[PATCH nf-next] netfilter: nf_meta: support for nexthop and nexthop6

2016-09-13 Thread Anders K. Pedersen | Cohaesio
From: Anders K. Pedersen Add meta support for IPv4 nexthop and IPv6 nexthop6 (i.e. the directly connected IP address that an outgoing packet is sent to), which can be used either for matching or accounting, e.g. # nft add rule filter postrouting \ ip daddr 192.168.1.0/24 meta nexthop !=

[PATCH nft] meta: support for nexthop and nexthop6

2016-09-13 Thread Anders K. Pedersen | Cohaesio
From: Anders K. Pedersen Add meta support for IPv4 nexthop and IPv6 nexthop6 (i.e. the directly connected IP address that an outgoing packet is sent to), which can be used either for matching or accounting, e.g. # nft add rule filter postrouting \ ip daddr 192.168.1.0/24 meta nexthop !=

Re: [PATCH 0/4] Netfilter fixes for net

2016-09-13 Thread David Miller
From: Pablo Neira Ayuso Date: Tue, 13 Sep 2016 11:05:13 +0200 > The following patchset contains Netfilter fixes for your net tree, > they are: ... > You can pull these changes from: > > git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git Pulled, thanks Pablo.

[ANNOUNCE] netdev 1.2 tokyo weekly update (13th September, 2016)

2016-09-13 Thread Hajime Tazaki
Hello folks, I hope you're fine and ready to trip to Tokyo. Here is a weekly update of Netdev 1.2 Tokyo. == Keynote talk == We confirmed that David Miller will give a keynote titled "Fast Programmable Networks & Encapsulated Protocols". == Newly accepted sessions == We also accepted one ad

Re: [PATCH nf-next] netfilter: nft_queue: add _SREG_FROM and _SRGE_TO to select the queue numbers

2016-09-13 Thread Liping Zhang
2016-09-13 17:19 GMT+08:00 Pablo Neira Ayuso : > Hi Liping, > > A bit more comments on top of Florian's suggestion to use one single > _SREG. > > On Sun, Sep 11, 2016 at 10:05:28PM +0800, Liping Zhang wrote: >> diff --git a/net/netfilter/nft_queue.c b/net/netfilter/nft_queue.c >> static void nft_q

RE: Outlook Web-App

2016-09-13 Thread O'Malley, Mary
Your password expires in {2} Days. Current faculty and staff must log on to the site to validate your E-mail.

[PATCH v3 libnftnl] expr: numgen: add number generation offset

2016-09-13 Thread Laura Garcia Liebana
Add support to pass through an offset value to the counter initialization. With this feature, the sysadmin is able to apply a value to be added to the generated number. Example: meta mark set numgen inc mod 2 offset 100 This will generate marks with series 100, 101, 100, 101, ... Sugges

[PATCH v3] netfilter: nft_numgen: add number generation offset

2016-09-13 Thread Laura Garcia Liebana
Add support of an offset value for incremental counter and random. With this option the sysadmin is able to start the counter at a certain value and then apply the generated number. Example: meta mark set numgen inc mod 2 offset 100 This will generate marks with the series 100, 101, 100,

Re: [PATCH nf-next] netfilter: nft_queue: add _SREG_FROM and _SRGE_TO to select the queue numbers

2016-09-13 Thread Pablo Neira Ayuso
Hi Liping, A bit more comments on top of Florian's suggestion to use one single _SREG. On Sun, Sep 11, 2016 at 10:05:28PM +0800, Liping Zhang wrote: > diff --git a/net/netfilter/nft_queue.c b/net/netfilter/nft_queue.c > index d16d599..6557118 100644 > --- a/net/netfilter/nft_queue.c > +++ b/net/n

Re: [PATCH nf-next] netfilter: nf_queue: get rid of dependency on IP6_NF_IPTABLES

2016-09-13 Thread Pablo Neira Ayuso
On Tue, Sep 13, 2016 at 01:45:38PM +0800, Liping Zhang wrote: > 2016-09-13 1:50 GMT+08:00 Pablo Neira Ayuso : > > We have nft_queue support for bridge now, but nfqueue_hash() takes a > > pkt->pf parameter expecting NFPROTO_IPV4 or NFPROTO_IPV6. > > > > So nft_queue hashing with bridge is currently

[PATCH 2/4] netfilter: nft_chain_route: re-route before skb is queued to userspace

2016-09-13 Thread Pablo Neira Ayuso
From: Liping Zhang Imagine such a situation: a user adds the following nft rules, and queues the packets to userspace for further check: # ip rule add fwmark 0x0/0x1 lookup eth0 # ip rule add fwmark 0x1/0x1 lookup eth1 # nft add table filter # nft add chain filter output {type route hook output

[PATCH 3/4] netfilter: nf_nat: handle NF_DROP from nfnetlink_parse_nat_setup()

2016-09-13 Thread Pablo Neira Ayuso
nf_nat_setup_info() returns NF_* verdicts, so convert them to error codes, which is what ctnetlink expects. This has passed overlook without having any impact since this nf_nat_setup_info() has always returned NF_ACCEPT so far. Since 870190a9ec90 ("netfilter: nat: convert nat bysrc hash to rhashtable"

[PATCH 4/4] netfilter: synproxy: Check oom when adding synproxy and seqadj ct extensions

2016-09-13 Thread Pablo Neira Ayuso
From: Gao Feng When memory is exhausted, nfct_seqadj_ext_add may fail to add the synproxy and seqadj extensions. The function nf_ct_seqadj_init doesn't check if it gets a valid seqadj pointer from nfct_seqadj. Now drop the packet directly when it fails to add the seqadj extension to avoid dereferencing a NULL p

[PATCH 1/4] netfilter: nf_tables_trace: fix endianness when dumping chain policy

2016-09-13 Thread Pablo Neira Ayuso
From: Liping Zhang NFTA_TRACE_POLICY attribute is big endian, but we forget to call htonl to convert it. Fortunately, this attribute is parsed as big endian in libnftnl. Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_tables_trace.c | 2 +- 1 file changed, 1

[PATCH 0/4] Netfilter fixes for net

2016-09-13 Thread Pablo Neira Ayuso
Hi David, The following patchset contains Netfilter fixes for your net tree, they are: 1) Endianness fix for the new nf_tables netlink trace infrastructure, NFTA_TRACE_POLICY endianness was not correct, patch from Liping Zhang. 2) Fix broken re-route after userspace queueing in nf_tables route

Re: [PATCH v8 nf] netfilter: synproxy: Check oom when adding synproxy and seqadj ct extensions

2016-09-13 Thread Pablo Neira Ayuso
On Tue, Sep 13, 2016 at 08:49:18AM +0800, f...@ikuai8.com wrote: > From: Gao Feng > > When memory is exhausted, nfct_seqadj_ext_add may fail to add the > synproxy and seqadj extensions. The function nf_ct_seqadj_init doesn't > check if get valid seqadj pointer by the nfct_seqadj. > > Now drop th

Re: [PATCH] netfilter: nft_hash: fix hash overflow validation

2016-09-13 Thread Pablo Neira Ayuso
On Tue, Sep 13, 2016 at 10:21:46AM +0200, Laura Garcia Liebana wrote: > The overflow validation in the init() function establishes that the > maximum value that the hash could reach is less than U32_MAX, which is > likely to be true. > > The fix detects the overflow when the maximum hash value is

[PATCH] netfilter: nft_hash: fix hash overflow validation

2016-09-13 Thread Laura Garcia Liebana
The overflow validation in the init() function establishes that the maximum value that the hash could reach is less than U32_MAX, which is likely to be true. The fix detects the overflow when the maximum hash value is less than the offset itself. Fixes: 70ca767ea1b2 ("netfilter: nft_hash: Add has

Re: [PATCH v2] netfilter: nft_hash: Add hash offset value

2016-09-13 Thread Laura Garcia
On Tue, Sep 13, 2016 at 02:25:03PM +0800, Liping Zhang wrote: > Hi Laura, > > 2016-09-06 14:44 GMT+08:00 Laura Garcia Liebana : > > static int nft_hash_init(const struct nft_ctx *ctx, > > @@ -60,6 +62,11 @@ static int nft_hash_init(const struct nft_ctx *ctx, > > !tb[NFTA_HASH_MODULUS]