[PATCH nft] update gitignore

Add new internal libraries generated since [1] to the .gitignore file. [1]: 0b3ccd27e12d ("build: Restore per object CFLAGS") Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitignore b/.gitigno

[PATCH nft] src: do not print limit keyword inside object definition

table ip limits { limit foo { limit rate 5/second ^ } } This behaviour is inconsistent and breaks the restoration of saved rule-sets with "nft -f". Fixes: c0697eabe832 ("src: add stateful object support for limit") Signed-off-by: Pablo M.

[PATCH nft] tests: py: add tests for limit stateful object

The patch also reorganizes ip/objects.t file. Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- tests/py/any/objects.t| 2 ++ tests/py/ip/objects.t | 20 +--- tests/py/ip/objects.t.payload | 16 3 files changed, 35 insertions

Re: [PATCH nft 2/2] src: limit stateful object support

2017-08-23 23:51 GMT+02:00 Pablo Neira Ayuso <pa...@netfilter.org>: > On Wed, Aug 23, 2017 at 11:06:14PM +0200, Pablo M. Bermudo Garay wrote: >> Maybe the commit title is confusing, since "limit" seems the typical >> imperative mood instead of a noun. >>

Re: [PATCH nft 2/2] src: limit stateful object support

Maybe the commit title is confusing, since "limit" seems the typical imperative mood instead of a noun. Pablo, should I resend the patches with a better title? -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More

[PATCH nft 1/2] parser: fix typo

Separator was misspelled as "seperator" in a symbol name. Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- src/parser_bison.y | 74 +++--- 1 file changed, 37 insertions(+), 37 deletions(-) diff --git a/src/pars

[PATCH nft 2/2] src: limit stateful object support

This patch adds support for a new type of stateful object: limit. Creation, deletion and listing operations are supported. Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- include/linux/netfilter/nf_tables.h | 3 +- include/rule.h | 13 + i

[PATCH libnftnl] src: limit stateful object support

This patch adds support for a new type of stateful object: limit. Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- include/libnftnl/object.h | 8 ++ include/linux/netfilter/nf_tables.h | 3 +- include/obj.h | 8 ++ src/Makef

[PATCH nf-next 3/3] netfilter: nft_limit: add stateful object type

Register a new limit stateful object type into the stateful object infrastructure. Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- include/uapi/linux/netfilter/nf_tables.h | 3 +- net/netfilter/nft_limit.c| 118 ++- 2 files c

[PATCH nf-next 2/3] netfilter: nft_limit: replace pkt_bytes with bytes

Just a small refactor patch in order to improve the code readability. Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- include/uapi/linux/netfilter/nf_tables.h | 2 +- net/netfilter/nft_limit.c| 30 +++--- 2 files changed, 16 inse

[PATCH nft-sync] fix build

nft-sync development has been stalled for two years. Since then the libnftnl API has changed, breaking the build. Apply the required changes to make the project build again. Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- include/mnl.h | 13 +++-- src/mnl.c

[PATCH iptables 1/2] xtables-compat-restore: fix several memory leaks

: xtables_ip4_restore_main (xtables-restore.c:534) Fix these memory leaks. Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- iptables/nft.c | 10 +++--- iptables/xtables-restore.c | 8 +++- iptables/xtables.c | 2 ++ 3 files changed, 16 insertions(+), 4 del

[PATCH iptables 2/2] xtables-compat: fix memory leak when listing

-compat-multi) ==1604==by 0x10F636: main (in /usr/local/sbin/xtables-compat-multi) Fix these memory leaks. Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- iptables/nft-ipv4.c | 2 ++ iptables/nft-ipv6.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/iptables/nft-

[PATCH nft 2/2] src: add --check option flag

Sometimes it can be useful to test if a command is valid without applying any change to the rule-set. This commit adds a new option flag (-c | --check) that performs a dry run execution of the commands. Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- doc/nft.xml

[PATCH nft 1/2] src: add new generic context structure nft_ctx

The new structure nft_ctx is meant to be used as a generic container of context information. This is a preparatory patch. So at the moment the struct just carry output_ctx on his path through main.c and cli.c. Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- include

[PATCH iptables 2/3] libip6t_icmp6: xlate: remove leftover space

This change should have been included in commit f035be35c749 ("xtables-translate: fix multiple spaces issue"), but was forgotten. Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- extensions/libip6t_icmp6.c | 2 -- 1 file changed, 2 deletions(-) diff --

[PATCH iptables 3/3] xtables-translate: fix double space before comment

he target translation. Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- iptables/nft-ipv4.c | 2 +- iptables/nft-ipv6.c | 2 +- iptables/xtables-translate.c | 11 ++- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/iptables/nft-ipv4.c

[PATCH iptables 1/3] tests: xlate: generalize owner

The owner name was hard-coded in the owner extension translation test. The translation process requires the user to exist in the system, so this commit replaces it with the usual UID_MIN value (1000). Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- extensions/libxt_owner.

Re: [nft RFC PATCH] expression: print sets and maps in pretty format

2017-04-25 14:35 GMT+02:00 Arturo Borrero Gonzalez : > Print elements per line instead of all in a single line. > The elements which can be 'short' are printed 5 per line, > and others, like IPv4 addresses are printed 2 per line. The default terminfo tab size is 8. Why not

[PATCH iptables 2/2] tests: xlate: check if it is being run as root

Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- xlate-test.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/xlate-test.py b/xlate-test.py index 37760e9..43c4be1 100755 --- a/xlate-test.py +++ b/xlate-test.py @@ -72,7 +72,9 @@ def load_test_files():

[PATCH iptables 1/2] tests: xlate: remove python 3.5 dependency

This commit replaces subprocess.run (introduced in python 3.5) with subprocess.Popen (supported since the first version of python 3). Furthermore, the output has been improved when ip[6]tables-translate exits with non-zero return code. Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.

Re: [PATCH iptables] tests: add regression tests for xtables-translate

> Nice... But how this works? :) > > # python xlate-test.py > Traceback (most recent call last): > File "xlate-test.py", line 85, in > main() > File "xlate-test.py", line 78, in main > load_test_files() > File "xlate-test.py", line 65, in load_test_files > run_test(test,

[PATCH iptables] tests: add regression tests for xtables-translate

A INPUT -p tcp --dport 80 -m cpu ! --cpu 1 -j ACCEPT nft add rule ip filter INPUT tcp dport 80 cpu != 1 counter accept Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- extensions/generic.txlate| 5 +++ extensions/libip6t_DNAT.txlate | 11 + extensions/li

[PATCH iptables v3] xtables-translate-restore: do not escape quotes

If quotes are escaped, nft -f is unable to parse and load the translated ruleset. Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- Changes in v3: - Add a new field to the iptables_command_state struct instead of propagate 'bool restore' argument. iptables/xsh

[PATCH iptables v3 1/2] xtables-compat: check if nft ruleset is compatible

by xtables-compat -L and xtables-compat-save commands. Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- Changes in V3: - Simplify code. iptables/nft.c | 194 iptables/nft.h | 2 + iptables/xtables-save.c

[PATCH iptables v3 2/2] xtables-compat: add rule cache

causing changes in the ruleset must invalidate the cache, a function called flush_rule_cache has been introduced for this purpose. Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- Changes in V3: - Simplify code. - Update commit message. iptables/nft.

[PATCH iptables v2 1/2] xtables-compat: check if nft ruleset is compatible

by xtables-compat -L and xtables-compat-save commands. Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- iptables/nft.c | 192 iptables/nft.h | 2 + iptables/xtables-save.c | 5 ++ iptables/xtables.c | 5 ++ 4

[PATCH iptables v2 2/2] xtables-translate-restore: do not escape quotes

If quotes are escaped, nft -f is unable to parse and load the translated ruleset. Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- Changes in v2: - Do not use strcmp against 'program_name' global, propagate 'bool restore' argument instead. iptables/nft-ipv4.c

[PATCH iptables v2 1/2] xtables-translate: add escape_quotes option to comment_xlate

The comment_xlate function was not supporting this option that is necessary in some situations. Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- Changes in v2: - Ensure that the comment string is null-terminated. extensions/libxt_comment.c | 11 ++- iptables/nft-

[PATCH iptables 1/3] xtables-compat: remove useless functions

for the sake of simplicity. Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- iptables/nft.c | 38 ++ iptables/nft.h | 3 --- 2 files changed, 14 insertions(+), 27 deletions(-) diff --git a/iptables/nft.c b/iptables/nft.c index 05ba57a..247a60a

[PATCH iptables 3/3] xtables-compat: add rule cache

has been introduced for this purpose. Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- iptables/nft.c | 35 +++ iptables/nft.h | 1 + 2 files changed, 24 insertions(+), 12 deletions(-) diff --git a/iptables/nft.c b/iptables/nft.c index 7

[PATCH iptables 2/3] xtables-compat: check if nft ruleset is compatible

. Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- iptables/nft.c | 166 iptables/nft.h | 2 + iptables/xtables-save.c | 5 ++ iptables/xtables.c | 5 ++ 4 files changed, 178 insertions(+) diff --git a/ip

Re: [PATCH iptables 1/2] xtables-translate: add escape_quotes option to comment_xlate

2016-08-17 16:23 GMT+02:00 Pablo Neira Ayuso <pa...@netfilter.org>: > On Tue, Aug 16, 2016 at 07:44:32PM +0200, Pablo M. Bermudo Garay wrote: >> The comment_xlate function was not supporting this option that is >> necessary in some situations. > > I have applied what

[PATCH iptables 2/2] xtables-translate-restore: do not escape quotes

If quotes are escaped, nft -f is unable to parse and load the translated ruleset. Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- iptables/xtables-translate.c | 11 +++ 1 file changed, 11 insertions(+) diff --git a/iptables/xtables-translate.c b/iptables/x

[PATCH iptables 1/2] xtables-translate: add escape_quotes option to comment_xlate

The comment_xlate function was not supporting this option that is necessary in some situations. Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- extensions/libxt_comment.c | 9 - iptables/nft-ipv4.c| 2 +- iptables/nft-ipv6.c| 2 +- 3 files chang

[PATCH iptables] xtables-compat: fix comments listing

ip[6]tables-compat -L was not printing the comments since commit d64ef34a9961 ("iptables-compat: use nft built-in comments support"). This patch solves the issue. Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- iptables/nft-shared.c | 26 ++

Re: [PATCH iptables 2/2] xtables-translate: fix issue with quotes

2016-07-25 17:31 GMT+02:00 Pablo Neira Ayuso <pa...@netfilter.org>: > On Fri, Jul 22, 2016 at 05:48:34PM +0200, Pablo M. Bermudo Garay wrote: >> Some translations included escaped quotes when they were called from >> nft: >> >> $ sudo nft list ruleset >>

[PATCH iptables 2/2] xtables-translate: fix issue with quotes

0 bytes 0 ^^ ^^ } } This behavior is only correct when xlate functions are called from a xtables-translate command. This patch solves that issue if nft revision is using the field added to the xt_xlate struct with "xtables-translate: add new field to identify the caller" commit. Signed-off-by: Pablo M.

[PATCH nft v5 2/3] src: expose delinearize/linearize structures and stmt_error()

From: Pablo Neira Needed by the follow up xt compatibility layer patch. Signed-off-by: Arturo Borrero Gonzalez Signed-off-by: Pablo Neira Ayuso --- Resubmission of xt compat support preparatory patch. Changes in v5:

[PATCH nft v5 1/3] include: cache ip_tables.h, ip6_tables.h, arp_tables.h and ebtables.h

From: Pablo Neira The xt over nft support that comes in follow up patches need this, and update the corresponding Makefile.am. Based on patch from Arturo Borrero Gonzalez. Signed-off-by: Pablo Neira Ayuso --- Resubmission of xt compat support

[PATCH nft v5 3/3] src: add xt compat support

for all their rules. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.g...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- New version of the original work made by Arturo and Pablo. Changes in

[PATCH iptables] xtables-translate: fix multiple spaces issue

,established counter packets 0 bytes 0 accept ^^ ip protocol tcp tcp dport 80-85 ip ttl gt 5 counter packets 0 bytes 0 accept ^^ ^^ } } Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.

[PATCH nft v4 3/3] src: add xt compat support

rs can (re)load it using "nft -f" and get nft native support for all their rules. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.g...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> ---

[PATCH nft v4 2/3] src: expose delinearize/linearize structures and stmt_error()

From: Pablo Neira Needed by the follow up xt compatibility layer patch. Signed-off-by: Arturo Borrero Gonzalez Signed-off-by: Pablo Neira Ayuso --- Resubmission of xt compat support preparatory patch. Changes in v4:

[PATCH nft v4 1/3] include: cache ip_tables.h, ip6_tables.h, arp_tables.h and ebtables.h

From: Pablo Neira The xt over nft support that comes in follow up patches need this, and update the corresponding Makefile.am. Based on patch from Arturo Borrero Gonzalez. Signed-off-by: Pablo Neira Ayuso --- Resubmission of xt compat support

[nft PATCH 3/3 v3] src: add xt compat support

rs can (re)load it using "nft -f" and get nft native support for all their rules. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.g...@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> ---

[nft PATCH 2/3 v3] src: expose delinearize/linearize structures and stmt_error()

From: Pablo Neira Needed by the follow up xt compatibility layer patch. Signed-off-by: Arturo Borrero Gonzalez Signed-off-by: Pablo Neira Ayuso --- Resubmission of xt compat support preparatory patch. include/erec.h

[nft PATCH 1/3 v3] include: cache ip_tables.h, ip6_tables.h, arp_tables.h and ebtables.h

From: Pablo Neira The xt over nft support that comes in follow up patches need this, and update the corresponding Makefile.am. Based on patch from Arturo Borrero Gonzalez. Signed-off-by: Pablo Neira Ayuso --- Resubmission of xt compat support

[PATCH iptables] iptables-compat: use nft built-in comments support

After this patch, iptables-compat uses nft built-in comments support instead of comment match. This change simplifies the treatment of comments in nft after load a rule set through iptables-compat-restore. Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- iptables/nft-ipv4.

[PATCH nft v2] evaluate: fix "list set" unexpected behaviour

et_service elements = { 192.168.1.101 : http-alt} } } Now an error is shown: # nft list set filter test :1:1-20: Error: Could not process rule: Set 'test' does not exist list set filter test Signed-off-by: Pablo M. Bermudo Garay <pablo

Re: [PATCH nft] evaluate: fix "list set" unexpected behaviour

2016-06-01 11:20 GMT+02:00 Pablo Neira Ayuso : > I'd suggest: > > set == NULL && set->flags & (SET_F_EVAL | SET_F_MAP) Oh, sure. Thank you for pointing that out. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a

[PATCH nft] evaluate: fix "list set" unexpected behaviour

et_service elements = { 192.168.1.101 : http-alt} } } Now an error is shown: # nft list set filter test :1:1-20: Error: Could not process rule: Set 'test' does not exist list set filter test Signed-off-by: Pablo M. Bermudo Garay <pablo

[PATCH nft 2/2] src: add support for display maps content

elements = { 2001:db8::ff00:42:8329 : http} } } Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- include/rule.h | 1 + src/evaluate.c | 10 ++ src/parser_bison.y | 4 src/rule.c | 2 ++ 4 files changed, 17 insertions(+) diff

[PATCH nft] rule: add support for display flow tables content

This commit adds a new command that displays the definition of a single flow table: If no family is specified, ip is assumed. Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- include/rule.h | 1 + src/evaluate.c | 11 +++ src/parser_bison.y | 4 src/

[PATCH nft] rule: add 'list flow tables' support

This commit adds a new command that lists flow tables: # nft list flow tables [family] Only the declaration is displayed. If no family is specified, all flow tables of all families are listed. Signed-off-by: Pablo M. Bermudo Garay <pablo...@gmail.com> --- include/rule.h | 1