Add translation for icmpv6 to nftables. Not supported types in nftables
are: no-route, communication-prohibited, beyond-scope,
address-unreachable, port-unreachable, failed-policy, reject-route,
ttl-zero-during-transit, ttl-zero-during-reassembly, bad-header,
unknown-header-type and unknown-option.
Add translation for icmp to nftables. Not supported types in nftables
are: any, network-unreachable, host-unreachable, protocol-unreachable,
port-unreachable, fragmentation-needed, source-route-failed,
network-unknown, host-unknown, network-prohibited, host-prohibited,
TOS-network-unreachable, TOS-
On Mon, Mar 07, 2016 at 07:20:54PM +0100, Pablo Neira Ayuso wrote:
>
> I think you can add these two to icmp_type_tbl in nft/src/proto.c, it
> would be just a two-liner to support ICMP_ROUTERADVERT and
> ICMP_ROUTERSOLICIT.
>
Ok, thanks!
On Mon, Mar 07, 2016 at 11:40:08PM +0530, Shivani Bhardwaj wrote:
> On Mon, Mar 7, 2016 at 11:34 PM, Laura Garcia wrote:
> > On Mon, Mar 07, 2016 at 06:14:08PM +0100, Pablo Neira Ayuso wrote:
> >> On Sun, Mar 06, 2016 at 11:24:44PM +0100, Laura Garcia Liebana wrote:
> > The brackets are not missin
On Mon, Mar 07, 2016 at 07:08:51PM +0100, Laura Garcia wrote:
> On Mon, Mar 07, 2016 at 06:11:19PM +0100, Pablo Neira Ayuso wrote:
> >
> > #define XT_ICMPV6_TYPE(type)(ND_ROUTER_SOLICIT - type)
> >
> > static const char *icmp6_type_xlate_array[] = {
> > [XT_ICMPV6_TYPE(ND_ROUTER_SOLIC
On Mon, Mar 07, 2016 at 07:04:46PM +0100, Laura Garcia wrote:
> On Mon, Mar 07, 2016 at 06:14:08PM +0100, Pablo Neira Ayuso wrote:
> > On Sun, Mar 06, 2016 at 11:24:44PM +0100, Laura Garcia Liebana wrote:
> > > Add translation for icmp to nftables. Not supported types in nftables
> > > are: any, ne
On Mon, Mar 7, 2016 at 11:34 PM, Laura Garcia wrote:
> On Mon, Mar 07, 2016 at 06:14:08PM +0100, Pablo Neira Ayuso wrote:
>> On Sun, Mar 06, 2016 at 11:24:44PM +0100, Laura Garcia Liebana wrote:
>> > Add translation for icmp to nftables. Not supported types in nftables
>> > are: any, network-unrea
On Mon, Mar 07, 2016 at 06:11:19PM +0100, Pablo Neira Ayuso wrote:
> On Sun, Mar 06, 2016 at 11:23:10PM +0100, Laura Garcia Liebana wrote:
> > Add translation for icmpv6 to nftables. Not supported types in nftables
> > are: no-route, communication-prohibited, beyond-scope,
> > address-unreachable,
On Mon, Mar 7, 2016 at 11:30 PM, Pablo Neira Ayuso wrote:
> On Mon, Mar 07, 2016 at 06:56:46PM +0100, Pablo Neira Ayuso wrote:
>> On Mon, Mar 07, 2016 at 11:05:15PM +0530, Shivani Bhardwaj wrote:
>> > Yes, I'll do that.
>> > I need a bit of help here.
>> > I followed some other modules for which s
On Mon, Mar 07, 2016 at 08:24:20PM +0530, Piyush Pangtey wrote:
> Instead of using '/' longopts, use ',', as followed by man pages of other
> programs.
>
> Signed-off-by: Piyush Pangtey
> ---
> doc/nft.xml | 20 ++--
> 1 file changed, 10 insertions(+), 10 deletions(-)
>
> diff
On Mon, Mar 07, 2016 at 06:14:08PM +0100, Pablo Neira Ayuso wrote:
> On Sun, Mar 06, 2016 at 11:24:44PM +0100, Laura Garcia Liebana wrote:
> > Add translation for icmp to nftables. Not supported types in nftables
> > are: any, network-unreachable, host-unreachable, protocol-unreachable,
> > port-un
On Sun, Mar 06, 2016 at 10:26:57AM -0500, Janani Ravichandran wrote:
> Add translation for rt for options --rt-type, --rt-segsleft and --rt-len.
>
> Examples:
>
> $ sudo ip6tables-translate -A INPUT -m rt --rt-type 0 -j DROP
> nft add rule ip6 filter INPUT rt type 0 counter drop
>
> $ sudo ip6ta
On Mon, Mar 07, 2016 at 06:56:46PM +0100, Pablo Neira Ayuso wrote:
> On Mon, Mar 07, 2016 at 11:05:15PM +0530, Shivani Bhardwaj wrote:
> > Yes, I'll do that.
> > I need a bit of help here.
> > I followed some other modules for which support has been mentioned.
> > For example, libipq
> > When I fir
On Mon, Mar 07, 2016 at 11:05:15PM +0530, Shivani Bhardwaj wrote:
> On Mon, Mar 7, 2016 at 7:39 PM, Pablo Neira Ayuso wrote:
> > On Mon, Mar 07, 2016 at 02:44:47PM +0530, Shivani Bhardwaj wrote:
> >> Add the --enable-connlabel option and show whether it is already
> >> supported.
> >>
> >> After t
On 02/29/2016 01:33 PM, Zefir Kurtisi wrote:
> I've been fighting a kernel bug that is producing random crashes around
> network / skb_layer for a long time and was able to isolate it (or one of its
> components) to the br_netfilter module.
>
> I am reproducing the bug with PowerPC (TL-WDR49
On Mon, Mar 7, 2016 at 7:39 PM, Pablo Neira Ayuso wrote:
> On Mon, Mar 07, 2016 at 02:44:47PM +0530, Shivani Bhardwaj wrote:
>> Add the --enable-connlabel option and show whether it is already
>> supported.
>>
>> After this patch, iptables configuration shows up as:
>>
>> Iptables Configuration:
>
On Sun, Mar 06, 2016 at 11:24:44PM +0100, Laura Garcia Liebana wrote:
> Add translation for icmp to nftables. Not supported types in nftables
> are: any, network-unreachable, host-unreachable, protocol-unreachable,
> port-unreachable, fragmentation-needed, source-route-failed,
> network-unknown, ho
Now it is possible to store multiple variable length user data into rule.
Modify the parser in order to fill the nftnl_udata with the comment, and the
print function to extract this commentary and print it to the user.
Signed-off-by: Carlos Falgueras García
---
include/rule.h| 11 +
Modify nft-rule-test.c to check TLV attribute inclusion in nftnl_rule.
Add "*-rule-udata.[json|xml]" to check parsers.
Signed-off-by: Carlos Falgueras García
---
tests/jsonfiles/71-rule-udata.json | 1 +
tests/nft-rule-test.c | 21 +
tests/xmlfiles/82-rule-udata
Now it is possible to store multiple variable length user data into a rule.
Modify XML and JSON parsers to support this new feature.
Signed-off-by: Carlos Falgueras García
---
include/json.h | 7 ++
include/utils.h | 2 +
include/xml.h | 5 ++
src/jansson.c | 41 +
src/mxml.c
These functions allow creating a buffer (nftnl_udata_buf) of TLV objects
(nftnl_udata). It is inspired by libmnl/src/attr.c. It can be used to store
several variable length user data into an object.
Example usage:
```
struct nftnl_udata_buf *buf;
struct nftnl_udata *attr;
```
On Sun, Mar 06, 2016 at 11:23:10PM +0100, Laura Garcia Liebana wrote:
> Add translation for icmpv6 to nftables. Not supported types in nftables
> are: no-route, communication-prohibited, beyond-scope,
> address-unreachable, port-unreachable, failed-policy, reject-route,
> ttl-zero-during-transit, t
On Sun, Mar 06, 2016 at 11:24:44PM +0100, Laura Garcia Liebana wrote:
> Add translation for icmp to nftables. Not supported types in nftables
> are: any, network-unreachable, host-unreachable, protocol-unreachable,
> port-unreachable, fragmentation-needed, source-route-failed,
> network-unknown, ho
On Mon, Mar 07, 2016 at 10:13:51PM +0530, Shivani Bhardwaj wrote:
> On Mon, Mar 7, 2016 at 8:09 PM, Pablo Neira Ayuso wrote:
> > On Fri, Mar 04, 2016 at 03:31:45AM +0530, Shivani Bhardwaj wrote:
> >> Add translation for dccp to nftables.
> >>
> >> Full translation of this match awaits the support
On Mon, Mar 7, 2016 at 8:09 PM, Pablo Neira Ayuso wrote:
> On Fri, Mar 04, 2016 at 03:31:45AM +0530, Shivani Bhardwaj wrote:
>> Add translation for dccp to nftables.
>>
>> Full translation of this match awaits the support for --dccp-option.
>>
>> Examples:
>>
>> $ sudo iptables-translate -A INPUT
Instead of using '/' longopts, use ',', as followed by man pages of other
programs.
Signed-off-by: Piyush Pangtey
---
doc/nft.xml | 20 ++--
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/doc/nft.xml b/doc/nft.xml
index 7cc9988..eab97f5 100644
--- a/doc/nft.xml
On Fri, Mar 04, 2016 at 03:31:45AM +0530, Shivani Bhardwaj wrote:
> Add translation for dccp to nftables.
>
> Full translation of this match awaits the support for --dccp-option.
>
> Examples:
>
> $ sudo iptables-translate -A INPUT -p dccp -m dccp --sport 100
> nft add rule ip filter INPUT dccp
On Sat, Mar 05, 2016 at 09:00:41PM +0100, Laura Garcia Liebana wrote:
> Add translation for icmp to nftables.
>
> Examples:
>
> $ sudo iptables-translate -t filter -A INPUT -m icmp --icmp-type any -j LOG
> nft add rule ip filter INPUT icmp type any counter log level warn
>
> $ sudo iptables-tran
On Mon, Mar 07, 2016 at 02:44:47PM +0530, Shivani Bhardwaj wrote:
> Add the --enable-connlabel option and show whether it is already
> supported.
>
> After this patch, iptables configuration shows up as:
>
> Iptables Configuration:
> IPv4 support: yes
> IPv6 supp
On Mon, Mar 7, 2016 at 7:02 PM, Pablo Neira Ayuso wrote:
> On Mon, Mar 07, 2016 at 06:55:31PM +0530, Shivani Bhardwaj wrote:
>> On Mon, Mar 7, 2016 at 6:35 PM, Pablo Neira Ayuso
>> wrote:
>> > On Sun, Mar 06, 2016 at 01:07:03AM +0100, Florian Westphal wrote:
>> >> Shivani Bhardwaj wrote:
>> >>
On Mon, Mar 07, 2016 at 02:30:04PM +0100, Florian Westphal wrote:
> Shivani Bhardwaj wrote:
> > On Mon, Mar 7, 2016 at 6:35 PM, Pablo Neira Ayuso
> > wrote:
> > > On Sun, Mar 06, 2016 at 01:07:03AM +0100, Florian Westphal wrote:
> > >> Shivani Bhardwaj wrote:
> > >> > Add translation for connla
On Mon, Mar 07, 2016 at 06:55:31PM +0530, Shivani Bhardwaj wrote:
> On Mon, Mar 7, 2016 at 6:35 PM, Pablo Neira Ayuso wrote:
> > On Sun, Mar 06, 2016 at 01:07:03AM +0100, Florian Westphal wrote:
> >> Shivani Bhardwaj wrote:
> >> > Add translation for connlabel to nftables.
> >> > Full translation
Shivani Bhardwaj wrote:
> On Mon, Mar 7, 2016 at 6:35 PM, Pablo Neira Ayuso wrote:
> > On Sun, Mar 06, 2016 at 01:07:03AM +0100, Florian Westphal wrote:
> >> Shivani Bhardwaj wrote:
> >> > Add translation for connlabel to nftables.
> >> > Full translation for this match awaits the support for --
On Mon, Mar 7, 2016 at 6:35 PM, Pablo Neira Ayuso wrote:
> On Sun, Mar 06, 2016 at 01:07:03AM +0100, Florian Westphal wrote:
>> Shivani Bhardwaj wrote:
>> > Add translation for connlabel to nftables.
>> > Full translation for this match awaits the support for --set option.
>>
>> Hmm, I sent patch
On 05.03, christophe leroy wrote:
> Hello,
>
> I'm trying to implement support for CT HELPERs in linux kernel for
> nftables and need some help/guidance.
>
> The rule being 'udp dport tftp ct helper set "tftp"', I get
> nft_ct_set_init() called when I add the rule in the table output filter
> ta
On Sun, Mar 06, 2016 at 01:07:03AM +0100, Florian Westphal wrote:
> Shivani Bhardwaj wrote:
> > Add translation for connlabel to nftables.
> > Full translation for this match awaits the support for --set option.
>
> Hmm, I sent patches for that a while ago, don't know why they were
> not applied.
The 'reset' keyword can be used as dccp type, so don't qualify it as a
reserved keyword to avoid a conflict with this.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1055
Reported-by: Shivani Bhardwaj
Signed-off-by: Pablo Neira Ayuso
---
src/parser_bison.y | 11 ---
src/scanner.l
This patch makes sure we test dccp type.
Signed-off-by: Pablo Neira Ayuso
---
tests/py/inet/dccp.t| 7 +++
tests/py/inet/dccp.t.payload.inet | 27 +++
tests/py/inet/dccp.t.payload.ip | 27 +++
tests/py/inet/dccp.t.payload.
Patrick McHardy wrote:
> Fix duplicated and incorrect assignments.
Ugh, my bad. Thanks for fixing this up!
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-
Fix duplicated and incorrect assignments.
Signed-off-by: Patrick McHardy
---
src/trace.c | 51 +--
1 file changed, 13 insertions(+), 38 deletions(-)
diff --git a/src/trace.c b/src/trace.c
index b04abb5..9655f0a 100644
--- a/src/trace.c
+++ b/src/t
Add the --enable-connlabel option and show whether it is already
supported.
After this patch, iptables configuration shows up as:
Iptables Configuration:
IPv4 support: yes
IPv6 support: yes
Devel support:yes
IPQ suppo
41 matches