Hi Harsha,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on nf-next/master]
url:
https://github.com/0day-ci/linux/commits/Harsha-Sharma/netfilter-cttimeout-move-ctnl_untimeout-to-nf_conntrack/20180714-095352
base: https://git.kernel.org/pub/scm/linux/kerne
Hi Harsha,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on nf-next/master]
url:
https://github.com/0day-ci/linux/commits/Harsha-Sharma/netfilter-nft_ct-add-ct-timeout-support/20180714-095128
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.gi
Hi Harsha,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on nf-next/master]
url:
https://github.com/0day-ci/linux/commits/Harsha-Sharma/netfilter-cttimeout-move-ctnl_untimeout-to-nf_conntrack/20180714-095352
base: https://git.kernel.org/pub/scm/linux/kernel/git/
Hi Harsha,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on nf-next/master]
url:
https://github.com/0day-ci/linux/commits/Harsha-Sharma/netfilter-nft_ct-add-ct-timeout-support/20180714-095128
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.gi
Hi Pablo,
I love your patch! Perhaps something to improve:
[auto build test WARNING on nf-next/master]
url:
https://github.com/0day-ci/linux/commits/Pablo-Neira-Ayuso/netfilter-nf_osf-add-nf_osf_match_one/20180714-051307
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.g
IPV6=m
DEFRAG_IPV6=m
CONNTRACK=y yields:
net/netfilter/nf_conntrack_proto.o: In function `nf_ct_netns_do_get':
net/netfilter/nf_conntrack_proto.c:802: undefined reference to
`nf_defrag_ipv6_enable'
net/netfilter/nf_conntrack_proto.o:(.rodata+0x640): undefined reference to
`nf_conntrack_l4proto_i
Hi Florian,
I love your patch! Yet something to improve:
[auto build test ERROR on nf-next/master]
url:
https://github.com/0day-ci/linux/commits/Florian-Westphal/ipv6-remove-dependency-of-nf_defrag_ipv6-on-ipv6-module/20180714-051523
base: https://git.kernel.org/pub/scm/linux/kernel/git/pa
As, ctnl_untimeout is required by nft_ct, so move ctnl_timeout from
nfnetlink_cttimeout to nf_conntrack_timeout and rename as nf_ct_timeout.
Signed-off-by: Harsha Sharma
---
include/net/netfilter/nf_conntrack_timeout.h | 1 +
net/netfilter/nf_conntrack_timeout.c | 17 +
This patch allows to add, list and delete connection tracking timeout
policies via nft objref infrastructure and assigning these timeout
via nft rule.
Ruleset:
table ip raw {
ct timeout cttime {
protocol tcp
established 111 close 13
l3proto ip
}
chain output {
Hi Florian,
I love your patch! Yet something to improve:
[auto build test ERROR on nf-next/master]
url:
https://github.com/0day-ci/linux/commits/Florian-Westphal/ipv6-remove-dependency-of-nf_defrag_ipv6-on-ipv6-module/20180714-051523
base: https://git.kernel.org/pub/scm/linux/kernel/git/pa
Hi Florian,
I love your patch! Perhaps something to improve:
[auto build test WARNING on nf-next/master]
url:
https://github.com/0day-ci/linux/commits/Florian-Westphal/ipv6-remove-dependency-of-nf_defrag_ipv6-on-ipv6-module/20180713-064909
base: https://git.kernel.org/pub/scm/linux/kernel
IPV6=m
DEFRAG_IPV6=m
CONNTRACK=y yields:
net/netfilter/nf_conntrack_proto.o: In function `nf_ct_netns_do_get':
net/netfilter/nf_conntrack_proto.c:802: undefined reference to
`nf_defrag_ipv6_enable'
net/netfilter/nf_conntrack_proto.o:(.rodata+0x640): undefined reference to
`nf_conntrack_l4proto_i
IPV6=m
DEFRAG_IPV6=m
CONNTRACK=y yields:
net/netfilter/nf_conntrack_proto.o: In function `nf_ct_netns_do_get':
net/netfilter/nf_conntrack_proto.c:802: undefined reference to
`nf_defrag_ipv6_enable'
net/netfilter/nf_conntrack_proto.o:(.rodata+0x640): undefined reference to
`nf_conntrack_l4proto_i
Hi Florian,
I love your patch! Perhaps something to improve:
[auto build test WARNING on nf-next/master]
url:
https://github.com/0day-ci/linux/commits/Florian-Westphal/ipv6-remove-dependency-of-nf_defrag_ipv6-on-ipv6-module/20180713-064909
base: https://git.kernel.org/pub/scm/linux/kernel
Hi Florian,
I love your patch! Yet something to improve:
[auto build test ERROR on nf-next/master]
url:
https://github.com/0day-ci/linux/commits/Florian-Westphal/ipv6-remove-dependency-of-nf_defrag_ipv6-on-ipv6-module/20180713-064909
base: https://git.kernel.org/pub/scm/linux/kernel/git
This new function allows us to check if there is TCP syn packet matching
with a given fingerprint that can be reused from the upcoming new
nf_osf_find() function.
Signed-off-by: Pablo Neira Ayuso
---
Compile tested only.
net/netfilter/nf_osf.c | 207 ++---
Wrap context that allow us to guess the OS into a structure.
Signed-off-by: Pablo Neira Ayuso
---
Compile tested only.
net/netfilter/nf_osf.c | 105 +
1 file changed, 62 insertions(+), 43 deletions(-)
diff --git a/net/netfilter/nf_osf.c b/net/net
This new function returns the OS genre as a string. Plan is to use to
from the new nft_osf extension.
Note that this doesn't yet support ttl options, but it could be easily
extended to do so.
Signed-off-by: Pablo Neira Ayuso
---
Compile tested only.
include/linux/netfilter/nf_osf.h | 3 +++
n
On Fri, Jul 13, 2018 at 02:38:19PM +0200, Florian Westphal wrote:
> Máté Eckl wrote:
> > But that means that this solution cannot support bridge family at all. Or
> > BRNF
> > stands for something that can be interpreted as filter?
>
> Currently bridge family has no special hooks, they are all '
Máté Eckl wrote:
> But that means that this solution cannot support bridge family at all. Or BRNF
> stands for something that can be interpreted as filter?
Currently bridge family has no special hooks, they are all 'filter'.
So it would be fine to only support numbers in my opinion.
We can revis
On Fri, Jul 13, 2018 at 12:59:14PM +0200, Pablo Neira Ayuso wrote:
> On Fri, Jul 13, 2018 at 12:45:34PM +0200, Florian Westphal wrote:
> > Pablo Neira Ayuso wrote:
> > > On Fri, Jul 13, 2018 at 12:22:51PM +0200, Máté Eckl wrote:
> > > > > > BTW, srcnat only makes sense from postrouting, I think it
On Fri, Jul 13, 2018 at 12:45:34PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > On Fri, Jul 13, 2018 at 12:22:51PM +0200, Máté Eckl wrote:
> > > > > BTW, srcnat only makes sense from postrouting, I think it would it be
> > > > > possible to reject things that make no sense from th
Pablo Neira Ayuso wrote:
> On Fri, Jul 13, 2018 at 12:22:51PM +0200, Máté Eckl wrote:
> > > > BTW, srcnat only makes sense from postrouting, I think it would it be
> > > > possible to reject things that make no sense from there, like srcnat
> > > > with prerouting as in the example above.
> > >
>
On Fri, Jul 13, 2018 at 12:22:51PM +0200, Máté Eckl wrote:
> > > BTW, srcnat only makes sense from postrouting, I think it would it be
> > > possible to reject things that make no sense from there, like srcnat
> > > with prerouting as in the example above.
> >
> > I'll look after this.
>
> What d
> > BTW, srcnat only makes sense from postrouting, I think it would it be
> > possible to reject things that make no sense from there, like srcnat
> > with prerouting as in the example above.
>
> I'll look after this.
What do you think about this compatibility "matrix"?
static bool std_p
25 matches
Mail list logo