Hi Pablo,
I love your patch! Perhaps something to improve:
[auto build test WARNING on nf/master]
[also build test WARNING on v4.17-rc7 next-20180531]
[if your patch is applied to the wrong git tree, please drop us a note to help
improve the system]
url:
https://github.com/0day-ci/linux
Hi Máté,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on nf-next/master]
url:
https://github.com/0day-ci/linux/commits/M-t-Eckl/netfilter-nft-add-support-for-native-socket-matching/20180601-080238
base:
I wanted to bring bug 1259 to the attention of the listserv.
This is my first bug report filed with netfilter.
In brief: ebtables is returning a permissions error when checking
EPROTONOSUPPORT.
This breaks the stop script when upgrading ebtables and prevents the upgrade.
Ubuntu has worked
Máté Eckl wrote:
> On Thu, May 31, 2018 at 08:39:35PM +0200, Florian Westphal wrote:
> > Máté Eckl wrote:
> > > On Thu, May 31, 2018 at 04:48:58PM +0200, Pablo Neira Ayuso wrote:
> > > > On Thu, May 31, 2018 at 01:42:17PM +0200, Máté Eckl wrote:
> > > > > On Thu, May 31, 2018 at 10:57:49AM
On Thu, May 31, 2018 at 08:39:35PM +0200, Florian Westphal wrote:
> Máté Eckl wrote:
> > On Thu, May 31, 2018 at 04:48:58PM +0200, Pablo Neira Ayuso wrote:
> > > On Thu, May 31, 2018 at 01:42:17PM +0200, Máté Eckl wrote:
> > > > On Thu, May 31, 2018 at 10:57:49AM +0200, Pablo Neira Ayuso wrote:
>
Máté Eckl wrote:
> On Thu, May 31, 2018 at 04:48:58PM +0200, Pablo Neira Ayuso wrote:
> > On Thu, May 31, 2018 at 01:42:17PM +0200, Máté Eckl wrote:
> > > On Thu, May 31, 2018 at 10:57:49AM +0200, Pablo Neira Ayuso wrote:
> > > > > I just wanted to make sure that the only accepted values are 0
This patch provides an interface to maintain the list of connections and
the lookup function to obtain the number of connections in the list.
Signed-off-by: Pablo Neira Ayuso
---
v2: pass cache name to nf_conncount_cache_alloc() as parameter.
include/net/netfilter/nf_conntrack_count.h | 15
This features which allows you to limit the maximum number of
connections per arbitrary key. The connlimit expression is stateful,
therefore it can be used from meters to dynamically populate a set, this
provides a mapping to the iptables' connlimit match. This patch also
comes that allows you
Signed-off-by: Pablo Neira Ayuso
---
v2: no changes.
include/net/netfilter/nf_tables.h | 3 ++-
net/netfilter/nf_tables_api.c | 12 ++--
net/netfilter/nft_counter.c | 3 ++-
net/netfilter/nft_ct.c| 3 ++-
4 files changed, 12 insertions(+), 9 deletions(-)
diff
For now it can only match sockets with IP(V6)_TRANSPARENT socket option
set.
Example:
table inet sockin {
    chain sockchain {
        type filter hook prerouting priority -150; policy accept;
        socket transparent 1 mark set 0x0001 nftrace set 1 counter
        packets 9
On Thu, May 31, 2018 at 04:48:58PM +0200, Pablo Neira Ayuso wrote:
> On Thu, May 31, 2018 at 01:42:17PM +0200, Máté Eckl wrote:
> > On Thu, May 31, 2018 at 10:57:49AM +0200, Pablo Neira Ayuso wrote:
> > > > I just wanted to make sure that the only accepted values are 0 and 1
> > > > and I
> > > >
On Thu, May 31, 2018 at 01:42:17PM +0200, Máté Eckl wrote:
> On Thu, May 31, 2018 at 10:57:49AM +0200, Pablo Neira Ayuso wrote:
> > > I just wanted to make sure that the only accepted values are 0 and 1 and I
> > > didn't find other way to provide this check.
> >
> > You can reject this from the
This patch adds the connlimit expression and object, which allows you to
limit the maximum number of connections. The expression is
stateful, hence it can be used from meters to dynamically populate a
set, to achieve equivalent behaviour to iptables' connlimit match.
Signed-off-by: Pablo
This patch provides an interface to maintain the list of connections and
the lookup function to obtain the number of connections in the list.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_conntrack_count.h | 15 +++
net/netfilter/nf_conncount.c | 67
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h | 3 ++-
net/netfilter/nf_tables_api.c | 12 ++--
net/netfilter/nft_counter.c | 3 ++-
net/netfilter/nft_ct.c| 3 ++-
4 files changed, 12 insertions(+), 9 deletions(-)
diff --git
On Thu, May 31, 2018 at 10:57:49AM +0200, Pablo Neira Ayuso wrote:
> > I just wanted to make sure that the only accepted values are 0 and 1 and I
> > didn't find other way to provide this check.
>
> You can reject this from the evaluation phase.
Oh, earlier I didn't find how to do it, but now I
Máté Eckl wrote:
> Transparent socket check is already implemented in nf_socket.h.
Acked-by: Florian Westphal
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at
Transparent socket check is already implemented in nf_socket.h.
Signed-off-by: Máté Eckl
---
net/netfilter/xt_TPROXY.c | 16 +++-
1 file changed, 3 insertions(+), 13 deletions(-)
diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c
index 8c89323c06af..a2ee85240926
On Thu, May 31, 2018 at 08:07:04AM +0200, Máté Eckl wrote:
> On Wed, May 30, 2018 at 08:56:46PM +0200, Pablo Neira Ayuso wrote:
> > On Wed, May 30, 2018 at 08:54:41PM +0200, Florian Westphal wrote:
> > > Pablo Neira Ayuso wrote:
> > > > I suspect you're missing some code in the evaluation phase?