Re: [PATCH nft 1/2] parser: fix typo

2017-08-23 Thread Pablo Neira Ayuso
On Wed, Aug 23, 2017 at 10:42:55PM +0200, Pablo M. Bermudo Garay wrote:
> Separator was misspelled as "seperator" in a symbol name.

Applied this one, thanks!


[PATCH nf-next v2 1/3] netfilter: convert hook list to an array

2017-08-23 Thread Florian Westphal
From: Aaron Conole 

This converts the storage and layout of netfilter hook entries from a
linked list to an array.  After this commit, hook entries will be
stored adjacent in memory.  The next pointer is no longer required.

The ops pointers are stored at the end of the array as they are only
used in the register/unregister path and in the legacy br_netfilter code.

nf_unregister_net_hooks() is slower than needed, as it just calls
nf_unregister_net_hook in a loop (i.e. at least n synchronize_net()
calls); this will be addressed in a follow-up patch.

Test setup:
 - ixgbe 10gbit
 - netperf UDP_STREAM, 64 byte packets
 - 5 hooks: (raw + mangle prerouting, mangle+filter input, inet filter):
empty mangle and raw prerouting, mangle and filter input hooks:
353.9
this patch:
364.2

Signed-off-by: Aaron Conole 
Signed-off-by: Florian Westphal 
---
 Change since v1: use kvzalloc (Eric).

 include/linux/netdevice.h |   2 +-
 include/linux/netfilter.h |  45 +++---
 include/linux/netfilter_ingress.h |   4 +-
 include/net/netfilter/nf_queue.h  |   2 +-
 include/net/netns/netfilter.h |   2 +-
 net/bridge/br_netfilter_hooks.c   |  19 ++-
 net/netfilter/core.c  | 297 --
 net/netfilter/nf_internals.h  |   3 +-
 net/netfilter/nf_queue.c  |  67 +
 9 files changed, 307 insertions(+), 134 deletions(-)

diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index 614642eb7eb7..ca0a30127300 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -1811,7 +1811,7 @@ struct net_device {
 #endif
struct netdev_queue __rcu *ingress_queue;
 #ifdef CONFIG_NETFILTER_INGRESS
-   struct nf_hook_entry __rcu *nf_hooks_ingress;
+   struct nf_hook_entries __rcu *nf_hooks_ingress;
 #endif
 
unsigned char   broadcast[MAX_ADDR_LEN];
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 22f081065d49..f84bca1703cd 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -72,25 +72,32 @@ struct nf_hook_ops {
 };
 
 struct nf_hook_entry {
-   struct nf_hook_entry __rcu  *next;
nf_hookfn   *hook;
void*priv;
-   const struct nf_hook_ops*orig_ops;
 };
 
-static inline void
-nf_hook_entry_init(struct nf_hook_entry *entry,const struct 
nf_hook_ops *ops)
-{
-   entry->next = NULL;
-   entry->hook = ops->hook;
-   entry->priv = ops->priv;
-   entry->orig_ops = ops;
-}
+struct nf_hook_entries {
+   u16 num_hook_entries;
+   /* padding */
+   struct nf_hook_entryhooks[];
+
+   /* trailer: pointers to original orig_ops of each hook.
+*
+* This is not part of struct nf_hook_entry since its only
+* needed in slow path (hook register/unregister).
+*
+* const struct nf_hook_ops *orig_ops[]
+*/
+};
 
-static inline int
-nf_hook_entry_priority(const struct nf_hook_entry *entry)
+static inline struct nf_hook_ops **nf_hook_entries_get_hook_ops(const struct 
nf_hook_entries *e)
 {
-   return entry->orig_ops->priority;
+   unsigned int n = e->num_hook_entries;
+   const void *hook_end;
+
+   hook_end = >hooks[n]; /* this is *past* ->hooks[]! */
+
+   return (struct nf_hook_ops **)hook_end;
 }
 
 static inline int
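Review bot: nf_hook_entries_get_hook_ops takes a `const struct nf_hook_entries *e` but returns a writable `struct nf_hook_ops **` through `(struct nf_hook_ops **)hook_end`, so the const on the parameter is cast away without comment and a caller holding a read-only table can still modify the trailer. If the trailer is only ever written by the register/unregister path that owns the table, say so in a comment above the function and consider taking a non-const pointer there (or returning `const struct nf_hook_ops **` for read-only users) instead of the cast. The trailer address also depends on `hooks[n]` ending on a pointer-aligned boundary; that holds here because `struct nf_hook_entry` is two pointers, but a one-line note next to the `/* padding */` marker would make the assumption explicit for anyone adding a field. Minor: `its only needed` in the struct comment should read `it's only needed`, and the `hook_end = >hooks[n]` line appears to have lost its `&e-` prefix in extraction — presumably `&e->hooks[n]`.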
@@ -100,12 +107,6 @@ nf_hook_entry_hookfn(const struct nf_hook_entry *entry, 
struct sk_buff *skb,
return entry->hook(entry->priv, skb, state);
 }
 
-static inline const struct nf_hook_ops *
-nf_hook_entry_ops(const struct nf_hook_entry *entry)
-{
-   return entry->orig_ops;
-}
-
 static inline void nf_hook_state_init(struct nf_hook_state *p,
  unsigned int hook,
  u_int8_t pf,
@@ -168,7 +169,7 @@ extern struct static_key 
nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
 #endif
 
 int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state,
-struct nf_hook_entry *entry);
+const struct nf_hook_entries *e, unsigned int i);
 
 /**
  * nf_hook - call a netfilter hook
@@ -182,7 +183,7 @@ static inline int nf_hook(u_int8_t pf, unsigned int hook, 
struct net *net,
  struct net_device *indev, struct net_device *outdev,
  int (*okfn)(struct net *, struct sock *, struct 
sk_buff *))
 {
-   struct nf_hook_entry *hook_head;
+   struct nf_hook_entries *hook_head;
int ret = 1;
 
 #ifdef HAVE_JUMP_LABEL
@@ -200,7 +201,7 @@ static inline int nf_hook(u_int8_t pf, unsigned int hook, 
struct net *net,
nf_hook_state_init(, hook, pf, indev, outdev,
   sk, net, okfn);
 
-   ret = nf_hook_slow(skb, , hook_head);
+   ret = nf_hook_slow(skb, , hook_head, 0);
   

Re: [PATCH nft] files: add arp filter and add in/output to nat skeleton

2017-08-23 Thread Pablo Neira Ayuso
On Wed, Aug 23, 2017 at 05:56:12PM +0200, Florian Westphal wrote:
> Signed-off-by: Florian Westphal 

Acked-by: Pablo Neira Ayuso 


[PATCH nft v2] files: add arp filter and add in/output to nat skeleton

2017-08-23 Thread Florian Westphal
Signed-off-by: Florian Westphal 
---
 v2: forgot to git-add arp-filter...

 files/nftables/Makefile.am | 3 ++-
 files/nftables/arp-filter  | 6 ++
 files/nftables/ipv4-nat| 6 --
 files/nftables/ipv6-nat| 6 --
 4 files changed, 16 insertions(+), 5 deletions(-)
 create mode 100644 files/nftables/arp-filter

diff --git a/files/nftables/Makefile.am b/files/nftables/Makefile.am
index a4c7ac7c980b..77d5c2a66e8f 100644
--- a/files/nftables/Makefile.am
+++ b/files/nftables/Makefile.am
@@ -1,6 +1,7 @@
 
 pkgsysconfdir = ${sysconfdir}/nftables
-dist_pkgsysconf_DATA = bridge-filter   \
+dist_pkgsysconf_DATA = arp-filter  \
+   bridge-filter   \
inet-filter \
ipv4-filter \
ipv4-mangle \
diff --git a/files/nftables/arp-filter b/files/nftables/arp-filter
new file mode 100644
index ..bcabf28ad99c
--- /dev/null
+++ b/files/nftables/arp-filter
@@ -0,0 +1,6 @@
+#! @sbindir@nft -f
+
+table arp filter {
+   chain input { type filter hook input priority 0; }
+   chain output{ type filter hook output priority 0; }
+}
diff --git a/files/nftables/ipv4-nat b/files/nftables/ipv4-nat
index 01c6c3d8d6a1..130a729b1d36 100644
--- a/files/nftables/ipv4-nat
+++ b/files/nftables/ipv4-nat
@@ -1,6 +1,8 @@
 #! @sbindir@nft -f
 
 table nat {
-   chain prerouting{ type nat hook prerouting priority -150; }
-   chain postrouting   { type nat hook postrouting priority -150; }
+   chain prerouting{ type nat hook prerouting priority -100; }
+   chain input { type nat hook input priority 100; }
+   chain output{ type nat hook output priority -100; }
+   chain postrouting   { type nat hook postrouting priority 100; }
 }
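Review bot: The nat skeleton's hook priorities move from -150 to -100 (prerouting/output) and 100 (input/postrouting), but neither the description nor the v2 note says why; the log only records "add in/output". Presumably the values mirror the conventional dstnat/srcnat ordering so the new input and output chains sit on the same side as their prerouting and postrouting counterparts, but that reasoning belongs in the commit message. The same change is in the ipv6-nat hunk below and in the v1 posting of this patch further down the page.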
diff --git a/files/nftables/ipv6-nat b/files/nftables/ipv6-nat
index 3f57c56dea78..e7816860f4a7 100644
--- a/files/nftables/ipv6-nat
+++ b/files/nftables/ipv6-nat
@@ -1,6 +1,8 @@
 #! @sbindir@nft -f
 
 table ip6 nat {
-   chain prerouting{ type nat hook prerouting priority -150; }
-   chain postrouting   { type nat hook postrouting priority -150; }
+   chain prerouting{ type nat hook prerouting priority -100; }
+   chain input { type nat hook input priority 100; }
+   chain output{ type nat hook output priority -100; }
+   chain postrouting   { type nat hook postrouting priority 100; }
 }
-- 
2.13.0



Re: [PATCH nft 2/2] src: limit stateful object support

2017-08-23 Thread Pablo M. Bermudo Garay
Maybe the commit title is confusing, since "limit" reads as the usual
imperative verb rather than a noun.

Pablo, should I resend the patches with a better title?


Re: [PATCH nf-next 1/3] netfilter: convert hook list to an array

2017-08-23 Thread Aaron Conole
Eric Dumazet  writes:

> On Wed, 2017-08-23 at 17:26 +0200, Florian Westphal wrote:
>> From: Aaron Conole 
>
> ...
>
>> -static struct nf_hook_entry __rcu **nf_hook_entry_head(struct net
>> *net, const struct nf_hook_ops *reg)
>> +static struct nf_hook_entries *allocate_hook_entries_size(u16 num)
>> +{
>> +struct nf_hook_entries *e;
>> +size_t alloc = sizeof(*e) +
>> +   sizeof(struct nf_hook_entry) * num +
>> +   sizeof(struct nf_hook_ops *) * num;
>> +
>> +if (num == 0)
>> +return NULL;
>> +
>> +e = kvmalloc(alloc, GFP_KERNEL);
>> +if (e) {
>> +memset(e, 0, alloc);
>> +e->num_hook_entries = num;
>> +}
>
>
> nit:
>
>   e = kvzalloc(alloc, GFP_KERNEL);
>   if (e)
>   e->num_hook_entries = num;

d'oh!  Thanks for spotting.


[PATCH nft 1/2] parser: fix typo

2017-08-23 Thread Pablo M. Bermudo Garay
Separator was misspelled as "seperator" in a symbol name.

Signed-off-by: Pablo M. Bermudo Garay 
---
 src/parser_bison.y | 74 +++---
 1 file changed, 37 insertions(+), 37 deletions(-)

diff --git a/src/parser_bison.y b/src/parser_bison.y
index 18be53e..ca86df5 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -699,7 +699,7 @@ input   :   /* empty */
}
;
 
-stmt_seperator :   NEWLINE
+stmt_separator :   NEWLINE
|   SEMICOLON
;
 
@@ -707,7 +707,7 @@ opt_newline :   NEWLINE
|   /* empty */
;
 
-common_block   :   INCLUDE QUOTED_STRING   stmt_seperator
+common_block   :   INCLUDE QUOTED_STRING   stmt_separator
{
if (scanner_include_file(scanner, $2, &@$) < 0) 
{
xfree($2);
@@ -715,7 +715,7 @@ common_block:   INCLUDE 
QUOTED_STRING   stmt_seperator
}
xfree($2);
}
-   |   DEFINE  identifier  '=' 
initializer_exprstmt_seperator
+   |   DEFINE  identifier  '=' 
initializer_exprstmt_separator
{
struct scope *scope = current_scope(state);
 
@@ -728,7 +728,7 @@ common_block:   INCLUDE 
QUOTED_STRING   stmt_seperator
symbol_bind(scope, $2, $4);
xfree($2);
}
-   |   error   stmt_seperator
+   |   error   stmt_separator
{
if (++state->nerrs == max_errors)
YYABORT;
@@ -737,8 +737,8 @@ common_block:   INCLUDE 
QUOTED_STRING   stmt_seperator
;
 
 line   :   common_block{ $$ = NULL; }
-   |   stmt_seperator  { $$ = NULL; }
-   |   base_cmdstmt_seperator  { $$ = $1; }
+   |   stmt_separator  { $$ = NULL; }
+   |   base_cmdstmt_separator  { $$ = $1; }
|   base_cmdTOKEN_EOF
{
/*
@@ -851,7 +851,7 @@ add_cmd :   TABLE   
table_spec
{
$$ = cmd_alloc(CMD_ADD, CMD_OBJ_QUOTA, &$2, 
&@$, $3);
}
-   |   CT  STRING  obj_specct_obj_alloc
'{' ct_block '}'stmt_seperator
+   |   CT  STRING  obj_specct_obj_alloc
'{' ct_block '}'stmt_separator
{
struct error_record *erec;
int type;
@@ -930,7 +930,7 @@ create_cmd  :   TABLE   table_spec
{
$$ = cmd_alloc(CMD_CREATE, CMD_OBJ_QUOTA, &$2, 
&@$, $3);
}
-   |   CT  STRING  obj_specct_obj_alloc
'{' ct_block '}'stmt_seperator
+   |   CT  STRING  obj_specct_obj_alloc
'{' ct_block '}'stmt_separator
{
struct error_record *erec;
int type;
@@ -1238,11 +1238,11 @@ table_options   :   FLAGS   STRING
 
 table_block:   /* empty */ { $$ = $-1; }
|   table_block common_block
-   |   table_block stmt_seperator
-   |   table_block table_options   stmt_seperator
+   |   table_block stmt_separator
+   |   table_block table_options   stmt_separator
|   table_block CHAIN   chain_identifier
chain_block_alloc   '{' 
chain_block '}'
-   stmt_seperator
+   stmt_separator
{
$4->location = @3;
handle_merge(&$4->handle, &$3);
@@ -1253,7 +1253,7 @@ table_block   :   /* empty */ { $$ = 
$-1; }
}
 

[PATCH nft 2/2] src: limit stateful object support

2017-08-23 Thread Pablo M. Bermudo Garay
This patch adds support for a new type of stateful object: limit.
Creation, deletion and listing operations are supported.

Signed-off-by: Pablo M. Bermudo Garay 
---
 include/linux/netfilter/nf_tables.h |   3 +-
 include/rule.h  |  13 +
 include/statement.h |   1 +
 src/evaluate.c  |   5 ++
 src/netlink.c   |  19 +++
 src/parser_bison.y  | 101 ++--
 src/rule.c  |  43 ++-
 src/scanner.l   |   1 +
 src/statement.c |   3 +-
 9 files changed, 183 insertions(+), 6 deletions(-)

diff --git a/include/linux/netfilter/nf_tables.h 
b/include/linux/netfilter/nf_tables.h
index 5441b19..f328944 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -1278,7 +1278,8 @@ enum nft_ct_helper_attributes {
 #define NFT_OBJECT_COUNTER 1
 #define NFT_OBJECT_QUOTA   2
 #define NFT_OBJECT_CT_HELPER   3
-#define __NFT_OBJECT_MAX   4
+#define NFT_OBJECT_LIMIT   4
+#define __NFT_OBJECT_MAX   5
 #define NFT_OBJECT_MAX (__NFT_OBJECT_MAX - 1)
 
 /**
diff --git a/include/rule.h b/include/rule.h
index 10ac0e2..94f7bb5 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -272,6 +272,14 @@ struct ct_helper {
uint8_t l4proto;
 };
 
+struct limit {
+   uint64_trate;
+   uint64_tunit;
+   uint32_tburst;
+   uint32_ttype;
+   uint32_tflags;
+};
+
 /**
  * struct obj - nftables stateful object statement
  *
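Review bot: `struct limit` is introduced with five undocumented fields, while the same header documents `struct obj` with a kernel-doc block and this very patch adds `@CMD_OBJ_LIMIT` entries to the enum comment. A short kernel-doc comment above the struct naming each field and the NFTNL_OBJ_LIMIT_RATE/UNIT/BURST/TYPE/FLAGS attribute it is serialized to (visible in the netlink.c hunk of this patch) would keep the header consistent. The meaning and scale of `unit`, and the value space of `type`, are not visible in this hunk, so confirm them against the kernel side before writing them down.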
@@ -291,6 +299,7 @@ struct obj {
struct counter  counter;
struct quotaquota;
struct ct_helperct_helper;
+   struct limitlimit;
};
 };
 
@@ -357,6 +366,8 @@ enum cmd_ops {
  * @CMD_OBJ_COUNTERS:  multiple counters
  * @CMD_OBJ_QUOTA: quota
  * @CMD_OBJ_QUOTAS:multiple quotas
+ * @CMD_OBJ_LIMIT: limit
+ * @CMD_OBJ_LIMITS:multiple limits
  */
 enum cmd_obj {
CMD_OBJ_INVALID,
@@ -381,6 +392,8 @@ enum cmd_obj {
CMD_OBJ_QUOTAS,
CMD_OBJ_CT_HELPER,
CMD_OBJ_CT_HELPERS,
+   CMD_OBJ_LIMIT,
+   CMD_OBJ_LIMITS,
 };
 
 struct export {
diff --git a/include/statement.h b/include/statement.h
index 6d8aaa8..2f702c3 100644
--- a/include/statement.h
+++ b/include/statement.h
@@ -325,5 +325,6 @@ extern void stmt_list_free(struct list_head *list);
 extern void stmt_print(const struct stmt *stmt, struct output_ctx *octx);
 
 const char *get_rate(uint64_t byte_rate, uint64_t *rate);
+const char *get_unit(uint64_t u);
 
 #endif /* NFTABLES_STATEMENT_H */
diff --git a/src/evaluate.c b/src/evaluate.c
index 3989d5e..a92a66d 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2997,6 +2997,7 @@ static int cmd_evaluate_add(struct eval_ctx *ctx, struct 
cmd *cmd)
case CMD_OBJ_COUNTER:
case CMD_OBJ_QUOTA:
case CMD_OBJ_CT_HELPER:
+   case CMD_OBJ_LIMIT:
return 0;
default:
BUG("invalid command object type %u\n", cmd->obj);
@@ -3022,6 +3023,7 @@ static int cmd_evaluate_delete(struct eval_ctx *ctx, 
struct cmd *cmd)
case CMD_OBJ_COUNTER:
case CMD_OBJ_QUOTA:
case CMD_OBJ_CT_HELPER:
+   case CMD_OBJ_LIMIT:
return 0;
default:
BUG("invalid command object type %u\n", cmd->obj);
@@ -3111,9 +3113,12 @@ static int cmd_evaluate_list(struct eval_ctx *ctx, 
struct cmd *cmd)
return cmd_evaluate_list_obj(ctx, cmd, NFT_OBJECT_COUNTER);
case CMD_OBJ_CT_HELPER:
return cmd_evaluate_list_obj(ctx, cmd, NFT_OBJECT_CT_HELPER);
+   case CMD_OBJ_LIMIT:
+   return cmd_evaluate_list_obj(ctx, cmd, NFT_OBJECT_LIMIT);
case CMD_OBJ_COUNTERS:
case CMD_OBJ_QUOTAS:
case CMD_OBJ_CT_HELPERS:
+   case CMD_OBJ_LIMITS:
case CMD_OBJ_SETS:
if (cmd->handle.table == NULL)
return 0;
diff --git a/src/netlink.c b/src/netlink.c
index f6eb08f..a165809 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -328,6 +328,13 @@ alloc_nftnl_obj(const struct handle *h, struct obj *obj)
nftnl_obj_set_u16(nlo, NFTNL_OBJ_CT_HELPER_L3PROTO,
  obj->ct_helper.l3proto);
break;
+   case NFT_OBJECT_LIMIT:
+   nftnl_obj_set_u64(nlo, NFTNL_OBJ_LIMIT_RATE, obj->limit.rate);
+   nftnl_obj_set_u64(nlo, NFTNL_OBJ_LIMIT_UNIT, obj->limit.unit);
+   nftnl_obj_set_u32(nlo, NFTNL_OBJ_LIMIT_BURST, obj->limit.burst);
+   nftnl_obj_set_u32(nlo, NFTNL_OBJ_LIMIT_TYPE, obj->limit.type);
+   nftnl_obj_set_u32(nlo, NFTNL_OBJ_LIMIT_FLAGS, obj->limit.flags);
+   break;
default:
BUG("Unknown type %d\n", 

[PATCH libnftnl] src: limit stateful object support

2017-08-23 Thread Pablo M. Bermudo Garay
This patch adds support for a new type of stateful object: limit.

Signed-off-by: Pablo M. Bermudo Garay 
---
 include/libnftnl/object.h   |   8 ++
 include/linux/netfilter/nf_tables.h |   3 +-
 include/obj.h   |   8 ++
 src/Makefile.am |   1 +
 src/obj/limit.c | 238 
 src/object.c|   3 +-
 6 files changed, 259 insertions(+), 2 deletions(-)
 create mode 100644 src/obj/limit.c

diff --git a/include/libnftnl/object.h b/include/libnftnl/object.h
index ccd9d19..1c3bc7c 100644
--- a/include/libnftnl/object.h
+++ b/include/libnftnl/object.h
@@ -40,6 +40,14 @@ enum {
NFTNL_OBJ_CT_HELPER_L4PROTO,
 };
 
+enum {
+   NFTNL_OBJ_LIMIT_RATE= NFTNL_OBJ_BASE,
+   NFTNL_OBJ_LIMIT_UNIT,
+   NFTNL_OBJ_LIMIT_BURST,
+   NFTNL_OBJ_LIMIT_TYPE,
+   NFTNL_OBJ_LIMIT_FLAGS,
+};
+
 struct nftnl_obj;
 
 struct nftnl_obj *nftnl_obj_alloc(void);
diff --git a/include/linux/netfilter/nf_tables.h 
b/include/linux/netfilter/nf_tables.h
index 2e174d8..874fa3f 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -1278,7 +1278,8 @@ enum nft_ct_helper_attributes {
 #define NFT_OBJECT_COUNTER 1
 #define NFT_OBJECT_QUOTA   2
 #define NFT_OBJECT_CT_HELPER   3
-#define __NFT_OBJECT_MAX   4
+#define NFT_OBJECT_LIMIT   4
+#define __NFT_OBJECT_MAX   5
 #define NFT_OBJECT_MAX (__NFT_OBJECT_MAX - 1)
 
 /**
diff --git a/include/obj.h b/include/obj.h
index d90919f..d17d63a 100644
--- a/include/obj.h
+++ b/include/obj.h
@@ -35,6 +35,13 @@ struct nftnl_obj {
uint8_t l4proto;
charname[16];
} ct_helper;
+   struct nftnl_obj_limit {
+   uint64_trate;
+   uint64_tunit;
+   uint32_tburst;
+   uint32_ttype;
+   uint32_tflags;
+   } limit;
} data;
 };
 
@@ -55,6 +62,7 @@ struct obj_ops {
 extern struct obj_ops obj_ops_counter;
 extern struct obj_ops obj_ops_quota;
 extern struct obj_ops obj_ops_ct_helper;
+extern struct obj_ops obj_ops_limit;
 
 #define nftnl_obj_data(obj) (void *)>data
 
diff --git a/src/Makefile.am b/src/Makefile.am
index 77b67b2..59ddf6a 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -55,4 +55,5 @@ libnftnl_la_SOURCES = utils.c \
  obj/counter.c \
  obj/ct_helper.c   \
  obj/quota.c   \
+ obj/limit.c   \
  libnftnl.map
diff --git a/src/obj/limit.c b/src/obj/limit.c
new file mode 100644
index 000..8cf0faa
--- /dev/null
+++ b/src/obj/limit.c
@@ -0,0 +1,238 @@
+/*
+ * Copyright (c) 2017 Pablo M. Bermudo Garay 
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published
+ * by the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+
+#include "internal.h"
+#include 
+#include 
+
+#include "obj.h"
+
+static int nftnl_obj_limit_set(struct nftnl_obj *e, uint16_t type,
+  const void *data, uint32_t data_len)
+{
+   struct nftnl_obj_limit *limit = nftnl_obj_data(e);
+
+   switch (type) {
+   case NFTNL_OBJ_LIMIT_RATE:
+   limit->rate = *((uint64_t *)data);
+   break;
+   case NFTNL_OBJ_LIMIT_UNIT:
+   limit->unit = *((uint64_t *)data);
+   break;
+   case NFTNL_OBJ_LIMIT_BURST:
+   limit->burst = *((uint32_t *)data);
+   break;
+   case NFTNL_OBJ_LIMIT_TYPE:
+   limit->type = *((uint32_t *)data);
+   break;
+   case NFTNL_OBJ_LIMIT_FLAGS:
+   limit->flags = *((uint32_t *)data);
+   break;
+   default:
+   return -1;
+   }
+   return 0;
+}
+
+static const void *nftnl_obj_limit_get(const struct nftnl_obj *e,
+  uint16_t type, uint32_t *data_len)
+{
+   struct nftnl_obj_limit *limit = nftnl_obj_data(e);
+
+   switch (type) {
+   case NFTNL_OBJ_LIMIT_RATE:
+   *data_len = sizeof(limit->rate);
+   return >rate;
+   case NFTNL_OBJ_LIMIT_UNIT:
+   *data_len = sizeof(limit->unit);
+   return >unit;
+   case NFTNL_OBJ_LIMIT_BURST:
+   *data_len = sizeof(limit->burst);
+   return >burst;
+   case NFTNL_OBJ_LIMIT_TYPE:
+   *data_len = sizeof(limit->type);
+   return >type;
+   case NFTNL_OBJ_LIMIT_FLAGS:
+   *data_len = sizeof(limit->flags);
+

[PATCH nf-next 3/3] netfilter: nft_limit: add stateful object type

2017-08-23 Thread Pablo M. Bermudo Garay
Register a new limit stateful object type into the stateful object
infrastructure.

Signed-off-by: Pablo M. Bermudo Garay 
---
 include/uapi/linux/netfilter/nf_tables.h |   3 +-
 net/netfilter/nft_limit.c| 118 ++-
 2 files changed, 119 insertions(+), 2 deletions(-)

diff --git a/include/uapi/linux/netfilter/nf_tables.h 
b/include/uapi/linux/netfilter/nf_tables.h
index dc7661c293b8..ca5c36876bac 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1278,7 +1278,8 @@ enum nft_ct_helper_attributes {
 #define NFT_OBJECT_COUNTER 1
 #define NFT_OBJECT_QUOTA   2
 #define NFT_OBJECT_CT_HELPER   3
-#define __NFT_OBJECT_MAX   4
+#define NFT_OBJECT_LIMIT   4
+#define __NFT_OBJECT_MAX   5
 #define NFT_OBJECT_MAX (__NFT_OBJECT_MAX - 1)
 
 /**
diff --git a/net/netfilter/nft_limit.c b/net/netfilter/nft_limit.c
index d66b4de5b07c..b6903df21fc4 100644
--- a/net/netfilter/nft_limit.c
+++ b/net/netfilter/nft_limit.c
@@ -226,14 +226,129 @@ static struct nft_expr_type nft_limit_type __read_mostly 
= {
.owner  = THIS_MODULE,
 };
 
+static void nft_limit_obj_pkts_eval(struct nft_object *obj,
+   struct nft_regs *regs,
+   const struct nft_pktinfo *pkt)
+{
+   struct nft_limit_pkts *priv = nft_obj_data(obj);
+
+   if (nft_limit_eval(>limit, priv->cost))
+   regs->verdict.code = NFT_BREAK;
+}
+
+static int nft_limit_obj_pkts_init(const struct nft_ctx *ctx,
+  const struct nlattr * const tb[],
+  struct nft_object *obj)
+{
+   struct nft_limit_pkts *priv = nft_obj_data(obj);
+   int err;
+
+   err = nft_limit_init(>limit, tb);
+   if (err < 0)
+   return err;
+
+   priv->cost = div64_u64(priv->limit.nsecs, priv->limit.rate);
+   return 0;
+}
+
+static int nft_limit_obj_pkts_dump(struct sk_buff *skb,
+  struct nft_object *obj,
+  bool reset)
+{
+   const struct nft_limit_pkts *priv = nft_obj_data(obj);
+
+   return nft_limit_dump(skb, >limit, NFT_LIMIT_PKTS);
+}
+
+static const struct nft_object_ops nft_limit_obj_pkts_ops = {
+   .size   = NFT_EXPR_SIZE(sizeof(struct nft_limit_pkts)),
+   .init   = nft_limit_obj_pkts_init,
+   .eval   = nft_limit_obj_pkts_eval,
+   .dump   = nft_limit_obj_pkts_dump,
+};
+
+static void nft_limit_obj_bytes_eval(struct nft_object *obj,
+struct nft_regs *regs,
+const struct nft_pktinfo *pkt)
+{
+   struct nft_limit *priv = nft_obj_data(obj);
+   u64 cost = div64_u64(priv->nsecs * pkt->skb->len, priv->rate);
+
+   if (nft_limit_eval(priv, cost))
+   regs->verdict.code = NFT_BREAK;
+}
+
+static int nft_limit_obj_bytes_init(const struct nft_ctx *ctx,
+   const struct nlattr * const tb[],
+   struct nft_object *obj)
+{
+   struct nft_limit *priv = nft_obj_data(obj);
+
+   return nft_limit_init(priv, tb);
+}
+
+static int nft_limit_obj_bytes_dump(struct sk_buff *skb,
+   struct nft_object *obj,
+   bool reset)
+{
+   const struct nft_limit *priv = nft_obj_data(obj);
+
+   return nft_limit_dump(skb, priv, NFT_LIMIT_BYTES);
+}
+
+static const struct nft_object_ops nft_limit_obj_bytes_ops = {
+   .size   = sizeof(struct nft_limit),
+   .init   = nft_limit_obj_bytes_init,
+   .eval   = nft_limit_obj_bytes_eval,
+   .dump   = nft_limit_obj_bytes_dump,
+};
+
+static const struct nft_object_ops *
+nft_limit_obj_select_ops(const struct nft_ctx *ctx,
+const struct nlattr * const tb[])
+{
+   if (!tb[NFTA_LIMIT_TYPE])
+   return _limit_obj_pkts_ops;
+
+   switch (ntohl(nla_get_be32(tb[NFTA_LIMIT_TYPE]))) {
+   case NFT_LIMIT_PKTS:
+   return _limit_obj_pkts_ops;
+   case NFT_LIMIT_BYTES:
+   return _limit_obj_bytes_ops;
+   }
+   return ERR_PTR(-EOPNOTSUPP);
+}
+
+static struct nft_object_type nft_limit_obj __read_mostly = {
+   .select_ops = nft_limit_obj_select_ops,
+   .type   = NFT_OBJECT_LIMIT,
+   .maxattr= NFTA_LIMIT_MAX,
+   .policy = nft_limit_policy,
+   .owner  = THIS_MODULE,
+};
+
 static int __init nft_limit_module_init(void)
 {
-   return nft_register_expr(_limit_type);
+   int err;
+
+   err = nft_register_obj(_limit_obj);
+   if (err < 0)
+   return err;
+
+   err = nft_register_expr(_limit_type);
+   if (err < 0)
+   goto err1;
+
+   return 0;
+err1:
+   

[PATCH nf-next 2/3] netfilter: nft_limit: replace pkt_bytes with bytes

2017-08-23 Thread Pablo M. Bermudo Garay
Just a small refactoring patch to improve code readability.

Signed-off-by: Pablo M. Bermudo Garay 
---
 include/uapi/linux/netfilter/nf_tables.h |  2 +-
 net/netfilter/nft_limit.c| 30 +++---
 2 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/include/uapi/linux/netfilter/nf_tables.h 
b/include/uapi/linux/netfilter/nf_tables.h
index be25cf69295b..dc7661c293b8 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -946,7 +946,7 @@ enum nft_ct_attributes {
 
 enum nft_limit_type {
NFT_LIMIT_PKTS,
-   NFT_LIMIT_PKT_BYTES
+   NFT_LIMIT_BYTES
 };
 
 enum nft_limit_flags {
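Review bot: `NFT_LIMIT_PKT_BYTES` lives in a uapi header, so renaming it to `NFT_LIMIT_BYTES` breaks source compatibility for any userspace that still spells the old name, even though its numeric value is unchanged and the wire ABI is intact. Unless the old name is known to have no external users, keep a compatibility alias next to the enum, e.g. `#define NFT_LIMIT_PKT_BYTES NFT_LIMIT_BYTES`, so userspace copies of nf_tables.h can adopt the rename at their own pace.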
diff --git a/net/netfilter/nft_limit.c b/net/netfilter/nft_limit.c
index 18dd57a52651..d66b4de5b07c 100644
--- a/net/netfilter/nft_limit.c
+++ b/net/netfilter/nft_limit.c
@@ -165,9 +165,9 @@ static const struct nft_expr_ops nft_limit_pkts_ops = {
.dump   = nft_limit_pkts_dump,
 };
 
-static void nft_limit_pkt_bytes_eval(const struct nft_expr *expr,
-struct nft_regs *regs,
-const struct nft_pktinfo *pkt)
+static void nft_limit_bytes_eval(const struct nft_expr *expr,
+struct nft_regs *regs,
+const struct nft_pktinfo *pkt)
 {
struct nft_limit *priv = nft_expr_priv(expr);
u64 cost = div64_u64(priv->nsecs * pkt->skb->len, priv->rate);
@@ -176,29 +176,29 @@ static void nft_limit_pkt_bytes_eval(const struct 
nft_expr *expr,
regs->verdict.code = NFT_BREAK;
 }
 
-static int nft_limit_pkt_bytes_init(const struct nft_ctx *ctx,
-   const struct nft_expr *expr,
-   const struct nlattr * const tb[])
+static int nft_limit_bytes_init(const struct nft_ctx *ctx,
+   const struct nft_expr *expr,
+   const struct nlattr * const tb[])
 {
struct nft_limit *priv = nft_expr_priv(expr);
 
return nft_limit_init(priv, tb);
 }
 
-static int nft_limit_pkt_bytes_dump(struct sk_buff *skb,
-   const struct nft_expr *expr)
+static int nft_limit_bytes_dump(struct sk_buff *skb,
+   const struct nft_expr *expr)
 {
const struct nft_limit *priv = nft_expr_priv(expr);
 
-   return nft_limit_dump(skb, priv, NFT_LIMIT_PKT_BYTES);
+   return nft_limit_dump(skb, priv, NFT_LIMIT_BYTES);
 }
 
-static const struct nft_expr_ops nft_limit_pkt_bytes_ops = {
+static const struct nft_expr_ops nft_limit_bytes_ops = {
.type   = _limit_type,
.size   = NFT_EXPR_SIZE(sizeof(struct nft_limit)),
-   .eval   = nft_limit_pkt_bytes_eval,
-   .init   = nft_limit_pkt_bytes_init,
-   .dump   = nft_limit_pkt_bytes_dump,
+   .eval   = nft_limit_bytes_eval,
+   .init   = nft_limit_bytes_init,
+   .dump   = nft_limit_bytes_dump,
 };
 
 static const struct nft_expr_ops *
@@ -211,8 +211,8 @@ nft_limit_select_ops(const struct nft_ctx *ctx,
switch (ntohl(nla_get_be32(tb[NFTA_LIMIT_TYPE]))) {
case NFT_LIMIT_PKTS:
return _limit_pkts_ops;
-   case NFT_LIMIT_PKT_BYTES:
-   return _limit_pkt_bytes_ops;
+   case NFT_LIMIT_BYTES:
+   return _limit_bytes_ops;
}
return ERR_PTR(-EOPNOTSUPP);
 }
-- 
2.14.1



Re: [nft PATCH] Keep cache in struct nft_ctx

2017-08-23 Thread Pablo Neira Ayuso
On Tue, Aug 22, 2017 at 02:40:04PM +0200, Phil Sutter wrote:
> This is preliminary work for Eric's libnftables patchset.

Applied, thanks Phil.


Re: [PATCH nf-next 1/3] netfilter: convert hook list to an array

2017-08-23 Thread Eric Dumazet
On Wed, 2017-08-23 at 17:26 +0200, Florian Westphal wrote:
> From: Aaron Conole 

...

> -static struct nf_hook_entry __rcu **nf_hook_entry_head(struct net *net, 
> const struct nf_hook_ops *reg)
> +static struct nf_hook_entries *allocate_hook_entries_size(u16 num)
> +{
> + struct nf_hook_entries *e;
> + size_t alloc = sizeof(*e) +
> +sizeof(struct nf_hook_entry) * num +
> +sizeof(struct nf_hook_ops *) * num;
> +
> + if (num == 0)
> + return NULL;
> +
> + e = kvmalloc(alloc, GFP_KERNEL);
> + if (e) {
> + memset(e, 0, alloc);
> + e->num_hook_entries = num;
> + }


nit:

e = kvzalloc(alloc, GFP_KERNEL);
if (e)
e->num_hook_entries = num;




[PATCH nft] files: add arp filter and add in/output to nat skeleton

2017-08-23 Thread Florian Westphal
Signed-off-by: Florian Westphal 
---
 files/nftables/Makefile.am | 3 ++-
 files/nftables/ipv4-nat| 6 --
 files/nftables/ipv6-nat| 6 --
 3 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/files/nftables/Makefile.am b/files/nftables/Makefile.am
index a4c7ac7c980b..77d5c2a66e8f 100644
--- a/files/nftables/Makefile.am
+++ b/files/nftables/Makefile.am
@@ -1,6 +1,7 @@
 
 pkgsysconfdir = ${sysconfdir}/nftables
-dist_pkgsysconf_DATA = bridge-filter   \
+dist_pkgsysconf_DATA = arp-filter  \
+   bridge-filter   \
inet-filter \
ipv4-filter \
ipv4-mangle \
diff --git a/files/nftables/ipv4-nat b/files/nftables/ipv4-nat
index 01c6c3d8d6a1..130a729b1d36 100644
--- a/files/nftables/ipv4-nat
+++ b/files/nftables/ipv4-nat
@@ -1,6 +1,8 @@
 #! @sbindir@nft -f
 
 table nat {
-   chain prerouting{ type nat hook prerouting priority -150; }
-   chain postrouting   { type nat hook postrouting priority -150; }
+   chain prerouting{ type nat hook prerouting priority -100; }
+   chain input { type nat hook input priority 100; }
+   chain output{ type nat hook output priority -100; }
+   chain postrouting   { type nat hook postrouting priority 100; }
 }
diff --git a/files/nftables/ipv6-nat b/files/nftables/ipv6-nat
index 3f57c56dea78..e7816860f4a7 100644
--- a/files/nftables/ipv6-nat
+++ b/files/nftables/ipv6-nat
@@ -1,6 +1,8 @@
 #! @sbindir@nft -f
 
 table ip6 nat {
-   chain prerouting{ type nat hook prerouting priority -150; }
-   chain postrouting   { type nat hook postrouting priority -150; }
+   chain prerouting{ type nat hook prerouting priority -100; }
+   chain input { type nat hook input priority 100; }
+   chain output{ type nat hook output priority -100; }
+   chain postrouting   { type nat hook postrouting priority 100; }
 }
-- 
2.13.0



[PATCH nf-next 2/3] netfilter: debug: check for sorted array

2017-08-23 Thread Florian Westphal
Make sure our grow/shrink routines place the hook entries in the correct order.

Signed-off-by: Florian Westphal 
---
 net/netfilter/core.c | 23 +++
 1 file changed, 23 insertions(+)

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 6212958c9c58..8ca26729430b 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -159,6 +159,27 @@ nf_hook_entries_grow(const struct nf_hook_entries *old,
return new;
 }
 
+static void hooks_validate(const struct nf_hook_entries *hooks)
+{
+#ifdef CONFIG_DEBUG_KERNEL
+   struct nf_hook_ops **orig_ops;
+   int prio = INT_MIN;
+   size_t i = 0;
+
+   orig_ops = nf_hook_entries_get_hook_ops(hooks);
+
+   for (i = 0; i < hooks->num_hook_entries; i++) {
+   if (orig_ops[i] == _ops)
+   continue;
+
+   WARN_ON(orig_ops[i]->priority < prio);
+
+   if (orig_ops[i]->priority > prio)
+   prio = orig_ops[i]->priority;
+   }
+#endif
+}
+
 /*
  * __nf_hook_entries_try_shrink - try to shrink hook array
  *
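Review bot: hooks_validate has no comment saying what it checks or that it compiles to an empty function outside CONFIG_DEBUG_KERNEL; a header line such as `/* Debug aid: WARN if the trailer ops are not sorted by ascending priority; placeholder entries are skipped. */` above the definition would make both points clear to the next reader. A small style nit in the body: `size_t i = 0;` is immediately re-initialised by the `for`, so the declaration can drop its initializer. The sentinel comparison reads `orig_ops[i] == _ops` here, which looks like `&dummy_ops` with part of the token lost in extraction — presumably the placeholder the shrink path leaves behind, which is why it is skipped before its priority is read.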
@@ -212,6 +233,7 @@ static void *__nf_hook_entries_try_shrink(struct 
nf_hook_entries __rcu **pp)
new_ops[j] = (void *)orig_ops[i];
j++;
}
+   hooks_validate(new);
 out_assign:
rcu_assign_pointer(*pp, new);
return old;
@@ -263,6 +285,7 @@ int nf_register_net_hook(struct net *net, const struct 
nf_hook_ops *reg)
if (IS_ERR(new_hooks))
return PTR_ERR(new_hooks);
 
+   hooks_validate(new_hooks);
 #ifdef CONFIG_NETFILTER_INGRESS
if (reg->pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS)
net_inc_ingress_queue();
-- 
2.13.0



[PATCH nf-next 1/3] netfilter: convert hook list to an array

2017-08-23 Thread Florian Westphal
From: Aaron Conole 

This converts the storage and layout of netfilter hook entries from a
linked list to an array.  After this commit, hook entries will be
stored adjacent in memory.  The next pointer is no longer required.

The ops pointers are stored at the end of the array as they are only
used in the register/unregister path and in the legacy br_netfilter code.

nf_unregister_net_hooks() is slower than needed as it just calls
nf_unregister_net_hook in a loop (i.e. at least n synchronize_net()
calls); this will be addressed in a followup patch.

Test setup:
 - ixgbe 10gbit
 - netperf UDP_STREAM, 64 byte packets
 - 5 empty base hooks (2 * prerouting, 3 * input):

before: 353.9 mbit/s
after: 364.2 mbit/s

Signed-off-by: Aaron Conole 
Signed-off-by: Florian Westphal 
---
 NB: I did this test after merging
 net-next into my working branch.

 include/linux/netdevice.h |   2 +-
 include/linux/netfilter.h |  45 +++---
 include/linux/netfilter_ingress.h |   4 +-
 include/net/netfilter/nf_queue.h  |   2 +-
 include/net/netns/netfilter.h |   2 +-
 net/bridge/br_netfilter_hooks.c   |  19 ++-
 net/netfilter/core.c  | 299 --
 net/netfilter/nf_internals.h  |   3 +-
 net/netfilter/nf_queue.c  |  67 +
 9 files changed, 309 insertions(+), 134 deletions(-)

diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index 614642eb7eb7..ca0a30127300 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -1811,7 +1811,7 @@ struct net_device {
 #endif
struct netdev_queue __rcu *ingress_queue;
 #ifdef CONFIG_NETFILTER_INGRESS
-   struct nf_hook_entry __rcu *nf_hooks_ingress;
+   struct nf_hook_entries __rcu *nf_hooks_ingress;
 #endif
 
unsigned char   broadcast[MAX_ADDR_LEN];
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 22f081065d49..f84bca1703cd 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -72,25 +72,32 @@ struct nf_hook_ops {
 };
 
 struct nf_hook_entry {
-   struct nf_hook_entry __rcu  *next;
nf_hookfn   *hook;
void*priv;
-   const struct nf_hook_ops*orig_ops;
 };
 
-static inline void
-nf_hook_entry_init(struct nf_hook_entry *entry,const struct 
nf_hook_ops *ops)
-{
-   entry->next = NULL;
-   entry->hook = ops->hook;
-   entry->priv = ops->priv;
-   entry->orig_ops = ops;
-}
+struct nf_hook_entries {
+   u16 num_hook_entries;
+   /* padding */
+   struct nf_hook_entryhooks[];
+
+   /* trailer: pointers to original orig_ops of each hook.
+*
+* This is not part of struct nf_hook_entry since its only
+* needed in slow path (hook register/unregister).
+*
+* const struct nf_hook_ops *orig_ops[]
+*/
+};
 
-static inline int
-nf_hook_entry_priority(const struct nf_hook_entry *entry)
+static inline struct nf_hook_ops **nf_hook_entries_get_hook_ops(const struct 
nf_hook_entries *e)
 {
-   return entry->orig_ops->priority;
+   unsigned int n = e->num_hook_entries;
+   const void *hook_end;
+
+   hook_end = >hooks[n]; /* this is *past* ->hooks[]! */
+
+   return (struct nf_hook_ops **)hook_end;
 }
 
 static inline int
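Review bot: nf_hook_entries_get_hook_ops() casts away the const of its argument and returns a writable `struct nf_hook_ops **` aliasing the memory just past `hooks[num_hook_entries]`, yet nothing in the header states that this trailer only exists when the object was allocated with room for `num_hook_entries` extra pointers after the flexible array; an `nf_hook_entries` built any other way would be read past its end. A comment on the accessor, e.g. `/* Only valid for arrays built by the core.c allocator: a trailer of num_hook_entries ops pointers directly follows hooks[]. Writable view; callers must not modify the ops themselves. */`, would pin that layout contract next to the code that relies on it. The trailer comment in the struct already describes the layout, so a cross-reference from the accessor is enough. Note that in this archive `hook_end = >hooks[n];` has lost its `&e` prefix to the mail rendering, so the expression should be read as taking the address of the element one past the array.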
@@ -100,12 +107,6 @@ nf_hook_entry_hookfn(const struct nf_hook_entry *entry, 
struct sk_buff *skb,
return entry->hook(entry->priv, skb, state);
 }
 
-static inline const struct nf_hook_ops *
-nf_hook_entry_ops(const struct nf_hook_entry *entry)
-{
-   return entry->orig_ops;
-}
-
 static inline void nf_hook_state_init(struct nf_hook_state *p,
  unsigned int hook,
  u_int8_t pf,
@@ -168,7 +169,7 @@ extern struct static_key 
nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
 #endif
 
 int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state,
-struct nf_hook_entry *entry);
+const struct nf_hook_entries *e, unsigned int i);
 
 /**
  * nf_hook - call a netfilter hook
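Review bot: the new nf_hook_slow() prototype adds an `unsigned int i` whose meaning is not documented, and the only visible caller (the nf_hook() hunk below) passes a bare `0`. A comment on the declaration such as `/* e: hook array to traverse; i: index of the first entry to run (0 for a fresh traversal) */` would let callers use it correctly. I am inferring the "start index" semantics from the literal 0 at the call site; confirm against the nf_hook_slow() body in core.c, which is not part of this chunk.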
@@ -182,7 +183,7 @@ static inline int nf_hook(u_int8_t pf, unsigned int hook, 
struct net *net,
  struct net_device *indev, struct net_device *outdev,
  int (*okfn)(struct net *, struct sock *, struct 
sk_buff *))
 {
-   struct nf_hook_entry *hook_head;
+   struct nf_hook_entries *hook_head;
int ret = 1;
 
 #ifdef HAVE_JUMP_LABEL
@@ -200,7 +201,7 @@ static inline int nf_hook(u_int8_t pf, unsigned int hook, 
struct net *net,
nf_hook_state_init(, hook, pf, indev, outdev,
   sk, net, okfn);
 
-   ret = nf_hook_slow(skb, , hook_head);
+   ret = nf_hook_slow(skb, , hook_head, 0);
}
rcu_read_unlock();
 

[PATCH nf-next 0/3] netfilter: convert hook list to an array

2017-08-23 Thread Florian Westphal
This series converts netfilter's linked list to an array.
This improves cache utilization as the next hook will be either
in same or next cacheline.

Tested:
- nfqueue test program still works
- ip and ebtables rule counters increment
- nftables can register base chains

Joint work with Aaron Conole.

Aaron Conole (1):
  netfilter: convert hook list to an array

Florian Westphal (4):
  netfilter: debug: check for sorted array
  netfilter: core: batch nf_unregister_net_hooks synchronize_net calls



Re: [PATCH] tests: json: Add test cases for json format

2017-08-23 Thread Arturo Borrero Gonzalez
On 22 August 2017 at 11:30, Shyam Saini  wrote:
>
> Should I send the version 2 of this patch with this script?
>

Yes,

my suggestion is:

* create a new testcase in nftables: tests/shell/testcases/import/yourscript_0
* put all the json files in: tests/shell/testcases/import/json and
read them from yourscript_0

In the script, use the $NFT environment variable to call nft.

This way we avoid adding a new testsuite just for this and reuse existing code.