Re: Proposal: rename of arptables.git and ebtables.git

On 12/4/18 11:57 AM, Pablo Neira Ayuso wrote: > On Tue, Dec 04, 2018 at 11:50:46AM +0100, Arturo Borrero Gonzalez wrote: >> On 11/28/18 2:10 PM, Arturo Borrero Gonzalez wrote: >>> On 11/28/18 1:44 PM, Arturo Borrero Gonzalez wrote: >>>> Hi, >>>> >>&g

Re: Proposal: rename of arptables.git and ebtables.git

On 11/28/18 2:10 PM, Arturo Borrero Gonzalez wrote: > On 11/28/18 1:44 PM, Arturo Borrero Gonzalez wrote: >> Hi, >> >> Now that the iptables.git repo offers arptables-nft and ebtables-nft, >> arptables.git holds arptables-legacy, etc, why we don't just rename

[PATCH nft] tests: fix return codes

Please, consider merging the attached patch. thanks. commit 3497067ca187047c61d89ccad6eab4ebf5df9219 Author: Arturo Borrero Gonzalez Date: Wed Nov 28 14:31:57 2018 +0100 tests: fix return codes Try to return != 0 if a testsuite fails. Signed-off-by: Arturo Borrero

Re: Proposal: rename of arptables.git and ebtables.git

On 11/28/18 1:44 PM, Arturo Borrero Gonzalez wrote: > Hi, > > Now that the iptables.git repo offers arptables-nft and ebtables-nft, > arptables.git holds arptables-legacy, etc, why we don't just rename the > repos? > > * from arptables.git to arptables-legacy.git

Proposal: rename of arptables.git and ebtables.git

Hi, Now that the iptables.git repo offers arptables-nft and ebtables-nft, arptables.git holds arptables-legacy, etc, why we don't just rename the repos? * from arptables.git to arptables-legacy.git * from ebtables.git to ebtables-legacy.git This rename should help distros understand the

[PATCH iptables] old patch from Debian for iptables-apply

and the other writes the sucessful rules file. I modified the script to use mktemp instead of tempfile. I also fixed a couple of hyphens in the man page addition. Signed-off-by: Laurence J. Lane Signed-off-by: Arturo Borrero Gonzalez --- iptables-apply | 310

[arptables PATCH] arptables: legacy renaming

-by: Arturo Borrero Gonzalez --- Makefile | 12 +- arptables-legacy.8 | 352 arptables.8| 340 -- arptables.c|2 4 files changed, 359 insertions(+), 347 deletions

Re: [PATCH xtables] xtables: add nf_tables vs. legacy postfix to version strings

> iptables-restore v1.6.2 (legacy) > iptables-restore-translate v1.6.2 > iptables-save v1.6.2 (legacy) > iptables-translate v1.6.2 (nf_tables) > > Suggested-by: Harald Welte > Signed-off-by: Florian Westphal Acked-by: Arturo Borrero Gonzalez -- To unsubscribe from this list: se

Re: [nft PATCH] Makefile: Introduce Make_global.am

++ > src/Makefile.am | 4 +++- > 2 files changed, 24 insertions(+), 1 deletion(-) > create mode 100644 Make_global.am > Acked-by: Arturo Borrero Gonzalez -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@v

Re: [nft PATCH] libnftables: Simplify nft_run_cmd_from_buffer footprint

On 17 June 2018 at 13:30, Arturo Borrero Gonzalez wrote: > On 17 June 2018 at 09:22, Phil Sutter wrote: >> With libnftables documentation being upstream and one confirmed external >> user (nftlb), time to break the API! >> >> First of all, the command buffer passed to

Re: [nft PATCH] libnftables: Simplify nft_run_cmd_from_buffer footprint

On 17 June 2018 at 09:22, Phil Sutter wrote: > With libnftables documentation being upstream and one confirmed external > user (nftlb), time to break the API! > > First of all, the command buffer passed to nft_run_cmd_from_buffer may > (and should) be const. One should consider it a bug if that

Re: [RFC PATCH nft] parser: Set base chain prios with textual names

On 4 June 2018 at 11:58, Máté Eckl wrote: > What I'm not sure of is: > - Are these token values considered user-friendly or usable? > - Is printing of these values with their names desired? > > What do you think? > > -- 8< -- > This patch adds the possibility to use textual names

Re: [PATCH] ulogd: json: send messages to a remote host / unix socket

On 27 May 2018 at 00:55, Andreas Jaggi wrote: > Hi Arturo > > Thanks for the review, find below the reworked patch. > Let me know if there are other parts to improve. > Thanks Andreas! the patch looks great. Minor nitpicks below. > +static int

Re: [PATCH nftlb] build: use autotools

On 11 May 2018 at 12:20, Pablo Neira Ayuso wrote: > - Add configure.ac and Makefile.am files. > - Update .gitignore file to ignore autogenerated scripts by autotools. > > Signed-off-by: Pablo Neira Ayuso It seems we can drop libmnl and libnftnl

Re: [PATCH] ulogd: json: send messages to a remote host / unix socket

On 1 May 2018 at 14:16, Andreas Jaggi wrote: > Extend the JSON output plugin so that the generated JSON stream can be > sent to a remote host via TCP/UDP or to a local unix socket. > > Signed-off-by: Andreas Jaggi > --- >

Re: [PATCH iptables-compat 2/3] iptables-compat: do not fail on restore if user chain exists

On 4 May 2018 at 11:49, Pablo Neira Ayuso wrote: > > +int nft_table_flush(struct nft_handle *h, const char *table) > +{ > + struct nftnl_table *r; > + int ret = 0; > + > + nft_fn = nft_table_flush; > + > + r = nftnl_table_alloc(); > + if (r ==

[arptables PATCH] arptables: cleanup sysvinit script

This file belong to downstream distributions. Also, it's unmaintained. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- Makefile |8 +--- arptables.sysv | 103 2 files changed, 2 insertions(+), 109 del

Re: [nft PATCH v2] libnftables: fix header export

On 2 May 2018 at 14:02, Florian Westphal <f...@strlen.de> wrote: > Arturo Borrero Gonzalez <art...@netfilter.org> wrote: >> Instruct Make to actually install the header to the system, otherwise >> users won't see the header in their system after running 'make install'.

[nft PATCH v2] libnftables: fix header export

Instruct Make to actually install the header to the system, otherwise users won't see the header in their system after running 'make install'. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- v2: don't rename the header, given it has been released already include/nf

[nft PATCH] libnftables: fix header export

). Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- include/nftables.h |2 +- include/nftables/Makefile.am |2 +- include/nftables/libnftables.h |0 src/libnftables.c |2 +- src/main.c |2 +- 5 files chan

[ANNOUNCE] libnetfilter-conntrack 1.0.7 release

Hi! The Netfilter project proudly presents: libnetfilter-conntrack 1.0.7 This release includes some fixes and improvements since last release: * new synproxy support * don't crash on NULL labelmap * expose a copy of nf_conntrack_common.h This library is a dependency of

[ANNOUNCE] conntrack-tools 1.4.5 release

ual: include some bits about init systems Arturo Borrero Gonzalez (23): sync-mode: print errno message on failure log: print messages to stdout/sderr if running in console mode log: introduce a mechanism to know if log was initialized conntrackd: replace error report

[ANNOUNCE] ulogd2 2.0.7 release

://bugzilla.netfilter.org Happy firewalling! PD: Please note, we don't have a 2.0.6 release. Alex Xu (1): sqlite3: Remove unused "buffer" option. Arturo Borrero Gonzalez (5): ulogd: use a RT scheduler by default ulogd: load all plugins by default ulogd2: cleanup downst

[conntrack-tools PATCH v2] systemd: default to use libsystemd if build with support for it

users are asking for a full revert of commit c01d0d9138112ec95ee316385ea2687dd94fa4e3. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- conntrackd.8 |5 + conntrackd.conf.5|7 --- doc/stats/conntrackd.conf|2 +

[conntrack-tools PATCH] tests: reallocate cli testing script

Move this to test/ Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- doc/cli/test.sh | 106 --- tests/conntrack/cli-test.sh | 106 +++ 2 files changed, 106 insertions(+), 106 del

[conntrack-tools PATCH] systemd: default to use libsystemd if build with support for it

users are asking for a full revert of commit c01d0d9138112ec95ee316385ea2687dd94fa4e3. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- src/read_config_yy.y |4 1 file changed, 4 insertions(+) diff --git a/src/read_config_yy.y b/src/read_config_yy.y index 32cca3c..6

[conntrack-tools PATCH] conntrackd: add missing fall-through annotation in switch statements

Modern GCC compilers will warn if an explicit comment isn't present. Perhaps this should be better done with a proper compiler instruction, but the code comment is more similar to the rest of the codebase. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- src/cache-ct.c

[ulogd PATCH] ulogd2: cleanup downstream files

to generate these files by itself. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- ulogd.init | 61 ulogd.logrotate |7 --- ulogd.spec | 119 --- 3 files changed, 187 del

Re: [PATCH libnftnl] examples: add nft-ct-helper-{add,get,del}

0644 examples/nft-ct-helper-add.c > create mode 100644 examples/nft-ct-helper-del.c > create mode 100644 examples/nft-ct-helper-get.c > Other than that, it LGTM: Acked-by: Arturo Borrero Gonzalez <art...@netfilter.org> -- To unsubscribe from this list: send the line &

Re: [nft PATCH 0/6] A set of patches resulting from running tests/shell

shell: Fix dump of chains/0016delete_handle_0 > tests/shell: Fix flowtable test cases > flowtable: Make parsing a little more robust > tests/shell: Fix sporadic fail of include/0007glob_double_0 > tests/shell: Allow to specify multiple testcases > Acked-by: Arturo Borrero Gonz

[iptables PATCH] iptables: add xtables-translate.8 manpage

This new manpage describes how to operate the translation tools for nftables. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- iptables/Makefile.am |3 + iptables/xtables-translate.8 | 134 ++ 2 files changed, 136 inse

Re: [PATCH nft] src: install table skeleton files to sysconfdir/nftables

On 12 March 2018 at 12:36, Florian Westphal wrote: > + > +install-data-hook: > + ${SED} -i 's|@sbindir[@]|${sbindir}/|g' ${DESTDIR}${pkgsysconfdir}/* > -- The shebang in those files is static now (#!/usr/sbin/nft -f) Perhaps we should differentiate between files we use for

Re: [nft PATCH v2 1/3] nftables: rearrange files and examples

On 10 March 2018 at 09:28, Duncan Roe wrote: > > Up to Release 0.8.2, it used to be the case that after *make install*, these > example files would show up in /etc/nftables. > > Now they don't. > > I think this is a regression which needs to be addressed, We wanted to

Re: [PATCH nft] src: move monitor code to src/monitor.c

> > > Acked-by: Phil Sutter <p...@nwl.cc> Acked-by: Arturo Borrero Gonzalez <art...@netfilter.org> -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: [RFC nft] tests: shell: autogenerate dump verification

On 6 March 2018 at 11:47, Florian Westphal <f...@strlen.de> wrote: > Arturo Borrero Gonzalez <art...@netfilter.org> wrote: >> On 5 March 2018 at 23:57, Laura Garcia Liebana <nev...@gmail.com> wrote: >> >> > 141 files changed, 837 insertions(+), 526 de

Re: [RFC nft] tests: shell: autogenerate dump verification

On 5 March 2018 at 23:57, Laura Garcia Liebana wrote: > 141 files changed, 837 insertions(+), 526 deletions(-) Better place a new script as a testcase, and all the required dump files somewhere for it to read them. Also, we have several testscases which are very long (we

Re: [PATCH nft] tests: shell: set timeout and size combination coverage

On 5 March 2018 at 16:29, Pablo Neira Ayuso wrote: > Signed-off-by: Pablo Neira Ayuso > --- > tests/shell/testcases/sets/0031set_timeout_size_0 | 15 +++ > 1 file changed, 15 insertions(+) > create mode 100755

Re: Contribute to Net-filter Development && G-Soc 2018

On 3 March 2018 at 22:17, Himanshu Sagar wrote: > Hi All, > > Himanshu here. > > Having used iptables and ebtables in U.G. projects, I acknowledge dev > team's effort in making this a reality. I'm interested in contributing > to net-filter development and if I'm able to

Re: [PATCH nft] parser: support of maps with timeout

On 2 March 2018 at 11:47, Pablo Neira Ayuso wrote: > On Fri, Mar 02, 2018 at 10:50:18AM +0100, Laura Garcia Liebana wrote: >> Support of key and value association with a certain timeout. >> >> Example: >> >> nft add map nftlb mapa { type inet_service: ipv4_addr\; >> timeout

[iptables PATCH] iptables: add xtables-compat.8 manpage

Copied back from the downstream Debian package. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- iptables/Makefile.am |2 - iptables/xtables-compat.8 | 177 + 2 files changed, 178 insertions(+), 1 deletion(-) creat

[nft PATCH v3 2/3] examples: add ct helper examples

Include some examples in the nftables tarball on using the ct helper infraestructure, inspired from wiki.nftables.org. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- v2: fix some typos v3: fix typo in shebang reported by Florian files/examples/ct_helpers.nft

[nft PATCH] meta: introduce datatype ifname_type

"eth1" } } chain c { iifname @s accept oifname @s accept } } Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- doc/nft.xml|8 ++--- include/datatype.h

Re: [PATCH] xtables-compat-multi.c: Allow symlink of ebtables

On 25 February 2018 at 08:14, Duncan Roe wrote: > This patch allows one to force a subsystem that one does not wish to modify > (e.g. libvirt) to use the ebtables compatibility layer. > > ebtables-compat was already a symlink to xtables-compat-multi but ebtables > was

Re: [nft PATCH v2 1/3] nftables: rearrange files and examples

On 24 February 2018 at 23:07, Florian Westphal <f...@strlen.de> wrote: > Arturo Borrero Gonzalez <art...@netfilter.org> wrote: >> Concatenate all family/hook examples into a single one by means of includes. >> >> Put all example files under examples/. Use t

[nft PATCH v2 3/3] files: add load balance example

Include this example file in the tarball on how to do load balancing with nftables, inspired from https://wiki.nftables.org Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- v2: fix some typos files/examples/load_balancing.nft | 54 +

[nft PATCH v2 1/3] nftables: rearrange files and examples

the sets_and_maps.nft example file and also add the 'netdev-ingress.nft' example file. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- v2: address comments by Florian & Pablo. Fix some typos Makefile.am |6 ++-- co

[nft PATCH v2 2/3] examples: add ct helper examples

Include some examples in the nftables tarball on using the ct helper infraestructure, inspired from wiki.nftables.org. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- v2: fix some typos files/examples/ct_helpers.nft | 43 +

[NFT PATCH 3/3] files: add load balance example

Include this example file in the tarball on how to do load balancing with nftables, inspired from https://wiki.nftables.org Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- files/examples/load_balancing.nft | 54 + 1 file chang

[NFT PATCH 2/3] examples: add ct helper examples

Include some examples in the nftables tarball on using the ct helper infraestructure, inspired from wiki.nftables.org. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- files/examples/ct_helpers.nft | 43 + 1 file changed, 43 inse

Re: [PATCH RFC 0/4] net: add bpfilter

On 19 February 2018 at 16:36, David Miller wrote: > > In my opinion, any resistence to integration with eBPF and XDP will > lead to even less adoption of netfilter as a technology. > > Therefore my plan is to move everything to be integrated around these > important core

Re: [PATCH RFC 0/4] net: add bpfilter

On 19 February 2018 at 16:27, David Miller wrote: > From: Florian Westphal > Date: Mon, 19 Feb 2018 16:15:55 +0100 > >> Would you be willing to merge nftables into kernel tools directory >> then? > > Did you miss the part where I explained that people

Re: [PATCH RFC 0/4] net: add bpfilter

On 19 February 2018 at 16:36, David Miller wrote: > > I think netfilter is at a real crossroads right now. > I don't think so. The Netfilter Project and the Netfilter Community already "agreed" on nftables and we are working on it. But this isn't a secret, right? We have

Re: question about UNDEFINE/REDEFINE

On 23 January 2018 at 04:40, David Fabian wrote: > Hello Pablo, > > Dne úterý 23. ledna 2018 12:07:28 CET, Pablo Neira Ayuso napsal(a): >> I'm asking here because I would need to understand better how you've >> structured your scripts, if you could explain a bit more, we

Re: [PATCH nf-next] netfilter: remove messages print and boot/module load time

o let's be consistent and remove them all. > > Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> Acked-by: Arturo Borrero Gonzalez <art...@netfilter.org> -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

[nft PATCH] doc/nft.xml: mention nftables earlier

"nftables" as early as the NAME or DESCRIPTION. >>> Requested-by: Dan Jacobson <jida...@jidanni.org> Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- doc/nft.xml |7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/doc/n

Re: [PATCH nf-next] netfilter: meta: secpath support

On 1 December 2017 at 13:40, Florian Westphal wrote: > replacement for iptables "-m policy --dir in --policy {ipsec,none}". > > Signed-off-by: Florian Westphal > --- > include/uapi/linux/netfilter/nf_tables.h | 2 ++ > net/netfilter/nft_meta.c |

Re: [PATCH nft] src: deprecate "flow table" syntax, replace it by "meter"

to reduce chances of breaking things. > At some point the former syntax will just be removed. > > Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1137 > Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> > I agree. What about adding a warning in case of using th

Re: nftables: lockout with 0008split_tables_0 test

On 21 November 2017 at 19:39, Arturo Borrero Gonzalez <art...@netfilter.org> wrote: > On 21 November 2017 at 18:09, Florian Westphal <f...@strlen.de> wrote: >> >> Yes, thats expected. >> First ssh base chain gets invoked, which accepts any packet >> eithe

Re: nftables: lockout with 0008split_tables_0 test

On 21 November 2017 at 18:09, Florian Westphal wrote: > > Yes, thats expected. > First ssh base chain gets invoked, which accepts any packet > either by verdict or policy. > > Then next base chain gets consulted which drops the packet. > > I would suggest to either swap the

Re: conntracd init.d reload is broken on Centos6

Please avoid top-posting. On 17 November 2017 at 23:55, Jason Hendry wrote: > Turns out sending conntrackd a -HUP signal causes it to die. I can not > find any documentation/reference on what signals conntrackd accepts, > is there one to tell it to reload its config? We are

[ulogd2 PATCH] ulogd2: new config behaviour: load all plugins by default

ending with '.so'. The log message level for plugins loading is increased so users can see by default which plugins are loaded. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- configure.ac | 30 +++--- src/ulogd.c

Re: [ulogd2 PATCH] ulogd2: add new config option: load_all_plugins

On 2 October 2017 at 12:44, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > On Sat, Sep 30, 2017 at 12:43:36PM +0200, Arturo Borrero Gonzalez wrote: >> On 30 September 2017 at 12:12, Pablo Neira Ayuso <pa...@netfilter.org> wrote: >> > On Sat, Sep 30, 2017 at 11

Re: [ulogd2 PATCH] ulogd2: add new config option: load_all_plugins

On 30 September 2017 at 12:12, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > On Sat, Sep 30, 2017 at 11:48:11AM +0200, Arturo Borrero Gonzalez wrote: >> On 30 September 2017 at 11:43, Arturo Borrero Gonzalez >> <art...@netfilter.org> wrote: >> > >

Re: [ulogd2 PATCH] ulogd2: add new config option: load_all_plugins

On 30 September 2017 at 11:43, Arturo Borrero Gonzalez <art...@netfilter.org> wrote: > > Ok, but how could we avoid putting there a complex, arch-dependant path? i.e, in Debian this means a path like: /usr/lib/mips64el-linux-gnuabi64/ulogd/ulogd_filter_IFINDEX.so so user should

Re: [ulogd2 PATCH] ulogd2: add new config option: load_all_plugins

On 29 September 2017 at 13:39, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > Hi Arturo, > > On Mon, Sep 25, 2017 at 01:19:27PM +0200, Arturo Borrero Gonzalez wrote: >> diff --git a/ulogd.conf.in b/ulogd.conf.in >> index a987d64..fe54420 100644 >> --- a/ulo

[conntrack-tools PATCH] conntrack.8: refresh manpage

Refresh manpage, fixing typos, rearranging some sentences, introducing line breaks at max. 80 columns, markup fixes, and so on. Apart of some minor cosmetics fixes, no actual content is changed. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- conntrack.8

[ulogd2 PATCH] ulogd2: add new config option: load_all_plugins

logic. We simply open the dir and try to load all files ending with '.so'. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- configure.ac | 30 +++--- src/ulogd.c | 49 - ulogd.conf.in | 10 +++

Re: [RFC PATCH nft V4] src: Add import command for json

ft import json > > where the file.json is a ruleset exported in json format. > > Highly based on work from Alvaro Neira <alvaron...@gmail.com> > and Arturo Borrero <art...@netfilter.org> > > Acked-by: Arturo Borrero Gonzalez <art...@netfilter.org> > Signe

Re: [ulogd2 PATCH] ulogd: use a RT scheduler by default

On 7 September 2017 at 13:36, Arturo Borrero Gonzalez <art...@netfilter.org> wrote: > Is common that ulogd runs in scenarios where a lot of packets are to be > logged. > If there are more packets than ulogd can handle, users can start seing log > messages like this: > > u

Re: [RFC PATCH nft V3] src: Add import command for json

On 11 September 2017 at 18:53, Shyam Saini wrote: > This new operation allows to import ruleset in json to make > incremental changes using the parse functions of libnftnl. > > A basic way to test this new functionality is: > > % cat file.json | nft import json > > where

Re: [RFC PATCH nft V2] src: Add import command for json

s a script to check coding style [1], but beware of some false positives (regarding the commit message). Other than that, the patch looks fine. Please, address the coding style issues, and resend with: Acked-by: Arturo Borrero Gonzalez <art...@netfilter.org>

[ulogd2 PATCH] ulogd: use a RT scheduler by default

, and should produce no harm. A similar approach is used in the conntrackd daemon. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- src/ulogd.c | 15 +++ 1 file changed, 15 insertions(+) diff --git a/src/ulogd.c b/src/ulogd.c index b85d0ee..68f 100644 ---

Re: [nft PATCH RFC] Convert man page source to asciidoc

On 6 September 2017 at 10:41, Phil Sutter wrote: > Beware: The conversion is incomplete and merely serves as base for > discussion. > > This patch converts nft.xml into asciidoc markup, top down until (and > including) stateful objects description. I stopped there because it's > the

Re: [nft PATCH V2] tests: shell: Add tests for json import

On 4 September 2017 at 14:39, Shyam Saini wrote: >>> These test cases can be used to test upcoming "import json" command. >>> Hi Shyam, your v3 looks fine. I was going to test it out, but it seems the first patch [0] in the series requires a refresh. Please, refresh

Re: [nft PATCH V2] tests: shell: Add tests for json import

On 3 September 2017 at 01:32, Shyam Saini wrote: > These test cases can be used to test upcoming "import json" command. > > Here is the short description of the files: > all_ruleset_list ->contains list of all the individual rules > json_import_0 ->script

Re: [PATCH] examples: Fix memory leaks detected by Valgrind

Thanks Shyam, Acked-by: Arturo Borrero Gonzalez <art...@netfilter.org> in the future, please add a tag to the [PATCH] header, like "[PATCH libnftnl]" so we can easily know to which tree this patch should be applied to. -- To unsubscribe from this list: send the line "unsubs

Re: [PATCH V2] tests: json: Add test cases for json format

On 24 August 2017 at 14:08, Shyam Saini wrote: >> That was quick and dirty code for you to get the idea. >> Please follow the example of other testcases [0] to compare ruleset, >> create tempfiles and so on. >> > > One issue with this approach, incase of set rules > nft

Re: [PATCH V2] tests: json: Add test cases for json format

On 24 August 2017 at 10:49, Shyam Saini wrote: > These test cases can be used to test upcoming "import json" command. > > Here is the short description of the files: > all_ruleset_list ->contains list of all the individual rules Wait. You are generating the JSON

Re: [PATCH] tests: json: Add test cases for json format

On 22 August 2017 at 11:30, Shyam Saini wrote: > > Should I send the version 2 of this patch with this script? > Yes, my suggestion is: * create a new testcase in nftables: tests/shell/testcases/import/yourscript_0 * put all the json files in:

Re: [PATCH] tests: json: Add test cases for json format

On 21 August 2017 at 22:55, Shyam Saini wrote: > These cases can be used to test upcoming "import json" command. > > Here is the short description of the files: > all_ruleset_list ->contains list of all the individual rules > rules_ipv4*->ip table >

Re: [nft PATCH 0/16] introduce libnftables

On 16 August 2017 at 22:42, Eric Leblond wrote: > > Hello, > > This patchset adds a basi high level libnftables to nftables code. > It is currently supporting running a command from a buffer or from > a file as well as batch support allowing to chain commands and commit > them at

[conntrack-tools PATCH] tests: don't fail on modprobe since the driver might be built-in

loaded rather than trying to modprobe and ignoring failures, but there doesn't seem to be a reliable place to check this in the kernel filesystem. Signed-off-by: Steve Langasek <steve.langa...@ubuntu.com> Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- tests/conntrack/

[conntrack-tools PATCH] conntrackd: remove warning for -S

Remove the warning message for the -S option which has been deprecated for years now. Users calling conntrackd with this switch activated will now get an error. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- src/main.c |3 --- 1 file changed, 3 deletions(-) diff

[nft PATCH] monitor: add debug messages

Add some debug messages in the monitor/trace code paths to ease development and debugging in case of errors. After this patch, running 'nft monitor --debug=mnl,netlink' is more verbose. Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- src/mnl.c |7 +++ src/net

Re: [PATCH] monitor: fix printing of range elements in named sets

On 11 July 2017 at 20:11, Phil Sutter <p...@nwl.cc> wrote: > Hi, > > On Thu, Jul 06, 2017 at 04:36:45PM +0200, Arturo Borrero Gonzalez wrote: >> If you add set elements to interval sets, the output is wrong. >> Fix this by caching first element of the range

[PATCH] monitor: fix printing of range elements in named sets

} CC: Phil Sutter <p...@nwl.cc> Signed-off-by: Arturo Borrero Gonzalez <art...@netfilter.org> --- This was discussed during Netfilter Workshop 2017 in Faro, Portugal. I think Phil has another patch to address this issue from a different approach. include/rule.h |2 ++ src/netli

Re: using nft & iptables nat in parallel

On 14 June 2017 at 11:58, Florian Westphal <f...@strlen.de> wrote: > Arturo Borrero Gonzalez <art...@debian.org> wrote: >> I'm curious, What is the use case of using both nftables and iptables >> at the same time? >> Some missing functionality in nft? >>

Re: using nft & iptables nat in parallel

On 14 June 2017 at 11:24, Florian Westphal wrote: > > Another side effect is that this avoids the need to add (in nft case) > the 'empty' nat base chains to take care of reply translation. > good! > Thoughts? > I'm curious, What is the use case of using both nftables and

[conntrack-tools PATCH v2] conntrackd: make the daemon run in RT mode by default

. The code is moved to the init() routine. In case of error setting the scheduler, the system default will be used. Report a message to the user and continue working. Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- v2: refresh manpages, keep scheduler configuration options

Re: [conntrack-tools PATCH v2] In order to prevent netlink buffer overrun, conntrackd is recommended to run

On 9 June 2017 at 15:06, Arturo Borrero Gonzalez <art...@debian.org> wrote: > at max priority. oops, ugly. Resending -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at htt

[conntrack-tools PATCH v2] In order to prevent netlink buffer overrun, conntrackd is recommended to run

the scheduler, the system default will be used. Report a message to the user and continue working. Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- v2: refresh manpages, keep scheduler configuration options conntrackd.conf.5| 35 --

Re: [PATCH] tests: shell: Add test for ambguity while setting the value

On 9 June 2017 at 11:30, Shyam Saini wrote: > This test checks bug identified and fixed in the commit mentioned below > In a statement if there are multiple src data then it would be > totally ambiguous to decide which value to set. > > We don't add this test in python

Re: [PATCH 1/3] scanner: add files in include dirs in alphabetical order.

On 8 June 2017 at 12:17, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > On Wed, Jun 07, 2017 at 09:40:53PM +0200, Arturo Borrero Gonzalez wrote: >> On 7 June 2017 at 10:35, Ismo Puustinen <ismo.puusti...@intel.com> wrote: >> > >> > +static int

Re: [conntrack-tools PATCH 2/4] conntrackd: make the daemon run in RT mode by default

On 6 June 2017 at 13:10, Pablo Neira Ayuso wrote: > > But I think we should keep the Nice and Scheduler clauses. Just in > case anyone wants to do this fine grain tunning. > The nice value can be changed at runtime externally: using the nice/renice commands Perhaps is a bit

Re: [PATCH 1/3] scanner: add files in include dirs in alphabetical order.

On 7 June 2017 at 10:35, Ismo Puustinen wrote: > > +static int directoryfilter(const struct dirent *de) > +{ > + if (strcmp(de->d_name, ".") == 0 || > + strcmp(de->d_name, "..") == 0) > + return 0; > + > + /* Accept other

[conntrack-tools PATCH 1/4] conntrackd: evaluate configuration earlier

Run the evaluation step sooner in the conntrackd startup routine. Don't close log or unlink lockfile at this stage. Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- src/main.c | 20 +--- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/src/ma

[conntrack-tools PATCH 2/4] conntrackd: make the daemon run in RT mode by default

-by: Arturo Borrero Gonzalez <art...@debian.org> --- conntrackd.conf.5| 46 +++--- doc/helper/conntrackd.conf | 21 - doc/stats/conntrackd.conf| 19 doc/sync/alarm/conntrackd.conf

[conntrack-tools PATCH 4/4] conntrackd: deprecate unix backlog configuration

This configuration option doesn't add any value to users. Use the magic value of 100 (i.e, the socket will keep 100 pending connections), which I think is fair enough for what conntrackd can do in the unix socket. Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- conntrackd.

[conntrack-tools PATCH 3/4] conntrackd: cleanup if failed forking

Close the logs and lockfile if error while forking. Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- src/main.c |2 ++ 1 file changed, 2 insertions(+) diff --git a/src/main.c b/src/main.c index bab7772..3b19160 100644 --- a/src/main.c +++ b/src/main.c @@ -386,6 +386,8

[nft PATCH v2] evaluate: avoid reference to multiple src data in statements which set values

, unknown value to use add rule t c tcp dport set @s ~~^^ This error is reported to all statements which set values. Signed-off-by: Arturo Borrero Gonzalez <art...@debian.org> --- v2: check all statements which set values as well src/evaluate.c | 15

  1   2   3   >