A better way to implement this from userspace has been found without
specific code on the kernel side; revert this.
Fixes: b9ccc07e3f31 ("netfilter: nft_hash: add map lookups for hashing
operations")
Signed-off-by: Laura Garcia Liebana
---
include/uapi/linux/netfilter/nf_tabl
5c0 ("expr: add map lookups for hash statements")
Laura Garcia Liebana (2):
Revert "expr: add map lookups for numgen statements"
Revert "expr: add map lookups for hash statements"
include/libnftnl/expr.h | 8 +++
include/linux/netfilter/n
A better way to implement this from userspace has been found without
specific code on the kernel side; revert this.
Fixes: b97f45c2ebaa ("expr: add map lookups for numgen statements")
Signed-off-by: Laura Garcia Liebana
---
include/libnftnl/expr.h | 4 ++--
include/linux
A better way to implement this from userspace has been found without
specific code on the kernel side; revert this.
Fixes: bb4b75aea5c0 ("expr: add map lookups for hash statements")
Signed-off-by: Laura Garcia Liebana
---
include/libnftnl/expr.h | 4 ++--
include/linux
xf410
"mark") at parser_json.c:2513
2513 if (!strcmp(str, obj_tbl[i]))
The obj_tbl array is allocated with the maximum element index even
if lower indexes are not populated, so it produces null pointer
items.
This patch ensures that the maximum number of
NFTA_SET_ELEM_EXPIRATION in order
to configure the expiration parameter per element, or
will use the timeout in the case that the expiration
is not set.
Signed-off-by: Laura Garcia Liebana
---
include/net/netfilter/nf_tables.h | 2 +-
net/netfilter/nf_tables_api.c | 26 --
net
NFTA_SET_ELEM_EXPIRATION
from userspace to the kernel in order to set the
configured value.
Signed-off-by: Laura Garcia Liebana
---
src/set_elem.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/src/set_elem.c b/src/set_elem.c
index ff983a6..4796524 100644
--- a/src/set_elem.c
+++ b/src
NFTA_SET_ELEM_EXPIRATION in order
to configure the expiration parameter per element, or
will use the timeout in the case that the expiration
is not set.
Signed-off-by: Laura Garcia Liebana
---
v2:
- set always expiration 0 in nft_dynset_new()
include/net/netfilter/nf_tables.h | 2 +-
net/netfilter
NFTA_SET_ELEM_EXPIRATION in order
to configure the expiration parameter per element, or
will use the timeout in the case that the expiration
is not set.
Signed-off-by: Laura Garcia Liebana
---
v3:
- remove the expiration priv attribute
v2:
- set always expiration 0 in nft_dynset_new()
include/net
algorithms that use the modulus parameter.
Signed-off-by: Laura Garcia Liebana
---
net/netfilter/nft_hash.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c
index fe93e731dc7f..b836d550b919 100644
--- a/net/netfilter/nft_h
ch file or directory
flush chain ip nftlb filter-newfarm ; add rule ip nftlb (...)
^
This patch sets the cache flag properly to save this
case.
Fixes: 01e5c6f0ed031 ("src: add cache level flags")
Signed-off-by: Laura Garcia Liebana
The deletion of a flowtable after a flush in the same transaction
results in EBUSY. This patch adds an activation and deactivation of
flowtables in order to update the _use_ counter.
Signed-off-by: Laura Garcia Liebana
---
include/net/netfilter/nf_tables.h | 4
net/netfilter
The deletion of a flowtable after a flush in the same transaction
results in EBUSY. This patch adds an activation and deactivation of
flowtables in order to update the _use_ counter.
Signed-off-by: Laura Garcia Liebana
---
v2: simplify switch case
include/net/netfilter/nf_tables.h | 4
ip daddr \
mod 2 seed 0xdeadbeef offset 100' mismatches 'ct mark set jhash \
ip saddr . ip daddr mod 2 offset 100'
ip/hash.t: 6 unit tests, 0 error, 2 warning
The expression type is now treated as an unsigned int in the
hash_expr_print() function.
Fixes: 3a86406 ("src: hash:
This patch makes a declaration of the json_events_cb() function
consistent.
Fixes: bb32d8db9a12 ("JSON: Add support for echo option")
Signed-off-by: Laura Garcia Liebana
---
include/json.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/include/json.h b/include/json.h
This patch adds a new hash expression. It provides jhash support, but
it can be extended to support other hash functions.
The modulus and seed already come embedded into this new
expression.
Use case example:
meta mark set hash ip saddr mod 10
Signed-off-by: Laura Garcia Liebana
Support for the nft hash expression within libnftnl.
Signed-off-by: Laura Garcia Liebana
---
include/buffer.h| 2 +
include/libnftnl/expr.h | 16 ++
include/linux/netfilter/nf_tables.h | 20 +++
src/Makefile.am | 1 +
src/expr/hash.c
This patch adds a new hash expression. It provides jhash support, but
it can be extended to support other hash functions.
The modulus and seed already come embedded into this new expression.
Use case example:
meta mark set hash ip saddr mod 10
Signed-off-by: Laura Garcia Liebana
Fix the direct assignment of offset and length attributes included in
nft_exthdr structure from u32 data to u8.
Signed-off-by: Laura Garcia Liebana
---
net/netfilter/nft_exthdr.c | 13 +++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nft_exthdr.c b/net
This patch adds a new hash expression. It provides jhash support, but
it can be extended to support other hash functions.
The modulus and seed already come embedded into this new expression.
Use case example:
meta mark set hash ip saddr mod 10
Signed-off-by: Laura Garcia Liebana
The following patchset adds a check during the load of a u32 value
into a u8 attribute, which can cause an overflow.
Laura Garcia Liebana (5):
netfilter: nf_tables: Check u32 load in u8 nft_bitwise attribute
netfilter: nf_tables: Check u32 load in u8 nft_byteorder attribute
netfilter
Fix the direct assignment from u32 data input into the len attribute
with a size of u8.
Signed-off-by: Laura Garcia Liebana
---
net/netfilter/nft_bitwise.c | 7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_bitwise.c b/net/netfilter/nft_bitwise.c
index
Fix the direct assignment from u32 data input into the dlen attribute
with a size of u8.
Signed-off-by: Laura Garcia Liebana
---
net/netfilter/nft_immediate.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immediate.c
index db3b746
Fix the direct assignment from u32 data input into the family
attribute with a size of u8.
Signed-off-by: Laura Garcia Liebana
---
net/netfilter/nft_nat.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
index ee2d717..74f8293 100644
--- a
Fix the direct assignment from u32 data input into the len and size
attributes with a size of u8.
Signed-off-by: Laura Garcia Liebana
---
net/netfilter/nft_byteorder.c | 13 +++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nft_byteorder.c b/net
Fix the direct assignment from u32 data input into the len attribute
with a size of u8.
Signed-off-by: Laura Garcia Liebana
---
net/netfilter/nft_cmp.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_cmp.c b/net/netfilter/nft_cmp.c
index e25b35d
This patch adds a new hash expression. It provides jhash support, but
it can be extended to support other hash functions.
The modulus and seed already come embedded into this new expression.
Use case example:
meta mark set hash ip saddr mod 10
Signed-off-by: Laura Garcia Liebana
Support for the nft hash expression in libnftnl.
Signed-off-by: Laura Garcia Liebana
---
include/buffer.h| 2 +
include/libnftnl/expr.h | 8 +
include/linux/netfilter/nf_tables.h | 21 +++
src/Makefile.am | 1 +
src/expr/hash.c
Add support for the number generator expression in netfilter.
Signed-off-by: Laura Garcia Liebana
---
Changes in V3:
- Include random number generation
- Rename nft_nth by nft_numgen
include/uapi/linux/netfilter/nf_tables.h | 25
net/netfilter/Kconfig
Support for the nft ng expression within libnftnl.
Signed-off-by: Laura Garcia Liebana
---
Changes in V2:
- Add test
- Rename nth expression to numgen
- Add support for types incremental and random
include/buffer.h| 1 +
include/libnftnl/expr.h
Fix the direct assignment from u32 data input into an attribute with a
size of u8.
Refer to 4da449ae1df
Signed-off-by: Laura Garcia Liebana
---
Changes in V2:
- Collapse the 5 independent patches in just one
- Change description and subject
- Add bug link
net/netfilter
Add support for the number generator expression in netfilter.
Signed-off-by: Laura Garcia Liebana
---
Changes in V4:
- Rename prandom state identifier
include/uapi/linux/netfilter/nf_tables.h | 25
net/netfilter/Kconfig| 6 +
net/netfilter/Makefile
Add support for the number generator expression in netfilter.
Signed-off-by: Laura Garcia Liebana
---
Changes in V5:
- Reorder the functions
- Add attributes checks
- Use switch instead of if statements
include/uapi/linux/netfilter/nf_tables.h | 25
net/netfilter
Check for overflow of u8 fields from u32 netlink attributes and maximum
values.
Refer to 4da449ae1df
Signed-off-by: Laura Garcia Liebana
---
(was: netfilter: nf_tables: Check for overflow of u8 fields from u32
netlink attributes)
Changes in V3:
- Use ERANGE instead of EINVAL when
Check for overflow of u8 fields from u32 netlink attributes and maximum
values.
Refer to 4da449ae1df
Signed-off-by: Laura Garcia Liebana
---
(was: netfilter: nf_tables: Check for overflow of u8 fields from u32
netlink attributes)
Changes in V4:
- Define NFT_CMP_MAX
include/uapi/linux
renamed to _modulus_ as the behaviour is similar to
other expressions with number limits (ex. nft_hash).
Signed-off-by: Laura Garcia Liebana
---
include/uapi/linux/netfilter/nf_tables.h | 6 --
net/netfilter/nft_numgen.c | 37 ++--
2 files changed, 25
attribute will be reused as _until_, as it's similar to
other expressions with value limits (ex. hash).
Signed-off-by: Laura Garcia Liebana
---
include/buffer.h| 2 +-
include/libnftnl/expr.h | 3 +-
include/linux/netfilter/nf_tables.h | 6 ++-
src/expr/num
The _until_ attribute is renamed to _modulus_ as the behaviour is similar to
other expressions with number limits (ex. nft_hash).
Renaming is possible because there isn't a kernel release yet with these
changes.
Signed-off-by: Laura Garcia Liebana
---
Changes in V2:
- Separate ch
The _modulus_ attribute will be reused as _until_, as it's similar to
other expressions with value limits (ex. hash).
Renaming is possible because the kernel module nft_numgen has
not been released yet.
Signed-off-by: Laura Garcia Liebana
---
Changes in V2:
- Separate ch
.
Signed-off-by: Laura Garcia Liebana
---
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/netfilter/nft_hash.c | 13 +++--
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/include/uapi/linux/netfilter/nf_tables.h
b/include/uapi/linux/netfilter/nf_tables.h
.
Signed-off-by: Laura Garcia Liebana
---
include/libnftnl/expr.h | 1 +
include/linux/netfilter/nf_tables.h | 2 ++
src/expr/hash.c | 39 +++--
tests/nft-expr_hash-test.c | 4
4 files changed, 40 insertions(+), 6
.
Signed-off-by: Laura Garcia Liebana
---
Changes in v2:
- Add check for hash + sum overflow.
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/netfilter/nft_hash.c | 16 ++--
2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/include/uapi/linux
The _modulus_ attribute will be reused as _until_, as it's similar to
other expressions with value limits (ex. hash).
Renaming is possible because the kernel module nft_numgen has
not been released yet.
Signed-off-by: Laura Garcia Liebana
---
Changes in v2:
- Separate ch
number generation.
Signed-off-by: Laura Garcia Liebana
---
Changes in v2:
- Separate _SUM_ changes with _until_ attribute renaming.
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/netfilter/nft_numgen.c | 9 +++--
2 files changed, 9 insertions(+), 2 deletions
increment number generation.
Signed-off-by: Laura Garcia Liebana
---
Changes in v2:
- Separate _SUM_ changes with _until_ attribute renaming.
include/buffer.h| 1 +
include/libnftnl/expr.h | 1 +
include/linux/netfilter/nf_tables.h | 2 ++
src/expr
: Add hash offset value")
Reported-by: Liping Zhang
Signed-off-by: Laura Garcia Liebana
---
net/netfilter/nft_hash.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c
index bd12f7a..09473b4 100644
--- a/net/netfilter/nft_ha
, 101, ...
Suggested-by: Pablo Neira Ayuso
Signed-off-by: Laura Garcia Liebana
---
Changes in v2:
- Separate offset changes with _until_ attribute renaming, as
Pablo suggested.
Changes in v3:
- Rename SUM by OFFSET, as Pablo suggested.
- Include correct behavior for the
, ...
Suggested-by: Pablo Neira Ayuso
Signed-off-by: Laura Garcia Liebana
---
Changes in v2:
- Separate offset changes with _until_ attribute renaming, as
Pablo suggested.
Changes in v3:
- Use OFFSET attribute instead of SUM.
- Add offset support for random counter.
include
-by: Pablo Neira Ayuso
Signed-off-by: Laura Garcia Liebana
---
include/net/netfilter/nf_tables.h | 2 ++
net/netfilter/nf_tables_api.c | 26 ++
net/netfilter/nft_bitwise.c | 10 +-
net/netfilter/nft_byteorder.c | 17 +++--
net/netfilter
during the configure of the
package.
Suggested-by: Pablo Neira Ayuso
Signed-off-by: Laura Garcia Liebana
---
configure.ac | 14 +-
include/hash.h | 10 ++
src/parser_bison.y | 5 +
tests/py/ip/hash.t | 2 ++
4 files changed, 30 insertions(+), 1 deletion(-)
di
This patchset provides several improvements for numgen and hash
expressions:
- support of OFFSET attribute for numgen and hash expressions
- makes SEED attribute optional and randomly generated
- fix the TYPE attribute to be treated as a register
Laura Garcia Liebana (4):
src: make hash
Add support to add an offset to the hash generator.
Example:
ct mark set hash ip saddr mod 10 offset 100
This will generate marks with series between 100-110.
Signed-off-by: Laura Garcia Liebana
---
include/expression.h| 1 +
include/hash.h | 3
Add support to add an offset to the numgen generated value.
Example:
ct mark set numgen inc mod 2 offset 100
This will generate marks with a series like 100, 101, 100, ...
Signed-off-by: Laura Garcia Liebana
---
include/expression.h| 1 +
include/linux/netfilter/nf_tables.h
Avoid treating the numgen type attribute as a register.
Fixes: 345236211715 ("src: add hash expression")
Signed-off-by: Laura Garcia Liebana
---
src/netlink_linearize.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/netlink_linearize.c b/src/netlink_lineari
ule x y meta mark set jhash ip saddr . ip daddr mod 2
In order to generate a resilient random number, the syscall
getrandom(2)[0] is used if detected. Otherwise, the trivial rand()
will be used.
[0] https://lwn.net/Articles/605828/
Suggested-by: Pablo Neira Ayuso
Signed-off-by: Laura G
Add support to add an offset to the hash generator, eg.
ct mark set hash ip saddr mod 10 offset 100
This will generate marks with series between 100-109.
Signed-off-by: Laura Garcia Liebana
---
Changes in v2:
- Adapt the code to the repository changes.
- Include test payload
ule x y meta mark set jhash ip saddr . ip daddr mod 2
The kernel will take care of generating a random seed.
Signed-off-by: Laura Garcia Liebana
---
Changes in v3:
- The random generation is done in kernel side.
- Tests included.
src/parser_bison.y | 5 +
tests/py/ip/h
Add support to add an offset to the hash generator, eg.
ct mark set hash ip saddr mod 10 offset 100
This will generate marks with series between 100-109.
Signed-off-by: Laura Garcia Liebana
---
Changes in v3:
- This patch depends on 1/4.
include/expression.h| 1
Use the function nft_parse_u32_check() to fetch the value and validate
the u32 attribute into the hash len u8 field.
This patch revisits 4da449ae1df9 ("netfilter: nft_exthdr: Add size check
on u8 nft_exthdr attributes").
Signed-off-by: Laura Garcia Liebana
---
net/netfilter/nft_
These changes add support for multi hash functions and include the
symmetric hash type.
As 2 different structures are needed, we're going to rename the
nft_hash structure to nft_jhash, and then provide support for
several hash functions before including the new type.
Laura Garcia Lieba
h mod 2
Signed-off-by: Laura Garcia Liebana
---
include/libnftnl/expr.h | 1 +
include/linux/netfilter/nf_tables.h | 13 +++
src/expr/hash.c | 46 -
tests/nft-expr_hash-test.c | 4
4 files change
This patch renames the local nft_hash structure and functions
to nft_jhash in order to prepare the nft_hash module code to
add new hash functions.
Signed-off-by: Laura Garcia Liebana
---
net/netfilter/nft_hash.c | 36 ++--
1 file changed, 18 insertions(+), 18
, but not seed.
Examples:
nft add rule ip nat prerouting ct mark set jhash ip saddr mod 2
nft add rule ip nat prerouting ct mark set symhash mod 2
Signed-off-by: Laura Garcia Liebana
---
include/uapi/linux/netfilter/nf_tables.h | 13 +
net/netfilter/nft_hash.c
h mod 2
Signed-off-by: Laura Garcia Liebana
---
include/expression.h| 1 +
include/hash.h | 2 +-
include/linux/netfilter/nf_tables.h | 13 +
src/evaluate.c | 3 ++-
src/hash.c
, but not seed.
Examples:
nft add rule ip nat prerouting ct mark set jhash ip saddr mod 2
nft add rule ip nat prerouting ct mark set symhash mod 2
Signed-off-by: Laura Garcia Liebana
---
v2:
- Avoid warning due to 'const' from symhash eval skb
include/uapi/linux/netfilter/n
h mod 2
Signed-off-by: Laura Garcia Liebana
---
v2:
- Discard new line remove
include/expression.h| 1 +
include/hash.h | 2 +-
include/linux/netfilter/nf_tables.h | 13 +
src/evaluate.c | 3 ++-
src/h
, but not seed.
Examples:
nft add rule ip nat prerouting ct mark set jhash ip saddr mod 2
nft add rule ip nat prerouting ct mark set symhash mod 2
By default, the Jenkins hash will be used if no hash type is
provided, for compatibility reasons.
Signed-off-by: Laura Garcia Liebana
-
add rule ip filter INPUT meta random != 0.109 counter accept
Signed-off-by: Laura Garcia Liebana
---
extensions/libxt_statistic.c | 15 +++
1 file changed, 15 insertions(+)
diff --git a/extensions/libxt_statistic.c b/extensions/libxt_statistic.c
index b6ae5f5..95d588c 100644
random ! --probability
0.1 -j ACCEPT
nft add rule ip filter INPUT meta random != 0.109 counter accept
The .xlate indirection returns 0 if the translation is not available.
Signed-off-by: Laura Garcia Liebana
---
Changes in v2:
- Return 0 if the translation is not supported, as
rule ip6 filter INPUT icmpv6 type address-unreachable counter log level
warn
$ ip6tables-translate -t filter -A INPUT -m icmp6 ! --icmpv6-type 2 -j LOG
nft add rule ip6 filter INPUT icmpv6 type != packet-too-big counter log level
warn
Signed-off-by: Laura Garcia Liebana
---
extensions
icmp type host-unreachable counter log level warn
$ sudo iptables-translate -t filter -A INPUT -m icmp ! --icmp-type 3 -j LOG
nft add rule ip filter INPUT icmp type != destination-unreachable counter log
level warn
Signed-off-by: Laura Garcia Liebana
---
extensions/libipt_icmp.c | 33
INPUT icmpv6 type nd-neighbor-advert counter log level
warn
$ ip6tables-translate -t filter -A INPUT -m icmp6 ! --icmpv6-type
packet-too-big -j LOG
nft add rule ip6 filter INPUT icmpv6 type != packet-too-big counter log level
warn
Signed-off-by: Laura Garcia Liebana
---
v2:
- Detection
-unreachable counter log
level warn
$ sudo iptables-translate -t filter -A INPUT -m icmp ! --icmp-type 3 -j LOG
nft add rule ip filter INPUT icmp type != destination-unreachable counter log
level warn
Signed-off-by: Laura Garcia Liebana
---
v2:
- Detection of not supported types in
INPUT icmpv6 type nd-neighbor-advert counter log level
warn
$ ip6tables-translate -t filter -A INPUT -m icmp6 ! --icmpv6-type
packet-too-big -j LOG
nft add rule ip6 filter INPUT icmpv6 type != packet-too-big counter log level
warn
Signed-off-by: Laura Garcia Liebana
---
v2:
- Detection
Enable support for router-advertisement and router-solicitation icmp types in
nft.
Example:
$ sudo nft add rule ip filter input icmp type router-advertisement counter
accept
$ sudo nft add rule ip filter input icmp type router-solicitation counter accept
Signed-off-by: Laura Garcia Liebana
-unreachable counter accept
$ sudo iptables-translate -t filter -A INPUT -m icmp ! --icmp-type 3 -j ACCEPT
nft add rule ip filter INPUT icmp type != destination-unreachable counter accept
Signed-off-by: Laura Garcia Liebana
---
v2:
- Detection of not supported types in nftables, as Shivani
-translate -t filter -A INPUT -m icmp ! --icmp-type 3 -j ACCEPT
nft add rule ip filter INPUT icmp type != destination-unreachable counter accept
Signed-off-by: Laura Garcia Liebana
---
v2:
- Detection of not supported types in nftables, as Shivani suggested.
v3:
- Fix array iteration
Avoid printing the log level in the translation when the level is the
default value.
Example:
$ sudo iptables-translate -t filter -A INPUT -m icmp ! --icmp-type 10 -j LOG
nft add rule ip filter INPUT icmp type != router-solicitation counter log
Signed-off-by: Laura Garcia Liebana
t.
$ sudo iptables-translate -t filter -A INPUT -m icmp --icmp-type any -j ACCEPT
nft add rule ip filter INPUT icmp counter accept
Signed-off-by: Laura Garcia Liebana
---
v2:
- Detection of not supported types in nftables, as Shivani suggested.
v3:
- Fix array iteration prot
iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT
nft add rule ip filter FORWARD tcp dport 22 counter reject
Signed-off-by: Laura Garcia Liebana
---
extensions/libipt_REJECT.c | 8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/extensions/libipt_REJECT.c b/extensions
ip6tables-translate -A FORWARD -p TCP --dport 22 -j REJECT
nft add rule ip6 filter FORWARD tcp dport 22 counter reject
Signed-off-by: Laura Garcia Liebana
---
extensions/libip6t_REJECT.c | 9 +++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/extensions/libip6t_REJECT.c b
iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT
nft add rule ip filter FORWARD tcp dport 22 counter reject
Signed-off-by: Laura Garcia Liebana
---
v2:
- Fix default constant, as Pablo suggested.
extensions/libipt_REJECT.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion
ip6tables-translate -A FORWARD -p TCP --dport 22 -j REJECT
nft add rule ip6 filter FORWARD tcp dport 22 counter reject
Signed-off-by: Laura Garcia Liebana
---
v2:
- Remove default constant, as Pablo suggested.
extensions/libip6t_REJECT.c | 5 -
1 file changed, 4 insertions(+), 1
-translate -t filter -A INPUT -m icmp ! --icmp-type 3 -j ACCEPT
nft add rule ip filter INPUT icmp type != destination-unreachable counter accept
Signed-off-by: Laura Garcia Liebana
---
v7:
- Fix 'any' case, as Pablo suggested.
extensions/libipt_i
ccept
Signed-off-by: Laura Garcia Liebana
---
extensions/libxt_multiport.c | 103 +++
1 file changed, 103 insertions(+)
diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
index 03af5a9..7dd12bd 100644
--- a/extensions/libxt_multiport.c
unter accept
Signed-off-by: Laura Garcia Liebana
---
Changes in v2:
- Add curly brackets to lists and range of ports.
extensions/libxt_multiport.c | 116 +++
1 file changed, 116 insertions(+)
diff --git a/extensions/libxt_multiport.c b/exten
ccept
Signed-off-by: Laura Garcia Liebana
---
Changes in v2:
- Add curly brackets to lists and range of ports.
Changes in v3:
- Avoid {} in port ranges
extensions/libxt_multiport.c | 118 +++
1 file changed, 118 insertions(+)
diff --
Fix the compression parameter index 'cpi' instead of 'cfi'.
Signed-off-by: Laura Garcia Liebana
---
doc/nft.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/nft.xml b/doc/nft.xml
index 22d023e..0ebf51a 100644
--- a/doc/nft.xml
+++ b/doc/nft.xm
x12 -j
ACCEPT
nft add rule ip filter INPUT comp cpi 18 counter accept
$ sudo iptables-translate -t filter -A INPUT -m ipcomp ! --ipcompspi 0x12 -j
ACCEPT
nft add rule ip filter INPUT comp cpi != 18 counter accept
Signed-off-by: Laura Garcia Liebana
---
extensions/libxt_ipcomp.c | 13 +
ip6 filter INPUT hbh hdrlength != 22 counter
Signed-off-by: Laura Garcia Liebana
---
extensions/libip6t_hbh.c | 17 +
1 file changed, 17 insertions(+)
diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
index c0389ed..416681d 100644
--- a/extensions/libip6t_hbh.c
Fix old identifiers like 'ipcomp' and 'op' with 'comp' and 'operation'
instead. Update some FIXME datatypes.
Signed-off-by: Laura Garcia Liebana
---
doc/nft.xml | 16
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/doc/nft.
Signed-off-by: Laura Garcia Liebana
---
extensions/libip6t_frag.c | 31 +++
1 file changed, 31 insertions(+)
diff --git a/extensions/libip6t_frag.c b/extensions/libip6t_frag.c
index 023df62..00ba00f 100644
--- a/extensions/libip6t_frag.c
+++ b/extensions/libip6t_frag.c
ccept
Signed-off-by: Laura Garcia Liebana
---
Changes in v4:
- Support != {} as already given
extensions/libxt_multiport.c | 115 +++
1 file changed, 115 insertions(+)
diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
index 03
Check and update nft parameter datatypes.
Signed-off-by: Laura Garcia Liebana
---
doc/nft.xml | 42 --
1 file changed, 16 insertions(+), 26 deletions(-)
diff --git a/doc/nft.xml b/doc/nft.xml
index b9f3c69..ea47e2b 100644
--- a/doc/nft.xml
+++ b/doc
ip6 filter INPUT ip6 dscp != 0x32 counter accept
Signed-off-by: Laura Garcia Liebana
---
extensions/libxt_dscp.c | 92 ++---
1 file changed, 79 insertions(+), 13 deletions(-)
diff --git a/extensions/libxt_dscp.c b/extensions/libxt_dscp.c
index 02b22a4
ip6 filter INPUT ip6 dscp != 0x32 counter accept
Signed-off-by: Laura Garcia Liebana
---
Changes in v2:
- Remove NFPROTO_UNSPEC register
extensions/libxt_dscp.c | 71 -
1 file changed, 58 insertions(+), 13 deletions(-)
diff --git a
0-200 frag frag-off 0 counter accept
Signed-off-by: Laura Garcia Liebana
---
Changes in v2:
- Include translation for fragfirst and fraglast.
- fraglen is marked as deprecated.
extensions/libip6t_frag.c | 33 +
1 file changed, 33 insertions(+)
di