search for: verdict

Displaying 20 results from an estimated 124 matches for "verdict".

2024 Feb 13
16
[Bug 1736] New: nftables - dynamic update for verdict map from the packet path
https://bugzilla.netfilter.org/show_bug.cgi?id=1736 Bug ID: 1736 Summary: nftables - dynamic update for verdict map from the packet path Product: nftables Version: 1.0.x Hardware: x86_64 OS: All Status: NEW Severity: enhancement Priority: P5 Component: nft Assignee: pablo at netfilter.org...
2024 Apr 03
5
[Bug 1742] New: using nfqueue breaks SCTP connection (tracking)
...g rule table inet kube-netpol { comment "rules for kubernetes NetworkPolicy" chain forward { type filter hook forward priority filter - 5; policy accept; ct state new queue to 100 } } and in userspace I process the packet to emit a verdict. Everything works fine with TCP and UDP, but when using SCTP I can see the packet is modified and breaks the establishment of the connection, more details in https://github.com/aojea/kube-netpol/issues/8 Once I remove the `nfqueue` rule the SCTP connection is established correctly. I triple che...
2020 Aug 27
0
[Bug 1455] New: Queue verdict cannot be used in vmap
https://bugzilla.netfilter.org/show_bug.cgi?id=1455 Bug ID: 1455 Summary: Queue verdict cannot be used in vmap Product: nftables Version: unspecified Hardware: arm OS: Ubuntu Status: NEW Severity: normal Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: phi...
2007 Apr 18
3
[Bridge] Re: do_IRQ: stack overflow: 872..
On Fri, 07 Jan 2005 17:05:59 +0000 David Woodhouse <dwmw2@infradead.org> wrote: > On Sat, 2004-12-18 at 08:50 +0100, Andi Kleen wrote: > > It's not really an oops, just a warning that stack space got quite > > tight. > > > > The problem seems to be that the br netfilter code is nesting far too > > deeply and recursing several times. Looks like a design
2007 Apr 18
1
[Bridge] [PATCH/RFC] Reduce call chain length in netfilter (take 2)
...t known solution. cheers, Bart --- linux-2.6.11-rc3/include/linux/netfilter.h.old 2005-02-12 13:48:13.000000000 +0100 +++ linux-2.6.11-rc3/include/linux/netfilter.h 2005-02-12 17:02:48.000000000 +0100 @@ -18,7 +18,8 @@ #define NF_STOLEN 2 #define NF_QUEUE 3 #define NF_REPEAT 4 -#define NF_MAX_VERDICT NF_REPEAT +#define NF_STOP 5 +#define NF_MAX_VERDICT NF_STOP /* Generic cache responses from hook functions. <= 0x2000 is used for protocol-flags. */ @@ -138,21 +139,32 @@ void nf_log_packet(int pf, /* This is gross, but inline doesn't cut it for avoiding the function call in fas...
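Review bot: NF_STOP is introduced as verdict 5 in include/linux/netfilter.h with no comment on how it differs from the existing verdicts (NF_STOLEN, NF_QUEUE, NF_REPEAT); a one-line comment beside the define stating what the hook caller does on NF_STOP would help hook authors. Since NF_MAX_VERDICT now equals NF_STOP, any code that range-checks or switches on verdicts up to NF_MAX_VERDICT should be confirmed to handle the new value explicitly.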
2018 Jun 12
1
[Bug 1261] New: nft trace crash with msg "BUG: invalid verdict value 2"
https://bugzilla.netfilter.org/show_bug.cgi?id=1261 Bug ID: 1261 Summary: nft trace crash with msg "BUG: invalid verdict value 2" Product: nftables Version: unspecified Hardware: All OS: All Status: NEW Severity: normal Priority: P5 Component: nft Assignee: pablo at netfilter.org Repor...
2012 Apr 25
1
forwarding packets to service in same host without using loopback network
...stdout); return id; } static int cb (struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *data) { uint32_t ip_src, ip_dst; struct in_addr s_ip; struct in_addr d_ip; uint16_t src_port; uint16_t dst_port; int verdict; int id; int ret; unsigned char *buffer; struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr (nfa); if (ph) { id = ntohl (ph->packet_id); printf ("received packet with id %d", id); } ret = nfq_get_payload (nfa...
2020 Sep 23
1
[Bug 1471] New: consider quick accept verdict and delayed drop policy
https://bugzilla.netfilter.org/show_bug.cgi?id=1471 Bug ID: 1471 Summary: consider quick accept verdict and delayed drop policy Product: nftables Version: unspecified Hardware: x86_64 OS: All Status: NEW Severity: enhancement Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporte...
2023 Apr 14
5
[Bug 1673] New: bug egress hook virtio interface with VLAN
...0000 0000 0000 0000 ........ nft monitor : trace id 195bb0a6 netdev filter egress packet: oif "enp6s19.100" @nh,0,320 0xe5050000401194a000000000ffffffff00440043013486f501010600f97b4c020000000000000000 trace id 195bb0a6 netdev filter egress rule meta nftrace set 1 (verdict continue) trace id 195bb0a6 netdev filter egress rule log group 30 (verdict continue) trace id 195bb0a6 netdev filter egress verdict continue trace id 195bb0a6 netdev filter egress policy accept With E1000, captured packet : tcpdump: verbose output suppressed, use -v[v]... for full protocol deco...
2023 Apr 14
3
[Bug 1672] New: bug egress hook virtio interface with VLAN
...0000 0000 0000 0000 ........ nft monitor : trace id 195bb0a6 netdev filter egress packet: oif "enp6s19.100" @nh,0,320 0xe5050000401194a000000000ffffffff00440043013486f501010600f97b4c020000000000000000 trace id 195bb0a6 netdev filter egress rule meta nftrace set 1 (verdict continue) trace id 195bb0a6 netdev filter egress rule log group 30 (verdict continue) trace id 195bb0a6 netdev filter egress verdict continue trace id 195bb0a6 netdev filter egress policy accept With E1000, captured packet : tcpdump: verbose output suppressed, use -v[v]... for full protocol deco...
2015 Dec 01
3
[PATCH 0/2] Do not use the "red zone" on EFI
On Sun, Nov 29, 2015 at 06:15:11AM +0200 > > Thank you for the replies. I do appreciate it. > I appreciate a verdict/judgement/decision on patches.
2019 Jul 24
4
[Bug 1356] New: adding element to map inverts byte order
...e: x86_64 OS: Debian GNU/Linux Status: NEW Severity: normal Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: c.marquis at viapass.com Hi, i noticed a byte order inversion while adding an element to a verdict map, as following: > nft add element ip filter ok { 0x00000045: jump go } produces: > map ok { > type mark : verdict > elements = { 0x45000000 : jump go } > } (version: both nftables and libnftnl from last commit on this day 24 July 2019 - 11h40 AM) -- You are receivi...
2011 Mar 07
2
[Bug 708] New: Some accepted packets get lost
....5.1.53 > 10.3.5.8.38047: 41247 1/3/3 A 12.34.123.210 (157) 13:29:21.774174 IP 10.3.5.1.53 > 10.3.5.8.38047: 12691 0/1/0 (94) * Using a queue ('tcpdump -ni eth0 udp port 53' and queue manager on the same terminal): 01) 20:08:00.486366: recv returned 108 02) 20:08:00.486566: setting verdict : accept the packet... 03) 20:08:00.486614 IP 10.3.5.8.46938 > 10.3.5.1.53: 51146+ A? www.mydomain.net. (35) 04) 20:08:00.487193 IP 10.3.5.1.53 > 10.3.5.8.46938: 51146 1/3/3 A 12.34.123.210 (157) 05) 20:08:00.586723: recv returned 108 06) 20:08:00.586789: setting verdict : accept the packet.....
2016 Oct 28
2
[Bug 1096] New: Kernel oops when inserting an element into a map
...ttachment 485 --> https://bugzilla.netfilter.org/attachment.cgi?id=485&action=edit dmesg log from kernel oops The following ruleset, when loaded with 'nft -f bad.txt', results in a kernel oops: ----snip---- flush ruleset table ip inlinenat { map sourcemap { type ipv4_addr : verdict; } chain postrouting { ip saddr vmap @sourcemap accept } } add chain inlinenat test add element inlinenat sourcemap { 100.123.10.2 : jump test } ----snip---- If the element and chain are inserted as part of the table statement everything works: ----snip---- flush ruleset table ip inlin...
2020 Mar 12
3
[Bug 1413] New: Inconsistent EBUSY errors when adding a duplicate element to a map
...Reporter: anton.aksola at upcloud.com OS: Debian GNU/Linux 10 (Buster) Kernel: 4.19.0-8-amd64 This works every time: # nft -f - << EOF flush ruleset add table ip filter add chain ip filter forward { type filter hook forward priority 0; policy accept; } add map ip filter foo { type ifname : verdict; } add rule ip filter forward iifname vmap @foo add element ip filter foo { "dummy0" : accept } add element ip filter foo { "dummy0" : accept } EOF While these do not: # nft -f - << EOF flush ruleset add table ip filter add chain ip filter forward { type filter hook forwa...
2020 Jan 07
4
[Bug 1396] New: When rule with 3 concat elements are added, nft list shows only 2
...: All Status: NEW Severity: critical Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: sbezverk at cisco.com table ip ipv4table { map cluster-ip-services-set { type inet_proto . ipv4_addr . inet_service : verdict } chain k8s-nat-mark-masq { ip protocol . ip daddr vmap @cluster-ip-services-set } chain k8s-nat-do-mark-masq { meta mark set 0x00004000 return } } the command to add rule to k8s-nat-mark-masq chain is: sudo nft add rule ipv4table k8s-nat-mark-masq ip protoc...
2006 Feb 11
5
acts_as_taggable : plugin vs gem
Googling for acts_as_taggable is a little confusing: gem, plugin?! What are the differences? Which one to choose? Where is the best doc? Alain
2014 Dec 16
0
[ANNOUNCE] nftables 0.4 release
...ime tradeoff, eg. optimize memory: # nft add set filter set1 { type ipv4_addr ; policy memory ; } Or optimize performance: # nft add set filter set1 { type ipv4_addr ; policy performance ; } You can also use this in maps: # nft add map filter map1 { type ipv4_addr : verdict ; policy performance ; } And indicate the expected size to assist the set selection routine: # nft add set filter set1 { type ipv4_addr ; size 1024 ; } * Complete reject support (available for ip, ip6 and inet since 3.14. bridge support and the icmpx abstraction since 3.18)....
2020 Jan 08
3
Phabricator -> GitHub PRs?
What was the verdict? Any plans to move? I hate coding anything knowing that I'll have to use Phabricator. It's like nails on a chalkboard. -bw On Tue, Jan 7, 2020 at 4:13 PM Finkel, Hal J. <hfinkel at anl.gov> wrote: > > On 1/7/20 6:03 PM, Bill Wendling via llvm-dev wrote: > > Now that we&...
2009 Nov 10
12
Will pv-ops dom0-patched kernel be eventually merged into Linus Torvalds' mainline Linux kernel tree?
After reading the following articles, it doesn't sound very hopeful for Xen. [1] Xen vs. KVM: Verdict still out on dueling hypervisors http://searchdatacenter.techtarget.com/news/article/0,289142,sid80_gci1368664,00.html [2] Xen vs. KVM Linux virtualization hypervisors http://searchservervirtualization.techtarget.com/generic/0,295582,sid94_gci1371226,00.html [3] Xen vs. KVM: The Linux Foundation’...