Hi Máté,
Thanks for working on this.
See comments below.
On Wed, Jun 06, 2018 at 09:33:56PM +0200, Máté Eckl wrote:
> v2:
> - more comprehensive names
> - expose basic priorities used by iptables
> - use arithmetics with new names (+-)
> - print friendly names with arithmetics with an epsilon of
v2:
- more comprehensive names
- expose basic priorities used by iptables
- use arithmetics with new names (+-)
- print friendly names with arithmetics with an epsilon of 10
-- 8< --
This patch adds the possibility to use textual names to set the chain priority
to basic values so that numeric valu
Oh, I overlooked that you already made tests, great.
Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
On Mon, Jun 04, 2018 at 11:58:17AM +0200, Máté Eckl wrote:
> File was updated from /usr/include/linux/netfilter_ipv4.h
Applied, thanks.
BTW, I remember a native English speaker recommended we use present tense.
Telling this because I observe you use past. I think this is
documented somewhere in the k
On Thu, May 31, 2018 at 08:06:16PM +0200, Máté Eckl wrote:
> For now it can only match sockets with IP(V6)_TRANSPARENT socket option
> set.
>
> Example:
> table inet sockin {
> chain sockchain {
> type filter hook prerouting priority -150; policy accept;
> socket
On Thu, Jun 07, 2018 at 02:05:12AM +0900, Taehee Yoo wrote:
> The parameter this doesn't have a flags value, so that it can't be
> used by nft_rbtree_interval_end().
>
> test commands:
>%nft add table ip filter
>%nft add set ip filter s { type ipv4_addr \; flags interval \; }
>%nft add
Allow to forward packets through to explicit destination and interface.
nft add rule netdev x y fwd ip to 192.168.2.200 device eth0
Signed-off-by: Pablo Neira Ayuso
---
include/linux/netfilter/nf_tables.h | 4
include/statement.h | 4 +++-
src/evaluate.c
The parameter this doesn't have a flags value, so that it can't be
used by nft_rbtree_interval_end().
test commands:
%nft add table ip filter
%nft add set ip filter s { type ipv4_addr \; flags interval \; }
%nft add element ip filter s {0-1}
%nft add element ip filter s {2-10}
%nft
To support forwarding through neighbour layer from ingress.
Signed-off-by: Pablo Neira Ayuso
---
include/libnftnl/expr.h | 2 ++
include/linux/netfilter/nf_tables.h | 4 +++
src/expr/fwd.c | 60 ++---
3 files changed, 62 insertio
On Wed, Jun 06, 2018 at 01:16:43PM +0200, Jan Engelhardt wrote:
>
> On Wednesday 2018-06-06 09:45, Duncan Roe wrote:
> >
> >ebtables would not build on my system and I submitted a patch to fix that
> >which
> >was accepted as commit 66a97018a31eed416c6a25d051ea172e4d65be1b.
>
> Well then let's sta
This patch adds support for the new connlimit stateful expression, that
provides a mapping with the connlimit iptables extension through meters.
eg.
nft add rule filter input tcp dport 22 \
meter test { ip saddr ct count over 2 } counter reject
This limits the maximum amount incoming of
Signed-off-by: Pablo Neira Ayuso
---
include/buffer.h| 1 +
include/libnftnl/expr.h | 5 +
include/linux/netfilter/nf_tables.h | 21 +++-
src/Makefile.am | 1 +
src/expr/connlimit.c| 207 +++
Hi Pablo,
Okay, no problem.
Greg - disregard this, and expect to see something more detailed in a
few weeks when Linus pulls from Dave.
Jason
On Wed, Jun 06, 2018 at 03:06:37PM +0200, Jason A. Donenfeld wrote:
> On Wed, Jun 6, 2018 at 3:01 PM Greg Kroah-Hartman
> wrote:
> > Wait, that commit id is not in Linus's tree yet. So I'm assuming it is
> > in DaveM's tree? If so, shouldn't it also go into 4.17.y? What about
> > 4.14.y or olde
On Wed, Jun 06, 2018 at 02:09:12PM +0200, Jozsef Kadlecsik wrote:
> Hi Pablo,
>
> Please pull the next patches for nf git tree:
>
> - Check hook mask for unsupported hooks instead of supported ones in xt_set.
> (Serhey Popovych).
> - List/save just timing out entries with "timeout 1" instead of
On Wed, Jun 06, 2018 at 12:14:56PM +0200, Florian Westphal wrote:
> the ebtables evaluation loop expects targets to return
> positive values (jumps), or negative values (absolute verdicts).
>
> This is completely different from what xtables does.
> In xtables, targets are expected to return the st
On Wed, Jun 06, 2018 at 11:13:35AM +0200, Máté Eckl wrote:
> Although the value of AF_INET and NFPROTO_IPV4 is the same, the use of
> AF_INET was misleading when checking the proto family.
> Same with AF_INET6.
Yes, they are equivalent. But OK.
Applied.
Phil Sutter wrote:
> Previously, this triggered a program abort:
>
> | # nft add table ip t
> | # nft add set ip t my_set '{ type ipv4_addr . inet_service ; flags interval
> ; }'
> | # nft add element ip t my_set '{10.0.0.1 . tcp }'
> | BUG: invalid range expression type concat
> | nft: expressi
Jan Engelhardt wrote:
> Revert 66a97018a31eed416c6a25d051ea172e4d65be1b partly so as to use
> again and import a new ebtables.h
> from the kernel tree that has the "revision" field.
>
> With this, include/ebtables.h is (again) used by no source file, and
> so can be removed.
Looks good, applied
From: Serhey Popovych
Inserting rule before one with SET target we get error with warning in
dmesg(1) output:
# iptables -A FORWARD -t mangle -j SET --map-set test src --map-prio
# iptables -I FORWARD 1 -t mangle -j ACCEPT
iptables: Invalid argument. Run `dmesg' for more information.
# d
When listing sets with timeout support, there's a probability that
just timing out entries with "0" timeout value is listed/saved.
However when restoring the saved list, the zero timeout value means
permanent elements.
The new behaviour is that timing out entries are listed with "timeout 1"
inst
Due to the negative value condition in msecs_to_jiffies(), the real
max possible timeout value must be set to (UINT_MAX >> 1)/MSEC_PER_SEC.
Neutron Soutmun proposed the proper fix, but an insufficient one was
applied, see https://patchwork.ozlabs.org/patch/400405/.
Signed-off-by: Jozsef Kadlecsik
From: Florent Fourcot
Userspace `ipset` command forbids family option for hash:mac type:
ipset create test hash:mac family inet4
ipset v6.30: Unknown argument: `family'
However, this check is not done in the kernel itself. When someone uses
external netlink applications (pyroute2 python library for
Hi Pablo,
Please pull the next patches for nf git tree:
- Check hook mask for unsupported hooks instead of supported ones in xt_set.
(Serhey Popovych).
- List/save just timing out entries with "timeout 1" instead of "timeout 0":
zero timeout value means permanent entries. When restoring the e
On Wednesday 2018-06-06 13:40, Pablo Neira Ayuso wrote:
>On Wed, Jun 06, 2018 at 01:36:25PM +0200, Jan Engelhardt wrote:
>> Revert 66a97018a31eed416c6a25d051ea172e4d65be1b partly so as to use
>> again and import a new ebtables.h
>> from the kernel tree that has the "revision" field.
>
>...ebtable
On Wed, Jun 06, 2018 at 01:36:25PM +0200, Jan Engelhardt wrote:
> Revert 66a97018a31eed416c6a25d051ea172e4d65be1b partly so as to use
> again and import a new ebtables.h
> from the kernel tree that has the "revision" field.
...ebtables$ git show 66a97018a31eed416c6a25d051ea172e4d65be1b
fatal: bad
Revert 66a97018a31eed416c6a25d051ea172e4d65be1b partly so as to use
again and import a new ebtables.h
from the kernel tree that has the "revision" field.
With this, include/ebtables.h is (again) used by no source file, and
so can be removed.
Signed-off-by: Jan Engelhardt
---
include/ebtables.h
Previously, this triggered a program abort:
| # nft add table ip t
| # nft add set ip t my_set '{ type ipv4_addr . inet_service ; flags interval ;
}'
| # nft add element ip t my_set '{10.0.0.1 . tcp }'
| BUG: invalid range expression type concat
| nft: expression.c:1085: range_expr_value_low: Ass
On Wednesday 2018-06-06 09:45, Duncan Roe wrote:
>
>ebtables would not build on my system and I submitted a patch to fix that which
>was accepted as commit 66a97018a31eed416c6a25d051ea172e4d65be1b.
Well then let's start there.
"" The cause of this failure is that the commit updated include/ebt
the ebtables evaluation loop expects targets to return
positive values (jumps), or negative values (absolute verdicts).
This is completely different from what xtables does.
In xtables, targets are expected to return the standard netfilter
verdicts, i.e. NF_DROP, NF_ACCEPT, etc.
ebtables will cons
Although the value of AF_INET and NFPROTO_IPV4 is the same, the use of
AF_INET was misleading when checking the proto family.
Same with AF_INET6.
Signed-off-by: Máté Eckl
---
src/evaluate.c| 6 +++---
src/netlink_delinearize.c | 4 ++--
2 files changed, 5 insertions(+), 5 deletions(-
Phil Sutter wrote:
> First of all, 'with icmp6' is invalid, expected is 'with icmpv6'. In
> addition to that, parameter 'type' expects an icmp*_code type, not
> icmp*_type. The respective table column was already correct, but in
> synopsis it was wrong.
Applied, thanks.
First of all, 'with icmp6' is invalid, expected is 'with icmpv6'. In
addition to that, parameter 'type' expects an icmp*_code type, not
icmp*_type. The respective table column was already correct, but in
synopsis it was wrong.
Signed-off-by: Phil Sutter
---
doc/nft.xml | 10 +-
1 file ch
On Wed, Jun 06, 2018 at 02:20:10AM +0200, Jason A. Donenfeld wrote:
> Hey Pablo,
>
> > Applied to nf-next, thanks Jason.
>
> I didn't think this was stable material at first, but since you
> applied this, OpenWRT backported it, and two people mentioned to me
> separately that miscellaneous issues
Hi Jan,
Can we step back for a minute and review exactly how this patch originated?
ebtables would not build on my system and I submitted a patch to fix that which
was accepted as commit 66a97018a31eed416c6a25d051ea172e4d65be1b.
Some days later, I received the message as you saw in
https://marc.