Currently, nf_conncount_count() counts the number of connections that
match the key and inserts a conntrack 'tuple' associated with the key into
the accounting data structure. This patch supports another use case that
only counts the number of connections associated with the key without
providing a
This patch contains two parts.
1. Remove parameter 'family' in nf_conncount_count() and count_tree().
Before commit 625c556118f3 ("netfilter: connlimit: split xt_connlimit
into front and backend"), 'family' was used to determine the type
of nf_inet_addr, but the parameter is not useful after that
Add regression test for netfilter's bugzilla 1228.
Signed-off-by: Pablo Neira Ayuso
---
.../sets/0030add_many_elements_interval_0 | 30 ++
1 file changed, 30 insertions(+)
create mode 100755
On Wed, Feb 28, 2018 at 04:25:38PM +0100, Simon Horman wrote:
> On Sun, Feb 25, 2018 at 10:29:18PM +0200, Julian Anastasov wrote:
> > The IPS_NAT_MASK check in 4.12 replaced previous check for nfct_nat()
> > which was needed to fix a crash in 2.6.36-rc, see
> > commit 7bcbf81a2296 ("ipvs: avoid
On Tue, Feb 27, 2018 at 04:56:55PM +0100, Hauke Mehrtens wrote:
> In kernel 3.18 the union bpf_attr does not have a pathname attribute and
> BPF_OBJ_GET is also not defined in these versions.
> This was added in Linux commit b2197755b263 ("bpf: add support for
> persistent maps/progs"). Check for
On Wed, Feb 28, 2018 at 04:04:26PM +0100, Phil Sutter wrote:
> Refactoring libnftables output to support a configurable output stream
> apparently was incomplete in monitor code. This series resolves that.
Applied, thanks Phil.
--
To unsubscribe from this list: send the line "unsubscribe
Phil Sutter wrote:
> Regarding empty fall through (which seems to be the reason for your
> NACK): There was but a single fall through comment for an empty case in
> the whole code, and there are literally hundreds of them. Covscan didn't
> complain about those, hence why I think even
Hi Florian,
On Wed, Feb 28, 2018 at 04:33:05PM +0100, Florian Westphal wrote:
> Phil Sutter wrote:
> > While revisiting all of them, clear a few oddities as well:
> >
> > - There's no point in marking empty fall through cases: They are easy to
> > spot and a common concept when
Phil Sutter wrote:
> While revisiting all of them, clear a few oddities as well:
>
> - There's no point in marking empty fall through cases: They are easy to
> spot and a common concept when using switch().
NACK, sorry. There are source-code checkers that flag this
(they have
On Sun, Feb 25, 2018 at 10:29:18PM +0200, Julian Anastasov wrote:
> The IPS_NAT_MASK check in 4.12 replaced previous check for nfct_nat()
> which was needed to fix a crash in 2.6.36-rc, see
> commit 7bcbf81a2296 ("ipvs: avoid oops for passive FTP").
> But as IPVS does not set the IPS_SRC_NAT and
These were detected by Coverity tool. All but one case happen in error
path - the regular one is in netlink_parse_hash() if sreg contains a
concatenated expression.
Signed-off-by: Phil Sutter
---
src/netlink_delinearize.c | 23 ---
1 file changed, 16
Refactoring libnftables output to support a configurable output stream
apparently was incomplete in monitor code. This series resolves that.
Phil Sutter (2):
monitor: Make trace events respect output_fp
monitor: Make JSON/XML output respect output_fp
src/netlink.c | 75
Make sure events callbacks print to output_ctx-defined stream for any
type of output format.
Since all of them use nft_print() as last call (if anything is printed
at all), the final call to fflush() in netlink_events_cb() can be
dropped.
Signed-off-by: Phil Sutter
---
Seems like this was incompletely converted, part of the output went to
output_fp already.
Signed-off-by: Phil Sutter
---
src/netlink.c | 38 +-
1 file changed, 21 insertions(+), 17 deletions(-)
diff --git a/src/netlink.c b/src/netlink.c
index
also mention that 'ip' is used when the family gets omitted.
Signed-off-by: Florian Westphal
---
doc/nft.xml | 27 +++
1 file changed, 27 insertions(+)
diff --git a/doc/nft.xml b/doc/nft.xml
index 2b88727c941b..1039b03e06ce 100644
--- a/doc/nft.xml
+++
Just to add,
with ipset having entry for 0.0.0.0/0,eth0
if I test
ipset -T foo 192.168.100.100,eth0
it returns success.
But in iptables rule it is not matching.
Segment Routing Header "SRH" is a new type of IPv6 Routing extension
header (type 4).
SRH contains a list of segments (each is represented as an IPv6 address)
to be visited by packets during the journey from source to destination.
The SRH specification is defined in the below IETF SRH draft.
On Tue, 27 Feb 2018 18:48:20 +0100
Florian Westphal wrote:
> Ahmed Abdelsalam wrote:
> > > Ahmed Abdelsalam wrote:
> > > > Type 0 and 2 of the IPv6 Routing extension header are not handled
> > > > properly by exthdr_init_raw() in
Signed-off-by: Florian Westphal
---
doc/nft.xml | 12 +++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/doc/nft.xml b/doc/nft.xml
index 2b88727..b6b5506 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -1663,7 +1663,10 @@ filter output ip daddr localhost