[PATCH nf-next] netfilter: ebt: Use ebt_invalid_target instead of INVALID_TARGET

2017-05-30 Thread gfree . wind
From: Gao Feng Use the new helper function ebt_invalid_target instead of the old macro INVALID_TARGET to enhance the readability. Signed-off-by: Gao Feng --- include/linux/netfilter_bridge/ebtables.h | 2 -- net/bridge/netfilter/ebt_dnat.c

Re: [nf-next PATCH] netfilter: nf_tables: Report transactions' process info to user space

2017-05-30 Thread Pablo Neira Ayuso
On Tue, May 30, 2017 at 06:21:49PM +0200, Phil Sutter wrote: > On Tue, May 30, 2017 at 02:12:11PM +0200, Pablo Neira Ayuso wrote: > > On Fri, May 19, 2017 at 12:41:28PM +0200, Phil Sutter wrote: > > > On Mon, May 15, 2017 at 07:54:44PM +0200, Pablo Neira Ayuso wrote: > > > > On Mon, May 15, 2017

Re: [PATCHv2] extensions: libxt_cluster: Add translation to nft

2017-05-30 Thread Pablo Neira Ayuso
On Tue, May 30, 2017 at 08:47:09PM +0530, Shyam Saini wrote: > On Tue, May 30, 2017 at 3:50 PM, Pablo Neira Ayuso > wrote: > > On Tue, May 30, 2017 at 12:08:55PM +0200, Pablo Neira Ayuso wrote: > >> On Tue, May 30, 2017 at 01:55:34PM +0530, Shyam Saini wrote: > >> > Add

Re: [nf-next PATCH] netfilter: nf_tables: Report transactions' process info to user space

2017-05-30 Thread Phil Sutter
On Tue, May 30, 2017 at 02:12:11PM +0200, Pablo Neira Ayuso wrote: > On Fri, May 19, 2017 at 12:41:28PM +0200, Phil Sutter wrote: > > On Mon, May 15, 2017 at 07:54:44PM +0200, Pablo Neira Ayuso wrote: > > > On Mon, May 15, 2017 at 06:44:32PM +0200, Phil Sutter wrote: > > > > On Mon, May 15, 2017

Re: [PATCHv2] extensions: libxt_cluster: Add translation to nft

2017-05-30 Thread Shyam Saini
On Tue, May 30, 2017 at 3:50 PM, Pablo Neira Ayuso wrote: > On Tue, May 30, 2017 at 12:08:55PM +0200, Pablo Neira Ayuso wrote: >> On Tue, May 30, 2017 at 01:55:34PM +0530, Shyam Saini wrote: >> > Add translation for cluster match to nftables >> > >> > $ sudo

Re: [nf-next PATCH] netfilter: nf_tables: Report transactions' process info to user space

2017-05-30 Thread Pablo Neira Ayuso
On Fri, May 19, 2017 at 12:41:28PM +0200, Phil Sutter wrote: > On Mon, May 15, 2017 at 07:54:44PM +0200, Pablo Neira Ayuso wrote: > > On Mon, May 15, 2017 at 06:44:32PM +0200, Phil Sutter wrote: > > > On Mon, May 15, 2017 at 05:53:31PM +0200, Pablo Neira Ayuso wrote: > > > > On Mon, May 15, 2017

Re: RFC: Ideas about possible solutions for nfbz#949

2017-05-30 Thread Pablo Neira Ayuso
On Tue, May 30, 2017 at 01:04:24PM +0200, Phil Sutter wrote: [...] > On Mon, May 29, 2017 at 07:52:18PM +0200, Pablo Neira Ayuso wrote: [...] > > > My idea was to build something like the protocol dependencies we have > > > for e.g. TCP header fields but with ICMP, a given header field might be >

Re: RFC: Ideas about possible solutions for nfbz#949

2017-05-30 Thread Phil Sutter
Hi Pablo, On Mon, May 29, 2017 at 07:52:18PM +0200, Pablo Neira Ayuso wrote: > I'm recovering this RFC that got lost in the pile. Thanks for not dropping it! :) > On Wed, May 10, 2017 at 05:34:29PM +0200, Phil Sutter wrote: > > Hi, > > > > Netfilter Bugzilla #949[1] complains about broken

[PATCH] ipset: Fix ipset command replacement in runtest.sh

2017-05-30 Thread Neutron Soutmun
Fix the ipset command replacement. For ipset="/sbin/ipset" Actual: /sbin//sbin/ipset 2>.foo.err | ... | xargs -n1 ipset Expected: /sbin/ipset 2>.foo.err | ... | xargs -n1 /sbin/ipset --- tests/runtest.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git
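Added illustration, not code from the ipset project's tests/runtest.sh: the message above only shows the wrong and the intended command lines, so the `naive_replace` function below is a hypothetical reconstruction of one way a substitution can yield `/sbin//sbin/ipset ... xargs -n1 ipset` (two non-global sed passes, the second of which re-matches the `ipset` inside the path the first one just inserted), and `word_replace` is a whole-word, single-pass rewrite that produces the expected line and stays idempotent when run again. The sample command line and the `/sbin/ipset` path are taken from the message; the function names are mine.

```shell
#!/bin/sh
# Added example for rewriting bare "ipset" command words in a test-case
# pipeline to a full binary path. Not the ipset project's own runtest.sh.

# Hypothetical reconstruction of the bug: two non-global substitutions run in
# sequence. The second expression matches the first "ipset" it sees, which is
# now the one inside "/sbin/ipset" inserted by the first expression, so the
# prefix is doubled and the trailing "xargs -n1 ipset" is never rewritten.
naive_replace() {
    # $1: command line from the test case, $2: path to the ipset binary
    printf '%s\n' "$1" | sed -e "s|^ipset|$2|" -e "s|ipset|$2|"
}

# Whole-word, single-pass rewrite: only a standalone "ipset" token becomes the
# given path, every occurrence is handled, and "/sbin/ipset" is left alone on a
# second run, so the function is idempotent. Fields are re-joined with single
# spaces, which is fine for the one-line pipelines used by the test cases.
word_replace() {
    printf '%s\n' "$1" | awk -v path="$2" '{
        for (i = 1; i <= NF; i++) if ($i == "ipset") $i = path
        print
    }'
}

# Constructed sample taken from the commit message (ipset="/sbin/ipset").
sample='ipset 2>.foo.err | ... | xargs -n1 ipset'
echo "naive: $(naive_replace "$sample" /sbin/ipset)"
echo "word:  $(word_replace "$sample" /sbin/ipset)"
```

Running it prints the `/sbin//sbin/ipset` line from the "Actual" output for the naive variant and the "Expected" line for the whole-word variant; feeding the corrected line back into `word_replace` returns it unchanged.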

Re: [PATCHv2] extensions: libxt_cluster: Add translation to nft

2017-05-30 Thread Pablo Neira Ayuso
On Tue, May 30, 2017 at 12:08:55PM +0200, Pablo Neira Ayuso wrote: > On Tue, May 30, 2017 at 01:55:34PM +0530, Shyam Saini wrote: > > Add translation for cluster match to nftables > > > > $ sudo iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster > > --cluster-total-nodes 2

Re: [PATCHv2] extensions: libxt_cluster: Add translation to nft

2017-05-30 Thread Pablo Neira Ayuso
On Tue, May 30, 2017 at 01:55:34PM +0530, Shyam Saini wrote: > Add translation for cluster match to nftables > > $ sudo iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster > --cluster-total-nodes 2 --cluster-local-node 1 --cluster-hash-seed > 0xdeadbeef -j MARK --set-mark 0x > nft

[PATCH nf-next] netns: add and use net_ns_barrier

2017-05-30 Thread Florian Westphal
Quoting Joe Stringer: If a user loads nf_conntrack_ftp, sends FTP traffic through a network namespace, destroys that namespace then unloads the FTP helper module, then the kernel will crash. Events that lead to the crash: 1. conntrack is created with ftp helper in netns x 2. This netns is

[PATCH nf-next] netfilter: move table iteration out of netns exit paths

2017-05-30 Thread Florian Westphal
We only need to iterate & remove in case of module removal; for netns destruction all conntracks will be removed anyway. Signed-off-by: Florian Westphal --- net/netfilter/nf_conntrack_proto.c | 26 +- 1 file changed, 17 insertions(+), 9 deletions(-) diff

[PATCHv2] extensions: libxt_cluster: Add translation to nft

2017-05-30 Thread Shyam Saini
Add translation for cluster match to nftables $ sudo iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 2 --cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0x nft add rule ip mangle PREROUTING iifname eth1 jhash ct original saddr mod 2

[PATCH conntrack-tools v2] ipv6: remove use of HAVE_INET_PTON_IPV6

2017-05-30 Thread Nicolas Dichtel
The goal of this patch is to fix the ipv6 support when conntrackd is cross-compiled. The AC_RUN_IFELSE macro must be avoided as much as possible. See section 6.6 of the gnu autoconf: "If you really need to test for a runtime behavior while configuring, you can write a test program to determine

Re: [PATCH conntrack-tools] ipv6: remove use of HAVE_INET_PTON_IPV6

2017-05-30 Thread Nicolas Dichtel
On 29/05/2017 at 18:25, Pablo Neira Ayuso wrote: [snip] >> -#ifdef HAVE_INET_PTON_IPV6 >> -if (inet_pton(AF_INET6, $2, >> - [conf.channel_num].u.mcast.in) <= 0) { >> +err = inet_pton(AF_INET6, $2, >> +[conf.channel_num].u.mcast.in); >> +if (err ==
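Review bot: the `<= 0` test being removed in this hunk covered two distinct outcomes of inet_pton(), which returns 0 when the string is not a valid address of the requested family and -1 with errno set when the family itself is unsupported, so the replacement `err = inet_pton(...); if (err ==` must keep both cases on the error path (either a branch for 0 and one for -1, or a single `if (err <= 0)`), and must never let 0 fall through as success. Since the result is now stored in `err`, the error message can also say which of the two happened, which is worth doing here.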