On Mon, 13 Aug 2018 20:15:26 +
Robert White wrote:
> ...
> As for DROP versus REJECT :: Using REJECT in most firewall rules is
> considered harmful as it generates return traffic. In the case of casual
> misuse of services that's fine, but in terms of overall internet
> citizenship it's
Building xtables-addons 3 (atm on OpenSUSE Build Service, but the issue's
portable) against Kernel 4.18.x currently fails
https://build.opensuse.org/package/live_build_log/home:pgnd:Kernel:stable/xtables-addons/openSUSE_Leap_15.0/x86_64
...
[ 51s]
Hello,
On Fri, Aug 10, 2018 at 10:52 PM, Harsha Sharma
wrote:
> If l3 protocol value is not specified for ct timeout object then use the
> value from nft_ctx protocol family.
I think I did this before but you asked me to change it (i.e., put the
L3PROTO condition with the other fields).
But this is
Add tests for listing ct timeout objects and input from file.
Signed-off-by: Harsha Sharma
---
Changes in v5:
- Add l3proto in listing
Changes in v4:
- Added these tests
tests/shell/testcases/listing/0013objects_0 | 7 +++
tests/shell/testcases/nft-f/0017ct_timeout_obj_0 | 16
Add test for adding ct timeout objects and assigning it via rule.
Signed-off-by: Harsha Sharma
---
Changes in v5:
- Add testcase with l3proto
Changes in v4:
- update tests with syntax
Changes in v3:
- Add more tests for multiple timeout policies
Changes in v2:
- No change
This patch adds support for adding, listing and deleting ct timeout
objects which can be assigned via rule to assign connection tracking
timeout policies via objref infrastructure.
%nft add table filter
%nft add chain filter output
%nft add ct timeout filter test-tcp { protocol tcp \; policy = {
Cleanup patch for ct timeout support as content of cttimeout.h file is
moved to object.h file.
Signed-off-by: Harsha Sharma
---
examples/nft-ct-timeout-add.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/examples/nft-ct-timeout-add.c b/examples/nft-ct-timeout-add.c
index dfa1d76..57c0cf0
Cleanup patch for ct timeout support as content of cttimeout.h file is
moved to object.h file.
Signed-off-by: Harsha Sharma
---
src/obj/ct_timeout.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/obj/ct_timeout.c b/src/obj/ct_timeout.c
index 58f49ba..887613e 100644
---
On Monday 2018-08-13 19:34, Neal P. Murphy wrote:
>
>I changed Smoothwall Express to use -m time 4 years ago, and corrected a
>couple bugs shortly after. In short,
> - Set the BIOS clock to local time (the BIOS clock is for humans anyway).
> - Run a modern ntpd to keep the system clock
On Mon, 13 Aug 2018 13:03:54 +0200
Florian Westphal wrote:
> Jan Engelhardt wrote:
> > On Sunday 2018-08-12 23:05, Florian Westphal wrote:
> >
> > >Neal P. Murphy wrote:
> > >> Does nftables have an equivalent of iptables' "-m time"?
> > >
> > >-m time is problematic (kernel has no idea
Commit 3e6ab2b335142 added restraints on reject types for bridge and
inet families but apparently those were too strict: If a rule in e.g.
inet family contained a match which introduced a protocol dependency,
icmpx type rejects were disallowed for no obvious reason.
Allow icmpx type rejects in
Import iptables/utils/nfnl_osf.c into nftables tree with some changes in order
to load OS fingerprints automatically from pf.os file.
Signed-off-by: Fernando Fernandez Mancera
---
include/linux/netfilter/nfnetlink_osf.h | 119 +++
include/nfnl_osf.h | 10 +
As we are going to use the function nft_mnl_talk() from the incoming
nftnl_osf.c, we make it public.
Signed-off-by: Fernando Fernandez Mancera
---
include/mnl.h | 4
src/mnl.c | 2 +-
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/include/mnl.h b/include/mnl.h
index
On Mon, Aug 13, 2018 at 02:15:07PM +0200, Pablo Neira Ayuso wrote:
> If I apply this patch, when I run `make distcheck', asciidoc tries to
> write into the read-only automake unpacked dist tree here.
>
> "/usr/bin/asciidoc" --backend docbook -a "a2x-format=manpage" --doctype
> manpage --out-file
On Monday 2018-08-13 13:03, Florian Westphal wrote:
>Jan Engelhardt wrote:
>> On Sunday 2018-08-12 23:05, Florian Westphal wrote:
>>
>> >Neal P. Murphy wrote:
>> >> Does nftables have an equivalent of iptables' "-m time"?
>> >
>> >-m time is problematic (kernel has no idea what a timezone is).
> Kernel doesn't know when DST transitions occur though.
> It's an utter mess and usually needs shell/cron scripts to catch this.
So, when these transactions will occur... then cron script can be
used, else let it continue as it is.
i.e. by default -m time can be used. If there are issues with it
If I apply this patch, when I run `make distcheck', asciidoc tries to
write into the read-only automake unpacked dist tree here.
"/usr/bin/asciidoc" --backend docbook -a "a2x-format=manpage" --doctype manpage
--out-file
"/home/git/nftables/nftables-0.9.0/doc/nft.xml"
On Fri, Aug 10, 2018 at 08:23:39PM +0530, Harsha Sharma wrote:
> Add support for ct timeout objects, used to assign connection tracking
> timeout policies.
Applied, thanks Harsha.
BTW, I have merged the cttimeout.h file into object.h so we don't need
an extra file and I have renamed _DATA to
On Sat, Aug 11, 2018 at 05:17:29PM +0200, Fernando Fernandez Mancera wrote:
[...]
> If we place osf_init in struct netlink_ctx we will need to modify
> osf_expr_alloc() and I am not sure if we can get access to netlink_ctx from
> netlink_parse_osf() in netlink_delinearize.c. Also we will need
On Sunday 2018-08-12 23:05, Florian Westphal wrote:
>Neal P. Murphy wrote:
>> Does nftables have an equivalent of iptables' "-m time"?
>
>-m time is problematic (kernel has no idea what a timezone is).
The kernel certainly does have a timezone (if only a limited understanding of how
to use it). In