On Wed, Sep 13, 2023 at 03:51:35PM +0200, Phil Sutter wrote:
> Patch 1 fixes/improves Pablo's fix for the bug I built into nf_tables'
> audit support code.
>
> Patch 2 adds a selftest for the audit notifications in nf_tables. I
> consider it mature enough to submit it as non-RFC now.
>
> Larger
On Wed, Oct 23, 2019 at 01:20:24PM +0200, Pablo Neira Ayuso wrote:
> On Fri, Oct 18, 2019 at 05:51:14PM +0200, Phil Sutter wrote:
> > Variable 'table' is an array of type struct table_struct, so this is a
> > classical use-case for ARRAY_SIZE() macro.
> >
On Fri, Oct 18, 2019 at 05:51:14PM +0200, Phil Sutter wrote:
> Variable 'table' is an array of type struct table_struct, so this is a
> classical use-case for ARRAY_SIZE() macro.
>
> Signed-off-by: Phil Sutter
Acked-by: Pablo Neira Ayuso
On Mon, Oct 14, 2019 at 01:02:23PM +1100, Duncan Roe wrote:
> The documentation was written in the days before doxygen required groups or
> even doxygen.cfg, so create doxygen.cfg.in and introduce one \defgroup per
> source file, encompassing pretty-much the whole file.
>
> Also add a tiny \mai
On Wed, Oct 23, 2019 at 11:49:57AM +0800, wenxu wrote:
>
> On 10/22/2019 11:47 PM, Pablo Neira Ayuso wrote:
> > Hi,
> >
> > This is a RFC patchset, untested, to introduce new infrastructure to
> > specify protocol decapsulation and encapsulation actions. This p
6tables-restore as well. Also add the required checking code to the
> latter since the original commit missed it.
>
> Fixes: 3dc433b55bbfa ("xtables-restore: Fix --table parameter check")
> Signed-off-by: Phil Sutter
Acked-by: Pablo Neira Ayuso
On Tue, Oct 22, 2019 at 05:57:25PM +0200, Christian Göttsche wrote:
> Hi,
> I am trying to finally get secmark with nftables to work.
> The kernel[1][2] and libnftnl[3] parts are done.
> For the nft front-end I think some things need a further change than
> already introduced[4].
>
> 1.
> I found
This patch adds support for the decapsulation infrastructure, including
VLAN support for this.
Signed-off-by: Pablo Neira Ayuso
---
include/uapi/linux/netfilter/nf_tables.h | 16 +
net/netfilter/Kconfig | 6 ++
net/netfilter/Makefile | 1 +
net
ation type, instead this
is specified through the encap statement, that would require a bit more
work on the object infrastructure which is probably a good idea.
This is work-in-progress, syntax is tentative, comments welcome.
Thanks.
Pablo Neira Ayuso (2):
netfilter: nf_tables: add decap
This patch adds encapsulation support through the encapsulation object,
that specifies the encapsulation policy.
Signed-off-by: Pablo Neira Ayuso
---
include/uapi/linux/netfilter/nf_tables.h | 40 +-
net/netfilter/nft_encap.c | 224 ++-
2 files
On Mon, Oct 21, 2019 at 10:49:20PM +0100, Jeremy Sowden wrote:
> From https://bugzilla.netfilter.org/show_bug.cgi?id=1374:
>
> Listing an entire ruleset or a table with 'nft list ...' will also
> print all elements of all set definitions within the ruleset or
> requested table. Seeing the fu
> command lines anyway.
>
> Signed-off-by: Phil Sutter
Acked-by: Pablo Neira Ayuso
On Mon, Oct 21, 2019 at 05:11:48PM +0100, Jeremy Sowden wrote:
> Currently, --stateless only suppresses the output of the contents of
> dynamic sets. Extend it to support an optional parameter, `all`. If it
> is given, `nft list` will also omit the elements of sets which are not
> marked `dynamic
On Mon, Oct 21, 2019 at 05:47:13PM +0200, Phil Sutter wrote:
> Hi Pablo,
>
> On Mon, Oct 21, 2019 at 05:38:35PM +0200, Pablo Neira Ayuso wrote:
> > # nft add chain x y { type filter hook input priority -30\; }
> > nft: invalid option -- '3'
> >
> > F
On Mon, Oct 21, 2019 at 04:40:55PM +0200, Phil Sutter wrote:
> The function was changed to return an expression or NULL but error
> checking wasn't adjusted while doing so.
>
> Fixes: dba4a9b4b5fe2 ("src: allow variable in chain policy")
> Signed-off-by: Phil Sutter
Acked-by: Pablo Neira Ayuso
2644cf7 ("src: Add tproxy support")
> Signed-off-by: Phil Sutter
Acked-by: Pablo Neira Ayuso
# nft add chain x y { type filter hook input priority -30\; }
nft: invalid option -- '3'
Fix this by restricting getopt_long() to the first curly brace.
Signed-off-by: Pablo Neira Ayuso
---
src/main.c | 23 +--
1 file changed, 21 insertions(+), 2 deletions(-)
This patch allows you to register one netdev basechain to multiple
devices. This adds a new NFTA_HOOK_DEVS netlink attribute to specify
the list of netdevices. Basechains store a list of hooks.
Signed-off-by: Pablo Neira Ayuso
---
v2: update nft_flow_offload_chain() and nft_flow_block_chain() to
Unbind callbacks on chain deletion.
Fixes: 8fc618c52d16 ("netfilter: nf_tables_offload: refactor the
nft_flow_offload_chain function")
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_offload.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net
On Fri, Oct 18, 2019 at 11:50:54AM +0200, Phil Sutter wrote:
> Hi Pablo,
>
> On Fri, Oct 18, 2019 at 10:11:24AM +0200, Pablo Neira Ayuso wrote:
> > On Fri, Oct 18, 2019 at 12:48:31AM +0200, Phil Sutter wrote:
> > > The same piece of code appears three times, intr
, no support for multidevice is included in this
patch.
Signed-off-by: Pablo Neira Ayuso
---
include/rule.h | 4 +++-
src/json.c | 17 +
src/mnl.c | 29 -
src/netlink.c | 20 +---
src/parser_bison.y | 26
Add support for NFTA_HOOK_DEVS.
Signed-off-by: Pablo Neira Ayuso
---
include/libnftnl/chain.h | 1 +
include/linux/netfilter/nf_tables.h | 2 +
src/chain.c | 107 +++-
3 files changed, 109 insertions(+), 1 deletion(-)
diff
Remove artificial upper limit of 8 devices per flowtable.
Signed-off-by: Pablo Neira Ayuso
---
src/flowtable.c | 29 +++--
1 file changed, 15 insertions(+), 14 deletions(-)
diff --git a/src/flowtable.c b/src/flowtable.c
index 1f7ba3052d4f..54e1bea25775 100644
--- a/src
On Thu, Oct 17, 2019 at 07:06:28PM +0200, Phil Sutter wrote:
> On Thu, Oct 17, 2019 at 12:08:16PM +0200, Pablo Neira Ayuso wrote:
> > On Thu, Oct 17, 2019 at 11:03:32AM +0200, Pablo Neira Ayuso wrote:
> > > On Tue, Oct 15, 2019 at 01:41:44PM +0200, Phil Sutter wrote:
> > >
On Fri, Oct 18, 2019 at 12:48:36AM +0200, Phil Sutter wrote:
> Since commit 0baa08fed43fa ("xtables: unify user chain add/flush for
> restore case") it is not used anymore, so just drop it.
>
> Signed-off-by: Phil Sutter
Acked-by: Pablo Neira Ayuso
Acked-by: Pablo Neira Ayuso
On Fri, Oct 18, 2019 at 12:48:34AM +0200, Phil Sutter wrote:
> This was overlooked when merging argv-related code: newargc is
> initialized at declaration and reset in free_argv() again.
>
> Fixes: a2ed880a19d08 ("xshared: Consolidate argv construction routines")
> Signed-off-by: Phil Sutter
> --
On Fri, Oct 18, 2019 at 12:48:33AM +0200, Phil Sutter wrote:
> Just like with xtables-restore, these callbacks don't change at
> run-time.
>
> Signed-off-by: Phil Sutter
Acked-by: Pablo Neira Ayuso
On Fri, Oct 18, 2019 at 12:48:32AM +0200, Phil Sutter wrote:
> There is no need for dynamic callback mangling, so make all instances
> static const.
>
> Signed-off-by: Phil Sutter
Acked-by: Pablo Neira Ayuso
nd).
>
> While being at it, drop pointless casting when passing pcnt/bcnt to
> add_argv().
>
> Signed-off-by: Phil Sutter
Acked-by: Pablo Neira Ayuso
If you get to consolidate more common code between xml and native
parsers, probably you can add a xtables-restore.c file to store
instance xtables-nft-multi. Either way, there is no practical
> significance since newargv[0] is used exclusively in debug output.
>
> Signed-off-by: Phil Sutter
Acked-by: Pablo Neira Ayuso
On Fri, Oct 18, 2019 at 12:48:29AM +0200, Phil Sutter wrote:
> This structure contains restore parser configuration, parser is not
> supposed to alter it.
>
> Suggested-by: Pablo Neira Ayuso
> Signed-off-by: Phil Sutter
Acked-by: Pablo Neira Ayuso
cache level flags").
Signed-off-by: Pablo Neira Ayuso
---
include/netlink.h | 1 -
src/monitor.c | 13 -
src/rule.c | 19 ---
3 files changed, 12 insertions(+), 21 deletions(-)
diff --git a/include/netlink.h b/include/netlink.h
index 279723f33d31..e6
ds
> either newline or semicolon chars depending on output mode.
>
> Fixes: 43ae7a48ae3de ("rule: do not print semicolon in ct timeout")
> Signed-off-by: Phil Sutter
Acked-by: Pablo Neira Ayuso
> ---
> src/rule.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion
On Thu, Oct 17, 2019 at 01:29:10PM +0200, Phil Sutter wrote:
> On Thu, Oct 17, 2019 at 01:14:37PM +0200, Pablo Neira Ayuso wrote:
> > On Thu, Oct 17, 2019 at 01:03:22AM +0200, Phil Sutter wrote:
> > > Commit 43ae7a48ae3de ("rule: do not print semicolon in ct timeout")
On Thu, Oct 17, 2019 at 12:36:49PM +0200, Phil Sutter wrote:
> Hi Pablo,
>
> On Thu, Oct 17, 2019 at 11:07:38AM +0200, Pablo Neira Ayuso wrote:
> > On Thu, Oct 17, 2019 at 10:55:49AM +0200, Pablo Neira Ayuso wrote:
> > > On Thu, Oct 17, 2019 at 01:03:20AM +0200, Phil Su
On Thu, Oct 17, 2019 at 01:03:22AM +0200, Phil Sutter wrote:
> Commit 43ae7a48ae3de ("rule: do not print semicolon in ct timeout")
> removed an extra semicolon at end of line, but thereby broke single line
> output. The correct fix is to use opts->stmt_separator which holds
> either newline or semi
policy and timeout")
> Signed-off-by: Phil Sutter
Acked-by: Pablo Neira Ayuso
On Thu, Oct 17, 2019 at 01:03:19AM +0200, Phil Sutter wrote:
> These shouldn't happen in practice and printing to stderr is not the
> right thing either, but fix this anyway.
>
> Fixes: f9563c0feb24d ("src: add events reporting")
> Signed-off-by: Phil Sutter
This fixes a memleak when releasing the compound expression via
expr_free().
Fixes: 92911b362e90 ("src: add support to add flowtables")
Signed-off-by: Pablo Neira Ayuso
---
src/parser_bison.y | 2 +-
src/parser_json.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff -
rt to add flowtables")
Signed-off-by: Eric Jallot
Signed-off-by: Pablo Neira Ayuso
---
v2: simplify original patch a bit.
src/parser_bison.y | 1 +
src/rule.c | 12
2 files changed, 13 insertions(+)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 8ad581f6
On Sun, Oct 13, 2019 at 08:19:45PM +0200, Florian Westphal wrote:
> Once ct->ext gets free'd via kfree() rather than kfree_rcu we can't
> access the extension area anymore without owning the conntrack.
>
> This is a special case:
>
> The worker is walking the pcpu dying list while holding dying l
Applied.
On Fri, Oct 11, 2019 at 12:30:37AM +0200, Florian Westphal wrote:
> At this time, NF_HOOK_LIST() macro will iterate the list and then calls
> nf_hook() for each individual skb.
>
> This makes it so the entire list is passed into the netfilter core.
> The advantage is that we only need to fetch the
On Thu, Oct 17, 2019 at 11:03:32AM +0200, Pablo Neira Ayuso wrote:
> On Tue, Oct 15, 2019 at 01:41:44PM +0200, Phil Sutter wrote:
> > Fourth try at caching optimizations implementation.
> >
> > Changes since v3:
> >
> > * Rebase onto current master after p
On Tue, Oct 15, 2019 at 03:19:13PM +0200, Florian Westphal wrote:
> conntrack extensions are free'd via kfree_rcu, but there appears to be
> no need for this anymore.
>
> Lookup doesn't access ct->ext. All other accesses I found occur
> after taking either the hash bucket lock, the dying list loc
On Thu, Oct 17, 2019 at 10:55:49AM +0200, Pablo Neira Ayuso wrote:
> On Thu, Oct 17, 2019 at 01:03:20AM +0200, Phil Sutter wrote:
> > This reverts commit 9b032cd6477b847f48dc8454f0e73935e9f48754.
> >
> > While it is true that a cache exists, we still need to capture new sets
>
attr array).
> Consequently, when copying values from nlattr array into ct timeout
> object in timeout_parse_attr_data(), loop is adjusted to start at index
> 0 and the type value decrement is dropped there.
>
> Fixes: 0adceeab1597a ("src: add ct timeout support")
> Signed-off-by: Phil Sutter
Acked-by: Pablo Neira Ayuso
On Tue, Oct 15, 2019 at 01:41:44PM +0200, Phil Sutter wrote:
> Fourth try at caching optimizations implementation.
>
> Changes since v3:
>
> * Rebase onto current master after pushing the accepted initial three
> patches.
> * Avoid cache inconsistency in __nft_build_cache() if kernel ruleset
>
On Thu, Oct 17, 2019 at 01:03:20AM +0200, Phil Sutter wrote:
> This reverts commit 9b032cd6477b847f48dc8454f0e73935e9f48754.
>
> While it is true that a cache exists, we still need to capture new sets
> and their elements if they are anonymous. This is because the name
> changes and rules will refe
S.
>
> Core cache fetching routine __nft_build_cache() accepts a new level via
> parameter and raises cache completeness to that level.
>
> Signed-off-by: Phil Sutter
Acked-by: Pablo Neira Ayuso
After unbinding the list of flow_block callbacks, iterate over it to
remove the existing rules in the netdevice that has just been
unregistered.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_offload.c | 26 +-
1 file changed, 13 insertions(+), 13 deletions
Add helper function to set up the flow_cls_offload object.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_offload.c | 37 -
1 file changed, 24 insertions(+), 13 deletions(-)
diff --git a/net/netfilter/nf_tables_offload.c
b/net/netfilter
This patch allows you to register one netdev basechain to multiple
devices. This adds a new NFTA_HOOK_DEVS netlink attribute to specify
the list of netdevices. Basechains store a list of hooks.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h | 4 +-
include/uapi
Add nft_flow_block_chain() helper function.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_offload.c | 15 +++
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nf_tables_offload.c
b/net/netfilter/nf_tables_offload.c
index e546f759b7a7
.
These patches come in preparation for:
5) Allow for hooking multiple devices to the same netdev basechain.
Pablo Neira Ayuso (5):
netfilter: nf_tables_offload: add nft_flow_block_chain()
netfilter: nf_tables_offload: Pass callback list to nft_setup_cb_call()
netfilter: nf_tables_offload
This allows reusing nft_setup_cb_call() from the callback unbind path.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_offload.c | 9 +
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nf_tables_offload.c
b/net/netfilter/nf_tables_offload.c
index
Raise the maximum limit of devices per flowtable up to 256. Rename
NFT_FLOWTABLE_DEVICE_MAX to NFT_NETDEVICE_MAX in preparation to reuse
the netdev hook parser for ingress basechain.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h | 2 +-
net/netfilter/nf_tables_api.c
Hardware offload needs access to the priority field, store this field in
the nf_flowtable object.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_flow_table.h | 1 +
include/net/netfilter/nf_tables.h | 2 --
net/netfilter/nf_tables_api.c | 10 +-
3 files
.
Pablo Neira Ayuso (4):
netfilter: nf_flow_table: move priority to struct nf_flowtable
netfilter: nf_tables: dynamically allocate hooks per net_device in flowtables
netfilter: nf_tables: allow only one netdev per flowtable
netfilter: nf_tables: increase maximum devices number per flowtable
Allow netdevice only once per flowtable, otherwise hit EEXIST.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_api.c | 17 +
1 file changed, 17 insertions(+)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 0e0e35876b53..80ded807d529
Use a list of hooks per device instead of an array.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h | 8 +-
net/netfilter/nf_tables_api.c | 253 +++---
2 files changed, 158 insertions(+), 103 deletions(-)
diff --git a/include/net
On Wed, Oct 16, 2019 at 11:55:02AM +0100, Jeremy Sowden wrote:
> On 2019-10-15, at 10:32:52 +0200, Pablo Neira Ayuso wrote:
> > On Tue, Sep 24, 2019 at 08:40:54AM +0100, Jeremy Sowden wrote:
> > > By default, continue to use libreadline, but if
> > > `--with-cli=lineno
ze expected for NFTNL_SET_ELEM_VERDICT attribute is
> sizeof(uint32_t), change type of 'verdict' field in union nftnl_data_reg
> accordingly.
>
> Signed-off-by: Phil Sutter
Acked-by: Pablo Neira Ayuso
On Tue, Oct 15, 2019 at 07:09:33PM +0200, Phil Sutter wrote:
> On Tue, Oct 15, 2019 at 06:32:39PM +0200, Pablo Neira Ayuso wrote:
> > On Tue, Oct 15, 2019 at 06:11:34PM +0200, Phil Sutter wrote:
> > > Hi,
> > >
> > > On Tue, Oct 15, 2019 at 05:53:46PM +0200,
On Tue, Oct 15, 2019 at 07:27:27PM +0200, Phil Sutter wrote:
> On Tue, Oct 15, 2019 at 06:37:21PM +0200, Pablo Neira Ayuso wrote:
> > On Tue, Oct 15, 2019 at 06:35:29PM +0200, Phil Sutter wrote:
> > > On Tue, Oct 15, 2019 at 06:33:46PM +0200, Pablo Neira Ayuso wrote:
> >
On Tue, Oct 15, 2019 at 06:25:59PM +0200, Phil Sutter wrote:
> Hi,
>
> On Tue, Oct 15, 2019 at 06:09:13PM +0200, Pablo Neira Ayuso wrote:
> > On Tue, Oct 15, 2019 at 06:02:55PM +0200, Phil Sutter wrote:
> > > On Tue, Oct 15, 2019 at 05:52:44PM +0200, Pablo Neira Ayuso wr
On Tue, Oct 15, 2019 at 06:35:29PM +0200, Phil Sutter wrote:
> On Tue, Oct 15, 2019 at 06:33:46PM +0200, Pablo Neira Ayuso wrote:
> > On Tue, Oct 15, 2019 at 06:21:30PM +0200, Phil Sutter wrote:
> > > Hi,
> > >
> > > On Tue, Oct 15, 2019 at 05:57:16PM +0200,
On Tue, Oct 15, 2019 at 06:21:30PM +0200, Phil Sutter wrote:
> Hi,
>
> On Tue, Oct 15, 2019 at 05:57:16PM +0200, Pablo Neira Ayuso wrote:
> > On Tue, Oct 15, 2019 at 04:16:57PM +0200, Phil Sutter wrote:
> > > Array 'tb' has only 'attr_max' elements, th
On Tue, Oct 15, 2019 at 06:11:34PM +0200, Phil Sutter wrote:
> Hi,
>
> On Tue, Oct 15, 2019 at 05:53:46PM +0200, Pablo Neira Ayuso wrote:
> > On Tue, Oct 15, 2019 at 04:16:56PM +0200, Phil Sutter wrote:
> > > By calling nftnl_set_set(), any data size checks are effectivel
On Tue, Oct 15, 2019 at 06:02:55PM +0200, Phil Sutter wrote:
> On Tue, Oct 15, 2019 at 05:52:44PM +0200, Pablo Neira Ayuso wrote:
> > On Tue, Oct 15, 2019 at 04:16:55PM +0200, Phil Sutter wrote:
> [...]
> > > diff --git a/src/set_elem.c b/src/set_elem.c
> > > inde
Fixes: ea63a05272f54 ("obj: add tunnel support")
> Signed-off-by: Phil Sutter
Acked-by: Pablo Neira Ayuso
On Tue, Oct 15, 2019 at 04:16:57PM +0200, Phil Sutter wrote:
> Array 'tb' has only 'attr_max' elements, the loop overstepped its
> boundary by one. Copy array_size() macro from include/utils.h in
> nftables.git to make sure code does the right thing.
>
> Fixes: 0adceeab1597a ("src: add ct timeout
On Tue, Oct 15, 2019 at 04:16:56PM +0200, Phil Sutter wrote:
> By calling nftnl_set_set(), any data size checks are effectively
> bypassed. Better call nftnl_set_set_data() directly, passing the real
> size for validation.
>
> Signed-off-by: Phil Sutter
Acked-by: Pablo Neira A
Acked-by: Pablo Neira Ayuso
Before pushing out this, see below.
> ---
> include/libnftnl/set.h | 2 ++
> src/set_elem.c | 10 ++
> 2 files changed, 12 insertions(+)
>
> diff --git a/include/libnftnl/set.h b/include/libnftnl/set.h
> index 6640ad929f346..2ea2e9a56
On Tue, Oct 15, 2019 at 04:16:54PM +0200, Phil Sutter wrote:
> The function returned -1 on success.
>
> Signed-off-by: Phil Sutter
Acked-by: Pablo Neira Ayuso
On Tue, Oct 15, 2019 at 04:16:53PM +0200, Phil Sutter wrote:
> Don't ignore nested attribute parsing errors, this may hide bugs in
> users' code.
>
> Fixes: 0adceeab1597a ("src: add ct timeout support")
> Signed-off-by: Phil Sutter
Acked-by: Pablo Neira Ayuso
On Tue, Oct 15, 2019 at 04:17:45PM +0200, Phil Sutter wrote:
> The function is unsafe to use as it effectively bypasses data length
> checks. Instead use nftnl_set_set_str() which at least asserts a const
> char pointer is passed.
>
> Signed-off-by: Phil Sutter
Acked-by: Pablo Neira Ayuso
:272)
==13768==by 0x48A136E: nft_evaluate (libnftables.c:406)
==13768==by 0x48A1B71: nft_run_cmd_from_buffer (libnftables.c:4
==13768==by 0x10953E: main (main.c:326)
Fixes: db0697ce7f60 ("src: support for flowtable listing")
Signed-off-by: Pablo Neira Ayuso
---
src/r
On Tue, Sep 24, 2019 at 08:40:54AM +0100, Jeremy Sowden wrote:
> By default, continue to use libreadline, but if `--with-cli=linenoise`
> is passed to configure, build the linenoise implementation instead.
Applied, thanks Jeremy.
On Fri, Oct 11, 2019 at 12:54:33AM +0200, Florian Westphal wrote:
> Edward Cree wrote:
> > On 10/10/2019 23:30, Florian Westphal wrote:
> > > NF_HOOK_LIST now only works for ipv4 and ipv6, as those are the only
> > > callers.
> > ...
> > > +
> > > + rcu_read_lock();
> > > + switch (pf) {
>
On Fri, Oct 11, 2019 at 01:24:52PM +0200, Phil Sutter wrote:
> Hi,
>
> On Fri, Oct 11, 2019 at 11:28:23AM +0200, Pablo Neira Ayuso wrote:
> [...]
> > You could also just parse the ruleset twice in userspace, once to
> > calculate the cache you need and anothe
buffer in netlink dumps to speed up netlink
dumps for a while. Let's recommend this buffer size through these new
definitions.
Update examples too.
Signed-off-by: Pablo Neira Ayuso
---
examples/netfilter/nfct-dump.c | 2 +-
examples/rtnl/rtnl-addr-dump.c | 4 ++--
examples/rtnl/rtnl
] __do_softirq+0xcc/0x27c
[570953.959464] irq_exit+0xe8/0x100
[570953.960097] do_IRQ+0x59/0xe0
[570953.960734] common_interrupt+0xf/0xf
Fixes: 43c8f131184f ("netfilter: nf_flow_table: fix missing error check for
rhashtable_insert_fast")
Signed-off-by: Pablo Neira Ayuso
---
net
onstants (in hexadecimal):
> expected   0x0001
> seen-reply 0x0002
> [..]
>
> Signed-off-by: Florian Westphal
Acked-by: Pablo Neira Ayuso
On Fri, Oct 11, 2019 at 12:09:11AM +0200, Phil Sutter wrote:
[...]
> Maybe we could go with a simpler solution for now, which is to check
> kernel genid again and drop the local cache if it differs from what's
> stored. If it doesn't, the current cache is still up to date and we may
> just fetch wh
On Fri, Oct 11, 2019 at 12:09:11AM +0200, Phil Sutter wrote:
> Hi Pablo,
>
> On Wed, Oct 09, 2019 at 12:29:01PM +0200, Pablo Neira Ayuso wrote:
> > On Wed, Oct 09, 2019 at 11:37:23AM +0200, Pablo Neira Ayuso wrote:
> > > Hi Phil,
> > >
> > > On Tue, Oct
: Display pre-defined inet_service values in host
byte order")
Signed-off-by: Pablo Neira Ayuso
---
v2: use div_round_up() - Florian Westphal.
src/datatype.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/datatype.c b/src/datatype.c
index 873f7d4d358b..b9e167e0376
: Display pre-defined inet_service values in host
byte order")
Signed-off-by: Pablo Neira Ayuso
---
src/datatype.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/datatype.c b/src/datatype.c
index 873f7d4d358b..0ee2925a8368 100644
--- a/src/datatype.c
+++ b/src/datatype.c
@@ -22
On Tue, Oct 08, 2019 at 10:37:51PM +0200, Phil Sutter wrote:
> Rename and optimize internal function nftnl_set_lookup() for external
> use. Just like with nftnl_chain_list, use a hash table for fast set name
> lookups.
>
> Signed-off-by: Phil Sutter
Acked-by: Pablo Neira Ayuso
Thanks Phil.
On Wed, Oct 09, 2019 at 11:37:23AM +0200, Pablo Neira Ayuso wrote:
> Hi Phil,
>
> On Tue, Oct 08, 2019 at 06:14:40PM +0200, Phil Sutter wrote:
> > Replace the simple have_cache boolean by a cache level indicator
> > defining how complete the cache is. Since have_cache ind
On Tue, Oct 08, 2019 at 03:47:24PM +0200, Eric Jallot wrote:
> Each object (secmark, synproxy, quota, limit, counter) is dynamically
> allocated by the parser and not freed at exit.
> However, there is no need to use dynamic allocation here because struct obj
> already provides the required stor
On Tue, Oct 08, 2019 at 12:54:11PM +0200, Alin Nastac wrote:
> On big endian arches UDP/TCP checksum is incorrectly computed when
> payload length is odd.
Applied, thanks Alin.
Skip this optimization for non-anonymous sets, otherwise element
deletion breaks.
Signed-off-by: Pablo Neira Ayuso
---
src/segtree.c | 3 +-
.../shell/testcases/maps/0008interval_map_delete_0 | 32 ++
2 files changed, 34 insertions
Hi Phil,
On Tue, Oct 08, 2019 at 06:14:40PM +0200, Phil Sutter wrote:
> Replace the simple have_cache boolean by a cache level indicator
> defining how complete the cache is. Since have_cache indicated full
> cache (including rules), make code depending on it check for cache level
> NFT_CL_RULES.
On Tue, Oct 08, 2019 at 06:14:39PM +0200, Phil Sutter wrote:
> The amount of code dealing with caching only is considerable and hence
> deserves its own source file.
>
> Signed-off-by: Phil Sutter
Acked-by: Pablo Neira Ayuso
tter
Acked-by: Pablo Neira Ayuso
Signed-off-by: Phil Sutter
Acked-by: Pablo Neira Ayuso