Re: Proposal: rename of arptables.git and ebtables.git
On 12/4/18 11:57 AM, Pablo Neira Ayuso wrote:
> On Tue, Dec 04, 2018 at 11:50:46AM +0100, Arturo Borrero Gonzalez wrote:
>> On 11/28/18 2:10 PM, Arturo Borrero Gonzalez wrote:
>>> On 11/28/18 1:44 PM, Arturo Borrero Gonzalez wrote:
>>>> Hi,
>>>>
>>>> Now that the iptables.git repo offers arptables-nft and ebtables-nft,
>>>> arptables.git holds arptables-legacy, etc, why don't we just rename the
>>>> repos?
>>>>
>>>> * from arptables.git to arptables-legacy.git
>>>> * from ebtables.git to ebtables-legacy.git
>>>>
>>>> This rename should help distros understand the differences between them
>>>> and better accommodate the packaging of all the related tooling.
>>>>
>>>> Mind that the rename may have side effects in tarball
>>>> generation/publishing etc. I would expect the new arptables tarball to
>>>> include the '-legacy' keyword, and same for ebtables.
>>>>
>>>> If we go ahead with the rename, a new release is worth having,
>>>> announcing these changes as well.
>>>>
>>>
>>> Also,
>>>
>>> please consider applying the attached patch.
>>>
>>
>> ping :-)
>
> Phil suggested no rename of the trees, I can update the description in
> git.netfilter.org to place LEGACY there. Concern as you mentioned is
> that it may break existing links/scripts. Not sure git supports
> redirections from old repo URI to new one...
>

Most people use these tools from distributions and if using directly from
git.netfilter.org they won't have problems finding a new URL. If manually
downloading the tarball from netfilter.org, even less problem.

Distro packagers would have to refresh the upstream URL, sure, but that's
really a minor thing compared to the big -legacy -nft movement, which
requires a lot of other renaming and adjustments anyway.

My suggestion of the rename of the .git repo is because I already detected
several confused people who don't understand the relationship between
arptables-legacy, arptables-nft and the .git repos they are served from
(and same for ebtables).

Also, worth considering that having the repo clearly stating -legacy in the
name will help raise awareness of the -nft version, which could serve as
another motivation to encourage migration.

I don't even have a strong opinion on this :-) it was just a proposal
because I see several benefits.

> I think it's fine to apply a patch to add the "-legacy" postfix as we
> do in iptables.
>
> Are you OK with this approach?
>

I would apply the -legacy renaming patch regardless. We already did this
with arptables after the agreement @ NFWS. In fact, me sending the patch
now (instead of last summer) is just my lack of time to write it earlier :-)

Also, once the patch is applied, we should consider a release of both
arptables and ebtables now that iptables contains the -nft variant and is
being used in the wild.
Re: Proposal: rename of arptables.git and ebtables.git
On 11/28/18 2:10 PM, Arturo Borrero Gonzalez wrote:
> On 11/28/18 1:44 PM, Arturo Borrero Gonzalez wrote:
>> Hi,
>>
>> Now that the iptables.git repo offers arptables-nft and ebtables-nft,
>> arptables.git holds arptables-legacy, etc, why don't we just rename the
>> repos?
>>
>> * from arptables.git to arptables-legacy.git
>> * from ebtables.git to ebtables-legacy.git
>>
>> This rename should help distros understand the differences between them
>> and better accommodate the packaging of all the related tooling.
>>
>> Mind that the rename may have side effects in tarball
>> generation/publishing etc. I would expect the new arptables tarball to
>> include the '-legacy' keyword, and same for ebtables.
>>
>> If we go ahead with the rename, a new release is worth having,
>> announcing these changes as well.
>>
>
> Also,
>
> please consider applying the attached patch.
>

ping :-)
[PATCH nft] tests: fix return codes
Please, consider merging the attached patch. thanks. commit 3497067ca187047c61d89ccad6eab4ebf5df9219 Author: Arturo Borrero Gonzalez Date: Wed Nov 28 14:31:57 2018 +0100 tests: fix return codes Try to return != 0 if a testsuite fails. Signed-off-by: Arturo Borrero Gonzalez diff --git a/tests/build/run-tests.sh b/tests/build/run-tests.sh index 626f6fd..b0560da 100755 --- a/tests/build/run-tests.sh +++ b/tests/build/run-tests.sh @@ -52,4 +52,4 @@ done rm -rf $tmpdir echo "results: [OK] $ok [FAILED] $failed [TOTAL] $((ok+failed))" -exit 0 +exit $failed diff --git a/tests/monitor/run-tests.sh b/tests/monitor/run-tests.sh index f408988..0478cf6 100755 --- a/tests/monitor/run-tests.sh +++ b/tests/monitor/run-tests.sh @@ -17,7 +17,7 @@ fi testdir=$(mktemp -d) if [ ! -d $testdir ]; then echo "Failed to create test directory" >&2 - exit 0 + exit 1 fi trap "rm -rf $testdir; $nft flush ruleset" EXIT diff --git a/tests/shell/run-tests.sh b/tests/shell/run-tests.sh index 5b0ec41..fdca5fb 100755 --- a/tests/shell/run-tests.sh +++ b/tests/shell/run-tests.sh @@ -152,4 +152,4 @@ echo "" msg_info "results: [OK] $ok [FAILED] $failed [TOTAL] $((ok+failed))" kernel_cleanup -exit 0 +exit $failed
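Review bot: `exit $failed` at the end of tests/build/run-tests.sh and tests/shell/run-tests.sh turns the failure count into the exit status, and the kernel truncates that to 8 bits, so a run with exactly 256 (or 512, ...) failed tests exits 0 and a CI job reports success; use a boolean instead, e.g. `exit $((failed > 0))` or finish the script with `[ "$failed" -eq 0 ]`, and keep the count only in the printed summary. The monitor runner's `exit 0` to `exit 1` on mktemp failure is right as it is.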
Re: Proposal: rename of arptables.git and ebtables.git
On 11/28/18 1:44 PM, Arturo Borrero Gonzalez wrote:
> Hi,
>
> Now that the iptables.git repo offers arptables-nft and ebtables-nft,
> arptables.git holds arptables-legacy, etc, why don't we just rename the
> repos?
>
> * from arptables.git to arptables-legacy.git
> * from ebtables.git to ebtables-legacy.git
>
> This rename should help distros understand the differences between them
> and better accommodate the packaging of all the related tooling.
>
> Mind that the rename may have side effects in tarball
> generation/publishing etc. I would expect the new arptables tarball to
> include the '-legacy' keyword, and same for ebtables.
>
> If we go ahead with the rename, a new release is worth having,
> announcing these changes as well.
>

Also, please consider applying the attached patch.

thanks.

commit ee8a588338e7c75e90fcc49a69e3d3b018063828
Author: Arturo Borrero Gonzalez
Date:   Wed Nov 28 13:47:28 2018 +0100

    ebtables: legacy renaming

    The original ebtables tool is now the legacy version, let's rename it.
    A more up-to-date client of the ebtables tool is provided in the iptables
    tarball (ebtables-nft). The new tool was formerly known as ebtables-compat.

    The new -legacy binary has no problem if called via a symlink with the
    'ebtables' name, so users can still name this binary with whatever name.

    Signed-off-by: Arturo Borrero Gonzalez

diff --git a/Makefile.am b/Makefile.am
index 14938fe..b16a4d6 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -26,11 +26,11 @@ AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_srcdir}/include \ -DEBTD_PIPE=\"${PIPE}\" -DEBTD_PIPE_DIR=\"${PIPE_DIR}\" AM_CFLAGS = ${regular_CFLAGS} -sbin_PROGRAMS = ebtables ebtablesd ebtablesu ebtables-restore +sbin_PROGRAMS = ebtables-legacy ebtablesd ebtablesu ebtables-legacy-restore EXTRA_PROGRAMS = static examples/ulog/test_ulog sysconf_DATA = ethertypes -sbin_SCRIPTS = ebtables-save -man8_MANS = ebtables.8 +sbin_SCRIPTS = ebtables-legacy-save +man8_MANS = ebtables-legacy.8 lib_LTLIBRARIES = libebtc.la libebtc_la_SOURCES = \ @@ -47,21 +47,22 @@ libebtc_la_SOURCES = \ extensions/ebtable_nat.c # Make sure ebtables.c can be built twice libebtc_la_CPPFLAGS = ${AM_CPPFLAGS} -ebtables_SOURCES = ebtables-standalone.c -ebtables_LDADD = libebtc.la +ebtables_legacy_SOURCES = ebtables-standalone.c +ebtables_legacy_LDADD = libebtc.la ebtablesd_LDADD = libebtc.la -ebtables_restore_LDADD = libebtc.la +ebtables_legacy_restore_SOURCES = ebtables-restore.c +ebtables_legacy_restore_LDADD = libebtc.la static_SOURCES = ebtables.c static_LDFLAGS = -static static_LDADD = libebtc.la examples_ulog_test_ulog_SOURCES = examples/ulog/test_ulog.c getethertype.c daemon: ebtablesd ebtablesu -exec: ebtables ebtables-restore +exec: ebtables-legacy ebtables-legacy-restore -CLEANFILES = ebtables-save ebtables.sysv ebtables-config ebtables.8 +CLEANFILES = ebtables-legacy-save ebtables.sysv ebtables-config ebtables-legacy.8 -ebtables-save: ebtables-save.in ${top_builddir}/config.status +ebtables-legacy-save: ebtables-save.in ${top_builddir}/config.status ${AM_V_GEN}sed -e 's![@]sbindir@!${sbindir}!g' <$< >$@ ebtables.sysv: ebtables.sysv.in ${top_builddir}/config.status 
@@ -70,7 +71,7 @@ ebtables.sysv: ebtables.sysv.in ${top_builddir}/config.status ebtables-config: ebtables-config.in ${top_builddir}/config.status ${AM_V_GEN}sed -e 's![@]sysconfigdir@!${sysconfigdir}!g' <$< >$@ -ebtables.8: ebtables.8.in ${top_builddir}/config.status +ebtables-legacy.8: ebtables-legacy.8.in ${top_builddir}/config.status ${AM_V_GEN}sed -e 's![@]PACKAGE_VERSION!${PACKAGE_VERSION}!g' \ -e 's![@]PACKAGE_DATE@!${PROGDATE}!g' \ -e 's![@]LOCKFILE@!${LOCKFILE}!g' <$< >$@ diff --git a/ebtables.8.in b/ebtables-legacy.8.in similarity index 98% rename from ebtables.8.in rename to ebtables-legacy.8.in index 3e97c84..3417045 100644 --- a/ebtables.8.in +++ b/ebtables-legacy.8.in @@ -24,7 +24,7 @@ .\" .\" .SH NAME -ebtables (@PACKAGE_VERSION@) \- Ethernet bridge frame table administration +ebtables-legacy (@PACKAGE_VERSION@) \- Ethernet bridge frame table administration (legacy) .SH SYNOPSIS .BR "ebtables " [ -t " table ] " - [ ACDI "] chain rule specification [match extensions] [watcher extensions] target" .br @@ -50,6 +50,18 @@ ebtables (@PACKAGE_VERSION@) \- Ethernet bridge frame table administration .br .BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-save .br + +.SH LEGACY +This tool uses the old xtables/setsockopt framework, and is a legacy version +of ebtables. That means that a new, more modern tool exists with the same +functionality using the nf_tables framework and you are encouraged to migrate now. +The new binaries (known as ebtables-nft and formerly known as ebtables-compat) +uses the same syntax an
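Review bot: the Makefile.am hunk renames the binaries and the generated `ebtables-legacy-save` script but not what the scripts point at: `ebtables-save.in` is still only sed'd for `@sbindir@`, so if it runs `${sbindir}/ebtables` the renamed save script fails on an install that ships no `ebtables` symlink, and `ebtables.sysv`/`ebtables-config` (kept in CLEANFILES under their old names) have the same exposure. Check that the templates call `ebtables-legacy`, or state in the commit message that the symlink is required rather than merely tolerated, and say whether `ebtablesd`, `ebtablesu` and the `static` target keeping their names is intentional.

Review bot: in ebtables-legacy.8.in the NAME line is changed to `ebtables-legacy` but every `.BR "ebtables "` SYNOPSIS line still documents the bare `ebtables` command, which this patch no longer installs unless a symlink is added; either rename the SYNOPSIS entries as well or say in the new LEGACY section that the examples assume the symlink. In that section `The new binaries ... uses the same syntax` should read `use`.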
Proposal: rename of arptables.git and ebtables.git
Hi,

Now that the iptables.git repo offers arptables-nft and ebtables-nft,
arptables.git holds arptables-legacy, etc, why don't we just rename the
repos?

* from arptables.git to arptables-legacy.git
* from ebtables.git to ebtables-legacy.git

This rename should help distros understand the differences between them
and better accommodate the packaging of all the related tooling.

Mind that the rename may have side effects in tarball
generation/publishing etc. I would expect the new arptables tarball to
include the '-legacy' keyword, and same for ebtables.

If we go ahead with the rename, a new release is worth having,
announcing these changes as well.
[PATCH iptables] old patch from Debian for iptables-apply
Hi,

this is an old patch from Debian to do some upgrades to iptables-apply.
Please, consider merging it to master.

The piece of code itself is pretty old, uses some Debian-specific
constructs, and tries to call the fail2ban sysvinit script. So a lot of
wrong stuff that tempts me to just drop the code (or at least, don't
install it). But hey, I'm sure there are people out there using it so...

regards.

From: Laurence J. Lane
Subject: [PATCH] iptables: update iptables-apply to v1.1

This is GW's update to iptables-apply. It does a code cleanup and adds two
options: one runs a command and the other writes the successful rules file.

I modified the script to use mktemp instead of tempfile. I also fixed a
couple of hyphens in the man page addition.

Signed-off-by: Laurence J. Lane
Signed-off-by: Arturo Borrero Gonzalez
---
 iptables-apply | 310 
 iptables-apply.8.in | 48 +---
 2 files changed, 247 insertions(+), 111 deletions(-)
--- a/iptables/iptables-apply
+++ b/iptables/iptables-apply
@@ -1,174 +1,294 @@ #!/bin/bash -# # iptables-apply -- a safer way to update iptables remotely # -# Copyright © Martin F. Krafft +# Usage: +# iptables-apply [-hV] [-t timeout] [-w savefile] {[rulesfile]|-c [runcmd]} +# +# Versions: +# * 1.0 Copyright 2006 Martin F. Krafft +# Original version +# * 1.1 Copyright 2010 GW http://gw.tnode.com/> +# Added parameter -c (run command) +# Added parameter -w (save successfully applied rules to file) +# Major code cleanup +# # Released under the terms of the Artistic Licence 2.0 # set -eu -PROGNAME="${0##*/}"; -VERSION=1.0 +PROGNAME="${0##*/}" +VERSION=1.1 + + +### Default settings + +DEF_TIMEOUT=10 + +MODE=0 # apply rulesfile mode +# MODE=1 # run command mode + +case "$PROGNAME" in + (*6*) + SAVE=ip6tables-save + RESTORE=ip6tables-restore + DEF_RULESFILE="/etc/network/ip6tables.up.rules" + DEF_SAVEFILE="$DEF_RULESFILE" + DEF_RUNCMD="/etc/network/ip6tables.up.run" + ;; + (*) + SAVE=iptables-save + RESTORE=iptables-restore + DEF_RULESFILE="/etc/network/iptables.up.rules" + DEF_SAVEFILE="$DEF_RULESFILE" + DEF_RUNCMD="/etc/network/iptables.up.run" + ;; +esac + -TIMEOUT=10 +### Functions -function blurb() -{ - cat <<-_eof +function blurb() { + cat <<-__EOF__ $PROGNAME $VERSION -- a safer way to update iptables remotely - _eof + __EOF__ } -function copyright() -{ - cat <<-_eof - $PROGNAME is C Martin F. Krafft . - - The program has been published under the terms of the Artistic Licence 2.0 - _eof +function copyright() { + cat <<-__EOF__ + $PROGNAME has been published under the terms of the Artistic Licence 2.0. + + Original version - Copyright 2006 Martin F. Krafft . + Version 1.1 - Copyright 2010 GW http://gw.tnode.com/>. 
+ __EOF__ } -function about() -{ +function about() { blurb echo copyright } -function usage() -{ - cat <<-_eof - Usage: $PROGNAME [options] ruleset - - The script will try to apply a new ruleset (as output by iptables-save/read - by iptables-restore) to iptables, then prompt the user whether the changes - are okay. If the new ruleset cut the existing connection, the user will not - be able to answer affirmatively. In this case, the script rolls back to the - previous ruleset. - - The following options may be specified, using standard conventions: - - -t | --timeout Specify the timeout in seconds (default: $TIMEOUT) - -V | --version Display version information - -h | --help Display this help text - _eof +function usage() { + blurb + echo + cat <<-__EOF__ + Usage: + $PROGNAME [-hV] [-t timeout] [-w savefile] {[rulesfile]|-c [runcmd]} + + The script will try to apply a new rulesfile (as output by iptables-save, + read by iptables-restore) or run a command to configure iptables and then + prompt the user whether the changes are okay. If the new iptables rules cut + the existing connection, the user will not be able to answer affirmatively. + In this case, the script rolls back to the previous working iptables rules + after the timeout expires. + + Successfully applied rules can also be written to savefile and later used + to roll back to this state. This can be used to implement a store last good + configuration mechanism when experimenting with an iptables setup script: + $PROGNAME -w $DEF_SAVEFILE -c $DEF_RUNCMD + + When called as ip6tables-apply, the script will use ip6tables-save/-restore + and IPv6 default values instead. Default value for rulesfile is + '$DEF_RULESFILE'. + + Options: + + -t seconds, --timeout seconds + Specify the timeout in seconds (default: $DEF_TIMEOUT). + -w savefile, --write savefile + Specify the savefile where successfully applied rules will be written to + (default if empty string is given: $DEF_SAVEFILE). 
+ -c runcmd, --command runcmd + Run command runcmd to con
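Review bot: `DEF_SAVEFILE="$DEF_RULESFILE"` in both `case` branches makes `-w ''` default to the very file the rules are read from, so a default run with `-w` rewrites `/etc/network/iptables.up.rules` in `iptables-save` format and silently drops any comments the admin kept in it; either refuse a savefile equal to the rulesfile or document that it is overwritten. Two smaller points in the same hunk: `(*6*)` in `case "$PROGNAME"` selects IPv6 mode for any invocation name that merely contains a 6, so match `ip6tables-apply*` explicitly; and the `blurb`/`copyright`/`usage` heredocs use `<<-__EOF__`, which strips leading tabs only, so the indentation of those bodies must stay tabs or the leading whitespace is printed.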
[arptables PATCH] arptables: legacy renaming
The original arptables tool is now the legacy version, let's rename it. A more uptodate client of the arptables tool is provided in the iptables tarball. The new tool was formerly known as arptables-compat. The new -legacy binary should have no problem if called via a symlink. Signed-off-by: Arturo Borrero Gonzalez --- Makefile | 12 +- arptables-legacy.8 | 352 arptables.8| 340 -- arptables.c|2 4 files changed, 359 insertions(+), 347 deletions(-) create mode 100644 arptables-legacy.8 delete mode 100644 arptables.8 diff --git a/Makefile b/Makefile index 139c9ca..5f3f812 100644 --- a/Makefile +++ b/Makefile @@ -10,7 +10,7 @@ man8dir=$(MANDIR)/man8 SYSCONFIGDIR:=/etc/sysconfig DESTDIR:= -MANS = arptables.8 arptables-save.8 arptables-restore.8 +MANS = arptables-legacy.8 arptables-save.8 arptables-restore.8 COPT_FLAGS:=-O2 CFLAGS:=$(COPT_FLAGS) -Wall -Wunused -I$(KERNEL_DIR)/include/ -Iinclude/ -DARPTABLES_VERSION=\"$(ARPTABLES_VERSION)\" #-g -DDEBUG #-pg # -DARPTC_DEBUG @@ -21,7 +21,7 @@ endif include extensions/Makefile -all: arptables libarptc/libarptc.a +all: arptables-legacy libarptc/libarptc.a arptables.o: arptables.c $(CC) $(CFLAGS) -c -o $@ $< @@ -35,10 +35,10 @@ libarptc/libarptc.o: libarptc/libarptc.c libarptc/libarptc_incl.c libarptc/libarptc.a: libarptc/libarptc.o $(AR) rcs $@ $< -arptables: arptables-standalone.o arptables.o libarptc/libarptc.o $(EXT_OBJS) +arptables-legacy: arptables-standalone.o arptables.o libarptc/libarptc.o $(EXT_OBJS) $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ -$(DESTDIR)$(BINDIR)/arptables: arptables +$(DESTDIR)$(BINDIR)/arptables-legacy: arptables-legacy mkdir -p $(DESTDIR)$(BINDIR) install -m 0755 $< $@ 
@@ -58,11 +58,11 @@ install-man: $(MANS) install -m 0644 $^ $(DESTDIR)$(man8dir)/ .PHONY: install -install: install-man $(DESTDIR)$(BINDIR)/arptables scripts +install: install-man $(DESTDIR)$(BINDIR)/arptables-legacy scripts .PHONY: clean clean: - rm -f arptables + rm -f arptables-legacy rm -f *.o *~ rm -f extensions/*.o extensions/*~ rm -f libarptc/*.o libarptc/*~ libarptc/*.a diff --git a/arptables-legacy.8 b/arptables-legacy.8 new file mode 100644 index 000..3ce99e3 --- /dev/null +++ b/arptables-legacy.8 
@@ -0,0 +1,352 @@ +.TH ARPTABLES 8 "June 2018" +.\" +.\" Man page originally written by Jochen Friedrich , +.\" maintained by Bart De Schuymer. +.\" It is based on the iptables man page. +.\" +.\" Iptables page by Herve Eychenne March 2000. +.\" +.\" This program is free software; you can redistribute it and/or modify +.\" it under the terms of the GNU General Public License as published by +.\" the Free Software Foundation; either version 2 of the License, or +.\" (at your option) any later version. +.\" +.\" This program is distributed in the hope that it will be useful, +.\" but WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +.\" GNU General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public License +.\" along with this program; if not, write to the Free Software +.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +.\" +.\" +.SH NAME +arptables \- ARP table administration (legacy) +.SH SYNOPSIS +.BR "arptables " [ "-t table" ] " -" [ AD ] " chain rule-specification " [ options ] +.br +.BR "arptables " [ "-t table" ] " -" [ RI ] " chain rulenum rule-specification " [ options ] +.br +.BR "arptables " [ "-t table" ] " -D chain rulenum " [ options ] +.br +.BR "arptables " [ "-t table" ] " -" [ "LFZ" ] " " [ chain ] " " [ options ] +.br +.BR "arptables " [ "-t table" ] " -" [ "NX" ] " chain" +.br +.BR "arptables " [ "-t table" ] " -E old-chain-name new-chain-name" +.br +.BR "arptables " [ "-t table" ] " -P chain target " [ options ] + +.SH LEGACY +This tool uses the old xtables/setsockopt framework, and is a legacy version +of arptables. That means that a new, more modern tool exists with the same +functionality using the nf_tables framework and you are encouraged to migrate now. +The new binaries (formerly known as -compat) uses the same syntax and +semantics than this legacy one. + +You can still use this legacy tool. 
You should probably get some specific +information from your Linux distribution or vendor. +More do
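Review bot: the Makefile hunk renames the binary and its install target, but `install` still depends on `scripts`, which installs the `arptables-save`/`arptables-restore` wrappers after substituting `__EXEC_PATH__`; if those wrappers exec `__EXEC_PATH__/arptables` they break once only `arptables-legacy` is installed, and MANS also keeps `arptables-save.8 arptables-restore.8` unrenamed. Either rename the wrappers to `arptables-legacy-save`/`-restore` as the ebtables patch does, or make them call `arptables-legacy`, and say which in the commit message.

Review bot: arptables-legacy.8 is sent as a new file with arptables.8 deleted (352 insertions, 340 deletions in the diffstat) although it is a near copy of the old page; regenerate the patch with rename detection (`git format-patch -M`) so only the changed lines need review. Inside the new file `.TH ARPTABLES 8` and the NAME line `arptables \- ARP table administration (legacy)` keep the bare `arptables` name, while the ebtables patch changed its NAME to `ebtables-legacy`; make the two consistent. Also, `uses the same syntax and semantics than this legacy one` should read `use the same syntax and semantics as this legacy one`.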
Re: [PATCH xtables] xtables: add nf_tables vs. legacy postfix to version strings
On 18 June 2018 at 14:19, Florian Westphal wrote:
> -V now yields:
> arptables vlibxtables.so.12 (nf_tables)
> ebtables 1.6.2 (nf_tables)
> ip6tables v1.6.2 (legacy)
> ip6tables v1.6.2 (nf_tables)
> ip6tables-restore v1.6.2 (nf_tables)
> ip6tables-save v1.6.2 (nf_tables)
> ip6tables-restore v1.6.2 (legacy)
> ip6tables-restore-translate v1.6.2
> ip6tables-save v1.6.2 (legacy)
> ip6tables-translate v1.6.2 (nf_tables)
> iptables v1.6.2 (legacy)
> iptables v1.6.2 (nf_tables)
> iptables-restore v1.6.2 (nf_tables)
> iptables-save v1.6.2 (nf_tables)
> iptables-restore v1.6.2 (legacy)
> iptables-restore-translate v1.6.2
> iptables-save v1.6.2 (legacy)
> iptables-translate v1.6.2 (nf_tables)
>
> Suggested-by: Harald Welte
> Signed-off-by: Florian Westphal

Acked-by: Arturo Borrero Gonzalez

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [nft PATCH] Makefile: Introduce Make_global.am
On 18 June 2018 at 10:43, Phil Sutter wrote:
> Analogous to libnftnl's build system, define libnftables interface
> version in a variable in Make_global.am.
>
> Suggested-by: Pablo Neira Ayuso
> Signed-off-by: Phil Sutter
> ---
> Make_global.am | 21 +
> src/Makefile.am | 4 +++-
> 2 files changed, 24 insertions(+), 1 deletion(-)
> create mode Make_global.am
>

Acked-by: Arturo Borrero Gonzalez
Re: [nft PATCH] libnftables: Simplify nft_run_cmd_from_buffer footprint
On 17 June 2018 at 13:30, Arturo Borrero Gonzalez wrote:
> On 17 June 2018 at 09:22, Phil Sutter wrote:
>> With libnftables documentation being upstream and one confirmed external
>> user (nftlb), time to break the API!
>>
>> First of all, the command buffer passed to nft_run_cmd_from_buffer may
>> (and should) be const. One should consider it a bug if that function
>> ever changed its content.
>>
>> On the other hand, there is no point in passing the buffer's length as
>> separate argument: NULL bytes are not expected to occur in the input, so
>> it is safe to rely upon strlen(). Also, the actual parsers don't require
>> a buffer length passed to them, either. The only use-case for it is when
>> reallocating the buffer to append a final newline character, there
>> strlen() is perfectly sufficient.
>>
>> Suggested-by: Harald Welte
>> Cc: Laura Garcia Liebana
>> Cc: Eric Leblond
>> Signed-off-by: Phil Sutter
>
> We should bump the library SONAME with this change to reflect the API change.
>
> Please send a follow-up patch (or v2 if you want).

We would probably need something like in libnftnl:

LIBVERSION=10:0:3

http://git.netfilter.org/libnftnl/tree/Make_global.am
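The SONAME bump requested above follows libtool's -version-info arithmetic, which is worth working through once because an interface change shipped without it loads fine and then calls the function with the wrong arguments. The block below is an added example, not part of this thread and not code from nft or libnftnl: it takes a current:revision:age triple such as libnftnl's LIBVERSION=10:0:3, derives the SONAME and file name libtool produces on Linux, and applies the bump for each kind of change. The function names and the 0:0:0 starting triple used for libnftables are this example's own assumptions.

```python
"""Libtool -version-info (current:revision:age) arithmetic.

Added example, not code from nft or libnftnl. The triple 10:0:3 is the
LIBVERSION quoted from libnftnl's Make_global.am in the thread; the
function names and the libnftables starting value are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VersionInfo:
    current: int
    revision: int
    age: int

    @classmethod
    def parse(cls, text: str) -> "VersionInfo":
        parts = text.split(":")
        if len(parts) != 3:
            raise ValueError(f"expected current:revision:age, got {text!r}")
        current, revision, age = (int(p) for p in parts)
        # libtool requires age <= current; anything else is a typo in the Makefile.
        if min(current, revision, age) < 0 or age > current:
            raise ValueError(f"invalid libtool version-info {text!r}")
        return cls(current, revision, age)

    def __str__(self) -> str:
        return f"{self.current}:{self.revision}:{self.age}"

    def soname(self, lib: str) -> str:
        # On Linux libtool sets the SONAME major to current - age.
        return f"{lib}.so.{self.current - self.age}"

    def filename(self, lib: str) -> str:
        # The real file libtool installs: lib.so.(current-age).age.revision
        return f"{lib}.so.{self.current - self.age}.{self.age}.{self.revision}"


def bump(v: VersionInfo, change: str) -> VersionInfo:
    """Apply libtool's update rules for one release.

    change is one of:
      "fix"   - code changed, interfaces untouched: revision += 1
      "add"   - interfaces only added:              current += 1, revision = 0, age += 1
      "break" - interfaces removed or changed:      current += 1, revision = 0, age = 0
    """
    if change == "fix":
        return VersionInfo(v.current, v.revision + 1, v.age)
    if change == "add":
        return VersionInfo(v.current + 1, 0, v.age + 1)
    if change == "break":
        return VersionInfo(v.current + 1, 0, 0)
    raise ValueError(f"unknown change kind {change!r}")


def keeps_old_consumers_loading(lib: str, old: VersionInfo, new: VersionInfo) -> bool:
    """True if binaries linked against `old` still resolve the new library.

    The dynamic loader matches on SONAME only, so this is exactly the
    question of whether the SONAME changed. A changed signature shipped
    with an unchanged SONAME is the case the bump is meant to prevent.
    """
    return old.soname(lib) == new.soname(lib)


def release_plan(lib: str, version_info: str, change: str) -> dict:
    """Summarise what a release of `lib` with the given change does to the ABI."""
    old = VersionInfo.parse(version_info)
    new = bump(old, change)
    return {
        "old": str(old),
        "new": str(new),
        "old_file": old.filename(lib),
        "new_file": new.filename(lib),
        "old_soname": old.soname(lib),
        "new_soname": new.soname(lib),
        "compatible": keeps_old_consumers_loading(lib, old, new),
    }


if __name__ == "__main__":
    # libnftnl as quoted in the thread: 10:0:3 installs libnftnl.so.7.3.0
    for change in ("fix", "add", "break"):
        print(change, release_plan("libnftnl", "10:0:3", change))
    # The const/strlen() change to nft_run_cmd_from_buffer is a "break".
    # 0:0:0 is an assumed starting triple for libnftables, not the real one.
    print("break", release_plan("libnftables", "0:0:0", "break"))
```

Only "break" moves the SONAME (10:0:3 becomes 11:0:0, so libnftnl.so.7 becomes libnftnl.so.11); "add" and "fix" keep current - age constant, which is why a pure addition (11:0:4) still installs libnftnl.so.7 and old consumers keep loading.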
Re: [nft PATCH] libnftables: Simplify nft_run_cmd_from_buffer footprint
On 17 June 2018 at 09:22, Phil Sutter wrote:
> With libnftables documentation being upstream and one confirmed external
> user (nftlb), time to break the API!
>
> First of all, the command buffer passed to nft_run_cmd_from_buffer may
> (and should) be const. One should consider it a bug if that function
> ever changed its content.
>
> On the other hand, there is no point in passing the buffer's length as
> separate argument: NULL bytes are not expected to occur in the input, so
> it is safe to rely upon strlen(). Also, the actual parsers don't require
> a buffer length passed to them, either. The only use-case for it is when
> reallocating the buffer to append a final newline character, there
> strlen() is perfectly sufficient.
>
> Suggested-by: Harald Welte
> Cc: Laura Garcia Liebana
> Cc: Eric Leblond
> Signed-off-by: Phil Sutter

We should bump the library SONAME with this change to reflect the API change.

Please send a follow-up patch (or v2 if you want).
Re: [RFC PATCH nft] parser: Set base chain prios with textual names
On 4 June 2018 at 11:58, Máté Eckl wrote:
> What I'm not sure of is:
> - Are these token values considered user-friendly or usable?
> - Is printing of these values with their names desired?
>
> What do you think?
>
> -- 8< --
> This patch adds the possibility to use textual names to set the chain priority
> to basic values so that numeric values do not need to be learnt any more for
> basic usage.
>
> Example:
> nft> add table inet x
> nft> add chain inet x y {type filter hook prerouting priority PRIO_MANGLE ;}
> nft> list ruleset
> table inet x {
>         chain y {
>                 type filter hook prerouting priority -150; policy accept;
>         }
> }
>

I believe the idea is good. But also, you should print the friendly names
instead of the magic numbers :-P
Re: [PATCH] ulogd: json: send messages to a remote host / unix socket
On 27 May 2018 at 00:55, Andreas Jaggiwrote: > Hi Arturo > > Thanks for the review, find below the reworked patch. > Let me know if there are other parts to improve. > Thanks Andreas! the patch looks great. Minor nitpicks below. > +static int _connect_socket_unix(struct ulogd_pluginstance *pi) > +{ > + struct json_priv *op = (struct json_priv *) >private; > + struct sockaddr_un u_addr; > + int sfd; > + > + if (op->sock != -1) { > + close(op->sock); > + op->sock = -1; > + } ^^^ this socket closing could be your new close_socket() function, right? > + ulogd_log(ULOGD_DEBUG, "connecting to unix:%s\n", > + file_ce(pi->config_kset).u.string); > + > + sfd = socket(AF_UNIX, SOCK_STREAM, 0); > + if (sfd == -1) { > + return -1; > + } > + u_addr.sun_family = AF_UNIX; > + strncpy(u_addr.sun_path, file_ce(pi->config_kset).u.string, > + sizeof(u_addr.sun_path) - 1); > + if (connect(sfd, (struct sockaddr *) _addr, sizeof(struct > sockaddr_un)) == -1) { > + close(sfd); > + return -1; > + } > + > + op->sock = sfd; > + > + return 0; > +} > + > +static int _connect_socket_net(struct ulogd_pluginstance *pi) > +{ > + struct json_priv *op = (struct json_priv *) >private; > + struct addrinfo hints; > + struct addrinfo *result, *rp; > + int sfd, s; > + > + if (op->sock != -1) { > + close(op->sock); > + op->sock = -1; > + } > + ^^^ same here > + ulogd_log(ULOGD_DEBUG, "connecting to %s:%s\n", > + host_ce(pi->config_kset).u.string, > + port_ce(pi->config_kset).u.string); > + > + memset(, 0, sizeof(struct addrinfo)); > + hints.ai_family = AF_UNSPEC; > + hints.ai_socktype = op->mode == JSON_MODE_UDP ? 
SOCK_DGRAM : > SOCK_STREAM; > + hints.ai_protocol = 0; > + hints.ai_flags = 0; > + > + s = getaddrinfo(host_ce(pi->config_kset).u.string, > + port_ce(pi->config_kset).u.string, , ); > + if (s != 0) { > + ulogd_log(ULOGD_ERROR, "getaddrinfo: %s\n", gai_strerror(s)); > + return -1; > + } > + > + for (rp = result; rp != NULL; rp = rp->ai_next) { > + int on = 1; > + > + sfd = socket(rp->ai_family, rp->ai_socktype, > + rp->ai_protocol); > + if (sfd == -1) > + continue; > + > + setsockopt(sfd, SOL_SOCKET, SO_REUSEADDR, > + (char *) , sizeof(on)); > + > + if (connect(sfd, rp->ai_addr, rp->ai_addrlen) != -1) > + break; > + > + close(sfd); > + } > + > + freeaddrinfo(result); > + > + if (rp == NULL) { > + return -1; > + } > + > + op->sock = sfd; > + > + return 0; > +} > + > +static int _connect_socket(struct ulogd_pluginstance *pi) > +{ > + struct json_priv *op = (struct json_priv *) >private; > + > + if (op->mode == JSON_MODE_UNIX) > + return _connect_socket_unix(pi); > + else > + return _connect_socket_net(pi); > +} > + > +static int json_interp_socket(struct ulogd_pluginstance *upi, char *buf, int > buflen) > +{ > + struct json_priv *opi = (struct json_priv *) >private; > + int ret = 0; > + > + if (opi->sock != -1) > + ret = send(opi->sock, buf, buflen, MSG_NOSIGNAL); > + free(buf); > + if (ret != buflen) { > + ulogd_log(ULOGD_ERROR, "Failure sending message: %s\n", > + strerror(errno)); > + if (ret == -1 || opi->sock == -1) > + return _connect_socket(upi); > + else > + return ULOGD_IRET_ERR; > + } > + > + return ULOGD_IRET_OK; > +} > + > +static int json_interp_file(struct ulogd_pluginstance *upi, char *buf) > +{ > + struct json_priv *opi = (struct json_priv *) >private; > + > + fprintf(opi->of, "%s", buf); > + free(buf); > + > + if (upi->config_kset->ces[JSON_CONF_SYNC].u.value != 0) > + fflush(opi->of); > + > + return ULOGD_IRET_OK; > +} > + > #define MAX_LOCAL_TIME_STRING 38 > > static int json_interp(struct ulogd_pluginstance *upi) > { > struct json_priv *opi = 
(struct json_priv *) >private; > unsigned int i; > + char *buf; > + int buflen; > json_t *msg; > > msg = json_object(); > @@ -218,34 +389,65 @@ static int json_interp(struct ulogd_pluginstance *upi) > } > } > > - json_dumpf(msg, opi->of, 0); > - fprintf(opi->of, "\n"); > > + buf = json_dumps(msg, 0); > json_decref(msg); > + if (buf == NULL) { > +
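Review bot: in `_connect_socket_unix`, `u_addr` is never zeroed and `strncpy(u_addr.sun_path, ..., sizeof(u_addr.sun_path) - 1)` leaves `sun_path` unterminated whenever the configured path is `sizeof(sun_path) - 1` bytes or longer, so `connect()` reads an uninitialised trailing byte; add `memset(&u_addr, 0, sizeof(u_addr))` before the copy (as `_connect_socket_net` already does for `hints`) and reject over-long paths with an error when the configuration is read. In `_connect_socket_net`, `SO_REUSEADDR` on a socket that is only `connect()`ed and never bound has no effect, so the `setsockopt` call can go. In `json_interp_socket`, the send-failure path returns the raw 0/-1 of `_connect_socket()` rather than a `ULOGD_IRET_*` value, the message that failed is dropped without a log line saying so, and `strerror(errno)` is printed even when `opi->sock == -1` and no syscall ran (`ret` is still 0); split the two cases and return `ULOGD_IRET_ERR` from both.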
Re: [PATCH nftlb] build: use autotools
On 11 May 2018 at 12:20, Pablo Neira Ayuso wrote:
> - Add configure.ac and Makefile.am files.
> - Update .gitignore file to ignore autogenerated scripts by autotools.
>
> Signed-off-by: Pablo Neira Ayuso

It seems we can drop libmnl and libnftnl dependencies.
Re: [PATCH] ulogd: json: send messages to a remote host / unix socket
On 1 May 2018 at 14:16, Andreas Jaggi wrote:
> Extend the JSON output plugin so that the generated JSON stream can be
> sent to a remote host via TCP/UDP or to a local unix socket.
> > Signed-off-by: Andreas Jaggi > --- > output/ulogd_output_JSON.c | 225 + > ulogd.conf.in | 11 ++ > 2 files changed, 214 insertions(+), 22 deletions(-) > HI Andreas, thanks for working on this. Some review below. > +static int _connect_socket(struct ulogd_pluginstance *pi) > +{ > + struct json_priv *op = (struct json_priv *) >private; > + struct addrinfo hints; > + struct addrinfo *result, *rp; > + struct sockaddr_un u_addr; > + int sfd, s; > + > + if ( op->sock != -1 ) { > + close(op->sock); > + op->sock = -1; > + } > + if ( op->mode == JSON_MODE_UNIX ) { > + ulogd_log(ULOGD_DEBUG, "connecting to unix:%s\n", > file_ce(pi->config_kset).u.string); > + > + sfd = socket(AF_UNIX, SOCK_STREAM, 0); > + if (sfd == -1 ) { > + ulogd_log(ULOGD_ERROR, "Could not connect\n"); > + return -1; > + } > + u_addr.sun_family = AF_UNIX; > + strncpy(u_addr.sun_path, file_ce(pi->config_kset).u.string, > sizeof(u_addr.sun_path) - 1); > + if ( connect(sfd, (struct sockaddr *) _addr, sizeof(struct > sockaddr_un)) == -1 ) { > + ulogd_log(ULOGD_ERROR, "Could not connect\n"); > + close(sfd); > + return -1; > + } > + } else { > + ulogd_log(ULOGD_DEBUG, "connecting to %s:%s\n", > host_ce(pi->config_kset).u.string, port_ce(pi->config_kset).u.string); > + > + memset(, 0, sizeof(struct addrinfo)); > + hints.ai_family = AF_UNSPEC; > + hints.ai_socktype = op->mode == JSON_MODE_UDP ? 
SOCK_DGRAM : > SOCK_STREAM; > + hints.ai_protocol = 0; > + hints.ai_flags = 0; > + > + s = getaddrinfo(host_ce(pi->config_kset).u.string, > port_ce(pi->config_kset).u.string, , ); > + if (s != 0) { > + ulogd_log(ULOGD_ERROR, "getaddrinfo: %s\n", > gai_strerror(s)); > + return -1; > + } > + > + for (rp = result; rp != NULL; rp = rp->ai_next) { > + int on = 1; > + > + sfd = socket(rp->ai_family, rp->ai_socktype, > + rp->ai_protocol); > + if (sfd == -1) > + continue; > + > + setsockopt(sfd, SOL_SOCKET, SO_REUSEADDR, > + (char *) , sizeof(on)); > + > + if (connect(sfd, rp->ai_addr, rp->ai_addrlen) != -1) > + break; > + > + close(sfd); > + } > + > + freeaddrinfo(result); > + > + if (rp == NULL) { > + ulogd_log(ULOGD_ERROR, "Could not connect\n"); > + return -1; > + } > + } > + > + op->sock = sfd; > + > + return 0; > +} > + could we split the function above in smaller chunks? something like _connect_socket_unix() and _connect_socket_net() 
> @@ -218,13 +331,41 @@ static int json_interp(struct ulogd_pluginstance *upi) > } > } > > - json_dumpf(msg, opi->of, 0); > - fprintf(opi->of, "\n"); > > + buf = json_dumps(msg, 0); > json_decref(msg); > - > - if (upi->config_kset->ces[JSON_CONF_SYNC].u.value != 0) > - fflush(opi->of); > + if (buf == NULL) { > + ulogd_log(ULOGD_ERROR, "Could not create message\n"); > + return ULOGD_IRET_ERR; > + } > + buflen = strlen(buf); > + buf = realloc(buf, sizeof(char)*(buflen+2)); > + if (buf == NULL) { > + ulogd_log(ULOGD_ERROR, "Could not create message\n"); > + return ULOGD_IRET_ERR; > + } > + strncat(buf, "\n", 1); > + buflen++; > + > + if ( opi->mode == JSON_MODE_FILE ) { > + fprintf(opi->of, "%s", buf); > + free(buf); > + if (upi->config_kset->ces[JSON_CONF_SYNC].u.value != 0) > + fflush(opi->of); > + } else { > + if ( opi->sock != -1 ) { > + ret = send(opi->sock, buf, buflen, MSG_NOSIGNAL); > + } > + free(buf); > + if (ret != buflen) { > + ulogd_log(ULOGD_ERROR, "Failure sending message: > %s\n", strerror(errno)); > + if (ret == -1 || opi->sock == -1) { > + return
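Review bot: ret is only assigned inside the `if ( opi->sock != -1 )` branch, so when the socket is not connected the following `if (ret != buflen)` compares an uninitialized (or stale) value and the error path is taken by accident rather than by design; initialise ret (for example to -1) before the branch, or handle the not-connected case explicitly before attempting send(). In the same hunk, `buf = realloc(buf, sizeof(char)*(buflen+2));` overwrites the only pointer to the json_dumps() allocation, so when realloc() returns NULL the original buffer leaks on the way out; keep the result in a temporary and free(buf) on the NULL path.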
Re: [PATCH iptables-compat 2/3] iptables-compat: do not fail on restore if user chain exists
On 4 May 2018 at 11:49, Pablo Neira Ayusowrote: > > +int nft_table_flush(struct nft_handle *h, const char *table) > +{ > + struct nftnl_table *r; > + int ret = 0; > + > + nft_fn = nft_table_flush; > + > + r = nftnl_table_alloc(); > + if (r == NULL) > + goto err; > + > + nftnl_table_set_str(r, NFTNL_TABLE_NAME, table); > + > + batch_table_add(h, NFT_COMPAT_TABLE_FLUSH, r); > +err: > + /* the core expects 1 for success and 0 for error */ > + return ret == 0 ? 1 : 0; > +} > + it seems ret is never set to something meaningful? -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
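Review bot: agreeing with the point above, and adding its consequence: because ret stays 0, the `r == NULL` path jumps to err and the function returns 1, which per the comment means it reports success to the core even though nothing was added to the batch. Set ret to a non-zero value before `goto err` so the allocation failure is propagated, and if batch_table_add() can fail, check its result the same way instead of ignoring it.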
[arptables PATCH] arptables: cleanup sysvinit script
This file belong to downstream distributions. Also, it's unmaintained. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- Makefile |8 +--- arptables.sysv | 103 2 files changed, 2 insertions(+), 109 deletions(-) delete mode 100644 arptables.sysv diff --git a/Makefile b/Makefile index 7bead0d..139c9ca 100644 --- a/Makefile +++ b/Makefile @@ -7,7 +7,6 @@ LIBDIR:=$(PREFIX)/lib BINDIR:=$(PREFIX)/sbin MANDIR:=$(PREFIX)/man man8dir=$(MANDIR)/man8 -INITDIR:=/etc/rc.d/init.d SYSCONFIGDIR:=/etc/sysconfig DESTDIR:= @@ -46,15 +45,12 @@ $(DESTDIR)$(BINDIR)/arptables: arptables tmp1:=$(shell printf $(BINDIR) | sed 's/\//\\\//g') tmp2:=$(shell printf $(SYSCONFIGDIR) | sed 's/\//\\\//g') .PHONY: scripts -scripts: arptables-save arptables-restore arptables.sysv +scripts: arptables-save arptables-restore cat arptables-save | sed 's/__EXEC_PATH__/$(tmp1)/g' > arptables-save_ install -m 0755 arptables-save_ $(DESTDIR)$(BINDIR)/arptables-save cat arptables-restore | sed 's/__EXEC_PATH__/$(tmp1)/g' > arptables-restore_ install -m 0755 arptables-restore_ $(DESTDIR)$(BINDIR)/arptables-restore - cat arptables.sysv | sed 's/__EXEC_PATH__/$(tmp1)/g' | sed 's/__SYSCONFIG__/$(tmp2)/g' > arptables.sysv_ - if [ "$(DESTDIR)" != "" ]; then mkdir -p $(DESTDIR)$(INITDIR); fi - if test -d $(DESTDIR)$(INITDIR); then install -m 0755 arptables.sysv_ $(DESTDIR)$(INITDIR)/arptables; fi - rm -f arptables-save_ arptables-restore_ arptables.sysv_ + rm -f arptables-save_ arptables-restore_ .PHONY: install-man install-man: $(MANS) diff --git a/arptables.sysv b/arptables.sysv deleted file mode 100644 index ea5cf09..000 --- a/arptables.sysv +++ /dev/null 
@@ -1,103 +0,0 @@ -#!/bin/bash -# -# init script for arptables -# -# Original by Dag Wieers <d...@wieers.com>. -# Modified/changed to arptables by -# Rok Papez <rok.pa...@arnes.si>. -# -# chkconfig: - 16 84 -# description: Arp filtering tables -# -# config: __SYSCONFIG__/arptables - -source /etc/init.d/functions -source /etc/sysconfig/network - -# Check that networking is up. -[ ${NETWORKING} = "no" ] && exit 0 - -[ -x __EXEC_PATH__/arptables ] || exit 1 -[ -x __EXEC_PATH__/arptables-save ] || exit 1 -[ -x __EXEC_PATH__/arptables-restore ] || exit 1 - -[ "$1" != "save" -o -r __SYSCONFIG__/arptables ] || exit 1 - -RETVAL=0 -prog="arptables" -desc="Arp filtering" - -start() { - echo -n $"Starting $desc ($prog): " - __EXEC_PATH__/arptables-restore < __SYSCONFIG__/arptables || RETVAL=1 - - if [ $RETVAL -eq 0 ]; then - success "$prog startup" - rm -f /var/lock/subsys/$prog - else - failure "$prog startup" - fi - - echo - return $RETVAL -} - -stop() { - echo -n $"Stopping $desc ($prog): " - __EXEC_PATH__/arptables-restore < /dev/null || RETVAL=1 - - if [ $RETVAL -eq 0 ]; then - success "$prog shutdown" - rm -f %{_localstatedir}/lock/subsys/$prog - else - failure "$prog shutdown" - fi - - echo - return $RETVAL -} - -restart() { - stop - start -} - -save() { - echo -n $"Saving $desc ($prog): " - __EXEC_PATH__/arptables-save > __SYSCONFIG__/arptables || RETVAL=1 - - if [ $RETVAL -eq 0 ]; then - success "$prog saved" - else - failure "$prog saved" - fi - echo -} - -case "$1" in - start) - start - ;; - stop) - stop - ;; - restart|reload) - restart - ;; - condrestart) - [ -e /var/lock/subsys/$prog ] && restart - RETVAL=$? - ;; - save) - save - ;; - status) - __EXEC_PATH__/arptables-save - RETVAL=$? 
- ;; - *) - echo $"Usage $0 {start|stop|restart|condrestart|save|status}" - RETVAL=1 -esac - -exit $RETVAL
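Review bot: the Makefile hunk removes the only consumer of tmp2 (the sed-escaped SYSCONFIGDIR used for the __SYSCONFIG__ substitution in arptables.sysv) and the INITDIR definition, but keeps the `tmp2:=$(shell printf $(SYSCONFIGDIR) | sed 's/\//\\\//g')` line at the top of the second hunk and the `SYSCONFIGDIR:=/etc/sysconfig` definition next to the removed INITDIR line; nothing else in the visible hunks references either (arptables-save and arptables-restore only substitute __EXEC_PATH__ via tmp1), so drop both to finish the cleanup.

Review bot: worth a sentence in the commit message about the deleted script: its stop() runs `rm -f %{_localstatedir}/lock/subsys/$prog`, an RPM spec macro inside a plain shell script, while start() uses the literal /var/lock/subsys path, so the script could never have removed the lock file it created. That is concrete evidence for the "unmaintained" claim and tells distributions that carry a copy what to look at.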
Re: [nft PATCH v2] libnftables: fix header export
On 2 May 2018 at 14:02, Florian Westphal <f...@strlen.de> wrote:
> Arturo Borrero Gonzalez <art...@netfilter.org> wrote:
>> Instruct Make to actually install the header to the system, otherwise
>> users won't see the header in their system after running 'make install'.
>>
>> Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org>
>> ---
>> v2: don't rename the header, given it has been released already
>
> I would prefer to see the rename anyway for consistency with other
> netfilter.org libraries, which all use lib prefix.
>
> So, I would prefer to apply v1 instead.
>
> Any objections?

Makes sense.
[nft PATCH v2] libnftables: fix header export
Instruct Make to actually install the header to the system, otherwise users won't see the header in their system after running 'make install'. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- v2: don't rename the header, given it has been released already include/nftables/Makefile.am |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/nftables/Makefile.am b/include/nftables/Makefile.am index 9e31d51..2b43d7f 100644 --- a/include/nftables/Makefile.am +++ b/include/nftables/Makefile.am @@ -1 +1 @@ -noinst_HEADERS = nftables.h +pkginclude_HEADERS = nftables.h
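Review bot: the commit message should state where the header ends up: switching from noinst_HEADERS to pkginclude_HEADERS makes automake install the file into $(pkgincludedir), i.e. $(includedir)/nftables, so applications include it as <nftables/nftables.h>. Spelling that path out makes the user-visible change explicit and, since the tree also has a private include/nftables.h with the same basename, it helps readers tell the two apart.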
[nft PATCH] libnftables: fix header export
Instruct Make to actually install the header to the system, otherwise users won't see the header in their system after running 'make install'. Also, export main libnftables header with a proper name, since we have another private header called 'nftables.h' (i.e, let's be concrete with the naming). Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- include/nftables.h |2 +- include/nftables/Makefile.am |2 +- include/nftables/libnftables.h |0 src/libnftables.c |2 +- src/main.c |2 +- 5 files changed, 4 insertions(+), 4 deletions(-) rename include/nftables/{nftables.h => libnftables.h} (100%) diff --git a/include/nftables.h b/include/nftables.h index 5f2da8b..f525ba6 100644 --- a/include/nftables.h +++ b/include/nftables.h @@ -5,7 +5,7 @@ #include #include #include -#include +#include struct cookie { FILE *fp; diff --git a/include/nftables/Makefile.am b/include/nftables/Makefile.am index 9e31d51..5cfb0c6 100644 --- a/include/nftables/Makefile.am +++ b/include/nftables/Makefile.am @@ -1 +1 @@ -noinst_HEADERS = nftables.h +pkginclude_HEADERS = libnftables.h diff --git a/include/nftables/nftables.h b/include/nftables/libnftables.h similarity index 100% rename from include/nftables/nftables.h rename to include/nftables/libnftables.h diff --git a/src/libnftables.c b/src/libnftables.c index fe5143f..df4f092 100644 --- a/src/libnftables.c +++ b/src/libnftables.c @@ -6,7 +6,7 @@ * published by the Free Software Foundation. * */ -#include +#include #include #include #include diff --git a/src/main.c b/src/main.c index 1f08dfe..d26ea01 100644 --- a/src/main.c +++ b/src/main.c @@ -18,7 +18,7 @@ #include #include -#include +#include #include #include
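Review bot: in this rendering the `#include` lines in the include/nftables.h, src/libnftables.c and src/main.c hunks have lost their bracketed targets, so the diff as shown does not let a reader verify what the three changed includes now name; please confirm they use the public path <nftables/libnftables.h> rather than the bare file name, because the private include/nftables.h shares the old basename, which is exactly the collision the commit message gives as the reason for the rename. It would also help to say in the message that the rename makes the installed header match the lib-prefixed naming of the other netfilter.org libraries, since that is the argument for v1 over v2.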
[ANNOUNCE] libnetfilter-conntrack 1.0.7 release
Hi!

The Netfilter project proudly presents:

libnetfilter-conntrack 1.0.7

This release includes some fixes and improvements since the last release:

* new synproxy support
* don't crash on NULL labelmap
* expose a copy of nf_conntrack_common.h

This library is a dependency of conntrack-tools, and we recommend you run the latest version of both software packages.

See the changelog that comes attached to this email for more details.

You can download it from:

* https://netfilter.org/projects/libnetfilter_conntrack/downloads.html
* ftp://ftp.netfilter.org/pub/libnetfilter_conntrack/

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling!

Ken-ichirou MATSUZAWA (2):
      conntrack: fix missing break in setobjopt_undo_dnat()
      conntrack: revert getobjopt_is_nat() condition

Marcos Paulo de Souza (1):
      labels: don't crash on NULL labelmap

Pablo Neira Ayuso (2):
      include: expose a copy of nf_conntrack_common.h
      conntrack: add synproxy support

Richard Weinberger (1):
      libnetfilter_conntrack: bump version to 1.0.7
[ANNOUNCE] conntrack-tools 1.4.5 release
Hi!

The Netfilter project proudly presents:

conntrack-tools 1.4.5

This release includes several fixes since the last release and also several enhancements for the conntrackd daemon:

* new synproxy support
* manpages updates
* improved logging support (both stdout/stderr and log files)
* new mdns ct helper
* some more messages on what the daemon is doing
* deprecate unix backlog configuration
* drop old/obsolete/deprecated conntrackd.conf config options
* improved support for UPnP in the ssdp ct helper
* improvements to the relationship with libsystemd
* add stronger TCP flags support, some weird behaviour is fixed by this

This release includes the new `StartupResync ` config option, which instructs conntrackd to request a complete conntrack table resync against the other node at startup. This is useful to get in sync with another node which has been running while we were down.

If you are updating your conntrackd deployment to this release from a very old one, mind the deprecated config options. You may be required to refresh your conntrackd.conf config file.

In the case of the conntrack CLI tool:

* new support for IPv6 NAT

In the case of the nfct CLI tool:

* some improvements to the build (-z lazy)

Please note you need libnetfilter-conntrack version >= 1.0.7 to build conntrack-tools version 1.4.5.

See the changelog that comes attached to this email for more details.

You can download it from:

* https://netfilter.org/projects/conntrack-tools/downloads.html
* ftp://ftp.netfilter.org/pub/conntrack-tools/

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling!
Arturo Borrero (4):
      src/main: refresh help message
      conntrackd.8: refresh file
      conntrackd.8: add reference to systemd
      doc/manual: include some bits about init systems

Arturo Borrero Gonzalez (23):
      sync-mode: print errno message on failure
      log: print messages to stdout/sderr if running in console mode
      log: introduce a mechanism to know if log was initialized
      conntrackd: replace error reporting in the config parser with dlog()
      conntrackd: replace fprintf calls with dlog()
      conntrack-tools: update Arturo Borrero Gonzalez email address
      src: add log message when resync is requested by other node
      systemd: fix missing log.h include
      config: drop old/obsolete/deprecated conntrackd.conf config options
      conntrackd: factorice tx_queue functions
      conntrackd: factorize resync operations
      conntrackd: consolidate more code to use resync_send()
      conntrackd: request resync at startup
      conntrackd: evaluate configuration earlier
      conntrackd: cleanup if failed forking
      conntrackd: deprecate unix backlog configuration
      conntrackd: make the daemon run in RT mode by default
      conntrackd: remove warning for -S
      conntrack.8: refresh manpage
      conntrackd.conf.5: fix sentence about systemd
      tests: reallocate cli testing script
      systemd: default to use libsystemd if build with support for it
      conntrack-tools 1.4.5 release

Chieh-Min Wang (1):
      conntrack: Show multiple CPUs stats from proc

Kevin Cernekee (7):
      conntrackd: cthelper: ftp: Set match offset/len for PORT mangling
      conntrackd: cthelper: ftp: Fix debug print
      conntrackd: cthelper: Add new mdns helper
      Link nfct and helper modules with `-z lazy`
      conntrackd: cthelper: Don't leak nat_tuple
      conntrackd: cthelper: Free pktb after use
      conntrackd: cthelper: ssdp: Track UPnP eventing

Neil Wilson (1):
      conntrack: Support IPv6 NAT

Nicolas Dichtel (1):
      conntrackd: remove use of HAVE_INET_PTON_IPV6

Pablo Neira Ayuso (8):
      helper: remove copy and paste from uapi kernel header
      conntrack: send mark filter to kernel iff set
      conntrackd: config: Do not strdup() tokens
      conntrackd: Remove obsolete rule to catch ambiguous Checksum option
      conntrackd: CommitTimeout breaks DisableExternalCache set On
      src: add ARRAY_SIZE definition
      conntrackd: add TCP flags support
      src: synproxy support

Steve Langasek (1):
      tests: don't fail on modprobe since the driver might be built-in

Stijn Tintel (1):
      conntrackd: cthelper: ssdp: fix build with musl
[ANNOUNCE] ulogd2 2.0.7 release
Hi!

The Netfilter project proudly presents:

ulogd2 2.0.7

This release includes several fixes since the last release and also several enhancements:

* fixed several crash conditions
* fixes for the JSON output
* several improvements to the build process, some warnings fixed
* daemon now uses RT scheduler by default
* better Unix signal handling
* code and files cleanups

Starting with this release, ulogd2 will load all plugins from the plugins directory if no 'plugin=' directive was specified in the config file. The default directory is something like /usr/local/lib/ulogd/ or /usr/lib/ulogd/, depending on your build.

See the ChangeLog that comes attached to this email for more details.

You can download it from:

* https://netfilter.org/projects/ulogd/downloads.html
* ftp://ftp.netfilter.org/pub/ulogd2/

In case of bugs and feature requests, please file them via:

* https://bugzilla.netfilter.org

Happy firewalling!

PS: Please note, we don't have a 2.0.6 release.

Alex Xu (1):
      sqlite3: Remove unused "buffer" option.

Arturo Borrero Gonzalez (5):
      ulogd: use a RT scheduler by default
      ulogd: load all plugins by default
      ulogd2: cleanup downstream files
      Set release number to 2.0.7.
      remove ulogd2.rotate and ulogd2.spec from Makefile.am

Eric Leblond (8):
      ulogd: add missing newline in log message
      ulogd: fix indentation in acinclude.m4
      ulogd: add automake option
      ulogd: use strncpy instead of memcpy
      ulogd.conf: fix incorrect stack
      Set release number to 2.0.6.
      ulogd: fix crash when plugin version are incorrect
      ip2bin: fix plugin link for some compiler

Felix Janda (4):
      Sync with kernel headers
      Define _GNU_SOURCE to get members of tcphdr
      ulogd: Use /dev/null as dummy logfile when logging to syslog
      Use stdint types everywhere

Harald Welte (1):
      configure.ac: Add --without-{mysql,pgsql}

Helmut Schaa (1):
      ulogd: fix cross compilation errors with mysql_config

Hironobu Ishii (1):
      ulogd: restructures signal handling by self-pipe trick

Kaarle Ritvanen (2):
      harmonize log file defaults with ulogd.conf
      rotate all default output files

Liping Zhang (1):
      ulogd: fix crash when ipv4 packet is truncated

Vincent Bernat (2):
      json: output messages in JSONv1 format
      json: append timezone information to ISO 8601 date
[conntrack-tools PATCH v2] systemd: default to use libsystemd if build with support for it
We may assume that if an user does build conntrackd with such feature, is with the intention to use it. So, if that's the case, default to use it. This eases some downstream use cases when dealing with default configs to be shipped to final users. This could be a mid-point solution, given some users are asking for a full revert of commit c01d0d9138112ec95ee316385ea2687dd94fa4e3. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- conntrackd.8 |5 + conntrackd.conf.5|7 --- doc/stats/conntrackd.conf|2 +- doc/sync/alarm/conntrackd.conf |2 +- doc/sync/ftfw/conntrackd.conf|2 +- doc/sync/notrack/conntrackd.conf |2 +- src/read_config_yy.y |4 7 files changed, 13 insertions(+), 11 deletions(-) diff --git a/conntrackd.8 b/conntrackd.8 index 6ccf261..de1e80c 100644 --- a/conntrackd.8 +++ b/conntrackd.8 @@ -1,4 +1,4 @@ -.TH CONNTRACKD 8 "Aug 30, 2016" "" "" +.TH CONNTRACKD 8 "Apr 16, 2018" "" "" .\" Man page written by Pablo Neira Ayuso <pa...@netfilter.org> (Dec 2007) @@ -149,9 +149,6 @@ the configuration file, ignore this notice. Starting with the 1.4.4 release, \fBconntrackd\fP includes integration with \fBsystemd(1)\fP to use an unit file of \fIType=notify\fP and watchdog support. -The daemon should be configured at build time to include such support -and \fBconntrackd.conf(5)\fP should contain \fBSystemd on\fP. - .SH INCOMPATIBILITIES During the 0.9.9 development, some important changes in the replication message format were introduced. Therefore, \fBconntrackd\fP >= 0.9.9 will not work diff --git a/conntrackd.conf.5 b/conntrackd.conf.5 index 7c5c29f..79a5bba 100644 --- a/conntrackd.conf.5 +++ b/conntrackd.conf.5 @@ -1,5 +1,5 @@ .\" -.\" (C) Copyright 2015, Arturo Borrero Gonzalez <art...@debian.org> +.\" (C) Copyright 2015-2018, Arturo Borrero Gonzalez <art...@netfilter.org> .\" .\" %%%LICENSE_START(GPLv2+_DOC_FULL) .\" This is free documentation; you can redistribute it and/or 
@@ -22,7 +22,7 @@ .\" <http://www.gnu.org/licenses/>. .\" %%%LICENSE_END .\" -.TH CONNTRACKD.CONF 5 "January 24, 2018" +.TH CONNTRACKD.CONF 5 "Apr 16, 2018" .SH NAME conntrackd.conf \- configuration file for conntrackd daemon @@ -476,7 +476,8 @@ Note: \fBsystemd(1)\fP watchdog is supported as well. Example: Systemd on -By default runtime support is disabled. +By default runtime support is enabled if conntrackd was built with the systemd +feature. Otherwise is off. .TP .BI "Nice " diff --git a/doc/stats/conntrackd.conf b/doc/stats/conntrackd.conf index ba957a1..9918bbb 100644 --- a/doc/stats/conntrackd.conf +++ b/doc/stats/conntrackd.conf @@ -6,7 +6,7 @@ General { # Enable systemd support. If conntrackd is compiled with the proper # configuration, you can use a systemd service unit of Type=notify # and use conntrackd with systemd watchdog as well. - # Default is: off + # Default is: on if built with --enable-systemd, off otherwhise # #Systemd on diff --git a/doc/sync/alarm/conntrackd.conf b/doc/sync/alarm/conntrackd.conf index 831be15..b689ae6 100644 --- a/doc/sync/alarm/conntrackd.conf +++ b/doc/sync/alarm/conntrackd.conf @@ -221,7 +221,7 @@ General { # Enable systemd support. If conntrackd is compiled with the proper # configuration, you can use a systemd service unit of Type=notify # and use conntrackd with systemd watchdog as well. - # Default is: off + # Default is: on if built using --enable-systemd, off otherwhise # #Systemd on diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf index 9da0fb6..8267659 100644 --- a/doc/sync/ftfw/conntrackd.conf +++ b/doc/sync/ftfw/conntrackd.conf @@ -244,7 +244,7 @@ General { # Enable systemd support. If conntrackd is compiled with the proper # configuration, you can use a systemd service unit of Type=notify # and use conntrackd with systemd watchdog as well. - # Default is: off + # Default is: on if built with --enable-systemd, off otherwhise # #Systemd on 
diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf index 600fc89..8445b7d 100644 --- a/doc/sync/notrack/conntrackd.conf +++ b/doc/sync/notrack/conntrackd.conf @@ -283,7 +283,7 @@ General { # Enable systemd support. If conntrackd is compiled with the proper # configuration, you can use a systemd service unit of Type=notify # and use conntrackd with systemd watchdog as well. - # Default is: off + # Default is: on if built with --enable-systemd, off otherwhise # #Systemd on diff --git a/src/read_config_yy.y b/src/read_config_yy.y index 32cca3c..6de8c6c 10064
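Review bot: the four doc/*/conntrackd.conf hunks (doc/stats, doc/sync/alarm, doc/sync/ftfw, doc/sync/notrack) all add the same `# Default is:` comment and all spell it "otherwhise"; fix to "otherwise" in each. The alarm variant also says "on if built using --enable-systemd" while the other three say "on if built with --enable-systemd"; pick one wording so the four example configs stay identical on this line.

Review bot: in the conntrackd.conf.5 hunk, the added sentence "Otherwise is off." is missing its subject; "Otherwise it is off." reads correctly. The conntrackd.8 hunk removes the only sentence that pointed readers to `Systemd on` in conntrackd.conf(5); with the new default that pointer is still useful for people who build with systemd support but want to turn it off, so consider rewording it to describe the new default rather than dropping it.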
[conntrack-tools PATCH] tests: reallocate cli testing script
Move this to test/ Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- doc/cli/test.sh | 106 --- tests/conntrack/cli-test.sh | 106 +++ 2 files changed, 106 insertions(+), 106 deletions(-) delete mode 100644 doc/cli/test.sh create mode 100644 tests/conntrack/cli-test.sh diff --git a/doc/cli/test.sh b/doc/cli/test.sh deleted file mode 100644 index 2a0fef7..000 --- a/doc/cli/test.sh +++ /dev/null 
@@ -1,106 +0,0 @@ -CONNTRACK=conntrack - -SRC=1.1.1.1 -DST=2.2.2.2 -SPORT=2005 -DPORT=21 - -case $1 in - dump) - echo "Dumping conntrack table" - $CONNTRACK -L - ;; - flush) - echo "Flushing conntrack table" - $CONNTRACK -F - ;; - new) - echo "creating a new conntrack" - $CONNTRACK -I --orig-src $SRC --orig-dst $DST \ ---reply-src $DST --reply-dst $SRC -p tcp \ ---orig-port-src $SPORT --orig-port-dst $DPORT \ ---reply-port-src $DPORT --reply-port-dst $SPORT \ - --state LISTEN -u SEEN_REPLY -t 50 - ;; - new-simple) - echo "creating a new conntrack (simplified)" - $CONNTRACK -I -s $SRC -d $DST \ - -p tcp --sport $SPORT --dport $DPORT \ - --state LISTEN -u SEEN_REPLY -t 50 - ;; - new-nat) - echo "creating a new conntrack (NAT)" - $CONNTRACK -I -s $SRC -d $DST \ - -p tcp --sport $SPORT --dport $DPORT \ - --state LISTEN -u SEEN_REPLY -t 50 --dst-nat 8.8.8.8 - ;; - get) - echo "getting a conntrack" - $CONNTRACK -G -s $SRC -d $DST \ - -p tcp --sport $SPORT --dport $DPORT - ;; - change) - echo "change a conntrack" - $CONNTRACK -U -s $SRC -d $DST \ - -p tcp --sport $SPORT --dport $DPORT \ - --state TIME_WAIT -u ASSURED,SEEN_REPLY -t 500 - ;; - delete) - $CONNTRACK -D -s $SRC -d $DST \ - -p tcp --sport $SPORT --dport $DPORT - ;; - output) - proc=$(cat /proc/net/ip_conntrack | wc -l) - netl=$($CONNTRACK -L | wc -l) - count=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count) - if [ $proc -ne $netl ]; then - echo "proc is $proc and netl is $netl and count is $count" - else - if [ $proc -ne $count ]; then - echo "proc is $proc and netl is $netl and count is $count" - else - echo "now $proc" - fi - fi - ;; - dump-expect) - $CONNTRACK -L expect - ;; - flush-expect) - $CONNTRACK -F expect - ;; - create-expect) - # requires modprobe ip_conntrack_ftp - $CONNTRACK -I expect --orig-src $SRC --orig-dst $DST \ - --tuple-src 4.4.4.4 --tuple-dst 5.5.5.5 \ - --mask-src 255.255.255.0 --mask-dst 255.255.255.255 \ - -p tcp --orig-port-src $SPORT --orig-port-dst $DPORT \ - -t 200 
--tuple-port-src 10240 --tuple-port-dst 10241\ - --mask-port-src 10 --mask-port-dst 300 - ;; - get-expect) - $CONNTRACK -G expect --orig-src 4.4.4.4 --orig-dst 5.5.5.5 \ - --p tcp --orig-port-src 10240 --orig-port-dst 10241 - ;; - delete-expect) - $CONNTRACK -D expect --orig-src 4.4.4.4 \ - --orig-dst 5.5.5.5 -p tcp --orig-port-src 10240 \ - --orig-port-dst 10241 - ;; - *) - echo "Usage: $0 [dump" - echo " |new" - echo " |new-simple" - echo " |new-nat" - echo " |get" - echo " |change" - echo " |delete" - echo " |output" - echo " |flush" - echo " |dump-expect" - echo " |flush-expect" - echo " |create-expect" - echo " |get-expect" - echo " |delete-expect]" - ;; -esac diff --git a/tests/conntrack/cli-test.sh b/tests/conntrack/cli-test.sh new file mode 100644 index 000..2a0fef7 --- /dev/null +++ b/tests/co
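Review bot: the deleted and created files have the same blob id (`index 2a0fef7..000` on the deletion and `index 000..2a0fef7` on the creation), so this is a pure rename; generating the patch with rename detection (git format-patch -M) would show it as `rename from doc/cli/test.sh` / `rename to tests/conntrack/cli-test.sh` instead of 106 removed and 106 added lines, and reviewers could see at a glance that nothing changed. Since the content moves verbatim, the `--p tcp` typo in the get-expect case (it should be `-p tcp`, as every other case uses) is carried over; either fix it here with a note in the commit message or in a follow-up.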
[conntrack-tools PATCH] systemd: default to use libsystemd if build with support for it
We may assume that if a user builds conntrackd with such a feature, it is with the intention to use it. So, if that's the case, default to using it. This eases some downstream use cases when dealing with default configs to be shipped to final users. This could be a mid-point solution, given some users are asking for a full revert of commit c01d0d9138112ec95ee316385ea2687dd94fa4e3. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- src/read_config_yy.y |4 1 file changed, 4 insertions(+) diff --git a/src/read_config_yy.y b/src/read_config_yy.y index 32cca3c..6de8c6c 100644 --- a/src/read_config_yy.y +++ b/src/read_config_yy.y @@ -1626,6 +1626,10 @@ init_config(char *filename) CONFIG(stats).syslog_facility = -1; CONFIG(netlink).subsys_id = -1; +#ifdef BUILD_SYSTEMD +CONFIG(systemd) = 1; +#endif /* BUILD_SYSTEMD */ + /* Initialize list of user-space helpers */ INIT_LIST_HEAD((cthelper).list);
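Review bot: the new default is set under #ifdef BUILD_SYSTEMD in init_config(), but nothing in this patch touches the user-facing documentation, and the conntrackd.8 and conntrackd.conf.5 man pages together with the `# Default is: off` comments in the doc/ example configs still describe systemd support as disabled by default; those need updating in the same change, otherwise anyone reading them will believe systemd integration is off until they set `Systemd on`, while the daemon is already registering with systemd behind their back.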
[conntrack-tools PATCH] conntrackd: add missing fall-through annotation in switch statements
Modern GCC compilers will warn if an explicit comment isn't present. Perhaps this should be better done with a proper compiler instruction, but the code comment is more similar to the rest of the codebase. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- src/cache-ct.c |2 ++ src/cache-exp.c |1 + src/tcp.c |1 + 3 files changed, 4 insertions(+) diff --git a/src/cache-ct.c b/src/cache-ct.c index f86d143..fa5072c 100644 --- a/src/cache-ct.c +++ b/src/cache-ct.c @@ -266,6 +266,7 @@ static int cache_ct_commit(struct cache *c, struct nfct_handle *h, int clientfd) STATE_SYNC(commit).stats.ok = c->stats.commit_ok; STATE_SYNC(commit).stats.fail = c->stats.commit_fail; STATE_SYNC(commit).clientfd = clientfd; + /* fall-through */ case COMMIT_STATE_MASTER: STATE_SYNC(commit).current = hashtable_iterate_limit(c->h, , @@ -280,6 +281,7 @@ static int cache_ct_commit(struct cache *c, struct nfct_handle *h, int clientfd) } STATE_SYNC(commit).current = 0; STATE_SYNC(commit).state = COMMIT_STATE_RELATED; + /* fall-through */ case COMMIT_STATE_RELATED: STATE_SYNC(commit).current = hashtable_iterate_limit(c->h, , diff --git a/src/cache-exp.c b/src/cache-exp.c index 9183b2c..acdae10 100644 --- a/src/cache-exp.c +++ b/src/cache-exp.c @@ -236,6 +236,7 @@ cache_exp_commit(struct cache *c, struct nfct_handle *h, int clientfd) STATE_SYNC(commit).stats.ok = c->stats.commit_ok; STATE_SYNC(commit).stats.fail = c->stats.commit_fail; STATE_SYNC(commit).clientfd = clientfd; + /* fall-through */ case COMMIT_STATE_MASTER: STATE_SYNC(commit).current = hashtable_iterate_limit(c->h, , diff --git a/src/tcp.c b/src/tcp.c index c8f2544..91fe524 100644 --- a/src/tcp.c +++ b/src/tcp.c 
@@ -300,6 +300,7 @@ ssize_t tcp_send(struct tcp_sock *m, const void *data, int size) /* we got connected :) */ m->state = TCP_CLIENT_CONNECTED; } + /* fall through */ case TCP_CLIENT_CONNECTED: ret = sendto(m->fd, data, size, 0, (struct sockaddr *) >addr, m->sockaddr_len);
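Review bot: the tcp.c hunk spells the annotation `/* fall through */` while the cache-ct.c and cache-exp.c hunks use `/* fall-through */`; GCC's -Wimplicit-fallthrough accepts both spellings at its default level, but one form across the three files is easier to grep for. On the question raised in the commit message, the "proper compiler instruction" is `__attribute__((fallthrough));` (GCC 7 and later), which can be wrapped in a macro that expands to nothing on older compilers; the comment form is fine as long as it sits directly before the `case` label, which it does in all four hunks.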
[ulogd PATCH] ulogd2: cleanup downstream files
These files are outdated and they belong to downstream users (distributions). Providing outdated and unmaintained files here serves no purpose other than confusing users and annoy packagers. If an user is using ulogd2 directly from the source tarball, I would expect it to be proficient enough to generate these files by itself. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- ulogd.init | 61 ulogd.logrotate |7 --- ulogd.spec | 119 --- 3 files changed, 187 deletions(-) delete mode 100755 ulogd.init delete mode 100644 ulogd.logrotate delete mode 100644 ulogd.spec diff --git a/ulogd.init b/ulogd.init deleted file mode 100755 index b678652..000 --- a/ulogd.init +++ /dev/null @@ -1,61 +0,0 @@ -#!/bin/sh -# -# chkconfig: 345 81 19 -# description: ulogd is the userspace logging daemon for netfilter/iptables -# - - -. /etc/rc.d/init.d/functions - - -function start() -{ - printf "Starting %s: " "ulogd" - daemon /usr/sbin/ulogd -d - echo - touch /var/lock/subsys/ulogd -} - - -function stop() -{ - printf "Stopping %s: " "ulogd" - killproc ulogd - echo - rm -f /var/lock/subsys/ulogd -} - - -function reload() -{ - pid=`pidof ulogd` - if [ "x$pid" != "x" ]; then - kill -HUP $pid 2>/dev/null - fi - touch /var/lock/subsys/ulogd -} - - -case "$1" in - start) - start - ;; - stop) - stop - ;; - restart) - stop - start - ;; - reload) - reload - ;; - status) - status ulogd - ;; - *) - printf "Usage: %s {start|stop|status|restart|reload}\n" "ulogd" - exit 1 -esac - -exit 0 diff --git a/ulogd.logrotate b/ulogd.logrotate deleted file mode 100644 index 8470811..000 --- a/ulogd.logrotate +++ /dev/null @@ -1,7 +0,0 @@ -/var/log/ulogd* { -missingok -sharedscripts -postrotate - /bin/killall -HUP ulogd 2> /dev/null || true -endscript -} diff --git a/ulogd.spec b/ulogd.spec deleted file mode 100644 index c22b287..000 --- a/ulogd.spec +++ /dev/null 
@@ -1,119 +0,0 @@ -Summary: ulogd - The userspace logging daemon for netfilter -Name: ulogd -Version: 2.00beta -Release: 1gm -License: GPL -Group: Network -Source: http://ftp.netfilter.org/pub/ulogd/%{name}-%{version}.tar.gz -BuildRoot: %{_tmppath}/%{name}-%{version}-root -Packager: Harald Welte <lafo...@netfilter.org> -BuildRequires: MySQL-devel postgresql-devel libpcap-devel libnfnetlink libnetfilter_conntrack libnetfilter_log -#BuildRequires: mysql-devel - -%package mysql -Summary: MySQL output plugin for ulogd-2.x -Group: Network - -%package pgsql -Summary: PostgreSQL output plugin for ulogd-2.x -Group: Network - -%package pcap -Summary: libpcap output plugin for ulogd-2.x -Group: Network - -%package nflog -Summary: netfilter_log input plugin for ulogd-2.x -Group: Network - -%package ctnl -Summary: netfilter_conntrack input plugin for ulogd-2.x -Group: Network - -%description -ulogd is an universal logging daemon for the ULOG target of netfilter, the -Linux 2.4 firewalling subsystem. ulogd is able to log packets in variuos -formats to different targets (text files, databases, etc..). It has an -easy-to-use plugin interface to add new protocols and new output targets. - -%description mysql -ulogd-mysql is a MySQL output plugin for ulogd. It enables logging of -firewall information into a MySQL database. - -%description pgsql -ulogd-mysql is a PostgreSQL output plugin for ulogd. It enables logging of -firewall information into a PostgreSQL database. 
- -%prep -%setup - -%build -%configure --with-mysql=/usr/lib/mysql --with-pgsql=/usr/lib/postgresql -make - -%install -rm -rf %{buildroot} -mkdir -p %{buildroot}/%{_sysconfdir} -mkdir -p %{buildroot}/%{_libdir}/ulogd -mkdir -p %{buildroot}/%{_sbindir}/sbin -mkdir -p %{buildroot}/%{_mandir}/man8 -make DESTDIR=%{buildroot} install - -mkdir -p %{buildroot}/%{_sysconfdir}/rc.d/init.d -install ulogd.init %{buildroot}/%{_sysconfdir}/rc.d/init.d/ulogd -install ulogd.8 %{buildroot}/%{_mandir}/man8/ulogd.8 - -%clean -rm -rf %{buildroot} - -%files -%defattr(0644,root,root,0755) -%attr(0755,root,root) %{_sbindir}/ulogd -%{_sysconfdir}/ulogd.conf -%{_sysconfdir}/rc.d/init.d/ulogd -%{_mandir}/man8/* -%dir %{_libdir}/ulogd -%{_libdir}/ulogd/ulogd_BASE.so -%{_libdir}/ulogd/ulogd_LOCAL.so -%{_libdir}/ulogd/ulogd_LOGEMU.so -%{_libdir}/ulogd/ulogd_OPRINT.so -%{_libdir}/ulogd/ulogd_PWSNIFF.so -%{_libdir}/ulogd/ulogd_PCAP.so -%doc COPYING AUTHORS README -%doc doc/ulogd.txt doc/ulogd.a4.ps doc/ulogd.html - -%files mysql -%defattr(0644,root,root,0755) -%{_libdir}/ulogd/ulogd_MYSQL.so - -%files pgsql -%defattr(0644,root,root,0755) -%{_libdir}/ulogd/ulogd_PGSQL.so - -%changelog -* Sat Aug 25 2003 Harald Welte <lafo...@gnum
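Review bot: the removed ulogd.spec still says `Version: 2.00beta` and its `%description pgsql` describes "ulogd-mysql" rather than the PostgreSQL plugin; quoting one of these in the commit message would substantiate "outdated" more concretely than the current wording and head off the predictable "why delete packaging we might need" objection. The removed ulogd.init also encodes the reload contract (`kill -HUP $pid` in reload()), so please check that the SIGHUP behaviour is documented in the man page or ulogd.conf comments before the script goes, since distributions writing their own unit files will look for it there.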
Re: [PATCH libnftnl] examples: add nft-ct-helper-{add,get,del}
On 19 March 2018 at 18:19, Yang Zheng <tomsun@gmail.com> wrote: > nft-ct-helper-{add,get,del}: add, get, or delete ct helper objects from the > specified table. > It would be great if you extend a bit the commit message with your tests: % ./nft-ct-helper-get % ./nft-ct-helper-add % ./nft-ct-helper-get [...] % ./nft-ct-helper-del % ./nft-ct-helper-get So other people know about the expected results when running this. > Signed-off-by: Yang Zheng <tomsun@gmail.com> > --- > examples/Makefile.am | 14 +++- > examples/nft-ct-helper-add.c | 149 ++ > examples/nft-ct-helper-del.c | 124 +++ > examples/nft-ct-helper-get.c | 150 > +++ > 4 files changed, 436 insertions(+), 1 deletion(-) > create mode 100644 examples/nft-ct-helper-add.c > create mode 100644 examples/nft-ct-helper-del.c > create mode 100644 examples/nft-ct-helper-get.c > Other than that, it LGTM: Acked-by: Arturo Borrero Gonzalez <art...@netfilter.org> -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [nft PATCH 0/6] A set of patches resulting from running tests/shell
On 19 March 2018 at 18:02, Phil Sutter <p...@nwl.cc> wrote: > This series is the result of me trying to get all tests in tests/shell > to pass. Sadly I wasn't fully successful, these two still fail: > > - testcases/sets/0028autoselect_0 > - testcases/sets/0031set_timeout_size_0 > > I had a look at the latter, the problem seems to be that nft_set_hash.c > in kernel prefers nft_hash_fast_ops for four byte keys ignoring the fact > that NFT_SET_TIMEOUT support is required. > > Phil Sutter (6): > Support 'nft -f -' to read from stdin > tests/shell: Fix dump of chains/0016delete_handle_0 > tests/shell: Fix flowtable test cases > flowtable: Make parsing a little more robust > tests/shell: Fix sporadic fail of include/0007glob_double_0 > tests/shell: Allow to specify multiple testcases > Acked-by: Arturo Borrero Gonzalez <art...@netfilter.org>
[iptables PATCH] iptables: add xtables-translate.8 manpage
This new manpage describes how to operate the translation tools for nftables. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- iptables/Makefile.am |3 + iptables/xtables-translate.8 | 134 ++ 2 files changed, 136 insertions(+), 1 deletion(-) create mode 100644 iptables/xtables-translate.8 diff --git a/iptables/Makefile.am b/iptables/Makefile.am index d0060c60..7fc34830 100644 --- a/iptables/Makefile.am +++ b/iptables/Makefile.am @@ -58,7 +58,8 @@ sbin_PROGRAMS += xtables-compat-multi endif man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \ iptables-xml.1 ip6tables.8 ip6tables-restore.8 \ - ip6tables-save.8 iptables-extensions.8 xtables-compat.8 + ip6tables-save.8 iptables-extensions.8 \ + xtables-compat.8 xtables-translate.8 CLEANFILES = iptables.8 \ xtables-config-parser.c xtables-config-syntax.c diff --git a/iptables/xtables-translate.8 b/iptables/xtables-translate.8 new file mode 100644 index ..1968239b --- /dev/null +++ b/iptables/xtables-translate.8 
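Review bot: xtables-translate.8 documents four commands (iptables-translate, iptables-restore-translate, ip6tables-translate, ip6tables-restore-translate) but no binary called xtables-translate exists, so `man iptables-translate` will not find this page. Consider adding alias pages for each command name (a one-line `.so man8/xtables-translate.8` file each) and listing them in man_MANS in this hunk, so the page is reachable under the names users actually type.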
@@ -0,0 +1,134 @@ +.\" +.\" (C) Copyright 2018, Arturo Borrero Gonzalez <art...@netfilter.org> +.\" +.\" %%%LICENSE_START(GPLv2+_DOC_FULL) +.\" This is free documentation; you can redistribute it and/or +.\" modify it under the terms of the GNU General Public License as +.\" published by the Free Software Foundation; either version 2 of +.\" the License, or (at your option) any later version. +.\" +.\" The GNU General Public License's references to "object code" +.\" and "executables" are to be interpreted as the output of any +.\" document formatting or typesetting system, including +.\" intermediate and printed output. +.\" +.\" This manual is distributed in the hope that it will be useful, +.\" but WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +.\" GNU General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public +.\" License along with this manual; if not, see +.\" <http://www.gnu.org/licenses/>. +.\" %%%LICENSE_END +.\" +.TH XTABLES-TRANSLATE 8 "Mar 16, 2018" + +.SH NAME +xtables-translate \- translation tools to migrate from iptables to nftables + +.SH DESCRIPTION +There is a set of tools to help the system administrator translate a given +ruleset from \fBiptables(8)\fP and \fBip6tables(8)\fP to \fBnftables(8)\fP. + +The available commands are: + +.IP \[bu] 2 +iptables-translate +.IP \[bu] +iptables-restore-translate +.IP \[bu] 2 +ip6tables-translate +.IP \[bu] +ip6tables-restore-translate + +.SH USAGE +They take as input the original \fBiptables(8)\fP/\fBip6tables(8)\fP syntax and +output the native \fBnftables(8)\fP syntax. + +The \fBiptables-restore-translate\fP tool reads a ruleset in the syntax +produced by \fBiptables-save(8)\fP. Likewise, the +\fBip6tables-restore-translate\fP tool reads one produced by +\fBip6tables-save(8)\fP. 
+ +The \fBiptables-translate\fP reads a command line as if it was entered to +\fBiptables(8)\fP, and \fBip6tables-translate\fP reads a command like as if it +was entered to \fBip6tables(8)\fP. + +.SH EXAMPLES +Basic operation examples. + +Single command translation: + +.nf +root@machine:~# iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT +nft add rule ip filter INPUT tcp dport 22 ct state new counter accept + +root@machine:~# ip6tables-translate -A FORWARD -i eth0 -o eth3 -p udp -m multiport --dports 111,222 -j ACCEPT +nft add rule ip6 filter FORWARD iifname eth0 oifname eth3 meta l4proto udp udp dport { 111,222} counter accept +.fi + +Whole ruleset translation: + +.nf +root@machine:~# iptables-save > save.txt +root@machine:~# cat save.txt +# Generated by iptables-save v1.6.0 on Sat Dec 24 14:26:40 2016 +*filter +:INPUT ACCEPT [5166:1752111] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [5058:628693] +-A FORWARD -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT +COMMIT +# Completed on Sat Dec 24 14:26:40 2016 + +root@machine:~# iptables-restore-translate -f save.txt +# Translated by iptables-restore-translate v1.6.0 on Sat Dec 24 14:26:59 2016 +add table ip filter +add chain ip filter INPUT { type filter hook input priority 0; } +add chain ip filter FORWARD { type filter hook forward priority 0; } +add chain ip filter OUTPUT { type filter hook output priority 0; } +add rule ip filter FORWARD tcp dport 22 ct state new counter accept + +root@machine:~# iptables-restore-translate -f save.txt > ruleset.nft +root@machine:~# nft -f ruleset.nft +root@machine:~# nft list ruleset +table ip filter { + chain INPUT { + type filter hook input priority 0; policy accept; +
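Review bot: in the USAGE paragraph, "ip6tables-translate reads a command like as if it was entered" should read "command line"; and the bullet list under DESCRIPTION mixes `.IP \[bu] 2` with `.IP \[bu]`, so the second and fourth items render at a different indent from the first and third. Two caveats a reader will run into belong in EXAMPLES as well: the translated `add chain` lines carry no `policy`, so the page should state whether non-ACCEPT chain policies from iptables-save are preserved, and both translated rules gain a `counter` statement that was not spelled out in the original, which changes what `nft list ruleset` shows compared to the iptables ruleset.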
Re: [PATCH nft] src: install table skeleton files to sysconfdir/nftables
On 12 March 2018 at 12:36, Florian Westphal wrote: > + > +install-data-hook: > + ${SED} -i 's|@sbindir[@]|${sbindir}/|g' ${DESTDIR}${pkgsysconfdir}/* > -- The shebang in those files is static now (#!/usr/sbin/nft -f) Perhaps we should differentiate between files we use for development and example files for the tarball (downstream users)
Re: [nft PATCH v2 1/3] nftables: rearrange files and examples
On 10 March 2018 at 09:28, Duncan Roe wrote: > > Up to Release 0.8.2, it used to be the case that after *make install*, these > example files would show up in /etc/nftables. > > Now they don't. > > I think this is a regression which needs to be addressed, We wanted to provide a collection of examples of what nftables can do, for people who may be external to the project. More examples may be added in the short term, I would like to see that directory full of nft scripts. I'm not sure if we should install all of them to /etc/ with make install. Any proposal?
Re: [PATCH nft] src: move monitor code to src/monitor.c
On 7 March 2018 at 13:36, Phil Sutter <p...@nwl.cc> wrote: > On Wed, Mar 07, 2018 at 01:22:21PM +0100, Pablo Neira Ayuso wrote: >> netlink.c is a rather large file, move the monitor code to its own file. >> >> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> > > Acked-by: Phil Sutter <p...@nwl.cc> Acked-by: Arturo Borrero Gonzalez <art...@netfilter.org>
Re: [RFC nft] tests: shell: autogenerate dump verification
On 6 March 2018 at 11:47, Florian Westphal <f...@strlen.de> wrote: > Arturo Borrero Gonzalez <art...@netfilter.org> wrote: >> On 5 March 2018 at 23:57, Laura Garcia Liebana <nev...@gmail.com> wrote: >> >> > 141 files changed, 837 insertions(+), 526 deletions(-) >> >> Better place a new script as a testcase, and all the required dump >> files somewhere for it to read them. >> Also, we have several testcases which are very long (we generate lots >> of sets elements, for example) and I don't think it makes sense to >> have them in plain text in the git tree. > > How would you verify that output didn't change without storing > 'known state' somewhere? > Or did you mean 'skip listing verification for some tests'? > > I don't think it's a big deal and would not worry about the size. > >> Anyway, we don't seem to be saving LOCs. > > Yes but it decouples script from expected output, I think that's an > improvement. > > Next step f.e. could be to make sure we don't choke when we try > to feed rule listing back to nftables via -f. Ok, makes sense.
Re: [RFC nft] tests: shell: autogenerate dump verification
On 5 March 2018 at 23:57, Laura Garcia Liebana wrote: > 141 files changed, 837 insertions(+), 526 deletions(-) Better place a new script as a testcase, and all the required dump files somewhere for it to read them. Also, we have several testcases which are very long (we generate lots of sets elements, for example) and I don't think it makes sense to have them in plain text in the git tree. Mind that this testsuite is meant to be generic, we have now shell scripts, but we may have python code or even C in the future, and the main runner script is intended to only launch them. Anyway, we don't seem to be saving LOCs. BTW make sure you use the NFT environment variable, so we can test arbitrary nft binaries.
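Added example (mine, not code from the nftables tree or from either message above): a minimal runner in the spirit of the dump-verification scheme discussed in the two messages above, honouring the NFT environment variable so an arbitrary nft binary can be tested. It assumes, as my own conventions and not the project's, that the known-good listing of a testcase is stored next to it as `<testcase>.nft`, that the ruleset is flushed before each testcase, and that a missing dump is generated on the first run instead of being reported as a failure.

```shell
#!/bin/sh
# Added example, not part of nftables: verify each testcase's resulting
# ruleset against a stored dump, the way the RFC above proposes.
#
# Assumptions (mine, not the project's):
#  - the known-good listing for TESTCASE is stored as TESTCASE.nft
#  - the ruleset is flushed before every testcase
#  - a missing dump file is generated on the first run and verified afterwards

# Honour $NFT so a freshly built binary can be tested instead of /usr/sbin/nft.
NFT="${NFT:-nft}"

# verify_dump TESTCASE
# Loads TESTCASE with "$NFT -f", lists the resulting ruleset and compares it
# with TESTCASE.nft. Exit status: 0 on match (or when the dump was just
# generated), 1 on mismatch, 2 when nft or the testcase itself failed.
verify_dump() {
    tc="$1"
    dump="$tc.nft"

    "$NFT" flush ruleset || return 2
    "$NFT" -f "$tc" || return 2
    actual=$("$NFT" list ruleset) || return 2

    if [ ! -f "$dump" ]; then
        printf '%s\n' "$actual" > "$dump"   # first run: record the known state
        return 0
    fi
    # diff exits 0 on match and 1 on mismatch; the mismatch goes to stderr
    printf '%s\n' "$actual" | diff -u "$dump" - >&2
}

# run_all TESTCASE...
# Runs every testcase; exits 0 only if each one matched its dump.
run_all() {
    rc=0
    for tc in "$@"; do
        if verify_dump "$tc"; then
            echo "PASS $tc"
        else
            echo "FAIL $tc"
            rc=1
        fi
    done
    return $rc
}

if [ $# -gt 0 ]; then
    run_all "$@"
fi
```

Usage: `NFT=/path/to/nft sh runner.sh tests/shell/testcases/sets/*_0`. The dumps written on the first run are what gets committed next to the testcases; from then on the script and its expected output are decoupled, and feeding the dump back through `nft -f` is a natural follow-up check.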
Re: [PATCH nft] tests: shell: set timeout and size combination coverage
On 5 March 2018 at 16:29, Pablo Neira Ayuso wrote: > Signed-off-by: Pablo Neira Ayuso > --- > tests/shell/testcases/sets/0031set_timeout_size_0 | 15 +++ > 1 file changed, 15 insertions(+) > create mode 100755 tests/shell/testcases/sets/0031set_timeout_size_0 > > diff --git a/tests/shell/testcases/sets/0031set_timeout_size_0 > b/tests/shell/testcases/sets/0031set_timeout_size_0 > new file mode 100755 > index ..ef65972aa020 > --- /dev/null > +++ b/tests/shell/testcases/sets/0031set_timeout_size_0 > @@ -0,0 +1,15 @@ > +#!/bin/bash > + > +tmpfile=$(mktemp) > +if [ ! -w $tmpfile ] ; then > + echo "Failed to create tmp file" >&2 > + exit 0 > +fi > + > +trap "rm -rf $tmpfile" EXIT # cleanup if aborted > + > +echo "add table x > +add set x y { type ipv4_addr; size 128; timeout 30s; }" ^^^ probably missing > $tmpfile > + > +set -e > +$NFT -f $tmpfile
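Review bot: besides the missing `> $tmpfile` redirect pointed out above (without it `$NFT -f $tmpfile` loads an empty file and the test passes without exercising the set at all), the `exit 0` taken when the temp file cannot be created turns a setup failure into a pass; use `exit 1` there. Quoting `$tmpfile` in the `[ ! -w ... ]` test and in the trap would also keep the script working if mktemp ever returns a path with spaces.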
Re: Contribute to Net-filter Development && G-Soc 2018
On 3 March 2018 at 22:17, Himanshu Sagar wrote: > Hi All, > > Himanshu here. > > Having used iptables and ebtables in U.G. projects, I acknowledge dev > team's effort in making this a reality. I'm interested in contributing > to net-filter development and if I'm able to fix few bugs before > deadline(so that I consider myself good enough), I would like to put > up a request for taking Task 1 or 2(here : > http://people.netfilter.org/pablo/nf-ideas-2018.txt) as GSoc 2018 > Project. I did following to get started: > > 1. I did an empty search(no search query) on Bugzilla and found two > "targets" for me to fix: > a. A printing > bug(https://bugzilla.netfilter.org/show_bug.cgi?id=1211), just to get > started. > b. Another somewhat advanced > bug(https://bugzilla.netfilter.org/show_bug.cgi?id=1161), to get hands > dirty. This bug causes entire pipeline to fail and should provide a > better insight/overview to me. > 2. I pulled out code corresponding to 1.a (iptables:1.6.1), and > compiled it. After staring at code, for some time, I believe "static > int list_entries" function at line 913 is the culprit. > > Question : > A. Are these bugs a sensible choice? > B. Which order would you suggest for reading and messing with code? > for e.g read this part first, then this and so on. Hi, thanks for your interest in the Netfilter project! We are focusing on nftables in this round of GSoC, as stated in the ideas document: 8< In this edition, we propose that the students focus again on the nftables [1] project, the successor of the popular iptables [2] firewalling tool. [...] 8< Those bugs are part of iptables, so I would suggest you focus on nftables-related code. 
Also, in that same document: === 8< If you are a student willing to participate in GSoC 2018 and you're interested in any of our tasks, please subscribe to this mailing list: https://lists.netfilter.org/mailman/listinfo/gsoc2013 Subscribing to this mailing list requires approval from the administrator, so please be patient, we'll accept it asap. You can use this mailing list to ask your questions regarding Netfilter's task during the GSoC 2018. === 8< === So, let's please move to the gsoc-specific mailing list, where there are already several students asking questions about nftables. The ideas document contains valuable information, please make sure you read it in detail. best regards!
Re: [PATCH nft] parser: support of maps with timeout
On 2 March 2018 at 11:47, Pablo Neira Ayuso wrote: > On Fri, Mar 02, 2018 at 10:50:18AM +0100, Laura Garcia Liebana wrote: >> Support of key and value association with a certain timeout. >> >> Example: >> >> nft add map nftlb mapa { type inet_service: ipv4_addr\; >> timeout 5s\; } >> >> Results in: >> >> table ip nftlb { >> map mapa { >> type inet_service : ipv4_addr >> timeout 5s >> } >> } > > Applied, thanks Laura. Good work. @Laura could we have testcases for this?
[iptables PATCH] iptables: add xtables-compat.8 manpage
Copied back from the downstream Debian package. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- iptables/Makefile.am |2 - iptables/xtables-compat.8 | 177 + 2 files changed, 178 insertions(+), 1 deletion(-) create mode 100644 iptables/xtables-compat.8 diff --git a/iptables/Makefile.am b/iptables/Makefile.am index f92cc4ff..d0060c60 100644 --- a/iptables/Makefile.am +++ b/iptables/Makefile.am @@ -58,7 +58,7 @@ sbin_PROGRAMS += xtables-compat-multi endif man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \ iptables-xml.1 ip6tables.8 ip6tables-restore.8 \ - ip6tables-save.8 iptables-extensions.8 + ip6tables-save.8 iptables-extensions.8 xtables-compat.8 CLEANFILES = iptables.8 \ xtables-config-parser.c xtables-config-syntax.c diff --git a/iptables/xtables-compat.8 b/iptables/xtables-compat.8 new file mode 100644 index ..90f887e1 --- /dev/null +++ b/iptables/xtables-compat.8 
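Review bot: xtables-compat.8 is added to man_MANS unconditionally, while the commands it documents come from xtables-compat-multi, which the lines just above this hunk build only inside a conditional (`sbin_PROGRAMS += xtables-compat-multi` followed by `endif`). Either move the man page into the same conditional or state in the commit message that builds without nftables support are meant to ship a page for commands they do not install.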
@@ -0,0 +1,177 @@ +.\" +.\" (C) Copyright 2016-2017, Arturo Borrero Gonzalez <art...@netfilter.org> +.\" +.\" %%%LICENSE_START(GPLv2+_DOC_FULL) +.\" This is free documentation; you can redistribute it and/or +.\" modify it under the terms of the GNU General Public License as +.\" published by the Free Software Foundation; either version 2 of +.\" the License, or (at your option) any later version. +.\" +.\" The GNU General Public License's references to "object code" +.\" and "executables" are to be interpreted as the output of any +.\" document formatting or typesetting system, including +.\" intermediate and printed output. +.\" +.\" This manual is distributed in the hope that it will be useful, +.\" but WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +.\" GNU General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public +.\" License along with this manual; if not, see +.\" <http://www.gnu.org/licenses/>. +.\" %%%LICENSE_END +.\" +.TH XTABLES-COMPAT 8 "Feb 25, 2017" + +.SH NAME +xtables-compat \- compat tools to migrate from iptables to nftables + +.SH DESCRIPTION +\fBxtables-compat\fP is set of tools to help the system administrator migrate the +ruleset from \fBiptables(8)\fP, \fBip6tables(8)\fP, \fBarptables(8)\fP, and +\fBebtables(8)\fP to \fBnftables(8)\fP. + +The \fBxtables-compat\fP set is composed of several commands: +.IP \[bu] 2 +iptables-compat +.IP \[bu] +iptables-compat-save +.IP \[bu] +iptables-compat-restore +.IP \[bu] +ip6tables-compat +.IP \[bu] +ip6tables-compat-save +.IP \[bu] +ip6tables-compat-restore +.IP \[bu] +arptables-compat +.IP \[bu] +ebtables-compat + +These tools use the libxtables framework extensions and hook to the nf_tables +kernel subsystem using the \fBnft_compat\fP module. 
+ +.SH USAGE +The compat tools set allows you to manage the nf_tables backend using the +native syntax of \fBiptables(8)\fP, \fBip6tables(8)\fP, \fBarptables(8)\fP, and +\fBebtables(8)\fP. + +You should use the compat tools exactly the same way as you would use the +corresponding original tool. + +Adding a rule will result in that rule being added to the nf_tables kernel +subsystem instead. +Listing the ruleset will use the nf_tables backend as well. + +When these tools were designed, the main idea was to replace each legacy binary +with a symlink to the corresponding compat tool, for example: + +.nf + /sbin/iptables --> /usr/sbin/iptables-compat + /sbin/ip6tables --> /usr/sbin/ip6tables-compat + /sbin/arptables --> /usr/sbin/arptables-compat + /sbin/ebtables --> /usr/sbin/ebtables-compat +.fi + +.SH EXAMPLES +One basic example is creating the skeleton ruleset in nf_tables from the +compat tools, in a fresh machine: + +.nf + root@machine:~# iptables-compat -L + [...] + root@machine:~# ip6tables-compat -L + [...] + root@machine:~# arptables-compat -L + [...] + root@machine:~# ebtables-compat -L + [...] + root@machine:~# nft list ruleset + table ip filter { + chain INPUT { + type filter hook input priority 0; policy accept; + } + + chain FORWARD { + type filter hook forward priority 0; policy accept; + } + + chain OUTPUT { + type filter hook output priority 0; policy accept; + } + } + table ip6 filter { + chain INPUT { + type filter hook input priority 0; policy accept; + } + + chain FORWARD { +
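Review bot: "\fBxtables-compat\fP is set of tools" is missing an article ("is a set of tools"). The EXAMPLES section shows something USAGE should state outright: a plain `iptables-compat -L`, `ip6tables-compat -L`, `arptables-compat -L` or `ebtables-compat -L` is not read-only, it creates the filter table and its base chains in nf_tables as a side effect, which a reader who only wants to inspect state will not expect and which matters on a box that already carries a native nft ruleset. The symlink example also mixes `/sbin/iptables` with `/usr/sbin/iptables-compat`; pick one directory for both so the four lines can be copied as-is.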
[nft PATCH v3 2/3] examples: add ct helper examples
Include some examples in the nftables tarball on using the ct helper infraestructure, inspired from wiki.nftables.org. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- v2: fix some typos v3: fix typo in shebang reported by Florian files/examples/ct_helpers.nft | 43 + 1 file changed, 43 insertions(+) create mode 100755 files/examples/ct_helpers.nft diff --git a/files/examples/ct_helpers.nft b/files/examples/ct_helpers.nft new file mode 100755 index 000..07ebb2a --- /dev/null +++ b/files/examples/ct_helpers.nft @@ -0,0 +1,43 @@ +#!/usr/sbin/nft -f + +# This example file shows how to use ct helpers in the nftables framework. +# Note that nftables includes interesting improvements compared to how this +# was done with iptables, such as loading multiple helpers with a single rule +# This script is meant to be loaded with `nft -f ` +# You require linux kernel >= 4.12 and nft >= 0.8 +# For up-to-date information please visit https://wiki.nftables.org + +# Using ct helpers is an important security feature when doing stateful +# firewalling, since it mitigate certain networking attacks. +# More info at: https://home.regit.org/netfilter-en/secure-use-of-helpers/ + + +flush ruleset +table inet filter { + # declare helpers of this table + ct helper ftp-standard { + type "ftp" protocol tcp; + l3proto inet + } + ct helper sip-5060 { + type "sip" protocol udp; + l3proto inet + } + ct helper tftp-69 { + type "tftp" protocol udp + l3proto inet + } + + chain input { + type filter hook input priority 0; policy drop; + ct state established,related accept + + # assign a single helper in a single rule + tcp dport 21 ct helper set "ftp-standard" + + # assign multiple helpers in a single rule + ct helper set udp dport map { + 69 : "tftp-69", \ + 5060 : "sip-5060" } + } +} -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
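Review bot: the header comment says "since it mitigate certain networking attacks"; that should be "mitigates". More importantly, the file opens with `flush ruleset`, which wipes every table on the host, not just `inet filter`; since the header invites people to load it with `nft -f`, add a line warning that it replaces the whole ruleset. The commit message also spells "infraestructure" for "infrastructure".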
[nft PATCH] meta: introduce datatype ifname_type
This new datatype is a string subtype. It will allow us to build named maps/sets using meta keys like 'iifname', 'oifname', 'ibriport' or 'obriport'. Example: table inet t { set s { type ifname elements = { "eth0", "eth1" } } chain c { iifname @s accept oifname @s accept } } Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- doc/nft.xml|8 ++--- include/datatype.h |2 + include/meta.h |1 + src/datatype.c |1 + src/evaluate.c | 19 +-- src/meta.c | 17 +++--- src/netlink_delinearize.c | 27 +++ src/netlink_linearize.c| 14 +--- .../shell/testcases/maps/0007named_ifname_dtype_0 | 35 .../shell/testcases/sets/0029named_ifname_dtype_0 | 35 10 files changed, 134 insertions(+), 25 deletions(-) create mode 100755 tests/shell/testcases/maps/0007named_ifname_dtype_0 create mode 100755 tests/shell/testcases/sets/0029named_ifname_dtype_0 diff --git a/doc/nft.xml b/doc/nft.xml index 9d21e9a..6748265 100644 --- a/doc/nft.xml +++ b/doc/nft.xml @@ -2572,7 +2572,7 @@ filter output icmpv6 type { echo-request, echo-reply } iifname Input interface name - string + ifname iiftype @@ -2587,7 +2587,7 @@ filter output icmpv6 type { echo-request, echo-reply } oifname Output interface name - string + ifname oiftype @@ -2612,12 +2612,12 @@ filter output icmpv6 type { echo-request, echo-reply } ibriport Input bridge interface name - string + ifname obriport Output bridge interface name - string + ifname pkttype diff --git a/include/datatype.h b/include/datatype.h index cc4cb07..dd94e80 100644 --- a/include/datatype.h +++ b/include/datatype.h @@ -41,6 +41,7 @@ * @TYPE_ICMPX_CODE: icmpx code (integer subtype) * @TYPE_DEVGROUP: devgroup code (integer subtype) * @TYPE_DSCP: Differentiated Services Code Point (integer subtype) + * @TYPE_IFNAME: interface name (string subtype) */ enum datatypes { TYPE_INVALID, @@ -84,6 +85,7 @@ enum datatypes { TYPE_FIB_ADDR, TYPE_BOOLEAN, TYPE_CT_EVENTBIT, +TYPE_IFNAME, __TYPE_MAX }; #define TYPE_MAX (__TYPE_MAX - 1) 
diff --git a/include/meta.h b/include/meta.h index 47b16c4..6086a71 100644 --- a/include/meta.h +++ b/include/meta.h @@ -38,5 +38,6 @@ extern const struct datatype gid_type; extern const struct datatype uid_type; extern const struct datatype devgroup_type; extern const struct datatype pkttype_type; +extern const struct datatype ifname_type; #endif /* NFTABLES_META_H */ diff --git a/src/datatype.c b/src/datatype.c index 93726ca..324ac80 100644 --- a/src/datatype.c +++ b/src/datatype.c @@ -68,6 +68,7 @@ static const struct dataty
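Review bot: the doc/nft.xml hunk switches the type column of iifname, oifname, ibriport and obriport from string to ifname, but nothing in this excerpt adds an entry describing the new ifname data type to the manual's data types section, so a reader who meets `type ifname` (as in the commit message example) has nowhere to look it up; add one next to the string type. The TYPE_IFNAME enum member is correctly appended after TYPE_CT_EVENTBIT rather than inserted in the middle, so existing numeric values are unchanged.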
Re: [PATCH] xtables-compat-multi.c: Allow symlink of ebtables
On 25 February 2018 at 08:14, Duncan Roe wrote: > This patch allows one to force a subsystem that one does not wish to modify > (e.g. libvirt) to use the ebtables compatibility layer. > > ebtables-compat was already a symlink to xtables-compat-multi but ebtables > was a > stand-alone program. So one could move it out of the way before making the > symlink as below: > > lrwxrwxrwx 1 root root 20 Feb 24 11:03 ebtables -> xtables-compat-multi > -rwxr-xr-x 1 root root 75176 Feb 24 11:03 ebtables.orig > > With this patch, kernel modules ebtable_filter & ebtables are no longer > loaded. > > Signed-off-by: Duncan Roe Thanks, good to see people using nftables for virtualization environments.
Re: [nft PATCH v2 1/3] nftables: rearrange files and examples
On 24 February 2018 at 23:07, Florian Westphal <f...@strlen.de> wrote: > Arturo Borrero Gonzalez <art...@netfilter.org> wrote: >> Concatenate all family/hook examples into a single one by means of includes. >> >> Put all example files under examples/. Use the '.nft' prefix and mark >> them as executable files. Use a static shebang declaration, since these >> are examples meant for final systems and users. >> >> While at it, refresh also the sets_and_maps.nft example file and also >> add the 'netdev-ingress.nft' example file. > > Looks good, two more nits: > > Any reason why this doesn't use > #! @sbindir@nft -f ? > I didn't expect we were using these files for development activities. My idea was to use just the static shebang for the purpose of being an example in final users systems (which would likely use /usr/sbin/nft). Also, this way the examples are readable & copy-ready for users in both the git repo and the tarball. (with static I mean: don't have it replaced by make).
[nft PATCH v2 3/3] files: add load balance example
Include this example file in the tarball on how to do load balancing with nftables, inspired from https://wiki.nftables.org Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- v2: fix some typos files/examples/load_balancing.nft | 54 + 1 file changed, 54 insertions(+) create mode 100755 files/examples/load_balancing.nft diff --git a/files/examples/load_balancing.nft b/files/examples/load_balancing.nft new file mode 100755 index 000..2f03d27 --- /dev/null +++ b/files/examples/load_balancing.nft 
@@ -0,0 +1,54 @@ +#!/usr/sbin/nft -f + +# This example file shows how to implement load balancing using the nftables +# framework. +# This script is meant to be loaded with `nft -f ` +# You require linux kernel >= 4.12 and nft >= 0.7 +# For up-to-date information please visit https://wiki.nftables.org + +flush ruleset + +table ip nat { + chain prerouting { + type nat hook prerouting priority -300; + # round-robing load balancing between the 2 IPv4 addresses: + dnat to numgen inc mod 2 map { + 0 : 192.168.10.100, \ + 1 : 192.168.20.200 } + # emulate flow distribution with different backend weights using intervals: + dnat to numgen inc mod 10 map { + 0-5 : 192.168.10.100, \ + 6-9 : 192.168.20.200 } + # tcp port based distribution is also possible: + ip protocol tcp dnat to 192.168.1.100 : numgen inc mod 2 map { + 0 : 4040 ,\ + 1 : 4050 } + # consistent hash-based distribution: + dnat to jhash ip saddr . tcp dport mod 2 map { + 0 : 192.168.20.100, \ + 1 : 192.168.30.100 } + } +} + +table ip raw { + chain prerouting { + type filter hook prerouting priority -300; + # using stateless NAT, round-robing distribution (you could use hashing too): + tcp dport 80 notrack ip daddr set numgen inc mod 2 map { 0 : 192.168.1.100, 1 : 192.168.1.101 } + } +} + +table netdev mytable { + chain ingress { + # mind the NIC devices, they must exist in the system + type filter hook ingress device eth0 priority 0; + # using Direct Server Return (DSR), connectionless approach: + udp dport 53 ether saddr set aa:bb:cc:dd:ff:ee ether daddr set numgen inc mod 2 map { + 0 : aa:aa:aa:aa:aa:aa, + 1 : bb:bb:bb:bb:bb:bb } fwd to eth1 + # using Direct Server Return (DSR), connection-oriented flows: +tcp dport 80 ether saddr set aa:bb:cc:dd:ff:ee ether daddr set jhash ip saddr . 
tcp sport mod 2 map { + 0 : aa:aa:aa:aa:aa:aa, + 1 : bb:bb:bb:bb:bb:bb } fwd to eth1 + } +} -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
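Review bot: in the `ip nat` prerouting chain the four dnat rules are meant as alternatives, but as written they are four unconditional rules in one chain; dnat is terminal, so only the first ever takes effect and the other three are dead code for anyone who loads the file as-is. Comment out all but one, or give each a distinguishing match. That chain is also registered at `priority -300`, which is before conntrack (priority -200); nat needs the conntrack entry to exist, so at -300 the chain sees untracked packets and the usual value for prerouting dnat is -100. Finally, "round-robing" (twice) should be "round-robin".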
[nft PATCH v2 1/3] nftables: rearrange files and examples
Concatenate all family/hook examples into a single one by means of includes. Put all example files under examples/. Use the '.nft' prefix and mark them as executable files. Use a static shebang declaration, since these are examples meant for final systems and users. While at it, refresh also the sets_and_maps.nft example file and also add the 'netdev-ingress.nft' example file. 
Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- v2: address comments by Florian & Pablo. Fix some typos Makefile.am |6 ++-- configure.ac |2 - files/Makefile.am |1 - files/examples/arp-filter.nft |6 files/examples/bridge-filter.nft |7 files/examples/families_and_hooks.nft | 32 files/examples/inet-filter.nft|7 files/examples/ipv4-filter.nft|7 files/examples/ipv4-mangle.nft|5 +++ files/examples/ipv4-nat.nft |8 + files/examples/ipv4-raw.nft |6 files/examples/ipv6-filter.nft|7 files/examples/ipv6-mangle.nft|5 +++ files/examples/ipv6-nat.nft |8 + files/examples/ipv6-raw.nft |6 files/examples/netdev-ingress.nft |7 files/examples/sets_and_maps | 53 files/examples/sets_and_maps.nft | 54 + files/nftables/Makefile.am| 16 -- files/nftables/arp-filter |6 files/nftables/bridge-filter |7 files/nftables/inet-filter|7 files/nftables/ipv4-filter|7 files/nftables/ipv4-mangle|5 --- files/nftables/ipv4-nat |8 - files/nftables/ipv4-raw |6 files/nftables/ipv6-filter|7 files/nftables/ipv6-mangle|5 --- files/nftables/ipv6-nat |8 - files/nftables/ipv6-raw |6 30 files changed, 168 insertions(+), 147 deletions(-) delete mode 100644 files/Makefile.am create mode 100755 files/examples/arp-filter.nft create mode 100755 files/examples/bridge-filter.nft create mode 100755 files/examples/families_and_hooks.nft create mode 100755 files/examples/inet-filter.nft create mode 100755 files/examples/ipv4-filter.nft create mode 100755 files/examples/ipv4-mangle.nft create mode 100755 files/examples/ipv4-nat.nft create mode 100755 files/examples/ipv4-raw.nft create mode 100755 files/examples/ipv6-filter.nft create mode 100755 files/examples/ipv6-mangle.nft create mode 100755 files/examples/ipv6-nat.nft create mode 100755 files/examples/ipv6-raw.nft create mode 100755 files/examples/netdev-ingress.nft delete mode 100755 files/examples/sets_and_maps create mode 100755 files/examples/sets_and_maps.nft delete mode 100644 files/nftables/Makefile.am delete mode 100644 files/nftables/arp-filter 
delete mode 100644 files/nftables/bridge-filter delete mode 100644 files/nftables/inet-filter delete mode 100644 files/nftables/ipv4-filter delete mode 100644 files/nftables/ipv4-mangle delete mode 100644 files/nftables/ipv4-nat delete mode 100644 files/nftables/ipv4-raw delete mode 100644 files/nftables/ipv6-filter delete mode 100644 files/nftables/ipv6-mangle delete mode 100644 files/nftables/ipv6-nat delete mode 100644 files/nftables/ipv6-raw diff --git a/Makefile.am b/Makefile.am index 10aa40f..5ef61be 100644 --- a/Makefile.am +++ b/Makefile.am @@ -2,7 +2,7 @@ ACLOCAL_AMFLAGS = -I m4 SUBDIRS = src \ include \ - doc \ - files + doc -EXTRA_DIST = tests +EXTRA_DIST = tests \ + files diff --git a/configure.ac b/configure.ac index 1a38653..408a6bc 100644 --- a/configure.ac +++ b/configure.ac @@ -140,8 +140,6 @@ AC_CONFIG_FILES([ \ include/linux/netfilter_ipv4/Makefile \ include/linux/netfilter_ipv6/Makefile \ doc/Makefile\ - files/Makefile \ - files/nftables/Makefile \ ]) AC_OUTPUT diff --git a/files/Makefile.am b/files/Makefile.am deleted file mode 100644 index a8394c0..000 --- a/files/Makefile.am +++ /dev/null @@ -1 +0,0 @@ -SUBDIRS = nftables diff --git a/files/examples/arp-filter.nft b/files/examples/arp-filter.nft new file mode 100755 index 000..13166bd --- /dev/null +++ b/files/examples/arp-filter.nft @@ -0,0 +1,6 @@ +#!/usr/sbin/nft -f + +table arp filter { + chain input { type filter hook input priority 0; } + chain output{ type filter hook output priority 0; } +} diff --git a/files/examples/bridge-filter.nft b/files/examples/bridge-filter.nf
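Review bot: removing `files` from SUBDIRS and listing it under EXTRA_DIST means `make install` no longer installs anything from files/, which is exactly the /etc/nftables regression Duncan Roe raises in this thread; if the skeletons are now distribution-only material, say so in the commit message, or install them under docdir instead. The commit message says the files get the '.nft' prefix; it is a suffix. The hard-coded `#!/usr/sbin/nft -f` shebang is fine for a tarball example but points at the wrong binary wherever nft lives elsewhere, which is why a configure-substituted path was suggested.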
[nft PATCH v2 2/3] examples: add ct helper examples
Include some examples in the nftables tarball on using the ct helper infrastructure, inspired from wiki.nftables.org. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- v2: fix some typos files/examples/ct_helpers.nft | 43 + 1 file changed, 43 insertions(+) create mode 100755 files/examples/ct_helpers.nft diff --git a/files/examples/ct_helpers.nft b/files/examples/ct_helpers.nft new file mode 100755 index 000..fecdea6 --- /dev/null +++ b/files/examples/ct_helpers.nft @@ -0,0 +1,43 @@ +#!/usr/sin/nft -f + +# This example file shows how to use ct helpers in the nftables framework. +# Note that nftables includes interesting improvements compared to how this +# was done with iptables, such as loading multiple helpers with a single rule +# This script is meant to be loaded with `nft -f ` +# You require linux kernel >= 4.12 and nft >= 0.8 +# For up-to-date information please visit https://wiki.nftables.org + +# Using ct helpers is an important security feature when doing stateful +# firewalling, since it mitigate certain networking attacks. +# More info at: https://home.regit.org/netfilter-en/secure-use-of-helpers/ + + +flush ruleset +table inet filter { + # declare helpers of this table + ct helper ftp-standard { + type "ftp" protocol tcp; + l3proto inet + } + ct helper sip-5060 { + type "sip" protocol udp; + l3proto inet + } + ct helper tftp-69 { + type "tftp" protocol udp + l3proto inet + } + + chain input { + type filter hook input priority 0; policy drop; + ct state established,related accept + + # assign a single helper in a single rule + tcp dport 21 ct helper set "ftp-standard" + + # assign multiple helpers in a single rule + ct helper set udp dport map { + 69 : "tftp-69", \ + 5060 : "sip-5060" } + } +} -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
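Review bot: the shebang on the first line is `#!/usr/sin/nft -f`; it should be `/usr/sbin/nft`, otherwise the file fails when executed directly (it still loads with `nft -f`). More important for an example meant to teach secure helper use: `ct helper set` is a statement, not a verdict, so after `tcp dport 21 ct helper set "ftp-standard"` and the udp map rule evaluation continues and, with `policy drop`, the first packet of every FTP, TFTP or SIP connection is dropped; the helpers get assigned to conntrack entries that never reach established state. Add explicit accept rules for tcp/21, udp/69 and udp/5060 after the helper assignments (or assign the helpers in a chain whose policy is accept) so the example actually passes traffic. Minor: ftp-standard and sip-5060 terminate `protocol ...;` with a semicolon while tftp-69 relies on the newline; both are valid separators, but keep the three blocks consistent.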
[NFT PATCH 3/3] files: add load balance example
Include this example file in the tarball on how to do load balancing with nftables, inspired from https://wiki.nftables.org Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- files/examples/load_balancing.nft | 54 + 1 file changed, 54 insertions(+) create mode 100755 files/examples/load_balancing.nft diff --git a/files/examples/load_balancing.nft b/files/examples/load_balancing.nft new file mode 100755 index 000..128a443 --- /dev/null +++ b/files/examples/load_balancing.nft 
@@ -0,0 +1,54 @@ +#!/usr/sbin/nft -f + +# This example file shows how to implement load balancing using the nftables +# framework. +# This script is mean to be loaded with `nft -f ` +# You require linux kernel >= 4.12 and nft >= 0.7 +# For up-to-date information please visit https://wiki.nftables.org + +flush ruleset + +table ip nat { + chain prerouting { + type nat hook prerouting priority -300; + # round-robing load balancing between the 2 IPv4 addresses: + dnat to numgen inc mod 2 map { + 0 : 192.168.10.100, \ + 1 : 192.168.20.200 } + # emulate flow distribution with different backend weights using intervals: + dnat to numgen inc mod 10 map { + 0-5 : 192.168.10.100, \ + 6-9 : 192.168.20.200 } + # tcp port based distribution is also possible: + ip protocol tcp dnat to 192.168.1.100 : numgen inc mod 2 map { + 0 : 4040 ,\ + 1 : 4050 } + # consistent hash-based distribution: + dnat to jhash ip saddr . tcp dport mod 2 map { + 0 : 192.168.20.100, \ + 1 : 192.168.30.100 } + } +} + +table ip raw { + chain prerouting { + type filter hook prerouting priority -300; + # using stateless NAT, round-robing distribution (you could use hashing too): + tcp dport 80 notrack ip daddr set numgen inc mod 2 map { 0 : 192.168.1.100, 1 : 192.168.1.101 } + } +} + +table netdev mytable { + chain ingress { + # mind the NIC devices, they should exist + type filter hook ingress device eth0 priority 0; + # using Direct Server Return (DSR), connectionless approach: + udp dport 53 ether saddr set aa:bb:cc:dd:ff:ee ether daddr set numgen inc mod 2 map { + 0 : aa:aa:aa:aa:aa:aa, + 1 : bb:bb:bb:bb:bb:bb } fwd to eth1 + # using Direct Server Return (DSR), connection-oriented flows: +tcp dport 80 ether saddr set aa:bb:cc:dd:ff:ee ether daddr set jhash ip saddr . 
tcp sport mod 2 map { + 0 : aa:aa:aa:aa:aa:aa, + 1 : bb:bb:bb:bb:bb:bb } fwd to eth1 + } +}
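Review bot: `type nat hook prerouting priority -300` places the nat chain ahead of conntrack (priority -200), and the NAT hook skips packets that carry no conntrack entry, so as written none of the dnat rules take effect; use `priority -100` (dstnat) for the nat prerouting chain and keep -300 only for the raw/notrack chain, where it is correct. Also, nat statements are terminal and the first `dnat to numgen inc mod 2 map {...}` rule matches every packet, so the three rules after it never run; either comment the alternatives out or mark them clearly as mutually exclusive variants of the same chain. Typos in the comments: `round-robing` (twice) for `round-robin`, and `This script is mean to be loaded` for `meant`. One caveat worth a comment next to the stateless `notrack ip daddr set` rule: with conntrack bypassed nothing rewrites the replies, so the backend has to answer from the VIP itself or a matching reverse rule is needed on the return path.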
[NFT PATCH 2/3] examples: add ct helper examples
Include some examples in the nftables tarball on using the ct helper infrastructure, inspired from wiki.nftables.org. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- files/examples/ct_helpers.nft | 43 + 1 file changed, 43 insertions(+) create mode 100755 files/examples/ct_helpers.nft diff --git a/files/examples/ct_helpers.nft b/files/examples/ct_helpers.nft new file mode 100755 index 000..e01bfad --- /dev/null +++ b/files/examples/ct_helpers.nft @@ -0,0 +1,43 @@ +#!/usr/sin/nft -f + +# This example file shows how to use ct helpers in the nftables framework. +# Note that nftables includes interesting improvements compared to how this +# was done with iptables, such as loading multiple helpers with a single rule +# This script is mean to be loaded with `nft -f ` +# You require linux kernel >= 4.12 and nft >= 0.8 +# For up-to-date information please visit https://wiki.nftables.org + +# Using ct helpers is an important security feature when doing stateful +# firewalling, since it mitigate certain networking attacks. +# More info at: https://home.regit.org/netfilter-en/secure-use-of-helpers/ + + +flush ruleset +table inet filter { + # declare helpers of this table + ct helper ftp-standard { + type "ftp" protocol tcp; + l3proto inet + } + ct helper sip-5060 { + type "sip" protocol udp; + l3proto inet + } + ct helper tftp-69 { + type "tftp" protocol udp + l3proto inet + } + + chain input { + type filter hook input priority 0; policy drop; + ct state established,related accept + + # assign a single helper in a single rule + tcp dport 21 ct helper set "ftp-standard" + + # assign multiple helpers in a single rule + ct helper set udp dport map { + 69 : "tftp-69", \ + 5060 : "sip-5060" } + } +}
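Review bot: two typos in the header comment of the new file: `#!/usr/sin/nft -f` should be `#!/usr/sbin/nft -f`, and `This script is mean to be loaded` should read `meant`. The v2 posted above fixes the second but still carries the broken shebang.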
Re: [PATCH RFC 0/4] net: add bpfilter
On 19 February 2018 at 16:36, David Miller wrote: > > In my opinion, any resistance to integration with eBPF and XDP will > lead to even less adoption of netfilter as a technology. > > Therefore my plan is to move everything to be integrated around these > important core technologies. For the purposes of integration, code > coverage, performance, and the ability to juxtapose different bits of > eBPF code into larger optimized code streams that can also be > offloaded into hardware. Thanks for sharing your plans. I'll share mine. Debian already recommends using nftables rather than iptables. Probably in the next release cycle we (Debian) will give even more prominence to nftables by linking iptables to iptables-compat, as an opt-in for users, so we don't break systems. By the next-next release cycle (4+ years or so?) we will probably have enough confidence with compat/translation tools that Debian could fully wipe the old iptables binary to use just the nftables framework. Same for ip6tables, arptables, ebtables. Does this sound reasonable to you? Yes, probably major datacenters (google? facebook? amazon?) don't even care about what Debian is doing, since they are crafting their own distro anyway. But there are *a lot* of other people that do care about these migration plans.
Re: [PATCH RFC 0/4] net: add bpfilter
On 19 February 2018 at 16:27, David Miller wrote: > From: Florian Westphal > Date: Mon, 19 Feb 2018 16:15:55 +0100 > >> Would you be willing to merge nftables into kernel tools directory >> then? > > Did you miss the part where I explained that people explicitly disable > NFTABLES in their kernel configs in most if not all large datacenters? hey, you already shared several statements regarding nftables which are not true. Lots and lots of people are using distribution kernels, which contain NF_TABLES config enabled (all major distros have it). I believe people who build their own kernels are very few if you compare with the number of people who don't (but yeah, they usually have more money). This may sound like a joke, but there are *a lot* of people running production servers with bluetooth drivers enabled in the kconfig. So, I can confirm that: Lots of people and institutions are using nftables already. Lots of people and institutions are considering the transition to nftables from iptables. Lots of people are running simple commodity hardware and know nothing about smartnics or any kind of offloading.
Re: [PATCH RFC 0/4] net: add bpfilter
On 19 February 2018 at 16:36, David Miller wrote: > > I think netfilter is at a real crossroads right now. > I don't think so. The Netfilter Project and the Netfilter Community already "agreed" on nftables and we are working on it. But this isn't a secret, right? We have been open-discussing and open-working on this for *years* now.
Re: question about UNDEFINE/REDEFINE
On 23 January 2018 at 04:40, David Fabian wrote: > Hello Pablo, > > On Tuesday 23 January 2018 12:07:28 CET, Pablo Neira Ayuso wrote: >> I'm asking here because I would need to understand better how you've >> structured your scripts, if you could explain a bit more, we would >> appreciate. > > I have packed an excerpt of a playground FW with two VLANs 3 and 54. The > configuration already uses my redefine keyword. > > ftp://ftp.bosson.eu/pub/tmp/nftables_excerpt.tar.gz > > The intended use case is to call nft -f fw-on and reload the firewall from > scratch every time there is a config change. I don't know how a cmdline > parameter would help us with it. Maybe if we would wrap nft calls with bash > scripts but that would defeat the purpose of using the nft scripting > capabilities in the first place. > > The most important for us is to have the FW logically structured for every > customer and every FW rule related to a customer should be in his/her VLAN > config file. > Your approach (redefining variables) doesn't save so much typing at the end of the day. My suggestion is to simply create one variable per value: define INET_IFACES_VLAN43 = { bond0.x, bond3.y} define INET_IFACES_VLAN3 = { bond3.x, bond3.y} define XXX_VLAN43 = xxx define XXX_VLAN3 = xxx you could generate such a file, something like 'defines.nft' and include it once in your main ruleset file. If you perform many updates to this file, you could even maintain it in git to keep track of changes. Example: https://wiki.nftables.org/wiki-nftables/index.php/Classic_perimetral_firewall_example Another option is to create some kind of shell wrapper to replace variable names before running nft -f (something like make .in files), but that's even uglier? I don't know.
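The layout Pablo suggests above, written out as a complete ruleset. This is an added example and not part of the thread or of the nftables tree: the interface names (bond0.3, bond1.3, bond0.43, bond1.43), the VLAN prefixes and the admin hosts are assumed placeholders, and the per-VLAN chains stand in for the per-customer rule files David wants to keep separate. The defines are inlined so the file loads on its own; in production they would be generated into one file and pulled in with a single `include`.

```nft
#!/usr/sbin/nft -f
# Added example: one variable per value, no redefine needed.
# Every name below is an assumption chosen for illustration.

# In production this block is generated into /etc/nftables/defines.nft
# (kept in git) and replaced here by:
#     include "/etc/nftables/defines.nft"
define IFACES_VLAN3  = { bond0.3, bond1.3 }
define IFACES_VLAN43 = { bond0.43, bond1.43 }
define NET_VLAN3     = 10.3.0.0/24
define NET_VLAN43    = 10.43.0.0/24
define ADMIN_VLAN3   = { 10.3.0.10, 10.3.0.11 }
define ADMIN_VLAN43  = 10.43.0.10

# Reloading from scratch on every config change, as David does with
# `nft -f fw-on`: flush first, then rebuild everything atomically.
flush ruleset

table inet filter {
	chain forward {
		type filter hook forward priority 0; policy drop;
		ct state established,related accept
		ct state invalid drop
		# Dispatch on the ingress VLAN; each customer's rules live in
		# its own regular chain (or its own included file).
		iifname $IFACES_VLAN3 jump vlan3
		iifname $IFACES_VLAN43 jump vlan43
	}

	# Rules belonging to the VLAN 3 customer. Only VLAN 3 variables
	# are referenced, so this chain could be generated per customer.
	chain vlan3 {
		ip saddr $NET_VLAN3 ip daddr $ADMIN_VLAN43 tcp dport 22 accept
		ip saddr $NET_VLAN3 ip daddr $NET_VLAN43 reject with icmpx type admin-prohibited
	}

	# Rules belonging to the VLAN 43 customer.
	chain vlan43 {
		ip saddr $NET_VLAN43 ip daddr $ADMIN_VLAN3 tcp dport { 80, 443 } accept
		ip saddr $NET_VLAN43 ip daddr $NET_VLAN3 drop
	}
}
```

Check the whole thing without touching the kernel with `nft -c -f fw-on.nft`; because `nft -f` loads the file as one transaction, a syntax error in any customer's chain leaves the previous ruleset in place instead of half-applying the new one.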
Re: [PATCH nf-next] netfilter: remove messages print and boot/module load time
On 19 January 2018 at 13:47, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > Several reasons for this: > > * Several modules maintain internal version numbers, that they print at > boot/module load time, that are not exposed to userspace, as a > primitive mechanism to make revision number control from the earlier > days of Netfilter. > > * IPset shows the protocol version at boot/module load time, instead > display this via module description, as Jozsef suggested. > > * Remove copyright notice at boot/module load time in two spots, the > Netfilter codebase is a collective development effort, if we would > have to display copyrights for each contributor at boot/module load > time for each extensions we have, we would probably fill up logs with > lots of useless information - from a technical standpoint. > > So let's be consistent and remove them all. > > Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> Acked-by: Arturo Borrero Gonzalez <art...@netfilter.org>
[nft PATCH] doc/nft.xml: mention nftables earlier
Mention nftables earlier in the documentation, so users have more context on what we are talking about. This is Debian bug #887718, which contains: <<< Currently one must read down 100 lines before it is even mentioned. You might want to make the connection between "nft" and "nftables" as early as the NAME or DESCRIPTION. >>> Requested-by: Dan Jacobson <jida...@jidanni.org> Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- doc/nft.xml |7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/doc/nft.xml b/doc/nft.xml index e515b11..9e979af 100644 --- a/doc/nft.xml +++ b/doc/nft.xml @@ -38,7 +38,7 @@ vi:ts=4 sw=4 nft - Administration tool for packet filtering and classification + Administration tool of the nftables framework for packet filtering and classification @@ -73,8 +73,9 @@ vi:ts=4 sw=4 Description - nft is used to set up, maintain and inspect packet - filtering and classification rules in the Linux kernel. + nft is the command line tool used to set up, maintain and inspect packet + filtering and classification rules in the Linux kernel, in the nftables framework. + The Linux kernel subsystem is known as nf_tables, and 'nf' stands for Netfilter.
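Review bot: the new Description sentence ends awkwardly with two stacked prepositional phrases ("... rules in the Linux kernel, in the nftables framework."); suggest "nft is the command line tool of the nftables framework, used to set up, maintain and inspect packet filtering and classification rules in the Linux kernel." The added sentence naming nf_tables and expanding "nf" is exactly what the Debian report asks for and can stay as is.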
Re: [PATCH nf-next] netfilter: meta: secpath support
On 1 December 2017 at 13:40, Florian Westphalwrote: > replacement for iptables "-m policy --dir in --policy {ipsec,none}". > > Signed-off-by: Florian Westphal > --- > include/uapi/linux/netfilter/nf_tables.h | 2 ++ > net/netfilter/nft_meta.c | 39 > > 2 files changed, 41 insertions(+) > > diff --git a/include/uapi/linux/netfilter/nf_tables.h > b/include/uapi/linux/netfilter/nf_tables.h > index a3ee277b17a1..2efbf9744c2a 100644 > --- a/include/uapi/linux/netfilter/nf_tables.h > +++ b/include/uapi/linux/netfilter/nf_tables.h > @@ -777,6 +777,7 @@ enum nft_exthdr_attributes { > * @NFT_META_OIFGROUP: packet output interface group > * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid) > * @NFT_META_PRANDOM: a 32bit pseudo-random number > + * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp) > */ > enum nft_meta_keys { > NFT_META_LEN, > @@ -804,6 +805,7 @@ enum nft_meta_keys { > NFT_META_OIFGROUP, > NFT_META_CGROUP, > NFT_META_PRANDOM, > + NFT_META_SECPATH, > }; > > /** > diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c > index 5a60eb23a7ed..63a013ad4077 100644 > --- a/net/netfilter/nft_meta.c > +++ b/net/netfilter/nft_meta.c > @@ -210,6 +210,11 @@ void nft_meta_get_eval(const struct nft_expr *expr, > *dest = prandom_u32_state(state); > break; > } > +#ifdef CONFIG_XFRM > + case NFT_META_SECPATH: > + nft_reg_store8(dest, !!skb->sp); > + break; > +#endif > default: > WARN_ON(1); > goto err; > @@ -308,6 +313,11 @@ int nft_meta_get_init(const struct nft_ctx *ctx, > prandom_init_once(_prandom_state); > len = sizeof(u32); > break; > +#ifdef CONFIG_XFRM > + case NFT_META_SECPATH: > + len = sizeof(u8); > + break; > +#endif > default: > return -EOPNOTSUPP; > } 
> @@ -318,6 +328,34 @@ int nft_meta_get_init(const struct nft_ctx *ctx, > } > EXPORT_SYMBOL_GPL(nft_meta_get_init); > > +int nft_meta_get_validate(const struct nft_ctx *ctx, > + const struct nft_expr *expr, > + const struct nft_data **data) > +{ > + const struct nft_meta *priv = nft_expr_priv(expr); > + unsigned int hooks; > + > + if (priv->key != NFT_META_SECPATH) > + return 0; > + Would it be worth adding here something like this? #ifndef CONFIG_XFRM return -EOPNOTSUPP; #endif I mean, if CONFIG_XFRM is not defined, then _get_eval() is doing nothing, right? > + switch (ctx->afi->family) { > + case NFPROTO_NETDEV: > + hooks = 1 << NF_NETDEV_INGRESS; > + break; > + case NFPROTO_IPV4: > + case NFPROTO_IPV6: > + case NFPROTO_INET: > + hooks = (1 << NF_INET_PRE_ROUTING) | > + (1 << NF_INET_LOCAL_IN) | > + (1 << NF_INET_FORWARD); > + break; > + default: > + return -EOPNOTSUPP; > + } > + > + return nft_chain_validate_hooks(ctx->chain, hooks); > +}
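Review bot: on the `#ifndef CONFIG_XFRM` question for nft_meta_get_validate: the init hunk above already returns -EOPNOTSUPP for NFT_META_SECPATH when CONFIG_XFRM is not set, and validate runs after init on the same expression, so the key can never reach validate in that configuration; an extra guard there would be harmless but redundant. A smaller cleanup in the eval hunk: the uapi comment itself says "secpath_exists (!!skb->sp)", and the kernel provides secpath_exists(skb), which returns 0 without XFRM, so `nft_reg_store8(dest, secpath_exists(skb));` would drop both the open-coded `!!skb->sp` and the `#ifdef CONFIG_XFRM` around that case.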
Re: [PATCH nft] src: deprecate "flow table" syntax, replace it by "meter"
On 23 November 2017 at 15:23, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > According to bugzilla 1137: "flow tables" should not be syntactically > unique. > > "Flow tables are always named, but they don't conform to the way sets, > maps, and dictionaries work in terms of "add" and "delete" and all that. > > They are also "flow tables" instead of one word like "flows" or > "throttle" or something. > > It seems weird to just have these break the syntactic expectations." > > Personally, I never liked the reference to "table" since we have very > specific semantics in terms of what a "table" is netfilter for long > time. > > This patch promotes "meter" as the new keyword. The former syntax is > still accepted for a while, just to reduce chances of breaking things. > At some point the former syntax will just be removed. > > Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1137 > Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> > I agree. What about adding a warning in case of using the old syntax? Something like: WARNING: this syntax is deprecated and will be deleted in the future, use 'meter' instead. Acked-by: Arturo Borrero Gonzalez <art...@netfilter.org> > diff --git a/src/evaluate.c b/src/evaluate.c > index fd61e7530d2e..3d4824ff80d6 100644 > --- a/src/evaluate.c > +++ b/src/evaluate.c 
> @@ -2021,37 +2021,37 @@ static int stmt_evaluate_payload(struct eval_ctx > *ctx, struct stmt *stmt) > return expr_evaluate(ctx, >payload.val); > } > > -static int stmt_evaluate_flow(struct eval_ctx *ctx, struct stmt *stmt) > +static int stmt_evaluate_meter(struct eval_ctx *ctx, struct stmt *stmt) > { > struct expr *key, *set, *setref; > > expr_set_context(>ectx, NULL, 0); > - if (expr_evaluate(ctx, >flow.key) < 0) > + if (expr_evaluate(ctx, >meter.key) < 0) > return -1; > - if (expr_is_constant(stmt->flow.key)) > - return expr_error(ctx->msgs, stmt->flow.key, > + if (expr_is_constant(stmt->meter.key)) > + return expr_error(ctx->msgs, stmt->meter.key, > "Flow key expression can not be constant"); ^ line below contains flow instead of meter > - if (stmt->flow.key->comment) > - return expr_error(ctx->msgs, stmt->flow.key, > + if (stmt->meter.key->comment) > + return expr_error(ctx->msgs, stmt->meter.key, > "Flow key expression can not contain > comments"); ^ same here
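Review bot: the two error strings still start with "Flow key expression" while everything around them is renamed to meter; since these are user-visible messages, change them to "Meter key expression ..." in the same patch and check tests/py for any expected-error output that quotes the old wording, otherwise the rename is only half done from the user's point of view.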
Re: nftables: lockout with 0008split_tables_0 test
On 21 November 2017 at 19:39, Arturo Borrero Gonzalez <art...@netfilter.org> wrote: > On 21 November 2017 at 18:09, Florian Westphal <f...@strlen.de> wrote: >> >> Yes, that's expected. >> First ssh base chain gets invoked, which accepts any packet >> either by verdict or policy. >> >> Then next base chain gets consulted which drops the packet. >> >> I would suggest to either swap the policies or duplicate the ssh >> rule into the input chain too. > > This is something which is actually confusing our users. > I just took the time to extend a bit the documentation: > > https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains > > Of course, feel free to edit the docs :-) Unrelated, but I would like to mention another thing that lacks documentation: the interaction of packet flows between families/hooks * Does a packet traversing a chain in the ip family traverse again chains in the inet family? Same the other way around * Does a packet accepted in the netdev/ingress family/hook get evaluated again in ip/ip6/inet families/hooks?
Re: nftables: lockout with 0008split_tables_0 test
On 21 November 2017 at 18:09, Florian Westphal wrote: > > Yes, that's expected. > First ssh base chain gets invoked, which accepts any packet > either by verdict or policy. > > Then next base chain gets consulted which drops the packet. > > I would suggest to either swap the policies or duplicate the ssh > rule into the input chain too. This is something which is actually confusing our users. I just took the time to extend a bit the documentation: https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains Of course, feel free to edit the docs :-)
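The lockout Florian explains, shown as a ruleset: every base chain registered on a hook sees the packet, an accept verdict only ends the chain that issued it, and chains run in priority order (lower first). This is an added example, not the 0008split_tables_0 test itself; the table and chain names, the priorities and the `iif lo` rule are assumptions made for illustration.

```nft
#!/usr/sbin/nft -f
# Added example: two base chains on the same hook. Nothing here is from
# the split_tables test; names and priorities are chosen for illustration.
flush ruleset

# The lockout. "ssh" runs first (priority 0), accepts port 22, and is
# done. The packet is then handed to "input" (priority 1), which has
# no rule for port 22 and drops it by policy. Net effect: no SSH.
#
# table inet broken {
# 	chain ssh {
# 		type filter hook input priority 0; policy accept;
# 		tcp dport 22 accept
# 	}
# 	chain input {
# 		type filter hook input priority 1; policy drop;
# 		ct state established,related accept
# 	}
# }

# Fix that keeps one base chain per hook: "ssh" becomes a regular chain
# (no hook, no policy) reached with jump, so there is exactly one place
# where a packet can be dropped by policy and one place where it must be
# accepted.
table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		iif lo accept
		ct state established,related accept
		ct state invalid drop
		jump ssh
	}
	chain ssh {
		tcp dport 22 accept
	}
}

# Florian's other option, if you really want two base chains on input:
# duplicate `tcp dport 22 accept` into every base chain whose policy is
# drop, because each of them will evaluate the packet regardless of what
# the earlier chain decided.
```

`nft list chains` prints every chain with its hook, priority and policy, which is the quickest way to spot a second base chain on a hook you thought had only one.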
Re: conntrackd init.d reload is broken on Centos6
Please avoid top-posting. On 17 November 2017 at 23:55, Jason Hendry wrote: > Turns out sending conntrackd a -HUP signal causes it to die. I can not > find any documentation/reference on what signals conntrackd accepts, > is there one to tell it to reload its config? We are running > conntrackd 0.9.14 > That's a very old version of conntrackd (8+ years ago?). Please use a newer version. ATM conntrackd is unable to reload config. This is something I would like to improve in the future. > Can you also clarify the effect of restarting conntrackd, is it a safe > operation to do? Will it cause any interruption to connections? Will > it re-sync with the kernel state table? Will it re-sync with its peer? > Connections are in the kernel and those are not affected by conntrackd restart. Depending on your conntrackd config you may lose state updates which are in the conntrackd cache but not in the kernel yet. In newer versions of conntrackd there is a StartupResync option to request resync with other node at startup.
[ulogd2 PATCH] ulogd2: new config behaviour: load all plugins by default
This new configuration behaviour option eases a bit the configuration of ulogd2 by allowing to load all plugins in one go, without having to know their full path. Choosing concrete plugins and using full path for them is great for some environments, but I don't think it's a common case. The common case is to load all plugins, even ignoring where do they live in the filesystem. Even worse, the full path may be architecture-dependent, which makes copying the ulogd.conf file between machines unnecessarily complex. To experiment this new behaviour, don't put any 'plugin=' directive in the config file. Plugins will be loaded from a default directory, chosen at build/configure time (--with-ulogd2libdir). If not specified, this is something like '/usr/local/lib/ulogd/'. This new configuration option doesn't implement any special logic. We simply open the dir and try to load all files ending with '.so'. The log message level for plugins loading is increased so users can see by default which plugins are loaded. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- configure.ac | 30 +++--- src/ulogd.c | 40 +++- ulogd.conf.in | 33 + 3 files changed, 83 insertions(+), 20 deletions(-) diff --git a/configure.ac b/configure.ac index e661981..b3441e4 100644 --- a/configure.ac +++ b/configure.ac @@ -36,9 +36,6 @@ dnl Checks for library functions. AC_FUNC_VPRINTF AC_CHECK_FUNCS(socket strerror) -regular_CFLAGS="-Wall -Wextra -Wno-unused-parameter" -AC_SUBST([regular_CFLAGS]) - AC_SEARCH_LIBS([pthread_create], [pthread], [libpthread_LIBS="$LIBS"; LIBS=""]) AC_SUBST([libpthread_LIBS])
@@ -153,6 +150,16 @@ else enable_jansson="no" fi +AC_ARG_WITH([ulogd2libdir], + AS_HELP_STRING([--with-ulogd2libdir=PATH], +[Default directory to load ulogd2 plugin from [[LIBDIR/ulogd]]]), +[ulogd2libdir="$withval"], +[ulogd2libdir="${libdir}/ulogd"]) +AC_SUBST([ulogd2libdir]) + +regular_CFLAGS="-Wall -Wextra -Wno-unused-parameter -DULOGD2_LIBDIR=\\\"\${ulogd2libdir}\\\""; +AC_SUBST([regular_CFLAGS]) + dnl AC_SUBST(DATABASE_DIR) dnl AC_SUBST(DATABASE_LIB) dnl AC_SUBST(DATABASE_LIB_DIR) @@ -176,8 +183,25 @@ AC_CONFIG_FILES(include/Makefile include/ulogd/Makefile include/libipulog/Makefi src/Makefile Makefile Rules.make) AC_OUTPUT +define([EXPAND_VARIABLE], +[$2=[$]$1 +if test $prefix = 'NONE'; then +prefix="/usr/local" +fi +while true; do + case "[$]$2" in +*\[$]* ) eval "$2=[$]$2" ;; +*) break ;; + esac +done +eval "$2=[$]$2" +])dnl EXPAND_VARIABLE + +EXPAND_VARIABLE(ulogd2libdir, e_ulogd2libdir) + echo " Ulogd configuration: + Default plugins directory: ${e_ulogd2libdir} Input plugins: NFLOG plugin: ${enable_nflog} NFCT plugin: ${enable_nfct} diff --git a/src/ulogd.c b/src/ulogd.c index 68f..b8bc57c 100644 --- a/src/ulogd.c +++ b/src/ulogd.c @@ -404,7 +404,7 @@ void ulogd_register_plugin(struct ulogd_plugin *me) me->name); exit(EXIT_FAILURE); } - ulogd_log(ULOGD_DEBUG, "registering plugin `%s'\n", me->name); + ulogd_log(ULOGD_NOTICE, "registering plugin `%s'\n", me->name); llist_add(>list, _plugins); } else { get_plugin_infos(me); 
@@ -728,6 +728,41 @@ static int load_plugin(const char *file) return 0; } +static int load_all_plugins(void) +{ + DIR *d; + struct dirent *dent; + char path[PATH_MAX]; + + d = opendir(ULOGD2_LIBDIR); + if (d == NULL) { + ulogd_log(ULOGD_ERROR, "load_all_plugins: opendir(%s): %s\n", + ULOGD2_LIBDIR, strerror(errno)); + return -1; + } + + ulogd_log(ULOGD_NOTICE, "loading all plugins at %s\n", ULOGD2_LIBDIR); + + while ((dent = readdir(d)) != NULL) { + if (strcmp(dent->d_name, ".") == 0 || + strcmp(dent->d_name, "..") == 0) + continue; + + int len = strlen(dent->d_name); + if (len < 3) + continue; + + if (strcmp(>d_name[len - 3], ".so") != 0) + continue; + + snprintf(path, sizeof(path), "%s/%s", ULOGD2_LIBDIR, +dent->d_name); + if (load_plugin(path) != 0) + return -1; + } + return 0; +} + /* find an output key in a given stack, starting at 'start' */ static struct ulogd_key * find_okey_in_stack(char *name, @@ -925,6 +960,9 @@ stat
Re: [ulogd2 PATCH] ulogd2: add new config option: load_all_plugins
On 2 October 2017 at 12:44, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > On Sat, Sep 30, 2017 at 12:43:36PM +0200, Arturo Borrero Gonzalez wrote: >> On 30 September 2017 at 12:12, Pablo Neira Ayuso <pa...@netfilter.org> wrote: >> > On Sat, Sep 30, 2017 at 11:48:11AM +0200, Arturo Borrero Gonzalez wrote: >> >> On 30 September 2017 at 11:43, Arturo Borrero Gonzalez >> >> <art...@netfilter.org> wrote: >> >> > >> >> > Ok, but how could we avoid putting there a complex, arch-dependant path? >> >> >> >> i.e, in Debian this means a path like: >> >> >> >> /usr/lib/mips64el-linux-gnuabi64/ulogd/ulogd_filter_IFINDEX.so >> >> >> >> so user should use /usr/lib/mips64el-linux-gnuabi64/ which is very ugly. >> >> If the config file is copied to a machine with a different arch, amd64 >> >> for example, then path should be modified to: >> >> >> >> /usr/lib/x86_64-linux-gnu/ulogd/ >> >> >> >> Complex and ugly. We should avoid that. I think we should offer a >> >> default at build/configure time. >> > >> > I think @pkglibdir@ in ulogd.conf.in will set this to the >> > corresponding arch-dependent folder at configure/build time, right? >> >> The point is to don't have the ugly string in the config file. >> Transparent to the user. Simplify the config file. > > OK. > > What if we default to loading all plugins if user specifies no > "plugin=" at all in the configuration file? > > No worries in terms of breaking backward compatibility, so far ulogd2 > just bails out if no plugin is available. > > That would simplify the configuration file as you're searching for. Ok, will do that.
Re: [ulogd2 PATCH] ulogd2: add new config option: load_all_plugins
On 30 September 2017 at 12:12, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > On Sat, Sep 30, 2017 at 11:48:11AM +0200, Arturo Borrero Gonzalez wrote: >> On 30 September 2017 at 11:43, Arturo Borrero Gonzalez >> <art...@netfilter.org> wrote: >> > >> > Ok, but how could we avoid putting there a complex, arch-dependant path? >> >> i.e, in Debian this means a path like: >> >> /usr/lib/mips64el-linux-gnuabi64/ulogd/ulogd_filter_IFINDEX.so >> >> so user should use /usr/lib/mips64el-linux-gnuabi64/ which is very ugly. >> If the config file is copied to a machine with a different arch, amd64 >> for example, then path should be modified to: >> >> /usr/lib/x86_64-linux-gnu/ulogd/ >> >> Complex and ugly. We should avoid that. I think we should offer a >> default at build/configure time. > > I think @pkglibdir@ in ulogd.conf.in will set this to the > corresponding arch-dependent folder at configure/build time, right? The point is to don't have the ugly string in the config file. Transparent to the user. Simplify the config file.
Re: [ulogd2 PATCH] ulogd2: add new config option: load_all_plugins
On 30 September 2017 at 11:43, Arturo Borrero Gonzalez <art...@netfilter.org> wrote: > > Ok, but how could we avoid putting there a complex, arch-dependent path? i.e, in Debian this means a path like: /usr/lib/mips64el-linux-gnuabi64/ulogd/ulogd_filter_IFINDEX.so so the user should use /usr/lib/mips64el-linux-gnuabi64/ which is very ugly. If the config file is copied to a machine with a different arch, amd64 for example, then the path should be modified to: /usr/lib/x86_64-linux-gnu/ulogd/ Complex and ugly. We should avoid that. I think we should offer a default at build/configure time.
Re: [ulogd2 PATCH] ulogd2: add new config option: load_all_plugins
On 29 September 2017 at 13:39, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > Hi Arturo, > > On Mon, Sep 25, 2017 at 01:19:27PM +0200, Arturo Borrero Gonzalez wrote: >> diff --git a/ulogd.conf.in b/ulogd.conf.in >> index a987d64..fe54420 100644 >> --- a/ulogd.conf.in >> +++ b/ulogd.conf.in >> @@ -24,6 +24,16 @@ logfile="/var/log/ulogd.log" >> # 2. options for each plugin in seperate section below >> >> >> +# load all the plugins in one go. Then, there is no need to specify each >> +# plugin individually. There are two ways of using this clause, by leaving >> it >> +# blank (default) or by using a filesystem path. If blank a default >> directory >> +# configured at build time will be used (--with-ulogd2libdir). >> +# >> +# Examples: >> +# >> +# load_all_plugins= >> +# load_all_plugins=/usr/local/lib/ulogd/ >> + >> plugin="@pkglibdir@/ulogd_inppkt_NFLOG.so" >> #plugin="@pkglibdir@/ulogd_inppkt_ULOG.so" >> #plugin="@pkglibdir@/ulogd_inppkt_UNIXSOCK.so" > > Just an idea, probably better something like: > > plugin="@pkglibdir@/" > > I mean, if you specify a directory, then this means "include every > ulogd_*.so file there", it's easy to check via stat() if this is path > represents a directory, so you can skip string handling tricks. Ok, but how could we avoid putting there a complex, arch-dependent path? My first idea was to have the new config directive not accept any path and have the default set at build/configure time. For the sake of flexibility I added at the last moment the option for the user to give a path and override the one set at build/configure time.
[conntrack-tools PATCH] conntrack.8: refresh manpage
Refresh manpage, fixing typos, rearranging some sentences, introducing line breaks at max. 80 columns, markup fixes, and so on. Apart of some minor cosmetics fixes, no actual content is changed. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- conntrack.8 | 167 --- 1 file changed, 101 insertions(+), 66 deletions(-) diff --git a/conntrack.8 b/conntrack.8 index e8e4480..e069dfe 100644 --- a/conntrack.8 +++ b/conntrack.8 @@ -1,4 +1,4 @@ -.TH CONNTRACK 8 "Aug 24, 2015" "" "" +.TH CONNTRACK 8 "Sep 26, 2017" "" "" .\" Man page written by Harald Welte <lafo...@netfilter.org (Jun 2005) .\" Maintained by Pablo Neira Ayuso <pa...@netfilter.org (May 2007) 
@@ -24,17 +24,20 @@ conntrack \- command line interface for netfilter connection tracking .br .BR "conntrack -S " .SH DESCRIPTION -.B conntrack -provides a full featured userspace interface to the netfilter connection tracking system that is intended to replace the old /proc/net/ip_conntrack interface. This tool can be used to search, list, inspect and maintain the connection tracking subsystem of the Linux kernel. -Using -.B conntrack -, you can dump a list of all (or a filtered selection of) currently tracked -connections, delete connections from the state table, and even add new ones. -.PP +The \fBconntrack\fP utilty provides a full featured userspace interface to the +Netfilter connection tracking system that is intended to replace the old +/proc/net/ip_conntrack interface. This tool can be used to search, list, +inspect and maintain the connection tracking subsystem of the Linux kernel. + +Using \fBconntrack\fP, you can dump a list of all (or a filtered selection of) +currently tracked connections, delete connections from the state table, and +even add new ones. + In addition, you can also monitor connection tracking events, e.g. show an event message (one line) per newly established connection. + .SH TABLES -The connection tracking subsystem maintains two internal tables: +The connection tracking subsystem maintains several internal tables: .TP .BR "conntrack" : This is the default table. It contains a list of all currently tracked 
@@ -44,30 +47,31 @@ through the system. .TP .BR "expect" : This is the table of expectations. Connection tracking expectations are the -mechanism used to "expect" RELATED connections to existing ones. Expectations -are generally used by "connection tracking helpers" (sometimes called -application level gateways [ALGs]) for more complex protocols such as FTP, -SIP, H.323. +mechanism used to "expect" \fBRELATED\fP connections to existing ones. +Expectations are generally used by "connection tracking helpers" (sometimes +called application level gateways [ALGs]) for more complex protocols such as +FTP, SIP or H.323. .TP .BR "dying" : This table shows the conntrack entries, that have expired and that have been -destroyed by the connection tracking system itself, or via the conntrack utility. +destroyed by the connection tracking system itself, or via the \fBconntrack\fP +utility. .TP .BR "unconfirmed" : -This table shows new entries, that are not yet inserted into the conntrack table. -These entries are attached to packets that are traversing the stack, +This table shows new entries, that are not yet inserted into the conntrack +table. These entries are attached to packets that are traversing the stack, but did not reach the confirmation point at the postrouting hook. -.PP -The tables "dying" and "unconfirmed" are basically only useful for debugging purposes. -Under normal operation, it is hard to see entries in any of them. + +The tables "dying" and "unconfirmed" are basically only useful for debugging +purposes. Under normal operation, it is hard to see entries in any of them. There are corner cases, where it is valid to see entries in the unconfirmed table, eg. when packets that are enqueued via nfqueue, and -the dying table, eg. when conntrackd runs in event reliable mode. -.PP +the dying table, eg. when \fBconntrackd(8)\fP runs in event reliable mode. + .SH OPTIONS -The options recognized by -.B conntrack -can be divided into several different groups. 
+The options recognized by \fBconntrack\fP can be divided into several different +groups. + .SS COMMANDS These options specify the particular operation to perform. Only one of them can be specified at any given time. @@ -98,6 +102,7 @@ Show the table counter. .TP .BI "-S, --stats " Show the in-kernel connection tracking system statistics. + .SS PARAMETERS .TP .BI "-z, --zero " @@ -107,9 +112,9 @@ combination with the "\-L, \-\-dump" command options. .BI "-o, --output [extended,xml,timestamp,id,ktimestamp,labels] &qu
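Review bot: the rewritten DESCRIPTION hunk (@@ -24,17 +24,20 @@) introduces a typo, "The \fBconntrack\fP utilty provides"; make it "utility". In the same hunk, "maintains two internal tables" becomes "maintains several internal tables", which is a correct fix (the TABLES section lists conntrack, expect, dying and unconfirmed) but contradicts the commit message's "no actual content is changed"; mention that wording change in the commit message.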
[ulogd2 PATCH] ulogd2: add new config option: load_all_plugins
This new configuration option eases a bit the configuration of ulogd2 by allowing to load all plugins in one go, without having to know their full path. Choosing concrete plugins and using full path for them is great for some environmnets, but I don't think it's a common case. The common case is to load all plugins, even ignoring where do they live in the filesystem. Even worse, the full path may be architecture-dependant, which makes copying the ulogd.conf file between machines unnecesarily complex. There are two ways of using this new config directive: 1) leave it empty (i.e. 'load_all_plugins=') 2) use a path (i.e. 'load_all_plugins='/usr/local/lib/mydir/') In the first case, plugins will be loaded from a default directory, choosen at build/configure time (--with-ulogd2libdir). If no specified, this is something like '/usr/local/lib/ulogd/'. In the second case, the user is responsible of providing a sensible path. The 'load_all_plugins' directive may be combined with the old 'plugin' directive to load other custom-made plugins elsewhere, like always. The 'plugin' directive is keep unchanged. This new configuration option doesn't implement any special logic. We simply open the dir and try to load all files ending with '.so'. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- configure.ac | 30 +++--- src/ulogd.c | 49 - ulogd.conf.in | 10 ++ 3 files changed, 85 insertions(+), 4 deletions(-) diff --git a/configure.ac b/configure.ac index e661981..b3441e4 100644 --- a/configure.ac +++ b/configure.ac @@ -36,9 +36,6 @@ dnl Checks for library functions. AC_FUNC_VPRINTF AC_CHECK_FUNCS(socket strerror) -regular_CFLAGS="-Wall -Wextra -Wno-unused-parameter" -AC_SUBST([regular_CFLAGS]) - AC_SEARCH_LIBS([pthread_create], [pthread], [libpthread_LIBS="$LIBS"; LIBS=""]) AC_SUBST([libpthread_LIBS]) 
@@ -153,6 +150,16 @@ else enable_jansson="no" fi +AC_ARG_WITH([ulogd2libdir], + AS_HELP_STRING([--with-ulogd2libdir=PATH], +[Default directory to load ulogd2 plugin from [[LIBDIR/ulogd]]]), +[ulogd2libdir="$withval"], +[ulogd2libdir="${libdir}/ulogd"]) +AC_SUBST([ulogd2libdir]) + +regular_CFLAGS="-Wall -Wextra -Wno-unused-parameter -DULOGD2_LIBDIR=\\\"\${ulogd2libdir}\\\""; +AC_SUBST([regular_CFLAGS]) + dnl AC_SUBST(DATABASE_DIR) dnl AC_SUBST(DATABASE_LIB) dnl AC_SUBST(DATABASE_LIB_DIR) @@ -176,8 +183,25 @@ AC_CONFIG_FILES(include/Makefile include/ulogd/Makefile include/libipulog/Makefi src/Makefile Makefile Rules.make) AC_OUTPUT +define([EXPAND_VARIABLE], +[$2=[$]$1 +if test $prefix = 'NONE'; then +prefix="/usr/local" +fi +while true; do + case "[$]$2" in +*\[$]* ) eval "$2=[$]$2" ;; +*) break ;; + esac +done +eval "$2=[$]$2" +])dnl EXPAND_VARIABLE + +EXPAND_VARIABLE(ulogd2libdir, e_ulogd2libdir) + echo " Ulogd configuration: + Default plugins directory: ${e_ulogd2libdir} Input plugins: NFLOG plugin: ${enable_nflog} NFCT plugin: ${enable_nfct} diff --git a/src/ulogd.c b/src/ulogd.c index 68f..5ae8498 100644 --- a/src/ulogd.c +++ b/src/ulogd.c @@ -124,10 +124,11 @@ static LLIST_HEAD(ulogd_pi_stacks); static int load_plugin(const char *file); static int create_stack(const char *file); static int logfile_open(const char *name); +static int load_all_plugins(); static void cleanup_pidfile(); static struct config_keyset ulogd_kset = { - .num_ces = 4, + .num_ces = 5, .ces = { { .key = "logfile", @@ -153,6 +154,12 @@ static struct config_keyset ulogd_kset = { .options = CONFIG_OPT_MULTI, .u.parser = _stack, }, + { + .key = "load_all_plugins", + .type = CONFIG_TYPE_CALLBACK, + .options = CONFIG_OPT_NONE, + .u.parser = _all_plugins, + }, }, }; 
@@ -728,6 +735,46 @@ static int load_plugin(const char *file) return 0; } +static int load_all_plugins(const char *arg) +{ + DIR *d; + struct dirent *dent; + char path[PATH_MAX]; + const char *dir; + + if (strcmp(arg, "load_all_plugins") == 0) /* no argument in conf */ + dir = ULOGD2_LIBDIR; + else + dir = arg; + + d = opendir(dir); + if (d == NULL) { + ulogd_log(ULOGD_ERROR, "load_all_plugins: opendir(%s): %s\n", + dir, strerror(errno)); + return -1; + } + + ulogd_log(ULOGD_NOTICE, "loading all plugins at %s\n", dir); + +
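Review bot: the forward declaration added in the @@ -124,10 +124,11 @@ hunk, `static int load_all_plugins();`, does not match the definition `static int load_all_plugins(const char *arg)` in the @@ -728 hunk; an empty parameter list in C disables argument type checking for callers, so declare it as `static int load_all_plugins(const char *arg);` so the compiler can verify the callback actually takes the string the config parser passes.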
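Review bot: load_all_plugins() (hunk @@ -728,6 +735,46 @@) opendir()s whatever path the user wrote in ulogd.conf and, per the commit message, then loads every file ending in ".so" from it; since ulogd normally runs as root, a directory that other users can write to turns a config typo into arbitrary code running inside the daemon. Before loading, stat() the directory (and each .so) and refuse, with an ulogd_log(ULOGD_ERROR, ...) explaining why, when it is not owned by root or is group/world-writable; the ulogd.conf.in comment should state the same expectation. Separately, detecting an empty value by `strcmp(arg, "load_all_plugins") == 0` depends on the config parser handing back the key name when no value is given; a one-line comment saying so would save the next reader a trip through the config code.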
Re: [RFC PATCH nft V4] src: Add import command for json
On 20 September 2017 at 12:14, Shyam Saini <mayhs11sa...@gmail.com> wrote:
> This new operation allows to import ruleset in json to make
> incremental changes using the parse functions of libnftnl.
>
> A basic way to test this new functionality is:
>
> % cat file.json | nft import json
>
> where the file.json is a ruleset exported in json format.
>
> Highly based on work from Alvaro Neira <alvaron...@gmail.com>
> and Arturo Borrero <art...@netfilter.org>
>
> Acked-by: Arturo Borrero Gonzalez <art...@netfilter.org>
> Signed-off-by: Shyam Saini <mayhs11sa...@gmail.com>
> ---
> V4:
> Fix coding style issues
> Avoid nested function calls (As Suggested by Arturo )

LGTM

Thanks Shyam! Just tested this patch, along with the one adding the testcase.
All seems fine.

@Pablo, please, review and apply.
Re: [ulogd2 PATCH] ulogd: use a RT scheduler by default
On 7 September 2017 at 13:36, Arturo Borrero Gonzalez <art...@netfilter.org> wrote:
> It is common that ulogd runs in scenarios where a lot of packets are to be
> logged.
> If there are more packets than ulogd can handle, users can start seeing log
> messages like this:
>
> ulogd[556]: We are losing events. Please, consider using the clauses \
> `netlink_socket_buffer_size' and `netlink_socket_buffer_maxsize'
>
> Which means that Netlink buffer overruns have happened.
> There are several approaches to prevent this situation:
>
> * in the ruleset, limit the amount of packets queued for log
> * in the ruleset, instruct the kernel to use a queue-threshold
> * from userspace, increment Netlink buffer sizes
> * from userspace, configure ulogd to run as a high priority process
>
> The first 3 methods can be configured by users at runtime.
> This patch deals with the last method. SCHED_RR is configured by default,
> with no associated configuration parameter for users, since I believe
> this is common enough, and should produce no harm.
>
> A similar approach is used in the conntrackd daemon.
>
> Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org>
> ---
> src/ulogd.c | 15 +++
> 1 file changed, 15 insertions(+)
>

Eric did ACK this via IRC, please someone push the patch.
Re: [RFC PATCH nft V3] src: Add import command for json
On 11 September 2017 at 18:53, Shyam Sainiwrote: > This new operation allows to import ruleset in json to make > incremental changes using the parse functions of libnftnl. > > A basic way to test this new functionality is: > > % cat file.json | nft import json > > where the file.json is a ruleset exported in json format. > > Highly based on work from Alvaro Neira > and Arturo Borrero > > Signed-off-by: Shyam Saini > --- > V3: >Follow kernel coding style > --- Hi Shyam, almost there. Still some changes required in the coding style. See below. BTW, you forgot to include the Acked-by: line I mentioned in the last email. > include/netlink.h | 9 ++ > include/rule.h | 14 +-- > src/evaluate.c | 2 + > src/netlink.c | 288 > + > src/parser_bison.y | 38 +-- > src/rule.c | 45 +++-- > src/scanner.l | 1 + > 7 files changed, 370 insertions(+), 27 deletions(-) > > diff --git a/include/netlink.h b/include/netlink.h > index b395cf1cd9ad..b63740b38c2a 100644 > --- a/include/netlink.h > +++ b/include/netlink.h > @@ -225,4 +225,13 @@ bool netlink_batch_supported(struct mnl_socket *nf_sock, > uint32_t *seqnum); > > int netlink_echo_callback(const struct nlmsghdr *nlh, void *data); > > +struct ruleset_parse { > + struct netlink_ctx *nl_ctx; > + struct cmd *cmd; > +}; > + > +struct nftnl_parse_ctx; > + > +int netlink_markup_parse_cb(const struct nftnl_parse_ctx *ctx); > + > #endif /* NFTABLES_NETLINK_H */ > diff --git a/include/rule.h b/include/rule.h > index 631a1bcdf84e..56dee9766b2b 100644 > --- a/include/rule.h > +++ b/include/rule.h > @@ -327,6 +327,7 @@ uint32_t obj_type_to_cmd(uint32_t type); > * @CMD_RESET: reset container > * @CMD_FLUSH: flush container > * @CMD_RENAME:rename object > + * @CMD_IMPORT:import a ruleset in a given format > * @CMD_EXPORT:export the ruleset in a given format > * @CMD_MONITOR: event listener > * @CMD_DESCRIBE: describe an expression 
> @@ -342,6 +343,7 @@ enum cmd_ops { > CMD_RESET, > CMD_FLUSH, > CMD_RENAME, > + CMD_IMPORT, > CMD_EXPORT, > CMD_MONITOR, > CMD_DESCRIBE, > @@ -361,7 +363,7 @@ enum cmd_ops { > * @CMD_OBJ_RULESET: ruleset > * @CMD_OBJ_EXPR: expression > * @CMD_OBJ_MONITOR: monitor > - * @CMD_OBJ_EXPORT:export > + * @CMD_OBJ_MARKUP:import/export > * @CMD_OBJ_COUNTER: counter > * @CMD_OBJ_COUNTERS: multiple counters > * @CMD_OBJ_QUOTA: quota > @@ -381,7 +383,7 @@ enum cmd_obj { > CMD_OBJ_RULESET, > CMD_OBJ_EXPR, > CMD_OBJ_MONITOR, > - CMD_OBJ_EXPORT, > + CMD_OBJ_MARKUP, > CMD_OBJ_FLOWTABLE, > CMD_OBJ_FLOWTABLES, > CMD_OBJ_MAP, > @@ -396,12 +398,12 @@ enum cmd_obj { > CMD_OBJ_LIMITS, > }; > > -struct export { > +struct markup { > uint32_tformat; > }; > > -struct export *export_alloc(uint32_t format); > -void export_free(struct export *e); > +struct markup *markup_alloc(uint32_t format); > +void markup_free(struct markup *m); > > enum { > CMD_MONITOR_OBJ_ANY, > @@ -454,7 +456,7 @@ struct cmd { > struct chain*chain; > struct table*table; > struct monitor *monitor; > - struct export *export; > + struct markup *markup; > struct obj *object; > }; > const void *arg; > diff --git a/src/evaluate.c b/src/evaluate.c > index e767542a868e..2275a3026255 100644 > --- a/src/evaluate.c > +++ b/src/evaluate.c > @@ -3407,6 +3407,8 @@ int cmd_evaluate(struct eval_ctx *ctx, struct cmd *cmd) > return 0; > case CMD_MONITOR: > return cmd_evaluate_monitor(ctx, cmd); > + case CMD_IMPORT: > + return 0; > default: > BUG("invalid command operation %u\n", cmd->op); > }; > diff --git a/src/netlink.c b/src/netlink.c > index 291bbdeeaa68..de4d284d5e9b 100644 > --- a/src/netlink.c > +++ b/src/netlink.c > @@ -24,6 +24,7 @@ > #include > #include > #include > +#include > #include > #include > #include 
> @@ -3030,6 +3031,293 @@ int netlink_monitor(struct netlink_mon_handler > *monhandler, > return mnl_nft_event_listener(, netlink_events_cb, monhandler); > } > > +static int netlink_markup_setelems(const struct nftnl_parse_ctx *ctx) > +{ > + const struct ruleset_parse *rp; > + struct nftnl_set *set; > + uint32_t cmd; > + int ret = -1; > + > + set = nftnl_ruleset_ctx_get(ctx, NFTNL_RULESET_CTX_SET); > + rp = nftnl_ruleset_ctx_get(ctx, NFTNL_RULESET_CTX_DATA); > + > + cmd = nftnl_ruleset_ctx_get_u32(ctx,
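Review bot: in the src/evaluate.c hunk (@@ -3407,6 +3407,8 @@), `case CMD_IMPORT: return 0;` makes cmd_evaluate() skip evaluation for the new command entirely, so an imported ruleset gets none of the checks nft applies to commands it parses itself. If that is intentional because the libnftnl parse callbacks reached through netlink_markup_parse_cb() are trusted to reject malformed input, say so in a comment at that case; otherwise the parsed objects should be routed through the evaluator before they are batched.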
Re: [RFC PATCH nft V2] src: Add import command for json
On 10 September 2017 at 14:31, Shyam Saini <mayhs11sa...@gmail.com> wrote: > This new operation allows to import ruleset in json to make > incremental changes using the parse functions of libnftnl. > > A basic way to test this new functionality is: > > % cat file.json | nft import json > > where the file.json is a ruleset exported in json format. > > Highly based on work from Alvaro Neira <alvaron...@gmail.com> > and Arturo Borrero <art...@netfilter.org>. > > Signed-off-by: Shyam Saini <mayhs11sa...@gmail.com> > --- > V2: > Build Patch over updated repository. Hi Shyam, I was able to test this with the testcase you provided in the other patch! great! :-) One last thing, the coding style should be fixed before we can merge this into master. Examples below. We follow linux kernel coding style [0]. There is a script to check coding style [1], but beware of some false positives (regarding the commit message). Other than that, the patch looks fine. Please, address the coding style issues, and resend with: Acked-by: Arturo Borrero Gonzalez <art...@netfilter.org> > + > +static int netlink_markup_build_rule(const struct nftnl_parse_ctx *ctx, > + uint32_t cmd, struct > nftnl_rule *rule) > +{ ^^^ bad alignment, indentation, produces long lines. 
> + > +static int netlink_markup_chain(const struct nftnl_parse_ctx *ctx) > +{ > + const struct ruleset_parse *rp; > + struct nftnl_chain *chain; > + uint32_t cmd; > + int ret = -1; > + > + chain = nftnl_ruleset_ctx_get(ctx, NFTNL_RULESET_CTX_CHAIN); > + rp = nftnl_ruleset_ctx_get(ctx, NFTNL_RULESET_CTX_DATA); > + > + nftnl_chain_unset(chain, NFTNL_CHAIN_HANDLE); > + > + cmd = nftnl_ruleset_ctx_get_u32(ctx, NFTNL_RULESET_CTX_CMD); > + switch (cmd) { > + case NFTNL_CMD_ADD: > + ret = mnl_nft_chain_batch_add(chain, rp->nl_ctx->batch, 0, > rp->nl_ctx->seqnum); > + break; > + case NFTNL_CMD_DELETE: > + ret = mnl_nft_chain_batch_del(chain, rp->nl_ctx->batch, 0, > rp->nl_ctx->seqnum); ^^ too long lines [0] https://www.kernel.org/doc/html/v4.10/process/coding-style.html [1] https://github.com/torvalds/linux/blob/master/scripts/checkpatch.pl
[ulogd2 PATCH] ulogd: use a RT scheduler by default
Is common that ulogd runs in scenarios where a lot of packets are to be logged. If there are more packets than ulogd can handle, users can start seing log messages like this: ulogd[556]: We are losing events. Please, consider using the clauses \ `netlink_socket_buffer_size' and `netlink_socket_buffer_maxsize' Which means that Netlink buffer overrun have happened. There are several approaches to prevent this situation: * in the ruleset, limit the amount of packet queued for log * in the ruleset, instruct the kernel to use a queue-threshold * from userspace, increment Netlink buffer sizes * from userspace, configure ulogd to run as high priority process The first 3 method can be configured by users at runtime. This patch deals with the last method. SCHED_RR is configured by default, with no associated configuration parameter for users, since I believe this is common enough, and should produce no harm. A similar approach is used in the conntrackd daemon. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- src/ulogd.c | 15 +++ 1 file changed, 15 insertions(+) diff --git a/src/ulogd.c b/src/ulogd.c index b85d0ee..68f 100644 --- a/src/ulogd.c +++ b/src/ulogd.c @@ -64,6 +64,7 @@ #include #include #include +#include #include #include #ifdef DEBUG @@ -1395,6 +1396,19 @@ static void signal_handler_task(int signal) deliver_signal_pluginstances(signal); } +static void set_scheduler(void) +{ + struct sched_param schedparam; + int sched_type; + + schedparam.sched_priority = sched_get_priority_max(SCHED_RR); + sched_type = SCHED_RR; + + if (sched_setscheduler(0, sched_type, ) < 0) + fprintf(stderr, "WARNING: scheduler configuration failed:" + " %s\n", strerror(errno)); +} + static void print_usage(void) { printf("ulogd Version %s\n", VERSION); 
@@ -1589,6 +1603,7 @@ int main(int argc, char* argv[]) signal(SIGALRM, _handler); signal(SIGUSR1, _handler); signal(SIGUSR2, _handler); + set_scheduler(); ulogd_log(ULOGD_INFO, "initialization finished, entering main loop\n");
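Review bot: set_scheduler() (hunk @@ -1395,6 +1396,19 @@) requests sched_get_priority_max(SCHED_RR), the highest real-time priority the kernel offers, unconditionally and with no configuration knob; at that level a ulogd thread that spins (an output plugin stuck on a slow backend, for instance) can starve every lower-priority task on that CPU, so the commit message's "should produce no harm" is stronger than what the hunk guarantees. A lower fixed RR priority, or a config option like the Scheduler block conntrackd already exposes, would keep the benefit without the starvation risk. Also, the failure path prints with fprintf(stderr, ...) while the surrounding code logs through ulogd_log(); once daemonized, that warning (the expected outcome whenever the process lacks CAP_SYS_NICE) is lost, so route it through ulogd_log(ULOGD_ERROR, ...).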
Re: [nft PATCH RFC] Convert man page source to asciidoc
On 6 September 2017 at 10:41, Phil Sutter wrote:
> Beware: The conversion is incomplete and merely serves as base for
> discussion.
>
> This patch converts nft.xml into asciidoc markup, top down until (and
> including) stateful objects description. I stopped there because it's
> the first chance of demonstrating my idea of splitting the documentation
> into smaller pieces for convenience and maintainability.
>
> Regarding package dependencies, this "just" exchanges docbook with
> asciidoc - dblatex is still required for PDF creation.
>

Hi Phil,

thanks for your initiative and hard work, it's really appreciated :-)

Regarding the change, why asciidoc? Why not markdown, or org-mode or
reStructuredText? There are many markup languages; it reminds me of xkcd
#927 [0].
I would prefer if we stick to groff, which seems to be the standard in Linux.

Regarding the separation of text in different includes, why not create
different manpages? Netfilter did this in the past with iptables(8) and
iptables-extensions(8).

Brainstorming:

* nft(8) <-- main document, general info
* nft-ct(8) <-- concrete info for ct objects
* nft-counter(8) <-- concrete info for counter objects
* nft-flowtables(8) <-- about flow tables
* nft-quota(8) <--- concrete info for quotas
* nft-performance(8) <--- concrete info about nftables sets, maps, dicts,
  concatenations, etc.
* nft-ha(8) <--- for HA environments, loadbalancing etc

[0] https://xkcd.com/927/
Re: [nft PATCH V2] tests: shell: Add tests for json import
On 4 September 2017 at 14:39, Shyam Saini wrote:
>>> These test cases can be used to test upcoming "import json" command.
>>>

Hi Shyam,

your v3 looks fine. I was going to test it out, but it seems the first patch
[0] in the series requires a refresh.

Please, refresh this first patch.

thanks for your work!

[0] http://patchwork.ozlabs.org/patch/803561/
Re: [nft PATCH V2] tests: shell: Add tests for json import
On 3 September 2017 at 01:32, Shyam Sainiwrote: > These test cases can be used to test upcoming "import json" command. > > Here is the short description of the files: > all_ruleset_list ->contains list of all the individual rules > json_import_0 ->script that runs json run-tests.sh > > For Example: > $ ./run-tests.sh testcases/import/json_import_0 > > Below mentioned files contains individual rules in json format and > are added for the reference: > rules_ipv4*->ip table rules files > rules_ipv6*->ip6 table rules files > rules_arp* ->arp table rules files > rules_bridge* ->bridge table rules files 
> > Signed-off-by: Shyam Saini > --- This is v2: generally in this patch section we include patch changelog information. Please, take a look at this when sending v3 :-) > tests/shell/testcases/import/all_ruleset_list | 46 ++ > tests/shell/testcases/import/json_import_0 | 72 > ++ > .../testcases/import/rules_arp_hlen_range.json | 1 + > tests/shell/testcases/import/rules_arp_htype.json | 1 + > .../testcases/import/rules_arp_operation.json | 1 + > .../import/rules_arp_operation_check.json | 1 + > .../shell/testcases/import/rules_arp_ptype_ip.json | 1 + > .../shell/testcases/import/rules_bridge_vlan.json | 1 + > .../testcases/import/rules_bridge_vlan_id.json | 1 + > ...bridge_vlan_id_saddr_udp_dport_drop_domain.json | 1 + > .../import/rules_ipv4_ct_state_accept.json | 1 + > .../rules_ipv4_icmp_type_echo-request_accept.json | 1 + > .../rules_ipv4_icmp_type_echo-request_counter.json | 1 + > .../import/rules_ipv4_iifname_accept.json | 1 + > .../import/rules_ipv4_saddr_daddr_counter.json | 1 + > .../testcases/import/rules_ipv4_set_elements.json | 1 + > .../import/rules_ipv4_tcp_dport_http_ssh.json | 1 + > .../testcases/import/rules_ipv4_tcp_flags.json | 1 + > .../import/rules_ipv6_daddr_udp_dport_counter.json | 1 + > ...es_ipv6_daddr_udp_dport_counter_masquerade.json | 1 + > .../testcases/import/rules_ipv6_icmpv6_id.json | 1 + > ...iifname_ct_state_tcp_dport_vmap_masquerade.json | 1 + > .../import/rules_ipv6_l4proto_tcp_masquerade.json | 1 + > ...dport_ssh_daddr_mapping_ether_saddr_accept.json | 1 + > 24 files changed, 140 insertions(+) > create mode 100644 tests/shell/testcases/import/all_ruleset_list > create mode 100755 tests/shell/testcases/import/json_import_0 > create mode 100644 tests/shell/testcases/import/rules_arp_hlen_range.json > create mode 100644 tests/shell/testcases/import/rules_arp_htype.json > create mode 100644 tests/shell/testcases/import/rules_arp_operation.json > create mode 100644 > tests/shell/testcases/import/rules_arp_operation_check.json > create 
mode 100644 tests/shell/testcases/import/rules_arp_ptype_ip.json > create mode 100644 tests/shell/testcases/import/rules_bridge_vlan.json > create mode 100644 tests/shell/testcases/import/rules_bridge_vlan_id.json > create mode 100644 > tests/shell/testcases/import/rules_bridge_vlan_id_saddr_udp_dport_drop_domain.json > create mode 100644 > tests/shell/testcases/import/rules_ipv4_ct_state_accept.json > create mode 100644 > tests/shell/testcases/import/rules_ipv4_icmp_type_echo-request_accept.json > create mode 100644 > tests/shell/testcases/import/rules_ipv4_icmp_type_echo-request_counter.json > create mode 100644 > tests/shell/testcases/import/rules_ipv4_iifname_accept.json > create mode 100644 > tests/shell/testcases/import/rules_ipv4_saddr_daddr_counter.json > create mode 100644 tests/shell/testcases/import/rules_ipv4_set_elements.json > create mode 100644 > tests/shell/testcases/import/rules_ipv4_tcp_dport_http_ssh.json > create mode 100644 tests/shell/testcases/import/rules_ipv4_tcp_flags.json > create mode 100644 > tests/shell/testcases/import/rules_ipv6_daddr_udp_dport_counter.json > create mode 100644 > tests/shell/testcases/import/rules_ipv6_daddr_udp_dport_counter_masquerade.json > create mode 100644 tests/shell/testcases/import/rules_ipv6_icmpv6_id.json > create mode 100644 > tests/shell/testcases/import/rules_ipv6_iifname_ct_state_tcp_dport_vmap_masquerade.json > create mode 100644 > tests/shell/testcases/import/rules_ipv6_l4proto_tcp_masquerade.json > create mode 100644 > tests/shell/testcases/import/rules_ipv6_tcp_dport_ssh_daddr_mapping_ether_saddr_accept.json > > diff --git a/tests/shell/testcases/import/all_ruleset_list > b/tests/shell/testcases/import/all_ruleset_list > new file mode 100644 > index ..4e25a76d8016 > --- /dev/null > +++ b/tests/shell/testcases/import/all_ruleset_list > @@ -0,0 +1,46 @@ > +table ip mangle { > +set blackhole { > +type ipv4_addr > +elements = { 192.168.1.4, 192.168.1.5 } > +} > + > +chain prerouting { > +
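Review bot: the 22 rules_*.json fixtures in this patch are one-line, pre-generated copies of what `nft export json` emits for the rules in all_ruleset_list, so they drift silently whenever the export format or all_ruleset_list changes and nobody regenerates them. Have json_import_0 load all_ruleset_list with `$NFT -f`, export it as JSON, flush, import that export and diff `$NFT list ruleset` against the original; that exercises both code paths from a single source of truth and removes the fixtures. The commit message also still lacks the V2 changelog below the `---` marker.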
Re: [PATCH] examples: Fix memory leaks detected by Valgrind
Thanks Shyam,

Acked-by: Arturo Borrero Gonzalez <art...@netfilter.org>

in the future, please add a tag to the [PATCH] header, like "[PATCH libnftnl]"
so we can easily know to which tree this patch should be applied to.
Re: [PATCH V2] tests: json: Add test cases for json format
On 24 August 2017 at 14:08, Shyam Saini wrote:
>> That was quick and dirty code for you to get the idea.
>> Please follow the example of other testcases [0] to compare ruleset,
>> create tempfiles and so on.
>>
>
> One issue with this approach, in case of set rules
> nft will throw this error
> "Error: Could not process rule: File exists"
> So, I need to flush ruleset before import them with json.
> Is it okay?
>

yes, something like:

nft export
nft flush ruleset
nft import

we can later on investigate how to do something like:

nft export json | nft import json

>>
>> Please, if possible, try to add a testcase that is [OK]. Not sure what
>> is wrong with the dup statement.
>>
> I tried, but they always throw the same error.
> Shouldn't we keep them in testsuite so that we know that these set of
> rules needs to be fixed.
>

yes, but the point is to try to fix the issue or at least identify where
the issue is.
Re: [PATCH V2] tests: json: Add test cases for json format
On 24 August 2017 at 10:49, Shyam Saini wrote:
> These test cases can be used to test upcoming "import json" command.
>
> Here is the short description of the files:
> all_ruleset_list -> contains list of all the individual rules

Wait. You are generating the JSON files from this ruleset, right?

Then, why not simplify the tests by:

* load a ruleset model (your all_ruleset_list file)
* export it in JSON format (nft export json)
* import it again in JSON format (nft import)
* compare resulting ruleset (nft list ruleset) with the original file
  (all_ruleset_list file)

This way we test in the same run all the JSON code paths.

You will need a simple testcase, like this:

=== 8< ===
#!/bin/bash

set -e

# one tempfile for the model ruleset, another for the JSON export
TMP=$(mktemp)
JSON=$(mktemp)

RULESET="table ip {
...
}
"

echo "$RULESET" > $TMP
$NFT -f $TMP
$NFT export json > $JSON
cat $JSON | $NFT import json
RESULT=$($NFT list ruleset)

# compare result and initial ruleset, if fail show diff
=== 8< ===

That was quick and dirty code for you to get the idea.
Please follow the example of other testcases [0] to compare ruleset,
create tempfiles and so on.

Please, if possible, try to add a testcase that is [OK]. Not sure what
is wrong with the dup statement.

thanks Shyam!

[0] http://git.netfilter.org/nftables/tree/tests/shell/testcases/netns/0001nft-f_0
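The export/flush/import round-trip sketched in this thread, written out in the tests/shell/testcases style as an added example; it is neither Shyam's patch nor a test from the nftables tree. It assumes run-tests.sh exports $NFT (as the existing testcases rely on); the sample ruleset is constructed for the example, and the script only runs the check automatically when $NFT is set, so its function can be sourced and exercised with a stand-in.

```shell
#!/bin/bash
# Added example: JSON export/import round-trip for nft, in the
# tests/shell/testcases convention (hypothetical testcase, not from the tree).
set -e

# Constructed sample ruleset. It is written in the canonical form that
# "nft list ruleset" prints, so a clean round-trip diffs to nothing.
RULESET='table ip t {
	set blackhole {
		type ipv4_addr
		elements = { 192.168.1.4, 192.168.1.5 }
	}

	chain prerouting {
		type filter hook prerouting priority 0; policy accept;
		ip saddr @blackhole drop
	}
}'

# json_roundtrip RULESET_TEXT
#   1. load the text with "$NFT -f"        (model ruleset)
#   2. "$NFT export json"                  (export code path)
#   3. "$NFT flush ruleset"                (avoid "File exists" on re-add)
#   4. "$NFT import json"                  (import code path)
#   5. diff "$NFT list ruleset" against the model
# Returns 0 on a clean round-trip, 1 (printing the diff) when the
# re-imported ruleset differs, 2 when an nft command itself failed.
json_roundtrip() {
	local ruleset="$1"
	local orig json after rc
	orig=$(mktemp)
	json=$(mktemp)
	after=$(mktemp)
	rc=0

	printf '%s\n' "$ruleset" > "$orig"

	if $NFT -f "$orig" \
	   && $NFT export json > "$json" \
	   && $NFT flush ruleset \
	   && $NFT import json < "$json" \
	   && $NFT list ruleset > "$after"; then
		# show exactly what the JSON path lost or altered
		diff -u "$orig" "$after" || rc=1
	else
		echo "nft command failed during JSON round-trip" >&2
		rc=2
	fi

	rm -f "$orig" "$json" "$after"
	return $rc
}

# Run as a testcase only when run-tests.sh (or the caller) provides $NFT.
if [ -n "${NFT:-}" ]; then
	json_roundtrip "$RULESET"
fi
```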
Re: [PATCH] tests: json: Add test cases for json format
On 22 August 2017 at 11:30, Shyam Saini wrote:
>
> Should I send the version 2 of this patch with this script?
>

Yes, my suggestion is:

* create a new testcase in nftables: tests/shell/testcases/import/yourscript_0
* put all the json files in: tests/shell/testcases/import/json and read them
  from yourscript_0

in the script use the $NFT environment variable to call nft.

This way we avoid adding a new testsuite just for this and reuse existing code.
Re: [PATCH] tests: json: Add test cases for json format
On 21 August 2017 at 22:55, Shyam Saini wrote:
> These cases can be used to test upcoming "import json" command.
>
> Here is the short description of the files:
> all_ruleset_list -> contains list of all the individual rules
> rules_ipv4* -> ip table
> rules_ipv6* -> ip6 table
> rules_arp* -> arp table
> rules_bridge* -> bridge table
>
> At this point of time some tests may fail.
> For example:
> dup to 172.20.0.2
> ether daddr 00:01:02:03:04:05 ether saddr set ff:fe:dc:ba:98:76 drop
>

Hi Shyam,

thanks for your work!

A question: How are we supposed to run these tests? At least, any hint would
be welcome in the commit message.
Re: [nft PATCH 0/16] introduce libnftables
On 16 August 2017 at 22:42, Eric Leblond wrote:
>
> Hello,
>
> This patchset adds a basic high level libnftables to nftables code.
> It is currently supporting running a command from a buffer or from
> a file as well as batch support allowing to chain commands and commit
> them at once.
>
> The API is mostly using existing structures such as nft_ctx that are
> updated to contain enough information. It also adds a structure
> dedicated to batch.
>

Great work Eric, thanks! Some comments below.

> A simple program running a command is the following:
>
> nft_global_init();
> nft = nft_context_new();
> nft_context_set_print_func(nft, my_print, buf);
  ^^^

A minor thing: Did you evaluate merging these two? Setting the print function directly when allocating a new context.

> rc = nft_run_command_from_buffer(nft, CMD, sizeof(CMD));
> if (rc != NFT_EXIT_SUCCESS) {
>         nft_get_error(nft, err_buf, sizeof(err_buf));
>         printf("%s\n", err_buf);
>         return -1;
> }
> nft_context_free(nft);
> nft_global_deinit();
>
> Transaction support is similar with:
>
> nft = nft_context_new();
> batch = nft_batch_start(nft);
> if (nft_batch_add(nft, batch, ADD1, strlen(ADD1)) != 0) {
>         printf("FAIL add 1\n");
>         goto out;
> }
> if (nft_batch_add(nft, batch, ADD2, strlen(ADD2)) != 0) {
>         printf("FAIL add 2\n");
>         goto out;
> }
> if (nft_batch_commit(nft, batch) != 0) {
  ^^^

error handling here is like in the other case? i.e. running nft_get_error() ?

>         goto out;
> }
>
> out:
> nft_batch_free(batch);
> nft_context_free(nft);
> nft_global_deinit();
>
> The library provides a way to get standard output via nft_context_set_print_func
> and error handling is done via nft_get_error that gets the error message in a
> buffer.
>
> This is early stage code as it does not feature things like set handling but IMO
> it can already be used as a starting point to build more things.
>

Any special challenge with sets?
On a side note, I remember in NFWS 2017 we discussed the possibility of libnftables being a separate source project, i.e. a standalone repository. Now that I see your patches, what I see is that libnftables is mostly all the code, while nft itself is very little code. Still, with my Debian hat, I think that different repositories are good to have.

One more comment: perhaps it is a good idea to release nftables v0.8 before introducing this code into the repository. We may end up not releasing nftables in quite a long time.
[conntrack-tools PATCH] tests: don't fail on modprobe since the driver might be built-in
From: Steve Langasek <steve.langa...@ubuntu.com> Any of these nf drivers could be built-ins instead of modules; don't cause the testsuite to fail on modprobe, instead let it proceed and succeed/fail later based on actual test results. Ideally we would check up front if the driver is loaded rather than trying to modprobe and ignoring failures, but there doesn't seem to be a reliable place to check this in the kernel filesystem. Signed-off-by: Steve Langasek <steve.langa...@ubuntu.com> Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- tests/conntrack/run-test.sh | 14 -- tests/nfct/run-test.sh | 14 -- 2 files changed, 16 insertions(+), 12 deletions(-) diff --git a/tests/conntrack/run-test.sh b/tests/conntrack/run-test.sh index 1403e2c..1c1f8e4 100644 --- a/tests/conntrack/run-test.sh +++ b/tests/conntrack/run-test.sh @@ -10,10 +10,12 @@ gcc test-conntrack.c -o test # # XXX: module auto-load not support by nfnetlink_cttimeout yet :-( # -modprobe nf_conntrack_ipv4 -modprobe nf_conntrack_ipv6 -modprobe nf_conntrack_proto_udplite -modprobe nf_conntrack_proto_sctp -modprobe nf_conntrack_proto_dccp -modprobe nf_conntrack_proto_gre +# any or all of these might be built-ins rather than modules, so don't error +# out on failure from modprobe +modprobe nf_conntrack_ipv4 || true +modprobe nf_conntrack_ipv6 || true +modprobe nf_conntrack_proto_udplite || true +modprobe nf_conntrack_proto_sctp || true +modprobe nf_conntrack_proto_dccp || true +modprobe nf_conntrack_proto_gre || true ./test testcases diff --git a/tests/nfct/run-test.sh b/tests/nfct/run-test.sh index 851ee75..f5f220b 100644 --- a/tests/nfct/run-test.sh +++ b/tests/nfct/run-test.sh 
@@ -11,10 +11,12 @@ gcc test.c -o test # # XXX: module auto-load not support by nfnetlink_cttimeout yet :-( # -modprobe nf_conntrack_ipv4 -modprobe nf_conntrack_ipv6 -modprobe nf_conntrack_proto_udplite -modprobe nf_conntrack_proto_sctp -modprobe nf_conntrack_proto_dccp -modprobe nf_conntrack_proto_gre +# any or all of these might be built-ins rather than modules, so don't error +# out on failure from modprobe +modprobe nf_conntrack_ipv4 || true +modprobe nf_conntrack_ipv6 || true +modprobe nf_conntrack_proto_udplite || true +modprobe nf_conntrack_proto_sctp || true +modprobe nf_conntrack_proto_dccp || true +modprobe nf_conntrack_proto_gre || true ./test timeout -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
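Review bot: the six `modprobe ... || true` lines in the tests/conntrack/run-test.sh hunk would be easier to maintain as a loop over the module names, e.g. `for m in nf_conntrack_ipv4 nf_conntrack_ipv6 nf_conntrack_proto_udplite nf_conntrack_proto_sctp nf_conntrack_proto_dccp nf_conntrack_proto_gre; do modprobe $m || true; done`, which also leaves a single place to put the up-front "is it loaded" check the commit message says would be preferable. Note that `|| true` also masks a module that exists but fails to load; the comment in the hunk should say that a later test failure is then the only signal.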
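Review bot: the tests/nfct/run-test.sh hunk is a verbatim copy of the conntrack one, so the module list is now maintained in two files; a shared snippet sourced by both run-test.sh scripts (a tests/common.sh, name assumed) would keep them from drifting apart the next time a module is added or renamed.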
[conntrack-tools PATCH] conntrackd: remove warning for -S
Remove the warning message for the -S option which has been deprecated for years now. Users calling conntrackd with this switch activated will now get an error. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- src/main.c |3 --- 1 file changed, 3 deletions(-) diff --git a/src/main.c b/src/main.c index 3b19160..7062e12 100644 --- a/src/main.c +++ b/src/main.c @@ -281,9 +281,6 @@ int main(int argc, char *argv[]) action = STATS; } break; - case 'S': - dlog(LOG_WARNING,"-S option is obsolete. Ignoring."); - break; case 'n': set_operation_mode(, REQUEST, argv); action = REQUEST_DUMP; -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
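Review bot: removing only the `case 'S':` arm does not by itself produce the error the commit message promises. If 'S' is still present in the getopt(3) option string (not visible in this hunk), the flag is still accepted and falls through to whatever the switch's default arm does. The optstring, the usage text and the conntrackd(8) manpage should drop -S in the same patch so that the behaviour matches the message.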
[nft PATCH] monitor: add debug messages
Add some debug messages in the monitor/trace code paths to ease development and debugging in case of errors. After this patch, running 'nft monitor --debug=mnl,netlink' is more verbose. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- src/mnl.c |7 +++ src/netlink.c | 39 +++ 2 files changed, 46 insertions(+) diff --git a/src/mnl.c b/src/mnl.c index da7c090..cf060a4 100644 --- a/src/mnl.c +++ b/src/mnl.c @@ -1139,6 +1139,13 @@ int mnl_nft_event_listener(struct mnl_socket *nf_sock, fprintf(stdout, "# ERROR: %s\n", strerror(errno)); break; } + +#ifdef DEBUG + if (debug_level & DEBUG_MNL) { + mnl_nlmsg_fprintf(stdout, buf, sizeof(buf), + sizeof(struct nfgenmsg)); + } +#endif /* DEBUG */ ret = mnl_cb_run(buf, ret, 0, 0, cb, cb_data); if (ret <= 0) break; diff --git a/src/netlink.c b/src/netlink.c index 880502c..50ed25f 100644 --- a/src/netlink.c +++ b/src/netlink.c 
@@ -2877,12 +2877,51 @@ static int netlink_events_trace_cb(const struct nlmsghdr *nlh, int type, return MNL_CB_OK; } +#ifdef DEBUG +/* only those which could be useful listening to events */ +static const char *const nftnl_msg_types[NFT_MSG_MAX] = { + [NFT_MSG_NEWTABLE] = "NFT_MSG_NEWTABLE", + [NFT_MSG_DELTABLE] = "NFT_MSG_DELTABLE", + [NFT_MSG_NEWCHAIN] = "NFT_MSG_NEWCHAIN", + [NFT_MSG_DELCHAIN] = "NFT_MSG_DELCHAIN", + [NFT_MSG_NEWSET]= "NFT_MSG_NEWSET", + [NFT_MSG_DELSET]= "NFT_MSG_DELSET", + [NFT_MSG_NEWSETELEM]= "NFT_MSG_NEWSETELEM", + [NFT_MSG_DELSETELEM]= "NFT_MSG_DELSETELEM", + [NFT_MSG_NEWRULE] = "NFT_MSG_NEWRULE", + [NFT_MSG_DELRULE] = "NFT_MSG_DELRULE", + [NFT_MSG_TRACE] = "NFT_MSG_TRACE", + [NFT_MSG_NEWGEN]= "NFT_MSG_NEWGEN", + [NFT_MSG_NEWOBJ]= "NFT_MSG_NEWOBJ", + [NFT_MSG_DELOBJ]= "NFT_MSG_DELOBJ", +}; + +static const char *nftnl_msgtype2str(uint16_t type) +{ + if (type >= NFT_MSG_MAX || !nftnl_msg_types[type]) + return "unknown"; + + return nftnl_msg_types[type]; +} +#endif /* DEBUG */ + +static void netlink_events_debug(uint16_t type) +{ +#ifdef DEBUG + if (!(debug_level & DEBUG_NETLINK)) + return; + + printf("netlink event: %s\n", nftnl_msgtype2str(type)); +#endif /* DEBUG */ +} + static int netlink_events_cb(const struct nlmsghdr *nlh, void *data) { int ret = MNL_CB_OK; uint16_t type = NFNL_MSG_TYPE(nlh->nlmsg_type); struct netlink_mon_handler *monh = (struct netlink_mon_handler *)data; + netlink_events_debug(type); netlink_events_cache_update(monh, nlh, type); if (!(monh->monitor_flags & (1 << type))) -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
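Review bot: in the src/mnl.c hunk, `mnl_nlmsg_fprintf(stdout, buf, sizeof(buf), sizeof(struct nfgenmsg))` passes the buffer size rather than the number of bytes actually received; `ret`, the length handed to mnl_cb_run() on the next line, is the right value, otherwise the dump walks past the last message into whatever the buffer held before.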
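Review bot: in the src/netlink.c hunk, `printf("netlink event: %s\n", ...)` writes to stdout, interleaved with the monitor's own event lines that scripts consume; the error path in the mnl.c hunk prefixes its message for that reason (`fprintf(stdout, "# ERROR: %s\n", ...)`). Either give the debug line the same "# " prefix or send it to stderr. A short comment that `nftnl_msg_types`/`nftnl_msgtype2str()` are local to nft despite the nftnl_ prefix would also avoid confusion with libnftnl.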
Re: [PATCH] monitor: fix printing of range elements in named sets
On 11 July 2017 at 20:11, Phil Sutter <p...@nwl.cc> wrote:
> Hi,
>
> On Thu, Jul 06, 2017 at 04:36:45PM +0200, Arturo Borrero Gonzalez wrote:
>> If you add set elements to interval sets, the output is wrong.
>> Fix this by caching first element of the range (first event),
>> then wait for the second element of the range (second event) to
>> print them both at the same time.
>
> As promised, I am preparing my own solution for side-by-side comparison.
> Though I'm running into problems and want to use the occasion to discuss
> them first:
>
> What I wasn't able to solve yet are half-open ranges, like so:
>
> | nft add set ip t portrange { type inet_service; flags interval; }
> | nft add element ip t portrange { 1024-65535 }
>
> In this case there is only a single element with value 1024 which
> doesn't have EXPR_F_INTERVAL_END set. Looking at
> interval_map_decompose(), this is identified to be a range till the end
> of the scope if it's the last element in the set.
>
> In monitor code though, I can't predict whether an interval end element
> will come afterwards or not, so I end up caching the element and
> everything turns into a mess. I'm pretty sure your solution has the same
> problem, could you check that?
>
> Right now, I only see two ways to get this sorted:
>
> 1) Change kernel code to always include both start and end of a range in
>    a single notification. This would eliminate the need for any caching
>    in netlink_events_setelem_cb() altogether!
>
> 2) Change monitor code to cache all events until the final NFTA_GEN_ID
>    message, then handle all messages at once.
>
> What do you think?
>

We should avoid touching the kernel for this.

Anyway, my patch doesn't solve the same issue for deleting range elements.

In this patch I added the logic in netlink_events_setelem_cb() and probably a better place for this is in the netlink_events_cache_update() routine.

I'm sending a patch to add a bit of debugging to the monitor code path meanwhile we solve this issue.
[PATCH] monitor: fix printing of range elements in named sets
If you add set elements to interval sets, the output is wrong. Fix this by caching first element of the range (first event), then wait for the second element of the range (second event) to print them both at the same time. We also avoid printing the first null element required in the RB tree. Before this patch: % nft add element t s {10-20, 30-40} add element ip t s { 0 } add element ip t s { 10 } add element ip t s { ftp } add element ip t s { 30 } add element ip t s { 41 } After this patch: % nft add element t s {10-20, 30-40} add element ip t s { 10-20 } add element ip t s { 30-40 } CC: Phil Sutter <p...@nwl.cc> Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- This was discussed during Netfilter Workshop 2017 in Faro, Portugal. I think Phil has another patch to address this issue from a different approach. include/rule.h |2 ++ src/netlink.c | 50 ++ 2 files changed, 52 insertions(+) diff --git a/include/rule.h b/include/rule.h index 7424b21..1b44e4c 100644 --- a/include/rule.h +++ b/include/rule.h @@ -217,6 +217,7 @@ extern struct rule *rule_lookup(const struct chain *chain, uint64_t handle); * @datalen: mapping data len * @objtype: mapping object type * @init: initializer + * @rg_cache: cached range element (left) * @policy:set mechanism policy * @desc: set mechanism desc */ @@ -234,6 +235,7 @@ struct set { unsigned intdatalen; uint32_tobjtype; struct expr *init; + struct expr *rg_cache; uint32_tpolicy; struct { uint32_tsize; diff --git a/src/netlink.c b/src/netlink.c index 880502c..ad0e712 100644 --- a/src/netlink.c +++ b/src/netlink.c 
@@ -2198,6 +2198,46 @@ out: return MNL_CB_OK; } +/* returns true if the event should be ignored (i.e. null element) */ +static bool netlink_event_ignore_range_event(struct nftnl_set_elem *nlse) +{ +uint32_t flags = 0; + + if (nftnl_set_elem_is_set(nlse, NFTNL_SET_ELEM_FLAGS)) + flags = nftnl_set_elem_get_u32(nlse, NFTNL_SET_ELEM_FLAGS); + if (!(flags & NFT_SET_ELEM_INTERVAL_END)) + return false; + + if (nftnl_set_elem_get_u32(nlse, NFTNL_SET_ELEM_KEY) != 0) + return false; + + return true; +} + +/* returns true if the we cached the range element */ +static bool netlink_event_range_cache(struct set *cached_set, + struct set *dummyset) +{ + struct expr *elem; + + /* not an interval ? */ + if (!(cached_set->flags & NFT_SET_INTERVAL)) + return false; + + /* cache first element of the range */ + elem = list_entry(dummyset->init->expressions.prev, struct expr, list); + if (!(elem->flags & EXPR_F_INTERVAL_END)) { + cached_set->rg_cache = expr_clone(elem); + return true; + } + + /* we have all the information now */ + compound_expr_add(dummyset->init, cached_set->rg_cache); + interval_map_decompose(dummyset->init); + + return false; +} + static int netlink_events_setelem_cb(const struct nlmsghdr *nlh, int type, struct netlink_mon_handler *monh) { @@ -2240,6 +2280,11 @@ static int netlink_events_setelem_cb(const struct nlmsghdr *nlh, int type, nlse = nftnl_set_elems_iter_next(nlsei); while (nlse != NULL) { + if (netlink_event_ignore_range_event(nlse)) { + set_free(dummyset); + nftnl_set_elems_iter_destroy(nlsei); + goto out; + } if (netlink_delinearize_setelem(nlse, dummyset) < 0) { set_free(dummyset); nftnl_set_elems_iter_destroy(nlsei); @@ -2251,6 +2296,10 @@ static int netlink_events_setelem_cb(const struct nlmsghdr *nlh, int type, switch (type) { case NFT_MSG_NEWSETELEM: + if (netlink_event_range_cache(set, dummyset)) { + set_free(dummyset); + goto out; + } printf("add "); break; case NFT_MSG_DELSETELEM: 
@@ -2264,6 +2313,7 @@ static int netlink_events_setelem_cb(const struct nlmsghdr *nlh, int type, expr_print(dummyset->init, monh->ctx->octx); printf("\n"); + expr_free(set->rg_cache); set_free(dummyset); break; case NFTNL_OUTPUT_XML: -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a
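Review bot: in netlink_event_ignore_range_event(), `nftnl_set_elem_get_u32(nlse, NFTNL_SET_ELEM_KEY)` reads the key as a 32-bit value, but a set key has the set's key length (2 bytes for inet_service, 16 for ipv6_addr), so this either reads past a short key or ignores most of a long one. Fetch the key with nftnl_set_elem_get() together with its length and test that every byte is zero.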
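Review bot: netlink_event_range_cache() hands `cached_set->rg_cache` to compound_expr_add(), so dummyset->init owns that expression from then on, yet the @@ -2264 hunk still calls `expr_free(set->rg_cache)` immediately before `set_free(dummyset)`; unless interval_map_decompose() replaces the element, that is a double free. Either way, set `rg_cache` to NULL after releasing it, and initialize it where `struct set` is allocated: the include/rule.h hunk adds the field but nothing in this patch sets it before the first `if (!(elem->flags & EXPR_F_INTERVAL_END))` path stores into it.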
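Review bot: the caching in netlink_event_range_cache() assumes an INTERVAL_END element always follows a start element. For a half-open range such as the `1024-65535` case discussed in the thread the kernel sends only the start, so the cached expression is never printed and the next range event overwrites it (leaking the clone). Also only NFT_MSG_NEWSETELEM goes through the cache; a NFT_MSG_DELSETELEM of a range still prints the two boundary elements separately, as the author acknowledges, so the commit message should say the fix covers additions only.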
Re: using nft & iptables nat in parallel
On 14 June 2017 at 11:58, Florian Westphal <f...@strlen.de> wrote:
> Arturo Borrero Gonzalez <art...@debian.org> wrote:
>> I'm curious, What is the use case of using both nftables and iptables
>> at the same time?
>> Some missing functionality in nft?
>> Perhaps some ipt->nft partial migration procedure?
>
> Yes, partial migration.
>
> Right now there are an awful lot of tools out there (docker, libvirt,
> kubernetes, ..) that call iptables(-restore) directly (or inject them via
> firewalld).
>

Well, just quickly checked firewalld code [0]. It relies so massively on ipXtables/ipset that I bet a migration to nftables would require a major rewrite.

Not sure if iptables-compat addresses this case, or even a high level libnftables.

[0] https://github.com/t-woerner/firewalld/blob/master/src/firewall/core/ipXtables.py
Re: using nft & iptables nat in parallel
On 14 June 2017 at 11:24, Florian Westphal wrote:
>
> Another side effect is that this avoids the need to add (in nft case)
> the 'empty' nat base chains to take care of reply translation.
>

good!

> Thoughts?
>

I'm curious, What is the use case of using both nftables and iptables at the same time? Some missing functionality in nft? Perhaps some ipt->nft partial migration procedure?

>
> This would also possibly allow us to add nat hooks in the INET family.

good!
[conntrack-tools PATCH v2] conntrackd: make the daemon run in RT mode by default
In order to prevent netlink buffer overrun, conntrackd is recommended to run at max priority. Make conntrackd to use a RT (SHED_RR) scheduler by default at max priority. This is common among other HA daemons. For example corosync uses SCHED_RR by default. The scheduler configuration option is kept in order to allow admins to perform fine-tuning, but it is deleted from example configuration files. Note that this default sched priority is so high that it makes the nice value useless, so deprecate the nice configuration. Anyway the nice value can be set externally at runtime using nice/renice. The code is moved to the init() routine. In case of error setting the scheduler, the system default will be used. Report a message to the user and continue working. Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- v2: refresh manpages, keep scheduler configuration options while deprecating nice conntrackd.conf.5| 35 --- doc/helper/conntrackd.conf | 21 - doc/stats/conntrackd.conf| 19 --- doc/sync/alarm/conntrackd.conf | 21 - doc/sync/ftfw/conntrackd.conf| 21 - doc/sync/notrack/conntrackd.conf | 21 - include/conntrackd.h |1 - src/main.c | 28 src/read_config_yy.y |3 ++- src/run.c| 25 + 10 files changed, 39 insertions(+), 156 deletions(-) diff --git a/conntrackd.conf.5 b/conntrackd.conf.5 index a395e14..2ce6aa3 100644 --- a/conntrackd.conf.5 +++ b/conntrackd.conf.5 @@ -22,7 +22,7 @@ .\" <http://www.gnu.org/licenses/>. .\" %%%LICENSE_END .\" -.TH CONNTRACKD.CONF 5 "May 09, 2017" +.TH CONNTRACKD.CONF 5 "June 09, 2017" .SH NAME conntrackd.conf \- configuration file for conntrackd daemon 
@@ -480,14 +480,10 @@ By default runtime support is disabled. .TP .BI "Nice " -Set the \fBnice(1)\fP value of the daemon, this value goes from -20 (most -favorable scheduling) to 19 (least favorable). Using a very low value reduces -the chances to lose state-change events. - -Example: Nice -20 - -Default is 0 but this example sets it to most favourable scheduling as -this is generally a good idea. +Deprecated. Conntrackd ignores this option and it will be removed in the +future. Please note that you can run \fBnice(1)\fP and \fBrenice(1)\fP +externally. Also note that \fBconntrackd(8)\fP now uses by default a RT +scheduler. .TP .BI "HashSize " @@ -731,8 +727,9 @@ Example: Select a different scheduler for the daemon, you can select between \fBRR\fP and \fBFIFO\fP and the process priority. -See \fBsched_setscheduler(2)\fP for more information. Using a RT scheduler -reduces the chances to overrun the Netlink buffer. +Using a RT scheduler reduces the chances to overrun the Netlink buffer and +\fBconntrackd(8)\fP uses by default \fBRR\fP unless \fBFIFO\fP is selected. +See \fBsched_setscheduler(2)\fP for more information. Example: .nf @@ -746,12 +743,15 @@ Example: .BI "Type " Supported values are \fBRR\fP or \fBFIFO\fP. +Default: RR + .TP .BI "Priority " Value of the scheduler priority. - Minimum is 0, maximum is 99. +Default: 99 (as returned by \fBsched_get_priority_max(2)\fP for \fBSCHED_RR\fP) + .SH STATS This top-level section indicates \fBconntrackd(8)\fP to work as a statistic collector for the nf_conntrack linux kernel subsystem. @@ -904,7 +904,6 @@ Stats { } General { Systemd on - Nice -1 HashSize 8192 HashLimit 65535 Syslog on @@ -969,11 +968,6 @@ Sync { } General { Systemd on - Nice -20 - Scheduler { - Type FIFO - Priority 99 - } HashSize 32768 HashLimit 131072 LogFile on @@ -1031,11 +1025,6 @@ Sync { } General { Systemd on - Nice -20 - Scheduler { - Type FIFO - Priority 99 - } HashSize 32768 HashLimit 131072 LogFile on 
diff --git a/doc/helper/conntrackd.conf b/doc/helper/conntrackd.conf index 1746bfd..4148544 100644 --- a/doc/helper/conntrackd.conf +++ b/doc/helper/conntrackd.conf @@ -103,27 +103,6 @@ Helper { # General { # - # Set the nice value of the daemon, this value goes from -20 - # (most favorable scheduling) to 19 (least favorable). Using a - # very low value reduces the chances to lose state-change events. - # Default is 0 but this example file sets it to most favourable - # scheduling as this is generally a good idea. See man nice(1) for - # more information. - # - Nice -20 - - # - # Select a different scheduler for the daemon, you can select between - # RR and FIFO and the process priority (min
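Review bot: the conntrackd.conf.5 hunk states "Default: 99 (as returned by sched_get_priority_max(2) for SCHED_RR)" while Type may also be FIFO; say whether the default priority is the maximum for the policy actually selected or a fixed 99, since the src/run.c change that decides this is not visible here. The Nice entry now reads "Conntrackd ignores this option"; to match the commit message's "deprecate", the parser should log a warning when it meets Nice in an existing configuration rather than accept it silently. The commit message also reads "SHED_RR" where SCHED_RR is meant.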
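Review bot: the doc/helper/conntrackd.conf hunk (and the other example files in the diffstat) drops the only sample of the `Scheduler { Type ... Priority ... }` syntax while the manpage keeps the option for fine-tuning; leaving the block in place but commented out, the way the surrounding `#` lines document other options, keeps a copy-paste reference for admins who do want to change the policy.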
Re: [conntrack-tools PATCH v2] In order to prevent netlink buffer overrun, conntrackd is recommended to run
On 9 June 2017 at 15:06, Arturo Borrero Gonzalez <art...@debian.org> wrote:
> at max priority.

oops, ugly. Resending
[conntrack-tools PATCH v2] In order to prevent netlink buffer overrun, conntrackd is recommended to run
at max priority. Make conntrackd to use a RT (SHED_RR) scheduler by default at max priority. This is common among other HA daemons. For example corosync uses SCHED_RR by default. The scheduler configuration option is keep in order to allow admins to perform fine-tuning, but it is deleted from example configuration files. Note that this default sched priority is so high that it makes the nice value useless, so deprecate the nice configuration. Anyway the nice value can be set externally at runtime using nice/renice. The code is moved to the init() routine. In case of error setting the scheduler, the system default will be used. Report a message to the user and continue working. Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- v2: refresh manpages, keep scheduler configuration options conntrackd.conf.5| 35 --- doc/helper/conntrackd.conf | 21 - doc/stats/conntrackd.conf| 19 --- doc/sync/alarm/conntrackd.conf | 21 - doc/sync/ftfw/conntrackd.conf| 21 - doc/sync/notrack/conntrackd.conf | 21 - include/conntrackd.h |1 - src/main.c | 28 src/read_config_yy.y |3 ++- src/run.c| 25 + 10 files changed, 39 insertions(+), 156 deletions(-) diff --git a/conntrackd.conf.5 b/conntrackd.conf.5 index a395e14..2ce6aa3 100644 --- a/conntrackd.conf.5 +++ b/conntrackd.conf.5 @@ -22,7 +22,7 @@ .\" <http://www.gnu.org/licenses/>. .\" %%%LICENSE_END .\" -.TH CONNTRACKD.CONF 5 "May 09, 2017" +.TH CONNTRACKD.CONF 5 "June 09, 2017" .SH NAME conntrackd.conf \- configuration file for conntrackd daemon 
@@ -480,14 +480,10 @@ By default runtime support is disabled. .TP .BI "Nice " -Set the \fBnice(1)\fP value of the daemon, this value goes from -20 (most -favorable scheduling) to 19 (least favorable). Using a very low value reduces -the chances to lose state-change events. - -Example: Nice -20 - -Default is 0 but this example sets it to most favourable scheduling as -this is generally a good idea. +Deprecated. Conntrackd ignores this option and it will be removed in the +future. Please note that you can run \fBnice(1)\fP and \fBrenice(1)\fP +externally. Also note that \fBconntrackd(8)\fP now uses by default a RT +scheduler. .TP .BI "HashSize " @@ -731,8 +727,9 @@ Example: Select a different scheduler for the daemon, you can select between \fBRR\fP and \fBFIFO\fP and the process priority. -See \fBsched_setscheduler(2)\fP for more information. Using a RT scheduler -reduces the chances to overrun the Netlink buffer. +Using a RT scheduler reduces the chances to overrun the Netlink buffer and +\fBconntrackd(8)\fP uses by default \fBRR\fP unless \fBFIFO\fP is selected. +See \fBsched_setscheduler(2)\fP for more information. Example: .nf @@ -746,12 +743,15 @@ Example: .BI "Type " Supported values are \fBRR\fP or \fBFIFO\fP. +Default: RR + .TP .BI "Priority " Value of the scheduler priority. - Minimum is 0, maximum is 99. +Default: 99 (as returned by \fBsched_get_priority_max(2)\fP for \fBSCHED_RR\fP) + .SH STATS This top-level section indicates \fBconntrackd(8)\fP to work as a statistic collector for the nf_conntrack linux kernel subsystem. @@ -904,7 +904,6 @@ Stats { } General { Systemd on - Nice -1 HashSize 8192 HashLimit 65535 Syslog on @@ -969,11 +968,6 @@ Sync { } General { Systemd on - Nice -20 - Scheduler { - Type FIFO - Priority 99 - } HashSize 32768 HashLimit 131072 LogFile on @@ -1031,11 +1025,6 @@ Sync { } General { Systemd on - Nice -20 - Scheduler { - Type FIFO - Priority 99 - } HashSize 32768 HashLimit 131072 LogFile on 
diff --git a/doc/helper/conntrackd.conf b/doc/helper/conntrackd.conf index 1746bfd..4148544 100644 --- a/doc/helper/conntrackd.conf +++ b/doc/helper/conntrackd.conf @@ -103,27 +103,6 @@ Helper { # General { # - # Set the nice value of the daemon, this value goes from -20 - # (most favorable scheduling) to 19 (least favorable). Using a - # very low value reduces the chances to lose state-change events. - # Default is 0 but this example file sets it to most favourable - # scheduling as this is generally a good idea. See man nice(1) for - # more information. - # - Nice -20 - - # - # Select a different scheduler for the daemon, you can select between - # RR and FIFO and the process priority (minimum is 0, maximum is 99). - # See man sched_setscheduler(2) for more inform
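Review bot: the first line of the commit message ("In order to prevent netlink buffer overrun, conntrackd is recommended to run") ended up as the Subject and the body opens mid-sentence with "at max priority."; the resend carries the intended subject "conntrackd: make the daemon run in RT mode by default". While re-editing, "SHED_RR" should read SCHED_RR and "is keep" should read "is kept".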
Re: [PATCH] tests: shell: Add test for ambguity while setting the value
On 9 June 2017 at 11:30, Shyam Sainiwrote: > This test checks bug identified and fixed in the commit mentioned below > In a statement if there are multiple src data then it would be > totally ambiguous to decide which value to set. > > We don't add this test in python testsuite, because there we only have > "ok" and "fail" as return code. So, we can't detect 134 != 1 there. > (both 1 and 134 stats failure) > > Test: 986dea8 ("evaluate: avoid reference to multiple src data in statements > which set values") > Signed-off-by: Shyam Saini > --- > .../testcases/sets/0023unknown_value_to_use_0 | 34 > ++ > 1 file changed, 34 insertions(+) > create mode 100755 tests/shell/testcases/sets/0023unknown_value_to_use_0 > Thanks Shyam, minor things below, almost there! Please send an v2 with the requested changes, as you could see, they are cosmetic changes > diff --git a/tests/shell/testcases/sets/0023unknown_value_to_use_0 > b/tests/shell/testcases/sets/0023unknown_value_to_use_0 > new file mode 100755 > index 000..011cedd > --- /dev/null > +++ b/tests/shell/testcases/sets/0023unknown_value_to_use_0 
> @@ -0,0 +1,34 @@
> +#!/bin/bash
> +
> + # This test checks bug identified and fixed in the commit Id
> "986dea8".
> + # i.e, If in a statement there are multiple src data then it would
> be totally ambiguous to decide which value to set.
> +
> + # Before this commit 986dea8, nft returns 134 which indicates the bug
> but after this commit it returns 1.
> + # We don't add this test in python testsuite, because there we can't
> detect 134 != 1 (returns code stating failure)
> +

Better remove the indentations.

> +declare -a rules=(
> +"tcp dport set {1, 2, 3}" "udp dport set {1, 2, 3}"
> +"meta pkttype set {unicast, multicast, broadcast}"
> +"meta mark set {0x, 0xcc}"
> +"ct mark set {0x11333, 0x11}" "ct zone set {123, 127}"
> +"ct label set {123, 127}"
> +"ct event set {new, related, destroy, label}"
> +"ether daddr set {01:00:5e:00:01:01, 01:00:5e:00:02:02}"
> +"ip saddr set {192.19.1.2, 191.1.22.1}"
> +)
> +

I don't really like this approach of using a bash array, I think it makes things harder to understand and requires to decode the rather complex bash variable expansions, but hey, it works, so OK. I left this up to you.

> +$NFT add table t
> +$NFT add chain t c
> +
> +for (( i = 0 ; i < ${#rules[@]} ; i++ ))
> +do
> + $1 $1

<-- what does this? I think we can safely remove it.

> + `$NFT add rule t c ${rules[$i]} 2>>/dev/null`

No need to run command in `a subshell`. BTW this $(syntax) is preferred.

Also, no need to redirect stderr, we are actually interested in it.

In fact, if you delete the redirection and you run this test:

% sudo ./run-tests.sh testcases/sets/0023unknown_value_to_use_0
I: using nft binary ../../src/nft
I: [OK] testcases/sets/0023unknown_value_to_use_0
:1:28-36: Error: you cannot use a set here, unknown value to use
add rule t c tcp dport set {1, 2, 3}
~~^
:1:28-36: Error: you cannot use a set here, unknown value to use
add rule t c udp dport set {1, 2, 3}
~~^
[...]
:1:30-67: Error: you cannot use a set here, unknown value to use
add rule t c ether daddr set {01:00:5e:00:01:01, 01:00:5e:00:02:02}
^^
:1:27-50: Error: you cannot use a set here, unknown value to use
add rule t c ip saddr set {192.19.1.2, 191.1.22.1}
~
I: results: [OK] 1 [FAILED] 0 [TOTAL] 1

You get access to the actual error messages, which is useful to see that the return code of 1 maps to the error message itself.

Still, if you run the complete testsuite (i.e, not a single test), you can hide/show these messages using the '-v' switch.
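Review bot: the loop body in the quoted hunk never inspects the exit status of `$NFT add rule t c ${rules[$i]}`, yet the whole point stated in the commit message is that the fixed nft returns 1 where the buggy one returned 134. As written the test passes whether nft exits 0, 1 or 134; check the status explicitly for every rule, e.g. `$NFT add rule t c "${rules[$i]}"; [ $? -eq 1 ] || exit 1`, so the [OK] in the run log above reflects an actual assertion rather than the script reaching its end. The stray `$1 $1` line is already flagged above.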
Re: [PATCH 1/3] scanner: add files in include dirs in alphabetical order.
On 8 June 2017 at 12:17, Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> On Wed, Jun 07, 2017 at 09:40:53PM +0200, Arturo Borrero Gonzalez wrote:
>> On 7 June 2017 at 10:35, Ismo Puustinen <ismo.puusti...@intel.com> wrote:
>> >
>> > +static int directoryfilter(const struct dirent *de)
>> > +{
>> > + if (strcmp(de->d_name, ".") == 0 ||
>> > + strcmp(de->d_name, "..") == 0)
>> > + return 0;
>> > +
>> > + /* Accept other filenames. If we want to enable filtering based on
>> > +* filename suffix (*.nft), this would be the place to do it.
>> > +*/
>> > +
>>
>> This filter by suffix is good to have IMHO.
>> I guess that forcing users to explicitly create a file for nftables
>> (or at least give a specific suffix) reduces chances for user errors.
>
> You mean, this new include directory feature just takes *.nft files,
> right?
>

Yes,

> Then, to keep it consistent, we should also display a warning in
> include file with no .nft postfix. And deprecate the existing behaviour
> at some point, ie. bail out if you include a file that has no trailing
> .nft in its name.
>
> If we follow this path, all ruleset file will end up using .nft as
> a trailer in the name.
>

but perhaps it makes sense to differentiate two cases:

* include a single file: accept arbitrary names
* include a whole dir: accept only files ending in .nft

This seems to be what sysctl(8) does when loading a single file vs a directory.

I'm thinking of a case where you have a README in the directory or other unrelated file. If the idea is to allow drop files (a good idea indeed), then being explicit is a good approach.

> Is there any other similar software following this approach? How is
> 'ferm' doing this?

ferm seems to load arbitrary files. In the docs they suggest using .ferm files but the code seems to allow whatever. However, they have a set of regexps hardcoded to avoid loading things like backup files and the like.

So, yes, probably forcing to .nft is sensible.
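The two-case rule proposed in the thread (a single `include` takes any file name, an include directory takes only `*.nft`), written out as a scandir(3) filter. This is an added example, not the code from Ismo's patch or the nftables tree: `nft_dir_filter()`, `filter_name()`, `list_nft_includes()` and `demo_count()` are our own names, and the scratch directory layout in `demo_count()` is constructed for illustration. The filter skips `.` and `..`, requires a non-empty stem before `.nft`, and rejects names where `.nft` is not the final suffix, so a README or an editor backup such as `rules.nft~` dropped into the directory is ignored; `alphasort` gives the alphabetical load order the patch uses.

```c
#define _DEFAULT_SOURCE
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define NFT_SUFFIX ".nft"

/* scandir(3) filter for an include directory: 1 keeps the entry, 0 drops
 * it. Hypothetical name, not the patch's directoryfilter(). */
static int nft_dir_filter(const struct dirent *de)
{
	const char *name = de->d_name;
	size_t len = strlen(name), slen = strlen(NFT_SUFFIX);

	if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
		return 0;
	/* Require a non-empty stem: a bare ".nft" is a hidden file, not a ruleset. */
	if (len <= slen)
		return 0;
	/* "rules.nft~" and "rules.nft.bak" fail here: the suffix must come last. */
	return strcmp(name + len - slen, NFT_SUFFIX) == 0;
}

/* Run the filter on a bare file name (for callers without a real dirent). */
static int filter_name(const char *name)
{
	struct dirent de;

	memset(&de, 0, sizeof(de));
	snprintf(de.d_name, sizeof(de.d_name), "%s", name);
	return nft_dir_filter(&de);
}

/* Accepted names from dir in alphabetical order, the load order the patch
 * uses. Returns the count (caller frees *names and its strings) or -1. */
static int list_nft_includes(const char *dir, char ***names)
{
	struct dirent **entries;
	int n, i;

	n = scandir(dir, &entries, nft_dir_filter, alphasort);
	if (n < 0)
		return -1;
	*names = n > 0 ? calloc((size_t)n, sizeof(char *)) : NULL;
	for (i = 0; i < n; i++) {
		if (*names)
			(*names)[i] = strdup(entries[i]->d_name);
		free(entries[i]);
	}
	free(entries);
	return (n > 0 && !*names) ? -1 : n;
}

/* Constructed scenario: a scratch directory holding two rulesets, a README,
 * an editor backup and a hidden ".nft". Returns how many names the filter
 * admits in the expected order (2), or -1 on a mismatch or error. */
static int demo_count(void)
{
	static const char *const files[] = {
		"20-nat.nft", "README", "10-filter.nft", "20-nat.nft~", ".nft",
	};
	const size_t nfiles = sizeof(files) / sizeof(files[0]);
	char dir[] = "/tmp/nft-include.XXXXXX";
	char path[512], **names = NULL;
	int n, i, ok;
	size_t j;

	if (!mkdtemp(dir))
		return -1;
	for (j = 0; j < nfiles; j++) {
		FILE *f;

		snprintf(path, sizeof(path), "%s/%s", dir, files[j]);
		if ((f = fopen(path, "w")))
			fclose(f);
	}
	n = list_nft_includes(dir, &names);
	ok = n == 2 && strcmp(names[0], "10-filter.nft") == 0 &&
	     strcmp(names[1], "20-nat.nft") == 0;
	for (i = 0; i < n; i++)
		free(names[i]);
	free(names);
	for (j = 0; j < nfiles; j++) {
		snprintf(path, sizeof(path), "%s/%s", dir, files[j]);
		unlink(path);
	}
	rmdir(dir);
	return ok ? n : -1;
}

int main(void)
{
	printf("constructed include dir: %d file(s) accepted, README ignored: %s\n",
	       demo_count(), filter_name("README") ? "no" : "yes");
	return 0;
}
```

A single-file `include "foo"` would bypass `nft_dir_filter()` entirely, which is the differentiation argued for above; only directory includes pay the suffix check.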
Re: [conntrack-tools PATCH 2/4] conntrackd: make the daemon run in RT mode by default
On 6 June 2017 at 13:10, Pablo Neira Ayuso wrote:
>
> But I think we should keep the Nice and Scheduler clauses. Just in
> case anyone wants to do this fine grain tuning.
>

The nice value can be changed at runtime externally: using the nice/renice commands.
Perhaps it is a bit redundant to have it included in the conntrackd code.

Also, nice values are somehow overridden by either SCHED_RR (our default) or SCHED_FIFO.
Not sure if it makes sense to run in RT and then lower priority by means of nice.

I'm tempted to just remove the nice thing in v2, what do you think?
Re: [PATCH 1/3] scanner: add files in include dirs in alphabetical order.
On 7 June 2017 at 10:35, Ismo Puustinen wrote:
>
> +static int directoryfilter(const struct dirent *de)
> +{
> + if (strcmp(de->d_name, ".") == 0 ||
> + strcmp(de->d_name, "..") == 0)
> + return 0;
> +
> + /* Accept other filenames. If we want to enable filtering based on
> +* filename suffix (*.nft), this would be the place to do it.
> +*/
> +

This filter by suffix is good to have IMHO.
I guess that forcing users to explicitly create a file for nftables
(or at least give a specific suffix) reduces chances for user errors.
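Review bot: the quoted `directoryfilter()` rejects only `.` and `..`, so every other entry in the include directory, including editor backup and swap files, hidden files and subdirectories, is handed to the include loader, and a stray file dropped into the directory silently becomes part of the ruleset. Since the comment already marks this function as the place for it, the `.nft` suffix check belongs here now rather than in a later change, together with a check that the entry is a regular file (`d_type`, or a stat when `d_type` is unknown); that makes a directory include deterministic for the packager who relies on it.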
[conntrack-tools PATCH 1/4] conntrackd: evaluate configuration earlier
Run the evaluation step sooner in the conntrackd startup routine. Don't close log or unlink lockfile at this stage. Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- src/main.c | 20 +--- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/src/main.c b/src/main.c index fb20f1d..4b6d17d 100644 --- a/src/main.c +++ b/src/main.c @@ -338,6 +338,15 @@ int main(int argc, char *argv[]) exit(EXIT_FAILURE); } + /* +* Evaluate configuration +*/ + if (evaluate() == -1) { + dlog(LOG_ERR, "conntrackd cannot start, please review your " +"configuration"); + exit(EXIT_FAILURE); + } + if (type == REQUEST) { if (do_local_request(action, , local_step) == -1) { dlog(LOG_ERR, "can't connect: is conntrackd " @@ -383,17 +392,6 @@ int main(int argc, char *argv[]) } /* -* Evaluate configuration -*/ - if (evaluate() == -1) { - dlog(LOG_ERR, "conntrackd cannot start, please review your " -"configuration"); - close_log(); - unlink(CONFIG(lockfile)); - exit(EXIT_FAILURE); - } - - /* * initialization process */ -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
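Review bot: moving `evaluate()` ahead of the `if (type == REQUEST)` branch changes behaviour for client invocations, assuming the request branch exits as its original placement suggests: a request that previously only needed the UNIX socket path now also aborts with "conntrackd cannot start, please review your configuration" when the daemon configuration does not evaluate, and that message is misleading for a client command. If validating the configuration for requests is intended, the commit message should say so; otherwise the call belongs just after the request branch. The new early-exit path correctly drops `close_log()` and `unlink(CONFIG(lockfile))`, but a one-line comment stating that the log is not open and the lockfile not created at this point would stop a future reordering from calling them too early.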
[conntrack-tools PATCH 2/4] conntrackd: make the daemon run in RT mode by default
In order to prevent netlink buffer overrun, conntrackd is recommended to run at max priority. Make conntrackd to use a RT (SHED_RR) scheduler by default at max priority. This is common among other HA daemons. For example corosync uses SCHED_RR by default. This change should help ease the configuration of conntrackd. Note that a sched priority that high makes the nice value useless, so deprecate both options now. The code is moved to the init() routine. In case of error setting the scheduler, the system default will be used. Report a message to the user and continue working. Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- conntrackd.conf.5| 46 +++--- doc/helper/conntrackd.conf | 21 - doc/stats/conntrackd.conf| 19 doc/sync/alarm/conntrackd.conf | 21 - doc/sync/ftfw/conntrackd.conf| 21 - doc/sync/notrack/conntrackd.conf | 21 - include/conntrackd.h |5 src/main.c | 28 --- src/read_config_yy.y | 21 + src/run.c| 18 +++ 10 files changed, 28 insertions(+), 193 deletions(-) diff --git a/conntrackd.conf.5 b/conntrackd.conf.5 index 94de327..1e56a1f 100644 --- a/conntrackd.conf.5 +++ b/conntrackd.conf.5 @@ -480,14 +480,8 @@ By default runtime support is disabled. .TP .BI "Nice " -Set the \fBnice(1)\fP value of the daemon, this value goes from -20 (most -favorable scheduling) to 19 (least favorable). Using a very low value reduces -the chances to lose state-change events. - -Example: Nice -20 - -Default is 0 but this example sets it to most favourable scheduling as -this is generally a good idea. +Deprecated. This option will be removed in the future. +Conntrackd now uses by default a RT scheduler. .TP .BI "HashSize " 
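Review bot: the replacement text for `Nice` in the conntrackd.conf.5 hunk says only that the option is deprecated; it should also state what a configuration that still contains `Nice` does now (parsed and ignored with a warning, or rejected), because the commit message deprecates the option rather than removing it and packagers shipping old conntrackd.conf files need to know whether startup is affected. Naming the new default (SCHED_RR at maximum priority), that it needs CAP_SYS_NICE or a sufficient RLIMIT_RTPRIO, and that the daemon otherwise falls back to the system scheduler with a logged message, as the commit message describes, would make the entry self-contained.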
@@ -731,29 +725,8 @@ Example: .fi .SS SCHEDULER -Select a different scheduler for the daemon, you can select between \fBRR\fP -and \fBFIFO\fP and the process priority. - -See \fBsched_setscheduler(2)\fP for more information. Using a RT scheduler -reduces the chances to overrun the Netlink buffer. - -Example: -.nf - Scheduler { - Type FIFO - Priority 99 - } -.fi - -.TP -.BI "Type " -Supported values are \fBRR\fP or \fBFIFO\fP. - -.TP -.BI "Priority " -Value of the scheduler priority. - -Minimum is 0, maximum is 99. +Deprecated. This section will be removed in the future. +Conntrackd now uses by default a RT scheduler. .SH STATS This top-level section indicates \fBconntrackd(8)\fP to work as a statistic @@ -907,7 +880,6 @@ Stats { } General { Systemd on - Nice -1 HashSize 8192 HashLimit 65535 Syslog on @@ -973,11 +945,6 @@ Sync { } General { Systemd on - Nice -20 - Scheduler { - Type FIFO - Priority 99 - } HashSize 32768 HashLimit 131072 LogFile on @@ -1036,11 +1003,6 @@ Sync { } General { Systemd on - Nice -20 - Scheduler { - Type FIFO - Priority 99 - } HashSize 32768 HashLimit 131072 LogFile on diff --git a/doc/helper/conntrackd.conf b/doc/helper/conntrackd.conf index 7eae8bc..abc4087 100644 --- a/doc/helper/conntrackd.conf +++ b/doc/helper/conntrackd.conf 
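Review bot: the SCHEDULER hunk drops the sentence explaining why a real-time scheduler matters here (it reduces the chance of overrunning the Netlink buffer) together with the `sched_setscheduler(2)` reference. That rationale now applies to the default rather than to an option, so it should be kept and moved next to the description of the new default; otherwise the man page no longer tells an operator why conntrackd runs at RT priority, nor that a busy conntrackd at priority 99 can starve other processes sharing its CPU.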
@@ -103,27 +103,6 @@ Helper { # General { # - # Set the nice value of the daemon, this value goes from -20 - # (most favorable scheduling) to 19 (least favorable). Using a - # very low value reduces the chances to lose state-change events. - # Default is 0 but this example file sets it to most favourable - # scheduling as this is generally a good idea. See man nice(1) for - # more information. - # - Nice -20 - - # - # Select a different scheduler for the daemon, you can select between - # RR and FIFO and the process priority (minimum is 0, maximum is 99). - # See man sched_setscheduler(2) for more information. Using a RT - # scheduler reduces the chances to overrun the Netlink buffer. - # - # Scheduler { - # Type FIFO - # Priority 99 - # } - - # # Logfile: on (/var/log/conntrackd.log), off, or a filename # Default: off # diff --git a/doc/stats/conntrackd.conf b/doc/stats/conntrackd.conf index 6a9aec8..e62ad4b 100644 --- a/doc/stats/conntrackd.conf +++ b/doc/stats/conntrackd.conf @@ -11,25 +11,6 @@ General { #Systemd on # - # Set the nice value of the daemon. This value goes from -20 - # (most favorable scheduling) to 19 (least favorable). Using a - # negative value reduces the chances to lose state-change events. - # Defa
[conntrack-tools PATCH 4/4] conntrackd: deprecate unix backlog configuration
This configuration option doesn't add any value to users. Use the magic value of 100 (i.e, the socket will keep 100 pending connections), which I think is fair enough for what conntrackd can do in the unix socket. Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- conntrackd.conf.5|8 +--- doc/helper/conntrackd.conf |1 - doc/stats/conntrackd.conf|1 - doc/sync/alarm/conntrackd.conf |1 - doc/sync/ftfw/conntrackd.conf|1 - doc/sync/notrack/conntrackd.conf |1 - include/local.h |1 - src/local.c |4 +++- src/read_config_yy.y |2 +- 9 files changed, 5 insertions(+), 15 deletions(-) diff --git a/conntrackd.conf.5 b/conntrackd.conf.5 index 1e56a1f..4785f47 100644 --- a/conntrackd.conf.5 +++ b/conntrackd.conf.5 @@ -603,7 +603,6 @@ Example: .nf UNIX { Path /var/run/conntrackd.ctl - Backlog 20 } .fi @@ -615,9 +614,7 @@ Example: Path /var/run/conntrackd.ctl .TP .BI "Backlog " -Number of items in the backlog. - -Example: Backlog 20 +Deprecated option. .SS FILTER Event filtering. This clause allows you to filter certain traffic. @@ -886,7 +883,6 @@ General { LockFile /var/lock/conntrack.lock UNIX { Path /var/run/conntrackd.ctl - Backlog 20 } NetlinkBufferSize 262142 NetlinkBufferSizeMaxGrowth 655355 @@ -952,7 +948,6 @@ General { LockFile /var/lock/conntrack.lock UNIX { Path /var/run/conntrackd.ctl - Backlog 20 } NetlinkBufferSize 2097152 NetlinkBufferSizeMaxGrowth 8388608 @@ -1010,7 +1005,6 @@ General { LockFile /var/lock/conntrack.lock UNIX { Path /var/run/conntrackd.ctl - Backlog 20 } NetlinkBufferSize 2097152 NetlinkBufferSizeMaxGrowth 8388608 diff --git a/doc/helper/conntrackd.conf b/doc/helper/conntrackd.conf index abc4087..4148544 100644 --- a/doc/helper/conntrackd.conf +++ b/doc/helper/conntrackd.conf @@ -124,6 +124,5 @@ General { # UNIX { Path /var/run/conntrackd.ctl - Backlog 20 } } diff --git a/doc/stats/conntrackd.conf b/doc/stats/conntrackd.conf index e62ad4b..ba957a1 100644 --- a/doc/stats/conntrackd.conf +++ b/doc/stats/conntrackd.conf 
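Review bot: the conntrackd.conf.5 hunk replaces the `Backlog` description with just "Deprecated option." without saying that the listen backlog is now fixed at 100 pending connections and that a `Backlog` line still present in a configuration is accepted and ignored with a warning, which is what the commit message and the parser change describe; stating both saves operators from wondering whether an existing configuration will still load.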
@@ -43,7 +43,6 @@ General { # UNIX { Path /var/run/conntrackd.ctl - Backlog 20 } # diff --git a/doc/sync/alarm/conntrackd.conf b/doc/sync/alarm/conntrackd.conf index f609310..831be15 100644 --- a/doc/sync/alarm/conntrackd.conf +++ b/doc/sync/alarm/conntrackd.conf @@ -262,7 +262,6 @@ General { # UNIX { Path /var/run/conntrackd.ctl - Backlog 20 } # diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf index f500637..9da0fb6 100644 --- a/doc/sync/ftfw/conntrackd.conf +++ b/doc/sync/ftfw/conntrackd.conf @@ -285,7 +285,6 @@ General { # UNIX { Path /var/run/conntrackd.ctl - Backlog 20 } # diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf index 718668d..600fc89 100644 --- a/doc/sync/notrack/conntrackd.conf +++ b/doc/sync/notrack/conntrackd.conf @@ -324,7 +324,6 @@ General { # UNIX { Path /var/run/conntrackd.ctl - Backlog 20 } # diff --git a/include/local.h b/include/local.h index f9121b1..22859d7 100644 --- a/include/local.h +++ b/include/local.h @@ -6,7 +6,6 @@ #endif struct local_conf { - int backlog; int reuseaddr; char path[UNIX_PATH_MAX]; }; diff --git a/src/local.c b/src/local.c index 3395b4c..2b67885 100644 --- a/src/local.c +++ b/src/local.c @@ -26,6 +26,8 @@ #include #include +#define UNIX_SOCKET_BACKLOG 100 + int local_server_create(struct local_server *server, struct local_conf *conf) { int fd; @@ -53,7 +55,7 @@ int local_server_create(struct local_server *server, struct local_conf *conf) return -1; } - if (listen(fd, conf->backlog) == -1) { + if (listen(fd, UNIX_SOCKET_BACKLOG) == -1) { close(fd); unlink(conf->path); return -1; diff --git a/src/read_config_yy.y b/src/read_config_yy.y index ef6b284..5dca1f6 100644 --- a/src/read_config_yy.y +++ b/src/read_config_yy.y 
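Review bot: in the src/local.c hunk, `UNIX_SOCKET_BACKLOG` is defined without a comment although the commit message itself calls 100 a "magic value"; the reasoning belongs next to the define. Note also that `listen(2)` silently clamps the backlog to `net.core.somaxconn`, so the effective queue can be smaller than 100 on a host with a lowered limit; harmless here, but worth a remark so nobody later raises the constant expecting a larger queue.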
@@ -650,7 +650,7 @@ unix_option : T_PATH T_PATH_VAL unix_option : T_BACKLOG T_NUMBER { - conf.local.backlog = $2; + dlog(LOG_WARNING, "deprecated unix backlog configuration."); }; sync: T_SYNC '{' sync_list '}' -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo
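Review bot: the warning `"deprecated unix backlog configuration."` in the read_config_yy.y hunk does not say what happens instead; extending it to state that the value is ignored and a fixed backlog of 100 is used tells the operator there is nothing to fix beyond deleting the line, and matches the wording the man page hunk should carry.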
[conntrack-tools PATCH 3/4] conntrackd: cleanup if failed forking
Close the logs and lockfile if error while forking. Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- src/main.c |2 ++ 1 file changed, 2 insertions(+) diff --git a/src/main.c b/src/main.c index bab7772..3b19160 100644 --- a/src/main.c +++ b/src/main.c @@ -386,6 +386,8 @@ int main(int argc, char *argv[]) if ((pid = fork()) == -1) { dlog(LOG_ERR, "fork has failed: %s", strerror(errno)); + close_log(); + unlink(CONFIG(lockfile)); exit(EXIT_FAILURE); } else if (pid) { sd_ct_mainpid(pid); -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
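Review bot: the cleanup added on the `fork()` failure path is the same `close_log(); unlink(CONFIG(lockfile));` pair used on other exit paths in `main()` (patch 1/4 of this series just removed one copy of it), so a small helper that performs both and exits would keep the ordering consistent everywhere. As written the hunk is correct, and logging the error before `close_log()` is the right order.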
[nft PATCH v2] evaluate: avoid reference to multiple src data in statements which set values
Prevent this assert: % nft [..] tcp dport set { 0 , 1 } BUG: unknown expression type set reference nft: netlink_linearize.c:696: netlink_gen_expr: Assertion `0' failed. Aborted We can't use a set here because we will not known which value to use. With this patch, a proper error message is reported to users: % nft add rule t c tcp dport set {1, 2, 3, 4, 5} :1:28-42: Error: you cannot use a set here, unknown value to use add rule t c tcp dport set {1, 2, 3, 4, 5} ~~^^^ % nft add rule t c tcp dport set @s :1:28-29: Error: you cannot reference a set here, unknown value to use add rule t c tcp dport set @s ~~^^ This error is reported to all statements which set values. Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- v2: check all statements which set values as well src/evaluate.c | 15 +++ 1 file changed, 15 insertions(+) diff --git a/src/evaluate.c b/src/evaluate.c index 27cee98..095d3fa 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -1759,6 +1759,21 @@ static int stmt_evaluate_arg(struct eval_ctx *ctx, struct stmt *stmt, "datatype mismatch: expected %s, " "expression has type %s", dtype->desc, (*expr)->dtype->desc); + + /* we are setting a value, we can't use a set */ + switch ((*expr)->ops->type) { + case EXPR_SET: + return stmt_binary_error(ctx, (*expr), stmt, +"you cannot use a set here, unknown " +"value to use"); + case EXPR_SET_REF: + return stmt_binary_error(ctx, (*expr), stmt, +"you cannot reference a set here, " +"unknown value to use"); + default: + break; + } + return 0; } -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
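Review bot: the new `switch` runs after the datatype comparison, so a set whose element type does not match the statement's datatype is still reported as a "datatype mismatch" rather than with the clearer "you cannot use a set here" message; moving the `EXPR_SET`/`EXPR_SET_REF` check ahead of the mismatch check would make the error the user sees independent of the set's type. The `default: break;` keeps every other expression type on the existing path, which is what the commit message intends.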