Re: Proposal: rename of arptables.git and ebtables.git

2018-12-05 Thread Arturo Borrero Gonzalez
On 12/4/18 11:57 AM, Pablo Neira Ayuso wrote:
> On Tue, Dec 04, 2018 at 11:50:46AM +0100, Arturo Borrero Gonzalez wrote:
>> On 11/28/18 2:10 PM, Arturo Borrero Gonzalez wrote:
>>> On 11/28/18 1:44 PM, Arturo Borrero Gonzalez wrote:
>>>> Hi,
>>>>
>>>> Now that the iptables.git repo offers arptables-nft and ebtables-nft,
>>>> arptables.git holds arptables-legacy, etc, why don't we just rename the
>>>> repos?
>>>>
>>>> * from arptables.git to arptables-legacy.git
>>>> * from ebtables.git to ebtables-legacy.git
>>>>
>>>> This rename should help distros understand the differences between them
>>>> and better accommodate the packaging of all the related tooling.
>>>>
>>>> Mind that the rename may have side effects in tarball
>>>> generation/publishing etc. I would expect the new arptables tarball to
>>>> include the '-legacy' keyword, and same for ebtables.
>>>>
>>>> If we go ahead with the rename, a new release is worth having,
>>>> announcing these changes as well.
>>>>
>>>
>>> Also,
>>>
>>> please consider applying the attached patch.
>>>
>>
>> ping :-)
> 
> Phil suggested no rename of the trees, I can update the description in
> git.netfilter.org to place LEGACY there. Concern as you mentioned is
> that it may break existing links/scripts. Not sure git supports
> redirections from old repo URI to new one...
> 

Most people use these tools from distributions, and if using directly
from git.netfilter.org they won't have problems finding a new URL. If
manually downloading a tarball from netfilter.org, even less of a problem.
Distro packagers would have to refresh the upstream URL, sure, but
that's really a minor thing compared to the big -legacy -nft movement,
which requires a lot of other renaming and adjustments anyway.

My suggestion of the rename of the .git repo is because I already
detected several confused people who don't understand the relationship
between arptables-legacy, arptables-nft and the .git repos they are
served from (and same for ebtables).

Also, it's worth considering that having the repo clearly state -legacy in
the name will help raise awareness of the -nft version, which could
serve as another motivation to encourage migration.

I don't even have a strong opinion on this :-) it was just a proposal because
I see several benefits.

> I think it's fine to apply a patch to add the "-legacy" postfix as we
> do in iptables.
> 
> Are you OK with this approach?
> 

I would apply the -legacy renaming patch regardless. We already did this
with arptables after the agreement @ NFWS. In fact, me sending the patch
now (instead of last summer) is just my lack of time to write it earlier :-)

Also, once the patch is applied, we should consider a release of both
arptables and ebtables now that iptables contains the -nft variant and
is being used in the wild.


Re: Proposal: rename of arptables.git and ebtables.git

2018-12-04 Thread Arturo Borrero Gonzalez
On 11/28/18 2:10 PM, Arturo Borrero Gonzalez wrote:
> On 11/28/18 1:44 PM, Arturo Borrero Gonzalez wrote:
>> Hi,
>>
>> Now that the iptables.git repo offers arptables-nft and ebtables-nft,
>> arptables.git holds arptables-legacy, etc, why don't we just rename the
>> repos?
>>
>> * from arptables.git to arptables-legacy.git
>> * from ebtables.git to ebtables-legacy.git
>>
>> This rename should help distros understand the differences between them
>> and better accommodate the packaging of all the related tooling.
>>
>> Mind that the rename may have side effects in tarball
>> generation/publishing etc. I would expect the new arptables tarball to
>> include the '-legacy' keyword, and same for ebtables.
>>
>> If we go ahead with the rename, a new release is worth having,
>> announcing these changes as well.
>>
> 
> Also,
> 
> please consider applying the attached patch.
> 

ping :-)


[PATCH nft] tests: fix return codes

2018-11-28 Thread Arturo Borrero Gonzalez
Please,

consider merging the attached patch.

thanks.
commit 3497067ca187047c61d89ccad6eab4ebf5df9219
Author: Arturo Borrero Gonzalez 
Date:   Wed Nov 28 14:31:57 2018 +0100

tests: fix return codes

Try to return != 0 if a testsuite fails.

Signed-off-by: Arturo Borrero Gonzalez 

diff --git a/tests/build/run-tests.sh b/tests/build/run-tests.sh
index 626f6fd..b0560da 100755
--- a/tests/build/run-tests.sh
+++ b/tests/build/run-tests.sh
@@ -52,4 +52,4 @@ done
 rm -rf $tmpdir
 
 echo "results: [OK] $ok [FAILED] $failed [TOTAL] $((ok+failed))"
-exit 0
+exit $failed
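Review bot: `exit $failed` only reports failure while the count stays below 256: the shell truncates the exit status to 8 bits, so a run with exactly 256 (or any multiple of 256) failed tests exits 0 again. Clamp it instead, e.g. `exit $((failed > 0))`, or make `[ "$failed" -eq 0 ]` the last command, which keeps the status meaningful for CI that only looks at zero/non-zero.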
diff --git a/tests/monitor/run-tests.sh b/tests/monitor/run-tests.sh
index f408988..0478cf6 100755
--- a/tests/monitor/run-tests.sh
+++ b/tests/monitor/run-tests.sh
@@ -17,7 +17,7 @@ fi
 testdir=$(mktemp -d)
 if [ ! -d $testdir ]; then
 	echo "Failed to create test directory" >&2
-	exit 0
+	exit 1
 fi
 trap "rm -rf $testdir; $nft flush ruleset" EXIT
 
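Review bot: this hunk fixes only the mktemp failure path; the final exit of tests/monitor/run-tests.sh is not touched by the patch, so please confirm it already propagates a non-zero status when a test fails, otherwise the monitor suite keeps returning 0 while the build and shell runners now don't.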
diff --git a/tests/shell/run-tests.sh b/tests/shell/run-tests.sh
index 5b0ec41..fdca5fb 100755
--- a/tests/shell/run-tests.sh
+++ b/tests/shell/run-tests.sh
@@ -152,4 +152,4 @@ echo ""
 msg_info "results: [OK] $ok [FAILED] $failed [TOTAL] $((ok+failed))"
 
 kernel_cleanup
-exit 0
+exit $failed
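Review bot: same 8-bit truncation as in tests/build/run-tests.sh: `exit $failed` wraps to 0 once the failure count reaches 256, so prefer `exit $((failed > 0))` (or `[ "$failed" -eq 0 ]`) here too, after `kernel_cleanup` has run.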


Re: Proposal: rename of arptables.git and ebtables.git

2018-11-28 Thread Arturo Borrero Gonzalez
On 11/28/18 1:44 PM, Arturo Borrero Gonzalez wrote:
> Hi,
> 
> Now that the iptables.git repo offers arptables-nft and ebtables-nft,
> arptables.git holds arptables-legacy, etc, why don't we just rename the
> repos?
> 
> * from arptables.git to arptables-legacy.git
> * from ebtables.git to ebtables-legacy.git
> 
> This rename should help distros understand the differences between them
> and better accommodate the packaging of all the related tooling.
> 
> Mind that the rename may have side effects in tarball
> generation/publishing etc. I would expect the new arptables tarball to
> include the '-legacy' keyword, and same for ebtables.
> 
> If we go ahead with the rename, a new release is worth having,
> announcing these changes as well.
> 

Also,

please consider applying the attached patch.

thanks.
commit ee8a588338e7c75e90fcc49a69e3d3b018063828
Author: Arturo Borrero Gonzalez 
Date:   Wed Nov 28 13:47:28 2018 +0100

ebtables: legacy renaming

The original ebtables tool is now the legacy version, let's rename it.

A more up-to-date client of the ebtables tool is provided in the iptables
tarball (ebtables-nft). The new tool was formerly known as ebtables-compat.

The new -legacy binary has no problem if called via a symlink with the
'ebtables' name, so users can still name this binary with whatever name.

Signed-off-by: Arturo Borrero Gonzalez 

diff --git a/Makefile.am b/Makefile.am
index 14938fe..b16a4d6 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -26,11 +26,11 @@ AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_srcdir}/include \
 	-DEBTD_PIPE=\"${PIPE}\" -DEBTD_PIPE_DIR=\"${PIPE_DIR}\"
 AM_CFLAGS = ${regular_CFLAGS}
 
-sbin_PROGRAMS = ebtables ebtablesd ebtablesu ebtables-restore
+sbin_PROGRAMS = ebtables-legacy ebtablesd ebtablesu ebtables-legacy-restore
 EXTRA_PROGRAMS = static examples/ulog/test_ulog
 sysconf_DATA = ethertypes
-sbin_SCRIPTS = ebtables-save
-man8_MANS = ebtables.8
+sbin_SCRIPTS = ebtables-legacy-save
+man8_MANS = ebtables-legacy.8
 lib_LTLIBRARIES = libebtc.la
 
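Review bot: the `-legacy` suffix is applied to `ebtables-legacy`, `ebtables-legacy-restore`, `ebtables-legacy-save` and `ebtables-legacy.8`, but `ebtablesd` and `ebtablesu` keep their unsuffixed names in `sbin_PROGRAMS`; if that is intentional (the daemon is not what users confuse with ebtables-nft), say so in the commit message. Also note that after this change nothing in the build installs a plain `ebtables` binary; the commit message mentions a symlink works, so state who is expected to create it (packagers, not this Makefile).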
 libebtc_la_SOURCES = \
@@ -47,21 +47,22 @@ libebtc_la_SOURCES = \
 	extensions/ebtable_nat.c
 # Make sure ebtables.c can be built twice
 libebtc_la_CPPFLAGS = ${AM_CPPFLAGS}
-ebtables_SOURCES = ebtables-standalone.c
-ebtables_LDADD = libebtc.la
+ebtables_legacy_SOURCES = ebtables-standalone.c
+ebtables_legacy_LDADD = libebtc.la
 ebtablesd_LDADD = libebtc.la
-ebtables_restore_LDADD = libebtc.la
+ebtables_legacy_restore_SOURCES = ebtables-restore.c
+ebtables_legacy_restore_LDADD = libebtc.la
 static_SOURCES = ebtables.c
 static_LDFLAGS = -static
 static_LDADD = libebtc.la
 examples_ulog_test_ulog_SOURCES = examples/ulog/test_ulog.c getethertype.c
 
 daemon: ebtablesd ebtablesu
-exec: ebtables ebtables-restore
+exec: ebtables-legacy ebtables-legacy-restore
 
-CLEANFILES = ebtables-save ebtables.sysv ebtables-config ebtables.8
+CLEANFILES = ebtables-legacy-save ebtables.sysv ebtables-config ebtables-legacy.8
 
-ebtables-save: ebtables-save.in ${top_builddir}/config.status
+ebtables-legacy-save: ebtables-save.in ${top_builddir}/config.status
 	${AM_V_GEN}sed -e 's![@]sbindir@!${sbindir}!g' <$< >$@
 
 ebtables.sysv: ebtables.sysv.in ${top_builddir}/config.status
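Review bot: the new `ebtables_legacy_restore_SOURCES = ebtables-restore.c` line is needed, not cosmetic: automake derives the default source from the canonical program name, so without it the renamed program would look for `ebtables-legacy-restore.c`; a short comment next to it (like the existing "Make sure ebtables.c can be built twice") would stop someone removing it later. Also, `ebtables-legacy-save` is still generated from `ebtables-save.in` while the man page template is renamed to `ebtables-legacy.8.in`, and the `sed` here substitutes only `@sbindir@`; check that the save template and the still-unsuffixed `ebtables.sysv`/`ebtables-config` outputs do not invoke plain `ebtables`, which this Makefile no longer builds.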
@@ -70,7 +71,7 @@ ebtables.sysv: ebtables.sysv.in ${top_builddir}/config.status
 ebtables-config: ebtables-config.in ${top_builddir}/config.status
 	${AM_V_GEN}sed -e 's![@]sysconfigdir@!${sysconfigdir}!g' <$< >$@
 
-ebtables.8: ebtables.8.in ${top_builddir}/config.status
+ebtables-legacy.8: ebtables-legacy.8.in ${top_builddir}/config.status
 	${AM_V_GEN}sed -e 's![@]PACKAGE_VERSION!${PACKAGE_VERSION}!g' \
 		-e 's![@]PACKAGE_DATE@!${PROGDATE}!g' \
 		-e 's![@]LOCKFILE@!${LOCKFILE}!g' <$< >$@
diff --git a/ebtables.8.in b/ebtables-legacy.8.in
similarity index 98%
rename from ebtables.8.in
rename to ebtables-legacy.8.in
index 3e97c84..3417045 100644
--- a/ebtables.8.in
+++ b/ebtables-legacy.8.in
@@ -24,7 +24,7 @@
 .\" 
 .\"
 .SH NAME
-ebtables (@PACKAGE_VERSION@) \- Ethernet bridge frame table administration
+ebtables-legacy (@PACKAGE_VERSION@) \- Ethernet bridge frame table administration (legacy)
 .SH SYNOPSIS
 .BR "ebtables " [ -t " table ] " - [ ACDI "] chain rule specification [match extensions] [watcher extensions] target"
 .br
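Review bot: NAME now reads `ebtables-legacy`, but every `.BR "ebtables "` line in SYNOPSIS still shows the old command name; either update them to `ebtables-legacy` or add a sentence that the examples assume the `ebtables` symlink mentioned in the commit message, so the page does not document a binary this package no longer installs under that name.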
@@ -50,6 +50,18 @@ ebtables (@PACKAGE_VERSION@) \- Ethernet bridge frame table administration
 .br
 .BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-save
 .br
+
+.SH LEGACY
+This tool uses the old xtables/setsockopt framework, and is a legacy version
+of ebtables. That means that a new, more modern tool exists with the same
+functionality using the nf_tables framework and you are encouraged to migrate now.
+The new binaries (known as ebtables-nft and formerly known as ebtables-compat)
+uses the same syntax an
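Review bot: in the new LEGACY section, "The new binaries (...) uses the same syntax" needs "use" (plural subject). Since this man page is where a distro user looks first, it would also help to say where the new binaries ship (the iptables tarball, as the commit message states) rather than only that they exist.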

Proposal: rename of arptables.git and ebtables.git

2018-11-28 Thread Arturo Borrero Gonzalez
Hi,

Now that the iptables.git repo offers arptables-nft and ebtables-nft,
arptables.git holds arptables-legacy, etc, why don't we just rename the
repos?

* from arptables.git to arptables-legacy.git
* from ebtables.git to ebtables-legacy.git

This rename should help distros understand the differences between them
and better accommodate the packaging of all the related tooling.

Mind that the rename may have side effects in tarball
generation/publishing etc. I would expect the new arptables tarball to
include the '-legacy' keyword, and same for ebtables.

If we go ahead with the rename, a new release is worth having,
announcing these changes as well.


[PATCH iptables] old patch from Debian for iptables-apply

2018-10-24 Thread Arturo Borrero Gonzalez
Hi,

this is an old patch from Debian to do some upgrades to iptables-apply.
Please, consider merging it to master.

The piece of code itself is pretty old, uses some Debian-specific
constructs, and tries to call the fail2ban sysvinit script. So a lot of
wrong stuff that tempts me to just drop the code (or at least, not
install it).
But hey, I'm sure there are people out there using it so...

regards.
From: Laurence J. Lane 
Subject: [PATCH] iptables: update iptables-apply to v1.1

This is GW's update to iptables-apply. It does a code
cleanup and adds two options: one runs a command and
the other writes the successful rules file.

I modified the script to use mktemp instead of tempfile. I also
fixed a couple of hyphens in the man page addition.

Signed-off-by: Laurence J. Lane 
Signed-off-by: Arturo Borrero Gonzalez 
---
 iptables-apply  |  310 
 iptables-apply.8.in |   48 +---
 2 files changed, 247 insertions(+), 111 deletions(-)

--- a/iptables/iptables-apply
+++ b/iptables/iptables-apply
@@ -1,174 +1,294 @@
 #!/bin/bash
-#
 # iptables-apply -- a safer way to update iptables remotely
 #
-# Copyright © Martin F. Krafft 
+# Usage:
+#   iptables-apply [-hV] [-t timeout] [-w savefile] {[rulesfile]|-c [runcmd]}
+#
+# Versions:
+#   * 1.0 Copyright 2006 Martin F. Krafft 
+# Original version
+#   * 1.1 Copyright 2010 GW http://gw.tnode.com/>
+# Added parameter -c (run command)
+# Added parameter -w (save successfully applied rules to file)
+# Major code cleanup
+#
 # Released under the terms of the Artistic Licence 2.0
 #
 set -eu
 
-PROGNAME="${0##*/}";
-VERSION=1.0
+PROGNAME="${0##*/}"
+VERSION=1.1
+
+
+### Default settings
+
+DEF_TIMEOUT=10
+
+MODE=0  # apply rulesfile mode
+# MODE=1  # run command mode
+
+case "$PROGNAME" in
+	(*6*)
+		SAVE=ip6tables-save
+		RESTORE=ip6tables-restore
+		DEF_RULESFILE="/etc/network/ip6tables.up.rules"
+		DEF_SAVEFILE="$DEF_RULESFILE"
+		DEF_RUNCMD="/etc/network/ip6tables.up.run"
+		;;
+	(*)
+		SAVE=iptables-save
+		RESTORE=iptables-restore
+		DEF_RULESFILE="/etc/network/iptables.up.rules"
+		DEF_SAVEFILE="$DEF_RULESFILE"
+		DEF_RUNCMD="/etc/network/iptables.up.run"
+		;;
+esac
+
 
-TIMEOUT=10
+### Functions
 
-function blurb()
-{
-	cat <<-_eof
+function blurb() {
+	cat <<-__EOF__
 	$PROGNAME $VERSION -- a safer way to update iptables remotely
-	_eof
+	__EOF__
 }
 
-function copyright()
-{
-	cat <<-_eof
-	$PROGNAME is C Martin F. Krafft .
-
-	The program has been published under the terms of the Artistic Licence 2.0
-	_eof
+function copyright() {
+	cat <<-__EOF__
+	$PROGNAME has been published under the terms of the Artistic Licence 2.0.
+
+	Original version - Copyright 2006 Martin F. Krafft .
+	Version 1.1 - Copyright 2010 GW http://gw.tnode.com/>.
+	__EOF__
 }
 
-function about()
-{
+function about() {
 	blurb
 	echo
 	copyright
 }
 
-function usage()
-{
-	cat <<-_eof
-	Usage: $PROGNAME [options] ruleset
-
-	The script will try to apply a new ruleset (as output by iptables-save/read
-	by iptables-restore) to iptables, then prompt the user whether the changes
-	are okay. If the new ruleset cut the existing connection, the user will not
-	be able to answer affirmatively. In this case, the script rolls back to the
-	previous ruleset.
-
-	The following options may be specified, using standard conventions:
-
-	-t | --timeout	Specify the timeout in seconds (default: $TIMEOUT)
-	-V | --version	Display version information
-	-h | --help	Display this help text
-	_eof
+function usage() {
+	blurb
+	echo
+	cat <<-__EOF__
+	Usage:
+	  $PROGNAME [-hV] [-t timeout] [-w savefile] {[rulesfile]|-c [runcmd]}
+
+	The script will try to apply a new rulesfile (as output by iptables-save,
+	read by iptables-restore) or run a command to configure iptables and then
+	prompt the user whether the changes are okay. If the new iptables rules cut
+	the existing connection, the user will not be able to answer affirmatively.
+	In this case, the script rolls back to the previous working iptables rules
+	after the timeout expires.
+
+	Successfully applied rules can also be written to savefile and later used
+	to roll back to this state. This can be used to implement a store last good
+	configuration mechanism when experimenting with an iptables setup script:
+	  $PROGNAME -w $DEF_SAVEFILE -c $DEF_RUNCMD
+
+	When called as ip6tables-apply, the script will use ip6tables-save/-restore
+	and IPv6 default values instead. Default value for rulesfile is
+	'$DEF_RULESFILE'.
+
+	Options:
+
+	-t seconds, --timeout seconds
+	  Specify the timeout in seconds (default: $DEF_TIMEOUT).
+	-w savefile, --write savefile
+	  Specify the savefile where successfully applied rules will be written to
+	  (default if empty string is given: $DEF_SAVEFILE).
+	-c runcmd, --command runcmd
+	  Run command runcmd to con
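Review bot: `case "$PROGNAME" in (*6*)` selects the ip6tables tools whenever the invocation name contains a "6" anywhere, so an admin who installs the script under a name like `iptables-apply-r6` would silently have `ip6tables-restore` applied to an IPv4 rules file. Match the documented name explicitly (`ip6tables-apply*)`) and fall back to IPv4 otherwise. Separately, `DEF_SAVEFILE="$DEF_RULESFILE"` means `-w ''` overwrites the very rules file the script reads by default; usage() documents it, but an explicit line saying so where `-w` is described would avoid surprises.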

[arptables PATCH] arptables: legacy renaming

2018-06-20 Thread Arturo Borrero Gonzalez
The original arptables tool is now the legacy version, let's rename it.

A more up-to-date client of the arptables tool is provided in the iptables
tarball. The new tool was formerly known as arptables-compat.

The new -legacy binary should have no problem if called via a symlink.

Signed-off-by: Arturo Borrero Gonzalez 
---
 Makefile   |   12 +-
 arptables-legacy.8 |  352 
 arptables.8|  340 --
 arptables.c|2 
 4 files changed, 359 insertions(+), 347 deletions(-)
 create mode 100644 arptables-legacy.8
 delete mode 100644 arptables.8

diff --git a/Makefile b/Makefile
index 139c9ca..5f3f812 100644
--- a/Makefile
+++ b/Makefile
@@ -10,7 +10,7 @@ man8dir=$(MANDIR)/man8
 SYSCONFIGDIR:=/etc/sysconfig
 DESTDIR:=
 
-MANS = arptables.8 arptables-save.8 arptables-restore.8
+MANS = arptables-legacy.8 arptables-save.8 arptables-restore.8
 
 COPT_FLAGS:=-O2
 CFLAGS:=$(COPT_FLAGS) -Wall -Wunused -I$(KERNEL_DIR)/include/ -Iinclude/ 
-DARPTABLES_VERSION=\"$(ARPTABLES_VERSION)\" #-g -DDEBUG #-pg # -DARPTC_DEBUG
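Review bot: the diffstat shows `arptables.8` deleted and `arptables-legacy.8` created (340 lines removed, 352 added) instead of a rename, so a reviewer cannot see which lines of the man page actually changed; please regenerate the patch with rename detection (`git format-patch -M`) so only the edited header and LEGACY section show up as a diff.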
@@ -21,7 +21,7 @@ endif
 
 include extensions/Makefile
 
-all: arptables libarptc/libarptc.a
+all: arptables-legacy libarptc/libarptc.a
 
 arptables.o: arptables.c
$(CC) $(CFLAGS) -c -o $@ $<
@@ -35,10 +35,10 @@ libarptc/libarptc.o: libarptc/libarptc.c 
libarptc/libarptc_incl.c
 libarptc/libarptc.a: libarptc/libarptc.o
$(AR) rcs $@ $<
 
-arptables: arptables-standalone.o arptables.o libarptc/libarptc.o $(EXT_OBJS)
+arptables-legacy: arptables-standalone.o arptables.o libarptc/libarptc.o 
$(EXT_OBJS)
$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^
 
-$(DESTDIR)$(BINDIR)/arptables: arptables
+$(DESTDIR)$(BINDIR)/arptables-legacy: arptables-legacy
mkdir -p $(DESTDIR)$(BINDIR)
install -m 0755 $< $@
 
@@ -58,11 +58,11 @@ install-man: $(MANS)
install -m 0644 $^ $(DESTDIR)$(man8dir)/
 
 .PHONY: install
-install: install-man $(DESTDIR)$(BINDIR)/arptables scripts
+install: install-man $(DESTDIR)$(BINDIR)/arptables-legacy scripts
 
 .PHONY: clean
 clean:
-   rm -f arptables
+   rm -f arptables-legacy
rm -f *.o *~
rm -f extensions/*.o extensions/*~
rm -f libarptc/*.o libarptc/*~ libarptc/*.a
diff --git a/arptables-legacy.8 b/arptables-legacy.8
new file mode 100644
index 000..3ce99e3
--- /dev/null
+++ b/arptables-legacy.8
@@ -0,0 +1,352 @@
+.TH ARPTABLES 8  "June 2018"
+.\"
+.\" Man page originally written by Jochen Friedrich ,
+.\" maintained by Bart De Schuymer.
+.\" It is based on the iptables man page.
+.\"
+.\" Iptables page by Herve Eychenne March 2000.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+arptables \- ARP table administration (legacy)
+.SH SYNOPSIS
+.BR "arptables " [ "-t table" ] " -" [ AD ] " chain rule-specification " [ 
options ]
+.br
+.BR "arptables " [ "-t table" ] " -" [ RI ] " chain rulenum rule-specification 
" [ options ]
+.br
+.BR "arptables " [ "-t table" ] " -D chain rulenum " [ options ]
+.br
+.BR "arptables " [ "-t table" ] " -" [ "LFZ" ] " " [ chain ] " " [ options ]
+.br
+.BR "arptables " [ "-t table" ] " -" [ "NX" ] " chain"
+.br
+.BR "arptables " [ "-t table" ] " -E old-chain-name new-chain-name"
+.br
+.BR "arptables " [ "-t table" ] " -P chain target " [ options ]
+
+.SH LEGACY
+This tool uses the old xtables/setsockopt framework, and is a legacy version
+of arptables. That means that a new, more modern tool exists with the same
+functionality using the nf_tables framework and you are encouraged to migrate 
now.
+The new binaries (formerly known as -compat) uses the same syntax and
+semantics than this legacy one.
+
+You can still use this legacy tool. You should probably get some specific
+information from your Linux distribution or vendor.
+More do
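Review bot: the new file is `arptables-legacy.8`, but `.TH ARPTABLES 8`, `.SH NAME` (`arptables \- ...`) and every SYNOPSIS line still say `arptables`; `whatis`/`apropos` index the NAME line, so `man arptables-legacy` works by filename while the database lists the page under `arptables`, exactly the name this rename tries to free. Use `arptables-legacy` in TH/NAME (and SYNOPSIS) or state that the binary is expected to be symlinked as `arptables`. Also, "uses the same syntax and semantics than this legacy one" should read "use the same syntax and semantics as this legacy one".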

Re: [PATCH xtables] xtables: add nf_tables vs. legacy postfix to version strings

2018-06-19 Thread Arturo Borrero Gonzalez
On 18 June 2018 at 14:19, Florian Westphal  wrote:
> -V now yields:
> arptables vlibxtables.so.12 (nf_tables)
> ebtables 1.6.2 (nf_tables)
> ip6tables v1.6.2 (legacy)
> ip6tables v1.6.2 (nf_tables)
> ip6tables-restore v1.6.2 (nf_tables)
> ip6tables-save v1.6.2 (nf_tables)
> ip6tables-restore v1.6.2 (legacy)
> ip6tables-restore-translate v1.6.2
> ip6tables-save v1.6.2 (legacy)
> ip6tables-translate v1.6.2 (nf_tables)
> iptables v1.6.2 (legacy)
> iptables v1.6.2 (nf_tables)
> iptables-restore v1.6.2 (nf_tables)
> iptables-save v1.6.2 (nf_tables)
> iptables-restore v1.6.2 (legacy)
> iptables-restore-translate v1.6.2
> iptables-save v1.6.2 (legacy)
> iptables-translate v1.6.2 (nf_tables)
>
> Suggested-by: Harald Welte 
> Signed-off-by: Florian Westphal 

Acked-by: Arturo Borrero Gonzalez 
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [nft PATCH] Makefile: Introduce Make_global.am

2018-06-19 Thread Arturo Borrero Gonzalez
On 18 June 2018 at 10:43, Phil Sutter  wrote:
> Analogous to libnftnl's build system, define libnftables interface
> version in a variable in Make_global.am.
>
> Suggested-by: Pablo Neira Ayuso 
> Signed-off-by: Phil Sutter 
> ---
>  Make_global.am  | 21 +
>  src/Makefile.am |  4 +++-
>  2 files changed, 24 insertions(+), 1 deletion(-)
>  create mode 100644 Make_global.am
>

Acked-by: Arturo Borrero Gonzalez 


Re: [nft PATCH] libnftables: Simplify nft_run_cmd_from_buffer footprint

2018-06-17 Thread Arturo Borrero Gonzalez
On 17 June 2018 at 13:30, Arturo Borrero Gonzalez  wrote:
> On 17 June 2018 at 09:22, Phil Sutter  wrote:
>> With libnftables documentation being upstream and one confirmed external
>> user (nftlb), time to break the API!
>>
>> First of all, the command buffer passed to nft_run_cmd_from_buffer may
>> (and should) be const. One should consider it a bug if that function
>> ever changed its content.
>>
>> On the other hand, there is no point in passing the buffer's length as
>> separate argument: NULL bytes are not expected to occur in the input, so
>> it is safe to rely upon strlen(). Also, the actual parsers don't require
>> a buffer length passed to them, either. The only use-case for it is when
>> reallocating the buffer to append a final newline character, there
>> strlen() is perfectly sufficient.
>>
>> Suggested-by: Harald Welte 
>> Cc: Laura Garcia Liebana 
>> Cc: Eric Leblond 
>> Signed-off-by: Phil Sutter 
>
> We should bump the library SONAME with this change to reflect the API change.
>
> Please send a follow-up patch (or v2 if you want).

We would probably need something like in libnftnl:

LIBVERSION=10:0:3

http://git.netfilter.org/libnftnl/tree/Make_global.am


Re: [nft PATCH] libnftables: Simplify nft_run_cmd_from_buffer footprint

2018-06-17 Thread Arturo Borrero Gonzalez
On 17 June 2018 at 09:22, Phil Sutter  wrote:
> With libnftables documentation being upstream and one confirmed external
> user (nftlb), time to break the API!
>
> First of all, the command buffer passed to nft_run_cmd_from_buffer may
> (and should) be const. One should consider it a bug if that function
> ever changed its content.
>
> On the other hand, there is no point in passing the buffer's length as
> separate argument: NULL bytes are not expected to occur in the input, so
> it is safe to rely upon strlen(). Also, the actual parsers don't require
> a buffer length passed to them, either. The only use-case for it is when
> reallocating the buffer to append a final newline character, there
> strlen() is perfectly sufficient.
>
> Suggested-by: Harald Welte 
> Cc: Laura Garcia Liebana 
> Cc: Eric Leblond 
> Signed-off-by: Phil Sutter 

We should bump the library SONAME with this change to reflect the API change.

Please send a follow-up patch (or v2 if you want).


Re: [RFC PATCH nft] parser: Set base chain prios with textual names

2018-06-04 Thread Arturo Borrero Gonzalez
On 4 June 2018 at 11:58, Máté Eckl  wrote:
> What I'm not sure of is:
> - Are these token values considered user-friendly or usable?
> - Is printing of these values with their names desired?
>
> What do you think?
>
> -- 8< --
> This patch adds the possibility to use textual names to set the chain priority
> to basic values so that numeric values do not need to be learnt any more for
> basic usage.
>
> Example:
> nft> add table inet x
> nft> add chain inet x y {type filter hook prerouting priority 
> PRIO_MANGLE ;}
> nft> list ruleset
> table inet x {
> chain y {
> type filter hook prerouting priority -150; policy 
> accept;
> }
> }
>

I believe the idea is good. But also, you should print the friendly
names instead of the magic numbers :-P


Re: [PATCH] ulogd: json: send messages to a remote host / unix socket

2018-05-28 Thread Arturo Borrero Gonzalez
On 27 May 2018 at 00:55, Andreas Jaggi  wrote:
> Hi Arturo
>
> Thanks for the review, find below the reworked patch.
> Let me know if there are other parts to improve.
>


Thanks, Andreas! The patch looks great.
Minor nitpicks below.


> +static int _connect_socket_unix(struct ulogd_pluginstance *pi)
> +{
> +   struct json_priv *op = (struct json_priv *) >private;
> +   struct sockaddr_un u_addr;
> +   int sfd;
> +
> +   if (op->sock != -1) {
> +   close(op->sock);
> +   op->sock = -1;
> +   }

^^^
this socket closing could be your new close_socket() function, right?

> +   ulogd_log(ULOGD_DEBUG, "connecting to unix:%s\n",
> + file_ce(pi->config_kset).u.string);
> +
> +   sfd = socket(AF_UNIX, SOCK_STREAM, 0);
> +   if (sfd == -1) {
> +   return -1;
> +   }
> +   u_addr.sun_family = AF_UNIX;
> +   strncpy(u_addr.sun_path, file_ce(pi->config_kset).u.string,
> +   sizeof(u_addr.sun_path) - 1);
> +   if (connect(sfd, (struct sockaddr *) _addr, sizeof(struct 
> sockaddr_un)) == -1) {
> +   close(sfd);
> +   return -1;
> +   }
> +
> +   op->sock = sfd;
> +
> +   return 0;
> +}
> +
> +static int _connect_socket_net(struct ulogd_pluginstance *pi)
> +{
> +   struct json_priv *op = (struct json_priv *) >private;
> +   struct addrinfo hints;
> +   struct addrinfo *result, *rp;
> +   int sfd, s;
> +
> +   if (op->sock != -1) {
> +   close(op->sock);
> +   op->sock = -1;
> +   }
> +
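Review bot: in `_connect_socket_unix`, `u_addr` is never zeroed before `strncpy(u_addr.sun_path, ..., sizeof(u_addr.sun_path) - 1)`, so a configured path of `sizeof(sun_path) - 1` bytes or longer leaves `sun_path` without a terminating NUL (its last byte is whatever was on the stack) and the plugin silently connects to a truncated name. Add `memset(&u_addr, 0, sizeof(u_addr))` first and, better, reject the path with a clear ULOGD_ERROR when `strlen(path) >= sizeof(u_addr.sun_path)` instead of truncating it.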

^^^
same here


> +   ulogd_log(ULOGD_DEBUG, "connecting to %s:%s\n",
> + host_ce(pi->config_kset).u.string,
> + port_ce(pi->config_kset).u.string);
> +
> +   memset(, 0, sizeof(struct addrinfo));
> +   hints.ai_family = AF_UNSPEC;
> +   hints.ai_socktype = op->mode == JSON_MODE_UDP ? SOCK_DGRAM : 
> SOCK_STREAM;
> +   hints.ai_protocol = 0;
> +   hints.ai_flags = 0;
> +
> +   s = getaddrinfo(host_ce(pi->config_kset).u.string,
> +   port_ce(pi->config_kset).u.string, , );
> +   if (s != 0) {
> +   ulogd_log(ULOGD_ERROR, "getaddrinfo: %s\n", gai_strerror(s));
> +   return -1;
> +   }
> +
> +   for (rp = result; rp != NULL; rp = rp->ai_next) {
> +   int on = 1;
> +
> +   sfd = socket(rp->ai_family, rp->ai_socktype,
> +   rp->ai_protocol);
> +   if (sfd == -1)
> +   continue;
> +
> +   setsockopt(sfd, SOL_SOCKET, SO_REUSEADDR,
> +  (char *) , sizeof(on));
> +
> +   if (connect(sfd, rp->ai_addr, rp->ai_addrlen) != -1)
> +   break;
> +
> +   close(sfd);
> +   }
> +
> +   freeaddrinfo(result);
> +
> +   if (rp == NULL) {
> +   return -1;
> +   }
> +
> +   op->sock = sfd;
> +
> +   return 0;
> +}
> +
> +static int _connect_socket(struct ulogd_pluginstance *pi)
> +{
> +   struct json_priv *op = (struct json_priv *) >private;
> +
> +   if (op->mode == JSON_MODE_UNIX)
> +   return _connect_socket_unix(pi);
> +   else
> +   return _connect_socket_net(pi);
> +}
> +
> +static int json_interp_socket(struct ulogd_pluginstance *upi, char *buf, int 
> buflen)
> +{
> +   struct json_priv *opi = (struct json_priv *) >private;
> +   int ret = 0;
> +
> +   if (opi->sock != -1)
> +   ret = send(opi->sock, buf, buflen, MSG_NOSIGNAL);
> +   free(buf);
> +   if (ret != buflen) {
> +   ulogd_log(ULOGD_ERROR, "Failure sending message: %s\n",
> + strerror(errno));
> +   if (ret == -1 || opi->sock == -1)
> +   return _connect_socket(upi);
> +   else
> +   return ULOGD_IRET_ERR;
> +   }
> +
> +   return ULOGD_IRET_OK;
> +}
> +
> +static int json_interp_file(struct ulogd_pluginstance *upi, char *buf)
> +{
> +   struct json_priv *opi = (struct json_priv *) >private;
> +
> +   fprintf(opi->of, "%s", buf);
> +   free(buf);
> +
> +   if (upi->config_kset->ces[JSON_CONF_SYNC].u.value != 0)
> +   fflush(opi->of);
> +
> +   return ULOGD_IRET_OK;
> +}
> +
>  #define MAX_LOCAL_TIME_STRING 38
>
>  static int json_interp(struct ulogd_pluginstance *upi)
>  {
> struct json_priv *opi = (struct json_priv *) >private;
> unsigned int i;
> +   char *buf;
> +   int buflen;
> json_t *msg;
>
> msg = json_object();
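Review bot: `json_interp_socket` treats every `ret != buflen` the same way: when the socket is already closed (`opi->sock == -1`, so `ret` stays 0) or a TCP `send()` returns a short count, `strerror(errno)` prints a stale errno, and on a short write the function returns ULOGD_IRET_ERR after part of the message has already gone onto the stream, which breaks the newline-delimited JSON framing for the receiver. For the stream modes loop on `send()` until `buflen` bytes are written, log errno only when `ret == -1`, and map the `_connect_socket()` result (0/-1) to ULOGD_IRET_OK/ULOGD_IRET_ERR explicitly rather than returning it raw from an interp callback.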
> @@ -218,34 +389,65 @@ static int json_interp(struct ulogd_pluginstance *upi)
> }
> }
>
> -   json_dumpf(msg, opi->of, 0);
> -   fprintf(opi->of, "\n");
>
> +   buf = json_dumps(msg, 0);
> json_decref(msg);
> +   if (buf == NULL) {
> +   

Re: [PATCH nftlb] build: use autotools

2018-05-11 Thread Arturo Borrero Gonzalez
On 11 May 2018 at 12:20, Pablo Neira Ayuso  wrote:
> - Add configure.ac and Makefile.am files.
> - Update .gitignore file to ignore autogenerated scripts by autotools.
>
> Signed-off-by: Pablo Neira Ayuso 

It seems we can drop libmnl and libnftnl dependencies.


Re: [PATCH] ulogd: json: send messages to a remote host / unix socket

2018-05-09 Thread Arturo Borrero Gonzalez
On 1 May 2018 at 14:16, Andreas Jaggi  wrote:
> Extend the JSON output plugin so that the generated JSON stream can be
> sent to a remote host via TCP/UDP or to a local unix socket.
>
> Signed-off-by: Andreas Jaggi 
> ---
>  output/ulogd_output_JSON.c | 225 +
>  ulogd.conf.in  |  11 ++
>  2 files changed, 214 insertions(+), 22 deletions(-)
>

Hi Andreas, thanks for working on this.

Some review below.

> +static int _connect_socket(struct ulogd_pluginstance *pi)
> +{
> +   struct json_priv *op = (struct json_priv *) >private;
> +   struct addrinfo hints;
> +   struct addrinfo *result, *rp;
> +   struct sockaddr_un u_addr;
> +   int sfd, s;
> +
> +   if ( op->sock != -1 ) {
> +   close(op->sock);
> +   op->sock = -1;
> +   }
> +   if ( op->mode == JSON_MODE_UNIX ) {
> +   ulogd_log(ULOGD_DEBUG, "connecting to unix:%s\n", 
> file_ce(pi->config_kset).u.string);
> +
> +   sfd = socket(AF_UNIX, SOCK_STREAM, 0);
> +   if (sfd == -1 ) {
> +   ulogd_log(ULOGD_ERROR, "Could not connect\n");
> +   return -1;
> +   }
> +   u_addr.sun_family = AF_UNIX;
> +   strncpy(u_addr.sun_path, file_ce(pi->config_kset).u.string, 
> sizeof(u_addr.sun_path) - 1);
> +   if ( connect(sfd, (struct sockaddr *) _addr, sizeof(struct 
> sockaddr_un)) == -1 ) {
> +   ulogd_log(ULOGD_ERROR, "Could not connect\n");
> +   close(sfd);
> +   return -1;
> +   }
> +   } else {
> +   ulogd_log(ULOGD_DEBUG, "connecting to %s:%s\n", 
> host_ce(pi->config_kset).u.string, port_ce(pi->config_kset).u.string);
> +
> +   memset(, 0, sizeof(struct addrinfo));
> +   hints.ai_family = AF_UNSPEC;
> +   hints.ai_socktype = op->mode == JSON_MODE_UDP ? SOCK_DGRAM : 
> SOCK_STREAM;
> +   hints.ai_protocol = 0;
> +   hints.ai_flags = 0;
> +
> +   s = getaddrinfo(host_ce(pi->config_kset).u.string, 
> port_ce(pi->config_kset).u.string, , );
> +   if (s != 0) {
> +   ulogd_log(ULOGD_ERROR, "getaddrinfo: %s\n", 
> gai_strerror(s));
> +   return -1;
> +   }
> +
> +   for (rp = result; rp != NULL; rp = rp->ai_next) {
> +   int on = 1;
> +
> +   sfd = socket(rp->ai_family, rp->ai_socktype,
> +   rp->ai_protocol);
> +   if (sfd == -1)
> +   continue;
> +
> +   setsockopt(sfd, SOL_SOCKET, SO_REUSEADDR,
> +  (char *) , sizeof(on));
> +
> +   if (connect(sfd, rp->ai_addr, rp->ai_addrlen) != -1)
> +   break;
> +
> +   close(sfd);
> +   }
> +
> +   freeaddrinfo(result);
> +
> +   if (rp == NULL) {
> +   ulogd_log(ULOGD_ERROR, "Could not connect\n");
> +   return -1;
> +   }
> +   }
> +
> +   op->sock = sfd;
> +
> +   return 0;
> +}
> +
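Review bot: in the JSON_MODE_UNIX branch `u_addr` is never zeroed and `strncpy(u_addr.sun_path, ..., sizeof(u_addr.sun_path) - 1)` leaves the path unterminated when the configured name fills the buffer, so an over-long socket path is silently cut to a different name instead of being rejected. Suggest `memset(&u_addr, 0, sizeof(u_addr));` before filling it and an explicit error when the configured path is `>= sizeof(u_addr.sun_path)` characters long. The two "Could not connect" messages should also carry `strerror(errno)` as the getaddrinfo path does: a failed socket() and a failed connect() (typically a permission problem on the socket file) are otherwise indistinguishable for the operator. The `SO_REUSEADDR` on the TCP/UDP socket only affects bind(), which this client never calls, so it can go.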



could we split the function above in smaller chunks?

something like _connect_socket_unix() and _connect_socket_net()


> @@ -218,13 +331,41 @@ static int json_interp(struct ulogd_pluginstance *upi)
> }
> }
>
> -   json_dumpf(msg, opi->of, 0);
> -   fprintf(opi->of, "\n");
>
> +   buf = json_dumps(msg, 0);
> json_decref(msg);
> -
> -   if (upi->config_kset->ces[JSON_CONF_SYNC].u.value != 0)
> -   fflush(opi->of);
> +   if (buf == NULL) {
> +   ulogd_log(ULOGD_ERROR, "Could not create message\n");
> +   return ULOGD_IRET_ERR;
> +   }
> +   buflen = strlen(buf);
> +   buf = realloc(buf, sizeof(char)*(buflen+2));
> +   if (buf == NULL) {
> +   ulogd_log(ULOGD_ERROR, "Could not create message\n");
> +   return ULOGD_IRET_ERR;
> +   }
> +   strncat(buf, "\n", 1);
> +   buflen++;
> +
> +   if ( opi->mode == JSON_MODE_FILE ) {
> +   fprintf(opi->of, "%s", buf);
> +   free(buf);
> +   if (upi->config_kset->ces[JSON_CONF_SYNC].u.value != 0)
> +   fflush(opi->of);
> +   } else {
> +   if ( opi->sock != -1 ) {
> +   ret = send(opi->sock, buf, buflen, MSG_NOSIGNAL);
> +   }
> +   free(buf);
> +   if (ret != buflen) {
> +   ulogd_log(ULOGD_ERROR, "Failure sending message: 
> %s\n", strerror(errno));
> +   if (ret == -1 || opi->sock == -1) {
> +   return 
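Review bot: `ret` is only assigned inside `if ( opi->sock != -1 )`, so when the socket is not connected the following `if (ret != buflen)` tests an uninitialised value (or the result of the previous call); initialise `ret = -1` before the branch so a disconnected socket is reliably treated as a send failure. Two more points in this hunk: `buf = realloc(buf, ...)` followed by `if (buf == NULL) return` leaks the original buffer when realloc fails (keep the old pointer in a temporary), and in TCP mode `send()` may legitimately return fewer than `buflen` bytes, which this code reports as a failure without sending the remainder; loop until the whole line is written or the call fails.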

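The split into one helper per transport that the reply above asks for, written here as an added example in C; it is not code from the ulogd patch or from the ulogd project. Beyond the split, it checks the unix socket path length instead of truncating it, which the reviewed `strncpy` does not, and preserves errno across `close()` so the caller can log the real connect() error. The function names (`build_unix_addr`, `connect_socket_unix`, `connect_socket_net`, `unix_roundtrip_selftest`) are assumptions, not ulogd's, and the temporary socket path and the JSON line in the self-test are constructed for it.

```c
#define _GNU_SOURCE 1
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Build an AF_UNIX address, refusing paths that do not fit sun_path with a NUL. */
int build_unix_addr(const char *path, struct sockaddr_un *addr)
{
	size_t len = strlen(path);
	if (len == 0 || len >= sizeof(addr->sun_path)) {
		errno = ENAMETOOLONG;
		return -1;
	}
	memset(addr, 0, sizeof(*addr));	/* zero-fills sun_path, so it stays NUL-terminated */
	addr->sun_family = AF_UNIX;
	memcpy(addr->sun_path, path, len);
	return 0;
}

/* Connect a stream socket to a local unix socket path: fd, or -1 with errno set. */
int connect_socket_unix(const char *path)
{
	struct sockaddr_un addr;
	int sfd, saved;
	if (build_unix_addr(path, &addr) < 0)
		return -1;
	sfd = socket(AF_UNIX, SOCK_STREAM, 0);
	if (sfd == -1)
		return -1;
	if (connect(sfd, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
		saved = errno;	/* keep the connect() error across close() for the caller's log line */
		close(sfd);
		errno = saved;
		return -1;
	}
	return sfd;
}

/* Connect to host:port over TCP (udp == 0) or UDP (udp != 0), trying each getaddrinfo()
 * result in turn: fd or -1. No SO_REUSEADDR: it only affects bind(), which a client skips. */
int connect_socket_net(const char *host, const char *port, int udp)
{
	struct addrinfo hints, *res, *rp;
	int sfd = -1;
	memset(&hints, 0, sizeof(hints));
	hints.ai_family = AF_UNSPEC;
	hints.ai_socktype = udp ? SOCK_DGRAM : SOCK_STREAM;
	if (getaddrinfo(host, port, &hints, &res) != 0)
		return -1;
	for (rp = res; rp != NULL; rp = rp->ai_next) {
		sfd = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
		if (sfd == -1)
			continue;
		if (connect(sfd, rp->ai_addr, rp->ai_addrlen) == 0)
			break;
		close(sfd);
		sfd = -1;
	}
	freeaddrinfo(res);
	return sfd;
}

/* Self-check: listen on a constructed temporary unix path, connect through connect_socket_unix(),
 * send one constructed JSON line and read it back on the listening side. 1 if intact, else 0. */
int unix_roundtrip_selftest(void)
{
	const char *line = "{\"dvc\":\"example-host\",\"oob.prefix\":\"test\"}\n";
	char path[64], buf[128];
	struct sockaddr_un addr;
	int lfd, cfd = -1, afd = -1, ok = 0;
	ssize_t n;
	snprintf(path, sizeof(path), "/tmp/ulogd-json-example-%ld.sock", (long)getpid());
	unlink(path);
	if (build_unix_addr(path, &addr) < 0)
		return 0;
	lfd = socket(AF_UNIX, SOCK_STREAM, 0);
	if (lfd == -1)
		return 0;
	if (bind(lfd, (struct sockaddr *)&addr, sizeof(addr)) == 0 && listen(lfd, 1) == 0 &&
	    (cfd = connect_socket_unix(path)) != -1) {
		if ((afd = accept(lfd, NULL, NULL)) != -1) {
			if (send(cfd, line, strlen(line), MSG_NOSIGNAL) == (ssize_t)strlen(line) &&
			    (n = recv(afd, buf, sizeof(buf) - 1, 0)) > 0) {
				buf[n] = '\0';
				ok = strcmp(buf, line) == 0;
			}
			close(afd);
		}
		close(cfd);
	}
	close(lfd);
	unlink(path);
	return ok;
}
```

The self-test creates its socket under /tmp and removes it again. Rejecting an over-long path up front matters for a log shipper: a truncated `sun_path` would connect to whatever happens to listen at the shortened name, or fail with a message that names a path the operator never configured.
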
Re: [PATCH iptables-compat 2/3] iptables-compat: do not fail on restore if user chain exists

2018-05-04 Thread Arturo Borrero Gonzalez
On 4 May 2018 at 11:49, Pablo Neira Ayuso  wrote:
>
> +int nft_table_flush(struct nft_handle *h, const char *table)
> +{
> +   struct nftnl_table *r;
> +   int ret = 0;
> +
> +   nft_fn = nft_table_flush;
> +
> +   r = nftnl_table_alloc();
> +   if (r == NULL)
> +   goto err;
> +
> +   nftnl_table_set_str(r, NFTNL_TABLE_NAME, table);
> +
> +   batch_table_add(h, NFT_COMPAT_TABLE_FLUSH, r);
> +err:
> +   /* the core expects 1 for success and 0 for error */
> +   return ret == 0 ? 1 : 0;
> +}
> +
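Review bot: `ret` is initialised to 0 and never changed, so the `goto err` taken when `nftnl_table_alloc()` fails still returns 1 and reports the flush as a success to the caller; set `ret = -1` on that path (or return 0 directly before the label). With that, the comment above the return describes the only remaining use of `err:`, the failure case.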

it seems ret is never set to something meaningful?


[arptables PATCH] arptables: cleanup sysvinit script

2018-05-03 Thread Arturo Borrero Gonzalez
This file belongs to downstream distributions. Also, it's unmaintained.

Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org>
---
 Makefile   |8 +---
 arptables.sysv |  103 
 2 files changed, 2 insertions(+), 109 deletions(-)
 delete mode 100644 arptables.sysv

diff --git a/Makefile b/Makefile
index 7bead0d..139c9ca 100644
--- a/Makefile
+++ b/Makefile
@@ -7,7 +7,6 @@ LIBDIR:=$(PREFIX)/lib
 BINDIR:=$(PREFIX)/sbin
 MANDIR:=$(PREFIX)/man
 man8dir=$(MANDIR)/man8
-INITDIR:=/etc/rc.d/init.d
 SYSCONFIGDIR:=/etc/sysconfig
 DESTDIR:=
 
@@ -46,15 +45,12 @@ $(DESTDIR)$(BINDIR)/arptables: arptables
 tmp1:=$(shell printf $(BINDIR) | sed 's/\//\\\//g')
 tmp2:=$(shell printf $(SYSCONFIGDIR) | sed 's/\//\\\//g')
 .PHONY: scripts
-scripts: arptables-save arptables-restore arptables.sysv
+scripts: arptables-save arptables-restore
cat arptables-save | sed 's/__EXEC_PATH__/$(tmp1)/g' > arptables-save_
install -m 0755 arptables-save_ $(DESTDIR)$(BINDIR)/arptables-save
cat arptables-restore | sed 's/__EXEC_PATH__/$(tmp1)/g' > 
arptables-restore_
install -m 0755 arptables-restore_ $(DESTDIR)$(BINDIR)/arptables-restore
-   cat arptables.sysv | sed 's/__EXEC_PATH__/$(tmp1)/g' | sed 
's/__SYSCONFIG__/$(tmp2)/g' > arptables.sysv_
-   if [ "$(DESTDIR)" != "" ]; then mkdir -p $(DESTDIR)$(INITDIR); fi
-   if test -d $(DESTDIR)$(INITDIR); then install -m 0755 arptables.sysv_ 
$(DESTDIR)$(INITDIR)/arptables; fi
-   rm -f arptables-save_ arptables-restore_ arptables.sysv_
+   rm -f arptables-save_ arptables-restore_
 
 .PHONY: install-man
 install-man: $(MANS)
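Review bot: with the `arptables.sysv` line gone, `tmp2` no longer has a user: the `sed 's/__SYSCONFIG__/$(tmp2)/g'` substitution removed here was its only consumer, and `SYSCONFIGDIR` (kept in the first hunk, where `INITDIR` is dropped) exists only to feed `tmp2`. Drop `tmp2:=...` and `SYSCONFIGDIR:=/etc/sysconfig` together with `INITDIR` so the Makefile does not keep dead variables.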
diff --git a/arptables.sysv b/arptables.sysv
deleted file mode 100644
index ea5cf09..000
--- a/arptables.sysv
+++ /dev/null
@@ -1,103 +0,0 @@
-#!/bin/bash
-#
-# init script for arptables
-#
-# Original by Dag Wieers <d...@wieers.com>.
-# Modified/changed to arptables by
-#  Rok Papez <rok.pa...@arnes.si>.
-#
-# chkconfig: - 16 84
-# description: Arp filtering tables
-#
-# config: __SYSCONFIG__/arptables
-
-source /etc/init.d/functions
-source /etc/sysconfig/network
-
-# Check that networking is up.
-[ ${NETWORKING} = "no" ] && exit 0
-
-[ -x __EXEC_PATH__/arptables ] || exit 1
-[ -x __EXEC_PATH__/arptables-save ] || exit 1
-[ -x __EXEC_PATH__/arptables-restore ] || exit 1
-
-[ "$1" != "save" -o -r __SYSCONFIG__/arptables ] || exit 1
-
-RETVAL=0
-prog="arptables"
-desc="Arp filtering"
-
-start() {
-   echo -n $"Starting $desc ($prog): "
-   __EXEC_PATH__/arptables-restore < __SYSCONFIG__/arptables || RETVAL=1
-
-   if [ $RETVAL -eq 0 ]; then
-   success "$prog startup"
-   rm -f /var/lock/subsys/$prog
-   else
-   failure "$prog startup"
-   fi
-
-   echo
-   return $RETVAL
-}
-
-stop() {
-   echo -n $"Stopping $desc ($prog): "
-   __EXEC_PATH__/arptables-restore < /dev/null || RETVAL=1
-
-   if [ $RETVAL -eq 0 ]; then
-   success "$prog shutdown"
-   rm -f %{_localstatedir}/lock/subsys/$prog
-   else
-   failure "$prog shutdown"
-   fi
-
-   echo
-   return $RETVAL
-}
-
-restart() {
-   stop
-   start
-}
-
-save() {
-   echo -n $"Saving $desc ($prog): "
-   __EXEC_PATH__/arptables-save > __SYSCONFIG__/arptables || RETVAL=1
-
-   if [ $RETVAL -eq 0 ]; then
-   success "$prog saved"
-   else
-   failure "$prog saved"
-   fi
-   echo
-}
-
-case "$1" in
-  start)
-   start
-   ;;
-  stop)
-   stop
-   ;;
-  restart|reload)
-   restart
-   ;;
-  condrestart)
-   [ -e /var/lock/subsys/$prog ] && restart
-   RETVAL=$?
-   ;;
-  save)
-   save
-   ;;
-  status)
-   __EXEC_PATH__/arptables-save
-   RETVAL=$?
-   ;;
-  *)
-   echo $"Usage $0 {start|stop|restart|condrestart|save|status}"
-   RETVAL=1
-esac
-
-exit $RETVAL
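Review bot: the removed script is broken as shipped, which supports the deletion: start() runs `rm -f /var/lock/subsys/$prog` on the success path instead of creating the lock file, so `condrestart` (which tests `-e /var/lock/subsys/$prog`) never restarts anything, and stop() removes `%{_localstatedir}/lock/subsys/$prog`, an RPM macro the shell does not expand. Worth a sentence in the commit message so that packagers who carry a copy downstream know not to take this file as-is.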



Re: [nft PATCH v2] libnftables: fix header export

2018-05-02 Thread Arturo Borrero Gonzalez
On 2 May 2018 at 14:02, Florian Westphal <f...@strlen.de> wrote:
> Arturo Borrero Gonzalez <art...@netfilter.org> wrote:
>> Instruct Make to actually install the header to the system, otherwise
>> users won't see the header in their system after running 'make install'.
>>
>> Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org>
>> ---
>> v2: don't rename the header, given it has been released already
>
> I would prefer to see the rename anyway for consistency with other
> netfilter.org libraries, which all use lib prefix.
>
> So, I would prefer to apply v1 instead.
>
> Any objections?

Makes sense.


[nft PATCH v2] libnftables: fix header export

2018-05-02 Thread Arturo Borrero Gonzalez
Instruct Make to actually install the header to the system, otherwise
users won't see the header in their system after running 'make install'.

Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org>
---
v2: don't rename the header, given it has been released already

 include/nftables/Makefile.am |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/nftables/Makefile.am b/include/nftables/Makefile.am
index 9e31d51..2b43d7f 100644
--- a/include/nftables/Makefile.am
+++ b/include/nftables/Makefile.am
@@ -1 +1 @@
-noinst_HEADERS = nftables.h
+pkginclude_HEADERS = nftables.h
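Review bot: `pkginclude_HEADERS` installs the file to `$(pkgincludedir)`, i.e. `$(includedir)/$(PACKAGE)/nftables.h`, so library users include `<nftables/nftables.h>`; the commit message only says the header is now installed and should name the resulting include path, and note that the in-tree `include/nftables.h` (the private header with the same basename) is unaffected, since that name clash is what v1 renamed the file to avoid.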



[nft PATCH] libnftables: fix header export

2018-05-01 Thread Arturo Borrero Gonzalez
Instruct Make to actually install the header to the system, otherwise
users won't see the header in their system after running 'make install'.

Also, export the main libnftables header with a proper name, since we have another
private header called 'nftables.h' (i.e., let's be concrete with the naming).

Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org>
---
 include/nftables.h |2 +-
 include/nftables/Makefile.am   |2 +-
 include/nftables/libnftables.h |0 
 src/libnftables.c  |2 +-
 src/main.c |2 +-
 5 files changed, 4 insertions(+), 4 deletions(-)
 rename include/nftables/{nftables.h => libnftables.h} (100%)

diff --git a/include/nftables.h b/include/nftables.h
index 5f2da8b..f525ba6 100644
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -5,7 +5,7 @@
 #include 
 #include 
 #include 
-#include 
+#include 
 
 struct cookie {
FILE *fp;
diff --git a/include/nftables/Makefile.am b/include/nftables/Makefile.am
index 9e31d51..5cfb0c6 100644
--- a/include/nftables/Makefile.am
+++ b/include/nftables/Makefile.am
@@ -1 +1 @@
-noinst_HEADERS = nftables.h
+pkginclude_HEADERS = libnftables.h
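Review bot: renaming an already-released public header changes the include line for every existing libnftables user (`<nftables/nftables.h>` becomes `<nftables/libnftables.h>`), and the commit message should state that explicitly. If the old name has to keep working for one release, a one-line `nftables.h` that only includes the new header can be installed next to it and dropped later.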
diff --git a/include/nftables/nftables.h b/include/nftables/libnftables.h
similarity index 100%
rename from include/nftables/nftables.h
rename to include/nftables/libnftables.h
diff --git a/src/libnftables.c b/src/libnftables.c
index fe5143f..df4f092 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -6,7 +6,7 @@
  * published by the Free Software Foundation.
  *
  */
-#include 
+#include 
 #include 
 #include 
 #include 
diff --git a/src/main.c b/src/main.c
index 1f08dfe..d26ea01 100644
--- a/src/main.c
+++ b/src/main.c
@@ -18,7 +18,7 @@
 #include 
 #include 
 
-#include 
+#include 
 #include 
 #include 
 



[ANNOUNCE] libnetfilter-conntrack 1.0.7 release

2018-05-01 Thread Arturo Borrero Gonzalez
Hi!

The Netfilter project proudly presents:

libnetfilter-conntrack 1.0.7

This release includes some fixes and improvements since last release:
 * new synproxy support
 * don't crash on NULL labelmap
 * expose a copy of nf_conntrack_common.h

This library is a dependency of conntrack-tools, and we recommend you run the
latest version of both software packages.

See changelog that comes attached to this email for more details.

You can download it from:

* https://netfilter.org/projects/libnetfilter_conntrack/downloads.html
* ftp://ftp.netfilter.org/pub/libnetfilter_conntrack/

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling!

Ken-ichirou MATSUZAWA (2):
  conntrack: fix missing break in setobjopt_undo_dnat()
  conntrack: revert getobjopt_is_nat() condition

Marcos Paulo de Souza (1):
  labels: don't crash on NULL labelmap

Pablo Neira Ayuso (2):
  include: expose a copy of nf_conntrack_common.h
  conntrack: add synproxy support

Richard Weinberger (1):
  libnetfilter_conntrack: bump version to 1.0.7



[ANNOUNCE] conntrack-tools 1.4.5 release

2018-05-01 Thread Arturo Borrero Gonzalez
Hi!

The Netfilter project proudly presents:

conntrack-tools 1.4.5

This release includes several fixes since last release and also several
enhancements for the conntrackd daemon:
 * new synproxy support
 * manpages updates
 * improved logging support (both stdout/stderr and log files)
 * new mdns ct helper
 * some more messages on what the daemon is doing
 * deprecate unix backlog configuration
 * drop old/obsolete/deprecated conntrackd.conf config options
 * improved support for UPnP in the ssdp ct helper
 * improvements to the relationship with libsystemd
 * add stronger TCP flags support, some weirdness is fixed by this

This release includes the new `StartupResync` config option, which instructs
conntrackd to request a complete conntrack table resync against the other
node at startup. This is useful to get in sync with another node which has
been running while we were down.

If you are updating your conntrackd deployment to this release from a very old
one, mind the deprecated config options. You may be required to refresh your
conntrackd.conf config file.

In the case of the conntrack CLI tool:
 * new support for IPv6 NAT

In the case of the nfct CLI tool:
 * some improvements to the build (-z lazy)

Please note you need libnetfilter-conntrack version >= 1.0.7 to build
conntrack-tools version 1.4.5.

See changelog that comes attached to this email for more details.

You can download it from:

* https://netfilter.org/projects/conntrack-tools/downloads.html
* ftp://ftp.netfilter.org/pub/conntrack-tools/

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling!

Arturo Borrero (4):
  src/main: refresh help message
  conntrackd.8: refresh file
  conntrackd.8: add reference to systemd
  doc/manual: include some bits about init systems

Arturo Borrero Gonzalez (23):
  sync-mode: print errno message on failure
  log: print messages to stdout/sderr if running in console mode
  log: introduce a mechanism to know if log was initialized
  conntrackd: replace error reporting in the config parser with dlog()
  conntrackd: replace fprintf calls with dlog()
  conntrack-tools: update Arturo Borrero Gonzalez email address
  src: add log message when resync is requested by other node
  systemd: fix missing log.h include
  config: drop old/obsolete/deprecated conntrackd.conf config options
  conntrackd: factorice tx_queue functions
  conntrackd: factorize resync operations
  conntrackd: consolidate more code to use resync_send()
  conntrackd: request resync at startup
  conntrackd: evaluate configuration earlier
  conntrackd: cleanup if failed forking
  conntrackd: deprecate unix backlog configuration
  conntrackd: make the daemon run in RT mode by default
  conntrackd: remove warning for -S
  conntrack.8: refresh manpage
  conntrackd.conf.5: fix sentence about systemd
  tests: reallocate cli testing script
  systemd: default to use libsystemd if build with support for it
  conntrack-tools 1.4.5 release

Chieh-Min Wang (1):
  conntrack: Show multiple CPUs stats from proc

Kevin Cernekee (7):
  conntrackd: cthelper: ftp: Set match offset/len for PORT mangling
  conntrackd: cthelper: ftp: Fix debug print
  conntrackd: cthelper: Add new mdns helper
  Link nfct and helper modules with `-z lazy`
  conntrackd: cthelper: Don't leak nat_tuple
  conntrackd: cthelper: Free pktb after use
  conntrackd: cthelper: ssdp: Track UPnP eventing

Neil Wilson (1):
  conntrack: Support IPv6 NAT

Nicolas Dichtel (1):
  conntrackd: remove use of HAVE_INET_PTON_IPV6

Pablo Neira Ayuso (8):
  helper: remove copy and paste from uapi kernel header
  conntrack: send mark filter to kernel iff set
  conntrackd: config: Do not strdup() tokens
  conntrackd: Remove obsolete rule to catch ambiguous Checksum option
  conntrackd: CommitTimeout breaks DisableExternalCache set On
  src: add ARRAY_SIZE definition
  conntrackd: add TCP flags support
  src: synproxy support

Steve Langasek (1):
  tests: don't fail on modprobe since the driver might be built-in

Stijn Tintel (1):
  conntrackd: cthelper: ssdp: fix build with musl



[ANNOUNCE] ulogd2 2.0.7 release

2018-04-27 Thread Arturo Borrero Gonzalez
Hi!

The Netfilter project proudly presents:

ulogd2 2.0.7

This release includes several fixes since last release and also several
enhancements:
 * fixed several crash conditions
 * fixes for the JSON output
 * several improvements to the build process, some warnings fixed
 * daemon now uses RT scheduler by default
 * better Unix signal handling
 * code and files cleanups

Starting with this release, ulogd2 will load all plugins from the plugins
directory if no 'plugin=' directive was specified in the config file.
The default directory is something like /usr/local/lib/ulogd/ or
/usr/lib/ulogd/, depending on your build.

See ChangeLog that comes attached to this email for more details.

You can download it from:

* https://netfilter.org/projects/ulogd/downloads.html
* ftp://ftp.netfilter.org/pub/ulogd2/

In case of bugs and feature requests, please file them via:

* https://bugzilla.netfilter.org

Happy firewalling!

PS: Please note, we don't have a 2.0.6 release.

Alex Xu (1):
  sqlite3: Remove unused "buffer" option.

Arturo Borrero Gonzalez (5):
  ulogd: use a RT scheduler by default
  ulogd: load all plugins by default
  ulogd2: cleanup downstream files
  Set release number to 2.0.7.
  remove ulogd2.rotate and ulogd2.spec from Makefile.am

Eric Leblond (8):
  ulogd: add missing newline in log message
  ulogd: fix indentation in acinclude.m4
  ulogd: add automake option
  ulogd: use strncpy instead of memcpy
  ulogd.conf: fix incorrect stack
  Set release number to 2.0.6.
  ulogd: fix crash when plugin version are incorrect
  ip2bin: fix plugin link for some compiler

Felix Janda (4):
  Sync with kernel headers
  Define _GNU_SOURCE to get members of tcphdr
  ulogd: Use /dev/null as dummy logfile when logging to syslog
  Use stdint types everywhere

Harald Welte (1):
  configure.ac: Add --without-{mysql,pgsql}

Helmut Schaa (1):
  ulogd: fix cross compilation errors with mysql_config

Hironobu Ishii (1):
  ulogd: restructures signal handling by self-pipe trick

Kaarle Ritvanen (2):
  harmonize log file defaults with ulogd.conf
  rotate all default output files

Liping Zhang (1):
  ulogd: fix crash when ipv4 packet is truncated

Vincent Bernat (2):
  json: output messages in JSONv1 format
  json: append timezone information to ISO 8601 date



[conntrack-tools PATCH v2] systemd: default to use libsystemd if build with support for it

2018-04-16 Thread Arturo Borrero Gonzalez
We may assume that if a user builds conntrackd with such a feature, it is with
the intention to use it. So, if that's the case, default to using it.

This eases some downstream use cases when dealing with default configs to
be shipped to final users.

This could be a mid-point solution, given some users are asking for a full
revert of commit c01d0d9138112ec95ee316385ea2687dd94fa4e3.

Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org>
---
 conntrackd.8 |5 +
 conntrackd.conf.5|7 ---
 doc/stats/conntrackd.conf|2 +-
 doc/sync/alarm/conntrackd.conf   |2 +-
 doc/sync/ftfw/conntrackd.conf|2 +-
 doc/sync/notrack/conntrackd.conf |2 +-
 src/read_config_yy.y |4 
 7 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/conntrackd.8 b/conntrackd.8
index 6ccf261..de1e80c 100644
--- a/conntrackd.8
+++ b/conntrackd.8
@@ -1,4 +1,4 @@
-.TH CONNTRACKD 8 "Aug 30, 2016" "" ""
+.TH CONNTRACKD 8 "Apr 16, 2018" "" ""
 
 .\" Man page written by Pablo Neira Ayuso <pa...@netfilter.org> (Dec 2007)
 
@@ -149,9 +149,6 @@ the configuration file, ignore this notice.
 Starting with the 1.4.4 release, \fBconntrackd\fP includes integration with
 \fBsystemd(1)\fP to use an unit file of \fIType=notify\fP and watchdog support.
 
-The daemon should be configured at build time to include such support
-and \fBconntrackd.conf(5)\fP should contain \fBSystemd on\fP.
-
 .SH INCOMPATIBILITIES
 During the 0.9.9 development, some important changes in the replication message
 format were introduced. Therefore, \fBconntrackd\fP >= 0.9.9 will not work
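Review bot: removing this paragraph drops the only statement in conntrackd.8 that systemd integration is a build-time option; rather than deleting it, reword it to the new behaviour: when built with systemd support the integration is enabled by default and `Systemd off` in conntrackd.conf(5) disables it. Otherwise a reader of this page gets no hint that the feature may be absent from their build.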
diff --git a/conntrackd.conf.5 b/conntrackd.conf.5
index 7c5c29f..79a5bba 100644
--- a/conntrackd.conf.5
+++ b/conntrackd.conf.5
@@ -1,5 +1,5 @@
 .\"
-.\" (C) Copyright 2015, Arturo Borrero Gonzalez <art...@debian.org>
+.\" (C) Copyright 2015-2018, Arturo Borrero Gonzalez <art...@netfilter.org>
 .\"
 .\" %%%LICENSE_START(GPLv2+_DOC_FULL)
 .\" This is free documentation; you can redistribute it and/or
@@ -22,7 +22,7 @@
 .\" <http://www.gnu.org/licenses/>.
 .\" %%%LICENSE_END
 .\"
-.TH CONNTRACKD.CONF 5 "January 24, 2018"
+.TH CONNTRACKD.CONF 5 "Apr 16, 2018"
 
 .SH NAME
 conntrackd.conf \- configuration file for conntrackd daemon
@@ -476,7 +476,8 @@ Note: \fBsystemd(1)\fP watchdog is supported as well.
 
 Example: Systemd on
 
-By default runtime support is disabled.
+By default runtime support is enabled if conntrackd was built with the systemd
+feature. Otherwise is off.
 
 .TP
 .BI "Nice "
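Review bot: `Otherwise is off.` is missing its subject; suggest `Otherwise it is off.`, or one sentence: `By default runtime support is enabled when conntrackd was built with systemd support, and disabled otherwise.` Since the default is now on for such builds, the `Example: Systemd on` line above no longer shows the interesting value; `Systemd off` is what users who want the previous behaviour need to see.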
diff --git a/doc/stats/conntrackd.conf b/doc/stats/conntrackd.conf
index ba957a1..9918bbb 100644
--- a/doc/stats/conntrackd.conf
+++ b/doc/stats/conntrackd.conf
@@ -6,7 +6,7 @@ General {
# Enable systemd support. If conntrackd is compiled with the proper
# configuration, you can use a systemd service unit of Type=notify
# and use conntrackd with systemd watchdog as well.
-   # Default is: off
+   # Default is: on if built with --enable-systemd, off otherwhise
#
#Systemd on
 
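Review bot: typo `otherwhise` in the new comment line; the same spelling appears in the alarm, ftfw and notrack conntrackd.conf hunks below. Since `--enable-systemd` builds now default to on, the commented-out `#Systemd on` example beneath it is worth changing to `#Systemd off`, so the sample shows the non-default value.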
diff --git a/doc/sync/alarm/conntrackd.conf b/doc/sync/alarm/conntrackd.conf
index 831be15..b689ae6 100644
--- a/doc/sync/alarm/conntrackd.conf
+++ b/doc/sync/alarm/conntrackd.conf
@@ -221,7 +221,7 @@ General {
# Enable systemd support. If conntrackd is compiled with the proper
# configuration, you can use a systemd service unit of Type=notify
# and use conntrackd with systemd watchdog as well.
-   # Default is: off
+   # Default is: on if built using --enable-systemd, off otherwhise
#
#Systemd on
 
diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf
index 9da0fb6..8267659 100644
--- a/doc/sync/ftfw/conntrackd.conf
+++ b/doc/sync/ftfw/conntrackd.conf
@@ -244,7 +244,7 @@ General {
# Enable systemd support. If conntrackd is compiled with the proper
# configuration, you can use a systemd service unit of Type=notify
# and use conntrackd with systemd watchdog as well.
-   # Default is: off
+   # Default is: on if built with --enable-systemd, off otherwhise
#
#Systemd on
 
diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf
index 600fc89..8445b7d 100644
--- a/doc/sync/notrack/conntrackd.conf
+++ b/doc/sync/notrack/conntrackd.conf
@@ -283,7 +283,7 @@ General {
# Enable systemd support. If conntrackd is compiled with the proper
# configuration, you can use a systemd service unit of Type=notify
# and use conntrackd with systemd watchdog as well.
-   # Default is: off
+   # Default is: on if built with --enable-systemd, off otherwhise
#
#Systemd on
 
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 32cca3c..6de8c6c 10064

[conntrack-tools PATCH] tests: reallocate cli testing script

2018-04-16 Thread Arturo Borrero Gonzalez
Move this to test/

Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org>
---
 doc/cli/test.sh |  106 ---
 tests/conntrack/cli-test.sh |  106 +++
 2 files changed, 106 insertions(+), 106 deletions(-)
 delete mode 100644 doc/cli/test.sh
 create mode 100644 tests/conntrack/cli-test.sh

diff --git a/doc/cli/test.sh b/doc/cli/test.sh
deleted file mode 100644
index 2a0fef7..000
--- a/doc/cli/test.sh
+++ /dev/null
@@ -1,106 +0,0 @@
-CONNTRACK=conntrack
-
-SRC=1.1.1.1
-DST=2.2.2.2
-SPORT=2005
-DPORT=21
-
-case $1 in
-   dump)
-   echo "Dumping conntrack table"
-   $CONNTRACK -L
-   ;;
-   flush)
-   echo "Flushing conntrack table"
-   $CONNTRACK -F
-   ;;
-   new)
-   echo "creating a new conntrack"
-   $CONNTRACK -I --orig-src $SRC --orig-dst $DST \
---reply-src $DST --reply-dst $SRC -p tcp \
---orig-port-src $SPORT  --orig-port-dst $DPORT \
---reply-port-src $DPORT --reply-port-dst $SPORT \
-   --state LISTEN -u SEEN_REPLY -t 50
-   ;;
-   new-simple)
-   echo "creating a new conntrack (simplified)"
-   $CONNTRACK -I -s $SRC -d $DST \
-   -p tcp --sport $SPORT  --dport $DPORT \
-   --state LISTEN -u SEEN_REPLY -t 50
-   ;;
-   new-nat)
-   echo "creating a new conntrack (NAT)"
-   $CONNTRACK -I -s $SRC -d $DST \
-   -p tcp --sport $SPORT  --dport $DPORT \
-   --state LISTEN -u SEEN_REPLY -t 50 --dst-nat 8.8.8.8
-   ;;
-   get)
-   echo "getting a conntrack"
-   $CONNTRACK -G -s $SRC -d $DST \
-   -p tcp --sport $SPORT --dport $DPORT
-   ;;
-   change)
-   echo "change a conntrack"
-   $CONNTRACK -U -s $SRC -d $DST \
-   -p tcp --sport $SPORT --dport $DPORT \
-   --state TIME_WAIT -u ASSURED,SEEN_REPLY -t 500
-   ;;
-   delete)
-   $CONNTRACK -D -s $SRC -d $DST \
-   -p tcp --sport $SPORT --dport $DPORT
-   ;;
-   output)
-   proc=$(cat /proc/net/ip_conntrack | wc -l)
-   netl=$($CONNTRACK -L | wc -l)
-   count=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count)
-   if [ $proc -ne $netl ]; then
-   echo "proc is $proc and netl is $netl and count is 
$count"
-   else
-   if [ $proc -ne $count ]; then
-   echo "proc is $proc and netl is $netl and count 
is $count"
-   else
-   echo "now $proc"
-   fi
-   fi
-   ;;
-   dump-expect)
-   $CONNTRACK -L expect
-   ;;
-   flush-expect)
-   $CONNTRACK -F expect
-   ;;
-   create-expect)
-   # requires modprobe ip_conntrack_ftp
-   $CONNTRACK -I expect --orig-src $SRC --orig-dst $DST \
-   --tuple-src 4.4.4.4 --tuple-dst 5.5.5.5 \
-   --mask-src 255.255.255.0 --mask-dst 255.255.255.255 \
-   -p tcp --orig-port-src $SPORT --orig-port-dst $DPORT \
-   -t 200 --tuple-port-src 10240 --tuple-port-dst 10241\
-   --mask-port-src 10 --mask-port-dst 300
-   ;;
-   get-expect)
-   $CONNTRACK -G expect --orig-src 4.4.4.4 --orig-dst 5.5.5.5 \
-   --p tcp --orig-port-src 10240 --orig-port-dst 10241
-   ;;
-   delete-expect)
-   $CONNTRACK -D expect --orig-src 4.4.4.4 \
-   --orig-dst 5.5.5.5 -p tcp --orig-port-src 10240 \
-   --orig-port-dst 10241
-   ;;
-   *)
-   echo "Usage: $0 [dump"
-   echo "  |new"
-   echo "  |new-simple"
-   echo "  |new-nat"
-   echo "  |get"
-   echo "  |change"
-   echo "  |delete"
-   echo "  |output"
-   echo "  |flush"
-   echo "  |dump-expect"
-   echo "  |flush-expect"
-   echo "  |create-expect"
-   echo "  |get-expect"
-   echo "  |delete-expect]"
-   ;;
-esac
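Review bot: a pure move keeps the script's defects (the blob hash 2a0fef7 is identical on both sides): the `get-expect` case passes `--p tcp` instead of `-p tcp`, and the `output` case reads `/proc/net/ip_conntrack` and `/proc/sys/net/ipv4/netfilter/ip_conntrack_count`, the paths of the old ip_conntrack interface rather than nf_conntrack. Worth a follow-up now that the file lives under tests/. Also, the commit message says `test/` while the file lands in `tests/conntrack/`.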
diff --git a/tests/conntrack/cli-test.sh b/tests/conntrack/cli-test.sh
new file mode 100644
index 000..2a0fef7
--- /dev/null
+++ b/tests/co

[conntrack-tools PATCH] systemd: default to use libsystemd if build with support for it

2018-04-16 Thread Arturo Borrero Gonzalez
We may assume that if a user builds conntrackd with such a feature, it is with
the intention to use it. So, if that's the case, default to using it.

This eases some downstream use cases when dealing with default configs to
be shipped to final users.

This could be a mid-point solution, given some users are asking for a full
revert of commit c01d0d9138112ec95ee316385ea2687dd94fa4e3.

Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org>
---
 src/read_config_yy.y |4 
 1 file changed, 4 insertions(+)

diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 32cca3c..6de8c6c 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -1626,6 +1626,10 @@ init_config(char *filename)
CONFIG(stats).syslog_facility = -1;
CONFIG(netlink).subsys_id = -1;
 
+#ifdef BUILD_SYSTEMD
+CONFIG(systemd) = 1;
+#endif /* BUILD_SYSTEMD */
+
/* Initialize list of user-space helpers */
INIT_LIST_HEAD((cthelper).list);
 
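Review bot: the change flips a user-visible default but, per the diffstat, touches no documentation; conntrackd.conf.5 and the sample conntrackd.conf files should say the default is on when built with systemd support, and the man page should mention `Systemd off` as the way to opt out, otherwise users upgrading with an unchanged config file get systemd integration they never asked for.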



[conntrack-tools PATCH] conntrackd: add missing fall-through annotation in switch statements

2018-04-16 Thread Arturo Borrero Gonzalez
Modern GCC compilers will warn if an explicit comment isn't present.
Perhaps this should be better done with a proper compiler instruction,
but the code comment is more similar to the rest of the codebase.

Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org>
---
 src/cache-ct.c  |2 ++
 src/cache-exp.c |1 +
 src/tcp.c   |1 +
 3 files changed, 4 insertions(+)

diff --git a/src/cache-ct.c b/src/cache-ct.c
index f86d143..fa5072c 100644
--- a/src/cache-ct.c
+++ b/src/cache-ct.c
@@ -266,6 +266,7 @@ static int cache_ct_commit(struct cache *c, struct 
nfct_handle *h, int clientfd)
STATE_SYNC(commit).stats.ok = c->stats.commit_ok;
STATE_SYNC(commit).stats.fail = c->stats.commit_fail;
STATE_SYNC(commit).clientfd = clientfd;
+   /* fall-through */
case COMMIT_STATE_MASTER:
STATE_SYNC(commit).current =
hashtable_iterate_limit(c->h, ,
@@ -280,6 +281,7 @@ static int cache_ct_commit(struct cache *c, struct 
nfct_handle *h, int clientfd)
}
STATE_SYNC(commit).current = 0;
STATE_SYNC(commit).state = COMMIT_STATE_RELATED;
+   /* fall-through */
case COMMIT_STATE_RELATED:
STATE_SYNC(commit).current =
hashtable_iterate_limit(c->h, ,
diff --git a/src/cache-exp.c b/src/cache-exp.c
index 9183b2c..acdae10 100644
--- a/src/cache-exp.c
+++ b/src/cache-exp.c
@@ -236,6 +236,7 @@ cache_exp_commit(struct cache *c, struct nfct_handle *h, 
int clientfd)
STATE_SYNC(commit).stats.ok = c->stats.commit_ok;
STATE_SYNC(commit).stats.fail = c->stats.commit_fail;
STATE_SYNC(commit).clientfd = clientfd;
+   /* fall-through */
case COMMIT_STATE_MASTER:
STATE_SYNC(commit).current =
hashtable_iterate_limit(c->h, ,
diff --git a/src/tcp.c b/src/tcp.c
index c8f2544..91fe524 100644
--- a/src/tcp.c
+++ b/src/tcp.c
@@ -300,6 +300,7 @@ ssize_t tcp_send(struct tcp_sock *m, const void *data, int 
size)
/* we got connected :) */
m->state = TCP_CLIENT_CONNECTED;
}
+   /* fall through */
case TCP_CLIENT_CONNECTED:
ret = sendto(m->fd, data, size, 0,
 (struct sockaddr *) >addr, m->sockaddr_len);
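Review bot: style: this hunk spells the marker `/* fall through */` while the cache-ct.c and cache-exp.c hunks use `/* fall-through */`; pick one. Both forms satisfy GCC's default -Wimplicit-fallthrough=3 comment matching, but a single spelling is easier to grep for and to keep consistent with the rest of the codebase the commit message refers to.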



[ulogd PATCH] ulogd2: cleanup downstream files

2018-04-03 Thread Arturo Borrero Gonzalez
These files are outdated and they belong to downstream users (distributions).
Providing outdated and unmaintained files here serves no purpose other than
confusing users and annoying packagers.

If a user is using ulogd2 directly from the source tarball, I would expect them
to be proficient enough to generate these files themselves.

Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org>
---
 ulogd.init  |   61 
 ulogd.logrotate |7 ---
 ulogd.spec  |  119 ---
 3 files changed, 187 deletions(-)
 delete mode 100755 ulogd.init
 delete mode 100644 ulogd.logrotate
 delete mode 100644 ulogd.spec

diff --git a/ulogd.init b/ulogd.init
deleted file mode 100755
index b678652..000
--- a/ulogd.init
+++ /dev/null
@@ -1,61 +0,0 @@
-#!/bin/sh
-#
-# chkconfig: 345 81 19
-# description: ulogd is the userspace logging daemon for netfilter/iptables
-#
-
-
-. /etc/rc.d/init.d/functions
-
-
-function start()
-{
-   printf "Starting %s: " "ulogd"
-   daemon /usr/sbin/ulogd -d
-   echo
-   touch /var/lock/subsys/ulogd
-}
-
-
-function stop()
-{
-   printf "Stopping %s: " "ulogd"
-   killproc ulogd
-   echo
-   rm -f /var/lock/subsys/ulogd
-}
-
-
-function reload()
-{
-   pid=`pidof ulogd`
-   if [ "x$pid" != "x" ]; then
-   kill -HUP $pid 2>/dev/null
-   fi
-   touch /var/lock/subsys/ulogd
-}
-
-
-case "$1" in
-  start)
-   start
-   ;;
-  stop)
-   stop
-   ;;
-  restart)
-   stop
-   start
-   ;;
-  reload)
-   reload
-   ;;
-  status)
-   status ulogd
-   ;;
-  *)
-   printf "Usage: %s {start|stop|status|restart|reload}\n" "ulogd"
-   exit 1
-esac
-
-exit 0
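Review bot: the commit message says these files belong to distributions but gives no pointer to where the replacement lives, and this script was the only in-tree record of how the daemon is expected to be run (`/usr/sbin/ulogd -d`) and reloaded (`kill -HUP $pid`); a sentence in the commit message or README stating that service integration is left to packagers, and that SIGHUP is the reload signal, would keep that information from disappearing with the file.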
diff --git a/ulogd.logrotate b/ulogd.logrotate
deleted file mode 100644
index 8470811..000
--- a/ulogd.logrotate
+++ /dev/null
@@ -1,7 +0,0 @@
-/var/log/ulogd* {
-missingok
-sharedscripts
-postrotate
-   /bin/killall -HUP ulogd 2> /dev/null || true
-endscript
-}
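Review bot: this snippet was the documented way to make ulogd reopen its logs after rotation (`/bin/killall -HUP ulogd`), so once it is gone nothing in the tree tells a packager how rotation should be signalled; worth one line in the documentation. If it is ever reinstated downstream, note that `killall` by process name also signals any unrelated process called ulogd, whereas a pidfile-based `kill -HUP` targets only the daemon.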
diff --git a/ulogd.spec b/ulogd.spec
deleted file mode 100644
index c22b287..000
--- a/ulogd.spec
+++ /dev/null
@@ -1,119 +0,0 @@
-Summary: ulogd - The userspace logging daemon for netfilter
-Name: ulogd
-Version: 2.00beta
-Release: 1gm
-License: GPL
-Group: Network
-Source: http://ftp.netfilter.org/pub/ulogd/%{name}-%{version}.tar.gz
-BuildRoot: %{_tmppath}/%{name}-%{version}-root
-Packager: Harald Welte <lafo...@netfilter.org>
-BuildRequires: MySQL-devel postgresql-devel libpcap-devel libnfnetlink 
libnetfilter_conntrack libnetfilter_log
-#BuildRequires: mysql-devel
-
-%package mysql
-Summary: MySQL output plugin for ulogd-2.x
-Group: Network
-
-%package pgsql
-Summary: PostgreSQL output plugin for ulogd-2.x
-Group: Network
-
-%package pcap
-Summary: libpcap output plugin for ulogd-2.x
-Group: Network
-
-%package nflog
-Summary: netfilter_log input plugin for ulogd-2.x
-Group: Network
-
-%package ctnl
-Summary: netfilter_conntrack input plugin for ulogd-2.x
-Group: Network
-
-%description
-ulogd is an universal logging daemon for the ULOG target of netfilter, the
-Linux 2.4 firewalling subsystem. ulogd is able to log packets in variuos
-formats to different targets (text files, databases, etc..). It has an
-easy-to-use plugin interface to add new protocols and new output targets.
-
-%description mysql
-ulogd-mysql is a MySQL output plugin for ulogd. It enables logging of
-firewall information into a MySQL database.
-
-%description pgsql
-ulogd-mysql is a PostgreSQL output plugin for ulogd. It enables logging of
-firewall information into a PostgreSQL database.
-
-%prep
-%setup
-
-%build
-%configure --with-mysql=/usr/lib/mysql --with-pgsql=/usr/lib/postgresql
-make
-
-%install
-rm -rf %{buildroot}
-mkdir -p %{buildroot}/%{_sysconfdir}
-mkdir -p %{buildroot}/%{_libdir}/ulogd
-mkdir -p %{buildroot}/%{_sbindir}/sbin
-mkdir -p %{buildroot}/%{_mandir}/man8
-make DESTDIR=%{buildroot} install
-
-mkdir -p %{buildroot}/%{_sysconfdir}/rc.d/init.d
-install ulogd.init %{buildroot}/%{_sysconfdir}/rc.d/init.d/ulogd
-install ulogd.8 %{buildroot}/%{_mandir}/man8/ulogd.8
-   
-%clean
-rm -rf %{buildroot}
-
-%files
-%defattr(0644,root,root,0755)
-%attr(0755,root,root) %{_sbindir}/ulogd
-%{_sysconfdir}/ulogd.conf
-%{_sysconfdir}/rc.d/init.d/ulogd
-%{_mandir}/man8/*
-%dir %{_libdir}/ulogd
-%{_libdir}/ulogd/ulogd_BASE.so
-%{_libdir}/ulogd/ulogd_LOCAL.so
-%{_libdir}/ulogd/ulogd_LOGEMU.so
-%{_libdir}/ulogd/ulogd_OPRINT.so
-%{_libdir}/ulogd/ulogd_PWSNIFF.so
-%{_libdir}/ulogd/ulogd_PCAP.so
-%doc COPYING AUTHORS README
-%doc doc/ulogd.txt doc/ulogd.a4.ps doc/ulogd.html
-
-%files mysql
-%defattr(0644,root,root,0755)
-%{_libdir}/ulogd/ulogd_MYSQL.so
-
-%files pgsql
-%defattr(0644,root,root,0755)
-%{_libdir}/ulogd/ulogd_PGSQL.so
-
-%changelog
-* Sat Aug 25 2003 Harald Welte <lafo...@gnum
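Review bot: the spec is visibly stale (`Version: 2.00beta`, a `%description` that still talks about the ULOG target of the "Linux 2.4 firewalling subsystem", and a `%description pgsql` copied from the mysql section that still says "ulogd-mysql is a PostgreSQL output plugin"); quoting one of these in the commit message would make the "outdated" justification concrete for reviewers who do not open the file.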

Re: [PATCH libnftnl] examples: add nft-ct-helper-{add,get,del}

2018-03-20 Thread Arturo Borrero Gonzalez
On 19 March 2018 at 18:19, Yang Zheng <tomsun@gmail.com> wrote:
> nft-ct-helper-{add,get,del}: add, get, or delete ct helper objects from the 
> specified table.
>

It would be great if you could extend the commit message a bit with your tests:

% ./nft-ct-helper-get 

% ./nft-ct-helper-add 
% ./nft-ct-helper-get 
[...]
% ./nft-ct-helper-del 
% ./nft-ct-helper-get 


So other people know about the expected results when running this.

> Signed-off-by: Yang Zheng <tomsun@gmail.com>
> ---
>  examples/Makefile.am |  14 +++-
>  examples/nft-ct-helper-add.c | 149 ++
>  examples/nft-ct-helper-del.c | 124 +++
>  examples/nft-ct-helper-get.c | 150 
> +++
>  4 files changed, 436 insertions(+), 1 deletion(-)
>  create mode 100644 examples/nft-ct-helper-add.c
>  create mode 100644 examples/nft-ct-helper-del.c
>  create mode 100644 examples/nft-ct-helper-get.c
>

Other than that, it LGTM:

Acked-by: Arturo Borrero Gonzalez <art...@netfilter.org>


Re: [nft PATCH 0/6] A set of patches resulting from running tests/shell

2018-03-20 Thread Arturo Borrero Gonzalez
On 19 March 2018 at 18:02, Phil Sutter <p...@nwl.cc> wrote:
> This series is the result of me trying to get all tests in tests/shell
> to pass. Sadly I wasn't fully successful, these two still fail:
>
> - testcases/sets/0028autoselect_0
> - testcases/sets/0031set_timeout_size_0
>
> I had a look at the latter, the problem seems to be that nft_set_hash.c
> in kernel prefers nft_hash_fast_ops for four byte keys ignoring the fact
> that NFT_SET_TIMEOUT support is required.
>
> Phil Sutter (6):
>   Support 'nft -f -' to read from stdin
>   tests/shell: Fix dump of chains/0016delete_handle_0
>   tests/shell: Fix flowtable test cases
>   flowtable: Make parsing a little more robust
>   tests/shell: Fix sporadic fail of include/0007glob_double_0
>   tests/shell: Allow to specify multiple testcases
>

Acked-by: Arturo Borrero Gonzalez <art...@netfilter.org>


[iptables PATCH] iptables: add xtables-translate.8 manpage

2018-03-16 Thread Arturo Borrero Gonzalez
This new manpage describes how to operate the translation tools for nftables.

Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org>
---
 iptables/Makefile.am |3 +
 iptables/xtables-translate.8 |  134 ++
 2 files changed, 136 insertions(+), 1 deletion(-)
 create mode 100644 iptables/xtables-translate.8

diff --git a/iptables/Makefile.am b/iptables/Makefile.am
index d0060c60..7fc34830 100644
--- a/iptables/Makefile.am
+++ b/iptables/Makefile.am
@@ -58,7 +58,8 @@ sbin_PROGRAMS += xtables-compat-multi
 endif
 man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \
iptables-xml.1 ip6tables.8 ip6tables-restore.8 \
-   ip6tables-save.8 iptables-extensions.8 xtables-compat.8
+   ip6tables-save.8 iptables-extensions.8 \
+  xtables-compat.8 xtables-translate.8
 CLEANFILES   = iptables.8 \
   xtables-config-parser.c xtables-config-syntax.c
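Review bot: `xtables-translate.8` is appended to `man_MANS` unconditionally, right after the `endif` that closes the block in which `xtables-compat-multi` is built; if the translate commands come from that same conditional, the manpage should be added inside it so that a build without the compat tools does not install a manual for commands it lacks. The continuation line `+  xtables-compat.8 xtables-translate.8` is also indented differently from the `ip6tables-save.8` line above it.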
 
diff --git a/iptables/xtables-translate.8 b/iptables/xtables-translate.8
new file mode 100644
index ..1968239b
--- /dev/null
+++ b/iptables/xtables-translate.8
@@ -0,0 +1,134 @@
+.\"
+.\" (C) Copyright 2018, Arturo Borrero Gonzalez <art...@netfilter.org>
+.\"
+.\" %%%LICENSE_START(GPLv2+_DOC_FULL)
+.\" This is free documentation; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License as
+.\" published by the Free Software Foundation; either version 2 of
+.\" the License, or (at your option) any later version.
+.\"
+.\" The GNU General Public License's references to "object code"
+.\" and "executables" are to be interpreted as the output of any
+.\" document formatting or typesetting system, including
+.\" intermediate and printed output.
+.\"
+.\" This manual is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public
+.\" License along with this manual; if not, see
+.\" <http://www.gnu.org/licenses/>.
+.\" %%%LICENSE_END
+.\"
+.TH XTABLES-TRANSLATE 8 "Mar 16, 2018"
+
+.SH NAME
+xtables-translate \- translation tools to migrate from iptables to nftables
+
+.SH DESCRIPTION
+There is a set of tools to help the system administrator translate a given
+ruleset from \fBiptables(8)\fP and \fBip6tables(8)\fP to \fBnftables(8)\fP.
+
+The available commands are:
+
+.IP \[bu] 2
+iptables-translate
+.IP \[bu]
+iptables-restore-translate
+.IP \[bu] 2
+ip6tables-translate
+.IP \[bu]
+ip6tables-restore-translate
+
+.SH USAGE
+They take as input the original \fBiptables(8)\fP/\fBip6tables(8)\fP syntax and
+output the native \fBnftables(8)\fP syntax.
+
+The \fBiptables-restore-translate\fP tool reads a ruleset in the syntax
+produced by \fBiptables-save(8)\fP. Likewise, the
+\fBip6tables-restore-translate\fP tool reads one produced by
+\fBip6tables-save(8)\fP.
+
+The \fBiptables-translate\fP reads a command line as if it was entered to
+\fBiptables(8)\fP, and \fBip6tables-translate\fP reads a command like as if it
+was entered to \fBip6tables(8)\fP.
+
+.SH EXAMPLES
+Basic operation examples.
+
+Single command translation:
+
+.nf
+root@machine:~# iptables-translate -A INPUT -p tcp --dport 22 -m conntrack 
--ctstate NEW -j ACCEPT
+nft add rule ip filter INPUT tcp dport 22 ct state new counter accept
+
+root@machine:~# ip6tables-translate -A FORWARD -i eth0 -o eth3 -p udp -m 
multiport --dports 111,222 -j ACCEPT
+nft add rule ip6 filter FORWARD iifname eth0 oifname eth3 meta l4proto udp udp 
dport { 111,222} counter accept
+.fi
+
+Whole ruleset translation:
+
+.nf
+root@machine:~# iptables-save > save.txt
+root@machine:~# cat save.txt
+# Generated by iptables-save v1.6.0 on Sat Dec 24 14:26:40 2016
+*filter
+:INPUT ACCEPT [5166:1752111]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [5058:628693]
+-A FORWARD -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
+COMMIT
+# Completed on Sat Dec 24 14:26:40 2016
+
+root@machine:~# iptables-restore-translate -f save.txt
+# Translated by iptables-restore-translate v1.6.0 on Sat Dec 24 14:26:59 2016
+add table ip filter
+add chain ip filter INPUT { type filter hook input priority 0; }
+add chain ip filter FORWARD { type filter hook forward priority 0; }
+add chain ip filter OUTPUT { type filter hook output priority 0; }
+add rule ip filter FORWARD tcp dport 22 ct state new counter accept
+
+root@machine:~# iptables-restore-translate -f save.txt > ruleset.nft
+root@machine:~# nft -f ruleset.nft
+root@machine:~# nft list ruleset
+table ip filter {
+   chain INPUT {
+   type filter hook input priority 0; policy accept;
+
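Review bot: in the USAGE section, "reads a command like as if it was entered to ip6tables(8)" should read "command line", and "The \fBiptables-translate\fP reads" is missing "tool". In the DESCRIPTION list the indent argument `2` is given on the first and third `.IP \[bu]` but not on the others; since `.IP` reuses the previous indent, giving it once (or on every item) reads more consistently. In the first example the output `dport { 111,222}` has uneven spacing inside the braces; if that is a verbatim capture it is fine, otherwise it is worth re-checking against what the tool actually prints.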

Re: [PATCH nft] src: install table skeleton files to sysconfdir/nftables

2018-03-12 Thread Arturo Borrero Gonzalez
On 12 March 2018 at 12:36, Florian Westphal  wrote:
> +
> +install-data-hook:
> +   ${SED} -i 's|@sbindir[@]|${sbindir}/|g' ${DESTDIR}${pkgsysconfdir}/*
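Review bot: the `install-data-hook` runs `${SED} -i` over every file in `${DESTDIR}${pkgsysconfdir}/*`, so files that carry no `@sbindir@` placeholder are rewritten in place for nothing, and if the examples ship with a static `#!/usr/sbin/nft -f` shebang the substitution never matches at all; either restrict the hook to the files that actually contain the placeholder or drop it.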
> --

The shebang in those files is static now (#!/usr/sbin/nft -f)

Perhaps we should differentiate between files we use for development
and example files for the tarball (downstream users)


Re: [nft PATCH v2 1/3] nftables: rearrange files and examples

2018-03-10 Thread Arturo Borrero Gonzalez
On 10 March 2018 at 09:28, Duncan Roe  wrote:
>
> Up to Release 0.8.2, it used to be the case that after *make install*, these
> example files would show up in /etc/nftables.
>
> Now they don't.
>
> I think this is a regression which needs to be addressed,

We wanted to provide a collection of examples of what nftables can do,
for people who may be external to the project.
More examples may be added in the short term, I would like to see that
directory full of nft scripts.

I'm not sure if we should install all of them to /etc/ with make
install. Any proposal?


Re: [PATCH nft] src: move monitor code to src/monitor.c

2018-03-07 Thread Arturo Borrero Gonzalez
On 7 March 2018 at 13:36, Phil Sutter <p...@nwl.cc> wrote:
> On Wed, Mar 07, 2018 at 01:22:21PM +0100, Pablo Neira Ayuso wrote:
>> netlink.c is rather large file, move the monitor code to its own file.
>>
>> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
>
> Acked-by: Phil Sutter <p...@nwl.cc>

Acked-by: Arturo Borrero Gonzalez <art...@netfilter.org>


Re: [RFC nft] tests: shell: autogenerate dump verification

2018-03-06 Thread Arturo Borrero Gonzalez
On 6 March 2018 at 11:47, Florian Westphal <f...@strlen.de> wrote:
> Arturo Borrero Gonzalez <art...@netfilter.org> wrote:
>> On 5 March 2018 at 23:57, Laura Garcia Liebana <nev...@gmail.com> wrote:
>>
>> >  141 files changed, 837 insertions(+), 526 deletions(-)
>>
>> Better place a new script as a testcase, and all the required dump
>> files somewhere for it to read them.
>> Also, we have several testcases which are very long (we generate lots
>> of sets elements, for example) and I don't think it makes sense to
>> have them in plain text in the git tree.
>
> How would you verify that output didn't change without storing
> 'known state' somewhere?
> Or did you mean 'skip listing verification for some tests'?
>
> I don't think it's a big deal and would not worry about the size.
>
>> Anyway, we don't seem to be saving LOCs.
>
> Yes but it decouples script from expected output, I think that's an
> improvement.
>
> Next step f.e. could be to make sure we don't choke when we try
> to feed rule listing back to nftables via -f.

Ok, makes sense.


Re: [RFC nft] tests: shell: autogenerate dump verification

2018-03-06 Thread Arturo Borrero Gonzalez
On 5 March 2018 at 23:57, Laura Garcia Liebana  wrote:

>  141 files changed, 837 insertions(+), 526 deletions(-)


Better place a new script as a testcase, and all the required dump
files somewhere for it to read them.
Also, we have several testcases which are very long (we generate lots
of sets elements, for example) and I don't think it makes sense to
have them in plain text in the git tree.
Mind that this testsuite is meant to be generic, we have now shell
scripts, but we may have python code or even C in the future, and the
main runner script is intended to only launch them.

Anyway, we don't seem to be saving LOCs.

BTW make sure you use the NFT environment variable, so we can test
arbitrary nft binaries.
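
The two messages above (Arturo's reply to Laura's RFC and Florian's follow-up) sketch what a dump-verification runner should look like: the testcase script and its expected listing kept as separate files, the binary under test taken from the `NFT` environment variable, and, as a next step, the listing fed back through `nft -f` to make sure nft accepts its own output. The script below is an added example written for this page, not code from the nftables tree; it assumes a hypothetical convention that the expected listing for a testcase `foo` lives next to it as `foo.dump`, and it defaults `NFT` to whatever `nft` resolves to on `PATH`.

```shell
#!/bin/sh
# Added example, not part of the nftables tree: a small dump-verification
# runner in the shape discussed in the thread.
#
#   - the nft binary under test comes from the NFT environment variable
#     (assumed default: whatever "nft" resolves to on PATH);
#   - the expected listing is read from a separate file next to the
#     testcase (hypothetical convention: <testcase>.dump).

: "${NFT:=nft}"

# run_dump_case SCRIPT EXPECTED
#   Loads SCRIPT with "$NFT -f", lists the resulting ruleset and compares it
#   with EXPECTED. Returns 0 on a match, 1 when the listing differs and 2
#   when the script could not be loaded or listed at all.
run_dump_case() {
    script=$1
    expected=$2
    listing=$(mktemp) || return 2
    status=0

    if "$NFT" -f "$script" && "$NFT" list ruleset > "$listing"; then
        # diff prints the differing hunks, so a failure explains itself
        diff -u "$expected" "$listing" || status=1
    else
        echo "FAIL: $NFT could not load or list $script" >&2
        status=2
    fi

    rm -f "$listing"
    return "$status"
}

# roundtrip_case SCRIPT
#   The follow-up check from the thread: feed the listing nft produced back
#   through "$NFT -f". Returns 0 when nft accepts its own output, 1 when it
#   rejects it and 2 when the script could not be loaded or listed.
roundtrip_case() {
    script=$1
    relisted=$(mktemp) || return 2
    status=0

    if "$NFT" -f "$script" && "$NFT" list ruleset > "$relisted"; then
        "$NFT" -f "$relisted" || status=1
    else
        echo "FAIL: $NFT could not load or list $script" >&2
        status=2
    fi

    rm -f "$relisted"
    return "$status"
}

# Usage: sh dumpcheck.sh run <testcase>   (expects <testcase>.dump beside it)
case "${1:-}" in
    run)
        run_dump_case "$2" "$2.dump" && roundtrip_case "$2"
        ;;
esac
```

Run it as `NFT=/path/to/nft sh dumpcheck.sh run tests/shell/testcases/sets/0031set_timeout_size_0`. It needs the same privileges nft itself needs, and loading a testcase may replace the ruleset the machine is currently running, so run it in a throwaway namespace or VM rather than on a box whose firewall you rely on.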


Re: [PATCH nft] tests: shell: set timeout and size combination coverage

2018-03-05 Thread Arturo Borrero Gonzalez
On 5 March 2018 at 16:29, Pablo Neira Ayuso  wrote:
> Signed-off-by: Pablo Neira Ayuso 
> ---
>  tests/shell/testcases/sets/0031set_timeout_size_0 | 15 +++
>  1 file changed, 15 insertions(+)
>  create mode 100755 tests/shell/testcases/sets/0031set_timeout_size_0
>
> diff --git a/tests/shell/testcases/sets/0031set_timeout_size_0 
> b/tests/shell/testcases/sets/0031set_timeout_size_0
> new file mode 100755
> index ..ef65972aa020
> --- /dev/null
> +++ b/tests/shell/testcases/sets/0031set_timeout_size_0
> @@ -0,0 +1,15 @@
> +#!/bin/bash
> +
> +tmpfile=$(mktemp)
> +if [ ! -w $tmpfile ] ; then
> +   echo "Failed to create tmp file" >&2
> +   exit 0
> +fi
> +
> +trap "rm -rf $tmpfile" EXIT # cleanup if aborted
> +
> +echo "add table x
> +add set x y { type ipv4_addr; size 128; timeout 30s; }"

^^^

probably missing > $tmpfile

> +
> +set -e
> +$NFT -f $tmpfile
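Review bot: besides the redirection missing after the `echo`, which is pointed out above, the testcase does `exit 0` when `mktemp` fails, so a broken temp directory makes it report success without having run anything; a non-zero exit (or whatever status the runner treats as "skipped") is safer. `$tmpfile` is also left unquoted in `[ ! -w $tmpfile ]`, `trap "rm -rf $tmpfile"` and `$NFT -f $tmpfile`.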


Re: Contribute to Net-filter Development && G-Soc 2018

2018-03-04 Thread Arturo Borrero Gonzalez
On 3 March 2018 at 22:17, Himanshu Sagar  wrote:
> Hi All,
>
> Himanshu here.
>
> Having used iptables and ebtables in U.G. projects, I acknowledge dev
> team's effort in making this a reality. I'm interested in contributing
> to net-filter development and if I'm able to fix few bugs before
> deadline(so that I consider myself good enough), I would like to put
> up a request for taking Task 1 or 2(here :
> http://people.netfilter.org/pablo/nf-ideas-2018.txt) as GSoc 2018
> Project. I did following to get started:
>
> 1. I did an empty search(no search query) on Bugzilla and found two
> "targets" for me to fix:
> a. A printing
> bug(https://bugzilla.netfilter.org/show_bug.cgi?id=1211), just to get
> started.
> b. Another somewhat advanced
> bug(https://bugzilla.netfilter.org/show_bug.cgi?id=1161), to get hands
> dirty. This bug causes entire pipeline to fail and should provide a
> better insight/overview to me.
> 2.  I pulled out code corresponding to 1.a (iptables:1.6.1), and
> compiled it. After staring at code, for some time, I believe "static
> int list_entries" function at line 913 is the culprit.
>
> Question :
> A. Are these bugs a sensible choice?
> B. Which order would you suggest for reading and messing with code?
> for e.g read this part first, then this and so on.

Hi,

thanks for your interest in the Netfilter project!

we are focusing on nftables in this round of GSoC, as stated in the
ideas document:

=== 8< ===
In this edition, we propose that the students focus again on the nftables [1]
project, the successor of the popular iptables [2] firewalling tool.
[...]
=== 8< ===

Those bugs are part of iptables, so I would suggest you focus on
nftables-related code.

Also, in that same document:

=== 8< ===
If you are a student willing to participate in GSoC 2018 and you're interested
in any of our tasks, please subscribe to this mailing list:

https://lists.netfilter.org/mailman/listinfo/gsoc2013

Subscribing to this mailing list requires approval from the administrator, so
please be patient, we'll accept it asap. You can use this mailing list to ask
your questions regarding Netfilter's task during the GSoC 2018.
=== 8< ===

So, let's please move to the gsoc-specific mailing list, where there
are already several students asking questions about nftables.
The ideas document contains valuable information, please make sure you
read it in detail.

best regards!


Re: [PATCH nft] parser: support of maps with timeout

2018-03-02 Thread Arturo Borrero Gonzalez
On 2 March 2018 at 11:47, Pablo Neira Ayuso  wrote:
> On Fri, Mar 02, 2018 at 10:50:18AM +0100, Laura Garcia Liebana wrote:
>> Support of key and value association with a certain timeout.
>>
>> Example:
>>
>> nft add map nftlb mapa { type inet_service: ipv4_addr\;
>>  timeout 5s\; }
>>
>> Results in:
>>
>> table ip nftlb {
>>   map mapa {
>>   type inet_service : ipv4_addr
>>   timeout 5s
>>   }
>> }
>
> Applied, thanks Laura.

Good work. @Laura could we have testcases for this?


[iptables PATCH] iptables: add xtables-compat.8 manpage

2018-02-25 Thread Arturo Borrero Gonzalez
Copied back from the downstream Debian package.

Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org>
---
 iptables/Makefile.am  |2 -
 iptables/xtables-compat.8 |  177 +
 2 files changed, 178 insertions(+), 1 deletion(-)
 create mode 100644 iptables/xtables-compat.8

diff --git a/iptables/Makefile.am b/iptables/Makefile.am
index f92cc4ff..d0060c60 100644
--- a/iptables/Makefile.am
+++ b/iptables/Makefile.am
@@ -58,7 +58,7 @@ sbin_PROGRAMS += xtables-compat-multi
 endif
 man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \
iptables-xml.1 ip6tables.8 ip6tables-restore.8 \
-   ip6tables-save.8 iptables-extensions.8
+   ip6tables-save.8 iptables-extensions.8 xtables-compat.8
 CLEANFILES   = iptables.8 \
   xtables-config-parser.c xtables-config-syntax.c
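Review bot: `xtables-compat.8` documents the commands provided by `xtables-compat-multi`, which this file builds only inside the conditional closed by the `endif` right above, yet the manpage is appended to `man_MANS` after that `endif` and so gets installed even when the compat binaries are not; adding it inside the conditional keeps the installed manpages in step with the installed binaries.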
 
diff --git a/iptables/xtables-compat.8 b/iptables/xtables-compat.8
new file mode 100644
index ..90f887e1
--- /dev/null
+++ b/iptables/xtables-compat.8
@@ -0,0 +1,177 @@
+.\"
+.\" (C) Copyright 2016-2017, Arturo Borrero Gonzalez <art...@netfilter.org>
+.\"
+.\" %%%LICENSE_START(GPLv2+_DOC_FULL)
+.\" This is free documentation; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License as
+.\" published by the Free Software Foundation; either version 2 of
+.\" the License, or (at your option) any later version.
+.\"
+.\" The GNU General Public License's references to "object code"
+.\" and "executables" are to be interpreted as the output of any
+.\" document formatting or typesetting system, including
+.\" intermediate and printed output.
+.\"
+.\" This manual is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public
+.\" License along with this manual; if not, see
+.\" <http://www.gnu.org/licenses/>.
+.\" %%%LICENSE_END
+.\"
+.TH XTABLES-COMPAT 8 "Feb 25, 2017"
+
+.SH NAME
+xtables-compat \- compat tools to migrate from iptables to nftables
+
+.SH DESCRIPTION
+\fBxtables-compat\fP is set of tools to help the system administrator migrate 
the
+ruleset from \fBiptables(8)\fP, \fBip6tables(8)\fP, \fBarptables(8)\fP, and
+\fBebtables(8)\fP to \fBnftables(8)\fP.
+
+The \fBxtables-compat\fP set is composed of several commands:
+.IP \[bu] 2
+iptables-compat
+.IP \[bu]
+iptables-compat-save
+.IP \[bu]
+iptables-compat-restore
+.IP \[bu]
+ip6tables-compat
+.IP \[bu]
+ip6tables-compat-save
+.IP \[bu]
+ip6tables-compat-restore
+.IP \[bu]
+arptables-compat
+.IP \[bu]
+ebtables-compat
+
+These tools use the libxtables framework extensions and hook to the nf_tables
+kernel subsystem using the \fBnft_compat\fP module.
+
+.SH USAGE
+The compat tools set allows you to manage the nf_tables backend using the
+native syntax of \fBiptables(8)\fP, \fBip6tables(8)\fP, \fBarptables(8)\fP, and
+\fBebtables(8)\fP.
+
+You should use the compat tools exactly the same way as you would use the
+corresponding original tool.
+
+Adding a rule will result in that rule being added to the nf_tables kernel
+subsystem instead.
+Listing the ruleset will use the nf_tables backend as well.
+
+When these tools were designed, the main idea was to replace each legacy binary
+with a symlink to the corresponding compat tool, for example:
+
+.nf
+   /sbin/iptables  --> /usr/sbin/iptables-compat
+   /sbin/ip6tables --> /usr/sbin/ip6tables-compat
+   /sbin/arptables --> /usr/sbin/arptables-compat
+   /sbin/ebtables  --> /usr/sbin/ebtables-compat
+.fi
+
+.SH EXAMPLES
+One basic example is creating the skeleton ruleset in nf_tables from the
+compat tools, in a fresh machine:
+
+.nf
+   root@machine:~# iptables-compat -L
+   [...]
+   root@machine:~# ip6tables-compat -L
+   [...]
+   root@machine:~# arptables-compat -L
+   [...]
+   root@machine:~# ebtables-compat -L
+   [...]
+   root@machine:~# nft list ruleset
+   table ip filter {
+   chain INPUT {
+   type filter hook input priority 0; policy accept;
+   }
+
+   chain FORWARD {
+   type filter hook forward priority 0; policy accept;
+   }
+
+   chain OUTPUT {
+   type filter hook output priority 0; policy accept;
+   }
+   }
+   table ip6 filter {
+   chain INPUT {
+   type filter hook input priority 0; policy accept;
+   }
+
+   chain FORWARD {
+   
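Review bot: `.TH XTABLES-COMPAT 8 "Feb 25, 2017"` looks like a leftover from the Debian copy (the patch is dated 2018-02-25 and the copyright line says 2016-2017); the `.TH` date should reflect this revision. In DESCRIPTION, "is set of tools" needs "a". The paragraph recommending that `/sbin/iptables` and friends be turned into symlinks to the compat tools would benefit from one sentence spelling out the consequence of "added to the nf_tables kernel subsystem instead": rules loaded through the legacy binaries before the switch keep applying in the old backend but are not shown by `iptables-compat -L` or `nft list ruleset`, so an administrator should flush or migrate them first.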

[nft PATCH v3 2/3] examples: add ct helper examples

2018-02-25 Thread Arturo Borrero Gonzalez
Include some examples in the nftables tarball on using the ct helper
infrastructure, inspired by wiki.nftables.org.

Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org>
---
v2: fix some typos
v3: fix typo in shebang reported by Florian

 files/examples/ct_helpers.nft |   43 +
 1 file changed, 43 insertions(+)
 create mode 100755 files/examples/ct_helpers.nft

diff --git a/files/examples/ct_helpers.nft b/files/examples/ct_helpers.nft
new file mode 100755
index 000..07ebb2a
--- /dev/null
+++ b/files/examples/ct_helpers.nft
@@ -0,0 +1,43 @@
+#!/usr/sbin/nft -f
+
+# This example file shows how to use ct helpers in the nftables framework.
+# Note that nftables includes interesting improvements compared to how this
+# was done with iptables, such as loading multiple helpers with a single rule
+# This script is meant to be loaded with `nft -f `
+# You require linux kernel >= 4.12 and nft >= 0.8
+# For up-to-date information please visit https://wiki.nftables.org
+
+# Using ct helpers is an important security feature when doing stateful
+# firewalling, since it mitigate certain networking attacks.
+# More info at: https://home.regit.org/netfilter-en/secure-use-of-helpers/
+
+
+flush ruleset
+table inet filter {
+   # declare helpers of this table
+   ct helper ftp-standard {
+   type "ftp" protocol tcp;
+   l3proto inet
+   }
+   ct helper sip-5060 {
+   type "sip" protocol udp;
+   l3proto inet
+   }
+   ct helper tftp-69 {
+   type "tftp" protocol udp
+   l3proto inet
+   }
+
+   chain input {
+   type filter hook input priority 0; policy drop;
+   ct state established,related accept
+
+   # assign a single helper in a single rule
+   tcp dport 21 ct helper set "ftp-standard"
+
+   # assign multiple helpers in a single rule
+   ct helper set udp dport map {
+   69 : "tftp-69", \
+   5060 : "sip-5060" }
+   }
+}
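Review bot: with `policy drop` on the input chain, the rules that assign helpers (`tcp dport 21 ct helper set "ftp-standard"` and the `udp dport map`) only attach a helper and then fall through to the drop policy, so the FTP, TFTP and SIP control traffic the helpers are supposed to inspect is never accepted and the example as loaded does nothing useful; either add `accept` to those rules or state in the header comment that the file only demonstrates the syntax. The article linked in the header argues for attaching helpers only to traffic you expect (specific servers or interfaces) rather than to every packet on a port, so the example should at least mention that restriction next to the rules. Minor: "since it mitigate" should be "mitigates".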



[nft PATCH] meta: introduce datatype ifname_type

2018-02-25 Thread Arturo Borrero Gonzalez
This new datatype is a string subtype.
It will allow us to build named maps/sets using meta keys like 'iifname',
'oifname', 'ibriport' or 'obriport'.

Example:

table inet t {
set s {
type ifname
elements = { "eth0",
 "eth1" }
}

chain c {
iifname @s accept
oifname @s accept
}
}

Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org>
---
 doc/nft.xml|8 ++---
 include/datatype.h |2 +
 include/meta.h |1 +
 src/datatype.c |1 +
 src/evaluate.c |   19 +--
 src/meta.c |   17 +++---
 src/netlink_delinearize.c  |   27 +++
 src/netlink_linearize.c|   14 +---
 .../shell/testcases/maps/0007named_ifname_dtype_0  |   35 
 .../shell/testcases/sets/0029named_ifname_dtype_0  |   35 
 10 files changed, 134 insertions(+), 25 deletions(-)
 create mode 100755 tests/shell/testcases/maps/0007named_ifname_dtype_0
 create mode 100755 tests/shell/testcases/sets/0029named_ifname_dtype_0

diff --git a/doc/nft.xml b/doc/nft.xml
index 9d21e9a..6748265 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -2572,7 +2572,7 @@ filter output icmpv6 type { echo-request, echo-reply }


iifname
Input 
interface name
-   
string
+   
ifname



iiftype
@@ -2587,7 +2587,7 @@ filter output icmpv6 type { echo-request, echo-reply }


oifname
Output 
interface name
-   
string
+   
ifname



oiftype
@@ -2612,12 +2612,12 @@ filter output icmpv6 type { echo-request, echo-reply }


ibriport
Input 
bridge interface name
-   
string
+   
ifname



obriport
Output 
bridge interface name
-   
string
+   
ifname



pkttype
diff --git a/include/datatype.h b/include/datatype.h
index cc4cb07..dd94e80 100644
--- a/include/datatype.h
+++ b/include/datatype.h
@@ -41,6 +41,7 @@
  * @TYPE_ICMPX_CODE:   icmpx code (integer subtype)
  * @TYPE_DEVGROUP: devgroup code (integer subtype)
  * @TYPE_DSCP: Differentiated Services Code Point (integer subtype)
+ * @TYPE_IFNAME:   interface name (string subtype)
  */
 enum datatypes {
TYPE_INVALID,
@@ -84,6 +85,7 @@ enum datatypes {
TYPE_FIB_ADDR,
TYPE_BOOLEAN,
TYPE_CT_EVENTBIT,
+TYPE_IFNAME,
__TYPE_MAX
 };
 #define TYPE_MAX   (__TYPE_MAX - 1)
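Review bot: `+TYPE_IFNAME,` is not indented like the surrounding enumerators (compare `TYPE_CT_EVENTBIT,` just above it); add the tab. Inserting it before `__TYPE_MAX` bumps `TYPE_MAX` by one, which is the intended effect, but anything that serialises datatype numbers by value should be checked for the new entry.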
diff --git a/include/meta.h b/include/meta.h
index 47b16c4..6086a71 100644
--- a/include/meta.h
+++ b/include/meta.h
@@ -38,5 +38,6 @@ extern const struct datatype gid_type;
 extern const struct datatype uid_type;
 extern const struct datatype devgroup_type;
 extern const struct datatype pkttype_type;
+extern const struct datatype ifname_type;
 
 #endif /* NFTABLES_META_H */
diff --git a/src/datatype.c b/src/datatype.c
index 93726ca..324ac80 100644
--- a/src/datatype.c
+++ b/src/datatype.c
@@ -68,6 +68,7 @@ static const struct dataty

Re: [PATCH] xtables-compat-multi.c: Allow symlink of ebtables

2018-02-25 Thread Arturo Borrero Gonzalez
On 25 February 2018 at 08:14, Duncan Roe  wrote:
> This patch allows one to force a subsystem that one does not wish to modify
> (e.g. libvirt) to use the ebtables compatibility layer.
>
> ebtables-compat was already a symlink to xtables-compat-multi but ebtables was a
> stand-alone program. So one could move it out of the way before making the
> symlink as below:
>
>  lrwxrwxrwx 1 root root   20 Feb 24 11:03 ebtables -> xtables-compat-multi
>  -rwxr-xr-x 1 root root75176 Feb 24 11:03 ebtables.orig
>
> With this patch, kernel modules ebtable_filter & ebtables are no longer loaded.
>
> Signed-off-by: Duncan Roe 

Thanks, good to see people using nftables for virtualization environments.


Re: [nft PATCH v2 1/3] nftables: rearrange files and examples

2018-02-24 Thread Arturo Borrero Gonzalez
On 24 February 2018 at 23:07, Florian Westphal <f...@strlen.de> wrote:
> Arturo Borrero Gonzalez <art...@netfilter.org> wrote:
>> Concatenate all family/hook examples into a single one by means of includes.
>>
>> Put all example files under examples/. Use the '.nft' prefix and mark
>> them as executable files. Use a static shebang declaration, since these
>> are examples meant for final systems and users.
>>
>> While at it, refresh also the sets_and_maps.nft example file and also
>> add the 'netdev-ingress.nft' example file.
>
> Looks good, two more nits:
>
> Any reason why this doesn't use
> #! @sbindir@nft -f ?
>

I didn't expect we were using these files for development activities.
My idea was to use just the static shebang for the purpose of being an
example in final users systems (which would likely use /usr/sbin/nft).
Also, this way the examples are readable & copy-ready for users in
both the git repo and the tarball.

(with static I mean: don't have it replaced by make).


[nft PATCH v2 3/3] files: add load balance example

2018-02-24 Thread Arturo Borrero Gonzalez
Include this example file in the tarball on how to do load balancing with
nftables, inspired by https://wiki.nftables.org

Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org>
---
v2: fix some typos

 files/examples/load_balancing.nft |   54 +
 1 file changed, 54 insertions(+)
 create mode 100755 files/examples/load_balancing.nft

diff --git a/files/examples/load_balancing.nft 
b/files/examples/load_balancing.nft
new file mode 100755
index 000..2f03d27
--- /dev/null
+++ b/files/examples/load_balancing.nft
@@ -0,0 +1,54 @@
+#!/usr/sbin/nft -f
+
+# This example file shows how to implement load balancing using the nftables
+# framework.
+# This script is meant to be loaded with `nft -f `
+# You require linux kernel >= 4.12 and nft >= 0.7
+# For up-to-date information please visit https://wiki.nftables.org
+
+flush ruleset
+
+table ip nat {
+   chain prerouting {
+   type nat hook prerouting priority -300;
+   # round-robing load balancing between the 2 IPv4 addresses:
+   dnat to numgen inc mod 2 map {
+   0 : 192.168.10.100, \
+   1 : 192.168.20.200 }
+   # emulate flow distribution with different backend weights 
using intervals:
+   dnat to numgen inc mod 10 map {
+   0-5 : 192.168.10.100, \
+   6-9 : 192.168.20.200 }
+   # tcp port based distribution is also possible:
+   ip protocol tcp dnat to 192.168.1.100 : numgen inc mod 2 map {
+   0 : 4040 ,\
+   1 : 4050 }
+   # consistent hash-based distribution:
+   dnat to jhash ip saddr . tcp dport mod 2 map {
+   0 : 192.168.20.100, \
+   1 : 192.168.30.100 }
+   }
+}
+
+table ip raw {
+   chain prerouting {
+   type filter hook prerouting priority -300;
+   # using stateless NAT, round-robing distribution (you could use 
hashing too):
+   tcp dport 80 notrack ip daddr set numgen inc mod 2 map { 0 : 
192.168.1.100, 1 : 192.168.1.101 }
+   }
+}
+
+table netdev mytable {
+   chain ingress {
+   # mind the NIC devices, they must exist in the system
+   type filter hook ingress device eth0 priority 0;
+   # using Direct Server Return (DSR), connectionless approach:
+   udp dport 53 ether saddr set aa:bb:cc:dd:ff:ee ether daddr set 
numgen inc mod 2 map {
+   0 : aa:aa:aa:aa:aa:aa,
+   1 : bb:bb:bb:bb:bb:bb } fwd to eth1
+   # using Direct Server Return (DSR), connection-oriented flows:
+tcp dport 80 ether saddr set aa:bb:cc:dd:ff:ee ether daddr set 
jhash ip saddr . tcp sport mod 2 map {
+   0 : aa:aa:aa:aa:aa:aa,
+   1 : bb:bb:bb:bb:bb:bb } fwd to eth1
+   }
+}
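Review bot: the four `dnat to ...` rules in `table ip nat` / `chain prerouting` all match every packet, and dnat is a terminating statement, so only the first one (`numgen inc mod 2`) ever takes effect and the interval, port-based and jhash variants below it are never reached; either state in a comment that they are mutually exclusive alternatives to be used one at a time, or give each its own distinguishing match. Also `round-robing` in two comments should read `round-robin`.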



[nft PATCH v2 1/3] nftables: rearrange files and examples

2018-02-24 Thread Arturo Borrero Gonzalez
Concatenate all family/hook examples into a single one by means of includes.

Put all example files under examples/. Use the '.nft' prefix and mark
them as executable files. Use a static shebang declaration, since these
are examples meant for final systems and users.

While at it, refresh also the sets_and_maps.nft example file and also
add the 'netdev-ingress.nft' example file.

Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org>
---
v2: address comments by Florian & Pablo. Fix some typos

 Makefile.am   |6 ++--
 configure.ac  |2 -
 files/Makefile.am |1 -
 files/examples/arp-filter.nft |6 
 files/examples/bridge-filter.nft  |7 
 files/examples/families_and_hooks.nft |   32 
 files/examples/inet-filter.nft|7 
 files/examples/ipv4-filter.nft|7 
 files/examples/ipv4-mangle.nft|5 +++
 files/examples/ipv4-nat.nft   |8 +
 files/examples/ipv4-raw.nft   |6 
 files/examples/ipv6-filter.nft|7 
 files/examples/ipv6-mangle.nft|5 +++
 files/examples/ipv6-nat.nft   |8 +
 files/examples/ipv6-raw.nft   |6 
 files/examples/netdev-ingress.nft |7 
 files/examples/sets_and_maps  |   53 
 files/examples/sets_and_maps.nft  |   54 +
 files/nftables/Makefile.am|   16 --
 files/nftables/arp-filter |6 
 files/nftables/bridge-filter  |7 
 files/nftables/inet-filter|7 
 files/nftables/ipv4-filter|7 
 files/nftables/ipv4-mangle|5 ---
 files/nftables/ipv4-nat   |8 -
 files/nftables/ipv4-raw   |6 
 files/nftables/ipv6-filter|7 
 files/nftables/ipv6-mangle|5 ---
 files/nftables/ipv6-nat   |8 -
 files/nftables/ipv6-raw   |6 
 30 files changed, 168 insertions(+), 147 deletions(-)
 delete mode 100644 files/Makefile.am
 create mode 100755 files/examples/arp-filter.nft
 create mode 100755 files/examples/bridge-filter.nft
 create mode 100755 files/examples/families_and_hooks.nft
 create mode 100755 files/examples/inet-filter.nft
 create mode 100755 files/examples/ipv4-filter.nft
 create mode 100755 files/examples/ipv4-mangle.nft
 create mode 100755 files/examples/ipv4-nat.nft
 create mode 100755 files/examples/ipv4-raw.nft
 create mode 100755 files/examples/ipv6-filter.nft
 create mode 100755 files/examples/ipv6-mangle.nft
 create mode 100755 files/examples/ipv6-nat.nft
 create mode 100755 files/examples/ipv6-raw.nft
 create mode 100755 files/examples/netdev-ingress.nft
 delete mode 100755 files/examples/sets_and_maps
 create mode 100755 files/examples/sets_and_maps.nft
 delete mode 100644 files/nftables/Makefile.am
 delete mode 100644 files/nftables/arp-filter
 delete mode 100644 files/nftables/bridge-filter
 delete mode 100644 files/nftables/inet-filter
 delete mode 100644 files/nftables/ipv4-filter
 delete mode 100644 files/nftables/ipv4-mangle
 delete mode 100644 files/nftables/ipv4-nat
 delete mode 100644 files/nftables/ipv4-raw
 delete mode 100644 files/nftables/ipv6-filter
 delete mode 100644 files/nftables/ipv6-mangle
 delete mode 100644 files/nftables/ipv6-nat
 delete mode 100644 files/nftables/ipv6-raw

diff --git a/Makefile.am b/Makefile.am
index 10aa40f..5ef61be 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2,7 +2,7 @@ ACLOCAL_AMFLAGS = -I m4
 
 SUBDIRS =  src \
include \
-   doc \
-   files
+   doc
 
-EXTRA_DIST =   tests
+EXTRA_DIST =   tests   \
+   files
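Review bot: moving `files` from SUBDIRS to EXTRA_DIST (together with deleting files/Makefile.am and files/nftables/Makefile.am later in this patch) means the examples are still shipped in the tarball but are no longer installed by `make install`; the commit message should say explicitly that dropping installation is intended, so packagers who picked the files up from the old install location know what changed.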
diff --git a/configure.ac b/configure.ac
index 1a38653..408a6bc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -140,8 +140,6 @@ AC_CONFIG_FILES([   \
include/linux/netfilter_ipv4/Makefile   \
include/linux/netfilter_ipv6/Makefile   \
doc/Makefile\
-   files/Makefile  \
-   files/nftables/Makefile \
])
 AC_OUTPUT
 
diff --git a/files/Makefile.am b/files/Makefile.am
deleted file mode 100644
index a8394c0..000
--- a/files/Makefile.am
+++ /dev/null
@@ -1 +0,0 @@
-SUBDIRS = nftables
diff --git a/files/examples/arp-filter.nft b/files/examples/arp-filter.nft
new file mode 100755
index 000..13166bd
--- /dev/null
+++ b/files/examples/arp-filter.nft
@@ -0,0 +1,6 @@
+#!/usr/sbin/nft -f
+
+table arp filter {
+   chain input { type filter hook input priority 0; }
+   chain output{ type filter hook output priority 0; }
+}
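Review bot: style nit: `chain output{` is missing the space before the brace that `chain input {` has on the line above.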
diff --git a/files/examples/bridge-filter.nft b/files/examples/bridge-filter.nf

[nft PATCH v2 2/3] examples: add ct helper examples

2018-02-24 Thread Arturo Borrero Gonzalez
Include some examples in the nftables tarball on using the ct helper
infrastructure, inspired by wiki.nftables.org.

Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org>
---
v2: fix some typos

 files/examples/ct_helpers.nft |   43 +
 1 file changed, 43 insertions(+)
 create mode 100755 files/examples/ct_helpers.nft

diff --git a/files/examples/ct_helpers.nft b/files/examples/ct_helpers.nft
new file mode 100755
index 000..fecdea6
--- /dev/null
+++ b/files/examples/ct_helpers.nft
@@ -0,0 +1,43 @@
+#!/usr/sin/nft -f
+
+# This example file shows how to use ct helpers in the nftables framework.
+# Note that nftables includes interesting improvements compared to how this
+# was done with iptables, such as loading multiple helpers with a single rule
+# This script is meant to be loaded with `nft -f `
+# You require linux kernel >= 4.12 and nft >= 0.8
+# For up-to-date information please visit https://wiki.nftables.org
+
+# Using ct helpers is an important security feature when doing stateful
+# firewalling, since it mitigate certain networking attacks.
+# More info at: https://home.regit.org/netfilter-en/secure-use-of-helpers/
+
+
+flush ruleset
+table inet filter {
+   # declare helpers of this table
+   ct helper ftp-standard {
+   type "ftp" protocol tcp;
+   l3proto inet
+   }
+   ct helper sip-5060 {
+   type "sip" protocol udp;
+   l3proto inet
+   }
+   ct helper tftp-69 {
+   type "tftp" protocol udp
+   l3proto inet
+   }
+
+   chain input {
+   type filter hook input priority 0; policy drop;
+   ct state established,related accept
+
+   # assign a single helper in a single rule
+   tcp dport 21 ct helper set "ftp-standard"
+
+   # assign multiple helpers in a single rule
+   ct helper set udp dport map {
+   69 : "tftp-69", \
+   5060 : "sip-5060" }
+   }
+}
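Review bot: with `policy drop` and no accept for the new connection, the two helper-assignment rules have no effect: `ct helper set` is not a verdict, so the first packet of an FTP, TFTP or SIP flow falls through to the chain policy and is dropped, and the unconfirmed conntrack entry that just received the helper is discarded with it; append `accept` to those rules (e.g. `tcp dport 21 ct helper set "ftp-standard" accept`) or add an explicit accept for those ports right after them. Also the shebang reads `#!/usr/sin/nft -f` (missing the `b` of sbin), `type "tftp" protocol udp` lacks the `;` the other two helper definitions use, and `it mitigate` should read `it mitigates`.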



[NFT PATCH 3/3] files: add load balance example

2018-02-24 Thread Arturo Borrero Gonzalez
Include this example file in the tarball on how to do load balancing with
nftables, inspired by https://wiki.nftables.org

Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org>
---
 files/examples/load_balancing.nft |   54 +
 1 file changed, 54 insertions(+)
 create mode 100755 files/examples/load_balancing.nft

diff --git a/files/examples/load_balancing.nft 
b/files/examples/load_balancing.nft
new file mode 100755
index 000..128a443
--- /dev/null
+++ b/files/examples/load_balancing.nft
@@ -0,0 +1,54 @@
+#!/usr/sbin/nft -f
+
+# This example file shows how to implement load balancing using the nftables
+# framework.
+# This script is mean to be loaded with `nft -f `
+# You require linux kernel >= 4.12 and nft >= 0.7
+# For up-to-date information please visit https://wiki.nftables.org
+
+flush ruleset
+
+table ip nat {
+   chain prerouting {
+   type nat hook prerouting priority -300;
+   # round-robing load balancing between the 2 IPv4 addresses:
+   dnat to numgen inc mod 2 map {
+   0 : 192.168.10.100, \
+   1 : 192.168.20.200 }
+   # emulate flow distribution with different backend weights 
using intervals:
+   dnat to numgen inc mod 10 map {
+   0-5 : 192.168.10.100, \
+   6-9 : 192.168.20.200 }
+   # tcp port based distribution is also possible:
+   ip protocol tcp dnat to 192.168.1.100 : numgen inc mod 2 map {
+   0 : 4040 ,\
+   1 : 4050 }
+   # consistent hash-based distribution:
+   dnat to jhash ip saddr . tcp dport mod 2 map {
+   0 : 192.168.20.100, \
+   1 : 192.168.30.100 }
+   }
+}
+
+table ip raw {
+   chain prerouting {
+   type filter hook prerouting priority -300;
+   # using stateless NAT, round-robing distribution (you could use 
hashing too):
+   tcp dport 80 notrack ip daddr set numgen inc mod 2 map { 0 : 
192.168.1.100, 1 : 192.168.1.101 }
+   }
+}
+
+table netdev mytable {
+   chain ingress {
+   # mind the NIC devices, they should exist
+   type filter hook ingress device eth0 priority 0;
+   # using Direct Server Return (DSR), connectionless approach:
+   udp dport 53 ether saddr set aa:bb:cc:dd:ff:ee ether daddr set 
numgen inc mod 2 map {
+   0 : aa:aa:aa:aa:aa:aa,
+   1 : bb:bb:bb:bb:bb:bb } fwd to eth1
+   # using Direct Server Return (DSR), connection-oriented flows:
+tcp dport 80 ether saddr set aa:bb:cc:dd:ff:ee ether daddr set 
jhash ip saddr . tcp sport mod 2 map {
+   0 : aa:aa:aa:aa:aa:aa,
+   1 : bb:bb:bb:bb:bb:bb } fwd to eth1
+   }
+}
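Review bot: since dnat terminates rule evaluation, the first `dnat to numgen inc mod 2 map {...}` in the nat prerouting chain catches every packet and the three dnat rules after it are dead code; mark them as alternatives in the comments or give each a distinct match. Typos in the comments: `mean to be loaded` should read `meant to be loaded`, and `round-robing` (twice) should read `round-robin`.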



[NFT PATCH 2/3] examples: add ct helper examples

2018-02-24 Thread Arturo Borrero Gonzalez
Include some examples in the nftables tarball on using the ct helper
infrastructure, inspired by wiki.nftables.org.

Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org>
---
 files/examples/ct_helpers.nft |   43 +
 1 file changed, 43 insertions(+)
 create mode 100755 files/examples/ct_helpers.nft

diff --git a/files/examples/ct_helpers.nft b/files/examples/ct_helpers.nft
new file mode 100755
index 000..e01bfad
--- /dev/null
+++ b/files/examples/ct_helpers.nft
@@ -0,0 +1,43 @@
+#!/usr/sin/nft -f
+
+# This example file shows how to use ct helpers in the nftables framework.
+# Note that nftables includes interesting improvements compared to how this
+# was done with iptables, such as loading multiple helpers with a single rule
+# This script is mean to be loaded with `nft -f `
+# You require linux kernel >= 4.12 and nft >= 0.8
+# For up-to-date information please visit https://wiki.nftables.org
+
+# Using ct helpers is an important security feature when doing stateful
+# firewalling, since it mitigate certain networking attacks.
+# More info at: https://home.regit.org/netfilter-en/secure-use-of-helpers/
+
+
+flush ruleset
+table inet filter {
+   # declare helpers of this table
+   ct helper ftp-standard {
+   type "ftp" protocol tcp;
+   l3proto inet
+   }
+   ct helper sip-5060 {
+   type "sip" protocol udp;
+   l3proto inet
+   }
+   ct helper tftp-69 {
+   type "tftp" protocol udp
+   l3proto inet
+   }
+
+   chain input {
+   type filter hook input priority 0; policy drop;
+   ct state established,related accept
+
+   # assign a single helper in a single rule
+   tcp dport 21 ct helper set "ftp-standard"
+
+   # assign multiple helpers in a single rule
+   ct helper set udp dport map {
+   69 : "tftp-69", \
+   5060 : "sip-5060" }
+   }
+}
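Review bot: the helper-assignment rules are followed by nothing that accepts the new connection, and the chain has `policy drop`; because `ct helper set` does not terminate the rule, the first packet of the flow is dropped by the policy and the helper assignment is lost with the unconfirmed conntrack entry. Add `accept` to the two helper rules or an accept for ports 21, 69 and 5060 after them. Also fix the shebang (`/usr/sin/` should be `/usr/sbin/`), `mean to be loaded` (`meant`), `it mitigate` (`mitigates`), and the missing `;` after `type "tftp" protocol udp`.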



Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-19 Thread Arturo Borrero Gonzalez
On 19 February 2018 at 16:36, David Miller  wrote:
>
> In my opinion, any resistence to integration with eBPF and XDP will
> lead to even less adoption of netfilter as a technology.
>
> Therefore my plan is to move everything to be integrated around these
> important core technologies.  For the purposes of integration, code
> coverage, performance, and the ability to juxtapose different bits of
> eBPF code into larger optimized code streams that can also be
> offloaded into hardware.

Thanks for sharing your plans. I'll share mine.

Debian already recommends using nftables rather than iptables.
Probably in the next release cycle we (Debian) will give even more
prominence to nftables by linking iptables to iptables-compat, as an
opt-in for users, so we don't break systems.
By the next-next release cycle (4+ years or so?) we will probably have
enough confidence with compat/translation tools that Debian could
fully wipe the old iptables binary to use just the nftables framework.
Same for ip6tables, arptables, ebtables.

Does this sound reasonable to you?

Yes, probably major datacenters (google? facebook? amazon?) don't even
care about what Debian is doing, since they are crafting their own
distro anyway.
But there are *a lot* of other people that do care about these migration plans.


Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-19 Thread Arturo Borrero Gonzalez
On 19 February 2018 at 16:27, David Miller  wrote:
> From: Florian Westphal 
> Date: Mon, 19 Feb 2018 16:15:55 +0100
>
>> Would you be willing to merge nftables into kernel tools directory
>> then?
>
> Did you miss the part where I explained that people explicitly disable
> NFTABLES in their kernel configs in most if not all large datacenters?


hey, you already shared several statements regarding nftables which
are not true.

Lots and lots of people are using distribution kernels, which have the
NF_TABLES config option enabled (all major distros have it).
I believe people who build their own kernels are very few compared with
the number of people who don't (but yeah, they usually have more money).
This may sound like a joke, but there are *a lot* of people running
production servers with bluetooth drivers enabled in the kconfig.

So, I can confirm that:
Lots of people and institutions are using nftables already.
Lots of people and institutions are considering transitioning to
nftables from iptables.
Lots of people are running simple commodity hardware and know nothing
about smartnics or any kind of offloading.


Re: [PATCH RFC 0/4] net: add bpfilter

2018-02-19 Thread Arturo Borrero Gonzalez
On 19 February 2018 at 16:36, David Miller  wrote:
>
> I think netfilter is at a real crossroads right now.
>

I don't think so. The Netfilter Project and the Netfilter Community
already "agreed" on nftables and we are working on it.
But this isn't a secret, right? We have been open-discussing and
open-working on this for *years* now.


Re: question about UNDEFINE/REDEFINE

2018-01-26 Thread Arturo Borrero Gonzalez
On 23 January 2018 at 04:40, David Fabian  wrote:
> Hello Pablo,
>
> Dne úterý 23. ledna 2018 12:07:28 CET, Pablo Neira Ayuso napsal(a):
>> I'm asking here because I would need to understand better how you've
>> structured your scripts, if you could explain a bit more, we would
>> appreciate.
>
> I have packed an excerpt of a playground FW with two VLANs 3 and 54. The
> configuration already uses my redefine keyword.
>
> ftp://ftp.bosson.eu/pub/tmp/nftables_excerpt.tar.gz
>
> The intended use case is to call nft -f fw-on and reload the firewall from
> scratch every time there is a config change. I don't know how a cmdline
> parameter would help us with it. Maybe if we would wrap nft calls with bash
> scripts but that would defeat the purpose of using the nft scripting
> capabilities in the first place.
>
> The most important for us is to have the FW logically structured for every
> customer and every FW rule related to a customer should be in his/her VLAN
> config file.
>

Your approach (redefining variables) doesn't save so much typing at
the end of the day.

My suggestion is to simply create one variable per value:

define INET_IFACES_VLAN43 = { bond0.x, bond3.y }
define INET_IFACES_VLAN3 = { bond3.x, bond3.y }
define XXX_VLAN43 = xxx
define XXX_VLAN3 = xxx

you could generate such a file, something like 'defines.nft', and
include it once in your main ruleset file.

If you will perform many updates to this file, you could even maintain
this in git to keep track of changes.
Example:
https://wiki.nftables.org/wiki-nftables/index.php/Classic_perimetral_firewall_example

Another option is to create some kind of shell wrapper to replace
variable names before running nft -f (something like make .in files),
but that's even uglier? I don't know.


Re: [PATCH nf-next] netfilter: remove messages print and boot/module load time

2018-01-19 Thread Arturo Borrero Gonzalez
On 19 January 2018 at 13:47, Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> Several reasons for this:
>
> * Several modules maintain internal version numbers, that they print at
>   boot/module load time, that are not exposed to userspace, as a
>   primitive mechanism to make revision number control from the earlier
>   days of Netfilter.
>
> * IPset shows the protocol version at boot/module load time, instead
>   display this via module description, as Jozsef suggested.
>
> * Remove copyright notice at boot/module load time in two spots, the
>   Netfilter codebase is a collective development effort, if we would
>   have to display copyrights for each contributor at boot/module load
>   time for each extensions we have, we would probably fill up logs with
>   lots of useless information - from a technical standpoint.
>
> So let's be consistent and remove them all.
>
> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>

Acked-by: Arturo Borrero Gonzalez <art...@netfilter.org>


[nft PATCH] doc/nft.xml: mention nftables earlier

2018-01-19 Thread Arturo Borrero Gonzalez
Mention nftables earlier in the documentation, so users have more context on
what we are talking about.

This is Debian bug #887718, which contains:

<<<
Currently one must read down 100 lines before it is even mentioned.
You might want to make the connection between "nft" and "nftables" as
early as the NAME or DESCRIPTION.
>>>

Requested-by: Dan Jacobson <jida...@jidanni.org>
Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org>
---
 doc/nft.xml |7 ---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/doc/nft.xml b/doc/nft.xml
index e515b11..9e979af 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -38,7 +38,7 @@ vi:ts=4 sw=4

nft

-   Administration tool for packet filtering and 
classification
+   Administration tool of the nftables framework for 
packet filtering and classification


 
@@ -73,8 +73,9 @@ vi:ts=4 sw=4

Description

-   nft is used to set up, maintain and inspect packet
-   filtering and classification rules in the Linux kernel.
+   nft is the command line tool used to set up, maintain 
and inspect packet
+   filtering and classification rules in the Linux kernel, 
in the nftables framework.
+   The Linux kernel subsystem is known as nf_tables, and 
'nf' stands for Netfilter.


 
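Review bot: style point on the DESCRIPTION hunk: "rules in the Linux kernel, in the nftables framework" stacks two prepositional phrases; "rules in the Linux kernel's nftables framework" reads more smoothly and keeps the early mention of nftables that the bug asked for.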



Re: [PATCH nf-next] netfilter: meta: secpath support

2017-12-01 Thread Arturo Borrero Gonzalez
On 1 December 2017 at 13:40, Florian Westphal  wrote:
> replacement for iptables "-m policy --dir in --policy {ipsec,none}".
>
> Signed-off-by: Florian Westphal 
> ---
>  include/uapi/linux/netfilter/nf_tables.h |  2 ++
>  net/netfilter/nft_meta.c | 39 
> 
>  2 files changed, 41 insertions(+)
>
> diff --git a/include/uapi/linux/netfilter/nf_tables.h 
> b/include/uapi/linux/netfilter/nf_tables.h
> index a3ee277b17a1..2efbf9744c2a 100644
> --- a/include/uapi/linux/netfilter/nf_tables.h
> +++ b/include/uapi/linux/netfilter/nf_tables.h
> @@ -777,6 +777,7 @@ enum nft_exthdr_attributes {
>   * @NFT_META_OIFGROUP: packet output interface group
>   * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
>   * @NFT_META_PRANDOM: a 32bit pseudo-random number
> + * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
>   */
>  enum nft_meta_keys {
> NFT_META_LEN,
> @@ -804,6 +805,7 @@ enum nft_meta_keys {
> NFT_META_OIFGROUP,
> NFT_META_CGROUP,
> NFT_META_PRANDOM,
> +   NFT_META_SECPATH,
>  };
>
>  /**
> diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
> index 5a60eb23a7ed..63a013ad4077 100644
> --- a/net/netfilter/nft_meta.c
> +++ b/net/netfilter/nft_meta.c
> @@ -210,6 +210,11 @@ void nft_meta_get_eval(const struct nft_expr *expr,
> *dest = prandom_u32_state(state);
> break;
> }
> +#ifdef CONFIG_XFRM
> +   case NFT_META_SECPATH:
> +   nft_reg_store8(dest, !!skb->sp);
> +   break;
> +#endif
> default:
> WARN_ON(1);
> goto err;
> @@ -308,6 +313,11 @@ int nft_meta_get_init(const struct nft_ctx *ctx,
> prandom_init_once(_prandom_state);
> len = sizeof(u32);
> break;
> +#ifdef CONFIG_XFRM
> +   case NFT_META_SECPATH:
> +   len = sizeof(u8);
> +   break;
> +#endif
> default:
> return -EOPNOTSUPP;
> }
> @@ -318,6 +328,34 @@ int nft_meta_get_init(const struct nft_ctx *ctx,
>  }
>  EXPORT_SYMBOL_GPL(nft_meta_get_init);
>
> +int nft_meta_get_validate(const struct nft_ctx *ctx,
> + const struct nft_expr *expr,
> + const struct nft_data **data)
> +{
> +   const struct nft_meta *priv = nft_expr_priv(expr);
> +   unsigned int hooks;
> +
> +   if (priv->key != NFT_META_SECPATH)
> +   return 0;
> +

Would it be worth adding here something like this?

#ifndef CONFIG_XFRM
return -EOPNOTSUPP;
#endif

I mean, if CONFIG_XFRM is not defined, then _get_eval() is doing nothing, right?

> +   switch (ctx->afi->family) {
> +   case NFPROTO_NETDEV:
> +   hooks = 1 << NF_NETDEV_INGRESS;
> +   break;
> +   case NFPROTO_IPV4:
> +   case NFPROTO_IPV6:
> +   case NFPROTO_INET:
> +   hooks = (1 << NF_INET_PRE_ROUTING) |
> +   (1 << NF_INET_LOCAL_IN) |
> +   (1 << NF_INET_FORWARD);
> +   break;
> +   default:
> +   return -EOPNOTSUPP;
> +   }
> +
> +   return nft_chain_validate_hooks(ctx->chain, hooks);
> +}
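Review bot: an `#ifndef CONFIG_XFRM` early return in nft_meta_get_validate would be redundant: the nft_meta_get_init hunk above only accepts NFT_META_SECPATH inside `#ifdef CONFIG_XFRM` and falls into the `default: return -EOPNOTSUPP;` branch otherwise, so without XFRM the expression is already rejected at init and never reaches validate or eval. The quoted hunks also do not show nft_meta_get_validate being declared in a header or attached to an ops `.validate` callback; if that part was trimmed from the quote it is worth keeping it, since the hook restriction below only takes effect once it is wired up.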


Re: [PATCH nft] src: deprecate "flow table" syntax, replace it by "meter"

2017-11-24 Thread Arturo Borrero Gonzalez
On 23 November 2017 at 15:23, Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> According to bugzilla 1137: "flow tables" should not be syntactically
> unique.
>
> "Flow tables are always named, but they don't conform to the way sets,
> maps, and dictionaries work in terms of "add" and "delete" and all that.
>
> They are also "flow tables" instead of one word like "flows" or
> "throttle" or something.
>
> It seems weird to just have these break the syntactic expectations."
>
> Personally, I never liked the reference to "table" since we have very
> specific semantics in terms of what a "table" is netfilter for long
> time.
>
> This patch promotes "meter" as the new keyword. The former syntax is
> still accepted for a while, just to reduce chances of breaking things.
> At some point the former syntax will just be removed.
>
> Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1137
> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
>

I agree.

What about adding a warning in case of using the old syntax?
Something like:

WARNING: this syntax is deprecated and will be deleted in the future,
use 'meter' instead.

Acked-by: Arturo Borrero Gonzalez <art...@netfilter.org>

> diff --git a/src/evaluate.c b/src/evaluate.c
> index fd61e7530d2e..3d4824ff80d6 100644
> --- a/src/evaluate.c
> +++ b/src/evaluate.c
> @@ -2021,37 +2021,37 @@ static int stmt_evaluate_payload(struct eval_ctx 
> *ctx, struct stmt *stmt)
> return expr_evaluate(ctx, >payload.val);
>  }
>
> -static int stmt_evaluate_flow(struct eval_ctx *ctx, struct stmt *stmt)
> +static int stmt_evaluate_meter(struct eval_ctx *ctx, struct stmt *stmt)
>  {
> struct expr *key, *set, *setref;
>
> expr_set_context(>ectx, NULL, 0);
> -   if (expr_evaluate(ctx, >flow.key) < 0)
> +   if (expr_evaluate(ctx, >meter.key) < 0)
> return -1;
> -   if (expr_is_constant(stmt->flow.key))
> -   return expr_error(ctx->msgs, stmt->flow.key,
> +   if (expr_is_constant(stmt->meter.key))
> +   return expr_error(ctx->msgs, stmt->meter.key,
>   "Flow key expression can not be constant");

^
line below contains flow instead of meter

> -   if (stmt->flow.key->comment)
> -   return expr_error(ctx->msgs, stmt->flow.key,
> +   if (stmt->meter.key->comment)
> +   return expr_error(ctx->msgs, stmt->meter.key,
>   "Flow key expression can not contain 
> comments");

^
same here


Re: nftables: lockout with 0008split_tables_0 test

2017-11-21 Thread Arturo Borrero Gonzalez
On 21 November 2017 at 19:39, Arturo Borrero Gonzalez
<art...@netfilter.org> wrote:
> On 21 November 2017 at 18:09, Florian Westphal <f...@strlen.de> wrote:
>>
>> Yes, thats expected.
>> First ssh base chain gets invoked, which accepts any packet
>> either by verdict or policy.
>>
>> Then next base chain gets consulted which drops the packet.
>>
>> I would suggest to either swap the policies or duplicate the ssh
>> rule into the input chain too.
>
> This is something which is actually confusing our users.
> I just took the time to extend a bit the documentation:
>
> https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains
>
> Of course, feel free to edit the docs :-)

Unrelated, but I would like to mention another thing that lacks
documentation: the interaction of packet flows between families/hooks

* Does a packet traversing a chain in the ip family traverse again
chains in the inet family? Same the other way around
* Does a packet accepted in the netdev/ingress family/hook get
evaluated again in ip/ip6/inet families/hooks?


Re: nftables: lockout with 0008split_tables_0 test

2017-11-21 Thread Arturo Borrero Gonzalez
On 21 November 2017 at 18:09, Florian Westphal  wrote:
>
> Yes, thats expected.
> First ssh base chain gets invoked, which accepts any packet
> either by verdict or policy.
>
> Then next base chain gets consulted which drops the packet.
>
> I would suggest to either swap the policies or duplicate the ssh
> rule into the input chain too.

This is something which is actually confusing our users.
I just took the time to extend the documentation a bit:

https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains

Of course, feel free to edit the docs :-)
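The behaviour Florian describes, as an added example that is not part of the original thread or of nftables itself: a small Python model of how one netfilter hook walks every base chain registered on it. The rulesets and packets are constructed from his description of the 0008split_tables_0 lockout; the family filter in traverse_hook goes slightly beyond the thread and models that `ip` and `inet` chains on the same hook are all walked for an IPv4 packet.

```python
"""Model of how the netfilter core walks several nftables base chains that
sit on the same hook (e.g. two `input` chains in different tables).
Added example for this thread, not code from nftables; the rulesets below
are constructed to match Florian's description of the lockout."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

Packet = dict   # constructed packets: {"l3": "ip", "proto": "tcp", "dport": 22}

# Which chain families see a packet of a given L3 protocol: an `inet`
# chain is registered on both the IPv4 and IPv6 hooks, so it runs next
# to the `ip` (or `ip6`) chains of the same hook, ordered by priority.
FAMILIES_FOR_L3 = {"ip": {"ip", "inet"}, "ip6": {"ip6", "inet"}}


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    verdict: Optional[str]   # "accept", "drop", or None for a non-terminal statement


@dataclass
class BaseChain:
    name: str                # "table/chain"
    family: str              # "ip", "ip6" or "inet"
    priority: int
    policy: str              # chain policy, applied when no rule gives a verdict
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.match(pkt) and rule.verdict is not None:
                return rule.verdict
        return self.policy


def traverse_hook(chains: List[BaseChain], pkt: Packet) -> Tuple[str, List[Tuple[str, str]]]:
    """Walk every base chain registered on one hook, lowest priority first.
    `accept` only ends the current chain: the packet is still handed to the
    next chain, and a `drop` anywhere along the way is final. Chains with
    equal priority run in registration (list) order here; do not rely on
    any particular order for that case on a real system."""
    trace = []
    for chain in sorted(chains, key=lambda c: c.priority):
        if chain.family not in FAMILIES_FOR_L3[pkt["l3"]]:
            continue
        verdict = chain.evaluate(pkt)
        trace.append((chain.name, verdict))
        if verdict == "drop":
            return "drop", trace
    return "accept", trace


def is_ssh(pkt: Packet) -> bool:
    return pkt["proto"] == "tcp" and pkt["dport"] == 22


def lockout_ruleset() -> List[BaseChain]:
    """Constructed equivalent of the lockout:
      table inet ssh    { chain input { type filter hook input priority 0; policy accept; tcp dport 22 accept } }
      table inet filter { chain input { type filter hook input priority 0; policy drop; } }"""
    return [
        BaseChain("ssh/input", "inet", 0, "accept", [Rule(is_ssh, "accept")]),
        BaseChain("filter/input", "inet", 0, "drop"),
    ]


def swapped_policies_ruleset() -> List[BaseChain]:
    """Florian's first fix: the chain holding the ssh rule gets policy drop,
    the other chain policy accept."""
    return [
        BaseChain("ssh/input", "inet", 0, "drop", [Rule(is_ssh, "accept")]),
        BaseChain("filter/input", "inet", 0, "accept"),
    ]


def duplicated_rule_ruleset() -> List[BaseChain]:
    """Florian's second fix: repeat the ssh accept in the dropping chain too."""
    return [
        BaseChain("ssh/input", "inet", 0, "accept", [Rule(is_ssh, "accept")]),
        BaseChain("filter/input", "inet", 0, "drop", [Rule(is_ssh, "accept")]),
    ]


SSH = {"l3": "ip", "proto": "tcp", "dport": 22}    # constructed sample packets
HTTP = {"l3": "ip", "proto": "tcp", "dport": 80}

if __name__ == "__main__":
    for label, ruleset in (("lockout", lockout_ruleset()),
                           ("swapped policies", swapped_policies_ruleset()),
                           ("duplicated rule", duplicated_rule_ruleset())):
        for pkt in (SSH, HTTP):
            final, trace = traverse_hook(ruleset, pkt)
            print(f"{label:17} dport {pkt['dport']:>2}: {final:6} via {trace}")
```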


Re: conntracd init.d reload is broken on Centos6

2017-11-18 Thread Arturo Borrero Gonzalez
Please avoid top-posting.

On 17 November 2017 at 23:55, Jason Hendry  wrote:
> Turns out sending conntrackd a -HUP signal causes it to die. I can not
> find any documentation/reference on what signals conntrackd accepts,
> is there one to tell it to reload its config?  We are running
> conntrackd 0.9.14
>

That's a very old version of conntrackd (8+ years ago?). Please use a
newer version.

ATM conntrackd is unable to reload config. This is something I would
like to improve in the future.

> Can you also clarify the effect of restarting conntrackd, is it a safe
> operation to do? Will it cause any interruption to connections? Will
> it re-sync with the kernel state table? Will it re-sync with its peer?
>

Connections are in the kernel and those are not affected by a conntrackd restart.
Depending on your conntrackd config you may lose state updates which
are in the conntrackd cache but not in the kernel yet.
In newer versions of conntrackd there is a StartupResync option to
request a resync with the other node at startup.


[ulogd2 PATCH] ulogd2: new config behaviour: load all plugins by default

2017-10-02 Thread Arturo Borrero Gonzalez
This new configuration behaviour option eases a bit the configuration of ulogd2
by allowing all plugins to be loaded in one go, without having to know their full
path.

Choosing concrete plugins and using the full path for them is great for some
environments, but I don't think it's a common case. The common case is to
load all plugins, even ignoring where they live in the filesystem.

Even worse, the full path may be architecture-dependent, which makes copying
the ulogd.conf file between machines unnecessarily complex.

To experiment with this new behaviour, don't put any 'plugin=' directive in the
config file. Plugins will be loaded from a default directory, chosen at
build/configure time (--with-ulogd2libdir). If not specified, this is something
like '/usr/local/lib/ulogd/'.

This new configuration option doesn't implement any special logic. We simply
open the dir and try to load all files ending with '.so'.

The log message level for plugin loading is increased so users can see by
default which plugins are loaded.

Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org>
---
 configure.ac  |   30 +++---
 src/ulogd.c   |   40 +++-
 ulogd.conf.in |   33 +
 3 files changed, 83 insertions(+), 20 deletions(-)

diff --git a/configure.ac b/configure.ac
index e661981..b3441e4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -36,9 +36,6 @@ dnl Checks for library functions.
 AC_FUNC_VPRINTF
 AC_CHECK_FUNCS(socket strerror)
 
-regular_CFLAGS="-Wall -Wextra -Wno-unused-parameter"
-AC_SUBST([regular_CFLAGS])
-
 AC_SEARCH_LIBS([pthread_create], [pthread], [libpthread_LIBS="$LIBS"; LIBS=""])
 AC_SUBST([libpthread_LIBS])
 
@@ -153,6 +150,16 @@ else
enable_jansson="no"
 fi
 
+AC_ARG_WITH([ulogd2libdir],
+   AS_HELP_STRING([--with-ulogd2libdir=PATH],
+[Default directory to load ulogd2 plugin from [[LIBDIR/ulogd]]]),
+[ulogd2libdir="$withval"],
+[ulogd2libdir="${libdir}/ulogd"])
+AC_SUBST([ulogd2libdir])
+
+regular_CFLAGS="-Wall -Wextra -Wno-unused-parameter 
-DULOGD2_LIBDIR=\\\"\${ulogd2libdir}\\\"";
+AC_SUBST([regular_CFLAGS])
+
 dnl AC_SUBST(DATABASE_DIR)
 dnl AC_SUBST(DATABASE_LIB)
 dnl AC_SUBST(DATABASE_LIB_DIR)
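Review bot: the --with-ulogd2libdir value is used unchecked, so `--with-ulogd2libdir` given without a path sets ulogd2libdir to the literal "yes" and `--without-ulogd2libdir` sets it to "no"; test "$withval" for yes/no and fail with AC_MSG_ERROR before the AC_SUBST. The value is also spliced unescaped into -DULOGD2_LIBDIR=\"...\", so a directory containing a double quote or whitespace breaks every compile line; at least check that the value is a plain absolute path at configure time, since the alternative is an opendir() failure at daemon start.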
@@ -176,8 +183,25 @@ AC_CONFIG_FILES(include/Makefile include/ulogd/Makefile 
include/libipulog/Makefi
  src/Makefile Makefile Rules.make)
 AC_OUTPUT
 
+define([EXPAND_VARIABLE],
+[$2=[$]$1
+if test $prefix = 'NONE'; then
+prefix="/usr/local"
+fi
+while true; do
+  case "[$]$2" in
+*\[$]* ) eval "$2=[$]$2" ;;
+*) break ;;
+  esac
+done
+eval "$2=[$]$2"
+])dnl EXPAND_VARIABLE
+
+EXPAND_VARIABLE(ulogd2libdir, e_ulogd2libdir)
+
 echo "
 Ulogd configuration:
+  Default plugins directory:   ${e_ulogd2libdir}
   Input plugins:
 NFLOG plugin:  ${enable_nflog}
 NFCT plugin:   ${enable_nfct}
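Review bot: EXPAND_VARIABLE special-cases prefix=NONE but not exec_prefix, and the default ulogd2libdir is ${libdir}/ulogd, which normally expands through ${exec_prefix}; please check that the "Default plugins directory" line comes out fully expanded for a plain `./configure --prefix=/opt/ulogd` run and does not keep a literal ${exec_prefix}. The hard-coded "/usr/local" should be $ac_default_prefix, and since this is raw m4 define() placed after AC_OUTPUT, an AC_DEFUN above the summary block with a comment saying the expansion is only for display would be the usual spelling.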
diff --git a/src/ulogd.c b/src/ulogd.c
index 68f..b8bc57c 100644
--- a/src/ulogd.c
+++ b/src/ulogd.c
@@ -404,7 +404,7 @@ void ulogd_register_plugin(struct ulogd_plugin *me)
  me->name);
exit(EXIT_FAILURE);
}
-   ulogd_log(ULOGD_DEBUG, "registering plugin `%s'\n", me->name);
+   ulogd_log(ULOGD_NOTICE, "registering plugin `%s'\n", me->name);
llist_add(>list, _plugins);
} else {
get_plugin_infos(me);
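Review bot: raising "registering plugin" from ULOGD_DEBUG to ULOGD_NOTICE means the new default of loading every .so in the directory emits one notice per plugin on each start; ULOGD_INFO would keep it visible without promoting it to notice level, or load_all_plugins() could log a single summary line listing what it loaded.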
@@ -728,6 +728,41 @@ static int load_plugin(const char *file)
return 0;
 }
 
+static int load_all_plugins(void)
+{
+   DIR *d;
+   struct dirent *dent;
+   char path[PATH_MAX];
+
+   d = opendir(ULOGD2_LIBDIR);
+   if (d == NULL) {
+   ulogd_log(ULOGD_ERROR, "load_all_plugins: opendir(%s): %s\n",
+ ULOGD2_LIBDIR, strerror(errno));
+   return -1;
+   }
+
+   ulogd_log(ULOGD_NOTICE, "loading all plugins at %s\n", ULOGD2_LIBDIR);
+
+   while ((dent = readdir(d)) != NULL) {
+   if (strcmp(dent->d_name, ".") == 0 ||
+   strcmp(dent->d_name, "..") == 0)
+   continue;
+
+   int len = strlen(dent->d_name);
+   if (len < 3)
+   continue;
+
+   if (strcmp(>d_name[len - 3], ".so") != 0)
+   continue;
+
+   snprintf(path, sizeof(path), "%s/%s", ULOGD2_LIBDIR,
+dent->d_name);
+   if (load_plugin(path) != 0)
+   return -1;
+   }
+   return 0;
+}
+
 /* find an output key in a given stack, starting at 'start' */
 static struct ulogd_key *
 find_okey_in_stack(char *name,
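Review bot: the directory stream from opendir() is never closed: both the `return -1` inside the loop and the final `return 0` leave `d` (and its descriptor) open. Beyond that, matching only on a ".so" suffix loads anything dropped into the directory, including libraries that are not ulogd plugins, readdir() order is filesystem-dependent so plugin registration order will differ between hosts, nothing checks that the entry is a regular file before the path is handed to load_plugin(), and the snprintf() result is not checked for truncation. scandir(3) with a filter for "ulogd_*.so" and alphasort, a stat()/S_ISREG check, and closedir() on every exit path would address all of these; a failed load should probably also name the file before giving up.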
@@ -925,6 +960,9 @@ stat

Re: [ulogd2 PATCH] ulogd2: add new config option: load_all_plugins

2017-10-02 Thread Arturo Borrero Gonzalez
On 2 October 2017 at 12:44, Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> On Sat, Sep 30, 2017 at 12:43:36PM +0200, Arturo Borrero Gonzalez wrote:
>> On 30 September 2017 at 12:12, Pablo Neira Ayuso <pa...@netfilter.org> wrote:
>> > On Sat, Sep 30, 2017 at 11:48:11AM +0200, Arturo Borrero Gonzalez wrote:
>> >> On 30 September 2017 at 11:43, Arturo Borrero Gonzalez
>> >> <art...@netfilter.org> wrote:
>> >> >
> >> >> > Ok, but how could we avoid putting there a complex, arch-dependent path?
> >> >>
> >> >> i.e., in Debian this means a path like:
> >> >>
> >> >> /usr/lib/mips64el-linux-gnuabi64/ulogd/ulogd_filter_IFINDEX.so
> >> >>
> >> >> so the user should use /usr/lib/mips64el-linux-gnuabi64/ which is very ugly.
> >> >> If the config file is copied to a machine with a different arch, amd64
> >> >> for example, then the path should be modified to:
>> >>
>> >> /usr/lib/x86_64-linux-gnu/ulogd/
>> >>
>> >> Complex and ugly. We should avoid that. I think we should offer a
>> >> default at build/configure time.
>> >
>> > I think @pkglibdir@ in ulogd.conf.in will set this to the
>> > corresponding arch-dependent folder at configure/build time, right?
>>
> >> The point is not to have the ugly string in the config file.
> >> Transparent to the user. Simplify the config file.
>
> OK.
>
> What if we default to loading all plugins if user specifies no
> "plugin=" at all in the configuration file?
>
> No worries in terms of breaking backward compatibility, so far ulogd2
> just bails out if no plugin is available.
>
> That would simplify the configuration file as you're searching for.

Ok, will do that.


Re: [ulogd2 PATCH] ulogd2: add new config option: load_all_plugins

2017-09-30 Thread Arturo Borrero Gonzalez
On 30 September 2017 at 12:12, Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> On Sat, Sep 30, 2017 at 11:48:11AM +0200, Arturo Borrero Gonzalez wrote:
>> On 30 September 2017 at 11:43, Arturo Borrero Gonzalez
>> <art...@netfilter.org> wrote:
>> >
>> > Ok, but how could we avoid putting there a complex, arch-dependent path?
>>
>> i.e., in Debian this means a path like:
>>
>> /usr/lib/mips64el-linux-gnuabi64/ulogd/ulogd_filter_IFINDEX.so
>>
>> so the user should use /usr/lib/mips64el-linux-gnuabi64/ which is very ugly.
>> If the config file is copied to a machine with a different arch, amd64
>> for example, then the path should be modified to:
>>
>> /usr/lib/x86_64-linux-gnu/ulogd/
>>
>> Complex and ugly. We should avoid that. I think we should offer a
>> default at build/configure time.
>
> I think @pkglibdir@ in ulogd.conf.in will set this to the
> corresponding arch-dependent folder at configure/build time, right?

The point is not to have the ugly string in the config file.
Transparent to the user. Simplify the config file.


Re: [ulogd2 PATCH] ulogd2: add new config option: load_all_plugins

2017-09-30 Thread Arturo Borrero Gonzalez
On 30 September 2017 at 11:43, Arturo Borrero Gonzalez
<art...@netfilter.org> wrote:
>
> Ok, but how could we avoid putting there a complex, arch-dependent path?

i.e., in Debian this means a path like:

/usr/lib/mips64el-linux-gnuabi64/ulogd/ulogd_filter_IFINDEX.so

so the user should use /usr/lib/mips64el-linux-gnuabi64/ which is very ugly.
If the config file is copied to a machine with a different arch, amd64
for example, then the path should be modified to:

/usr/lib/x86_64-linux-gnu/ulogd/

Complex and ugly. We should avoid that. I think we should offer a
default at build/configure time.


Re: [ulogd2 PATCH] ulogd2: add new config option: load_all_plugins

2017-09-30 Thread Arturo Borrero Gonzalez
On 29 September 2017 at 13:39, Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> Hi Arturo,
>
> On Mon, Sep 25, 2017 at 01:19:27PM +0200, Arturo Borrero Gonzalez wrote:
>> diff --git a/ulogd.conf.in b/ulogd.conf.in
>> index a987d64..fe54420 100644
>> --- a/ulogd.conf.in
>> +++ b/ulogd.conf.in
>> @@ -24,6 +24,16 @@ logfile="/var/log/ulogd.log"
>>  # 2. options for each plugin in seperate section below
>>
>>
>> +# load all the plugins in one go. Then, there is no need to specify each
>> +# plugin individually. There are two ways of using this clause, by leaving 
>> it
>> +# blank (default) or by using a filesystem path. If blank a default 
>> directory
>> +# configured at build time will be used (--with-ulogd2libdir).
>> +#
>> +# Examples:
>> +#
>> +# load_all_plugins=
>> +# load_all_plugins=/usr/local/lib/ulogd/
>> +
>>  plugin="@pkglibdir@/ulogd_inppkt_NFLOG.so"
>>  #plugin="@pkglibdir@/ulogd_inppkt_ULOG.so"
>>  #plugin="@pkglibdir@/ulogd_inppkt_UNIXSOCK.so"
>
> Just an idea, probably better something like:
>
> plugin="@pkglibdir@/"
>
> I mean, if you specify a directory, then this means "include every
> ulogd_*.so file there", it's easy to check via stat() if this is path
> represents a directory, so you can skip string handling tricks.

Ok, but how could we avoid putting there a complex, arch-dependent path?
My first idea was to have the new config directive not accept any
path and have the default set at build/configure time.
For the sake of flexibility I added at the last moment the option for
the user to give a path and override the one set at build/configure
time.

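The plugin-directory scan discussed in this thread (the patch's load_all_plugins() loop, and the suggestion above to accept a directory and stat() it), as an added example in C that is not ulogd2's code: it takes only ulogd_*.so names, visits them in sorted order via scandir(3) so registration order does not depend on the filesystem, skips anything that is not a regular file, refuses over-long paths and frees the entries on every exit path. load_plugins_from() takes a loader callback in place of ulogd's load_plugin(); the callback, the scratch directory under /tmp and the file names used by the self-test are constructed for the example.

```c
/* Added example (not ulogd2 code): filtered, deterministic plugin scan. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* scandir() filter: accept only ulogd_*.so (something between prefix and
 * suffix), so an unrelated library in the directory is never dlopen()ed. */
static int plugin_filter(const struct dirent *d)
{
	size_t len = strlen(d->d_name);
	return len > 9 && strncmp(d->d_name, "ulogd_", 6) == 0 &&
	       strcmp(d->d_name + len - 3, ".so") == 0;
}

typedef int (*load_fn)(const char *path, void *ctx); /* like load_plugin() */

/* Load every plugin in dir in sorted, host-independent order. Returns the
 * number loaded, or -1 on an unreadable directory, a truncated path or a
 * loader failure. scandir() entries are freed on every exit path. */
static int load_plugins_from(const char *dir, load_fn load, void *ctx)
{
	struct dirent **ents;
	char path[PATH_MAX];
	struct stat st;
	int n, i, loaded = 0, ret = -1;
	n = scandir(dir, &ents, plugin_filter, alphasort);
	if (n < 0) {
		fprintf(stderr, "scandir(%s): %s\n", dir, strerror(errno));
		return -1;
	}
	for (i = 0; i < n; i++) {
		if (snprintf(path, sizeof(path), "%s/%s", dir,
			     ents[i]->d_name) >= (int)sizeof(path))
			goto out;	/* truncated path: do not guess */
		/* a directory or FIFO named like a plugin must not reach dlopen() */
		if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
			continue;
		if (load(path, ctx) != 0)
			goto out;
		loaded++;
	}
	ret = loaded;
out:
	while (n-- > 0)
		free(ents[n]);
	free(ents);
	return ret;
}

/* Self-test on a constructed scratch directory: two plugins, two decoys and
 * a plugin-named subdirectory. The callback records basenames in order. */
static int record_load(const char *path, void *ctx)
{
	const char *base = strrchr(path, '/');
	char *list = ctx;
	snprintf(list + strlen(list), 128 - strlen(list), "%s ",
		 base ? base + 1 : path);
	return 0;
}

#define NSAMPLE 4
static const char *sample_files[NSAMPLE] = { "ulogd_raw2packet_BASE.so",
	"ulogd_inppkt_NFLOG.so", "libfoo.so", "ulogd_output_LOGEMU.so.bak" };

/* Returns 0 when exactly the two plugins are loaded, in sorted order. */
static int selftest(void)
{
	char dir[] = "/tmp/ulogd-plugins-XXXXXX", path[PATH_MAX], list[128] = "";
	int i, fd, rc = 1;
	if (!mkdtemp(dir))
		return 1;
	for (i = 0; i < NSAMPLE; i++) {
		snprintf(path, sizeof(path), "%s/%s", dir, sample_files[i]);
		if ((fd = open(path, O_WRONLY | O_CREAT, 0644)) < 0)
			goto cleanup;
		close(fd);
	}
	snprintf(path, sizeof(path), "%s/ulogd_fake_DIR.so", dir);
	mkdir(path, 0755);
	if (load_plugins_from(dir, record_load, list) == 2 &&
	    !strcmp(list, "ulogd_inppkt_NFLOG.so ulogd_raw2packet_BASE.so "))
		rc = 0;
	rmdir(path);
cleanup:
	for (i = 0; i < NSAMPLE; i++) {
		snprintf(path, sizeof(path), "%s/%s", dir, sample_files[i]);
		unlink(path);
	}
	rmdir(dir);
	return rc;
}

int main(void) { return selftest(); }
```

The self-test exits 0 only when the two plugin-named regular files are loaded and nothing else, in name order. Wiring this into ulogd would mean passing load_plugin as the callback and ULOGD2_LIBDIR as the directory.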

[conntrack-tools PATCH] conntrack.8: refresh manpage

2017-09-26 Thread Arturo Borrero Gonzalez
Refresh the manpage, fixing typos, rearranging some sentences, introducing line
breaks at max. 80 columns, markup fixes, and so on.

Apart from some minor cosmetic fixes, no actual content is changed.

Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org>
---
 conntrack.8 |  167 ---
 1 file changed, 101 insertions(+), 66 deletions(-)

diff --git a/conntrack.8 b/conntrack.8
index e8e4480..e069dfe 100644
--- a/conntrack.8
+++ b/conntrack.8
@@ -1,4 +1,4 @@
-.TH CONNTRACK 8 "Aug 24, 2015" "" ""
+.TH CONNTRACK 8 "Sep 26, 2017" "" ""
 
 .\" Man page written by Harald Welte <lafo...@netfilter.org (Jun 2005)
 .\" Maintained by Pablo Neira Ayuso <pa...@netfilter.org (May 2007)
@@ -24,17 +24,20 @@ conntrack \- command line interface for netfilter 
connection tracking
 .br
 .BR "conntrack -S "
 .SH DESCRIPTION
-.B conntrack
-provides a full featured userspace interface to the netfilter connection 
tracking system that is intended to replace the old /proc/net/ip_conntrack 
interface. This tool can be used to search, list, inspect and maintain the 
connection tracking subsystem of the Linux kernel.
-Using 
-.B conntrack
-, you can dump a list of all (or a filtered selection of) currently tracked
-connections, delete connections from the state table, and even add new ones.
-.PP
+The \fBconntrack\fP utilty provides a full featured userspace interface to the
+Netfilter connection tracking system that is intended to replace the old
+/proc/net/ip_conntrack interface. This tool can be used to search, list,
+inspect and maintain the connection tracking subsystem of the Linux kernel.
+
+Using \fBconntrack\fP, you can dump a list of all (or a filtered selection of)
+currently tracked connections, delete connections from the state table, and
+even add new ones.
+
 In addition, you can also monitor connection tracking events, e.g. show an
 event message (one line) per newly established connection.
+
 .SH TABLES
-The connection tracking subsystem maintains two internal tables:
+The connection tracking subsystem maintains several internal tables:
 .TP
 .BR "conntrack" :
 This is the default table.  It contains a list of all currently tracked
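Review bot: the rewritten DESCRIPTION line introduces a typo, "utilty" for "utility", in the new text. Note also that "two internal tables" becoming "several internal tables" is a content correction (four tables are listed below it), so the commit message's "no actual content is changed" is not quite accurate; worth a line in the message.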
@@ -44,30 +47,31 @@ through the system.
 .TP
 .BR "expect" :
 This is the table of expectations.  Connection tracking expectations are the
-mechanism used to "expect" RELATED connections to existing ones.  Expectations
-are generally used by "connection tracking helpers" (sometimes called
-application level gateways [ALGs]) for more complex protocols such as FTP,
-SIP, H.323.
+mechanism used to "expect" \fBRELATED\fP connections to existing ones.
+Expectations are generally used by "connection tracking helpers" (sometimes
+called application level gateways [ALGs]) for more complex protocols such as
+FTP, SIP or H.323.
 .TP
 .BR "dying" :
 This table shows the conntrack entries, that have expired and that have been
-destroyed by the connection tracking system itself, or via the conntrack 
utility.
+destroyed by the connection tracking system itself, or via the \fBconntrack\fP
+utility.
 .TP
 .BR "unconfirmed" :
-This table shows new entries, that are not yet inserted into the conntrack 
table.
-These entries are attached to packets that are traversing the stack,
+This table shows new entries, that are not yet inserted into the conntrack
+table. These entries are attached to packets that are traversing the stack,
 but did not reach the confirmation point at the postrouting hook.
-.PP
-The tables "dying" and "unconfirmed" are basically only useful for debugging 
purposes.
-Under normal operation, it is hard to see entries in any of them.
+
+The tables "dying" and "unconfirmed" are basically only useful for debugging
+purposes. Under normal operation, it is hard to see entries in any of them.
 There are corner cases, where it is valid to see entries in the
 unconfirmed table, eg. when packets that are enqueued via nfqueue, and
-the dying table, eg. when conntrackd runs in event reliable mode.
-.PP
+the dying table, eg. when \fBconntrackd(8)\fP runs in event reliable mode.
+
 .SH OPTIONS
-The options recognized by 
-.B conntrack
-can be divided into several different groups.
+The options recognized by \fBconntrack\fP can be divided into several different
+groups.
+
 .SS COMMANDS
 These options specify the particular operation to perform.  Only one of them
 can be specified at any given time.
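Review bot: in the rewritten dying-table sentence, `\fBconntrackd(8)\fP` bolds the section number too; the usual man convention is `\fBconntrackd\fP(8)`. While that line is being touched, "eg." should be "e.g." (also on the untouched neighbouring line about nfqueue), and the clause "when packets that are enqueued via nfqueue" still lacks its verb, e.g. "when packets are enqueued via nfqueue".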
@@ -98,6 +102,7 @@ Show the table counter.
 .TP
 .BI "-S, --stats "
 Show the in-kernel connection tracking system statistics.
+
 .SS PARAMETERS
 .TP
 .BI "-z, --zero "
@@ -107,9 +112,9 @@ combination with the "\-L, \-\-dump" command options.
 .BI "-o, --output [extended,xml,timestamp,id,ktimestamp,labels] &qu

[ulogd2 PATCH] ulogd2: add new config option: load_all_plugins

2017-09-25 Thread Arturo Borrero Gonzalez
This new configuration option eases a bit the configuration of ulogd2 by
allowing all plugins to be loaded in one go, without having to know their full path.

Choosing concrete plugins and using the full path for them is great for some
environments, but I don't think it's a common case. The common case is to
load all plugins, even ignoring where they live in the filesystem.

Even worse, the full path may be architecture-dependent, which makes copying
the ulogd.conf file between machines unnecessarily complex.

There are two ways of using this new config directive:

1) leave it empty   (i.e. 'load_all_plugins=')
2) use a path   (i.e. 'load_all_plugins=/usr/local/lib/mydir/')

In the first case, plugins will be loaded from a default directory, chosen at
build/configure time (--with-ulogd2libdir). If not specified, this is something
like '/usr/local/lib/ulogd/'.

In the second case, the user is responsible for providing a sensible path.

The 'load_all_plugins' directive may be combined with the old 'plugin'
directive to load other custom-made plugins elsewhere, like always.
The 'plugin' directive is kept unchanged.

This new configuration option doesn't implement any special logic. We simply
open the dir and try to load all files ending with '.so'.

Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org>
---
 configure.ac  |   30 +++---
 src/ulogd.c   |   49 -
 ulogd.conf.in |   10 ++
 3 files changed, 85 insertions(+), 4 deletions(-)

diff --git a/configure.ac b/configure.ac
index e661981..b3441e4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -36,9 +36,6 @@ dnl Checks for library functions.
 AC_FUNC_VPRINTF
 AC_CHECK_FUNCS(socket strerror)
 
-regular_CFLAGS="-Wall -Wextra -Wno-unused-parameter"
-AC_SUBST([regular_CFLAGS])
-
 AC_SEARCH_LIBS([pthread_create], [pthread], [libpthread_LIBS="$LIBS"; LIBS=""])
 AC_SUBST([libpthread_LIBS])
 
@@ -153,6 +150,16 @@ else
enable_jansson="no"
 fi
 
+AC_ARG_WITH([ulogd2libdir],
+   AS_HELP_STRING([--with-ulogd2libdir=PATH],
+[Default directory to load ulogd2 plugin from [[LIBDIR/ulogd]]]),
+[ulogd2libdir="$withval"],
+[ulogd2libdir="${libdir}/ulogd"])
+AC_SUBST([ulogd2libdir])
+
+regular_CFLAGS="-Wall -Wextra -Wno-unused-parameter 
-DULOGD2_LIBDIR=\\\"\${ulogd2libdir}\\\"";
+AC_SUBST([regular_CFLAGS])
+
 dnl AC_SUBST(DATABASE_DIR)
 dnl AC_SUBST(DATABASE_LIB)
 dnl AC_SUBST(DATABASE_LIB_DIR)
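Review bot: -DULOGD2_LIBDIR is appended to regular_CFLAGS, which every plugin and library object in the tree is compiled with, although only src/ulogd.c reads the macro; putting it in src/Makefile.am's AM_CPPFLAGS instead keeps the quoted path out of the plugins' compile lines and limits what a changed path rebuilds. The value itself is not validated either: `--with-ulogd2libdir` with no argument or `--without-ulogd2libdir` bakes "yes" or "no" into the macro, which only surfaces as an opendir() error at daemon start rather than as a configure failure.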
@@ -176,8 +183,25 @@ AC_CONFIG_FILES(include/Makefile include/ulogd/Makefile 
include/libipulog/Makefi
  src/Makefile Makefile Rules.make)
 AC_OUTPUT
 
+define([EXPAND_VARIABLE],
+[$2=[$]$1
+if test $prefix = 'NONE'; then
+prefix="/usr/local"
+fi
+while true; do
+  case "[$]$2" in
+*\[$]* ) eval "$2=[$]$2" ;;
+*) break ;;
+  esac
+done
+eval "$2=[$]$2"
+])dnl EXPAND_VARIABLE
+
+EXPAND_VARIABLE(ulogd2libdir, e_ulogd2libdir)
+
 echo "
 Ulogd configuration:
+  Default plugins directory:   ${e_ulogd2libdir}
   Input plugins:
 NFLOG plugin:  ${enable_nflog}
 NFCT plugin:   ${enable_nfct}
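Review bot: EXPAND_VARIABLE hard-codes "/usr/local" where $ac_default_prefix is the value configure itself uses, and it reassigns prefix after AC_OUTPUT, which is harmless here but surprising to the next reader; a comment that the expansion is only for the summary line, and a check that a ${libdir} built on ${exec_prefix} is also expanded when only --prefix was given, would make the summary trustworthy.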
diff --git a/src/ulogd.c b/src/ulogd.c
index 68f..5ae8498 100644
--- a/src/ulogd.c
+++ b/src/ulogd.c
@@ -124,10 +124,11 @@ static LLIST_HEAD(ulogd_pi_stacks);
 static int load_plugin(const char *file);
 static int create_stack(const char *file);
 static int logfile_open(const char *name);
+static int load_all_plugins();
 static void cleanup_pidfile();
 
 static struct config_keyset ulogd_kset = {
-   .num_ces = 4,
+   .num_ces = 5,
.ces = {
{
.key = "logfile",
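Review bot: the forward declaration `static int load_all_plugins();` has an empty parameter list while the definition further down takes `const char *arg`; declare it as `static int load_all_plugins(const char *arg);` so the compiler checks the callback against the config_keyset parser type, matching the load_plugin() and create_stack() prototypes just above it.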
@@ -153,6 +154,12 @@ static struct config_keyset ulogd_kset = {
.options = CONFIG_OPT_MULTI,
.u.parser = _stack,
},
+   {
+   .key = "load_all_plugins",
+   .type = CONFIG_TYPE_CALLBACK,
+   .options = CONFIG_OPT_NONE,
+   .u.parser = _all_plugins,
+   },
},
 };
 
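Review bot: the new entry uses CONFIG_OPT_NONE whereas "plugin" and "stack" above use CONFIG_OPT_MULTI; decide whether load_all_plugins= may appear more than once (the default directory plus a site directory, say) and make the flag say so, otherwise the behaviour on a repeated key is whatever the config parser does by default. The parser also has to distinguish "directive present with an empty value" from "directive absent", which the definition below does by comparing arg with the key name; a comment on that convention next to this entry would help.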
@@ -728,6 +735,46 @@ static int load_plugin(const char *file)
return 0;
 }
 
+static int load_all_plugins(const char *arg)
+{
+   DIR *d;
+   struct dirent *dent;
+   char path[PATH_MAX];
+   const char *dir;
+
+   if (strcmp(arg, "load_all_plugins") == 0) /* no argument in conf */
+   dir = ULOGD2_LIBDIR;
+   else
+   dir = arg;
+
+   d = opendir(dir);
+   if (d == NULL) {
+   ulogd_log(ULOGD_ERROR, "load_all_plugins: opendir(%s): %s\n",
+ dir, strerror(errno));
+   return -1;
+   }
+
+   ulogd_log(ULOGD_NOTICE, "loading all plugins at %s\n", dir);
+
+   
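Review bot: a user-supplied directory goes straight from `dir = arg` to opendir() with no stat()/S_ISDIR check and no requirement that it be absolute, so a relative load_all_plugins=plugins/ resolves against whatever the daemon's working directory is at start; require an absolute path, or resolve it with realpath() and log the result before loading from it. Detecting "no argument" with strcmp(arg, "load_all_plugins") against the key name also means a directory literally named load_all_plugins cannot be told apart from an empty value; testing for an empty string would be clearer.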

Re: [RFC PATCH nft V4] src: Add import command for json

2017-09-21 Thread Arturo Borrero Gonzalez
On 20 September 2017 at 12:14, Shyam Saini <mayhs11sa...@gmail.com> wrote:
> This new operation allows to import ruleset in json to make
> incremental changes using the parse functions of libnftnl.
>
> A basic way to test this new functionality is:
>
>  % cat file.json | nft import json
>
> where the file.json is a ruleset exported in json format.
>
> Highly based on work from  Alvaro Neira <alvaron...@gmail.com>
> and Arturo Borrero <art...@netfilter.org>
>
> Acked-by: Arturo Borrero Gonzalez <art...@netfilter.org>
> Signed-off-by: Shyam Saini <mayhs11sa...@gmail.com>
> ---
> V4:
>   Fix coding style issues
>   Avoid nested function calls (As Suggested by Arturo )

LGTM

Thanks Shyam!

Just tested this patch, along with the one adding the testcase.
All seems fine.

@Pablo, please, review and apply.


Re: [ulogd2 PATCH] ulogd: use a RT scheduler by default

2017-09-19 Thread Arturo Borrero Gonzalez
On 7 September 2017 at 13:36, Arturo Borrero Gonzalez
<art...@netfilter.org> wrote:
> It is common that ulogd runs in scenarios where a lot of packets are to be
> logged.
> If there are more packets than ulogd can handle, users can start seeing log
> messages like this:
>
>  ulogd[556]: We are losing events. Please, consider using the clauses \
>  `netlink_socket_buffer_size' and `netlink_socket_buffer_maxsize'
>
> Which means that Netlink buffer overruns have happened.
> There are several approaches to prevent this situation:
>
>  * in the ruleset, limit the amount of packets queued for log
>  * in the ruleset, instruct the kernel to use a queue-threshold
>  * from userspace, increment Netlink buffer sizes
>  * from userspace, configure ulogd to run as a high priority process
>
> The first 3 methods can be configured by users at runtime.
> This patch deals with the last method. SCHED_RR is configured by default,
> with no associated configuration parameter for users, since I believe
> this is common enough, and should produce no harm.
>
> A similar approach is used in the conntrackd daemon.
>
> Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org>
> ---
>  src/ulogd.c |   15 +++
>  1 file changed, 15 insertions(+)
>

Eric did ACK this via IRC, please someone push the patch.


Re: [RFC PATCH nft V3] src: Add import command for json

2017-09-12 Thread Arturo Borrero Gonzalez
On 11 September 2017 at 18:53, Shyam Saini  wrote:
> This new operation allows to import ruleset in json to make
> incremental changes using the parse functions of libnftnl.
>
> A basic way to test this new functionality is:
>
>  % cat file.json | nft import json
>
> where the file.json is a ruleset exported in json format.
>
> Highly based on work from  Alvaro Neira 
> and Arturo Borrero 
>
> Signed-off-by: Shyam Saini 
> ---
> V3:
>Follow kernel coding style
> ---

Hi Shyam,

almost there. Still some changes required in the coding style. See below.

BTW, you forgot to include the Acked-by: line I mentioned in the last email.

>  include/netlink.h  |   9 ++
>  include/rule.h |  14 +--
>  src/evaluate.c |   2 +
>  src/netlink.c  | 288 
> +
>  src/parser_bison.y |  38 +--
>  src/rule.c |  45 +++--
>  src/scanner.l  |   1 +
>  7 files changed, 370 insertions(+), 27 deletions(-)
>
> diff --git a/include/netlink.h b/include/netlink.h
> index b395cf1cd9ad..b63740b38c2a 100644
> --- a/include/netlink.h
> +++ b/include/netlink.h
> @@ -225,4 +225,13 @@ bool netlink_batch_supported(struct mnl_socket *nf_sock, 
> uint32_t *seqnum);
>
>  int netlink_echo_callback(const struct nlmsghdr *nlh, void *data);
>
> +struct ruleset_parse {
> +   struct netlink_ctx  *nl_ctx;
> +   struct cmd  *cmd;
> +};
> +
> +struct nftnl_parse_ctx;
> +
> +int netlink_markup_parse_cb(const struct nftnl_parse_ctx *ctx);
> +
>  #endif /* NFTABLES_NETLINK_H */
> diff --git a/include/rule.h b/include/rule.h
> index 631a1bcdf84e..56dee9766b2b 100644
> --- a/include/rule.h
> +++ b/include/rule.h
> @@ -327,6 +327,7 @@ uint32_t obj_type_to_cmd(uint32_t type);
>   * @CMD_RESET: reset container
>   * @CMD_FLUSH: flush container
>   * @CMD_RENAME:rename object
> + * @CMD_IMPORT:import a ruleset in a given format
>   * @CMD_EXPORT:export the ruleset in a given format
>   * @CMD_MONITOR:   event listener
>   * @CMD_DESCRIBE:  describe an expression
> @@ -342,6 +343,7 @@ enum cmd_ops {
> CMD_RESET,
> CMD_FLUSH,
> CMD_RENAME,
> +   CMD_IMPORT,
> CMD_EXPORT,
> CMD_MONITOR,
> CMD_DESCRIBE,
> @@ -361,7 +363,7 @@ enum cmd_ops {
>   * @CMD_OBJ_RULESET:   ruleset
>   * @CMD_OBJ_EXPR:  expression
>   * @CMD_OBJ_MONITOR:   monitor
> - * @CMD_OBJ_EXPORT:export
> + * @CMD_OBJ_MARKUP:import/export
>   * @CMD_OBJ_COUNTER:   counter
>   * @CMD_OBJ_COUNTERS:  multiple counters
>   * @CMD_OBJ_QUOTA: quota
> @@ -381,7 +383,7 @@ enum cmd_obj {
> CMD_OBJ_RULESET,
> CMD_OBJ_EXPR,
> CMD_OBJ_MONITOR,
> -   CMD_OBJ_EXPORT,
> +   CMD_OBJ_MARKUP,
> CMD_OBJ_FLOWTABLE,
> CMD_OBJ_FLOWTABLES,
> CMD_OBJ_MAP,
> @@ -396,12 +398,12 @@ enum cmd_obj {
> CMD_OBJ_LIMITS,
>  };
>
> -struct export {
> +struct markup {
> uint32_tformat;
>  };
>
> -struct export *export_alloc(uint32_t format);
> -void export_free(struct export *e);
> +struct markup *markup_alloc(uint32_t format);
> +void markup_free(struct markup *m);
>
>  enum {
> CMD_MONITOR_OBJ_ANY,
> @@ -454,7 +456,7 @@ struct cmd {
> struct chain*chain;
> struct table*table;
> struct monitor  *monitor;
> -   struct export   *export;
> +   struct markup   *markup;
> struct obj  *object;
> };
> const void  *arg;
> diff --git a/src/evaluate.c b/src/evaluate.c
> index e767542a868e..2275a3026255 100644
> --- a/src/evaluate.c
> +++ b/src/evaluate.c
> @@ -3407,6 +3407,8 @@ int cmd_evaluate(struct eval_ctx *ctx, struct cmd *cmd)
> return 0;
> case CMD_MONITOR:
> return cmd_evaluate_monitor(ctx, cmd);
> +   case CMD_IMPORT:
> +   return 0;
> default:
> BUG("invalid command operation %u\n", cmd->op);
> };
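Review bot: CMD_IMPORT returns 0 from cmd_evaluate() without looking at the command, so nothing here checks the imported ruleset before it is batched; if the intention is that libnftnl's JSON parser performs all validation, say so in a comment at this case, because every other command in the switch is routed through an evaluation function and a reader will take the bare `return 0` for an oversight.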
> diff --git a/src/netlink.c b/src/netlink.c
> index 291bbdeeaa68..de4d284d5e9b 100644
> --- a/src/netlink.c
> +++ b/src/netlink.c
> @@ -24,6 +24,7 @@
>  #include 
>  #include 
>  #include 
> +#include 
>  #include 
>  #include 
>  #include 
> @@ -3030,6 +3031,293 @@ int netlink_monitor(struct netlink_mon_handler 
> *monhandler,
> return mnl_nft_event_listener(, netlink_events_cb, monhandler);
>  }
>
> +static int netlink_markup_setelems(const struct nftnl_parse_ctx *ctx)
> +{
> +   const struct ruleset_parse *rp;
> +   struct nftnl_set *set;
> +   uint32_t cmd;
> +   int ret = -1;
> +
> +   set = nftnl_ruleset_ctx_get(ctx, NFTNL_RULESET_CTX_SET);
> +   rp = nftnl_ruleset_ctx_get(ctx, NFTNL_RULESET_CTX_DATA);
> +
> +   cmd = nftnl_ruleset_ctx_get_u32(ctx, 
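Review bot: `set` and `rp` come from nftnl_ruleset_ctx_get() and are used without a NULL check; the callback runs once per parsed object, so a failed context lookup should return an error rather than dereference NULL. With `int ret = -1` as the default, a command value matching no case also fails silently; a `default:` branch naming the unsupported command helps anyone importing hand-edited JSON.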

Re: [RFC PATCH nft V2] src: Add import command for json

2017-09-11 Thread Arturo Borrero Gonzalez
On 10 September 2017 at 14:31, Shyam Saini <mayhs11sa...@gmail.com> wrote:
> This new operation allows to import ruleset in json to make
> incremental changes using the parse functions of libnftnl.
>
> A basic way to test this new functionality is:
>
>  % cat file.json | nft import json
>
> where the file.json is a ruleset exported in json format.
>
> Highly based on work from  Alvaro Neira <alvaron...@gmail.com>
> and Arturo Borrero <art...@netfilter.org>.
>
> Signed-off-by: Shyam Saini <mayhs11sa...@gmail.com>
> ---
> V2:
>   Build Patch over updated repository.


Hi Shyam,

I was able to test this with the testcase you provided in the other
patch! great! :-)

One last thing: the coding style should be fixed before we can merge
this into master. Examples below.
We follow the Linux kernel coding style [0]. There is a script to check
coding style [1], but beware of some false positives (regarding the
commit message).

Other than that, the patch looks fine. Please, address the coding
style issues, and resend with:

Acked-by: Arturo Borrero Gonzalez <art...@netfilter.org>


> +
> +static int netlink_markup_build_rule(const struct nftnl_parse_ctx *ctx,
> +   uint32_t cmd, struct 
> nftnl_rule *rule)
> +{

^^^
bad alignment, indentation, produces long lines.

> +
> +static int netlink_markup_chain(const struct nftnl_parse_ctx *ctx)
> +{
> +   const struct ruleset_parse *rp;
> +   struct nftnl_chain *chain;
> +   uint32_t cmd;
> +   int ret = -1;
> +
> +   chain = nftnl_ruleset_ctx_get(ctx, NFTNL_RULESET_CTX_CHAIN);
> +   rp = nftnl_ruleset_ctx_get(ctx, NFTNL_RULESET_CTX_DATA);
> +
> +   nftnl_chain_unset(chain, NFTNL_CHAIN_HANDLE);
> +
> +   cmd = nftnl_ruleset_ctx_get_u32(ctx, NFTNL_RULESET_CTX_CMD);
> +   switch (cmd) {
> +   case NFTNL_CMD_ADD:
> +   ret = mnl_nft_chain_batch_add(chain, rp->nl_ctx->batch, 0, 
> rp->nl_ctx->seqnum);
> +   break;
> +   case NFTNL_CMD_DELETE:
> +   ret = mnl_nft_chain_batch_del(chain, rp->nl_ctx->batch, 0, 
> rp->nl_ctx->seqnum);
^^
too long lines
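Review bot: dropping NFTNL_CHAIN_HANDLE before the switch is right for NFTNL_CMD_ADD, since a handle from the exporting host means nothing here, but it applies to NFTNL_CMD_DELETE as well, so a delete must then identify the chain by table and name alone; a comment stating that is enough for chains, but please confirm the rule handler does not unset its handle the same way, as rules cannot be deleted by name.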


[0] https://www.kernel.org/doc/html/v4.10/process/coding-style.html
[1] https://github.com/torvalds/linux/blob/master/scripts/checkpatch.pl


[ulogd2 PATCH] ulogd: use a RT scheduler by default

2017-09-07 Thread Arturo Borrero Gonzalez
It is common that ulogd runs in scenarios where a lot of packets are to be logged.
If there are more packets than ulogd can handle, users can start seeing log
messages like this:

 ulogd[556]: We are losing events. Please, consider using the clauses \
 `netlink_socket_buffer_size' and `netlink_socket_buffer_maxsize'

Which means that Netlink buffer overruns have happened.
There are several approaches to prevent this situation:

 * in the ruleset, limit the amount of packets queued for log
 * in the ruleset, instruct the kernel to use a queue-threshold
 * from userspace, increment Netlink buffer sizes
 * from userspace, configure ulogd to run as a high priority process

The first 3 methods can be configured by users at runtime.
This patch deals with the last method. SCHED_RR is configured by default,
with no associated configuration parameter for users, since I believe
this is common enough, and should produce no harm.

A similar approach is used in the conntrackd daemon.

Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org>
---
 src/ulogd.c |   15 +++
 1 file changed, 15 insertions(+)

diff --git a/src/ulogd.c b/src/ulogd.c
index b85d0ee..68f 100644
--- a/src/ulogd.c
+++ b/src/ulogd.c
@@ -64,6 +64,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #ifdef DEBUG
@@ -1395,6 +1396,19 @@ static void signal_handler_task(int signal)
deliver_signal_pluginstances(signal);
 }
 
+static void set_scheduler(void)
+{
+   struct sched_param schedparam;
+   int sched_type;
+
+   schedparam.sched_priority = sched_get_priority_max(SCHED_RR);
+   sched_type = SCHED_RR;
+
+   if (sched_setscheduler(0, sched_type, ) < 0)
+   fprintf(stderr, "WARNING: scheduler configuration failed:"
+   " %s\n", strerror(errno));
+}
+
 static void print_usage(void)
 {
printf("ulogd Version %s\n", VERSION);
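Review bot: set_scheduler() asks for sched_get_priority_max(SCHED_RR), the highest real-time priority the kernel offers, so a ulogd that spins (a stuck output plugin, a full disk with a busy retry loop) would starve every normal task on the CPU; a modest fixed priority, or one read from the configuration, gives the same protection against Netlink overruns with far less blast radius. The failure path writes to stderr with fprintf() rather than ulogd_log(), so with a logfile configured the warning never reaches the log, and for an unprivileged ulogd (no CAP_SYS_NICE, RLIMIT_RTPRIO 0) sched_setscheduler() fails with EPERM every time, which makes that warning the normal case rather than the exception.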
@@ -1589,6 +1603,7 @@ int main(int argc, char* argv[])
signal(SIGALRM, _handler);
signal(SIGUSR1, _handler);
signal(SIGUSR2, _handler);
+   set_scheduler();
 
ulogd_log(ULOGD_INFO, 
  "initialization finished, entering main loop\n");

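Review bot: set_scheduler() is called unconditionally right after the signal handlers are installed, so every ulogd instance becomes a SCHED_RR task with no way to opt out from ulogd.conf; a config key for scheduler type and priority (defaulting to off or to a modest priority) plus a line in ulogd.conf.in documenting it would let operators who already cap buffers or queue thresholds in the ruleset keep the default policy.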

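As an added example in C (not ulogd2 code) of the alternative to the patch's `sched_get_priority_max(SCHED_RR)` above: a configured priority is clamped to the kernel's SCHED_RR range and to the process's soft RLIMIT_RTPRIO, the request is first tried in a forked child so a refusal (EPERM for an unprivileged process, for instance) is reported without changing the caller's own scheduling, and the outcome is returned rather than only printed to stderr. The function names and the example priority of 10 are assumptions made for this example.

```c
/* Added example (not ulogd2 code): bounded SCHED_RR setup with a probe. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Clamp a configured SCHED_RR priority to the kernel's range and to the
 * soft RLIMIT_RTPRIO. Returns 0 when real-time scheduling should not be
 * requested at all (nothing configured, or the limit forbids it). */
static int clamp_rt_priority(int wanted, rlim_t rt_limit)
{
	int lo = sched_get_priority_min(SCHED_RR);
	int hi = sched_get_priority_max(SCHED_RR);

	if (wanted <= 0 || rt_limit == 0)
		return 0;
	if (rt_limit != RLIM_INFINITY && (rlim_t)hi > rt_limit)
		hi = (int)rt_limit;
	return wanted < lo ? lo : wanted > hi ? hi : wanted;
}

/* Try SCHED_RR at prio in a forked child and return the child's errno
 * (0 if the kernel accepted it). The caller's own scheduling is untouched,
 * so this is safe at daemon start and from a test. */
static int probe_rt_priority(int prio)
{
	struct sched_param sp = { .sched_priority = prio };
	pid_t pid = fork();
	int status;

	if (pid < 0)
		return errno;
	if (pid == 0)
		_exit(sched_setscheduler(0, SCHED_RR, &sp) == 0 ? 0 : errno);
	if (waitpid(pid, &status, 0) < 0)
		return errno;
	return WIFEXITED(status) ? WEXITSTATUS(status) : EINVAL;
}

/* Apply the bounded priority to the calling process. Returns the priority
 * set, 0 if RT was not requested, or -errno if the kernel refused. */
static int set_scheduler_bounded(int wanted)
{
	struct rlimit rl;
	struct sched_param sp;
	int prio;

	if (getrlimit(RLIMIT_RTPRIO, &rl) != 0)
		return -errno;
	prio = clamp_rt_priority(wanted, rl.rlim_cur);
	if (prio == 0)
		return 0;
	sp.sched_priority = prio;
	return sched_setscheduler(0, SCHED_RR, &sp) == 0 ? prio : -errno;
}

int main(void)
{
	int rc = probe_rt_priority(10);	/* 10, not sched_get_priority_max() */

	printf("SCHED_RR priority 10: %s\n", rc ? strerror(rc) : "allowed");
	rc = set_scheduler_bounded(10);
	if (rc < 0)
		fprintf(stderr, "scheduler unchanged: %s\n", strerror(-rc));
	else
		printf("running with SCHED_RR priority %d\n", rc);
	return 0;
}
```

Run as an unprivileged user the probe reports "Operation not permitted" and set_scheduler_bounded() returns 0 or -EPERM without aborting; as root with an unlimited RLIMIT_RTPRIO the process ends up at priority 10, which still yields to the kernel's own higher-priority real-time threads.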

Re: [nft PATCH RFC] Convert man page source to asciidoc

2017-09-06 Thread Arturo Borrero Gonzalez
On 6 September 2017 at 10:41, Phil Sutter  wrote:
> Beware: The conversion is incomplete and merely serves as base for
> discussion.
>
> This patch converts nft.xml into asciidoc markup, top down until (and
> including) stateful objects description. I stopped there because it's
> the first chance of demonstrating my idea of splitting the documentation
> into smaller pieces for convenience and maintainability.
>
> Regarding package dependencies, this "just" exchanges docbook with
> asciidoc - dblatex is still required for PDF creation.
>

Hi Phil,

thanks for your initiative and hard work, it's really appreciated :-)

Regarding the change, why asciidoc? Why not markdown, org-mode or
reStructuredText?
There are many markup languages; it reminds me of xkcd #927 [0].
I would prefer if we stick to groff, which seems to be the standard in Linux.

Regarding the separation of text in different includes, why not
creating different manpages?
Netfilter did this in the past with iptables(8) and iptables-extensions(8).

Brainstorming:
* nft(8) <-- main document, general info
* nft-ct(8) <-- concrete info for ct objects
* nft-counter(8) <-- concrete info for counter objects
* nft-flowtables(8) <-- about flow tables
* nft-quota(8) <--- concrete info for quotas
* nft-performance(8) <--- concrete info about nftables sets, maps,
dicts, concatenations, etc.
* nft-ha(8) <--- for HA environments, loadbalancing etc

[0] https://xkcd.com/927/


Re: [nft PATCH V2] tests: shell: Add tests for json import

2017-09-05 Thread Arturo Borrero Gonzalez
On 4 September 2017 at 14:39, Shyam Saini  wrote:
>>> These test cases can be used to test upcoming "import json" command.
>>>

Hi Shyam,

your v3 looks fine.

I was going to test it out, but it seems the first patch [0] in the
series requires a refresh.
Please, refresh this first patch.

thanks for your work!

[0] http://patchwork.ozlabs.org/patch/803561/


Re: [nft PATCH V2] tests: shell: Add tests for json import

2017-09-04 Thread Arturo Borrero Gonzalez
On 3 September 2017 at 01:32, Shyam Saini  wrote:
> These test cases can be used to test upcoming "import json" command.
>
> Here is the short description of the files:
> all_ruleset_list   ->contains list of all the individual rules
> json_import_0  ->script that runs json run-tests.sh
>
> For Example:
> $ ./run-tests.sh testcases/import/json_import_0
>
> Below mentioned files contains individual rules in json format and
> are added for the reference:
> rules_ipv4*->ip  table rules files
> rules_ipv6*->ip6 table rules files
> rules_arp* ->arp table rules files
> rules_bridge*  ->bridge table rules files
>
> Signed-off-by: Shyam Saini 
> ---

This is v2: generally in this patch section we include patch changelog
information.
Please, take a look at this when sending v3 :-)

>  tests/shell/testcases/import/all_ruleset_list  | 46 ++
>  tests/shell/testcases/import/json_import_0 | 72 
> ++
>  .../testcases/import/rules_arp_hlen_range.json |  1 +
>  tests/shell/testcases/import/rules_arp_htype.json  |  1 +
>  .../testcases/import/rules_arp_operation.json  |  1 +
>  .../import/rules_arp_operation_check.json  |  1 +
>  .../shell/testcases/import/rules_arp_ptype_ip.json |  1 +
>  .../shell/testcases/import/rules_bridge_vlan.json  |  1 +
>  .../testcases/import/rules_bridge_vlan_id.json |  1 +
>  ...bridge_vlan_id_saddr_udp_dport_drop_domain.json |  1 +
>  .../import/rules_ipv4_ct_state_accept.json |  1 +
>  .../rules_ipv4_icmp_type_echo-request_accept.json  |  1 +
>  .../rules_ipv4_icmp_type_echo-request_counter.json |  1 +
>  .../import/rules_ipv4_iifname_accept.json  |  1 +
>  .../import/rules_ipv4_saddr_daddr_counter.json |  1 +
>  .../testcases/import/rules_ipv4_set_elements.json  |  1 +
>  .../import/rules_ipv4_tcp_dport_http_ssh.json  |  1 +
>  .../testcases/import/rules_ipv4_tcp_flags.json |  1 +
>  .../import/rules_ipv6_daddr_udp_dport_counter.json |  1 +
>  ...es_ipv6_daddr_udp_dport_counter_masquerade.json |  1 +
>  .../testcases/import/rules_ipv6_icmpv6_id.json |  1 +
>  ...iifname_ct_state_tcp_dport_vmap_masquerade.json |  1 +
>  .../import/rules_ipv6_l4proto_tcp_masquerade.json  |  1 +
>  ...dport_ssh_daddr_mapping_ether_saddr_accept.json |  1 +
>  24 files changed, 140 insertions(+)
>  create mode 100644 tests/shell/testcases/import/all_ruleset_list
>  create mode 100755 tests/shell/testcases/import/json_import_0
>  create mode 100644 tests/shell/testcases/import/rules_arp_hlen_range.json
>  create mode 100644 tests/shell/testcases/import/rules_arp_htype.json
>  create mode 100644 tests/shell/testcases/import/rules_arp_operation.json
>  create mode 100644 
> tests/shell/testcases/import/rules_arp_operation_check.json
>  create mode 100644 tests/shell/testcases/import/rules_arp_ptype_ip.json
>  create mode 100644 tests/shell/testcases/import/rules_bridge_vlan.json
>  create mode 100644 tests/shell/testcases/import/rules_bridge_vlan_id.json
>  create mode 100644 
> tests/shell/testcases/import/rules_bridge_vlan_id_saddr_udp_dport_drop_domain.json
>  create mode 100644 
> tests/shell/testcases/import/rules_ipv4_ct_state_accept.json
>  create mode 100644 
> tests/shell/testcases/import/rules_ipv4_icmp_type_echo-request_accept.json
>  create mode 100644 
> tests/shell/testcases/import/rules_ipv4_icmp_type_echo-request_counter.json
>  create mode 100644 
> tests/shell/testcases/import/rules_ipv4_iifname_accept.json
>  create mode 100644 
> tests/shell/testcases/import/rules_ipv4_saddr_daddr_counter.json
>  create mode 100644 tests/shell/testcases/import/rules_ipv4_set_elements.json
>  create mode 100644 
> tests/shell/testcases/import/rules_ipv4_tcp_dport_http_ssh.json
>  create mode 100644 tests/shell/testcases/import/rules_ipv4_tcp_flags.json
>  create mode 100644 
> tests/shell/testcases/import/rules_ipv6_daddr_udp_dport_counter.json
>  create mode 100644 
> tests/shell/testcases/import/rules_ipv6_daddr_udp_dport_counter_masquerade.json
>  create mode 100644 tests/shell/testcases/import/rules_ipv6_icmpv6_id.json
>  create mode 100644 
> tests/shell/testcases/import/rules_ipv6_iifname_ct_state_tcp_dport_vmap_masquerade.json
>  create mode 100644 
> tests/shell/testcases/import/rules_ipv6_l4proto_tcp_masquerade.json
>  create mode 100644 
> tests/shell/testcases/import/rules_ipv6_tcp_dport_ssh_daddr_mapping_ether_saddr_accept.json
>
> diff --git a/tests/shell/testcases/import/all_ruleset_list 
> b/tests/shell/testcases/import/all_ruleset_list
> new file mode 100644
> index ..4e25a76d8016
> --- /dev/null
> +++ b/tests/shell/testcases/import/all_ruleset_list
> @@ -0,0 +1,46 @@
> +table ip mangle {
> +set blackhole {
> +type ipv4_addr
> +elements = { 192.168.1.4, 192.168.1.5 }
> +}
> +
> +chain prerouting {
> +

Re: [PATCH] examples: Fix memory leaks detected by Valgrind

2017-08-29 Thread Arturo Borrero Gonzalez
Thanks Shyam,

Acked-by: Arturo Borrero Gonzalez <art...@netfilter.org>

in the future, please add a tag to the [PATCH] header, like "[PATCH
libnftnl]", so we can easily know which tree this patch should be
applied to.


Re: [PATCH V2] tests: json: Add test cases for json format

2017-08-24 Thread Arturo Borrero Gonzalez
On 24 August 2017 at 14:08, Shyam Saini  wrote:
>> That was quick and dirty code for you to get the idea.
>> Please follow the example of other testcases [0] to compare ruleset,
>> create tempfiles and so on.
>>
>
> One issue with this approach: in case of set rules
> nft will throw this error
> "Error: Could not process rule: File exists"
> So, I need to flush the ruleset before importing them with json.
> Is it okay?
>

yes, something like:

nft export
nft flush ruleset
nft import

we can later on investigate how to do something like:

nft export json | nft import json

>>
>> Please, if possible, try to add a testcase that is [OK]. Not sure what
>> is wrong with the dup statement.
>>
> I tried, but they always throw the same error.
> Shouldn't we keep them in the testsuite so that we know that this set of
> rules needs to be fixed?
>

yes, but the point is to try to fix the issue or at least identify
where the issue is.


Re: [PATCH V2] tests: json: Add test cases for json format

2017-08-24 Thread Arturo Borrero Gonzalez
On 24 August 2017 at 10:49, Shyam Saini  wrote:
> These test cases can be used to test upcoming "import json" command.
>
> Here is the short description of the files:
> all_ruleset_list   ->contains list of all the individual rules

Wait. You are generating the JSON files from this ruleset, right?

Then, why not simplify the tests by:

 * load a ruleset model (your all_ruleset_list file)
 * export it in JSON format (nft export json)
 * import it again in JSON format (nft import)
 * compare the resulting ruleset (nft list ruleset) with the original
file (all_ruleset_list file)

This way we test in the same run all the JSON code paths.

You will need a simple testcase, like this:

=== 8< ===
#!/bin/bash
set -e
TMP=$(mktemp)
RULESET="table ip { ... } "
echo "$RULESET" > "$TMP"
$NFT -f "$TMP"
$NFT export json > "$TMP"
cat "$TMP" | $NFT import json
RESULT=$($NFT list ruleset)
# compare result and initial ruleset, if fail show diff
diff <(echo "$RULESET") <(echo "$RESULT")
=== 8< ===

That was quick and dirty code for you to get the idea.
Please follow the example of other testcases [0] to compare ruleset,
create tempfiles and so on.

Please, if possible, try to add a testcase that is [OK]. Not sure what
is wrong with the dup statement.

thanks Shyam!

[0] http://git.netfilter.org/nftables/tree/tests/shell/testcases/netns/0001nft-f_0
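The round-trip test sketched above, written out as an added example (not code from the nftables tree): it follows the export / flush / import sequence from the earlier reply, adds the compare step, and assumes the tests/shell convention that run-tests.sh exports $NFT with the path of the nft binary. The sample ruleset is constructed for the example, and normalize_ruleset, rulesets_match and json_roundtrip are hypothetical helper names of mine.

```shell
#!/bin/bash
# Added example (not from the nftables tree): JSON export/import round-trip
# test in the style of nftables tests/shell testcases. run-tests.sh is
# assumed to export NFT with the path of the nft binary to exercise.
set -e

# Constructed sample ruleset. No stateful statements (counter, quota) on
# purpose: "nft list ruleset" prints their live values, which a plain
# text comparison with the input file would flag as a difference.
SAMPLE_RULESET='table ip mangle {
    set blackhole {
        type ipv4_addr
        elements = { 192.168.1.4, 192.168.1.5 }
    }

    chain prerouting {
        type filter hook prerouting priority -150; policy accept;
        ip saddr @blackhole drop
    }
}'

# normalize_ruleset (hypothetical helper): canonicalise a ruleset read on
# stdin so that nft's own indentation and blank lines do not matter:
# drop empty lines, strip leading/trailing whitespace, squeeze runs of
# whitespace to one space.
normalize_ruleset() {
    sed -e '/^[[:space:]]*$/d' \
        -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]\{1,\}/ /g'
}

# rulesets_match EXPECTED_FILE ACTUAL_FILE (hypothetical helper): return 0
# when both files describe the same ruleset after normalisation, else print
# a diff on stderr and return 1.
rulesets_match() {
    local expected actual e a
    expected=$(normalize_ruleset < "$1")
    actual=$(normalize_ruleset < "$2")
    if [ "$expected" = "$actual" ]; then
        return 0
    fi
    e=$(mktemp); a=$(mktemp)
    printf '%s\n' "$expected" > "$e"
    printf '%s\n' "$actual" > "$a"
    echo "ruleset differs after JSON round-trip (expected vs. actual):" >&2
    diff "$e" "$a" >&2 || true
    rm -f "$e" "$a"
    return 1
}

# json_roundtrip RULESET_FILE (hypothetical helper): load the file, export
# it as JSON, flush, import the JSON and compare what the kernel now holds
# with the original file. All JSON code paths are exercised in one run.
json_roundtrip() {
    local orig json listed rc
    orig=$1
    json=$(mktemp); listed=$(mktemp)
    $NFT flush ruleset
    $NFT -f "$orig"
    $NFT export json > "$json"
    # Without this flush the import fails with "File exists" on the set
    # elements that are already present.
    $NFT flush ruleset
    $NFT import json < "$json"
    $NFT list ruleset > "$listed"
    rc=0
    rulesets_match "$orig" "$listed" || rc=$?
    rm -f "$json" "$listed"
    return $rc
}

# Only talk to the kernel when run under run-tests.sh (NFT set); the
# helpers above can be exercised on their own without nft installed.
if [ -n "${NFT:-}" ]; then
    orig=$(mktemp)
    printf '%s\n' "$SAMPLE_RULESET" > "$orig"
    rc=0
    json_roundtrip "$orig" || rc=$?
    rm -f "$orig"
    exit $rc
fi
```

The whitespace normalisation is deliberately the only thing the compare tolerates, so a handle, a reordered element or a counter value surfaces as a diff rather than being silently accepted.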


Re: [PATCH] tests: json: Add test cases for json format

2017-08-23 Thread Arturo Borrero Gonzalez
On 22 August 2017 at 11:30, Shyam Saini  wrote:
>
> Should I send the version 2 of this patch with this script?
>

Yes,

my suggestion is:

* create a new testcase in nftables: tests/shell/testcases/import/yourscript_0
* put all the json files in: tests/shell/testcases/import/json and
read them from yourscript_0

in the script use the $NFT environment variable to call nft.

This way we avoid adding a new testsuite just for this and reuse existing code.


Re: [PATCH] tests: json: Add test cases for json format

2017-08-22 Thread Arturo Borrero Gonzalez
On 21 August 2017 at 22:55, Shyam Saini  wrote:
> These cases can be used to test upcoming "import json" command.
>
> Here is the short description of the files:
> all_ruleset_list   ->contains list of all the individual rules
> rules_ipv4*->ip  table
> rules_ipv6*->ip6 table
> rules_arp* ->arp table
> rules_bridge*  ->bridge table
>
> At this point of time some tests may fail.
> For example:
>  dup to 172.20.0.2
>  ether daddr 00:01:02:03:04:05 ether saddr set ff:fe:dc:ba:98:76 drop
>

Hi Shyam,

thanks for your work!

A question: How are we supposed to run these tests? At least, any hint
would be welcome in the commit message.


Re: [nft PATCH 0/16] introduce libnftables

2017-08-17 Thread Arturo Borrero Gonzalez
On 16 August 2017 at 22:42, Eric Leblond  wrote:
>
> Hello,
>
> This patchset adds a basic high level libnftables to nftables code.
> It is currently supporting running a command from a buffer or from
> a file as well as batch support allowing to chain commands and commit
> them at once.
>
> The API is mostly using existing structures such as nft_ctx that are
> updated to contain enough information. It also adds a structure
> dedicated to batch.
>

Great work Eric, thanks!

Some comments below.

> A simple program running a command is the following:
>
> nft_global_init();
> nft = nft_context_new();
> nft_context_set_print_func(nft, my_print, buf);

^^^
A minor thing: Did you evaluate merging these two? Setting the print
function directly when allocating a new context.


> rc = nft_run_command_from_buffer(nft, CMD, sizeof(CMD));
> if (rc != NFT_EXIT_SUCCESS) {
> nft_get_error(nft, err_buf, sizeof(err_buf));
> printf("%s\n", err_buf);
> return -1;
> }
> nft_context_free(nft);
> nft_global_deinit();
>
> Transaction support is similar with:
>
> nft = nft_context_new();
> batch = nft_batch_start(nft);
> if (nft_batch_add(nft, batch, ADD1, strlen(ADD1)) !=0) {
> printf("FAIL add 1\n");
> goto out;
> }
> if (nft_batch_add(nft, batch, ADD2, strlen(ADD2)) !=0) {
> printf("FAIL add 2\n");
> goto out;
> }
> if (nft_batch_commit(nft, batch) != 0) {

^^^
Is error handling here like in the other case, i.e. running nft_get_error()?

> goto out;
> }
>
> out:
> nft_batch_free(batch);
> nft_context_free(nft);
> nft_global_deinit();
>
> The library provides a way to get standard output via 
> nft_context_set_print_func
> and error handling is done via nft_get_error that get error message in a 
> buffer.
>
> This is early stage code as it does not feature things like set handling but 
> IMO
> it can already be used as a starting point to build more things.
>

Any special challenge with sets?

On a side note, I remember in NFWS 2017 we discussed the possibility
of libnftables being a separate source project, i.e. a standalone
repository.
Now that I see your patches, what I see is that libnftables is mostly
all the code, while nft itself is very little code.
Still, with my Debian hat on, I think that different repositories are good to have.

One more comment: perhaps it is a good idea to release nftables v0.8 before
introducing this code into the repository. We may end up not releasing
nftables for quite a long time.


[conntrack-tools PATCH] tests: don't fail on modprobe since the driver might be built-in

2017-08-15 Thread Arturo Borrero Gonzalez
From: Steve Langasek <steve.langa...@ubuntu.com>

Any of these nf drivers could be built-ins instead of modules; don't cause
the testsuite to fail on modprobe, instead let it proceed and succeed/fail
later based on actual test results.

Ideally we would check up front if the driver is loaded rather than trying
to modprobe and ignoring failures, but there doesn't seem to be a reliable
place to check this in the kernel filesystem.

Signed-off-by: Steve Langasek <steve.langa...@ubuntu.com>
Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org>
---
 tests/conntrack/run-test.sh |   14 --
 tests/nfct/run-test.sh  |   14 --
 2 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/tests/conntrack/run-test.sh b/tests/conntrack/run-test.sh
index 1403e2c..1c1f8e4 100644
--- a/tests/conntrack/run-test.sh
+++ b/tests/conntrack/run-test.sh
@@ -10,10 +10,12 @@ gcc test-conntrack.c -o test
 #
 # XXX: module auto-load not support by nfnetlink_cttimeout yet :-(
 #
-modprobe nf_conntrack_ipv4
-modprobe nf_conntrack_ipv6
-modprobe nf_conntrack_proto_udplite
-modprobe nf_conntrack_proto_sctp
-modprobe nf_conntrack_proto_dccp
-modprobe nf_conntrack_proto_gre
+# any or all of these might be built-ins rather than modules, so don't error
+# out on failure from modprobe
+modprobe nf_conntrack_ipv4 || true
+modprobe nf_conntrack_ipv6 || true
+modprobe nf_conntrack_proto_udplite || true
+modprobe nf_conntrack_proto_sctp || true
+modprobe nf_conntrack_proto_dccp || true
+modprobe nf_conntrack_proto_gre || true
 ./test testcases
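Review bot: `modprobe ... || true` also swallows a genuinely missing module (a misspelled name, or a feature the running kernel was built without), so the suite then fails later in `./test testcases` with no hint as to why. Since the commit message says there is no reliable place to check for built-ins, at least keep the evidence in the log, e.g. `modprobe nf_conntrack_ipv4 || echo "nf_conntrack_ipv4: modprobe failed (built-in or missing)"`, so a later test failure can be read together with what modprobe did.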
diff --git a/tests/nfct/run-test.sh b/tests/nfct/run-test.sh
index 851ee75..f5f220b 100644
--- a/tests/nfct/run-test.sh
+++ b/tests/nfct/run-test.sh
@@ -11,10 +11,12 @@ gcc test.c -o test
 #
 # XXX: module auto-load not support by nfnetlink_cttimeout yet :-(
 #
-modprobe nf_conntrack_ipv4
-modprobe nf_conntrack_ipv6
-modprobe nf_conntrack_proto_udplite
-modprobe nf_conntrack_proto_sctp
-modprobe nf_conntrack_proto_dccp
-modprobe nf_conntrack_proto_gre
+# any or all of these might be built-ins rather than modules, so don't error
+# out on failure from modprobe
+modprobe nf_conntrack_ipv4 || true
+modprobe nf_conntrack_ipv6 || true
+modprobe nf_conntrack_proto_udplite || true
+modprobe nf_conntrack_proto_sctp || true
+modprobe nf_conntrack_proto_dccp || true
+modprobe nf_conntrack_proto_gre || true
 ./test timeout
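Review bot: this block is now an exact copy of the one in tests/conntrack/run-test.sh; a loop over the module names (`for m in nf_conntrack_ipv4 nf_conntrack_ipv6 ...; do modprobe "$m" || true; done`) or a snippet sourced by both scripts would keep the two lists from drifting apart, and the `not support by` wording in the unchanged comment just above could be fixed in the same pass.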



[conntrack-tools PATCH] conntrackd: remove warning for -S

2017-08-09 Thread Arturo Borrero Gonzalez
Remove the warning message for the -S option which has been deprecated for
years now.

Users calling conntrackd with this switch activated will now get an error.

Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org>
---
 src/main.c |3 ---
 1 file changed, 3 deletions(-)

diff --git a/src/main.c b/src/main.c
index 3b19160..7062e12 100644
--- a/src/main.c
+++ b/src/main.c
@@ -281,9 +281,6 @@ int main(int argc, char *argv[])
action = STATS;
}
break;
-   case 'S':
-   dlog(LOG_WARNING,"-S option is obsolete. Ignoring.");
-   break;
case 'n':
set_operation_mode(, REQUEST, argv);
action = REQUEST_DUMP;
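Review bot: removing the `case 'S':` arm only changes which branch of the switch handles `-S`; the getopt option string and the usage text are not in this hunk. If `S` is still listed in the option string, the option is still accepted and falls through to the switch's default branch, and if it is not, getopt reports it as unknown. The commit message's claim that users "will now get an error" depends on which of the two it is, so drop `S` from the option string and the help output in the same patch to make the behaviour explicit.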



[nft PATCH] monitor: add debug messages

2017-07-12 Thread Arturo Borrero Gonzalez
Add some debug messages in the monitor/trace code paths to ease development
and debugging in case of errors.

After this patch, running 'nft monitor --debug=mnl,netlink' is more verbose.

Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org>
---
 src/mnl.c |7 +++
 src/netlink.c |   39 +++
 2 files changed, 46 insertions(+)

diff --git a/src/mnl.c b/src/mnl.c
index da7c090..cf060a4 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -1139,6 +1139,13 @@ int mnl_nft_event_listener(struct mnl_socket *nf_sock,
fprintf(stdout, "# ERROR: %s\n", strerror(errno));
break;
}
+
+#ifdef DEBUG
+   if (debug_level & DEBUG_MNL) {
+   mnl_nlmsg_fprintf(stdout, buf, sizeof(buf),
+ sizeof(struct nfgenmsg));
+   }
+#endif /* DEBUG */
ret = mnl_cb_run(buf, ret, 0, 0, cb, cb_data);
if (ret <= 0)
break;
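Review bot: `mnl_nlmsg_fprintf(stdout, buf, sizeof(buf), ...)` dumps the whole receive buffer instead of the `ret` bytes actually received, which is the length the next line hands to `mnl_cb_run(buf, ret, ...)`; the tail of the buffer is stale data from earlier reads or never-written memory, so the debug output will show bogus "messages" after the real one. Use the received length: `mnl_nlmsg_fprintf(stdout, buf, ret, sizeof(struct nfgenmsg));`.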
diff --git a/src/netlink.c b/src/netlink.c
index 880502c..50ed25f 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -2877,12 +2877,51 @@ static int netlink_events_trace_cb(const struct 
nlmsghdr *nlh, int type,
return MNL_CB_OK;
 }
 
+#ifdef DEBUG
+/* only those which could be useful listening to events */
+static const char *const nftnl_msg_types[NFT_MSG_MAX] = {
+   [NFT_MSG_NEWTABLE]  = "NFT_MSG_NEWTABLE",
+   [NFT_MSG_DELTABLE]  = "NFT_MSG_DELTABLE",
+   [NFT_MSG_NEWCHAIN]  = "NFT_MSG_NEWCHAIN",
+   [NFT_MSG_DELCHAIN]  = "NFT_MSG_DELCHAIN",
+   [NFT_MSG_NEWSET]= "NFT_MSG_NEWSET",
+   [NFT_MSG_DELSET]= "NFT_MSG_DELSET",
+   [NFT_MSG_NEWSETELEM]= "NFT_MSG_NEWSETELEM",
+   [NFT_MSG_DELSETELEM]= "NFT_MSG_DELSETELEM",
+   [NFT_MSG_NEWRULE]   = "NFT_MSG_NEWRULE",
+   [NFT_MSG_DELRULE]   = "NFT_MSG_DELRULE",
+   [NFT_MSG_TRACE] = "NFT_MSG_TRACE",
+   [NFT_MSG_NEWGEN]= "NFT_MSG_NEWGEN",
+   [NFT_MSG_NEWOBJ]= "NFT_MSG_NEWOBJ",
+   [NFT_MSG_DELOBJ]= "NFT_MSG_DELOBJ",
+};
+
+static const char *nftnl_msgtype2str(uint16_t type)
+{
+   if (type >= NFT_MSG_MAX || !nftnl_msg_types[type])
+   return "unknown";
+
+   return nftnl_msg_types[type];
+}
+#endif /* DEBUG */
+
+static void netlink_events_debug(uint16_t type)
+{
+#ifdef DEBUG
+   if (!(debug_level & DEBUG_NETLINK))
+   return;
+
+   printf("netlink event: %s\n", nftnl_msgtype2str(type));
+#endif /* DEBUG */
+}
+
 static int netlink_events_cb(const struct nlmsghdr *nlh, void *data)
 {
int ret = MNL_CB_OK;
uint16_t type = NFNL_MSG_TYPE(nlh->nlmsg_type);
struct netlink_mon_handler *monh = (struct netlink_mon_handler *)data;
 
+   netlink_events_debug(type);
netlink_events_cache_update(monh, nlh, type);
 
if (!(monh->monitor_flags & (1 << type)))
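Review bot: `netlink_events_debug()` is compiled in both configurations but its body is under `#ifdef DEBUG`, so without DEBUG it is an empty function with an unused `type` parameter (a -Wunused-parameter warning under -Wextra) that is still called for every event. Placing the whole function under `#ifdef DEBUG` with an empty `static inline` fallback in an `#else` branch, as is already done for the table and `nftnl_msgtype2str()`, keeps the call site unchanged and avoids both. Also, the `nftnl_` prefix on `nftnl_msg_types` and `nftnl_msgtype2str()` suggests they come from libnftnl; a local name such as `nft_msg_types` would be less misleading.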



Re: [PATCH] monitor: fix printing of range elements in named sets

2017-07-12 Thread Arturo Borrero Gonzalez
On 11 July 2017 at 20:11, Phil Sutter <p...@nwl.cc> wrote:
> Hi,
>
> On Thu, Jul 06, 2017 at 04:36:45PM +0200, Arturo Borrero Gonzalez wrote:
>> If you add set elements to interval sets, the output is wrong.
>> Fix this by caching first element of the range (first event),
>> then wait for the second element of the range (second event) to
>> print them both at the same time.
>
> As promised, I am preparing my own solution for side-by-side comparison.
> Though I'm running into problems and want to use the occasion to discuss
> them first:
>
> What I wasn't able to solve yet are half-open ranges, like so:
>
> | nft add set ip t portrange { type inet_service; flags interval; }
> | nft add element ip t portrange { 1024-65535 }
>
> In this case there is only a single element with value 1024 which
> doesn't have EXPR_F_INTERVAL_END set. Looking at
> interval_map_decompose(), this is identified to be a range till the end
> of the scope if it's the last element in the set.
>
> In monitor code though, I can't predict whether an interval end element
> will come afterwards or not, so I end up caching the element and
> everything turns into a mess. I'm pretty sure your solution has the same
> problem, could you check that?
>
> Right now, I only see two ways to get this sorted:
>
> 1) Change kernel code to always include both start and end of a range in
>a single notification. This would eliminate the need for any caching
>in netlink_events_setelem_cb() altogether!
>
> 2) Change monitor code to cache all events until the final NFTA_GEN_ID
>message, then handle all messages at once.
>
> What do you think?
>

We should avoid touching the kernel for this.

Anyway, my patch doesn't solve the same issue for deleting range elements.
In this patch I added the logic in netlink_events_setelem_cb(), but
probably a better place for this is in the netlink_events_cache_update()
routine.

I'm sending a patch to add a bit of debugging to the monitor code path
while we solve this issue.


[PATCH] monitor: fix printing of range elements in named sets

2017-07-06 Thread Arturo Borrero Gonzalez
If you add set elements to interval sets, the output is wrong.
Fix this by caching first element of the range (first event),
then wait for the second element of the range (second event) to
print them both at the same time.

We also avoid printing the first null element required in the RB tree.

Before this patch:

% nft add element t s {10-20, 30-40}
add element ip t s { 0 }
add element ip t s { 10 }
add element ip t s { ftp }
add element ip t s { 30 }
add element ip t s { 41 }

After this patch:

% nft add element t s {10-20, 30-40}
add element ip t s { 10-20 }
add element ip t s { 30-40 }

CC: Phil Sutter <p...@nwl.cc>
Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org>
---

This was discussed during Netfilter Workshop 2017 in Faro, Portugal.
I think Phil has another patch to address this issue from a different
approach.

 include/rule.h |2 ++
 src/netlink.c  |   50 ++
 2 files changed, 52 insertions(+)

diff --git a/include/rule.h b/include/rule.h
index 7424b21..1b44e4c 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -217,6 +217,7 @@ extern struct rule *rule_lookup(const struct chain *chain, 
uint64_t handle);
  * @datalen:   mapping data len
  * @objtype:   mapping object type
  * @init:  initializer
+ * @rg_cache:  cached range element (left)
  * @policy:set mechanism policy
  * @desc:  set mechanism desc
  */
@@ -234,6 +235,7 @@ struct set {
unsigned intdatalen;
uint32_tobjtype;
struct expr *init;
+   struct expr *rg_cache;
uint32_tpolicy;
struct {
uint32_tsize;
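Review bot: `rg_cache` is a new owned pointer in `struct set`, but nothing in this patch shows it being initialised in set_alloc() or released in set_free(); unless set_alloc() zero-fills the structure, a set that never caches a range start carries whatever was in that field, and a set freed while a start element is still cached leaks the clone. Initialise it explicitly and free it in set_free().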
diff --git a/src/netlink.c b/src/netlink.c
index 880502c..ad0e712 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -2198,6 +2198,46 @@ out:
return MNL_CB_OK;
 }
 
+/* returns true if the event should be ignored (i.e. null element) */
+static bool netlink_event_ignore_range_event(struct nftnl_set_elem *nlse)
+{
+uint32_t flags = 0;
+
+   if (nftnl_set_elem_is_set(nlse, NFTNL_SET_ELEM_FLAGS))
+   flags = nftnl_set_elem_get_u32(nlse, NFTNL_SET_ELEM_FLAGS);
+   if (!(flags & NFT_SET_ELEM_INTERVAL_END))
+   return false;
+
+   if (nftnl_set_elem_get_u32(nlse, NFTNL_SET_ELEM_KEY) != 0)
+   return false;
+
+   return true;
+}
+
+/* returns true if the we cached the range element */
+static bool netlink_event_range_cache(struct set *cached_set,
+ struct set *dummyset)
+{
+   struct expr *elem;
+
+   /* not an interval ? */
+   if (!(cached_set->flags & NFT_SET_INTERVAL))
+   return false;
+
+   /* cache first element of the range */
+   elem = list_entry(dummyset->init->expressions.prev, struct expr, list);
+   if (!(elem->flags & EXPR_F_INTERVAL_END)) {
+   cached_set->rg_cache = expr_clone(elem);
+   return true;
+   }
+
+   /* we have all the information now */
+   compound_expr_add(dummyset->init, cached_set->rg_cache);
+   interval_map_decompose(dummyset->init);
+
+   return false;
+}
+
 static int netlink_events_setelem_cb(const struct nlmsghdr *nlh, int type,
 struct netlink_mon_handler *monh)
 {
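Review bot: ownership of `rg_cache` is unclear in `netlink_event_range_cache()`: `compound_expr_add(dummyset->init, cached_set->rg_cache)` links the cached expression into `dummyset->init`, which `set_free(dummyset)` frees, yet `cached_set->rg_cache` is left pointing at it and a later hunk calls `expr_free(set->rg_cache)` after printing, so the start element is freed twice. Clear the pointer when handing it over (`cached_set->rg_cache = NULL;`) and, in the caching branch, free any previous clone before overwriting it, otherwise two range starts in a row (the half-open range case raised in the thread) leak the first. Separately, `netlink_event_ignore_range_event()` compares only the first 32 bits of the key via `nftnl_set_elem_get_u32(nlse, NFTNL_SET_ELEM_KEY)`, so for wider key types such as ipv6_addr an end marker whose leading word happens to be zero is mistaken for the null element; compare the full key length instead.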
@@ -2240,6 +2280,11 @@ static int netlink_events_setelem_cb(const struct 
nlmsghdr *nlh, int type,
 
nlse = nftnl_set_elems_iter_next(nlsei);
while (nlse != NULL) {
+   if (netlink_event_ignore_range_event(nlse)) {
+   set_free(dummyset);
+   nftnl_set_elems_iter_destroy(nlsei);
+   goto out;
+   }
if (netlink_delinearize_setelem(nlse, dummyset) < 0) {
set_free(dummyset);
nftnl_set_elems_iter_destroy(nlsei);
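Review bot: the `goto out` taken when `netlink_event_ignore_range_event()` matches discards the whole notification, including any real elements that follow the zero end-marker in the same message. Skipping just that element (advance with `nlse = nftnl_set_elems_iter_next(nlsei); continue;`) would drop only the marker and keep the rest of the event.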
@@ -2251,6 +2296,10 @@ static int netlink_events_setelem_cb(const struct 
nlmsghdr *nlh, int type,
 
switch (type) {
case NFT_MSG_NEWSETELEM:
+   if (netlink_event_range_cache(set, dummyset)) {
+   set_free(dummyset);
+   goto out;
+   }
printf("add ");
break;
case NFT_MSG_DELSETELEM:
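Review bot: the range caching is only wired into the `NFT_MSG_NEWSETELEM` branch, so deleting a range element still prints start, end and marker as separate lines (as acknowledged later in the thread). If the fix stays in this callback, the same `netlink_event_range_cache()` call belongs in the `NFT_MSG_DELSETELEM` branch too; otherwise the commit message should say the change covers additions only.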
@@ -2264,6 +2313,7 @@ static int netlink_events_setelem_cb(const struct 
nlmsghdr *nlh, int type,
expr_print(dummyset->init, monh->ctx->octx);
printf("\n");
 
+   expr_free(set->rg_cache);
set_free(dummyset);
break;
case NFTNL_OUTPUT_XML:
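Review bot: `expr_free(set->rg_cache)` runs for every set element event that reaches this print path, including events on non-interval sets where `rg_cache` was never assigned, and the pointer is not reset afterwards, so the next event on the same set frees it again. Since the cached expression is linked into `dummyset->init` by netlink_event_range_cache() and released by the `set_free(dummyset)` on the next line, this call should go; reset `set->rg_cache = NULL` at the point where the clone is handed over instead.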


Re: using nft & iptables nat in parallel

2017-06-14 Thread Arturo Borrero Gonzalez
On 14 June 2017 at 11:58, Florian Westphal <f...@strlen.de> wrote:
> Arturo Borrero Gonzalez <art...@debian.org> wrote:
>> I'm curious, What is the use case of using both nftables and iptables
>> at the same time?
>> Some missing functionality in nft?
>> Perhaps some ipt->nft partial migration procedure?
>
> Yes, partial migration.
>
> Right now there are an awful lot of tools out there (docker, libvirt,
> kubernetes, ..) that call iptables(-restore) directly (or inject them via
> firewalld).
>

Well, I just quickly checked the firewalld code [0].
It relies so massively on ipXtables/ipset that I bet a migration to
nftables would require a major rewrite.

Not sure if iptables-compat addresses this case, or even a high level libnftables.

[0] https://github.com/t-woerner/firewalld/blob/master/src/firewall/core/ipXtables.py


Re: using nft & iptables nat in parallel

2017-06-14 Thread Arturo Borrero Gonzalez
On 14 June 2017 at 11:24, Florian Westphal  wrote:
>
> Another side effect is that this avoids the need to add (in nft case)
> the 'empty' nat base chains to take care of reply translation.
>

good!

> Thoughts?
>

I'm curious, what is the use case of using both nftables and iptables
at the same time?
Some missing functionality in nft?
Perhaps some ipt->nft partial migration procedure?

>
> This would also possibly allow us to add nat hooks in the INET family.

good!


[conntrack-tools PATCH v2] conntrackd: make the daemon run in RT mode by default

2017-06-12 Thread Arturo Borrero Gonzalez
In order to prevent netlink buffer overrun, conntrackd is recommended to run
at max priority.
Make conntrackd use a RT (SCHED_RR) scheduler by default at max priority.
This is common among other HA daemons. For example, corosync uses SCHED_RR
by default.
The scheduler configuration option is kept in order to allow admins to perform
fine-tuning, but it is deleted from example configuration files.

Note that this default sched priority is so high that it makes the nice value
useless, so deprecate the nice configuration. Anyway the nice value can be set
externally at runtime using nice/renice.

The code is moved to the init() routine. In case of error setting the
scheduler, the system default will be used. Report a message to the user
and continue working.

Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
---
v2: refresh manpages, keep scheduler configuration options while deprecating
nice

 conntrackd.conf.5|   35 ---
 doc/helper/conntrackd.conf   |   21 -
 doc/stats/conntrackd.conf|   19 ---
 doc/sync/alarm/conntrackd.conf   |   21 -
 doc/sync/ftfw/conntrackd.conf|   21 -
 doc/sync/notrack/conntrackd.conf |   21 -
 include/conntrackd.h |1 -
 src/main.c   |   28 
 src/read_config_yy.y |3 ++-
 src/run.c|   25 +
 10 files changed, 39 insertions(+), 156 deletions(-)

diff --git a/conntrackd.conf.5 b/conntrackd.conf.5
index a395e14..2ce6aa3 100644
--- a/conntrackd.conf.5
+++ b/conntrackd.conf.5
@@ -22,7 +22,7 @@
 .\" <http://www.gnu.org/licenses/>.
 .\" %%%LICENSE_END
 .\"
-.TH CONNTRACKD.CONF 5 "May 09, 2017"
+.TH CONNTRACKD.CONF 5 "June 09, 2017"
 
 .SH NAME
 conntrackd.conf \- configuration file for conntrackd daemon
@@ -480,14 +480,10 @@ By default runtime support is disabled.
 
 .TP
 .BI "Nice "
-Set the \fBnice(1)\fP value of the daemon, this value goes from -20 (most
-favorable scheduling) to 19 (least favorable). Using a very low value reduces
-the chances to lose state-change events.
-
-Example: Nice -20
-
-Default is 0 but this example sets it to most favourable scheduling as
-this is generally a good idea.
+Deprecated. Conntrackd ignores this option and it will be removed in the
+future. Please note that you can run \fBnice(1)\fP and \fBrenice(1)\fP
+externally. Also note that \fBconntrackd(8)\fP now uses by default a RT
+scheduler.
 
 .TP
 .BI "HashSize "
@@ -731,8 +727,9 @@ Example:
 Select a different scheduler for the daemon, you can select between \fBRR\fP
 and \fBFIFO\fP and the process priority.
 
-See \fBsched_setscheduler(2)\fP for more information. Using a RT scheduler
-reduces the chances to overrun the Netlink buffer.
+Using a RT scheduler reduces the chances to overrun the Netlink buffer and
+\fBconntrackd(8)\fP uses by default \fBRR\fP unless \fBFIFO\fP is selected.
+See \fBsched_setscheduler(2)\fP for more information.
 
 Example:
 .nf
@@ -746,12 +743,15 @@ Example:
 .BI "Type "
 Supported values are \fBRR\fP or \fBFIFO\fP.
 
+Default: RR
+
 .TP
 .BI "Priority "
 Value of the scheduler priority.
-
 Minimum is 0, maximum is 99.
 
+Default: 99 (as returned by \fBsched_get_priority_max(2)\fP for \fBSCHED_RR\fP)
+
 .SH STATS
 This top-level section indicates \fBconntrackd(8)\fP to work as a statistic
 collector for the nf_conntrack linux kernel subsystem.
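Review bot: "Default: 99" documents the new default but not its preconditions or failure mode: the commit message says that when setting the scheduler fails (for example when the daemon is started without the privilege to request a real-time policy) a message is reported and the system default scheduler is used, which an administrator reading only this man page would not learn. Add a sentence to the Scheduler section saying so, and that the deprecated Nice value has no effect in either case.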
@@ -904,7 +904,6 @@ Stats {
 }
 General {
Systemd on
-   Nice -1
HashSize 8192
HashLimit 65535
Syslog on
@@ -969,11 +968,6 @@ Sync {
 }
 General {
Systemd on
-   Nice -20
-   Scheduler {
-   Type FIFO
-   Priority 99
-   }
HashSize 32768
HashLimit 131072
LogFile on
@@ -1031,11 +1025,6 @@ Sync {
 }
 General {
Systemd on
-   Nice -20
-   Scheduler {
-   Type FIFO
-   Priority 99
-   }
HashSize 32768
HashLimit 131072
LogFile on
diff --git a/doc/helper/conntrackd.conf b/doc/helper/conntrackd.conf
index 1746bfd..4148544 100644
--- a/doc/helper/conntrackd.conf
+++ b/doc/helper/conntrackd.conf
@@ -103,27 +103,6 @@ Helper {
 #
 General {
#
-   # Set the nice value of the daemon, this value goes from -20
-   # (most favorable scheduling) to 19 (least favorable). Using a
-   # very low value reduces the chances to lose state-change events.
-   # Default is 0 but this example file sets it to most favourable
-   # scheduling as this is generally a good idea. See man nice(1) for
-   # more information.
-   #
-   Nice -20
-
-   #
-   # Select a different scheduler for the daemon, you can select between
-   # RR and FIFO and the process priority (min

Re: [conntrack-tools PATCH v2] In order to prevent netlink buffer overrun, conntrackd is recommended to run

2017-06-12 Thread Arturo Borrero Gonzalez
On 9 June 2017 at 15:06, Arturo Borrero Gonzalez <art...@debian.org> wrote:
> at max priority.

oops, ugly. Resending
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[conntrack-tools PATCH v2] In order to prevent netlink buffer overrun, conntrackd is recommended to run

2017-06-09 Thread Arturo Borrero Gonzalez
at max priority.
Make conntrackd use an RT (SCHED_RR) scheduler by default at max priority.
This is common among other HA daemons. For example corosync uses SCHED_RR
by default.
The scheduler configuration option is kept in order to allow admins to perform
fine-tuning, but it is deleted from example configuration files.

Note that this default sched priority is so high that it makes the nice value
useless, so deprecate the nice configuration. Anyway the nice value can be set
externally at runtime using nice/renice.

The code is moved to the init() routine. In case of error setting the
scheduler, the system default will be used. Report a message to the user
and continue working.

Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
---
v2: refresh manpages, keep scheduler configuration options

 conntrackd.conf.5|   35 ---
 doc/helper/conntrackd.conf   |   21 -
 doc/stats/conntrackd.conf|   19 ---
 doc/sync/alarm/conntrackd.conf   |   21 -
 doc/sync/ftfw/conntrackd.conf|   21 -
 doc/sync/notrack/conntrackd.conf |   21 -
 include/conntrackd.h |1 -
 src/main.c   |   28 
 src/read_config_yy.y |3 ++-
 src/run.c|   25 +
 10 files changed, 39 insertions(+), 156 deletions(-)

diff --git a/conntrackd.conf.5 b/conntrackd.conf.5
index a395e14..2ce6aa3 100644
--- a/conntrackd.conf.5
+++ b/conntrackd.conf.5
@@ -22,7 +22,7 @@
 .\" <http://www.gnu.org/licenses/>.
 .\" %%%LICENSE_END
 .\"
-.TH CONNTRACKD.CONF 5 "May 09, 2017"
+.TH CONNTRACKD.CONF 5 "June 09, 2017"
 
 .SH NAME
 conntrackd.conf \- configuration file for conntrackd daemon
@@ -480,14 +480,10 @@ By default runtime support is disabled.
 
 .TP
 .BI "Nice "
-Set the \fBnice(1)\fP value of the daemon, this value goes from -20 (most
-favorable scheduling) to 19 (least favorable). Using a very low value reduces
-the chances to lose state-change events.
-
-Example: Nice -20
-
-Default is 0 but this example sets it to most favourable scheduling as
-this is generally a good idea.
+Deprecated. Conntrackd ignores this option and it will be removed in the
+future. Please note that you can run \fBnice(1)\fP and \fBrenice(1)\fP
+externally. Also note that \fBconntrackd(8)\fP now uses by default a RT
+scheduler.
 
 .TP
 .BI "HashSize "
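Review bot: the new Nice text says the option is ignored but not what an admin will observe when a `Nice -20` line is still present in an existing config, which is exactly the upgrade case this deprecation creates. The diffstat lists a change to src/read_config_yy.y; if that change logs a deprecation warning, say so in the man page ("a warning is logged and the value is ignored"), and write "an RT scheduler" rather than "a RT scheduler".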
@@ -731,8 +727,9 @@ Example:
 Select a different scheduler for the daemon, you can select between \fBRR\fP
 and \fBFIFO\fP and the process priority.
 
-See \fBsched_setscheduler(2)\fP for more information. Using a RT scheduler
-reduces the chances to overrun the Netlink buffer.
+Using a RT scheduler reduces the chances to overrun the Netlink buffer and
+\fBconntrackd(8)\fP uses by default \fBRR\fP unless \fBFIFO\fP is selected.
+See \fBsched_setscheduler(2)\fP for more information.
 
 Example:
 .nf
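Review bot: the description should state what happens when the Scheduler block is absent and what happens when the RT policy cannot be applied, since both now affect every deployment. The commit message gives both answers (RR at the maximum priority by default; on error a message is logged and the system default scheduler is kept), and on Linux the switch to an RT policy needs CAP_SYS_NICE or a sufficient RLIMIT_RTPRIO, so an operator who starts conntrackd as an unprivileged user will silently get the default scheduler. Spelling this out here, with a hint to check the log or `chrt -p <pid>` after start, turns a surprising fallback into a documented one; also "a RT scheduler" should be "an RT scheduler".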
@@ -746,12 +743,15 @@ Example:
 .BI "Type "
 Supported values are \fBRR\fP or \fBFIFO\fP.
 
+Default: RR
+
 .TP
 .BI "Priority "
 Value of the scheduler priority.
-
 Minimum is 0, maximum is 99.
 
+Default: 99 (as returned by \fBsched_get_priority_max(2)\fP for \fBSCHED_RR\fP)
+
 .SH STATS
 This top-level section indicates \fBconntrackd(8)\fP to work as a statistic
 collector for the nf_conntrack linux kernel subsystem.
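Review bot: "Default: 99 (as returned by sched_get_priority_max(2) for SCHED_RR)" documents the maximum without its trade-off, and the removed blank line after "Value of the scheduler priority." is an unrelated whitespace change that belongs in a separate cleanup. Priority 99 is the top of the real-time range, so a conntrackd that spins (a bug, or a burst of events) can starve every other task on its CPU, including kernel threads at lower RT priorities, with only the kernel's RT throttling as a backstop. One sentence recommending a lower Priority on hosts that share CPUs with other workloads, and naming Priority as the knob to tune first, would make the new default safer to live with.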
@@ -904,7 +904,6 @@ Stats {
 }
 General {
Systemd on
-   Nice -1
HashSize 8192
HashLimit 65535
Syslog on
@@ -969,11 +968,6 @@ Sync {
 }
 General {
Systemd on
-   Nice -20
-   Scheduler {
-   Type FIFO
-   Priority 99
-   }
HashSize 32768
HashLimit 131072
LogFile on
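Review bot: dropping the `Scheduler { Type FIFO; Priority 99 }` block from the example changes what anyone who copied the example gets after upgrading: FIFO at 99 before, RR at 99 now. That matches the new default, but a line in the commit message or the man page saying the example moved from FIFO to RR would keep the policy switch from being a surprise when someone compares `chrt -p` output before and after.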
@@ -1031,11 +1025,6 @@ Sync {
 }
 General {
Systemd on
-   Nice -20
-   Scheduler {
-   Type FIFO
-   Priority 99
-   }
HashSize 32768
HashLimit 131072
LogFile on
diff --git a/doc/helper/conntrackd.conf b/doc/helper/conntrackd.conf
index 1746bfd..4148544 100644
--- a/doc/helper/conntrackd.conf
+++ b/doc/helper/conntrackd.conf
@@ -103,27 +103,6 @@ Helper {
 #
 General {
#
-   # Set the nice value of the daemon, this value goes from -20
-   # (most favorable scheduling) to 19 (least favorable). Using a
-   # very low value reduces the chances to lose state-change events.
-   # Default is 0 but this example file sets it to most favourable
-   # scheduling as this is generally a good idea. See man nice(1) for
-   # more information.
-   #
-   Nice -20
-
-   #
-   # Select a different scheduler for the daemon, you can select between
-   # RR and FIFO and the process priority (minimum is 0, maximum is 99).
-   # See man sched_setscheduler(2) for more inform
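Review bot: the sample config loses the whole explanation of the Scheduler option even though v2 deliberately keeps that option for fine-tuning (see the commit message), so a reader of the sample file no longer learns that the knob exists. Suggest leaving a short commented stub in its place, e.g.
# Scheduler: Type RR (default) or FIFO, Priority 0-99. conntrackd runs
# SCHED_RR at max priority unless this block overrides it.
instead of deleting the comment block outright.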

Re: [PATCH] tests: shell: Add test for ambiguity while setting the value

2017-06-09 Thread Arturo Borrero Gonzalez
On 9 June 2017 at 11:30, Shyam Saini  wrote:
> This test checks the bug identified and fixed in the commit mentioned below.
> In a statement, if there are multiple src data then it would be
> totally ambiguous to decide which value to set.
>
> We don't add this test in the python testsuite, because there we only have
> "ok" and "fail" as return codes. So, we can't detect 134 != 1 there.
> (both 1 and 134 state failure)
>
> Test: 986dea8 ("evaluate: avoid reference to multiple src data in statements 
> which set values")
> Signed-off-by: Shyam Saini 
> ---
>  .../testcases/sets/0023unknown_value_to_use_0  | 34 
> ++
>  1 file changed, 34 insertions(+)
>  create mode 100755 tests/shell/testcases/sets/0023unknown_value_to_use_0
>

Thanks Shyam,

minor things below, almost there!
Please send a v2 with the requested changes; as you can see, they
are cosmetic changes.

> diff --git a/tests/shell/testcases/sets/0023unknown_value_to_use_0 
> b/tests/shell/testcases/sets/0023unknown_value_to_use_0
> new file mode 100755
> index 000..011cedd
> --- /dev/null
> +++ b/tests/shell/testcases/sets/0023unknown_value_to_use_0
> @@ -0,0 +1,34 @@
> +#!/bin/bash
> +
> +   # This test checks bug identified and fixed in the commit Id 
> "986dea8".
> +   # i.e, If in a statement there are  multiple src data then it would 
> be totally ambiguous to decide which value to set.
> +
> +   # Before this commit 986dea8, nft returns 134 which indicates the bug 
> but after this commit it returns 1.
> +   # We don't add this test in python testsuite, because there we can't 
> detect 134 != 1 (returns code stating failure)
> +

Better remove the indentations.

> +declare -a rules=(
> +"tcp dport set {1, 2, 3}" "udp dport set {1, 2, 3}"
> +"meta pkttype set {unicast, multicast, broadcast}"
> +"meta mark set {0x, 0xcc}"
> +"ct mark set {0x11333, 0x11}" "ct zone set {123, 127}"
> +"ct label set {123, 127}"
> +"ct event set {new, related, destroy, label}"
> +"ether daddr set {01:00:5e:00:01:01, 01:00:5e:00:02:02}"
> +"ip saddr set {192.19.1.2, 191.1.22.1}"
> +)
> +

I don't really like this approach of using a bash array,
I think it makes things harder to understand and requires decoding
the rather complex bash variable expansions, but hey, it works, so OK.
I leave this up to you.

> +$NFT add table t
> +$NFT add chain t c
> +
> +for (( i = 0 ; i < ${#rules[@]} ; i++ ))
> +do
> +   $1

$1 <-- what does this do? I think we can safely remove it.

> +   `$NFT add rule t c ${rules[$i]} 2>>/dev/null`
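Review bot: the quoted hunk ends before the return-code check, and the whole point of the test (per the commit message) is that the exit status is exactly 1, not merely non-zero, because the old assert produced 134 (128 + SIGABRT). Make that explicit per rule, e.g.
$NFT add rule t c ${rules[$i]}
[ $? -eq 1 ] || exit 1
so a regression back to the abort is caught by the shell suite, and keep stderr unredirected so the error text is visible in `-v` runs.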

No need to run the command in `a subshell`. BTW, the $(...) syntax is preferred.

Also, no need to redirect stderr, we are actually interested in it.
In fact, if you delete the redirection and you run this test:

% sudo ./run-tests.sh testcases/sets/0023unknown_value_to_use_0
I: using nft binary ../../src/nft

I: [OK]testcases/sets/0023unknown_value_to_use_0
:1:28-36: Error: you cannot use a set here, unknown value to use
add rule t c tcp dport set {1, 2, 3}
 ~~^
:1:28-36: Error: you cannot use a set here, unknown value to use
add rule t c udp dport set {1, 2, 3}
 ~~^
[...]
:1:30-67: Error: you cannot use a set here, unknown value to use
add rule t c ether daddr set {01:00:5e:00:01:01, 01:00:5e:00:02:02}
 ^^
:1:27-50: Error: you cannot use a set here, unknown value to use
add rule t c ip saddr set {192.19.1.2, 191.1.22.1}
 ~

I: results: [OK] 1 [FAILED] 0 [TOTAL] 1

You get access to the actual error messages, which is useful to see
that the return code of 1 maps to the error message itself.

Still, if you run the complete testsuite (i.e., not a single test), you
can hide/show these messages using the '-v' switch.


Re: [PATCH 1/3] scanner: add files in include dirs in alphabetical order.

2017-06-08 Thread Arturo Borrero Gonzalez
On 8 June 2017 at 12:17, Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> On Wed, Jun 07, 2017 at 09:40:53PM +0200, Arturo Borrero Gonzalez wrote:
>> On 7 June 2017 at 10:35, Ismo Puustinen <ismo.puusti...@intel.com> wrote:
>> >
>> > +static int directoryfilter(const struct dirent *de)
>> > +{
>> > +   if (strcmp(de->d_name, ".") == 0 ||
>> > +   strcmp(de->d_name, "..") == 0)
>> > +   return 0;
>> > +
>> > +   /* Accept other filenames. If we want to enable filtering based on
>> > +* filename suffix (*.nft), this would be the place to do it.
>> > +*/
>> > +
>>
>> This filter by suffix is good to have IMHO.
>> I guess that forcing users to explicitly create a file for nftables
>> (or at least give a specific suffix) reduces chances for user errors.
>
> You mean, this new include directory feature just takes *.nft files,
> right?
>

Yes,

> Then, to keep it consistent, we should also display a warning for an
> included file with no .nft postfix. And deprecate the existing behaviour
> at some point, i.e. bail out if you include a file that has no trailing
> .nft in its name.
>
> If we follow this path, all ruleset files will end up using .nft as
> a trailer in the name.
>

but perhaps it makes sense to differentiate two cases:
 * include a single file: accept arbitrary names
 * include a whole dir: accept only files ending in .nft

This seems to be what sysctl(8) does when loading a single file vs a directory.
I'm thinking of a case where you have a README or other unrelated file in
the directory.

If the idea is to allow drop files (a good idea indeed), then being
explicit is a good approach.

> Is there any other similar software following this approach? How is
> 'ferm' doing this?

ferm seems to load arbitrary files. In the docs they suggest using
.ferm files but the code seems to allow whatever.
However, they have a set of regexps hardcoded to avoid loading things
like backup files and the like.
So, yes, probably forcing .nft is sensible.
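The two-case policy sketched in this reply, as an added C example that is not part of the nft patch or of ferm: `include_name_allowed` (a hypothetical name) accepts any explicitly named single file, while for a directory include it admits only `*.nft` names and skips dotfiles and editor backups, and `list_include_dir` feeds it to scandir(3) with alphasort(3) for the alphabetical order the patch subject asks for.

```c
#define _DEFAULT_SOURCE
#include <dirent.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical policy: an explicit "include file" accepts any name, an
 * "include dir/" takes only *.nft files and skips the noise a directory
 * tends to collect (README, dotfiles, editor backups and swap files). */
bool include_name_allowed(const char *name, bool from_directory)
{
	size_t len = strlen(name);

	if (len == 0 || strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
		return false;
	if (!from_directory)
		return true;		/* single file: the admin named it on purpose */
	if (name[0] == '.')
		return false;		/* hidden files, e.g. an editor's .foo.nft.swp */
	if (name[len - 1] == '~')
		return false;		/* editor backups such as foo.nft~ */
	if (len < 4 || strcmp(name + len - 4, ".nft") != 0)
		return false;		/* README and other unrelated files */
	return true;
}

/* scandir(3) filter with the same shape as the patch's directoryfilter(). */
int nft_directoryfilter(const struct dirent *de)
{
	return include_name_allowed(de->d_name, true) ? 1 : 0;
}

/* Collect the accepted entries of dir in alphabetical order, as the patch
 * subject requires (a 10-base.nft / 20-nat.nft naming then gives a stable
 * load order). Returns the number of entries or -1; the caller frees each
 * entry and the array. */
int list_include_dir(const char *dir, struct dirent ***entries)
{
	return scandir(dir, entries, nft_directoryfilter, alphasort);
}
```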


Re: [conntrack-tools PATCH 2/4] conntrackd: make the daemon run in RT mode by default

2017-06-07 Thread Arturo Borrero Gonzalez
On 6 June 2017 at 13:10, Pablo Neira Ayuso  wrote:
>
> But I think we should keep the Nice and Scheduler clauses. Just in
> case anyone wants to do this fine grain tunning.
>

The nice value can be changed at runtime externally using the
nice/renice commands. Perhaps it is a bit redundant to have it
included in the conntrackd code.
Also, nice values are somehow overridden by either SCHED_RR (our
default) or SCHED_FIFO.
Not sure if it makes sense to run in RT and then lower priority by
means of nice.

I'm tempted to just remove the nice thing in v2, what do you think?
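To make the point under discussion concrete (an RT policy at maximum priority, and nice being irrelevant once it is active), here is an added C example that is not conntrackd's code; the helper names policy_from_type, clamp_priority, apply_rt_scheduler and nice_is_effective are assumptions, and the RR/FIFO keywords are the ones from conntrackd.conf.

```c
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>

/* Map the conntrackd.conf Scheduler "Type" keyword to a policy; -1 if unknown. */
int policy_from_type(const char *type)
{
	if (strcmp(type, "RR") == 0)
		return SCHED_RR;
	if (strcmp(type, "FIFO") == 0)
		return SCHED_FIFO;
	return -1;
}

/* Keep a configured Priority inside the range the policy supports
 * (1..99 for SCHED_RR and SCHED_FIFO on Linux). */
int clamp_priority(int policy, int prio)
{
	int lo = sched_get_priority_min(policy);
	int hi = sched_get_priority_max(policy);

	if (prio < lo)
		return lo;
	if (prio > hi)
		return hi;
	return prio;
}

/* Apply an RT policy to the calling process. As the patch describes,
 * a failure (typically EPERM: no CAP_SYS_NICE and RLIMIT_RTPRIO too low)
 * is reported and the inherited scheduler is kept. Returns 0 or -1. */
int apply_rt_scheduler(int policy, int prio)
{
	struct sched_param sp;

	sp.sched_priority = clamp_priority(policy, prio);
	if (sched_setscheduler(0, policy, &sp) == -1) {
		fprintf(stderr, "cannot set RT scheduler (%s), using system default\n",
			strerror(errno));
		return -1;
	}
	return 0;
}

/* nice(1)/renice(1) only influence the non-RT policies; once the process
 * runs under SCHED_FIFO or SCHED_RR the nice value no longer matters, which
 * is the argument for deprecating the Nice option. Returns 1 if nice still
 * affects this process, 0 if an RT policy is active. */
int nice_is_effective(void)
{
	int policy = sched_getscheduler(0);

	return !(policy == SCHED_FIFO || policy == SCHED_RR);
}

int main(void)
{
	int policy = policy_from_type("RR");       /* the new conntrackd default */
	int prio = sched_get_priority_max(policy); /* ... at max priority */

	if (apply_rt_scheduler(policy, prio) == 0)
		printf("SCHED_RR at priority %d; nice effective: %d\n", prio,
		       nice_is_effective());
	else
		printf("kept the default scheduler; nice effective: %d\n",
		       nice_is_effective());
	return 0;
}
```

Run it once as an unprivileged user and once with CAP_SYS_NICE to see both paths the commit message describes.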


Re: [PATCH 1/3] scanner: add files in include dirs in alphabetical order.

2017-06-07 Thread Arturo Borrero Gonzalez
On 7 June 2017 at 10:35, Ismo Puustinen  wrote:
>
> +static int directoryfilter(const struct dirent *de)
> +{
> +   if (strcmp(de->d_name, ".") == 0 ||
> +   strcmp(de->d_name, "..") == 0)
> +   return 0;
> +
> +   /* Accept other filenames. If we want to enable filtering based on
> +* filename suffix (*.nft), this would be the place to do it.
> +*/
> +

This filter by suffix is good to have IMHO.
I guess that forcing users to explicitly create a file for nftables
(or at least give a specific suffix) reduces chances for user errors.


[conntrack-tools PATCH 1/4] conntrackd: evaluate configuration earlier

2017-06-06 Thread Arturo Borrero Gonzalez
Run the evaluation step sooner in the conntrackd startup routine.
Don't close log or unlink lockfile at this stage.

Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
---
 src/main.c |   20 +---
 1 file changed, 9 insertions(+), 11 deletions(-)

diff --git a/src/main.c b/src/main.c
index fb20f1d..4b6d17d 100644
--- a/src/main.c
+++ b/src/main.c
@@ -338,6 +338,15 @@ int main(int argc, char *argv[])
exit(EXIT_FAILURE);
}
 
+   /*
+* Evaluate configuration
+*/
+   if (evaluate() == -1) {
+   dlog(LOG_ERR, "conntrackd cannot start, please review your "
+"configuration");
+   exit(EXIT_FAILURE);
+   }
+
if (type == REQUEST) {
if (do_local_request(action, , local_step) == -1) {
dlog(LOG_ERR, "can't connect: is conntrackd "
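Review bot: moving evaluate() in front of the `type == REQUEST` branch means a client invocation (a request sent to a running daemon over the UNIX socket) now also fails when the config does not evaluate, and it fails with "conntrackd cannot start", which is misleading for a command that was never going to start a daemon. If validating the config for requests is intended, reword the message for that path; otherwise keep the call after the REQUEST branch but still before the log/lockfile setup, so the removed close_log()/unlink() cleanup stays unnecessary.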
@@ -383,17 +392,6 @@ int main(int argc, char *argv[])
}
 
/*
-* Evaluate configuration
-*/
-   if (evaluate() == -1) {
-   dlog(LOG_ERR, "conntrackd cannot start, please review your "
-"configuration");
-   close_log();
-   unlink(CONFIG(lockfile));
-   exit(EXIT_FAILURE);
-   }
-
-   /*
 * initialization process
 */
 



[conntrack-tools PATCH 2/4] conntrackd: make the daemon run in RT mode by default

2017-06-06 Thread Arturo Borrero Gonzalez
In order to prevent netlink buffer overrun, conntrackd is recommended to run
at max priority.
Make conntrackd use an RT (SCHED_RR) scheduler by default at max priority.
This is common among other HA daemons. For example corosync uses SCHED_RR
by default.
This change should help ease the configuration of conntrackd.

Note that a sched priority that high makes the nice value useless, so deprecate
both options now.

The code is moved to the init() routine. In case of error setting the
scheduler, the system default will be used. Report a message to the user
and continue working.

Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
---
 conntrackd.conf.5|   46 +++---
 doc/helper/conntrackd.conf   |   21 -
 doc/stats/conntrackd.conf|   19 
 doc/sync/alarm/conntrackd.conf   |   21 -
 doc/sync/ftfw/conntrackd.conf|   21 -
 doc/sync/notrack/conntrackd.conf |   21 -
 include/conntrackd.h |5 
 src/main.c   |   28 ---
 src/read_config_yy.y |   21 +
 src/run.c|   18 +++
 10 files changed, 28 insertions(+), 193 deletions(-)

diff --git a/conntrackd.conf.5 b/conntrackd.conf.5
index 94de327..1e56a1f 100644
--- a/conntrackd.conf.5
+++ b/conntrackd.conf.5
@@ -480,14 +480,8 @@ By default runtime support is disabled.
 
 .TP
 .BI "Nice "
-Set the \fBnice(1)\fP value of the daemon, this value goes from -20 (most
-favorable scheduling) to 19 (least favorable). Using a very low value reduces
-the chances to lose state-change events.
-
-Example: Nice -20
-
-Default is 0 but this example sets it to most favourable scheduling as
-this is generally a good idea.
+Deprecated. This option will be removed in the future.
+Conntrackd now uses by default a RT scheduler.
 
 .TP
 .BI "HashSize "
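Review bot: "Deprecated. This option will be removed in the future." does not say whether a Nice line in an existing config is still honoured, silently ignored, or rejected, which is what an admin needs to know before upgrading; state the current behaviour explicitly (v2 of this series does: ignored, with nice(1)/renice(1) as the external alternative).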
@@ -731,29 +725,8 @@ Example:
 .fi
 
 .SS SCHEDULER
-Select a different scheduler for the daemon, you can select between \fBRR\fP
-and \fBFIFO\fP and the process priority.
-
-See \fBsched_setscheduler(2)\fP for more information. Using a RT scheduler
-reduces the chances to overrun the Netlink buffer.
-
-Example:
-.nf
-   Scheduler {
-   Type FIFO
-   Priority 99
-   }
-.fi
-
-.TP
-.BI "Type "
-Supported values are \fBRR\fP or \fBFIFO\fP.
-
-.TP
-.BI "Priority "
-Value of the scheduler priority.
-
-Minimum is 0, maximum is 99.
+Deprecated. This section will be removed in the future.
+Conntrackd now uses by default a RT scheduler.
 
 .SH STATS
 This top-level section indicates \fBconntrackd(8)\fP to work as a statistic
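Review bot: replacing the whole SCHEDULER section with "Deprecated" removes the only supported way to run conntrackd below the maximum RT priority, and the man page no longer says what the daemon now does (the commit message says SCHED_RR at max priority). A hard-coded top RT priority with no opt-out is a sharp edge on hosts that share CPUs with other services; keep the Type/Priority options as tuning knobs, document the new default here, and deprecate only the Nice clause, which really is redundant under an RT policy.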
@@ -907,7 +880,6 @@ Stats {
 }
 General {
Systemd on
-   Nice -1
HashSize 8192
HashLimit 65535
Syslog on
@@ -973,11 +945,6 @@ Sync {
 }
 General {
Systemd on
-   Nice -20
-   Scheduler {
-   Type FIFO
-   Priority 99
-   }
HashSize 32768
HashLimit 131072
LogFile on
@@ -1036,11 +1003,6 @@ Sync {
 }
 General {
Systemd on
-   Nice -20
-   Scheduler {
-   Type FIFO
-   Priority 99
-   }
HashSize 32768
HashLimit 131072
LogFile on
diff --git a/doc/helper/conntrackd.conf b/doc/helper/conntrackd.conf
index 7eae8bc..abc4087 100644
--- a/doc/helper/conntrackd.conf
+++ b/doc/helper/conntrackd.conf
@@ -103,27 +103,6 @@ Helper {
 #
 General {
#
-   # Set the nice value of the daemon, this value goes from -20
-   # (most favorable scheduling) to 19 (least favorable). Using a
-   # very low value reduces the chances to lose state-change events.
-   # Default is 0 but this example file sets it to most favourable
-   # scheduling as this is generally a good idea. See man nice(1) for
-   # more information.
-   #
-   Nice -20
-
-   #
-   # Select a different scheduler for the daemon, you can select between
-   # RR and FIFO and the process priority (minimum is 0, maximum is 99).
-   # See man sched_setscheduler(2) for more information. Using a RT
-   # scheduler reduces the chances to overrun the Netlink buffer.
-   #
-   # Scheduler {
-   #   Type FIFO
-   #   Priority 99
-   # }
-
-   #
# Logfile: on (/var/log/conntrackd.log), off, or a filename
# Default: off
#
diff --git a/doc/stats/conntrackd.conf b/doc/stats/conntrackd.conf
index 6a9aec8..e62ad4b 100644
--- a/doc/stats/conntrackd.conf
+++ b/doc/stats/conntrackd.conf
@@ -11,25 +11,6 @@ General {
#Systemd on
 
#
-   # Set the nice value of the daemon. This value goes from -20
-   # (most favorable scheduling) to 19 (least favorable). Using a
-   # negative value reduces the chances to lose state-change events.
-   # Defa

[conntrack-tools PATCH 4/4] conntrackd: deprecate unix backlog configuration

2017-06-06 Thread Arturo Borrero Gonzalez
This configuration option doesn't add any value to users.
Use the magic value of 100 (i.e, the socket will keep 100 pending connections),
which I think is fair enough for what conntrackd can do in the unix socket.

Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
---
 conntrackd.conf.5|8 +---
 doc/helper/conntrackd.conf   |1 -
 doc/stats/conntrackd.conf|1 -
 doc/sync/alarm/conntrackd.conf   |1 -
 doc/sync/ftfw/conntrackd.conf|1 -
 doc/sync/notrack/conntrackd.conf |1 -
 include/local.h  |1 -
 src/local.c  |4 +++-
 src/read_config_yy.y |2 +-
 9 files changed, 5 insertions(+), 15 deletions(-)

diff --git a/conntrackd.conf.5 b/conntrackd.conf.5
index 1e56a1f..4785f47 100644
--- a/conntrackd.conf.5
+++ b/conntrackd.conf.5
@@ -603,7 +603,6 @@ Example:
 .nf
UNIX {
Path /var/run/conntrackd.ctl
-   Backlog 20
}
 .fi
 
@@ -615,9 +614,7 @@ Example: Path /var/run/conntrackd.ctl
 
 .TP
 .BI "Backlog "
-Number of items in the backlog.
-
-Example: Backlog 20
+Deprecated option.
 
 .SS FILTER
 Event filtering. This clause allows you to filter certain traffic.
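Review bot: "Deprecated option." leaves out the two facts an admin needs: that a Backlog value is now ignored rather than rejected, and what backlog is actually used. Say "ignored; conntrackd uses a fixed backlog of 100" so the man page matches the UNIX_SOCKET_BACKLOG constant introduced in src/local.c.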
@@ -886,7 +883,6 @@ General {
LockFile /var/lock/conntrack.lock
UNIX {
Path /var/run/conntrackd.ctl
-   Backlog 20
}
NetlinkBufferSize 262142
NetlinkBufferSizeMaxGrowth 655355
@@ -952,7 +948,6 @@ General {
LockFile /var/lock/conntrack.lock
UNIX {
Path /var/run/conntrackd.ctl
-   Backlog 20
}
NetlinkBufferSize 2097152
NetlinkBufferSizeMaxGrowth 8388608
@@ -1010,7 +1005,6 @@ General {
LockFile /var/lock/conntrack.lock
UNIX {
Path /var/run/conntrackd.ctl
-   Backlog 20
}
NetlinkBufferSize 2097152
NetlinkBufferSizeMaxGrowth 8388608
diff --git a/doc/helper/conntrackd.conf b/doc/helper/conntrackd.conf
index abc4087..4148544 100644
--- a/doc/helper/conntrackd.conf
+++ b/doc/helper/conntrackd.conf
@@ -124,6 +124,5 @@ General {
#
UNIX {
Path /var/run/conntrackd.ctl
-   Backlog 20
}
 }
diff --git a/doc/stats/conntrackd.conf b/doc/stats/conntrackd.conf
index e62ad4b..ba957a1 100644
--- a/doc/stats/conntrackd.conf
+++ b/doc/stats/conntrackd.conf
@@ -43,7 +43,6 @@ General {
#
UNIX {
Path /var/run/conntrackd.ctl
-   Backlog 20
}
 
#
diff --git a/doc/sync/alarm/conntrackd.conf b/doc/sync/alarm/conntrackd.conf
index f609310..831be15 100644
--- a/doc/sync/alarm/conntrackd.conf
+++ b/doc/sync/alarm/conntrackd.conf
@@ -262,7 +262,6 @@ General {
#
UNIX {
Path /var/run/conntrackd.ctl
-   Backlog 20
}
 
#
diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf
index f500637..9da0fb6 100644
--- a/doc/sync/ftfw/conntrackd.conf
+++ b/doc/sync/ftfw/conntrackd.conf
@@ -285,7 +285,6 @@ General {
#
UNIX {
Path /var/run/conntrackd.ctl
-   Backlog 20
}
 
#
diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf
index 718668d..600fc89 100644
--- a/doc/sync/notrack/conntrackd.conf
+++ b/doc/sync/notrack/conntrackd.conf
@@ -324,7 +324,6 @@ General {
#
UNIX {
Path /var/run/conntrackd.ctl
-   Backlog 20
}
 
#
diff --git a/include/local.h b/include/local.h
index f9121b1..22859d7 100644
--- a/include/local.h
+++ b/include/local.h
@@ -6,7 +6,6 @@
 #endif
 
 struct local_conf {
-   int backlog;
int reuseaddr;
char path[UNIX_PATH_MAX];
 };
diff --git a/src/local.c b/src/local.c
index 3395b4c..2b67885 100644
--- a/src/local.c
+++ b/src/local.c
@@ -26,6 +26,8 @@
 #include 
 #include 
 
+#define UNIX_SOCKET_BACKLOG 100
+
 int local_server_create(struct local_server *server, struct local_conf *conf)
 {
int fd;
@@ -53,7 +55,7 @@ int local_server_create(struct local_server *server, struct 
local_conf *conf)
return -1;
}
 
-   if (listen(fd, conf->backlog) == -1) {
+   if (listen(fd, UNIX_SOCKET_BACKLOG) == -1) {
close(fd);
unlink(conf->path);
return -1;
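Review bot: the new UNIX_SOCKET_BACKLOG constant needs a comment next to it on why 100 (the commit message's "fair enough for what conntrackd can do in the unix socket") and on the fact that listen(2) silently caps the backlog at net.core.somaxconn, so the effective value may be smaller on hosts that lower that sysctl. For a local control socket with a handful of clients this is fine, but the reasoning should live beside the number rather than only in the commit message.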
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index ef6b284..5dca1f6 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -650,7 +650,7 @@ unix_option : T_PATH T_PATH_VAL
 
 unix_option : T_BACKLOG T_NUMBER
 {
-   conf.local.backlog = $2;
+   dlog(LOG_WARNING, "deprecated unix backlog configuration.");
 };
 
 sync: T_SYNC '{' sync_list '}'
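Review bot: the warning "deprecated unix backlog configuration." should tell the admin that the value is ignored, and including the parsed number helps them find the offending line, e.g. `dlog(LOG_WARNING, "UNIX Backlog %d is deprecated and ignored", $2);`. The rule still accepts T_NUMBER, so the warning only fires for configs that set the option, which is the right behaviour for a smooth upgrade.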


[conntrack-tools PATCH 3/4] conntrackd: cleanup if failed forking

2017-06-06 Thread Arturo Borrero Gonzalez
Close the logs and lockfile if there is an error while forking.

Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
---
 src/main.c |2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/main.c b/src/main.c
index bab7772..3b19160 100644
--- a/src/main.c
+++ b/src/main.c
@@ -386,6 +386,8 @@ int main(int argc, char *argv[])
 
if ((pid = fork()) == -1) {
dlog(LOG_ERR, "fork has failed: %s", strerror(errno));
+   close_log();
+   unlink(CONFIG(lockfile));
exit(EXIT_FAILURE);
} else if (pid) {
sd_ct_mainpid(pid);
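Review bot: the cleanup order in the fork-failure path is close_log() followed by unlink(CONFIG(lockfile)), so a failed unlink can no longer be reported; swap the two calls and log a warning when unlink fails, so that a stale lockfile left behind after a fork failure is visible in the log instead of silently blocking the next start.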



[nft PATCH v2] evaluate: avoid reference to multiple src data in statements which set values

2017-05-26 Thread Arturo Borrero Gonzalez
Prevent this assert:

% nft [..] tcp dport set { 0 , 1 }
BUG: unknown expression type set reference
nft: netlink_linearize.c:696: netlink_gen_expr: Assertion `0' failed.
Aborted

We can't use a set here because we will not know which value to use.

With this patch, a proper error message is reported to users:

% nft add rule t c tcp dport set {1, 2, 3, 4, 5}
:1:28-42: Error: you cannot use a set here, unknown value to use
add rule t c tcp dport set {1, 2, 3, 4, 5}
 ~~^^^

% nft add rule t c tcp dport set @s
:1:28-29: Error: you cannot reference a set here, unknown value to use
add rule t c tcp dport set @s
 ~~^^

This error is reported to all statements which set values.

Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org>
---
v2: check all statements which set values as well

 src/evaluate.c |   15 +++
 1 file changed, 15 insertions(+)

diff --git a/src/evaluate.c b/src/evaluate.c
index 27cee98..095d3fa 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1759,6 +1759,21 @@ static int stmt_evaluate_arg(struct eval_ctx *ctx, 
struct stmt *stmt,
 "datatype mismatch: expected %s, "
 "expression has type %s",
 dtype->desc, (*expr)->dtype->desc);
+
+   /* we are setting a value, we can't use a set */
+   switch ((*expr)->ops->type) {
+   case EXPR_SET:
+   return stmt_binary_error(ctx, (*expr), stmt,
+"you cannot use a set here, unknown "
+"value to use");
+   case EXPR_SET_REF:
+   return stmt_binary_error(ctx, (*expr), stmt,
+"you cannot reference a set here, "
+"unknown value to use");
+   default:
+   break;
+   }
+
return 0;
 }
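Review bot: the new switch covers EXPR_SET and EXPR_SET_REF but the series carries no regression test, and because the check sits in stmt_evaluate_arg() it applies to every statement that sets a value. Add a shell test that feeds a set literal and a `@s` reference to each such statement (tcp/udp dport, meta mark, ct mark/zone/label, ether daddr, ip saddr) and asserts exit status 1 rather than the 134 of the old assert; and since a map expression does yield a single value and stays legitimate, keep the comment "we can't use a set" from tempting anyone to extend the switch to it.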
 


