Re: [PATCH nf-next v2 2/2] netfilter: nft_hash: support of symmetric hash

2017-02-28 Thread Liping Zhang
Hi, 2017-03-01 1:38 GMT+08:00 Laura Garcia Liebana : [...] > +static const struct nft_expr_ops * > +nft_hash_select_ops(const struct nft_ctx *ctx, > + const struct nlattr * const tb[]) > +{ > + u32 type; > + > + if (!tb[NFTA_HASH_TYPE]) > + return ERR_PT

Re: nft authentication

2017-02-28 Thread Florian Westphal
Fabian Franz wrote: > I am working on my module but I cannot get the match visible to the nft > tool. Could you please give me a hint, what is wrong in the code? I have > uploaded it to my web server: http://files.fabian-franz.eu/nft_auth.c I do not know what 'visible to the nft tool' means. No '

[PATCH] netfilter: Use pr_cont where appropriate

2017-02-28 Thread Joe Perches
Logging output was changed when simple printks without KERN_CONT are now emitted on a new line and KERN_CONT is required to continue lines, so use pr_cont. Miscellanea: o realign arguments o use print_hex_dump instead of a local variant Signed-off-by: Joe Perches --- net/bridge/netfilter/ebt_lo

Re: [PATCH lnfct 2/2] conntrack: revert getobjopt_is_nat condition

2017-02-28 Thread Ken-ichirou MATSUZAWA
Hi, Pablo On Tue, Feb 28, 2017 at 12:48:09PM +0100, Pablo Neira Ayuso wrote: > So you want to check if the addresses mismatch, so we infer from there > if there is NAT or not when status bits are not available. > > Are you trying to catch up some case in netlink event specifically? It's nothin

Re: [PATCH V3] audit: normalize NETFILTER_PKT

2017-02-28 Thread Paul Moore
On Sun, Feb 26, 2017 at 3:49 PM, Richard Guy Briggs wrote: > Eliminate flipping in and out of message fields, dropping fields in the > process. > > Sample raw message format IPv4 UDP: > type=NETFILTER_PKT msg=audit(1487874761.386:228): mark=0xae8a2732 > saddr=127.0.0.1 daddr=127.0.0.1 proto=17^

nft authentication

2017-02-28 Thread Fabian Franz
Hi all, I am working on my module but I cannot get the match visible to the nft tool. Could you please give me a hint, what is wrong in the code? I have uploaded it to my web server: http://files.fabian-franz.eu/nft_auth.c The match should be "auth ". Kind regards Fabian Franz -- To unsubsc

[PATCH nft v2] src: hash: support of symmetric hash

2017-02-28 Thread Laura Garcia Liebana
This patch provides symmetric hash support according to source ip address and port, and destination ip address and port. The new attribute NFTA_HASH_TYPE has been included to support different types of hashing functions. Currently supported NFT_HASH_JENKINS through jhash and NFT_HASH_SYM through s

[PATCH nf-next v2 2/2] netfilter: nft_hash: support of symmetric hash

2017-02-28 Thread Laura Garcia Liebana
This patch provides symmetric hash support according to source ip address and port, and destination ip address and port. For this purpose, the __skb_get_hash_symmetric() is used to identify the flow as it uses FLOW_DISSECTOR_F_STOP_AT_FLOW_LABEL flag by default. The new attribute NFTA_HASH_TYPE h

ANNOUNCE: Netdev 2.1 update Feb 28

2017-02-28 Thread Jamal Hadi Salim
A few announcements: 1) Going forward we are going to be sending more frequent announcements to the conference discussion/announcement list: peo...@netdevconf.org You can subscribe via mailman here: https://lists.netdevconf.org/cgi-bin/mailman/listinfo/people We urge people to subscribe to tha

Re: [PATCH v3] libiptc: don't set_changed() when checking rules with module jumps

2017-02-28 Thread Pablo Neira Ayuso
On Tue, Feb 28, 2017 at 01:03:07PM +0100, Florian Westphal wrote: > Pablo Neira Ayuso wrote: > > On Sat, Feb 25, 2017 at 10:02:03PM -0600, Dan Williams wrote: > > > Checking a rule that includes a jump to a module-based target currently > > > sets the "changed" flag on the handle, which then cause

Re: [4.9.10] ip_route_me_harder() reading off-slab

2017-02-28 Thread Pablo Neira Ayuso
On Mon, Feb 27, 2017 at 10:41:48PM +0800, Daniel J Blueman wrote: > On 17 February 2017 at 15:39, Florian Westphal wrote: > > Daniel J Blueman wrote: > > > > [ CC nf-devel, pablo ] > > > >> When booting a VM in libvirt/KVM attached to a local bridge and KASAN > >> enabled on 4.9.10, we see a stre

Re: [PATCH v3] libiptc: don't set_changed() when checking rules with module jumps

2017-02-28 Thread Florian Westphal
Pablo Neira Ayuso wrote: > On Sat, Feb 25, 2017 at 10:02:03PM -0600, Dan Williams wrote: > > Checking a rule that includes a jump to a module-based target currently > > sets the "changed" flag on the handle, which then causes TC_COMMIT() to > > run through the whole SO_SET_REPLACE/SO_SET_ADD_COUNT

Re: [PATCH lnfct 2/2] conntrack: revert getobjopt_is_nat condition

2017-02-28 Thread Ken-ichirou MATSUZAWA
Hi, Pablo On Tue, Feb 28, 2017 at 11:47:25AM +0100, Pablo Neira Ayuso wrote: > > diff --git a/src/conntrack/objopt.c b/src/conntrack/objopt.c > > index fb43d6c..1581480 100644 > > --- a/src/conntrack/objopt.c > > +++ b/src/conntrack/objopt.c > > @@ -144,10 +144,8 @@ int __setobjopt(struct nf_conn

Re: [PATCH lnfct 2/2] conntrack: revert getobjopt_is_nat condition

2017-02-28 Thread Pablo Neira Ayuso
On Tue, Feb 28, 2017 at 08:44:53PM +0900, Ken-ichirou MATSUZAWA wrote: > Hi, Pablo > > On Tue, Feb 28, 2017 at 11:47:25AM +0100, Pablo Neira Ayuso wrote: > > > diff --git a/src/conntrack/objopt.c b/src/conntrack/objopt.c > > > index fb43d6c..1581480 100644 > > > --- a/src/conntrack/objopt.c > > >

Re: [PATCH v3] libiptc: don't set_changed() when checking rules with module jumps

2017-02-28 Thread Pablo Neira Ayuso
On Sat, Feb 25, 2017 at 10:02:03PM -0600, Dan Williams wrote: > Checking a rule that includes a jump to a module-based target currently > sets the "changed" flag on the handle, which then causes TC_COMMIT() to > run through the whole SO_SET_REPLACE/SO_SET_ADD_COUNTERS path. This > seems wrong for

[PATCH] netfilter: remove redundant check on ret being non-zero

2017-02-28 Thread Colin King
From: Colin Ian King ret is initialized to zero and if it is set to non-zero in the xt_entry_foreach loop then we exit via the out_free label. Hence the check for ret being non-zero is redundant and can be removed. Detected by CoverityScan, CID#1357132 ("Logically Dead Code") Signed-off-by: Col

Re: [PATCH 0/7] nftables: add ct helper set support

2017-02-28 Thread Pablo Neira Ayuso
On Mon, Feb 27, 2017 at 04:02:48PM +0100, Florian Westphal wrote: > This series adds initial support to set conntrack helpers via > the nft objref infrastructure. > > As -next is closed I will not push this yet since kernel support > is still missing. > > Currently only supported attributes are:

Re: [PATCH iptables] extensions: libxt_hashlimit: Add translation to nft

2017-02-28 Thread Pablo Neira Ayuso
On Mon, Feb 27, 2017 at 02:43:08PM -0300, Elise Lennion wrote: > Hashlimit has similar functionality to flow tables in nftables. Some > usage examples are: > > $ iptables-translate -A OUTPUT -m tcp -p tcp --dport 443 -m hashlimit \ > --hashlimit-above 20kb/s --hashlimit-burst 1mb --hashlimit-mode

Re: [PATCH iptables V2 2/2] xshared: using the blocking file lock request when we wait indefinitely

2017-02-28 Thread Pablo Neira Ayuso
On Mon, Feb 06, 2017 at 07:47:47PM +0800, Liping Zhang wrote: > From: Liping Zhang > > When using "-w" to avoid concurrent instances, we try to do flock() every > one second until it succeeds. But one second may be too long in some > situations, and it's hard to select a suitable interval time. So

Re: [PATCH iptables 1/2] xshared: do not lock again and again if "-w" option is not specified

2017-02-28 Thread Pablo Neira Ayuso
On Sun, Feb 05, 2017 at 09:57:34PM +0800, Liping Zhang wrote: > From: Liping Zhang > > After running the following commands, some confusing messages were printed > out: > # while : ; do > iptables -A INPUT & > iptables -D INPUT & > done > [...] > Another app is currently holding the xt

Re: [PATCH lnfct 1/2] conntrack: fix missing break

2017-02-28 Thread Pablo Neira Ayuso
Applied, thanks.

Re: [PATCH lnfct 2/2] conntrack: revert getobjopt_is_nat condition

2017-02-28 Thread Pablo Neira Ayuso
Hi Ken-ichirou, On Tue, Feb 28, 2017 at 02:00:41PM +0900, Ken-ichirou MATSUZAWA wrote: > From 9e8aa4ed079b526faf190b69a2c1032f22776602 Mon Sep 17 00:00:00 2001 > From: Ken-ichirou MATSUZAWA > Date: Tue, 28 Feb 2017 11:34:29 +0900 > Subject: [PATCH 2/2] conntrack: revert getobjopt_is_nat condition