tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
head: d7f9b2f18eaef74b4f948c7e24e3a8f796f0c90d
commit: 3006a5224f15cf68edc4878799ac6d6089861518 [9/10] netfilter: synproxy:
remove module dependency on IPv6 SYNPROXY
config: i386-randconfig-x013-201924 (attached as
tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
head: d7f9b2f18eaef74b4f948c7e24e3a8f796f0c90d
commit: 3006a5224f15cf68edc4878799ac6d6089861518 [9/10] netfilter: synproxy:
remove module dependency on IPv6 SYNPROXY
config: arm64-defconfig (attached as .config)
com
On Tue, Jun 11, 2019 at 01:20:59PM +0800, xiao ruizhu wrote:
> > On Tue, Jun 11, 2019 at 01:45AM, Pablo Neira Ayuso
> > wrote:
>
> > Looks good, only one more little change and we go.
>
> >> On Tue, Jun 04, 2019 at 04:34:23PM +0800, xiao ruizhu wrote:
> >> [...]
> >> @@ -420,8 +421,10 @@ static
On Wed, Jun 05, 2019 at 12:32:40PM +0300, Igor Ryzhov wrote:
> ct_sip_next_header and ct_sip_get_header return an absolute
> value of matchoff, not a shift from current dataoff.
> So dataoff should be assigned matchoff, not incremented by it.
Could we get a more detailed description of this bug? A
Hi Laura,
On Mon, Jun 17, 2019 at 06:14:24PM +0200, Laura Garcia Liebana wrote:
[...]
> diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
> index 8394560aa695..df19844e994f 100644
> --- a/net/netfilter/nft_dynset.c
> +++ b/net/netfilter/nft_dynset.c
> @@ -24,6 +24,7 @@ struct nf
On 6/17/19 11:55 PM, Pablo Neira Ayuso wrote:
> On Mon, Jun 17, 2019 at 09:49:43PM +0200, Fernando Fernandez Mancera wrote:
>> Hi Pablo, comments below.
>>
>> On 6/17/19 5:45 PM, Pablo Neira Ayuso wrote:
>>> On Mon, Jun 17, 2019 at 12:32:35PM +0200, Fernando Fernandez Mancera wrote:
Add SYN
On Mon, Jun 17, 2019 at 09:49:43PM +0200, Fernando Fernandez Mancera wrote:
> Hi Pablo, comments below.
>
> On 6/17/19 5:45 PM, Pablo Neira Ayuso wrote:
> > On Mon, Jun 17, 2019 at 12:32:35PM +0200, Fernando Fernandez Mancera wrote:
> >> Add SYNPROXY module support in nf_tables. It preserves the b
On Mon, Jun 17, 2019 at 07:33:29PM +0200, Pablo Neira Ayuso wrote:
> On Mon, Jun 17, 2019 at 07:28:31PM +0200, Phil Sutter wrote:
> > On Mon, Jun 17, 2019 at 07:24:33PM +0200, Pablo Neira Ayuso wrote:
> > > On Mon, Jun 17, 2019 at 06:45:59PM +0200, Phil Sutter wrote:
> > > > On Mon, Jun 17, 2019 at
Hi Pablo, comments below.
On 6/17/19 5:45 PM, Pablo Neira Ayuso wrote:
> On Mon, Jun 17, 2019 at 12:32:35PM +0200, Fernando Fernandez Mancera wrote:
>> Add SYNPROXY module support in nf_tables. It preserves the behaviour of the
>> SYNPROXY target of iptables but structured in a different way to pr
On Mon, Jun 17, 2019 at 07:34:42PM +0200, Pablo Neira Ayuso wrote:
> On Mon, Jun 17, 2019 at 07:26:53PM +0200, Phil Sutter wrote:
> > Hey Pablo!
> >
> > On Mon, Jun 17, 2019 at 07:18:39PM +0200, Pablo Neira Ayuso wrote:
> > > This test invokes the 'replace rule ... handle 2' command. However,
> >
The score approach based on command type is confusing.
This patch introduces cache level flags, each flag specifies what kind
of object type is needed. These flags are set on/off depending on the
list of commands coming in this batch.
cache_is_complete() now checks if the cache contains the objec
On Mon, Jun 17, 2019 at 07:26:53PM +0200, Phil Sutter wrote:
> Hey Pablo!
>
> On Mon, Jun 17, 2019 at 07:18:39PM +0200, Pablo Neira Ayuso wrote:
> > This test invokes the 'replace rule ... handle 2' command. However,
> > there are no rules in the kernel, therefore it always fails.
>
> I found the
On Mon, Jun 17, 2019 at 07:28:31PM +0200, Phil Sutter wrote:
> On Mon, Jun 17, 2019 at 07:24:33PM +0200, Pablo Neira Ayuso wrote:
> > On Mon, Jun 17, 2019 at 06:45:59PM +0200, Phil Sutter wrote:
> > > On Mon, Jun 17, 2019 at 06:28:40PM +0200, Pablo Neira Ayuso wrote:
> > > > On Mon, Jun 17, 2019 at
On Mon, Jun 17, 2019 at 07:24:33PM +0200, Pablo Neira Ayuso wrote:
> On Mon, Jun 17, 2019 at 06:45:59PM +0200, Phil Sutter wrote:
> > On Mon, Jun 17, 2019 at 06:28:40PM +0200, Pablo Neira Ayuso wrote:
> > > On Mon, Jun 17, 2019 at 06:11:04PM +0200, Phil Sutter wrote:
> > > > Hi,
> > > >
> > > > On
Hey Pablo!
On Mon, Jun 17, 2019 at 07:18:39PM +0200, Pablo Neira Ayuso wrote:
> This test invokes the 'replace rule ... handle 2' command. However,
> there are no rules in the kernel, therefore it always fails.
I found the cause for why this stopped working: You forgot to adjust
rule_evaluate(),
On Mon, Jun 17, 2019 at 06:45:59PM +0200, Phil Sutter wrote:
> On Mon, Jun 17, 2019 at 06:28:40PM +0200, Pablo Neira Ayuso wrote:
> > On Mon, Jun 17, 2019 at 06:11:04PM +0200, Phil Sutter wrote:
> > > Hi,
> > >
> > > On Mon, Jun 17, 2019 at 02:25:16PM +0200, Pablo Neira Ayuso wrote:
[...]
> >
> >
nft_evaluate() already populates the cache before running the monitor
command. Remove this code.
Fixes: 7df42800cf89 ("src: single cache_update() call to build cache before
evaluation")
Signed-off-by: Pablo Neira Ayuso
---
v2: move patch from 4/5 to 3/5.
src/rule.c | 32 ---
This test invokes the 'replace rule ... handle 2' command. However,
there are no rules in the kernel, therefore it always fails.
Signed-off-by: Pablo Neira Ayuso
---
v2: no changes.
tests/shell/testcases/nft-f/0006action_object_0 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git
Command type is never used in cache_flush().
Signed-off-by: Pablo Neira Ayuso
---
v2: no changes.
include/rule.h | 3 +--
src/evaluate.c | 2 +-
src/rule.c | 2 +-
3 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/include/rule.h b/include/rule.h
index b41825d000d6..299485ffeeaa
Remove this wrapper, call netlink_list_rules() instead.
Signed-off-by: Pablo Neira Ayuso
---
v2: move patch from 5/5 to 4/5.
include/netlink.h | 2 +-
src/netlink.c | 7 +--
src/rule.c| 2 +-
3 files changed, 3 insertions(+), 8 deletions(-)
diff --git a/include/netlink.h b/incl
The score approach based on command type is confusing.
This patch introduces cache level flags, each flag specifies what kind
of object type is needed. These flags are set on/off depending on the
list of commands coming in this batch.
cache_is_complete() now checks if the cache contains the objec
On Mon, Jun 17, 2019 at 06:28:40PM +0200, Pablo Neira Ayuso wrote:
> On Mon, Jun 17, 2019 at 06:11:04PM +0200, Phil Sutter wrote:
> > Hi,
> >
> > On Mon, Jun 17, 2019 at 02:25:16PM +0200, Pablo Neira Ayuso wrote:
> > [...]
> > > -int cache_evaluate(struct nft_ctx *nft, struct list_head *cmds)
> >
Hi Pablo,
On Mon, Jun 17, 2019 at 06:06:57PM +0200, Pablo Neira Ayuso wrote:
> On Mon, Jun 17, 2019 at 06:00:30PM +0200, Phil Sutter wrote:
[...]
> > My initial implementation of intra-transaction rule references made
> > this handle guessing impossible, but your single point cache
> > fetching st
On Mon, Jun 17, 2019 at 06:11:04PM +0200, Phil Sutter wrote:
> Hi,
>
> On Mon, Jun 17, 2019 at 02:25:16PM +0200, Pablo Neira Ayuso wrote:
> [...]
> > -int cache_evaluate(struct nft_ctx *nft, struct list_head *cmds)
> > +unsigned int cache_evaluate(struct nft_ctx *nft, struct list_head *cmds)
> >
Currently, the expiration of every element in a set or map
is a read-only parameter generated at kernel side.
This change will permit to set a certain expiration date
per element that will be required, for example, during
stateful replication among several nodes.
This patch will enable the _expir
Currently, the expiration of every element in a set or map
is a read-only parameter generated at kernel side.
This change will permit to set a certain expiration date
per element that will be required, for example, during
stateful replication among several nodes.
This patch allows to propagate NF
Currently, the expiration of every element in a set or map
is a read-only parameter generated at kernel side.
This change will permit to set a certain expiration date
per element that will be required, for example, during
stateful replication among several nodes.
This patch handles the NFTA_SET_E
Hi,
On Mon, Jun 17, 2019 at 02:25:16PM +0200, Pablo Neira Ayuso wrote:
[...]
> -int cache_evaluate(struct nft_ctx *nft, struct list_head *cmds)
> +unsigned int cache_evaluate(struct nft_ctx *nft, struct list_head *cmds)
> {
> - unsigned int echo_completeness = CMD_INVALID;
> - unsigned in
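Review bot: the visible part of this hunk changes cache_evaluate()'s return type from int to unsigned int, so the function can no longer signal a negative error to its callers; any call site that tests the result with `< 0` has to be adjusted in the same patch, and the commit message should state what the unsigned value now means (the cache level flags described above).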
Hi Phil,
On Mon, Jun 17, 2019 at 06:00:30PM +0200, Phil Sutter wrote:
> Hi,
>
> On Mon, Jun 17, 2019 at 02:25:15PM +0200, Pablo Neira Ayuso wrote:
> > This test invokes the 'replace rule ... handle 2' command. However,
> > there are no rules in the kernel, therefore it always fails.
>
> This gue
Hi,
On Mon, Jun 17, 2019 at 02:25:15PM +0200, Pablo Neira Ayuso wrote:
> This test invokes the 'replace rule ... handle 2' command. However,
> there are no rules in the kernel, therefore it always fails.
This guesses the previously inserted rule's handle. Does this start
failing with your flags c
Hi,
On Mon, Jun 17, 2019 at 02:25:16PM +0200, Pablo Neira Ayuso wrote:
> The score approach based on command type is confusing.
>
> This patch introduces cache level flags, each flag specifies what kind
> of object type is needed. These flags are set on/off depending on the
> list of commands com
On Mon, Jun 17, 2019 at 12:32:35PM +0200, Fernando Fernandez Mancera wrote:
> Add SYNPROXY module support in nf_tables. It preserves the behaviour of the
> SYNPROXY target of iptables but structured in a different way to propose
> improvements in the future.
>
> Signed-off-by: Fernando Fernandez M
On Mon, Jun 17, 2019 at 12:32:35PM +0200, Fernando Fernandez Mancera wrote:
> diff --git a/include/uapi/linux/netfilter/nf_tables.h
> b/include/uapi/linux/netfilter/nf_tables.h
> index 505393c6e959..f225f237f98a 100644
> --- a/include/uapi/linux/netfilter/nf_tables.h
> +++ b/include/uapi/linux/net
On Mon, Jun 17, 2019 at 11:55:42AM +0200, Florian Westphal wrote:
> The two rules:
> arp operation 1-2 accept
> arp operation 256-512 accept
>
> are both shown as 256-512:
>
> chain in_public {
> arp operation 256-512 accept
> arp operation 256-512 accept
>
This patch adds the netns feature to the 'nft-test.py' file.
Signed-off-by: Shekhar Sharma
---
The version history of the patch is :
v1: add the netns feature
v2: use format() method to simplify print statements.
v3: updated the shebang
v4: resent the same with small changes
v5&v6: resent with s
On Sat, May 25, 2019 at 03:30:58PM +0200, Stéphane Veyret wrote:
> This patch allows to add, list and delete expectations via nft objref
> infrastructure and assigning these expectations via nft rule.
>
> This allows manual port triggering when no helper is defined to manage a
> specific protocol.
On Mon, Jun 10, 2019 at 02:24:09PM +0200, Jozsef Kadlecsik wrote:
> Hi Pablo,
>
> Please consider to pull the next patches for the nf-next tree:
>
> - Remove useless memset() calls, nla_parse_nested/nla_parse
> erase the tb array properly, from Florent Fourcot.
> - Merge the uadd and udel funct
On Fri, Jun 07, 2019 at 02:36:00AM +0200, Fernando Fernandez Mancera wrote:
> The patch series has been tested by enabling iptables and ip6tables SYNPROXY.
> All the modules loaded as expected.
Series applied, thanks Fernando.
On Mon, Jun 17, 2019 at 7:00 PM Jones Desougi
wrote:
>
>
>
> On Fri, Jun 14, 2019 at 4:41 PM Shekhar Sharma
> wrote:
>>
>> This patch adds the netns feature to the 'nft-test.py' file.
>>
>>
>> Signed-off-by: Shekhar Sharma
>> ---
>> The version history of the patch is :
>> v1: add the netns fea
Applied, thanks Florian.
Hi Phil,
On Fri, Jun 14, 2019 at 03:41:24PM +0200, Phil Sutter wrote:
[...]
> On Fri, Jun 14, 2019 at 03:04:38PM +0200, Pablo Neira Ayuso wrote:
> > On Fri, Jun 14, 2019 at 02:59:10PM +0200, Pablo Neira Ayuso wrote:
> > > On Fri, Jun 14, 2019 at 02:54:32PM +0200, Phil Sutter wrote:
> > > > Hi Pabl
This test invokes the 'replace rule ... handle 2' command. However,
there are no rules in the kernel, therefore it always fails.
Signed-off-by: Pablo Neira Ayuso
---
tests/shell/testcases/nft-f/0006action_object_0 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/shell/te
Remove this wrapper, call netlink_list_rules() instead.
Signed-off-by: Pablo Neira Ayuso
---
include/netlink.h | 2 +-
src/netlink.c | 7 +--
src/rule.c| 2 +-
3 files changed, 3 insertions(+), 8 deletions(-)
diff --git a/include/netlink.h b/include/netlink.h
index 0c08b1abbf6a.
nft_evaluate() already populates the cache before running the monitor
command. Remove this code.
Fixes: 7df42800cf89 ("src: single cache_update() call to build cache before
evaluation")
Signed-off-by: Pablo Neira Ayuso
---
src/rule.c | 32
1 file changed, 32 del
Command type is never used in cache_flush().
Signed-off-by: Pablo Neira Ayuso
---
include/rule.h | 3 +--
src/evaluate.c | 2 +-
src/rule.c | 2 +-
3 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/include/rule.h b/include/rule.h
index b41825d000d6..299485ffeeaa 100644
--- a/inc
The score approach based on command type is confusing.
This patch introduces cache level flags, each flag specifies what kind
of object type is needed. These flags are set on/off depending on the
list of commands coming in this batch.
cache_is_complete() now checks if the cache contains the objec
Hi,
I have been working on the synproxy expression. In my opinion, there is
no way to use sets or maps with synproxy so I think it should be a
statement.
This patch is almost finished, but I have been dealing with the
following error.
# nft add table ip foo
# nft add chain ip foo bar
# nft add r
Add SYNPROXY module support in nf_tables. It preserves the behaviour of the
SYNPROXY target of iptables but structured in a different way to propose
improvements in the future.
Signed-off-by: Fernando Fernandez Mancera
---
include/uapi/linux/netfilter/nf_SYNPROXY.h | 4 +
include/uapi/linux/ne
Signed-off-by: Fernando Fernandez Mancera
---
include/linux/netfilter/nf_SYNPROXY.h | 23
include/linux/netfilter/nf_tables.h | 16 +
include/statement.h | 11 ++
src/evaluate.c| 16 +
src/netlink_delinearize.c
Signed-off-by: Fernando Fernandez Mancera
---
include/libnftnl/expr.h | 6 +
include/linux/netfilter/nf_tables.h | 16 +++
src/Makefile.am | 1 +
src/expr/synproxy.c | 170
src/expr_ops.c | 2
The two rules:
arp operation 1-2 accept
arp operation 256-512 accept
are both shown as 256-512:
chain in_public {
arp operation 256-512 accept
arp operation 256-512 accept
meta mark "1"
tcp flags 2,4
}
This is becaus
On Mon, Jun 17, 2019 at 01:48:17AM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > > This means we now respect format specifier as well:
> > > chain in_public {
> > > arp operation 1-2 accept
> > > arp operation 256-512 accept
> > > m
Hello Everyone,
I am working for a while on two projects (libnetfilter_queue and
libnetfilter_conntrack) to get the decision of destined of packets that
arrived in our project. It is great to get the control of all packets.
But I am confused a little.
In my solution I just want to forward all packets tha