This patch introduces deletion in a similar fashion to iptables, so we
can delete the first rule that matches our description, for example:
$ nft list -a ruleset
table ip t {
chain c {
ip saddr 1.1.1.1 counter packets 0 bytes 0 # handle
This patch implements the function 'bool nftnl_rule_cmp(const struct
nftnl_rule *r, const struct nftnl_rule *r2)' for rule comparison.
Expressions within rules need to be compared, so the function
'nftnl_expr_cmp' has also been created, which calls a new field within
'nftnl_expr_': a function pointer
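The comparison described above (a generic rule comparison that walks the expression list and defers to a per-expression-type compare callback) as an added illustration; this is not libnftnl's code. The struct layout, the ops table, and the names `expr_ops`, `expr_cmp`, `rule_cmp` and `make_saddr_rule` are assumptions made for the example, and the sample rules are constructed inline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustration only (not libnftnl code): a rule is a list of expressions,
 * each expression type carries an ops table with a cmp callback, and the
 * generic rule comparison walks both lists in lockstep. Names assumed. */

struct expr;

struct expr_ops {
	const char *name;
	bool (*cmp)(const struct expr *a, const struct expr *b);
};

struct expr {
	const struct expr_ops *ops;
	const struct expr *next;
	uint32_t reg;        /* register the expression loads or reads */
	uint32_t key;        /* type-specific: meta key, cmp operator, ... */
	uint8_t data[16];    /* immediate data for cmp-like expressions */
	uint32_t len;        /* number of valid bytes in data */
};

/* Per-type comparators only look at the fields that type uses. */
static bool meta_cmp(const struct expr *a, const struct expr *b)
{
	return a->reg == b->reg && a->key == b->key;
}

static bool immediate_cmp(const struct expr *a, const struct expr *b)
{
	return a->reg == b->reg && a->key == b->key && a->len == b->len &&
	       memcmp(a->data, b->data, a->len) == 0;
}

static const struct expr_ops meta_ops = { "meta", meta_cmp };
static const struct expr_ops cmp_ops  = { "cmp",  immediate_cmp };

struct rule {
	const char *table;
	const char *chain;
	uint32_t family;
	const struct expr *exprs;
};

/* Equal only if both are the same type and that type's comparator agrees. */
bool expr_cmp(const struct expr *a, const struct expr *b)
{
	return a->ops == b->ops && a->ops->cmp(a, b);
}

bool rule_cmp(const struct rule *r1, const struct rule *r2)
{
	const struct expr *a = r1->exprs, *b = r2->exprs;

	if (r1->family != r2->family ||
	    strcmp(r1->table, r2->table) != 0 ||
	    strcmp(r1->chain, r2->chain) != 0)
		return false;

	/* Lists of different length leave exactly one pointer non-NULL. */
	while (a != NULL && b != NULL) {
		if (!expr_cmp(a, b))
			return false;
		a = a->next;
		b = b->next;
	}
	return a == NULL && b == NULL;
}

/* Constructed sample shaped like "ip saddr <addr>": a load expression
 * followed by an equality comparison against the 4 address bytes. */
void make_saddr_rule(struct expr e[2], struct rule *r, const char *chain,
		     uint32_t saddr)
{
	memset(e, 0, 2 * sizeof(*e));
	e[0].ops = &meta_ops;     /* stands in for the payload load */
	e[0].reg = 1;
	e[0].key = 12;            /* offset of saddr in the IPv4 header */
	e[0].next = &e[1];
	e[1].ops = &cmp_ops;
	e[1].reg = 1;
	e[1].key = 0;             /* equality */
	e[1].len = 4;
	e[1].data[0] = (uint8_t)(saddr >> 24);
	e[1].data[1] = (uint8_t)(saddr >> 16);
	e[1].data[2] = (uint8_t)(saddr >> 8);
	e[1].data[3] = (uint8_t)saddr;
	r->table = "filter";
	r->chain = chain;
	r->family = 2;            /* AF_INET */
	r->exprs = &e[0];
}

/* 0: identical rules; 1: address differs; 2: chain differs;
 * 3: second rule is one expression short. Returns rule_cmp()'s verdict. */
bool compare_variant(int variant)
{
	struct expr e1[2], e2[2];
	struct rule r1, r2;

	make_saddr_rule(e1, &r1, "input", 0x01010101u);
	make_saddr_rule(e2, &r2, "input", 0x01010101u);
	if (variant == 1)
		e2[1].data[3] = 2;        /* 1.1.1.2 instead of 1.1.1.1 */
	else if (variant == 2)
		r2.chain = "output";
	else if (variant == 3)
		e2[0].next = NULL;
	return rule_cmp(&r1, &r2);
}
```

The length check at the end of `rule_cmp` is the part worth copying: comparing only the common prefix of two expression lists would report a rule with an extra trailing expression as equal, and a delete-first-match operation built on that would remove the wrong rule.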
This patch separates the rule identification from the rule localization, so
the logic moves from the evaluator to the parser. This allows reverting the
patch "evaluate: improve rule managment checks"
(4176c7d30c2ff1b3f52468fc9c08b8df83f979a8) and saves a lot of code.
A specific error message is s
If I configure nftables via:
./configure --prefix=/usr
the connlabel path breaks due to a missing slash, so append this after
DEFAULT_INCLUDE_PATH.
Signed-off-by: Pablo Neira Ayuso
---
src/ct.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ct.c b/src/ct.c
index
Just like we do with other symbol tables.
Signed-off-by: Pablo Neira Ayuso
---
src/ct.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/src/ct.c b/src/ct.c
index f6b1dc1..f6018d8 100644
--- a/src/ct.c
+++ b/src/ct.c
@@ -164,6 +164,11 @@ static void __init ct_label_table_init(void)
Pablo Neira Ayuso wrote:
> If I configure nftables via:
>
> ./configure --prefix=/usr
>
> the connlabel path breaks due to a missing slash, so append this after
> DEFAULT_INCLUDE_PATH.
>
> Signed-off-by: Pablo Neira Ayuso
Acked-by: Florian Westphal
--
To unsubscribe from this list: send
Pablo Neira Ayuso wrote:
> Just like we do with other symbol tables.
>
> Signed-off-by: Pablo Neira Ayuso
Acked-by: Florian Westphal
Hi,
Recently I attempted to work on a new libipset program and also tried to
review something I wrote in the past (ssh-blocker). In order to find
some "best practices" or a reference manual, I went to:
http://ipset.netfilter.org/
but surprisingly, it has no developer resources even though it
Hi,
The following patchset is addressing part of the syntax issues that we
have discussed during the NFWS.
1) Quote user-defined strings from rule selectors. The current behaviour
is inconsistent since some selectors are quoting user-defined strings
and others do not, so let's quote them al
The following selectors display strings using quotes:
* meta iifname
* meta oifname
* meta ibriport
* meta obriport
However, the following do not:
* meta oif
* meta iif
* meta skuid
* meta skgid
* meta iifgroup
* meta oifgroup
* meta rtclassid
* ct label
Given they refer to user-defined values,
This is extra syntactic sugar to get this consistent with other
statements such as redirect, masquerade, dup and fwd that indicate
where to go.
Existing syntax is still preserved, but the listing shows the one
including 'to'.
Signed-off-by: Pablo Neira Ayuso
---
src/parser_bison.y
POSIX.1-2008 (which is simultaneously IEEE Std 1003.1-2008) says:
"The set of characters from which portable filenames are constructed.
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 . _ -"
On top of that it says:
"The
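An added example, not nft's own scanner or output code, tying together the two messages above: the quoting patchset (a listing where `ct label foo bar` is printed unquoted round-trips through `nft -f` as two tokens, not one) and the POSIX portable filename character set, used here as the test for "this value is safe to print bare". The function names `tokenize`, `is_portable_name` and `quote_user_string` are assumptions, as is the decision to refuse rather than escape embedded quotes (the xtables-translate thread below notes that `nft -f` cannot load escaped quotes).

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define TOKEN_MAX 32

/* Split a rule fragment on whitespace, treating "..." as one token with
 * the quotes removed. Returns the token count, or -1 on an unterminated
 * quote, an over-long token or too many tokens. Not nft's scanner. */
int tokenize(const char *line, char tokens[][TOKEN_MAX], int max_tokens)
{
	int n = 0;
	const char *p = line;

	while (*p != '\0') {
		size_t len = 0;
		bool quoted = false;

		if (*p == ' ' || *p == '\t') {
			p++;
			continue;
		}
		if (n == max_tokens)
			return -1;
		if (*p == '"') {
			quoted = true;
			p++;
		}
		while (*p != '\0' &&
		       (quoted ? *p != '"' : (*p != ' ' && *p != '\t'))) {
			if (len + 1 >= TOKEN_MAX)
				return -1;
			tokens[n][len++] = *p++;
		}
		if (quoted) {
			if (*p != '"')
				return -1;   /* unterminated quote */
			p++;
		}
		tokens[n][len] = '\0';
		n++;
	}
	return n;
}

/* The POSIX.1-2008 portable filename character set quoted above. */
static const char portable_chars[] =
	"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	"abcdefghijklmnopqrstuvwxyz"
	"0123456789._-";

/* True if s is non-empty and built only from portable characters. */
bool is_portable_name(const char *s)
{
	return *s != '\0' && s[strspn(s, portable_chars)] == '\0';
}

/* Emit "<s>" into out. A double quote, backslash or control character
 * in s is refused (-1) rather than escaped, so that what is printed can
 * be fed back to nft -f unchanged. Returns the number of bytes written. */
int quote_user_string(const char *s, char *out, size_t outlen)
{
	size_t n = strlen(s);

	for (size_t i = 0; i < n; i++) {
		unsigned char c = (unsigned char)s[i];
		if (c == '"' || c == '\\' || c < 0x20 || c == 0x7f)
			return -1;
	}
	if (outlen < n + 3)
		return -1;
	out[0] = '"';
	memcpy(out + 1, s, n);
	out[n + 1] = '"';
	out[n + 2] = '\0';
	return (int)(n + 2);
}

/* Small wrappers so the behaviour can be checked without buffers. */
int token_count(const char *line)
{
	char tok[8][TOKEN_MAX];
	return tokenize(line, tok, 8);
}

bool token_equals(const char *line, int idx, const char *want)
{
	char tok[8][TOKEN_MAX];
	int n = tokenize(line, tok, 8);
	return idx < n && strcmp(tok[idx], want) == 0;
}

bool quotes_to(const char *s, const char *want)
{
	char buf[64];
	return quote_user_string(s, buf, sizeof(buf)) >= 0 &&
	       strcmp(buf, want) == 0;
}
```

Run against the constructed inputs, `ct label foo bar` splits into four tokens while `ct label "foo bar"` gives three with the label intact, which is the round-trip breakage that quoting every user-defined string avoids; `is_portable_name()` accepts `eth0` and rejects `foo bar`.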
This patch adds the missing bits to scan and parse the meta priority
handle as expressed by tc classid major:minor syntax.
The :minor syntax is not supported for two reasons: major is always >= 1
and this clashes with port syntax in nat.
Here below, several examples of how to match the packet priorit
No need to print this in iptables CLASSIFY target format,
e.g. 0004:1230; this is unnecessarily large.
And always print major and minor numbers.
Signed-off-by: Pablo Neira Ayuso
---
src/meta.c | 9 +
1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/src/meta.c b/src/meta.c
ind
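The two messages above describe how a tc classid is scanned (hex `major:minor`, with the bare `:minor` form rejected) and how it is printed (both halves, without zero padding). This is an added example of that parse/print pair, not nft's scanner or `meta.c` code; the function names and the 16-bit split of the handle are assumptions, and the rejection of a zero major follows the statement above that major is always >= 1.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read up to four hex digits; -1 if there are none or more than four. */
static int parse_hex16(const char **sp, uint32_t *val)
{
	const char *s = *sp;
	uint32_t v = 0;
	int ndigits = 0;

	while (isxdigit((unsigned char)*s)) {
		int c = tolower((unsigned char)*s);
		v = v * 16 + (uint32_t)(isdigit(c) ? c - '0' : c - 'a' + 10);
		if (++ndigits > 4)
			return -1;
		s++;
	}
	if (ndigits == 0)
		return -1;
	*sp = s;
	*val = v;
	return 0;
}

/* Parse "major:minor" into a handle with major in the high 16 bits and
 * minor in the low 16 bits. Returns 0, or -1 for any malformed input.
 * ":minor" is rejected: major is always >= 1, and a leading colon would
 * clash with the nat port syntax. */
int parse_classid(const char *s, uint32_t *handle)
{
	uint32_t maj, min;

	if (s == NULL || parse_hex16(&s, &maj) < 0 || maj == 0)
		return -1;
	if (*s != ':')
		return -1;
	s++;
	if (parse_hex16(&s, &min) < 0 || *s != '\0')
		return -1;
	*handle = (maj << 16) | min;
	return 0;
}

/* Print "major:minor" without zero padding, always showing both parts,
 * so 0x00041230 becomes "4:1230" rather than CLASSIFY's "0004:1230". */
int format_classid(uint32_t handle, char *out, size_t outlen)
{
	return snprintf(out, outlen, "%x:%x",
			(unsigned)(handle >> 16), (unsigned)(handle & 0xffffu));
}

/* Wrappers for checks: 0 doubles as "invalid" since major 0 is refused. */
uint32_t classid_or_zero(const char *s)
{
	uint32_t h;
	return parse_classid(s, &h) == 0 ? h : 0;
}

bool classid_formats_to(uint32_t handle, const char *want)
{
	char buf[16];
	return format_classid(handle, buf, sizeof(buf)) > 0 &&
	       strcmp(buf, want) == 0;
}
```

The hand-rolled hex reader is deliberate: `strtoul(s, &end, 16)` would silently accept a leading `0x`, a sign and leading whitespace, none of which belong in a classid.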
This expression is not used anywhere in this scanner code.
Signed-off-by: Pablo Neira Ayuso
---
src/scanner.l | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/scanner.l b/src/scanner.l
index 6f497e8..b1420f3 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -110,7 +110,6 @@ digit
Use the colon port syntax for consistency with other statements.
Existing syntax is still preserved but the output displays the colon.
Signed-off-by: Pablo Neira Ayuso
---
src/parser_bison.y | 9 +
tests/py/ip/redirect.t | 24
tests
The statement:
dnat to 2001:838:35f:1:::80
is very confusing as it is not so easy to identify where the address ends
and the port starts. This is even harder to read with ranges.
So this patch adds square brackets, as in RFC 2732, to enclose the IPv6
address.
Signed-off-by: Pablo Neira Ayuso
---
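An added example, not nft's parser, of why the bracketed form matters: a resolver for a nat target string that accepts `[v6addr]:port`, `v4addr:port` and bare addresses, and treats an unbracketed IPv6 address followed by `:port` as what it is, ambiguous. The accepted grammar, the result codes and the function names are assumptions made for this example; the address validation is `inet_pton()` from libc.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Accepted forms (assumed for this example):
 *   [v6addr]:port or [v6addr]    RFC 2732 bracketed IPv6
 *   v4addr:port  or v4addr       dotted quad
 *   v6addr                       bare IPv6, never with a port
 * Unbracketed "v6addr:port" cannot be told apart from a bare address. */
enum nat_parse_result {
	NAT_OK = 0,
	NAT_ERR_SYNTAX = -1,     /* unbalanced bracket or trailing junk */
	NAT_ERR_AMBIGUOUS = -2,  /* unbracketed v6 that is not a valid address */
	NAT_ERR_ADDR = -3,       /* inet_pton rejected the address */
	NAT_ERR_PORT = -4,       /* port not a plain number in 1..65535 */
};

static int parse_port(const char *p, int *port)
{
	char *end;
	long v = strtol(p, &end, 10);

	if (*p < '0' || *p > '9' || *end != '\0' || v < 1 || v > 65535)
		return NAT_ERR_PORT;
	*port = (int)v;
	return NAT_OK;
}

int parse_nat_target(const char *s, char *addr, size_t addrlen, int *port)
{
	const char *a_end, *p = NULL;
	unsigned char bin[16];
	bool bare_v6 = false;
	int af = AF_INET;
	size_t n;

	*port = 0;
	if (*s == '[') {
		const char *close = strchr(++s, ']');
		if (close == NULL)
			return NAT_ERR_SYNTAX;
		a_end = close;
		af = AF_INET6;
		if (close[1] == ':')
			p = close + 2;
		else if (close[1] != '\0')
			return NAT_ERR_SYNTAX;
	} else {
		const char *first = strchr(s, ':');
		if (first == NULL) {
			a_end = s + strlen(s);
		} else if (first == strrchr(s, ':')) {
			a_end = first;            /* one colon: v4addr:port */
			p = first + 1;
		} else {
			a_end = s + strlen(s);    /* several colons: bare v6 */
			af = AF_INET6;
			bare_v6 = true;
		}
	}
	n = (size_t)(a_end - s);
	if (n == 0 || n >= addrlen)
		return NAT_ERR_SYNTAX;
	memcpy(addr, s, n);
	addr[n] = '\0';
	if (inet_pton(af, addr, bin) != 1)
		return bare_v6 ? NAT_ERR_AMBIGUOUS : NAT_ERR_ADDR;
	return p != NULL ? parse_port(p, port) : NAT_OK;
}

/* Wrappers for checks: the port on success, otherwise the error code;
 * and whether the parsed address equals want. */
int nat_target_port(const char *s)
{
	char addr[64];
	int port;
	int rc = parse_nat_target(s, addr, sizeof(addr), &port);
	return rc == NAT_OK ? port : rc;
}

bool nat_target_addr_is(const char *s, const char *want)
{
	char addr[64];
	int port;
	return parse_nat_target(s, addr, sizeof(addr), &port) == NAT_OK &&
	       strcmp(addr, want) == 0;
}
```

Two of the constructed inputs show the problem from the message: `2001:838:35f:1:::80` is rejected as ambiguous because `:::` is not valid IPv6, but `2001:838:35f:1::80` is a perfectly valid bare address and parses with no port at all, so a rule meant to send traffic to port 80 silently ends up without one. With brackets, `[2001:838:35f:1::]:80` is unambiguous.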
Signed-off-by: Pablo Neira Ayuso
---
include/datatype.h | 4 ++--
src/meta.c | 6 +++---
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/include/datatype.h b/include/datatype.h
index 3eb686e..12ec46b 100644
--- a/include/datatype.h
+++ b/include/datatype.h
@@ -27,7 +27,7 @@
:1:24-24: Error: syntax error, unexpected newline, expecting string or
QUOTED_STRING or ASTERISK_STRING
add rule x y log prefix
^
Signed-off-by: Pablo Neira Ayuso
---
src/parser_bison.y | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/parser_bis
On Sat, Aug 13, 2016 at 01:02:03AM +0200, Laura Garcia Liebana wrote:
> Support for the nft hash expression in libnftnl.
Applied, thanks Laura.
On Mon, Aug 15, 2016 at 12:03:19AM +0800, kbuild test robot wrote:
> Hi Laura,
>
> [auto build test ERROR on nf-next/master]
> [also build test ERROR on v4.8-rc1 next-20160812]
> [if your patch is applied to the wrong git tree, please drop us a note to
> help improve the system]
>
> url:
> h
On Wed, Aug 17, 2016 at 01:00:08PM +0200, Carlos Falgueras García wrote:
> This patch implements the function 'bool nftnl_rule_cmp(const struct
> nftnl_rule *r, const struct nftnl_rule *r2)' for rule comparison.
>
> Expressions within rules need to be compared, so also has been created the
> funct
On Tue, Aug 16, 2016 at 07:44:32PM +0200, Pablo M. Bermudo Garay wrote:
> The comment_xlate function was not supporting this option that is
> necessary in some situations.
I have applied what I'm attaching to this email, which is simpler
than this and makes sure the buffer is nul-terminated (given
On Tue, Aug 16, 2016 at 07:44:33PM +0200, Pablo M. Bermudo Garay wrote:
> If quotes are escaped, nft -f is unable to parse and load the translated
> ruleset.
>
> Signed-off-by: Pablo M. Bermudo Garay
> ---
> iptables/xtables-translate.c | 11 +++
> 1 file changed, 11 insertions(+)
>
> d
On Fri, Aug 12, 2016 at 06:00:07PM +0200, Phil Sutter wrote:
> This part of the code is pretty weird due to suboptimal variable name
> choice: 'data', 'len', 'datalen', 'data_len'.
>
> But even without understanding all of it, the code checking 'datalen - 1
> >= 0' assumes 'datalen - 1' may actual
On Fri, Aug 12, 2016 at 06:00:08PM +0200, Phil Sutter wrote:
> As netlink_get_register() may return NULL, we must not pass the returned
> data unchecked to expr_set_type() as that will dereference it. Since the
> parser has failed at that point anyway, by returning early we can skip
> the useless s
On Fri, Aug 12, 2016 at 06:00:09PM +0200, Phil Sutter wrote:
> When being called from stmt_evaluate_reset(), it seems that 'base' might
> actually be NULL, so better make sure it is not in proto_find_num().
I would suggest you address this from stmt_evaluate_reset().
On Fri, Aug 12, 2016 at 06:00:10PM +0200, Phil Sutter wrote:
> Looking at expr_evaluate_concat(), 'off' might be zero and the error
> checks not triggering (by having dtype != NULL and i->dtype->size > 0).
> Decrementing it will then lead to casting -1 to unsigned during the call
> to concat_subtyp
On Wed, Aug 17, 2016 at 01:00:09PM +0200, Carlos Falgueras García wrote:
> diff --git a/include/parser.h b/include/parser.h
> index 92beab2..41e5340 100644
> --- a/include/parser.h
> +++ b/include/parser.h
> @@ -27,6 +27,8 @@ struct parser_state {
>
> struct list_headcmds;
>
On Sun, Aug 14, 2016 at 01:59:01PM -0700, Kevin Cernekee wrote:
> clang treats "char buffer[size]" inside a union as VLAIS unless |size|
> is const:
>
> src/conntrack/api.c:992:8: error: fields must have a constant size: 'variable
> length array in structure' extension will never be supported
>
For non-IP traffic seen from the netdev family, set nft_pktinfo fields,
otherwise the value of these fields is garbage.
This patch sets transport protocol number to IPPROTO_RAW since 0 means
IPPROTO_IP, then zero transport and fragment offsets.
Reported-by: Florian Westphal
Signed-off-by: Pablo Neira
On Wed, Aug 17, 2016 at 05:14:59PM +0200, Pablo Neira Ayuso wrote:
> For non-IP traffic seen from the netdev family, set nft_pktinfo fields,
> otherwise the value of these fields is garbage.
Will send a v2. It seems we can leave the fields unset in bridge too for
non-IP traffic.
This should be a problem si
On Mon, Aug 15, 2016 at 09:50:35PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> We should skip the conntracks that belong to a different namespace,
> otherwise other unrelated netns's conntrack entries will be dumped via
> /proc/net/nf_conntrack.
Applied to nf, thanks.
On Sat, Aug 13, 2016 at 10:35:36PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> Since Commit 64b87639c9cb ("netfilter: conntrack: fix race between
> nf_conntrack proc read and hash resize") introduced the
> nf_conntrack_get_ht, so there's no need to check nf_conntrack_generation
> again and
On Sat, Aug 13, 2016 at 10:46:04PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> Otherwise, if nfnetlink_log.ko is not loaded, we cannot add rules
> to log packets to the userspace when we specify it with arp family,
> such as:
>
> # nft add rule arp filter input log group 0
> :1:1-37:
On Wed, 2016-08-17 at 08:42 -0700, Eric Dumazet wrote:
> On Wed, 2016-08-17 at 17:31 +0300, Denys Fedoryshchenko wrote:
> > Hi!
> >
> > Tried to run squid on latest kernel, and hit a panic
> > Sometimes it just shows warning in dmesg (but doesnt work properly)
> > [ 75.701666] IPv4: Attempt to r
On Sun, Aug 14, 2016 at 04:59:36PM +0200, Laura Garcia Liebana wrote:
> diff --git a/net/netfilter/nft_cmp.c b/net/netfilter/nft_cmp.c
> index e25b35d..ca247e5 100644
> --- a/net/netfilter/nft_cmp.c
> +++ b/net/netfilter/nft_cmp.c
> @@ -84,8 +84,11 @@ static int nft_cmp_init(const struct nft_ctx *c
I've got some questions about ulogd internals. I'm not sure this is
the right list, but I can't find another that would seem to be any
closer to the audience that I want to receive my questions.
If anyone knows where a list more directly involved with ulogd
developers is hosted, please point me at
Add support for the number generator expression in netfilter.
Signed-off-by: Laura Garcia Liebana
---
Changes in V4:
- Rename prandom state identifier
include/uapi/linux/netfilter/nf_tables.h | 25
net/netfilter/Kconfig| 6 +
net/netfilter/Makefile
On Wed, 2016-08-17 at 19:44 +0300, Denys Fedoryshchenko wrote:
> Yes, everything fine after patch!
> Thanks a lot
Perfect, thanks for testing, I am sending the official patch.
From: Eric Dumazet
inet_lookup_listener() and inet6_lookup_listener() no longer
take a reference on the found listener.
This minimal patch adds back the refcounting, but we might do
this differently in net-next later.
Fixes: 3b24d854cb35 ("tcp/dccp: do not touch listener sk_refcnt under synfloo
On 2016-08-17 19:04, Eric Dumazet wrote:
On Wed, 2016-08-17 at 08:42 -0700, Eric Dumazet wrote:
On Wed, 2016-08-17 at 17:31 +0300, Denys Fedoryshchenko wrote:
> Hi!
>
> Tried to run squid on latest kernel, and hit a panic
> Sometimes it just shows warning in dmesg (but doesnt work properly)
> [
On Sat, Aug 13, 2016 at 11:13:02PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> We should report the over quota message to the right net namespace
> instead of the init netns.
Also applied, thanks.
On Sat, Aug 13, 2016 at 11:13:01PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> Suppose that we input the following commands at first:
> # nfacct add test
> # iptables -A INPUT -m nfacct --nfacct-name test
>
> And now "test" acct's refcnt is 2, but later when we try to delete the
> "t
On Thu, Aug 11, 2016 at 04:00:37PM +0200, Josue Alvarez wrote:
> Hi,
>
> I tried to play a little bit with the quota features of the extended
> accounting infrastructure.
> However, it seemed that the quotas were not registered when creating the
> accounting objects.
>
> Example :
> # nfacct add
On Thu, Aug 18, 2016 at 12:26:34AM +0200, Pablo Neira Ayuso wrote:
> On Sat, Aug 13, 2016 at 11:13:01PM +0800, Liping Zhang wrote:
> > From: Liping Zhang
> >
> > Suppose that we input the following commands at first:
> > # nfacct add test
> > # iptables -A INPUT -m nfacct --nfacct-name test
>
On Wed, Aug 17, 2016 at 09:56:46AM -0700, Eric Dumazet wrote:
> From: Eric Dumazet
>
> inet_lookup_listener() and inet6_lookup_listener() no longer
> take a reference on the found listener.
>
> This minimal patch adds back the refcounting, but we might do
> this differently in net-next later.
A
Mostly cosmetic changes, see below.
On Wed, Aug 17, 2016 at 06:44:48PM +0200, Laura Garcia Liebana wrote:
> diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
> index 6913454..81f22c3 100644
> --- a/net/netfilter/Makefile
> +++ b/net/netfilter/Makefile
> @@ -80,6 +80,7 @@ obj-$(CONFIG_NF
This patch adds the quota expression. This new stateful expression
integrates easily into the dynset expression to build 'hashquota' flow
tables.
Arguably, we could use "counter bytes > 1000" instead, but this
approach has several problems:
1) We only support one single stateful expres
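The per-key "hashquota" idea above, as an added example in user-space C; this is not the kernel's nft_quota or nft_dynset code. The table, its hash, the "over"/"until" match semantics (match once the key's byte count exceeds the limit, or match only while it has not), and the behaviour on a full table are all assumptions made for this example, and the traffic is constructed inline.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define QUOTA_SLOTS 64

struct quota_entry {
	bool used;
	uint32_t key;
	uint64_t consumed;
};

struct quota_table {
	uint64_t limit;      /* bytes allowed per key */
	bool match_over;     /* true: match once over quota; false: match until */
	struct quota_entry slots[QUOTA_SLOTS];
};

void quota_table_init(struct quota_table *t, uint64_t limit, bool match_over)
{
	memset(t, 0, sizeof(*t));
	t->limit = limit;
	t->match_over = match_over;
}

/* Find the entry for key, adding it on first sight when add is set (the
 * dynset "add" step). Open addressing with linear probing; the
 * multiplicative hash is an arbitrary choice. NULL if the table is full. */
static struct quota_entry *quota_lookup(struct quota_table *t, uint32_t key,
					bool add)
{
	uint32_t h = (key * 2654435761u) % QUOTA_SLOTS;

	for (int i = 0; i < QUOTA_SLOTS; i++) {
		struct quota_entry *e = &t->slots[(h + i) % QUOTA_SLOTS];
		if (e->used && e->key == key)
			return e;
		if (!e->used) {
			if (!add)
				return NULL;
			e->used = true;
			e->key = key;
			e->consumed = 0;
			return e;
		}
	}
	return NULL;
}

/* Account len bytes to key and report whether the rule matches this
 * packet. A full table yields no match, so failing to allocate state
 * does not by itself trigger the rule's action (a policy choice). */
bool quota_eval(struct quota_table *t, uint32_t key, uint32_t len)
{
	struct quota_entry *e = quota_lookup(t, key, true);
	bool over;

	if (e == NULL)
		return false;
	e->consumed += len;
	over = e->consumed > t->limit;
	return t->match_over ? over : !over;
}

uint64_t quota_consumed(struct quota_table *t, uint32_t key)
{
	struct quota_entry *e = quota_lookup(t, key, false);
	return e != NULL ? e->consumed : 0;
}

/* Constructed scenario: a 1000-byte quota per source. 10.0.0.1 sends one
 * 600-byte packet, then 10.0.0.2 sends three. Returns how many of the
 * second source's packets matched; the first source's state is separate. */
int demo_quota(bool match_over)
{
	struct quota_table t;
	int matched = 0;

	quota_table_init(&t, 1000, match_over);
	quota_eval(&t, 0x0a000001u, 600);
	for (int i = 0; i < 3; i++)
		matched += quota_eval(&t, 0x0a000002u, 600);
	return matched;
}
```

In "over" mode the second source's packets go 600, 1200, 1800 bytes, so the second and third match while the first source, still at 600, is untouched; in "until" mode only the first packet matches. A single shared `counter` could not give that per-key answer, which is the point of pairing the stateful expression with dynset.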
Hi Kevin,
Let me comment on this to make sure I follow.
On Tue, Aug 16, 2016 at 09:51:00PM -0700, Kevin Cernekee wrote:
> Hi,
>
> I am trying to extend the ssdp user helper in conntrackd to handle
> event subscriptions on a UPnP control point. The flow looks like
> this:
>
> 1) Outbound multic
track_ipv4.ko]
undefined!
Caused by commit
adf0516845bc ("netfilter: remove ip_conntrack* sysctl compat code")
or maybe
92e47ba8839b ("netfilter: conntrack: simplify the code by using
nf_conntrack_get_ht")
I have used the netfilter-next tree from next-20160817 for today.
-
tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
head: 92e47ba8839bacc185db89f3b11cd8036193e6a9
commit: adf0516845bcd0e626323c858ece28ee58c74455 [8/9] netfilter: remove
ip_conntrack* sysctl compat code
config: i386-allmodconfig (attached as .config)
compiler: gcc-
Comparators are mandatory so the hash expression must have one.
Signed-off-by: Carlos Falgueras García
---
src/expr/hash.c | 22 ++
1 file changed, 22 insertions(+)
diff --git a/src/expr/hash.c b/src/expr/hash.c
index 7309907..01f362f 100644
--- a/src/expr/hash.c
+++ b/src/expr/
Please ignore this patch. Pablo already added this chunk before. Sorry.
* Modifies 'test_report' to receive a boolean that replaces 'test_ok'.
* Renames 'print_err' to 'test_assert' and adds a similar parameter.
* 'test_assert_{expr|rule}()' returns a boolean.
* Adapts all tests to the new functions.
Signed-off-by: Carlos Falgueras García
---
tests/libtest.c
This patch adds libtest.c and libtest.h to reduce test code and
consolidate it.
Signed-off-by: Carlos Falgueras García
---
.gitignore | 1 +
tests/Makefile.am | 54 +
tests/libtest.c | 53
Use 'nftnl_expr_cmp' and 'nftnl_rule_cmp' in all tests instead of custom
comparator for each one. If objects differ both are printed.
Signed-off-by: Carlos Falgueras García
---
tests/libtest.c | 30 ++
tests/libtest.h | 6 ++
tests