On Wed, Sep 13, 2023 at 09:31:46PM +0200, Florian Westphal wrote:
> Phil Sutter wrote:
> > The value in idx and the number of rules handled in that particular
> > __nf_tables_dump_rules() call is not identical. The former is a cursor
> > to pick up from if multiple netlink me
fer exhaustion: Any
rules previously dumped into that skb would evade audit logging
otherwise.
Fixes: 9b5ba5c9c5109 ("netfilter: nf_tables: Unbreak audit log reset")
Signed-off-by: Phil Sutter
---
Changes since v2:
- Restore per-chain logging as requested.
Changes since v1:
- Use max_t() to
Patch f1 fixes/improves Pablo's fix for the bug I built into nf_tables'
audit support code.
Patch 2 adds a selftest for the audit notifications in nf_tables. I
consider it mature enough to submit it as non-RFC now.
Larger changes in both patches, details in each patch.
Phil
Compare NETFILTER_CFG type audit logs emitted from kernel upon ruleset
modifications against expected output.
Signed-off-by: Phil Sutter
---
Changes since v1:
- Implement a custom log reader which turns audit logging on/off as
needed, drop auditd dependency.
- Record required CONFIG_AUDIT in
Hi Pablo,
On Wed, Oct 23, 2019 at 01:23:11PM +0200, Pablo Neira Ayuso wrote:
> On Wed, Oct 23, 2019 at 01:20:24PM +0200, Pablo Neira Ayuso wrote:
> > On Fri, Oct 18, 2019 at 05:51:14PM +0200, Phil Sutter wrote:
> > > Variable 'table' is an array of type struc
n.
Signed-off-by: Phil Sutter
---
src/main.c | 2 +-
tests/shell/testcases/chains/0039negative_priority_0 | 8
2 files changed, 1 insertion(+), 9 deletions(-)
delete mode 100755 tests/shell/testcases/chains/0039negative_priority_0
diff --git a/sr
it.
Fixes: 3dc433b55bbfa ("xtables-restore: Fix --table parameter check")
Signed-off-by: Phil Sutter
---
iptables/ip6tables.c | 6 ++
iptables/iptables.c | 4 +++-
.../ipt-restore/0009-table-name-comment_0 | 21 +
ot collate arguments but just stop after the first
non-option, leaving the rest for manual handling. In fact, this is just
what nft desires: mixing options with nft syntax leads to confusing
command lines anyway.
Signed-off-by: Phil Sutter
---
src/main.c | 2
Hi Pablo,
On Mon, Oct 21, 2019 at 05:38:35PM +0200, Pablo Neira Ayuso wrote:
> # nft add chain x y { type filter hook input priority -30\; }
> nft: invalid option -- '3'
>
> Fix this by restricting getopt_long() to the first curly brace.
Wouldn't it suffice to set the first char of OPTSTRING t
The function was changed to return an expression or NULL but error
checking wasn't adjusted while doing so.
Fixes: dba4a9b4b5fe2 ("src: allow variable in chain policy")
Signed-off-by: Phil Sutter
---
src/parser_json.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
d
netlink_get_register() may return NULL and every other caller checks
that. Assuming this situation is not expected, just jump to 'err' label
without queueing an explicit error message.
Fixes: 2be1d52644cf7 ("src: Add tproxy support")
Signed-off-by: Phil Sutter
---
src/netli
ing a table parameter and
error out if it's not the first one.
Fixes: f8e5ebc5986bf ("iptables: Fix crash on malformed iptables-restore")
Signed-off-by: Phil Sutter
---
Changes since v1:
Completely rewritten: While simplifying v1 code, I noticed that even
valid --table options ma
Hi,
On Fri, Oct 18, 2019 at 10:58:08PM +0200, Florian Westphal wrote:
> Phil Sutter wrote:
> > > How did you generate it? The added code is pure voodoo magic to me,
> > > so I wonder if we can just remove the 'test for -t in iptables-restore
> > > files'
Extend the shared argv parser by storing whether a given argument was
quoted or not, then use it in iptables-xml. One remaining extra bit is
extraction of chain name in -A commands, do that afterwards in a loop.
Signed-off-by: Phil Sutter
---
iptables/iptables-xml.c | 78
Make add_argv() and related routines reentrant by introducing a data
structure to hold the stored arguments.
Signed-off-by: Phil Sutter
---
iptables/iptables-restore.c | 28 +++---
iptables/iptables-xml.c | 30 ---
iptables/xshared.c | 76
Variable 'table' is an array of type struct table_struct, so this is a
classical use-case for ARRAY_SIZE() macro.
Signed-off-by: Phil Sutter
---
iptables/nft.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index 89b1c7a808f57..3c2
Hi Florian,
On Fri, Oct 18, 2019 at 04:05:08PM +0200, Florian Westphal wrote:
> Phil Sutter wrote:
> > Xtables-restore tries to reject rule commands in input which contain a
> > --table parameter (since it is adding this itself based on the previous
> > table line)
Hi,
On Fri, Sep 20, 2019 at 05:49:20PM +0200, Phil Sutter wrote:
> Xtables-restore tries to reject rule commands in input which contain a
> --table parameter (since it is adding this itself based on the previous
> table line). Sadly getopt_long's flexibility makes it hard to ge
Hi,
On Fri, Oct 18, 2019 at 10:30:56AM +0200, Pablo Neira Ayuso wrote:
> On Fri, Oct 18, 2019 at 12:48:34AM +0200, Phil Sutter wrote:
> > This was overlooked when merging argv-related code: newargc is
> > initialized at declaration and reset in free_argv() again.
> >
>
Hi Pablo,
On Fri, Oct 18, 2019 at 10:11:24AM +0200, Pablo Neira Ayuso wrote:
> On Fri, Oct 18, 2019 at 12:48:31AM +0200, Phil Sutter wrote:
> > The same piece of code appears three times, introduce a function to take
> > care of tokenizing and error reporting.
> >
> >
Preparing for upcoming xtables-restore performance improvements I
noticed a few things to smooth out. Patches in this series are not
functionally related.
Phil Sutter (8):
xtables-restore: Treat struct nft_xt_restore_parse as const
xtables-restore: Use xt_params->program_name
xtab
().
Signed-off-by: Phil Sutter
---
iptables/iptables-restore.c | 35 ++
iptables/iptables-xml.c | 31 +---
.../ipt-restore/0008-restore-counters_0 | 22 +++
iptables/xshared.c| 37
Just like with xtables-restore, these callbacks don't change at
run-time.
Signed-off-by: Phil Sutter
---
iptables/iptables-restore.c | 9 +
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
index 3655b3e8
Since commit 0baa08fed43fa ("xtables: unify user chain add/flush for
restore case") it is not used anymore, so just drop it.
Signed-off-by: Phil Sutter
---
iptables/nft-shared.h | 2 --
iptables/xtables-restore.c | 15 ---
2 files changed, 17 deletions(-)
di
This structure contains restore parser configuration, parser is not
supposed to alter it.
Suggested-by: Pablo Neira Ayuso
Signed-off-by: Phil Sutter
---
iptables/nft-shared.h | 2 +-
iptables/xtables-restore.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/iptables
It is merely used to hold nft_strerror() pointer but using that function
in turn does not provide any benefit as it falls back to plain
strerror() if nft_fn is not initialized.
Signed-off-by: Phil Sutter
---
iptables/xtables-restore.c | 9 ++---
1 file changed, 2 insertions(+), 7 deletions
This was overlooked when merging argv-related code: newargc is
initialized at declaration and reset in free_argv() again.
Fixes: a2ed880a19d08 ("xshared: Consolidate argv construction routines")
Signed-off-by: Phil Sutter
---
iptables/xtables-restore.c | 3 ---
1 file changed, 3
There is no need for dynamic callback mangling, so make all instances
static const.
Signed-off-by: Phil Sutter
---
iptables/nft-shared.h| 2 +-
iptables/xtables-restore.c | 8
iptables/xtables-translate.c | 2 +-
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a
newargv[0] is used exclusively in debug output.
Signed-off-by: Phil Sutter
---
iptables/nft-shared.h| 3 +--
iptables/xtables-restore.c | 11 +--
iptables/xtables-translate.c | 2 +-
3 files changed, 7 insertions(+), 9 deletions(-)
diff --git a/iptables/nft-shared.h b/ipta
old cache logic from the monitor code that has been replaced
> by 01e5c6f0ed03 ("src: add cache level flags").
>
> Signed-off-by: Pablo Neira Ayuso
Acked-by: Phil Sutter
Thanks, Phil
On Thu, Oct 17, 2019 at 12:08:16PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Oct 17, 2019 at 11:03:32AM +0200, Pablo Neira Ayuso wrote:
> > On Tue, Oct 15, 2019 at 01:41:44PM +0200, Phil Sutter wrote:
> > > Fourth try at caching optimizations implementation.
> > >
Hi Pablo,
On Thu, Oct 17, 2019 at 03:34:55PM +0200, Pablo Neira Ayuso wrote:
> If --echo is passed, then the cache already contains the commands that
> have been sent to the kernel. However, anonymous sets are an exception
> since the cache needs to be updated in this case.
>
> Remove the old cac
On Thu, Oct 17, 2019 at 01:29:17PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Oct 17, 2019 at 12:36:49PM +0200, Phil Sutter wrote:
> > Hi Pablo,
> >
> > On Thu, Oct 17, 2019 at 11:07:38AM +0200, Pablo Neira Ayuso wrote:
> > > On Thu, Oct 17, 2019 at 10:55:49AM
On Thu, Oct 17, 2019 at 01:14:37PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Oct 17, 2019 at 01:03:22AM +0200, Phil Sutter wrote:
> > Commit 43ae7a48ae3de ("rule: do not print semicolon in ct timeout")
> > removed an extra semicolon at end of line, but thereby broke si
Hi,
On Thu, Oct 17, 2019 at 01:09:57PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Oct 17, 2019 at 12:36:49PM +0200, Phil Sutter wrote:
> > Hi Pablo,
> >
> > On Thu, Oct 17, 2019 at 11:07:38AM +0200, Pablo Neira Ayuso wrote:
> > > On Thu, Oct 17, 2019 at 10:55:49AM
Hi,
On Thu, Oct 17, 2019 at 11:03:32AM +0200, Pablo Neira Ayuso wrote:
> On Tue, Oct 15, 2019 at 01:41:44PM +0200, Phil Sutter wrote:
> > Fourth try at caching optimizations implementation.
> >
> > Changes since v3:
> >
> > * Rebase onto current master after p
Hi Pablo,
On Thu, Oct 17, 2019 at 11:07:38AM +0200, Pablo Neira Ayuso wrote:
> On Thu, Oct 17, 2019 at 10:55:49AM +0200, Pablo Neira Ayuso wrote:
> > On Thu, Oct 17, 2019 at 01:03:20AM +0200, Phil Sutter wrote:
> > > This reverts commit 9b032cd6477b847f48dc8454f0e73935e9f48754.
8ae3de ("rule: do not print semicolon in ct timeout")
Signed-off-by: Phil Sutter
---
src/rule.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/rule.c b/src/rule.c
index 2d35bae44c9e5..3c7c8d63f8cdf 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -1869,7 +1869,7 @@ sta
These shouldn't happen in practice and printing to stderr is not the
right thing either, but fix this anyway.
Fixes: f9563c0feb24d ("src: add events reporting")
Signed-off-by: Phil Sutter
---
src/monitor.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/
Echo/monitor testsuite failed for multiple reasons. With this series
applied and a libnftnl with the recently submitted NFTA_CT_TIMEOUT_DATA
parser fix in place, testsuite finally passes again.
Phil Sutter (4):
monitor: Add missing newline to error message
Revert "monitor: fix double
anonymous set in cache
(kernel doesn't (and shouldn't) dump SET_ID value) to update its name,
just go with cache updates. Assuming that echo option is typically used
for single commands, there is not much cache updating happening anyway.
Signed-off-by: Phil Sutter
---
src/monitor.c | 1
Commit a9b0c385a1d5e ("rule: print space between policy and timeout")
changed spacing in ct timeout objects but failed to adjust the related test
case.
Fixes: a9b0c385a1d5e ("rule: print space between policy and timeout")
Signed-off-by: Phil Sutter
---
tests/monitor/testcase
index
0 and the type value decrement is dropped there.
Fixes: 0adceeab1597a ("src: add ct timeout support")
Signed-off-by: Phil Sutter
---
src/obj/ct_timeout.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/obj/ct_timeout.c b/src/obj/ct_timeout.c
inde
; field in union nftnl_data_reg
accordingly.
Signed-off-by: Phil Sutter
---
Changes since v1:
- Change union nftnl_data_reg as outlined above.
---
include/data_reg.h | 2 +-
include/libnftnl/set.h | 2 ++
src/set_elem.c | 10 ++
3 files changed, 13 insertions(+), 1 deletion(-)
On Tue, Oct 15, 2019 at 06:37:21PM +0200, Pablo Neira Ayuso wrote:
> On Tue, Oct 15, 2019 at 06:35:29PM +0200, Phil Sutter wrote:
> > On Tue, Oct 15, 2019 at 06:33:46PM +0200, Pablo Neira Ayuso wrote:
> > > On Tue, Oct 15, 2019 at 06:21:30PM +0200, Phil Sutter
On Tue, Oct 15, 2019 at 06:32:39PM +0200, Pablo Neira Ayuso wrote:
> On Tue, Oct 15, 2019 at 06:11:34PM +0200, Phil Sutter wrote:
> > Hi,
> >
> > On Tue, Oct 15, 2019 at 05:53:46PM +0200, Pablo Neira Ayuso wrote:
> > > On Tue, Oct 15, 2019 at 04:16:56PM +0200,
On Tue, Oct 15, 2019 at 06:33:46PM +0200, Pablo Neira Ayuso wrote:
> On Tue, Oct 15, 2019 at 06:21:30PM +0200, Phil Sutter wrote:
> > Hi,
> >
> > On Tue, Oct 15, 2019 at 05:57:16PM +0200, Pablo Neira Ayuso wrote:
> > > On Tue, Oct 15, 2019 at 04:16:57PM +0200, Phil S
Hi,
On Tue, Oct 15, 2019 at 06:09:13PM +0200, Pablo Neira Ayuso wrote:
> On Tue, Oct 15, 2019 at 06:02:55PM +0200, Phil Sutter wrote:
> > On Tue, Oct 15, 2019 at 05:52:44PM +0200, Pablo Neira Ayuso wrote:
> > > On Tue, Oct 15, 2019 at 04:16:55PM +0200, Phil Sutter wrote:
>
Hi,
On Tue, Oct 15, 2019 at 05:57:16PM +0200, Pablo Neira Ayuso wrote:
> On Tue, Oct 15, 2019 at 04:16:57PM +0200, Phil Sutter wrote:
> > Array 'tb' has only 'attr_max' elements, the loop overstepped its
> > boundary by one. Copy array_size() macro from include/
Hi,
On Tue, Oct 15, 2019 at 05:53:46PM +0200, Pablo Neira Ayuso wrote:
> On Tue, Oct 15, 2019 at 04:16:56PM +0200, Phil Sutter wrote:
> > By calling nftnl_set_set(), any data size checks are effectively
> > bypassed. Better call nftnl_set_set_data() directly, passing the re
On Tue, Oct 15, 2019 at 05:52:44PM +0200, Pablo Neira Ayuso wrote:
> On Tue, Oct 15, 2019 at 04:16:55PM +0200, Phil Sutter wrote:
[...]
> > diff --git a/src/set_elem.c b/src/set_elem.c
> > index 3794f12594079..4225a96ee5a0a 100644
> > --- a/src/set_elem.c
> > +++ b/s
Cppcheck complains: Shifting signed 32-bit value by 31 bits is undefined
behaviour.
Indeed, NFTNL_OBJ_TUNNEL_ERSPAN_V2_DIR enum value is 31. Make sure
behaviour is as intended by shifting unsigned 1.
Fixes: ea63a05272f54 ("obj: add tunnel support")
Signed-off-by: Phil Sutter
--
The function is unsafe to use as it effectively bypasses data length
checks. Instead use nftnl_set_set_str() which at least asserts a const
char pointer is passed.
Signed-off-by: Phil Sutter
---
src/mnl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mnl.c b/src/mnl.c
The function returned -1 on success.
Signed-off-by: Phil Sutter
---
src/set_elem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/set_elem.c b/src/set_elem.c
index 47965249691dd..3794f12594079 100644
--- a/src/set_elem.c
+++ b/src/set_elem.c
@@ -149,7 +149,7 @@ int
By calling nftnl_set_set(), any data size checks are effectively
bypassed. Better call nftnl_set_set_data() directly, passing the real
size for validation.
Signed-off-by: Phil Sutter
---
src/set.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/set.c b/src/set.c
Fix (potential) issues identified by Coverity tool.
Phil Sutter (6):
obj: ct_timeout: Check return code of mnl_attr_parse_nested()
set_elem: Fix return code of nftnl_set_elem_set()
set_elem: Validate nftnl_set_elem_set() parameters
set: Don't bypass checks in nftnl_set_set_u{
Don't ignore nested attribute parsing errors, this may hide bugs in
users' code.
Fixes: 0adceeab1597a ("src: add ct timeout support")
Signed-off-by: Phil Sutter
---
src/obj/ct_timeout.c | 9 ++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/obj/ct
Array 'tb' has only 'attr_max' elements, the loop overstepped its
boundary by one. Copy array_size() macro from include/utils.h in
nftables.git to make sure code does the right thing.
Fixes: 0adceeab1597a ("src: add ct timeout support")
Signed-off-by: Phil Sutter
Copying from nftnl_table_set_data(), validate input to
nftnl_set_elem_set() as well. Given that for some attributes the
function assumes passed data size, this seems necessary.
Signed-off-by: Phil Sutter
---
include/libnftnl/set.h | 2 ++
src/set_elem.c | 10 ++
2 files changed
() which
calls xtables_error() in case compatibility check fails. If a chain name
was given, include that in error message.
Signed-off-by: Phil Sutter
---
iptables/nft.c | 32
iptables/nft.h | 5 -
iptables/xtables-save.c | 2 +-
3 files changed
mpty chains, but causes no harm in that case, either.
Signed-off-by: Phil Sutter
---
iptables/nft-cache.c | 19 ++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
index 22468d70fec57..afb2126b51495 100644
--- a/iptables/
'chain' function parameter which is not used at that
point).
Signed-off-by: Phil Sutter
---
iptables/nft-cache.c | 22 +++---
iptables/nft-cache.h | 3 ++-
iptables/nft.c | 32 ++--
3 files changed, 39 insertions(+), 18 deletions(-)
parameter and raises cache completeness to that level.
Signed-off-by: Phil Sutter
---
Changes since v3:
- Make sure cache stays consistent in __nft_build_cache() by extending
cache only if kernel ruleset did not change since last call.
---
iptables/nft-cache.c | 54
Fourth try at caching optimizations implementation.
Changes since v3:
* Rebase onto current master after pushing the accepted initial three
patches.
* Avoid cache inconsistency in __nft_build_cache() if kernel ruleset
changed since last call.
Phil Sutter (8):
nft-cache: Introduce cache
-off-by: Phil Sutter
---
iptables/nft-cache.c | 82 ++--
1 file changed, 57 insertions(+), 25 deletions(-)
diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
index afb2126b51495..822d6f20cf51c 100644
--- a/iptables/nft-cache.c
+++ b/iptables/nft
There is no need for a full chain cache, fetch only the few builtin
chains that might need to be created.
Signed-off-by: Phil Sutter
---
iptables/nft.c | 9 +
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index 775582aab7955..7e019d54ee475
The function is used to return the given table's chains, so fetching
chain cache is enough.
Add calls to nft_build_cache() in places where a rule cache is required.
Signed-off-by: Phil Sutter
---
iptables/nft-cache.c | 2 +-
iptables/nft.c | 20
2 files change
doesn't include chains already, it will fetch only the specified
chain from kernel (if existing) and add that to table's chain list which
is returned. This keeps operations for all chains of a table or a
specific one within the same code path in nft.c.
Signed-off-by: Phil Sutter
---
ip
Hi,
On Mon, Oct 14, 2019 at 08:44:05PM +0530, UDAY MEWADA wrote:
> My name is Uday Mewada, pursuing engineering in Computer Science.
>
> I'm looking forward to contributing to Netfilter. Can someone guide me
> how to start contributing in it and what are the initial bugs where I
> can start.
You
> approach, but it might work. You would need to invoke
> xtables_restore_parse() twice.
The problem with parsing twice is having to cache input which may be
huge for xtables-restore.
On Fri, Oct 11, 2019 at 12:20:52PM +0200, Pablo Neira Ayuso wrote:
> On Fri, Oct 11, 2019 at 12:09:11AM +
Hi Pablo,
On Wed, Oct 09, 2019 at 12:29:01PM +0200, Pablo Neira Ayuso wrote:
> On Wed, Oct 09, 2019 at 11:37:23AM +0200, Pablo Neira Ayuso wrote:
> > Hi Phil,
> >
> > On Tue, Oct 08, 2019 at 06:14:40PM +0200, Phil Sutter wrote:
> > > Replace the simple have_
Rename and optimize internal function nftnl_set_lookup() for external
use. Just like with nftnl_chain_list, use a hash table for fast set name
lookups.
Signed-off-by: Phil Sutter
---
Changes since v1:
- Adjust LIBVERSION according to libtool documentation.
---
Make_global.am | 2
On Tue, Oct 08, 2019 at 08:06:32PM +0200, Eric Jallot wrote:
> Add double quotes to protect newlines when using <<< redirection.
>
> See also commit b878cb7d83855.
>
> Signed-off-by: Eric Jallot
Applied, thanks!
mpty chains, but causes no harm in that case, either.
Signed-off-by: Phil Sutter
---
iptables/nft-cache.c | 19 ++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
index 5f27aec6d9c30..a2cfb6ef6dbcf 100644
--- a/iptables/
The amount of code dealing with caching only is considerable and hence
deserves an own source file.
Signed-off-by: Phil Sutter
---
iptables/Makefile.am | 2 +-
iptables/nft-cache.c | 376 +
iptables/nft-cache.h | 17 ++
iptables/nft.c
This allows calling nft_table_builtin_find() and hence removes the only
real user of __nft_table_builtin_find(). Consequently remove the latter
by integrating it into its sole caller.
Signed-off-by: Phil Sutter
---
iptables/nft.c | 28 +++-
1 file changed, 11 insertions
'chain' function parameter which is not used at that
point).
Signed-off-by: Phil Sutter
---
iptables/nft-cache.c | 22 +++---
iptables/nft-cache.h | 3 ++-
iptables/nft.c | 32 ++--
3 files changed, 39 insertions(+), 18 deletions(-)
-restore performance.
Phil Sutter (11):
nft: Pass nft_handle to flush_cache()
nft: Avoid nested cache fetching
nft: Extract cache routines into nft-cache.c
nft-cache: Introduce cache levels
nft-cache: Fetch only chains in nft_chain_list_get()
nft-cache: Cover for multiple fetcher invocation
-off-by: Phil Sutter
---
iptables/nft-cache.c | 82 ++--
1 file changed, 57 insertions(+), 25 deletions(-)
diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
index a2cfb6ef6dbcf..3cb397c805a9a 100644
--- a/iptables/nft-cache.c
+++ b/iptables/nft
doesn't include chains already, it will fetch only the specified
chain from kernel (if existing) and add that to table's chain list which
is returned. This keeps operations for all chains of a table or a
specific one within the same code path in nft.c.
Signed-off-by: Phil Sutter
---
ip
() which
calls xtables_error() in case compatibility check fails. If a chain name
was given, include that in error message.
Signed-off-by: Phil Sutter
---
iptables/nft.c | 32
iptables/nft.h | 5 -
iptables/xtables-save.c | 2 +-
3 files changed
The function is used to return the given table's chains, so fetching
chain cache is enough.
Add calls to nft_build_cache() in places where a rule cache is required.
Signed-off-by: Phil Sutter
---
iptables/nft-cache.c | 2 +-
iptables/nft.c | 20
2 files change
There is no need for a full chain cache, fetch only the few builtin
chains that might need to be created.
Signed-off-by: Phil Sutter
---
iptables/nft.c | 9 +
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index 775582aab7955..7e019d54ee475
parameter and raises cache completeness to that level.
Signed-off-by: Phil Sutter
---
iptables/nft-cache.c | 51 +++-
iptables/nft.h | 9 +++-
2 files changed, 44 insertions(+), 16 deletions(-)
diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
Don't call fetch_table_cache() from within fetch_chain_cache() but
instead from __nft_build_cache(). Since that is the only caller of
fetch_chain_cache(), this change should not have any effect in practice.
Signed-off-by: Phil Sutter
---
iptables/nft.c | 3 +--
1 file changed, 1 insertion(
ual among match implementation for
ebtables-nft.
Phil Sutter (12):
nft: family_ops: Pass nft_handle to 'add' callback
nft: family_ops: Pass nft_handle to 'rule_find' callback
nft: family_ops: Pass nft_handle to 'print_rule' callback
nft: family_ops: Pass nft_handle to
Allow for closer inspection by storing payload expression's base and
length values. Also facilitate for two consecutive payload expressions
as LHS of a (cmp/lookup) statement as used with concatenations.
Signed-off-by: Phil Sutter
---
iptables/nft-shared.c | 8
iptables/nft-sha
Support among match as far as possible given the limitations of nftables
sets, namely limited to homogeneous MAC address only or MAC and IP
address only matches.
Signed-off-by: Phil Sutter
---
Changes since v1:
- Fix for overlong lines.
- Use nftnl_set_list_lookup_byname() from libnftnl
Instead of carrying the family value, carry the handle (which contains
the family value) and relieve expression parsers from having to call
nft_family_ops_lookup().
Signed-off-by: Phil Sutter
---
iptables/nft-shared.c | 40 ++--
iptables/nft-shared.h | 2
In order for add_match() to create anonymous sets when converting
xtables matches it needs access to nft handle. So pass it along from
callers of family ops' add callback.
Signed-off-by: Phil Sutter
---
iptables/nft-arp.c| 2 +-
iptables/nft-bridge.c | 5 +++--
iptables/nft-ipv4.c
In order to prepare for rules containing set references, nft handle has
to be passed to nft_rule_to_iptables_command_state() in order to let it
access the set in cache.
Signed-off-by: Phil Sutter
---
iptables/nft-arp.c| 4 ++--
iptables/nft-bridge.c | 4 ++--
iptables/nft-shared.c | 7
Down to the point where expression parsing happens, the rule's table is
not known anymore but relevant if set lookups are required.
Signed-off-by: Phil Sutter
---
iptables/nft-shared.c | 1 +
iptables/nft-shared.h | 1 +
2 files changed, 2 insertions(+)
diff --git a/iptables/nft-share
Implement the required infrastructure to create sets as part of a batch
job commit.
Signed-off-by: Phil Sutter
---
iptables/nft.c | 58 ++
1 file changed, 58 insertions(+)
diff --git a/iptables/nft.c b/iptables/nft.c
index f46f13c2501e2
Add required glue code to support family specific lookup expression
parsers implemented as family_ops callback.
Signed-off-by: Phil Sutter
---
iptables/nft-shared.c | 9 +
iptables/nft-shared.h | 2 ++
iptables/nft.c| 5 -
3 files changed, 15 insertions(+), 1 deletion
In order to support anonymous sets, cache them along with their
elements.
Signed-off-by: Phil Sutter
---
Changes since v1:
- Fix cache flushing: Since set fetching happens only if rules are
fetched, too, set list may be NULL so call nftnl_set_list_free() and
nftnl_set_list_foreach
If nft_handle is available, use its 'ops' field instead of performing a
new lookup. For the same reason, there is no need to pass ops pointer to
__nft_print_header().
Signed-off-by: Phil Sutter
---
iptables/nft.c | 29 +++--
1 file changed, 11 insertions(+), 18
Prepare for 'rule_to_cs' callback to receive nft_handle pointer so it is
able to access cache for set lookups.
Signed-off-by: Phil Sutter
---
iptables/nft-arp.c| 3 ++-
iptables/nft-bridge.c | 4 ++--
iptables/nft-ipv4.c | 4 ++--
iptables/nft-ipv6.c | 4 ++--
iptables/nf
This is the actual callback used to parse nftables rules. Pass
nft_handle to it so it can access the cache (and possible sets therein).
Having to pass nft_handle to nft_rule_print_save() makes it possible to simplify it
a bit since no family ops lookup has to be done anymore.
Signed-off-by: Phil Sutter
To quickly see if a given test was run or not, sort the file list. Also
filter non-test files right when preparing the list.
Signed-off-by: Phil Sutter
---
iptables-test.py | 8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/iptables-test.py b/iptables-test.py
index
Rename and optimize internal function nftnl_set_lookup() for external
use. Just like with nftnl_chain_list, use a hash table for fast set name
lookups.
Signed-off-by: Phil Sutter
---
include/libnftnl/set.h | 2 ++
include/set.h | 1 +
src/libnftnl.map | 4
src/set.c