1. 06 May, 2018 3 commits
    • 
      netfilter: ip6t_srh: extend SRH matching for previous, next and last SID · c1c7e44b
      Ahmed Abdelsalam authored
      IPv6 Segment Routing Header (SRH) contains a list of SIDs to be crossed
      by an SR encapsulated packet. Each SID is encoded as an IPv6 prefix.
      
      When a Firewall receives an SR encapsulated packet, it should be able
      to identify which node previously processed the packet (previous SID),
      which node is going to process the packet next (next SID), and which
      node is the last to process the packet (last SID), which represents the
      final destination of the packet in case of inline SR mode.
      
      An example use-case of these features could be a SID list that
      includes two firewalls. When the second firewall receives a packet,
      it can check whether the packet has been processed by the first firewall
      or not. Based on that check, it decides to apply all rules, apply just a
      subset of the rules, or totally skip all rules and forward the packet to
      the next SID.
      
      This patch extends SRH match to support matching previous SID, next SID,
      and last SID.
      Signed-off-by: Ahmed Abdelsalam <amsalam20@gmail.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • 
      netfilter: nft_numgen: enable hashing of one element · 75e72f05
      Laura Garcia Liebana authored
      The modulus in the hash function was limited to > 1 as initially
      there was no sense in creating a hash of just one element.
      
      Nevertheless, there are certain cases, especially for load balancing,
      where this case needs to be addressed.
      
      This patch fixes the following error.
      
      Error: Could not process rule: Numerical result out of range
      add rule ip nftlb lb01 dnat to jhash ip saddr mod 1 map { 0: 192.168.0.10 }
      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      
      The solution is to force the hash to 0 when the modulus is 1.
      Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
    • 
      netfilter: nft_numgen: add map lookups for numgen statements · d734a288
      Laura Garcia Liebana authored
      This patch includes a new attribute in the numgen structure to allow
      the lookup of an element based on the number generator as a key.
      
      For this purpose, different ops have been included to extend the
      current numgen inc functions.
      
      Currently, this is only supported for numgen incremental operations, but
      it will be supported for random in a follow-up patch.
      Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  2. 26 Apr, 2018 6 commits
  3. 24 Apr, 2018 27 commits
  4. 21 Apr, 2018 3 commits
  5. 19 Apr, 2018 1 commit