[PATCH v3] extensions: libxt_dccp: Add translation to nft

2016-03-03 Thread Shivani Bhardwaj
Add translation for dccp to nftables. Full translation of this match awaits the support for --dccp-option. Examples: $ sudo iptables-translate -A INPUT -p dccp -m dccp --sport 100 nft add rule ip filter INPUT dccp sport 100 counter $ sudo iptables-translate -A INPUT -p dccp -m dccp --dport 100:

[PATCH v2] extensions: libxt_dccp: Add translation to nft

2016-03-03 Thread Shivani Bhardwaj
Add translation for dccp to nftables. Full translation of this match awaits the support for --dccp-option. Examples: $ sudo iptables-translate -A INPUT -p dccp -m dccp --sport 100 nft add rule ip filter INPUT dccp sport 100 counter $ sudo iptables-translate -A INPUT -p dccp -m dccp --dport 100:

Re: [PATCH nft 3/4] meta: add probability matching

2016-03-03 Thread Jan Engelhardt
On Thursday 2016-03-03 21:32, Florian Westphal wrote: >Jan Engelhardt wrote: >> On Thursday 2016-03-03 18:56, Florian Westphal wrote: >> >> >The float value has to be in range of 0.001 to 0.999 and >> >+ >> >+ if (tmp >= UINT_MAX || d > 0.999) >> >+ return

Re: [PATCH nft 3/4] meta: add probability matching

2016-03-03 Thread Florian Westphal
Jan Engelhardt wrote: > On Thursday 2016-03-03 18:56, Florian Westphal wrote: > > >The float value has to be in range of 0.001 to 0.999 and > >+ > >+if (tmp >= UINT_MAX || d > 0.999) > >+return error(loc, "Probability " META_PROB_FMT " too > >%s", d, "

Re: [PATCH nft 3/4] meta: add probability matching

2016-03-03 Thread Jan Engelhardt
On Thursday 2016-03-03 18:56, Florian Westphal wrote: >The float value has to be in range of 0.001 to 0.999 and >+ >+ if (tmp >= UINT_MAX || d > 0.999) >+ return error(loc, "Probability " META_PROB_FMT " too >%s", d, "big"); You are misappropriating

Re: [nft PATCH v2] tests/listing: add some listing tests

2016-03-03 Thread Pablo Neira Ayuso
On Wed, Jan 13, 2016 at 07:29:09PM +0100, Arturo Borrero Gonzalez wrote: > Let's test what is shown with the 'list' command, for ruleset, tables and > sets. > > In order to ease debug in case of failure, if the diff tool is in the system, > then a textual diff is printed. Applied, thanks Arturo.

Re: [nft PATCH v2] rule: delete extra space in sets printing

2016-03-03 Thread Pablo Neira Ayuso
On Wed, Jan 13, 2016 at 06:21:41PM +0100, Arturo Borrero Gonzalez wrote: > The extra space is printed when sets are printed in tabulated format. > > table inet test { > set test { > ^ > type ipv4_addr > } > } > > However, the space is still required in pr

Re: [nft PATCH] tests/shell: add first `nft -f' tests

2016-03-03 Thread Pablo Neira Ayuso
On Wed, Jan 13, 2016 at 07:25:46PM +0100, Arturo Borrero Gonzalez wrote: > This patch add some basic initial tests. Also applied, thanks.

extensions: libxt_multiport: Multiport translations

2016-03-03 Thread Piyush Pangtey
Added multiport translations for ipv4 only. It's for review purpose only, it definitely needs changes. example: iptables-translate -A INPUT -p tcp -m multiport --dports 22,http,ssh -j ACCEPT nft add rule ip filter INPUT ip protocol tcp dport { 22,80,22 } counter accept diff --git a/extensions

Re: [PATCH] extensions: libxt_dccp: Add translation to nft

2016-03-03 Thread Pablo Neira Ayuso
On Tue, Mar 01, 2016 at 06:41:33PM +0530, Shivani Bhardwaj wrote: > Add translation for dccp to nftables. > > Full translation of this match awaits the support for --dccp-option. > Also, since inversion of set is not possible in nftables, using dccp > with rules like > ...dccp type != {request, re

Re: [PATCH] src: proto: Add missing packet type

2016-03-03 Thread Pablo Neira Ayuso
On Tue, Mar 01, 2016 at 03:01:06PM +0100, Florian Westphal wrote: > Shivani Bhardwaj wrote: > > On Tue, Mar 1, 2016 at 6:47 PM, Florian Westphal wrote: > > > Shivani Bhardwaj wrote: > > >> Add missing packet type "invalid" for DCCP. > > >> > > >> Signed-off-by: Shivani Bhardwaj > > >> --- > > >

[PATCH nft 1/3] expression: add helper to decide if operator needs to be shown

2016-03-03 Thread Florian Westphal
tcp dport 22 is treated as if user had given 'tcp dport == 22'. When printing, the implicit == is omitted. In some other cases we use OP_AND instead, e.g. tcp flags ack means 'tcp flags & ack != 0'. In all of these cases, we print the rule in the short form, without showing this implicit operator

[PATCH nft 4/4] meta: add tests for probability matching

2016-03-03 Thread Florian Westphal
Signed-off-by: Florian Westphal --- tests/py/any/meta.t | 16 tests/py/any/meta.t.payload | 15 +++ 2 files changed, 31 insertions(+) diff --git a/tests/py/any/meta.t b/tests/py/any/meta.t index c10297a..4fa961f 100644 --- a/tests/py/any/meta.t +++ b/tests/py

[PATCH nft 3/4] meta: add probability matching

2016-03-03 Thread Florian Westphal
nft meta probability 0.5 probabilistic matching just like iptables '-m statistic --mode random --probability 0.5': Internally nft translates the request to this: [ meta load prandom => reg 1 ] [ cmp lte reg 1 0xff7f ] but this stays hidden from the user (i.e. <= operator is not shown on l

Re: [PATCH 1/2] iptables: utils: Add bash completion

2016-03-03 Thread Mart Frauenlob
On 02.03.2016 13:54, Pablo Neira Ayuso wrote: On Wed, Mar 02, 2016 at 01:24:01PM +0100, Mart Frauenlob wrote: On 02.03.2016 12:34, Pablo Neira Ayuso wrote: On Thu, Feb 25, 2016 at 04:06:53PM +0100, Mart Frauenlob wrote: [...] One idea is to push into iptables some infrastructure so the scrip

Re: [PATCH v2] extensions: libxt_sctp: Add translation to nft

2016-03-03 Thread Pablo Neira Ayuso
On Thu, Mar 03, 2016 at 12:58:48AM +0530, Shivani Bhardwaj wrote: > Add translation for sctp to nftables. > Full translation of this match awaits the support for --chunk-types > option. > > Examples: > > $ sudo iptables-translate -A INPUT -p sctp --dport 80 -j DROP > nft add rule ip filter INPUT

Re: [PATCH v2] extensions: libxt_owner: Add translation to nft

2016-03-03 Thread Pablo Neira Ayuso
On Thu, Mar 03, 2016 at 12:45:55AM +0530, Shivani Bhardwaj wrote: > Add translation for module owner to nftables. > Full translation of this match awaits the support for --socket-exists > option. > > Examples: > > $ sudo iptables-translate -t nat -A OUTPUT -p tcp --dport 80 -m owner > --uid-owne