[PATCH nf] netfilter: nf_conntrack_h323: Remove deprecated config check

2019-05-02 Thread Subash Abhinov Kasiviswanathan
CONFIG_NF_CONNTRACK_IPV6 has been deprecated, so replace it with a check for IPV6 instead. Fixes: a0ae2562c6c4b2 ("netfilter: conntrack: remove l3proto abstraction") Signed-off-by: Subash Abhinov Kasiviswanathan --- include/linux/netfilter_ipv6.h | 2 +- net/netfilter/nf_conntrack_h323_ma

[PATCH nf] netfilter: nf_flow_table: fix missing err check for rhashtable_insert_fast

2019-05-02 Thread Taehee Yoo
rhashtable_insert_fast() could return an error value when memory allocation fails, but flow_offload_add() does not check the return value and always returns success. This patch just adds the error check code. Fixes: ac2a5e23 ("netfilter: add generic flow table infrastructure") Signed-off-by: Taehee

[PATCH nft] parser_json: default to unspecified l3proto for ct helper/timeout

2019-05-02 Thread Eric Garver
As per the man page, if the user does not specify the l3proto it should be derived from the table family. Fixes: 586ad210368b ("libnftables: Implement JSON parser") Signed-off-by: Eric Garver --- src/parser_json.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/parser_jso

Re: [PATCH 07/31] netfilter: ctnetlink: Support L3 protocol-filter on flush

2019-05-02 Thread Pablo Neira Ayuso
On Thu, May 02, 2019 at 02:56:42PM +0200, Nicolas Dichtel wrote: > On 02/05/2019 at 13:31, Pablo Neira Ayuso wrote: > > On Thu, May 02, 2019 at 09:46:42AM +0200, Florian Westphal wrote: > >> Nicolas Dichtel wrote: > >>> I understand your point, but this is a regression. Ignoring a > >>> field/a

[PATCH libnetfilter_conntrack 4/3] src: replace old libnfnetlink builder

2019-05-02 Thread Pablo Neira Ayuso
Use the new libmnl version, remove duplicated code. Signed-off-by: Pablo Neira Ayuso --- Better do this now :-) src/conntrack/build.c | 602 ++ src/expect/build.c| 91 ++-- 2 files changed, 28 insertions(+), 665 deletions(-) diff --git a

Re: [PATCH 07/31] netfilter: ctnetlink: Support L3 protocol-filter on flush

2019-05-02 Thread Nicolas Dichtel
On 02/05/2019 at 13:31, Pablo Neira Ayuso wrote: > On Thu, May 02, 2019 at 09:46:42AM +0200, Florian Westphal wrote: >> Nicolas Dichtel wrote: >>> I understand your point, but this is a regression. Ignoring a >>> field/attribute of >>> a netlink message is part of the uAPI. This field exists fo

[PATCH libnetfilter_conntrack 3/3] src: replace old libnfnetlink parser

2019-05-02 Thread Pablo Neira Ayuso
Use the new libmnl version, remove duplicated code. Signed-off-by: Pablo Neira Ayuso --- Something similar for the build path would be good to remove duplicated code, while leaving the libnfnetlink API in place. include/internal/prototypes.h | 5 - src/callback.c| 8 +- src/

[PATCH libnetfilter_conntrack 2/3] expect: add missing handling for CTA_EXPECT_* attributes

2019-05-02 Thread Pablo Neira Ayuso
Add missing code to handle CTA_EXPECT_CLASS, CTA_EXPECT_NAT and CTA_EXPECT_FN from libmnl parser. Signed-off-by: Pablo Neira Ayuso --- src/expect/parse_mnl.c | 64 +++--- 1 file changed, 61 insertions(+), 3 deletions(-) diff --git a/src/expect/parse_m

[PATCH libnetfilter_conntrack 1/3] src: introduce abi_breakage()

2019-05-02 Thread Pablo Neira Ayuso
Changes in the netlink attribute layout are considered to be a kernel ABI breakage, so report this immediately and stop execution, instead of lazily returning an error to the client application, which cannot do anything with it. Signed-off-by: Pablo Neira Ayuso --- include/internal/internal.h | 7 +

Re: [PATCH 07/31] netfilter: ctnetlink: Support L3 protocol-filter on flush

2019-05-02 Thread Pablo Neira Ayuso
On Thu, May 02, 2019 at 09:46:42AM +0200, Florian Westphal wrote: > Nicolas Dichtel wrote: > > I understand your point, but this is a regression. Ignoring a > > field/attribute of > > a netlink message is part of the uAPI. This field exists for more than a > > decade > > (probably two), so you c

Re: [PATCH 07/31] netfilter: ctnetlink: Support L3 protocol-filter on flush

2019-05-02 Thread Nicolas Dichtel
On 02/05/2019 at 09:46, Florian Westphal wrote: > Nicolas Dichtel wrote: >> I understand your point, but this is a regression. Ignoring a >> field/attribute of >> a netlink message is part of the uAPI. This field exists for more than a >> decade >> (probably two), so you cannot just use it bec

Re: [PATCH 07/31] netfilter: ctnetlink: Support L3 protocol-filter on flush

2019-05-02 Thread Kristian Evensen
Hi, On Thu, May 2, 2019 at 9:46 AM Florian Westphal wrote: > > Nicolas Dichtel wrote: > > I understand your point, but this is a regression. Ignoring a > > field/attribute of > > a netlink message is part of the uAPI. This field exists for more than a > > decade > > (probably two), so you cann

Re: [PATCH 07/31] netfilter: ctnetlink: Support L3 protocol-filter on flush

2019-05-02 Thread Florian Westphal
Nicolas Dichtel wrote: > I understand your point, but this is a regression. Ignoring a field/attribute > of > a netlink message is part of the uAPI. This field exists for more than a > decade > (probably two), so you cannot just use it because nobody was using it. Just > see > all discussions a

Re: Port triggering

2019-05-02 Thread Florian Westphal
Stéphane Veyret wrote: > On Mon, 12 Mar 2018 at 16:53, Florian Westphal wrote: > > > > Something like: > > > > > > > > chain postrouting { > > > > type filter hook postrouting priority 0; > > > > # tell kernel to install an expectation > > > > # arriving on udp ports 69

Re: [PATCH 07/31] netfilter: ctnetlink: Support L3 protocol-filter on flush

2019-05-02 Thread Nicolas Dichtel
On 01/05/2019 at 10:47, Kristian Evensen wrote: > Hello, > > On Thu, Apr 25, 2019 at 12:07 PM Nicolas Dichtel > wrote: >> Since this patch, there is a regression with 'conntrack -F': it no longer >> flushes >> ipv6 conntrack entries. >> In fact, the conntrack tool sets by default the famil