[PATCH iptables] utils: nfsynproxy: fix build with musl libc

2017-03-01 Thread Baruch Siach
The musl libc exposes some struct tcphdr fields only when _GNU_SOURCE is defined. Fix the following build failure: nfsynproxy.c: In function ‘parse_packet’: nfsynproxy.c:34:9: error: ‘const struct tcphdr’ has no member named ‘syn’ if (!th->syn || !th->ack) ^ nfsynproxy.c:34:21: error: ‘c

About Kernel SynProxy Performance

2017-03-01 Thread Tugrul Erdogan
Hi All, I have noticed the commit below in the kernel 4.7 change logs. https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b3d051477cf94e9d71d6acadb8a90de15237b9c1 https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8804b2722dc5d6f9b7ba0a9e812eae9ee5

Re: [PATCH nft] mnl: continue monitor if errno is ESRCH

2017-03-01 Thread Alexander Alemayhu
On Wed, Mar 01, 2017 at 04:18:00PM +0100, Pablo Neira Ayuso wrote: > Hm, I'm hitting this here: > > I: results: [OK] 107 [FAILED] 0 [TOTAL] 107 > > Running nft git HEAD and nf.git kernel. > See no failures with HEAD. Suspect I misconfigured earlier, sorry for the noise. -- Mit freundlichen Grüß

Re: [PATCH V3] audit: normalize NETFILTER_PKT

2017-03-01 Thread Richard Guy Briggs
On 2017-03-01 17:19, Paul Moore wrote: > On Wed, Mar 1, 2017 at 11:28 AM, Richard Guy Briggs wrote: > > On 2017-02-28 17:22, Paul Moore wrote: > >> On Sun, Feb 26, 2017 at 3:49 PM, Richard Guy Briggs > >> wrote: > >> > Eliminate flipping in and out of message fields, dropping fields in the > >>

Re: [PATCH V3] audit: normalize NETFILTER_PKT

2017-03-01 Thread Paul Moore
On Wed, Mar 1, 2017 at 11:28 AM, Richard Guy Briggs wrote: > On 2017-02-28 17:22, Paul Moore wrote: >> On Sun, Feb 26, 2017 at 3:49 PM, Richard Guy Briggs wrote: >> > Eliminate flipping in and out of message fields, dropping fields in the >> > process. >> > >> > Sample raw message format IPv4 UD

[PATCH nf 2/2] netfilter: nf_tables: netlink listener hits ESRCH on socket overrun

2017-03-01 Thread Pablo Neira Ayuso
Netlink listeners are currently hitting ESRCH on socket buffer overruns via nf_tables, this error is misleading and inconsistent with regards to other existing netlink subsystems. Netlink semantics mandate that listeners hit ENOBUFS if the socket buffer overruns. Reported-by: Alexander Alemayhu T

[PATCH nf 1/2] netfilter: nft_set_rbtree: incorrect assumption on lower interval lookups

2017-03-01 Thread Pablo Neira Ayuso
In case of adjacent ranges, we may indeed see either the high part of the range in first place or the low part of it. Remove this incorrect assumption, let's make sure we annotate the low part of the interval in case we have adjacent intervals so we hit a matching in lookups. Reported-b

Re: [PATCH V3] audit: normalize NETFILTER_PKT

2017-03-01 Thread Pablo Neira Ayuso
On Wed, Mar 01, 2017 at 11:28:02AM -0500, Richard Guy Briggs wrote: > On 2017-02-28 17:22, Paul Moore wrote: > > On Sun, Feb 26, 2017 at 3:49 PM, Richard Guy Briggs wrote: > > > Eliminate flipping in and out of message fields, dropping fields in the > > > process. > > > > > > Sample raw message f

Re: [PATCH V3] audit: normalize NETFILTER_PKT

2017-03-01 Thread Richard Guy Briggs
On 2017-02-28 17:22, Paul Moore wrote: > On Sun, Feb 26, 2017 at 3:49 PM, Richard Guy Briggs wrote: > > Eliminate flipping in and out of message fields, dropping fields in the > > process. > > > > Sample raw message format IPv4 UDP: > > type=NETFILTER_PKT msg=audit(1487874761.386:228): mark=0xae

Re: [PATCH lnfct 2/2] conntrack: revert getobjopt_is_nat condition

2017-03-01 Thread Pablo Neira Ayuso
On Wed, Mar 01, 2017 at 07:29:33AM +0900, Ken-ichirou MATSUZAWA wrote: > Hi, Pablo > > On Tue, Feb 28, 2017 at 12:48:09PM +0100, Pablo Neira Ayuso wrote: > > So you want to check if the addresses mismatch, so we infer from there > > if there is NAT or not when status bits are not available. > >

Re: [PATCH] netfilter: Parse ICMPv6 redirects

2017-03-01 Thread Jan Engelhardt
On Wednesday 2017-03-01 15:32, Alin Nastac wrote: >Extract IPv6 packet that triggered the sending of redirect message from >ICMPv6 Redirected Header option and check if the conntrack table contains such a >connection. Mark redirect packet as RELATED if a matching connection is found. > >Signed-off-by: A

Re: netfilter: conntrack: refine gc worker heuristics, redux

2017-03-01 Thread Florian Westphal
Pablo Neira Ayuso wrote: > Hi Greg, > > Please cherry-pick this into 4.9. > > commit e5072053b09642b8ff417d47da05b84720aea3ee > Author: Florian Westphal > Date: Wed Jan 18 02:01:22 2017 +0100 > > netfilter: conntrack: refine gc worker heuristics, redux Note: This applies cleanly if you

Re: [PATCH 09/14] netfilter: conntrack: refine gc worker heuristics, redux

2017-03-01 Thread Pablo Neira Ayuso
On Wed, Mar 01, 2017 at 04:02:53PM +0100, Nicolas Dichtel wrote: > On 27/01/2017 at 17:51, Nicolas Dichtel wrote: > > On 26/01/2017 at 17:38, Pablo Neira Ayuso wrote: > >> From: Florian Westphal > >> > >> This further refines the changes made to conntrack gc_worker in > >> commit e0df8cae6c16

netfilter: conntrack: refine gc worker heuristics, redux

2017-03-01 Thread Pablo Neira Ayuso
Hi Greg, Please cherry-pick this into 4.9. commit e5072053b09642b8ff417d47da05b84720aea3ee Author: Florian Westphal Date: Wed Jan 18 02:01:22 2017 +0100 netfilter: conntrack: refine gc worker heuristics, redux Thanks! -- To unsubscribe from this list: send the line "unsubscribe netfilter

Re: [PATCH nft] mnl: continue monitor if errno is ESRCH

2017-03-01 Thread Alexander Alemayhu
On Wed, Mar 01, 2017 at 12:41:40PM +0100, Pablo Neira Ayuso wrote: > > Actually, this patch would be better. All return values of these > notify functions are ignored, so we can turn it into void. Monitor seems to work as expected and does not exit with this patch. Should all of the tests pass w

[PATCH] netfilter: nf_conntrack_sip: fix wrong memory initialisation

2017-03-01 Thread Christophe Leroy
In commit 82de0be6862cd ("netfilter: Add helper array register/unregister functions"), struct nf_conntrack_helper sip[MAX_PORTS][4] was changed to sip[MAX_PORTS * 4], so the memory init should have been changed to memset(&sip[4 * i], 0, 4 * sizeof(sip[i])); But as the sip[] table is allocated in t

Re: [PATCH nft] mnl: continue monitor if errno is ESRCH

2017-03-01 Thread Pablo Neira Ayuso
On Wed, Mar 01, 2017 at 03:52:27PM +0100, Alexander Alemayhu wrote: > On Wed, Mar 01, 2017 at 12:41:40PM +0100, Pablo Neira Ayuso wrote: > > > > Actually, this patch would be better. All return values of these > > notify functions are ignored, so we can turn it into void. > > Monitor seems to wo

Re: [PATCH 09/14] netfilter: conntrack: refine gc worker heuristics, redux

2017-03-01 Thread Nicolas Dichtel
On 27/01/2017 at 17:51, Nicolas Dichtel wrote: > On 26/01/2017 at 17:38, Pablo Neira Ayuso wrote: >> From: Florian Westphal >> >> This further refines the changes made to conntrack gc_worker in >> commit e0df8cae6c16 ("netfilter: conntrack: refine gc worker heuristics"). >> >> The main idea of

[PATCH] netfilter: Parse ICMPv6 redirects

2017-03-01 Thread Alin Nastac
Extract IPv6 packet that triggered the sending of redirect message from ICMPv6 Redirected Header option and check if the conntrack table contains such a connection. Mark redirect packet as RELATED if a matching connection is found. Signed-off-by: Alin Nastac --- net/ipv6/netfilter/nf_conntrack_proto_ic

[PATCH] ipv6: Preserve link scope traffic original oif

2017-03-01 Thread Alin Nastac
Link-local and multicast packets must keep their original oif after ip6_route_me_harder is called. Signed-off-by: Alin Nastac --- net/ipv6/netfilter.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c index 39970e2..02811c5 100644 -

Re: [PATCH nf-next v2 2/2] netfilter: nft_hash: support of symmetric hash

2017-03-01 Thread Pablo Neira Ayuso
On Wed, Mar 01, 2017 at 12:11:54PM +0800, Liping Zhang wrote: > Hi, > > 2017-03-01 1:38 GMT+08:00 Laura Garcia Liebana : > [...] > > +static const struct nft_expr_ops * > > +nft_hash_select_ops(const struct nft_ctx *ctx, > > + const struct nlattr * const tb[]) > > +{ > > +

Re: [PATCH nft] mnl: continue monitor if errno is ESRCH

2017-03-01 Thread Pablo Neira Ayuso
On Sun, Feb 26, 2017 at 09:24:10PM +0100, Pablo Neira Ayuso wrote: > On Sun, Feb 26, 2017 at 05:30:58PM +0100, Alexander Alemayhu wrote: > > Running the test cases in the shell directory while running nft monitor > > results > > in nft exiting with '# ERROR: No such process'. The minimal steps whe

Re: [PATCH nft] mnl: continue monitor if errno is ESRCH

2017-03-01 Thread Pablo Neira Ayuso
On Wed, Mar 01, 2017 at 12:21:03PM +0100, Pablo Neira Ayuso wrote: > On Sun, Feb 26, 2017 at 09:24:10PM +0100, Pablo Neira Ayuso wrote: > > On Sun, Feb 26, 2017 at 05:30:58PM +0100, Alexander Alemayhu wrote: > > > Running the test cases in the shell directory while running nft monitor > > > result

Re: nft authentication

2017-03-01 Thread Florian Westphal
Fabian Franz wrote: > yes it is academic and what I want to do is user id matching on > non-local users (which means I need to connect the IP address with an > user id or something like that). What I want is to keep the full match > together, nf_queue is a target. I'm not sure what 'keep the full

Re: nft authentication

2017-03-01 Thread Fabian Franz
Dear Mr. Westphal, yes it is academic and what I want to do is user id matching on non-local users (which means I need to connect the IP address with an user id or something like that). What I want is to keep the full match together, nf_queue is a target. It should be my last year project but it s