Re: [PATCH v2 iptables] iptables-restore: add missing arguments to usage message

2016-08-23 Thread Pablo Neira Ayuso
On Tue, Aug 23, 2016 at 10:14:47AM -0400, Brian Haley wrote: > > iptables-restore was missing -n, -T and -M from the > usage message, added them to match the man page. > Cleaned up other *restore files as well. Applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilte

[PATCH 2/2 nf-next] netfilter: nf_tables: reject hook configuration updates on existing chains

2016-08-23 Thread Pablo Neira Ayuso
Currently, if you add a base chain whose name clashes with an existing non-base chain, nf_tables doesn't complain about this. Similarly, if you update the chain type, the hook number and priority. With this patch, nf_tables bails out in case any of these unsupported operations occur by returning EB

[PATCH 1/2 nf-next] netfilter: nf_tables: introduce nft_chain_parse_hook()

2016-08-23 Thread Pablo Neira Ayuso
Introduce a new function to wrap the code that parses the chain hook configuration so we can reuse this code to validate chain updates. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_tables_api.c | 152 +- 1 file changed, 89 insertions(+), 63 deleti

Re: Snooping expected connections in a user CT helper

2016-08-23 Thread Pablo Neira Ayuso
On Mon, Aug 22, 2016 at 08:34:41PM -0700, Kevin Cernekee wrote: > On Wed, Aug 17, 2016 at 6:12 PM, Pablo Neira Ayuso > wrote: > > Looking at ctnetlink, it should be possible to make it via > > CTA_EXPECT_HELP_NAME. Thus, by when we find a matching expectation, > > the helper is set to this new co

[PATCH nft] parser_bison: explicit indication on export ruleset

2016-08-23 Thread Pablo Neira Ayuso
This patch modifies the grammar to explicitly indicate what you want to export, e.g. # nft export ruleset json This leaves room to extend this later on to support other object types, such as integrating conntrack into nft. This also leaves the syntax in a consistent state wrt. other existing objec

[PATCH] dynset prefix support

2016-08-23 Thread Pablo Neira Ayuso
table ip filter { chain input { type filter hook input priority 0; flow table xyz { ip saddr & 255.255.255.0 counter packets 0 bytes 0} } } Signed-off-by: Pablo Neira Ayuso --- src/evaluate.c | 14 +- src/parser_bison.y | 6 +

[PATCH v2 iptables] iptables-restore: add missing arguments to usage message

2016-08-23 Thread Brian Haley
iptables-restore was missing -n, -T and -M from the usage message, added them to match the man page. Cleaned up other *restore files as well. Signed-off-by: Brian Haley diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c index 9393924..dc0acb0 100644 --- a/iptables/ip6table

Re: [PATCH iptables] iptables-restore: add missing arguments to usage message

2016-08-23 Thread Brian Haley
On 08/23/2016 08:10 AM, Pablo Neira Ayuso wrote: On Mon, Aug 22, 2016 at 02:47:15PM -0400, Brian Haley wrote: iptables-restore was missing -n, -T and -M from the usage message, added them to match the man page. Signed-off-by: Brian Haley diff --git a/iptables/ip6tables-restore.c b/iptables/i

Re: [PATCH iptables] iptables-restore: add missing arguments to usage message

2016-08-23 Thread Pablo Neira Ayuso
On Mon, Aug 22, 2016 at 02:47:15PM -0400, Brian Haley wrote: > > iptables-restore was missing -n, -T and -M from the > usage message, added them to match the man page. > > Signed-off-by: Brian Haley > > diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c > index 9393924..dc

Re: [PATCH iptables v2 2/2] xtables-translate-restore: do not escape quotes

2016-08-23 Thread Pablo Neira Ayuso
On Mon, Aug 22, 2016 at 12:56:15PM +0200, Pablo M. Bermudo Garay wrote: > If quotes are escaped, nft -f is unable to parse and load the translated > ruleset. > > Signed-off-by: Pablo M. Bermudo Garay > --- > > Changes in v2: > - Do not use strcmp against 'program_name' global, propagate 'bool

Re: [PATCH iptables v2 1/2] xtables-translate: add escape_quotes option to comment_xlate

2016-08-23 Thread Pablo Neira Ayuso
On Mon, Aug 22, 2016 at 12:56:14PM +0200, Pablo M. Bermudo Garay wrote: > The comment_xlate function was not supporting this option that is > necessary in some situations. Applied, thanks.

Re: [PATCH iptables v2 2/2] xtables-compat: add rule cache

2016-08-23 Thread Pablo Neira Ayuso
On Mon, Aug 22, 2016 at 05:11:19PM +0200, Pablo M. Bermudo Garay wrote: > This patch adds a cache of rules within the nft handle. This feature is > more useful after the new checks of ruleset compatibility, since the > rule list is loaded twice consecutively. > > Now all the operations causing cha

Re: [PATCH iptables v2 2/2] xtables-compat: add rule cache

2016-08-23 Thread Pablo Neira Ayuso
On Tue, Aug 23, 2016 at 01:58:14PM +0200, Pablo Neira Ayuso wrote: > On Mon, Aug 22, 2016 at 05:11:19PM +0200, Pablo M. Bermudo Garay wrote: > > This patch adds a cache of rules within the nft handle. This feature is > > more useful after the new checks of ruleset compatibility, since the > > rule

Re: [PATCH nft] Simplify parser rule_spec tree

2016-08-23 Thread Pablo Neira Ayuso
On Tue, Aug 23, 2016 at 09:40:45AM +0200, Carlos Falgueras García wrote: > This patch separates the rule identification from the rule localization, so > the logic moves from the evaluator to the parser. This allows reverting the > patch "evaluate: improve rule managment checks" > (4176c7d30c2ff1b3f

Re: [PATCH nf] netfilter: ebtables: put module reference when an incorrect extension is found

2016-08-23 Thread Phil Sutter
On Tue, Aug 23, 2016 at 10:20:31AM +0200, Sabrina Dubroca wrote: > commit bcf493428840 ("netfilter: ebtables: Fix extension lookup with > identical name") added a second lookup in case the extension that was > found during the first lookup matched another extension with the same > name, but didn't

[PATCH nf] netfilter: ebtables: put module reference when an incorrect extension is found

2016-08-23 Thread Sabrina Dubroca
commit bcf493428840 ("netfilter: ebtables: Fix extension lookup with identical name") added a second lookup in case the extension that was found during the first lookup matched another extension with the same name, but didn't release the reference on the incorrect module. Fixes: bcf493428840 ("net

[PATCH nft] Simplify parser rule_spec tree

2016-08-23 Thread Carlos Falgueras García
This patch separates the rule identification from the rule localization, so the logic moves from the evaluator to the parser. This allows reverting the patch "evaluate: improve rule managment checks" (4176c7d30c2ff1b3f52468fc9c08b8df83f979a8) and saves a lot of code. Signed-off-by: Carlos Falguera