> On Wed, Feb 14, 2018 at 08:16:52PM +0100, Pablo Neira Ayuso wrote:
>> On Thu, Feb 15, 2018 at 12:34:31AM +0530, Shyam Saini wrote:
>> > Hi Pablo,
>> >
>> > On Thu, Feb 15, 2018 at 12:02 AM, Pablo Neira Ayuso
>> > wrote:
>> > > Restore o
Hi Pablo,
On Thu, Feb 15, 2018 at 12:02 AM, Pablo Neira Ayuso wrote:
> Restore original syntax for the yet experimental VM low-level json
> representation.
>
> Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1224
> Signed-off-by: Pablo Neira Ayuso
> ---
> I asked for this change to make r
DROP
nft add rule ip filter INPUT tcp dport 80 meter http3 { ip saddr and
255.255.255.0 limit rate 200/second } counter drop
Signed-off-by: shyam saini
---
extensions/libxt_hashlimit.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/extensions/libxt_hashlimit.c b/
> Hi Shyam,
Hi Pablo,
> On Tue, Dec 05, 2017 at 07:37:34PM +0530, Shyam Saini wrote:
>> This new operation allows importing a low level virtual machine ruleset in
>> json to make incremental changes using the parse functions of libnftnl.
>>
>> A basic way to
This patch adds test cases for iptables to nft translation of cluster match
This adds all test cases including corner cases.
Run these test cases like:
$ ./xlate-test.py extensions/libxt_cluster.txlate
Signed-off-by: Shyam Saini
---
extensions/libxt_cluster.txlate | 26
> Hi Shyam,
Hi Pablo,
> On Mon, Jan 15, 2018 at 11:29:28AM +0530, Shyam Saini wrote:
>> Add translation for cluster to nft
>>
>> $ sudo iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster
>> --cluster-total-nodes 7 --cluster-local-node 5 --cluster-hash-se
original saddr
mod 7 seed 0xdeadbeef eq { 0, 2 } meta pkttype set host counter meta
mark set 0x
Signed-off-by: Shyam Saini
---
extensions/libxt_cluster.c | 52 +-
1 file changed, 51 insertions(+), 1 deletion(-)
diff --git a/extensions/libxt_cluster.c b
and Arturo Borrero
Acked-by: Arturo Borrero Gonzalez
Signed-off-by: Shyam Saini
---
V6:
Patch series Rebased
V5:
Adopt new "vm" symbol in the grammar which will be used to specify
json format in low level virtual machine format.
The default format will be high level json format w
s/import/vm_json_import_0
Signed-off-by: Shyam Saini
---
V5:
Patch series rebased
V4:
Adopt new "vm" symbol for export/import operations
---
tests/shell/testcases/import/vm_json_import_0 | 71 +++
1 file changed, 71 insertions(+)
create mode 100755 tests/s
s/import/vm_json_import_0
Signed-off-by: Shyam Saini
---
V4:
Adopt new "vm" symbol for export/import operations
---
tests/shell/testcases/import/vm_json_import_0 | 72 +++
1 file changed, 72 insertions(+)
create mode 100755 tests/shell/testcases/import/vm
and Arturo Borrero
Acked-by: Arturo Borrero Gonzalez
Signed-off-by: Shyam Saini
---
V5:
Adopt new "vm" symbol in the grammar which will be used to specify
json format in low level virtual machine format.
The default format will be high level json format which will
come into exi
> My only concern with this is that we'll end up having a json
> representation in high-level format.
>
> So I wonder if it would be good to make a distinction between the
> low-level VM (Virtual-Machine) json representation and the high-level
> one.
>
> What I'm proposing is that we just add a com
Neira
and Arturo Borrero
Acked-by: Arturo Borrero Gonzalez
Signed-off-by: Shyam Saini
---
V4:
Fix coding style issues
Avoid nested function calls (As Suggested by Arturo )
---
include/netlink.h | 9 ++
include/rule.h | 14 +--
src/evaluate.c | 2 +
src/netlink.c | 285
Neira
and Arturo Borrero
Signed-off-by: Shyam Saini
---
V3:
Follow kernel coding style
---
include/netlink.h | 9 ++
include/rule.h | 14 +--
src/evaluate.c | 2 +
src/netlink.c | 288 +
src/parser_bison.y | 38
a ruleset exported in json format.
>>
>> Highly based on work from Alvaro Neira
>> and Arturo Borrero .
>>
>> Signed-off-by: Shyam Saini
>> ---
>> V2:
>> Build Patch over updated repository.
>
>
> Hi Shyam,
Hi Arturo,
> I was able t
Neira
and Arturo Borrero .
Signed-off-by: Shyam Saini
---
V2:
Build Patch over updated repository.
---
include/netlink.h | 9 ++
include/rule.h | 14 +--
src/evaluate.c | 2 +
src/netlink.c | 280 +
src/parser_bison.y | 38
> Hi Shyam,
Hi Arturo,
> your v3 looks fine.
Thank you :)
> I was going to test it out, but it seems the first patch [0] in the
> series requires a refresh.
> Please, refresh this first patch.
>
> thanks for your work!
>
> [0] http://patchwork.ozlabs.org/patch/803561/
Sorry, for the inconvenien
rules_ipv6*->ip6 table rules files
>> rules_arp* -> arp table rules files
>> rules_bridge* ->bridge table rules files
>>
>> Signed-off-by: Shyam Saini
>> ---
>
> This is v2: generally in this patch section we include
ases/import/json_import_0
Signed-off-by: Shyam Saini
---
v3:
Retain json_import_0 file which runs the actual tests
Drop all the rules_* files as they are no longer useful
Drop all_ruleset_list file as rules are already included in test file
v2:
Add rules_* file for the reference
Add
* ->bridge table rules files
Signed-off-by: Shyam Saini
---
tests/shell/testcases/import/all_ruleset_list | 46 ++
tests/shell/testcases/import/json_import_0 | 72 ++
.../testcases/import/rules_arp_hlen_range.json | 1 +
On Wed, Aug 30, 2017 at 3:09 AM, Arturo Borrero Gonzalez
wrote:
> Thanks Shyam,
>
> Acked-by: Arturo Borrero Gonzalez
> in the future, please add a tag to the [PATCH] header, like "[PATCH
> libnftnl]" so we can easily know to which tree this patch should be
> applied to.
Thanks Arturo
I'll fol
==definitely lost: 40 bytes in 1 blocks
==11831==indirectly lost: 0 bytes in 0 blocks
==11831== possibly lost: 0 bytes in 0 blocks
==11831==still reachable: 0 bytes in 0 blocks
==11831== suppressed: 0 bytes in 0 blocks
Signed-off-by: Shyam Saini
---
examples/nft-chain-add.c
>
> > These test cases can be used to test upcoming "import json" command.
> >
> > Here is the short description of the files:
> > all_ruleset_list ->contains list of all the individual rules
>
> Wait. You are generating the JSON files from this ruleset, right?
>
yes.
>
> Then, why not simpl
of time some tests may fail.
For example:
dup to 172.20.0.2
ether daddr 00:01:02:03:04:05 ether saddr set ff:fe:dc:ba:98:76 drop
Signed-off-by: Shyam Saini
---
tests/shell/testcases/import/all_ruleset_list | 50 ++
.../testcases/import/rules_arp_hlen_range.json |
On Wed, Aug 23, 2017 at 3:32 PM, Arturo Borrero Gonzalez
wrote:
> On 22 August 2017 at 11:30, Shyam Saini wrote:
>>
>> Should I send the version 2 of this patch with this script?
>>
>
> Yes,
>
> my suggestion is:
>
> * create a new testcase in nftables: te
On Tue, Aug 22, 2017 at 2:43 PM, Arturo Borrero Gonzalez
wrote:
> On 21 August 2017 at 22:55, Shyam Saini wrote:
>> These cases can be used to test upcoming "import json" command.
>>
>> Here is the short description of the files:
>> all_ruleset_list ->
arp table
rules_bridge* ->bridge table
At this point of time some tests may fail.
For example:
dup to 172.20.0.2
ether daddr 00:01:02:03:04:05 ether saddr set ff:fe:dc:ba:98:76 drop
Signed-off-by: Shyam Saini
---
tests/json/all_ruleset_list| 50 +
Here is the rules.json file which I tested.
On Sat, Aug 19, 2017 at 6:10 PM, Shyam Saini wrote:
> This new operation allows importing a ruleset in json to make
> incremental changes using the parse functions of libnftnl.
>
> A basic way to test this new functionality is:
>
>
Neira
and Arturo Borrero .
Signed-off-by: Shyam Saini
---
include/netlink.h | 9 ++
include/rule.h | 14 +--
src/evaluate.c | 10 +-
src/netlink.c | 279 +
src/parser_bison.y | 38 +---
src/rule.c | 44
On Mon, Jun 26, 2017 at 11:38 PM, Pablo Neira Ayuso wrote:
> On Mon, Jun 26, 2017 at 11:24:23PM +0530, Shyam Saini wrote:
>> On Mon, Jun 26, 2017 at 11:07 PM, Pablo Neira Ayuso
>> wrote:
>> > On Mon, Jun 26, 2017 at 11:02:34PM +0530, Shyam Saini wrote:
>> >&
On Mon, Jun 26, 2017 at 11:07 PM, Pablo Neira Ayuso wrote:
> On Mon, Jun 26, 2017 at 11:02:34PM +0530, Shyam Saini wrote:
>> On Mon, Jun 26, 2017 at 10:29 PM, Pablo Neira Ayuso
>> wrote:
>> > On Fri, Jun 23, 2017 at 05:35:55PM +0530, Shyam Saini wrote:
>> >>
On Mon, Jun 26, 2017 at 10:29 PM, Pablo Neira Ayuso wrote:
> On Fri, Jun 23, 2017 at 05:35:55PM +0530, Shyam Saini wrote:
>> Before the [Test] commit if we run nft with incomplete "add set"
>> command it caused segmentation fault and exit with error code 139 and
>&
Before the [Test] commit, the nft error message was pointing to the wrong
file.
But after the commit it points to the right file.
This commit tests the changes made in the [Test] commit.
Test:b14572f72aac (" erec: Fix input descriptors for included files ")
Signed-off-by: Shyam Saini
---
.
an incomplete set add
command" )
Signed-off-by: Shyam Saini
---
.../testcases/sets/0023incomplete_add_set_command_0 | 16
1 file changed, 16 insertions(+)
create mode 100755 tests/shell/testcases/sets/0023incomplete_add_set_command_0
diff --git a/tests/shell/testcases/sets/
On Sun, Jun 18, 2017 at 3:18 PM, Pablo Neira Ayuso wrote:
> On Sun, Jun 18, 2017 at 11:29:13AM +0200, Pablo Neira Ayuso wrote:
>> On Sat, Jun 17, 2017 at 01:05:42AM +0530, Shyam Saini wrote:
>> > This test checks the bug identified and fixed in the commit mentioned below
>> &
atements which set values")
Signed-off-by: Shyam Saini
---
tests/py/nft-test.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py
index c1da71aaf827..8d099a15aaf8 100755
--- a/tests/py/nft-test.py
+++ b/tests/py/nft-test.py
@@ -702
On Sun, Jun 18, 2017 at 3:01 PM, Pablo Neira Ayuso wrote:
> On Sun, Jun 18, 2017 at 11:29:13AM +0200, Pablo Neira Ayuso wrote:
>> On Sat, Jun 17, 2017 at 01:05:42AM +0530, Shyam Saini wrote:
>> > This test checks the bug identified and fixed in the commit mentioned below
>> &
On Sun, Jun 18, 2017 at 2:59 PM, Pablo Neira Ayuso wrote:
> On Sat, Jun 17, 2017 at 01:05:42AM +0530, Shyam Saini wrote:
>> This test checks the bug identified and fixed in the commit mentioned below
>> In a statement if there are multiple src data then it would be
>> totall
("evaluate: avoid reference to multiple src data in
statements which set values")
Signed-off-by: Shyam Saini
---
tests/py/any/ct.t | 10 ++
tests/py/any/meta.t | 8
tests/py/bridge/ether.t | 7 +++
tests/py/inet/tcp.t | 7 +++
tests/py/inet/udp.
On Thu, Jun 15, 2017 at 3:21 PM, Pablo Neira Ayuso wrote:
> On Fri, Jun 09, 2017 at 09:31:00PM +0530, Shyam Saini wrote:
>> This test checks the bug identified and fixed in the commit mentioned below
>> In a statement if there are multiple src data then it would be
>> totall
On Mon, Jun 12, 2017 at 4:19 PM, Pablo Neira Ayuso wrote:
> On Mon, Jun 12, 2017 at 04:16:16PM +0530, Shyam Saini wrote:
>> On Mon, Jun 12, 2017 at 2:52 PM, Pablo Neira Ayuso
>> wrote:
>> > On Fri, Jun 09, 2017 at 09:31:00PM +0530, Shyam Saini wrote:
>> >>
On Mon, Jun 12, 2017 at 2:52 PM, Pablo Neira Ayuso wrote:
> On Fri, Jun 09, 2017 at 09:31:00PM +0530, Shyam Saini wrote:
>> diff --git a/tests/shell/testcases/sets/0023unknown_value_to_use_0
>> b/tests/shell/testcases/sets/0023unknown_value_to_use_0
>> new file mode 10
; as return code. So, we can't detect 134 != 1 there.
(both 1 and 134 state failure)
Test: 986dea8 ("evaluate: avoid reference to multiple src data in
statements which set values")
Signed-off-by: Shyam Saini
---
.../testcases/sets/0023unknown_value_to_use_0 | 33 +
On Fri, Jun 9, 2017 at 3:28 PM, Arturo Borrero Gonzalez
wrote:
> On 9 June 2017 at 11:30, Shyam Saini wrote:
>> This test checks the bug identified and fixed in the commit mentioned below
>> In a statement if there are multiple src data then it would be
>> totally ambiguous
; as return code. So, we can't detect 134 != 1 there.
(both 1 and 134 state failure)
Test: 986dea8 ("evaluate: avoid reference to multiple src data in statements
which set values")
Signed-off-by: Shyam Saini
---
.../testcases/sets/0023unknown_value_to_use_0 | 34 +
On Tue, May 30, 2017 at 3:50 PM, Pablo Neira Ayuso wrote:
> On Tue, May 30, 2017 at 12:08:55PM +0200, Pablo Neira Ayuso wrote:
>> On Tue, May 30, 2017 at 01:55:34PM +0530, Shyam Saini wrote:
>> > Add translation for cluster match to nftables
>> >
>> > $ sudo
-nodes is 2) in the cluster then
modulus 2 = {0, 1}
For node 1 (--cluster-local-node 1)
jhash ct original saddr mod 2 seed 0xdeadbeef eq 0
For node 2 (--cluster-local-node 2)
jhash ct original saddr mod 2 seed 0xdeadbeef eq 1
Signed-off-by: Shyam Saini
---
extensions/libxt_clu
On Wed, May 24, 2017 at 9:14 PM, Pablo Neira Ayuso wrote:
> On Wed, May 24, 2017 at 06:01:51PM +0530, Shyam Saini wrote:
>> Add translation for cluster to nft
>
> I think this should be:
>
> -m cluster --cluster-total-nodes 2 --cluster-local-node 1
> --clus
>> Add translation for cluster to nft
>>
>> $ sudo iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster
>> --cluster-total-nodes 2 --cluster-local-node 1 --cluster-hash-seed
>> 0xdeadbeef -j MARK --set-mark 0x
>>
>> nft add rule ip mangle PREROUTING iifname eth1 ct state {new,establis
]
[ cmp eq reg 1 0x ]
[ payload load 4b @ network header + 12 => reg 2 ]
[ hash reg 1 = jhash(reg 2, 4, 0xdeadbeef) % mod 2 offset 1 ]
[ meta set mark with reg 1 ]
[ counter pkts 0 bytes 0 ]
[ immediate reg 1 0x ]
[ meta set mark with reg 1 ]
Signed-off-by:
PT
After this patch
$ iptables-translate -A INPUT -p tcp -m tcp --sport http -s 192.168.0.0/16 -d
192.168.0.0/16 -j LONGNACCEPT -m comment --comment "foobar"
nft add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16
tcp sport 80 counter jump LONGNACCEPT comme
Remove unnecessary debug code
Signed-off-by: Shyam Saini
---
libxtables/xtables.c | 33 +
1 file changed, 5 insertions(+), 28 deletions(-)
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 921dfe9..6e75c15 100644
--- a/libxtables/xtables.c
+++ b
Replace gethostbyaddr() with getnameinfo() as getnameinfo()
deprecates the former and allows programs to
eliminate IPv4-versus-IPv6 dependencies
Signed-off-by: Shyam Saini
---
libxtables/xtables.c | 15 ++-
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/libxtables
Use getnameinfo() instead of deprecated gethostbyaddr()
Signed-off-by: Shyam Saini
---
libxtables/xtables.c | 25 -
1 file changed, 20 insertions(+), 5 deletions(-)
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 921dfe9..338e325 100644
--- a/libxtables