Re: [PATCH nf-next,v2] netfilter: nft_fwd_netdev: allow to forward packets via neighbour layer

2018-05-31 Thread kbuild test robot
Hi Pablo, I love your patch! Perhaps something to improve: [auto build test WARNING on nf/master] [also build test WARNING on v4.17-rc7 next-20180531] [if your patch is applied to the wrong git tree, please drop us a note to help improve the system] url: https://github.com/0day-ci/linux

Re: [PATCH v2 nf-next] netfilter: nft: add support for native socket matching

2018-05-31 Thread kbuild test robot
Hi Máté, Thank you for the patch! Yet something to improve: [auto build test ERROR on nf-next/master] url: https://github.com/0day-ci/linux/commits/M-t-Eckl/netfilter-nft-add-support-for-native-socket-matching/20180601-080238 base:

Handling of EPROTONOSUPPORT in ebtables breaking Ubuntu 18.04 apt-get upgrade

2018-05-31 Thread Hayden Barnes
I wanted to bring bug 1259 to the attention of the listserv. This is my first bug report filed with netfilter. In brief: ebtables is returning a permissions error when checking EPROTONOSUPPORT. This breaks the stop script when upgrading ebtables and prevents the upgrade. Ubuntu has worked

Respond for Confirmation.

2018-05-31 Thread Mr Mikhail Fridman
Charitable Donation for you, Respond for further directives. Mr. Mikhail Fridman --- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to

Re: [PATCH nft] netlink: Print value sizes on Relational expression size mismatch

2018-05-31 Thread Florian Westphal
Máté Eckl wrote: > On Thu, May 31, 2018 at 08:39:35PM +0200, Florian Westphal wrote: > > Máté Eckl wrote: > > > On Thu, May 31, 2018 at 04:48:58PM +0200, Pablo Neira Ayuso wrote: > > > > On Thu, May 31, 2018 at 01:42:17PM +0200, Máté Eckl wrote: > > > > > On Thu, May 31, 2018 at 10:57:49AM

Re: [PATCH nft] netlink: Print value sizes on Relational expression size mismatch

2018-05-31 Thread Máté Eckl
On Thu, May 31, 2018 at 08:39:35PM +0200, Florian Westphal wrote: > Máté Eckl wrote: > > On Thu, May 31, 2018 at 04:48:58PM +0200, Pablo Neira Ayuso wrote: > > > On Thu, May 31, 2018 at 01:42:17PM +0200, Máté Eckl wrote: > > > > On Thu, May 31, 2018 at 10:57:49AM +0200, Pablo Neira Ayuso wrote: >

Re: [PATCH nft] netlink: Print value sizes on Relational expression size mismatch

2018-05-31 Thread Florian Westphal
Máté Eckl wrote: > On Thu, May 31, 2018 at 04:48:58PM +0200, Pablo Neira Ayuso wrote: > > On Thu, May 31, 2018 at 01:42:17PM +0200, Máté Eckl wrote: > > > On Thu, May 31, 2018 at 10:57:49AM +0200, Pablo Neira Ayuso wrote: > > > > > I just wanted to make sure that the only accepted values are 0

[PATCH nf-next 2/3] netfilter: nf_conncount: expose connection list interface

2018-05-31 Thread Pablo Neira Ayuso
This patch provides an interface to maintain the list of connections and the lookup function to obtain the number of connections in the list. Signed-off-by: Pablo Neira Ayuso --- v2: pass cache name to nf_conncount_cache_alloc() as parameter. include/net/netfilter/nf_conntrack_count.h | 15

[PATCH nf-next 3/3] netfilter: nf_tables: add connlimit support

2018-05-31 Thread Pablo Neira Ayuso
This feature allows you to limit the maximum number of connections per arbitrary key. The connlimit expression is stateful, therefore it can be used from meters to dynamically populate a set; this provides a mapping to the iptables' connlimit match. This patch also comes that allows you

[PATCH nf-next 1/3] netfilter: nf_tables: pass context to object destroy indirection

2018-05-31 Thread Pablo Neira Ayuso
Signed-off-by: Pablo Neira Ayuso --- v2: no changes. include/net/netfilter/nf_tables.h | 3 ++- net/netfilter/nf_tables_api.c | 12 ++-- net/netfilter/nft_counter.c | 3 ++- net/netfilter/nft_ct.c| 3 ++- 4 files changed, 12 insertions(+), 9 deletions(-) diff

[PATCH v3 nft] Introduce socket matching

2018-05-31 Thread Máté Eckl
For now it can only match sockets with IP(V6)_TRANSPARENT socket option set. Example: table inet sockin { chain sockchain { type filter hook prerouting priority -150; policy accept; socket transparent 1 mark set 0x0001 nftrace set 1 counter packets 9

Re: [PATCH nft] netlink: Print value sizes on Relational expression size mismatch

2018-05-31 Thread Máté Eckl
On Thu, May 31, 2018 at 04:48:58PM +0200, Pablo Neira Ayuso wrote: > On Thu, May 31, 2018 at 01:42:17PM +0200, Máté Eckl wrote: > > On Thu, May 31, 2018 at 10:57:49AM +0200, Pablo Neira Ayuso wrote: > > > > I just wanted to make sure that the only accepted values are 0 and 1 > > > > and I > > > >

Re: [PATCH nft] netlink: Print value sizes on Relational expression size mismatch

2018-05-31 Thread Pablo Neira Ayuso
On Thu, May 31, 2018 at 04:48:58PM +0200, Pablo Neira Ayuso wrote: > On Thu, May 31, 2018 at 01:42:17PM +0200, Máté Eckl wrote: > > On Thu, May 31, 2018 at 10:57:49AM +0200, Pablo Neira Ayuso wrote: > > > > I just wanted to make sure that the only accepted values are 0 and 1 > > > > and I > > > >

Re: [PATCH nft] netlink: Print value sizes on Relational expression size mismatch

2018-05-31 Thread Pablo Neira Ayuso
On Thu, May 31, 2018 at 01:42:17PM +0200, Máté Eckl wrote: > On Thu, May 31, 2018 at 10:57:49AM +0200, Pablo Neira Ayuso wrote: > > > I just wanted to make sure that the only accepted values are 0 and 1 and I > > > didn't find other way to provide this check. > > > > You can reject this from the

[PATCH nf-next 3/3] netfilter: nf_tables: add connlimit support

2018-05-31 Thread Pablo Neira Ayuso
This patch adds the connlimit expression and object, which allows you to limit the maximum number of connections. The expression is stateful, hence it can be used from meters to dynamically populate a set, to achieve equivalent behaviour to iptables' connlimit match. Signed-off-by: Pablo
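As an added illustration of the connlimit expression described in this patch and in its v2 above (not code from the patch or from the nftables project): the ruleset below uses the `ct count over N` syntax that the feature ended up with in released nftables, used inside a dynamic set update instead of a meter. I am assuming that syntax here; it may differ from what the userspace side looked like at the time of this submission. The table name `filter`, the set name `ssh_conn`, the port and the limit of 20 are my own choices, and the iptables rule in the comment is the connlimit match this corresponds to.

```nft
# Added example, not part of the patch: cap concurrent connections per source
# address on TCP/22. The iptables equivalent this maps to is
#   iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 20 -j REJECT
# Syntax assumed from released nftables (ct count over N); names are arbitrary.
table inet filter {
    # Dynamic set populated by the rule below. The element key is the
    # "arbitrary key" of the commit message; here it is the source address.
    set ssh_conn {
        type ipv4_addr
        size 65535
        flags dynamic
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Only new connections are evaluated. "ct count over 20" is the
        # stateful connlimit expression attached to the set element, so each
        # source address gets its own count of tracked connections.
        tcp dport 22 ct state new add @ssh_conn { ip saddr ct count over 20 } counter reject with tcp reset
    }
}
```

Load it with `nft -f` and inspect the tracked keys with `nft list set inet filter ssh_conn`. Two caveats a practitioner should keep in mind: the count is the number of conntrack entries sharing the key, so it is only as accurate as conntrack (untracked or already-expired flows are not counted, and it limits concurrency, not connection rate); and a `meter` statement, which the commit message also mentions, expresses the same thing with older syntax (`meter ssh_conn { ip saddr ct count over 20 }`) but the dynamic-set form is the one to prefer in current nftables.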

[PATCH nf-next 2/3] netfilter: nf_conncount: expose connection list interface

2018-05-31 Thread Pablo Neira Ayuso
This patch provides an interface to maintain the list of connections and the lookup function to obtain the number of connections in the list. Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_conntrack_count.h | 15 +++ net/netfilter/nf_conncount.c | 67

[PATCH nf-next 1/3] netfilter: nf_tables: pass context to object destroy indirection

2018-05-31 Thread Pablo Neira Ayuso
Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_tables.h | 3 ++- net/netfilter/nf_tables_api.c | 12 ++-- net/netfilter/nft_counter.c | 3 ++- net/netfilter/nft_ct.c| 3 ++- 4 files changed, 12 insertions(+), 9 deletions(-) diff --git

Re: [PATCH nft] netlink: Print value sizes on Relational expression size mismatch

2018-05-31 Thread Máté Eckl
On Thu, May 31, 2018 at 10:57:49AM +0200, Pablo Neira Ayuso wrote: > > I just wanted to make sure that the only accepted values are 0 and 1 and I > > didn't find other way to provide this check. > > You can reject this from the evaluation phase. Oh, earlier I didn't find how to do it, but now I

Re: [PATCH nf-next] netfilter: x_tables: Decrease code duplication in tproxy target

2018-05-31 Thread Florian Westphal
Máté Eckl wrote: > Transparent socket check is already implemented in nf_socket.h. Acked-by: Florian Westphal

[PATCH nf-next] netfilter: x_tables: Decrease code duplication in tproxy target

2018-05-31 Thread Máté Eckl
Transparent socket check is already implemented in nf_socket.h. Signed-off-by: Máté Eckl --- net/netfilter/xt_TPROXY.c | 16 +++- 1 file changed, 3 insertions(+), 13 deletions(-) diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c index 8c89323c06af..a2ee85240926

Re: [PATCH nft] netlink: Print value sizes on Relational expression size mismatch

2018-05-31 Thread Pablo Neira Ayuso
On Thu, May 31, 2018 at 08:07:04AM +0200, Máté Eckl wrote: > On Wed, May 30, 2018 at 08:56:46PM +0200, Pablo Neira Ayuso wrote: > > On Wed, May 30, 2018 at 08:54:41PM +0200, Florian Westphal wrote: > > > Pablo Neira Ayuso wrote: > > > > I suspect you're missing some code in the evaluation phase?