Pablo Neira Ayuso wrote:
> On Wed, Mar 22, 2017 at 04:44:00PM +0100, Florian Westphal wrote:
> > Pablo Neira Ayuso wrote:
> > > Hm, I wonder why you need this new line in proto_inet_service:
> > >
> > > + PROTO_LINK(IPPROTO_ICMPV6, &proto_icmp6),
> >
> > meta_expr_pctx_update calls
The organizing committee would like to announce a new silver sponsor:
Solarflare.
Solarflare is returning as a silver sponsor again this year. Welcome
back and many thanks for your support!
cheers,
jamal
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body
On Wed, Mar 22, 2017 at 04:44:00PM +0100, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > Hm, I wonder why you need this new line in proto_inet_service:
> >
> > + PROTO_LINK(IPPROTO_ICMPV6, &proto_icmp6),
>
> meta_expr_pctx_update calls proto_find_upper(), without this
> that
On Wed, Mar 22, 2017 at 9:07 AM, Alexandru Ardelean
wrote:
> On Tue, Mar 21, 2017 at 10:54 PM, Eric Leblond wrote:
>> Hello,
>>
>> Thanks for the report and the patch. I'm not sure of your
>> implementation. Can you test with the patch to follow ?
>>
>> On Mon, 2017-03-20 at 10:31 +0200, Alexandr
Pablo Neira Ayuso wrote:
> Hm, I wonder why you need this new line in proto_inet_service:
>
> + PROTO_LINK(IPPROTO_ICMPV6, &proto_icmp6),
meta_expr_pctx_update calls proto_find_upper(), without this
that returns NULL and proto base is set to 'unknown'.
On Wed, Mar 22, 2017 at 02:44:12PM +0100, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > On Tue, Mar 21, 2017 at 07:54:37PM +0100, Florian Westphal wrote:
> > > nft add rule ip6 f i meta l4proto ipv6-icmp icmpv6 type nd-router-advert
> > > :1:50-60: Error: conflicting protocols specified:
On Wed, Mar 22, 2017 at 04:29:09PM +0100, Pablo Neira Ayuso wrote:
> On Wed, Mar 22, 2017 at 02:44:12PM +0100, Florian Westphal wrote:
> > Pablo Neira Ayuso wrote:
> > > On Tue, Mar 21, 2017 at 07:54:37PM +0100, Florian Westphal wrote:
> > > > nft add rule ip6 f i meta l4proto ipv6-icmp icmpv6 typ
On Wed, Mar 22, 2017 at 7:08 PM, Pablo Neira Ayuso wrote:
> On Tue, Mar 21, 2017 at 02:14:34PM +0530, simran singhal wrote:
>> This patch series clean up tests if NULL returned on failure.
>
> $ git grep "== NULL" net/netfilter/ | wc -l
> 461
>
> This is cleaning up just some of them, we still see
Pablo Neira Ayuso wrote:
> On Tue, Mar 21, 2017 at 07:54:37PM +0100, Florian Westphal wrote:
> > nft add rule ip6 f i meta l4proto ipv6-icmp icmpv6 type nd-router-advert
> > :1:50-60: Error: conflicting protocols specified: unknown vs.
> > icmpv6
> >
> > add icmpv6 to nexthdr list so base gets u
On Tue, Mar 21, 2017 at 02:14:34PM +0530, simran singhal wrote:
> This patch series clean up tests if NULL returned on failure.
$ git grep "== NULL" net/netfilter/ | wc -l
461
This is cleaning up just some of them, we still seem to have quite a
bit of them.
Main problem with this changes is that
On Wed, Mar 15, 2017 at 12:01:27PM +0100, Pablo Neira Ayuso wrote:
> On Tue, Mar 14, 2017 at 03:11:12PM +0100, Phil Sutter wrote:
> > On Mon, Mar 13, 2017 at 05:53:53PM +0100, Pablo Neira Ayuso wrote:
> > > On Mon, Mar 13, 2017 at 05:01:53PM +0100, Phil Sutter wrote:
> > > [...]
> > > > The nftable
From: Liping Zhang
NFCTH_PRIV_DATA_LEN is a must attribute required by the kernel when
creating the cthelper, add it now. Otherwise -EINVAL will be returned.
Signed-off-by: Liping Zhang
---
examples/nfct-helper-add.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/examples/nfct-helper-add.
On Wed, Mar 22, 2017 at 09:00:47PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> NFCTH_PRIV_DATA_LEN is a must attribute required by the kernel when
> creating the cthelper, add it now. Otherwise -EINVAL will be returned.
Applied, thanks Liping.
On Tue, Mar 21, 2017 at 07:54:37PM +0100, Florian Westphal wrote:
> nft add rule ip6 f i meta l4proto ipv6-icmp icmpv6 type nd-router-advert
> :1:50-60: Error: conflicting protocols specified: unknown vs. icmpv6
>
> add icmpv6 to nexthdr list so base gets updated correctly.
>
> Reported-by: Thoma
On Wed, Mar 22, 2017 at 07:43:18AM -0400, Richard Guy Briggs wrote:
> On 2017-03-22 12:11, Pablo Neira Ayuso wrote:
> > On Wed, Mar 22, 2017 at 03:05:36AM -0400, Richard Guy Briggs wrote:
> > > Even though the skb->data pointer has been moved from the link layer
> > > header to the network layer he
This new helper function allows us to check if this is a basechain.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h | 5 +
net/netfilter/nf_tables_api.c | 30 +++---
net/netfilter/nf_tables_netdev.c | 2 +-
net/netfilter/nft_compat.c
On Wed, Mar 22, 2017 at 01:26:36AM +0100, Phil Sutter wrote:
> Not having a space between the last element in a set and the closing
> curly brace looks ugly, so add it here.
>
> This also adjusts all shell testcases as they match whitespace in nft
> output and therefore fail otherwise.
It's just
On Wed, Mar 22, 2017 at 01:38:08PM +0800, Liping Zhang wrote:
> Hi Pablo,
>
> 2017-03-21 22:57 GMT+08:00 Pablo Neira Ayuso :
> > We only allow runtime updates of expectation policies for timeout and
> > maximum number of expectations, otherwise reject the update.
> >
> > Signed-off-by: Pablo Neira
On Wed, Mar 22, 2017 at 01:26:34AM +0100, Phil Sutter wrote:
> This makes sure nesting of anonymous sets works regardless of whether
> defines are used or not. As a side-effect, it also checks that overlap
> checking when IP address prefixes are used, works.
Applied, thanks.
On 2017-03-22 12:11, Pablo Neira Ayuso wrote:
> On Wed, Mar 22, 2017 at 03:05:36AM -0400, Richard Guy Briggs wrote:
> > Even though the skb->data pointer has been moved from the link layer
> > header to the network layer header, use the same method to calculate the
> > offset in ipv4 and ipv6 routi
On Wed, Mar 22, 2017 at 01:26:35AM +0100, Phil Sutter wrote:
> If rule set applying failed, this would leave a stray netns in place.
>
> Interestingly, this situation led to other, seemingly unrelated
> testcases to fail with spurious errors, e.g. sets/0015rulesetflush_0:
>
> | $ ./run-tests.sh t
On Wed, Mar 22, 2017 at 03:05:36AM -0400, Richard Guy Briggs wrote:
> Even though the skb->data pointer has been moved from the link layer
> header to the network layer header, use the same method to calculate the
> offset in ipv4 and ipv6 routines.
>
> Signed-off-by: Richard Guy Briggs
> ---
>
On 22 March 2017 at 01:26, Phil Sutter wrote:
> If rule set applying failed, this would leave a stray netns in place.
>
Thanks Phil.
Acked-by: Arturo Borrero Gonzalez
On Tue, Mar 21, 2017 at 10:54 PM, Eric Leblond wrote:
> Hello,
>
> Thanks for the report and the patch. I'm not sure of your
> implementation. Can you test with the patch to follow ?
>
> On Mon, 2017-03-20 at 10:31 +0200, Alexandru Ardelean wrote:
>> This is a bit zealous to fix like this, but it
Eliminate flipping in and out of message fields, dropping fields in the
process.
Sample raw message format IPv4 UDP:
type=NETFILTER_PKT msg=audit(1487874761.386:228): mark=0xae8a2732
saddr=127.0.0.1 daddr=127.0.0.1 proto=17^]
Sample raw message format IPv6 ICMP6:
type=NETFILTER_PKT msg=audit(148
Even though the skb->data pointer has been moved from the link layer
header to the network layer header, use the same method to calculate the
offset in ipv4 and ipv6 routines.
Signed-off-by: Richard Guy Briggs
---
net/netfilter/xt_AUDIT.c |2 +-
1 files changed, 1 insertions(+), 1 deletions(