Re: [nft PATCH RFC] monitor: Support printing processes which caused the event

2017-05-10 Thread Arturo Borrero Gonzalez
On 10 May 2017 at 12:55, Phil Sutter wrote: > This adds support for printing the process ID and name for changes which > 'nft monitor' reports: > > | nft -a -p monitor > | add chain ip t2 bla3 # pid 11616 (nft) > > If '-n' was given in addition to '-p', parsing the process name from

[conntrack-tools PATCH 2/2] conntrackd: request resync at startup

2017-05-09 Thread Arturo Borrero Gonzalez
If a node goes live, ask the other for a resync at startup. This usually has to be done by hand, but I guess it is an operation common enough to add some bits to ease people's lives here. Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- conntrackd.conf.5

[conntrack-tools PATCH 1/2] conntrackd: consolidate more code to use resync_send()

2017-05-09 Thread Arturo Borrero Gonzalez
These digest_msg() functions can use resync_send() as well. While at it, bring back a call to kernel_resync() in notrack_local() which was lost in a previous commit. Fixes: 131df891f77dc75515d5eabdedd9818105d29f5a ("conntrackd: factorize resync operations") Signed-off-by: Artu

Re: [nft PATCH] nft.8: Enhance NAT documentation

2017-05-04 Thread Arturo Borrero Gonzalez
; Signed-off-by: Phil Sutter <p...@nwl.cc> > --- > doc/nft.xml | 58 +- > 1 file changed, 57 insertions(+), 1 deletion(-) > Thanks Phil, more docs are always good. Acked-by: Arturo Borrero Gonzalez <art...@debian.org> --

[nft PATCH v3] expression: print sets and maps in pretty format

2017-05-02 Thread Arturo Borrero Gonzalez
. "lo" : accept } } set s3 { type ipv4_addr elements = { 1.1.1.1, 2.2.2.2, 3.3.3.3 } } } Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- v2: align column using spaces rather than

migrating from iptables to nftables

2017-05-02 Thread Arturo Borrero Gonzalez
Hi all, Debian is about to release Stretch stable. Given this is our first release officially including nftables and the translate/compat tools and we will recommend users to move from iptables to nftables I would like to direct users to robust docs. I wrote this [0] in Dec 2016 and I would like

Re: [conntrack-tools PATCH 2/4] conntrackd: warn users about queue allocation errors

2017-05-02 Thread Arturo Borrero Gonzalez
On 25 April 2017 at 15:16, Pablo Neira Ayuso wrote: > > Yes, but this is going to fill the logs if it ever happens. > > Better add stats: > > /* statistics */ > struct { > uint64_tmsg_rcv_malformed; > uint32_t

Re: [conntrack-tools PATCH 4/4] conntrackd: introduce RequestResync option

2017-05-02 Thread Arturo Borrero Gonzalez
On 1 May 2017 at 11:13, Pablo Neira Ayuso wrote: >> >> the ALARM mode requires to commit the external cache instead of the >> conns being directly injected into the kernel. > > You may want to disable the external cache with the alarm mode. The > alarm mode only needs the

Re: [nft PATCH 2/2] masquerade: Complain if no prerouting chain exists

2017-04-28 Thread Arturo Borrero Gonzalez
On 28 April 2017 at 10:28, Phil Sutter <p...@nwl.cc> wrote: > On Fri, Apr 28, 2017 at 10:11:51AM +0200, Arturo Borrero Gonzalez wrote: >> On 28 April 2017 at 10:05, Phil Sutter <p...@nwl.cc> wrote: >> >> >> >> This warning will be printed even in rulese

Re: [nft PATCH 2/2] masquerade: Complain if no prerouting chain exists

2017-04-28 Thread Arturo Borrero Gonzalez
On 28 April 2017 at 10:05, Phil Sutter wrote: >> >> This warning will be printed even in rulesets loaded with '-f' >> which first creates the masq rule an then the other chain. > > Hmm. I tested it with the following config and it works fine: > > | table ip nat { > | chain post

Re: [nft PATCH 2/2] masquerade: Complain if no prerouting chain exists

2017-04-28 Thread Arturo Borrero Gonzalez
On 27 April 2017 at 15:24, Phil Sutter wrote: > As reported in netfilter bz#1105, masquerading won't work if there isn't > at least an empty base chain hooked into prerouting. In order to raise > awareness of this problem at the user, complain if a masquerading > statement is added

Re: [conntrack-tools PATCH 4/4] conntrackd: introduce RequestResync option

2017-04-26 Thread Arturo Borrero Gonzalez
On 25 April 2017 at 15:18, Pablo Neira Ayuso wrote: >> >> Yes. The timer based approach is... timer based (async). >> >> It doesn't fit in an environment where you need to sync events as soon >> as they happen. > > IIRC the timer based works like this: > > 1) If event occurs,

[nft PATCH v2] expression: print sets and maps in pretty format

2017-04-26 Thread Arturo Borrero Gonzalez
. "lo" : accept } } set s3 { type ipv4_addr elements = { 1.1.1.1, 2.2.2.2, 3.3.3.3 } } } NOTE: some testcases require updates because the output change. Signed-off-by: Arturo Borrero Gonzalez <art...

Re: [conntrack-tools PATCH 4/4] conntrackd: introduce RequestResync option

2017-04-25 Thread Arturo Borrero Gonzalez
On 25 April 2017 at 13:37, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > On Thu, Apr 20, 2017 at 07:28:16PM +0200, Arturo Borrero Gonzalez wrote: >> In some environments where both nodes of a cluster share all the conntracks, >> after an initial or manual resync, the

Re: [conntrack-tools PATCH 2/4] conntrackd: warn users about queue allocation errors

2017-04-25 Thread Arturo Borrero Gonzalez
On 25 April 2017 at 13:34, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > On Thu, Apr 20, 2017 at 07:28:06PM +0200, Arturo Borrero Gonzalez wrote: >> These warnings, if they happen, should help users. >> >> Signed-off-by: Arturo Borrero Gonzalez <art...@debian

[nft RFC PATCH] expression: print sets and maps in pretty format

2017-04-25 Thread Arturo Borrero Gonzalez
} } chain c { ip saddr . tcp dport {1.1.1.1 . 22, 2.2.2.2 . 80 } tcp dport {3, 4 } iif vmap {0 : accept } } } NOTE: some testcases require updates because the output change. Signed-off-by: Arturo Borrero Gonzalez &l

Re: [nft RFC PATCH] rule: introduce new option to print set elements per line

2017-04-25 Thread Arturo Borrero Gonzalez
On 25 April 2017 at 11:22, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > Hi Arturo, > > On Fri, Apr 21, 2017 at 12:30:24PM +0200, Arturo Borrero Gonzalez wrote: >> Add a new option to nft to print set elements per line instead >> of all in a single line. >

[nft RFC PATCH] rule: introduce new option to print set elements per line

2017-04-21 Thread Arturo Borrero Gonzalez
} ip saddr . tcp dport { 1.1.1.1 . 22 } } } Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- include/expression.h |1 + include/nftables.h |1 + src/expression.c |2 +- src/main.c | 12 +++- src/rule.c |2 ++ 5

[conntrack-tools PATCH 4/4] conntrackd: introduce RequestResync option

2017-04-20 Thread Arturo Borrero Gonzalez
Checksum on } Options { TCPWindowTracking Off ExpectationSync On } } [...] Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- conntrackd.conf.5 |9 + include/conntrackd.h |1 + include/re

[conntrack-tools PATCH 1/4] conntrackd: factorice tx_queue functions

2017-04-20 Thread Arturo Borrero Gonzalez
They are shared by both sync-ftfw and sync-notrack. Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- include/Makefile.am |2 +- include/queue_tx.h |7 ++ src/Makefile.am |2 +- src/queue_tx.c | 60 ++

[conntrack-tools PATCH 3/4] conntrackd: factorize resync operations

2017-04-20 Thread Arturo Borrero Gonzalez
Resync operations factorization. There are two: * resync_send --> conntrackd -B (send bulk resync) * resync_req --> conntrackd -n (request resync) Future patches reuse this factorized code. Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- include/Makefi

[conntrack-tools PATCH 2/4] conntrackd: warn users about queue allocation errors

2017-04-20 Thread Arturo Borrero Gonzalez
These warnings, if they happen, should help users. Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- src/channel.c |6 +- src/queue_tx.c | 11 +-- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/src/channel.c b/src/channel.c index acbfa7d..b

[conntrack-tools PATCH] conntrackd: request resync at startup

2017-04-20 Thread Arturo Borrero Gonzalez
If a node goes live, ask the other for a resync at startup. This usually has to be done by hand, but I guess it is an operation common enough to add some bits to ease people's lives here. Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- NOTE: this patch belongs to the previous

Re: [PATCH iptables] extensions: libxt_hashlimit: fix 64-bit printf formats

2017-04-07 Thread Arturo Borrero Gonzalez
On 7 April 2017 at 13:47, James Cowgill wrote: > hashlimit was using "%lu" in a lot of printf format specifiers to print > 64-bit integers. This is incorrect on 32-bit architectures because > "long int" is 32-bits there. On MIPS, it was causing iptables to > segfault

Re: [nft PATCH 2/3] tests: shell: netns/0003many_0: Fix cleanup after error

2017-03-22 Thread Arturo Borrero Gonzalez
On 22 March 2017 at 01:26, Phil Sutter <p...@nwl.cc> wrote: > If rule set applying failed, this would leave a stray netns in place. > Thanks Phil. Acked-by: Arturo Borrero Gonzalez <art...@debian.org> -- To unsubscribe from this list: send the line "unsubscribe netfi

Re: [PATCH nf] netfilter: nf_tables: fix missmatch in big-endian system

2017-03-09 Thread Arturo Borrero Gonzalez
On 9 March 2017 at 13:46, Liping Zhang wrote: >> >> Any chance the compiler detects the double assignment and removes the first >> one? > > This will never happen, since these two assignment statements are not > identical. But perhaps the compiler can look beyond the high

Re: [PATCH nf] netfilter: nf_tables: fix missmatch in big-endian system

2017-03-09 Thread Arturo Borrero Gonzalez
On 8 March 2017 at 15:54, Liping Zhang wrote: > > +/* Store/load an u16 or u8 integer to/from the u32 data register. > + * > + * Note, when using concatenations, register allocation happens at 32-bit > + * level. So for store instruction, pad the rest part with zero to avoid >
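The quoted comment says that, with concatenations, registers are allocated at 32-bit granularity, so a store of a u16 or u8 has to zero the rest of the register. Here is an added user-space model of that rule, written for this page and not taken from the patch under discussion: a 32-bit register, a store that clears the register before writing the narrow value, a store that forgets to, and a whole-register comparison of the kind a concatenated key is matched with (that full-register comparison, and all helper names, are assumptions of this example, not the kernel's code).

```c
/* Added example (not the kernel's nft code): a 32-bit data register
 * holding a u16, with the store zero-padding the whole register first.
 * Register layout, helper names and the whole-register comparison are
 * assumptions of this illustration. */
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

typedef uint32_t reg_t;

/* Store a u16 into a register: clear all 32 bits, then write the value
 * through a 2-byte view.  Clearing first is what makes the padding bytes
 * deterministic whatever the host byte order. */
void reg_store16(reg_t *reg, uint16_t val)
{
    *reg = 0;
    memcpy(reg, &val, sizeof(val));
}

/* Load a u16 back out of the same 2-byte view. */
uint16_t reg_load16(const reg_t *reg)
{
    uint16_t val;
    memcpy(&val, reg, sizeof(val));
    return val;
}

/* A store that forgets to clear the register: stale bytes survive. */
void reg_store16_no_pad(reg_t *reg, uint16_t val)
{
    memcpy(reg, &val, sizeof(val));
}

/* Compare two registers as full 32-bit words (assumption: this is how a
 * concatenated key is matched, which is why the padding must be fixed). */
bool reg_equal32(reg_t a, reg_t b)
{
    return a == b;
}

/* Helpers returning the register contents after each kind of store,
 * starting from a chosen initial (possibly stale) value. */
reg_t reg_after_store16(reg_t initial, uint16_t val)
{
    reg_t r = initial;
    reg_store16(&r, val);
    return r;
}

reg_t reg_after_store16_no_pad(reg_t initial, uint16_t val)
{
    reg_t r = initial;
    reg_store16_no_pad(&r, val);
    return r;
}

uint16_t store16_then_load16(reg_t initial, uint16_t val)
{
    reg_t r = initial;
    reg_store16(&r, val);
    return reg_load16(&r);
}

/* Demonstration: the same u16 written into a register that previously
 * held garbage (constructed value 0xdeadbeef) compares equal to a fresh
 * copy only when the store zero-pads.  The narrow load still returns the
 * right value in both cases, which is what makes the bug easy to miss. */
bool demo_stale_bytes_matter(void)
{
    reg_t fresh = 0, stale_padded = 0xdeadbeefu, stale_unpadded = 0xdeadbeefu;
    uint16_t port = 443;

    reg_store16(&fresh, port);
    reg_store16(&stale_padded, port);
    reg_store16_no_pad(&stale_unpadded, port);

    return reg_equal32(fresh, stale_padded) &&
           !reg_equal32(fresh, stale_unpadded) &&
           reg_load16(&stale_unpadded) == port;
}
```

The point to take from it: a u16 load from the unpadded register still returns 443, so a test that only loads the narrow value back passes; only a comparison over the whole 32-bit register exposes the stale bytes, and that comparison fails on little-endian and big-endian hosts alike.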

Re: [PATCH ulogd2] adjust ulogd.logrotate to match ulogd.conf

2017-02-12 Thread Arturo Borrero Gonzalez
On 12 February 2017 at 15:09, Pablo Neira Ayuso wrote: > I'll let Eric decide to this small update. > Perhaps it would be a good idea to drop this file from our tree and let distros adjust this.

Re: [PATCH] src: consolidate XML/JSON exportation for rule

2017-02-09 Thread Arturo Borrero Gonzalez
/buffer.c | 11 +++ > src/rule.c | 96 > > 3 files changed, 43 insertions(+), 69 deletions(-) > Acked-by: Arturo Borrero Gonzalez <art...@debian.org>

[nft PATCH v2] payload: explicit network ctx assignation for icmp/icmp6 in special families

2017-01-25 Thread Arturo Borrero Gonzalez
factorization is introduced. Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1073 Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- v2: cover netdev/bridge families as well, factorize code, add tests. src/payload.c | 70 +++ te

Re: [nft PATCH] payload: use explicit network ctx assignation for icmp/icmp6 in inet family

2017-01-22 Thread Arturo Borrero Gonzalez
On 20 January 2017 at 13:02, Arturo Borrero Gonzalez <arturo.borrero.g...@gmail.com> wrote: > From: Arturo Borrero Gonzalez <art...@debian.org> > duplicated, sorry.

[nft PATCH] payload: use explicit network ctx assignation for icmp/icmp6 in inet family

2017-01-20 Thread Arturo Borrero Gonzalez
From: Arturo Borrero Gonzalez <art...@debian.org> In the inet family, we can add rules like these: % nft add rule inet t c ip protocol icmp icmp type echo-request % nft add rule inet t c ip6 nexthdr icmpv6 icmpv6 type echo-request However, when we print the ruleset: % nft list ruleset

[nft PATCH] payload: use explicit network ctx assignation for icmp/icmp6 in inet family

2017-01-20 Thread Arturo Borrero Gonzalez
is inet, the network layer protocol context can be safely updated to 'ip' or 'ip6'. Moreover, nft currently generates a 'meta nfproto ipvX' dependency when using icmp or icmp6 in the inet family. Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1073 Signed-off-by: Arturo Borrero Gonzalez <

Re: build failure if --with-xtables [WAS: nftables 0.7 release]

2017-01-03 Thread Arturo Borrero Gonzalez
On 3 January 2017 at 22:56, Robby Workman wrote: > On Tue, 20 Dec 2016 21:46:36 +0100 > Pablo Neira Ayuso wrote: > >> Hi! >> >> The Netfilter project proudly presents: >> >> nftables 0.7 >> >> This release contains many accumulated bug fixes and

Re: Feature request: Load u32 value into packet mark

2016-12-20 Thread Arturo Borrero Gonzalez
On 20 December 2016 at 12:24, Llorente Santos Jesus wrote: > Hi, > > I have been playing quite a bit with iptables lately. Ever since the ipset > was updated to support hash:ip,mark sets, there has been the potential to > apply efficient matching on packet marks.

[conntrack-tools PATCH] config: drop old/obsolete/deprecated conntrackd.conf config options

2016-12-02 Thread Arturo Borrero Gonzalez
There has been a long adaptation time already, with several conntrack-tools releases in the meantime. Users migrating from an old conntrackd to a current one are required to update their config file. Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org> Signed-off-by: Arturo Borrero Go

[conntrack-tools PATCH] systemd: fix missing log.h include

2016-12-02 Thread Arturo Borrero Gonzalez
Produces this: warning: implicit declaration of function 'dlog' Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- src/systemd.c |1 + 1 file changed, 1 insertion(+) diff --git a/src/systemd.c b/src/systemd.c index c6253cc..64bfc66 100644 --- a/src/systemd.c +++ b/src/sys

[conntrack-tools PATCH] src: add log message when resync is requested by other node

2016-12-01 Thread Arturo Borrero Gonzalez
If a resync is requested with 'conntrackd -n', a log message is printed in the caller node, but no message is printed in the other. Print a message so tracking the behaviour of a cluster is a bit easier. Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- src/sync-ftfw.c

Re: [RFC nft PATCH] tests: shell: add a basic scapy test

2016-12-01 Thread Arturo Borrero Gonzalez
On 30 November 2016 at 19:28, Pablo Neira Ayuso wrote: >> * You can probably augment this at some point to rely on the new >> nf_tables tracing infrastructure. >> That would be rather complex. > > Only one more question left: Do you think you can slightly generalize >

[RFC nft PATCH] tests: shell: add a basic scapy test

2016-11-30 Thread Arturo Borrero Gonzalez
From: Arturo Borrero Gonzalez <art...@debian.org> This test uses scapy to send a packet and test our packet/data path. We grep the 'nft list ruleset' output for a counter increment. If we like this approach, then we could easily add more testcases following the pattern in this patch. Ref

[nft PATCH 1/2] tests: shell: add a testcase for many defines

2016-11-28 Thread Arturo Borrero Gonzalez
From: Arturo Borrero Gonzalez <art...@debian.org> Use many defines in a single nft -f run. Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- tests/shell/testcases/nft-f/0011manydefines_0 | 37 + 1 file changed, 37 insertions(+) create mode

[nft PATCH 2/2] tests: shell: add testcase for different defines usage

2016-11-28 Thread Arturo Borrero Gonzalez
From: Arturo Borrero Gonzalez <art...@debian.org> This testcase adds some defines in a nft -f run and then uses them in different spots (which are not covered in previous testcases). * defines used to define another one * different datatypes (numbers, strings, bits, ranges) * usage i

Re: netfilter/nftables oops in 4.8

2016-11-18 Thread Arturo Borrero Gonzalez
On 18 November 2016 at 09:05, Arturo Borrero Gonzalez <art...@debian.org> wrote: > Hi, > > this happened today in my machine at boot time. I can't reproduce it again. Find it attached for better format linux 4.8.5-1 (debian) [vie nov 18 08:42:18 2016] INFO: task modprobe:641 b

netfilter/nftables oops in 4.8

2016-11-18 Thread Arturo Borrero Gonzalez
Hi, this happened today in my machine at boot time. I can't reproduce it again. linux 4.8.5-1 (debian) [vie nov 18 08:42:18 2016] INFO: task modprobe:641 blocked for more than 120 seconds. [vie nov 18 08:42:18 2016] Not tainted 4.8.0-1-amd64 #1 [vie nov 18 08:42:18 2016] "echo 0 >

[nft] about commit 3e5b0e406cf2b635200f9ee05ba8a158528fe622

2016-11-17 Thread Arturo Borrero Gonzalez
Hi, commit id 3e5b0e406cf2b635200f9ee05ba8a158528fe622 : tests: py: nft-tests.py: Add function for loading and removing kernel modules introduces dummy kernel module loading to tests/py/nft-test.py. The justification is that some tests are using the dummy module, but I don't see them: % git

[nft PATCH 3/3] tests: shell: another testcase for deleting many set elements

2016-11-16 Thread Arturo Borrero Gonzalez
From: Arturo Borrero Gonzalez <art...@debian.org> This testcase adds and deletes many elements in a set. We add and delete 65.536 elements in two different nft -f runs. Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- .../testcases/sets/0013add_delete_many_elemen

[nft PATCH 1/3] tests: shell: testcase for adding many set elements

2016-11-16 Thread Arturo Borrero Gonzalez
From: Arturo Borrero Gonzalez <art...@debian.org> This testcase adds many elements in a set. We add 65.356 elements. Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- tests/shell/testcases/sets/0011add_many_elements_0 | 32 1 file changed, 3

[nft PATCH 2/3] tests: shell: testcase for deleting many set elements

2016-11-16 Thread Arturo Borrero Gonzalez
From: Arturo Borrero Gonzalez <art...@debian.org> This testcase adds and deletes many elements in a set. We add and delete 65.536 elements in a same batch of netlink messages, (single nft -f run). Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- .../te

[nft PATCH] tests: shell: add testcases for comments in set elements

2016-11-09 Thread Arturo Borrero Gonzalez
From: Arturo Borrero Gonzalez <art...@debian.org> This patch adds several testcases for comments in set elements. This includes the netfilter bug #1090 about comments in set interval elements. Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- tests/shell/te

Re: [PATCH nft] segtree: keep element comments in set intervals

2016-11-09 Thread Arturo Borrero Gonzalez
d-off-by: Pablo Neira Ayuso <pa...@netfilter.org> > --- > src/segtree.c | 10 +++--- > 1 file changed, 7 insertions(+), 3 deletions(-) > Hi, just tested this patch before/after, and it really works. Tested-by: Arturo Borrero Gonzalez <art...@debian.org> I think we can ad

Re: [PATCH nf] netfilter: nf_tables: fix oops when inserting an element into a verdict map

2016-11-07 Thread Arturo Borrero Gonzalez
On 6 November 2016 at 07:40, Liping Zhang wrote: > From: Liping Zhang > > Dalegaard says: > The following ruleset, when loaded with 'nft -f bad.txt' > snip > flush ruleset > table ip inlinenat { >map sourcemap { > type ipv4_addr :

[conntrack-tools PATCH 3/3] conntrackd: replace fprintf calls with dlog()

2016-11-04 Thread Arturo Borrero Gonzalez
' is printed before closing the log engine. Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- src/ctnl.c|4 +-- src/filter.c |4 +-- src/main.c| 67 +++-- src/read_config_lex.l | 13 +- sr

[conntrack-tools PATCH 2/3] conntrackd: replace error reporting in the config parser with dlog()

2016-11-04 Thread Arturo Borrero Gonzalez
Now that our main log function is able to handle the case of the log engine not being initialised, we can use the general function instead of a custom one in the parser. Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- src/read_config_yy.y

[conntrack-tools PATCH 1/3] log: introduce a mechanism to know if log was initialized

2016-11-04 Thread Arturo Borrero Gonzalez
can't log parsing messages to logfiles but only to stderr/stdout. Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- include/conntrackd.h |1 + src/log.c|9 - 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/include/conntrackd.h b/i

[nft PATCH 2/3] tests: shell: introduce the cache testcases directory

2016-11-03 Thread Arturo Borrero Gonzalez
From: Arturo Borrero Gonzalez <art...@debian.org> This directory is for testcases related to the nft cache. Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- tests/shell/testcases/cache/0001_cache_handling_0 | 29 + tests/shell/testcases/sets/cach

[nft PATCH 3/3] tests: shell: add a new testcase for ruleset loading bug

2016-11-03 Thread Arturo Borrero Gonzalez
From: Arturo Borrero Gonzalez <art...@debian.org> There seems to be a bug that prevents loading a ruleset twice in a row if the ruleset contains sets with intervals. This seems related to the nft cache. By the time of this commit, the bug is not fixed yet. Signed-off-by: Arturo Borrero Go

Re: reject statement - "crazy" parse error?

2016-10-28 Thread Arturo Borrero Gonzalez
On 26 October 2016 at 20:50, James Feeney wrote: >> I can't reproduce the issue here. > > Thanks Arturo. What distribution are you using? Hmm - any suggestions about > how to "poke" at this issue on my end? > I'm using Debian, of course :-) You could check the config of

[conntrack-tools PATCH v2] log: print messages to stdout/sderr if running in console mode

2016-10-28 Thread Arturo Borrero Gonzalez
failed ERROR: conntrackd cannot start, please check the logfile for more info Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- v2: fix va_list arguments usage by using pointers where needed. include/conntrackd.h |1 + src/log.c

[conntrack-tools PATCH] log: print messages to stdout/sderr if running in console mode

2016-10-27 Thread Arturo Borrero Gonzalez
failed ERROR: conntrackd cannot start, please check the logfile for more info Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- include/conntrackd.h |1 + src/log.c| 67 +++--- src/main.c |1 + 3 files c

[conntrack-tools PATCH] sync-mode: print errno message on failure

2016-10-27 Thread Arturo Borrero Gonzalez
: No such device [ERROR] initialization failed Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- src/sync-mode.c |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/sync-mode.c b/src/sync-mode.c index e69ecfe..8fe65f1 100644 --- a/src/sync-mode.c +++

Re: reject statement - "crazy" parse error?

2016-10-26 Thread Arturo Borrero Gonzalez
On 26 October 2016 at 03:30, James Feeney wrote: > > I'm guessing that that error message is wildly off-base. > > Or is "reject" not a proper "terminal statement"? > > Or is there something wrong with the syntax? I can't reproduce the issue here. % nft -f test.nft % nft list

Re: [RFC nf-next PATCH] netfilter: nf_conntrack_proto_tcp: propagate IP_CT_TCP_FLAG_BE_LIBERAL

2016-10-21 Thread Arturo Borrero Gonzalez
(please keep the netfilter-devel list in CC) On 21 October 2016 at 09:18, Mathew Heard wrote: > That's been covered already. > > The problem with it is that only the ORIG side of the connection ends > up set. REPLY does not. > > I don't know the fundamental reason why this

[nf-next PATCH] netfilter: update Arturo Borrero Gonzalez email address

2016-10-18 Thread Arturo Borrero Gonzalez
The email address has changed, let's update the copyright statements. Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- net/ipv4/netfilter/nft_masq_ipv4.c |4 ++-- net/ipv4/netfilter/nft_redir_ipv4.c |4 ++-- net/ipv6/netfilter/nft_masq_ipv6.c |4 ++-- ne

[nft PATCH] tests: shell: update kernel modules to clean

2016-10-18 Thread Arturo Borrero Gonzalez
From: Arturo Borrero Gonzalez <art...@debian.org> Let's keep the kernel_cleanup() function updated with latest kernel changes: * added nft_quota, nft_queue, nft_numgen, nft_range * rename nft_hash to nft_set_hash * keep nft_hash as well * rename nft_rbtree to nft_set_rbtree Th

[nft PATCH] xt: update Arturo Borrero Gonzalez email address

2016-10-18 Thread Arturo Borrero Gonzalez
From: Arturo Borrero Gonzalez <art...@debian.org> Update email address to a new one in the copyright notice. Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- src/xt.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/xt.c b/src/xt.c index 0777

Re: [PATCH nf-next 2/5] netfilter: nft: basic routing expression

2016-10-17 Thread Arturo Borrero Gonzalez
On 16 October 2016 at 15:42, Anders K. Pedersen | Cohaesio wrote: > From: Anders K. Pedersen > > Introduce basic infrastructure for nftables rt expression for routing > related data. Initially "rt classid" is implemented identical to "meta > rtclassid",

Re: [PATCH nf-next 1/5] netfilter: nft: UAPI headers for routing expression

2016-10-17 Thread Arturo Borrero Gonzalez
On 16 October 2016 at 15:41, Anders K. Pedersen | Cohaesio wrote: > diff --git a/include/uapi/linux/netfilter/nf_tables.h > b/include/uapi/linux/netfilter/nf_tables.h > --- a/include/uapi/linux/netfilter/nf_tables.h > +++ b/include/uapi/linux/netfilter/nf_tables.h > @@ -759,6

[libnftnl PATCH] libnftnl: update Arturo Borrero Gonzalez email

2016-10-10 Thread Arturo Borrero Gonzalez
Update Arturo Borrero Gonzalez email address. Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- examples/nft-chain-parse-add.c |2 +- examples/nft-rule-parse-add.c |2 +- examples/nft-ruleset-get.c |2 +- examples/nft-set-parse-add.c |2 +- examples/nft

Re: [PATCH nf-next 0/2] netfilter: autoload NAT support for non-builtin L4 protocols

2016-10-07 Thread Arturo Borrero Gonzalez
On 7 October 2016 at 11:59, Davide Caratti <dcara...@redhat.com> wrote: > On Fri, 2016-10-07 at 09:35 +0200, Arturo Borrero Gonzalez wrote: >> Since I can add the same rule in nftables, I wonder if the same problem >> happens: >> >> chain postrouting { >>

Re: [PATCH nf-next 0/2] netfilter: autoload NAT support for non-builtin L4 protocols

2016-10-07 Thread Arturo Borrero Gonzalez
On 6 October 2016 at 19:09, Davide Caratti wrote: > this series fixes SNAT/DNAT rules where port number translation is > explicitly configured, but only the L3 address is translated: > > # iptables -t nat -A POSTROUTING -o eth1 -p stcp -j SNAT --to-source > 10.0.0.1:61000 >

Re: [RFC] nftables: reverse path filtering for nft

2016-09-15 Thread Arturo Borrero Gonzalez
On 14 September 2016 at 23:13, Florian Westphal wrote: > > Other solution I see is to not use mark and oif and come up > with new/different keyword, but thats not good either. > this solution is the least disruptive, I think -- Arturo Borrero González

Re: [RFC] nftables: reverse path filtering for nft

2016-09-15 Thread Arturo Borrero Gonzalez
On 14 September 2016 at 23:13, Florian Westphal wrote: > > Or remove unqualified meta keywords, that should work as well. That was my first idea, but I discarded it because it means breaking the syntax. Not sure if it is worth it. -- Arturo Borrero González

Re: [RFC] nftables: reverse path filtering for nft

2016-09-14 Thread Arturo Borrero Gonzalez
Hi Florian, thanks for working on this, here my comments. On 14 September 2016 at 19:45, Florian Westphal wrote: > Pablo Neira Ayuso wrote: >> On Mon, Sep 12, 2016 at 09:00:25PM +0200, Florian Westphal wrote: >> > Pablo Neira Ayuso

[nft] Using variable sized data types in concat expressions

2016-09-07 Thread Arturo Borrero Gonzalez
Hi! It would be great if this were supported: iifname . oifname vmap { eth1 . eth0 : jump chain1, eth2 . eth0 : jump chain2 } Error: can not use variable sized data types (string) in concat expressions Why iifname rather than iifindex? I would like to test/deploy my ruleset in machines which

[conntrack-tools PATCH 4/4 v2] doc/manual/conntrack-tools: include some bits about init systems

2016-09-05 Thread Arturo Borrero Gonzalez
ed-off-by: Arturo Borrero Gonzalez <arturo.borrero.g...@gmail.com> --- v2: include suggestions reported by Rami Rosen. doc/manual/conntrack-tools.tmpl | 51 +++ 1 file changed, 51 insertions(+) diff --git a/doc/manual/conntrack-tools.tmpl b/doc/manu

[conntrack-tools PATCH 4/4] doc/manual/conntrack-tools: include some bits about init systems

2016-08-30 Thread Arturo Borrero Gonzalez
ed-off-by: Arturo Borrero Gonzalez <arturo.borrero.g...@gmail.com> --- doc/manual/conntrack-tools.tmpl | 51 +++ 1 file changed, 51 insertions(+) diff --git a/doc/manual/conntrack-tools.tmpl b/doc/manual/conntrack-tools.tmpl index 87a792e..5c12c4a 100644 ---

[conntrack-tools PATCH 3/4] conntrackd.8: add reference to systemd

2016-08-30 Thread Arturo Borrero Gonzalez
Add reference to systemd integration in the manpage. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.g...@gmail.com> --- conntrackd.8 |7 +++ 1 file changed, 7 insertions(+) diff --git a/conntrackd.8 b/conntrackd.8 index bd195ec..6ccf261 100644 --- a/conntrackd.8 +++ b/conn

[conntrack-tools PATCH 2/4] conntrackd.8: refresh file

2016-08-30 Thread Arturo Borrero Gonzalez
Refresh conntrackd.8 manpage to match the help message in the binary. Changes are related to the syntax and options of conntrackd, the syntax of the manpage itself and clarification of some aspects. Also, break lines at 80 characters. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrer

Re: [PATCH iptables 2/3] xtables-compat: check if nft ruleset is compatible

2016-08-21 Thread Arturo Borrero Gonzalez
On 21 August 2016 at 20:10, Pablo M. Bermudo Garay wrote: > This patch adds a verification of the compatibility between the nft > ruleset and iptables. If the nft ruleset is not compatible with > iptables, the execution stops and an error message is displayed to the > user. >

Re: [RFC nft] meta: deprecate unqualified meta statements

2016-07-27 Thread Arturo Borrero Gonzalez
On 27 July 2016 at 04:17, Florian Westphal wrote: > During NFWS we discussed reducing the number of keywords in nftables. > > Obviously keywords are required for the parser to know what to expect. > > But always requiring the 'meta' keyword would allow us to handle > iif, oif,

Re: [PATCH nft v5 3/3] src: add xt compat support

2016-07-13 Thread Arturo Borrero Gonzalez
good to see this finally merged :-) -- Arturo Borrero González

Re: [PATCH] iptables: extensions: libxt_ecn: Add translation to nft

2016-06-29 Thread Arturo Borrero Gonzalez
On 28 June 2016 at 21:58, wrote: > diff --git a/extensions/libxt_ecn.c b/extensions/libxt_ecn.c > index 286782a..8e0c35b 100644 > --- a/extensions/libxt_ecn.c > +++ b/extensions/libxt_ecn.c > @@ -118,6 +118,50 @@ static void ecn_save(const void *ip, const struct >

Re: [libnftnl PATCH v2] expr: lookup: give support for inverted matching

2016-06-24 Thread Arturo Borrero Gonzalez
On 24 June 2016 at 09:07, Arturo Borrero Gonzalez <arturo.borrero.g...@gmail.com> wrote: > Inverted matching support was included in the kernel, let's give support here > as well. > > Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.g...@gmail.com> > --- >

[nft PATCH] tests: shell: run-tests.sh: use src/nft binary by default

2016-06-23 Thread Arturo Borrero Gonzalez
Better use the local tree nft binary rather than the installed one. Requested-by: Pablo Neira Ayuso <pa...@netfilter.org> Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.g...@gmail.com> --- tests/shell/README |4 +++- tests/shell/run-tests.sh |3 ++- 2 file

Re: nft shell tests

2016-06-23 Thread Arturo Borrero Gonzalez
On 23 June 2016 at 12:43, Pablo Neira Ayuso wrote: > Hi Arturo, > > I think it would be good if the run-test.sh script uses the binary > in this tree, just like nft-tests.py. Instead of using the one that is > available on the system. > > Let me know, thanks. You can use

[nf-next PATCH v5] netfilter: nf_tables: add support for inverted logic in nft_lookup

2016-06-23 Thread Arturo Borrero Gonzalez
of options, as we should consider 4 cases: * lookup false, invert false -> NFT_BREAK * lookup false, invert true -> return w/o NFT_BREAK * lookup true, invert false -> return w/o NFT_BREAK * lookup true, invert true -> NFT_BREAK Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero

Re: [nf-next PATCH v4] netfilter: nf_tables: add support for inverted logic in nft_lookup

2016-06-23 Thread Arturo Borrero Gonzalez
On 23 June 2016 at 09:32, Arturo Borrero Gonzalez <arturo.borrero.g...@gmail.com> wrote: > On 22 June 2016 at 20:22, Pablo Neira Ayuso <pa...@netfilter.org> wrote: >> On Wed, Jun 01, 2016 at 05:23:02PM +0200, Arturo Borrero Gonzalez wrote: >>> Introd

Re: [nf-next PATCH v4] netfilter: nf_tables: add support for inverted logic in nft_lookup

2016-06-23 Thread Arturo Borrero Gonzalez
On 22 June 2016 at 20:22, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > On Wed, Jun 01, 2016 at 05:23:02PM +0200, Arturo Borrero Gonzalez wrote: >> Introduce a new configuration option for this expression, which allows users >> to invert the logic of set lookups. > >

Re: [PATCH] iptables: extensions: libxt_MARK: Fix translation of --set-xmark option

2016-06-22 Thread Arturo Borrero Gonzalez
off-by: Roberto García <rodan...@gmail.com> > --- > extensions/libxt_MARK.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > Seems good to me :-) Acked-by: Arturo Borrero Gonzalez <arturo.borrero.g...@gmail.com> -- Arturo Borrero González

Re: [PATCH] iptables: extensions: libxt_CONNMARK: Add translation to nft

2016-06-18 Thread Arturo Borrero Gonzalez
-- > extensions/libxt_CONNMARK.c | 45 > + > 1 file changed, 45 insertions(+) Acked-by: Arturo Borrero Gonzalez <arturo.borrero.g...@gmail.com> -- Arturo Borrero González

[nft PATCH] tests/shell: cleanup tempfile handling in testcases/sets/cache_handling_0

2016-06-11 Thread Arturo Borrero Gonzalez
It uses a bogus pattern which was cleaned up already in other testcases, and this is a leftover. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.g...@gmail.com> --- tests/shell/testcases/sets/cache_handling_0 |8 +--- 1 file changed, 1 insertion(+), 7 deletions(-) diff

[nft PATCH] tests/shell: delete unused variable in run-tests.sh

2016-06-11 Thread Arturo Borrero Gonzalez
This ${TESTS_OUTPUT} variable is empty. Delete it. It was probably an idea about dynamically redirecting testcases output. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.g...@gmail.com> --- tests/shell/run-tests.sh |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff

Re: [PATCH nft] tests: shell: make testcases which use tcp/udp ports more robust

2016-06-11 Thread Arturo Borrero Gonzalez
hell/testcases/nft-f/0002rollback_rule_0 | 2 +- > tests/shell/testcases/nft-f/0003rollback_jump_0 | 2 +- > tests/shell/testcases/nft-f/0004rollback_set_0 | 2 +- > tests/shell/testcases/nft-f/0005rollback_map_0 | 2 +- > 7 files changed, 7 insertions(+), 7 deletions(-) > Acked-by: Arturo

Re: [PATCH] iptables: extensions: libxt_MARK: Add translation to nft

2016-06-06 Thread Arturo Borrero Gonzalez
On 4 June 2016 at 14:42, wrote: > From: Roberto García > > Add translation for the MARK target to nftables. > > Examples: > > $ sudo iptables-translate -t mangle -A OUTPUT -p tcp --dport 22 -j MARK > --set-mark 64 > nft add rule ip mangle OUTPUT tcp dport

[conntrack-tools PATCH] include/network.h: fix erroneous comment in NTA_(S|D)NAT_IPV6

2016-06-03 Thread Arturo Borrero Gonzalez
We don't use 'struct nfct_attr_grp_ipv6' here, but actually 'uint32_t * 4'. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.g...@gmail.com> --- include/network.h |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/network.h b/include/network.h index ab04591..e

Re: [PATCH v3] extensions: libxt_multiport: Add translation to nft

2016-06-01 Thread Arturo Borrero Gonzalez
On 31 May 2016 at 20:26, Laura Garcia Liebana wrote: > +static int __multiport_xlate_v1(const void *ip, > + const struct xt_entry_match *match, > + struct xt_xlate *xl, int numeric) > +{ > + const struct
