Displaying 19 results from an estimated 19 matches for "flowtable".
2024 Oct 14
1
[Bug 1776] New: No hw offload for flowtables with intel x710
https://bugzilla.netfilter.org/show_bug.cgi?id=1776
Bug ID: 1776
Summary: No hw offload for flowtables with intel x710
Product: nftables
Version: unspecified
Hardware: All
OS: other
Status: NEW
Severity: normal
Priority: P5
Component: kernel
Assignee: pablo at netfilter.org
Reporter: aljutor...
2024 Apr 04
5
[Bug 1743] New: Flowtable: Flows exiting OFFLOAD State being assigned value of nf_conntrack_tcp_timeout_unacknowledged
https://bugzilla.netfilter.org/show_bug.cgi?id=1743
Bug ID: 1743
Summary: Flowtable: Flows exiting OFFLOAD State being assigned
value of nf_conntrack_tcp_timeout_unacknowledged
Product: nftables
Version: 1.0.x
Hardware: x86_64
OS: other
Status: NEW
Severity: normal
Priority: P5...
2016 Feb 26
1
Publication: Flowtables: Program Skeletal Inversion for Defeat of Interprocedural Analysis with Unique Metamorphism
http://dl.acm.org/citation.cfm?id=2843863
Luke Jones, Ryan Whelan, Jeremy Blackthorne, and Graham Baker. 2015.
Flowtables: Program Skeletal Inversion for Defeat of Interprocedural
Analysis with Unique Metamorphism. In Proceedings of the 5th Program
Protection and Reverse Engineering Workshop (PPREW-5). ACM, New York, NY,
USA, Article 6, 11 pages. DOI=http://dx.doi.org/10.1145/2843859.2843863
2019 Aug 19
1
[ANNOUNCE] libnftnl 1.1.4 release
Hi!
The Netfilter project proudly presents:
libnftnl 1.1.4
libnftnl is a userspace library providing a low-level netlink
programming interface (API) to the in-kernel nf_tables subsystem. The
library libnftnl has been previously known as libnftables. This
library is currently used by nftables.
See ChangeLog that comes attached to this email for more details.
You can download it from:
2020 Jun 06
0
[ANNOUNCE] nftables 0.9.5 release
...8.10.35 counter packets 1 bytes 84, 192.168.10.101 counter p
192.168.10.135 counter packets 0 bytes 0 }
}
chain z {
type filter hook output priority filter; policy accept;
ip daddr @y
}
}
* Counters support for flowtables:
table ip foo {
flowtable bar {
hook ingress priority -100
devices = { eth0, eth1 }
counter
}
chain forward {
type filter hook forward priority filter;
flo...
2019 May 27
0
[ANNOUNCE] libnftnl 1.1.3 release
...o (2):
udata: add NFTNL_UDATA_* definitions
build: libnftnl 1.1.3 release
Phil Sutter (12):
chain: Support per chain rules list
chain: Add lookup functions for chain list and rules in chain
chain: Hash chain list by name
object: Avoid obj_ops array overrun
flowtable: Add missing break
flowtable: Fix use after free in two spots
flowtable: Fix memleak in nftnl_flowtable_parse_devs()
flowtable: Fix for reading garbage
src: chain: Add missing nftnl_chain_rule_del()
src: chain: Fix nftnl_chain_rule_insert_at()
src: rule: Support...
2019 Dec 04
3
[Bug 1387] New: Repoering libnftnl bugs
https://bugzilla.netfilter.org/show_bug.cgi?id=1387
Bug ID: 1387
Summary: Repoering libnftnl bugs
Product: bugzilla
Version: other
Hardware: x86_64
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: netfilter bugzilla
Assignee: netfilter-buglog at
2024 Jul 16
0
[ANNOUNCE] nftables 1.1.0 release
...type ipv4_addr
flags interval
auto-merge
elements = $ip-block-4
}
- Restore rule replace command
replace rule ip t1 c1 handle 3 'jhash ip protocol . ip saddr mod 170 vmap { 0-94 : goto wan1, 95-169 : goto wan2, 170-269 }"
- Restore addition of netdevice to flowtable
create flowtable inet filter f1 { hook ingress priority 0; counter }
add flowtable inet filter f1 { devices = { dummy1 } ; }
- Byteorder conversion in set with concatenation and ranges
map ipsec_in {
typeof ipsec in reqid . iif : verdict
flags interval
}
ipsec in...
2020 Apr 01
0
[ANNOUNCE] libnftnl 1.1.6 release
...support for NFTNL_SET_EXPR
expr: masq: revisit _snprintf()
expr: nat: snprint flags in hexadecimal
Revert "bitwise: add support for passing mask and xor via registers."
include: update nf_tables.h.
build: libnftnl 1.1.6 release
Phil Sutter (7):
tests: flowtable: Don't check NFTNL_FLOWTABLE_SIZE
flowtable: Fix memleak in error path of nftnl_flowtable_parse_devs()
chain: Fix memleak in error path of nftnl_chain_parse_devs()
flowtable: Correctly check realloc() call
chain: Correctly check realloc() call
examples: Replace use...
2023 May 16
4
[Bug 1680] New: Trying to delete offloaded flow with conntrack results in EBUSY
...ct: nftables
Version: unspecified
Hardware: All
OS: other
Status: NEW
Severity: major
Priority: P5
Component: kernel
Assignee: pablo at netfilter.org
Reporter: demiobenour at gmail.com
If I am using a flowtable to accelerate forwarding and try to use conntrack to
delete the offloaded flows, conntrack fails with EBUSY. This is a problem if
the purpose of deleting the flows is to enforce changed firewall rules.
This was found while investigating
https://github.com/QubesOS/qubes-issues/issues/8212 (found b...
2020 Oct 27
0
[ANNOUNCE] nftables 0.9.7 release
...ounter accept
}
}
* Allow to use variables in the log prefix string.
define foo= "state"
define bar = "match"
table x {
chain y {
ct state invalid log prefix "invalid $foo $bar:"
}
}
* Allow to use variables in chain and flowtable definitions, e.g.
define if_main = lo
table netdev x {
chain y {
type filter hook ingress device $if_main priority -500; policy accept;
}
}
* Allow to define negative values in variables:
define post = -10
define for = "filter - 100"
table inet...
2024 Jul 15
0
[ANNOUNCE] libnftnl 1.2.7 release
...ops::max_attr field
expr: Call expr_ops::set with legal types only
include: Sync nf_log.h with kernel headers
expr: Introduce struct expr_ops::attr_policy
expr: Enforce attr_policy compliance in nftnl_expr_set()
chain: Validate NFTNL_CHAIN_USE, too
table: Validate NFTNL_TABLE_USE, too
flowtable: Validate NFTNL_FLOWTABLE_SIZE, too
obj: Validate NFTNL_OBJ_TYPE, too
set: Validate NFTNL_SET_ID, too
table: Validate NFTNL_TABLE_OWNER, too
obj: Do not call nftnl_obj_set_data() with zero data_len
obj: synproxy: Use memcpy() to handle potentially unaligned data
utils: Fix for wrong var...
2020 Jun 05
0
[ANNOUNCE] libnftnl 1.1.7 release
...tp://ftp.netfilter.org/pub/libnftnl/
Have fun.
-------------- next part --------------
Pablo Neira Ayuso (5):
udata: add NFTNL_UDATA_SET_DATA_INTERVAL
expr: objref: add nftnl_expr_objref_free() to release object name
expr: dynset: release stateful expression from .free path
flowtable: relax logic to build NFTA_FLOWTABLE_HOOK
build: libnftnl 1.1.7 release
2018 Oct 17
1
[Bug 1283] New: names must be strings
...:ip" and "blocked:host:ip6".
In case : is not acceptable in set names for syntax reasons, I'd be fine with
using quoted strings for non-alphanumeric set names.
Seems like this issue applies to everything using identifier (STRING as
acceptable type), including tables chains sets flowtables objects.
nft -v
nftables v0.9.0 (Fearless Fosdick)
Linux p0 4.18.0-0.bpo.1-amd64 #1 SMP Debian 4.18.6-1~bpo9+1 (2018-09-13) x86_64
GNU/Linux
2020 Jul 16
1
[Bug 1442] New: Definitions cannot be referenced in chain type configuration
https://bugzilla.netfilter.org/show_bug.cgi?id=1442
Bug ID: 1442
Summary: Definitions cannot be referenced in chain type
configuration
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Ubuntu
Status: NEW
Severity: normal
Priority: P5
Component: nft
2012 Feb 10
21
Reducing the need to compile a custom kernel
Hi,
during some big discussions in the last months on various lists, one of
the problems was that some people would like to use freebsd-update but
can't as they are using a custom kernel. With all the kernel modules
we provide, the need for a custom kernel should be small, but on the
other hand, we do not provide a small kernel-skeleton where you can
load just the modules you need.
2020 Apr 01
0
[ANNOUNCE] nftables 0.9.4 release
...erdata interface
rt: add parse and build userdata interface
fib: add parse and build userdata interface
xfrm: add parse and build userdata interface
main: enforce options before commands
scanner: incorrect error reporting after file inclusion
tests: shell: delete flowtable after flushing chain
main: restore --debug
evaluate: better error notice when interval flag is not set on
tests: shell: set lookup and set update
tests: shell: update list of rmmod modules
tests: shell: validate error reporting with include and glob
scanner: use...
2010 Jul 19
1
packet loss on ixgbe using vlans and ipv6
Hi,
I have a Dell T710 with 4 X 10G ethernet interfaces (2 X Dual port Intel
82599 cards). It is running FreeBSD RELENG_8 last updated on July 13.
What I see is packet loss (0 - 40%) on IPv6 packets in vlans, when the
machine is not the originator of the packets.
Let me try to describe a little more. If a neighbouring machine ping6 it,
there will be packet loss. If it acts as a router for ipv6,
2024 Oct 29
21
[Bug 1777] New: Error: COMMAND_FAILED: 'python-nftables' failed
https://bugzilla.netfilter.org/show_bug.cgi?id=1777
Bug ID: 1777
Summary: Error: COMMAND_FAILED: 'python-nftables' failed
Product: nftables
Version: 1.0.x
Hardware: arm
OS: Debian GNU/Linux
Status: NEW
Severity: blocker
Priority: P5
Component: kernel
Assignee: pablo at