[PATCH] src: consolidate XML/JSON exportation for rule

This completes the XML/JSON exportation using the new buffer class for rule. Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com> --- include/buffer.h | 5 +++ src/buffer.c | 11 +++ src/rule.c | 96 3 files chang

[PATCH] extensions: libxt_mangle: Use getaddrinfo()

Replace gethostbyname() with getaddrinfo() as getaddrinfo() deprecates the former and allows programs to eliminate IPv4-versus-IPv6 dependencies. Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com> --- extensions/libxt_mangle.c | 28 ++-- 1 file changed, 18 inse

[PATCH] iptables: xtables-arp: Use getaddrinfo()

Replace gethostbyname() with getaddrinfo() as getaddrinfo() deprecates the former and allows programs to eliminate IPv4-versus-IPv6 dependencies. Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com> --- iptables/xtables-arp.c | 28 ++-- 1 file changed, 18 inse

[PATCH v4] doc: Complete documentation of statements

Add documentation corresponding to LOG STATEMENT, REJECT STATEMENT, COUNTER STATEMENT, META STATEMENT, LIMIT STATEMENT, NAT STATEMENT, QUEUE STATEMENT. Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com> --- Changes in v4: Fix the syntax as per parser_bison Changes

[PATCH iptables] configure: Remove flex check warning

Remove the warning about outdated version of flex as it is not needed anymore. Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com> --- configure.ac | 15 --- 1 file changed, 15 deletions(-) diff --git a/configure.ac b/configure.ac index b170add..c91e9e7 100644 --- a/config

[PATCH conntrack-tools] configure: Remove flex check warning

Remove the warning about outdated version of flex as it is not needed anymore. Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com> --- configure.ac | 15 --- 1 file changed, 15 deletions(-) diff --git a/configure.ac b/configure.ac index c541034..b6c5439 100644 --- a/config

[PATCH] configure: Fix logic for flex version check

According to the previous logic of version check for flex, anything greater than 2.5.33 but within 2.5.x was acceptable. The issue was observed when a false warning generated for flex version 2.6.0. New logic works for basically everything greater than 2.5.33. Signed-off-by: Shivani Bhardwaj

[PATCH] libipt_NETMAP: Avoid listing 32 bit mask and fix tests

: line 3 (cannot find: iptables -I PREROUTING -t nat -j NETMAP --to 1.2.3.0/24) ERROR: line 4 (cannot find: iptables -I PREROUTING -t nat -j NETMAP --to 1.2.3.4) After this patch, no errors with tests were observed. Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com> --- exte

[PATCH nf-next] netfilter: nf_log: Remove NULL check

If 'logger' was NULL, there would be a direct jump to the label 'out', since it has already been checked for NULL, remove this unnecessary check. Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com> --- net/netfilter/nf_log.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff

[PATCH] extensions: libxt_devgroup: Fix order of mask and id

The order of mask and id in the translated code is not apt so fix it. This patch follows commit 8548dd by Liping Zhang. Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com> --- extensions/libxt_devgroup.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/exte

[PATCH] extensions: libxt_connmark: Fix order of mask and mark

The order of mask and mark in the output is wrong. This has been pointed out: http://git.netfilter.org/iptables/commit/?id=8548dd253833027c68ac6400c3118ef788fabe5d by Liping Zhang <liping.zh...@spreadtrum.com>. This patch fixes the same issue with connmark. Signed-off-by: Shivani Bh

Re: [PATCH v2] doc: Complete the documentation of statements

On Thu, May 12, 2016 at 4:35 PM, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > On Thu, May 12, 2016 at 04:21:06PM +0530, Shivani Bhardwaj wrote: >> On Thu, May 12, 2016 at 3:14 PM, Pablo Neira Ayuso <pa...@netfilter.org> >> wrote: >> > On Thu, May 12, 2016 a

Re: [PATCH v2] doc: Complete the documentation of statements

On Thu, May 12, 2016 at 3:14 PM, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > On Thu, May 12, 2016 at 01:38:45PM +0530, Shivani Bhardwaj wrote: >> Add documentation corresponding to LOG STATEMENT, NFLOG STATEMENT, >> REJECT STATEMENT, COUNTER STATEMENT, META STATEMENT, LI

[PATCH] extensions: libxt_NFQUEUE: Add missing tests

Add missing tests for NFQUEUE. Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com> --- extensions/libxt_NFQUEUE.t | 4 1 file changed, 4 insertions(+) diff --git a/extensions/libxt_NFQUEUE.t b/extensions/libxt_NFQUEUE.t index d4e4274..b51b19f 100644 --- a/extensions/libxt_NFQ

[PATCH 2/2] extensions: libxt_NFQUEUE: Unstack different versions

Remove the stacking of older version into the newer one by adding the appropriate code corresponding to each version. Suggested-by: Florian Westphal <f...@strlen.de> Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com> --- extensions/libxt_NFQ

Re: [PATCH] NFQUEUE: Fix bug with order of fanout and bypass

On Tue, Apr 12, 2016 at 10:58 PM, Florian Westphal <f...@strlen.de> wrote: > Shivani Bhardwaj <shivanib...@gmail.com> wrote: >> NFQUEUE had a bug with the ordering of fanout and bypass options which >> was arising due to same and odd values for flags and bypass whe

[PATCH] NFQUEUE: Fix bug with order of fanout and bypass

NFQUEUE balance 0:3 bypass cpu-fanout Closes bugzilla entry: http://bugzilla.netfilter.org/show_bug.cgi?id=939 Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org> Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com> --- extensions/libxt_NFQUEUE.c | 2 +- 1 file changed, 1 ins

[PATCH nft v2] src: evaluate: Show error for fanout without balance

counter queue num 0 fanout ^ Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com> --- Changes in v2: Update the description with error that is going to show up src/evaluate.c | 5 + 1 file changed, 5 insertions(+) diff --git a/src/eval

Re: [PATCH nft] src: evaluate: Show error for fanout without balance

On Thu, Apr 7, 2016 at 10:43 PM, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > On Thu, Apr 07, 2016 at 03:06:40PM +0530, Shivani Bhardwaj wrote: >> The idea of fanout option is to improve the performance by indexing CPU >> ID to map packets to the queues. This is us

[PATCH] doc: Complete the documentation of statements

Add documentation corresponding to LOG STATEMENT, REJECT STATEMENT, COUNTER STATEMENT, META STATEMENT, LIMIT STATEMENT, NAT STATEMENT, QUEUE STATEMENT. Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com> --- doc/nft.xml | 188 +

[PATCH v4] configure: Show support for connlabel

:yes IPQ support: no Large file support: yes BPF utils support:no nfsynproxy util support: no nftables support: yes connlabel support:yes Signed-off-by: Shivani Bhardwaj

Re: [PATCH v3] configure: Show support for connlabel

On Tue, Mar 15, 2016 at 6:06 AM, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > On Sat, Mar 12, 2016 at 05:48:04PM +0530, Shivani Bhardwaj wrote: >> Add the --disable-connlabel option and the appropriate functionality >> associated with it. >> >> After this patch

[PATCH v3] configure: Show support for connlabel

:yes IPQ support: no Large file support: yes BPF utils support:no nfsynproxy util support: no nftables support: yes connlabel support:yes Signed-off-by: Shivani Bhardwaj

Re: [PATCH] extensions: libipt_LOG: Avoid to print the default log level in the translation

On Thu, Mar 10, 2016 at 11:45 PM, Laura Garcia Liebana wrote: > Avoid to print the log level in the translation when the level is the > default value. > > Example: > > $ sudo iptables-translate -t filter -A INPUT -m icmp ! --icmp-type 10 -j LOG > nft add rule ip filter INPUT

[PATCH v2] configure: Show support for connlabel

:yes IPQ support: no Large file support: yes BPF utils support:no nfsynproxy util support: no nftables support: yes connlabel support:yes Signed-off-by: Shivani Bhardwaj

Re: [PATCHv2] extensions: libipt_icmp: Add translation to nft

On Mon, Mar 7, 2016 at 11:34 PM, Laura Garcia wrote: > On Mon, Mar 07, 2016 at 06:14:08PM +0100, Pablo Neira Ayuso wrote: >> On Sun, Mar 06, 2016 at 11:24:44PM +0100, Laura Garcia Liebana wrote: >> > Add translation for icmp to nftables. Not supported types in nftables >> > are:

Re: [PATCH] configure: Show support for connlabel

On Mon, Mar 7, 2016 at 11:30 PM, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > On Mon, Mar 07, 2016 at 06:56:46PM +0100, Pablo Neira Ayuso wrote: >> On Mon, Mar 07, 2016 at 11:05:15PM +0530, Shivani Bhardwaj wrote: >> > Yes, I'll do that. >> > I need a bit o

Re: [PATCH v3] extensions: libxt_dccp: Add translation to nft

On Mon, Mar 7, 2016 at 8:09 PM, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > On Fri, Mar 04, 2016 at 03:31:45AM +0530, Shivani Bhardwaj wrote: >> Add translation for dccp to nftables. >> >> Full translation of this match awaits the support for --dccp-option. &

Re: [PATCH] extensions: libxt_connlabel: Add translation to nft

On Mon, Mar 7, 2016 at 6:35 PM, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > On Sun, Mar 06, 2016 at 01:07:03AM +0100, Florian Westphal wrote: >> Shivani Bhardwaj <shivanib...@gmail.com> wrote: >> > Add translation for connlabel to nftables. >> >

[PATCH] configure: Show support for connlabel

support: no Large file support: yes BPF utils support:no nfsynproxy util support: no nftables support: yes connlabel support:yes Signed-off-by: Shivani Bhardwaj <shiva

Re: [PATCH] extensions: libipt_icmp: Add translation to nft

On Sun, Mar 6, 2016 at 1:30 AM, Laura Garcia Liebana wrote: > Add translation for icmp to nftables. > > Examples: > > $ sudo iptables-translate -t filter -A INPUT -m icmp --icmp-type any -j LOG > nft add rule ip filter INPUT icmp type any counter log level warn > > $ sudo

[PATCH] extensions: libxt_connlabel: Add translation to nft

! --label eth0-out nft add rule ip filter INPUT ct label != eth0-out counter Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com> --- extensions/libxt_connlabel.c | 23 +++ 1 file changed, 23 insertions(+) diff --git a/extensions/libxt_connlabel.c b/extensions/libxt_connl

[PATCH v3] extensions: libxt_dccp: Add translation to nft

,CLOSEREQ,CLOSE,SYNC,SYNCACK nft add rule ip filter INPUT dccp dport 100 dccp type {request, response, data, ack, dataack, closereq, close, sync, syncack} counter Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com> --- Changes in v3: Return 0 if translation for dccp-option is de

[PATCH v2] extensions: libxt_dccp: Add translation to nft

,CLOSEREQ,CLOSE,SYNC,SYNCACK nft add rule ip filter INPUT dccp dport 100 dccp type {request, response, data, ack, dataack, closereq, close, sync, syncack} counter Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com> --- Changes in v2: Fix bugs and remove invalid dccp type Fol

[PATCH v2] extensions: libxt_sctp: Add translation to nft

80:100 -j ACCEPT nft add rule ip filter INPUT sctp sport != 80-100 counter accept Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com> --- Changes in v2: Add code to check if flags is set extensions/libxt_sctp.c | 37 + 1 file changed, 37 inse

[PATCH v2] extensions: libxt_owner: Add translation to nft

dport 80 skuid != 1000 counter accept Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com> --- Changes in v2: Add different functions for skuid and skgid extensions/libxt_owner.c | 51 1 file changed, 51 insertions(+) diff

Re: [PATCH] extensions: libip6t_hbh: Add translation to nft

On Wed, Mar 2, 2016 at 5:19 PM, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > On Wed, Mar 02, 2016 at 03:22:43AM +0530, Shivani Bhardwaj wrote: >> Add translation for module hop-by-hop to nftables. >> Full translation of this match awaits the support for --hbh-opts o

[PATCH v2] extensions: libip6t_MASQUERADE: Add translation to nft

nexthdr tcp counter masquerade to :10 $ sudo ip6tables-translate -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 10-20 --random nft add rule ip6 nat POSTROUTING ip6 nexthdr tcp counter masquerade to :10-20 random Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com> --- Changes

[PATCH v2] extensions: libipt_MASQUERADE: Add translation to nft

tcp counter masquerade to :10 $ sudo iptables-translate -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 10-20 --random nft add rule ip nat POSTROUTING ip protocol tcp counter masquerade to :10-20 random Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com> --- Changes in v2:

[PATCH] extensions: libip6t_hbh: Add translation to nft

-len 33 nft add rule ip6 filter INPUT hbh hdrlength != 33 counter Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com> --- extensions/libip6t_hbh.c | 17 + 1 file changed, 17 insertions(+) diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c index c0389ed..f

[PATCH] extensions: libxt_sctp: Add translation to nft

80:100 -j ACCEPT nft add rule ip filter INPUT sctp sport != 80-100 counter accept Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com> --- extensions/libxt_sctp.c | 34 ++ 1 file changed, 34 insertions(+) diff --git a/extensions/libxt_sctp.c b/exte

[PATCH] extensions: libipt_MASQUERADE: Add translation to nft

-t nat -A POSTROUTING -j MASQUERADE --random nft add rule ip nat POSTROUTING counter masquerade random Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com> --- extensions/libipt_MASQUERADE.c | 17 + 1 file changed, 17 insertions(+) diff --git a/extensions/libipt_MASQUERA

[PATCH] extensions: libxt_dccp: Add translation to nft

INPUT dccp dport != 100 counter $ sudo iptables-translate -A INPUT -p dccp -m dccp --dccp-type REQUEST,RESPONSE nft add rule ip filter INPUT dccp type {request, response} counter Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com> --- extensions/libxt_dccp.

[PATCH] src: proto: Add missing packet type

Add missing packet type "invalid" for DCCP. Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com> --- src/proto.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/proto.c b/src/proto.c index 0ed98ed..4d049f5 100644 --- a/src/proto.c +++ b/src/proto.c @@ -443,6 +443,7

Re: [PATCH] src: netlink_delinearize: Fix datatype for len

On Mon, Feb 29, 2016 at 3:36 PM, Florian Westphal <f...@strlen.de> wrote: > Shivani Bhardwaj <shivanib...@gmail.com> wrote: >> Change the data type of len from unsigned int to int in order to make >> it valid for checks like >> >> if (len < 0)

[PATCH] src: netlink_delinearize: Fix datatype for len

bug, however there are still issues with frag that need to be fixed. Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com> --- src/netlink_delinearize.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index ae6abb0

[PATCH] comment: Add translation to nft

.0 counter comment \"A privatized IP block\" Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com> --- extensions/libxt_comment.c | 13 + include/xtables.h | 1 + iptables/nft-ipv4.c| 6 ++ iptables/nft-ipv6.c| 6 ++ libxtables/xta

[PATCH 2/2] extensions: libip6t_mh: Add translation to nft

filter INPUT meta l4proto mobility-header mh type 1-3 counter accept Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com> --- extensions/libip6t_mh.c | 21 + 1 file changed, 21 insertions(+) diff --git a/extensions/libip6t_mh.c b/extensions/libip6t_mh.c index 686a293..e

[PATCH] comment: Add translation to nft

Add translation for match comment to nftables. Example: $ sudo iptables-translate -A INPUT -s 192.168.0.0 -m comment --comment "A privatized IP block" nft add rule ip filter INPUT ip saddr 192.168.0.0 counter comment \"A privatized IP block\" Signed-off-by: Shivan

[PATCH v3] extensions: libxt_NFQUEUE: Add translation to nft

-by: Shivani Bhardwaj <shivanib...@gmail.com> --- Changes in v3: Add static keyword to sep_need extensions/libxt_NFQUEUE.c | 62 +- 1 file changed, 61 insertions(+), 1 deletion(-) diff --git a/extensions/libxt_NFQUEUE.c b/extensions/libxt_NFQ

[PATCH v2] extensions: libxt_NFQUEUE: Add translation to nft

-by: Shivani Bhardwaj <shivanib...@gmail.com> --- Changes in v2: Fix the code for queue-balance extensions/libxt_NFQUEUE.c | 62 +- 1 file changed, 61 insertions(+), 1 deletion(-) diff --git a/extensions/libxt_NFQUEUE.c b/extensions/libxt_NFQ

[PATCH] src: netlink_linearize: Fix bug for redirect target

ost [ payload load 1b @ network header + 9 => reg 1 ] [ cmp eq reg 1 0x0006 ] [ immediate reg 1 0x6400 ] [ immediate reg 2 0xc800 ] [ redir proto_min reg 1 proto_max reg 2 ] Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com> --- src/netlink_line

[PATCH libnftnl v3] Add support for masq port selection

Complete masquerading support by allowing port range selection. Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com> --- Changes in v3: Use different values for testing include/libnftnl/expr.h | 4 ++- include/linux/netfilter/nf_tables.h | 2 ++ src/expr/

[PATCH libnftnl v2] Add support for masq port selection

Complete masquerading support by allowing port range selection. Signed-off-by: Shivani Bhardwaj <shivanib...@gmail.com> --- Changes in v2: Add test file and keep switch cases in incremental order include/libnftnl/expr.h | 4 ++- include/linux/netfilter/nf_tables.