This completes the XML/JSON exportation using the new buffer class for
rule.
Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
include/buffer.h | 5 +++
src/buffer.c | 11 +++
src/rule.c | 96
3 files chang
Replace gethostbyname() with getaddrinfo() as getaddrinfo()
deprecates the former and allows programs to eliminate
IPv4-versus-IPv6 dependencies.
Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
extensions/libxt_mangle.c | 28 ++--
1 file changed, 18 inse
Replace gethostbyname() with getaddrinfo() as getaddrinfo()
deprecates the former and allows programs to eliminate
IPv4-versus-IPv6 dependencies.
Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
iptables/xtables-arp.c | 28 ++--
1 file changed, 18 inse
Add documentation corresponding to LOG STATEMENT, REJECT STATEMENT,
COUNTER STATEMENT, META STATEMENT, LIMIT STATEMENT, NAT STATEMENT,
QUEUE STATEMENT.
Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
Changes in v4:
Fix the syntax as per parser_bison
Changes
Remove the warning about outdated version of flex as it is not needed
anymore.
Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
configure.ac | 15 ---
1 file changed, 15 deletions(-)
diff --git a/configure.ac b/configure.ac
index b170add..c91e9e7 100644
--- a/config
Remove the warning about outdated version of flex as it is not needed
anymore.
Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
configure.ac | 15 ---
1 file changed, 15 deletions(-)
diff --git a/configure.ac b/configure.ac
index c541034..b6c5439 100644
--- a/config
According to the previous logic of version check for flex, anything
greater than 2.5.33 but within 2.5.x was acceptable. The issue was
observed when a false warning generated for flex version 2.6.0.
New logic works for basically everything greater than 2.5.33.
Signed-off-by: Shivani Bhardwaj
: line 3 (cannot find: iptables -I PREROUTING -t nat -j NETMAP --to
1.2.3.0/24)
ERROR: line 4 (cannot find: iptables -I PREROUTING -t nat -j NETMAP --to
1.2.3.4)
After this patch, no errors with tests were observed.
Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
exte
If 'logger' was NULL, there would be a direct jump to the label 'out',
since it has already been checked for NULL, remove this unnecessary
check.
Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
net/netfilter/nf_log.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff
The order of mask and id in the translated code is not apt
so fix it.
This patch follows commit 8548dd by Liping Zhang.
Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
extensions/libxt_devgroup.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/exte
The order of mask and mark in the output is wrong. This has been pointed
out:
http://git.netfilter.org/iptables/commit/?id=8548dd253833027c68ac6400c3118ef788fabe5d
by Liping Zhang <liping.zh...@spreadtrum.com>.
This patch fixes the same issue with connmark.
Signed-off-by: Shivani Bh
On Thu, May 12, 2016 at 4:35 PM, Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> On Thu, May 12, 2016 at 04:21:06PM +0530, Shivani Bhardwaj wrote:
>> On Thu, May 12, 2016 at 3:14 PM, Pablo Neira Ayuso <pa...@netfilter.org>
>> wrote:
>> > On Thu, May 12, 2016 a
On Thu, May 12, 2016 at 3:14 PM, Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> On Thu, May 12, 2016 at 01:38:45PM +0530, Shivani Bhardwaj wrote:
>> Add documentation corresponding to LOG STATEMENT, NFLOG STATEMENT,
>> REJECT STATEMENT, COUNTER STATEMENT, META STATEMENT, LI
Add missing tests for NFQUEUE.
Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
extensions/libxt_NFQUEUE.t | 4
1 file changed, 4 insertions(+)
diff --git a/extensions/libxt_NFQUEUE.t b/extensions/libxt_NFQUEUE.t
index d4e4274..b51b19f 100644
--- a/extensions/libxt_NFQ
Remove the stacking of older version into the newer one by adding the
appropriate code corresponding to each version.
Suggested-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
extensions/libxt_NFQ
On Tue, Apr 12, 2016 at 10:58 PM, Florian Westphal <f...@strlen.de> wrote:
> Shivani Bhardwaj <shivanib...@gmail.com> wrote:
>> NFQUEUE had a bug with the ordering of fanout and bypass options which
>> was arising due to same and odd values for flags and bypass whe
NFQUEUE balance 0:3 bypass cpu-fanout
Closes bugzilla entry: http://bugzilla.netfilter.org/show_bug.cgi?id=939
Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org>
Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
extensions/libxt_NFQUEUE.c | 2 +-
1 file changed, 1 ins
counter queue num 0 fanout
^
Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
Changes in v2:
Update the description with error that is going to show up
src/evaluate.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/src/eval
On Thu, Apr 7, 2016 at 10:43 PM, Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> On Thu, Apr 07, 2016 at 03:06:40PM +0530, Shivani Bhardwaj wrote:
>> The idea of fanout option is to improve the performance by indexing CPU
>> ID to map packets to the queues. This is us
Add documentation corresponding to LOG STATEMENT, REJECT STATEMENT,
COUNTER STATEMENT, META STATEMENT, LIMIT STATEMENT, NAT STATEMENT,
QUEUE STATEMENT.
Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
doc/nft.xml | 188 +
:yes
IPQ support: no
Large file support: yes
BPF utils support:no
nfsynproxy util support: no
nftables support: yes
connlabel support:yes
Signed-off-by: Shivani Bhardwaj
On Tue, Mar 15, 2016 at 6:06 AM, Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> On Sat, Mar 12, 2016 at 05:48:04PM +0530, Shivani Bhardwaj wrote:
>> Add the --disable-connlabel option and the appropriate functionality
>> associated with it.
>>
>> After this patch
:yes
IPQ support: no
Large file support: yes
BPF utils support:no
nfsynproxy util support: no
nftables support: yes
connlabel support:yes
Signed-off-by: Shivani Bhardwaj
On Thu, Mar 10, 2016 at 11:45 PM, Laura Garcia Liebana wrote:
> Avoid to print the log level in the translation when the level is the
> default value.
>
> Example:
>
> $ sudo iptables-translate -t filter -A INPUT -m icmp ! --icmp-type 10 -j LOG
> nft add rule ip filter INPUT
:yes
IPQ support: no
Large file support: yes
BPF utils support:no
nfsynproxy util support: no
nftables support: yes
connlabel support:yes
Signed-off-by: Shivani Bhardwaj
On Mon, Mar 7, 2016 at 11:34 PM, Laura Garcia wrote:
> On Mon, Mar 07, 2016 at 06:14:08PM +0100, Pablo Neira Ayuso wrote:
>> On Sun, Mar 06, 2016 at 11:24:44PM +0100, Laura Garcia Liebana wrote:
>> > Add translation for icmp to nftables. Not supported types in nftables
>> > are:
On Mon, Mar 7, 2016 at 11:30 PM, Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> On Mon, Mar 07, 2016 at 06:56:46PM +0100, Pablo Neira Ayuso wrote:
>> On Mon, Mar 07, 2016 at 11:05:15PM +0530, Shivani Bhardwaj wrote:
>> > Yes, I'll do that.
>> > I need a bit o
On Mon, Mar 7, 2016 at 8:09 PM, Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> On Fri, Mar 04, 2016 at 03:31:45AM +0530, Shivani Bhardwaj wrote:
>> Add translation for dccp to nftables.
>>
>> Full translation of this match awaits the support for --dccp-option.
>
On Mon, Mar 7, 2016 at 6:35 PM, Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> On Sun, Mar 06, 2016 at 01:07:03AM +0100, Florian Westphal wrote:
>> Shivani Bhardwaj <shivanib...@gmail.com> wrote:
>> > Add translation for connlabel to nftables.
>> >
support: no
Large file support: yes
BPF utils support:no
nfsynproxy util support: no
nftables support: yes
connlabel support:yes
Signed-off-by: Shivani Bhardwaj <shiva
On Sun, Mar 6, 2016 at 1:30 AM, Laura Garcia Liebana wrote:
> Add translation for icmp to nftables.
>
> Examples:
>
> $ sudo iptables-translate -t filter -A INPUT -m icmp --icmp-type any -j LOG
> nft add rule ip filter INPUT icmp type any counter log level warn
>
> $ sudo
! --label eth0-out
nft add rule ip filter INPUT ct label != eth0-out counter
Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
extensions/libxt_connlabel.c | 23 +++
1 file changed, 23 insertions(+)
diff --git a/extensions/libxt_connlabel.c b/extensions/libxt_connl
,CLOSEREQ,CLOSE,SYNC,SYNCACK
nft add rule ip filter INPUT dccp dport 100 dccp type {request, response, data,
ack, dataack, closereq, close, sync, syncack} counter
Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
Changes in v3:
Return 0 if translation for dccp-option is de
,CLOSEREQ,CLOSE,SYNC,SYNCACK
nft add rule ip filter INPUT dccp dport 100 dccp type {request, response, data,
ack, dataack, closereq, close, sync, syncack} counter
Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
Changes in v2:
Fix bugs and remove invalid dccp type
Fol
80:100 -j ACCEPT
nft add rule ip filter INPUT sctp sport != 80-100 counter accept
Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
Changes in v2:
Add code to check if flags is set
extensions/libxt_sctp.c | 37 +
1 file changed, 37 inse
dport 80 skuid != 1000 counter accept
Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
Changes in v2:
Add different functions for skuid and skgid
extensions/libxt_owner.c | 51
1 file changed, 51 insertions(+)
diff
On Wed, Mar 2, 2016 at 5:19 PM, Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> On Wed, Mar 02, 2016 at 03:22:43AM +0530, Shivani Bhardwaj wrote:
>> Add translation for module hop-by-hop to nftables.
>> Full translation of this match awaits the support for --hbh-opts o
nexthdr tcp counter masquerade to :10
$ sudo ip6tables-translate -t nat -A POSTROUTING -p tcp -j MASQUERADE
--to-ports 10-20 --random
nft add rule ip6 nat POSTROUTING ip6 nexthdr tcp counter masquerade to :10-20
random
Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
Changes
tcp counter masquerade to :10
$ sudo iptables-translate -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports
10-20 --random
nft add rule ip nat POSTROUTING ip protocol tcp counter masquerade to :10-20
random
Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
Changes in v2:
-len 33
nft add rule ip6 filter INPUT hbh hdrlength != 33 counter
Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
extensions/libip6t_hbh.c | 17 +
1 file changed, 17 insertions(+)
diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
index c0389ed..f
80:100 -j ACCEPT
nft add rule ip filter INPUT sctp sport != 80-100 counter accept
Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
extensions/libxt_sctp.c | 34 ++
1 file changed, 34 insertions(+)
diff --git a/extensions/libxt_sctp.c b/exte
-t nat -A POSTROUTING -j MASQUERADE --random
nft add rule ip nat POSTROUTING counter masquerade random
Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
extensions/libipt_MASQUERADE.c | 17 +
1 file changed, 17 insertions(+)
diff --git a/extensions/libipt_MASQUERA
INPUT dccp dport != 100 counter
$ sudo iptables-translate -A INPUT -p dccp -m dccp --dccp-type REQUEST,RESPONSE
nft add rule ip filter INPUT dccp type {request, response} counter
Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
extensions/libxt_dccp.
Add missing packet type "invalid" for DCCP.
Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
src/proto.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/proto.c b/src/proto.c
index 0ed98ed..4d049f5 100644
--- a/src/proto.c
+++ b/src/proto.c
@@ -443,6 +443,7
On Mon, Feb 29, 2016 at 3:36 PM, Florian Westphal <f...@strlen.de> wrote:
> Shivani Bhardwaj <shivanib...@gmail.com> wrote:
>> Change the data type of len from unsigned int to int in order to make
>> it valid for checks like
>>
>> if (len < 0)
bug, however there are still issues with frag
that need to be fixed.
Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
src/netlink_delinearize.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index ae6abb0
.0 counter comment \"A
privatized IP block\"
Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
extensions/libxt_comment.c | 13 +
include/xtables.h | 1 +
iptables/nft-ipv4.c| 6 ++
iptables/nft-ipv6.c| 6 ++
libxtables/xta
filter INPUT meta l4proto mobility-header mh type 1-3 counter
accept
Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
extensions/libip6t_mh.c | 21 +
1 file changed, 21 insertions(+)
diff --git a/extensions/libip6t_mh.c b/extensions/libip6t_mh.c
index 686a293..e
Add translation for match comment to nftables.
Example:
$ sudo iptables-translate -A INPUT -s 192.168.0.0 -m comment --comment "A
privatized IP block"
nft add rule ip filter INPUT ip saddr 192.168.0.0 counter comment \"A
privatized IP block\"
Signed-off-by: Shivan
-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
Changes in v3:
Add static keyword to sep_need
extensions/libxt_NFQUEUE.c | 62 +-
1 file changed, 61 insertions(+), 1 deletion(-)
diff --git a/extensions/libxt_NFQUEUE.c b/extensions/libxt_NFQ
-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
Changes in v2:
Fix the code for queue-balance
extensions/libxt_NFQUEUE.c | 62 +-
1 file changed, 61 insertions(+), 1 deletion(-)
diff --git a/extensions/libxt_NFQUEUE.c b/extensions/libxt_NFQ
ost
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x0006 ]
[ immediate reg 1 0x6400 ]
[ immediate reg 2 0xc800 ]
[ redir proto_min reg 1 proto_max reg 2 ]
Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
src/netlink_line
Complete masquerading support by allowing port range selection.
Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
Changes in v3:
Use different values for testing
include/libnftnl/expr.h | 4 ++-
include/linux/netfilter/nf_tables.h | 2 ++
src/expr/
Complete masquerading support by allowing port range selection.
Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com>
---
Changes in v2:
Add test file and keep switch cases in incremental order
include/libnftnl/expr.h | 4 ++-
include/linux/netfilter/nf_tables.