Hello,
On Tue, 14 Jun 2016, Quentin Armitage wrote:
> This series of patches arises from discovering that:
> ipvsadm --start-daemon backup --mcast-group IPv6_address ...
> would always fail.
>
> The first patch resolves the problem. The second and third patches are
> optimizations that w
ip[6]tables currently waits for 1 second for the xtables lock to be
freed if the -w option is used. We have seen that the lock is held
much less than that resulting in unnecessary delay when trying to
acquire the lock. This problem is even more severe for latency-sensitive
applications.
Introduc
From: "Eric W. Biederman"
Making this work is a little tricky as it really isn't kosher to
change the xt_owner_match_info in a check function.
Without changing xt_owner_match_info we need to know the user
namespace the uids and gids are specified in. In the common case
net->user_ns == current_u
(1) If the subnet mask is unspecified with an IPv4 address, the rule
lists as
iptables -I PREROUTING -t nat -j NETMAP --to to:1.2.3.4/32
Remove this and make the rule list as
iptables -I PREROUTING -t nat -j NETMAP --to to:1.2.3.4
(2) Fix the tests for NETMAP for IPv4.
Before this patch,
ERROR:
Add translation of conntrack to nftables.
Examples:
$ sudo iptables-translate -t filter -A INPUT -m conntrack --ctstate NEW,RELATED
-j ACCEPT
nft add rule ip filter INPUT ct state { new,related } counter accept
$ sudo ip6tables-translate -t filter -A INPUT -m conntrack ! --ctstate
NEW,RELATED
On Tue, Jun 14, 2016 at 07:12:22PM +0200, rodan...@gmail.com wrote:
> From: Roberto García
>
> Add translation for the MARK target to nftables.
>
> Examples:
>
> $ sudo iptables-translate -t mangle -A OUTPUT -j MARK --set-mark 64
>
> nft add rule ip mangle OUTPUT counter meta mark set 0x40
>
From: Roberto García
Add translation for the MARK target to nftables.
Examples:
$ sudo iptables-translate -t mangle -A OUTPUT -j MARK --set-mark 64
nft add rule ip mangle OUTPUT counter meta mark set 0x40
$ sudo iptables-translate -t mangle -A OUTPUT -j MARK --set-xmark 0x40/0x32
nft add rul
On Thu, Jun 09, 2016 at 12:24:53AM +0200, Roberto García wrote:
> diff --git a/extensions/libxt_MARK.c b/extensions/libxt_MARK.c
> index 556dbde..ec1ed05 100644
> --- a/extensions/libxt_MARK.c
> +++ b/extensions/libxt_MARK.c
> @@ -245,6 +245,28 @@ static void mark_tg_save(const void *ip,
> const st
On Thu, Jun 09, 2016 at 09:54:22PM +0200, Laura Garcia Liebana wrote:
> Add translation for cgroup to nft. Path parameter not supported in nft
> yet.
>
> Examples:
>
> $ sudo iptables-translate -t filter -A INPUT -m cgroup --cgroup 0 -j ACCEPT
> nft add rule ip filter INPUT meta cgroup 0 counter
On Wed, Jun 08, 2016 at 07:47:28PM +0200, Laura Garcia Liebana wrote:
> $ sudo iptables-translate -t filter -A INPUT -m frag --fragid 100:200
> --fraglast -j ACCEPT
^^
> nft add rule ip6 filter INPUT frag id 100-200 f
Hi Pablo,
On Tue, Jun 14, 2016 at 8:38 PM, Pablo Neira Ayuso wrote:
> Cc'ing netfilter-devel.
>
> On Tue, Jun 14, 2016 at 07:39:27PM +0530, Kishan Sandeep wrote:
>> + netdev
>>
>> On Sat, Jun 11, 2016 at 10:18 AM, Kishan Sandeep
>> wrote:
>> > strncpy is generally preferable for non-terminated
>> >
On Fri, Jun 10, 2016 at 02:22:46PM +0200, Carlos Falgueras García wrote:
> When you set an object attribute the memory is copied; sometimes an
> allocation is needed and it must be checked. Before this patch all setter
> methods returned void, so this patch makes all setters return int instead of void
Applied, thanks Carlos.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
On Tue, Jun 14, 2016 at 08:07:41PM +0800, Liping Zhang wrote:
> Hi pablo,
>
> At 2016-06-14 02:19:02, "Pablo Neira Ayuso" wrote:
> >On Sat, Jun 11, 2016 at 12:20:27PM +0800, Liping Zhang wrote:
> >
> >Thanks for tracking down and fixing this one.
> >
> >I've made a new version based on your origi
Cc'ing netfilter-devel.
On Tue, Jun 14, 2016 at 07:39:27PM +0530, Kishan Sandeep wrote:
> + netdev
>
> On Sat, Jun 11, 2016 at 10:18 AM, Kishan Sandeep
> wrote:
> > strncpy is generally preferable for non-terminated
> > fixed-width strings. For NULL termination strlcpy
> > is preferable.
> >
> > Si
When using HEAD from
https://git.kernel.org/cgit/utils/kernel/ipvsadm/ipvsadm.git/,
the command:
ipvsadm --start-daemon backup --mcast-interface eth0.60 --mcast-group ff01::1:81
fails with the error message:
Argument list too long
whereas both:
ipvsadm --start-daemon master --mcast-interface eth0
Optimise starting sync daemons by using the result of the first call to
__dev_get_by_name() and pass the result or ifindex to subsequent functions
to avoid them having to call __dev_get_by_name() again.
Signed-off-by: Quentin Armitage
---
net/netfilter/ipvs/ip_vs_sync.c | 59 --
This series of patches arises from discovering that:
ipvsadm --start-daemon backup --mcast-group IPv6_address ...
would always fail.
The first patch resolves the problem. The second and third patches are
optimizations that were noticed while investigating the original problem.
The fourth patch adds
Move the block testing result < 0 to avoid the test immediately
after setting result = 0
Signed-off-by: Quentin Armitage
---
net/netfilter/ipvs/ip_vs_sync.c | 12 ++--
1 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip
Add new multicast parameters to log messages when sync daemons start.
Commits ("ipvs: add sync_maxlen parameter for the sync
daemon") and ("ipvs: add more mcast parameters for the
sync daemon") added additional multicast parameters, but didn't add
them to the log messages when the sync daemons s
When other settings are changed in the socket it is locked, so
lock the socket before setting SK_CAN_REUSE.
Signed-off-by: Quentin Armitage
---
net/netfilter/ipvs/ip_vs_sync.c |2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilte
On Mon, Jun 13, 2016 at 09:06:55PM -0500, Eric W. Biederman wrote:
> Florian Westphal writes:
>
> > Kevin Cernekee wrote:
> >> @@ -35,6 +63,7 @@ owner_mt(const struct sk_buff *skb, struct
> >> xt_action_param *par)
> >>const struct xt_owner_match_info *info = par->matchinfo;
> >>const s
This machinery was introduced to avoid sudden compilation breakage of
old nftables releases. With the release of 0.6 (and 0.5 which is now 9
months old) this is not required anymore. Moreover, users gain nothing
from older releases since they are half-boiled and full of bugs.
So let's get rid of a
Shuffle the values that are used to set attributes; this variability should
help us catch more problems in the future.
Signed-off-by: Pablo Neira Ayuso
---
tests/nft-chain-test.c | 10 +-
tests/nft-expr_bitwise-test.c | 4 ++--
tests/nft-expr_cmp-test.c | 2 +-
tests/nft-ex
If this attribute is not supported by the library, we should raise an
assertion so the client knows something is wrong, instead of silently
going through.
The only case I can think of that may hit this problem is a version mismatch
between the library and the tools. This should not ever really happen, so better
bail
Let the client of this library decide when to display error messages.
Signed-off-by: Pablo Neira Ayuso
---
src/expr/data_reg.c | 9 +++--
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/src/expr/data_reg.c b/src/expr/data_reg.c
index 6aa47bc..688823b 100644
--- a/src/expr/data_
Just in case we ever support chains with larger names in the future,
this will ensure the library doesn't break. I don't expect to be
allocating more bytes for this anytime soon, but let's be conservative
here.
Signed-off-by: Pablo Neira Ayuso
---
src/chain.c | 23 +--
1 fi
If the attribute is set as we already check at the beginning of this
function, then we can release the object.
Signed-off-by: Pablo Neira Ayuso
---
src/chain.c| 15 +++
src/rule.c | 10 ++
src/ruleset.c | 4
src/set.c | 15 +--
src/set_elem.c |
And pass up an error to the caller.
Signed-off-by: Pablo Neira Ayuso
---
src/chain.c | 6 ++
src/expr/data_reg.c | 3 +++
src/expr/dynset.c| 4
src/expr/immediate.c | 2 ++
src/expr/log.c | 4
src/expr/lookup.c| 4
src/rule.c | 4
So the client can bail out on memory allocation errors. Or, in the case of a
daemon, make sure things are left in a consistent state before bailing
out.
Signed-off-by: Pablo Neira Ayuso
---
include/libnftnl/chain.h | 4 ++--
include/libnftnl/expr.h | 4 ++--
include/libnftnl/gen.h | 6 +++---
inclu
Now that unsetters don't set pointers to NULL, check if the attribute is
set before trying to release it.
Signed-off-by: Pablo Neira Ayuso
---
src/chain.c | 18 ++
src/expr/immediate.c | 2 +-
src/expr/log.c | 2 +-
src/expr/match.c | 4 ++--
src/expr/target
Hi Florian,
At 2016-06-08 20:59:32, "Florian Westphal" wrote:
>
>With nftables we have a new infrastructure in place that emits trace info via
>nfnetlink.
>
>So loading nf_log_ipX isn't needed anymore in nft.
Yes, in nftables, user can use "nft monitor" to get the trace info.
But I think it is a
Hi pablo,
At 2016-06-14 02:19:02, "Pablo Neira Ayuso" wrote:
>On Sat, Jun 11, 2016 at 12:20:27PM +0800, Liping Zhang wrote:
>
>Thanks for tracking down and fixing this one.
>
>I've made a new version based on your original patch, find it
>attached.
>
>Basically, the idea is to pass the genmask th
From: Liping Zhang
nft_genmask_cur has already done left-shift operator on the gencursor,
so there's no need to do left-shift operator on it again.
Fixes: ea4bd995b0f2 ("netfilter: nf_tables: add transaction helper functions")
Cc: Patrick McHardy
Signed-off-by: Liping Zhang
---
net/netfilter/
Hi,
We'll be performing several maintenance tasks on the netfilter.org
infrastructure next Thu 16th June 2016 starting 12:00 CEST (Central
European Time).
Sorry for the inconvenience.
Thanks!