[PATCH nft] src: rename ibrportname, obrportname

2018-04-13 Thread Florian Westphal
so use 'ibridgename' and 'obridgename' instead. Old names are still recognized, listing shows the new names. Signed-off-by: Florian Westphal <f...@strlen.de> --- doc/nft.xml| 8 src/meta.c | 15 +-- src/parser_bison.y

[PATCH nft] scanner: add helpers token

2018-04-13 Thread Florian Westphal
without it, you get: nft list ct helpers table filter Error: syntax error, unexpected string, expecting helper or helpers Fixes: 14fd3ad720f6e ("src: prepare for future ct timeout policy support") Signed-off-by: Florian Westphal <f...@strlen.de> --- src/scanner.l | 1 + 1

[PATCH iptables] ebtables-compat: add initial translations

2018-04-11 Thread Florian Westphal
add translations for ip, limit, log, mark, mark_m, nflog. Signed-off-by: Florian Westphal <f...@strlen.de> --- NB: No tests yet, I need to implement 'ebtables-translate' first :-) extensions/libebt_ip.c | 128 + extensions/libebt_limit.c

Re: nftables code size (was: Re: [PATCH nf-next 0/2] ebtables: add support for ICMP and IGMP type/code matching)

2018-04-11 Thread Florian Westphal
Matthias Schiffer wrote: > As an experiment, I created a reduced version of libnftnl by ripping out > all import/export functions and related code like buffer handling. This > reduced the size of libnftnl.so from 155KB to 110KB (on x86-64, -Os, > stripped,

Re: [nft PATCH 1/8] ct: Fix output_fp bypass in ct_print()

2018-04-10 Thread Florian Westphal
Phil Sutter wrote: > Signed-off-by: Phil Sutter > --- > src/ct.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) I pushed this one, will review rest of series later today. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the

[PATCH iptables] ebtables-compat: don't make failing extension load fatal

2018-04-10 Thread Florian Westphal
We will fail later when we can't parse the option, but that failure only happens if the is actually used. So in some cases things will work fine even if an extension doesn't exist. Signed-off-by: Florian Westphal <f...@strlen.de> --- iptables/xtables-eb.c | 17 ++--- 1 file c

[PATCH iptables] ebtables-compat: load mark target

2018-04-10 Thread Florian Westphal
It's already there but it did not work because it wasn't loaded. Signed-off-by: Florian Westphal <f...@strlen.de> --- iptables/xtables-eb.c | 16 ++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c index 33f785

[PATCH nf] netfilter: nf_tables: can't fail after linking rule into active rule list

2018-04-10 Thread Florian Westphal
: 0628b123c96d12 ("netfilter: nfnetlink: add batch support and use it from nf_tables") Signed-off-by: Florian Westphal <f...@strlen.de> --- net/netfilter/nf_tables_api.c | 59 +++ 1 file changed, 32 insertions(+), 27 deletions(-) diff --git

[PATCH nf] netfilter: nf_tables: free set name in error path

2018-04-10 Thread Florian Westphal
set->name must be free'd here in case ops->init fails. Fixes: 387454901bd6 ("netfilter: nf_tables: Allow set names of up to 255 chars") Signed-off-by: Florian Westphal <f...@strlen.de> --- net/netfilter/nf_tables_api.c | 8 +--- 1 file changed, 5 insertions(+), 3 de

[PATCH iptables 3/4] xtables-compat: skip unsupported tables

2018-04-08 Thread Florian Westphal
Signed-off-by: Florian Westphal <f...@strlen.de> --- iptables/nft.c | 45 - iptables/nft.h | 1 + iptables/xtables-save.c | 8 +++- iptables/xtables.c | 3 ++- 4 files changed, 14 insertions(+), 43 deletions(-) diff

[PATCH iptables 2/4] xtables-compat: also validate priorities and hook points match expected values

2018-04-08 Thread Florian Westphal
Signed-off-by: Florian Westphal <f...@strlen.de> --- iptables/nft.c | 35 ++- 1 file changed, 22 insertions(+), 13 deletions(-) diff --git a/iptables/nft.c b/iptables/nft.c index 91381419b9cb..a73c72bda7be 100644 --- a/iptables/nft.c +++ b/iptables

[PATCH iptables 1/4] xtables-compat: fix snprintf truncation warnings

2018-04-08 Thread Florian Westphal
proto is u16 in the data structure, so this gave: nft-ipv6.c:422:44: warning: '__builtin___snprintf_chk' output may be truncated before the last format character [-Wformat-truncation=] Signed-off-by: Florian Westphal <f...@strlen.de> --- iptables/nft-ipv4.c | 2 +- iptables/nft-ipv6.c | 2

[PATCH iptables 4/4] xtables-compat: only validate the xtables builtin tables

2018-04-08 Thread Florian Westphal
This allows xtables-compat to list all builtin tables unless one contains nft specific expressions. Tables that do not exist in xtables world are not printed anymore (but a small hint is shown that such non-printable table(s) exist). Signed-off-by: Florian Westphal <f...@strlen.de> --- ip

Re: [PATCH] xt_connmark: Add bit mapping for bit-shift operation.

2018-04-06 Thread Florian Westphal
F bits of ctmark 0xFFF(F)000F > into the seventh hexadecimal (0) skb->mark 0xABC000(0)E. > > new_targetmark = (ctmark & ctmask) >> 12; > (new) skb->mark = (skb->mark &~nfmask) ^ >new_targetmark; > > This will preserve the other bits that are n

[ANNOUNCE] 14th Netfilter Workshop in Berlin, Germany

2018-04-05 Thread Florian Westphal
Hi! We are glad to announce a new round in the Netfilter Workshop series. This year this event will take place in Berlin, Germany, from 15th June to 18th June, 2018 [1]. The event will be hosted by Individual Network Berlin e.V. close to Berlin Hauptbahnhof. The Netfilter Workshop (NFWS) is the

[PATCH nf] netfilter: ebtables: don't attempt to allocate 0-sized compat array

2018-04-04 Thread Florian Westphal
rules exist no rule will need 64bit translation. Reported-by: Dmitry Vyukov <dvyu...@google.com> Fixes: 7d7d7e02111e9 ("netfilter: compat: reject huge allocation requests") Signed-off-by: Florian Westphal <f...@strlen.de> --- This change fixes ebtables for me; adding a --limit 1

Re: compat ebtables broke in syzkaller

2018-04-04 Thread Florian Westphal
Dmitry Vyukov wrote: > One question: > > > We will need to special-case compat_table_info() in ebtables.c to > > either not allocate the compat array for nentries == 0, or pretend > > it was 1. > > nentries == 0 is returned to us by EBT_SO_GET_INIT_INFO, and I think > there

Re: compat ebtables broke in syzkaller

2018-04-04 Thread Florian Westphal
c9d0658597f528f815d820fd > Author: Florian Westphal <f...@strlen.de> > Date: Tue Feb 27 19:42:35 2018 +0100 > netfilter: compat: reject huge allocation requests > > But I don't know if it's a problem with kernel or with our code (it kernel. > The idea behind checkpoi

[PATCH nft] configure: don't enable xtables when --without-xtables is passed

2018-04-04 Thread Florian Westphal
> Signed-off-by: Florian Westphal <f...@strlen.de> --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 284bcc502346..eb673d52c6f2 100644 --- a/configure.ac +++ b/configure.ac @@ -99,7 +99,7 @@ AM_CONDITIONAL([BUILD_CLI], [tes

[PATCH nft 4/4] evaluate: use recursive call for SET_REF handling

2018-04-03 Thread Florian Westphal
We can now call the helper again, with set->init as new RHS expression. Signed-off-by: Florian Westphal <f...@strlen.de> --- src/evaluate.c | 30 +- 1 file changed, 1 insertion(+), 29 deletions(-) diff --git a/src/evaluate.c b/src/evaluate.c index 964

[PATCH nft 3/4] evaluate: handle EXPR_MAPPING

2018-04-03 Thread Florian Westphal
Needed by followup patch. EXPR_SET_REF handling is bonkers, it "works" when using { key : value } because ->key and ->left are aliased in struct expr to the same location. Signed-off-by: Florian Westphal <f...@strlen.de> --- src/evaluate.c | 4 1 file changed, 4 ins

[PATCH nft 1/4] evaluate: move lhs fixup to a helper

2018-04-03 Thread Florian Westphal
... to reuse this in a followup patch. Signed-off-by: Florian Westphal <f...@strlen.de> --- src/evaluate.c | 47 --- 1 file changed, 28 insertions(+), 19 deletions(-) diff --git a/src/evaluate.c b/src/evaluate.c index 967ad162e46e..189f1ea4fa6d

[PATCH nft 0/4] evaluate: clean up binop transfer

2018-04-03 Thread Florian Westphal
binop transfer is responsible to apply needed shift operations to the right hand side of a relational expression. Split binop_transfer into different helpers to make it easier to add EXPR_CONCAT handling later on. While at it, also get rid of SET_REF and use recursive call instead.

[PATCH nft 2/4] evaluate: split binop xfer to separate function

2018-04-03 Thread Florian Westphal
to reuse this in a followup patch. Signed-off-by: Florian Westphal <f...@strlen.de> --- src/evaluate.c | 47 +++ 1 file changed, 31 insertions(+), 16 deletions(-) diff --git a/src/evaluate.c b/src/evaluate.c index 189f1ea4fa6d..acbb1234972a

Re: [PATCH nft] evaluate: increase set key size if needed

2018-04-03 Thread Florian Westphal
Pablo Neira Ayuso <pa...@netfilter.org> wrote: > On Mon, Apr 02, 2018 at 10:30:12PM +0200, Florian Westphal wrote: > > Pablo Neira Ayuso <pa...@netfilter.org> wrote: > > > On Sun, Apr 01, 2018 at 12:47:47AM +0200, Florian Westphal wrote: > > > > t

[PATCH nf] netfilter: nf_conntrack_sip: allow duplicate SDP expectations

2018-04-03 Thread Florian Westphal
to different expectation class and have SIP tracker ignore soft-error. Reported-by: Callum Sinclair <callum.sincl...@alliedtelesis.co.nz> Tested-by: Callum Sinclair <callum.sincl...@alliedtelesis.co.nz> Signed-off-by: Florian Westphal <f...@strlen.de> --- net/netfilter/nf_connt

Re: [PATCH nft] evaluate: increase set key size if needed

2018-04-02 Thread Florian Westphal
Pablo Neira Ayuso <pa...@netfilter.org> wrote: > On Sun, Apr 01, 2018 at 12:47:47AM +0200, Florian Westphal wrote: > > this makes following failing test case work: > > ip6 dscp vmap { 0x04, .. > > > > problem was that the 6bit dscp value spans a byte bounda

[PATCH nft] evaluate: increase set key size if needed

2018-03-31 Thread Florian Westphal
based on the previous payload size, we get a set with a keysize of 1 that is then populated with keys of size 2 (which causes a kernel error). So, fixup the set size so kernel is told to expect 2-byte keys in this case. Signed-off-by: Florian Westphal <f...@strlen.de> --- diff --git

Re: [RFC xt-compat] ebtables: full nft translations

2018-03-31 Thread Florian Westphal
Pablo Neira Ayuso <pa...@netfilter.org> wrote: > Cc'ing Arturo, he added the ebtables-compat layer so he probably > remember more details on this. > > On Sat, Mar 31, 2018 at 07:17:41PM +0200, Florian Westphal wrote: > > This (hacky) patch translates 'ebtables --mark

Re: [PATCH nft 3/6] tests: redirect: fix tests for upcoming nft-test.py fix

2018-03-31 Thread Florian Westphal
Pablo Neira Ayuso wrote: > > diff --git a/tests/py/ip/masquerade.t b/tests/py/ip/masquerade.t > > index 26c3704316ae..41f0e98aa6fb 100644 > > --- a/tests/py/ip/masquerade.t > > +++ b/tests/py/ip/masquerade.t > > @@ -27,4 +27,4 @@ ip saddr 10.1.1.1 masquerade drop;fail > > #

[RFC xt-compat] ebtables: full nft translations

2018-03-31 Thread Florian Westphal
This (hacky) patch translates 'ebtables --mark' to a native 'meta mark' and dissects meta mark back to the ebt_mark_m binary representation when parsing back nftables rules. Plan is to do this for all the ebt matches/watchers/targets so that 1. 'nft list ruleset' shows correct/expected output 2.

[PATCH nft 6/6] nft-test: check start of rule with sets too

2018-03-31 Thread Florian Westphal
a gazillion of warnings, will fix in followup commit. Signed-off-by: Florian Westphal <f...@strlen.de> --- tests/py/nft-test.py | 4 1 file changed, 4 insertions(+) diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py index 87e3d51ec2dd..7998914aa418 100755 --- a/tests/py/nft-test.py +++ b

[PATCH nft 5/6] tests: ct, meta: fixes for upcoming nft-test.py fix

2018-03-31 Thread Florian Westphal
nft-test.py currently fails to properly compare tests involving a set, after that bug is fixed these lines would fail, so fix this up before. Signed-off-by: Florian Westphal <f...@strlen.de> --- tests/py/any/ct.t | 4 ++-- tests/py/any/meta.

[PATCH nft 4/6] tests: mh: fix expected test output

2018-03-31 Thread Florian Westphal
Forgot to include '!=', this doesn't trigger at the moment due to a bug in nft-test.py, so fix this before fixing our test script. Signed-off-by: Florian Westphal <f...@strlen.de> --- tests/py/ip6/mh.t | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/py/ip6/mh.t b

[PATCH nft 2/6] netlink_delinearize: kill dependency before eval of 'redirect' stmt

2018-03-31 Thread Florian Westphal
it. Signed-off-by: Florian Westphal <f...@strlen.de> --- src/netlink_delinearize.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index 754a307e99f5..2126cf20c995 100644 --- a/src/netlink_delinearize.c +++

[PATCH nft 3/6] tests: redirect: fix tests for upcoming nft-test.py fix

2018-03-31 Thread Florian Westphal
nft-test.py currently fails to properly compare tests involving a set, after that bug is fixed these lines would fail, so fix this up before. Signed-off-by: Florian Westphal <f...@strlen.de> --- tests/py/ip/masquerade.t| 2 +- tests/py/ip/redirect.t | 4 ++-- tests

[PATCH nft 0/6] fix dependency eval and nft-test.py

2018-03-31 Thread Florian Westphal
nft-test.py has a bug where it won't check beginning of rule when a set is used, i.e. foo { set } bar;ok; baz { set } bar passes, because we only check after {. Fixing that revealed two issues, fixed in first two patches. Rest fixes up test suite to avoid false positives (the expected test

[PATCH nft 1/6] statement: print space before "{" in set add

2018-03-31 Thread Florian Westphal
old: add @set5{ ip6 saddr . ip6 daddr} new: add @set5 { ip6 saddr . ip6 daddr} Signed-off-by: Florian Westphal <f...@strlen.de> --- src/statement.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/statement.c b/src/statement.c index b8e0b036b9eb..f81e0123adda

Re: [PATCH nf-next v2] netfilter: nf_osf implementation: nf_osf_ttl() and nf_osf_match()

2018-03-31 Thread Florian Westphal
Fernando Fernandez Mancera wrote: > +struct xt_osf_opt { > +__u16 kind, length; > +struct xt_osf_wcwc; > +}; Please leave xt_foo things in the xt_osf header. > +bool nf_osf_match(const struct sk_buff *skb, u_int8_t family, > +

Re: [PATCH nft] proto: permit icmp-in-ipv6 and icmpv6-in-ipv4

2018-03-28 Thread Florian Westphal
Phil Sutter wrote: > > is hard to read. So, lets just add icmp/icmpv6 to > > ip/ip6 protocol base so users can just go with > > > > icmp type destination-unreachable > > Does this then lead to generating protocol dependency in e.g. inet > table? Whats the expected behaviour

[PATCH nft] proto: permit icmp-in-ipv6 and icmpv6-in-ipv4

2018-03-28 Thread Florian Westphal
to not remove the dependency can be reverted again. Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org> Signed-off-by: Florian Westphal <f...@strlen.de> --- diff --git a/src/proto.c b/src/proto.c index a54090a..8cf29d2 100644 --- a/src/proto.c +++ b/src/proto.c @@ -591,6 +591,7 @@ const struc

[PATCH nft] payload: don't remove icmp family dependency in special cases

2018-03-27 Thread Florian Westphal
that won't restore because of ip vs ipv6 conflict. After this patch, this lists as meta l4proto icmp icmp type destination-unreachable instead. We still remove the dependency in "ip" family. Same applies to icmpv6-in-ip. Reported-by: Phil Sutter <p...@nwl.cc> Signed-o

Re: [PATCH nf-next] nf_osf implementation: nf_osf_ttl() and nf_osf_match()

2018-03-27 Thread Florian Westphal
Fernando Fernandez Mancera wrote: > Added nf_osf_ttl() and nf_osf_match() into nf_osf.c in order to start > the nftables OSF implementation. > diff --git a/include/uapi/linux/netfilter/nf_osf.h > b/include/uapi/linux/netfilter/nf_osf.h > new file mode 100644 > index

[PATCH nft] src: avoid erroneous assert with map+concat

2018-03-27 Thread Florian Westphal
-by: Phil Sutter <p...@nwl.cc> Signed-off-by: Florian Westphal <f...@strlen.de> --- src/netlink_linearize.c | 4 1 file changed, 4 insertions(+) diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c index 1c06fc0..716e962 100644 --- a/src/netlink_linearize.c +++ b/src/netli

Re: [PATCH] doc: nft.8 more spelling fixes

2018-03-27 Thread Florian Westphal
Duncan Roe wrote: > I ran the following command: > > ispell -p ./ispell_nft -H nft.xml > > to create the local dictionary ispell_nft. > ispell_nft contains almost every special word in nft.xml. > The idea is that anyone can run ispell the same way and only have to

Re: [PATCH nf] netfilter: nf_socket: Fix out of bounds access in nf_sk_lookup_slow_v{4,6}

2018-03-23 Thread Florian Westphal
Subash Abhinov Kasiviswanathan wrote: > skb_header_pointer will copy data into a buffer if data is non linear, > otherwise it will return a pointer in the linear section of the data. > nf_sk_lookup_slow_v{4,6} always copies data of size udphdr but later > accesses memory

Re: [PATCH nf] netfilter: drop template ct when conntrack is skipped.

2018-03-22 Thread Florian Westphal
s for template ct on every target/match > manipulating skb->_nfct, simply drop the template ct when skipping > nf_conntrack_in(). Fixes: 7b4fdf77a450ec ("netfilter: don't track fragmented packets") Acked-by: Florian Westphal <f...@strlen.de>

Re: [nf-next PATCH] net: nftables: Respect hash set backend features

2018-03-21 Thread Florian Westphal
Phil Sutter wrote: > > This is clashing with existing fixes in nf.git. > TBH, I never know which kernel to test against. Candidates usually are > nf-next, nf, net-next and sometimes even net. Probably business as > usual, or do you have a suggestion as to what I should "default" to?

Re: [nft PATCH] tests/shell: Test flush and nat chain recreate in one go

2018-03-21 Thread Florian Westphal
Phil Sutter wrote: > This tests what kernel commit ae6153b50f9bf ("netfilter: nf_tables: > permit second nat hook if colliding hook is going away") fixed for. Applied, thank you.

[PATCH nf] netfilter: nf_tables: add missing netlink attrs to policies

2018-03-20 Thread Florian Westphal
Fixes: 8aeff920dcc9 ("netfilter: nf_tables: add stateful object reference to set elements") Fixes: f25ad2e907f1 ("netfilter: nf_tables: prepare for expressions associated to set elements") Fixes: 1a94e38d254b ("netfilter: nf_tables: add NFTA_RULE_ID attribute") Sign

Re: [PATCH 2/2 nf-next] netfilter: SYNPROXY: don't proxy invalid PSH,ACK packets

2018-03-20 Thread Florian Westphal
Pablo Neira Ayuso <pa...@netfilter.org> wrote: > On Tue, Mar 20, 2018 at 12:43:33PM +0100, Florian Westphal wrote: > > I don't understand why push,ack is invalid in first place. > > If we do not have a valid connection at this point then a pure > > ack wo

Re: [PATCH 2/2 nf-next] netfilter: SYNPROXY: don't proxy invalid PSH,ACK packets

2018-03-20 Thread Florian Westphal
Pablo Neira Ayuso wrote: > The example rule in the iptables-extensions(8) manpage suggests: > > iptables -A INPUT -i eth0 -p tcp --dport 80 > -m state --state UNTRACKED,INVALID -j SYNPROXY > --sack-perm --timestamp --mss 1460

Re: [RFC PATCH] netfilter: nf_tables: nf_tables_allow_nat_conflict() can be static

2018-03-19 Thread Florian Westphal
kbuild test robot wrote: > -bool nf_tables_allow_nat_conflict(const struct net *net, > - const struct nf_hook_ops *ops) > +static bool nf_tables_allow_nat_conflict(const struct net *net, > + const struct

Re: [PATCH] doc: nft.8 aim for consistent synopses throughout (again)

2018-03-19 Thread Florian Westphal
Duncan Roe wrote: > Fix a few more items as per commit f9cb9580b924f6320005f429f7d59e52a38aff82 > > Also insert a missing space I noticed along the way Applied, thanks.

[PATCH libmnl] attr: zero attribute padding

2018-03-18 Thread Florian Westphal
and the beginning of the new attribute. Zero it to silence memory sanitizer output. Signed-off-by: Florian Westphal <f...@strlen.de> --- src/attr.c | 5 + 1 file changed, 5 insertions(+) diff --git a/src/attr.c b/src/attr.c index 4f131874c11e..0359ba959d7a 100644 --- a/src/attr.c +++

[PATCH nf] netfilter: nf_tables: permit second nat hook if colliding hook is going away

2018-03-18 Thread Florian Westphal
the exception once. Fixes: f92b40a8b2645 ("netfilter: core: only allow one nat hook per hook point") Signed-off-by: Florian Westphal <f...@strlen.de> --- net/netfilter/nf_tables_api.c | 64 ++- 1 file changed, 63 insertions(+), 1 deletion(-)

[PATCH nft] doc: describe table dormant flag

2018-03-17 Thread Florian Westphal
also mention how to quit interactive mode and provide small table add example. Signed-off-by: Florian Westphal <f...@strlen.de> --- doc/nft.xml | 63 - 1 file changed, 62 insertions(+), 1 deletion(-) diff --git a/doc/nft.xml

Re: [PATCH] support bit shifting operations

2018-03-16 Thread Florian Westphal
Jack Ma wrote: > Are these patches likely to be reviewed recently? > > Also, any recommended maintainer for delivery :P? Sorry, I forgot about your mail. In the future, please re-ping after I did not reply for 3 days or so. There is no record of your patches at

[PATCH nft 2/2] tests: add srh test cases

2018-03-16 Thread Florian Westphal
Signed-off-by: Florian Westphal <f...@strlen.de> --- tests/py/ip6/srh.t | 22 tests/py/ip6/srh.t.payload | 64 ++ 2 files changed, 86 insertions(+) create mode 100644 tests/py/ip6/srh.t create mode 100644 tests/

[PATCH nft 1/2] src: fix routing header support

2018-03-16 Thread Florian Westphal
> Fixes: 1400288f6d39d ("src: handle rt0 and rt2 properly") Reported-by: Phil Sutter <p...@nwl.cc> Signed-off-by: Florian Westphal <f...@strlen.de> --- NB: Kernel change that introduced RT0, 2 , 4 can be reverted now. doc/nft.xml | 13 + i

[PATCH nf] netfilter: nf_tables: meter: pick a set backend that supports updates

2018-03-14 Thread Florian Westphal
else is found we at least have a non-ideal match rather than no match at all. Fixes: 6c03ae210ce3 ("netfilter: nft_set_hash: add non-resizable hashtable implementation") Signed-off-by: Florian Westphal <f...@strlen.de> --- net/netfilter/nf_tables_api.c | 5 - net/netfilter/nft_set

Re: [PATCH 00/30] Netfilter/IPVS updates for net-next

2018-03-13 Thread Florian Westphal
David Miller wrote: [ flow tables ] > Ok, that seems to constrain the exposure. > > We should talk at some point about how exposed conntrack itself is. Sure, we can do that. If you have specific scenarios (synflood, peer that opens 100k (legitimate) connections,

Re: [PATCH 00/30] Netfilter/IPVS updates for net-next

2018-03-13 Thread Florian Westphal
David Miller wrote: > From: Felix Fietkau > Date: Mon, 12 Mar 2018 20:30:01 +0100 > > > It's not dead and useless. In its current state, it has a software fast > > path that significantly improves nftables routing/NAT throughput, > > especially on embedded

Re: Port triggering

2018-03-12 Thread Florian Westphal
Stéphane Veyret <svey...@gmail.com> wrote: > 2018-03-12 12:25 GMT+01:00 Florian Westphal <f...@strlen.de>: > > (Or I still fail to understand what you want to do, it does > > sound exactly like expectations, e.g. for ftp data channel in > > response to PA

Re: [PATCH nft] src: install table skeleton files to sysconfdir/nftables

2018-03-12 Thread Florian Westphal
Arturo Borrero Gonzalez <art...@netfilter.org> wrote: > On 12 March 2018 at 12:36, Florian Westphal <f...@strlen.de> wrote: > > + > > +install-data-hook: > > + ${SED} -i 's|@sbindir[@]|${sbindir}/|g' ${DESTDIR}${pkgsysconfdir}/* > > -- > > The

[PATCH nft] netlink: use nftnl_flowtable_get/set

2018-03-12 Thread Florian Westphal
the '_array' variant is just a wrapper for get/set api; this allows the array variant to be removed from libnftnl. Signed-off-by: Florian Westphal <f...@strlen.de> --- src/netlink.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/netlink.c b/src/netlink.c

[PATCH nft] src: install table skeleton files to sysconfdir/nftables

2018-03-12 Thread Florian Westphal
rt...@netfilter.org> Signed-off-by: Florian Westphal <f...@strlen.de> --- Makefile.am| 1 + configure.ac | 2 ++ files/Makefile.am | 1 + files/examples/Makefile.am | 18 ++ 4 files changed, 22 insertions(+) create mode 100644 files/Mak

Re: Port triggering

2018-03-12 Thread Florian Westphal
Stéphane Veyret wrote: > A few words on the specs I imagined for the port triggering: > > table ip trigger { > chain postrouting { > type filter hook postrouting priority 0; > ip dport 554 trigger open rtsp timeout 300 # Open the > trigger named rtsp

Re: [PATCH v2] net: netfilter: Replace printk() with appropriate pr_*() macro

2018-03-11 Thread Florian Westphal
Arushi Singhal wrote: > On Mon, Mar 12, 2018 at 2:17 AM, Pablo Neira Ayuso > wrote: > > > Hi Joe, > > > > On Sun, Mar 11, 2018 at 12:52:41PM -0700, Joe Perches wrote: > > > On Mon, 2018-03-12 at 01:11 +0530, Arushi Singhal wrote: > > > >

Re: connlimit module doesn't work as expected

2018-03-11 Thread Florian Westphal
Toralf Förster <toralf.foers...@gmx.de> wrote: > On 03/10/2018 10:16 PM, Florian Westphal wrote: > > Toralf Förster <toralf.foers...@gmx.de> wrote: > >> At my server (stable hardened Gentoo with vanilla 4.15.7) I do have this > >> rule: > >> > &g

[PATCH 1/1] doc: add set information and example for run-time blackhole

2018-03-11 Thread Florian Westphal
Signed-off-by: Florian Westphal <f...@strlen.de> --- doc/nft.xml | 81 +++-- 1 file changed, 79 insertions(+), 2 deletions(-) diff --git a/doc/nft.xml b/doc/nft.xml index f7cf077..d3765fa 100644 --- a/doc/nft.xml +++ b/doc/nft.xml @@

Re: [PATCH Netfilter] net: netfilter: Replace printk() with more standardize output format.

2018-03-11 Thread Florian Westphal
Arushi Singhal wrote: > I'll resend the patch according to your suggestions. > > Just for curiosity wanted to ask why not netdev_*(). netfilter is not a network driver. > > > register_net_sysctl(net, "net/netfilter", table); > > > if

Re: connlimit module doesn't work as expected

2018-03-10 Thread Florian Westphal
Toralf Förster wrote: > At my server (stable hardened Gentoo with vanilla 4.15.7) I do have this rule: > > /sbin/iptables -A OUTPUT -p tcp --destination-port 443 --syn --match > connlimit --connlimit-above 3000 --connlimit-mask 0 --connlimit-daddr --match > limit

[PATCH nf] netfilter: x_tables: add and use xt_check_proc_name

2018-03-09 Thread Florian Westphal
c.duma...@gmail.com> Reported-by: <syzbot+0502b00edac2a0680...@syzkaller.appspotmail.com> Signed-off-by: Florian Westphal <f...@strlen.de> --- include/linux/netfilter/x_tables.h | 2 ++ net/netfilter/x_tables.c | 30 ++ net/netfilter/xt_

Re: WARNING in __proc_create

2018-03-09 Thread Florian Westphal
Cong Wang wrote: > On Fri, Mar 9, 2018 at 2:58 PM, Eric Dumazet wrote: > > > > > > On 03/09/2018 02:56 PM, Eric Dumazet wrote: > > > >> > >> I sent a patch a while back, but Pablo/Florian wanted more than that > >> simple fix. > >> > >> We also

Re: WARNING in __proc_create

2018-03-09 Thread Florian Westphal
Eric Dumazet wrote: > >>fs/proc/generic.c:354 > > > >We need to reject empty names. > > > > I sent a patch a while back, but Pablo/Florian wanted more than that simple > fix. > > We also need to filter special characters like '/' > > Or maybe I am mixing with something

[PATCH nf v5] netfilter: bridge: ebt_among: add more missing match size checks

2018-03-09 Thread Florian Westphal
f ("bridge: ebt_among: add missing match size checks") Reported-by: <syzbot+bdabab6f1983a03fc...@syzkaller.appspotmail.com> Signed-off-by: Florian Westphal <f...@strlen.de> --- v5: this is really v3 again, but with explicit (int)sizeof() cast rather than use of temporary 'int mi

Re: Port triggering

2018-03-09 Thread Florian Westphal
Stéphane Veyret wrote: > Hi, > > I saw that patches have been written some years ago for port > triggering in Netfilter, but no such feature is currently available in > the kernel. Is there any reason for that? If I write and submit such a > patch as Xtables-addons module,

Re: [PATCH nf-next] netfilter: nft_ct: add NFT_CT_{SRC,DST}_{IP,IP6}

2018-03-09 Thread Florian Westphal
Pablo Neira Ayuso <pa...@netfilter.org> wrote: > All existing keys, except the NFT_CT_SRC and NFT_CT_DST are assumed to > have strict datatypes. This is causing problems with sets and > concatenations given the specific length of these keys is not known. Acked-by: Florian Westphal

[PATCH nf v4] netfilter: bridge: ebt_among: add more missing match size checks

2018-03-09 Thread Florian Westphal
f ("bridge: ebt_among: add missing match size checks") Reported-by: <syzbot+bdabab6f1983a03fc...@syzkaller.appspotmail.com> Signed-off-by: Florian Westphal <f...@strlen.de> --- v4: rewrite wormhash_offset_invalid to make it clearer that 'off' is <= INT_MAX, objdump doesn

Re: [PATCH nf v3] netfilter: bridge: ebt_among: add more missing match size checks

2018-03-08 Thread Florian Westphal
Eric Dumazet <eric.duma...@gmail.com> wrote: > > > On 03/08/2018 04:24 PM, Florian Westphal wrote: > >Eric Dumazet <eric.duma...@gmail.com> wrote: > >>>Fixes: c4585a2823edf ("bridge: ebt_among: add missing match size checks&q

Re: [PATCH nf v3] netfilter: bridge: ebt_among: add more missing match size checks

2018-03-08 Thread Florian Westphal
Eric Dumazet <eric.duma...@gmail.com> wrote: > >Fixes: c4585a2823edf ("bridge: ebt_among: add missing match size checks") > >Reported-by: <syzbot+bdabab6f1983a03fc...@syzkaller.appspotmail.com> > >Signed-off-by: Florian Westphal <f...@strlen.de> >

[PATCH nf v3] netfilter: bridge: ebt_among: add more missing match size checks

2018-03-08 Thread Florian Westphal
f ("bridge: ebt_among: add missing match size checks") Reported-by: <syzbot+bdabab6f1983a03fc...@syzkaller.appspotmail.com> Signed-off-by: Florian Westphal <f...@strlen.de> --- net/bridge/netfilter/ebt_among.c | 35 +++ 1 file changed, 35 insert

[PATCH nf v2] netfilter: bridge: ebt_among: add more missing match size checks

2018-03-08 Thread Florian Westphal
ebt_among: add missing match size checks") Reported-by: <syzbot+bdabab6f1983a03fc...@syzkaller.appspotmail.com> Cc: Paolo Abeni <pab...@redhat.com> Signed-off-by: Florian Westphal <f...@strlen.de> --- net/bridge/netfilter/ebt_among.c | 40 +

[PATCH nf] netfilter: ebtables: fix erroneous reject of last rule

2018-03-08 Thread Florian Westphal
The last rule in the blob has next_entry offset that is same as total size. This made "ebtables32 -A OUTPUT -d de:ad:be:ef:01:02" fail on 64 bit kernel. Fixes: b71812168571fa ("netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets") Signed-off-by: Florian West

Re: [PATCH nf] netfilter: bridge: ebt_among: add more missing match size checks

2018-03-08 Thread Florian Westphal
Florian Westphal <f...@strlen.de> wrote: > ebt_among is special, it has a dynamic match size and is exempt > from the central size checks. > > commit c4585a2823edf ("bridge: ebt_among: add missing match size checks") > added validation for pool size,

[PATCH nf] netfilter: bridge: ebt_among: add more missing match size checks

2018-03-07 Thread Florian Westphal
same rules from the earlier patch. Fixes: c4585a2823edf ("bridge: ebt_among: add missing match size checks") Reported-by: <syzbot+bdabab6f1983a03fc...@syzkaller.appspotmail.com> Signed-off-by: Florian Westphal <f...@strlen.de> --- Paolo, if you have time it would be

Re: [RFC nft] tests: shell: autogenerate dump verification

2018-03-06 Thread Florian Westphal
Arturo Borrero Gonzalez wrote: > On 5 March 2018 at 23:57, Laura Garcia Liebana wrote: > > > 141 files changed, 837 insertions(+), 526 deletions(-) > > Better place a new script as a testcase, and all the required dump > files somewhere for it to read

[PATCH nf-next] netfilter: x_tables: fix build with CONFIG_COMPAT=n

2018-03-05 Thread Florian Westphal
I placed the helpers within CONFIG_COMPAT section, move them outside. Fixes: 472ebdcd15ebdb ("netfilter: x_tables: check error target size too") Fixes: 07a9da51b4b6ae ("netfilter: x_tables: check standard verdicts in core") Signed-off-by: Florian Westphal <f...@strlen

Re: [PATCH net] netfilter: check for out-of-bounds while copying compat entries

2018-03-05 Thread Florian Westphal
Paolo Abeni wrote: > Currently, when copying ebt compat entries, no checks are in place > for the offsets provided by user space, so that syzbot was able to > trigger the following splat: > --- > net/bridge/netfilter/ebtables.c | 2 +- > 1 file changed, 1 insertion(+), 1

Re: [PATCH nf-next v2 2/2] nf_conncount: Support count only use case

2018-03-05 Thread Florian Westphal
ber of connections where 'tuple' is not provided. Therefore, > proper changes are made on nf_conncount_count() to support the case where > 'tuple' is NULL. This could be useful for querying statistics or > debugging purpose. Acked-by: Florian Westphal <f...@strlen.de> -- To

Re: [PATCH nf-next v2 1/2] netfilter: Refactor nf_conncount

2018-03-05 Thread Florian Westphal
Yi-Hung Wei <yihung@gmail.com> wrote: > Remove parameter 'family' in nf_conncount_count() and count_tree(). > It is because the parameter is not useful after commit 625c556118f3 > ("netfilter: connlimit: split xt_connlimit into front and backend"). Acked-by: Florian

Re: [PATCH nf-next 0/2] ebtables: add support for ICMP and IGMP type/code matching

2018-03-04 Thread Florian Westphal
Matthias Schiffer wrote: > I recently found myself in a situation that required me to filter IGMP > packets of certain types on a bridge. Switching to nftables is > unfortunately not an option at the moment because of hardware constraints, > in particular regarding

[ANNOUNCE] nftables 0.8.3 release

2018-03-03 Thread Florian Westphal
examples: add ct helper examples files: add load balance example meta: introduce datatype ifname_type Baruch Siach (1): src: fix build with older glibc David Fabian (1): Added undefine/redefine keywords Duncan Roe (1): doc/nft.xml: fix typo Florian Westphal (16):

Re: [PATCH nf-next 2/2] nf_conncount: Support count only use case

2018-03-03 Thread Florian Westphal
Yi-Hung Wei <yihung@gmail.com> wrote: > On Thu, Mar 1, 2018 at 12:09 AM, Florian Westphal <f...@strlen.de> wrote: > > Yi-Hung Wei <yihung@gmail.com> wrote: > >> Currently, nf_conncount_count() counts the number of connections that > >> matches k

[PATCH nft] src: datatype: prefer sscanf, avoid strncpy

2018-03-03 Thread Florian Westphal
similar to previous patch, but instead of snprintf+temporary use sscanf. Signed-off-by: Florian Westphal <f...@strlen.de> --- Harsha sent a patch to replace strncpy by snprintf but in this case we can avoid the temporary buffer completely. src/datatype.c | 21 ++--- 1 file c

Re: [PATCH v2 nft] libnftables: Print error and exit for empty string

2018-03-03 Thread Florian Westphal
Harsha Sharma wrote: > For e.g. > > nft -c " " > nft: no command specified > > Without this patch it segfaults. Applied, thanks for following up. I made one small change: > + if (list_empty(>cmds)) { > + fprintf(stderr, "nft: no command

Re: [PATCH nft] configure: misc updates

2018-03-03 Thread Florian Westphal
Pablo Neira Ayuso wrote: > This patch removes the following macros: [..] Applied, thanks for cleaning this up. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at

Re: [PATCH nf-next 2/2] nf_conncount: Support count only use case

2018-03-01 Thread Florian Westphal
Yi-Hung Wei wrote: > Currently, nf_conncount_count() counts the number of connections that > matches key and inserts a conntrack 'tuple' associated with the key into > the accounting data structure. This patch supports another use case that > only counts the number of

Re: [PATCH nf-next 1/2] netfilter: nf_conncount: Refactor nf_conncount

2018-03-01 Thread Florian Westphal
Yi-Hung Wei wrote: > This patch contains two parts. > > 1. Remove parameter 'family' in nf_conncount_count() and count_tree(). > Before commit 625c556118f3 ("netfilter: connlimit: split xt_connlimit > into front and backend"), 'family' was used to determine the type > of
