On 10 May 2017 at 12:55, Phil Sutter wrote:
> This adds support for printing the process ID and name for changes which
> 'nft monitor' reports:
>
> | nft -a -p monitor
> | add chain ip t2 bla3 # pid 11616 (nft)
>
> If '-n' was given in addition to '-p', parsing the process name from
If a node goes live, ask the other for resync at startup.
This usually has to be done by hand, but I guess it is an operation common
enough to add some bits to ease people's life here.
Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
---
conntrackd.conf.5
These digest_msg() functions can use resync_send() as well.
While at it, bring back a call to kernel_resync() in notrack_local() which was
lost in a previous commit.
Fixes: 131df891f77dc75515d5eabdedd9818105d29f5a ("conntrackd: factorize resync operations")
Signed-off-by: Artu
Signed-off-by: Phil Sutter <p...@nwl.cc>
> ---
> doc/nft.xml | 58 +-
> 1 file changed, 57 insertions(+), 1 deletion(-)
>
Thanks Phil, more docs are always good.
Acked-by: Arturo Borrero Gonzalez <art...@debian.org>
--
. "lo" : accept }
}
set s3 {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2,
3.3.3.3 }
}
}
Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
---
v2: align column using spaces rather than
Hi all,
Debian is about to release Stretch stable. Given this is our first
release officially including nftables and the translate/compat tools,
and we will recommend users to move from iptables to nftables, I would
like to direct users to robust docs.
I wrote this [0] in Dec 2016 and I would like
On 25 April 2017 at 15:16, Pablo Neira Ayuso wrote:
>
> Yes, but this is going to fill the logs if it ever happens.
>
> Better add stats:
>
> /* statistics */
> struct {
> uint64_t msg_rcv_malformed;
> uint32_t
On 1 May 2017 at 11:13, Pablo Neira Ayuso wrote:
>>
>> the ALARM mode requires committing the external cache instead of the
>> conns being directly injected into the kernel.
>
> You may want to disable the external cache with the alarm mode. The
> alarm mode only needs the
On 28 April 2017 at 10:28, Phil Sutter <p...@nwl.cc> wrote:
> On Fri, Apr 28, 2017 at 10:11:51AM +0200, Arturo Borrero Gonzalez wrote:
>> On 28 April 2017 at 10:05, Phil Sutter <p...@nwl.cc> wrote:
>> >>
>> >> This warning will be printed even in rulese
On 28 April 2017 at 10:05, Phil Sutter wrote:
>>
>> This warning will be printed even in rulesets loaded with '-f'
>> which first creates the masq rule and then the other chain.
>
> Hmm. I tested it with the following config and it works fine:
>
> | table ip nat {
> | chain post
On 27 April 2017 at 15:24, Phil Sutter wrote:
> As reported in netfilter bz#1105, masquerading won't work if there isn't
> at least an empty base chain hooked into prerouting. In order to raise
> awareness of this problem at the user, complain if a masquerading
> statement is added
On 25 April 2017 at 15:18, Pablo Neira Ayuso wrote:
>>
>> Yes. The timer based approach is... timer based (async).
>>
>> It doesn't fit in an environment where you need to sync events as soon
>> as they happen.
>
> IIRC the timer based works like this:
>
> 1) If event occurs,
. "lo" : accept }
}
set s3 {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2,
3.3.3.3 }
}
}
NOTE: some testcases require updates because the output changes.
Signed-off-by: Arturo Borrero Gonzalez <art...
On 25 April 2017 at 13:37, Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> On Thu, Apr 20, 2017 at 07:28:16PM +0200, Arturo Borrero Gonzalez wrote:
>> In some environments where both nodes of a cluster share all the conntracks,
>> after an initial or manual resync, the
On 25 April 2017 at 13:34, Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> On Thu, Apr 20, 2017 at 07:28:06PM +0200, Arturo Borrero Gonzalez wrote:
>> These warnings, if they happen, should help users.
>>
>> Signed-off-by: Arturo Borrero Gonzalez <art...@debian
}
}
chain c {
ip saddr . tcp dport {1.1.1.1 . 22, 2.2.2.2 . 80 }
tcp dport {3, 4 }
iif vmap {0 : accept }
}
}
NOTE: some testcases require updates because the output changes.
Signed-off-by: Arturo Borrero Gonzalez &l
On 25 April 2017 at 11:22, Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> Hi Arturo,
>
> On Fri, Apr 21, 2017 at 12:30:24PM +0200, Arturo Borrero Gonzalez wrote:
>> Add a new option to nft to print set elements per line instead
>> of all in a single line.
>
}
ip saddr . tcp dport { 1.1.1.1 . 22 }
}
}
Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
---
include/expression.h |1 +
include/nftables.h |1 +
src/expression.c |2 +-
src/main.c | 12 +++-
src/rule.c |2 ++
5
Checksum on
}
Options {
TCPWindowTracking Off
ExpectationSync On
}
}
[...]
Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
---
conntrackd.conf.5 |9 +
include/conntrackd.h |1 +
include/re
They are shared by both sync-ftfw and sync-notrack.
Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
---
include/Makefile.am |2 +-
include/queue_tx.h |7 ++
src/Makefile.am |2 +-
src/queue_tx.c | 60 ++
Resync operations factorization. There are two:
* resync_send --> conntrackd -B (send bulk resync)
* resync_req --> conntrackd -n (request resync)
Future patches reuse this factorized code.
Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
---
include/Makefi
These warnings, if they happen, should help users.
Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
---
src/channel.c |6 +-
src/queue_tx.c | 11 +--
2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/src/channel.c b/src/channel.c
index acbfa7d..b
If a node goes live, ask the other for resync at startup.
This usually has to be done by hand, but I guess it is an operation common
enough to add some bits to ease people's life here.
Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
---
NOTE: this patch belongs to the previous
On 7 April 2017 at 13:47, James Cowgill wrote:
> hashlimit was using "%lu" in a lot of printf format specifiers to print
> 64-bit integers. This is incorrect on 32-bit architectures because
> "long int" is 32 bits there. On MIPS, it was causing iptables to
> segfault
On 22 March 2017 at 01:26, Phil Sutter <p...@nwl.cc> wrote:
> If rule set applying failed, this would leave a stray netns in place.
>
Thanks Phil.
Acked-by: Arturo Borrero Gonzalez <art...@debian.org>
--
To unsubscribe from this list: send the line "unsubscribe netfi
On 9 March 2017 at 13:46, Liping Zhang wrote:
>>
>> Any chance the compiler detects the double assignment and removes the first
>> one?
>
> This will never happen, since these two assignment statements are not
> identical.
But perhaps the compiler can look beyond the high
On 8 March 2017 at 15:54, Liping Zhang wrote:
>
> +/* Store/load an u16 or u8 integer to/from the u32 data register.
> + *
> + * Note, when using concatenations, register allocation happens at 32-bit
> + * level. So for store instruction, pad the rest part with zero to avoid
>
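Review bot: the first line of the new comment reads "Store/load an u16 or u8 integer"; since "u16" starts with a consonant sound, it should be "a u16 or u8 integer". In the same comment, "pad the rest part with zero" would read more clearly as "pad the remaining bytes with zero".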
On 12 February 2017 at 15:09, Pablo Neira Ayuso wrote:
> I'll let Eric decide to this small update.
>
Perhaps it would be a good idea to drop this file from our tree and let
distros adjust this.
/buffer.c | 11 +++
> src/rule.c | 96
>
> 3 files changed, 43 insertions(+), 69 deletions(-)
>
Acked-by: Arturo Borrero Gonzalez <art...@debian.org>
factorization is introduced.
Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1073
Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
---
v2: cover netdev/bridge families as well, factorize code, add tests.
src/payload.c | 70 +++
te
On 20 January 2017 at 13:02, Arturo Borrero Gonzalez
<arturo.borrero.g...@gmail.com> wrote:
> From: Arturo Borrero Gonzalez <art...@debian.org>
>
duplicated, sorry.
From: Arturo Borrero Gonzalez <art...@debian.org>
In the inet family, we can add rules like these:
% nft add rule inet t c ip protocol icmp icmp type echo-request
% nft add rule inet t c ip6 nexthdr icmpv6 icmpv6 type echo-request
However, when we print the ruleset:
% nft list ruleset
is inet, the network layer protocol context
can be safely updated to 'ip' or 'ip6'.
Moreover, nft currently generates a 'meta nfproto ipvX' dependency when
using icmp or icmp6 in the inet family.
Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1073
Signed-off-by: Arturo Borrero Gonzalez <
On 3 January 2017 at 22:56, Robby Workman wrote:
> On Tue, 20 Dec 2016 21:46:36 +0100
> Pablo Neira Ayuso wrote:
>
>> Hi!
>>
>> The Netfilter project proudly presents:
>>
>> nftables 0.7
>>
>> This release contains many accumulated bug fixes and
On 20 December 2016 at 12:24, Llorente Santos Jesus
wrote:
> Hi,
>
> I have been playing quite a bit with iptables lately. Ever since the ipset
> was updated to support hash:ip,mark sets, there has been the potential to
> apply efficient matching on packet marks.
There has been a long adaptation time already, with several conntrack-tools
releases in the meantime.
Users migrating from an old conntrackd to a current one are required
to update their config file.
Suggested-by: Pablo Neira Ayuso <pa...@netfilter.org>
Signed-off-by: Arturo Borrero Go
Produces this:
warning: implicit declaration of function 'dlog'
Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
---
src/systemd.c |1 +
1 file changed, 1 insertion(+)
diff --git a/src/systemd.c b/src/systemd.c
index c6253cc..64bfc66 100644
--- a/src/systemd.c
+++ b/src/sys
If a resync is requested with 'conntrackd -n', a log message is printed
in the caller node, but no message is printed in the other.
Print a message so tracking the behaviour of a cluster is a bit easier.
Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
---
src/sync-ftfw.c
On 30 November 2016 at 19:28, Pablo Neira Ayuso wrote:
>> * You can probably augment this at some pointer to rely on the new
>> nf_tables tracing infrastructure.
>>
That would be rather complex.
>
> Only one more question left: Do you think you can slightly generalize
>
From: Arturo Borrero Gonzalez <art...@debian.org>
This test uses scapy to send a packet and test our packet/data path.
We grep the 'nft list ruleset' output for a counter increment.
If we like this approach, then we could easily add more testcases
following the pattern in this patch.
Ref
From: Arturo Borrero Gonzalez <art...@debian.org>
Use many defines in a single nft -f run.
Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
---
tests/shell/testcases/nft-f/0011manydefines_0 | 37 +
1 file changed, 37 insertions(+)
create mode
From: Arturo Borrero Gonzalez <art...@debian.org>
This testcase adds some defines in an nft -f run and then uses
them in different spots (which are not covered in previous testcases).
* defines used to define another one
* different datatypes (numbers, strings, bits, ranges)
* usage i
On 18 November 2016 at 09:05, Arturo Borrero Gonzalez <art...@debian.org> wrote:
> Hi,
>
> this happened today on my machine at boot time. I can't reproduce it again.
Find it attached for better format
linux 4.8.5-1 (debian)
[vie nov 18 08:42:18 2016] INFO: task modprobe:641 b
Hi,
this happened today on my machine at boot time. I can't reproduce it again.
linux 4.8.5-1 (debian)
[vie nov 18 08:42:18 2016] INFO: task modprobe:641 blocked for more
than 120 seconds.
[vie nov 18 08:42:18 2016] Not tainted 4.8.0-1-amd64 #1
[vie nov 18 08:42:18 2016] "echo 0 >
Hi,
commit id 3e5b0e406cf2b635200f9ee05ba8a158528fe622 :
tests: py: nft-tests.py: Add function for loading and removing kernel modules
introduces dummy kernel module loading to tests/py/nft-test.py.
The justification is that some tests are using the dummy module, but I
don't see them:
% git
From: Arturo Borrero Gonzalez <art...@debian.org>
This testcase adds and deletes many elements in a set.
We add and delete 65.536 elements in two different nft -f runs.
Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
---
.../testcases/sets/0013add_delete_many_elemen
From: Arturo Borrero Gonzalez <art...@debian.org>
This testcase adds many elements in a set.
We add 65.356 elements.
Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
---
tests/shell/testcases/sets/0011add_many_elements_0 | 32
1 file changed, 3
From: Arturo Borrero Gonzalez <art...@debian.org>
This testcase adds and deletes many elements in a set.
We add and delete 65.536 elements in the same batch of netlink messages
(single nft -f run).
Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
---
.../te
From: Arturo Borrero Gonzalez <art...@debian.org>
This patch adds several testcases for comments in set elements.
This includes the netfilter bug #1090 about comments in set interval elements.
Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
---
tests/shell/te
d-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
> ---
> src/segtree.c | 10 +++---
> 1 file changed, 7 insertions(+), 3 deletions(-)
>
Hi,
just tested this patch before/after, and it really works.
Tested-by: Arturo Borrero Gonzalez <art...@debian.org>
I think we can ad
On 6 November 2016 at 07:40, Liping Zhang wrote:
> From: Liping Zhang
>
> Dalegaard says:
> The following ruleset, when loaded with 'nft -f bad.txt'
> snip
> flush ruleset
> table ip inlinenat {
> map sourcemap {
> type ipv4_addr :
' is
printed before closing the log engine.
Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
---
src/ctnl.c|4 +--
src/filter.c |4 +--
src/main.c| 67 +++--
src/read_config_lex.l | 13 +-
sr
Now that our main log function is able to handle the case of the log engine
not being initialised, we can use the general function instead of a custom
one in the parser.
Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
---
src/read_config_yy.y
can't log parsing messages to logfiles but only to
stderr/stdout.
Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
---
include/conntrackd.h |1 +
src/log.c|9 -
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/include/conntrackd.h b/i
From: Arturo Borrero Gonzalez <art...@debian.org>
This directory is for testcases related to the nft cache.
Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
---
tests/shell/testcases/cache/0001_cache_handling_0 | 29 +
tests/shell/testcases/sets/cach
From: Arturo Borrero Gonzalez <art...@debian.org>
There seems to be a bug that prevents loading a ruleset twice in a row
if the ruleset contains sets with intervals. This seems related to the
nft cache.
By the time of this commit, the bug is not fixed yet.
Signed-off-by: Arturo Borrero Go
On 26 October 2016 at 20:50, James Feeney wrote:
>> I can't reproduce the issue here.
>
> Thanks Arturo. What distribution are you using? Hmm - any suggestions about
> how to "poke" at this issue on my end?
>
I'm using Debian, of course :-)
You could check the config of
failed
ERROR: conntrackd cannot start, please check the logfile for more info
Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
---
v2: fix va_list arguments usage by using pointers where needed.
include/conntrackd.h |1 +
src/log.c
failed
ERROR: conntrackd cannot start, please check the logfile for more info
Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
---
include/conntrackd.h |1 +
src/log.c| 67 +++---
src/main.c |1 +
3 files c
: No such device
[ERROR] initialization failed
Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
---
src/sync-mode.c |3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/sync-mode.c b/src/sync-mode.c
index e69ecfe..8fe65f1 100644
--- a/src/sync-mode.c
+++
On 26 October 2016 at 03:30, James Feeney wrote:
>
> I'm guessing that that error message is wildly off-base.
>
> Or is "reject" not a proper "terminal statement"?
>
> Or is there something wrong with the syntax?
I can't reproduce the issue here.
% nft -f test.nft
% nft list
(please keep the netfilter-devel list in CC)
On 21 October 2016 at 09:18, Mathew Heard wrote:
> That's been covered already.
>
> The problem with it is that only the ORIG side of the connection ends
> up set. REPLY does not.
>
> I don't know the fundamental reason why this
The email address has changed, let's update the copyright statements.
Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
---
net/ipv4/netfilter/nft_masq_ipv4.c |4 ++--
net/ipv4/netfilter/nft_redir_ipv4.c |4 ++--
net/ipv6/netfilter/nft_masq_ipv6.c |4 ++--
ne
From: Arturo Borrero Gonzalez <art...@debian.org>
Let's keep the kernel_cleanup() function updated with latest
kernel changes:
* added nft_quota, nft_queue, nft_numgen, nft_range
* rename nft_hash to nft_set_hash
* keep nft_hash as well
* rename nft_rbtree to nft_set_rbtree
Th
From: Arturo Borrero Gonzalez <art...@debian.org>
Update email address to a new one in the copyright notice.
Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
---
src/xt.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/xt.c b/src/xt.c
index 0777
On 16 October 2016 at 15:42, Anders K. Pedersen | Cohaesio
wrote:
> From: Anders K. Pedersen
>
> Introduce basic infrastructure for nftables rt expression for routing
> related data. Initially "rt classid" is implemented identical to "meta
> rtclassid",
On 16 October 2016 at 15:41, Anders K. Pedersen | Cohaesio
wrote:
> diff --git a/include/uapi/linux/netfilter/nf_tables.h
> b/include/uapi/linux/netfilter/nf_tables.h
> --- a/include/uapi/linux/netfilter/nf_tables.h
> +++ b/include/uapi/linux/netfilter/nf_tables.h
> @@ -759,6
Update Arturo Borrero Gonzalez email address.
Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
---
examples/nft-chain-parse-add.c |2 +-
examples/nft-rule-parse-add.c |2 +-
examples/nft-ruleset-get.c |2 +-
examples/nft-set-parse-add.c |2 +-
examples/nft
On 7 October 2016 at 11:59, Davide Caratti <dcara...@redhat.com> wrote:
> On Fri, 2016-10-07 at 09:35 +0200, Arturo Borrero Gonzalez wrote:
>> Since I can add the same rule in nftables, I wonder if the same problem
>> happens:
>>
>> chain postrouting {
>>
On 6 October 2016 at 19:09, Davide Caratti wrote:
> this series fixes SNAT/DNAT rules where port number translation is
> explicitly configured, but only the L3 address is translated:
>
> # iptables -t nat -A POSTROUTING -o eth1 -p stcp -j SNAT --to-source
> 10.0.0.1:61000
>
On 14 September 2016 at 23:13, Florian Westphal wrote:
>
> Other solution I see is to not use mark and oif and come up
> with new/different keyword, but thats not good either.
>
This solution is the least disruptive, I think.
--
Arturo Borrero González
On 14 September 2016 at 23:13, Florian Westphal wrote:
>
> Or remove unqualified meta keywords, that should work as well.
That was my first idea, but I discarded it because it means breaking the syntax.
Not sure if it is worth it.
--
Arturo Borrero González
Hi Florian,
thanks for working on this, here are my comments.
On 14 September 2016 at 19:45, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
>> On Mon, Sep 12, 2016 at 09:00:25PM +0200, Florian Westphal wrote:
>> > Pablo Neira Ayuso
Hi!
It would be great if this were supported:
iifname . oifname vmap { eth1 . eth0 : jump chain1, eth2 . eth0 : jump chain2 }
Error: can not use variable sized data types (string) in concat expressions
Why iifname rather than iifindex?
I would like to test/deploy my ruleset in machines which
ed-off-by: Arturo Borrero Gonzalez <arturo.borrero.g...@gmail.com>
---
v2: include suggestions reported by Rami Rosen.
doc/manual/conntrack-tools.tmpl | 51 +++
1 file changed, 51 insertions(+)
diff --git a/doc/manual/conntrack-tools.tmpl b/doc/manu
ed-off-by: Arturo Borrero Gonzalez <arturo.borrero.g...@gmail.com>
---
doc/manual/conntrack-tools.tmpl | 51 +++
1 file changed, 51 insertions(+)
diff --git a/doc/manual/conntrack-tools.tmpl b/doc/manual/conntrack-tools.tmpl
index 87a792e..5c12c4a 100644
---
Add reference to systemd integration in the manpage.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.g...@gmail.com>
---
conntrackd.8 |7 +++
1 file changed, 7 insertions(+)
diff --git a/conntrackd.8 b/conntrackd.8
index bd195ec..6ccf261 100644
--- a/conntrackd.8
+++ b/conn
Refresh conntrackd.8 manpage to match the help message in the binary.
Changes are related to the syntax and options of conntrackd,
the syntax of the manpage itself and clarification of some aspects.
Also, break lines at 80 characters.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrer
On 21 August 2016 at 20:10, Pablo M. Bermudo Garay wrote:
> This patch adds a verification of the compatibility between the nft
> ruleset and iptables. If the nft ruleset is not compatible with
> iptables, the execution stops and an error message is displayed to the
> user.
>
On 27 July 2016 at 04:17, Florian Westphal wrote:
> During NFWS we discussed reducing the number of keywords in nftables.
>
> Obviously keywords are required for the parser to know what to expect.
>
> But always requiring the 'meta' keyword would allow us to handle
> iif, oif,
good to see this finally merged :-)
--
Arturo Borrero González
On 28 June 2016 at 21:58, wrote:
> diff --git a/extensions/libxt_ecn.c b/extensions/libxt_ecn.c
> index 286782a..8e0c35b 100644
> --- a/extensions/libxt_ecn.c
> +++ b/extensions/libxt_ecn.c
> @@ -118,6 +118,50 @@ static void ecn_save(const void *ip, const struct
>
On 24 June 2016 at 09:07, Arturo Borrero Gonzalez
<arturo.borrero.g...@gmail.com> wrote:
> Inverted matching support was included in the kernel, let's give support here
> as well.
>
> Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.g...@gmail.com>
> ---
>
Better use the local tree nft binary rather than the installed one.
Requested-by: Pablo Neira Ayuso <pa...@netfilter.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.g...@gmail.com>
---
tests/shell/README |4 +++-
tests/shell/run-tests.sh |3 ++-
2 file
On 23 June 2016 at 12:43, Pablo Neira Ayuso wrote:
> Hi Arturo,
>
> I think it would be good if the run-test.sh script used the binary
> in this tree, just like nft-tests.py, instead of using the one that is
> available on the system.
>
> Let me know, thanks.
You can use
of options, as we should consider 4 cases:
* lookup false, invert false -> NFT_BREAK
* lookup false, invert true -> return w/o NFT_BREAK
* lookup true, invert false -> return w/o NFT_BREAK
* lookup true, invert true -> NFT_BREAK
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero
On 23 June 2016 at 09:32, Arturo Borrero Gonzalez
<arturo.borrero.g...@gmail.com> wrote:
> On 22 June 2016 at 20:22, Pablo Neira Ayuso <pa...@netfilter.org> wrote:
>> On Wed, Jun 01, 2016 at 05:23:02PM +0200, Arturo Borrero Gonzalez wrote:
>>> Introd
On 22 June 2016 at 20:22, Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> On Wed, Jun 01, 2016 at 05:23:02PM +0200, Arturo Borrero Gonzalez wrote:
>> Introduce a new configuration option for this expression, which allows users
>> to invert the logic of set lookups.
>
>
off-by: Roberto García <rodan...@gmail.com>
> ---
> extensions/libxt_MARK.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
Seems good to me :-)
Acked-by: Arturo Borrero Gonzalez <arturo.borrero.g...@gmail.com>
--
Arturo Borrero González
--
> extensions/libxt_CONNMARK.c | 45
> +
> 1 file changed, 45 insertions(+)
Acked-by: Arturo Borrero Gonzalez <arturo.borrero.g...@gmail.com>
--
Arturo Borrero González
It uses a bogus pattern which was cleaned up already in other testcases,
and this is a leftover.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.g...@gmail.com>
---
tests/shell/testcases/sets/cache_handling_0 |8 +---
1 file changed, 1 insertion(+), 7 deletions(-)
diff
This ${TESTS_OUTPUT} variable is empty. Delete it.
It was probably an idea about dynamically redirecting testcase output.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.g...@gmail.com>
---
tests/shell/run-tests.sh |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff
hell/testcases/nft-f/0002rollback_rule_0 | 2 +-
> tests/shell/testcases/nft-f/0003rollback_jump_0 | 2 +-
> tests/shell/testcases/nft-f/0004rollback_set_0 | 2 +-
> tests/shell/testcases/nft-f/0005rollback_map_0 | 2 +-
> 7 files changed, 7 insertions(+), 7 deletions(-)
>
Acked-by: Arturo
On 4 June 2016 at 14:42, wrote:
> From: Roberto García
>
> Add translation for the MARK target to nftables.
>
> Examples:
>
> $ sudo iptables-translate -t mangle -A OUTPUT -p tcp --dport 22 -j MARK
> --set-mark 64
> nft add rule ip mangle OUTPUT tcp dport
We don't use 'struct nfct_attr_grp_ipv6', actually 'uint32_t * 4'.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.g...@gmail.com>
---
include/network.h |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/network.h b/include/network.h
index ab04591..e
On 31 May 2016 at 20:26, Laura Garcia Liebana wrote:
> +static int __multiport_xlate_v1(const void *ip,
> + const struct xt_entry_match *match,
> + struct xt_xlate *xl, int numeric)
> +{
> + const struct