Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-19 Thread Phil Sutter
Hi David, On Mon, Feb 19, 2018 at 10:31:39AM -0500, David Miller wrote: > From: Harald Welte > Date: Mon, 19 Feb 2018 16:27:46 +0100 > > > On Mon, Feb 19, 2018 at 10:13:35AM -0500, David Miller wrote: > > > >> Florian, first of all, the whole "change the iptables binary"

Re: [PATCH nft] parser_bison: restore nft {import,export} ruleset

2018-02-15 Thread Phil Sutter
Hi Shyam, On Thu, Feb 15, 2018 at 01:25:04AM +0530, Shyam Saini wrote: > > On Wed, Feb 14, 2018 at 08:16:52PM +0100, Pablo Neira Ayuso wrote: > >> On Thu, Feb 15, 2018 at 12:34:31AM +0530, Shyam Saini wrote: > >> > Hi Pablo, > >> > > >> > On Thu, Feb 15, 2018 at 12:02 AM, Pablo Neira Ayuso > >>

Re: [nft PATCH] Enable automerge feature for anonymous sets

2018-02-07 Thread Phil Sutter
Hi Pablo, On Wed, Feb 07, 2018 at 12:39:43AM +0100, Pablo Neira Ayuso wrote: > On Tue, Feb 06, 2018 at 07:18:47PM +0100, Phil Sutter wrote: > > Automatic merging of adjacent/overlapping ranges upon insertion has > > clear benefits performance- and readability-wise. The drawback

Re: [Bug 1224] nft export json fails with successful return code

2018-02-06 Thread Phil Sutter
Hi Pablo, On Tue, Feb 06, 2018 at 01:49:57PM +0100, Pablo Neira Ayuso wrote: > On Tue, Feb 06, 2018 at 01:40:34PM +0100, Phil Sutter wrote: > > On Tue, Feb 06, 2018 at 02:44:06AM +, bugzilla-dae...@netfilter.org > > wrote: > > > https://bugzilla.netfilter.

Re: [Bug 1224] nft export json fails with successful return code

2018-02-06 Thread Phil Sutter
On Tue, Feb 06, 2018 at 02:44:06AM +, bugzilla-dae...@netfilter.org wrote: > https://bugzilla.netfilter.org/show_bug.cgi?id=1224 [...] > --- Comment #1 from Shyam Saini --- > Hi Anthony, > > > I recently upgraded to nftables v0.8.2 and encountered a regression. > > >

[nft PATCH] tests/shell: Add back named_interval_automerging_0

2018-01-20 Thread Phil Sutter
Change the test to expect no automerging since it was disabled recently. Signed-off-by: Phil Sutter <p...@nwl.cc> --- tests/shell/testcases/sets/0002named_interval_automerging_0 | 12 1 file changed, 12 insertions(+) create mode 100755 tests/shell/testcase

Re: [nft PATCH RFC] libnftables: Implement JSON output support

2018-01-17 Thread Phil Sutter
On Wed, Jan 17, 2018 at 07:59:34PM +0100, Pablo Neira Ayuso wrote: > On Wed, Jan 17, 2018 at 07:56:30PM +0100, Phil Sutter wrote: > > On Wed, Jan 17, 2018 at 07:45:04PM +0100, Pablo Neira Ayuso wrote: > > [...] > > > > On Wed, Jan 17, 2018 at 01:50:26PM +01

Re: [nft PATCH RFC] libnftables: Implement JSON output support

2018-01-17 Thread Phil Sutter
On Wed, Jan 17, 2018 at 07:45:04PM +0100, Pablo Neira Ayuso wrote: [...] > > On Wed, Jan 17, 2018 at 01:50:26PM +0100, Pablo Neira Ayuso wrote: > > > On Wed, Jan 17, 2018 at 01:44:06PM +0100, Pablo Neira Ayuso wrote: > > > > On Wed, Jan 17, 2018 at 12:51:40

Re: [nft PATCH RFC] libnftables: Implement JSON output support

2018-01-17 Thread Phil Sutter
Hi Pablo, On Wed, Jan 17, 2018 at 01:44:06PM +0100, Pablo Neira Ayuso wrote: > On Wed, Jan 17, 2018 at 12:51:40PM +0100, Phil Sutter wrote: > > Although technically there already is support for JSON output via 'nft > > export json' command, it is hardly useable since it expor

[nft PATCH RFC] libnftables: Implement JSON output support

2018-01-17 Thread Phil Sutter
format support for regular 'nft list' commands. Signed-off-by: Phil Sutter <p...@nwl.cc> --- Note that this is incomplete and merely meant as foundation for a discussion about the implementation. A few things I am not happy with: * The amount of ifdef's introduced is certainly not optimal, th

[nft PATCH 2/2] configure: Allow to disable man page building

2018-01-16 Thread Phil Sutter
. Signed-off-by: Phil Sutter <p...@nwl.cc> --- configure.ac | 33 + 1 file changed, 21 insertions(+), 12 deletions(-) diff --git a/configure.ac b/configure.ac index 22fb293c47035..1d588d5d37773 100644 --- a/configure.ac +++ b/configure.ac @@ -29,6 +29,12 @@ AC_ARG_

[nft PATCH 0/2] Allow to disable man page output

2018-01-16 Thread Phil Sutter
An option to disable man page creation on systems with broken docbook helps prevent build failures for them. While preparing above functionality (found in patch 2), I noticed the rather confusing help entry for debug option and fixed it while being at it (patch 1). Phil Sutter (2): configure

[nft PATCH 1/2] configure: Fix help text regarding --enable-debug

2018-01-16 Thread Phil Sutter
Debugging symbols are enabled by default, so list '--disable-debug' in help output rather than '--enable-debug'. This way it is also consistent with the parameter's description. Signed-off-by: Phil Sutter <p...@nwl.cc> --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

Re: [ANNOUNCE] nftables 0.8.1 release

2018-01-16 Thread Phil Sutter
On Tue, Jan 16, 2018 at 03:53:30PM +0100, Pablo Neira Ayuso wrote: > On Tue, Jan 16, 2018 at 03:48:24PM +0100, Jan Engelhardt wrote: > > > > >nftables 0.8.1 > > > > > >This release contains mostly incremental fixes and documentation > > >updates, such as fixing up ./configure

[ebtables PATCH] Fix locking if LOCKDIR does not exist

2018-01-15 Thread Phil Sutter
rent option") Signed-off-by: Phil Sutter <p...@nwl.cc> --- libebtc.c | 14 ++ 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/libebtc.c b/libebtc.c index c0ff8ccfa66db..d47424872dc51 100644 --- a/libebtc.c +++ b/libebtc.c @@ -143,10 +143,16 @@ int use_lockfd; * or

Re: A bug in commit: Use flock() for --concurrent option

2018-01-15 Thread Phil Sutter
k file in place which > in turn made future ebtables processes wait indefinitely for the lock to > become free. > > Fix this by using flock(). This also simplifies code quite a bit because > there is no need for a custom signal handler or an __exit routine > anymore. > >

[nft PATCH v2] Don't merge adjacent/overlapping ranges

2018-01-10 Thread Phil Sutter
and the test in tests/shell which explicitly tests for this feature dropped. Signed-off-by: Phil Sutter <p...@nwl.cc> --- Changes since v1: - Dropped newly introduced command line option again. - 0002named_interval_automerging_0 test dropped since without --merge option, it can't be

Re: [nft PATCH] Don't merge adjacent/overlapping ranges by default

2018-01-10 Thread Phil Sutter
Hey! On Wed, Jan 10, 2018 at 01:08:01PM +0100, Pablo Neira Ayuso wrote: > On Wed, Jan 10, 2018 at 12:57:25PM +0100, Phil Sutter wrote: > > Hi Pablo, > > > > On Wed, Jan 10, 2018 at 12:51:00PM +0100, Pablo Neira Ayuso wrote: > > [...] > > > I would disab

Re: [nft PATCH] Don't merge adjacent/overlapping ranges by default

2018-01-10 Thread Phil Sutter
Hi Pablo, On Wed, Jan 10, 2018 at 12:51:00PM +0100, Pablo Neira Ayuso wrote: [...] > I would disable this by default by now, no option. > > Then, revisit this later on to see if it's worth adding this, thanks! Should I drop everything that's needed to make it optional or just remove the option

[nft PATCH] Don't merge adjacent/overlapping ranges by default

2018-01-10 Thread Phil Sutter
and the other in tests/shell to call nft with --merge option. Signed-off-by: Phil Sutter <p...@nwl.cc> --- include/expression.h | 2 +- include/netlink.h | 2 ++ include/nftables.h | 1 + i

Re: libnftables extended API proposal

2018-01-10 Thread Phil Sutter
Hi Mark, On Tue, Jan 09, 2018 at 10:46:14PM -0600, mark diener wrote: > Why don't you just put a JSON layer above the c-based libnftl 0.9 ? > > That way, whatever is working in C-based API can then get JSON support > and disrupt the apple cart. > > Call it libnftljson-0.9.so, which is then

Re: libnftables extended API proposal

2018-01-05 Thread Phil Sutter
Hi Pablo, On Tue, Jan 02, 2018 at 07:02:19PM +0100, Pablo Neira Ayuso wrote: > On Fri, Dec 29, 2017 at 03:58:16PM +0100, Phil Sutter wrote: > > On Thu, Dec 28, 2017 at 08:21:41PM +0100, Pablo Neira Ayuso wrote: > > > On Sat, Dec 23, 2017 at 02:19:41PM +0100,

Re: libnftables extended API proposal

2017-12-29 Thread Phil Sutter
On Thu, Dec 28, 2017 at 08:21:41PM +0100, Pablo Neira Ayuso wrote: > Hi Phil, > > On Sat, Dec 23, 2017 at 02:19:41PM +0100, Phil Sutter wrote: > > On Fri, Dec 22, 2017 at 09:39:03PM +0100, Pablo Neira Ayuso wrote: > > > On Fri, Dec 22, 2017 at 04:30:49PM +0100, Phil Sutter

Re: libnftables extended API proposal

2017-12-23 Thread Phil Sutter
On Fri, Dec 22, 2017 at 09:39:03PM +0100, Pablo Neira Ayuso wrote: > On Fri, Dec 22, 2017 at 04:30:49PM +0100, Phil Sutter wrote: > > Hi Pablo, > > > > On Fri, Dec 22, 2017 at 02:49:06PM +0100, Pablo Neira Ayuso wrote: > > > On Fri, Dec 22, 2017 at 02:08

Re: libnftables extended API proposal

2017-12-22 Thread Phil Sutter
Hi Pablo, On Fri, Dec 22, 2017 at 02:49:06PM +0100, Pablo Neira Ayuso wrote: > On Fri, Dec 22, 2017 at 02:08:16PM +0100, Phil Sutter wrote: > > On Wed, Dec 20, 2017 at 11:23:36PM +0100, Pablo Neira Ayuso wrote: > > > On Wed, Dec 20, 2017 at 01:32:25PM +0100,

Re: libnftables extended API proposal

2017-12-22 Thread Phil Sutter
Hi Pablo, On Wed, Dec 20, 2017 at 11:23:36PM +0100, Pablo Neira Ayuso wrote: > On Wed, Dec 20, 2017 at 01:32:25PM +0100, Phil Sutter wrote: > [...] > > On Tue, Dec 19, 2017 at 12:00:48AM +0100, Pablo Neira Ayuso wrote: > > > On Sat, Dec 16, 2017 at 05:06:51PM +01

Re: libnftables extended API proposal

2017-12-20 Thread Phil Sutter
Hi Pablo, On Tue, Dec 19, 2017 at 12:00:48AM +0100, Pablo Neira Ayuso wrote: > On Sat, Dec 16, 2017 at 05:06:51PM +0100, Phil Sutter wrote: > > On Sun, Dec 10, 2017 at 10:55:40PM +0100, Pablo Neira Ayuso wrote: > > > On Thu, Dec 07, 2017 at 12:34:31PM +0100, Phil Sutter wrote:

Re: [PATCH nf] netfilter: nf_tables: fix chain filter in nf_tables_dump_rules()

2017-12-19 Thread Phil Sutter
chars") This really fixes: b7263e071aba7 ("netfilter: nf_tables: Allow chain name of up to 255 chars") > Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> Apart from that: Acked-by: Phil Sutter <p...@nwl.cc> Thanks, Phil -- To unsubscribe from this list: send the lin

Re: libnftables extended API proposal

2017-12-16 Thread Phil Sutter
Hi Pablo, On Sun, Dec 10, 2017 at 10:55:40PM +0100, Pablo Neira Ayuso wrote: > On Thu, Dec 07, 2017 at 12:34:31PM +0100, Phil Sutter wrote: > > On Thu, Dec 07, 2017 at 01:05:45AM +0100, Pablo Neira Ayuso wrote: > > > On Tue, Dec 05, 2017 at 02:43:17PM +0100,

[libnftnl PATCH 5/6] src/set_elem: Don't return garbage in nftnl_set_elems_parse()

2017-12-14 Thread Phil Sutter
This might happen if netlink message is malformed (no nested attributes are present), so treat this as an error and return -1 instead of garbage to caller. Signed-off-by: Phil Sutter <p...@nwl.cc> --- src/set_elem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git

[libnftnl PATCH 3/6] src/object: Avoid returning garbage in nftnl_obj_do_parse()

2017-12-14 Thread Phil Sutter
It may happen that 'perr' variable does not get initialized, so making parameter 'err' point to it in any case is error-prone. Avoid this by initializing 'perr' upon declaration. Signed-off-by: Phil Sutter <p...@nwl.cc> --- src/object.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

[libnftnl PATCH 6/6] src/trace: Check return value of mnl_attr_parse_nested()

2017-12-14 Thread Phil Sutter
This is done everywhere else as well, so certainly not a bad thing here either. Signed-off-by: Phil Sutter <p...@nwl.cc> --- src/trace.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/trace.c b/src/trace.c index bd05d3c58d2fa..b016e723a7ded 100644 --- a/src/t

[libnftnl PATCH 4/6] src/ruleset: Avoid reading garbage in nftnl_ruleset_cb()

2017-12-14 Thread Phil Sutter
If nftnl_ruleset_json_parse() is called with arg == NULL, ctx.data is left uninitialized and will later be used in nftnl_ruleset_cb(). Avoid this by using a C99-style initializer for 'ctx' which sets all omitted fields to zero. Signed-off-by: Phil Sutter <p...@nwl.cc> --- src/ruleset.

[libnftnl PATCH 2/6] src/gen: Remove a pointless call to mnl_nlmsg_get_payload()

2017-12-14 Thread Phil Sutter
It is a common idiom in all *_nlmsg_parse() functions, but nftnl_gen_nlmsg_parse() doesn't make use of the data pointer and the compiler probably can't eliminate it since there could be a side-effect. Signed-off-by: Phil Sutter <p...@nwl.cc> --- src/gen.c | 4 ++-- 1 file changed, 2 inse

[libnftnl PATCH 1/6] nftnl_data_reg_snprintf: Add a missing break

2017-12-14 Thread Phil Sutter
The code works fine as-is, but if reg_type == DATA_VALUE && output_format == NFTNL_OUTPUT_XML, we fall through to DATA_CHAIN case and therefore pointlessly check output_format again. Signed-off-by: Phil Sutter <p...@nwl.cc> --- src/expr/data_reg.c | 1 + 1 file changed, 1 inse

[libnftnl PATCH 0/6] Another round of Covscan indicated fixes

2017-12-14 Thread Phil Sutter
This series fixes potential issues identified by a recent Covscan run. Phil Sutter (6): nftnl_data_reg_snprintf: Add a missing break src/gen: Remove a pointless call to mnl_nlmsg_get_payload() src/object: Avoid returning garbage in nftnl_obj_do_parse() src/ruleset: Avoid reading garbage

[nft PATCH] tests/py: trivial: Fix error message

2017-12-09 Thread Phil Sutter
The error message for failed chain creation quotes the chain's name but lacked the closing tick. Signed-off-by: Phil Sutter <p...@nwl.cc> --- tests/py/nft-test.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py index 9ad9771

[nft PATCH] Fix protocol context update on big-endian systems

2017-12-09 Thread Phil Sutter
), a necessary requirement for the introduced wrapper to function at all. - (left->flags & EXPR_F_PROTOCOL) != 0 -> The crucial missing check which led to the problem. Suggested-by: Florian Westphal <f...@strlen.de> Signed-off-by: Phil Sutter <p...@nwl.cc> --- include/expression.h

Re: libnftables extended API proposal (Was: Re: [nft PATCH] libnftables: Fix for multiple context instances)

2017-12-07 Thread Phil Sutter
Hi Pablo, On Thu, Dec 07, 2017 at 01:05:45AM +0100, Pablo Neira Ayuso wrote: > On Tue, Dec 05, 2017 at 02:43:17PM +0100, Phil Sutter wrote: [...] > > After tweaking the parser a bit, I can use it now to parse just a > > set_list_member_expr and use the struct expr it ret

libnftables extended API proposal (Was: Re: [nft PATCH] libnftables: Fix for multiple context instances)

2017-12-05 Thread Phil Sutter
Hi Pablo, Since I was about to start explaining my extended API idea as part of my reply, let's take this on-list and I'll give a full overview. On Mon, Dec 04, 2017 at 07:46:04PM +0100, Pablo Neira Ayuso wrote: [...] > Kernel code to check if an element is exists is already upstream, it's > in

[nft PATCH v2] Make libnftables a local static library

2017-11-30 Thread Phil Sutter
This changes Makefiles so that libnftables is built into a static library which is not installed. This allows for incompatible changes while still providing a library to link to for testing purposes. Signed-off-by: Phil Sutter <p...@nwl.cc> --- Changes since v1: - Keep it a libtool l

Re: [nft PATCH] Make libnftables a local static library

2017-11-30 Thread Phil Sutter
On Thu, Nov 30, 2017 at 06:36:04PM +0100, Jan Engelhardt wrote: > > On Thursday 2017-11-30 18:11, Phil Sutter wrote: > > >This changes Makefiles so that libnftables is built into a static > >library which is not installed. This allows for incompatible changes > >whil

[nft PATCH] Make libnftables a local static library

2017-11-30 Thread Phil Sutter
This changes Makefiles so that libnftables is built into a static library which is not installed. This allows for incompatible changes while still providing a library to link to for testing purposes. Signed-off-by: Phil Sutter <p...@nwl.cc> --- Makefile.am | 3 --- src/Makefile.a

Re: [nft PATCH] libnftables: Fix for multiple context instances

2017-11-22 Thread Phil Sutter
On Mon, Nov 20, 2017 at 05:53:13PM +0100, Pablo Neira Ayuso wrote: > On Mon, Nov 20, 2017 at 04:58:22PM +0100, Phil Sutter wrote: > > On Mon, Nov 20, 2017 at 02:07:32PM +0100, Pablo Neira Ayuso wrote: > > > On Mon, Nov 20, 2017 at 01:54:18PM +0100, Phil Sutter wrote: > >

[nft PATCH] tests: shell: Prevent lockout in nft-f/0008split_tables_0

2017-11-21 Thread Phil Sutter
table definition works via nft -f") Signed-off-by: Phil Sutter <p...@nwl.cc> --- tests/shell/testcases/nft-f/0008split_tables_0 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/shell/testcases/nft-f/0008split_tables_0 b/tests/shell/testcases/nft-f/0008spli

Re: [nft PATCH] libnftables: Fix for multiple context instances

2017-11-20 Thread Phil Sutter
On Mon, Nov 20, 2017 at 02:07:32PM +0100, Pablo Neira Ayuso wrote: > On Mon, Nov 20, 2017 at 01:54:18PM +0100, Phil Sutter wrote: > > On Mon, Nov 20, 2017 at 01:37:26PM +0100, Pablo Neira Ayuso wrote: > > > On Thu, Nov 16, 2017 at 08:10:24PM +0100, Phil Sutter wrote: > >

[nft PATCH] libnftables: Ensure output_fp is never NULL

2017-11-20 Thread Phil Sutter
stream. If applications desire to drop all output, they are supposed to open /dev/null and assign that. Signed-off-by: Phil Sutter <p...@nwl.cc> --- src/libnftables.c | 10 -- src/main.c| 1 - src/rule.c| 6 +- 3 files changed, 5 insertions(+), 12 deletions(-)

Re: [nft PATCH] libnftables: Fix for multiple context instances

2017-11-20 Thread Phil Sutter
On Mon, Nov 20, 2017 at 01:37:26PM +0100, Pablo Neira Ayuso wrote: > On Thu, Nov 16, 2017 at 08:10:24PM +0100, Phil Sutter wrote: > > If a second context is created, the second call to nft_ctx_free() leads > > to freeing invalid pointers in nft_exit(). Fix this by introducing

Re: [nft PATCH RFC] libnftables: Make output_fp default to /dev/null

2017-11-20 Thread Phil Sutter
On Mon, Nov 20, 2017 at 01:33:13PM +0100, Pablo Neira Ayuso wrote: > On Mon, Nov 20, 2017 at 01:32:04PM +0100, Pablo Neira Ayuso wrote: > > Hi Phil, > > > > On Thu, Nov 16, 2017 at 08:14:15PM +0100, Phil Sutter wrote: > > > Ensure output_fp is never NULL which

[nft PATCH RFC] libnftables: Make output_fp default to /dev/null

2017-11-16 Thread Phil Sutter
Ensure output_fp is never NULL which allows to drop all respective checks. Signed-off-by: Phil Sutter <p...@nwl.cc> --- Hi Pablo, This is how I understood your suggestion to use /dev/null. While implementing it though, I had an idea for a much simpler solution, namely just rejectin

[nft PATCH] libnftables: Fix for multiple context instances

2017-11-16 Thread Phil Sutter
this using a mutex in a way that once nft_init() returns, the first call to that function running in parallel is guaranteed to be finished - otherwise it could happen that things being initialized in one thread are already accessed in another one. Signed-off-by: Phil Sutter <p...@nwl.cc> --

Re: [nft PATCH 2/2] monitor: Make JSON output respect output_fp

2017-11-16 Thread Phil Sutter
On Thu, Nov 16, 2017 at 03:12:06PM +0100, Pablo Neira Ayuso wrote: > On Thu, Nov 16, 2017 at 02:58:21PM +0100, Phil Sutter wrote: > > On Thu, Nov 16, 2017 at 02:54:44PM +0100, Pablo Neira Ayuso wrote: > > > On Thu, Nov 16, 2017 at 02:38:24PM +0100, Pablo Neira Ayuso wrote: >

Re: [nft PATCH] libnftables: Split code into frontend and library

2017-11-16 Thread Phil Sutter
On Thu, Nov 16, 2017 at 02:56:30PM +0100, Pablo Neira Ayuso wrote: > On Thu, Nov 16, 2017 at 02:34:48PM +0100, Pablo Neira Ayuso wrote: > > On Tue, Nov 14, 2017 at 09:17:10PM +0100, Phil Sutter wrote: > > > This finally creates the libnftables shared object. > >

Re: [nft PATCH 2/2] monitor: Make JSON output respect output_fp

2017-11-16 Thread Phil Sutter
On Thu, Nov 16, 2017 at 02:38:24PM +0100, Pablo Neira Ayuso wrote: > On Thu, Nov 16, 2017 at 09:06:29AM +0100, Phil Sutter wrote: > > This introduces a rather nasty macro to call nftnl_*_fprintf() only if > > output_fp is valid. On the other hand, it allows to pull the common

Re: [nft PATCH v3] libnftables: Unexport enum nftables_exit_codes

2017-11-16 Thread Phil Sutter
Hi Pablo, On Thu, Nov 16, 2017 at 02:33:32PM +0100, Pablo Neira Ayuso wrote: > On Mon, Nov 13, 2017 at 03:08:16PM +0100, Phil Sutter wrote: > > Apart from SUCCESS/FAILURE, these codes were not used by library > > functions simply because NOMEM and NONL conditions lead to c

[nft PATCH 1/2] Make 'nft export' respect output_fp

2017-11-16 Thread Phil Sutter
Signed-off-by: Phil Sutter <p...@nwl.cc> --- src/rule.c | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/rule.c b/src/rule.c index 6a322167b8265..5a6c602505455 100644 --- a/src/rule.c +++ b/src/rule.c @@ -1153,6 +1153,10 @@ static int do_command_delete(

[nft PATCH 2/2] monitor: Make JSON output respect output_fp

2017-11-16 Thread Phil Sutter
This introduces a rather nasty macro to call nftnl_*_fprintf() only if output_fp is valid. On the other hand, it allows to pull the common parts (format argument, event conversion) into a single place. Signed-off-by: Phil Sutter <p...@nwl.cc> --- src/netlink.

[nft PATCH] libnftables: Split code into frontend and library

2017-11-14 Thread Phil Sutter
(, , scanner); So this patch contains a workaround, namely declaring both functions in src/parser_bison.y. During linking the objects are found, so this is rather a matter of cosmetics. Signed-off-by: Phil Sutter <p...@nwl.cc> --- .gitignore | 3 +++ Makefile.am| 3 +++ config

[nft PATCH v3] libnftables: Unexport enum nftables_exit_codes

2017-11-13 Thread Phil Sutter
will then contain more details about what happened and/or there are messages in erec. Calls to exit()/return in main() are adjusted to stay compatible. Signed-off-by: Phil Sutter <p...@nwl.cc> --- Changes since v1: - Fixed return code of main() if nft_run_cmd_from_*() fails, this broke tests

Re: [nft PATCH v2] libnftables: Unexport enum nftables_exit_codes

2017-11-13 Thread Phil Sutter
On Mon, Nov 13, 2017 at 02:53:50PM +0100, Pablo Neira Ayuso wrote: > On Mon, Nov 13, 2017 at 02:49:04PM +0100, Phil Sutter wrote: > > On Mon, Nov 13, 2017 at 01:31:00PM +0100, Pablo Neira Ayuso wrote: > > > On Fri, Nov 10, 2017 at 12:27:15PM +0100, Phil Sutter wrote:

Re: [nft PATCH v2] libnftables: Unexport enum nftables_exit_codes

2017-11-13 Thread Phil Sutter
On Mon, Nov 13, 2017 at 01:31:00PM +0100, Pablo Neira Ayuso wrote: > On Fri, Nov 10, 2017 at 12:27:15PM +0100, Phil Sutter wrote: > > diff --git a/src/main.c b/src/main.c > > index 529bedffc2e3b..8d03f8989b1fc 100644 > > --- a/src/main.c > > +++ b/src/main.c > > @

Re: [nft PATCH v2] libnftables: Unexport enum nftables_exit_codes

2017-11-13 Thread Phil Sutter
On Mon, Nov 13, 2017 at 01:31:00PM +0100, Pablo Neira Ayuso wrote: > On Fri, Nov 10, 2017 at 12:27:15PM +0100, Phil Sutter wrote: > > diff --git a/src/main.c b/src/main.c > > index 529bedffc2e3b..8d03f8989b1fc 100644 > > --- a/src/main.c > > +++ b/src/main.c > > @

[nft PATCH] Eliminate struct mnl_ctx

2017-11-10 Thread Phil Sutter
context though, the ad-hoc netlink_ctx definition from cache_init() is moved into cache_update() to have it available there already. Signed-off-by: Phil Sutter <p...@nwl.cc> --- include/mnl.h | 72 -- include/netlink.h | 2 +- src/mnl.c

[nft PATCH v2] libnftables: Unexport enum nftables_exit_codes

2017-11-10 Thread Phil Sutter
will then contain more details about what happened and/or there are messages in erec. Calls to exit() in main() are adjusted to stay compatible. Signed-off-by: Phil Sutter <p...@nwl.cc> --- Changes since v1: - Fixed return code of main() if nft_run_cmd_from_*() fails, this broke tests/shell. --- i

Re: [nft PATCH] libnftables: Unexport enum nftables_exit_codes

2017-11-09 Thread Phil Sutter
On Thu, Nov 09, 2017 at 02:25:26PM +0100, Phil Sutter wrote: > Apart from SUCCESS/FAILURE, these codes were not used by library > functions simply because NOMEM and NONL conditions lead to calling > exit() instead of propagating the error condition back up the call > stack. >

[nft PATCH] libnftables: Unexport enum nftables_exit_codes

2017-11-09 Thread Phil Sutter
will then contain more details about what happened and/or there are messages in erec. Calls to exit() in main() are adjusted to stay compatible. Signed-off-by: Phil Sutter <p...@nwl.cc> --- include/nftables.h | 7 +++ include/nftables/nftables.h | 10 -- src/libnfta

[nft PATCH] libnftables: Flush iface cache after command execution

2017-11-09 Thread Phil Sutter
only calls nft_run_cmd_from_buffer(), flush caches in nft_run_cmd_from_filename() as well for matters of consistency. Fixes: 94a945ffa81b7 ("libnftables: Get rid of explicit cache flushes") Signed-off-by: Phil Sutter <p...@nwl.cc> --- src/libnftables.c | 2 ++ 1 file changed, 2 insertions(+) diff

nft: I broke interactive mode with iface changes

2017-11-08 Thread Phil Sutter
Hi, When preparing my patch 94a945ffa81b7 ("libnftables: Get rid of explicit cache flushes"), I missed that 'nft -i' was explicitly dropping the interface cache after every command, so now it won't recognize interface changes anymore. Sadly, there is no lightweight method available to detect an

[nft PATCH] libnftables: Get rid of explicit cache flushes

2017-10-25 Thread Phil Sutter
) compare that stored value to the current generation ID received from kernel - if the stored value is zero (i.e. no previous cache update did happen) or if it doesn't match the kernel's value (i.e. cache is outdated) the cache is flushed and fully initialized again. Signed-off-by: Phil Sutter <

Re: [nft PATCH v2 2/4] libnftables: Introduce nft_ctx_flush_cache()

2017-10-24 Thread Phil Sutter
Hi, On Tue, Oct 24, 2017 at 05:52:59PM +0200, Pablo Neira Ayuso wrote: > On Mon, Oct 23, 2017 at 05:33:17PM +0200, Phil Sutter wrote: [...] > > diff --git a/include/nftables/nftables.h b/include/nftables/nftables.h > > index 44d3e95d399e6..1207f10cd2457 100644 > > -

Re: [nft PATCH v2 1/4] libnftables: Move library stuff out of main.c

2017-10-24 Thread Phil Sutter
Hi Pablo, On Tue, Oct 24, 2017 at 05:48:00PM +0200, Pablo Neira Ayuso wrote: > On Mon, Oct 23, 2017 at 05:33:16PM +0200, Phil Sutter wrote: [...] > > +/** > > + * Exit codes returned by nft_run_cmd_from_*() > > + */ > > +enum nftables_exit_codes { > >

Re: [nft PATCH v2 0/4] libnftables preparations

2017-10-24 Thread Phil Sutter
On Tue, Oct 24, 2017 at 05:20:33PM +0200, Pablo Neira Ayuso wrote: > On Mon, Oct 23, 2017 at 05:33:15PM +0200, Phil Sutter wrote: > > The following series prepares libnftables library split-off by moving > > API functions into src/libnftables.c, introducing > > includ

Re: [PATCH nft] src: add nft_ prefix to everything exposed through include/nftables/nftables.h

2017-10-24 Thread Phil Sutter
filter.org> Acked-by: Phil Sutter <p...@nwl.cc> Thanks for sorting this for me, Phil

[nft PATCH v2 1/4] libnftables: Move library stuff out of main.c

2017-10-23 Thread Phil Sutter
This creates src/libnftables.c and include/nftables/nftables.h which will become the central elements of libnftables. Signed-off-by: Phil Sutter <p...@nwl.cc> --- include/Makefile.am | 3 +- include/nftables.h | 27 + include/nftables/Makefile.am | 1 + i

[nft PATCH v2 4/4] libnftables: Introduce getters and setters for everything

2017-10-23 Thread Phil Sutter
th()-> add an include path to the list * nft_ctx_clear_include_paths() -> flush the list of include paths Signed-off-by: Phil Sutter <p...@nwl.cc> --- include/nftables.h | 4 +- include/nftables/nftables.h | 19 + src/libnftables.c | 101 +

[nft PATCH v2 2/4] libnftables: Introduce nft_ctx_flush_cache()

2017-10-23 Thread Phil Sutter
that there is no need for explicit cache update routine since cache is populated during command execution depending on whether it is needed or not. Signed-off-by: Phil Sutter <p...@nwl.cc> --- include/nftables/nftables.h | 1 + src/cli.c | 3 +-- src/libnftables.c | 9 +++-- 3

[nft PATCH v2 0/4] libnftables preparations

2017-10-23 Thread Phil Sutter
and avoid moving header file content back and forth between nftables.h and nftables/nftables.h. - Improved patch descriptions. Phil Sutter (4): libnftables: Move library stuff out of main.c libnftables: Introduce nft_ctx_flush_cache() cli: Use nft_run_cmd_from_buffer() libnftables: Introdu

[nft PATCH v2 3/4] cli: Use nft_run_cmd_from_buffer()

2017-10-23 Thread Phil Sutter
. * Error messages are printed to stderr instead of cli_nft->output. This could be fixed by introducing an 'error_output' field in nft_ctx for nft_run_cmd_from_buffer() to use when printing error messages. Signed-off-by: Phil Sutter <p...@nwl.cc> --- include/cli.h | 6 ++ include/n

Re: [nft PATCH 6/7] libnftables: Provide an API for include path handling

2017-10-20 Thread Phil Sutter
On Fri, Oct 20, 2017 at 09:16:43PM +0200, Pablo Neira Ayuso wrote: > On Fri, Oct 20, 2017 at 07:16:20PM +0200, Phil Sutter wrote: > > Hi, > > > > On Fri, Oct 20, 2017 at 02:17:00PM +0200, Pablo Neira Ayuso wrote: > > > On Thu, Oct 19, 2017 at 10:18

Re: [nft PATCH 4/7] cli: Use nft_run_cmd_from_buffer()

2017-10-20 Thread Phil Sutter
On Fri, Oct 20, 2017 at 09:18:07PM +0200, Pablo Neira Ayuso wrote: > On Fri, Oct 20, 2017 at 07:10:18PM +0200, Phil Sutter wrote: > > On Fri, Oct 20, 2017 at 02:15:34PM +0200, Pablo Neira Ayuso wrote: > > > On Thu, Oct 19, 2017 at 10:18:44AM +0200, Phil Sutter wrote: > >

Re: [nft PATCH 3/7] libnftables: Introduce nft_ctx_flush_cache()

2017-10-20 Thread Phil Sutter
On Fri, Oct 20, 2017 at 09:10:31PM +0200, Pablo Neira Ayuso wrote: > On Fri, Oct 20, 2017 at 07:05:13PM +0200, Phil Sutter wrote: > > Hi, > > > > On Fri, Oct 20, 2017 at 02:13:26PM +0200, Pablo Neira Ayuso wrote: > > > On Thu, Oct 19, 2017 at 10:18

Re: [nft PATCH 6/7] libnftables: Provide an API for include path handling

2017-10-20 Thread Phil Sutter
Hi, On Fri, Oct 20, 2017 at 02:17:00PM +0200, Pablo Neira Ayuso wrote: > On Thu, Oct 19, 2017 at 10:18:46AM +0200, Phil Sutter wrote: [...] > > +int nft_ctx_add_include_path(struct nft_ctx *ctx, const char *path) > > Do we want to accept runtime addition/removal o

Re: [nft PATCH 4/7] cli: Use nft_run_cmd_from_buffer()

2017-10-20 Thread Phil Sutter
On Fri, Oct 20, 2017 at 02:15:34PM +0200, Pablo Neira Ayuso wrote: > On Thu, Oct 19, 2017 at 10:18:44AM +0200, Phil Sutter wrote: > > This simplifies CLI code and allows to reduce libnftables API by not > > exporting nft_run(). > > > > Since nft_run_cmd_from_buf

Re: [nft PATCH 3/7] libnftables: Introduce nft_ctx_flush_cache()

2017-10-20 Thread Phil Sutter
Hi, On Fri, Oct 20, 2017 at 02:13:26PM +0200, Pablo Neira Ayuso wrote: > On Thu, Oct 19, 2017 at 10:18:43AM +0200, Phil Sutter wrote: [...] > > +void nft_ctx_flush_cache(struct nft_ctx *ctx) > > +{ > > + iface_cache_release(); > > + cache_release(>cache);

Re: [nft PATCH 2/7] libnftables: Move library stuff out of main.c

2017-10-20 Thread Phil Sutter
Hi, On Fri, Oct 20, 2017 at 02:12:02PM +0200, Pablo Neira Ayuso wrote: > On Thu, Oct 19, 2017 at 10:18:42AM +0200, Phil Sutter wrote: [...] > > diff --git a/include/nftables/nftables.h b/include/nftables/nftables.h > > new file mode 100644 > > index 0..052a77bfb5

Re: [nft PATCH 7/7] libnftables: Add remaining getters and setters

2017-10-20 Thread Phil Sutter
Hi Pablo, On Fri, Oct 20, 2017 at 02:18:53PM +0200, Pablo Neira Ayuso wrote: [...] > Oh, I see. Now these structure definitions are coming back to > include/nftables.h. I'm telling this because of what I mentioned in > 2/7. I have to admit, it was quite entertaining watching you following my

[iptables PATCH] libxt_recent: Remove ineffective checks for info->name

2017-10-20 Thread Phil Sutter
strings as --name argument. So simply get rid of the checks altogether. Signed-off-by: Phil Sutter <p...@nwl.cc> --- extensions/libxt_recent.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/extensions/libxt_recent.c b/extensions/libxt_recent.c index e1801f1

[nft PATCH 5/7] libnftables: Introduce nft_ctx_set_dry_run()

2017-10-19 Thread Phil Sutter
Provide a convenient interface to configure dry run mode. Signed-off-by: Phil Sutter <p...@nwl.cc> --- include/nftables/nftables.h | 3 +++ src/libnftables.c | 5 + src/main.c | 2 +- 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/include/nf

[nft PATCH 2/7] libnftables: Move library stuff out of main.c

2017-10-19 Thread Phil Sutter
Signed-off-by: Phil Sutter <p...@nwl.cc> --- include/Makefile.am | 3 +- include/nftables.h | 65 +-- include/nftables/Makefile.am | 1 + include/nftables/nftables.h | 88 +++ src/Makefile.am | 3 +- src/libnftables.c

[nft PATCH 6/7] libnftables: Provide an API for include path handling

2017-10-19 Thread Phil Sutter
In order to keep the API simple, remove INCLUDE_PATHS_MAX restraint and dynamically allocate nft_ctx field include_paths instead. Signed-off-by: Phil Sutter <p...@nwl.cc> --- include/nftables/nftables.h | 6 +++--- src/libnftables.c | 34 -- src/

[nft PATCH 3/7] libnftables: Introduce nft_ctx_flush_cache()

2017-10-19 Thread Phil Sutter
This allows an application to explicitly flush caches associated with a given nft context. Note that this is a bit inconsistent in that it releases the global interface cache, but nft_ctx_free() does the same so at least it's not a regression. Signed-off-by: Phil Sutter <p...@nwl

[nft PATCH 0/7] libnftables preparations

2017-10-19 Thread Phil Sutter
of that struct's internals. The 'nft' binary will become the first "demo" user of libnftables and acts as a reference for library design and usability. Phil Sutter (7): nft_ctx_free: Fix for wrong argument passed to cache_release libnftables: Move library stuff out of main.c libnftables:

[nft PATCH 1/7] nft_ctx_free: Fix for wrong argument passed to cache_release

2017-10-19 Thread Phil Sutter
nft_ctx_free() should not refer to the global 'nft' variable, this will break as soon as the function is moved away from main.c. In order to use the cache reference from passed argument, the latter must not be const. Signed-off-by: Phil Sutter <p...@nwl.cc> --- src/main.c | 4 ++--

[nft PATCH 4/7] cli: Use nft_run_cmd_from_buffer()

2017-10-19 Thread Phil Sutter
put' field in nft_ctx for nft_run_cmd_from_buffer() to use when printing error messages. Signed-off-by: Phil Sutter <p...@nwl.cc> --- include/cli.h | 6 ++ include/nftables/nftables.h | 5 - src/cli.c | 24 +++- src/libn

[nft PATCH 7/7] libnftables: Add remaining getters and setters

2017-10-19 Thread Phil Sutter
Provide API functions for remaining context settings changed by main.c, then hide struct nft_ctx definition from applications. This allows us to later change data structures internally without risk of breaking applications. Signed-off-by: Phil Sutter <p...@nwl.cc> --- include/nfta

[libnftnl PATCH v3] expr: Introduce nftnl_expr_fprintf()

2017-10-17 Thread Phil Sutter
Implement expression printing into a FILE pointer analogous to nftnl_rule_fprintf(). Signed-off-by: Phil Sutter <p...@nwl.cc> --- Changes since v2: - Fix src/libnftnl.map update. Changes since v1: - Update src/libnftnl.map. --- include/libnftnl/expr.h | 1 + src/expr.c

Re: [libnftnl PATCH v2] expr: Introduce nftnl_expr_fprintf()

2017-10-17 Thread Phil Sutter
Hi, Actually, I don't quite get the suggested change: On Tue, Oct 17, 2017 at 01:31:50PM +0200, Pablo Neira Ayuso wrote: > @@ -308,3 +307,7 @@ global: > > local: *; > }; > + > +LIBNFTNL_6 { > + nftnl_expr_fprintf; > +} LIBMNL_5; Why LIBMNL_5? Shouldn't this be LIBNFTNL_5? Cheers, Phil --

Re: [libnftnl PATCH v2] expr: Introduce nftnl_expr_fprintf()

2017-10-17 Thread Phil Sutter
On Tue, Oct 17, 2017 at 01:31:50PM +0200, Pablo Neira Ayuso wrote: > On Tue, Oct 17, 2017 at 01:22:18PM +0200, Phil Sutter wrote: > > Implement expression printing into a FILE pointer analogous to > > nftnl_rule_fprintf(). > > > > Signed-off-by: Phil Sutter <p...@nwl

[libnftnl PATCH v2] expr: Introduce nftnl_expr_fprintf()

2017-10-17 Thread Phil Sutter
Implement expression printing into a FILE pointer analogous to nftnl_rule_fprintf(). Signed-off-by: Phil Sutter <p...@nwl.cc> --- Changes since v1: - Update src/libnftnl.map --- include/libnftnl/expr.h | 1 + src/expr.c | 14 ++ src/libnftnl.map| 1 + 3

Re: libnftables, next steps

2017-10-16 Thread Phil Sutter
Hi Pablo, On Mon, Oct 16, 2017 at 12:19:51PM +0200, Pablo Neira Ayuso wrote: > On Thu, Oct 05, 2017 at 12:51:52AM +0200, Phil Sutter wrote: [...] > > * Create src/nftables_common.c and include/nftables_common.h to hold > > nft_run() and nft_netlink(). > > Why not j
