Hi Pablo,
2016-10-13 20:02 GMT+08:00 Pablo Neira Ayuso :
> +int nf_queue(struct sk_buff *skb, const struct nf_hook_state *state,
> +unsigned int queuenum, bool bypass)
> +{
> + int ret;
> +
> + ret = __nf_queue(skb, state, queuenum);
> + if (ret < 0) {
> +
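Review bot: the new `bool bypass` parameter in the nf_queue() signature is not referenced anywhere in the visible lines, which only pass skb, state and queuenum to __nf_queue() and then test `ret < 0`; if that `ret < 0` branch is where bypass is meant to decide between dropping the packet and letting it continue when no queue is bound, that decision should be spelled out there and the parameter documented in the commit message, otherwise it is dead and should be dropped from the signature.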
On Fri, Oct 14, 2016 at 04:06:15PM +0800, Liping Zhang wrote:
> Hi Pablo,
>
> 2016-10-13 20:02 GMT+08:00 Pablo Neira Ayuso :
> > +int nf_queue(struct sk_buff *skb, const struct nf_hook_state *state,
> > +unsigned int queuenum, bool bypass)
> > +{
> > + int ret;
> > +
> > + r
On 13/10/2016 at 22:43, Florian Westphal wrote:
> Nicolas Dichtel wrote:
>> On 10/10/2016 at 16:04, Florian Westphal wrote:
>>> Nicolas Dichtel wrote:
After commit b87a2f9199ea ("netfilter: conntrack: add gc worker to remove
timed-out entries"), netlink conntrack deletion events may
On Fri, Oct 14, 2016 at 11:53:30AM +0200, Pablo Neira Ayuso wrote:
[...]
> BTW, looking at ipt_mangle_out():
>
> ret = ipt_do_table(skb, state, state->net->ipv4.iptable_mangle);
> /* Reroute for ANY change. */
> if (ret != NF_DROP && ret != NF_STOLEN) {
> i
Make sure we skip the current hook from where the packet was enqueued,
otherwise the packets get enqueued over and over again.
Fixes: e3b37f11e6e4 ("netfilter: replace list_head with single linked list")
Signed-off-by: Pablo Neira Ayuso
---
v2: Make sure next hook is non-null, otherwise we are a
Nicolas Dichtel wrote:
> On 13/10/2016 at 22:43, Florian Westphal wrote:
> > Nicolas Dichtel wrote:
> >> On 10/10/2016 at 16:04, Florian Westphal wrote:
> >>> Nicolas Dichtel wrote:
> After commit b87a2f9199ea ("netfilter: conntrack: add gc worker to remove
> timed-out entries"), n
On Fri, Oct 14, 2016 at 12:37:26PM +0200, Florian Westphal wrote:
> Nicolas Dichtel wrote:
> > On 13/10/2016 at 22:43, Florian Westphal wrote:
[...]
> > > (Or cause too many useless scans)
> > >
> > > Another idea worth trying might be to get rid of the max cap and
> > > instead break early in
Pablo Neira Ayuso wrote:
> I would prefer not to expose sysctl knobs, if we don't really know
> what good default values are good, then we cannot expect our users to
> know this for us.
>
> I would go tune this in a way that this resembles to the previous
> behaviour.
I do not see how this is po
Bjørnar Ness wrote:
> 2016-10-12 8:19 GMT+02:00 Michal Kubecek :
> > On Wed, Oct 12, 2016 at 12:17:24AM +0200, Bjørnar Ness wrote:
> >>
> >> Yeah, sortoff. But afaik rpfilter is a iptables module, and not
> >> available in nftables yet.
> >>
> >> Pablo: is the "lookup in routing table from nftable
Pablo Neira Ayuso wrote:
> On Fri, Oct 14, 2016 at 04:06:15PM +0800, Liping Zhang wrote:
> > Hi Pablo,
> >
> > 2016-10-13 20:02 GMT+08:00 Pablo Neira Ayuso :
> > > +int nf_queue(struct sk_buff *skb, const struct nf_hook_state *state,
> > > +unsigned int queuenum, bool bypass)
> > > +{
On Fri, Oct 14, 2016 at 05:38:12PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > On Fri, Oct 14, 2016 at 04:06:15PM +0800, Liping Zhang wrote:
> > > Hi Pablo,
> > >
> > > 2016-10-13 20:02 GMT+08:00 Pablo Neira Ayuso :
> > > > +int nf_queue(struct sk_buff *skb, const struct nf_hook_
2016-10-14 13:44 GMT+02:00 Florian Westphal :
> Bjørnar Ness wrote:
>>
>> ip saddr rt_table 10 drop
>>
>> comments?
>
> I don't really understand why you would want this.
>
> If you only want to match saddr, why not use ipset (or nftables set) for
> this?
It's hard to populate via routing protocol
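For reference, the set-based alternative Florian refers to, written out as an added example that is not part of the thread; the table name `filter`, the set name `blocked_src` and the addresses in it are assumptions chosen for illustration (RFC 5737 documentation ranges), not anything the thread specifies:

```nft
# Added example: match source addresses against a named nftables set
# instead of performing a routing-table lookup in the rule.
table inet filter {
    # Interval set so both single hosts and prefixes can be members.
    set blocked_src {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.7 }
    }

    chain input {
        type filter hook input priority 0; policy accept;
        # One rule, lookups are O(log n) in the set regardless of size.
        ip saddr @blocked_src drop
    }
}
```

Members can be changed at runtime without touching the rule, e.g. `nft add element inet filter blocked_src { 203.0.113.0/24 }` or the matching `delete element`, which is what a daemon consuming routing updates would drive; what the set cannot do on its own is follow the kernel routing table, which is the gap Bjørnar's `rt_table` match proposal is aimed at.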
On Fri, Oct 07, 2016 at 07:08:48PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> This patch set fixes some bugs related to translation:
> * libipt_realm: add a missing space
> * libxt_iprange: ip6tables translation's format is not correct
> * libxt_iprange & libxt_devgroup: handle the
On Fri, Oct 14, 2016 at 06:47:20PM +0200, Pablo Neira Ayuso wrote:
> On Fri, Oct 14, 2016 at 05:38:12PM +0200, Florian Westphal wrote:
> > Pablo Neira Ayuso wrote:
> > > On Fri, Oct 14, 2016 at 04:06:15PM +0800, Liping Zhang wrote:
> > > > Hi Pablo,
> > > >
> > > > 2016-10-13 20:02 GMT+08:00 Pablo