[PATCH nf-next 2/2] nf_conncount: Support count only use case

2018-02-28 Thread Yi-Hung Wei
Currently, nf_conncount_count() counts the number of connections that match the key and inserts a conntrack 'tuple' associated with the key into the accounting data structure. This patch supports another use case that only counts the number of connections associated with the key without providing a

[PATCH nf-next 1/2] netfilter: nf_conncount: Refactor nf_conncount

2018-02-28 Thread Yi-Hung Wei
This patch contains two parts. 1. Remove parameter 'family' in nf_conncount_count() and count_tree(). Before commit 625c556118f3 ("netfilter: connlimit: split xt_connlimit into front and backend"), 'family' was used to determine the type of nf_inet_addr, but the parameter is not useful after that

[PATCH nft] tests: shell: regression test for bugzilla 1228

2018-02-28 Thread Pablo Neira Ayuso
Add regression test for netfilter's bugzilla 1228. Signed-off-by: Pablo Neira Ayuso --- .../sets/0030add_many_elements_interval_0 | 30 ++ 1 file changed, 30 insertions(+) create mode 100755

Re: [PATCH net] ipvs: remove IPS_NAT_MASK check to fix passive FTP

2018-02-28 Thread Pablo Neira Ayuso
On Wed, Feb 28, 2018 at 04:25:38PM +0100, Simon Horman wrote: > On Sun, Feb 25, 2018 at 10:29:18PM +0200, Julian Anastasov wrote: > > The IPS_NAT_MASK check in 4.12 replaced the previous check for nfct_nat() > > which was needed to fix a crash in 2.6.36-rc, see > > commit 7bcbf81a2296 ("ipvs: avoid

Re: [PATCH] extensions: libxt_bpf: Fix build with old kernel versions

2018-02-28 Thread Pablo Neira Ayuso
On Tue, Feb 27, 2018 at 04:56:55PM +0100, Hauke Mehrtens wrote: > In kernel 3.18 the union bpf_attr does not have a pathname attribute and > BPF_OBJ_GET is also not defined in these versions. > This was added in Linux commit b2197755b263 ("bpf: add support for > persistent maps/progs"). Check for

Re: [nft PATCH 0/2] Review monitor code for output_fp conformity

2018-02-28 Thread Pablo Neira Ayuso
On Wed, Feb 28, 2018 at 04:04:26PM +0100, Phil Sutter wrote: > Refactoring libnftables output to support a configurable output stream > apparently was incomplete in monitor code. This series resolves that. Applied, thanks Phil. -- To unsubscribe from this list: send the line "unsubscribe

Re: [nft PATCH] Review switch statements for unmarked fall through cases

2018-02-28 Thread Florian Westphal
Phil Sutter wrote: > Regarding empty fall through (which seems to be the reason for your > NACK): There was but a single fall through comment for an empty case in > the whole code, and there are literally hundreds of them. Covscan didn't > complain about those, hence why I think even

Re: [nft PATCH] Review switch statements for unmarked fall through cases

2018-02-28 Thread Phil Sutter
Hi Florian, On Wed, Feb 28, 2018 at 04:33:05PM +0100, Florian Westphal wrote: > Phil Sutter wrote: > > While revisiting all of them, clear a few oddities as well: > > > > - There's no point in marking empty fall through cases: They are easy to > > spot and a common concept when

Re: [nft PATCH] Review switch statements for unmarked fall through cases

2018-02-28 Thread Florian Westphal
Phil Sutter wrote: > While revisiting all of them, clear a few oddities as well: > > - There's no point in marking empty fall through cases: They are easy to > spot and a common concept when using switch(). NACK, sorry. There are source-code checkers that flag this (they have

Re: [PATCH net] ipvs: remove IPS_NAT_MASK check to fix passive FTP

2018-02-28 Thread Simon Horman
On Sun, Feb 25, 2018 at 10:29:18PM +0200, Julian Anastasov wrote: > The IPS_NAT_MASK check in 4.12 replaced the previous check for nfct_nat() > which was needed to fix a crash in 2.6.36-rc, see > commit 7bcbf81a2296 ("ipvs: avoid oops for passive FTP"). > But as IPVS does not set the IPS_SRC_NAT and

[nft PATCH] netlink_delinearize: Fix resource leaks

2018-02-28 Thread Phil Sutter
These were detected by the Coverity tool. All but one case happen in error paths; the regular one is in netlink_parse_hash() if sreg contains a concatenated expression. Signed-off-by: Phil Sutter --- src/netlink_delinearize.c | 23 --- 1 file changed, 16

[nft PATCH 0/2] Review monitor code for output_fp conformity

2018-02-28 Thread Phil Sutter
Refactoring libnftables output to support a configurable output stream apparently was incomplete in monitor code. This series resolves that. Phil Sutter (2): monitor: Make trace events respect output_fp monitor: Make JSON/XML output respect output_fp src/netlink.c | 75

[nft PATCH 2/2] monitor: Make JSON/XML output respect output_fp

2018-02-28 Thread Phil Sutter
Make sure event callbacks print to the output_ctx-defined stream for any type of output format. Since all of them use nft_print() as the last call (if anything is printed at all), the final call to fflush() in netlink_events_cb() can be dropped. Signed-off-by: Phil Sutter ---

[nft PATCH 1/2] monitor: Make trace events respect output_fp

2018-02-28 Thread Phil Sutter
Seems like this was incompletely converted, part of the output went to output_fp already. Signed-off-by: Phil Sutter --- src/netlink.c | 38 +- 1 file changed, 21 insertions(+), 17 deletions(-) diff --git a/src/netlink.c b/src/netlink.c index

[PATCH nft] doc: add example for rule add/delete

2018-02-28 Thread Florian Westphal
Also mention that 'ip' is used when the family gets omitted. Signed-off-by: Florian Westphal --- doc/nft.xml | 27 +++ 1 file changed, 27 insertions(+) diff --git a/doc/nft.xml b/doc/nft.xml index 2b88727c941b..1039b03e06ce 100644 --- a/doc/nft.xml +++

Re: [ANNOUNCE] ipset 6.28 released

2018-02-28 Thread Akshat Kakkar
Just to add, with ipset having an entry for 0.0.0.0/0,eth0, if I test ipset -T foo 192.168.100.100,eth0 it returns success. But in an iptables rule it does not match.

[nft] nftables: Adding support for segment routing header 'srh'

2018-02-28 Thread Ahmed Abdelsalam
Segment Routing Header "SRH" is a new type of IPv6 Routing extension header (type 4). SRH contains a list of segments (each represented as an IPv6 address) to be visited by packets during the journey from source to destination. The SRH specification is defined in the IETF SRH draft below.

Re: [nft] nftables: Fixing Bug 1219 - handle rt0 and rt2 properly

2018-02-28 Thread Ahmed Abdelsalam
On Tue, 27 Feb 2018 18:48:20 +0100 Florian Westphal wrote: > Ahmed Abdelsalam wrote: > > > Ahmed Abdelsalam wrote: > > > > Type 0 and 2 of the IPv6 Routing extension header are not handled > > > > properly by exthdr_init_raw() in

[PATCH nft] doc: remove ipv6 address FIXME

2018-02-28 Thread Florian Westphal
Signed-off-by: Florian Westphal --- doc/nft.xml | 12 +++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/doc/nft.xml b/doc/nft.xml index 2b88727..b6b5506 100644 --- a/doc/nft.xml +++ b/doc/nft.xml @@ -1663,7 +1663,10 @@ filter output ip daddr localhost