Snooping expected connections in a user CT helper

2016-08-16 Thread Kevin Cernekee
Hi,

I am trying to extend the ssdp user helper in conntrackd to handle
event subscriptions on a UPnP control point.  The flow looks like
this:

1) Outbound multicast M-SEARCH packet (dst: 1900/udp)
 - Create expectation for unicast reply from  to source port

2) Inbound unicast reply (there may be several of these from different devices)
 - Find the device's URL, e.g.
   LOCATION: http://192.168.1.123:1400/xml/device_description.xml
 - Create expectation to track connections to this host:port (tcp)

3) Outbound connection to device's web server (there will be several of these)
 - Watch for a SUBSCRIBE request
 - Find the control point's callback URL, e.g.
   CALLBACK: 
 - Create expectation to open up inbound connections to this host:port

4) Inbound connection to control point's web server
 - Once this is complete, the subscription should work

So, all of the port numbers except 1900 are dynamic, and thus each
stage depends on the result of the previous stage.  Therefore I need
the callback to inspect the traffic for stages (1)-(3).

Currently, ssdp_helper_cb() only gets called for stage (1).  Is there
something I can do when creating the expectation to tell netfilter
that I would like to receive callbacks when the unicast reply from (2)
is received?

Alternatively, is there an iptables rule that I should be creating for
this purpose?  I tried this:

iptables -t raw -I INPUT -m helper --helper ssdp -j CT --helper ssdp

but `-m helper` did not work in the raw table, and `-j CT` did not
work in the filter table.  `-m state --state RELATED` also did not
work in the raw table.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
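The header parsing that stages (2) and (3) above require, as an added example that is not from the post or from conntrackd: it pulls the device host:port out of an SSDP reply's LOCATION header and the control point's callback host:port out of a SUBSCRIBE request's CALLBACK header, so that each expectation is scoped to exactly one host:port and a malformed header yields none. The header names follow the post; the `<url>` wrapping of CALLBACK, the default port 80, the `struct endpoint` layout, the function names and the sample messages are assumptions constructed here.

```c
/* Added example (not from the post or from conntrackd): extract the host:port
 * that a user helper would turn into an expectation in stages (2) and (3). */
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

struct endpoint { char host[64]; uint16_t port; };   /* assumed layout */

/* Find header `name` (case-insensitive) in a CRLF-separated message; returns
 * its value with leading spaces skipped and sets *vlen, or NULL if absent. */
static const char *find_header(const char *msg, const char *name, size_t *vlen)
{
    size_t nlen = strlen(name);
    const char *p = msg;
    while (*p) {
        const char *eol = strstr(p, "\r\n");
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        if (linelen > nlen && p[nlen] == ':' && !strncasecmp(p, name, nlen)) {
            const char *v = p + nlen + 1;
            while (v < p + linelen && *v == ' ')
                v++;
            *vlen = (size_t)(p + linelen - v);
            return v;
        }
        if (!eol)
            break;
        p = eol + 2;
    }
    return NULL;
}

/* Parse "http://host[:port]/..." (optionally wrapped in <...>, as CALLBACK
 * does) into host and port, port defaulting to 80. Anything malformed returns
 * false so that the helper never creates an expectation from it. */
static bool parse_http_url(const char *url, size_t len, struct endpoint *ep)
{
    const char *p = url, *end = url + len;
    if (p < end && *p == '<') p++;            /* CALLBACK: <http://...> */
    if ((size_t)(end - p) < 7 || strncasecmp(p, "http://", 7))
        return false;
    p += 7;
    const char *h = p;
    while (p < end && *p != ':' && *p != '/' && *p != '>')
        p++;
    size_t hlen = (size_t)(p - h);
    if (hlen == 0 || hlen >= sizeof(ep->host))
        return false;
    memcpy(ep->host, h, hlen);
    ep->host[hlen] = '\0';
    long port = 80;
    if (p < end && *p == ':') {
        char *q;
        if (!isdigit((unsigned char)p[1]))
            return false;
        port = strtol(p + 1, &q, 10);
        if (port < 1 || port > 65535)
            return false;
        p = q;
    }
    if (p < end && *p != '/' && *p != '>')   /* junk after the authority */
        return false;
    ep->port = (uint16_t)port;
    return true;
}

/* Stage 2: SSDP reply -> expectation for the device's web server (tcp). */
bool ssdp_device_endpoint(const char *reply, struct endpoint *ep)
{
    size_t vlen;
    const char *v = find_header(reply, "LOCATION", &vlen);
    return v && parse_http_url(v, vlen, ep);
}

/* Stage 3: SUBSCRIBE request -> expectation for the callback listener (first <url> only). */
bool subscribe_callback_endpoint(const char *req, struct endpoint *ep)
{
    size_t vlen;
    if (strncmp(req, "SUBSCRIBE ", 10) != 0)
        return false;
    const char *v = find_header(req, "CALLBACK", &vlen);
    return v && parse_http_url(v, vlen, ep);
}

/* Constructed sample traffic for the two stages. */
static const char ssdp_reply[] =
    "HTTP/1.1 200 OK\r\n"
    "LOCATION: http://192.168.1.123:1400/xml/device_description.xml\r\n"
    "ST: upnp:rootdevice\r\n\r\n";
static const char subscribe_req[] =
    "SUBSCRIBE /event HTTP/1.1\r\n"
    "HOST: 192.168.1.123:1400\r\n"
    "CALLBACK: <http://192.168.1.50:49152/notify>\r\n\r\n";
```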


[PATCH iptables 2/2] xtables-translate-restore: do not escape quotes

2016-08-16 Thread Pablo M. Bermudo Garay
If quotes are escaped, nft -f is unable to parse and load the translated
ruleset.

Signed-off-by: Pablo M. Bermudo Garay 
---
 iptables/xtables-translate.c | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index 3c577ed..914d3b1 100644
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -72,6 +72,11 @@ int xlate_action(const struct iptables_command_state *cs, 
bool goto_set,
.numeric= numeric,
.escape_quotes  = true,
};
+   if (!strcmp(xtables_globals.program_name,
+  "iptables-translate-restore") ||
+   !strcmp(xtables_globals.program_name,
+  "ip6tables-translate-restore"))
+   params.escape_quotes = false;
ret = cs->target->xlate(xl, );
}
else
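Review bot: the program_name test inserted before `ret = cs->target->xlate(xl, ...)` is duplicated verbatim in xlate_matches() in the next hunk; derive the escape_quotes value once (a small static helper that checks xtables_globals.program_name, or a flag set at startup) and use it at both call sites, so that a renamed binary or a third program name only has to be handled in one place. As written, every translated rule performs two strcmp() calls to recover a fact that is fixed for the whole run.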
@@ -100,6 +105,12 @@ int xlate_matches(const struct iptables_command_state *cs, 
struct xt_xlate *xl)
.escape_quotes  = true,
};
 
+   if (!strcmp(xtables_globals.program_name,
+  "iptables-translate-restore") ||
+   !strcmp(xtables_globals.program_name,
+  "ip6tables-translate-restore"))
+   params.escape_quotes = false;
+
if (!matchp->match->xlate)
return 0;
 
-- 
2.9.3



[PATCH iptables 1/2] xtables-translate: add escape_quotes option to comment_xlate

2016-08-16 Thread Pablo M. Bermudo Garay
The comment_xlate function did not support this option, which is necessary
in some situations.

Signed-off-by: Pablo M. Bermudo Garay 
---
 extensions/libxt_comment.c | 9 -
 iptables/nft-ipv4.c| 2 +-
 iptables/nft-ipv6.c| 2 +-
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/extensions/libxt_comment.c b/extensions/libxt_comment.c
index 0e31edd..bf9a039 100644
--- a/extensions/libxt_comment.c
+++ b/extensions/libxt_comment.c
@@ -52,9 +52,16 @@ static int comment_xlate(struct xt_xlate *xl,
 const struct xt_xlate_mt_params *params)
 {
struct xt_comment_info *commentinfo = (void *)params->match->data;
+   char comment[XT_MAX_COMMENT_LEN];
 
commentinfo->comment[XT_MAX_COMMENT_LEN - 1] = '\0';
-   xt_xlate_add_comment(xl, commentinfo->comment);
+   if (params->escape_quotes)
+   snprintf(comment, XT_MAX_COMMENT_LEN, "comment \\\"%s\\\"",
+commentinfo->comment);
+   else
+   snprintf(comment, XT_MAX_COMMENT_LEN, "comment \"%s\"",
+commentinfo->comment);
+   xt_xlate_add_comment(xl, comment);
 
return 1;
 }
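Review bot: `comment` is declared as XT_MAX_COMMENT_LEN bytes but receives `comment \"...\"` (or the escaped form) wrapped around commentinfo->comment, so snprintf() silently truncates any comment within about 13 bytes of the maximum and drops the closing quote; size the buffer as XT_MAX_COMMENT_LEN plus the fixed overhead, or check the snprintf() return value. Also, commentinfo->comment is inserted unescaped, so a comment that itself contains a double quote or backslash produces nft syntax that `nft -f` cannot parse; escape those characters before formatting.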
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 50706cb..f5c0d95 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -490,7 +490,7 @@ static int nft_ipv4_xlate(const void *data, struct xt_xlate 
*xl)
 
comment = xt_xlate_get_comment(xl);
if (comment)
-   xt_xlate_add(xl, "comment \\\"%s\\\" ", comment);
+   xt_xlate_add(xl, "%s", comment);
 
ret = xlate_action(cs, !!(cs->fw.ip.flags & IPT_F_GOTO), xl);
 
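Review bot: the removed format string ended with a space (`"comment \\\"%s\\\" "`), while the replacement `xt_xlate_add(xl, "%s", comment)` emits the string from comment_xlate() with no trailing separator; unless xt_xlate_add() appends one, the action produced by xlate_action() on the next line is glued to the closing quote. The same applies to the identical hunk in nft-ipv6.c below.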
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 8ca523c..3792c68 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -439,7 +439,7 @@ static int nft_ipv6_xlate(const void *data, struct xt_xlate 
*xl)
 
comment = xt_xlate_get_comment(xl);
if (comment)
-   xt_xlate_add(xl, "comment \\\"%s\\\" ", comment);
+   xt_xlate_add(xl, "%s", comment);
 
ret = xlate_action(cs, !!(cs->fw6.ipv6.flags & IP6T_F_GOTO), xl);
 
-- 
2.9.3



Re: [PATCH 2/3 v3 nft] tests: Use libnftnl comparators in all tests

2016-08-16 Thread Pablo Neira Ayuso
On Tue, Aug 16, 2016 at 12:30:24PM +0200, Carlos Falgueras García wrote:
> Use 'nftnl_expr_cmp' and 'nftnl_rule_cmp' in all tests instead of a custom
> comparator for each one. If objects differ both are printed.

Please, please. One at a time...

This depends on your previous patchset so I cannot take this patchset.
Sorry.


Re: [PATCH 1/3 v4 libnftnl] Implement rule comparison

2016-08-16 Thread Pablo Neira Ayuso
On Tue, Aug 16, 2016 at 12:21:24PM +0200, Carlos Falgueras García wrote:
> diff --git a/src/expr.c b/src/expr.c
> index e5c1dd3..7f32055 100644
> --- a/src/expr.c
> +++ b/src/expr.c
> @@ -203,6 +203,20 @@ const char *nftnl_expr_get_str(const struct nftnl_expr 
> *expr, uint16_t type)
>  }
>  EXPORT_SYMBOL_ALIAS(nftnl_expr_get_str, nft_rule_expr_get_str);
>  
> +bool nftnl_expr_cmp(const struct nftnl_expr *e1, const struct nftnl_expr *e2)
> +{
> + if (e1->flags != e2->flags)
> + return false;
> +
> + if (strcmp(e1->ops->name, e2->ops->name))
> + return false;
> + if (e1->ops->cmp)
> + return e1->ops->cmp(e1, e2);
> + else
> + return !memcmp(e1->data, e2->data, e1->ops->alloc_len);

We cannot do memcmp() anymore, we have to add cmp() for each
expression because of what we have already discussed wrt. unset attributes.
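Pablo's point above (a memcmp() fallback is unsafe once attributes can be unset), shown on a mock expression as an added example that is not libnftnl code: `struct mock_bitwise`, its attribute names and the two comparators are constructed here, and only the flags-plus-data shape mirrors libnftnl.

```c
/* Added example, not libnftnl code: a mock expression with the same
 * flags-plus-data shape shows why a memcmp() fallback can disagree with
 * attribute-level equality once attributes may be set and later unset. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

enum { ATTR_DREG, ATTR_SREG, ATTR_LEN };
#define ATTR_FLAG(a) (1u << (a))

/* Constructed stand-in for an expression's private data area. */
struct mock_bitwise {
    uint32_t flags;   /* bitmask of attributes explicitly set */
    uint32_t dreg;
    uint32_t sreg;
    uint16_t len;     /* two padding bytes follow; memcmp() compares them too */
};

void mock_set_u32(struct mock_bitwise *e, int attr, uint32_t v)
{
    switch (attr) {
    case ATTR_DREG: e->dreg = v; break;
    case ATTR_SREG: e->sreg = v; break;
    case ATTR_LEN:  e->len = (uint16_t)v; break;
    default: return;
    }
    e->flags |= ATTR_FLAG(attr);
}

/* Unset only clears the flag; the stale value stays in the field, which is
 * exactly what a byte comparison then trips over. */
void mock_unset(struct mock_bitwise *e, int attr)
{
    e->flags &= ~ATTR_FLAG(attr);
}

/* The generic fallback: byte-for-byte over the whole allocation. */
bool mock_cmp_memcmp(const struct mock_bitwise *a, const struct mock_bitwise *b)
{
    return !memcmp(a, b, sizeof(*a));
}

/* A per-expression comparator: same attribute set, and equal values only
 * for attributes that are set; unset fields and padding are ignored. */
bool mock_cmp_attrs(const struct mock_bitwise *a, const struct mock_bitwise *b)
{
    if (a->flags != b->flags)
        return false;
    if ((a->flags & ATTR_FLAG(ATTR_DREG)) && a->dreg != b->dreg)
        return false;
    if ((a->flags & ATTR_FLAG(ATTR_SREG)) && a->sreg != b->sreg)
        return false;
    if ((a->flags & ATTR_FLAG(ATTR_LEN)) && a->len != b->len)
        return false;
    return true;
}

/* Two logically equal expressions: both end up with DREG=1 and LEN=4 set,
 * but `a` once had SREG set and then unset again. */
void mock_build_pair(struct mock_bitwise *a, struct mock_bitwise *b)
{
    memset(a, 0, sizeof(*a));
    memset(b, 0, sizeof(*b));
    mock_set_u32(a, ATTR_DREG, 1);
    mock_set_u32(a, ATTR_SREG, 7);
    mock_set_u32(a, ATTR_LEN, 4);
    mock_unset(a, ATTR_SREG);
    mock_set_u32(b, ATTR_DREG, 1);
    mock_set_u32(b, ATTR_LEN, 4);
}
```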


Re: [PATCH nf-next] netfilter: allow logging from non-init namespaces

2016-08-16 Thread Michal Kubecek
On Mon, May 16, 2016 at 08:43:16AM +0200, Michal Kubecek wrote:
> On Thu, May 12, 2016 at 11:57:26AM +0200, Pablo Neira Ayuso wrote:
> > On Wed, Apr 27, 2016 at 02:48:02PM +0200, Michal Kubecek wrote:
> > > Commit 69b34fb996b2 ("netfilter: xt_LOG: add net namespace support for
> > > xt_LOG") disabled logging packets using the LOG target from non-init
> > > namespaces. The motivation was to prevent containers from flooding
> > > kernel log of the host. The plan was to keep it that way until syslog
> > > namespace implementation allows containers to log in a safe way.
> > > 
> > > However, the work on syslog namespace seems to have hit a dead end
> > > somewhere in 2013 and there are users who want to use xt_LOG in all
> > > network namespaces. This patch allows to do so by setting
> > 
> > I understand this stuff is tricky. Did you contact already namespace
> > folks to see if they plan any move on this?
> 
> Not yet. I'll contact the people involved in the discussion about the
> series submitted in 2013 to check what their plans are (and if there
> are any).

Sorry for the delay, there were some security bugs, so this lost my
attention.

I did some asking around and the syslog namespace work is dead. There
were some design issues that turned out to be hard to address and the
overall consensus was that use cases like netfilter logging can be
handled in a different way (e.g. using NFLOG target).

Would the patch be acceptable? (It still applies cleanly to current
nf-next tree but I can resend a rebased version if needed.)

 Michal Kubecek


[PATCH 2/3 v3 nft] tests: Use libnftnl comparators in all tests

2016-08-16 Thread Carlos Falgueras García
Use 'nftnl_expr_cmp' and 'nftnl_rule_cmp' in all tests instead of a custom
comparator for each one. If objects differ both are printed.

Signed-off-by: Carlos Falgueras García 
---
 tests/libtest.c | 30 ++
 tests/libtest.h |  6 ++
 tests/nft-expr_bitwise-test.c   | 27 +--
 tests/nft-expr_byteorder-test.c | 22 +-
 tests/nft-expr_cmp-test.c   | 19 +--
 tests/nft-expr_counter-test.c   | 13 +
 tests/nft-expr_ct-test.c| 15 +--
 tests/nft-expr_dup-test.c   | 13 +
 tests/nft-expr_exthdr-test.c| 19 +--
 tests/nft-expr_fwd-test.c   | 10 +-
 tests/nft-expr_immediate-test.c | 40 ++--
 tests/nft-expr_limit-test.c | 22 +-
 tests/nft-expr_log-test.c   | 19 +--
 tests/nft-expr_lookup-test.c| 25 +
 tests/nft-expr_masq-test.c  | 16 +---
 tests/nft-expr_match-test.c | 20 +---
 tests/nft-expr_meta-test.c  | 13 +
 tests/nft-expr_nat-test.c   | 28 +---
 tests/nft-expr_payload-test.c   | 19 +--
 tests/nft-expr_queue-test.c | 13 +
 tests/nft-expr_redir-test.c | 16 +---
 tests/nft-expr_reject-test.c| 13 +
 tests/nft-expr_target-test.c| 20 +---
 tests/nft-rule-test.c   | 36 +---
 24 files changed, 59 insertions(+), 415 deletions(-)

diff --git a/tests/libtest.c b/tests/libtest.c
index ed7eafa..883e7a7 100644
--- a/tests/libtest.c
+++ b/tests/libtest.c
@@ -51,3 +51,33 @@ int test_report(const char *prog)
return EXIT_FAILURE;
}
 }
+
+#define SNPRINTF_BUFF_LEN 1024
+
+static const char *rule2str(const struct nftnl_rule *r)
+{
+   static char buff[SNPRINTF_BUFF_LEN];
+   nftnl_rule_snprintf(buff, SNPRINTF_BUFF_LEN, r, NFTNL_OUTPUT_DEFAULT, 
0);
+   return buff;
+}
+
+static const char *expr2str(const struct nftnl_expr *e)
+{
+   static char buff[SNPRINTF_BUFF_LEN];
+   nftnl_expr_snprintf(buff, SNPRINTF_BUFF_LEN, e, NFTNL_OUTPUT_DEFAULT, 
0);
+   return buff;
+}
+
+void test_assert_expr(const struct nftnl_expr *e1, const struct nftnl_expr *e2)
+{
+   if (!nftnl_expr_cmp(e1, e2))
+   print_err("expressions mismatch:\n\texpr 1: %s\n\texpr 2: %s",
+ expr2str(e1), expr2str(e2));
+}
+
+void test_assert_rule(const struct nftnl_rule *r1, const struct nftnl_rule *r2)
+{
+   if (!nftnl_rule_cmp(r1, r2))
+   print_err("rules mismatch:\nRULE 1:\n%s\nRULE 2:\n%s",
+ rule2str(r1), rule2str(r2));
+}
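Review bot: expr2str() and rule2str() each return a pointer into a single static buffer, yet test_assert_expr() calls expr2str() twice inside one print_err() argument list (and test_assert_rule() does the same with rule2str()); both arguments point at the same buffer, so the second snprintf overwrites the first and the mismatch report prints the same object twice. Use one buffer per argument (two static buffers or caller-supplied ones), or print each side with its own print_err() call.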
diff --git a/tests/libtest.h b/tests/libtest.h
index f570057..dd1d5cb 100644
--- a/tests/libtest.h
+++ b/tests/libtest.h
@@ -2,10 +2,16 @@
 #define _TESTS_UTILS_H
 
 #include 
+#include 
+#include 
+#include 
+#include 
 
 #define oom_assert(cond, prog) __oom_assert(cond, prog, __FILE__, __LINE__)
 void __oom_assert(bool cond, const char *prog, const char *file, int line);
 void print_err(const char *fmt, ...);
 int test_report(const char *prog);
+void test_assert_expr(const struct nftnl_expr *e1, const struct nftnl_expr 
*e2);
+void test_assert_rule(const struct nftnl_rule *r1, const struct nftnl_rule 
*r2);
 
 #endif
diff --git a/tests/nft-expr_bitwise-test.c b/tests/nft-expr_bitwise-test.c
index 42e9bb2..1eff343 100644
--- a/tests/nft-expr_bitwise-test.c
+++ b/tests/nft-expr_bitwise-test.c
@@ -21,31 +21,6 @@
 
 #include "libtest.h"
 
-static void cmp_nftnl_expr(struct nftnl_expr *rule_a,
- struct nftnl_expr *rule_b)
-{
-   uint32_t maska, maskb;
-   uint32_t xora, xorb;
-
-   if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_DREG) !=
-   nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_DREG))
-   print_err("Expr BITWISE_DREG mismatches");
-   if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_SREG) !=
-   nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_SREG))
-   print_err("Expr BITWISE_SREG mismatches");
-   if (nftnl_expr_get_u16(rule_a, NFTNL_EXPR_BITWISE_LEN) !=
-   nftnl_expr_get_u16(rule_b, NFTNL_EXPR_BITWISE_LEN))
-   print_err("Expr BITWISE_DREG mismatches");
-   nftnl_expr_get(rule_a, NFTNL_EXPR_BITWISE_MASK, );
-   nftnl_expr_get(rule_b, NFTNL_EXPR_BITWISE_MASK, );
-   if (maska != maskb)
-   print_err("Size of BITWISE_MASK mismatches");
-   nftnl_expr_get(rule_a, NFTNL_EXPR_BITWISE_XOR, );
-   nftnl_expr_get(rule_b, NFTNL_EXPR_BITWISE_XOR, );
-   if (xora != xorb)
-   print_err("Size of BITWISE_XOR mismatches");
-
-}
 int main(int argc, char *argv[])
 {
struct nftnl_rule *a, *b = NULL;
@@ -95,7 +70,7 @@ int main(int argc, char 

[PATCH 1/3 v3 nft] tests: Consolidate printing error utilities

2016-08-16 Thread Carlos Falgueras García
This patch adds libtest.c and libtest.h to reduce test code and
consolidate it.

Signed-off-by: Carlos Falgueras García 
---
 .gitignore  |  1 +
 tests/Makefile.am   | 52 +---
 tests/libtest.c | 53 +
 tests/libtest.h | 11 +
 tests/nft-chain-test.c  | 18 --
 tests/nft-expr_bitwise-test.c   | 29 +++---
 tests/nft-expr_byteorder-test.c | 29 +++---
 tests/nft-expr_cmp-test.c   | 29 +++---
 tests/nft-expr_counter-test.c   | 27 +++--
 tests/nft-expr_ct-test.c| 28 +++---
 tests/nft-expr_dup-test.c   | 28 +++---
 tests/nft-expr_exthdr-test.c| 28 +++---
 tests/nft-expr_fwd-test.c   | 28 +++---
 tests/nft-expr_immediate-test.c | 34 ++
 tests/nft-expr_limit-test.c | 29 +++---
 tests/nft-expr_log-test.c   | 29 +++---
 tests/nft-expr_lookup-test.c| 30 +++
 tests/nft-expr_masq-test.c  | 29 +++---
 tests/nft-expr_match-test.c | 38 +
 tests/nft-expr_meta-test.c  | 29 +++---
 tests/nft-expr_nat-test.c   | 29 +++---
 tests/nft-expr_payload-test.c   | 29 +++---
 tests/nft-expr_queue-test.c | 29 +++---
 tests/nft-expr_redir-test.c | 29 +++---
 tests/nft-expr_reject-test.c| 29 +++---
 tests/nft-expr_target-test.c| 37 +---
 tests/nft-rule-test.c   | 20 
 tests/nft-set-test.c| 18 --
 tests/nft-table-test.c  | 17 -
 29 files changed, 305 insertions(+), 511 deletions(-)
 create mode 100644 tests/libtest.c
 create mode 100644 tests/libtest.h

diff --git a/.gitignore b/.gitignore
index 1650e58..5a781db 100644
--- a/.gitignore
+++ b/.gitignore
@@ -28,4 +28,5 @@ examples/*
 !examples/Makefile.am
 tests/*
 !tests/*.c
+!tests/*.h
 !tests/Makefile.am
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 0377081..b55aeba 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -4,6 +4,8 @@ EXTRA_DIST =test-script.sh  \
jsonfiles   \
xmlfiles
 
+LIBTEST =  libtest.c
+
 check_PROGRAMS =   nft-parsing-test\
nft-table-test  \
nft-chain-test  \
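Review bot: `LIBTEST = libtest.c` appended to each `*_SOURCES` in the following hunk recompiles libtest.c once per test binary on every `make check`; an automake convenience library (`check_LTLIBRARIES = libtest.la`, `libtest_la_SOURCES = libtest.c`, then `libtest.la` in each `_LDADD`) builds it once and leaves the per-test `_SOURCES` lines untouched when libtest grows.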
@@ -34,77 +36,77 @@ check_PROGRAMS =nft-parsing-test\
 nft_parsing_test_SOURCES = nft-parsing-test.c
 nft_parsing_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS} ${LIBXML_LIBS} 
${LIBJSON_LIBS}
 
-nft_table_test_SOURCES = nft-table-test.c
+nft_table_test_SOURCES = nft-table-test.c ${LIBTEST}
 nft_table_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS}
 
-nft_chain_test_SOURCES = nft-chain-test.c
+nft_chain_test_SOURCES = nft-chain-test.c ${LIBTEST}
 nft_chain_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS}
 
-nft_rule_test_SOURCES = nft-rule-test.c
+nft_rule_test_SOURCES = nft-rule-test.c ${LIBTEST}
 nft_rule_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS}
 
-nft_set_test_SOURCES = nft-set-test.c
+nft_set_test_SOURCES = nft-set-test.c ${LIBTEST}
 nft_set_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS}
 
-nft_expr_bitwise_test_SOURCES = nft-expr_bitwise-test.c
+nft_expr_bitwise_test_SOURCES = nft-expr_bitwise-test.c ${LIBTEST}
 nft_expr_bitwise_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS}
 
-nft_expr_byteorder_test_SOURCES = nft-expr_byteorder-test.c
+nft_expr_byteorder_test_SOURCES = nft-expr_byteorder-test.c ${LIBTEST}
 nft_expr_byteorder_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS}
 
-nft_expr_cmp_test_SOURCES = nft-expr_cmp-test.c
+nft_expr_cmp_test_SOURCES = nft-expr_cmp-test.c ${LIBTEST}
 nft_expr_cmp_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS}
 
-nft_expr_counter_test_SOURCES = nft-expr_counter-test.c
+nft_expr_counter_test_SOURCES = nft-expr_counter-test.c ${LIBTEST}
 nft_expr_counter_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS}
 
-nft_expr_exthdr_test_SOURCES = nft-expr_exthdr-test.c
+nft_expr_exthdr_test_SOURCES = nft-expr_exthdr-test.c ${LIBTEST}
 nft_expr_exthdr_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS}
 
-nft_expr_ct_test_SOURCES = nft-expr_ct-test.c
+nft_expr_ct_test_SOURCES = nft-expr_ct-test.c ${LIBTEST}
 nft_expr_ct_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS}
 
-nft_expr_dup_test_SOURCES = nft-expr_dup-test.c
+nft_expr_dup_test_SOURCES = nft-expr_dup-test.c ${LIBTEST}
 nft_expr_dup_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS}
 
-nft_expr_fwd_test_SOURCES = nft-expr_fwd-test.c
+nft_expr_fwd_test_SOURCES = nft-expr_fwd-test.c ${LIBTEST}
 nft_expr_fwd_test_LDADD = 

[PATCH 2/3 v4 nft] Simplify parser rule_spec tree

2016-08-16 Thread Carlos Falgueras García
This patch separates the rule identification from the rule localization, so
the logic moves from the evaluator to the parser. This makes it possible to
revert the patch "evaluate: improve rule managment checks"
(4176c7d30c2ff1b3f52468fc9c08b8df83f979a8) and saves a lot of code.

A specific error message is shown when the user commits a syntax error, as
before this patch:

$ nft add rule t c handle 3 ...
:1:14-19: Error: Expected `position' or nothing
add rule t c handle 3 ...
 ^^

$ nft delete rule t c position 3 ...
:1:17-24: Error: syntax error, unexpected position, expecting 
handle
delete rule t c position 3 ...


Also a new boolean field is added to the structure 'parser_state' in order to
avoid printing the error twice.

Signed-off-by: Carlos Falgueras García 
---
 include/parser.h   |  2 ++
 src/evaluate.c | 68 +-
 src/parser_bison.y | 61 
 3 files changed, 39 insertions(+), 92 deletions(-)

diff --git a/include/parser.h b/include/parser.h
index 92beab2..41e5340 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -27,6 +27,8 @@ struct parser_state {
 
struct list_headcmds;
struct eval_ctx ectx;
+
+   boolerr_recovering;
 };
 
 extern void parser_init(struct parser_state *state, struct list_head *msgs);
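Review bot: the new `err_recovering` field in struct parser_state needs a defined initial value, and nothing in this hunk shows parser_init() clearing it; confirm that parser_init() memsets the state or sets `err_recovering = false`, otherwise the first error path reads an indeterminate flag from a stack-allocated parser_state.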
diff --git a/src/evaluate.c b/src/evaluate.c
index 87f5a6d..2f94ac6 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -44,12 +44,6 @@ static const char *byteorder_names[] = {
__stmt_binary_error(ctx, &(s1)->location, NULL, fmt, ## args)
 #define cmd_error(ctx, fmt, args...) \
__stmt_binary_error(ctx, &(ctx->cmd)->location, NULL, fmt, ## args)
-#define handle_error(ctx, fmt, args...) \
-   __stmt_binary_error(ctx, >cmd->handle.handle.location, NULL, fmt, 
## args)
-#define position_error(ctx, fmt, args...) \
-   __stmt_binary_error(ctx, >cmd->handle.position.location, NULL, 
fmt, ## args)
-#define handle_position_error(ctx, fmt, args...) \
-   __stmt_binary_error(ctx, >cmd->handle.handle.location, 
>cmd->handle.position.location, fmt, ## args)
 
 static int __fmtstring(3, 4) set_error(struct eval_ctx *ctx,
   const struct set *set,
@@ -2481,68 +2475,11 @@ static int set_evaluate(struct eval_ctx *ctx, struct 
set *set)
return 0;
 }
 
-static int rule_evaluate_cmd(struct eval_ctx *ctx)
-{
-   struct handle *handle = >cmd->handle;
-
-   /* allowed:
-* - insert [position] (no handle)
-* - add [position] (no handle)
-* - replace  (no position)
-* - delete  (no position)
-*/
-
-   switch (ctx->cmd->op) {
-   case CMD_INSERT:
-   if (handle->handle.id && handle->position.id)
-   return handle_position_error(ctx, "use only `position'"
-" instead");
-
-   if (handle->handle.id)
-   return handle_error(ctx, "use `position' instead");
-   break;
-   case CMD_ADD:
-   if (handle->handle.id && handle->position.id)
-   return handle_position_error(ctx, "use only `position'"
-" instead");
-
-   if (handle->handle.id)
-   return handle_error(ctx, "use `position' instead");
-
-   break;
-   case CMD_REPLACE:
-   if (handle->handle.id && handle->position.id)
-   return handle_position_error(ctx, "use only `handle' "
-"instead");
-   if (handle->position.id)
-   return position_error(ctx, "use `handle' instead");
-   if (!handle->handle.id)
-   return cmd_error(ctx, "missing `handle'");
-   break;
-   case CMD_DELETE:
-   if (handle->handle.id && handle->position.id)
-   return handle_position_error(ctx, "use only `handle' "
-"instead");
-   if (handle->position.id)
-   return position_error(ctx, "use `handle' instead");
-   if (!handle->handle.id)
-   return cmd_error(ctx, "missing `handle'");
-   break;
-   default:
-   BUG("unkown command type %u\n", ctx->cmd->op);
-   }
-
-   return 0;
-}
-
 static int rule_evaluate(struct eval_ctx *ctx, struct rule *rule)
 {
struct stmt *stmt, *tstmt = NULL;
struct error_record *erec;
 
-   if (rule_evaluate_cmd(ctx) < 0)
-   return -1;
-
proto_ctx_init(>pctx, rule->handle.family);
memset(>ectx, 0, sizeof(ctx->ectx));
 
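Review bot: removing rule_evaluate_cmd() also removes the "missing `handle'" checks for CMD_REPLACE and CMD_DELETE and the "use `position' instead" checks for CMD_ADD and CMD_INSERT; the diffstat lists src/parser_bison.y changes meant to take this over, but they are not in this excerpt, so confirm the grammar now rejects replace/delete without a handle and add/insert with one, rather than letting such a command reach the kernel with an empty handle.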

[PATCH 1/3 v4 libnftnl] Implement rule comparison

2016-08-16 Thread Carlos Falgueras García
This patch implements the function 'bool nftnl_rule_cmp(const struct
nftnl_rule *r, const struct nftnl_rule *r2)' for rule comparison.

Expressions within rules need to be compared, so the function
'nftnl_expr_cmp' has also been created; it calls a new field within
'nfntl_expr_': a function pointer to a comparator. The
expressions that can be compared with memcmp have this new field set to
NULL; otherwise they have a comparator implemented.

Signed-off-by: Carlos Falgueras García 
---
 include/data_reg.h  |  3 +++
 include/expr_ops.h  |  1 +
 include/libnftnl/expr.h |  2 ++
 include/libnftnl/rule.h |  2 ++
 src/expr.c  | 14 ++
 src/expr/data_reg.c | 16 
 src/expr/dynset.c   | 26 ++
 src/expr/immediate.c| 18 ++
 src/expr/log.c  | 24 
 src/expr/lookup.c   | 22 ++
 src/expr/match.c| 20 
 src/expr/target.c   | 20 
 src/libnftnl.map|  5 +
 src/rule.c  | 30 ++
 14 files changed, 203 insertions(+)

diff --git a/include/data_reg.h b/include/data_reg.h
index e749b5b..3fec7cd 100644
--- a/include/data_reg.h
+++ b/include/data_reg.h
@@ -3,6 +3,7 @@
 
 #include 
 #include 
+#include 
 #include 
 
 enum {
@@ -27,6 +28,8 @@ int nftnl_data_reg_snprintf(char *buf, size_t size,
const union nftnl_data_reg *reg,
uint32_t output_format, uint32_t flags,
int reg_type);
+bool nftnl_data_reg_cmp(const union nftnl_data_reg *r1,
+   const union nftnl_data_reg *r2, int reg_type);
 struct nlattr;
 
 int nftnl_parse_data(union nftnl_data_reg *data, struct nlattr *attr, int 
*type);
diff --git a/include/expr_ops.h b/include/expr_ops.h
index 3c0cb18..a334732 100644
--- a/include/expr_ops.h
+++ b/include/expr_ops.h
@@ -13,6 +13,7 @@ struct expr_ops {
uint32_t alloc_len;
int max_attr;
void(*free)(const struct nftnl_expr *e);
+   bool(*cmp)(const struct nftnl_expr *e1, const struct nftnl_expr 
*e2);
int (*set)(struct nftnl_expr *e, uint16_t type, const void *data, 
uint32_t data_len);
const void *(*get)(const struct nftnl_expr *e, uint16_t type, uint32_t 
*data_len);
int (*parse)(struct nftnl_expr *e, struct nlattr *attr);
diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h
index 17f60bd..8ae6f57 100644
--- a/include/libnftnl/expr.h
+++ b/include/libnftnl/expr.h
@@ -36,6 +36,8 @@ uint32_t nftnl_expr_get_u32(const struct nftnl_expr *expr, 
uint16_t type);
 uint64_t nftnl_expr_get_u64(const struct nftnl_expr *expr, uint16_t type);
 const char *nftnl_expr_get_str(const struct nftnl_expr *expr, uint16_t type);
 
+bool nftnl_expr_cmp(const struct nftnl_expr *e1, const struct nftnl_expr *e2);
+
 int nftnl_expr_snprintf(char *buf, size_t buflen, const struct nftnl_expr 
*expr, uint32_t type, uint32_t flags);
 
 enum {
diff --git a/include/libnftnl/rule.h b/include/libnftnl/rule.h
index e3bd6b8..adeedf2 100644
--- a/include/libnftnl/rule.h
+++ b/include/libnftnl/rule.h
@@ -50,6 +50,8 @@ uint64_t nftnl_rule_get_u64(const struct nftnl_rule *r, 
uint16_t attr);
 
 void nftnl_rule_add_expr(struct nftnl_rule *r, struct nftnl_expr *expr);
 
+bool nftnl_rule_cmp(const struct nftnl_rule *r1, const struct nftnl_rule *r2);
+
 struct nlmsghdr;
 
 void nftnl_rule_nlmsg_build_payload(struct nlmsghdr *nlh, struct nftnl_rule 
*t);
diff --git a/src/expr.c b/src/expr.c
index e5c1dd3..7f32055 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -203,6 +203,20 @@ const char *nftnl_expr_get_str(const struct nftnl_expr 
*expr, uint16_t type)
 }
 EXPORT_SYMBOL_ALIAS(nftnl_expr_get_str, nft_rule_expr_get_str);
 
+bool nftnl_expr_cmp(const struct nftnl_expr *e1, const struct nftnl_expr *e2)
+{
+   if (e1->flags != e2->flags)
+   return false;
+
+   if (strcmp(e1->ops->name, e2->ops->name))
+   return false;
+   if (e1->ops->cmp)
+   return e1->ops->cmp(e1, e2);
+   else
+   return !memcmp(e1->data, e2->data, e1->ops->alloc_len);
+}
+EXPORT_SYMBOL(nftnl_expr_cmp);
+
 void
 nftnl_expr_build_payload(struct nlmsghdr *nlh, struct nftnl_expr *expr)
 {
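Review bot: the fallback `!memcmp(e1->data, e2->data, e1->ops->alloc_len)` compares bytes of attributes that are not set (the preceding flags check only guarantees both expressions set the same attributes, not that the unset fields hold equal bytes) together with any struct padding, and it cannot follow pointers for expressions that own heap data; give every expression type its own cmp() and drop the memcmp path, or at the very least clear a field whenever its attribute is unset so stale values cannot produce a false mismatch.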
diff --git a/src/expr/data_reg.c b/src/expr/data_reg.c
index 688823b..a954e95 100644
--- a/src/expr/data_reg.c
+++ b/src/expr/data_reg.c
@@ -379,6 +379,22 @@ int nftnl_data_reg_snprintf(char *buf, size_t size,
return -1;
 }
 
+bool nftnl_data_reg_cmp(const union nftnl_data_reg *r1,
+   const union nftnl_data_reg *r2, int reg_type)
+{
+   switch (reg_type) {
+   case DATA_VALUE:
+   return  r1->len == r2->len &&
+   !memcmp(r1->val, r2->val, r1->len);
+   case DATA_VERDICT:
+   case DATA_CHAIN:
+   return  r1->verdict == 

[PATCH 3/3 v4 nft] Implement deleting rule by description

2016-08-16 Thread Carlos Falgueras García
This patch introduces deletion in a similar fashion to iptables; thus we
can delete the first rule that matches our description, for example:

$ nft list -a ruleset
table ip t {
chain c {
ip saddr 1.1.1.1 counter packets 0 bytes 0 # handle 1
ip saddr 1.1.1.2 counter packets 0 bytes 0 # handle 2
ip saddr 1.1.1.2 counter packets 0 bytes 0 # handle 3
ip saddr 1.1.1.4 counter packets 0 bytes 0 # handle 4
}
}
$ nft delete rule table chain ip saddr 1.1.1.2 counter
$ nft list -a ruleset
table ip t {
chain c {
ip saddr 1.1.1.1 counter packets 0 bytes 0 # handle 1
ip saddr 1.1.1.2 counter packets 0 bytes 0 # handle 3
ip saddr 1.1.1.4 counter packets 0 bytes 0 # handle 4
}
}

Also a custom error is thrown when the user commits a syntax error:

$ nft delete rule t c position 3 ...
:1:17-24: Error: Expected `handle' or rule description
delete rule t c position 3 ...

Signed-off-by: Carlos Falgueras García 
---
 src/evaluate.c |  6 ++
 src/parser_bison.y | 32 
 src/rule.c | 45 +++--
 3 files changed, 73 insertions(+), 10 deletions(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index 2f94ac6..f7b349b 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2661,7 +2661,13 @@ static int cmd_evaluate_delete(struct eval_ctx *ctx, 
struct cmd *cmd)
 
return setelem_evaluate(ctx, >expr);
case CMD_OBJ_SET:
+   return 0;
case CMD_OBJ_RULE:
+   /* CMD_LIST force caching all ruleset */
+   ret = cache_update(CMD_LIST, ctx->msgs);
+   if (ret < 0)
+   return ret;
+   return rule_evaluate(ctx, cmd->rule);
case CMD_OBJ_CHAIN:
case CMD_OBJ_TABLE:
return 0;
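Review bot: `ret` is assigned in the new CMD_OBJ_RULE branch but not declared anywhere in the hunk; confirm cmd_evaluate_delete() already has it in scope. The comment `/* CMD_LIST force caching all ruleset */` should read `/* CMD_LIST forces caching of the whole ruleset */`, and it is worth stating in the commit message that every delete-by-description now fetches the entire ruleset from the kernel before evaluation.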
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 93c283f..713002e 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -427,8 +427,8 @@ static void location_update(struct location *loc, struct 
location *rhs, int n)
 %type base_cmd add_cmd replace_cmd create_cmd 
insert_cmd delete_cmd list_cmd flush_cmd rename_cmd export_cmd monitor_cmd 
describe_cmd
 %destructor { cmd_free($$); }  base_cmd add_cmd replace_cmd create_cmd 
insert_cmd delete_cmd list_cmd flush_cmd rename_cmd export_cmd monitor_cmd 
describe_cmd
 
-%type  table_spec chain_spec chain_identifier 
ruleid_spec handle_spec position_spec rule_position ruleset_spec
-%destructor { handle_free(&$$); } table_spec chain_spec chain_identifier 
ruleid_spec handle_spec position_spec rule_position ruleset_spec
+%type  table_spec chain_spec chain_identifier 
handle_spec position_spec rule_position ruleset_spec
+%destructor { handle_free(&$$); } table_spec chain_spec chain_identifier 
handle_spec position_spec rule_position ruleset_spec
 %type  set_spec set_identifier
 %destructor { handle_free(&$$); } set_spec set_identifier
 %type family_spec family_spec_explicit chain_policy 
prio_spec
@@ -440,7 +440,7 @@ static void location_update(struct location *loc, struct 
location *rhs, int n)
 %destructor { close_scope(state); table_free($$); }table_block_alloc
 %type   chain_block_alloc chain_block
 %destructor { close_scope(state); chain_free($$); }chain_block_alloc
-%typerule rule_alloc
+%typerule ruleid_spec rule_alloc
 %destructor { rule_free($$); } rule
 
 %type set_flag_list   set_flag
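Review bot: `ruleid_spec` now carries the `rule` semantic type (`%type rule ruleid_spec rule_alloc`), but the `%destructor { rule_free($$); }` on the next line still lists only `rule`, so a ruleid_spec value discarded during bison error recovery leaks the allocated rule; add ruleid_spec to that destructor.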
@@ -747,9 +747,10 @@ add_cmd:   TABLE   
table_spec
}
;
 
-replace_cmd:   RULEruleid_spec rule
+replace_cmd:   RULEchain_spec  handle_spec 
rule
{
-   $$ = cmd_alloc(CMD_REPLACE, CMD_OBJ_RULE, &$2, 
&@$, $3);
+   handle_merge(&$2, &$3);
+   $$ = cmd_alloc(CMD_REPLACE, CMD_OBJ_RULE, &$2, 
&@$, $4);
}
;
 
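Review bot: `handle_merge(&$2, &$3)` merges handle_spec into chain_spec and then only `&$2` is passed to cmd_alloc(); the `%destructor { handle_free(&$$); }` for handle_spec runs only for symbols discarded on error, not for ones consumed by a reduction, so if handle_merge() merely copies fields, whatever `$3` owns is never released. Confirm handle_merge() transfers ownership, or free `$3` after the merge.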
@@ -794,7 +795,7 @@ delete_cmd  :   TABLE   table_spec
}
|   RULEruleid_spec
{
-   $$ = cmd_alloc(CMD_DELETE, CMD_OBJ_RULE, &$2, 
&@$, NULL);
+   $$ = cmd_alloc(CMD_DELETE, CMD_OBJ_RULE, 
&$2->handle, &@$, $2);
}
|   SET set_spec
{
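Review bot: `cmd_alloc(CMD_DELETE, CMD_OBJ_RULE, &$2->handle, &@$, $2)` hands cmd_alloc() both a pointer to the handle embedded in the rule and the rule itself; if cmd_alloc() copies that handle into the command and both cmd_free() and rule_free() later release it, the strings inside are freed twice, and if it takes the pointer the handle dangles once the rule goes away. Check the ownership contract here and document it in the commit message.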
@@ -1285,8 +1286,23 @@ rule_position  

[ANNOUNCE] Netdev 1.2 updates (16th August, 2016)

2016-08-16 Thread Hajime Tazaki

Hello folks,

I hope all of you are fine.

Here is an update for coming Netdev 1.2 Tokyo.

* Summary
1) extended early-bird registration
2) paper submission deadline
3) slides submission deadline
4) newly accepted sessions

So here we go.

1) extended early bird registration deadline
Due to numerous requests, we'd like to extend the deadline
for the early bird registration of netdev 1.2 (Tokyo).

The new deadline is August 31 2016.  Please don't miss the
discount ticket - and your early registration will be
definitely helpful to prepare the conference.

http://netdevconf.org/1.2/registration.html


2) paper submission deadline
(This is only for the speakers of Talk)
If you're a speaker of a talk at the conference, please prepare a PDF
and submit it to us once it's ready.

The due date is September 26, 2016.

For more information, please look at the page below.

http://netdevconf.org/1.2/submit-proposal.html


3) slides submission deadline
(This is for all of speakers including Talks, Tutorials,
BoFs, Workshops)
Please submit slide decks to us once your presentation
material is ready to go.

The due date is October 3, 2016.

For more information, please look at the page below.

http://netdevconf.org/1.2/submit-proposal.html


4) New accepted sessions

Here are the newly accepted sessions.  We will announce more
sessions once they are confirmed.

http://netdevconf.org/1.2/accepted-sessions.html

* Talk
- Implementing IPv6 Segment Routing 
  by David Lebrun

- Kernel TLS (Transport Layer Security) Socket
  by Dave Watson

- Making Linux TCP Fast
  by Yuchung Cheng, Neal Cardwell


Our sponsors:
- Platinum
Verizon, Facebook, Cumulus Networks
- Gold
Mojatatu Networks, VMWare, Google, NTT
- Silver
NetApp, IIJ, Netronome, SolarFlare, Mellanox

Twitter: https://twitter.com/netdev01
Web: http://netdevconf.org/1.2/

-- Hajime
