Re: [PATCH nft] configure: Require newer version of libxtables

2017-02-05 Thread Pablo Neira Ayuso
On Thu, Feb 02, 2017 at 09:22:55AM -0200, Elise Lennion wrote:
> Currently, the configure script requires xtables v1.6.0 when the option
> --with-xtables is given. However, nftables-0.7 build fails with this
> version, xtables v1.6.1 is the minimum required to have libxtables
> support.
>
> Fixes(

Re: [PATCH nft] statement: Print NAT IPv4 address in nat_stmt_print()

2017-02-05 Thread Pablo Neira Ayuso
On Fri, Feb 03, 2017 at 04:50:38PM -0200, Elise Lennion wrote:
> The case which "nat.addr != NULL && nat.proto != NULL && type != ipv6"
> wasn't caught in nat_stmt_print(). Now all cases should be considered.
>
> Also, the if statements were reorganized to get rid of one nested if.
>
> Fixes(Bug

Re: [PATCH nftables] statement: fix print of ip dnat address

2017-02-05 Thread Pablo Neira Ayuso
On Fri, Feb 03, 2017 at 03:25:45PM +0100, Florian Westphal wrote:
> the change causes non-ipv6 addresses to not be printed at all in case
> a nfproto was given.
>
> Also add a test case to catch this.
>
> Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1117
> Fixes: 5ab0e10fc6e2c22363a ("s

Re: [PATCH nft v2 2/2] src: Always print range expressions numerically

2017-02-05 Thread Pablo Neira Ayuso
On Thu, Feb 02, 2017 at 10:31:56AM -0200, Elise Lennion wrote:
> Because the rules are more legible this way. Also, the parser doesn't
> accept strings on ranges, so printing ranges numerically better matches
> the rules definition.

Also applied, thanks.

Re: [PATCH nft v2 1/2] main: Validate the number of numeric options

2017-02-05 Thread Pablo Neira Ayuso
On Thu, Feb 02, 2017 at 10:25:53AM -0200, Elise Lennion wrote:
> The number of numeric options influences the behavior and the user
> should be warned if an invalid number is used.

Applied, thanks Elise.

[PATCH nf-next,v2 7/7] netfilter: nf_tables: add bitmap set type

2017-02-05 Thread Pablo Neira Ayuso
This patch adds a new bitmap set type. This bitmap uses two bits to represent one element. These two bits determine the element state in the current and the future generation that fits into the nf_tables commit protocol. When dumping elements back to userspace, the two bits are expanded into a stru

[PATCH nf-next,v2 6/7] netfilter: nf_tables: add space notation to sets

2017-02-05 Thread Pablo Neira Ayuso
The space notation allows us to classify the set backend implementation based on the amount of required memory. This provides an order of the set representation scalability in terms of memory. The size field is still left in place so use this if the userspace provides no explicit number of elements

[PATCH nf-next,v2 3/7] netfilter: nf_tables: rename deactivate_one() to flush()

2017-02-05 Thread Pablo Neira Ayuso
Although semantics are similar to deactivate() with no implicit element lookup, this is only called from the set flush path, so better rename this to flush().

Signed-off-by: Pablo Neira Ayuso
---
v2: no changes.

 include/net/netfilter/nf_tables.h | 8
 net/netfilter/nf_tables_api.c |

[PATCH nf-next,v2 5/7] netfilter: nf_tables: rename struct nft_set_estimate class field

2017-02-05 Thread Pablo Neira Ayuso
Use lookup as field name instead, to prepare the introduction of the memory class in a follow up patch.

Signed-off-by: Pablo Neira Ayuso
---
v2: no changes.

 include/net/netfilter/nf_tables.h | 4 ++--
 net/netfilter/nf_tables_api.c | 12 ++--
 net/netfilter/nft_set_hash.c | 2 +

[PATCH nf-next,v2 2/7] netfilter: nf_tables: use struct nft_set_iter in set element flush

2017-02-05 Thread Pablo Neira Ayuso
Instead of struct nft_set_dump_args, remove unnecessary wrapper structure.

Signed-off-by: Pablo Neira Ayuso
---
v2: No changes

 net/netfilter/nf_tables_api.c | 12 +---
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_a

[PATCH nf-next,v2 4/7] netfilter: nf_tables: add flush field to struct nft_set_iter

2017-02-05 Thread Pablo Neira Ayuso
This provides context to walk callback iterator, thus, we know if the walk happens from the set flush path. This is required by the new bitmap set type coming in a follow up patch which has no real struct nft_set_ext, so it has to allocate it based on the two bit compact element representation. Si

[PATCH nf-next,v2 1/7] netfilter: nf_tables: pass netns to set->ops->remove()

2017-02-05 Thread Pablo Neira Ayuso
This new parameter is required by the new bitmap set type that comes in a follow up patch.

Signed-off-by: Pablo Neira Ayuso
---
v2: Rebase on top of fixes for net, err6 in nft_add_set_elem() needs ctx->net.

 include/net/netfilter/nf_tables.h | 3 ++-
 net/netfilter/nf_tables_api.c | 6 +++---

[PATCH iptables 2/2] xshared: using the blocking file lock request when we wait indefinitely

2017-02-05 Thread Liping Zhang
From: Liping Zhang

When using "-w" to avoid concurrent instances, we try to do flock() every one second until it succeeds. But one second may be too long in some situations, and it's hard to select a suitable interval time. So when using "iptables -w", use the F_SETLKW to obtain the file lock, it

[PATCH iptables 1/2] xshared: do not lock again and again if "-w" option is not specified

2017-02-05 Thread Liping Zhang
From: Liping Zhang

After running the following commands, some confusing messages were printed out:

  # while : ; do iptables -A INPUT & iptables -D INPUT & done
  [...]
  Another app is currently holding the xtables lock; still -9s 0us time ahead to have a chance to grab the lock...
  Anot