Hi all,
Using nftables to control the traffic flow on an IP address has
succeeded on my Linux PC, then I ported the same
nft script to another Linux-like system called OpenWrt. Unfortunately, it
failed. Is there any conflict between iptables and nftables? Or
it needs some other
Signed-off-by: Fernando Fernandez Mancera
---
net/netfilter/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index e57c9d479503..a5b60e6a983e 100644
--- a/net/netfilter/Kconfig
+++
On Tue 15 May 2018 at 18:25, Jamal Hadi Salim wrote:
> On 14/05/18 04:46 PM, Vlad Buslov wrote:
>>
>> On Mon 14 May 2018 at 18:03, Jamal Hadi Salim wrote:
>>> On 14/05/18 10:27 AM, Vlad Buslov wrote:
>
>
>> Hello Jamal,
>>
>> I'm trying to run tdc, but
On 14/05/18 04:46 PM, Vlad Buslov wrote:
On Mon 14 May 2018 at 18:03, Jamal Hadi Salim wrote:
On 14/05/18 10:27 AM, Vlad Buslov wrote:
Hello Jamal,
I'm trying to run tdc, but keep getting following error even on clean
branch without my patches:
Vlad, not sure if you
Geert Uytterhoeven wrote:
> On Tue, May 8, 2018 at 9:17 AM, Florian Westphal wrote:
> > Stephen Rothwell wrote:
> >> On Mon, 7 May 2018 10:55:19 +1000 Stephen Rothwell
> >> wrote:
> >> >
> >> > After merging
Bridge family allows reject statement in prerouting and input chains
only. Users can't know without looking at kernel code.
Signed-off-by: Phil Sutter
---
doc/nft.xml | 4
1 file changed, 4 insertions(+)
diff --git a/doc/nft.xml b/doc/nft.xml
index
On Sat, May 05, 2018 at 07:37:33AM -0500, Eric W. Biederman wrote:
> Christoph Hellwig writes:
>
> > The whole seq_file sequence already operates under a single RCU lock pair,
> > so move the pid namespace lookup into it, and stop grabbing a reference
> > and remove all kinds of
On Mon, Apr 30, 2018 at 02:19:25PM +0100, David Howells wrote:
> Christoph Hellwig wrote:
>
> > +
> > +struct proc_dir_entry *proc_create_seq_data(const char *name, umode_t mode,
> > + struct proc_dir_entry *parent, const struct seq_operations *ops,
> > + void
On Sat, May 05, 2018 at 07:51:18AM -0500, Eric W. Biederman wrote:
> Christoph Hellwig writes:
>
> > Use remove_proc_subtree to remove the whole subtree on cleanup, and
> > unwind the registration loop into individual calls. Switch to use
> > proc_create_seq where applicable.
>
>
On Sun, May 06, 2018 at 08:19:49PM +0300, Alexey Dobriyan wrote:
> On Wed, Apr 25, 2018 at 05:47:47PM +0200, Christoph Hellwig wrote:
> > Changes since V1:
> > - open code proc_create_data to avoid setting not fully initialized
> >   entries live
> > - use unsigned int for state_size
>
> Need
On Thu, Apr 26, 2018 at 11:45:50AM +1000, Finn Thain wrote:
> >
> > -/*
> > - * /proc/nubus stuff
> > - */
> > -
>
> I don't think that the introduction of proc_create_single{,_data} alters
> the value of that comment. That comment and similar comments in the same
> file do have a purpose,
A validate callback is called just before calling a ->commit callback.
If it fails, ->abort is called.
Signed-off-by: Taehee Yoo
---
net/netfilter/nfnetlink.c | 13 +
1 file changed, 13 insertions(+)
diff --git a/net/netfilter/nfnetlink.c
After this patch, nft_chain_validate_dependency and
nft_chain_validate_hooks use the chain information array,
so that these functions can validate both basechain and non-basechain.
Now expr->ops->validate should be called in the nf_tables_validate because
that uses chain information that is
This patch adds a validate callback to the nfnetlink_subsystem.
It validates type and hook of both basechain and non-basechain.
To validate type and hook, it constructs chain information array.
Like loop detection routine, validator travels each rules and sets
then marks type and hook value to the
The struct nft_af_info was removed.
Signed-off-by: Taehee Yoo
---
include/net/netns/nftables.h | 2 --
1 file changed, 2 deletions(-)
diff --git a/include/net/netns/nftables.h b/include/net/netns/nftables.h
index 4813435..29c3851 100644
--- a/include/net/netns/nftables.h
Non-basechain rulesets can't be validated,
because only a basechain has the type and hooknum information.
So the common validation functions (nft_chain_validate_hooks,
nft_chain_validate_dependency) skip non-basechain rulesets.
As a result, a null-ptr exception can occur.
Steps to reproduce :
%nft
This patch prepares for next patches.
The nft_chain_validate_hooks and
nft_chain_validate_dependency are going to use both net and nft_chain.
Signed-off-by: Taehee Yoo
---
include/net/netfilter/nf_tables.h| 4 ++--
net/bridge/netfilter/nft_reject_bridge.c | 4 ++--
Tue, May 15, 2018 at 01:41:45PM CEST, vla...@mellanox.com wrote:
>
>On Tue 15 May 2018 at 11:39, Jiri Pirko wrote:
>> Tue, May 15, 2018 at 01:32:51PM CEST, vla...@mellanox.com wrote:
>>>
>>>On Tue 15 May 2018 at 11:24, Jiri Pirko wrote:
Mon, May 14, 2018
On Tue 15 May 2018 at 08:58, Jiri Pirko wrote:
> Mon, May 14, 2018 at 08:49:07PM CEST, vla...@mellanox.com wrote:
>>
>>On Mon 14 May 2018 at 16:23, Jiri Pirko wrote:
>>> Mon, May 14, 2018 at 04:27:06PM CEST, vla...@mellanox.com wrote:
Without rtnl lock
Tue, May 15, 2018 at 01:32:51PM CEST, vla...@mellanox.com wrote:
>
>On Tue 15 May 2018 at 11:24, Jiri Pirko wrote:
>> Mon, May 14, 2018 at 04:27:08PM CEST, vla...@mellanox.com wrote:
>>>Change action API to assume that action init function always takes
>>>reference to action,
Mon, May 14, 2018 at 04:27:08PM CEST, vla...@mellanox.com wrote:
>Change action API to assume that action init function always takes
>reference to action, even when overwriting existing action. This is
>necessary because action API continues to use action pointer after init
>function is done. At
Hi Florian,
On Tue, May 8, 2018 at 9:17 AM, Florian Westphal wrote:
> Stephen Rothwell wrote:
>> On Mon, 7 May 2018 10:55:19 +1000 Stephen Rothwell
>> wrote:
>> >
>> > After merging the netfilter-next tree, today's linux-next build
Move the nf_ct_destroy indirection to the struct nf_ct_hook.
Signed-off-by: Pablo Neira Ayuso
---
v2: Place struct nf_ct_hook declaration after forward declaration of struct
nf_conn and enum ip_conntrack_info as this will avoid compilation problems
one the new update
Move decode_session() and parse_nat_setup_hook() indirections to struct
nf_nat_hook structure.
Signed-off-by: Pablo Neira Ayuso
---
v2: place __rcu before nf_nat_hook in its definition to calm down sparse
warning, it seems sparse is sensible to the position where we
In nfqueue, two consecutive skbuffs may race to create the conntrack
entry. Hence, the one that loses the race gets dropped due to clash in
the insertion into the hashes from the nf_conntrack_confirm() path.
This patch adds a new nf_conntrack_update() function which searches for
possible clashes
On Tue, May 15, 2018 at 11:37:56AM +0200, Phil Sutter wrote:
> The initial approach of keeping as much of lex/yacc-specific data
> local to the relevant parsing routines was flawed in that input
> descriptors which parsed commands' location information points at were
> freed after parsing (in
The initial approach of keeping as much of lex/yacc-specific data
local to the relevant parsing routines was flawed in that input
descriptors which parsed commands' location information points at were
freed after parsing (in scanner_destroy()) although they were required
later for error reporting
On Tue 15 May 2018 at 09:03, Jiri Pirko wrote:
> Mon, May 14, 2018 at 09:07:06PM CEST, vla...@mellanox.com wrote:
>>
>>On Mon 14 May 2018 at 16:47, Jiri Pirko wrote:
>>> Mon, May 14, 2018 at 04:27:07PM CEST, vla...@mellanox.com wrote:
>>>
>>> [...]
>>>
>>>
Mon, May 14, 2018 at 09:07:06PM CEST, vla...@mellanox.com wrote:
>
>On Mon 14 May 2018 at 16:47, Jiri Pirko wrote:
>> Mon, May 14, 2018 at 04:27:07PM CEST, vla...@mellanox.com wrote:
>>
>> [...]
>>
>>
>>>+static int tcf_action_del_1(struct net *net, char *kind, u32 index,
>>>+
Mon, May 14, 2018 at 08:49:07PM CEST, vla...@mellanox.com wrote:
>
>On Mon 14 May 2018 at 16:23, Jiri Pirko wrote:
>> Mon, May 14, 2018 at 04:27:06PM CEST, vla...@mellanox.com wrote:
>>>Without rtnl lock protection it is no longer safe to use pointer to tc
>>>action without
Mon, May 14, 2018 at 08:03:20PM CEST, j...@mojatatu.com wrote:
>On 14/05/18 10:27 AM, Vlad Buslov wrote:
>> Currently, all netlink protocol handlers for updating rules, actions and
>> qdiscs are protected with single global rtnl lock which removes any
>> possibility for parallelism. This patch set