From 5a4a39fd4373e78b0019b0180718e96c85b1fdd7 Mon Sep 17 00:00:00 2001
From: Duan Jiong
Date: Thu, 16 Feb 2017 11:07:38 +0800
Subject: [PATCH] nfnetlink_log: fix the typo
s/nfetlink/nfnetlink/
Signed-off-by: Duan Jiong
---
net/netfilter/nfnetlink_log.c | 2 +-
1 file changed, 1 insertion(+),
On Mon, Feb 13, 2017 at 7:24 PM, Richard Guy Briggs wrote:
> On 2017-02-13 18:50, Paul Moore wrote:
>> On Mon, Feb 13, 2017 at 3:50 PM, Richard Guy Briggs wrote:
...
>> > helpful action, hook
>>
>> I haven't checked, but do we allow setting of an audit key in
>> NETFILTER_PKT records?
Klaus Ethgen wrote:
> allow me to ask a question about conntrack and nf_conntrack_ftp and
> nf_nat_ftp and DNAT.
>
> I have a host where I do DNAT from the main IPv4 address to the backend
> ftp server. Currently I have the server data connections limited to a
> small port range and have a hard w
If we use before/after to add an element to an empty list it will cause
a kernel panic.
$> cat crash.restore
create a hash:ip
create b hash:ip
create test list:set timeout 5 size 4
add test b before a
$> ipset -R < crash.restore
Executing the above will crash the kernel.
Signed-off-by: Vishwana
Pablo Neira Ayuso wrote:
> > Note from myself, i dislike L3PROTO, it would be nicer to be able
> > to handle this via the table family but I did not yet find a way
> > to detect this from the obj->init() function.
>
> We can pass nft_ctx to obj->init().
OK, I can make that change then, no proble
On 02/15/2017 04:33 AM, Jozsef Kadlecsik wrote:
> Hi,
>
> On Tue, 14 Feb 2017, Vishwanath Pai wrote:
>
>> I noticed that in recent versions of ipset the parameter 'size' in set
>> type list:set is ignored. I noticed this change in the latest upstream
>> code. In kernel 4.1 'ipset add' errors ou
Hi Anatole,
I am aware of this option, but this is still not what I want. For
example, I want to have a firewall rule
"tcp ssh user fabian accept"
to have a rule with my user in the match. For the authentication, a
captive portal or a radius server for 802.1X may be an option. The user
is part
On Wed, Feb 15, 2017 at 6:21, Fabian Franz wrote:
Dear Mr. Cochran,
even if your document looks good, I am looking for some documentation
related to nftables - iptables is NO option because I want to implement
a kernel module for nftables doing that.
The problem is, that there is a wiki
Dear Mr. Cochran,
even if your document looks good, I am looking for some documentation
related to nftables - iptables is NO option because I want to implement
a kernel module for nftables doing that.
The problem is, that there is a wiki how to use it, but there is no
information how to extend i
On Wed, Feb 15, 2017 at 05:25:36PM +0100, Florian Westphal wrote:
> This RFC adds native support to assign conntrack helpers.
> Not even compile tested.
>
> It adds NFT_OBJECT_CT_HELPER to assign helpers to connections
> by using the stateful objects infra that is in place for quota and counter.
>
This RFC adds native support to assign conntrack helpers.
Not even compile tested.
It adds NFT_OBJECT_CT_HELPER to assign helpers to connections
by using the stateful objects infra that is in place for quota and counter.
This would also need NFT_OBJECT_CT_TIMEOUT to support
custom timeouts in nft
Hi there,
is there some documentation available how to create a custom match for a
firewall rule (nftables).
What I want to create is a custom match which will query a user space
application, if the packet is allowed (returning a bool value)?
Kind regards
Fabian Franz
Add __nftnl_nlmsg_build_hdr() so nftnl_batch_build_hdr() and
nftnl_nlmsg_build_hdr() share the same code.
Signed-off-by: Pablo Neira Ayuso
---
include/libnftnl/common.h | 4 ++--
src/common.c | 41 ++---
2 files changed, 20 insertions(+), 25 dele
Useful to append netlink attributes after the batch headers.
Signed-off-by: Pablo Neira Ayuso
---
include/libnftnl/common.h | 4 ++--
src/common.c | 12 ++--
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/include/libnftnl/common.h b/include/libnftnl/common.h
This patch adds the new NFTA_RULE_ID attribute.
Signed-off-by: Pablo Neira Ayuso
---
include/libnftnl/rule.h | 1 +
include/linux/netfilter/nf_tables.h | 2 ++
src/rule.c | 38 -
3 files changed, 40 insertions(+), 1 delet
Hi,
On Tue, 14 Feb 2017, Vishwanath Pai wrote:
> I noticed that in recent versions of ipset the parameter 'size' in set
> type list:set is ignored. I noticed this change in the latest upstream
> code. In kernel 4.1 'ipset add' errors out when I try to add more
> elements than 'size' but in 4.1