Hi,
This patchset introduces the named stateful expressions for nf_tables,
which allow userspace to set a name for the stateful expression for
several reasons:
* Provide a unique identifier to fetch and reset its internal state.
* Allow updating their parameters and internal state.
* Allow
This patch adds the 'nexpr' expression, this expression allows us to
refer to existing named expressions. This generic expression can be used
from rules and set elements.
This patch also adds nft_nexpr_lookup() to the core, as this new
expression requires this function.
Signed-off-by: Pablo Neira
This patch adds a new NFT_MSG_GETNEXPR_RESET command to dump and to
atomically reset the internal state of the named expression.
Stateful expressions may implement the new reset() interface to allow
the reset of these named expressions.
This patch comes with the first client of it: the nft_counter
Users can define named counters in iptables through the nfacct
infrastructure. This extended accounting infrastructure provides a
netlink interface to create counters, that are uniquely identified by a
name, to fetch them from userspace; and to (atomically) fetch and reset
them.
In nf_tables, the
Tested-by: Vadim A. Misbakh-Soloviov
--
// now it generates valid nftables rule
The iptables command:
-m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE
should translate to:
tcp flags & fin|syn|rst|psh|ack|urg == 0x0
instead of:
tcp flags & fin|syn|rst|psh|ack|urg == none
Reported-by: Vadim A. Misbakh-Soloviov
Signed-off-by: Arturo Borrero Gonzalez
---
extensions/libxt_t
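The mapping described in the patch above, as an added example that is not the libxt_tcp translate code itself: a small Python translator from `--tcp-flags MASK COMP` to the nftables form, which emits `0x0` for an empty comparison set instead of the invalid `none`. The helper names, the handling of `ALL`/`NONE` and the optional negation are assumptions of this example.

```python
# Added example (hypothetical helper, not libxt_tcp's translate callback):
# translate "-m tcp --tcp-flags MASK COMP" into the nftables expression
# "tcp flags & MASK == COMP", keeping nft's lower-case flag names.

TCP_FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg")


def parse_flag_list(spec):
    """Parse an iptables flag list: comma separated names, or ALL / NONE."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return list(TCP_FLAGS)
    if spec == "NONE":
        return []
    flags = []
    for item in spec.split(","):
        name = item.strip().lower()
        if name not in TCP_FLAGS:
            raise ValueError("unknown tcp flag: %r" % item)
        if name not in flags:
            flags.append(name)
    return flags


def render_flags(flags):
    """Render a flag set in nft syntax, in canonical header order."""
    # An empty set must become the numeric 0x0; nft does not accept "none".
    if not flags:
        return "0x0"
    return "|".join(f for f in TCP_FLAGS if f in flags)


def translate_tcp_flags(mask, comp, negate=False):
    """Return the nft expression for "[!] --tcp-flags mask comp"."""
    mask_flags = parse_flag_list(mask)
    comp_flags = parse_flag_list(comp)
    if not mask_flags:
        # A mask of NONE would examine no bits at all; iptables rejects it.
        raise ValueError("mask must name at least one flag")
    op = "!=" if negate else "=="
    return "tcp flags & %s %s %s" % (render_flags(mask_flags), op,
                                     render_flags(comp_flags))


if __name__ == "__main__":
    # The case from the bug report: all six flags examined, none set.
    print(translate_tcp_flags("FIN,SYN,RST,PSH,ACK,URG", "NONE"))
    # The usual "new connection" match.
    print(translate_tcp_flags("SYN,ACK", "SYN"))
```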
Basic tests to check that we can perform operations in different network
namespaces.
Signed-off-by: Arturo Borrero Gonzalez
---
tests/shell/testcases/netns/0001nft-f_0 | 116 +
tests/shell/testcases/netns/0002loosecommands_0 | 63 +++
tests/shell/testcases/net