Hi,
Clean tested working pulls CPUs and QTYs in stock.
115 X X5650
65 X E5410
75 X X5660
145 X E5530
100 X E5645
40 X X5680
75 X X5690
Brand new sealed IP phones and QTYs in stock.
55 x CP-7937G
77 x CP-7942G
54 x CP-7945G
75 x CP-7962G
..
45 x Avaya 9630
65 x Avaya 9641
55 x Avaya 9640
U
Add translation for module hop-by-hop to nftables.
Full translation of this match awaits the support for --hbh-opts option.
Examples:
$ sudo ip6tables-translate -A INPUT -m hbh --hbh-len 33
nft add rule ip6 filter INPUT hbh hdrlength 33 counter
$ sudo ip6tables-translate -A INPUT -m hbh ! --hbh-
Add translation for sctp to nftables.
Full translation of this match awaits the support for --chunk-types
option.
Examples:
$ sudo iptables-translate -A INPUT -p sctp --dport 80 -j DROP
nft add rule ip filter INPUT sctp dport 80 counter drop
$ sudo iptables-translate -A INPUT -p sctp ! --sport 8
Add translation for random mode to nftables. The nth mode is not
supported yet.
Examples:
$ iptables-translate -A INPUT -m statistic --mode random --probability
0.1 -j ACCEPT
nft add rule ip filter INPUT meta random 0.109 counter accept
$ iptables-translate -A INPUT -m statistic --mode r
On Wed, Feb 03, 2016 at 10:00:10AM -0800, Joe Stringer wrote:
> Since commit 0848f6428ba3 ("inet: frags: fix defragmented packet's IP
> header for af_packet"), ip_send_check() would be called twice for
> defragmentation that occurs from netfilter ipv4 defrag hooks. Remove the
> extra call.
Applied
On Tue, Mar 01, 2016 at 04:49:36PM +0100, Laura Garcia wrote:
> On Tue, Mar 01, 2016 at 03:21:24PM +0530, Shivani Bhardwaj wrote:
> > On Tue, Mar 1, 2016 at 2:52 AM, Laura Garcia Liebana
> > wrote:
> >
> > Hi Laura,
> >
> > > Add translation for random to nftables.
> > >
> > Here, you are provi
Add translation for module owner to nftables.
Full translation of this match awaits the support for --socket-exists
option.
Examples:
$ sudo iptables-translate -t nat -A OUTPUT -p tcp --dport 80 -m owner
--uid-owner root -j ACCEPT
nft add rule ip nat OUTPUT tcp dport 80 skuid 0 counter accept
$
On Mon, Feb 29, 2016 at 05:50:39PM +0100, Florian Westphal wrote:
> given
>
> table filter {
> set local {
> type iface_index
> elements = { lo }
> }
> chain input {
> type filter hook input priority 0;
> iif { @lan, } accept;
> }
> }
>
> nft BUG()s. I don't see how we co
On Wed, Mar 02, 2016 at 12:05:47AM +0530, Shivani Bhardwaj wrote:
> Add translation for target masquerade to nftables.
> Full translation of this target awaits the support for --to-ports
> option.
Just sent the patch to support this.
Could you add translation for that and send a v2? Thanks.
--
To
From: Shivani Bhardwaj
Provide full support for masquerading by allowing port range selection, e.g.
# nft add rule nat postrouting ip protocol tcp masquerade to :1024-10024
Signed-off-by: Shivani Bhardwaj
Signed-off-by: Pablo Neira Ayuso
---
v3: Don't use stmt->nat.proto from the delinearize
From: Shivani Bhardwaj
Complete masquerading support by allowing port range selection.
Signed-off-by: Shivani Bhardwaj
Signed-off-by: Pablo Neira Ayuso
---
No changes, just Shivani's original patch.
include/libnftnl/expr.h | 4 ++-
include/linux/netfilter/nf_tables.h | 2 ++
sr
On Tue, Mar 01, 2016 at 04:56:59PM +0100, Laura Garcia wrote:
> On Tue, Mar 01, 2016 at 11:13:31AM +0100, Pablo Neira Ayuso wrote:
> >
> > I would like to have them merged upstream, no need to wait to fully
> > support every extension, we can document these limitations in the wiki
> > and the comm
Complete masquerading support by allowing port range selection.
Signed-off-by: Pablo Neira Ayuso
---
v2: Fix netlink parsing problems in the dump and init function.
include/net/netfilter/nft_masq.h | 4 ++-
include/uapi/linux/netfilter/nf_tables.h | 4 +++
net/ipv4/netfilter/nft_masq_
Add translation for target masquerade to nftables.
Full translation of this target awaits the support for --to-ports
option.
Examples:
$ sudo ip6tables-translate -t nat -A POSTROUTING -o eth0 -j MASQUERADE
nft add rule ip6 nat POSTROUTING oifname eth0 counter masquerade
$ sudo ip6tables-translat
Add translation for target MASQUERADE to nftables.
Full translation of this target awaits the support for --to-ports option.
Examples:
$ sudo iptables-translate -t nat -A POSTROUTING -o eth0 -j MASQUERADE
nft add rule ip nat POSTROUTING oifname eth0 counter masquerade
$ sudo iptables-translate -
On Fri, Feb 26, 2016 at 12:34:50AM +0530, Guruswamy Basavaiah wrote:
> Output of command "./iptables-translate junk" is Bad argument
> `junk' Try `iptables-translate -h' or 'iptables-translate --help' for more
> information. nft
>
> Output of command "./iptables-translate -B" is
> iptables-tran
On Tue, Mar 01, 2016 at 11:13:31AM +0100, Pablo Neira Ayuso wrote:
>
> I would like to have them merged upstream, no need to wait to fully
> support every extension, we can document these limitations in the wiki
> and the commit log.
>
> IIRC, if the .xlate indirection returns 0, then it means no
On Tue, Mar 01, 2016 at 03:21:24PM +0530, Shivani Bhardwaj wrote:
> On Tue, Mar 1, 2016 at 2:52 AM, Laura Garcia Liebana wrote:
>
> Hi Laura,
>
> > Add translation for random to nftables.
> >
> Here, you are providing translation for module statistic, random is
> just a mode for matching the rul
exhdr needs to be treated as if we'd test an ipv6 header field, i.e.
inet, bridge, netdev need to add a dependency on ipv6 protocol.
Signed-off-by: Florian Westphal
---
tests/py/ip6/dst.t.payload.inet | 30
tests/py/ip6/frag.t.payload.inet | 145 +++
Don't allow use of exthdr with e.g. ip family.
Move frag.t to ip6 directory and don't use it with ipv4 anymore.
This change causes major test failures for all exthdr users
since they now fail with inet/bridge/netdev families.
Will be resolved in a later patch -- we need to add
an ipv6 dependency
rule ip6 filter input frag frag-off 33
before patch:
[ exthdr load 1b @ 44 + 2 => reg 1 ]
[ cmp eq reg 1 0x2100 ]
We truncated a 13-bit field to 1 byte.
after patch:
[ exthdr load 2b @ 44 + 2 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xf8ff ) ^ 0x ]
[ cmp eq reg 1 0x0801 ]
- a
Should treat this as if user would have asked to match ipv6 header field.
Signed-off-by: Florian Westphal
---
include/payload.h | 2 ++
src/evaluate.c | 17 ++---
src/payload.c | 15 +++
3 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/include/paylo
This enables nft to display
frag frag-off 33
... by considering a mask during binop postprocess in case
the initial template lookup done when the exthdr expression was
created did not yield a match.
In the above example, kernel netlink data specifies 16bits,
but the frag field is only 13b
exthdr expression requires a dependency on ipv6; we can
thus remove an ipv6 protocol test if it's present.
Signed-off-by: Florian Westphal
---
src/netlink_delinearize.c | 13 ++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/netlink_delinearize.c b/src/netlink_delin
This adds following enhancements and fixes for the exthdr
expression.
#1. Treat exthdr as if user asked for an ip6 protocol header field,
i.e. add ipv6 dependency for bridge/netdev/inet family.
#2. Add scaling and masking to handle protocol headers that have
non-byte divisible sizes.
Tested br
netlink_gen_payload_mask assumes expr is a payload expression,
but most of this function would work fine with exthdr too.
So split the generic part into a helper, followup patch will
add netlink_gen_exthdr_mask.
Signed-off-by: Florian Westphal
---
src/netlink_linearize.c | 35 +++
binop_postprocess takes care of removing masks if we're dealing
with payload expressions that have non-byte divisible sizes
or offsets.
Same can happen when matching some extension header fields, i.e.
this also needs to handle exthdr expression, not just payload.
So rename payload to left and mov
It's possible that we cannot find the template without also
considering an implicit mask. For this we need to store the offset.
Signed-off-by: Florian Westphal
---
include/expression.h | 1 +
src/exthdr.c | 2 ++
2 files changed, 3 insertions(+)
diff --git a/include/expression.h b/inclu
We should treat exthdr just as if user asked for e.g. ip6 saddr
and inject the needed dependency statement.
Signed-off-by: Florian Westphal
---
src/payload.c | 66 ++-
1 file changed, 38 insertions(+), 28 deletions(-)
diff --git a/src/payl
Shivani Bhardwaj wrote:
> On Tue, Mar 1, 2016 at 6:47 PM, Florian Westphal wrote:
> > Shivani Bhardwaj wrote:
> >> Add missing packet type "invalid" for DCCP.
> >>
> >> Signed-off-by: Shivani Bhardwaj
> >> ---
> >> src/proto.c | 1 +
> >> 1 file changed, 1 insertion(+)
> >>
> >> diff --git a/s
On Tue, Mar 1, 2016 at 6:47 PM, Florian Westphal wrote:
> Shivani Bhardwaj wrote:
>> Add missing packet type "invalid" for DCCP.
>>
>> Signed-off-by: Shivani Bhardwaj
>> ---
>> src/proto.c | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/src/proto.c b/src/proto.c
>> index 0ed98ed..4d
Shivani Bhardwaj wrote:
> Add missing packet type "invalid" for DCCP.
>
> Signed-off-by: Shivani Bhardwaj
> ---
> src/proto.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/src/proto.c b/src/proto.c
> index 0ed98ed..4d049f5 100644
> --- a/src/proto.c
> +++ b/src/proto.c
> @@ -443,6 +
On Tue, Mar 01, 2016 at 12:00:55PM +0100, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > > Ok, but how do you plan to handle the key length?
> >
> > Right, in concatenations we can infer this from the lhs, but in set
> > definitions there is no way.
>
> Okay. So what's the plan there?
From: Shivani Bhardwaj
Provide full support for masquerading by allowing port range selection.
Signed-off-by: Shivani Bhardwaj
Signed-off-by: Pablo Neira Ayuso
---
v2: Resolve pending problems in Shivani's original work in the evaluation
step and use stmt_expr from the parser.
include/st
Add translation for dccp to nftables.
Full translation of this match awaits the support for --dccp-option.
Also, since inversion of set is not possible in nftables, using dccp
with rules like
...dccp type != {request, response}..
is going to throw errors.
Examples:
$ sudo iptables-translate -A I
Add missing packet type "invalid" for DCCP.
Signed-off-by: Shivani Bhardwaj
---
src/proto.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/proto.c b/src/proto.c
index 0ed98ed..4d049f5 100644
--- a/src/proto.c
+++ b/src/proto.c
@@ -443,6 +443,7 @@ static const struct symbol_table dccp_pk
Pablo Neira Ayuso wrote:
> > Ok, but how do you plan to handle the key length?
>
> Right, in concatenations we can infer this from the lhs, but in set
> definitions there is no way.
Okay. So what's the plan there?
> What I would suggest is to recover a patch that Patrick submitted that
> intro
On Tue, Mar 01, 2016 at 03:21:24PM +0530, Shivani Bhardwaj wrote:
> On Tue, Mar 1, 2016 at 2:52 AM, Laura Garcia Liebana wrote:
>
> Hi Laura,
>
> > Add translation for random to nftables.
> >
> Here, you are providing translation for module statistic, random is
> just a mode for matching the rul
On Mon, Feb 29, 2016 at 02:19:23PM +0100, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > The problem is that unqualified types cannot be currently used because
> > they have no specific length.
>
> Yes.
>
> > Carlos has been submitting patches for a while (he's on Cc) that it
> > would be
On Tue, Mar 1, 2016 at 2:52 AM, Laura Garcia Liebana wrote:
Hi Laura,
> Add translation for random to nftables.
>
Here, you are providing translation for module statistic, random is
just a mode for matching the rule. Please make sure to use correct
module name in the commit message next time.
>
40 matches