Support for the nft hash expression in libnftnl.
Signed-off-by: Laura Garcia Liebana
---
include/buffer.h | 2 +
include/libnftnl/expr.h | 8 +
include/linux/netfilter/nf_tables.h | 21 +++
src/Makefile.am | 1 +
src/expr/hash.c
Use 'nftnl_expr_cmp' and 'nftnl_rule_cmp' in all tests instead of a custom
comparator for each one. If the objects differ, both are printed.
Signed-off-by: Carlos Falgueras García
---
tests/libtest.c | 44 +++
tests/libtest.h | 15 ++-
tests/nft-chain
This patch adds libtest.c and libtest.h to reduce test code and
consolidate it.
Signed-off-by: Carlos Falgueras García
---
.gitignore | 1 +
tests/Makefile.am | 52 +---
tests/libtest.c | 53 +
Signed-off-by: Carlos Falgueras García
---
tests/nft-expr_masq-test.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/nft-expr_masq-test.c b/tests/nft-expr_masq-test.c
index f0302e2..3f9903d 100644
--- a/tests/nft-expr_masq-test.c
+++ b/tests/nft-expr_masq-test.c
@@ -52,
Changes random values for macros because the conversion to string of these
values is performed by accessing an array of strings.
Signed-off-by: Carlos Falgueras García
---
tests/nft-expr_cmp-test.c | 2 +-
tests/nft-expr_nat-test.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
On 08/12/2016 01:32 AM, Pablo Neira Ayuso wrote:
On Thu, Aug 11, 2016 at 03:25:07PM +0200, Carlos Falgueras García wrote:
- cmp_nftnl_expr(rule_a,rule_b);
+ if (!nftnl_expr_cmp(rule_a, rule_b))
+ print_err("expressions mismatches:\n\texpr 1: %s\n\texpr 2: %s",
+
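Review bot: the message string in the print_err() call, "expressions mismatches", is ungrammatical; "expressions differ" (or "expression mismatch") reads better, e.g. print_err("expressions differ:\n\texpr 1: %s\n\texpr 2: %s", ...). The hunk is cut off after the format string, so the two arguments supplied for the %s conversions cannot be checked here.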
On 08/12/2016 01:26 AM, Pablo Neira Ayuso wrote:
On Thu, Aug 11, 2016 at 03:25:06PM +0200, Carlos Falgueras García wrote:
diff --git a/tests/libtest.c b/tests/libtest.c
new file mode 100644
index 000..91f2d5e
--- /dev/null
+++ b/tests/libtest.c
@@ -0,0 +1,49 @@
+#include
+
+#include
+#incl
Looking at expr_evaluate_concat(), 'off' might be zero and the error
checks not triggering (by having dtype != NULL and i->dtype->size > 0).
Decrementing it will then lead to casting -1 to unsigned during the call
to concat_subtype_lookup() will lead to bit-shifting in
concat_subtype_id() by a valu
As netlink_get_register() may return NULL, we must not pass the returned
data unchecked to expr_set_type() as that will dereference it. Since the
parser has failed at that point anyway, by returning early we can skip
the useless statement allocation that follows in
netlink_parse_ct_stmt().
Signed-
As for libnftnl, this series aims at fixing a number of issues
identified by covscan. And again, due to my limited overview of the
code-base, some of them might as well be invalid although I tried to
verify the issues as best as I can.
Phil Sutter (4):
evaluate: Fix datalen checks in expr_evalua
When being called from stmt_evaluate_reset(), it seems that 'base' might
actually be NULL, so better make sure it is not in proto_find_num().
Signed-off-by: Phil Sutter
---
This might be invalid in that if 'base' is NULL, ctx->pctx.family is
always either NFPROTO_INET or NFPROTO_BRIDGE. But if so
This part of the code is pretty weird due to suboptimal variable name
choice: 'data', 'len', 'datalen', 'data_len'.
But even without understanding all of it, the code checking 'datalen - 1
>= 0' assumes 'datalen - 1' may actually become negative, which is not
true since it is unsigned. So make 'da
2016-08-12 19:49 GMT+08:00 Pablo Neira Ayuso :
> On Fri, Aug 12, 2016 at 07:12:32PM +0800, Liping Zhang wrote:
>> 2016-08-12 18:34 GMT+08:00 Pablo Neira Ayuso :
> [...]
>> >
>> > I think it is a good time to kill compat /proc/net/ip_conntrack*. That
>> > has been there for so long already. So we ca
On Fri, Aug 12, 2016 at 02:39:50PM +0200, Phil Sutter wrote:
> From: Phil Sutter
>
> Apart from being a bad idea in general, the return statement contained
> in that macro in some cases leads to returning from functions without
> properly cleaning up, thereby causing memory leaks.
>
> Instead, j
From: Phil Sutter
Apart from being a bad idea in general, the return statement contained
in that macro in some cases leads to returning from functions without
properly cleaning up, thereby causing memory leaks.
Instead, just sanitize the value in 'ret' to not harm further calls of
snprintf() (as
On Wed, Aug 10, 2016 at 11:48:56AM +0200, Carlos Falgueras García wrote:
> This patch separates the rule identification from the rule localization, so
> the logic moves from the evaluator to the parser. This allows to revert the
> patch "evaluate: improve rule managment checks"
> (4176c7d30c2ff1b3f
On Fri, Aug 12, 2016 at 07:12:32PM +0800, Liping Zhang wrote:
> 2016-08-12 18:34 GMT+08:00 Pablo Neira Ayuso :
[...]
> >
> > I think it is a good time to kill compat /proc/net/ip_conntrack*. That
> > has been there for so long already. So we can inline this function,
> > this is the only one that n
This backward compatibility has been around for more than ten years,
since Yasuyuki Kozakai introduced IPv6 in conntrack. These days, we have
alternate /proc/net/nf_conntrack* entries, the ctnetlink interface and
the conntrack utility got adopted by many people in the user community
according to wh
Hi Pablo,
On Fri, Aug 12, 2016 at 12:24:43PM +0200, Pablo Neira Ayuso wrote:
> On Wed, Aug 03, 2016 at 03:21:28PM +0200, Florian Westphal wrote:
> > Once timer is removed from nf_conn struct we cannot open-code
> > the removal sequence anymore.
>
> @Simon and other IPVS folks: I'm going to take t
Hi Pablo,
2016-08-12 18:34 GMT+08:00 Pablo Neira Ayuso :
> On Sat, Jul 30, 2016 at 07:42:53PM +0800, Liping Zhang wrote:
>> From: Liping Zhang
>>
>> Since Commit 64b87639c9cb ("netfilter: conntrack: fix race between
>> nf_conntrack proc read and hash resize") introduced the
>> nf_conntrack_get_ht,
On Wed, Aug 10, 2016 at 03:23:07PM -0400, Willem de Bruijn wrote:
> From: Willem de Bruijn
>
> The xt_bpf module applies BPF bytecode to the packet. Depending on
> where the module is invoked, the kernel may pass a packet with or
> without link layer header. Iptables has no such header.
>
> A co
On Thu, Aug 11, 2016 at 06:02:07PM +0200, Laura Garcia Liebana wrote:
> This patch adds a new hash expression, this provides jhash support but
> this can be extended to support for other hash functions.
>
> The modulus and seed already comes embedded into this new expression.
>
> Use case example
On Sat, Jul 30, 2016 at 07:42:53PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> Since Commit 64b87639c9cb ("netfilter: conntrack: fix race between
> nf_conntrack proc read and hash resize") introduced the
> nf_conntrack_get_ht, so there's no need to check nf_conntrack_generation
> again and
On Wed, Aug 03, 2016 at 02:45:07AM +0200, Florian Westphal wrote:
> ... so we don't need to touch all of these places when we get rid of the
> timer in nf_conn.
Also applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...
On Wed, Aug 03, 2016 at 03:21:28PM +0200, Florian Westphal wrote:
> Once timer is removed from nf_conn struct we cannot open-code
> the removal sequence anymore.
@Simon and other IPVS folks: I'm going to take this patch since
Florian needs this merged for follow up patches.
So I'm dealing with th
On Sat, Jul 30, 2016 at 07:44:12PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> IP header checksum will be recalculated at ip_local_out, so
> there's no need to calculate it here, remove it. Also update
> code comments to illustrate it, and delete the misleading
> comments about checksum
Applied, thanks.
On Sat, Jul 23, 2016 at 07:21:47PM +0800, f...@ikuai8.com wrote:
> From: Gao Feng
>
> We only need first 4 bytes instead of 8 bytes to get the ports of
> tcp/udp/dccp/sctp/udplite in their pkt_to_tuple function.
Applied, thanks.
On Fri, Aug 12, 2016 at 02:47:46AM +0200, Phil Sutter wrote:
> On Fri, Aug 12, 2016 at 02:05:54AM +0200, Pablo Neira Ayuso wrote:
> > On Fri, Aug 12, 2016 at 01:58:17AM +0200, Pablo Neira Ayuso wrote:
> > > On Fri, Aug 12, 2016 at 01:33:32AM +0200, Phil Sutter wrote:
> > > > The following series ai
On Fri, Aug 12, 2016 at 02:44:58AM +0200, Phil Sutter wrote:
> On Fri, Aug 12, 2016 at 01:42:02AM +0200, Pablo Neira Ayuso wrote:
> > On Fri, Aug 12, 2016 at 01:33:34AM +0200, Phil Sutter wrote:
> > > From: Phil Sutter
> > >
> > > This is an ugly aspect of the SNPRINTF_BUFFER_SIZE() macro: it con
On Fri, Aug 12, 2016 at 01:13:52AM +0200, Pablo Neira Ayuso wrote:
> On Wed, Aug 10, 2016 at 06:11:51PM +0400, Loganaden Velvindron wrote:
> > It is easier to check that the calculation doesn't wrap or return a smaller
> > allocation.
>
> Could you review the netfilter tree in search for similar k
On Fri, Aug 12, 2016 at 01:13:52AM +0200, Pablo Neira Ayuso wrote:
> On Wed, Aug 10, 2016 at 06:11:51PM +0400, Loganaden Velvindron wrote:
> > It is easier to check that the calculation doesn't wrap or return a smaller
> > allocation.
>
> Could you review the netfilter tree in search for similar k