Re: [NetDev] [NetDev-tech] ANNOUNCE: New sponsor Netronome

2017-03-19 Thread Alexander Alemayhu
On Sat, Mar 18, 2017 at 09:56:36PM -0400, Jamal Hadi Salim wrote:
> 
> Note: this discussion already has generated more traffic
> than a few days worth of announcements ;->
>

IIRC Hajime always added links to the site in his announcements, which
made it easy to look up netdev.  Maybe adding some lines about netdev to
all emails would reduce confusion? Suspect not everyone subscribed to
these lists knows what netdev is.

Don't consider these emails spam at all :)

Thanks.

-- 
Kind regards

Alexander Alemayhu
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH iptables] iptables-translate: print nft iff there are more expanded rules to print

2017-03-09 Thread Alexander Alemayhu
On Thu, Mar 09, 2017 at 12:00:44PM +0100, Pablo Neira Ayuso wrote:
> $ iptables-translate -I INPUT -s yahoo.com
> nft insert rule ip filter INPUT ip saddr 98.139.183.24 counter
> nft insert rule ip filter INPUT ip saddr 206.190.36.45 counter
> nft insert rule ip filter INPUT ip saddr 98.138.253.109 counter
> nft
> 
> This extra 'nft' print is incorrect, just print it if there are more
> rules to be printed.
> 
> Reported-by: Alexander Alemayhu <alexan...@alemayhu.com>
> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>

Tested-by: Alexander Alemayhu <alexan...@alemayhu.com>

-- 
Kind regards

Alexander Alemayhu


Re: [PATCH] libxtables: duplicated loopback address via host_to_ipaddr()

2017-03-08 Thread Alexander Alemayhu
On Wed, Mar 08, 2017 at 03:33:04PM +0100, Pablo Neira Ayuso wrote:
> Originally reported as an iptables-translate problem, but this also
> affects iptables and ip6tables.
> 
>  $ iptables-translate -A INPUT -s localhost -j ACCEPT
> 
> gives duplicated rules:
> 
>  nft add rule ip filter INPUT ip saddr 127.0.0.1 counter accept
>  nft add rule ip filter INPUT ip saddr 127.0.0.1 counter accept
> 
> This handling sucks, but libc seem to need if we have 127.0.0.1 and ::1
> entries in /etc/hosts that are common in many distros.
> 
> For more info, see:
> 
> https://sourceware.org/bugzilla/show_bug.cgi?id=4980
> https://bugzilla.redhat.com/show_bug.cgi?id=496300
> 
> Reported-by: Alexander Alemayhu <alexan...@alemayhu.com>
> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>

Was going to test it, but it does not apply.

Applying: libxtables: duplicated loopback address via host_to_ipaddr()
error: patch failed: libxtables/xtables.c:1375
error: libxtables/xtables.c: patch does not apply
Patch failed at 0001 libxtables: duplicated loopback address via host_to_ipaddr()
The copy of the patch that failed is found in: .git/rebase-apply/patch
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

-- 
Kind regards

Alexander Alemayhu


Re: [PATCH iptables 1/2] iptables-translate: print nft command for each expand rules via dns names

2017-03-08 Thread Alexander Alemayhu
On Wed, Mar 08, 2017 at 02:16:09PM +0100, Pablo Neira Ayuso wrote:
> After this patch:
> 
>  # iptables-translate -I INPUT -s yahoo.com
>  nft insert rule ip filter INPUT ip saddr 206.190.36.45 counter
>  nft insert rule ip filter INPUT ip saddr 98.138.253.109 counter
>  nft insert rule ip filter INPUT ip saddr 98.139.183.24 counter
>
The first run returns similar to above, but subsequent runs return one
extra nft printed at the end.

# iptables-translate -I INPUT -s yahoo.com
nft insert rule ip filter INPUT ip saddr 98.139.183.24 counter 
nft insert rule ip filter INPUT ip saddr 206.190.36.45 counter 
nft insert rule ip filter INPUT ip saddr 98.138.253.109 counter 
nft 
# git ll
48ad179bfdfd (libxtables: abolish AI_CANONNAME, 2017-03-08)
# git ll c6df55d6ebbe6102ac5136ae38813bea42d8c782
c6df55d6ebbe (iptables-translate: print nft command for each expand rules via dns names, 2017-03-08)

Thanks.
-- 
Kind regards

Alexander Alemayhu


Re: [PATCH iptables] libxtables: fix wrong naddr when using localhost

2017-03-08 Thread Alexander Alemayhu
On Wed, Mar 08, 2017 at 10:55:32AM +0100, Pablo Neira Ayuso wrote:
> 
> This is actually a generic problem:
> 
> # iptables -I INPUT -p tcp -s localhost
> 
> results in:
> 
> # iptables-save 
> # Generated by iptables-save v1.6.1 on Wed Mar  8 10:53:07 2017
> *filter
> :INPUT ACCEPT [13:1628]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [4:317]
> -A INPUT -s 127.0.0.1/32 -p tcp
> -A INPUT -s 127.0.0.1/32 -p tcp
> COMMIT
> # Completed on Wed Mar  8 10:53:07 2017
>

What's the right way to fix this? I want to use iptables-translate in a web
application[0] so I can copy and use the translations.  Adding the extra line
forces me to manually edit the output.

> Original problem was introduced at:
> 
> commit 2d2b5e046aa56a518160716a9ddf9df53fc79c1f
> Author: Arpan Kapoor <rpn...@gmail.com>
> Date:   Thu Mar 17 18:27:19 2016 +0530
> 
> libxtables: Replace gethostbyname() with getaddrinfo()
> 
> Did you also run iptables tests? See iptables-test.py, although I
> guess our test infrastructure is not catching up this case.
>
Before and after patch I get:
102 test files, 706 unit tests, 687 passed

Thanks.

[0]: https://2nft.alemayhu.com/
-- 
Kind regards

Alexander Alemayhu


Re: [PATCH nft] mnl: continue monitor if errno is ESRCH

2017-03-01 Thread Alexander Alemayhu
On Wed, Mar 01, 2017 at 04:18:00PM +0100, Pablo Neira Ayuso wrote:
> Hm, I'm hitting this here:
> 
> I: results: [OK] 107 [FAILED] 0 [TOTAL] 107
> 
> Running nft git HEAD and nf.git kernel.
>
See no failures with HEAD. Suspect I misconfigured earlier, sorry for the noise.

-- 
Kind regards

Alexander Alemayhu


Re: [PATCH nft] mnl: continue monitor if errno is ESRCH

2017-03-01 Thread Alexander Alemayhu
On Wed, Mar 01, 2017 at 12:41:40PM +0100, Pablo Neira Ayuso wrote:
> 
> Actually, this patch would be better. All return values of these
> notify functions are ignored, so we can turn it into void.

Monitor seems to work as expected and does not exit with this patch.
Should all of the tests pass with this? Currently seeing

I: results: [OK] 58 [FAILED] 49 [TOTAL] 107 

Thanks.

-- 
Kind regards

Alexander Alemayhu


[PATCH libnftnl] exthdr: remove unused variable uval8

2017-02-23 Thread Alexander Alemayhu
Was added but not used in d7b451fe1a45 (src: add TCP option matching
requirements, 2017-02-07). Fixes the following warning:

expr/exthdr.c: In function ‘nftnl_expr_exthdr_json_parse’:
expr/exthdr.c:244:10: warning: unused variable ‘uval8’ [-Wunused-variable]
  uint8_t uval8;
  ^

Signed-off-by: Alexander Alemayhu <alexan...@alemayhu.com>
---
 src/expr/exthdr.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/expr/exthdr.c b/src/expr/exthdr.c
index c44c1a75a5ea..9ed4ae1725ac 100644
--- a/src/expr/exthdr.c
+++ b/src/expr/exthdr.c
@@ -241,7 +241,6 @@ nftnl_expr_exthdr_json_parse(struct nftnl_expr *e, json_t 
*root,
 #ifdef JSON_PARSING
const char *exthdr_type;
uint32_t uval32;
-   uint8_t uval8;
int type;
 
if (nftnl_jansson_parse_reg(root, "dreg", NFTNL_TYPE_U32, ,
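
Review bot: the removed `uint8_t uval8;` sits under `#ifdef JSON_PARSING`, so the warning and this fix only affect builds with JSON parsing enabled; the commit message should say so, and the rest of nftnl_expr_exthdr_json_parse() should be checked for any remaining use of uval8, since the three context lines here cannot show that. A `Fixes: d7b451fe1a45` tag would also tie the cleanup to the commit the message already names as the one that introduced the variable.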
-- 
2.9.3



[PATCH] netfilter: nf_tables: fix spelling mistakes

2017-01-04 Thread Alexander Alemayhu
o s/numerice/numeric
o s/opertaor/operator

Signed-off-by: Alexander Alemayhu <alexan...@alemayhu.com>
---
 include/uapi/linux/netfilter/nf_tables.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/uapi/linux/netfilter/nf_tables.h 
b/include/uapi/linux/netfilter/nf_tables.h
index b00a05d1ee56..7b730cab99bd 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -235,7 +235,7 @@ enum nft_rule_compat_flags {
 /**
  * enum nft_rule_compat_attributes - nf_tables rule compat attributes
  *
- * @NFTA_RULE_COMPAT_PROTO: numerice value of handled protocol (NLA_U32)
+ * @NFTA_RULE_COMPAT_PROTO: numeric value of handled protocol (NLA_U32)
  * @NFTA_RULE_COMPAT_FLAGS: bitmask of enum nft_rule_compat_flags (NLA_U32)
  */
 enum nft_rule_compat_attributes {
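
Review bot: the change at the @NFTA_RULE_COMPAT_PROTO line touches only a kernel-doc comment in a uapi header, so the commit message could state that there is no functional or ABI change, which makes the patch quicker to triage. The `s/numerice/numeric` lines in the message also lack the closing slash of a sed expression; `s/numerice/numeric/` reads more cleanly.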
@@ -499,7 +499,7 @@ enum nft_bitwise_attributes {
  * enum nft_byteorder_ops - nf_tables byteorder operators
  *
  * @NFT_BYTEORDER_NTOH: network to host operator
- * @NFT_BYTEORDER_HTON: host to network opertaor
+ * @NFT_BYTEORDER_HTON: host to network operator
  */
 enum nft_byteorder_ops {
NFT_BYTEORDER_NTOH,
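
Review bot: the @NFT_BYTEORDER_HTON fix is fine and now matches the wording of the @NFT_BYTEORDER_NTOH line above it, but since this patch already collects kernel-doc typos for this header, a spell-check pass over the rest of nf_tables.h before sending would let one patch cover them instead of a series of one-word follow-ups.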
-- 
2.11.0
