Re: [PATCH 1/1] iptables: Add file output option to iptables-save

2017-05-26 Thread Pablo Neira Ayuso
On Fri, May 26, 2017 at 03:43:12PM +0100, Oliver Ford wrote:
> On Fri, May 26, 2017 at 1:31 PM, Pablo Neira Ayuso wrote:
> > On Fri, May 26, 2017 at 12:25:16PM +, Oliver Ford wrote:
> >> Adds an option to output the results of iptables-save,
> >> ip6tables-save, and xtables-save save to a file.
> >> Updates the man page with this new option.
> >>
> >> Uses the dup2 call to replace stdout with the specified file.
> >> Error output is unchanged.
> >>
> >> This is a feature requested by a Gentoo developer in
> >> Bugzilla #905.
> >
> > Please, update manpage to include this new option and send v2.
> >
> > Thanks.
> 
> Hi, I updated the manpage in the file "iptables-save.8.in" which is
> included in the patch. A "man iptables-save" on my box shows the new
> option. Is there somewhere else I need to update it?

Sorry, I overlooked that chunk where you update the manpage; that chunk
is indeed not missing.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH 1/1] iptables: Add file output option to iptables-save

2017-05-26 Thread Oliver Ford
On Fri, May 26, 2017 at 1:31 PM, Pablo Neira Ayuso  wrote:
> On Fri, May 26, 2017 at 12:25:16PM +, Oliver Ford wrote:
>> Adds an option to output the results of iptables-save,
>> ip6tables-save, and xtables-save save to a file.
>> Updates the man page with this new option.
>>
>> Uses the dup2 call to replace stdout with the specified file.
>> Error output is unchanged.
>>
>> This is a feature requested by a Gentoo developer in
>> Bugzilla #905.
>
> Please, update manpage to include this new option and send v2.
>
> Thanks.

Hi, I updated the manpage in the file "iptables-save.8.in" which is
included in the patch. A "man iptables-save" on my box shows the new
option. Is there somewhere else I need to update it?


[PATCH nft 1/2] expression: don't trim off unary expression on delinearization

2017-05-26 Thread Pablo Neira Ayuso
This transformation introduces an unnecessary asymmetry between the
linearization and delinearization steps that prevents rule deletion from
definition from working properly.

Moreover, do not print htonl and ntohl from the unary expression; this
syntax is not allowed by the parser.

Signed-off-by: Pablo Neira Ayuso 
---
 src/expression.c  | 3 ---
 src/netlink_delinearize.c | 5 +
 2 files changed, 1 insertion(+), 7 deletions(-)

diff --git a/src/expression.c b/src/expression.c
index 5defa63f4a5f..55dd391178c3 100644
--- a/src/expression.c
+++ b/src/expression.c
@@ -460,10 +460,7 @@ const char *expr_op_symbols[] = {
 
 static void unary_expr_print(const struct expr *expr)
 {
-   if (expr_op_symbols[expr->op] != NULL)
-   printf("%s(", expr_op_symbols[expr->op]);
expr_print(expr->arg);
-   printf(")");
 }
 
 static void unary_expr_clone(struct expr *new, const struct expr *expr)
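Review bot: with the op-symbol printing gone, unary_expr_print() is now a transparent pass-through to expr_print(expr->arg), so a listing gives no hint that a byteorder-conversion node sits in the tree; since the commit message says the parser does not accept the htonl()/ntohl() syntax anyway, a one-line comment above the function saying the conversion is deliberately invisible in output would stop the next reader from "re-adding" it. Note also that the removed code printed the closing ")" unconditionally even when no symbol had been printed for the op, so this deletion incidentally removes an unbalanced-parenthesis output for ops without a symbol.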
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 49dc6a6016ba..b355eff47222 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -1759,10 +1759,7 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, 
struct expr **exprp)
}
case EXPR_UNARY:
expr_postprocess(ctx, >arg);
-   expr_set_type(expr->arg, expr->arg->dtype, 
!expr->arg->byteorder);
-
-   *exprp = expr_get(expr->arg);
-   expr_free(expr);
+   expr_set_type(expr, expr->arg->dtype, !expr->arg->byteorder);
break;
case EXPR_BINOP:
expr_postprocess(ctx, >left);
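Review bot: the unary node is now kept and retyped in place, so everything downstream of expr_postprocess() sees an EXPR_UNARY wrapping the argument instead of the bare argument. That is what the stated symmetry with linearization needs, but it is worth confirming that the comparison used for rule deletion from definition treats this retyped node as equal to the one the parser/evaluator produces (same dtype, inverted byteorder, same len); a tests/py case that adds and then deletes a rule involving a byteorder conversion would lock the fix in.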
-- 
2.1.4



[PATCH nft 2/2] tests: py: flush stdout on each test run

2017-05-26 Thread Pablo Neira Ayuso
Useful when redirecting output to a file and running tail -f on it.

Signed-off-by: Pablo Neira Ayuso 
---
 tests/py/nft-test.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py
index 8d1df3bc517a..c1da71aaf827 100755
--- a/tests/py/nft-test.py
+++ b/tests/py/nft-test.py
@@ -955,6 +955,8 @@ def run_test_file(filename, force_all_family_option, 
specific_file):
 tests = passed = total_unit_run = total_warning = total_error = 0
 
 for lineno, line in enumerate(f):
+sys.stdout.flush()
+
 if signal_received == 1:
 print "\nSignal received. Cleaning up and Exitting..."
 cleanup_on_exit()
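Review bot: the flush sits at the top of the `for lineno, line in enumerate(f)` loop, so it fires once per input line (blank and comment lines included) and before anything has been printed for that line; flushing right after the per-test result is printed would make output appear as soon as it is produced and avoid a redundant syscall per line. It also relies on `sys` already being imported in this file, which the hunk does not show; worth a quick check.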
-- 
2.1.4



Re: [PATCH 1/1] iptables: Add file output option to iptables-save

2017-05-26 Thread Pablo Neira Ayuso
On Fri, May 26, 2017 at 12:25:16PM +, Oliver Ford wrote:
> Adds an option to output the results of iptables-save,
> ip6tables-save, and xtables-save save to a file.
> Updates the man page with this new option.
> 
> Uses the dup2 call to replace stdout with the specified file.
> Error output is unchanged.
> 
> This is a feature requested by a Gentoo developer in
> Bugzilla #905.

Please, update manpage to include this new option and send v2.

Thanks.


[PATCH 1/1] iptables: Add file output option to iptables-save

2017-05-26 Thread Oliver Ford
Adds an option to output the results of iptables-save,
ip6tables-save, and xtables-save save to a file.
Updates the man page with this new option.

Uses the dup2 call to replace stdout with the specified file.
Error output is unchanged.

This is a feature requested by a Gentoo developer in
Bugzilla #905.

Signed-off-by: Oliver Ford 
---
 iptables/ip6tables-save.c   | 20 +++-
 iptables/iptables-save.8.in | 14 +-
 iptables/iptables-save.c| 20 +++-
 iptables/xtables-save.c | 20 +++-
 4 files changed, 66 insertions(+), 8 deletions(-)

diff --git a/iptables/ip6tables-save.c b/iptables/ip6tables-save.c
index 250ca20..21396e4 100644
--- a/iptables/ip6tables-save.c
+++ b/iptables/ip6tables-save.c
@@ -14,6 +14,7 @@
 #include 
 #include 
 #include 
+#include 
 #include "libiptc/libip6tc.h"
 #include "ip6tables.h"
 #include "ip6tables-multi.h"
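Review bot: the header name of the added #include is lost in this archive rendering; the new `case 'f'` code further down calls strerror(errno), which needs both <errno.h> and <string.h>, so make sure whichever header is being added here leaves both declared, and apply the same check to the identical hunk in iptables-save.c.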
@@ -25,6 +26,7 @@ static const struct option options[] = {
{.name = "dump", .has_arg = false, .val = 'd'},
{.name = "table",.has_arg = true,  .val = 't'},
{.name = "modprobe", .has_arg = true,  .val = 'M'},
+   {.name = "file", .has_arg = true,  .val = 'f'},
{NULL},
 };
 
@@ -129,6 +131,7 @@ int ip6tables_save_main(int argc, char *argv[])
 {
const char *tablename = NULL;
int c;
+   FILE *file = NULL;
 
ip6tables_globals.program_name = "ip6tables-save";
c = xtables_init_all(_globals, NFPROTO_IPV6);
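Review bot: `file` is only used inside `case 'f'` and is fclose()d before that case ends, so the declaration can live in that block; alternatively the whole redirection can use open(2) returning an int and avoid the FILE*/fileno()/fclose() round-trip entirely.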
@@ -143,7 +146,7 @@ int ip6tables_save_main(int argc, char *argv[])
init_extensions6();
 #endif
 
-   while ((c = getopt_long(argc, argv, "bcdt:M:", options, NULL)) != -1) {
+   while ((c = getopt_long(argc, argv, "bcdt:M:f:", options, NULL)) != -1) 
{
switch (c) {
case 'b':
fprintf(stderr, "-b/--binary option is not 
implemented\n");
@@ -159,6 +162,21 @@ int ip6tables_save_main(int argc, char *argv[])
case 'M':
xtables_modprobe_program = optarg;
break;
+   case 'f':
+   file = fopen(optarg, "w");
+   if (file == NULL) {
+   fprintf(stderr, "Failed to open file, error: 
%s\n",
+   strerror(errno));
+   exit(1);
+   }
+   int ret = dup2(fileno(file), STDOUT_FILENO);
+   if (ret == -1) {
+   fprintf(stderr, "Failed to redirect stdout, 
error: %s\n",
+   strerror(errno));
+   exit(1);
+   }
+   fclose(file);
+   break;
case 'd':
do_output(tablename);
exit(0);
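Review bot: `fopen(optarg, "w")` truncates the destination as soon as the option is parsed, before any table has been read, so if do_output() later fails (unknown table, missing module) the administrator is left with an empty file where the previous save used to be; the safer pattern is to write into a temporary file in the same directory and rename(2) it onto optarg only after a successful dump, or at minimum to defer the open until just before do_output(). Smaller points: `int ret` is declared after statements in the middle of the case, which the rest of this file avoids, so move it to the top of the function next to `FILE *file`; and because `case 'd'` dumps and exits inside the same getopt loop, `-d -f out` still writes to the terminal since -d is processed before -f, which the manpage should at least mention.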
diff --git a/iptables/iptables-save.8.in b/iptables/iptables-save.8.in
index 7f99d8a..51e11f3 100644
--- a/iptables/iptables-save.8.in
+++ b/iptables/iptables-save.8.in
@@ -19,27 +19,31 @@
 .\"
 .\"
 .SH NAME
-iptables-save \(em dump iptables rules to stdout
+iptables-save \(em dump iptables rules
 .P
-ip6tables-save \(em dump iptables rules to stdout
+ip6tables-save \(em dump iptables rules
 .SH SYNOPSIS
 \fBiptables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
-[\fB\-t\fP \fItable\fP]
+[\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP]
 .P
 \fBip6tables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
-[\fB\-t\fP \fItable\fP]
+[\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP]
 .SH DESCRIPTION
 .PP
 .B iptables-save
 and
 .B ip6tables-save
 are used to dump the contents of IP or IPv6 Table in easily parseable format
-to STDOUT. Use I/O-redirection provided by your shell to write to a file.
+either to STDOUT or to a specified file.
 .TP
 \fB\-M\fR, \fB\-\-modprobe\fR \fImodprobe_program\fP
 Specify the path to the modprobe program. By default, iptables-save will
 inspect /proc/sys/kernel/modprobe to determine the executable's path.
 .TP
+\fB\-f\fR, \fB\-\-file\fR \fIfilename\fP
+Specify a filename to log the output to. If not specified, iptables-save
+will log to STDOUT.
+.TP
 \fB\-c\fR, \fB\-\-counters\fR
 include the current values of all packet and byte counters in the output
 .TP
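Review bot: the new -f entry says the output is "logged" to the file, but iptables-save writes a ruleset dump, not a log, and the DESCRIPTION paragraph just above uses "dump"; say "write the output to" and state that an existing file is overwritten, since that is what fopen(..., "w") in the C hunk does. The removed sentence about shell redirection could stay as the alternative for scripts that already rely on it. Also, both NAME lines now read "dump iptables rules" while the ip6tables-save line should arguably say "ip6tables rules"; that wording is pre-existing, but this hunk already touches the line.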
diff --git a/iptables/iptables-save.c b/iptables/iptables-save.c
index 52929b0..00ff05e 100644
--- a/iptables/iptables-save.c
+++ b/iptables/iptables-save.c
@@ -13,6 +13,7 @@
 #include 
 #include 
 #include 
+#include 
 #include "libiptc/libiptc.h"
 #include "iptables.h"
 #include "iptables-multi.h"
@@ -24,6 +25,7 @@ static const struct option options[] = {
{.name = "dump", .has_arg = false, .val = 'd'},
{.name = "table",.has_arg = true,  .val = 't'},
{.name = "modprobe", .has_arg = true,  .val = 'M'},
+   {.name = "file", .has_arg = true,  .val = 'f'},
{NULL},
 };
 
@@ -128,6 +130,7 @@ 
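The patch's approach is to fopen() the destination with "w" and dup2() it over stdout, which truncates the target before a single rule has been read. As an added example (not code from the patch or from iptables), the following C shows the same dup2 redirection done so that a failed dump cannot destroy a previous save: output goes to a mkstemp() file next to the destination and is renamed over it only once the dump has completed, while a failed dump leaves the old file untouched. `struct save_ctx`, `save_begin`, `save_finish`, `slurp` and `demo_roundtrip` are names invented for this example; the sample dump text and the /tmp scratch directory are constructed.

```c
#define _GNU_SOURCE            /* mkstemp/mkdtemp/fsync declarations */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Redirection state; an assumption of this example, not part of the
 * iptables patch (which fopen()s the target and dup2()s it over stdout). */
struct save_ctx {
	int target_fd;        /* fd being redirected, e.g. STDOUT_FILENO */
	int saved_fd;         /* dup of the original target, restored later */
	int tmp_fd;           /* temporary file the dump is written into */
	char tmp_path[4096];  /* "<destination>.XXXXXX", same directory */
};

/* Create the temp file (mkstemp: O_EXCL, mode 0600) and dup2() it over
 * target_fd. Returns 0, or -1 with errno set and nothing left behind. */
int save_begin(struct save_ctx *c, const char *path, int target_fd)
{
	int e;
	c->target_fd = target_fd;
	c->saved_fd = -1;
	if (snprintf(c->tmp_path, sizeof(c->tmp_path), "%s.XXXXXX", path)
	    >= (int)sizeof(c->tmp_path)) {
		errno = ENAMETOOLONG;
		return -1;
	}
	c->tmp_fd = mkstemp(c->tmp_path);
	if (c->tmp_fd < 0)
		return -1;
	c->saved_fd = dup(target_fd);
	if (c->saved_fd >= 0 && dup2(c->tmp_fd, target_fd) >= 0)
		return 0;
	e = errno;                    /* clean up without clobbering errno */
	unlink(c->tmp_path);
	close(c->tmp_fd);
	if (c->saved_fd >= 0)
		close(c->saved_fd);
	errno = e;
	return -1;
}

/* Restore target_fd. With ok != 0 the temp file is fsync()ed and renamed
 * onto path (an atomic replace); otherwise it is removed and any earlier
 * file at path stays untouched. Returns 0 on success, -1 on any failure. */
int save_finish(struct save_ctx *c, const char *path, int ok)
{
	int rc = 0;
	if (ok && fsync(c->tmp_fd) < 0) { ok = 0; rc = -1; }
	if (dup2(c->saved_fd, c->target_fd) < 0)  /* put the original back */
		rc = -1;
	close(c->saved_fd);
	close(c->tmp_fd);
	if (ok && rename(c->tmp_path, path) < 0) { ok = 0; rc = -1; }
	if (!ok)
		unlink(c->tmp_path);
	return rc;
}

/* Read back a small file; returns the byte count or -1. */
static ssize_t slurp(const char *path, char *buf, size_t len)
{
	int fd = open(path, O_RDONLY);
	ssize_t n = fd < 0 ? -1 : read(fd, buf, len);
	if (fd >= 0)
		close(fd);
	return n;
}

/* Round trip in a scratch directory, with a /dev/null fd standing in for
 * stdout: a successful save installs the new content, a failed save leaves
 * the previous save intact and no temp file behind. Returns 0 if every
 * step behaved as expected, otherwise the number of the failing step. */
int demo_roundtrip(void)
{
	static const char dump[] = "*filter\nCOMMIT\n";  /* constructed sample */
	char dir[] = "/tmp/savedemo.XXXXXX", path[64], buf[64];
	struct save_ctx c;
	int fd;
	if (!mkdtemp(dir) || (fd = open("/dev/null", O_WRONLY)) < 0)
		return 1;
	snprintf(path, sizeof(path), "%s/rules.v4", dir);
	/* 1) dump succeeds: destination holds the complete dump */
	if (save_begin(&c, path, fd) < 0 || write(fd, dump, 15) != 15 ||
	    save_finish(&c, path, 1) < 0)
		return 2;
	if (slurp(path, buf, sizeof(buf)) != 15 || memcmp(buf, dump, 15) != 0)
		return 3;
	/* 2) dump aborts half way: previous content survives, temp is gone */
	if (save_begin(&c, path, fd) < 0 || write(fd, dump, 8) != 8 ||
	    save_finish(&c, path, 0) < 0)
		return 4;
	if (slurp(path, buf, sizeof(buf)) != 15 || access(c.tmp_path, F_OK) == 0)
		return 5;
	close(fd);
	unlink(path);
	return rmdir(dir) == 0 ? 0 : 6;
}
```

In a real tool, save_begin() would be called with STDOUT_FILENO right before the dump and save_finish() after it with `ok` reflecting whether the dump succeeded; error messages keep going to stderr throughout, matching the patch's "Error output is unchanged". Because the temp file is created in the destination's directory, rename(2) stays on one filesystem and is atomic, so a reader never sees a half-written ruleset.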

[nft PATCH v2] evaluate: avoid reference to multiple src data in statements which set values

2017-05-26 Thread Arturo Borrero Gonzalez
Prevent this assert:

% nft [..] tcp dport set { 0 , 1 }
BUG: unknown expression type set reference
nft: netlink_linearize.c:696: netlink_gen_expr: Assertion `0' failed.
Aborted

We can't use a set here because we will not know which value to use.

With this patch, a proper error message is reported to users:

% nft add rule t c tcp dport set {1, 2, 3, 4, 5}
:1:28-42: Error: you cannot use a set here, unknown value to use
add rule t c tcp dport set {1, 2, 3, 4, 5}
 ~~^^^

% nft add rule t c tcp dport set @s
:1:28-29: Error: you cannot reference a set here, unknown value to use
add rule t c tcp dport set @s
 ~~^^

This error is reported to all statements which set values.

Signed-off-by: Arturo Borrero Gonzalez 
---
v2: check all statements which set values as well

 src/evaluate.c |   15 +++
 1 file changed, 15 insertions(+)

diff --git a/src/evaluate.c b/src/evaluate.c
index 27cee98..095d3fa 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1759,6 +1759,21 @@ static int stmt_evaluate_arg(struct eval_ctx *ctx, 
struct stmt *stmt,
 "datatype mismatch: expected %s, "
 "expression has type %s",
 dtype->desc, (*expr)->dtype->desc);
+
+   /* we are setting a value, we can't use a set */
+   switch ((*expr)->ops->type) {
+   case EXPR_SET:
+   return stmt_binary_error(ctx, (*expr), stmt,
+"you cannot use a set here, unknown "
+"value to use");
+   case EXPR_SET_REF:
+   return stmt_binary_error(ctx, (*expr), stmt,
+"you cannot reference a set here, "
+"unknown value to use");
+   default:
+   break;
+   }
+
return 0;
 }
 
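Review bot: the new switch runs after the datatype check, so a set whose element type does not match dtype is still reported as a "datatype mismatch" rather than with the clearer "you cannot use a set here" message; moving the switch ahead of the mismatch check would make the set error win in both cases. The wording "unknown value to use" reads oddly; something like "a set has no single value to assign" says why it is rejected. A tests/py case exercising both `set { ... }` and `set @s` on a `tcp dport set` statement would pin the behaviour, since the commit message already shows both expected errors.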



Re: [PATCH nf-next 7/9] netfilter: nf_tables: allow large allocations for new sets

2017-05-26 Thread Liping Zhang
2017-05-26 18:18 GMT+08:00 Pablo Neira Ayuso :
> On Fri, May 26, 2017 at 06:02:34PM +0800, Liping Zhang wrote:
>> Hi Pablo,
>>
>> 2017-05-24 17:50 GMT+08:00 Pablo Neira Ayuso :
>> [...]
>> > -   err = -ENOMEM;
>> > -   set = kzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
>> > +   alloc_size = sizeof(*set) + size + udlen;
>> > +   if (alloc_size <= (PAGE_SIZE << PAGE_ALLOC_COSTLY_ORDER))
>> > +   set = kzalloc(alloc_size, GFP_KERNEL | __GFP_NOWARN |
>> > + __GFP_NORETRY);
>> > if (set == NULL)
>> > +   set = vzalloc(alloc_size);
>>
>> I think maybe we can use "set = kvzalloc(alloc_size, GFP_KERNEL);" to simplify
>> the above code.
>
> Like this?

Yes. :)


Re: [PATCH nf-next 7/9] netfilter: nf_tables: allow large allocations for new sets

2017-05-26 Thread Pablo Neira Ayuso
On Fri, May 26, 2017 at 06:02:34PM +0800, Liping Zhang wrote:
> Hi Pablo,
> 
> 2017-05-24 17:50 GMT+08:00 Pablo Neira Ayuso :
> [...]
> > -   err = -ENOMEM;
> > -   set = kzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
> > +   alloc_size = sizeof(*set) + size + udlen;
> > +   if (alloc_size <= (PAGE_SIZE << PAGE_ALLOC_COSTLY_ORDER))
> > +   set = kzalloc(alloc_size, GFP_KERNEL | __GFP_NOWARN |
> > + __GFP_NORETRY);
> > if (set == NULL)
> > +   set = vzalloc(alloc_size);
> 
> I think maybe we can use "set = kvzalloc(alloc_size, GFP_KERNEL);" to simplify
> the above code.

Like this?
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 0e54090caa8a..bd4fc8b2cd77 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2910,7 +2910,6 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk,
 {
 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
 	u8 genmask = nft_genmask_next(net);
-	unsigned int size, alloc_size;
 	const struct nft_set_ops *ops;
 	struct nft_af_info *afi;
 	struct nft_table *table;
@@ -2922,6 +2921,7 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk,
 	u32 ktype, dtype, flags, policy, gc_int, objtype;
 	struct nft_set_desc desc;
 	unsigned char *udata;
+	unsigned int size;
 	u16 udlen;
 	int err;
 
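Review bot: removing alloc_size from the existing `unsigned int size, alloc_size;` line and re-adding `unsigned int size;` further down costs two hunks where editing the original declaration in place would cost one; unless this deliberately restores the pre-series placement of `size`, keep the declaration where it was and just drop alloc_size.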
@@ -3057,13 +3057,8 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk,
 	if (ops->privsize != NULL)
 		size = ops->privsize(nla, );
 
-	alloc_size = sizeof(*set) + size + udlen;
-	if (alloc_size <= (PAGE_SIZE << PAGE_ALLOC_COSTLY_ORDER))
-		set = kzalloc(alloc_size, GFP_KERNEL | __GFP_NOWARN |
-	  __GFP_NORETRY);
-	if (set == NULL)
-		set = vzalloc(alloc_size);
-	if (set == NULL) {
+	set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
+	if (!set) {
 		err = -ENOMEM;
 		goto err1;
 	}
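Review bot: kvzalloc() falls back to vzalloc() for the large case, so every release path for `set` must use kvfree() rather than kfree(); those paths (the `err1` unwind and set destruction) are not in this hunk, so double-check them before applying. The __GFP_NOWARN|__GFP_NORETRY flags dropped here are not lost: kvmalloc_node() adds them itself to the kmalloc attempt for sizes above a page. Minor style point: the surrounding code tests pointers with `== NULL` / `!= NULL` (see `ops->privsize != NULL` just above), so `if (set == NULL)` would match it better than `if (!set)`.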


Re: [PATCH nf-next 7/9] netfilter: nf_tables: allow large allocations for new sets

2017-05-26 Thread Liping Zhang
Hi Pablo,

2017-05-24 17:50 GMT+08:00 Pablo Neira Ayuso :
[...]
> -   err = -ENOMEM;
> -   set = kzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
> +   alloc_size = sizeof(*set) + size + udlen;
> +   if (alloc_size <= (PAGE_SIZE << PAGE_ALLOC_COSTLY_ORDER))
> +   set = kzalloc(alloc_size, GFP_KERNEL | __GFP_NOWARN |
> + __GFP_NORETRY);
> if (set == NULL)
> +   set = vzalloc(alloc_size);

I think maybe we can use "set = kvzalloc(alloc_size, GFP_KERNEL);" to simplify
the above code.