Shannon Wynter | 21 Apr 06:50 2014

ipset suggestion, idle-timeout


I would love to have an "idle timeout" for ipset

It would essentially work like the regular timeout, removing the entry 
from the set, but only if there have been no matches on the entry for the duration of the 

Add a match for for 300 seconds.
If there is a match on at 250 seconds then the timer is reset.
If there is no match on for 300 then the entry is removed

I wouldn't mind having a look at this myself but don't really know the 
first thing about NF and I've already gotten lost in the source.
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo <at>
More majordomo info at

mathieu.poirier | 21 Apr 02:58 2014

[RESEND PATCH 1/2] Extend accounting capabilities to support quotas

From: Mathieu Poirier <mathieu.poirier <at>>

The accounting framework already supports accounting at the
quota and byte level.  As such it is a natural extension to
add a ceiling limit to those metrics.

Signed-off-by: Mathieu Poirier <mathieu.poirier <at>>
 include/libnetfilter_acct/libnetfilter_acct.h |  2 +
 include/linux/netfilter/nfnetlink.h           |  4 ++
 include/linux/netfilter/nfnetlink_acct.h      |  9 ++++
 src/libnetfilter_acct.c                       | 67 +++++++++++++++++++++++++--
 4 files changed, 78 insertions(+), 4 deletions(-)

diff --git a/include/libnetfilter_acct/libnetfilter_acct.h b/include/libnetfilter_acct/libnetfilter_acct.h
index b00e366..c6ed858 100644
--- a/include/libnetfilter_acct/libnetfilter_acct.h
+++ b/include/libnetfilter_acct/libnetfilter_acct.h
 <at>  <at>  -14,6 +14,8  <at>  <at>  enum nfacct_attr_type {

 struct nfacct *nfacct_alloc(void);
diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
index 4a4efaf..d3e0ea8 100644
--- a/include/linux/netfilter/nfnetlink.h

mathieu.poirier | 21 Apr 02:57 2014

[RESEND PATCH v2] netfilter: nfnetlink_acct: Adding quota support to accounting framework

From: Mathieu Poirier <mathieu.poirier <at>>

Nf_acct objects already support accounting at the byte and packet
level.  As such it is a natural extension to add the possibility to
define a ceiling limit for both metrics.

All the support for quotas itself is added to nfnetlink accounting
framework to stay coherent with current accounting object management.
Quota limit checks are implemented in xt nfacct filter where
statistic collection is already done.

Pablo Neira Ayuso has also contributed to this feature.

Signed-off-by: Mathieu Poirier <mathieu.poirier <at>>
Changes for v2:
- Moved 'smp_mb__before_clear_bit()' before 'if' condition.
- Fixed erroneous variable declaration.
- Optimized return statement in 'nfacct_mt()'.
 include/linux/netfilter/nfnetlink_acct.h      |  8 ++-
 include/uapi/linux/netfilter/nfnetlink.h      |  2 +
 include/uapi/linux/netfilter/nfnetlink_acct.h |  9 +++
 net/netfilter/nfnetlink_acct.c                | 86 +++++++++++++++++++++++++++
 net/netfilter/xt_nfacct.c                     |  5 +-
 5 files changed, 108 insertions(+), 2 deletions(-)

diff --git a/include/linux/netfilter/nfnetlink_acct.h b/include/linux/netfilter/nfnetlink_acct.h
index b2e85e5..6ec9757 100644
--- a/include/linux/netfilter/nfnetlink_acct.h

Simon Horman | 21 Apr 02:16 2014

[GIT PULL nf-next] IPVS Updates for v3.16

Hi Pablo,

please consider the following updates for IPVS for v3.16.

It consists of a format string fix from Masanari Iida.

The following changes since commit 6125c94e6972fca79214809a43eb60e27feff3ee:

  netfilter: nft_ct: split nft_ct_init() into two functions for get/set (2014-03-30 13:31:44 +0200)

are available in the git repository at:

  git:// tags/ipvs-for-v3.16

for you to fetch changes up to 9c55bfa9373b4b44c32f0e844923a0e6c607056d:

  netfilter: Fix format string mismatch in ip_vs_proto_name() (2014-04-03 10:35:35 +0900)

IPVS Updates for v3.16

* Format string fix from Masanari Iida

Masanari Iida (1):
      netfilter: Fix format string mismatch in ip_vs_proto_name()

 net/netfilter/ipvs/ip_vs_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Donovan | 17 Apr 23:25 2014

additional conntrack feature


We are writing Proof Of Concept (POC) code to export (send) enhanced 
NetFlow based on conntrack events. We've added some new minimal 
functionality to the kernel socket and netfilter-conntrack code. This 
provides new information in the events as can be viewed by the conntrack 

We would like to send NetFlow based on the conntrack events and were 
wondering where to place such functionality. We would like such NetFlow 
to be sent by a service or daemon and we would like for this 
functionality to become open source. We have some questions:

- Would it be acceptable to enhance conntrack-tools to send this NetFlow?
- Like for instance placing it in the conntrackd daemon?
- Or would it be OK to provide a new program alongside conntrack and 
conntrackd or the conntrack-tools to do this?

Getting the kernel changes committed is one matter but they are 
pointless without a user-space program to make use of the conntrack 
events and send the NetFlow which is our final aim. We did also think of 
potentially adding such code to the existing flow-tools suite 
(  but it 
feels odd that such flow-tool code will rely on conntrack events.


Pablo Neira Ayuso | 17 Apr 13:09 2014

[ANNOUNCE] libnftnl 1.0.1 release


The Netfilter project proudly presents:

        libnftnl 1.0.1

libnftnl is a userspace library providing a low-level netlink
programming interface (API) to the in-kernel nf_tables subsystem. The
library libnftnl has been previously known as libnftables. This
library is currently used by the nft command line tool.

This release comes with new features available in 3.14 and fixes.
See ChangeLog that comes attached to this email for more details.

You can download it from:

Have fun!

Ana Rey (9):
      tests: Use getopt_long to parse the command-line arguments.
      xml, json: Delete a cmpdata label in xml and json file
      xml, json: Delete an immediatedate label in xml and json file
      tests: New tools to update xml and json testfiles
      tests: Add support to check a json or xml testfile
      tests: Fix a memory leak
      target, match: Fix an invalid read

Arturo Borrero Gonzalez | 16 Apr 18:43 2014

[nft PATCH v2 8/8] src: add events reporting

This patch adds a basic events reporting option to nft.

The syntax is:
 % nft monitor [new|destroy] [tables|chains|rules|sets|elements] [xml|json]

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez <at>>
v2: Move code to libnftnl. Allow multiple set_elem in a single event.
    Rename functions. Rename options to [new|destroy].
    Handle chain/table updates.
 include/mnl.h     |    3 
 include/netlink.h |   10 +
 include/rule.h    |    6 +
 src/evaluate.c    |    1 
 src/mnl.c         |   10 +
 src/netlink.c     |  547 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 src/parser.y      |   90 ++++++++-
 src/rule.c        |   89 +++++++++
 src/scanner.l     |    5 
 9 files changed, 755 insertions(+), 6 deletions(-)

diff --git a/include/mnl.h b/include/mnl.h
index f4de27d..ece7ee7 100644
--- a/include/mnl.h
+++ b/include/mnl.h
 <at>  <at>  -67,4 +67,7  <at>  <at>  int mnl_nft_setelem_get(struct mnl_socket *nf_sock, struct nft_set *nls);

 struct nft_ruleset *mnl_nft_ruleset_dump(struct mnl_socket *nf_sock,
 					 uint32_t family);
+int mnl_nft_event_listener(struct mnl_socket *nf_sock,

Arturo Borrero Gonzalez | 16 Apr 18:10 2014

[PATCH] build: delete useless characters

There are a lot of '-e' that seem useless in the build system.

Previous to this patch:
  -e CC		src/evaluate.c
  -e CC		src/expression.c
  -e CC		src/proto.c

With this patch:
  CC		src/evaluate.c
  CC		src/expression.c
  CC		src/proto.c

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez <at>>
--- |   20 ++++++++++----------
 doc/   |    4 ++--
 files/ |    2 +-
 3 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/ b/
index 6a00916..53ba7e9 100644
--- a/
+++ b/
 <at>  <at>  -12,16 +12,16  <at>  <at>  configure:
 			sh configure


Arturo Borrero Gonzalez | 16 Apr 14:46 2014

nftables v0.2 doesn't build with libnftnl v1.0.0

Hi there!

nftables v0.2 needs the latest libnftnl to build.

When using libnftnl v1.0.0 I get:

src/netlink.c: In function ‘alloc_nft_rule’:
src/netlink.c:124:3: warning: implicit declaration of function
‘nft_rule_attr_set_data’ [-Wimplicit-function-declaration]
src/netlink.c:124:31: error: ‘NFT_RULE_ATTR_USERDATA’ undeclared
(first use in this function)
src/netlink.c:124:31: note: each undeclared identifier is reported
only once for each function it appears in

Would you please release a new version of libnftnl?

thanks, regards.


Arturo Borrero González

Ana Rey | 16 Apr 09:19 2014

[iptables PATCH] extensions: udp: add translation to nft

Some examples:

 $ sudo iptables-translate -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
add rule ip filter INPUT iifname eth0 udp sport 53 counter accept

 $ sudo ./iptables-translate -A OUTPUT -p udp -o eth0 --dport 53:66 -j DROP
add rule ip filter OUTPUT oifname eth0 udp dport 53-66 counter drop

 $ sudo ./iptables-translate -I OUTPUT -p udp -d -j ACCEPT
nft insert rule ip filter OUTPUT ip protocol udp ip daddr counter accept

Signed-off-by: Ana Rey <anarey <at>>
 extensions/libxt_udp.c | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/extensions/libxt_udp.c b/extensions/libxt_udp.c
index b9f39ee..f3532ef 100644
--- a/extensions/libxt_udp.c
+++ b/extensions/libxt_udp.c
 <at>  <at>  -152,6 +152,39  <at>  <at>  static void udp_save(const void *ip, const struct xt_entry_match *match)

+static int udp_xlate(const struct xt_entry_match *match, struct xt_buf *buf)
+	const struct xt_udp *udpinfo = (struct xt_udp *)match->data;
+	if (udpinfo->spts[0] != 0 || udpinfo->spts[1] != 0xFFFF) {
+		if (udpinfo->spts[0] != udpinfo->spts[1])
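
Review bot: the cast on the declaration line `const struct xt_udp *udpinfo = (struct xt_udp *)match->data;` strips the const qualifier from `match->data` only to store the result in a const pointer; cast to `(const struct xt_udp *)match->data` so the qualifier is kept. Two smaller points on the same lines: the `static int udp_xlate(...)` signature is followed directly by that declaration with no opening `{`, so check that the brace was only lost in the mail rendering and is present in the patch; and the visible check `udpinfo->spts[0] != 0 || udpinfo->spts[1] != 0xFFFF` handles the full-range default correctly, but nothing shown consults `udpinfo->invflags`, so make sure the rest of the function emits `!=` for `! --sport` / `! --dport` rules rather than silently dropping the negation.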
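
A small translator for the rule shapes in the examples above, as an added example (it is not libxt_udp.c and not the project's code): it applies the same port decision the patch makes in `udp_xlate`, skipping the default full range, writing a range as `lo-hi` and a single port bare, and it names the protocol as `ip protocol udp` only when no port match is left to imply it, as in the third example. The `!` handling, the `-s`/`-d` and `-i`/`-o` support and the `nft` prefix on every output line (the post shows it only on the third) are my assumptions; the address 192.0.2.1 is constructed.

```python
"""Added example: translate 'iptables -p udp ...' rules into nft syntax.

Constructed for this thread; it is not libxt_udp.c and only models the rule
shapes shown in the post: -A/-I <chain>, -i/-o, -s/-d, --sport/--dport with an
optional leading '!', and -j <verdict>.
"""
import shlex

COMMANDS = {"-A": "add", "-I": "insert"}
VERDICTS = {"ACCEPT": "accept", "DROP": "drop", "REJECT": "reject"}
FULL_RANGE = (0, 0xFFFF)  # xt_udp's default when no port option is given


def parse_ports(spec):
    """iptables port spec -> (lo, hi), as xt_udp stores spts/dpts: '53' -> (53, 53),
    '53:66' -> (53, 66); an open end of a range defaults to 0 or 65535."""
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        lo, hi = (int(lo) if lo else 0), (int(hi) if hi else 0xFFFF)
    else:
        lo = hi = int(spec)
    if not 0 <= lo <= hi <= 0xFFFF:
        raise ValueError(f"bad port spec: {spec}")
    return lo, hi


def xlate_ports(field, lo, hi, invert=False):
    """Same decision as the patch's udp_xlate: the full range matches every
    packet and emits nothing; otherwise a range becomes 'lo-hi' and a single
    port is written bare. Inversion ('!') is my addition: nft writes '!='."""
    if (lo, hi) == FULL_RANGE:
        return None
    op = "!= " if invert else ""
    ports = f"{lo}" if lo == hi else f"{lo}-{hi}"
    return f"udp {field} {op}{ports}"


def translate(rule, table="filter"):
    """Translate one iptables rule (the arguments after 'iptables') to an nft command."""
    argv = shlex.split(rule) if isinstance(rule, str) else list(rule)
    cmd = chain = proto = verdict = None
    iface = {}   # 'iifname' / 'oifname' -> interface, in command-line order
    addrs = {}   # 'saddr' / 'daddr' -> address
    l4 = []      # udp port expressions
    i = 0
    while i < len(argv):
        tok, invert = argv[i], False
        if tok == "!":                      # iptables negation precedes the option
            invert, i = True, i + 1
            if i >= len(argv):
                raise ValueError("'!' needs an option")
            tok = argv[i]
        if i + 1 >= len(argv):
            raise ValueError(f"{tok} needs an argument")
        arg = argv[i + 1]
        if tok in COMMANDS:
            cmd, chain = COMMANDS[tok], arg
        elif tok == "-p":
            proto = arg
        elif tok == "-i":
            iface["iifname"] = arg
        elif tok == "-o":
            iface["oifname"] = arg
        elif tok == "-s":
            addrs["saddr"] = arg
        elif tok == "-d":
            addrs["daddr"] = arg
        elif tok in ("--sport", "--dport"):
            expr = xlate_ports(tok[2:], *parse_ports(arg), invert=invert)
            if expr:
                l4.append(expr)
            invert = False
        elif tok == "-j":
            verdict = VERDICTS[arg]
        else:
            raise ValueError(f"unsupported option: {tok}")
        if invert:
            raise ValueError(f"'!' is only handled for port options, not {tok}")
        i += 2
    if proto != "udp" or cmd is None or verdict is None:
        raise ValueError("need -A/-I <chain>, -p udp and -j <verdict>")

    parts = [f"nft {cmd} rule ip {table} {chain}"]
    parts += [f"{k} {v}" for k, v in iface.items()]
    if not l4:
        # No port match is left to imply the protocol, so name it explicitly
        # (the post's third example: 'ip protocol udp ip daddr ... counter accept').
        parts.append("ip protocol udp")
    parts += [f"ip {k} {v}" for k, v in addrs.items()]
    parts += l4
    parts.append(f"counter {verdict}")
    return " ".join(parts)


if __name__ == "__main__":
    for r in ("-A INPUT -p udp -i eth0 --sport 53 -j ACCEPT",
              "-A OUTPUT -p udp -o eth0 --dport 53:66 -j DROP",
              "-I OUTPUT -p udp -d 192.0.2.1 -j ACCEPT",
              "-A INPUT -p udp ! --dport 53 -j DROP"):
        print(f"{r}\n  -> {translate(r)}")
```

The `ip protocol udp` branch is the part worth reading: a rule with `-p udp` and no port option would otherwise translate to a bare `counter accept` that matches every protocol, which is a silent widening of the rule rather than a syntax error.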

isabelle | 15 Apr 21:47 2014

spende /Donation

If I wanted to send you this message, it is not simply by chance. It is because your e-mail address was selected by the electronic robot secured by my WX.7AR BW.
First of all I would like to apologise for this intrusion into your life, although I admit that it is very important to me. I am Isabelle Vasudev. I have been suffering from throat cancer for more than three and a half years now and, unfortunately, my doctor has just informed me that I am completely incurable and that my days are numbered because of my somewhat degraded condition. I am a widow and I have no child, which I am beginning to regret.
Indeed, the reason I am contacting you is that I want to donate part of my estate, because I have nobody who could inherit it. I have sold almost everything I own, including a company exporting timber, rubber and steel in Africa, where I have now lived for more than 10 years. A large part of the money raised has been paid to various humanitarian associations all over the world, but especially here in Africa.
As for the rest of the sum, exactly 750,000.00 euros (seven hundred and fifty thousand euros) in a blocked employee account, my last wish would be to donate it to you, so that you can invest it in your line of business and above all in humanitarian work. I am fully aware of what I intend to do, and I think that, despite the fact that we do not know each other, you will put this sum to good use. I ask you to please accept this inheritance, without however asking anything in return, other than always thinking of doing good to those around you, which I have not done in my own existence.
That said, reassured that it will fall to a responsible person and above all one of good faith, I would ask you to please contact me as quickly as possible so that I can give you further explanation of the reasons for my gesture and of how things will proceed. Please contact me as soon as possible if you accept my offer.
May God be with you!
I ask you to contact me at my personal e-mail address:
Isabelle.claude654 <at>
May the peace and mercy of God be with you.
Mrs Isabelle
