This tests the selectiveness of flush command on structures that use the
generic set infrastructure (sets, maps and flow tables).
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
.../testcases/sets/0022type_selective_flush_0 | 41 ++
1 file chang
The add / delete operations weren't documented yet. They fit better
in the sets and maps blocks since these operations are used to directly
modify their content.
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
doc/nft.xm
This patch enables the command flush on flow tables, which removes all
entries in it:
$ nft flush flow table filter ft-https
Command above flushes flow table 'ft-https' in table 'filter'.
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
src/parser_bison.y | 4
1 file chan
This patch enables the command flush on maps, which removes all
entries in it:
$ nft flush map filter map1
Command above flushes map 'map1' in table 'filter'.
The documentation was updated accordingly.
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
doc/nft.xml
The translation isn't supported when --hashlimit-mode isn't specified.
Also, the following options don't apply to flow tables:
--hashlimit-htable-size
--hashlimit-htable-max
--hashlimit-htable-gcinterval
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
extensions/libxt_hashlimit.c
This patch adds the missing documentation for maps. Also, updates sets
policy to match maps.
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
doc/nft.xml | 105 +++-
1 file changed, 104 insertions(+), 1 deletion(-)
diff
}
quota https-quota2 {
2 mbytes
}
}
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
src/statement.c | 15 +--
1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/src/statement.c b/src/statement.c
index 3beb86a..7ffd25f 100644
---
This patch adds the missing documentation for sets.
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
doc/nft.xml | 124
1 file changed, 124 insertions(+)
diff --git a/doc/nft.xml b/doc/nft.xml
index ac31c3b..be729a8
This patch adds documentation for stateful objects and updates
tables description to mention them.
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
v2: Added a title to counter and quota tables.
doc/nft.xml | 136 +++-
() by internal lookup table)
Fixes(Bug 1118 - nft: nft -f and nft list ruleset use different sets of
service -> port mappings)
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
src/datatype.c | 18 ++
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/src/dat
cept dest IP:PORT)
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
src/statement.c | 31 ---
1 file changed, 16 insertions(+), 15 deletions(-)
diff --git a/src/statement.c b/src/statement.c
index 9cdabbb..0585d66 100644
--- a/src/statement.c
+++ b/sr
Because the rules are more legible this way. Also, the parser doesn't
accept strings on ranges, so printing ranges numerically better matches
the rules definition.
Fixes(Bug 1046 - mobility header with range gives illegible rule).
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
--
The number of numeric options influences the behavior and the user
should be warned if an invalid number is used.
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
v2: Was split from a bigger patch. Now an error is triggered when an
invalid number of numeric options is used, i
Currently, the configure script requires xtables v1.6.0 when the option
--with-xtables is given. However, the nftables-0.7 build fails with this
version; xtables v1.6.1 is the minimum required to have libxtables
support.
Fixes(Bug 1110 - Build failure if --with-xtables).
Signed-off-by: Elise Lennion
of
NUMERIC_ALL, so the option -nnn doesn't affect symbolic constants.
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
include/nftables.h | 1 +
src/datatype.c | 11 +++
src/expression.c | 2 ++
src/main.c | 3 ++-
src/meta.c | 4 ++--
5 files chang
}
}
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
v3: Created in v3.
src/evaluate.c | 10 --
src/parser_bison.y | 8
2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index ed41bd8..379f9d7 100644
--- a/src/evaluate.c
tables
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
v3: Created in v3.
tests/py/nft-test.py | 131 +++
1 file changed, 131 insertions(+)
diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py
index 62b7942..2500921
table ip filter {
quota https-quota {
25 mbytes used 278 kbytes
}
}
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
v2: No changes.
v3: Fixed a bug where counters with the same name in different tables
were listed. Also, removed some code dupli
table ip filter {
quota https-quota {
25 mbytes used 278 kbytes
}
}
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
v2: No change on this one.
src/evaluate.c | 18 ++
src/rule.c | 6 +-
2 files changed, 23 insertions
Pablo Neira Ayuso <pa...@netfilter.org>.
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
v2: Only list tables with counters and quotas that are reset; on v1,
tables without stateful objects were listed.
include/mnl.h | 4 ++--
include/netlink.h | 3 ++-
sr
This tests for a bug where elements can't be added after flushing a
full set with the flag NFTNL_SET_DESC_SIZE set.
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
tests/shell/testcases/sets/0017add_after_flush_0 | 12
1 file changed, 12 insertions(+)
create mode
{
quota https-quota {
25 mbytes used 625 kbytes
}
}
Heavily based on work from Pablo Neira Ayuso <pa...@netfilter.org>.
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
include/mnl.h | 4 ++--
include/netlink.h | 3 ++-
src/evaluat
This tests for a bug where a repeated element is added and the set
elements counter is incorrectly increased.
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
tests/shell/testcases/sets/0016element_leak_0 | 11 +++
1 file changed, 11 insertions(+)
create mode 100755
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
include/nftables.h | 2 +-
src/main.c | 4 ++--
src/statement.c| 4
3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/include/nftables.h b/include/nftables.h
index 760bbff..6f54155 100644
--- a/i
To not trigger false errors because of unrelated traffic on the
tested machine.
Tests which have rules with counter and an 'ok' result are updated to
avoid new warnings.
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
tests/py/ip/flowtable.t | 2 +-
tests
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
doc/nft.xml | 11 +++
1 file changed, 11 insertions(+)
diff --git a/doc/nft.xml b/doc/nft.xml
index a421278..78e112f 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -49,6 +49,9 @@ vi:ts=4 sw=4
ttps quota 25 mbytes
}
}
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
include/nftables.h | 1 +
src/main.c | 12 +++-
src/rule.c | 6 +-
src/statement.c| 9 +++--
4 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/in
used 9 kbytes
}
}
With stateless option, -s:
table ip x {
chain y {
type filter hook output priority 0; policy accept;
tcp dport https counter
tcp dport https quota 1025 mbytes
}
}
Signed-off-by: Elise Lennion <elise.l
use nftnl_batch_begin() and nftnl_batch_end() instead, to keep examples
consistent and avoid code duplication.
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
examples/nft-map-add.c | 38 +++---
examples/nft-rule-add.
Test adding elements to simple and interval maps.
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
.../testcases/maps/0003map_add_many_elements_0 | 61
.../testcases/maps/0004interval_map_create_once_0 | 60
..
So users can better track their ruleset via git.
Without sorting, the elements can be listed in a different order
every time the set is created, generating unnecessary git changes.
Mergesort is used. Doesn't sort sets with 'flags interval' set on.
Signed-off-by: Elise Lennion <elise.l
cache_update() fetches set elements, when the set is big and sorted
this leads to an unnecessary delay on 'nft flush ruleset'.
There is only a possible call to cache_flush() after the update, so
this update isn't needed.
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
src/eval
so the user knows how we express it.
The base was added to all symbol tables, which are associated with
datatype->sym_tbl, so they are displayed in the right base.
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
src/ct.c | 3 +++
src/datatype.c | 4
src/express
On Wed, Dec 07, 2016 at 08:25:10PM +0100, Pablo Neira Ayuso wrote:
> Hi Elise,
>
> On Wed, Dec 07, 2016 at 05:03:31PM -0200, Elise Lennion wrote:
> > nft describe displays, to the user, which values are available for a
> > selector,
> > then the values s
nft describe displays, to the user, which values are available for a selector,
then the values should be in host byte order.
Reported-by: Pablo Neira Ayuso <pa...@netfilter.org>
Fixes: ccc5da470e76 ("datatype: Replace getnameinfo() by internal lookup table")
Signed-off-b
Because a linear search is used, which is slower.
This approach demands that the symbol_table have a variable with its
size; also, it must be sorted by value.
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
v2: This patch has no v1.
v3: Removed gcc_workaround in
and registered ports of my
local /etc/services file, from Ubuntu 16.04. Service numbers are
converted to respect network byte order.
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
v2: Used symbol_table to list the services and put them in another
file. Also used network byte
Because a linear search is used, which is slower.
This approach demands that the symbol_table have a variable with its
size; also, it must be sorted by value.
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
v2: This patch has no v1.
include/datatype.h | 2 ++
src/data
and registered ports of my
local /etc/services file, from Ubuntu 16.04. Service numbers are
converted to respect network byte order.
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
v2: Used symbol_table to list the services and put them in another
file. Also used network byte
Calls to erec_queue() from yyerror() already have "syntax error" in the
body of the message, so __error() must be used.
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
v3: Separate changes in different patches
src/parser_bison.y | 2 +-
1 file changed, 1 insertio
Error messages in nft from parser_bison should state "syntax error" to
keep consistency. A new error type was defined to include this message.
Signed-off-by: Elise Lennion <elise.lenn...@gmail.com>
---
v2: Create new error_record_type instead of modifying the message within
the err
On Wed, Nov 16, 2016 at 07:43:20PM -0200, Elise Lennion wrote:
> Error messages in nft from parser_bison should state "syntax error" to
> keep consistency. A new error type was defined to include this message.
>
> Signed-off-by: Elise Lennion <elise.lenn...@gmail.com