Hi Jozsef,
On Sat, Oct 27, 2018 at 06:05:43PM +0200, Jozsef Kadlecsik wrote:
> The ip_set() macro is called either when only ip_set_ref_lock is held,
> or when no lock/nfnl mutex is held at dumping. Take this into account
> properly.
>
> Signed-off-by: Jozsef Kadlecsik
> ---
>
On Mon, Oct 29, 2018 at 06:50:13PM +0100, Phil Sutter wrote:
> On Mon, Oct 29, 2018 at 06:31:10PM +0100, Pablo Neira Ayuso wrote:
> > @Phil, thinking here we could probably get rid of
> > NFT_CTX_OUTPUT_NUMERIC_PROTO, since it is contained already in
> > NFT_CTX_OUTPUT_NUMERIC_SYMBOL.
> >
> >
This patch adds NFT_CTX_OUTPUT_NUMERIC_SYMBOL, which replaces the last
client of the numeric level approach.
This patch updates `-n' option semantics to display all output
numerically.
Note that monitor code was still using the -n option to skip printing
the process name; this patch updates that
Otherwise we end up displaying things that we cannot parse as input.
Moreover, in a range, the values that are enclosed in the range are
relevant to the user, so let's print them numerically.
Fixes: baa4e0e3fa5f ("src: add NFT_CTX_OUTPUT_NUMERIC_PROTO")
Reported-by: Phil Sutter
Signed-off-by:
We keep printing layer 4 protocols as literals since we do not use
/etc/protocols. Add -p option to print layer 4 protocols numerically.
Signed-off-by: Pablo Neira Ayuso
---
v3: Expose this -p option; Phil has a use case for this.
doc/nft.txt | 4
src/main.c | 7 ++-
2 files changed,
Hi,
On Sat, Oct 27, 2018 at 01:05:45PM -0700, Cameron Norman wrote:
> The attached patch fixes building ulogd2 with musl libc. It is being
> used on Void Linux right now.
>
> https://bugzilla.netfilter.org/show_bug.cgi?id=1278
>
> Thanks,
> --
> Cameron Nemo
> diff --git a/src/ulogd.c
On Sat, Oct 27, 2018 at 06:05:38PM +0200, Jozsef Kadlecsik wrote:
> Hi Pablo,
>
> Please pull the next patches for the nf tree:
>
> - Decrease refcount synchronously on deletion and replace by
> Stefano Brivio, which fixes the reference counter shown in
> userspace.
> - Allow CIDR 0 in
On Thu, Oct 25, 2018 at 7:56 AM Taehee Yoo wrote:
>
> nf_conncount_tuple is an element of nft_connlimit and that is deleted by
> conn_free(). Elements can be deleted by both the GC routine and
> data path functions (nf_conncount_lookup, nf_conncount_add), and they
> call conn_free() to free elements.
On Thu, Oct 25, 2018 at 7:56 AM Taehee Yoo wrote:
>
> conn_free() holds a lock with spin_lock(), and it is called by both
> nf_conncount_lookup() and nf_conncount_gc_list().
> nf_conncount_lookup() is bottom-half context and nf_conncount_gc_list()
> is process context, so that spin_lock() is not
On Fri, Oct 19, 2018 at 12:27:57AM +0900, Taehee Yoo wrote:
> xt_rateest_net_exit() was added to check whether rules are flushed
> successfully, but the ->net_exit() callback is called earlier than the
> ->destroy() callback.
> So the ->net_exit() callback can't check that.
>
> test commands:
>%ip
On Thu, Oct 25, 2018 at 11:56:12PM +0900, Taehee Yoo wrote:
> conn_free() holds a lock with spin_lock(), and it is called by both
> nf_conncount_lookup() and nf_conncount_gc_list().
> nf_conncount_lookup() is bottom-half context and nf_conncount_gc_list()
> is process context, so that spin_lock() is
Pablo Neira Ayuso wrote:
> On Thu, Oct 25, 2018 at 11:56:12PM +0900, Taehee Yoo wrote:
> > conn_free() holds a lock with spin_lock(), and it is called by both
> > nf_conncount_lookup() and nf_conncount_gc_list().
> > nf_conncount_lookup() is bottom-half context and nf_conncount_gc_list()
> > is
On Sun, Oct 21, 2018 at 12:00:08AM +0900, Taehee Yoo wrote:
> When an IDLETIMER rule is added, a sysfs file is created under
> /sys/class/xt_idletimer/timers/
> But some label names shouldn't be used:
> ".", "..", "power", "uevent", "subsystem", etc.
> So the sysfs filename checking routine is
Add NFT_CTX_OUTPUT_JSON flag and display output in json format.
Signed-off-by: Pablo Neira Ayuso
---
v2: Add nft_output_json()
Fix missing conversion to use NFT_CTX_OUTPUT_JSON.
Remove json field from struct output_ctx.
doc/libnftables.adoc | 16 +++-
Add NFT_CTX_OUTPUT_STATELESS flag and enable stateless printing from new
output flags interface.
Signed-off-by: Pablo Neira Ayuso
---
v2: Add nft_output_stateless()
Fix missing conversion to use NFT_CTX_OUTPUT_STATELESS.
Remove stateless field from struct output_ctx.
Add NFT_CTX_OUTPUT_HANDLE flag and print the handle that uniquely identifies
objects from the new output flags interface.
Signed-off-by: Pablo Neira Ayuso
---
v2: Add nft_output_handle()
Fix missing conversion to use NFT_CTX_OUTPUT_HANDLE.
Remove handle field from struct output_ctx.
This is a partial revert of b0f6a45b25dd1 ("src: add --literal option"),
which was added during the development cycle before 0.9.1 was released.
After looking at the patch https://patchwork.ozlabs.org/patch/969864/ that
allows printing priority, uid, gid and protocols as numerics, I decided
to revisit
Add NFT_CTX_OUTPUT_ECHO flag and echo the command that has been sent to
the kernel.
Signed-off-by: Pablo Neira Ayuso
---
v2: Add nft_output_echo()
Fix missing conversion to use NFT_CTX_OUTPUT_ECHO.
Remove echo field from struct output_ctx.
doc/libnftables.adoc | 15
Yes, we can do that.
On Mon, Oct 29, 2018 at 2:11 PM Pablo Neira Ayuso wrote:
>
> Hi,
>
> On Sat, Oct 27, 2018 at 01:05:45PM -0700, Cameron Norman wrote:
> > The attached patch fixes building ulogd2 with musl libc. It is being
> > used on Void Linux right now.
> >
> >
Hi,
On Mon, Oct 29, 2018 at 12:33:36PM +0100, Pablo Neira Ayuso wrote:
> This is a partial revert of b0f6a45b25dd1 ("src: add --literal option"),
> which was added during the development cycle before 0.9.1 was released.
>
> After looking at patch: https://patchwork.ozlabs.org/patch/969864/ that
>
Hi,
On Mon, Oct 29, 2018 at 12:33:37PM +0100, Pablo Neira Ayuso wrote:
> Add NFT_CTX_OUTPUT_STATELESS flag and enable stateless printing from new
> output flags interface.
>
> Signed-off-by: Pablo Neira Ayuso
> ---
> v2: Add nft_output_stateless()
> Fix missing conversion to use
Hi Phil,
I would probably keep back this patch, it's too fine-grained. Instead I
would turn -n into 'display everything numerically' after this
patchset.
Hence, we have the fine-grained toggles for stateless, reverse dns,
service, guid and chain priority. Then the global toggles to turn
everything
On Mon, Oct 29, 2018 at 01:23:04PM +0100, Phil Sutter wrote:
> On Mon, Oct 29, 2018 at 12:33:38PM +0100, Pablo Neira Ayuso wrote:
> > Add NFT_CTX_OUTPUT_HANDLE flag and print the handle that uniquely identifies
> > objects from the new output flags interface.
> >
> > Signed-off-by: Pablo Neira Ayuso
>
>
On Mon, Oct 29, 2018 at 01:34:23PM +0100, Phil Sutter wrote:
> On Mon, Oct 29, 2018 at 01:07:28PM +0100, Pablo Neira Ayuso wrote:
> > Like iptables-save, print UID and GID as numeric values by default.
> >
> > Add a new option `-u' to print the UID and GID names as defined by
> > /etc/passwd and
Hi,
On Mon, Oct 29, 2018 at 01:31:00PM +0100, Pablo Neira Ayuso wrote:
[...]
> @@ -1354,10 +1354,11 @@ json_t *objref_stmt_json(const struct stmt *stmt,
> struct output_ctx *octx)
> json_t *meter_stmt_json(const struct stmt *stmt, struct output_ctx *octx)
> {
> json_t *root, *tmp;
> +
Hi,
On Mon, Oct 29, 2018 at 12:33:39PM +0100, Pablo Neira Ayuso wrote:
> Add NFT_CTX_OUTPUT_JSON flag and display output in json format.
>
> Signed-off-by: Pablo Neira Ayuso
[...]
> diff --git a/doc/libnftables.adoc b/doc/libnftables.adoc
> index 8b7aee9af134..5a3562c3266c 100644
> ---
We keep printing layer 4 protocols as literals since we do not use
/etc/protocols. Add -p option to print layer 4 protocols numerically.
Signed-off-by: Pablo Neira Ayuso
---
include/nftables.h | 5 +
include/nftables/libnftables.h | 1 +
src/datatype.c | 2 +-
On Mon, Oct 29, 2018 at 01:48:49PM +0100, Pablo Neira Ayuso wrote:
> Add NFT_CTX_OUTPUT_JSON flag and display output in json format.
>
> Signed-off-by: Pablo Neira Ayuso
Acked-by: Phil Sutter
On Mon, Oct 29, 2018 at 12:33:38PM +0100, Pablo Neira Ayuso wrote:
> Add NFT_CTX_OUTPUT_HANDLE flag and print the handle that uniquely identifies
> objects from the new output flags interface.
>
> Signed-off-by: Pablo Neira Ayuso
Acked-by: Phil Sutter
One minor nit here as well:
[...]
> diff --git
Add NFT_CTX_OUTPUT_STATELESS flag and enable stateless printing from new
output flags interface.
This patch adds nft_output_save_flags() and nft_output_restore_flags()
to temporarily disable stateful printing
Signed-off-by: Pablo Neira Ayuso
---
v3: Use nft_output_save_flags() and
On Mon, Oct 29, 2018 at 12:33:40PM +0100, Pablo Neira Ayuso wrote:
> Add NFT_CTX_OUTPUT_ECHO flag and echo the command that has been sent to
> the kernel.
>
> Signed-off-by: Pablo Neira Ayuso
Acked-by: Phil Sutter
On Mon, Oct 29, 2018 at 01:07:28PM +0100, Pablo Neira Ayuso wrote:
> Like iptables-save, print UID and GID as numeric values by default.
>
> Add a new option `-u' to print the UID and GID names as defined by
> /etc/passwd and /etc/group.
>
> Note that -n is ignored after this patch, since
By default base chains are printed using default hook priority
definitions. Add -y option to print them as numbers.
Signed-off-by: Pablo Neira Ayuso
---
doc/libnftables.adoc | 3 +++
doc/nft.txt | 4
include/nftables.h | 5 +
We keep printing layer 4 protocols as literals since we do not use
/etc/protocols. Add -p option to print layer 4 protocols numerically.
Signed-off-by: Pablo Neira Ayuso
---
v2: update documentation.
Rename to NUMERIC_PROTO.
doc/libnftables.adoc | 3 +++
doc/nft.txt
On Mon, Oct 29, 2018 at 02:15:34PM +0100, Phil Sutter wrote:
> Hi,
>
> On Mon, Oct 29, 2018 at 01:31:00PM +0100, Pablo Neira Ayuso wrote:
> [...]
> > @@ -1354,10 +1354,11 @@ json_t *objref_stmt_json(const struct stmt *stmt,
> > struct output_ctx *octx)
> > json_t *meter_stmt_json(const struct
Like iptables-save, print UID and GID as numeric values by default.
Add a new option `-u' to print the UID and GID names as defined by
/etc/passwd and /etc/group.
Note that -n is ignored after this patch, since the default is numeric
printing for UID and GID.
Signed-off-by: Pablo Neira Ayuso
---
On Mon, Oct 29, 2018 at 01:09:31PM +0100, Phil Sutter wrote:
> Hi,
>
> On Mon, Oct 29, 2018 at 12:33:37PM +0100, Pablo Neira Ayuso wrote:
> > Add NFT_CTX_OUTPUT_STATELESS flag and enable stateless printing from new
> > output flags interface.
> >
> > Signed-off-by: Pablo Neira Ayuso
> > ---
> >
Add NFT_CTX_OUTPUT_JSON flag and display output in json format.
Signed-off-by: Pablo Neira Ayuso
---
v3: Refer to flag, not function, in the documentation.
add missing #ifdef HAVE_LIBJANSSON in src/main.c
- Both requested by Phil.
doc/libnftables.adoc | 18 +-
Hi,
On Mon, Oct 29, 2018 at 01:43:00PM +0100, Pablo Neira Ayuso wrote:
> On Mon, Oct 29, 2018 at 01:29:32PM +0100, Phil Sutter wrote:
> > On Mon, Oct 29, 2018 at 12:33:39PM +0100, Pablo Neira Ayuso wrote:
[...]
> > > diff --git a/src/libnftables.c b/src/libnftables.c
> > > index
We keep printing layer 4 protocols as literals since we do not use
/etc/protocols. This new flag allows us to print it as a number.
libnftables internally uses this to print layer 4 protocol as numbers
when part of a range.
Signed-off-by: Pablo Neira Ayuso
---
This patch was "src: add -p to
By default base chains are printed using default hook priority
definitions. Add -y option to print them as numbers.
Signed-off-by: Pablo Neira Ayuso
---
v2: Rebase on top of "src: add NFT_CTX_OUTPUT_NUMERIC_PROTO"
doc/libnftables.adoc | 3 +++
doc/nft.txt | 4
This patch adds NFT_CTX_OUTPUT_NUMERIC_SYMBOL, which replaces the last
client of the numeric level approach.
This patch updates `-n' option semantics to display all output
numerically.
Note that monitor code was still using the -n option to skip printing
the process name; this patch updates that
On Sat, Oct 27, 2018 at 12:15:50PM +0200, Phil Sutter wrote:
> Since this pseudo log level fundamentally changes the behaviour of the log
> statement, dedicate a separate paragraph to this mode.
Applied, thanks Phil.
On Mon, Oct 29, 2018 at 02:55:15PM +0100, Pablo Neira Ayuso wrote:
> Hi Phil,
>
> I would probably keep back this patch, it's too fine-grained. Instead I
> would turn -n into 'display everything numerically' after this
> patchset.
>
> Hence, we have the fine-grained toggles for stateless, reverse
On Fri, Oct 26, 2018 at 03:01:38PM +0200, Phil Sutter wrote:
> The basic principle is to not return a JSON object freshly created from
> netlink responses, but just update the existing user-provided one to
> make sure callers get back exactly what they expect.
Applied, thanks Phil.
> To achieve
On Mon, Oct 29, 2018 at 05:49:56PM +0100, Pablo Neira Ayuso wrote:
> On Mon, Oct 29, 2018 at 05:46:29PM +0100, Phil Sutter wrote:
> > Hi,
> >
> > On Mon, Oct 29, 2018 at 02:10:27PM +0100, Pablo Neira Ayuso wrote:
> > > We keep printing layer 4 protocols as literals since we do not use
> > >
@Phil, thinking here we could probably get rid of
NFT_CTX_OUTPUT_NUMERIC_PROTO, since it is contained already in
NFT_CTX_OUTPUT_NUMERIC_SYMBOL.
There's no option for -p anymore, so we could simplify things a bit
before.
On Mon, Oct 29, 2018 at 04:03:32PM +0100, Pablo Neira Ayuso wrote:
> This
This patch adds NFT_CTX_OUTPUT_NUMERIC_SYMBOL, which replaces the last
client of the numeric level approach.
This patch updates `-n' option semantics to display all output
numerically.
Note that monitor code was still using the -n option to skip printing
the process name; this patch updates that
Otherwise we end up displaying things that we cannot parse as input.
Moreover, in a range, the values that are enclosed in the range are
relevant to the user, so let's print them numerically.
Fixes: baa4e0e3fa5f ("src: add NFT_CTX_OUTPUT_NUMERIC_PROTO")
Reported-by: Phil Sutter
Signed-off-by:
On Mon, Oct 29, 2018 at 06:31:10PM +0100, Pablo Neira Ayuso wrote:
> @Phil, thinking here we could probably get rid of
> NFT_CTX_OUTPUT_NUMERIC_PROTO, since it is contained already in
> NFT_CTX_OUTPUT_NUMERIC_SYMBOL.
>
> There's no option for -p anymore, so we could simplify things a bit
> before.
On Mon, Oct 29, 2018 at 04:20:52PM +0100, Pablo Neira Ayuso wrote:
> On Fri, Oct 26, 2018 at 11:42:05AM +0200, Phil Sutter wrote:
> > The first test in there shows how the current cache update strategy
> > causes trouble. The second test shows that proposed "locking" of cache
> > when local
On Mon, Oct 29, 2018 at 05:46:29PM +0100, Phil Sutter wrote:
> Hi,
>
> On Mon, Oct 29, 2018 at 02:10:27PM +0100, Pablo Neira Ayuso wrote:
> > We keep printing layer 4 protocols as literals since we do not use
> > /etc/protocols. Add -p option to print layer 4 protocols numerically.
> >
> >
Hi,
On Mon, Oct 29, 2018 at 04:19:03PM +0100, Pablo Neira Ayuso wrote:
> On Fri, Oct 26, 2018 at 03:01:38PM +0200, Phil Sutter wrote:
> > The basic principle is to not return a JSON object freshly created from
> > netlink responses, but just update the existing user-provided one to
> > make sure
Otherwise we end up displaying things that we cannot parse as input.
Moreover, in a range, the values that are enclosed in the range are
relevant to the user, so let's print them numerically.
Reported-by: Phil Sutter
Signed-off-by: Pablo Neira Ayuso
---
Based on my recent patches, still not
On Mon, Oct 29, 2018 at 03:31:38PM +0100, Pablo Neira Ayuso wrote:
> By default base chains are printed using default hook priority
> definitions. Add -y option to print them as numbers.
>
> Signed-off-by: Pablo Neira Ayuso
Acked-by: Phil Sutter
On Mon, Oct 29, 2018 at 05:54:25PM +0100, Phil Sutter wrote:
> Hi,
>
> On Mon, Oct 29, 2018 at 04:19:03PM +0100, Pablo Neira Ayuso wrote:
> > On Fri, Oct 26, 2018 at 03:01:38PM +0200, Phil Sutter wrote:
> > > The basic principle is to not return a JSON object freshly created from
> > > netlink
Hi,
On Mon, Oct 29, 2018 at 02:10:27PM +0100, Pablo Neira Ayuso wrote:
> We keep printing layer 4 protocols as literals since we do not use
> /etc/protocols. Add -p option to print layer 4 protocols numerically.
>
> Signed-off-by: Pablo Neira Ayuso
Acked-by: Phil Sutter
One question:
[...]
On Mon, Oct 29, 2018 at 03:31:37PM +0100, Pablo Neira Ayuso wrote:
> We keep printing layer 4 protocols as literals since we do not use
> /etc/protocols. This new flag allows us to print it as a number.
>
> libnftables internally uses this to print layer 4 protocol as numbers
> when part of a