| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
Use NFTA_TABLE_HANDLE instead of NFTA_TABLE_NAME to refer to the
table 64-bit unique handle.
Fixes: 7840b9224d5b ("evaluate: remove table from cache on delete table")
Fixes: f8aec603aa7e ("src: initial extended netlink error reporting")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Apply the same change from iptables-nft to nftables to keep them in
sync with regards to max supported transaction sizes.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
Flags are already set on from mnl_nft_flowtable_add(), remove duplicated
code.
Fixes: e6cc9f37385 ("nftables: add flags offload to flowtable")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
allow flags (currently only offload) in flowtables like it is stated
here: https://lwn.net/Articles/804384/
tested on mt7622/Bananapi-R64
table ip filter {
flowtable f {
hook ingress priority filter + 1
devices = { lan3, lan0, wan }
flags offload;
}
chain forward {
type filter hook forward priority filter; policy accept;
ip protocol { tcp, udp } flow add @f
}
}
table ip nat {
chain post {
type nat hook postrouting priority filter; policy accept;
oifname "wan" masquerade
}
}
Signed-off-by: Frank Wunderlich <frank-w@public-files.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
In combination with libnftnl's commit "set_elem: Fix printing of verdict
map elements", This adds the vmap target to netlink dumps. Adjust dumps
in tests/py accordingly.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
nft_mnl_socket_reopen() was introduced to deal with the EINTR case.
By reopening the netlink socket, pending netlink messages that are part of
a stale netlink dump are implicitly drop. This patch replaces the
nft_mnl_socket_reopen() strategy by pulling out all of the remaining
netlink message to restart in a clean state.
This is implicitly fixing up a bug in the table ownership support, which
assumes that the netlink socket remains open until nft_ctx_free() is
invoked.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Extend the set element infrastructure to support for several statements.
This patch places the statements right after the key when printing it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Netlink attribute maximum size is 65536 bytes (given nla_len is
16-bits). NFTA_SET_ELEM_LIST_ELEMENTS stores as many set elements as
possible that can fit into this netlink attribute.
Netlink messages with NLMSG_ERROR type originating from the kernel
contain the original netlink message as payload, they might be larger
than 65536 bytes.
Add NFT_MNL_ACK_MAXSIZE which estimates the maximum Netlink header
coming as (error) reply from the kernel. This estimate is based on the
maximum netlink message size that nft sends from userspace.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1464
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Kernel provides information regarding expression since
83d9dcba06c5 ("netfilter: nf_tables: extended netlink error reporting for
expressions").
A common mistake is to refer a chain which does not exist, e.g.
# nft add rule x y jump test
Error: Could not process rule: No such file or directory
add rule x y jump test
^^^^
Use the existing netlink extended error reporting infrastructure to
provide better error reporting as in the example above.
Requires Linux kernel patch 83d9dcba06c5 ("netfilter: nf_tables:
extended netlink error reporting for expressions").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch enables the user to specify a comment when adding a chain.
Relies on kernel space supporting userdata for chains.
> nft add table ip filter
> nft add chain ip filter input { comment "test"\; type filter hook input priority 0\; policy accept\; }
> list ruleset
table ip filter {
chain input {
comment "test"
type filter hook input priority filter; policy accept;
}
}
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Assume each error in the batch will result in a 1k notification for the
non-echo flag set on case as described in 860671662d3f ("mnl: fix --echo
buffer size again").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Enables specifying an optional comment when declaring named objects. The
comment is to be specified inside the object's block ({} block)
Relies on libnftnl exporting nftnl_obj_get_data and kernel space support
to store the comments.
For consistency, this patch makes the comment be printed first when
listing objects.
Adds a testcase importing all commented named objects except for secmark,
although it's supported.
Example: Adding a quota with a comment
> add table inet filter
> nft add quota inet filter q { over 1200 bytes \; comment "test_comment"\; }
> list ruleset
table inet filter {
quota q {
comment "test_comment"
over 1200 bytes
}
}
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds userdata building logic if a comment is specified when creating a
new table. Adds netlink userdata parsing callback function.
Relies on kernel supporting userdata for nft_table.
Example:
> nft add table ip x { comment "test"\; }
> nft list ruleset
table ip x {
comment "test"
}
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Allow users to add a comment when declaring a named set.
Adds set output handling the comment in both nftables and json
format.
$ nft add table ip x
$ nft add set ip x s {type ipv4_addr\; comment "some_addrs"\; elements = {1.1.1.1, 1.2.3.4}}
$ nft list ruleset
table ip x {
set s {
type ipv4_addr;
comment "some_addrs"
elements = { 1.1.1.1, 1.2.3.4 }
}
}
$ nft --json list ruleset
{
"nftables": [
{
"metainfo": {
"json_schema_version": 1,
"release_name": "Capital Idea #2",
"version": "0.9.6"
}
},
{
"table": {
"family": "ip",
"handle": 4857,
"name": "x"
}
},
{
"set": {
"comment": "some_addrs",
"elem": [
"1.1.1.1",
"1.2.3.4"
],
"family": "ip",
"handle": 1,
"name": "s",
"table": "x",
"type": "ipv4_addr"
}
}
]
}
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch allows you to group rules in a subchain, e.g.
table inet x {
chain y {
type filter hook input priority 0;
tcp dport 22 jump {
ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept
ip6 saddr ::1/128 accept;
}
}
}
This also supports for the `goto' chain verdict.
This patch adds a new chain binding list to avoid a chain list lookup from the
delinearize path for the usual chains. This can be simplified later on with a
single hashtable per table for all chains.
From the shell, you have to use the explicit separator ';', in bash you
have to escape this:
# nft add rule inet x y tcp dport 80 jump { ip saddr 127.0.0.1 accept\; ip6 saddr ::1 accept \; }
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The listing shows no devices:
# nft list ruleset
table ip x {
flowtable y {
hook ingress priority filter
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch allows you to remove a device to an existing flowtable:
# nft delete flowtable x y { devices = { eth0 } \; }
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch allows you to add new devices to an existing flowtables.
# nft add flowtable x y { devices = { eth0 } \; }
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch adds nft_flowtable_dev_array() to convert the list of devices
into an array. This array is released through
nft_flowtable_dev_array_free().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
(null) (null) b size 1
The debugging output displays table and set names as (null). This patch
sets the table and name before displaying the netlink debugging, then
unset them to not break the extended error support.
Fixes: 086ec6f30c96 ("mnl: extended error support for create command")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch allows you to specify an interval of IP address in maps.
table ip x {
chain y {
type nat hook postrouting priority srcnat; policy accept;
snat ip interval to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 }
}
}
The example above performs SNAT to packets that comes from 10.141.11.4
to an interval of IP addresses from 192.168.2.2 to 192.168.2.4 (both
included).
You can also combine this with dynamic maps:
table ip x {
map y {
type ipv4_addr : interval ipv4_addr
flags interval
elements = { 10.141.10.0/24 : 192.168.2.2-192.168.2.4 }
}
chain y {
type nat hook postrouting priority srcnat; policy accept;
snat ip interval to ip saddr map @y
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Store location of chain hook definition.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Allow users to enable flow counters via control plane toggle, e.g.
table ip x {
flowtable y {
hook ingress priority 0;
counter;
}
chain z {
type filter hook ingress priority filter;
flow add @z
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch allows you to turn on counter for each element in the set.
table ip x {
set y {
typeof ip saddr
counter
elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 }
}
chain z {
type filter hook output priority filter; policy accept;
ip daddr @y
}
}
This example shows how to turn on counters globally in the set 'y'.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch extends the basechain definition to allow users to specify
the offload flag. This flag enables hardware offload if your drivers
supports it.
# cat file.nft
table netdev x {
chain y {
type filter hook ingress device eth0 priority 10; flags offload;
}
}
# nft -f file.nft
Note: You have to enable offload via ethtool:
# ethtool -K eth0 hw-tc-offload on
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This string might not be nul-terminated, resulting in spurious errors
when adding netdev chains.
Fixes: 3fdc7541fba0 ("src: add multidevice support for netdev chain")
Fixes: 92911b362e90 ("src: add support to add flowtables")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
# nft delete rule ip y z handle 7
Error: Could not process rule: No such file or directory
delete rule ip y z handle 7
^
# nft delete rule ip x z handle 7
Error: Could not process rule: No such file or directory
delete rule ip x z handle 7
^
# nft delete rule ip x x handle 7
Error: Could not process rule: No such file or directory
delete rule ip x x handle 7
^
# nft replace rule x y handle 10 ip saddr 1.1.1.2 counter
Error: Could not process rule: No such file or directory
replace rule x y handle 10 ip saddr 1.1.1.2 counter
^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
When trying to set a policy to non-base chain:
# nft add chain x y { policy accept\; }
Error: Could not process rule: Operation not supported
add chain x y { policy accept; }
^^^^^^^^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
# nft create table x
Error: Could not process rule: File exists
create table x
^
# nft create chain x y
Error: Could not process rule: File exists
create chain x y
^
# nft create set x y { typeof ip saddr\; }
Error: Could not process rule: File exists
create set x y { typeof ip saddr; }
^
# nft create counter x y
Error: Could not process rule: File exists
create counter x y
^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch correlates the in-kernel extended netlink error offset and
the location information.
Assuming 'foo' table does not exist, then error reporting shows:
# nft delete table foo
Error: Could not process rule: No such file or directory
delete table foo
^^^
Similarly, if table uniquely identified by handle '1234' does not exist,
then error reporting shows:
# nft delete table handle 1234
Error: Could not process rule: No such file or directory
delete table handle 1234
^^^^
Assuming 'bar' chain does not exists in the kernel, while 'foo' does:
# nft delete chain foo bar
Error: Could not process rule: No such file or directory
delete chain foo bar
^^^
This also gives us a hint when adding rules:
# nft add rule ip foo bar counter
Error: Could not process rule: No such file or directory
add rule ip foo bar counter
^^^
This is based on ("src: basic support for extended netlink errors") from
Florian Westphal, posted in 2018, with no netlink offset correlation
support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To support arbitrary range concatenations, the kernel needs to know
how long each field in the concatenation is. The new libnftnl
NFTNL_SET_DESC_CONCAT set attribute describes this as an array of
lengths, in bytes, of concatenated fields.
While evaluating concatenated expressions, export the datatype size
into the new field_len array, and hand the data over via libnftnl.
Similarly, when data is passed back from libnftnl, parse it into
the set description.
When set data is cloned, we now need to copy the additional fields
in set_clone(), too.
This change depends on the libnftnl patch with title:
set: Add support for NFTA_SET_DESC_CONCAT attributes
v4: No changes
v3: Rework to use set description data instead of a stand-alone
attribute
v2: No changes
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Same as key: if the size isn't divisible by BITS_PER_BYTE, we need to
round up, not down.
Without this, you can't store vlan ids in a map, as they are truncated
to 8 bit.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds two new expression operations to build and to parse the
userdata area that describe the set key and data typeof definitions.
For maps, the grammar enforces either
"type data_type : data_type" or or "typeof expression : expression".
Check both key and data for valid user typeof info first.
If they check out, flag set->key_typeof_valid as true and use it for
printing the key info.
This patch comes with initial support for using payload expressions
with the 'typeof' keyword, followup patches will add support for other
expressions as well.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This will be needed once we add support for the 'typeof' keyword to
handle maps that could e.g. store 'ct helper' "type" values.
Instead of:
set foo {
type ipv4_addr . mark;
this would allow
set foo {
typeof(ip saddr) . typeof(ct mark);
(exact syntax TBD).
This would be needed to allow sets that store variable-sized data types
(string, integer and the like) that can't be used at at the moment.
Adding special data types for everything is problematic due to the
large amount of different types needed.
For anonymous sets, e.g. "string" can be used because the needed size can
be inferred from the statement, e.g. 'osf name { "Windows", "Linux }',
but in case of named sets that won't work because 'type string' lacks the
context needed to derive the size information.
With 'typeof(osf name)' the context is there, but at the moment it won't
help because the expression is discarded instantly and only the data
type is retained.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This change fixes the following warnings:
mnl.c: In function ‘mnl_nft_flowtable_add’:
mnl.c:1442:14: warning: implicit declaration of function ‘calloc’ [-Wimplicit-function-declaration]
dev_array = calloc(len, sizeof(char *));
^~~~~~
mnl.c:1442:14: warning: incompatible implicit declaration of built-in function ‘calloc’
mnl.c:1442:14: note: include ‘<stdlib.h>’ or provide a declaration of ‘calloc’
mnl.c:1449:2: warning: implicit declaration of function ‘free’ [-Wimplicit-function-declaration]
free(dev_array);
^~~~
mnl.c:1449:2: warning: incompatible implicit declaration of built-in function ‘free’
mnl.c:1449:2: note: include ‘<stdlib.h>’ or provide a declaration of ‘free’
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Also, display handle when listing with '-a'.
Signed-off-by: Eric Jallot <ejallot@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch allows you to dump a named flowtable.
# nft list flowtable inet t f
table inet t {
flowtable f {
hook ingress priority filter + 10
devices = { eth0, eth1 }
}
}
Also:
libnftables-json.adoc: fix missing quotes.
Fixes: db0697ce7f60 ("src: support for flowtable listing")
Fixes: 872f373dc50f ("doc: Add JSON schema documentation")
Signed-off-by: Eric Jallot <ejallot@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Setting strings won't make a difference, but passing data length to
*_set_data() functions allows for catching accidental changes on either
side.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Currently assuming a maximum of 8 devices, remove this artificial cap.
Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch allows you to specify multiple netdevices to be bound to the
netdev basechain, eg.
# nft add chain netdev x y { \
type filter hook ingress devices = { eth0, eth1 } priority 0\; }
json codebase has been updated to support for one single device with the
existing representation, no support for multidevice is included in this
patch.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
The function is unsafe to use as it effectively bypasses data length
checks. Instead use nftnl_set_set_str() which at least asserts a const
char pointer is passed.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
SO_SNDBUF never fails, this socket option just provides a hint to the
kernel. SO_SNDBUFFORCE sets the buffer size to zero if the value goes
over INT_MAX. Userspace is caching the buffer hint that sends to the
kernel, so it might leave userspace out of sync if the kernel ignores
the hint. Do not make assumptions, fetch the sender buffer size from the
kernel via getsockopt().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for "synproxy" stateful object. For example (for TCP port 80 and
using maps with saddr):
table ip foo {
synproxy https-synproxy {
mss 1460
wscale 7
timestamp sack-perm
}
synproxy other-synproxy {
mss 1460
wscale 5
}
chain bar {
tcp dport 80 synproxy name "https-synproxy"
synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
}
}
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If restart is triggered with --echo, it causes rules to be duplicated
which is not correct. Remove restart logic.
1. If user passes --echo, use a default 4mb buffer.
2. assume each element in the batch will result in a 1k
notification.
This passes tests both in x86_64 and s390.
Joint work with Florian Westphal.
Fixes: 877baf9538f6 ("src: mnl: retry when we hit -ENOBUFS")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
tests/shell/testcases/transactions/0049huge_0
still fails with ENOBUFS error after endian fix done in
previous patch. Its enough to increase the scale factor (4)
on s390x, but rather than continue with these "guess the proper
size" game, just increase the buffer size and retry up to 3 times.
This makes above test work on s390x.
So, implement what Pablo suggested in the earlier commit:
We could also explore increasing the buffer and retry if
mnl_nft_socket_sendmsg() hits ENOBUFS if we ever hit this problem again.
v2: call setsockopt unconditionally, then increase on error.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Kernel expects socklen_t (int).
Using size_t causes kernel to read upper 0-bits.
This caused tests/shell/testcases/transactions/0049huge_0
to fail on s390x -- it uses 'echo' mode and will quickly
overrun the tiny buffer size set due to this bug.
Fixes: 89c82c261bb5 ("mnl: estimate receiver buffer size")
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch allows you to use variables in chain policy definition, e.g.
define default_policy = "accept"
add table ip foo
add chain ip foo bar {type filter hook input priority filter; policy $default_policy}
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch allows you to use variables in chain priority definitions,
e.g.
define prio = filter
define prionum = 10
define prioffset = "filter - 150"
add table ip foo
add chain ip foo bar { type filter hook input priority $prio; }
add chain ip foo ber { type filter hook input priority $prionum; }
add chain ip foo bor { type filter hook input priority $prioffset; }
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This modification allow to directly add/list/delete expectations.
Signed-off-by: Stéphane Veyret <sveyret@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Two map types are currently possible:
* data maps, ie. set_is_datamap().
* object maps, ie. set_is_objmap().
This patch adds helper functions to check for the map type.
set_is_map() allows you to check for either map type.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
