Sergei Zhirikov | 20 Sep 16:20 2014

Bug: ipset-6.22 broken with dynamic modules


I have just tried building ipset-6.22 and encountered this issue. When
configured with --enable-settype-modules --with-settype-modules-list=all the
build succeeds, but what it produces is unusable, because the modules
require several symbols that are not exported from As far as I
can tell, those missing symbols are the five functions introduced with the
commit c1dd8442aac6cadb29110f763f23cafc63135a79 (libipset: Add userspace
code for the skbinfo extension support).


To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo <at>
More majordomo info at

Ken-ichirou MATSUZAWA | 20 Sep 08:05 2014

[PATCH libmnl] socket: creating a struct mnl_socket from a pre-existing socket

This patch defines a new function mnl_socket_fdopen() which
creates a struct mnl_socket object from a pre-existing netlink
socket obtained from another process. For now I am thinking of the socket
being obtained from a child process via sendmsg()/recvmsg().

Signed-off-by: Ken-ichirou MATSUZAWA <chamas <at>>
 include/libmnl/libmnl.h |  1 +
 src/          |  1 +
 src/socket.c            | 20 ++++++++++++++++++++
 3 files changed, 22 insertions(+)

diff --git a/include/libmnl/libmnl.h b/include/libmnl/libmnl.h
index 223709c..0de6678 100644
--- a/include/libmnl/libmnl.h
+++ b/include/libmnl/libmnl.h
 <at>  <at>  -22,6 +22,7  <at>  <at>  extern "C" {
 struct mnl_socket;

 extern struct mnl_socket *mnl_socket_open(int type);
+extern struct mnl_socket *mnl_socket_fdopen(int fd);
 extern int mnl_socket_bind(struct mnl_socket *nl, unsigned int groups, pid_t pid);
 extern int mnl_socket_close(struct mnl_socket *nl);
 extern int mnl_socket_get_fd(const struct mnl_socket *nl);
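Review bot: mnl_socket_fdopen() takes a bare int, and the description says the descriptor comes from another process, so the constructor in src/socket.c should confirm the fd really is an AF_NETLINK socket (for example via getsockname() and a check of the returned address family) and fail with errno set otherwise, instead of wrapping whatever it is handed. The prototype is also added without a comment saying whether the new object takes ownership of the fd, i.e. whether mnl_socket_close() will close it; a caller passing in a descriptor it still shares needs to know that.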
diff --git a/src/ b/src/
index dbc332e..1ea8b8e 100644
--- a/src/
+++ b/src/
 <at>  <at>  -71,4 +71,5  <at>  <at>  local: *;


Rob Jones | 19 Sep 12:27 2014

[PATCH] net/netfilter/x_tables.c: use __seq_open_private()

Reduce boilerplate code by using __seq_open_private() instead of seq_open()
in xt_match_open() and xt_target_open().

Signed-off-by: Rob Jones <rob.jones <at>>

This patch uses an existing variant of seq_open() to reduce the kernel code

The only significant variation from the pre-existing code is the fact that
__seq_open_private() calls kzalloc() rather than kmalloc(), which could
conceivably have an impact on timing.

** I am sending this to the developers' list now. I failed to transcribe
the full cc list output by, mea culpa, mea maxima culpa **

 net/netfilter/x_tables.c |   30 ++++--------------------------
 1 file changed, 4 insertions(+), 26 deletions(-)

diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 227aa11..89aa680 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
 <at>  <at>  -1137,22 +1137,11  <at>  <at>  static const struct seq_operations xt_match_seq_ops = {

 static int xt_match_open(struct inode *inode, struct file *file)
-	struct seq_file *seq;
 	struct nf_mttg_trav *trav;
-	int ret;
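Review bot: the removed `struct seq_file *seq;` and `int ret;` locals show the open/allocate/unwind sequence being folded into __seq_open_private(), but the hunk is cut off before the replacement, so the new error path is not visible; since __seq_open_private() frees its own private allocation when seq_open() fails, the description should state that the callers' manual cleanup on that path goes away, not only that boilerplate was reduced. On the kzalloc() remark in the cover text: zeroing a struct nf_mttg_trav costs nothing measurable, and the statement a reviewer actually needs is that the old code initialised every field it later read, so the extra zeroing cannot change behaviour.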

Pablo Neira Ayuso | 19 Sep 11:54 2014

[HEADS UP] maintenance downtime


Please expect downtime by Friday, 26th September. We
have scheduled several maintenance tasks by that time.

We'll send you a short notice once we're done with it.

Sorry for the inconvenience.

Arturo Borrero Gonzalez | 19 Sep 11:49 2014

[nft] the -nnn switch


The -nnn switch in nftables is IMO a bit annoying.
We are bound to use that switch in every serious usage of nft.

Let me recall the current behaviour:

 -n      -> don't translate IP addresses to names.
 -nn     -> also, don't translate gids/uids to names.
 -nnn    -> also, don't translate port numbers to names.
 default -> translate all numbers to names.

I propose here that before nftables goes absolutely mainstream we
change the behaviour to the opposite:

 -n      -> translate IP addresses to names.
 -nn     -> translate gids/uids to names.
 -nnn    -> translate port numbers to names.
 default -> show all numerically.

What do you think?



Arturo Borrero González

Stig Thormodsrud | 19 Sep 01:04 2014

ipset save issue

I know the max group name length is 32 characters, but I'm running
into a problem with "save" if the group name is 29 characters.  For

ubnt <at> ERL:~$ sudo ipset create  A234567890123456789 bitmap:port range 1-65535
ubnt <at> ERL:~$ sudo ipset add  A234567890123456789 4512-65535
ubnt <at> ERL:~$ sudo ipset save  A234567890123456789 > file
ipset v6.21.1: Internal error at printing to output buffer
ubnt <at> ERL:~$

But if I change it to 28 characters it works:

ubnt <at> ERL:~$ sudo ipset create  A23456789012345678 bitmap:port range 1-65535
ubnt <at> ERL:~$ sudo ipset add A23456789012345678 4512-65535
ubnt <at> ERL:~$ sudo ipset save A23456789012345678 > file
ubnt <at> ERL:~$
ubnt <at> ERL:~$ sudo ipset -V
ipset v6.21.1, protocol version: 6


Arturo Borrero Gonzalez | 18 Sep 20:18 2014

[nf_tables 1/3] netfilter: nf_tables: store and dump sets mechanism options

The sets mechanism options were not being stored anywhere.

We want to know in which cases the user explicitly set the mechanism
options. In that case, we also want to dump back the info.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez <at>>
 include/net/netfilter/nf_tables.h |   12 +++++++++++
 net/netfilter/nf_tables_api.c     |   42 +++++++++++++++++++++++++++----------
 2 files changed, 43 insertions(+), 11 deletions(-)

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index c4d8619..a9c6387 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
 <at>  <at>  -231,6 +231,14  <at>  <at>  struct nft_set_ops {
 int nft_register_set(struct nft_set_ops *ops);
 void nft_unregister_set(struct nft_set_ops *ops);

+/* internal flags to know which attributes were originally set
+ * from userspace.
+ */
+enum nft_set_attr {
  * 	struct nft_set - nf_tables set instance
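Review bot: the comment on `enum nft_set_attr` describes a set of internal flags used to remember which attributes came from userspace, but the member list is cut off here; if the values are meant to be OR-ed together into one field, the enumerators need distinct bit values (1 << n) rather than the default sequence 0, 1, 2, and a name ending in `_flags` would keep it from reading like the UAPI netlink attribute enum for sets.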

Ana Rey | 18 Sep 13:06 2014

[PATCH] extensions: libxt_devgroup: Fix the path of the mappings file

Use "/etc/iproute2/group" like the path of the mapping file instead of

Signed-off-by: Ana Rey <anarey <at>>
 extensions/libxt_devgroup.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/extensions/libxt_devgroup.c b/extensions/libxt_devgroup.c
index 4a69c82..fb1fcb5 100644
--- a/extensions/libxt_devgroup.c
+++ b/extensions/libxt_devgroup.c
 <at>  <at>  -31,12 +31,12  <at>  <at>  static const struct xt_option_entry devgroup_opts[] = {

-/* array of devgroups from /etc/iproute2/group_map */
+/* array of devgroups from /etc/iproute2/group */
 static struct xtables_lmap *devgroups;

 static void devgroup_init(struct xt_entry_match *match)
-	const char file[] = "/etc/iproute2/group_map";
+	const char file[] = "/etc/iproute2/group";
 	devgroups = xtables_lmap_init(file);
 	if (devgroups == NULL && errno != ENOENT)
 		fprintf(stderr, "Warning: %s: %s\n", file, strerror(errno));

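Review bot: the path is spelled out twice in this hunk, once in the comment and once in the `file[]` initialiser, so the next rename has to touch both lines again; defining it once (a macro, or simply dropping the comment and letting the string speak for itself) makes that a one-line change. Keeping the warning only for errno != ENOENT is right: an unreadable mapping file deserves a message, a missing one is the normal case.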


Ana Rey | 18 Sep 12:39 2014

[v3 nft 0/7] tests: Automated regression testing

This is a new version of the automated regression testing of nftables.

There is no infrastructure to allow us to check all options/features in
nft. So, if anyone sends a patch, we cannot check if it breaks something.

I send in this patchset the nftables automated regression tests. It
contains a python script ( and a set of test files.

This allows us to check the rule input given to the nft tool on the
command line against the output the nft tool produces for this rule. Then it
automatically compares whether the rule input matches the rule output.

We also have plans to add automated regression testing in the packet
path in the future, which should come in a follow up step.

Comments welcome, thanks

[Changes in v3]
 * I fixed the signal handlers for when Ctrl+C is pressed repeatedly.
 * I added the output_clean function. This function improves the parsing of
   the rules shown by nft.

Ana Rey (7):
  tests: Add automated regression testing
  tests: Add ip folder with test files
  tests: Add ip6 folder with test files.
  tests: Add inet folder with test files.
  tests: Add arp folder with test files.
  tests: Add bridge folder with test files.
  tests: Add any folder with test files.

Marcelo Ricardo Leitner | 17 Sep 18:22 2014

Conntrack TW->SS in Reply direction


Any reason why we don't allow the TW->SS state change in the reply direction? It is
currently marked that way (since forever, it seems) in a comment:
  *  sTW -> sIV  Reopened connection, but server may not do it.

That is true, but only if the server role is never swapped between hosts, and I
don't see it violating any spec by allowing it..

Thing is, there is this application that needs a connection as a callback on a
specified port range. This application is used between 2 servers, using
conntrack and only allowing in new connections and their (related) packets.
There will be a moment when the port that once was the server for the callback
will now originate a callback to the other server.

As the Linux stack uses a TIME_WAIT timeout of 1 min and conntrack one of 2 min, there
will be a moment at which the port selection allows using a port that, for
conntrack, is still not allowed...

Reducing conntrack's TIME_WAIT timeout is more complicated because it may
restrain compatibility with other implementations, but allowing TW->SS
imposes no harm?

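The timing gap described in the message above, as an added model that is not part of the original post and not netfilter or kernel code. It uses only the two figures the message gives (the stack's TIME_WAIT of 60 s, conntrack's of 120 s) and a two-row subset of the conntrack TCP state table; the hosts, addresses and ports are constructed, and the `allow_tw_ss_reply` flag models the proposed change. The model shows the window in which the originating stack already permits the port to be reused while conntrack still holds the old entry in sTW and therefore flags the callback SYN, which arrives in the reply direction, as INVALID.

```python
"""Constructed model of the TIME_WAIT mismatch between the Linux TCP stack
and conntrack (illustration only; not netfilter code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port), constructed sample values below

# Timeouts named in the message: the stack keeps a port in TIME_WAIT for
# 60 s, conntrack keeps a TCP entry in TIME_WAIT for 120 s.
STACK_TIME_WAIT = 60
CT_TIME_WAIT = 120

ORIGINAL, REPLY = "original", "reply"


@dataclass
class CtEntry:
    src: Endpoint        # original-direction source
    dst: Endpoint        # original-direction destination
    state: str           # conntrack TCP state name, e.g. "sTW"
    expires_at: float


def next_state_on_syn(state: str, direction: str, allow_tw_ss_reply: bool) -> str:
    """Subset of the conntrack TCP state table for an incoming SYN.
    Current kernel: sTW -> sSS only in the original direction; in the reply
    direction the row is sIV (packet is INVALID). The flag models allowing
    sTW -> sSS in the reply direction as well."""
    if state != "sTW":
        return "sIV"  # other rows are out of scope for this model
    if direction == ORIGINAL or allow_tw_ss_reply:
        return "sSS"
    return "sIV"


def lookup(table: List[CtEntry], src: Endpoint, dst: Endpoint, now: float):
    """Find a live entry matching the tuple in either direction."""
    for e in table:
        if e.expires_at <= now:
            continue  # timed out; conntrack would have garbage-collected it
        if (e.src, e.dst) == (src, dst):
            return e, ORIGINAL
        if (e.src, e.dst) == (dst, src):
            return e, REPLY
    return None, None


def handle_syn(table: List[CtEntry], now: float, src: Endpoint, dst: Endpoint,
               allow_tw_ss_reply: bool = False) -> str:
    """Verdict for a SYN: NEW (no entry), REOPENED (sTW -> sSS) or INVALID."""
    entry, direction = lookup(table, src, dst, now)
    if entry is None:
        table.append(CtEntry(src, dst, "sSS", now + CT_TIME_WAIT))
        return "NEW"
    new_state = next_state_on_syn(entry.state, direction, allow_tw_ss_reply)
    if new_state == "sIV":
        return "INVALID"
    entry.state = new_state
    return "REOPENED"


def callback_outcome(t_callback: float, allow_tw_ss_reply: bool = False) -> str:
    """Host A connected from A:40000 to B:5000 and the connection closed at
    t=0, leaving conntrack in sTW. At t_callback, B originates a callback from
    B:5000 to A:40000, i.e. the reply direction of the old entry."""
    a, b = ("10.0.0.1", 40000), ("10.0.0.2", 5000)   # constructed addresses
    table = [CtEntry(a, b, "sTW", expires_at=0 + CT_TIME_WAIT)]
    if t_callback < STACK_TIME_WAIT:
        return "PORT_IN_TIME_WAIT"  # B's own stack will not reuse the port yet
    return handle_syn(table, t_callback, b, a, allow_tw_ss_reply)


def blackout_window(allow_tw_ss_reply: bool = False) -> Optional[Tuple[int, int]]:
    """[start, end) seconds after close during which the stack permits the
    callback but conntrack marks its SYN INVALID, found by probing each second."""
    bad = [t for t in range(0, CT_TIME_WAIT + 10)
           if callback_outcome(t, allow_tw_ss_reply) == "INVALID"]
    return (bad[0], bad[-1] + 1) if bad else None


if __name__ == "__main__":
    for t in (30, 70, 130):
        print(t, callback_outcome(t), callback_outcome(t, allow_tw_ss_reply=True))
    print("blackout (current table):", blackout_window())
    print("blackout (TW->SS allowed in reply):", blackout_window(True))
```

With the current table the model reports a blackout of [60, 120) seconds after the close: the stack releases the port at 60 s, conntrack keeps the entry until 120 s, and every callback SYN in between is INVALID and dropped by a ruleset that only accepts new and related traffic. With the proposed row the same SYN reopens the entry as sSS and the window disappears. The model deliberately ignores which side was the active closer and the rest of the state table, so it shows the shape of the problem rather than the exact kernel behaviour.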


Patrick McHardy | 17 Sep 15:26 2014

[PATCH] parser: compact log level grammar

Put rule and action on a single line as for other simple mappings.

Signed-off-by: Patrick McHardy <kaber <at>>
 src/parser.y | 40 ++++++++--------------------------------
 1 file changed, 8 insertions(+), 32 deletions(-)

diff --git a/src/parser.y b/src/parser.y
index 653c764..be3b2e9 100644
--- a/src/parser.y
+++ b/src/parser.y
 <at>  <at>  -1316,38 +1316,14  <at>  <at>  log_arg			:	PREFIX			string

-level_type		:	LEVEL_EMERG
-			{
-				$$ = LOG_EMERG;
-			}
-			{
-				$$ = LOG_ALERT;
-			}
-			{
-				$$ = LOG_CRIT;
-			}
-			{
-				$$ = LOG_ERR;
(Continue reading)