Toralf Förster | 1 Aug 20:12 2014

what is the default value of /proc/sys/net/netfilter/nf_conntrack_helper ?

The doc in states:

nf_conntrack_helper - BOOLEAN
        0 - disabled
        not 0 - enabled (default)

        Enable automatic conntrack helper assignment.

but is that still true?



To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo <at>
More majordomo info at
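The question above asks what a kernel ships as the default; the following added example (mine, not from this thread or from the netfilter project) reads the live value instead and shows the configuration that makes the default irrelevant. It assumes the sysctl path quoted in the question and the iptables CT target (`-t raw ... -j CT --helper NAME`), which attaches a helper only to the flows a rule selects rather than to every flow that happens to hit a helper's well-known port; the helper's module (nf_conntrack_ftp, for instance) must be loaded for the name to resolve, and the helper/port map used in the demonstration is constructed. Later kernels changed this default to 0 and eventually removed the sysctl altogether, which is why a missing file is reported as a state of its own rather than treated as an error.

```python
"""Added example, not from the thread or the netfilter project: check the live
value of the knob asked about and generate the explicit helper assignment that
makes the default irrelevant.

Assumptions (this example's, not the page's): the sysctl path quoted in the
question, and the iptables CT target (`-t raw ... -j CT --helper NAME`), which
attaches a helper only to the flows a rule selects.
"""
from pathlib import Path

SYSCTL_PATH = Path("/proc/sys/net/netfilter/nf_conntrack_helper")
SYSCTL_NAME = "net.netfilter.nf_conntrack_helper"


def parse_helper_sysctl(raw):
    """Apply the documented semantics: 0 is disabled, anything non-zero is enabled."""
    return "disabled" if int(raw.strip()) == 0 else "enabled"


def helper_auto_assign_state(path=SYSCTL_PATH):
    """Return 'enabled', 'disabled' or 'absent' for the running kernel.

    'absent' covers a kernel without the knob (later kernels dropped it) and a
    host where nf_conntrack is not loaded; in both cases nothing is being
    auto-assigned through this sysctl.
    """
    try:
        return parse_helper_sysctl(Path(path).read_text())
    except (OSError, ValueError):
        return "absent"


def explicit_helper_rules(wanted):
    """Build the commands that pin each helper to its own service port.

    `wanted` maps helper name -> (proto, port). Returns the sysctl write that
    turns automatic assignment off, followed by one raw-table CT rule per
    helper. The helper's module (e.g. nf_conntrack_ftp) must be loaded when
    the rule is installed or the CT target cannot resolve the name.
    """
    rules = [f"sysctl -w {SYSCTL_NAME}=0"]
    for helper, (proto, port) in sorted(wanted.items()):
        if proto not in ("tcp", "udp"):
            raise ValueError(f"{helper}: helper ports are tcp or udp, not {proto!r}")
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"{helper}: port {port!r} out of range")
        rules.append(
            f"iptables -t raw -A PREROUTING -p {proto} --dport {port} "
            f"-j CT --helper {helper}"
        )
    return rules


if __name__ == "__main__":
    print(f"automatic helper assignment: {helper_auto_assign_state()}")
    # constructed helper/port map for the demonstration
    for cmd in explicit_helper_rules({"ftp": ("tcp", 21), "tftp": ("udp", 69)}):
        print(cmd)
```

Run it as root to see the live value; the rule list is printed rather than applied, so it can be reviewed before being handed to a shell.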

Pablo Neira Ayuso | 1 Aug 18:40 2014

[PATCH 0/3] Netfilter/IPVS fixes for net

Hi David,

The following patchset contains Netfilter/IPVS fixes for your net tree,
they are:

1) Maintain all DSCP and ECN bits for IPv6 tun forwarding. This
   resolves an inconsistency between IPv4 and IPv6 behaviour.
   Patch from Alex Gartrell via Simon Horman.

2) Fix unnoticeable blink in xt_LED when the led-always-blink option is
   used, from Jiri Prchal.

3) Add missing return in nft_del_setelem(), otherwise this results in a
   double call of nft_data_uninit() in the nf_tables code, from Thomas Graf.

You can pull these changes from:

The following changes since commit 2627b7e15c5064ddd5e578e4efd948d48d531a3f:

  ipvs: avoid netns exit crash on ip_vs_conn_drop_conntrack (2014-07-16 09:39:28 +0900)

are available in the git repository at:

  git:// master

Thomas Graf | 1 Aug 17:25 2014

[PATCH] nftables: Avoid duplicate call to nft_data_uninit() for same key

nft_del_setelem() currently calls nft_data_uninit() twice on the same
key. Once to release the key which is guaranteed to be NFT_DATA_VALUE
and a second time in the error path to which it falls through.

The second call has been harmless so far though because the type
passed is always NFT_DATA_VALUE which is currently a no-op.

Signed-off-by: Thomas Graf <tgraf <at>>
 net/netfilter/nf_tables_api.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 8746ff9..b35ba83 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
 <at>  <at>  -3218,6 +3218,7  <at>  <at>  static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
 	if (set->flags & NFT_SET_MAP)
 		nft_data_uninit(&, set->dtype);

+	return 0;
 	nft_data_uninit(&elem.key, desc.type);



Pablo Neira Ayuso | 31 Jul 21:26 2014

[PATCH 0/9] Netfilter updates for net-next

Hi David,

The following patchset contains netfilter updates for net-next, they are:

1) Add the reject expression for the nf_tables bridge family, this
   allows us to send explicit reject (TCP RST / ICMP dest unreach) to
   the packets matching a rule.

2) Simplify and consolidate the nf_tables set dumping logic. This uses
   netlink control->data to filter out depending on the request.

3) Perform garbage collection in xt_hashlimit using a workqueue instead
   of a timer, which is problematic when many entries are in place in
   the tables, from Eric Dumazet.

4) Remove leftover code from the removed ulog target support, from
   Paul Bolle.

5) Dump unmodified flags in the netfilter packet accounting when resetting
   counters, so userspace knows that a counter was in overquota situation,
   from Alexey Perevalov.

6) Fix wrong usage of the bitwise functions in nfnetlink_acct, also from

7) Fix a crash when adding new set element with an empty NFTA_SET_ELEM_LIST

This patchset also includes a couple of cleanups for xt_LED from
Duan Jiong and for nf_conntrack_ipv4 (using coccinelle) from

Pablo Neira Ayuso | 31 Jul 20:38 2014

[PATCH nf-next] netfilter: don't use mutex_lock_interruptible()

Eric Dumazet reports that getsockopt() or setsockopt() sometimes
returns -EINTR instead of -ENOPROTOOPT, causing headaches to
application developers.

This patch replaces all the mutex_lock_interruptible() by mutex_lock()
in the netfilter tree, as there is no reason we should sleep for a
long time there.

Reported-by: Eric Dumazet <edumazet <at>>
Suggested-by: Patrick McHardy <kaber <at>>
Signed-off-by: Pablo Neira Ayuso <pablo <at>>
 net/bridge/netfilter/ebtables.c |   10 ++-------
 net/netfilter/core.c            |   11 ++-------
 net/netfilter/ipvs/ip_vs_ctl.c  |   19 ++++------------
 net/netfilter/nf_sockopt.c      |    8 ++-----
 net/netfilter/x_tables.c        |   47 ++++++++++-----------------------------
 5 files changed, 22 insertions(+), 73 deletions(-)

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 1059ed3..6d69631 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
 <at>  <at>  -327,10 +327,7  <at>  <at>  find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
 	} *e;

-	*error = mutex_lock_interruptible(mutex);
-	if (*error != 0)
-		return NULL;
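Review bot: removing `*error = mutex_lock_interruptible(mutex);` and the `return NULL` after it means `*error` is no longer written on the lock path; ebtables callers tell the NULL returns of find_inlist_lock_noload() apart by reading `*error`, so the not-found path, which lies beyond the lines shown, must still set it itself, and the replacement `mutex_lock(mutex);` should appear where this copy is cut off. It would also help to state in the commit message that setsockopt()/getsockopt() callers can now block uninterruptibly while another task holds the table mutex, since that is the trade-off behind "no reason we should sleep for a long time there".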

Yuxuan Shui | 31 Jul 18:40 2014

[PATCH] nftables: Add a flags attribute for lookup operator

So that we could modify the behaviour of the lookup operator using

The only flag available now is a negation flag which negates the result
of lookup operation.

v2: Rename the flags, reorder members in struct nft_lookup, check
for invalid flags.

v3: Fix checking for invalid flags.

v4: Fix macro naming.

Signed-off-by: Yuxuan Shui <yshuiv7 <at>>
 include/uapi/linux/netfilter/nf_tables.h | 10 ++++++++++
 net/netfilter/nft_lookup.c               | 22 +++++++++++++++++++---
 2 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index d41880f..9e6617e 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
 <at>  <at>  -479,6 +479,15  <at>  <at>  enum nft_cmp_attributes {
 #define NFTA_CMP_MAX		(__NFTA_CMP_MAX - 1)

+ * enum nft_lookup_flags - flags for nft_lookup operator
+ *
+ *  <at> NFT_LOOKUP_F_NEG: negate the result
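Review bot: the kernel-doc block for `enum nft_lookup_flags` is shown starting at `+ * enum nft_lookup_flags - flags for nft_lookup operator` with no `/**` opener in this copy, so check that the opener is really in the patch or the documentation tooling will skip the enum. Since these flag bits are UAPI, nft_lookup's init should reject any bit other than `NFT_LOOKUP_F_NEG` with -EINVAL, so that a newer userspace asking for a flag this kernel lacks gets an error rather than a rule that silently ignores it; the v2/v3 changelog says such a check was added, but it lives in the nft_lookup.c hunk, which this copy cuts off before.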

Ana Rey | 31 Jul 11:08 2014

[PATCH 0/6] tests: Automated regression testing

This is the automated regression testing of nftables.

In all development it is important to have a good system that lets us
check all features in our tools automatically. In nftables, there are
no automated tests to check this so far.

There is no system to let us check all options/features in nft. So,
if anyone sends a patch, we cannot check the whole nft tool automatically.
It's impossible to check if anything is broken, or if a change adds a failure
to the system, or fixes a problem in all cases.

I send in this patchset the nftables automated regression tests. It
contains a python script ( and a set of test files.

This lets us check the input of rules to the nft tool from the command line
and the output from the nft tool for this rule. Then, it compares whether the
rule input matches the rule output automatically. And, the most
important thing: it does it automatically.

We also have plans to add automated regression testing in the packet
path in the future, which should come in a follow up step.

Comments welcome, thanks

Ana Rey (6):
  [nft] tests: Add Automated regression testing
  [nft] tests: Add ip6 folder with test files.
  [nft] tests: Add inet folder with test files.
  [nft] tests: Add any folder with test files.
  [nft] tests: Add arp folder with test files.
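As an added example (not code from the patchset, whose script is not reproduced on this page), here is a minimal version of the input-vs-output comparison the cover letter describes, in the Python the cover letter says the harness uses. The `rule;ok`, `rule;ok;expected` and `rule;fail` test-file format, the scratch table and chain names, the `--real` switch and the FAKE_NFT table are this example's own assumptions: `nft_runner` drives the real nft binary and needs root, while `fake_nft_runner` stands in for it so the block runs offline. The third field is the detail worth noticing: nft prints a rule back in its canonical form, so a harness that compares raw text would report spurious failures.

```python
"""Added example, not part of Ana Rey's patchset: a minimal rule input-vs-output
regression check of the kind the cover letter describes.

Assumed test-file format (this example's own, not the patchset's): one test per
line, `rule;ok`, `rule;ok;expected output` or `rule;fail`. The third field exists
because nft prints a rule back in canonical form, so what comes out need not
equal what went in byte for byte.
"""
import shlex
import subprocess


def parse_tests(text):
    """Turn a test file into (rule, expect_ok, expected_output) triples."""
    tests = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) < 2 or fields[1] not in ("ok", "fail"):
            raise ValueError(f"line {lineno}: malformed test {line!r}")
        rule = fields[0]
        if fields[1] == "fail":
            tests.append((rule, False, None))
        else:
            expected = fields[2] if len(fields) > 2 and fields[2] else rule
            tests.append((rule, True, expected))
    return tests


def normalize(rule):
    """Collapse whitespace so only token differences count as a mismatch."""
    return " ".join(rule.split())


def nft_runner(rule, family="ip", table="regress", chain="c"):
    """Load `rule` into a scratch chain with the real nft binary (needs root).
    Returns (accepted, printed_rule); the scratch table is deleted afterwards."""
    subprocess.run(["nft", "add", "table", family, table], check=True)
    subprocess.run(["nft", "add", "chain", family, table, chain], check=True)
    try:
        add = subprocess.run(
            ["nft", "add", "rule", family, table, chain] + shlex.split(rule),
            capture_output=True, text=True,
        )
        if add.returncode != 0:
            return False, None
        listing = subprocess.run(
            ["nft", "list", "chain", family, table, chain],
            capture_output=True, text=True, check=True,
        ).stdout
        # keep only rule lines: drop the table/chain headers and closing braces
        body = [l.strip() for l in listing.splitlines()]
        rules = [l for l in body if l and not l.endswith("{") and l != "}"]
        return True, (rules[0] if rules else None)
    finally:
        subprocess.run(["nft", "delete", "table", family, table], check=True)


def run_tests(tests, runner):
    """Run each test through `runner(rule) -> (accepted, printed)` and return
    one (rule, verdict, detail) per test."""
    results = []
    for rule, expect_ok, expected in tests:
        accepted, printed = runner(rule)
        if expect_ok and not accepted:
            results.append((rule, "FAIL", "rejected but expected to load"))
        elif not expect_ok and accepted:
            results.append((rule, "FAIL", "accepted but expected to be rejected"))
        elif expect_ok and normalize(printed or "") != normalize(expected):
            results.append((rule, "FAIL", f"printed {printed!r}, expected {expected!r}"))
        else:
            results.append((rule, "OK", ""))
    return results


# Constructed stand-in for nft so the example runs offline: rules it "accepts"
# map to the canonical text nft would print back; anything else is rejected.
FAKE_NFT = {
    "tcp dport 22": "tcp dport 22",
    "tcp dport {22,80}": "tcp dport { 22, 80 }",
    "ip saddr 10.0.0.1": "ip saddr 10.0.0.1",
}


def fake_nft_runner(rule):
    printed = FAKE_NFT.get(normalize(rule))
    return printed is not None, printed


# Constructed sample test file; the last line is deliberately wrong.
SAMPLE_TESTS = """\
tcp dport 22;ok
tcp dport {22,80};ok;tcp dport { 22, 80 }
tcp dport 70000;fail
ip saddr 10.0.0.1;ok;ip saddr 10.0.0.2
"""

if __name__ == "__main__":
    import sys
    runner = nft_runner if "--real" in sys.argv else fake_nft_runner
    for rule, verdict, detail in run_tests(parse_tests(SAMPLE_TESTS), runner):
        print(f"{verdict:4} {rule}" + (f"  ({detail})" if detail else ""))
```

Run the file directly for the offline demonstration (the last constructed test reports FAIL on purpose), or pass `--real` on a host with nft and root to exercise the real binary against the same sample.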

Alexey Perevalov | 30 Jul 17:25 2014

[PATCH] Fix overquota output result

This patch fixes the client side of the nfacct report.
For details, see the kernel patches in the "fixes for NFACCT_F_OVERQUOTA usage" thread.
After this fix, kernel bugs became visible.

Alexey Perevalov (1):
  Fix overquota output result

 src/libnetfilter_acct.c |   22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)




Alexey Perevalov | 30 Jul 17:17 2014

[PATCH 0/2] fixes for NFACCT_F_OVERQUOTA usage

Hello Pablo,

I chose a straightforward approach and used bitwise operators instead of
bit helper functions.

Also I found some inconsistency in report after reset for overquota.

This patch set was based on commit 5a7439efd1c5c416f768fc550048ca130cf4bf99
(dated Jul 25 20:08:13 2014, a little bit updated :)

Alexey Perevalov (2):
  netfilter: nfnetlink_acct: avoid using NFACCT_F_OVERQUOTA with bit
    helper functions
  netfilter: nfnetlink_acct: dump unmodified nfacct flags

 net/netfilter/nfnetlink_acct.c |   12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)




Willem de Bruijn | 30 Jul 00:19 2014

[PATCH nf-next] include: add linux/filter.h

xt_bpf.h includes linux/filter.h for the definition of sock_filter.
Add that file to the repository.

Signed-off-by: Willem de Bruijn <willemb <at>>
 include/linux/filter.h | 139 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 139 insertions(+)
 create mode 100644 include/linux/filter.h

diff --git a/include/linux/filter.h b/include/linux/filter.h
new file mode 100644
index 0000000..a9ae93c
--- /dev/null
+++ b/include/linux/filter.h
 <at>  <at>  -0,0 +1,139  <at>  <at> 
+ * Linux Socket Filter Data Structures
+ */
+#ifndef __LINUX_FILTER_H__
+#define __LINUX_FILTER_H__
+#include <linux/types.h>
+ * Current version of the filter code architecture.
+ */
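Review bot: this is a copy of a kernel header, and the visible lines give neither the kernel release it was taken from nor its license text (the first comment shows up here as `* Linux Socket Filter Data Structures` without a `/*` opener); record the source version in the commit message or at the top of the file so the copy can be re-synced later, and keep the license header intact. As xt_bpf.h only needs `struct sock_filter`, the copy should be the UAPI variant of the header, which the `#include <linux/types.h>` line is consistent with; a copy of the kernel-internal include/linux/filter.h would pull kernel-only BPF declarations into a userspace build.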
