Liping Zhang wrote:
> From: Liping Zhang
>
> Add translation for connlabel to nftables.
> For examples:
>
> # iptables-translate -A INPUT -m connlabel --label bit40
> nft add rule ip filter INPUT ct label bit40 counter
>
> # iptables-translate -A INPUT -m connlabel ! --label bit40 --set
Liping Zhang wrote:
> From: Liping Zhang
>
> We only get nf_connlabels if the user add ct label set expr successfully,
> but we will also put nf_connlabels if the user delete ct lable get expr.
> This is mismathced, and will cause ct label expr cannot work properly.
>
> Also, if we init somethi
At 2016-07-16 17:04:39, "Florian Westphal" wrote:
>Liping Zhang wrote:
>>
>> # iptables-translate -A INPUT -m connlabel ! --label bit40 --set
>> nft add rule ip filter INPUT ct label set bit40 ct label != bit40 counter
>
>Should probably be:
>
>... ct label and bit40 != bit40 ...
>
>!= bit40
From: Liping Zhang
Add translation for connlabel to nftables.
For examples:
# iptables-translate -A INPUT -m connlabel --label bit40
nft add rule ip filter INPUT ct label bit40 counter
# iptables-translate -A INPUT -m connlabel ! --label bit40 --set
nft add rule ip filter INPUT ct label
Liping Zhang wrote:
> From: Liping Zhang
>
> Add translation for connlabel to nftables.
> For examples:
>
> # iptables-translate -A INPUT -m connlabel --label bit40
> nft add rule ip filter INPUT ct label bit40 counter
>
> # iptables-translate -A INPUT -m connlabel ! --label bit40 --set
From: Liping Zhang
When connlabel.conf is empty, nfct_labelmap_new will return NULL and
set errno to 0. So we will miss to check this situation, and cause NULL
deference in nfct_labelmap_get_bit.
Input the following commands will reproduce this crash:
# echo > /etc/xtables/connlabel.conf
# i
Liping Zhang wrote:
> From: Liping Zhang
>
> When connlabel.conf is empty, nfct_labelmap_new will return NULL and
> set errno to 0. So we will miss to check this situation, and cause NULL
> deference in nfct_labelmap_get_bit.
>
> Input the following commands will reproduce this crash:
> # ech
On Sat, Jul 16, 2016 at 06:42:24PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> Add translation for connlabel to nftables.
> For examples:
>
> # iptables-translate -A INPUT -m connlabel --label bit40
> nft add rule ip filter INPUT ct label bit40 counter
>
> # iptables-translate -A
On Sat, Jul 16, 2016 at 06:42:24PM +0800, Liping Zhang wrote:
> # iptables-translate -A INPUT -m connlabel ! --label bit40 --set
> nft add rule ip filter INPUT ct label set bit40 ct label and bit40 != bit40
> counter
I think this logic is inverted, I mean:
nft add rule ip filter INPUT ct lab
On Sat, Jul 16, 2016 at 04:51:30PM +0200, Pablo Neira Ayuso wrote:
> On Sat, Jul 16, 2016 at 06:42:24PM +0800, Liping Zhang wrote:
> > # iptables-translate -A INPUT -m connlabel ! --label bit40 --set
> > nft add rule ip filter INPUT ct label set bit40 ct label and bit40 !=
> > bit40 counter
>
Pablo Neira Ayuso wrote:
> On Sat, Jul 16, 2016 at 06:42:24PM +0800, Liping Zhang wrote:
> > # iptables-translate -A INPUT -m connlabel ! --label bit40 --set
> > nft add rule ip filter INPUT ct label set bit40 ct label and bit40 !=
> > bit40 counter
>
> I think this logic is inverted, I mean
Pablo Neira Ayuso wrote:
> On Sat, Jul 16, 2016 at 04:51:30PM +0200, Pablo Neira Ayuso wrote:
> > On Sat, Jul 16, 2016 at 06:42:24PM +0800, Liping Zhang wrote:
> > > # iptables-translate -A INPUT -m connlabel ! --label bit40 --set
> > > nft add rule ip filter INPUT ct label set bit40 ct label
12 matches
Mail list logo
