Displaying 20 results from an estimated 124 matches for "verdict".
2024 Feb 13
16
[Bug 1736] New: nftables - dynamic update for verdict map from the packet path
https://bugzilla.netfilter.org/show_bug.cgi?id=1736
Bug ID: 1736
Summary: nftables - dynamic update for verdict map from the packet path
Product: nftables
Version: 1.0.x
Hardware: x86_64
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: nft
Assignee: pablo at netfilter.org...
2024 Apr 03
5
[Bug 1742] New: using nfqueue breaks SCTP connection (tracking)
...g rule
table inet kube-netpol {
comment "rules for kubernetes NetworkPolicy"
chain forward {
type filter hook forward priority filter - 5; policy accept;
ct state new queue to 100
}
}
and in userspace I process the packet to emit a verdict.
Everything works fine with TCP and UDP, but when using SCTP I can see that the
packet is modified and breaks the establishment of the connection; more
details in https://github.com/aojea/kube-netpol/issues/8
Once I remove the `nfqueue` rule the SCTP connection is established correctly.
I triple che...
2020 Aug 27
0
[Bug 1455] New: Queue verdict cannot be used in vmap
https://bugzilla.netfilter.org/show_bug.cgi?id=1455
Bug ID: 1455
Summary: Queue verdict cannot be used in vmap
Product: nftables
Version: unspecified
Hardware: arm
OS: Ubuntu
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: phi...
2007 Apr 18
3
[Bridge] Re: do_IRQ: stack overflow: 872..
On Fri, 07 Jan 2005 17:05:59 +0000
David Woodhouse <dwmw2@infradead.org> wrote:
> On Sat, 2004-12-18 at 08:50 +0100, Andi Kleen wrote:
> > It's not really an oops, just a warning that stack space got quite
> > tight.
> >
> > The problem seems to be that the br netfilter code is nesting far too
> > deeply and recursing several times. Looks like a design
2007 Apr 18
1
[Bridge] [PATCH/RFC] Reduce call chain length in netfilter (take 2)
...t known solution.
cheers,
Bart
--- linux-2.6.11-rc3/include/linux/netfilter.h.old 2005-02-12 13:48:13.000000000 +0100
+++ linux-2.6.11-rc3/include/linux/netfilter.h 2005-02-12 17:02:48.000000000 +0100
@@ -18,7 +18,8 @@
#define NF_STOLEN 2
#define NF_QUEUE 3
#define NF_REPEAT 4
-#define NF_MAX_VERDICT NF_REPEAT
+#define NF_STOP 5
+#define NF_MAX_VERDICT NF_STOP
/* Generic cache responses from hook functions.
<= 0x2000 is used for protocol-flags. */
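Review bot: raising NF_MAX_VERDICT from NF_REPEAT to the new NF_STOP widens every bounds check of the form `verdict <= NF_MAX_VERDICT`, so any code that validates a verdict against that bound will now admit value 5 and must be taught what NF_STOP means; nothing in this hunk says how NF_STOP differs from NF_STOLEN or NF_REPEAT, so the `#define NF_STOP 5` line should carry a one-line comment stating its semantics (e.g. whether the packet is consumed, passed on, or the hook traversal merely ended) before the bound is moved.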
@@ -138,21 +139,32 @@ void nf_log_packet(int pf,
/* This is gross, but inline doesn't cut it for avoiding the function
call in fas...
2018 Jun 12
1
[Bug 1261] New: nft trace crash with msg "BUG: invalid verdict value 2"
https://bugzilla.netfilter.org/show_bug.cgi?id=1261
Bug ID: 1261
Summary: nft trace crash with msg "BUG: invalid verdict value 2"
Product: nftables
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Repor...
2012 Apr 25
1
forwarding packets to service in same host without using loopback network
...stdout);
  return id;
}

static int
cb (struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
    struct nfq_data *nfa, void *data)
{
  uint32_t ip_src, ip_dst;
  struct in_addr s_ip;
  struct in_addr d_ip;
  uint16_t src_port;
  uint16_t dst_port;
  int verdict;
  int id;
  int ret;
  unsigned char *buffer;
  struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr (nfa);

  if (ph)
    {
      id = ntohl (ph->packet_id);
      printf ("received packet with id %d", id);
    }
  ret = nfq_get_payload (nfa...
2020 Sep 23
1
[Bug 1471] New: consider quick accept verdict and delayed drop policy
https://bugzilla.netfilter.org/show_bug.cgi?id=1471
Bug ID: 1471
Summary: consider quick accept verdict and delayed drop policy
Product: nftables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporte...
2023 Apr 14
5
[Bug 1673] New: bug egress hook virtio interface with VLAN
...0000 0000 0000 0000 ........
nft monitor :
trace id 195bb0a6 netdev filter egress packet: oif "enp6s19.100" @nh,0,320
0xe5050000401194a000000000ffffffff00440043013486f501010600f97b4c020000000000000000
trace id 195bb0a6 netdev filter egress rule meta nftrace set 1 (verdict continue)
trace id 195bb0a6 netdev filter egress rule log group 30 (verdict continue)
trace id 195bb0a6 netdev filter egress verdict continue
trace id 195bb0a6 netdev filter egress policy accept
With E1000, captured packet :
tcpdump: verbose output suppressed, use -v[v]... for full protocol deco...
2023 Apr 14
3
[Bug 1672] New: bug egress hook virtio interface with VLAN
2015 Dec 01
3
[PATCH 0/2] Do not use the "red zone" on EFI
On Sun, Nov 29, 2015 at 06:15:11AM +0200
>
> Thank you for the replies. I do appreciate it.
>
I appreciate a verdict/judgement/decision on patches.
2019 Jul 24
4
[Bug 1356] New: adding element to map inverts byte order
...e: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: c.marquis at viapass.com
Hi, I noticed a byte order inversion while adding an element to a verdict map,
as follows:
> nft add element ip filter ok { 0x00000045: jump go }
produces:
> map ok {
> type mark : verdict
> elements = { 0x45000000 : jump go }
> }
(version: both nftables and libnftnl from last commit on this day 24 July 2019
- 11h40 AM)
--
You are receivi...
2011 Mar 07
2
[Bug 708] New: Some accepted packets get lost
....5.1.53 > 10.3.5.8.38047: 41247 1/3/3 A 12.34.123.210 (157)
13:29:21.774174 IP 10.3.5.1.53 > 10.3.5.8.38047: 12691 0/1/0 (94)
* Using a queue ('tcpdump -ni eth0 udp port 53' and queue manager on the same terminal):
01) 20:08:00.486366: recv returned 108
02) 20:08:00.486566: setting verdict : accept the packet...
03) 20:08:00.486614 IP 10.3.5.8.46938 > 10.3.5.1.53: 51146+ A? www.mydomain.net. (35)
04) 20:08:00.487193 IP 10.3.5.1.53 > 10.3.5.8.46938: 51146 1/3/3 A 12.34.123.210 (157)
05) 20:08:00.586723: recv returned 108
06) 20:08:00.586789: setting verdict : accept the packet.....
2016 Oct 28
2
[Bug 1096] New: Kernel oops when inserting an element into a map
...ttachment 485
--> https://bugzilla.netfilter.org/attachment.cgi?id=485&action=edit
dmesg log from kernel oops
The following ruleset, when loaded with 'nft -f bad.txt', results in a kernel
oops:
----snip----
flush ruleset
table ip inlinenat {
map sourcemap {
type ipv4_addr : verdict;
}
chain postrouting {
ip saddr vmap @sourcemap accept
}
}
add chain inlinenat test
add element inlinenat sourcemap { 100.123.10.2 : jump test }
----snip----
If the element and chain are inserted as part of the table statement everything
works:
----snip----
flush ruleset
table ip inlin...
2020 Mar 12
3
[Bug 1413] New: Inconsistent EBUSY errors when adding a duplicate element to a map
...Reporter: anton.aksola at upcloud.com
OS: Debian GNU/Linux 10 (Buster)
Kernel: 4.19.0-8-amd64
This works every time:
# nft -f - << EOF
flush ruleset
add table ip filter
add chain ip filter forward { type filter hook forward priority 0; policy accept; }
add map ip filter foo { type ifname : verdict; }
add rule ip filter forward iifname vmap @foo
add element ip filter foo { "dummy0" : accept }
add element ip filter foo { "dummy0" : accept }
EOF
While these do not:
# nft -f - << EOF
flush ruleset
add table ip filter
add chain ip filter forward { type filter hook forwa...
2020 Jan 07
4
[Bug 1396] New: When rule with 3 concat elements are added, nft list shows only 2
...: All
Status: NEW
Severity: critical
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: sbezverk at cisco.com
table ip ipv4table {
map cluster-ip-services-set {
type inet_proto . ipv4_addr . inet_service : verdict
}
chain k8s-nat-mark-masq {
ip protocol . ip daddr vmap @cluster-ip-services-set
}
chain k8s-nat-do-mark-masq {
meta mark set 0x00004000 return
}
}
the command to add rule to k8s-nat-mark-masq chain is:
sudo nft add rule ipv4table k8s-nat-mark-masq ip protoc...
2006 Feb 11
5
acts_as_taggable : plugin vs gem
Googling for acts_as_taggable is a little confusing: gem, plugin?!
What are the differences?
Which one to choose?
Where is the best doc?
Alain
2014 Dec 16
0
[ANNOUNCE] nftables 0.4 release
...ime tradeoff, eg. optimize memory:
# nft add set filter set1 { type ipv4_addr ; policy memory ; }
Or optimize performance:
# nft add set filter set1 { type ipv4_addr ; policy performance ; }
You can also use this in maps:
# nft add map filter map1 { type ipv4_addr : verdict ; policy performance ; }
And indicate the expected size to assist the set selection routine:
# nft add set filter set1 { type ipv4_addr ; size 1024 ; }
* Complete reject support (available for ip, ip6 and inet since 3.14.
bridge support and the icmpx abstraction since 3.18)....
2020 Jan 08
3
Phabricator -> GitHub PRs?
What was the verdict? Any plans to move? I hate coding anything knowing
that I'll have to use Phabricator. It's like nails on a chalkboard.
-bw
On Tue, Jan 7, 2020 at 4:13 PM Finkel, Hal J. <hfinkel at anl.gov> wrote:
>
> On 1/7/20 6:03 PM, Bill Wendling via llvm-dev wrote:
>
> Now that we&...
2009 Nov 10
12
Will pv-ops dom0-patched kernel be eventually merged into Linus Torvalds' mainline Linux kernel tree?
After reading the following articles, it doesn't sound very hopeful for Xen.
[1] Xen vs. KVM: Verdict still out on dueling hypervisors
http://searchdatacenter.techtarget.com/news/article/0,289142,sid80_gci1368664,00.html
[2] Xen vs. KVM Linux virtualization hypervisors
http://searchservervirtualization.techtarget.com/generic/0,295582,sid94_gci1371226,00.html
[3] Xen vs. KVM: The Linux Foundation’...