[nft PATCH 1/3] nft: use own allocation function
In the current setup, nft (the frontend object) is using the xzalloc() function from libnftables, which does not makes sense, as this is typically an internal helper function. In order to don't use this public libnftables symbol (a later patch just removes it), let's introduce a new allocation function in the nft frontend. This results in a bit of code duplication, but given the simplicity of the code, I don't think it's a big deal. Other possible approach would be to have xzalloc() become part of libnftables public API, but that is a much worse scenario I think. Signed-off-by: Arturo Borrero Gonzalez --- src/main.c | 15 +++ 1 file changed, 15 insertions(+)
diff --git a/src/main.c b/src/main.c
index cbfd69a..d5857e8 100644
--- a/src/main.c
+++ b/src/main.c
@@ -19,9 +19,24 @@
 #include
 #include
+#include
 #include
 #include
+void *xzalloc(size_t size)
+{
+ void *ptr;
+
+ ptr = malloc(size);
+ if (ptr == NULL) {
+ fprintf(stderr, "%s:%u: Memory allocation failure\n",
+ __FILE__, __LINE__);
+ exit(NFT_EXIT_NOMEM);
+ }
+ memset(ptr, 0, size);
+ return ptr;
+}
+
 static struct nft_ctx *nft;
 enum opt_vals {
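Review bot: `void *xzalloc(size_t size)` is added as a global definition carrying the same name as the libnftables symbol the description says the frontend stops using; until patch 3/3 hides the library's copy, both the executable and the shared library export an `xzalloc`, and with default ELF symbol resolution the executable's definition typically takes precedence, so the library's own internal callers would silently pick up the frontend's allocation-failure policy. Declaring it `static void *xzalloc(size_t size)` keeps the helper private to main.c and removes the clash independently of patch ordering. Separately, `__LINE__` is an int, so the `%u` conversion in the fprintf format does not match its type; `%d` does. The rest of main.c is outside the hunk, so whether a header already declares `xzalloc` in this translation unit is not visible here.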
[nft PATCH 3/3] libnftables: export public symbols only
Export public symbols (the library API functions) instead of all symbols in the library. This patch introduces the required macros to manage the visibility attributes (mostly copied from libnftnl.git) and also marks each symbol as exported when they need to be public. Also, introduce a .map file for proper symbol versioning. Previous to this patch, libnftables public symbols were: % dpkg-gensymbols -q -plibnftables -v0.9.1 -O -esrc/.libs/libnftables.so.1 | wc -l 527 With this patch, libnftables symbols are: % dpkg-gensymbols -q -plibnftables -v0.9.1 -O -esrc/.libs/libnftables.so.1 libnftables.so.1 libnftables #MINVER# nft_ctx_add_include_path@Base 0.9.1 nft_ctx_buffer_error@Base 0.9.1 nft_ctx_buffer_output@Base 0.9.1 nft_ctx_clear_include_paths@Base 0.9.1 nft_ctx_free@Base 0.9.1 nft_ctx_get_dry_run@Base 0.9.1 nft_ctx_get_error_buffer@Base 0.9.1 nft_ctx_get_output_buffer@Base 0.9.1 nft_ctx_new@Base 0.9.1 nft_ctx_output_get_debug@Base 0.9.1 nft_ctx_output_get_flags@Base 0.9.1 nft_ctx_output_set_debug@Base 0.9.1 nft_ctx_output_set_flags@Base 0.9.1 nft_ctx_set_dry_run@Base 0.9.1 nft_ctx_set_error@Base 0.9.1 nft_ctx_set_output@Base 0.9.1 nft_ctx_unbuffer_error@Base 0.9.1 nft_ctx_unbuffer_output@Base 0.9.1 nft_run_cmd_from_buffer@Base 0.9.1 nft_run_cmd_from_filename@Base 0.9.1 Signed-off-by: Arturo Borrero Gonzalez --- configure.ac |5 + include/utils.h |8 m4/gcc4_visibility.m4 | 21 + src/Makefile.am |8 +--- src/libnftables.c | 20 src/libnftables.map | 25 + 6 files changed, 84 insertions(+), 3 deletions(-) create mode 100644 m4/gcc4_visibility.m4 create mode 100644 src/libnftables.map
diff --git a/configure.ac b/configure.ac
index b71268e..26a9cb7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -44,6 +44,11 @@ fi
 AM_PROG_AR
 AM_PROG_LIBTOOL
+LT_INIT
+AM_PROG_CC_C_O
+AC_EXEEXT
+AC_DISABLE_STATIC
+CHECK_GCC_FVISIBILITY
 AS_IF([test "x$enable_man_doc" = "xyes"], [
 AC_CHECK_PROG(A2X, [a2x], [a2x], [no])
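Review bot: `+LT_INIT` is inserted directly after the existing `AM_PROG_LIBTOOL`, which is the older spelling of the same libtool initialisation, so libtool is now initialised twice; keeping one of the two is enough. `+AC_DISABLE_STATIC` then follows that initialisation, whereas the libtool manual describes it as a default-changing macro that must run before LT_INIT to have any effect — moving it above, or folding it into `LT_INIT([disable-static])`, makes the intent unambiguous. Whether a static archive was actually being built before this change is not visible from the hunk, so the practical impact is uncertain.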
diff --git a/include/utils.h b/include/utils.h
index e791523..647e8bb 100644
--- a/include/utils.h
+++ b/include/utils.h
@@ -11,6 +11,14 @@
 #include
 #include
+#include "config.h"
+#ifdef HAVE_VISIBILITY_HIDDEN
+# define __visible__attribute__((visibility("default")))
+# define EXPORT_SYMBOL(x) typeof(x) (x) __visible;
+#else
+# define EXPORT_SYMBOL
+#endif
+
 #define BITS_PER_BYTE 8
 #define pr_debug(fmt, arg...) printf(fmt, ##arg)
diff --git a/m4/gcc4_visibility.m4 b/m4/gcc4_visibility.m4
new file mode 100644
index 000..214d3f3
--- /dev/null
+++ b/m4/gcc4_visibility.m4
@@ -0,0 +1,21 @@
+
+# GCC 4.x -fvisibility=hidden
+
+AC_DEFUN([CHECK_GCC_FVISIBILITY], [
+ AC_LANG_PUSH([C])
+ saved_CFLAGS="$CFLAGS"
+ CFLAGS="$saved_CFLAGS -fvisibility=hidden"
+ AC_CACHE_CHECK([whether compiler accepts -fvisibility=hidden],
+ [ac_cv_fvisibility_hidden], AC_COMPILE_IFELSE(
+ [AC_LANG_SOURCE()],
+ [ac_cv_fvisibility_hidden=yes],
+ [ac_cv_fvisibility_hidden=no]
+ ))
+ if test "$ac_cv_fvisibility_hidden" = "yes"; then
+ AC_DEFINE([HAVE_VISIBILITY_HIDDEN], [1],
+ [True if compiler supports -fvisibility=hidden])
+ AC_SUBST([GCC_FVISIBILITY_HIDDEN], [-fvisibility=hidden])
+ fi
+ CFLAGS="$saved_CFLAGS"
+ AC_LANG_POP([C])
+])
diff --git a/src/Makefile.am b/src/Makefile.am
index fd64175..f97a354 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -19,7 +19,7 @@ AM_CFLAGS = -Wall \
 -Wdeclaration-after-statement -Wsign-compare -Winit-self \
 -Wformat-nonliteral -Wformat-security -Wmissing-format-attribute \
 -Wcast-align -Wundef -Wbad-function-cast \
- -Waggregate-return -Wunused -Wwrite-strings
+ -Waggregate-return -Wunused -Wwrite-strings ${GCC_FVISIBILITY_HIDDEN}
 AM_YFLAGS = -d
@@ -62,7 +62,8 @@ libnftables_la_SOURCES = \
 nfnl_osf.c \
 tcpopt.c\
 socket.c\
- libnftables.c
+ libnftables.c \
+ libnftables.map
 # yacc and lex generate dirty code
 noinst_LTLIBRARIES = libparser.la
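Review bot: In the `#else` branch of the utils.h hunk, `# define EXPORT_SYMBOL` is an object-like macro while the visibility branch defines the function-like `EXPORT_SYMBOL(x)`; on a compiler that fails the -fvisibility=hidden probe, an invocation written as `EXPORT_SYMBOL(nft_ctx_new);` would then expand to `(nft_ctx_new);` at file scope, which is not valid C, so the fallback should be `# define EXPORT_SYMBOL(x)` so the invocation expands to nothing. The call sites in libnftables.c are not on this page, so the exact spelling used there cannot be checked, but the function-like fallback is correct for either spelling. The rendering also shows `__visible__attribute__` with no separator between the macro name and its body, presumably a tab lost in transport rather than in the patch; worth a glance before applying.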
@@ -76,7 +77,8 @@ libparser_la_CFLAGS = ${AM_CFLAGS} \
 -Wno-redundant-decls
 libnftables_la_LIBADD = ${LIBMNL_LIBS} ${LIBNFTNL_LIBS} libparser.la
-libnftables_la_LDFLAGS = -version-info ${libnftables_LIBVERSION}
+libnftables_la_LDFLAGS = -version-info ${libnftables_LIBVERSION} \
+--version-script=$(srcdir)/libnftables.map
 if BUILD_MINIGMP
 noinst_LTLIBRARIES += libminigmp.la
diff --git a/src/libnf
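Review bot: `+--version-script=$(srcdir)/libnftables.map` is passed as a bare linker option in `libnftables_la_LDFLAGS`; libtool forwards LDFLAGS through the compiler driver, which does not recognise `--version-script` itself, so the line should be `-Wl,--version-script=$(srcdir)/libnftables.map` (this is also how libnftnl, which the description names as the source of these macros, spells it). It is worth confirming on the actual link line that the script is applied, since a silently dropped version script leaves every symbol exported and the dpkg-gensymbols listing in the description would then not be reproducible. The libnftables.c and libnftables.map hunks of this patch are cut off at the end of the page and could not be reviewed.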
[nft PATCH 2/3] libnftables: reallocate definition of nft_print() and nft_gmp_print()
They are not part of the libnftables library API, they are not public symbols, so it doesn't not make sense to have them there. Move the two functions to a different source file. Signed-off-by: Arturo Borrero Gonzalez --- src/libnftables.c | 27 --- src/utils.c | 26 ++ 2 files changed, 26 insertions(+), 27 deletions(-)
diff --git a/src/libnftables.c b/src/libnftables.c
index dccb8ab..f2cd267 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -507,30 +507,3 @@ err:
 cache_release(&nft->cache);
 return rc;
 }
-
-int nft_print(struct output_ctx *octx, const char *fmt, ...)
-{
- int ret;
- va_list arg;
-
- va_start(arg, fmt);
- ret = vfprintf(octx->output_fp, fmt, arg);
- va_end(arg);
- fflush(octx->output_fp);
-
- return ret;
-}
-
-int nft_gmp_print(struct output_ctx *octx, const char *fmt, ...)
-{
- int ret;
- va_list arg;
-
- va_start(arg, fmt);
- ret = gmp_vfprintf(octx->output_fp, fmt, arg);
- va_end(arg);
- fflush(octx->output_fp);
-
- return ret;
-}
-
diff --git a/src/utils.c b/src/utils.c
index 47f5b79..69e8344 100644
--- a/src/utils.c
+++ b/src/utils.c
@@ -90,3 +90,29 @@ void xstrunescape(const char *in, char *out)
 }
 out[k++] = '\0';
 }
+
+int nft_print(struct output_ctx *octx, const char *fmt, ...)
+{
+ int ret;
+ va_list arg;
+
+ va_start(arg, fmt);
+ ret = vfprintf(octx->output_fp, fmt, arg);
+ va_end(arg);
+ fflush(octx->output_fp);
+
+ return ret;
+}
+
+int nft_gmp_print(struct output_ctx *octx, const char *fmt, ...)
+{
+ int ret;
+ va_list arg;
+
+ va_start(arg, fmt);
+ ret = gmp_vfprintf(octx->output_fp, fmt, arg);
+ va_end(arg);
+ fflush(octx->output_fp);
+
+ return ret;
+}
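Review bot: nft_print() and nft_gmp_print() arrive in utils.c without any comment, and their nft_ prefix makes them read like API entry points, which is precisely the impression the move is meant to remove; a short header above the first definition, `/* printf-style helpers writing to an output_ctx; internal to the library, not part of the libnftables API. */`, records that for the next reader. Whether the prototypes in the header carry a printf format attribute is not visible here; with `-Wformat-nonliteral` and `-Wmissing-format-attribute` already in AM_CFLAGS, nft_print() at least should have one (nft_gmp_print() cannot, since gmp conversions are not printf conversions).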
Re: [nft PATCH 2/3] libnftables: reallocate definition of nft_print() and nft_gmp_print()
On 6/27/19 12:50 PM, Arturo Borrero Gonzalez wrote: > They are not part of the libnftables library API, they are not public symbols, > so it doesn't not make sense to have them there. Move the two functions to a > different source file. > > Signed-off-by: Arturo Borrero Gonzalez > --- > src/libnftables.c | 27 --- > src/utils.c | 26 ++ > 2 files changed, 26 insertions(+), 27 deletions(-) > This patch is probably not required, it does not affect how visible the symbols of the library are. Drop it or apply it, I'm fine either way.
Re: [nft PATCH 1/3] nft: use own allocation function
Arturo Borrero Gonzalez wrote: > In the current setup, nft (the frontend object) is using the xzalloc() > function > from libnftables, which does not makes sense, as this is typically an internal > helper function. > > In order to don't use this public libnftables symbol (a later patch just > removes it), let's introduce a new allocation function in the nft frontend. > This results in a bit of code duplication, but given the simplicity of the > code, > I don't think it's a big deal. > > Other possible approach would be to have xzalloc() become part of libnftables > public API, but that is a much worse scenario I think. Agree, thus: Acked-by: Florian Westphal
Re: [nft PATCH 3/3] libnftables: export public symbols only
Arturo Borrero Gonzalez wrote: > Export public symbols (the library API functions) instead of all symbols in > the library. \o/ This is long overdue, thanks for doing this Arturo!
Re: [nft PATCH 2/3] libnftables: reallocate definition of nft_print() and nft_gmp_print()
Arturo Borrero Gonzalez wrote: > On 6/27/19 12:50 PM, Arturo Borrero Gonzalez wrote: > > They are not part of the libnftables library API, they are not public > > symbols, > > so it doesn't not make sense to have them there. Move the two functions to a > > different source file. > > > > Signed-off-by: Arturo Borrero Gonzalez > > --- > > src/libnftables.c | 27 --- > > src/utils.c | 26 ++ > > 2 files changed, 26 insertions(+), 27 deletions(-) > > > > This patch is probably not required, it does not affect how visible the > symbols > of the library are. > > Drop it or apply it, I'm fine either way. I'd be inclined to skip because of the nft_ prefix (and removing that adds useless code churn), provided patch 3 is accepted of course.
Re: [nft PATCH 1/3] nft: use own allocation function
On Thu, Jun 27, 2019 at 12:50:00PM +0200, Arturo Borrero Gonzalez wrote: > In the current setup, nft (the frontend object) is using the xzalloc() > function > from libnftables, which does not makes sense, as this is typically an internal > helper function. > > In order to don't use this public libnftables symbol (a later patch just > removes it), let's introduce a new allocation function in the nft frontend. > This results in a bit of code duplication, but given the simplicity of the > code, > I don't think it's a big deal. > > Other possible approach would be to have xzalloc() become part of libnftables > public API, but that is a much worse scenario I think. Could you replace the call to xzalloc() in main.c by calloc()? Also check for the error if calloc() fails, then print error and exit(). Just like other error path in main.c Thanks!
Re: [nft PATCH 2/3] libnftables: reallocate definition of nft_print() and nft_gmp_print()
On Thu, Jun 27, 2019 at 12:50:11PM +0200, Arturo Borrero Gonzalez wrote: > They are not part of the libnftables library API, they are not public symbols, > so it doesn't not make sense to have them there. Move the two functions to a > different source file. Probably move them to src/print.c ? I like the idea that only the API is placed in libnftables.c. Thanks.
Re: [PATCH nft v9]tests: py: fix pyhton3
On Thu, Jun 20, 2019 at 11:08:18PM +0530, shekhar sharma wrote: > On Thu, Jun 20, 2019 at 8:07 PM Pablo Neira Ayuso wrote: > > > > On Wed, Jun 19, 2019 at 11:27:41PM +0530, Shekhar Sharma wrote: > > > This patch changes the file to run on both python2 and python3. > > > > > > The tempfile module has been imported and used. > > > Although the previous replacement of cmp() by eric works, > > > I have replaced cmp(a,b) by ((a>b)-(a > > > Any reason not to use Eric's approach? This ((a>b)-(a > confusing. > > No, Eric's approach is also working nicely. I read on a website > that cmp(a,b) of python2 can be replaced by ((a>b)-(a
Re: [PATCH nft] tests: py: use tempfile module
On Wed, Jun 19, 2019 at 09:38:42AM -0400, Eric Garver wrote: > os.tmpfile() is not in python3. > > Signed-off-by: Eric Garver > --- Pablo, Shekhar included this change in patch "[PATCH nft v9]tests: py: fix pyhton3". So this patch can be dropped. Thanks. Eric.
Re: [PATCH nft v9]tests: py: fix pyhton3
On Wed, Jun 19, 2019 at 11:27:41PM +0530, Shekhar Sharma wrote: > This patch changes the file to run on both python2 and python3. > > The tempfile module has been imported and used. > Although the previous replacement of cmp() by eric works, > I have replaced cmp(a,b) by ((a>b)-(a > Thanks! > > > Signed-off-by: Shekhar Sharma > --- The patch Subject has a typo, "pyhton3". Please fix it on next revision.
Re: [PATCH nft v9] tests: py: add netns feature
On Fri, Jun 21, 2019 at 11:10:53PM +0530, Shekhar Sharma wrote: > This patch adds the netns feature to the nft-test.py file. > > Signed-off-by: Shekhar Sharma > --- > The global variable 'netns' stores the value of args.netns > which is used as an argument in various functions. > > The version history of the patch is : > v1: add the netns feature > v2: use format() method to simplify print statements. > v3: updated the shebang > v4: resent the same with small changes > v5&v6: resent with small changes > v7: netns commands changed for passing the netns name via netns argument. > v8: correct typo error > v9: use tempfile, replace cmp() and add a global variable 'netns' > and store the args.netns value in it. > There should be a separator (---) after the revision history and before the actual patch. i.e. --- This patch has hunks from your other patch "[PATCH nft v9]tests: py: fix pyhton3". Please keep the changes separate.
Re: [PATCH nft v9]tests: py: fix pyhton3
On Thu, Jun 27, 2019 at 6:02 PM Eric Garver wrote: > > On Thu, Jun 20, 2019 at 11:08:18PM +0530, shekhar sharma wrote: > > On Thu, Jun 20, 2019 at 8:07 PM Pablo Neira Ayuso > > wrote: > > > > > > On Wed, Jun 19, 2019 at 11:27:41PM +0530, Shekhar Sharma wrote: > > > > This patch changes the file to run on both python2 and python3. > > > > > > > > The tempfile module has been imported and used. > > > > Although the previous replacement of cmp() by eric works, > > > > I have replaced cmp(a,b) by ((a>b)-(a > > > > > Any reason not to use Eric's approach? This ((a>b)-(a > > confusing. > > > > No, Eric's approach is also working nicely. I read on a website > > that cmp(a,b) of python2 can be replaced by ((a>b)-(a > This is true, but as Pablo stated it can be confusing. For this function > we only care if the sets are equivalent so I simplified it. > True. > If you agree, the please drop this change from your next revision and > Pablo can take my patch. OK , I will not include this change in v10.
Re: [PATCH nft v9]tests: py: fix pyhton3
On Thu, Jun 27, 2019 at 6:07 PM Eric Garver wrote: > > On Wed, Jun 19, 2019 at 11:27:41PM +0530, Shekhar Sharma wrote: > > This patch changes the file to run on both python2 and python3. > > > > The tempfile module has been imported and used. > > Although the previous replacement of cmp() by eric works, > > I have replaced cmp(a,b) by ((a>b)-(a > > > Thanks! > > > > > > Signed-off-by: Shekhar Sharma > > --- > > The patch Subject has a typo, "pyhton3". Please fix it on next revision. Oops! Will correct it.
Re: [PATCH nft v9] tests: py: add netns feature
On Thu, Jun 27, 2019 at 6:22 PM Eric Garver wrote: > > On Fri, Jun 21, 2019 at 11:10:53PM +0530, Shekhar Sharma wrote: > > This patch adds the netns feature to the nft-test.py file. > > > > Signed-off-by: Shekhar Sharma > > --- > > The global variable 'netns' stores the value of args.netns > > which is used as an argument in various functions. > > > > The version history of the patch is : > > v1: add the netns feature > > v2: use format() method to simplify print statements. > > v3: updated the shebang > > v4: resent the same with small changes > > v5&v6: resent with small changes > > v7: netns commands changed for passing the netns name via netns argument. > > v8: correct typo error > > v9: use tempfile, replace cmp() and add a global variable 'netns' > > and store the args.netns value in it. > > > > There should be a separator (---) after the revision history and before > the actual patch. > i.e. > > --- > Okay. > This patch has hunks from your other patch "[PATCH nft v9]tests: py: fix > pyhton3". Please keep the changes separate. Yes i have included the changes for converting to python3 and also included the netns feature. Should i send a patch without any changes for python3 and only changes for the netns feature? Shekhar
Re: [PATCH nft v9] tests: py: add netns feature
On Thu, Jun 27, 2019 at 9:23 PM shekhar sharma wrote: > > On Thu, Jun 27, 2019 at 6:22 PM Eric Garver wrote: > > > > On Fri, Jun 21, 2019 at 11:10:53PM +0530, Shekhar Sharma wrote: > > > This patch adds the netns feature to the nft-test.py file. > > > > > > Signed-off-by: Shekhar Sharma > > > --- > > > The global variable 'netns' stores the value of args.netns > > > which is used as an argument in various functions. > > > > > > The version history of the patch is : > > > v1: add the netns feature > > > v2: use format() method to simplify print statements. > > > v3: updated the shebang > > > v4: resent the same with small changes > > > v5&v6: resent with small changes > > > v7: netns commands changed for passing the netns name via netns argument. > > > v8: correct typo error > > > v9: use tempfile, replace cmp() and add a global variable 'netns' > > > and store the args.netns value in it. > > > > > > > There should be a separator (---) after the revision history and before > > the actual patch. > > i.e. > > > > --- > > > Okay. > > > This patch has hunks from your other patch "[PATCH nft v9]tests: py: fix > > pyhton3". Please keep the changes separate. > > Yes i have included the changes for converting to python3 and also > included the netns > feature. > Should i send a patch without any changes for python3 and only changes for the > netns feature? > > Shekhar For now, i am posting a patch containing the changes for python3 as well as for netns feature without changing the cmp() function so that the changes proposed by eric in his patch can be applied. If it is necessary i will post another version without the python3 changes :-). Regards, Shekhar
[PATCH nft v10]tests: py: add netns feature
This patch adds the netns feature to nft-test.py. Signed-off-by: Shekhar Sharma --- The version history of the patch is : v1: add the netns feature v2: use format() method to simplify print statements. v3: updated the shebang v4: resent the same with small changes v5&v6: resent with small changes v7: netns commands changed for passing the netns name via netns argument. v8: correct typo error v9: use tempfile, replace cmp() and add a global variable 'netns' and store the args.netns value in it. v10: the cmp() function has again been added so that it can be replaced the way eric has proposed. --- tests/py/nft-test.py | 150 +++ 1 file changed, 108 insertions(+), 42 deletions(-)
diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py
index 09d00dba..15f254f8 100755
--- a/tests/py/nft-test.py
+++ b/tests/py/nft-test.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python2
+#!/usr/bin/env python
 #
 # (C) 2014 by Ana Rey Botello
 #
@@ -13,12 +13,14 @@
 # Thanks to the Outreach Program for Women (OPW) for sponsoring this test
 # infrastructure.
+from __future__ import print_function
 import sys
 import os
 import argparse
 import signal
 import json
 import traceback
+import tempfile
 TESTS_PATH = os.path.dirname(os.path.abspath(__file__))
 sys.path.insert(0, os.path.join(TESTS_PATH, '../../py/'))
@@ -172,27 +174,31 @@ def print_differences_error(filename, lineno, cmd):
 print_error(reason, filename, lineno)
-def table_exist(table, filename, lineno):
+def table_exist(table, filename, lineno, netns=""):
 ''' Exists a table. '''
 cmd = "list table %s" % table
+if netns:
+cmd = "ip netns exec " + "{} {}".format(netns,cmd)
 ret = execute_cmd(cmd, filename, lineno)
 return True if (ret == 0) else False
-def table_flush(table, filename, lineno):
+def table_flush(table, filename, lineno, netns=""):
 ''' Flush a table. '''
 cmd = "flush table %s" % table
+if netns:
+cmd = "ip netns exec " + "{} {}".format(netns, cmd)
 execute_cmd(cmd, filename, lineno)
 return cmd
-def table_create(table, filename, lineno):
+def table_create(table, filename, lineno, netns=""):
 ''' Adds a table. '''
@@ -206,6 +212,8 @@ def table_create(table, filename, lineno):
 # We add a new table
 cmd = "add table %s" % table
+if netns:
+cmd = "ip netns exec " + "{} {}".format(netns,cmd)
 ret = execute_cmd(cmd, filename, lineno)
 if ret != 0:
@@ -234,7 +242,7 @@ def table_create(table, filename, lineno):
 return 0
-def table_delete(table, filename=None, lineno=None):
+def table_delete(table, filename=None, lineno=None, netns=""):
 ''' Deletes a table. '''
@@ -244,6 +252,8 @@ def table_delete(table, filename=None, lineno=None):
 return -1
 cmd = "delete table %s" % table
+if netns:
+cmd = "ip netns exec " + "{} {}".format(netns,cmd)
 ret = execute_cmd(cmd, filename, lineno)
 if ret != 0:
 reason = "%s: I cannot delete table %s. Giving up!" % (cmd, table)
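Review bot: The two added lines `if netns:` / `cmd = "ip netns exec " + "{} {}".format(netns,cmd)` are pasted verbatim into table_exist, table_flush, table_create and table_delete here and into every chain_* hunk that follows, with the spacing after the comma already drifting between copies; a single helper, `def netns_cmd(cmd, netns): return "ip netns exec {} {}".format(netns, cmd) if netns else cmd`, called once per function keeps the prefix in one place, and each docstring can then state that `netns` runs the command inside that namespace. Because the namespace name is spliced into the command text, a name containing whitespace or shell metacharacters would be split or reinterpreted if execute_cmd (outside the hunk) hands the string to a shell; checking the name once in that helper, or building an argument list instead of a string, removes that dependency. Note also that table_flush now returns the prefixed command, so a caller that prints or compares the returned string sees `ip netns exec ...` rather than the bare nft command — presumably intended, but a one-line comment would confirm it.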
@@ -259,17 +269,19 @@ def table_delete(table, filename=None, lineno=None):
 return 0
-def chain_exist(chain, table, filename):
+def chain_exist(chain, table, filename, netns=""):
 ''' Checks a chain '''
 cmd = "list chain %s %s" % (table, chain)
+if netns:
+cmd = "ip netns exec " + "{} {}".format(netns,cmd)
 ret = execute_cmd(cmd, filename, chain.lineno)
 return True if (ret == 0) else False
-def chain_create(chain, table, filename):
+def chain_create(chain, table, filename, netns=""):
 ''' Adds a chain '''
@@ -280,6 +292,9 @@ def chain_create(chain, table, filename):
 return -1
 cmd = "add chain %s %s" % (table, chain)
+if netns:
+cmd = "ip netns exec " + "{} {}".format(netns,cmd)
+
 if chain.config:
 cmd += " { %s; }" % chain.config
@@ -298,7 +313,7 @@ def chain_create(chain, table, filename):
 return 0
-def chain_delete(chain, table, filename=None, lineno=None):
+def chain_delete(chain, table, filename=None, lineno=None, netns=""):
 ''' Flushes and deletes a chain. '''
@@ -309,6 +324,9 @@ def chain_delete(chain, table, filename=None, lineno=None):
 return -1
 cmd = "flush chain %s %s" % (table, chain)
+if netns:
+cmd = "ip netns exec " + "{} {}".format(netns,cmd)
+
 ret = execute_cmd(cmd, filename, lineno)
 if ret != 0:
 reason = "I cannot " + cmd
@@ -316,6 +334,8 @@ def chain_delete(chain, table, filename=None, lineno=None):
 return -1
 cmd = "delete chain %s %s" % (table, chain)
+if netns:
+cmd = "ip netns exec " + "{} {}".format(netns,cmd)
 ret = execute_cmd(cmd, filename, lineno)
 if ret != 0:
 reason = "I cannot " + cmd
@@ -341,7 +361,7 @@ def chain_get_by_name(name):
 return chain
-def set_add(s, test_result, filename, lineno):
+def
Re: [PATCH nft v9] tests: py: add netns feature
On Thu, Jun 27, 2019 at 09:46:43PM +0530, shekhar sharma wrote: > For now, i am posting a patch containing the changes for python3 as > well as for netns feature > without changing the cmp() function so that the changes proposed by > eric in his patch > can be applied. > If it is necessary i will post another version without the python3 changes > :-). Please submit a patch that: #1 updates nft-tests.py for python3, that also works with python2, including the changes that Eric suggested. then, once I apply patch #1... #2 You send me a patch to add the netns support for nft-tests.py Better off if we do one thing at a time :-) Thanks.
Re: [PATCH v2] netfilter: synproxy: erroneous TCP mss option fixed.
On Tue, Jun 25, 2019 at 08:42:04AM +0300, Ibrahim Ercan wrote: > Syn proxy isn't setting mss value correctly on client syn-ack packet. > It was sending same mss value with client send instead of the value user set > in iptables rule. This patch fix that wrong behavior by passing client mss > information to synproxy_send_client_synack correctly. > > Signed-off-by: Ibrahim Ercan > --- > net/ipv4/netfilter/ipt_SYNPROXY.c | 9 ++--- > net/ipv6/netfilter/ip6t_SYNPROXY.c | 9 ++--- > 2 files changed, 12 insertions(+), 6 deletions(-) > > diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c > b/net/ipv4/netfilter/ipt_SYNPROXY.c > index 64d9563..e0bd504 100644 > --- a/net/ipv4/netfilter/ipt_SYNPROXY.c > +++ b/net/ipv4/netfilter/ipt_SYNPROXY.c > @@ -69,13 +69,13 @@ synproxy_send_tcp(struct net *net, > static void > synproxy_send_client_synack(struct net *net, > const struct sk_buff *skb, const struct tcphdr *th, > - const struct synproxy_options *opts) > + const struct synproxy_options *opts, const u16 > client_mssinfo) > { > struct sk_buff *nskb; > struct iphdr *iph, *niph; > struct tcphdr *nth; > unsigned int tcp_hdr_size; > - u16 mss = opts->mss; > + u16 mss = client_mssinfo; > > iph = ip_hdr(skb); > > @@ -264,6 +264,7 @@ synproxy_tg4(struct sk_buff *skb, const struct > xt_action_param *par) > struct synproxy_net *snet = synproxy_pernet(net); > struct synproxy_options opts = {}; > struct tcphdr *th, _th; > + u16 client_mssinfo; > > if (nf_ip_checksum(skb, xt_hooknum(par), par->thoff, IPPROTO_TCP)) > return NF_DROP; 
> @@ -283,6 +284,8 @@ synproxy_tg4(struct sk_buff *skb, const struct > xt_action_param *par) > opts.options |= XT_SYNPROXY_OPT_ECN; > > opts.options &= info->options; > + client_mssinfo = opts.mss; > + opts.mss = info->mss; No need for this new client_mssinfo variable, right? I mean, you can just set: opts.mss = info->mss; and use it from synproxy_send_client_synack(). This patch will be smaller. > if (opts.options & XT_SYNPROXY_OPT_TIMESTAMP) > synproxy_init_timestamp_cookie(info, &opts); > else > @@ -290,7 +293,7 @@ synproxy_tg4(struct sk_buff *skb, const struct > xt_action_param *par) > XT_SYNPROXY_OPT_SACK_PERM | > XT_SYNPROXY_OPT_ECN); > > - synproxy_send_client_synack(net, skb, th, &opts); > + synproxy_send_client_synack(net, skb, th, &opts, > client_mssinfo); > consume_skb(skb); > return NF_STOLEN; > } else if (th->ack && !(th->fin || th->rst || th->syn)) {
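Review bot: The pair `client_mssinfo = opts.mss;` / `opts.mss = info->mss;` in synproxy_tg4 carries the whole fix, yet nothing in the code says which value goes where, and the thread shows even the maintainers had to spell it out; a comment next to the assignments, `/* opts.mss is announced to the client in the SYN/ACK; client_mssinfo keeps the MSS the client sent for the cookie (see synproxy_send_client_synack) */`, would let the intent survive the rename discussed later, with the cookie role stated as the thread explains it rather than as something visible in this hunk. The matching ip6t_SYNPROXY.c hunk is listed in the diffstat but not quoted here, so the two paths could not be compared. `const u16 client_mssinfo` in the synproxy_send_client_synack() definition qualifies a by-value scalar, which is unusual in netfilter code and can simply be `u16 client_mssinfo`.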
Re: [PATCH v2] netfilter: synproxy: erroneous TCP mss option fixed.
Pablo Neira Ayuso wrote: > > opts.options &= info->options; > > + client_mssinfo = opts.mss; > > + opts.mss = info->mss; > > No need for this new client_mssinfo variable, right? I mean, you can > just set: > > opts.mss = info->mss; > > and use it from synproxy_send_client_synack(). I thought that as well but we need both mss values, the one configured in the target (info->mss) and the one received from the peer. The former is what we announce to peer in the syn/ack (as tcp option), the latter is what we need to encode in the syncookie (to decode it on cookie ack).
Re: [PATCH nf v2] selftests: netfilter: add nfqueue test case
On Wed, Jun 26, 2019 at 09:09:29PM +0200, Pablo Neira Ayuso wrote: > On Wed, Jun 26, 2019 at 09:05:03PM +0200, Pablo Neira Ayuso wrote: > > On Wed, Jun 26, 2019 at 08:56:53PM +0200, Florian Westphal wrote: > > > Pablo Neira Ayuso wrote: > > > > On Wed, Jun 26, 2019 at 08:42:34PM +0200, Florian Westphal wrote: > > > > > diff --git a/tools/testing/selftests/netfilter/nf-queue.c > > > > > b/tools/testing/selftests/netfilter/nf-queue.c > > > > > new file mode 100644 > > > > > index ..897274bd6f4a > > > > > --- /dev/null > > > > > +++ b/tools/testing/selftests/netfilter/nf-queue.c > > > > > > > > Oh well. Lots of copied and pasted code from the libraries. > > > > > > > > We'll have to remind to take patches for the example in the library > > > > and the kernel. > > > > > > Do you have an alternative proposal? > > > > Probably install this nf-queue tool from libraries? Then, selftest use > > this binary? So we have a single copy of this code :-) > > Or move this C code to a new git tree under netfilter, eg. > netfilter-tests.git, you may need something similar for > libnetfilter_log I suspect, and so on for other stuff. > > Such new git tree would compile all testing tools for netfilter and > install them. > > kselftest depends on external tooling anyway, this should be fine. You could also integrate the tcpdr tool that Mate was using to test tproxy, there will be a test for tproxy too at some point, right? And you don't want to push that into the kernel? Having all this testing tools in the git repository somewhere where it can be collected could be useful. Users could invoke it from command line to collect packets and print them. I mean, add the nfqueue tool, then the nflog tool too, and so on. It would be also a good way to keep the C code for these tooling in the netfilter tree, while keeping the shell scripts in the kernel tree.
Re: [PATCH v2] netfilter: synproxy: erroneous TCP mss option fixed.
On Thu, Jun 27, 2019 at 09:00:19PM +0200, Florian Westphal wrote: > Pablo Neira Ayuso wrote: > > > opts.options &= info->options; > > > + client_mssinfo = opts.mss; > > > + opts.mss = info->mss; > > > > No need for this new client_mssinfo variable, right? I mean, you can > > just set: > > > > opts.mss = info->mss; > > > > and use it from synproxy_send_client_synack(). > > I thought that as well but we need both mss values, > the one configured in the target (info->mss) and the > ine received from the peer. > > The former is what we announce to peer in the syn/ack > (as tcp option), the latter is what we need to encode > in the syncookie (to decode it on cookie ack). I see, probably place client_mss field into the synproxy_options structure?
Re: [PATCH v2 3/7] nftables: meta: time: Proper handling of DST
On Wed, Jun 26, 2019 at 11:07:58PM +0200, Florian Westphal wrote: > Ander Juaristi wrote: > > same remark, I think this can be squashed. Agreed. Ander, please, use git rebase -i (interactive rebased to squash this patches where they belong). Thanks!
Re: [PATCH v2] netfilter: synproxy: erroneous TCP mss option fixed.
Pablo Neira Ayuso wrote: > On Thu, Jun 27, 2019 at 09:00:19PM +0200, Florian Westphal wrote: > > Pablo Neira Ayuso wrote: > > > > opts.options &= info->options; > > > > + client_mssinfo = opts.mss; > > > > + opts.mss = info->mss; > > > > > > No need for this new client_mssinfo variable, right? I mean, you can > > > just set: > > > > > > opts.mss = info->mss; > > > > > > and use it from synproxy_send_client_synack(). > > > > I thought that as well but we need both mss values, > > the one configured in the target (info->mss) and the > > ine received from the peer. > > > > The former is what we announce to peer in the syn/ack > > (as tcp option), the latter is what we need to encode > > in the syncookie (to decode it on cookie ack). > > I see, probably place client_mss field into the synproxy_options > structure? I worked on a fix for this too (Ibrahim was faster), I tried to rename opts.mss so we have u16 mss_peer; u16 mss_configured; but I got confused myself as to where which mss is to be used. perhaps u16 mss_option; u16 mss_encode; ... would have been better.
Re: [PATCH nf v2] selftests: netfilter: add nfqueue test case
Pablo Neira Ayuso wrote: > On Wed, Jun 26, 2019 at 09:09:29PM +0200, Pablo Neira Ayuso wrote: > > On Wed, Jun 26, 2019 at 09:05:03PM +0200, Pablo Neira Ayuso wrote: > > > On Wed, Jun 26, 2019 at 08:56:53PM +0200, Florian Westphal wrote: > > > > Pablo Neira Ayuso wrote: > > > > > On Wed, Jun 26, 2019 at 08:42:34PM +0200, Florian Westphal wrote: > > > > > > diff --git a/tools/testing/selftests/netfilter/nf-queue.c > > > > > > b/tools/testing/selftests/netfilter/nf-queue.c > > > > > > new file mode 100644 > > > > > > index ..897274bd6f4a > > > > > > --- /dev/null 
> > > > > > +++ b/tools/testing/selftests/netfilter/nf-queue.c > > > > > > > > > > Oh well. Lots of copied and pasted code from the libraries. > > > > > > > > > > We'll have to remind to take patches for the example in the library > > > > > and the kernel. > > > > > > > > Do you have an alternative proposal? > > > > > > Probably install this nf-queue tool from libraries? Then, selftest use > > > this binary? So we have a single copy of this code :-) > > > > Or move this C code to a new git tree under netfilter, eg. > > netfilter-tests.git, you may need something similar for > > libnetfilter_log I suspect, and so on for other stuff. > > > > Such new git tree would compile all testing tools for netfilter and > > install them. > > > > kselftest depends on external tooling anyway, this should be fine. > > You could also integrate the tcpdr tool that Mate was using to test > tproxy, there will be a test for tproxy too at some point, right? And > you don't want to push that into the kernel? Actually ... yes :/ I had hoped that we could maximize coverage of netfilter core infra this way. We have an embarassing number of regressions and really stupid bugs. Largely because we don't have tests at all, or because they live outside of kernel/are not run with a certain config. > Having all this testing tools in the git repository somewhere where it > can be collected could be useful. Users could invoke it from command > line to collect packets and print them. I mean, add the nfqueue tool, > then the nflog tool too, and so on. Yes, but that means that anyone running make run_tests will get a 'SKIP' for these tests UNLESS they also installed the netfilter-test.git tools. If you think thats fine, I can start accumulating tools in a new repo.
Re: [PATCH v2] netfilter: synproxy: erroneous TCP mss option fixed.
On Thu, Jun 27, 2019 at 09:21:09PM +0200, Florian Westphal wrote: > Pablo Neira Ayuso wrote: > > On Thu, Jun 27, 2019 at 09:00:19PM +0200, Florian Westphal wrote: > > > Pablo Neira Ayuso wrote: > > > > > opts.options &= info->options; > > > > > + client_mssinfo = opts.mss; > > > > > + opts.mss = info->mss; > > > > > > > > No need for this new client_mssinfo variable, right? I mean, you can > > > > just set: > > > > > > > > opts.mss = info->mss; > > > > > > > > and use it from synproxy_send_client_synack(). > > > > > > I thought that as well but we need both mss values, > > > the one configured in the target (info->mss) and the > > > ine received from the peer. > > > > > > The former is what we announce to peer in the syn/ack > > > (as tcp option), the latter is what we need to encode > > > in the syncookie (to decode it on cookie ack). > > > > I see, probably place client_mss field into the synproxy_options > > structure? > > I worked on a fix for this too (Ibrahim was faster), I > tried to rename opts.mss so we have > > u16 mss_peer; > u16 mss_configured; > > but I got confused myself as to where which mss is to be used. > > perhaps > u16 mss_option; > u16 mss_encode; > > ... would have been better. I would leave opts.mss as is for now. Given there will be a conflict between nf-next and nf, I was trying to minimize the number of chunks for this fix, but that's just my preference (I'll have to sort this out, it seems). Then, adding follow-up patches to rename the fields would be great indeed, as you suggest.
Re: [PATCH nf v2] selftests: netfilter: add nfqueue test case
On Thu, Jun 27, 2019 at 09:25:25PM +0200, Florian Westphal wrote: > Pablo Neira Ayuso wrote: > > On Wed, Jun 26, 2019 at 09:09:29PM +0200, Pablo Neira Ayuso wrote: > > > On Wed, Jun 26, 2019 at 09:05:03PM +0200, Pablo Neira Ayuso wrote: > > > > On Wed, Jun 26, 2019 at 08:56:53PM +0200, Florian Westphal wrote: > > > > > Pablo Neira Ayuso wrote: > > > > > > On Wed, Jun 26, 2019 at 08:42:34PM +0200, Florian Westphal wrote: > > > > > > > diff --git a/tools/testing/selftests/netfilter/nf-queue.c > > > > > > > b/tools/testing/selftests/netfilter/nf-queue.c > > > > > > > new file mode 100644 > > > > > > > index ..897274bd6f4a > > > > > > > --- /dev/null 
> > > > > > > +++ b/tools/testing/selftests/netfilter/nf-queue.c > > > > > > > > > > > > Oh well. Lots of copied and pasted code from the libraries. > > > > > > > > > > > > We'll have to remind to take patches for the example in the library > > > > > > and the kernel. > > > > > > > > > > Do you have an alternative proposal? > > > > > > > > Probably install this nf-queue tool from libraries? Then, selftest use > > > > this binary? So we have a single copy of this code :-) > > > > > > Or move this C code to a new git tree under netfilter, eg. > > > netfilter-tests.git, you may need something similar for > > > libnetfilter_log I suspect, and so on for other stuff. > > > > > > Such new git tree would compile all testing tools for netfilter and > > > install them. > > > > > > kselftest depends on external tooling anyway, this should be fine. > > > > You could also integrate the tcpdr tool that Mate was using to test > > tproxy, there will be a test for tproxy too at some point, right? And > > you don't want to push that into the kernel? > > Actually ... yes :/ > > I had hoped that we could maximize coverage of netfilter core infra > this way. > > We have an embarassing number of regressions and really stupid bugs. > Largely because we don't have tests at all, or because they > live outside of kernel/are not run with a certain config. I think they cover different aspects; so far we have good coverage for the control plane, which is what the tests you are referring to exercise. > > Having all this testing tools in the git repository somewhere where it > > can be collected could be useful. Users could invoke it from command > > line to collect packets and print them. I mean, add the nfqueue tool, > > then the nflog tool too, and so on. > > Yes, but that means that anyone running make run_tests will get a 'SKIP' > for these tests UNLESS they also installed the netfilter-test.git > tools. Is there any script that pulls dependencies and installs them in order to run these kselftests? 
> If you think thats fine, I can start accumulating tools in a new repo. I'm just brainstorming about where to go, and seeing if you think it could be useful to start collecting testing/debugging tools that might be useful not only for this test infrastructure, but for general troubleshooting. My only concern is that we might end up with a bit of C code spread over the test tree for all this tooling. This tooling could probably reside in the kernel tree if you prefer.
[PATCH] netfilter: nat: Update obsolete comment on get_unique_tuple()
Commit c7232c9979cba ("netfilter: add protocol independent NAT core") added nf_nat_core.c based on ipv4/netfilter/nf_nat_core.c, with this comment copied. Referred function doesn't exist anymore, and anyway since day one of this file it should have referred the generic __nf_conntrack_confirm(), added in 9fb9cbb1082d6.
Signed-off-by: Yonatan Goldschmidt
---
 net/netfilter/nf_nat_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index 9ab410455992..3f6023ed4966 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -519,7 +519,7 @@ static void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple,
 * and NF_INET_LOCAL_OUT, we change the destination to map into the
 * range. It might not be possible to get a unique tuple, but we try.
 * At worst (or if we race), we will end up with a final duplicate in
- * __ip_conntrack_confirm and drop the packet. */
+ * __nf_conntrack_confirm and drop the packet. */
 static void get_unique_tuple(struct nf_conntrack_tuple *tuple,
 const struct nf_conntrack_tuple *orig_tuple,
---
[PATCH v3 3/4] Compute result modulo 86400 in case gmtoff is negative
Signed-off-by: Ander Juaristi
---
 src/meta.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/meta.c b/src/meta.c
index 152d97d..41f5fa9 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -516,7 +516,7 @@ static struct error_record *day_type_parse(const struct expr *sym,
 return error(&sym->location, "Day name must be at least three characters long");
 }
- for (unsigned i = 0; i < numdays && daynum == -1; i++) {
+ for (int i = 0; i < numdays && daynum == -1; i++) {
 daylen = strlen(days[i]);
 if (strncasecmp(sym->identifier,
@@ -619,8 +619,8 @@ convert:
 /* Substract tm_gmtoff to get the current time */
 if (cur_tm) {
- if (result >= cur_tm->tm_gmtoff)
- result -= cur_tm->tm_gmtoff;
+ if ((long int) result >= cur_tm->tm_gmtoff)
+ result = (result - cur_tm->tm_gmtoff) % 86400;
 else
 result = 86400 - cur_tm->tm_gmtoff + result;
 }
-- 
2.17.1
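Review bot: The new line `result = (result - cur_tm->tm_gmtoff) % 86400;` introduces a bare magic number that the unchanged else branch also uses; a named constant, e.g. `SECONDS_PER_DAY`, would make the day-wrap intent visible, and the existing "Substract tm_gmtoff" comment above the block should say why the wrap is needed: `/* tm_gmtoff is negative west of UTC, so the difference can exceed one day; wrap it. */`. The cast `(long int) result` presumably exists because result is unsigned; if result is a 64-bit value the cast is implementation-defined above LONG_MAX, harmless for a seconds-in-day value but worth a comment. The adjustment uses the offset found in cur_tm when the rule is parsed, so a rule loaded under daylight-saving time apparently keeps that offset after the clocks change; this should be stated in the comment or the man page. The `unsigned` to `int` loop-index change in the first hunk looks like a signed/unsigned comparison fix against numdays and deserves a sentence in the (currently empty) commit message. Both enclosing functions start outside the hunks.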
[PATCH v3 2/4] tests/py: Add tests for day and hour
Signed-off-by: Ander Juaristi
---
 tests/py/ip/meta.t | 2 ++
 tests/py/ip/meta.t.payload | 12
 2 files changed, 14 insertions(+)
diff --git a/tests/py/ip/meta.t b/tests/py/ip/meta.t
index 4db8835..02ba11d 100644
--- a/tests/py/ip/meta.t
+++ b/tests/py/ip/meta.t
@@ -3,6 +3,8 @@
 *ip;test-ip4;input
 icmp type echo-request;ok
+meta day "Saturday" drop;ok;meta day "Saturday" drop
+meta hour "17:00" drop;ok;meta hour "17:00" drop
 meta l4proto icmp icmp type echo-request;ok;icmp type echo-request
 meta l4proto ipv6-icmp icmpv6 type nd-router-advert;ok;icmpv6 type nd-router-advert
 meta l4proto 58 icmpv6 type nd-router-advert;ok;icmpv6 type nd-router-advert
diff --git a/tests/py/ip/meta.t.payload b/tests/py/ip/meta.t.payload
index 322c087..ad00a1a 100644
--- a/tests/py/ip/meta.t.payload
+++ b/tests/py/ip/meta.t.payload
@@ -1,3 +1,15 @@
+# meta day "Saturday" drop
+ip test-ip4 input
+ [ meta load unknown => reg 1 ]
+ [ cmp eq reg 1 0x0006 ]
+ [ immediate reg 0 drop ]
+
+# meta hour "17:00" drop
+ip test-ip4 input
+ [ meta load unknown => reg 1 ]
+ [ cmp eq reg 1 0xd2f0 0x ]
+ [ immediate reg 0 drop ]
+
 # icmp type echo-request
 ip test-ip4 input
 [ meta load l4proto => reg 1 ]
-- 
2.17.1
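Review bot: The expected register value in the added `meta hour "17:00"` payload entry is timezone-dependent: `0xd2f0` is 54000, i.e. 17:00 (61200 s) minus a +7200 s tm_gmtoff, and the 1/4 commit message says the hour conversion subtracts tm_gmtoff in userspace, so this expectation only holds on a machine whose zone is UTC+2 when the test runs. The test should either pin the zone for the harness (e.g. run under `TZ=UTC`, in which case `17:00` would encode as 61200, `0xef10`) or avoid hard-coding an offset-adjusted value. The same problem applies to the `00:00` and `00:01` entries added to this payload file in patch 4/4 (`0x00013560` is 79200 = 86400 − 7200). The trailing `0x` in `0xd2f0 0x` also looks truncated and should be checked against what the test runner actually prints.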
[PATCH v3 1/4] meta: Introduce new conditions 'time', 'day' and 'hour'
These keywords introduce new checks for a timestamp, an absolute date (which is converted to a timestamp), an hour in the day (which is converted to the number of seconds since midnight) and a day of week. When converting an ISO date (eg. 2019-06-06 17:00) to a timestamp, we need to substract it the GMT difference in seconds, that is, the value of the 'tm_gmtoff' field in the tm structure. This is because the kernel doesn't know about time zones. And hence the kernel manages different timestamps than those that are advertised in userspace when running, for instance, date +%s. The same conversion needs to be done when converting hours (e.g 17:00) to seconds since midnight as well. We also introduce a new command line option (-t, --seconds) to show the actual timestamps when printing the values, rather than the ISO dates, or the hour. Some usage examples: time < "2019-06-06 17:00" drop; time < "2019-06-06 17:20:20" drop; time < 12341234 drop; day "Sat" drop; day 6 drop; hour >= 17:00 drop; hour >= "17:00:01" drop; hour >= 63000 drop;
Signed-off-by: Ander Juaristi
---
 include/datatype.h | 3 +
 include/linux/netfilter/nf_tables.h | 6 +
 include/meta.h | 3 +
 include/nftables.h | 5 +
 include/nftables/libnftables.h | 1 +
 src/datatype.c | 3 +
 src/main.c | 11 +-
 src/meta.c | 292
 src/parser_bison.y | 4 +
 src/scanner.l | 4 +-
 10 files changed, 330 insertions(+), 2 deletions(-)
diff --git a/include/datatype.h b/include/datatype.h
index 63617eb..1f46eb0 100644
--- a/include/datatype.h
+++ b/include/datatype.h
@@ -90,6 +90,9 @@ enum datatypes {
 TYPE_CT_EVENTBIT,
 TYPE_IFNAME,
 TYPE_IGMP_TYPE,
+ TYPE_TIME_DATE,
+ TYPE_TIME_HOUR,
+ TYPE_TIME_DAY,
 __TYPE_MAX
 };
 #define TYPE_MAX (__TYPE_MAX - 1)
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 7bdb234..ce621ed 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -793,6 +793,9 @@ enum nft_exthdr_attributes {
 * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
 * @NFT_META_IIFKIND: packet input interface kind name (dev->rtnl_link_ops->kind)
 * @NFT_META_OIFKIND: packet output interface kind name (dev->rtnl_link_ops->kind)
+ * @NFT_META_TIME: a UNIX timestamp
+ * @NFT_META_TIME_DAY: day of week
+ * @NFT_META_TIME_HOUR: hour of day
 */
 enum nft_meta_keys {
 NFT_META_LEN,
@@ -823,6 +826,9 @@ enum nft_meta_keys {
 NFT_META_SECPATH,
 NFT_META_IIFKIND,
 NFT_META_OIFKIND,
+ NFT_META_TIME,
+ NFT_META_TIME_DAY,
+ NFT_META_TIME_HOUR,
 };
 /**
diff --git a/include/meta.h b/include/meta.h
index a49b4ff..a62a130 100644
--- a/include/meta.h
+++ b/include/meta.h
@@ -41,6 +41,9 @@ extern const struct datatype uid_type;
 extern const struct datatype devgroup_type;
 extern const struct datatype pkttype_type;
 extern const struct datatype ifname_type;
+extern const struct datatype date_type;
+extern const struct datatype hour_type;
+extern const struct datatype day_type;
 extern struct symbol_table *devgroup_tbl;
diff --git a/include/nftables.h b/include/nftables.h
index ed446e2..52aff12 100644
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -62,6 +62,11 @@ static inline bool nft_output_guid(const struct output_ctx *octx)
 return octx->flags & NFT_CTX_OUTPUT_GUID;
 }
+static inline bool nft_output_seconds(const struct output_ctx *octx)
+{
+ return octx->flags & NFT_CTX_OUTPUT_SECONDS;
+}
+
 static inline bool nft_output_numeric_proto(const struct output_ctx *octx)
 {
 return octx->flags & NFT_CTX_OUTPUT_NUMERIC_PROTO;
diff --git a/include/nftables/libnftables.h b/include/nftables/libnftables.h
index e39c588..87d4ff5 100644
--- a/include/nftables/libnftables.h
+++ b/include/nftables/libnftables.h
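Review bot: The new kernel-doc lines `@NFT_META_TIME_DAY: day of week` and `@NFT_META_TIME_HOUR: hour of day` do not state the encoding the kernel is expected to produce, and this is a uapi header that userspace will hard-code against. From the commit message the hour key carries seconds since midnight rather than an hour number, and the Saturday test payload in patch 2/4 compares against 6, which suggests the tm_wday convention; I would write `@NFT_META_TIME_DAY: day of the week (0 = Sunday .. 6 = Saturday)` and `@NFT_META_TIME_HOUR: seconds since midnight`. Since the commit message says the kernel does not know about time zones, `@NFT_META_TIME` should also say the timestamp is UTC-based, so that the userspace tm_gmtoff adjustment has a documented counterpart.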
@@ -52,6 +52,7 @@ enum {
 NFT_CTX_OUTPUT_NUMERIC_PROTO= (1 << 7),
 NFT_CTX_OUTPUT_NUMERIC_PRIO = (1 << 8),
 NFT_CTX_OUTPUT_NUMERIC_SYMBOL = (1 << 9),
+ NFT_CTX_OUTPUT_SECONDS = (1 << 10),
 NFT_CTX_OUTPUT_NUMERIC_ALL = (NFT_CTX_OUTPUT_NUMERIC_PROTO |
 NFT_CTX_OUTPUT_NUMERIC_PRIO |
 NFT_CTX_OUTPUT_NUMERIC_SYMBOL),
diff --git a/src/datatype.c b/src/datatype.c
index 6d6826e..0a00535 100644
--- a/src/datatype.c
+++ b/src/datatype.c
@@ -71,6 +71,9 @@ static const struct datatype *datatypes[TYPE_MAX + 1] = {
 [TYPE_BOOLEAN] = &boolean_type,
 [TYPE_IFNAME] = &ifname_type,
 [TYPE_IGMP_TYPE]= &igmp_type_type,
+ [TYPE_TIME_DATE]= &date_type,
+ [TYPE_TIME_HOUR]= &hour
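Review bot: `NFT_CTX_OUTPUT_SECONDS = (1 << 10)` extends the public libnftables API without any description of what it changes, and nothing in the patch shows the library man page being updated. The commit message explains the effect only in terms of the `-t`/`--seconds` command-line option; the header should carry at least a one-line comment, e.g. `/* print time/hour values as raw seconds instead of dates */`, and the libnftables documentation should list the flag next to the other NFT_CTX_OUTPUT_* flags. The datatype.c hunk that follows is cut off at the end of this page.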
[PATCH v3 4/4] tests/py: More tests for day and hour
Signed-off-by: Ander Juaristi
---
 tests/py/ip/meta.t | 2 ++
 tests/py/ip/meta.t.payload | 12
 2 files changed, 14 insertions(+)
diff --git a/tests/py/ip/meta.t b/tests/py/ip/meta.t
index 02ba11d..dbcff48 100644
--- a/tests/py/ip/meta.t
+++ b/tests/py/ip/meta.t
@@ -5,6 +5,8 @@
 icmp type echo-request;ok
 meta day "Saturday" drop;ok;meta day "Saturday" drop
 meta hour "17:00" drop;ok;meta hour "17:00" drop
+meta hour "00:00" drop;ok
+meta hour "00:01" drop;ok
 meta l4proto icmp icmp type echo-request;ok;icmp type echo-request
 meta l4proto ipv6-icmp icmpv6 type nd-router-advert;ok;icmpv6 type nd-router-advert
 meta l4proto 58 icmpv6 type nd-router-advert;ok;icmpv6 type nd-router-advert
diff --git a/tests/py/ip/meta.t.payload b/tests/py/ip/meta.t.payload
index ad00a1a..be162cf 100644
--- a/tests/py/ip/meta.t.payload
+++ b/tests/py/ip/meta.t.payload
@@ -10,6 +10,18 @@ ip test-ip4 input
 [ cmp eq reg 1 0xd2f0 0x ]
 [ immediate reg 0 drop ]
+# meta hour "00:00" drop
+ip meta-test input
+ [ meta load unknown => reg 1 ]
+ [ cmp eq reg 1 0x00013560 0x ]
+ [ immediate reg 0 drop ]
+
+# meta hour "00:01" drop
+ip meta-test input
+ [ meta load unknown => reg 1 ]
+ [ cmp eq reg 1 0x0001359c 0x ]
+ [ immediate reg 0 drop ]
+
 # icmp type echo-request
 ip test-ip4 input
 [ meta load l4proto => reg 1 ]
-- 
2.17.1
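Review bot: The two added payload entries name the table as `ip meta-test input`, whereas the `.t` file header is `*ip;test-ip4;input` and every other entry in this payload file, including the `17:00` entry in the context lines just above, uses `ip test-ip4 input`; presumably the runner matches on that line, so these expectations would never be compared against the rules they are meant to check. Both lines should read `ip test-ip4 input`. It would also help to say in the commit message why `00:00` and `00:01` are interesting cases (the wrap-around introduced in patch 3/4), since the subject line only says "more tests".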