[PATCH iptables 1/4] xtables: Do not register matches/targets with incompatible revision

2018-03-07 Thread Serhey Popovych
If the kernel tells us the revision isn't found/supported at the moment, we should keep the entity in the pending list and not register it, or bail to do so later. The kernel might still load the module for the entity we are asking it for, and this could be slow on some embedded devices. Catch double registration attempts by checking me->n

[PATCH iptables 0/4] iptables: Fix [unsupported revision] for matches/targets after update

2018-03-07 Thread Serhey Popovych
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1147 Testing: tested by reproducing the original issue with and without changes. In short, if a kernel match/target supports more revisions than the current iptables version can configure, the highest possible one is negotiated. If you update iptables to a new version wi

[PATCH iptables 2/4] xtables: Check match/target size vs XT_ALIGN(size) at register time

2018-03-07 Thread Serhey Popovych
Size is known at xtables_register_match()/xtables_register_target() calls: no need to defer it to final registration steps. Signed-off-by: Serhey Popovych --- libxtables/xtables.c | 30 -- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/libxtables/xt

[PATCH iptables 4/4] xtables: Fix rules print/save after iptables update

2018-03-07 Thread Serhey Popovych
Updating iptables from 1.4.x to 1.6.x breaks rules print/save output and causes the rules load after reboot to fail. Here is an example from iptables-save(8) output after the update: -A CHAIN1 -m set [unsupported revision] -j DROP -A CHAIN1 -m set [unsupported revision] -j DROP Similar output could be o

[PATCH iptables 3/4] xtables: Register all match/target revisions supported by us and kernel

2018-03-07 Thread Serhey Popovych
Keep the order of matches by appending them; keep the order between revisions of the same match from most to least recent. All of this keeps xtables_find_match() happy to find the most recent kernel-supported revision in the given order. Apply the same for targets, except prepend targets; order between rev
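The four patches above describe one registration scheme: reject unaligned sizes at register time (2/4), park revisions the kernel does not (yet) support on a pending list and catch double registration (1/4), and order the registered list so that the first hit for a name is the most recent kernel-supported revision (3/4). The following is an added example written for this page, not libxtables code: the `ex_` names, the `EX_ALIGN` stand-in for XT_ALIGN() (8 bytes assumed) and the `ex_kernel_caps` table standing in for the kernel's revision query are all constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: 8-byte alignment, standing in for the kernel's XT_ALIGN(). */
#define EX_ALIGN_BYTES 8u
#define EX_ALIGN(s) (((s) + (EX_ALIGN_BYTES - 1)) & ~(size_t)(EX_ALIGN_BYTES - 1))

/* Hypothetical, cut-down stand-in for struct xtables_match. */
struct ex_match {
    const char *name;
    unsigned int revision;
    size_t size;
    struct ex_match *next;
};

enum ex_reg_result {
    EX_REG_OK = 0,
    EX_REG_PENDING = 1,    /* kernel does not support this revision (yet) */
    EX_REG_DUPLICATE = -1, /* same name and revision already registered */
    EX_REG_BAD_SIZE = -2,  /* size is not EX_ALIGN()ed */
};

/* Constructed stand-in for the kernel's answer to a revision query
 * (real iptables asks via getsockopt()); the numbers are made up. */
static const struct { const char *name; unsigned int max_rev; } ex_kernel_caps[] = {
    { "set", 3 },
    { "conntrack", 1 },
};

static bool ex_kernel_supports(const char *name, unsigned int rev)
{
    for (size_t i = 0; i < sizeof ex_kernel_caps / sizeof ex_kernel_caps[0]; i++)
        if (strcmp(ex_kernel_caps[i].name, name) == 0)
            return rev <= ex_kernel_caps[i].max_rev;
    return false;
}

static bool ex_in_list(const struct ex_match *p, const struct ex_match *m)
{
    for (; p; p = p->next)
        if (strcmp(p->name, m->name) == 0 && p->revision == m->revision)
            return true;
    return false;
}

/* Unsupported revisions go to *pending, not *head. New names are appended
 * (registration order kept); revisions of a known name are inserted from
 * most to least recent, so the first hit for a name is the best one. */
static enum ex_reg_result ex_register_match(struct ex_match **head,
                                            struct ex_match **pending,
                                            struct ex_match *m)
{
    struct ex_match **pp = head;

    if (EX_ALIGN(m->size) != m->size)
        return EX_REG_BAD_SIZE;
    if (ex_in_list(*head, m) || ex_in_list(*pending, m))
        return EX_REG_DUPLICATE;
    if (!ex_kernel_supports(m->name, m->revision)) {
        m->next = *pending;
        *pending = m;
        return EX_REG_PENDING;
    }
    while (*pp && strcmp((*pp)->name, m->name) != 0) /* first entry of this name, or tail */
        pp = &(*pp)->next;
    while (*pp && strcmp((*pp)->name, m->name) == 0 && (*pp)->revision > m->revision)
        pp = &(*pp)->next;                              /* skip newer revisions */
    m->next = *pp;
    *pp = m;
    return EX_REG_OK;
}

/* First hit is the most recent revision the kernel supports. */
static struct ex_match *ex_find_match(struct ex_match *head, const char *name)
{
    for (; head; head = head->next)
        if (strcmp(head->name, name) == 0)
            return head;
    return NULL;
}

/* Constructed scenario: userspace knows "set" revisions 1, 2 and 4 and
 * "conntrack" 1, then tries a duplicate and an unaligned size (30 bytes). */
static int ex_scenario_codes[6];

static unsigned int ex_run_scenario(void)
{
    static struct ex_match set1 = { "set", 1, 16, NULL }, set4 = { "set", 4, 24, NULL },
        set2 = { "set", 2, 16, NULL }, ct1 = { "conntrack", 1, 32, NULL },
        set2_dup = { "set", 2, 16, NULL }, ct2_bad = { "conntrack", 2, 30, NULL };
    struct ex_match *order[] = { &set1, &set4, &set2, &ct1, &set2_dup, &ct2_bad };
    struct ex_match *head = NULL, *pending = NULL, *best;

    for (int i = 0; i < 6; i++)
        ex_scenario_codes[i] = ex_register_match(&head, &pending, order[i]);
    best = ex_find_match(head, "set");
    return best ? best->revision : 0;
}

static int ex_scenario_code(int i) { ex_run_scenario(); return ex_scenario_codes[i]; }

int main(void)
{
    printf("best supported 'set' revision: %u\n", ex_run_scenario());
    for (int i = 0; i < 6; i++)
        printf("registration %d -> %d\n", i, ex_scenario_codes[i]);
    return 0;
}
```

With the constructed kernel table, revision 4 of "set" lands on the pending list, the lookup returns revision 2 (the highest one both sides know), the repeated registration is rejected, and the 30-byte entry is refused before it reaches either list.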

[PATCH nft] src: support for get element command

2018-03-07 Thread Pablo Neira Ayuso
You need a Linux kernel >= 4.15 to use this feature. This patch allows us to dump the content of an existing set. # nft list ruleset table ip x { set x { type ipv4_addr flags interval elements = { 1.1.1.1-2.2.2.2, 3.3.3.3,

[PATCH nft] src: move monitor code to src/monitor.c

2018-03-07 Thread Pablo Neira Ayuso
netlink.c is rather large file, move the monitor code to its own file. Signed-off-by: Pablo Neira Ayuso --- include/netlink.h | 14 + src/Makefile.am | 1 + src/monitor.c | 948 ++ src/netlink.c | 931 +-

Re: [PATCH nft] src: move monitor code to src/monitor.c

2018-03-07 Thread Phil Sutter
On Wed, Mar 07, 2018 at 01:22:21PM +0100, Pablo Neira Ayuso wrote: > netlink.c is rather large file, move the monitor code to its own file. > > Signed-off-by: Pablo Neira Ayuso Acked-by: Phil Sutter -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a m

Re: [PATCH nft] src: move monitor code to src/monitor.c

2018-03-07 Thread Arturo Borrero Gonzalez
On 7 March 2018 at 13:36, Phil Sutter wrote: > On Wed, Mar 07, 2018 at 01:22:21PM +0100, Pablo Neira Ayuso wrote: >> netlink.c is rather large file, move the monitor code to its own file. >> >> Signed-off-by: Pablo Neira Ayuso > > Acked-by: Phil Sutter Acked-by: Arturo Borrero Gonzalez -- To u

[PATCH nft] src: remove unused batch support checks

2018-03-07 Thread Pablo Neira Ayuso
Follow up after cc8c5fd02448 ("netlink: remove non-batching routine"). Signed-off-by: Pablo Neira Ayuso --- include/mnl.h | 2 -- include/netlink.h | 3 --- src/libnftables.c | 2 -- src/mnl.c | 64 --- src/netlink.c | 8 ---

[PATCH] src: don't not dump set content from netlink_get_setelems()

2018-03-07 Thread Pablo Neira Ayuso
This causes python tests to report payload mismatching errors. Fixes: a43cc8d53096 ("src: support for get element command") Signed-off-by: Pablo Neira Ayuso --- src/netlink.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/netlink.c b/src/netlink.c index 2422ea114815..a74dc2551e88 100644

Re: [PATCH iptables 0/4] iptables: Fix [unsupported revision] for matches/targets after update

2018-03-07 Thread Willem de Bruijn
> Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1147 > Testing: tested by reproducing original issue with and without changes > In short if kernel match/target supports more revisions than current > version iptables can configure: highest possible negotiated. > If update iptables to new

[PATCH] support bit shifting operations

2018-03-07 Thread Jack Ma
Hi Florian, I think the code is now much more intuitive after addressing review comments. Both patches should be fairly straightforward :P I am posting it on the mailing list now. Thanks, Jack -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a messa

Re: [PATCH] support bit shifting operations

2018-03-07 Thread Jack Ma
Attached two patches. From ae4b151a8e8f86758aa0a7ac79a6f890c068d73e Mon Sep 17 00:00:00 2001 From: Jack Ma Date: Mon, 12 Feb 2018 13:41:29 +1300 Subject: [PATCH] libxt_CONNMARK: Support bit-shifting for --restore, set and save-mark This patch adds a new feature to iptables that allows bit-shifting

[PATCH nft] tests: shell: autogenerate dump verification

2018-03-07 Thread Laura Garcia Liebana
Complete the automated shell tests with the verification of the test file dump, only for positive tests and if the test execution was successful. It's able to generate the dump file with the -g option. Example: # ./run-tests.sh -g testcases/chains/0001jumps_0 The dump files are generated in the

Re: [PATCH RFC 0/4] net: add bpfilter

2018-03-07 Thread Duncan Roe
On Mon, Feb 19, 2018 at 01:52:18PM +0100, Harald Welte wrote: > Hi Daniel, > > On Mon, Feb 19, 2018 at 01:03:17PM +0100, Daniel Borkmann wrote: > > Hi Harald, > > > > On 02/17/2018 01:11 PM, Harald Welte wrote: > > [...] [...] > It would be an interesting test to see if e.g. docker would run on top

[PATCH nf] netfilter: bridge: ebt_among: add more missing match size checks

2018-03-07 Thread Florian Westphal
ebt_among is special: it has a dynamic match size and is exempt from the central size checks. commit c4585a2823edf ("bridge: ebt_among: add missing match size checks") added validation for pool size, but missed the fact that the macros ebt_among_wh_src/dst can already return an out-of-bound result becaus
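The failure mode described above is a variable-length match whose header carries offsets to sub-tables inside the same blob: a pool-size check is not enough if the offset used to reach the pool was never checked against the match size first. The following added example (written for this page, not the kernel's ebt_among code; the `ex_` structs borrow ebt_among's field names but use a simplified, constructed layout, and the error codes are invented) validates every offset before dereferencing it, then the pool size, then that two tables do not overlap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed layout: a fixed header with two byte offsets, each pointing
 * at a variable-length "wormhash" table inside the same match blob. */
struct ex_tuple { uint32_t ip; unsigned char mac[6]; unsigned char pad[2]; }; /* 12 bytes */
struct ex_wormhash { int32_t poolsize; struct ex_tuple pool[]; };             /* 4 + 12*n */
struct ex_among_info { int32_t wh_dst; int32_t wh_src; uint32_t bitmask; };  /* 12 bytes */

enum { EX_OK = 0, EX_ETOOSHORT = -1, EX_EOFFSET = -2, EX_EPOOL = -3, EX_EOVERLAP = -4 };

/* An offset is unusable if it is negative, lands inside the header, is
 * misaligned for the table type, or leaves no room for the table header.
 * Zero means "table absent". Checked before any dereference. */
static bool ex_wormhash_offset_invalid(int32_t off, size_t match_size)
{
    if (off == 0)
        return false;
    if (off < (int32_t)sizeof(struct ex_among_info))
        return true;
    if ((size_t)off % _Alignof(struct ex_wormhash))
        return true;
    return (size_t)off + sizeof(struct ex_wormhash) > match_size;
}

/* Validate a match blob of match_size bytes without trusting any field. */
static int ex_among_check(const unsigned char *blob, size_t match_size)
{
    struct ex_among_info info;
    int32_t offs[2];
    size_t start[2] = { 0, 0 }, end[2] = { 0, 0 };

    if (match_size < sizeof info)
        return EX_ETOOSHORT;
    memcpy(&info, blob, sizeof info); /* memcpy: the blob may be unaligned */
    offs[0] = info.wh_dst;
    offs[1] = info.wh_src;

    for (int i = 0; i < 2; i++) {
        int32_t poolsize;
        size_t need;

        if (offs[i] == 0)
            continue;
        if (ex_wormhash_offset_invalid(offs[i], match_size))
            return EX_EOFFSET;
        memcpy(&poolsize, blob + offs[i], sizeof poolsize);
        if (poolsize < 0 ||
            (size_t)poolsize > (SIZE_MAX - sizeof(struct ex_wormhash)) / sizeof(struct ex_tuple))
            return EX_EPOOL;
        need = sizeof(struct ex_wormhash) + (size_t)poolsize * sizeof(struct ex_tuple);
        if (need > match_size - (size_t)offs[i]) /* pool must fit in what is left */
            return EX_EPOOL;
        start[i] = (size_t)offs[i];
        end[i] = start[i] + need;
    }
    if (end[0] && end[1] && start[0] < end[1] && start[1] < end[0]) /* tables share bytes */
        return EX_EOVERLAP;
    return EX_OK;
}

/* Build a constructed blob with the given offsets and pool sizes and check
 * it. Tuple contents are zero; only the sizing matters here. */
static int ex_scenario(int32_t wh_dst, int32_t dst_pool,
                       int32_t wh_src, int32_t src_pool, size_t match_size)
{
    unsigned char buf[256];
    struct ex_among_info info = { wh_dst, wh_src, 0 };

    if (match_size > sizeof buf)
        return -99;
    memset(buf, 0, sizeof buf);
    memcpy(buf, &info, sizeof info);
    if (wh_dst > 0 && (size_t)wh_dst + sizeof dst_pool <= sizeof buf)
        memcpy(buf + wh_dst, &dst_pool, sizeof dst_pool);
    if (wh_src > 0 && (size_t)wh_src + sizeof src_pool <= sizeof buf)
        memcpy(buf + wh_src, &src_pool, sizeof src_pool);
    return ex_among_check(buf, match_size);
}
```

`ex_scenario(12, 2, 40, 1, 56)` is a well-formed 56-byte blob; moving the second table to offset 200 fails the offset check before its pool size is ever read, moving it to offset 52 passes the offset check but fails the pool check, and pointing both offsets at 12 is rejected as overlapping. The order of the checks is the point: the pool-size read in the second stage is only safe because the first stage already proved the offset lies inside the blob.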

,Your urgent confirmation

2018-03-07 Thread James Williams
Attn: Beneficiary, We have contacted the Federal Ministry of Finance on your Behalf and they have brought a solution to your problem by coordinating your payment in total (10,000,000.00) Ten Million Dollars in an atm card which you can use to withdraw money from any ATM MACHINE CENTER anywhere in