen code:
case O_FRAGLEN:
/*
* As of Linux 3.0, the kernel does not check for
* fraglen at all.
*/
In addition, the kernel code doesn't show any reference to the
Add translation for the MARK target to nftables.
Examples:
$ sudo iptables-translate -t mangle -A OUTPUT -j MARK --set-mark 64
nft add rule ip mangle OUTPUT counter meta mark set 0x40
$ sudo iptables-translate -t mangle -A OUTPUT -j MARK --set-xmark 0x40/0x32
nft add rule ip mangle OUTPUT cou
23 matches
Mail list logo
