On Fri, Jun 01, 2018 at 08:59:07PM +0200, Florian Westphal wrote:
> Máté Eckl wrote:
> > diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
> > index d03bc5a01a70..24802a2a9a90 100644
> > --- a/net/ipv4/netfilter/Kconfig
> > +++ b/net/ipv4/netfilter/Kconfig
> > @@ -29,7 +29,13 @@
On Fri, Jun 01, 2018 at 03:28:31PM -0400, Simon Horman wrote:
> On Thu, May 24, 2018 at 11:40:12PM +0300, Julian Anastasov wrote:
> > ip_vs_ftp requires conntrack modules for mangling
> > of FTP command responses in passive mode.
> >
> > Make sure the conntrack hooks are registered when
> > real s
On Thu, May 24, 2018 at 11:40:12PM +0300, Julian Anastasov wrote:
> ip_vs_ftp requires conntrack modules for mangling
> of FTP command responses in passive mode.
>
> Make sure the conntrack hooks are registered when
> real servers use NAT method in FTP virtual service.
> The hooks will be register
Hi Máté,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on nf-next/master]
url:
https://github.com/0day-ci/linux/commits/M-t-Eckl/netfilter-nft-add-support-for-native-socket-matching/20180601-094951
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Máté Eckl wrote:
> diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
> index d03bc5a01a70..24802a2a9a90 100644
> --- a/net/ipv4/netfilter/Kconfig
> +++ b/net/ipv4/netfilter/Kconfig
> @@ -29,7 +29,13 @@ config NF_SOCKET_IPV4
> tristate "IPv4 socket lookup support"
> h
The extracted functions will likely be useful to implement tproxy
support in nf_tables.
Extracted functions:
- nf_tproxy_sk_is_transparent
- nf_tproxy_laddr4
- nf_tproxy_handle_time_wait4
- nf_tproxy_get_sock_v4
- nf_tproxy_laddr6
- nf_tproxy_handl
I noticed that parser_bison.y contains two identical definitions for
wildcard expression. Patch 1 merges them into one. While being at it, I
made wildcard expression in JSON just a "special" immediate (i.e. a
string consisting of exactly "*") instead of the overly complicated
'{ "*": null }' it was
This was missed by commit fb557b5546084 ("JSON: Sort out rule position
and handles in general"): When adding a rule, the parser would still
expect "pos" property instead of "index".
Signed-off-by: Phil Sutter
---
src/parser_json.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git
Instead of dedicating an object for it ('{ "*": null }'), just use a
string consisting of an asterisk as sole character.
Signed-off-by: Phil Sutter
---
src/parser_json.c | 23 +++
1 file changed, 11 insertions(+), 12 deletions(-)
diff --git a/src/parser_json.c b/src/parser_j
This was completely broken. Yet another indicator the JSON API part of
testsuite is insufficient.
Signed-off-by: Phil Sutter
---
src/parser_json.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/parser_json.c b/src/parser_json.c
index 7971553651f27..9b7aef4b498cc 100644
The two are absolutely identical, just referenced at different places.
Since there is no need for the distinction, just merge them into one.
Signed-off-by: Phil Sutter
---
src/parser_bison.y | 25 +++--
1 file changed, 7 insertions(+), 18 deletions(-)
diff --git a/src/parser
When parsing large (uint64_t) values, capital 'I' has to be used in
format string. While being at it, make sure JSON output code handles
those variables correctly, too.
Signed-off-by: Phil Sutter
---
src/json.c| 26 +++---
src/parser_json.c | 28 ++
The output differs from input in added size property.
Signed-off-by: Phil Sutter
---
tests/py/ip6/flowtable.t.json.output | 62
1 file changed, 62 insertions(+)
create mode 100644 tests/py/ip6/flowtable.t.json.output
diff --git a/tests/py/ip6/flowtable.t.json.outpu
Reuse verdict expression parsing routine. Since the statement simply
wraps an expression, this change is an obvious one.
Signed-off-by: Phil Sutter
---
src/parser_json.c | 39 +++
1 file changed, 3 insertions(+), 36 deletions(-)
diff --git a/src/parser_json.c
This is implemented via a pseudo log level. The kernel ignores any other
parameter, so reject those at evaluation stage. Audit logging is
therefore simply a matter of:
| log level audit
Signed-off-by: Phil Sutter
---
include/linux/netfilter/nf_tables.h | 5 +
src/evaluate.c
Formerly: netfilter: x_tables: Decrease code duplication in tproxy target
v2: Not only have I made tproxy_sk_is_transparent use nf_sk_is_transparent
but also removed nf_sk_is_transparent completely.
-- 8< --
There was a function in include/net/netfilter/nf_socket.h to decide if a
socket has IP
On Fri, Jun 01, 2018 at 07:42:25AM -0400, Simon Horman wrote:
> On Fri, May 25, 2018 at 10:06:23PM +0300, Julian Anastasov wrote:
> > The patchset includes two changes to support IPv6 in ip_vs_ftp.
> >
> > The first patch allows IPv6 addresses in ip_vs_nfct.c debugging
> > and removes the AF_INET
On Fri, May 25, 2018 at 10:06:23PM +0300, Julian Anastasov wrote:
> The patchset includes two changes to support IPv6 in ip_vs_ftp.
>
> The first patch allows IPv6 addresses in ip_vs_nfct.c debugging
> and removes the AF_INET restriction for netfilter expectations.
>
> The second patch changes i
In order to allocate icmpv6 skb, sizeof(struct ipv6hdr) should be used.
Signed-off-by: Taehee Yoo
---
net/bridge/netfilter/nft_reject_bridge.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bridge/netfilter/nft_reject_bridge.c
b/net/bridge/netfilter/nft_reject_bridge.c
On Fri, Jun 01, 2018 at 09:08:09AM +0200, Máté Eckl wrote:
> On Thu, May 31, 2018 at 11:07:12AM +0200, Máté Eckl wrote:
> > Transparent socket check is already implemented in nf_socket.h.
>
> I just realised that even nf_sk_is_transparent is code duplication itself, as
> inet_sk_transparent does e
Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wed, May 30, 2018 at 10:12:34AM +0200, Florian Westphal wrote:
> gfree.w...@vip.163.com wrote:
> > From: Gao Feng
> >
> > The helper and timeout strings are from user-space, we need to make
> > sure they are null terminated. If not, evil user could make kernel
>
> Looks good to me, thank you
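The point Gao Feng's commit message makes above is that a netlink string attribute only becomes a C string once the kernel has verified a NUL inside its declared length; before that, any strlen()/strcmp() on it reads past the attribute. The following userspace C is an added example, not code from the patch or from the kernel: it models such an attribute, shows the naive read overrunning an unterminated payload into the bytes that follow it, and then the termination check plus a bounded copy in the style of nla_strlcpy(). The buffer size NAME_LEN, the helper names and the "SECRET" filler are constructed assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the kernel-side name buffer (the real value is not on this page). */
#define NAME_LEN 16

/* A netlink-style string attribute: a declared length and a payload that
 * userspace controls and that may or may not contain a terminating NUL. */
struct str_attr {
    const char *data;
    size_t len;
};

/* What a naive handler does: trusts the payload to be a C string. On an
 * unterminated attribute strlen() keeps reading past the declared length into
 * whatever memory follows the attribute. */
static size_t unsafe_name_len(const struct str_attr *a)
{
    return strlen(a->data);
}

/* The check the patch is about: accept the attribute only if a NUL occurs
 * within its declared length. Returns 0 if so, -1 (EINVAL) otherwise. */
static int attr_is_nul_terminated(const struct str_attr *a)
{
    if (a->len == 0 || memchr(a->data, '\0', a->len) == NULL)
        return -1;
    return 0;
}

/* Bounded copy in the style of nla_strlcpy(): copies at most len bytes, stops
 * at the first NUL, always terminates dst, and returns the source length so a
 * caller can detect truncation. */
static size_t attr_strlcpy(char *dst, size_t dstsize, const struct str_attr *a)
{
    const char *nul = memchr(a->data, '\0', a->len);
    size_t srclen = nul ? (size_t)(nul - a->data) : a->len;

    if (dstsize) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, a->data, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Hardened parse of a helper/timeout name: reject unterminated payloads and
 * names that would not fit the destination buffer. */
static int parse_helper_name(const struct str_attr *a, char out[NAME_LEN])
{
    if (attr_is_nul_terminated(a) < 0)
        return -1;
    if (attr_strlcpy(out, NAME_LEN, a) >= NAME_LEN)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed: the attribute claims 3 bytes ("ftp") and has no NUL; the
     * bytes after it stand in for adjacent kernel memory. */
    static const char backing[] = "ftpSECRET";
    struct str_attr bad = { backing, 3 };
    struct str_attr good = { "ftp", 4 };
    char name[NAME_LEN];

    printf("naive strlen read %zu bytes of a %zu-byte attribute\n",
           unsafe_name_len(&bad), bad.len);
    printf("unterminated: %d, terminated: %d\n",
           parse_helper_name(&bad, name), parse_helper_name(&good, name));
    printf("parsed name: %s\n", name);
    return 0;
}
```

The unterminated case is rejected before any string function touches the payload; the "too long" case is caught by comparing the returned source length against the destination size rather than by silently truncating, which is what a name that later gets compared against registered helper names needs.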
This allows us to forward packets from the netdev family via neighbour
layer, so you don't need an explicit link-layer destination when using
this expression from rules. The ttl/hop_limit field is decremented.
Signed-off-by: Pablo Neira Ayuso
---
v3: - dev_get_by_index_rcu() after ttl/hop_limit d
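Forwarding via the neighbour layer as described in Pablo's message decrements the TTL/hop limit; for IPv4 that also means patching the header checksum, which the kernel does incrementally (adding 0x0100 to the stored checksum with end-around carry) rather than recomputing it. The following C program is an added example, not code from the patch or from the kernel: it builds a constructed IPv4 header, applies the same incremental update, and checks the result against a full recomputation, including the TTL 1 case where the packet must be dropped instead. The field offsets are the fixed 20-byte header layout, and the sample addresses, identification and lengths are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed 20-byte IPv4 header without options (RFC 791 offsets). */
#define IPV4_HDR_LEN   20
#define IPV4_TTL_OFF    8
#define IPV4_CSUM_OFF  10

/* One's-complement sum over the header, folded and inverted (RFC 1071).
 * Over a header whose checksum field is filled in correctly this returns 0. */
static uint16_t ipv4_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    size_t i;

    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)hdr[i] << 8) | hdr[i + 1];
    if (len & 1)
        sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static int ipv4_header_valid(const uint8_t *hdr)
{
    return ipv4_checksum(hdr, IPV4_HDR_LEN) == 0;
}

/* Decrement TTL and patch the checksum incrementally: TTL is the high byte of
 * the 16-bit word at offset 8, so that word drops by 0x0100, the sum drops by
 * 0x0100 and the inverted checksum rises by 0x0100 (with end-around carry).
 * Returns the new TTL, or -1 when the packet must be dropped instead (TTL 0
 * or 1, where a router would send ICMP Time Exceeded). */
static int ipv4_decrease_ttl(uint8_t *hdr)
{
    uint8_t ttl = hdr[IPV4_TTL_OFF];
    uint32_t check;

    if (ttl <= 1)
        return -1;
    hdr[IPV4_TTL_OFF] = (uint8_t)(ttl - 1);
    check = ((uint32_t)hdr[IPV4_CSUM_OFF] << 8) | hdr[IPV4_CSUM_OFF + 1];
    check += 0x0100;
    check = (check & 0xffff) + (check >> 16);
    hdr[IPV4_CSUM_OFF] = (uint8_t)(check >> 8);
    hdr[IPV4_CSUM_OFF + 1] = (uint8_t)(check & 0xff);
    return ttl - 1;
}

/* Constructed sample header (addresses from the documentation ranges). */
static void build_sample_header(uint8_t *hdr, uint8_t ttl)
{
    uint16_t csum;

    memset(hdr, 0, IPV4_HDR_LEN);
    hdr[0] = 0x45;                       /* version 4, IHL 5 */
    hdr[2] = 0x00; hdr[3] = 0x3c;        /* total length 60 */
    hdr[4] = 0x1c; hdr[5] = 0x46;        /* identification */
    hdr[6] = 0x40; hdr[7] = 0x00;        /* flags DF, fragment offset 0 */
    hdr[IPV4_TTL_OFF] = ttl;
    hdr[9] = 6;                          /* protocol TCP */
    hdr[12] = 192; hdr[13] = 0;  hdr[14] = 2;   hdr[15] = 10;  /* 192.0.2.10 */
    hdr[16] = 198; hdr[17] = 51; hdr[18] = 100; hdr[19] = 7;   /* 198.51.100.7 */
    csum = ipv4_checksum(hdr, IPV4_HDR_LEN);   /* checksum field is still zero here */
    hdr[IPV4_CSUM_OFF] = (uint8_t)(csum >> 8);
    hdr[IPV4_CSUM_OFF + 1] = (uint8_t)(csum & 0xff);
}

/* Build a header with the given TTL and forward it once. Returns the new TTL
 * or -1 if it would be dropped; the header is left in 'out' for inspection. */
static int forward_once(uint8_t ttl, uint8_t *out)
{
    build_sample_header(out, ttl);
    return ipv4_decrease_ttl(out);
}

/* Full recomputation, for comparison with the incremental update. */
static uint16_t recomputed_checksum(const uint8_t *hdr)
{
    uint8_t copy[IPV4_HDR_LEN];

    memcpy(copy, hdr, IPV4_HDR_LEN);
    copy[IPV4_CSUM_OFF] = copy[IPV4_CSUM_OFF + 1] = 0;
    return ipv4_checksum(copy, IPV4_HDR_LEN);
}

int main(void)
{
    uint8_t hdr[IPV4_HDR_LEN];
    int ttl = forward_once(64, hdr);

    printf("new ttl %d, checksum 0x%02x%02x, recomputed 0x%04x, valid %d\n",
           ttl, hdr[IPV4_CSUM_OFF], hdr[IPV4_CSUM_OFF + 1],
           recomputed_checksum(hdr), ipv4_header_valid(hdr));
    printf("ttl 1 -> %d (drop)\n", forward_once(1, hdr));
    return 0;
}
```

The incremental and the recomputed checksum agree because subtracting 0x0100 from the one's-complement sum is the same as adding 0x0100 to its inverse; the drop path leaves the header untouched, which is what a forwarding hook needs if the packet is handed back to the stack for an ICMP error.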
Hi Harsha,
Comments below.
On Mon, May 28, 2018 at 11:58:11PM +0200, Harsha Sharma wrote:
> This patch allows to add, list and delete connection tracking timeout
> policies via nft objref infrastructure and assigning these timeout
> via nft rule.
> Ruleset:
>
> table ip raw {
>ct timeout ctt
On Thu, May 31, 2018 at 11:09:25AM +0200, Florian Westphal wrote:
> Máté Eckl wrote:
> > Transparent socket check is already implemented in nf_socket.h.
>
> Acked-by: Florian Westphal
Applied, thanks Mate.
And thanks for reviewing.
On Wed, May 30, 2018 at 08:43:15PM +0200, Jason A. Donenfeld wrote:
> Some drivers, such as vxlan and wireguard, use the skb's dst in order to
> determine things like PMTU. They therefore lose functionality when flow
> offloading is enabled. So, we ensure the skb has it before xmit'ing it
> in the
On Thu, May 24, 2018 at 12:40:04PM +0200, Laura Garcia wrote:
> On Wed, May 23, 2018 at 12:58 PM, kbuild test robot
> wrote:
> > From: kbuild test robot
> >
> > net/netfilter/nft_numgen.c:117:1-3: WARNING: PTR_ERR_OR_ZERO can be used
> >
> >
> > Use PTR_ERR_OR_ZERO rather than if(IS_ERR(...)) +
On Wed, May 30, 2018 at 11:06:22AM +0200, Phil Sutter wrote:
> This extends log statement to support the behaviour achieved with
> AUDIT target in iptables.
>
> Audit logging is enabled via a pseudo log level 8. In this case any
> other settings like log prefix are ignored since audit log format i
On Fri, Jun 01, 2018 at 09:36:01AM +0200, Pablo Neira Ayuso wrote:
> On Wed, May 30, 2018 at 12:13:22PM +0200, Máté Eckl wrote:
> > Now it can only match the transparent flag of an ip/ipv6 socket.
>
> Applied with minor cosmetic changes, thanks.
I took v3, just for the record.
On Wed, May 30, 2018 at 12:13:22PM +0200, Máté Eckl wrote:
> Now it can only match the transparent flag of an ip/ipv6 socket.
Applied with minor cosmetic changes, thanks.
On Wed, May 30, 2018 at 10:15:36PM +0200, Andreas Jaggi wrote:
> Well spotted indeed :-)
> Here comes the next iteration.
>
> Cheers
> Andreas
>
>
> Extend the JSON output plugin so that the generated JSON stream can be
> sent to a remote host via TCP/UDP or to a local unix socket.
Applied, tha
On Mon, May 28, 2018 at 06:50:55PM +0200, Phil Sutter wrote:
> While writing JSON schema documentation, a number of ugly/broken bits
> were identified which this series addresses in patches 1-7.
>
> Patches 8-11 contain some fixes and improvements to parser_json.c which
> don't change the schema.
On Thu, May 31, 2018 at 11:07:12AM +0200, Máté Eckl wrote:
> Transparent socket check is already implemented in nf_socket.h.
I just realised that even nf_sk_is_transparent is code duplication itself, as
inet_sk_transparent does exactly the same in include/net/tcp.h.
However adding this would cause