[PATCH nf-next] netfilter: nf_nat_ipv4: remove obsolete EXPORT_SYMBOL

2018-09-07 Thread Florian Westphal
There are no external callers anymore, previous change just forgot to also remove the EXPORT_SYMBOL(). Fixes: 9971a514ed269 ("netfilter: nf_nat: add nat type hooks to nat core") Signed-off-by: Florian Westphal --- net/ipv4/netfilter/nf_nat_l3proto_ipv4.c | 1 - 1 file changed,

[PATCH nft 5/5] src: add ipsec (xfrm) expression

2018-09-05 Thread Florian Westphal
-by: Florian Westphal --- doc/primary-expression.txt | 34 + include/expression.h| 8 +++ include/json.h | 2 + include/linux/netfilter/nf_tables.h | 29 include/xfrm.h | 16 + src/Makefile.am

[PATCH libnftnl 2/5] expr: add xfrm support

2018-09-05 Thread Florian Westphal
Signed-off-by: Florian Westphal --- include/libnftnl/expr.h | 8 + include/linux/netfilter/nf_tables.h | 29 src/Makefile.am | 1 + src/expr/xfrm.c | 325 src/expr_ops.c | 2

[PATCH nft 4/5] src: rename meta secpath to meta ipsec

2018-09-05 Thread Florian Westphal
for symmetry with 'rt ipsec'. "meta secpath" still works. Signed-off-by: Florian Westphal --- doc/primary-expression.txt | 6 +++--- src/meta.c | 5 - src/parser_bison.y | 1 + tests/py/inet/meta.t | 4 ++-- tests/py/inet/meta.t.payload | 2 +

[PATCH nf-next] netfilter: nf_tables: avoid BUG_ON usage

2018-09-04 Thread Florian Westphal
None of these spots really needs to crash the kernel. In one two cases we can just report error to userspace, in the other cases we can just use WARN_ON (and leak memory instead). Signed-off-by: Florian Westphal --- net/netfilter/nf_tables_api.c | 9 ++--- net/netfilter/nft_cmp.c | 6

[PATCH nf-next] netfilter: xtables: avoid BUG_ON

2018-09-04 Thread Florian Westphal
I see no reason for them, label or timer cannot be NULL, and if they were, we'll crash with null deref anyway. For skb_header_pointer failure, just set hotdrop to true and toss such packet. Signed-off-by: Florian Westphal --- net/ipv6/netfilter/ip6t_ipv6header.c | 5 - net/ipv6/netfilter

[PATCH nft] proto: fix icmp/icmpv6 code datatype

2018-09-04 Thread Florian Westphal
Signed-off-by: Florian Westphal --- src/proto.c | 4 ++-- tests/py/ip/icmp.t| 4 ++-- tests/py/ip/icmp.t.payload.ip | 2 +- tests/py/ip6/icmpv6.t | 6 +++--- tests/py/ip6/icmpv6.t.payload.ip6 | 2 +- 5 files changed, 9 insertions(+), 9

[PATCH nf-next] netfilter: nf_tables: add xfrm expression

2018-09-03 Thread Florian Westphal
supports fetching saddr/daddr of tunnel mode states, request id and spi. If direction is 'in', use inbound skb secpath, else dst->xfrm. Joint work with Máté Eckl. Signed-off-by: Florian Westphal --- include/uapi/linux/netfilter/nf_tables.h | 29 +++ net/netfilter/Kcon

[PATCH nft] tests: fix json output for osf, socket and tproxy expressions

2018-09-03 Thread Florian Westphal
Signed-off-by: Florian Westphal --- tests/py/inet/osf.t.json| 18 ++ tests/py/inet/socket.t.json | 5 +++-- tests/py/inet/tproxy.t.json | 25 - tests/py/ip/tproxy.t.json | 23 ++- tests/py/ip6/tproxy.t.json | 25

Re: [iptables PATCH] xtables: Align return codes with legacy iptables

2018-09-01 Thread Florian Westphal
Phil Sutter wrote: > Make sure return codes match legacy ones at least for a few selected > commands typically used to check ruleset state. Applied, thank you.

Re: [iptables PATCH] xtables: Drop use of IP6T_F_PROTO

2018-09-01 Thread Florian Westphal
Phil Sutter wrote: > Setting this bit in cs->fw6.ipv6.flags was done only for rules parsed > from command line, not for those read from kernel. As a result, > appropriate rules could not be deleted. A simple test case is: Applied, thanks.

[PATCH nf-next] netfilter: remove obsolete need_conntrack stub

2018-08-31 Thread Florian Westphal
as of a0ae2562c6c4b27 ("netfilter: conntrack: remove l3proto abstraction") there are no users anymore. Signed-off-by: Florian Westphal --- include/linux/netfilter/nf_conntrack_common.h | 3 --- net/netfilter/nf_conntrack_standalone.c | 7 --- 2 files changed, 10 deletion

[PATCH nft,libnftnl 0/2] rt ipsec support

2018-08-30 Thread Florian Westphal
This is userspace side of 'rt ipsec' support. It allows e.g. to suppress NAT for packets that will be tunneled via esp. For symmetry it might make sense to rename 'meta secpath' to 'meta ipsec', what do you think? Old keyword would be preserved of course.

[PATCH nft 2/2] src: rt: add support to check if route will perform ipsec transformation

2018-08-30 Thread Florian Westphal
Signed-off-by: Florian Westphal --- doc/primary-expression.txt | 4 include/linux/netfilter/nf_tables.h | 1 + src/parser_bison.y | 2 ++ src/parser_json.c | 1 + src/rt.c| 5 + src/scanner.l

[PATCH libnftnl 1/2] expr: rt: ipsec match support

2018-08-30 Thread Florian Westphal
Signed-off-by: Florian Westphal --- include/linux/netfilter/nf_tables.h | 2 ++ src/expr/rt.c | 1 + 2 files changed, 3 insertions(+) diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h index 382ca548112e..da2dda9760eb 100644

[PATCH nf-next v2 2/3] netfilter: nf_tables: warn when expr implements only one of activate/deactivate

2018-08-30 Thread Florian Westphal
;activate() has to be provided too. So print a warning and refuse registration if expr->ops provides only one of the two operations. v2: fix nft_expr_check_ops to not repeat same check twice (Jones Desougi) Signed-off-by: Florian Westphal --- net/netfilter/nf_tables_api.c | 19 +++

Re: [PATCH nft 3/4] src: tproxy: relax family restrictions

2018-08-30 Thread Florian Westphal
Eckl, Máté wrote: > Could you please hold this one back for a few days? I can review this at > the beginning of next week and I'd like to because of the tricky use of > families. Sorry, I pushed it moments ago before seeing your reply. You can send a relative patch or even a revert if needed,

[PATCH nf-next 0/3] netfilter: nf_tables: remove last synchronize_rcu from config path

2018-08-29 Thread Florian Westphal
There is one synchronize_rcu instance left in the nf_tables config path, it's required when something has to be removed that might still be visible from the packet path, such as rules or set elements. In such case, we have something like this: 1. transaction changes are applied 2. synchronize_rcu

[PATCH nf-next 2/3] netfilter: nf_tables: warn when expr implements only one of activate/deactivate

2018-08-29 Thread Florian Westphal
;activate() has to be provided too. So print a warning and refuse registration if expr->ops provides only one of the two operations. Signed-off-by: Florian Westphal --- net/netfilter/nf_tables_api.c | 20 1 file changed, 20 insertions(+) diff --git a/net/netfilter/nf_ta

[PATCH nf-next 3/3] netfilter: nf_tables: asynchronous release

2018-08-29 Thread Florian Westphal
Release the committed transaction log from a work queue, moving expensive synchronize_rcu out of the locked section and providing opportunity to batch this. On my test machine this cuts runtime of nft-test.py in half. Based on earlier patch from Pablo Neira Ayuso. Signed-off-by: Florian Westphal

[PATCH nf-next 1/3] netfilter: nf_tables: split set destruction in deactivate and destroy phase

2018-08-29 Thread Florian Westphal
is aborted. Destroy function is added to free the memory, but this could occur outside of transaction in the future. Signed-off-by: Florian Westphal --- include/net/netfilter/nf_tables.h | 7 ++- net/netfilter/nf_tables_api.c | 36 +--- net/netfilter

[PATCH nft 4/4] src: tproxy: add json support

2018-08-29 Thread Florian Westphal
Signed-off-by: Florian Westphal --- include/json.h | 2 + src/json.c | 26 + src/parser_json.c | 43 src/statement.c | 1 + tests/py/inet/tproxy.t.json | 91 +++ tests

[PATCH nft 3/4] src: tproxy: relax family restrictions

2018-08-29 Thread Florian Westphal
to special-case the table it's currently in, rather than just using the family attribute in the json output. We obviously still reject the family in case it mismatches the table family (e.g., can't use ip address in ip6 table). Signed-off-by: Florian Westphal --- src/evaluate.c| 30

[PATCH nft 2/4] src: osf: add json support

2018-08-29 Thread Florian Westphal
Signed-off-by: Florian Westphal --- include/json.h | 2 ++ src/json.c | 5 src/osf.c| 2 ++ src/parser_json.c| 17 +++- tests/py/inet/osf.t.json | 67 5 files changed, 92 insertions

[PATCH nft 0/4] add json support for tproxy and osf expressions

2018-08-29 Thread Florian Westphal
This series adds JSON support for tproxy and osf. Furthermore, it relaxes a tproxy check that prohibited use of 'tproxy ip' syntax in ip family, and 'tproxy ip6' syntax in ip6 family. Reason is that this check makes JSON support harder as we'd need to be able to add conditional family handling

[PATCH nft 1/4] parser: avoid nf_key_proto redefinitions

2018-08-29 Thread Florian Westphal
Signed-off-by: Florian Westphal --- src/parser_bison.y | 18 -- 1 file changed, 4 insertions(+), 14 deletions(-) diff --git a/src/parser_bison.y b/src/parser_bison.y index bc6f72779dd7..b3b4f40d1705 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -582,7 +582,7 @@ int

[PATCH nf-next] netfilter: nf_tables: rt: allow checking if dst has xfrm attached

2018-08-28 Thread Florian Westphal
Useful e.g. to avoid NATting inner headers of to-be-encrypted packets. Signed-off-by: Florian Westphal --- include/uapi/linux/netfilter/nf_tables.h | 2 ++ net/netfilter/nft_rt.c | 11 +++ 2 files changed, 13 insertions(+) diff --git a/include/uapi/linux/netfilter

[PATCH v3 nf] netfilter: conntrack: reset tcp maxwin on re-register

2018-08-24 Thread Florian Westphal
: 4d3a57f23dec59 ("netfilter: conntrack: do not enable connection tracking unless needed") Signed-off-by: Florian Westphal --- net/netfilter/nf_conntrack_proto.c | 26 ++ 1 file changed, 26 insertions(+) diff --git a/net/netfilter/nf_conntrack_proto.c b/net

[PATCH nf v2 2/2] netfilter: nf_tables: rework ct timeout set support

2018-08-24 Thread Florian Westphal
hanges since v2: - don't handle 'ct is confirmed case' - after previous patch, no need to special-case tcp/dccp/sctp timeout anymore Signed-off-by: Florian Westphal --- include/net/netfilter/nf_conntrack_timeout.h | 2 +- net/netfilter/nft_ct.c

[PATCH nf 1/2] netfilter: conntrack: place 'new' timeout in first location too

2018-08-24 Thread Florian Westphal
and udp/icmp/gre/generic. The alternative is to map all array accesses to 'i - 1', but that is a much more intrusive change. Signed-off-by: Florian Westphal --- net/netfilter/nf_conntrack_proto_dccp.c | 7 +++ net/netfilter/nf_conntrack_proto_sctp.c | 7 +++ net/netfilter

Re: [PATCH nf] netfilter: conntrack: reset tcp maxwin on re-register

2018-08-23 Thread Florian Westphal
Doug Smythies wrote: > > Could you try conntrack -F after removing your ruleset? > > ad1d697 + this patch: > > O.K. that eliminates the 1 minute wait, and the other ssh connections > drop right away when I try to use them, after ruleset is loaded again. > The ssh session I ran the commands from

Re: [PATCH nf] netfilter: nf_tables: rework ct timeout set support

2018-08-23 Thread Florian Westphal
Pablo Neira Ayuso wrote: > > > percpu template would allow us to combine both, I mean, to use the > > > template as a scratchpad area. The template is only used from the same > > > hook point to pass information between hook callbacks. > > > > I found no way to do this. > > > > Consider this: >

Re: [PATCH nf] netfilter: nf_tables: rework ct timeout set support

2018-08-23 Thread Florian Westphal
s that are evaluated *after* the conntrack lookup > > has taken place. > > > > No released kernel contains the timeout policy feature yet, so this change > > should be ok. > > > > Signed-off-by: Florian Westphal > > --- > > nft_ct_timeout_updat

[PATCH nf v2] netfilter: conntrack: reset tcp maxwin on re-register

2018-08-22 Thread Florian Westphal
ilter: conntrack: do not enable connection tracking unless needed") Signed-off-by: Florian Westphal --- net/netfilter/nf_conntrack_proto.c | 29 + 1 file changed, 29 insertions(+) diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_pro

Re: [PATCH nf] netfilter: conntrack: reset tcp maxwin on re-register

2018-08-22 Thread Florian Westphal
Doug Smythies wrote: > On 2018.08.22 11:26 Doug Smythies wrote: > > On 2018.08.21 02:26 Florian Westphal wrote: > > > > ... [snip] ... > > > >> Fix this by clearing maxwin of existing tcp connections on register. > >> While at it, lower timeout of exi

[PATCH nf] netfilter: nf_tables: rework ct timeout set support

2018-08-22 Thread Florian Westphal
imeout policy feature yet, so this change should be ok. Signed-off-by: Florian Westphal --- nft_ct_timeout_update() is ugly, but I found no better solution. The alternative is to allow use of templates, but that requires nasty kmemdup() games to clone the template, else we'd modify some percpu/re

Re: [PATCH] netfilter: xt_cluster: add dependency on conntrack module

2018-08-22 Thread Florian Westphal
Martin Willi wrote: > The cluster match requires conntrack for matching packets. If the > netns does not have conntrack hooks registered, the match does not > work at all. Acked-by: Florian Westphal

[PATCH v2 nf] netfilter: xt_checksum: ignore gso skbs

2018-08-22 Thread Florian Westphal
' header checksum and add a one-time warning in case such rule isn't restricted to UDP. v2: check IP6T_F_PROTO flag before cmp (Michal Kubecek) Reported-by: Satish Patel Reported-by: Markos Chandras Reported-by: Michal Kubecek Signed-off-by: Florian Westphal --- net/netfilter/Kconfig | 12

Re: [nf-next 2/3] netfilter: Add support for IPv6 segment routing 'SEG6' target

2018-08-21 Thread Florian Westphal
Ahmed Abdelsalam wrote: > +static int seg6_check(const struct xt_tgchk_param *par) > +{ > + /** > + * In the future, some new action may require using > + * this function for doing some checks > + */ Please add a check on seg6->action and return -EOPNOTSUPP in case it

Re: [iptables PATCH] xtables: Use meta l4proto for -p match

2018-08-21 Thread Florian Westphal
Phil Sutter wrote: > Use of payload expression to match against IPv6 nexthdr field does not > work if extension headers are present. A simple example for that is > matching for fragmented icmpv6 traffic. Instead, generate a 'meta > l4proto' expression which works even if extension headers are

Re: [PATCH] xtables: Fix for segfault when registering hashlimit extension

2018-08-21 Thread Florian Westphal
Heena Sirwani wrote: > This patch fixes the crash when registering the hashlimit extension > with xtables during init_extensions(when built with static libs) . > The option validation function xtables_option_metavalidate has a > loop termination condition of the entry name being NULL. The loop >

[PATCH nf] netfilter: conntrack: reset tcp maxwin on re-register

2018-08-21 Thread Florian Westphal
-by: Doug Smythies Fixes: 4d3a57f23dec59 ("netfilter: conntrack: do not enable connection tracking unless needed") Signed-off-by: Florian Westphal --- net/netfilter/nf_conntrack_proto.c | 61 -- 1 file changed, 59 insertions(+), 2 deletions(-)

[PATCH nf] netfilter: xt_checksum: ignore gso skbs

2018-08-20 Thread Florian Westphal
' header checksum and add a one-time warning in case such rule isn't restricted to UDP. Reported-by: Satish Patel Reported-by: Markos Chandras Reported-by: Michal Kubecek Signed-off-by: Florian Westphal --- net/netfilter/Kconfig | 12 ++-- net/netfilter/xt_CHECKSUM.c | 19

Re: ebtables-nft: user-defined chain policies

2018-08-15 Thread Florian Westphal
Phil Sutter wrote: > Hi Pablo, > > On Wed, Aug 15, 2018 at 12:17:28PM +0200, Pablo Neira Ayuso wrote: > > On Tue, Aug 14, 2018 at 08:16:11PM +0200, Phil Sutter wrote: > > > Hi Arturo, > > > > > > I see that in your commit[1] you explicitly disable policy setting for > > > user-defined ebtables

Re: dropped SSH sessions with kernels >= 4.14 upon iptables clear then load [REGRESSION][BISECTED]

2018-08-14 Thread Florian Westphal
; while testing. Recently, this has become problematic, with the > SSH session being dropped upon re-load of the rule set. > > 4d3a57f23dec59f0a2362e63540b2d01b37afe0a is the first bad commit > commit 4d3a57f23dec59f0a2362e63540b2d01b37afe0a > Author: Florian Westphal > Date:

Re: nft equivalent of -m time

2018-08-12 Thread Florian Westphal
Neal P. Murphy wrote: > Does nftables have an equivalent of iptables' "-m time"? No. What's the use case? -m time is problematic (kernel has no idea what a timezone is). It seems simpler to add to or delete from a named set via cron or similar.

Re: [iptables PATCH] ebtables: Remove flags misinterpretations

2018-08-10 Thread Florian Westphal
Phil Sutter wrote: > This is actually quite a mess: xtables-eb.c defines names for bits in > 'flags' variable of do_commandeb(), though these tend to clash with bit > names defined in xshared.h due to the same 'OPT_' prefix. Therefore > checking for bits OPT_NUMERIC and OPT_VERBOSE is

Re: [iptables PATCH] tests: Fix skipping for recent nft-only tests

2018-08-09 Thread Florian Westphal
Phil Sutter wrote: > Got it! The problem is ebt_limit.ko is not automatically loaded as it > should. I noticed that problem once but forgot about it again. If you > manually modprobe ebt_limit before running the testsuite, it should all > pass. Indeed, I've applied this, thank you. I wonder if

Re: [iptables PATCH] xtables: Don't pass full invflags to add_compat()

2018-08-09 Thread Florian Westphal
Phil Sutter wrote: > The function expects a boolean, not a bitfield. This bug caused > inversion in another match to carry over to protocol match by accident. > The supplied testcase contains rules which then fail because they > contain matches requiring that protocol. Applied, thank you. -- To

Re: [iptables PATCH] tests: Fix skipping for recent nft-only tests

2018-08-09 Thread Florian Westphal
Florian Westphal wrote: > Phil Sutter wrote: > > In an attempt to sanitize shell scripting, exit test in recent testcases > > was altered, which led to them being skipped even in nft test runs. Drop > > the quotes so that globbing happens again. > > Are the tests su

Re: [iptables PATCH] tests: Fix skipping for recent nft-only tests

2018-08-09 Thread Florian Westphal
Phil Sutter wrote: > In an attempt to sanitize shell scripting, exit test in recent testcases > was altered, which led to them being skipped even in nft test runs. Drop > the quotes so that globbing happens again. Are the tests supposed to pass with current master? GNU bash, version

Re: Creating custom ipsets

2018-08-09 Thread Florian Westphal
Akshat Kakkar wrote: > Thanks for the info. nftables set infra lacks a lot of things, especially > interfaces. nft add set inet filter example '{ type ifname; }' nft add set inet filter example '{ type iface_index; }' nft add set inet filter example '{ type ifname . ifname ; }' ... should all work.

Re: [Bug 200651] New: cgroups iptables-restor: vmalloc: allocation failure

2018-08-07 Thread Florian Westphal
t all processes down before realizing there is nothing > - * more to reclaim. > - */ > - info = kvmalloc(sz, GFP_KERNEL | __GFP_NORETRY); > + info = kvmalloc(sz, GFP_KERNEL | __GFP_ACCOUNT); > if (!info) > return NULL; Acked-by: Florian W

Re: [iptables PATCH] xtables: Spelling fixes in xtables-monitor

2018-08-07 Thread Florian Westphal
Phil Sutter wrote: > Fix a few minor spelling issues in xtables-monitor help output and man > page. While being at it, change 'ipv4' and 'ipv6' to 'IPv4' and 'IPv6', > respectively. Applied, thank you.

Re: [Bug 200651] New: cgroups iptables-restor: vmalloc: allocation failure

2018-08-07 Thread Florian Westphal
Michal Hocko wrote: > On Tue 07-08-18 13:19:26, Florian Westphal wrote: > > Michal Hocko wrote: > > > > I can't reproduce it anymore. > > > > If i understand correctly this way memory allocated will be > > > > accounted to kmem of this cgroup (if

Re: [Bug 200651] New: cgroups iptables-restor: vmalloc: allocation failure

2018-08-07 Thread Florian Westphal
Michal Hocko wrote: > > I can't reproduce it anymore. > > If I understand correctly this way memory allocated will be > > accounted to kmem of this cgroup (if inside cgroup). > > s@this@caller's@ > > Florian, is this patch acceptable I am no mm expert. Should all longlived GFP_KERNEL

Re: [iptables PATCH v3 0/7] Fixes and tests for {eb,arp}tables-{save,restore}

2018-08-06 Thread Florian Westphal
Phil Sutter wrote: > This is a respin containing fixed versions of patches objected against > and remaining ones not applied earlier. Applied, thanks Phil.

Re: [iptables PATCH] xtables: Fix potential segfault in nft_rule_append()

2018-08-06 Thread Florian Westphal
Phil Sutter wrote: > If batch_rule_add() failed (ENOMEM), nft_rule_append() frees the > rule and then tries to add it to the rule cache. Better return 0 > (failure) instead of continuing. Applied.

Re: [PATCH] doc: Miscellaneous spelling fixes

2018-08-04 Thread Florian Westphal
Duncan Roe wrote: > These were found by ispell -p ./ispell_nft *.txt in nftables/doc. > > - ispell.nft: Added some new words > - nft.txt: (nothing special) > - payload-expression.txt: lengthbits and offsetbits were run together >before the conversion to .txt, but the conversion lost the

Re: [iptables] xtables: Match verbose ip{,6}tables output with legacy

2018-08-04 Thread Florian Westphal
Phil Sutter wrote: > Legacy ip{,6}tables prints feedback for various commands if in verbose > mode, make sure nft variants do the same. Applied, thanks. I fixed up the conflict, no need to send a v2.

Re: [iptables PATCH] xtables: Match verbose ip{,6}tables output with legacy

2018-08-04 Thread Florian Westphal
Phil Sutter wrote: > Legacy ip{,6}tables prints feedback for various commands if in verbose > mode, make sure nft variants do the same. This doesn't apply anymore to current master after all the other changes applied so far, can you send an updated version? Sorry for the extra work.

Re: [iptables PATCH] xtables: Fix for no output on first iptables-nft invocation

2018-08-04 Thread Florian Westphal
Phil Sutter wrote: > Fix the same issue commit a4e78370af849 ("iptables-compat: fix empty > chains after first invocation of iptables-compat -L") fixed back in > 2014. Seems like some changes since then broke it again. Applied.

Re: [iptables PATCH] xtables: Do not count rules as chain references

2018-08-04 Thread Florian Westphal
Phil Sutter wrote: > Unlike iptables, nftables counts rules in a chain as references to that > chain. Align output of 'iptables-nft -L' with that of legacy iptables by > counting the number of rules in a chain and subtracting that value from > reference count before printing the chain header.

Re: [iptables PATCH 21/27] xtables-restore: Make COMMIT support configurable

2018-08-04 Thread Florian Westphal
Phil Sutter wrote: > On Sat, Aug 04, 2018 at 04:31:58PM +0200, Florian Westphal wrote: > > Phil Sutter wrote: > > > Legacy ebtables-restore does not support COMMIT directive, so allow for > > > callers of xtables_restore_parse() to toggle support for it. > >

Re: [iptables PATCH 20/27] xtables-restore: Improve user-defined chain detection

2018-08-04 Thread Florian Westphal
Phil Sutter wrote: > On Sat, Aug 04, 2018 at 04:18:16PM +0200, Florian Westphal wrote: > [...] > > I've applied the series up to this point. > > Seems like something went wrong. Upstream doesn't contain patches 11, > 15 and 16. In doubt I will simply resend them al

Re: [iptables PATCH 20/27] xtables-restore: Improve user-defined chain detection

2018-08-04 Thread Florian Westphal
Phil Sutter wrote: > On Sat, Aug 04, 2018 at 04:18:16PM +0200, Florian Westphal wrote: > > Phil Sutter wrote: > > > Legacy ebtables-save does not use a policy string of '-' to denote > > > user-defined chains but instead lists them with a policy of ACCEPT. > >

Re: [iptables PATCH 25/27] ebtables: Support --init-table command

2018-08-04 Thread Florian Westphal
Phil Sutter wrote: > This effectively flushes all built-in chains and removes user-defined > ones. Since compat layer takes care of built-in table/chain creation, it > is sufficient to just drop the relevant table. Applied, thanks.

Re: [iptables PATCH 21/27] xtables-restore: Make COMMIT support configurable

2018-08-04 Thread Florian Westphal
Phil Sutter wrote: > Legacy ebtables-restore does not support COMMIT directive, so allow for > callers of xtables_restore_parse() to toggle support for it. > > If it is not supported, allow for next table definition without previous > COMMIT and implicitly commit the ruleset after parsing input

Re: [iptables PATCH 20/27] xtables-restore: Improve user-defined chain detection

2018-08-04 Thread Florian Westphal
Phil Sutter wrote: > Legacy ebtables-save does not use a policy string of '-' to denote > user-defined chains but instead lists them with a policy of ACCEPT. This gives xtables-restore.c:336:24: warning: ‘curtable’ may be used uninitialized in this function [-Wmaybe-uninitialized] if

Re: [PATCH 1/2 nftables] src: introduce passive OS fingerprint matching

2018-08-03 Thread Florian Westphal
Pablo Neira Ayuso wrote: > a) Should we just import iptables/utils/nfnl_osf.c into nftables and >use it. So we keep two copies in the tree? Yes, it's 400 LOC with almost no changes since it was imported.

[PATCH v2 nf-next] netfilter: conntrack: avoid use-after free on rmmod

2018-08-03 Thread Florian Westphal
gets free'd right after anyway. v2: add comment wrt. missing unreg call. Fixes: a0ae2562c6c4b2 ("netfilter: conntrack: remove l3proto abstraction") Signed-off-by: Florian Westphal --- net/netfilter/nf_conntrack_proto.c | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff -

[PATCH v2 nf-next] netfilter: kconfig: remove ct zone/label dependencies

2018-08-03 Thread Florian Westphal
labels are handled via hidden dependency that gets auto-selected by the connlabel match. Make it a visible knob, as labels can be attached via ctnetlink or via nftables rules (nft_ct expression) too. This allows to use conntrack labels and zones with nftables-only build. Signed-off-by: Florian

[PATCH nf 0/2] netfilter: nf_tables: fix register ordering

2018-08-02 Thread Florian Westphal
There is a hard-to-trigger race condition when nf_tables module is repeatedly removed while concurrent processes create net namespaces that use nf_tables (and then exit immediately). I made a previous attempt to fix this, but it's incorrect. So first patch fixes actual problem: the nfnetlink

[PATCH nf 2/2] netfilter: nf_tables: don't prevent event handler from device cleanup on netns exit

2018-08-02 Thread Florian Westphal
: 0a2cf5ee432c2 ("netfilter: nf_tables: close race between netns exit and rmmod") Signed-off-by: Florian Westphal --- net/netfilter/nf_tables_api.c| 6 +- net/netfilter/nft_chain_filter.c | 12 +++- 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/net/netfilter/nf_ta

[PATCH nf 1/2] netfilter: nf_tables: fix register ordering

2018-08-02 Thread Florian Westphal
We must register nfnetlink ops last, as that exposes nf_tables to userspace. Without this, we could theoretically get nfnetlink request before net->nft state has been initialized. Fixes: 99633ab29b213 ("netfilter: nf_tables: complete net namespace support") Signed-off-by: Flo

[PATCH v2 nf] netfilter: conntrack: fix removal of conntrack entries when l4tracker is removed

2018-08-02 Thread Florian Westphal
netns exit paths") Signed-off-by: Florian Westphal --- net/netfilter/nf_conntrack_proto.c | 15 ++- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c index 803607a90102..838972224a7b 100644

Re: [iptables PATCH] nft: don't print rule counters unless verbose

2018-08-01 Thread Florian Westphal
Eric Garver wrote: > Currently rule counters are always printed, but that's not the desired > behavior. We should only print them with the verbose flag. This broke > when the arguments of nft_rule_print_save() were changed to accept the > format instead of a counters flag. Applied, thanks. This

Re: [PATCH nft 0/5] doc: Wrap extra long lines to 80 chars

2018-08-01 Thread Florian Westphal
Máté Eckl wrote: > Too long lines may cause error when sending a patch with git send-email. > fatal: patch.patch:287: patch contains a line longer than 998 > characters > > This series wraps long lines to 80 characters. All applied, thank you. -- To unsubscribe from this list: send the

Re: [PATCH nft] doc: nft.txt: Wrap extra long lines to 80 chars

2018-08-01 Thread Florian Westphal
Máté Eckl wrote: > When I tried to send a patch that included man page update I got the > following error from git send-email: > fatal: patch.patch:287: patch contains a line longer than 998 characters > Line 287 was a non-modified line so it was there before my patch. Applied, thanks for

[PATCH nf] netfilter: nf_tables: don't prevent event handler from device cleanup on netns exit

2018-08-01 Thread Florian Westphal
synthesized unregister events for all devices. So we must not grab netns reference. The mutex is enough to serialize with concurrent netns exit call. Fixes: 0a2cf5ee432c2 ("netfilter: nf_tables: close race between netns exit and rmmod") Signed-off-by: Florian Westphal --- Probabl

[PATCH nf-next] netfilter: nf_tables: flow event notifier must use transaction mutex

2018-07-31 Thread Florian Westphal
Fixes: f102d66b335a4 ("netfilter: nf_tables: use dedicated mutex to guard transactions") Signed-off-by: Florian Westphal --- net/netfilter/nf_tables_api.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_a

[PATCH nf-next] netfilter: kconfig: make ct zone/labels selectable without xtables

2018-07-31 Thread Florian Westphal
conntrack expression. This allows to use conntrack labels and zones with nft-only kernel. Signed-off-by: Florian Westphal --- net/netfilter/Kconfig | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 0febf3e21f91

Re: [Bug 200651] New: cgroups iptables-restor: vmalloc: allocation failure

2018-07-31 Thread Florian Westphal
ed back. But now we know that it doesn't... > > > > [1] https://lore.kernel.org/lkml/20180130140104.ge21...@dhcp22.suse.cz/T/#u > > Yes i see. I will add Florian Westphal to CC list. netfilter-devel is > already in this list so probably have to wait for their opinion. It

[PATCH nf] netfilter: fix memory leaks on netlink_dump_start error

2018-07-31 Thread Florian Westphal
s used in commit 90fd131afc565159c9e0ea742f082b337e10f8c6 ("netfilter: nf_tables: move dumper state allocation into ->start"). Reported-by: shaochun chen Signed-off-by: Florian Westphal --- net/netfilter/nf_conntrack_netlink.c | 26 +- net/netfilter/nfnetlin

Re: [netfilter-core] [nf-next:master 5/7] ./usr/include/linux/netfilter/nf_osf.h:73: userspace cannot reference function or variable defined in the kernel

2018-07-30 Thread Florian Westphal
kbuild test robot wrote: > tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git > master > head: 4ed8eb6570a49931c705512060acd50058d61616 > commit: f9324952088f1cd62ea4addf9ff532f1e6452a22 [5/7] netfilter: > nfnetlink_osf: extract nfnetlink_subsystem code from xt_osf.c >

Re: [iptables PATCH 14/23] ebtables: Fix segfault when parsing a rule

2018-07-27 Thread Florian Westphal
Pablo Neira Ayuso wrote: > On Fri, Jul 27, 2018 at 12:53:22PM +0200, Phil Sutter wrote: > > Hi, > > > > On Fri, Jul 27, 2018 at 11:45:16AM +0200, Pablo Neira Ayuso wrote: > > > On Fri, Jul 27, 2018 at 12:22:33AM +0200, Phil Sutter wrote: > > > > This should happen in ebtables-restore only: If a

[PATCH nf] netfilter: conntrack: fix removal of conntrack entries when l4tracker is removed

2018-07-26 Thread Florian Westphal
: 2c41f33c1b703 ("netfilter: move table iteration out of netns exit paths") Signed-off-by: Florian Westphal --- net/netfilter/nf_conntrack_proto.c | 10 -- 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_pro

Re: [PATCH] iptables-restore: free the table lock when skipping a table

2018-07-26 Thread Florian Westphal
Joel Goguen wrote: > Currently, when running `iptables-restore --table=X`, where `X` is not the > first > table in the rules dump, the restore will fail when parsing the second table: Applied, thanks for your patience. > And the test suite: > # ./iptables/tests/shell/run-tests.sh Thanks

Re: [PATCH] nft: doc: Convert man page source to asciidoc

2018-07-26 Thread Florian Westphal
Arushi Singhal wrote: > This patch converts nft.xml into asciidoc markup. Applied, thank you. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

[PATCH nf] netfilter: ip6t_rpfilter: set F_IFACE for linklocal addresses

2018-07-25 Thread Florian Westphal
6 fib lookups") Reported-by: Roman Mamedov Tested-by: Roman Mamedov Signed-off-by: Florian Westphal --- net/ipv6/netfilter/ip6t_rpfilter.c | 12 +++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/net/ipv6/netfilter/ip6t_rpfilter.c b/net/ipv6/netfilter/ip6t_rpfilt

Re: 4.14.54 regression: rpfilter and DHCPv6

2018-07-25 Thread Florian Westphal
Roman Mamedov wrote: > I have a machine which is a DHCPv6 client on a PPPoE connection. It also has: > > sysctl -w net.netfilter.nf_conntrack_tcp_loose=0 > ip6tables -t raw -A PREROUTING ! -i lo -m rpfilter --invert -j DROP > > After commits: > > netfilter: don't set F_IFACE on ipv6 fib

[PATCH nf-next] netfilter: conntrack: avoid use-after free on rmmod

2018-07-25 Thread Florian Westphal
gets free'd right after anyway. Fixes: a0ae2562c6c4b2 ("netfilter: conntrack: remove l3proto abstraction") Signed-off-by: Florian Westphal --- net/netfilter/nf_conntrack_proto.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/net/netfilter/nf_conntrack_proto.c b/net

[PATCH xtables] xtables: avoid bogus 'is incompatible' warning

2018-07-24 Thread Florian Westphal
in this case), now we will see all other chains including base chains that live in another table (and now need to be skipped). It seems better to extend the chain cache long-term to track chains per table instead. Fixes: 01e25e264a4c4 ("xtables: add chain cache") Signed-off-by: Floria

Re: typo found in socket.h at nftables repository

2018-07-21 Thread Florian Westphal
Fernando Fernandez Mancera wrote: > I think I found a typo in socket.h at nftables repository. It is just a > small fix so I propose this patch. Applied, thanks.

[PATCH xtables] nft: decode meta l4proto

2018-07-19 Thread Florian Westphal
Allow to show '-p tcp' in case rule was added by nft (which prefers use of meta l4proto). Signed-off-by: Florian Westphal --- iptables/nft-ipv4.c | 10 ++ iptables/nft-ipv6.c | 10 ++ 2 files changed, 20 insertions(+) diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c index

Re: [iptables PATCH 00/17] xtables: Implement ebtables-{save,restore}

2018-07-19 Thread Florian Westphal
Phil Sutter wrote: > This series contains a minor crash fix in patch 1, a number of cleanups > and (hopefully) simplifications in patches 2-12 and ultimately drop-in > replacement implementations of ebtables-save and -restore in patch 17 > along with a bunch of changes preparing it (patches

Re: [iptables PATCH 01/17] xtables: Fix crash if nft_rule_list_get() fails

2018-07-19 Thread Florian Westphal
Phil Sutter wrote: > - nft_rule_list_get(h); > + if (!nft_rule_list_get(h)) { > + printf("nft_rule_list_get() failed!\n"); > + return 0; > + } Applied, but I removed the printf(). There is still a 'Permission denied' error message, so I don't think the extra

Re: [PATCH V2 nf 3/3] netfilter: nf_tables: add default set size

2018-07-18 Thread Florian Westphal
Pablo Neira Ayuso wrote: > Then, moving forward, if we go for default size for sets, we may need > a way to signal the kernel that the hashtable is resizable, in case > the user wants to dynamically update the maximum size (in such case, > the rhashtable implementation would be still useful I

[PATCH nf] netfilter: conntrack: dccp: treat SYNC/SYNCACK as invalid if no prior state

2018-07-17 Thread Florian Westphal
...@syzkaller.appspotmail.com Signed-off-by: Florian Westphal --- Does anyone actually use dccp conntrack/nat? I propose to axe it in nf-next. net/netfilter/nf_conntrack_proto_dccp.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net

[PATCH nf 3/4] netfilter: nf_tables: fix memory leaks on chain rename

2018-07-16 Thread Florian Westphal
the renamed chain, thus kfree needs to happen after waiting for rcu readers to complete. Fixes: b7263e071a ("netfilter: nf_tables: Allow chain name of up to 255 chars") Signed-off-by: Florian Westphal --- net/netfilter/nf_tables_api.c | 17 +++-- 1 file changed, 11 insertions(+), 6
