Re: Creating custom ipsets

2018-08-09 Thread Akshat Kakkar
> What is missing for your use case? For example, can we store connmark and tc classid in skbinfo of named set in nftables? > the original ips are already stored in conntrack. If you want to store > nat mappings: This is already implemented in nft set infra. > What are you trying to do? Can we hav

Re: Creating custom ipsets

2018-08-09 Thread Akshat Kakkar
> No, that's a totally wrong way. ipset is independent from > iptables/ip6tables: you cannot refer to a match/target/chain from ipset. > It also makes no sense to reimplement those in ipset. Yes. That's obvious: iptables needs to do decision handling, packet flow, etc. Just that, I want to store

Re: [iptables PATCH] tests: Fix skipping for recent nft-only tests

2018-08-09 Thread Phil Sutter
On Thu, Aug 09, 2018 at 09:57:18PM +0200, Florian Westphal wrote: > Phil Sutter wrote: > > Got it! The problem is ebt_limit.ko is not automatically loaded as it > > should. I noticed that problem once but forgot about it again. If you > > manually modprobe ebt_limit before running the testsuite, i

Re: [iptables PATCH] tests: Fix skipping for recent nft-only tests

2018-08-09 Thread Florian Westphal
Phil Sutter wrote: > Got it! The problem is ebt_limit.ko is not automatically loaded as it > should. I noticed that problem once but forgot about it again. If you > manually modprobe ebt_limit before running the testsuite, it should all > pass. Indeed, I've applied this, thank you. I wonder if we

Re: [iptables PATCH] xtables: Don't pass full invflags to add_compat()

2018-08-09 Thread Florian Westphal
Phil Sutter wrote: > The function expects a boolean, not a bitfield. This bug caused > inversion in another match to carry over to protocol match by accident. > The supplied testcase contains rules which then fail because they > contain matches requiring that protocol. Applied, thank you. -- To u

Re: [iptables PATCH] tests: Fix skipping for recent nft-only tests

2018-08-09 Thread Phil Sutter
On Thu, Aug 09, 2018 at 09:23:48PM +0200, Florian Westphal wrote: > Florian Westphal wrote: > > Phil Sutter wrote: > > > In an attempt to sanitize shell scripting, exit test in recent testcases > > > was altered, which led to them being skipped even in nft test runs. Drop > > > the quotes so that

[PATCH libnftnl v5 3/3] examples: Add test for assigning timeout objects via rule

2018-08-09 Thread Harsha Sharma
Usage: ./nft-rule-ct-timeout-add ip filter input some-name ./nft-rule-get ip filter ip filter input 4 [ objref type 7 name some-name ] nft list ruleset ... chain input { ct timeout set "some-name" } Signed-off-by: Harsha Sharma --- Changes in v5: - No changes Changes in v4: - updated

[PATCH libnftnl v5 2/3] examples: add nft-ct-timeout-{add,del,get}

2018-08-09 Thread Harsha Sharma
Add, list and delete ct timeout objects from specified table Usage e.g.: % ./nft-ct-timeout-add ip filter some-name tcp % ./nft-ct-timeout-get ip filter table filter name some-name use 0 [ ct_timeout family 2 protocol 6 policy = {ESTABLISHED = 111,CLOSE_WAIT = 14, CLOSE = 16}] % ./nft-ct-timeout-

[PATCH libnftnl v5 1/3] src: add ct timeout support

2018-08-09 Thread Harsha Sharma
Add support for ct timeout objects, used to assign connection tracking timeout policies. Signed-off-by: Harsha Sharma --- Changes in v5: - Remove nftnl_timeout_policy_attr_set_u32 - remove NFTNL_OBJ_CT_TIMEOUT_POLICY - remove nftnl_obj_get_void - minor changes Changes in v4: - updated includ

Re: [iptables PATCH] tests: Fix skipping for recent nft-only tests

2018-08-09 Thread Phil Sutter
Hi Florian, On Thu, Aug 09, 2018 at 09:16:07PM +0200, Florian Westphal wrote: > Phil Sutter wrote: > > In an attempt to sanitize shell scripting, exit test in recent testcases > > was altered, which led to them being skipped even in nft test runs. Drop > > the quotes so that globbing happens agai

Re: [iptables PATCH] tests: Fix skipping for recent nft-only tests

2018-08-09 Thread Florian Westphal
Florian Westphal wrote: > Phil Sutter wrote: > > In an attempt to sanitize shell scripting, exit test in recent testcases > > was altered, which led to them being skipped even in nft test runs. Drop > > the quotes so that globbing happens again. > > Are the tests supposed to pass with current ma

Re: [iptables PATCH] tests: Fix skipping for recent nft-only tests

2018-08-09 Thread Florian Westphal
Phil Sutter wrote: > In an attempt to sanitize shell scripting, exit test in recent testcases > was altered, which led to them being skipped even in nft test runs. Drop > the quotes so that globbing happens again. Are the tests supposed to pass with current master? GNU bash, version 4.4.23(1)-rel

Re: Creating custom ipsets

2018-08-09 Thread Florian Westphal
Akshat Kakkar wrote: > Thanks for the info. nftables set infra lacks a lot of things, especially > interfaces. nft add set inet filter example '{ type ifname; }' nft add set inet filter example '{ type iface_index; }' nft add set inet filter example '{ type ifname . ifname ; }' ... should all work.

Re: Creating custom ipsets

2018-08-09 Thread Jozsef Kadlecsik
On Thu, 9 Aug 2018, Akshat Kakkar wrote: > Thanks for the info. nftables set infra lacks a lot of things, especially > interfaces. Besides, I just don't want to develop new ipsets, but also > want to extend its functionality so as to include rule decision, natted > ips, etc. As you have already asked

Re: Creating custom ipsets

2018-08-09 Thread Akshat Kakkar
Thanks for the info. nftables set infra lacks a lot of things, especially interfaces. Besides, I just don't want to develop new ipsets, but also want to extend its functionality so as to include rule decision, natted ips, etc. As you have already asked the question in place of me, I appreciate your effo

[iptables PATCH] xtables: Don't pass full invflags to add_compat()

2018-08-09 Thread Phil Sutter
The function expects a boolean, not a bitfield. This bug caused inversion in another match to carry over to protocol match by accident. The supplied testcase contains rules which then fail because they contain matches requiring that protocol. Fixes: 4ef77b6d1b52e ("xtables: fix missing protocol an
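The defect described in this commit message is a type mismatch rather than a logic error: a multi-bit inversion word is handed to a parameter declared as a boolean, so any inverted match at all (e.g. `! -s`) reads as "protocol inverted". The following stand-alone C model, added here and not taken from iptables, reproduces that behaviour and the masked fix side by side. The flag values match the `IPT_INV_*` bits of the ipt_ip header, but `model_add_compat`, `matches_buggy` and `matches_fixed` are simplified stand-ins and assumptions of this example, not the real xtables functions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Inversion bits as laid out in ipt_ip.invflags (values copied from
 * the kernel header; everything else here is a simplified model). */
#define IPT_INV_SRCIP 0x08
#define IPT_INV_DSTIP 0x10
#define IPT_INV_PROTO 0x40

#define PROTO_TCP 6
#define PROTO_UDP 17

/* Stand-in for add_compat(): the parameter is a bool, so any non-zero
 * bitfield passed here collapses to true. This is the defect the patch
 * fixes; the function itself is a hypothetical model. */
static bool model_add_compat(uint16_t rule_proto, bool inv)
{
	(void)rule_proto;
	return inv;
}

/* Evaluate the protocol match for one packet given the inversion flag
 * the compat layer recorded. */
static bool proto_match(uint8_t pkt_proto, uint16_t rule_proto, bool inv)
{
	return (pkt_proto == rule_proto) != inv;
}

/* Buggy call site: the full invflags word is passed as the bool. */
static bool matches_buggy(uint8_t invflags, uint16_t rule_proto,
			  uint8_t pkt_proto)
{
	bool inv = model_add_compat(rule_proto, invflags);
	return proto_match(pkt_proto, rule_proto, inv);
}

/* Fixed call site: only the protocol inversion bit is passed. */
static bool matches_fixed(uint8_t invflags, uint16_t rule_proto,
			  uint8_t pkt_proto)
{
	bool inv = model_add_compat(rule_proto, invflags & IPT_INV_PROTO);
	return proto_match(pkt_proto, rule_proto, inv);
}

int main(void)
{
	/* Constructed rule: "! -s 10.0.0.1 -p tcp" sets IPT_INV_SRCIP
	 * but not IPT_INV_PROTO, so TCP must match and UDP must not. */
	uint8_t invflags = IPT_INV_SRCIP;

	printf("buggy: tcp=%d udp=%d\n",
	       matches_buggy(invflags, PROTO_TCP, PROTO_TCP),
	       matches_buggy(invflags, PROTO_TCP, PROTO_UDP));
	printf("fixed: tcp=%d udp=%d\n",
	       matches_fixed(invflags, PROTO_TCP, PROTO_TCP),
	       matches_fixed(invflags, PROTO_TCP, PROTO_UDP));
	return 0;
}
```

With the buggy call the rule silently flips to "every protocol except TCP", which is why the testcase mentioned in the commit message fails: matches that depend on the protocol (e.g. port matches) are then attached to a rule that no longer selects that protocol.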

[iptables PATCH] tests: Fix skipping for recent nft-only tests

2018-08-09 Thread Phil Sutter
In an attempt to sanitize shell scripting, exit test in recent testcases was altered, which led to them being skipped even in nft test runs. Drop the quotes so that globbing happens again. While here, improve the check a bit to glob only on leading path part, not also the file name. Also print "sk

Re: Creating custom ipsets

2018-08-09 Thread Jesper Dangaard Brouer
On Thu, 9 Aug 2018 13:59:59 +0530 Akshat Kakkar wrote: > I want to create custom ipsets like hash:iface,iface, etc. > > Can anybody guide which is the best place to start development for the > same? Any documents, etc. You should likely ask your question on netfilter-devel@vger.kernel.org An