On Tue, May 29, 2018 at 08:10:53AM +0800, kbuild test robot wrote:
> Hi Máté,
>
> Thank you for the patch! Yet something to improve:
>
> [auto build test ERROR on nf-next/master]
>
> url:
> https://github.com/0day-ci/linux/commits/M-t-Eckl/netfilter-nft-add-support-for-native-socket-matchi
Hi Florian,
I love your patch! Perhaps something to improve:
[auto build test WARNING on nf-next/master]
url:
https://github.com/0day-ci/linux/commits/Florian-Westphal/netfilter-nf_tables-make-get-and-dump-operations-lockless/20180529-071211
base: https://git.kernel.org/pub/scm/linux/kerne
From: Gao Feng
The helper and timeout strings come from user-space, so we need to make
sure they are null terminated. If not, an evil user could make the kernel
read unexpected memory, and even print it when the lookup fails, via the
following code.
pr_info_ratelimited("No such helper \"%s\"\n", helper_name);
From: Pablo Neira Ayuso
Date: Tue, 29 May 2018 01:42:12 +0200
> The following patchset contains Netfilter/IPVS fixes for your net tree:
>
> 1) Null pointer dereference when dumping conntrack helper configuration,
>from Taehee Yoo.
>
> 2) Missing sanitization in ebtables extension name throu
Fixes: 809f719f9b3f ("netfilter: nft: add support for native socket matching")
Signed-off-by: kbuild test robot
---
nft_socket.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c
index 5eb1069..3429a2e 100644
--- a/net
Hi Máté,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on nf-next/master]
url:
https://github.com/0day-ci/linux/commits/M-t-Eckl/netfilter-nft-add-support-for-native-socket-matching/20180529-064304
base: https://git.kernel.org/pub/scm/linux/kernel/git/pabl
Hi Máté,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on nf-next/master]
url:
https://github.com/0day-ci/linux/commits/M-t-Eckl/netfilter-nft-add-support-for-native-socket-matching/20180529-064304
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-n
This patch fixes the following splat.
[118709.054937] BUG: using smp_processor_id() in preemptible [] code:
test/1571
[118709.054970] caller is nft_update_chain_stats.isra.4+0x53/0x97 [nf_tables]
[118709.054980] CPU: 2 PID: 1571 Comm: test Not tainted 4.17.0-rc6+ #335
[...]
[118709.054992
Credit calculations for the packet ratelimiting are not correct, as per
the applied ratelimit of 25/second and burst 8, a total of 33 packets
should have been accepted. This is true in iptables(33) but not in
nftables (~65). For packet ratelimiting, use:
div_u64(limit->nsecs, limit->rate)
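The credit scheme the message above describes, as an added user-space model (example code written for this page, not the nft_limit or xt_limit source and not part of the message): credit is kept in nanoseconds, the bucket holds nsecs * (rate + burst) / rate of it, and each packet is charged div_u64(limit->nsecs, limit->rate). With 25/second and burst 8 that admits exactly 33 packets in an instantaneous burst and then one more every 40 ms. The struct and function names, and the bucket-size formula, are assumptions for this model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NSEC_PER_SEC 1000000000ULL

/* Assumed shape of the limiter state; all credit is measured in ns.
 * The model expects rate >= 1 and unit_secs >= 1. */
struct pkt_limit {
	uint64_t last;		/* time (ns) of the previous evaluation */
	uint64_t tokens;	/* credit available right now */
	uint64_t tokens_max;	/* bucket size: rate + burst packets' worth */
	uint64_t rate;		/* packets per unit */
	uint64_t nsecs;		/* length of the unit, in ns */
	uint32_t burst;
	uint64_t cost;		/* credit charged per packet */
};

static void pkt_limit_init(struct pkt_limit *l, uint64_t rate,
			   uint64_t unit_secs, uint32_t burst, uint64_t now)
{
	l->rate = rate;
	l->nsecs = unit_secs * NSEC_PER_SEC;
	l->burst = burst;
	/* Assumed bucket size: enough credit for rate + burst packets. */
	l->tokens_max = l->nsecs * (rate + burst) / rate;
	l->tokens = l->tokens_max;
	l->last = now;
	/* The point of the fix: one packet costs nsecs / rate, so a full
	 * bucket is worth exactly rate + burst packets. */
	l->cost = l->nsecs / rate;
}

/* Returns true when the packet is over the limit (must not match). */
static bool pkt_limit_over(struct pkt_limit *l, uint64_t now)
{
	uint64_t tokens = l->tokens + (now - l->last);

	if (tokens > l->tokens_max)
		tokens = l->tokens_max;
	l->last = now;

	if (tokens >= l->cost) {
		l->tokens = tokens - l->cost;
		return false;
	}
	l->tokens = tokens;
	return true;
}

/* n packets arriving at the same instant against a fresh limiter:
 * how many are accepted? */
static unsigned int burst_accepted(uint64_t rate, uint32_t burst, unsigned int n)
{
	struct pkt_limit l;
	unsigned int i, accepted = 0;

	pkt_limit_init(&l, rate, 1, burst, 0);
	for (i = 0; i < n; i++)
		if (!pkt_limit_over(&l, 0))
			accepted++;
	return accepted;
}

/* Drain the bucket, then send n packets spaced gap_ns apart: how many
 * get through once only the refill rate is left? */
static unsigned int steady_accepted(uint64_t rate, uint32_t burst,
				    unsigned int n, uint64_t gap_ns)
{
	struct pkt_limit l;
	unsigned int i, accepted = 0;
	uint64_t now = 0;

	pkt_limit_init(&l, rate, 1, burst, now);
	while (!pkt_limit_over(&l, now))	/* empty the bucket at t = 0 */
		;
	for (i = 0; i < n; i++) {
		now += gap_ns;
		if (!pkt_limit_over(&l, now))
			accepted++;
	}
	return accepted;
}

int main(void)
{
	printf("25/second burst 8, 100 packets at once: %u accepted\n",
	       burst_accepted(25, 8, 100));
	printf("then one packet every 10 ms for a second: %u accepted\n",
	       steady_accepted(25, 8, 100, 10 * 1000000ULL));
	return 0;
}
```

The steady-state run shows the other half of the check: once the burst credit is spent, a 1 s stream of 100 packets at 10 ms spacing yields 25 matches, i.e. the configured rate with no residual over-acceptance.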
From: Eric Dumazet
Recent patch forgot to remove nla_data(), upsetting syzkaller a bit.
BUG: KASAN: slab-out-of-bounds in nla_strlcpy+0x13d/0x150 lib/nlattr.c:314
Read of size 1 at addr 8801ad1f4fdd by task syz-executor189/4509
CPU: 1 PID: 4509 Comm: syz-executor189 Not tainted 4.17.0-rc6+
From: Taehee Yoo
The table field in nft_obj_filter is not an array. In order to check
tablename, we should check if the pointer is set.
Test commands:
%nft add table ip filter
%nft add counter ip filter ct1
%nft reset counters
Splat looks like:
[ 306.510504] kasan: CONFIG_KASAN_INLI
From: Julian Anastasov
syzkaller reports a buffer overflow for the interface name
when starting sync daemons [1].
What we do is copy the user structure into a larger stack
buffer, but later we search for the NUL past the stack buffer.
The same happens for sched_name when adding/editing a virtual server.
We
From: Taehee Yoo
When a chain is updated, a counter can be attached. If so,
the nft_counters_enabled should be increased.
test commands:
%nft add table ip filter
%nft add chain ip filter input { type filter hook input priority 4\; }
%iptables-compat -Z input
%nft delete chain ip fil
Hi David,
The following patchset contains Netfilter/IPVS fixes for your net tree:
1) Null pointer dereference when dumping conntrack helper configuration,
from Taehee Yoo.
2) Missing sanitization in ebtables extension name through compat,
from Paolo Abeni.
3) Broken fetch of tracing value
From: Taehee Yoo
In nft_ct_helper_obj_dump(), priv->helper4 is always dereferenced.
But if the family is IPv6, priv->helper6 should be dereferenced.
Steps to reproduce:
#test.nft
table ip6 filter {
ct helper ftp {
type "ftp" protocol tcp
}
From: Paolo Abeni
strlcpy() can't be safely used on a user-space provided string,
as it can try to read beyond the buffer's end, if the latter is
not NULL terminated.
Leveraging the above, syzbot has been able to trigger the following
splat:
BUG: KASAN: stack-out-of-bounds in strlcpy include/li
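The IPVS ifname/sched_name report above, the ebtables strlcpy() report, and the helper/timeout-name check earlier on this page all come down to one rule: a fixed-width string field supplied by userspace need not contain a NUL at all, so anything that scans for one must be bounded by the field width. The following is an added user-space example written for this page (not kernel code and not from any of the patches): a constructed 16-byte name field with no terminator, the over-read strlen() performs on it, a reject-unless-terminated check, and a bounded copy that always leaves the destination terminated. The field width and all function names are assumptions of the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed width of the fixed-size name field userspace hands us. */
#define NAME_FIELD_LEN 16

/* The pattern the reports warn about: strlen()/strlcpy() scan until they
 * hit a NUL, so on a field userspace did not terminate they read past
 * its end into whatever follows it. */
static size_t unbounded_name_len(const char *name)
{
	return strlen(name);
}

/* Bounded check: is there any NUL inside the field at all? */
static bool name_field_terminated(const char *name, size_t field_len)
{
	return memchr(name, '\0', field_len) != NULL;
}

/* Reject-unless-terminated variant (the shape of the helper/timeout name
 * check): refuse the request rather than guess where the string ends. */
static int copy_name_checked(char *dst, size_t dst_len,
			     const char *name, size_t field_len)
{
	size_t n;

	if (!name_field_terminated(name, field_len))
		return -EINVAL;
	n = strnlen(name, field_len);
	if (n >= dst_len)
		return -ENAMETOOLONG;
	memcpy(dst, name, n);
	dst[n] = '\0';
	return 0;
}

/* Copy-and-terminate variant for data that carries its own length (the
 * shape of nla_strlcpy()): never read beyond src_len, always leave dst
 * NUL-terminated, report the source length seen within src_len. */
static size_t copy_bounded_string(char *dst, size_t dst_len,
				  const char *src, size_t src_len)
{
	size_t srclen = strnlen(src, src_len);
	size_t n = srclen;

	if (dst_len == 0)
		return srclen;
	if (n >= dst_len)
		n = dst_len - 1;
	memcpy(dst, src, n);
	dst[n] = '\0';
	return srclen;
}

/* Constructed input: 16 'A's with no NUL, then four more non-NUL bytes
 * and a zero at offset 20, standing in for what sits behind the field. */
static void make_unterminated(char *backing, size_t len)
{
	memset(backing, 'A', len);
	backing[NAME_FIELD_LEN + 4] = '\0';
}

static size_t demo_strlen_overread(void)
{
	char backing[NAME_FIELD_LEN + 8];

	make_unterminated(backing, sizeof(backing));
	return unbounded_name_len(backing);	/* 20: four bytes past the field */
}

static int demo_checked_copy_rejects(void)
{
	char backing[NAME_FIELD_LEN + 8], dst[NAME_FIELD_LEN];

	make_unterminated(backing, sizeof(backing));
	return copy_name_checked(dst, sizeof(dst), backing, NAME_FIELD_LEN);
}

/* 1 if a properly terminated "ftp" is accepted and copied intact. */
static int demo_checked_copy_accepts(void)
{
	const char good[NAME_FIELD_LEN] = "ftp";
	char dst[NAME_FIELD_LEN];

	return copy_name_checked(dst, sizeof(dst), good, NAME_FIELD_LEN) == 0 &&
	       strcmp(dst, "ftp") == 0;
}

/* Bytes left in dst after a bounded copy of the unterminated field: the
 * whole field is consumed, dst is cut to leave room for its terminator. */
static size_t demo_bounded_copy_len(void)
{
	char backing[NAME_FIELD_LEN + 8], dst[NAME_FIELD_LEN];

	make_unterminated(backing, sizeof(backing));
	copy_bounded_string(dst, sizeof(dst), backing, NAME_FIELD_LEN);
	return strlen(dst);			/* 15 */
}

int main(void)
{
	printf("strlen() on the unterminated field: %zu bytes\n", demo_strlen_overread());
	printf("checked copy of it: %d (-EINVAL is %d)\n", demo_checked_copy_rejects(), -EINVAL);
	printf("checked copy of \"ftp\": %s\n", demo_checked_copy_accepts() ? "ok" : "FAIL");
	printf("bounded copy keeps %zu bytes\n", demo_bounded_copy_len());
	return 0;
}
```

Which variant to use depends on the interface: where the request format promises a terminated string, rejecting an unterminated field is the right answer; where the length is carried explicitly (netlink attributes), the bounded copy is the safe primitive and the caller must still validate the resulting name.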
From: Taehee Yoo
In nft_meta_set_eval(), the nftrace value is dereferenced as a u32 from sreg.
But the correct type is u8, so sometimes an incorrect value is dereferenced.
Steps to reproduce:
%nft add table ip filter
%nft add chain ip filter input { type filter hook input priority 4\; }
%nft
Hello,
syzbot found the following crash on:
HEAD commit: 861d9dd37526 Merge tag 'kbuild-fixes-v4.17-2' of git://git..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10bffd0f80
kernel config: https://syzkaller.appspot.com/x/.config?x=982e2df1b9e60b02
da
Perform incremental tracking on rule cache updates, instead of flushing
and resynchronizing with the kernel over and over again.
Note that there is no need to call flush_rule_cache() from
nft_rule_delete() and nft_rule_delete_num(), since __nft_rule_del()
already deletes the rule from the list.
S
Otherwise, flush commands on not-yet-initialized basechains hit ENOENT.
Signed-off-by: Pablo Neira Ayuso
---
v2: no changes.
iptables/nft.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/iptables/nft.c b/iptables/nft.c
index 03a9f29df0ee..ec9dd13b4031 100644
--- a/iptables/nft.c
+++ b/i
We cannot assume iptables-restore files always come with explicit
basechain definition, eg.
:PREROUTING ACCEPT
incremental ruleset updates may deliberately skip this.
But loading basechains over and over again can take time, so do it just
once per batch.
Signed-off-by: Pablo Neira Ayuso
---
v2
So we don't have to dump the chain cache content over and over again.
Moreover, perform incremental updates on the chain cache to add and to
delete non-base chains.
Signed-off-by: Pablo Neira Ayuso
---
v2: no changes.
iptables/nft.c | 82 -
We cannot assume iptables-restore files always come with explicit
basechain definition, eg.
:PREROUTING ACCEPT
incremental ruleset updates may deliberately skip this.
Signed-off-by: Pablo Neira Ayuso
---
iptables/nft.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/iptables/nft.c b/ipta
Applied with changes, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Applied with changes, thanks.
This patch allows adding, listing and deleting connection tracking timeout
policies via the nft objref infrastructure and assigning these timeouts
via an nft rule.
Ruleset:
table ip raw {
ct timeout cttime {
protocol tcp
established 111 close 13
l3proto ip
}
chain output {
On Tue, May 29, 2018 at 01:15:27AM +0900, Taehee Yoo wrote:
> The comment and trace_loginfo are not used anymore.
Applied, thanks.
On Sun, May 27, 2018 at 11:21:31AM +0200, Florian Westphal wrote:
> harmless, but it avoids sparse warnings:
>
> nf_tables_api.c:2813:16: warning: incorrect type in return expression
> (different base types)
> nf_tables_api.c:2863:47: warning: incorrect type in argument 3 (different
> base types
On Sun, May 27, 2018 at 11:24:34AM +0200, Florian Westphal wrote:
> abort batch processing and return so task can exit faster.
> Otherwise even SIGKILL has no immediate effect.
Applied, thanks.
On Tue, May 29, 2018 at 12:50:55AM +0200, Pablo Neira Ayuso wrote:
> On Sun, May 27, 2018 at 11:31:46AM +0200, Florian Westphal wrote:
> > This callback just fetches the current base sequence,
> > there is no need to serialize this with nfnl nft mutex.
>
> Series applied, thanks!
For the record:
Pablo Neira Ayuso writes:
> On Mon, May 28, 2018 at 04:27:46PM +0200, Toke Høiland-Jørgensen wrote:
> [...]
>> diff --git a/net/netfilter/core.c b/net/netfilter/core.c
>> index 0f6b8172fb9a..520565198f0e 100644
>> --- a/net/netfilter/core.c
>> +++ b/net/netfilter/core.c
>> @@ -572,6 +572,27 @@ vo
On Sun, May 27, 2018 at 11:20:48AM +0200, Florian Westphal wrote:
> Just use .call_rcu instead. We can drop the rcu read lock
> after obtaining a reference and re-acquire on return.
Applied, thanks Florian.
On Sun, May 27, 2018 at 11:31:46AM +0200, Florian Westphal wrote:
> This callback just fetches the current base sequence,
> there is no need to serialize this with nfnl nft mutex.
Series applied, thanks!
On Thu, May 24, 2018 at 01:17:28PM +0200, Florian Westphal wrote:
> Instead of using extra modules for these, turn the config options into
> an implicit dependency that adds masq feature to the protocol specific nf_nat
> module.
Applied, thanks Florian.
On Thu, May 24, 2018 at 01:17:29PM +0200, Florian Westphal wrote:
> Similar to previous patch, this time, merge redirect+nat.
> The redirect module is just 2k in size, get rid of it and make
> redirect part available from the nat core.
Also applied, thanks.
On Sun, May 27, 2018 at 06:39:01PM +0530, Arushi Singhal wrote:
> There is a difference between error messages in iptables and
> iptables-compat:
>
> #sudo iptables-compat -D INPUT 4
> iptables: No chain/target/match by that name.
>
> #sudo iptables -D INPUT 4
> iptables: Index of deletion too bi
On Sat, May 26, 2018 at 09:48:53AM +, Wei Yongjun wrote:
> Fixes the following sparse warning:
>
> net/netfilter/nf_nat_core.c:1039:20: warning:
> symbol 'nat_hook' was not declared. Should it be static?
Applied, thanks.
On Mon, May 28, 2018 at 09:03:47AM +0200, Máté Eckl wrote:
> Is it okay now Pablo? You were right, those forward declarations became
> unnecessary.
It's fine.
Applied, thanks.
This patch series adds the CAKE qdisc, and has been split up to ease
review.
I have attempted to split out each configurable feature into its own patch.
The first commit adds the base shaper and packet scheduler, while
subsequent commits add the optional features. The full userspace API and
most d
When CAKE is deployed on a gateway that also performs NAT (which is a
common deployment mode), the host fairness mechanism cannot distinguish
internal hosts from each other, and so fails to work correctly.
To fix this, we add an optional NAT awareness mode, which will query the
kernel conntrack me
On Tue, May 29, 2018 at 01:13:45AM +0900, Taehee Yoo wrote:
> The table of nft_obj_filter is not an array.
> So, in order to check the tablename, we should use the pointer to it.
>
> test commands:
>
>%nft add table ip filter
>%nft add counter ip filter ct1
>%nft reset counters
Applied, thank
This adds a global netfilter function to extract a conntrack tuple from an
skb. The function uses a new function added to nf_ct_hook, which will try
to get the tuple from skb->_nfct, and do a full lookup if that fails. This
makes it possible to use the lookup function before the skb has passed
thro
On Fri, May 25, 2018 at 12:25:48AM +0200, Florian Westphal wrote:
> synchronize_rcu() is expensive.
>
> The commit phase currently enforces an unconditional
> synchronize_rcu() after incrementing the generation counter.
>
> This is to make sure that a packet always sees a consistent chain, either
On Tue, May 29, 2018 at 01:14:12AM +0900, Taehee Yoo wrote:
> When a chain is updated, a counter can be attached. If so,
> the nft_counters_enabled should be increased.
>
> test commands:
>
>%nft add table ip filter
>%nft add chain ip filter input { type filter hook input priority 4\; }
>
Pablo Neira Ayuso writes:
> On Mon, May 28, 2018 at 04:27:46PM +0200, Toke Høiland-Jørgensen wrote:
>> When CAKE is deployed on a gateway that also performs NAT (which is a
>> common deployment mode), the host fairness mechanism cannot distinguish
>> internal hosts from each other, and so fails t
On Mon, May 28, 2018 at 06:07:29PM +0200, Alin Nastac wrote:
> Signed-off-by: Alin Nastac
> ---
> include/linux/netfilter_bridge/ebt_limit.h | 4
> include/linux/netfilter_bridge/ebt_mark_m.h | 5 +
> include/linux/netfilter_bridge/ebt_mark_t.h | 4
> 3 files changed, 13 insertions
On Mon, May 28, 2018 at 04:27:46PM +0200, Toke Høiland-Jørgensen wrote:
> When CAKE is deployed on a gateway that also performs NAT (which is a
> common deployment mode), the host fairness mechanism cannot distinguish
> internal hosts from each other, and so fails to work correctly.
>
> To fix thi
On Mon, May 28, 2018 at 04:27:46PM +0200, Toke Høiland-Jørgensen wrote:
[...]
> diff --git a/net/netfilter/core.c b/net/netfilter/core.c
> index 0f6b8172fb9a..520565198f0e 100644
> --- a/net/netfilter/core.c
> +++ b/net/netfilter/core.c
> @@ -572,6 +572,27 @@ void nf_conntrack_destroy(struct nf_con
iptables-restore < /tmp/bogus
iptables-restore v1.6.2: iptables-restore:
line 49: RULE_APPEND failed (No such file or directory): rule in chain FOOBAR
line 2023: RULE_APPEND failed (Invalid argument): rule in chain TESTSNAT
This is a followup commit to 437746c7b528f ("xtables: extended error
repo
It's the same as omitting it, so instead of generating an
invalid compare-with-0-sized-register, just ignore it.
Reported-by: Pablo Neira Ayuso
Signed-off-by: Florian Westphal
---
iptables/nft-shared.c | 14 --
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/iptables/nft-share
Otherwise, flush commands on not-yet-initialized basechains hit ENOENT.
Signed-off-by: Pablo Neira Ayuso
---
iptables/nft.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/iptables/nft.c b/iptables/nft.c
index 3cfd23c7cdab..851073fb4a44 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@
So we don't have to dump the chain cache content over and over again.
Moreover, perform incremental updates on the chain cache to add and to
delete non-base chains.
Signed-off-by: Pablo Neira Ayuso
---
iptables/nft.c | 82 --
iptables/nft.h
Allow to add rule object before any existing rule.
Signed-off-by: Pablo Neira Ayuso
---
include/libnftnl/rule.h | 1 +
src/libnftnl.map| 4
src/rule.c | 6 ++
3 files changed, 11 insertions(+)
diff --git a/include/libnftnl/rule.h b/include/libnftnl/rule.h
index 947
When parsing the optional "field" property, use return code of
json_unpack() directly to check if it was present or not.
Signed-off-by: Phil Sutter
---
src/parser_json.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/parser_json.c b/src/parser_json.c
index f3d2c0f1d
While writing JSON schema documentation, a number of ugly/broken bits
were identified which this series addresses in patches 1-7.
Patches 8-11 contain some fixes and improvements to parser_json.c which
don't change the schema.
Patches 12, 13 and 14 contain fixes for JSON part of tests/py,
identif
Property name "helper" was a bit unclear, "type" is better.
Signed-off-by: Phil Sutter
---
src/json.c| 2 +-
src/parser_json.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/json.c b/src/json.c
index e458eb3e4bdd8..1b73b919d5df2 100644
--- a/src/json.c
+++ b
Concat expressions with just a single element don't make sense, so
there's no point in supporting a shorter syntax for this.
Signed-off-by: Phil Sutter
---
src/parser_json.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/parser_json.c b/src/parser_json.c
index 993368f
Fix parsing and printing of named limit objects by aligning the code
with parser/printer of anonymous ones.
Signed-off-by: Phil Sutter
---
src/json.c| 43 -
src/parser_json.c | 49 ++-
2 files changed, 48
Signed-off-by: Phil Sutter
---
tests/py/inet/tcp.t.json | 16
1 file changed, 16 insertions(+)
diff --git a/tests/py/inet/tcp.t.json b/tests/py/inet/tcp.t.json
index 559206dfd323f..f5df72aa252a6 100644
--- a/tests/py/inet/tcp.t.json
+++ b/tests/py/inet/tcp.t.json
@@ -1021,6 +102
Change name of NFT_OBJECT_CT_HELPER in objref_type table to "ct helper"
for consistency. Note that this is not used in regular nft output since
objref_stmt_print() treats this object type separately.
Signed-off-by: Phil Sutter
---
src/parser_json.c | 2 +-
src/statement.c| 2
This adds the missing JSON variant for the two rules which are supposed
to work.
Fixes: 2efbdf7b8fcf7 ("tests: py: allow to specify sets with a timeout")
Signed-off-by: Phil Sutter
---
tests/py/inet/sets.t.json | 37 +
1 file changed, 37 insertions(+)
create
Meter name being optional seems to come from old flow statement, so
don't support this. Also add size support as was recently added to
standard syntax.
Signed-off-by: Phil Sutter
---
src/json.c| 5 +++--
src/parser_json.c | 11 ++-
2 files changed, 9 insertions(+), 7 deletions(-
Signed-off-by: Phil Sutter
---
src/parser_json.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/parser_json.c b/src/parser_json.c
index bd1c0a04993c8..432991fa152d4 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -951,7 +951,7 @@ static struct expr *json_parse_p
First of all, don't print the position property when listing rules. This
was there only because libnftnl JSON output has it too, but since the
preferred way to *add* a rule at some location is via 'handle' keyword,
keeping "position" in output would be non-intuitive. Changing "position"
property na
The key must be a set elem expression, but if a "regular" expression was
provided (which should be commonly accepted in case no set elem specific
properties are required), the resulting object tree crashed libnftables.
Signed-off-by: Phil Sutter
---
src/parser_json.c | 4 ++--
1 file changed, 2
Commit 71624f25f22b1 ("tests: py: add expires tests with different time
bases") removed two testcases and added five other ones, adjust JSON
equivalent and recorded output to those changes.
Fixes: 71624f25f22b1 ("tests: py: add expires tests with different time bases")
Signed-off-by: Phil Sutter
Since an explicit "immediate" expression doesn't exist in JSON (the
values are represented as plain JSON string/integer/boolean types),
there is no need for json_parse_immediate_expr() to comply to the common
expression parser parameter format.
Apart from that:
* Drop CTX_F_RHS checks - caller as
* There is no need to prefix element-specific properties with 'elem_',
they can't conflict.
* In json_parse_set_stmt(), searching for above properties is pointless
since that's already done by called function.
* Fix potential NULL-pointer deref in json_parse_set_elem_expr_stmt():
json_parse_f
Taehee Yoo wrote:
> The table of nft_obj_filter is not an array.
> So, in order to check the tablename, we should use the pointer to it.
>
> test commands:
>
>%nft add table ip filter
>%nft add counter ip filter ct1
>%nft reset counters
Fixes: e46abbcc05aa8 ("netfilter: nf_tables: Allow tabl
Taehee Yoo wrote:
> The comment and trace_loginfo are not used anymore.
Indeed, thanks for fixing this up.
Acked-by: Florian Westphal
The comment and trace_loginfo are not used anymore.
Signed-off-by: Taehee Yoo
---
net/netfilter/nf_tables_core.c | 16
1 file changed, 16 deletions(-)
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index d457d85..a1b93fa 100644
--- a/net/netfilter/
When a chain is updated, a counter can be attached. If so,
the nft_counters_enabled should be increased.
test commands:
%nft add table ip filter
%nft add chain ip filter input { type filter hook input priority 4\; }
%iptables-compat -Z input
%nft delete chain ip filter input
we can s
The table of nft_obj_filter is not an array.
So, in order to check the tablename, we should use the pointer to it.
test commands:
%nft add table ip filter
%nft add counter ip filter ct1
%nft reset counters
we can see below messages:
[ 306.510504] kasan: CONFIG_KASAN_INLINE enabled
[ 306.51618
Alin Nastac wrote:
What's wrong exactly?
64bit kernel should be able to understand this without
userspace kludges (see net/bridge/netfilter/ebt_mark_m.c,
mark_mt_compat_from_user()).
Signed-off-by: Alin Nastac
---
include/linux/netfilter_bridge/ebt_limit.h | 4
include/linux/netfilter_bridge/ebt_mark_m.h | 5 +
include/linux/netfilter_bridge/ebt_mark_t.h | 4
3 files changed, 13 insertions(+)
diff --git a/include/linux/netfilter_bridge/ebt_limit.h
b/include/l
Hi,
On Mon, May 28, 2018 at 03:59:39PM +0200, Florian Westphal wrote:
> Phil Sutter wrote:
> > A meter size of 0x is the default, so regardless of whether it was
> > explicitly specified by user or not, don't print it. This is in line
> > with nft's tendency of shortening rules down to the mi
Máté Eckl wrote:
> > +const struct socket_template socket_templates[] = {
> > + [NFT_SOCKET_TRANSPARENT]= {.token = "transparent",
> > + .dtype = &integer_type,
> > + .len = 1 * BITS_PER_BYTE,
>
> I wanted to use
> +const struct socket_template socket_templates[] = {
> + [NFT_SOCKET_TRANSPARENT]= {.token = "transparent",
> +.dtype = &integer_type,
> +.len = 1 * BITS_PER_BYTE,
I wanted to use len = 1 here to only mak
For now it can only match sockets with IP(V6)_TRANSPARENT socket option
set.
Example:
table inet sockin {
chain sockchain {
type filter hook prerouting priority -150; policy accept;
socket transparent 1 mark set 0x0001 nftrace set 1 counter
packets 0 by
This adds a callback to netfilter to extract a conntrack tuple from an skb
that works before the _nfct skb field has been initialised (e.g., in an
ingress qdisc). The tuple is copied to the caller to avoid issues with
reference counting.
The callback will return false when conntrack is not loaded,
Phil Sutter wrote:
> A meter size of 0x is the default, so regardless of whether it was
> explicitly specified by user or not, don't print it. This is in line
> with nft's tendency of shortening rules down to the minimal required
> form.
I think it should be printed to not depend on future ve
A meter size of 0x is the default, so regardless of whether it was
explicitly specified by user or not, don't print it. This is in line
with nft's tendency of shortening rules down to the minimal required
form.
While being at it, clean things up a bit:
- Introduce a macro to hold the default s
While writing JSON schema documentation, a number of ugly/broken bits
were identified which this series addresses in patches 1-7.
Patches 8-11 contain some fixes and improvements to parser_json.c which
don't change the schema.
Patches 12 and 13 contain fixes for JSON part of tests/py, identified