Hi David,
On Mon, Feb 19, 2018 at 10:31:39AM -0500, David Miller wrote:
> From: Harald Welte
> Date: Mon, 19 Feb 2018 16:27:46 +0100
>
> > On Mon, Feb 19, 2018 at 10:13:35AM -0500, David Miller wrote:
> >
> >> Florian, first of all, the whole "change the iptables binary"
Hi Shyam,
On Thu, Feb 15, 2018 at 01:25:04AM +0530, Shyam Saini wrote:
> > On Wed, Feb 14, 2018 at 08:16:52PM +0100, Pablo Neira Ayuso wrote:
> >> On Thu, Feb 15, 2018 at 12:34:31AM +0530, Shyam Saini wrote:
> >> > Hi Pablo,
> >> >
> >> > On Thu, Feb 15, 2018 at 12:02 AM, Pablo Neira Ayuso
> >>
Hi Pablo,
On Wed, Feb 07, 2018 at 12:39:43AM +0100, Pablo Neira Ayuso wrote:
> On Tue, Feb 06, 2018 at 07:18:47PM +0100, Phil Sutter wrote:
> > Automatic merging of adjacent/overlapping ranges upon insertion has
> > clear benefits performance- and readability-wise. The drawback
Hi Pablo,
On Tue, Feb 06, 2018 at 01:49:57PM +0100, Pablo Neira Ayuso wrote:
> On Tue, Feb 06, 2018 at 01:40:34PM +0100, Phil Sutter wrote:
> > On Tue, Feb 06, 2018 at 02:44:06AM +, bugzilla-dae...@netfilter.org
> > wrote:
> > > https://bugzilla.netfilter.
On Tue, Feb 06, 2018 at 02:44:06AM +, bugzilla-dae...@netfilter.org wrote:
> https://bugzilla.netfilter.org/show_bug.cgi?id=1224
[...]
> --- Comment #1 from Shyam Saini ---
> Hi Anthony,
>
> > I recently upgraded to nftables v0.8.2 and encountered a regression.
> >
>
Change the test to expect no automerging since it was disabled recently.
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
tests/shell/testcases/sets/0002named_interval_automerging_0 | 12
1 file changed, 12 insertions(+)
create mode 100755 tests/shell/testcase
On Wed, Jan 17, 2018 at 07:59:34PM +0100, Pablo Neira Ayuso wrote:
> On Wed, Jan 17, 2018 at 07:56:30PM +0100, Phil Sutter wrote:
> > On Wed, Jan 17, 2018 at 07:45:04PM +0100, Pablo Neira Ayuso wrote:
> > [...]
> > > > On Wed, Jan 17, 2018 at 01:50:26PM +01
On Wed, Jan 17, 2018 at 07:45:04PM +0100, Pablo Neira Ayuso wrote:
[...]
> > On Wed, Jan 17, 2018 at 01:50:26PM +0100, Pablo Neira Ayuso wrote:
> > > On Wed, Jan 17, 2018 at 01:44:06PM +0100, Pablo Neira Ayuso wrote:
> > > > On Wed, Jan 17, 2018 at 12:51:40
Hi Pablo,
On Wed, Jan 17, 2018 at 01:44:06PM +0100, Pablo Neira Ayuso wrote:
> On Wed, Jan 17, 2018 at 12:51:40PM +0100, Phil Sutter wrote:
> > Although technically there already is support for JSON output via 'nft
> > export json' command, it is hardly useable since it expor
format support for regular 'nft list' commands.
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
Note that this is incomplete and merely meant as foundation for a
discussion about the implementation. A few things I am not happy with:
* The amount of ifdef's introduced is certainly not optimal, th
.
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
configure.ac | 33 +
1 file changed, 21 insertions(+), 12 deletions(-)
diff --git a/configure.ac b/configure.ac
index 22fb293c47035..1d588d5d37773 100644
--- a/configure.ac
+++ b/configure.ac
@@ -29,6 +29,12 @@ AC_ARG_
An option to disable man page creating on systems with broken docbook
helps prevent build failures for them.
While preparing above functionality (found in patch 2), I noticed the
rather confusing help entry for debug option and fixed it while being at
it (patch 1).
Phil Sutter (2):
configure
Debugging symbols are enabled by default, so list '--disable-debug' in
help output rather than '--enable-debug'. This way it is also consistent
with the parameter's description.
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
On Tue, Jan 16, 2018 at 03:53:30PM +0100, Pablo Neira Ayuso wrote:
> On Tue, Jan 16, 2018 at 03:48:24PM +0100, Jan Engelhardt wrote:
> >
> > >nftables 0.8.1
> > >
> > >This release contains mostly incremental fixes and documentation
> > >updates, such as fixing up ./configure
rent option")
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
libebtc.c | 14 ++
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/libebtc.c b/libebtc.c
index c0ff8ccfa66db..d47424872dc51 100644
--- a/libebtc.c
+++ b/libebtc.c
@@ -143,10 +143,16 @@ int use_lockfd;
* or
k file in place which
> in turn made future ebtables processes wait indefinitely for the lock to
> become free.
>
> Fix this by using flock(). This also simplifies code quite a bit because
> there is no need for a custom signal handler or an __exit routine
> anymore.
>
>
and the test in tests/shell which explicitly
tests for this feature dropped.
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
Changes since v1:
- Dropped newly introduced command line option again.
- 0002named_interval_automerging_0 test dropped since without --merge
option, it can't be
Hey!
On Wed, Jan 10, 2018 at 01:08:01PM +0100, Pablo Neira Ayuso wrote:
> On Wed, Jan 10, 2018 at 12:57:25PM +0100, Phil Sutter wrote:
> > Hi Pablo,
> >
> > On Wed, Jan 10, 2018 at 12:51:00PM +0100, Pablo Neira Ayuso wrote:
> > [...]
> > > I would disab
Hi Pablo,
On Wed, Jan 10, 2018 at 12:51:00PM +0100, Pablo Neira Ayuso wrote:
[...]
> I would disable this by default by now, no option.
>
> Then, revisit this later on to see if it's worth adding this, thanks!
Should I drop everything that's needed to make it optional or just
remove the option
and the other in tests/shell to call nft with --merge
option.
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
include/expression.h | 2 +-
include/netlink.h | 2 ++
include/nftables.h | 1 +
i
Hi Mark,
On Tue, Jan 09, 2018 at 10:46:14PM -0600, mark diener wrote:
> Why don't you just put a JSON layer above the c-based libnftl 0.9 ?
>
> That way, whatever is working in C-based API can then get JSON support
> and disrupt the apple cart.
>
> Call it libnftljson-0.9.so, which is then
Hi Pablo,
On Tue, Jan 02, 2018 at 07:02:19PM +0100, Pablo Neira Ayuso wrote:
> On Fri, Dec 29, 2017 at 03:58:16PM +0100, Phil Sutter wrote:
> > On Thu, Dec 28, 2017 at 08:21:41PM +0100, Pablo Neira Ayuso wrote:
> > > On Sat, Dec 23, 2017 at 02:19:41PM +0100,
On Thu, Dec 28, 2017 at 08:21:41PM +0100, Pablo Neira Ayuso wrote:
> Hi Phil,
>
> On Sat, Dec 23, 2017 at 02:19:41PM +0100, Phil Sutter wrote:
> > On Fri, Dec 22, 2017 at 09:39:03PM +0100, Pablo Neira Ayuso wrote:
> > > On Fri, Dec 22, 2017 at 04:30:49PM +0100, Phil Sutter
On Fri, Dec 22, 2017 at 09:39:03PM +0100, Pablo Neira Ayuso wrote:
> On Fri, Dec 22, 2017 at 04:30:49PM +0100, Phil Sutter wrote:
> > Hi Pablo,
> >
> > On Fri, Dec 22, 2017 at 02:49:06PM +0100, Pablo Neira Ayuso wrote:
> > > On Fri, Dec 22, 2017 at 02:08
Hi Pablo,
On Fri, Dec 22, 2017 at 02:49:06PM +0100, Pablo Neira Ayuso wrote:
> On Fri, Dec 22, 2017 at 02:08:16PM +0100, Phil Sutter wrote:
> > On Wed, Dec 20, 2017 at 11:23:36PM +0100, Pablo Neira Ayuso wrote:
> > > On Wed, Dec 20, 2017 at 01:32:25PM +0100,
Hi Pablo,
On Wed, Dec 20, 2017 at 11:23:36PM +0100, Pablo Neira Ayuso wrote:
> On Wed, Dec 20, 2017 at 01:32:25PM +0100, Phil Sutter wrote:
> [...]
> > On Tue, Dec 19, 2017 at 12:00:48AM +0100, Pablo Neira Ayuso wrote:
> > > On Sat, Dec 16, 2017 at 05:06:51PM +01
Hi Pablo,
On Tue, Dec 19, 2017 at 12:00:48AM +0100, Pablo Neira Ayuso wrote:
> On Sat, Dec 16, 2017 at 05:06:51PM +0100, Phil Sutter wrote:
> > On Sun, Dec 10, 2017 at 10:55:40PM +0100, Pablo Neira Ayuso wrote:
> > > On Thu, Dec 07, 2017 at 12:34:31PM +0100, Phil Sutter wrote:
chars")
This really fixes:
b7263e071aba7 ("netfilter: nf_tables: Allow chain name of up to 255 chars")
> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
Apart from that:
Acked-by: Phil Sutter <p...@nwl.cc>
Thanks, Phil
Hi Pablo,
On Sun, Dec 10, 2017 at 10:55:40PM +0100, Pablo Neira Ayuso wrote:
> On Thu, Dec 07, 2017 at 12:34:31PM +0100, Phil Sutter wrote:
> > On Thu, Dec 07, 2017 at 01:05:45AM +0100, Pablo Neira Ayuso wrote:
> > > On Tue, Dec 05, 2017 at 02:43:17PM +0100,
This might happen if the netlink message is malformed (no nested attributes
are present), so treat this as an error and return -1 instead of
garbage to the caller.
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
src/set_elem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git
It may happen that 'perr' variable does not get initialized, so making
parameter 'err' point to it in any case is error-prone. Avoid this by
initializing 'perr' upon declaration.
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
src/object.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
This is done everywhere else as well, so certainly not a bad thing here
either.
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
src/trace.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/trace.c b/src/trace.c
index bd05d3c58d2fa..b016e723a7ded 100644
--- a/src/t
If nftnl_ruleset_json_parse() is called with arg == NULL, ctx.data is
left uninitialized and will later be used in nftnl_ruleset_cb(). Avoid
this by using a C99-style initializer for 'ctx' which sets all omitted
fields to zero.
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
src/ruleset.
It is a common idiom in all *_nlmsg_parse() functions, but
nftnl_gen_nlmsg_parse() doesn't make use of the data pointer and the
compiler probably can't eliminate it since there could be a side-effect.
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
src/gen.c | 4 ++--
1 file changed, 2 inse
The code works fine as-is, but if reg_type == DATA_VALUE &&
output_format == NFTNL_OUTPUT_XML, we fall through to DATA_CHAIN case
and therefore pointlessly check output_format again.
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
src/expr/data_reg.c | 1 +
1 file changed, 1 inse
This series fixes potential issues identified by a recent Covscan run.
Phil Sutter (6):
nftnl_data_reg_snprintf: Add a missing break
src/gen: Remove a pointless call to mnl_nlmsg_get_payload()
src/object: Avoid returning garbage in nftnl_obj_do_parse()
src/ruleset: Avoid reading garbage
The error message for failed chain creation quotes the chain's name but
lacked the closing tick.
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
tests/py/nft-test.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py
index 9ad9771
), a necessary
requirement for the introduced wrapper to function at all.
- (left->flags & EXPR_F_PROTOCOL) != 0
-> The crucial missing check which led to the problem.
Suggested-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
include/expression.h
Hi Pablo,
On Thu, Dec 07, 2017 at 01:05:45AM +0100, Pablo Neira Ayuso wrote:
> On Tue, Dec 05, 2017 at 02:43:17PM +0100, Phil Sutter wrote:
[...]
> > After tweaking the parser a bit, I can use it now to parse just a
> > set_list_member_expr and use the struct expr it ret
Hi Pablo,
Since I was about to start explaining my extended API idea as part of my
reply, let's take this on-list and I'll give a full overview.
On Mon, Dec 04, 2017 at 07:46:04PM +0100, Pablo Neira Ayuso wrote:
[...]
> Kernel code to check if an element is exists is already upstream, it's
> in
This changes Makefiles so that libnftables is built into a static
library which is not installed. This allows for incompatible changes
while still providing a library to link to for testing purposes.
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
Changes since v1:
- Keep it a libtool l
On Thu, Nov 30, 2017 at 06:36:04PM +0100, Jan Engelhardt wrote:
>
> On Thursday 2017-11-30 18:11, Phil Sutter wrote:
>
> >This changes Makefiles so that libnftables is built into a static
> >library which is not installed. This allows for incompatible changes
> >whil
This changes Makefiles so that libnftables is built into a static
library which is not installed. This allows for incompatible changes
while still providing a library to link to for testing purposes.
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
Makefile.am | 3 ---
src/Makefile.a
On Mon, Nov 20, 2017 at 05:53:13PM +0100, Pablo Neira Ayuso wrote:
> On Mon, Nov 20, 2017 at 04:58:22PM +0100, Phil Sutter wrote:
> > On Mon, Nov 20, 2017 at 02:07:32PM +0100, Pablo Neira Ayuso wrote:
> > > On Mon, Nov 20, 2017 at 01:54:18PM +0100, Phil Sutter wrote:
> >
table definition works via
nft -f")
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
tests/shell/testcases/nft-f/0008split_tables_0 | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/shell/testcases/nft-f/0008split_tables_0
b/tests/shell/testcases/nft-f/0008spli
On Mon, Nov 20, 2017 at 02:07:32PM +0100, Pablo Neira Ayuso wrote:
> On Mon, Nov 20, 2017 at 01:54:18PM +0100, Phil Sutter wrote:
> > On Mon, Nov 20, 2017 at 01:37:26PM +0100, Pablo Neira Ayuso wrote:
> > > On Thu, Nov 16, 2017 at 08:10:24PM +0100, Phil Sutter wrote:
> >
stream.
If applications desire to drop all output, they are supposed to open
/dev/null and assign that.
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
src/libnftables.c | 10 --
src/main.c| 1 -
src/rule.c| 6 +-
3 files changed, 5 insertions(+), 12 deletions(-)
On Mon, Nov 20, 2017 at 01:37:26PM +0100, Pablo Neira Ayuso wrote:
> On Thu, Nov 16, 2017 at 08:10:24PM +0100, Phil Sutter wrote:
> > If a second context is created, the second call to nft_ctx_free() leads
> > to freeing invalid pointers in nft_exit(). Fix this by introducing
On Mon, Nov 20, 2017 at 01:33:13PM +0100, Pablo Neira Ayuso wrote:
> On Mon, Nov 20, 2017 at 01:32:04PM +0100, Pablo Neira Ayuso wrote:
> > Hi Phil,
> >
> > On Thu, Nov 16, 2017 at 08:14:15PM +0100, Phil Sutter wrote:
> > > Ensure output_fp is never NULL which
Ensure output_fp is never NULL which allows to drop all respective
checks.
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
Hi Pablo,
This is how I understood your suggestion to use /dev/null. While
implementing it though, I had an idea for a much simpler solution,
namely just rejectin
this
using a mutex in a way that once nft_init() returns, the first call to
that function running in parallel is guaranteed to be finished -
otherwise it could happen that things being initialized in one thread
are already accessed in another one.
Signed-off-by: Phil Sutter <p...@nwl.cc>
--
On Thu, Nov 16, 2017 at 03:12:06PM +0100, Pablo Neira Ayuso wrote:
> On Thu, Nov 16, 2017 at 02:58:21PM +0100, Phil Sutter wrote:
> > On Thu, Nov 16, 2017 at 02:54:44PM +0100, Pablo Neira Ayuso wrote:
> > > On Thu, Nov 16, 2017 at 02:38:24PM +0100, Pablo Neira Ayuso wrote:
>
On Thu, Nov 16, 2017 at 02:56:30PM +0100, Pablo Neira Ayuso wrote:
> On Thu, Nov 16, 2017 at 02:34:48PM +0100, Pablo Neira Ayuso wrote:
> > On Tue, Nov 14, 2017 at 09:17:10PM +0100, Phil Sutter wrote:
> > > This finally creates the libnftables shared object.
> >
On Thu, Nov 16, 2017 at 02:38:24PM +0100, Pablo Neira Ayuso wrote:
> On Thu, Nov 16, 2017 at 09:06:29AM +0100, Phil Sutter wrote:
> > This introduces a rather nasty macro to call nftnl_*_fprintf() only if
> > output_fp is valid. On the other hand, it allows to pull the common
Hi Pablo,
On Thu, Nov 16, 2017 at 02:33:32PM +0100, Pablo Neira Ayuso wrote:
> On Mon, Nov 13, 2017 at 03:08:16PM +0100, Phil Sutter wrote:
> > Apart from SUCCESS/FAILURE, these codes were not used by library
> > functions simply because NOMEM and NONL conditions lead to c
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
src/rule.c | 9 +++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/rule.c b/src/rule.c
index 6a322167b8265..5a6c602505455 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -1153,6 +1153,10 @@ static int do_command_delete(
This introduces a rather nasty macro to call nftnl_*_fprintf() only if
output_fp is valid. On the other hand, it allows to pull the common
parts (format argument, event conversion) into a single place.
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
src/netlink.
(, , scanner);
So this patch contains a workaround, namely declaring both functions
in src/parser_bison.y. During linking the objects are found, so this is
rather a matter of cosmetics.
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
.gitignore | 3 +++
Makefile.am| 3 +++
config
will then contain more details about what happened and/or
there are messages in erec.
Calls to exit()/return in main() are adjusted to stay compatible.
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
Changes since v1:
- Fixed return code of main() if nft_run_cmd_from_*() fails, this broke
tests
On Mon, Nov 13, 2017 at 02:53:50PM +0100, Pablo Neira Ayuso wrote:
> On Mon, Nov 13, 2017 at 02:49:04PM +0100, Phil Sutter wrote:
> > On Mon, Nov 13, 2017 at 01:31:00PM +0100, Pablo Neira Ayuso wrote:
> > > On Fri, Nov 10, 2017 at 12:27:15PM +0100, Phil Sutter wrote:
On Mon, Nov 13, 2017 at 01:31:00PM +0100, Pablo Neira Ayuso wrote:
> On Fri, Nov 10, 2017 at 12:27:15PM +0100, Phil Sutter wrote:
> > diff --git a/src/main.c b/src/main.c
> > index 529bedffc2e3b..8d03f8989b1fc 100644
> > --- a/src/main.c
> > +++ b/src/main.c
> > @
On Mon, Nov 13, 2017 at 01:31:00PM +0100, Pablo Neira Ayuso wrote:
> On Fri, Nov 10, 2017 at 12:27:15PM +0100, Phil Sutter wrote:
> > diff --git a/src/main.c b/src/main.c
> > index 529bedffc2e3b..8d03f8989b1fc 100644
> > --- a/src/main.c
> > +++ b/src/main.c
> > @
context though, the ad-hoc
netlink_ctx definition from cache_init() is moved into cache_update() to
have it available there already.
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
include/mnl.h | 72 --
include/netlink.h | 2 +-
src/mnl.c
will then contain more details about what happened and/or
there are messages in erec.
Calls to exit() in main() are adjusted to stay compatible.
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
Changes since v1:
- Fixed return code of main() if nft_run_cmd_from_*() fails, this broke
tests/shell.
---
i
On Thu, Nov 09, 2017 at 02:25:26PM +0100, Phil Sutter wrote:
> Apart from SUCCESS/FAILURE, these codes were not used by library
> functions simply because NOMEM and NONL conditions lead to calling
> exit() instead of propagating the error condition back up the call
> stack.
>
will then contain more details about what happened and/or
there are messages in erec.
Calls to exit() in main() are adjusted to stay compatible.
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
include/nftables.h | 7 +++
include/nftables/nftables.h | 10 --
src/libnfta
only calls nft_run_cmd_from_buffer(), flush caches in
nft_run_cmd_from_filename() as well for matters of consistency.
Fixes: 94a945ffa81b7 ("libnftables: Get rid of explicit cache flushes")
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
src/libnftables.c | 2 ++
1 file changed, 2 insertions(+)
diff
Hi,
When preparing my patch 94a945ffa81b7 ("libnftables: Get rid of explicit
cache flushes"), I missed that 'nft -i' was explicitly dropping the
interface cache after every command, so now it won't recognize interface
changes anymore. Sadly, there is no lightweight method available to
detect an
) compare that
stored value to the current generation ID received from kernel - if the
stored value is zero (i.e. no previous cache update did happen) or if it
doesn't match the kernel's value (i.e. cache is outdated) the cache is
flushed and fully initialized again.
Signed-off-by: Phil Sutter <
Hi,
On Tue, Oct 24, 2017 at 05:52:59PM +0200, Pablo Neira Ayuso wrote:
> On Mon, Oct 23, 2017 at 05:33:17PM +0200, Phil Sutter wrote:
[...]
> > diff --git a/include/nftables/nftables.h b/include/nftables/nftables.h
> > index 44d3e95d399e6..1207f10cd2457 100644
> > -
Hi Pablo,
On Tue, Oct 24, 2017 at 05:48:00PM +0200, Pablo Neira Ayuso wrote:
> On Mon, Oct 23, 2017 at 05:33:16PM +0200, Phil Sutter wrote:
[...]
> > +/**
> > + * Exit codes returned by nft_run_cmd_from_*()
> > + */
> > +enum nftables_exit_codes {
> >
On Tue, Oct 24, 2017 at 05:20:33PM +0200, Pablo Neira Ayuso wrote:
> On Mon, Oct 23, 2017 at 05:33:15PM +0200, Phil Sutter wrote:
> > The following series prepares libnftables library split-off by moving
> > API functions into src/libnftables.c, introducing
> > includ
filter.org>
Acked-by: Phil Sutter <p...@nwl.cc>
Thanks for sorting this for me,
Phil
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
This creates src/libnftables.c and include/nftables/nftables.h which
will become the central elements of libnftables.
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
include/Makefile.am | 3 +-
include/nftables.h | 27 +
include/nftables/Makefile.am | 1 +
i
th()-> add an include path to the list
* nft_ctx_clear_include_paths() -> flush the list of include paths
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
include/nftables.h | 4 +-
include/nftables/nftables.h | 19 +
src/libnftables.c | 101 +
that there is no need for explicit cache update routine since cache
is populated during command execution depending on whether it is needed
or not.
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
include/nftables/nftables.h | 1 +
src/cli.c | 3 +--
src/libnftables.c | 9 +++--
3
and avoid
moving header file content back and forth between nftables.h and
nftables/nftables.h.
- Improved patch descriptions.
Phil Sutter (4):
libnftables: Move library stuff out of main.c
libnftables: Introduce nft_ctx_flush_cache()
cli: Use nft_run_cmd_from_buffer()
libnftables: Introdu
.
* Error messages are printed to stderr instead of cli_nft->output.
This could be fixed by introducing an 'error_output' field in nft_ctx
for nft_run_cmd_from_buffer() to use when printing error messages.
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
include/cli.h | 6 ++
include/n
On Fri, Oct 20, 2017 at 09:16:43PM +0200, Pablo Neira Ayuso wrote:
> On Fri, Oct 20, 2017 at 07:16:20PM +0200, Phil Sutter wrote:
> > Hi,
> >
> > On Fri, Oct 20, 2017 at 02:17:00PM +0200, Pablo Neira Ayuso wrote:
> > > On Thu, Oct 19, 2017 at 10:18
On Fri, Oct 20, 2017 at 09:18:07PM +0200, Pablo Neira Ayuso wrote:
> On Fri, Oct 20, 2017 at 07:10:18PM +0200, Phil Sutter wrote:
> > On Fri, Oct 20, 2017 at 02:15:34PM +0200, Pablo Neira Ayuso wrote:
> > > On Thu, Oct 19, 2017 at 10:18:44AM +0200, Phil Sutter wrote:
> >
On Fri, Oct 20, 2017 at 09:10:31PM +0200, Pablo Neira Ayuso wrote:
> On Fri, Oct 20, 2017 at 07:05:13PM +0200, Phil Sutter wrote:
> > Hi,
> >
> > On Fri, Oct 20, 2017 at 02:13:26PM +0200, Pablo Neira Ayuso wrote:
> > > On Thu, Oct 19, 2017 at 10:18
Hi,
On Fri, Oct 20, 2017 at 02:17:00PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Oct 19, 2017 at 10:18:46AM +0200, Phil Sutter wrote:
[...]
> > +int nft_ctx_add_include_path(struct nft_ctx *ctx, const char *path)
>
> Do we want to accept runtime addition/removal o
On Fri, Oct 20, 2017 at 02:15:34PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Oct 19, 2017 at 10:18:44AM +0200, Phil Sutter wrote:
> > This simplifies CLI code and allows to reduce libnftables API by not
> > exporting nft_run().
> >
> > Since nft_run_cmd_from_buf
Hi,
On Fri, Oct 20, 2017 at 02:13:26PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Oct 19, 2017 at 10:18:43AM +0200, Phil Sutter wrote:
[...]
> > +void nft_ctx_flush_cache(struct nft_ctx *ctx)
> > +{
> > + iface_cache_release();
> > + cache_release(&ctx->cache);
Hi,
On Fri, Oct 20, 2017 at 02:12:02PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Oct 19, 2017 at 10:18:42AM +0200, Phil Sutter wrote:
[...]
> > diff --git a/include/nftables/nftables.h b/include/nftables/nftables.h
> > new file mode 100644
> > index 0..052a77bfb5
Hi Pablo,
On Fri, Oct 20, 2017 at 02:18:53PM +0200, Pablo Neira Ayuso wrote:
[...]
> Oh, I see. Now these structure definitions are coming back to
> include/nftables.h. I'm telling this because of what I mentioned in
> 2/7.
I have to admit, it was quite entertaining watching you following my
strings as --name argument. So simply get rid of the
checks altogether.
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
extensions/libxt_recent.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/extensions/libxt_recent.c b/extensions/libxt_recent.c
index e1801f1
Provide a convenient interface to configure dry run mode.
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
include/nftables/nftables.h | 3 +++
src/libnftables.c | 5 +
src/main.c | 2 +-
3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/include/nf
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
include/Makefile.am | 3 +-
include/nftables.h | 65 +--
include/nftables/Makefile.am | 1 +
include/nftables/nftables.h | 88 +++
src/Makefile.am | 3 +-
src/libnftables.c
In order to keep the API simple, remove INCLUDE_PATHS_MAX restraint and
dynamically allocate nft_ctx field include_paths instead.
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
include/nftables/nftables.h | 6 +++---
src/libnftables.c | 34 --
src/
This allows an application to explicitly flush caches associated with a
given nft context.
Note that this is a bit inconsistent in that it releases the global
interface cache, but nft_ctx_free() does the same so at least it's not a
regression.
Signed-off-by: Phil Sutter <p...@nwl
of that struct's internals.
The 'nft' binary will become the first "demo" user of libnftables and
acts as a reference for library design and usability.
Phil Sutter (7):
nft_ctx_free: Fix for wrong argument passed to cache_release
libnftables: Move library stuff out of main.c
libnftables:
nft_ctx_free() should not refer to the global 'nft' variable, this will
break as soon as the function is moved away from main.c. In order to use
the cache reference from passed argument, the latter must not be const.
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
src/main.c | 4 ++--
put' field in nft_ctx
for nft_run_cmd_from_buffer() to use when printing error messages.
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
include/cli.h | 6 ++
include/nftables/nftables.h | 5 -
src/cli.c | 24 +++-
src/libn
Provide API functions for remaining context settings changed by main.c,
then hide struct nft_ctx definition from applications. This allows us to
later change data structures internally without risk of breaking
applications.
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
include/nfta
Implement expression printing into a FILE pointer analogous to
nftnl_rule_fprintf().
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
Changes since v2:
- Fix src/libnftnl.map update.
Changes since v1:
- Update src/libnftnl.map.
---
include/libnftnl/expr.h | 1 +
src/expr.c
Hi,
Actually, I don't quite get the suggested change:
On Tue, Oct 17, 2017 at 01:31:50PM +0200, Pablo Neira Ayuso wrote:
> @@ -308,3 +307,7 @@ global:
>
> local: *;
> };
> +
> +LIBNFTNL_6 {
> + nftnl_expr_fprintf;
> +} LIBMNL_5;
Why LIBMNL_5? Shouldn't this be LIBNFTNL_5?
Cheers, Phil
--
On Tue, Oct 17, 2017 at 01:31:50PM +0200, Pablo Neira Ayuso wrote:
> On Tue, Oct 17, 2017 at 01:22:18PM +0200, Phil Sutter wrote:
> > Implement expression printing into a FILE pointer analogous to
> > nftnl_rule_fprintf().
> >
> > Signed-off-by: Phil Sutter <p...@nwl
Implement expression printing into a FILE pointer analogous to
nftnl_rule_fprintf().
Signed-off-by: Phil Sutter <p...@nwl.cc>
---
Changes since v1:
- Update src/libnftnl.map
---
include/libnftnl/expr.h | 1 +
src/expr.c | 14 ++
src/libnftnl.map| 1 +
3
Hi Pablo,
On Mon, Oct 16, 2017 at 12:19:51PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Oct 05, 2017 at 12:51:52AM +0200, Phil Sutter wrote:
[...]
> > * Create src/nftables_common.c and include/nftables_common.h to hold
> > nft_run() and nft_netlink().
>
> Why not j