Steven Barth | 1 Oct 23:59 2014

[nft PATCH] build: allow disabling libreadline-support

This makes nftables a bit more embedded-friendly.

Signed-off-by: Steven Barth <cyrus <at> openwrt.org>
---
 configure.ac    | 11 +++++++++--
 src/Makefile.in |  2 ++
 src/main.c      |  6 ++++++
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
index 3a7647f..a19da5d 100644
--- a/configure.ac
+++ b/configure.ac
 <at>  <at>  -71,8 +71,15  <at>  <at>  AC_CHECK_LIB([nftnl], [nft_rule_alloc], ,
 AC_CHECK_LIB([gmp], [__gmpz_init], ,
 	     AC_MSG_ERROR([No suitable version of libgmp found]))

-AC_CHECK_LIB([readline], [readline], ,
-	     AC_MSG_ERROR([No suitable version of libreadline found]))
+
+AC_ARG_WITH([libreadline], [AS_HELP_STRING([--without-libreadline],
+            [Disable libreadline support (no interactive CLI)])], [],
+            [with_libreadline=yes])
+AS_IF([test "x$with_libreadline" != xno], [
+AC_CHECK_LIB([readline],[readline], , AC_MSG_ERROR([No suitable version of libreadline found]))
+])
+AC_SUBST(with_libreadline)
+

 # Checks for header files.
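Review bot: the hunk leaves two consecutive blank lines before `# Checks for header files.` (the added `+` blank at the end of the block plus the existing one) and inserts another empty `+` line above `AC_ARG_WITH`; drop both extra `+` lines so the spacing matches the neighbouring checks. The `AC_CHECK_LIB([readline],[readline], , AC_MSG_ERROR(...))` line also lost the space after the first comma and is now longer than the two-line form it replaces; keeping the original wrapping makes the diff smaller and easier to read. Finally, the `AS_IF` has no else branch, so the disabled case defines nothing on its own; if `src/main.c` relies on the `HAVE_LIBREADLINE` symbol that a successful `AC_CHECK_LIB` defines, that works, but it is worth stating in the commit message.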

Giuseppe Longo | 1 Oct 16:47 2014

[PATCH 1/3] xtables: bootstrap xtables-eb for nftables

This patch bootstraps xtables-eb for the nftables compatibility layer

Signed-off-by: Giuseppe Longo <giuseppelng <at> gmail.com>
---
 include/linux/netfilter_bridge.h            |   33 +
 include/linux/netfilter_bridge/ebtables.h   |  276 +++++++
 include/linux/netfilter_bridge/ethernetdb.h |   58 ++
 iptables/Makefile.am                        |    6 +-
 iptables/getethertype.c                     |  161 ++++
 iptables/nft.c                              |   28 +
 iptables/nft.h                              |    9 +
 iptables/xtables-compat-multi               |  210 +++++
 iptables/xtables-compat-multi.c             |    1 +
 iptables/xtables-eb-standalone.c            |   87 ++
 iptables/xtables-eb.c                       | 1186 +++++++++++++++++++++++++++
 iptables/xtables-ebtables.h                 |   49 ++
 iptables/xtables-multi.c                    |    1 +
 iptables/xtables-multi.h                    |    1 +
 14 files changed, 2104 insertions(+), 2 deletions(-)
 create mode 100644 include/linux/netfilter_bridge.h
 create mode 100644 include/linux/netfilter_bridge/ebtables.h
 create mode 100644 include/linux/netfilter_bridge/ethernetdb.h
 create mode 100644 iptables/getethertype.c
 create mode 100755 iptables/xtables-compat-multi
 create mode 100644 iptables/xtables-eb-standalone.c
 create mode 100644 iptables/xtables-eb.c
 create mode 100644 iptables/xtables-ebtables.h

diff --git a/include/linux/netfilter_bridge.h b/include/linux/netfilter_bridge.h
new file mode 100644

Pablo Neira Ayuso | 30 Sep 19:53 2014

merge of iptables-tests to master

Hi,

Short notice. I'll merge the automated regression tests for iptables
in this branch.

http://git.netfilter.org/iptables/log/?h=tests

By this week. They have remained in a separate branch for quite some
time. They should help to catch problems in the iptables-nftables
compatibility layer.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo <at> vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Pablo Neira Ayuso | 30 Sep 19:45 2014

[PATCH iptables-compat] iptables-compat: get rid of error reporting via perror

The compat layer should report problems in the iptables way instead.

Signed-off-by: Pablo Neira Ayuso <pablo <at> netfilter.org>
---
 iptables/nft.c                   |   80 +++++++++++---------------------------
 iptables/xtables-config-parser.y |   10 ++---
 iptables/xtables-events.c        |   30 +++++---------
 3 files changed, 35 insertions(+), 85 deletions(-)

diff --git a/iptables/nft.c b/iptables/nft.c
index a4cea22..91e9133 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
 <at>  <at>  -61,10 +61,8  <at>  <at>  int mnl_talk(struct nft_handle *h, struct nlmsghdr *nlh,
 	int ret;
 	char buf[MNL_SOCKET_BUFFER_SIZE];

-	if (mnl_socket_sendto(h->nl, nlh, nlh->nlmsg_len) < 0) {
-		perror("mnl_socket_send");
+	if (mnl_socket_sendto(h->nl, nlh, nlh->nlmsg_len) < 0)
 		return -1;
-	}

 	ret = mnl_socket_recvfrom(h->nl, buf, sizeof(buf));
 	while (ret > 0) {
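Review bot: with the `perror()` removed, `mnl_talk()` now signals a send failure only through its -1 return, so the caller's error path has to read `errno` before anything else runs; check that the `errno` set by `mnl_socket_sendto()` is the one the iptables-style message ends up reporting, not whatever a later library call leaves behind. Dropping the braces is fine since the body is a single `return -1;` now.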
 <at>  <at>  -212,26 +210,21  <at>  <at>  static int mnl_nft_batch_talk(struct nft_handle *h)
 	int err = 0;

 	ret = mnl_nft_socket_sendmsg(h->nl);
-	if (ret == -1) {

Pablo Neira Ayuso | 30 Sep 19:35 2014

[PATCH iptables-compat 1/2] iptables-compat: nft: use nft_batch_begin and nft_batch_end from libnftnl

Use the existing functions in libnftnl to begin and end a batch.

Signed-off-by: Pablo Neira Ayuso <pablo <at> netfilter.org>
---
 iptables/nft.c |   26 +++++---------------------
 1 file changed, 5 insertions(+), 21 deletions(-)

diff --git a/iptables/nft.c b/iptables/nft.c
index e3b07e0..8c91e99 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
 <at>  <at>  -240,34 +240,18  <at>  <at>  static int mnl_nft_batch_talk(struct nft_handle *h)
 	return err ? -1 : 0;
 }

-static void mnl_nft_batch_put(struct mnl_nlmsg_batch *batch, int type,
-			      uint32_t seq)
+static void mnl_nft_batch_begin(struct mnl_nlmsg_batch *batch, uint32_t seq)
 {
-	struct nlmsghdr *nlh;
-	struct nfgenmsg *nfg;
-
-	nlh = mnl_nlmsg_put_header(mnl_nlmsg_batch_current(batch));
-	nlh->nlmsg_type = type;
-	nlh->nlmsg_flags = NLM_F_REQUEST;
-	nlh->nlmsg_seq = seq;
-
-	nfg = mnl_nlmsg_put_extra_header(nlh, sizeof(*nfg));
-	nfg->nfgen_family = AF_INET;
-	nfg->version = NFNETLINK_V0;
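Review bot: `nft_batch_begin()`/`nft_batch_end()` are only provided by recent libnftnl, yet the diffstat touches `iptables/nft.c` alone; raise the libnftnl version required in configure.ac as part of this change so that a build against an older library fails at configure time with a clear message instead of at link time with an undefined reference.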

Pablo Neira Ayuso | 30 Sep 19:34 2014

[PATCH nft] mnl: use nft_batch_begin and nft_batch_end from libnftnl

Use the existing functions in libnftnl to begin and end a batch.

Signed-off-by: Pablo Neira Ayuso <pablo <at> netfilter.org>
---
 src/mnl.c |   25 ++++++-------------------
 1 file changed, 6 insertions(+), 19 deletions(-)

diff --git a/src/mnl.c b/src/mnl.c
index b01e91c..bc8b7ea 100644
--- a/src/mnl.c
+++ b/src/mnl.c
 <at>  <at>  -192,33 +192,20  <at>  <at>  static void nft_batch_continue(void)
 		nft_batch_page_add();
 }

-static uint32_t mnl_batch_put(int type)
+uint32_t mnl_batch_begin(void)
 {
-	struct nlmsghdr *nlh;
-	struct nfgenmsg *nfg;
-
-	nlh = mnl_nlmsg_put_header(nft_nlmsg_batch_current());
-	nlh->nlmsg_type = type;
-	nlh->nlmsg_flags = NLM_F_REQUEST;
-	nlh->nlmsg_seq = mnl_seqnum_alloc();
+	uint32_t seq = mnl_seqnum_alloc();

-	nfg = mnl_nlmsg_put_extra_header(nlh, sizeof(*nfg));
-	nfg->nfgen_family = AF_INET;
-	nfg->version = NFNETLINK_V0;
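Review bot: `mnl_batch_begin()` loses `static` while the diffstat shows only `src/mnl.c` changing, so either it is still file-local and should keep `static`, or it is now called from another file and needs a prototype in the mnl header; as posted, `-Wmissing-prototypes` will flag it. Separately, since `nft_batch_begin()`/`nft_batch_end()` come from newer libnftnl, the configure check for libnftnl should require a version that provides them, otherwise older installations break at link time.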

Alvaro Neira Ayuso | 30 Sep 17:21 2014

[nft PATCH 1/4 v3] payload: generate dependency in the appropriate byteorder

If we add a dependency, the constant expression on the right
hand side must be represented in the appropriate order.

Example without this patch:

  nft add rule bridge filter input reject with icmp-host-unreach --debug netlink

  [ payload load 2b  <at>  link header + 12 => reg 1 ]
  [ cmp eq reg 1 0x00000800 ]
  [ reject type 0 code 1 ]

When we create the payload expression we have the right value in host endian but
this has to be in big endian.

With this patch, if we add the same rule:

  nft add rule bridge filter input reject with icmp-host-unreach --debug netlink

  [ payload load 2b  <at>  link header + 12 => reg 1 ]
  [ cmp eq reg 1 0x00000008 ]
  [ reject type 0 code 1 ]

The new dependency is converted to big endian.

Signed-off-by: Alvaro Neira Ayuso <alvaroneay <at> gmail.com>
---
[no changes in v3]

 src/payload.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

Pablo Neira Ayuso | 30 Sep 14:48 2014

[PATCH iptables-compat] iptables-compat: fix address prefix

This patch fixes:

 # iptables-compat -I INPUT -s 1.2.3.0/24

generates this bytecode:

ip filter INPUT 20
  [ payload load 4b  <at>  network header + 12 => reg 1 ]
  [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
  [ cmp eq reg 1 0x00030201 ]
  [ counter pkts 0 bytes 0 ]

and it displays:

 # iptables-compat-save
...
-A INPUT -s 1.2.3.0/24

ip6tables-compat and arptables-compat are also fixed.

This patch uses the new context structure to annotate payload, meta
and bitwise, so it interprets the cmp expression based on the context.
This provides a rudimentary way to delinearize the iptables-compat
rule-set, but it should be enough for the built-in xtables selectors
since we still use the xtables extensions.

Signed-off-by: Pablo Neira Ayuso <pablo <at> netfilter.org>
---
 iptables/nft-arp.c    |   62 +++++++++++++++++++++++-----------
 iptables/nft-ipv4.c   |   74 +++++++++++++++++++---------------------
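The byte-order point in the payload-dependency patch above (0x00000800 versus 0x00000008 for the IPv4 ethertype) and the mask/cmp pair in the address-prefix patch come down to the same thing: a comparison register holds raw packet bytes, and the `--debug netlink` dump prints its first four bytes as a host-order 32-bit word. The following C program is an added example, not code from nftables or iptables-compat; it assumes a little-endian host (as in the quoted output), and the function names and the non-contiguous-mask case are its own.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the patches above. A comparison register in
 * nft/iptables-compat bytecode holds raw packet bytes; "--debug netlink"
 * prints the first four bytes of it read as a host-order uint32. The expected
 * values in the comments assume a little-endian host, as in the quoted dumps. */

int host_is_little_endian(void)
{
	uint16_t probe = 1;
	uint8_t first;

	memcpy(&first, &probe, 1);
	return first == 1;
}

/* Read a 4-byte register the way the debug dump prints it. */
static uint32_t reg_as_u32(const uint8_t reg[4])
{
	uint32_t v;

	memcpy(&v, reg, sizeof(v));
	return v;
}

/* Wrong encoding: the 2-byte constant is copied in host order, which prints as
 * 0x00000800 on little-endian and never matches the big-endian ethertype
 * bytes the payload expression loads from the frame. */
uint32_t reg_const16_host(uint16_t c)
{
	uint8_t reg[4] = { 0 };

	memcpy(reg, &c, sizeof(c));
	return reg_as_u32(reg);
}

/* Correct encoding: the constant is converted to network order first, so the
 * register holds the same bytes "payload load 2b @ link header + 12" copies
 * from the frame; 0x0800 prints as 0x00000008 on little-endian. */
uint32_t reg_const16_be(uint16_t c)
{
	uint8_t reg[4] = { 0 };
	uint16_t be = htons(c);

	memcpy(reg, &be, sizeof(be));
	return reg_as_u32(reg);
}

/* Rudimentary delinearization of an IPv4 "bitwise mask / cmp" pair. mask_reg
 * and cmp_reg are the register words exactly as the debug output prints them.
 * Writes "a.b.c.d/len" into out and returns the prefix length, or -1 when the
 * mask is not contiguous and therefore has no prefix-length form. */
int delinearize_ipv4(uint32_t mask_reg, uint32_t cmp_reg, char *out, size_t outlen)
{
	/* the register bytes are in network order; ntohl() gives host-order values */
	uint32_t mask = ntohl(mask_reg);
	uint32_t addr = ntohl(cmp_reg);
	uint32_t contiguous;
	int plen = 0;

	while (plen < 32 && (mask & (0x80000000u >> plen)))
		plen++;
	contiguous = plen ? 0xffffffffu << (32 - plen) : 0;
	if (mask != contiguous)
		return -1;

	snprintf(out, outlen, "%u.%u.%u.%u/%d",
		 (unsigned)(addr >> 24), (unsigned)((addr >> 16) & 0xff),
		 (unsigned)((addr >> 8) & 0xff), (unsigned)(addr & 0xff), plen);
	return plen;
}

int main(void)
{
	char buf[32];

	/* the IPv4 ethertype dependency from the payload patch, both encodings */
	printf("host order:    [ cmp eq reg 1 0x%08x ]\n", reg_const16_host(0x0800));
	printf("network order: [ cmp eq reg 1 0x%08x ]\n", reg_const16_be(0x0800));

	/* the iptables-compat example: bitwise 0x00ffffff, cmp 0x00030201 */
	if (delinearize_ipv4(0x00ffffff, 0x00030201, buf, sizeof(buf)) >= 0)
		printf("-s %s\n", buf);
	return 0;
}
```

The contiguity check is the part a delinearizer must not skip: a bitwise mask such as 0x00ff00ff is perfectly valid bytecode but has no `a.b.c.d/len` spelling, so printing a prefix length for it would silently misrepresent the rule.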

Ken-ichirou MATSUZAWA | 30 Sep 11:02 2014

[PATCH lnfct] qa: build unshared nfct environment

nssocket forks and changes to a netns pre-established by ip(8), then serves its
socket descriptor to the parent via nssocket().  Since this socket is
isolated, it can be used to create regression tests for conntrack.

This also adds a conntrack event testcase as a first user.
A ct_echo_event.sh script is provided to build and run this test
automatically:

  # ./qa/ct_echo_event.sh
  make: Entering directory...
  ...debug output like:
      [NEW] tcp      6 2 SYN_SENT src=10.255.255.249 dst=10.255.255.250 sport...
   [UPDATE] tcp      6 2 SYN_RECV src=10.255.255.249 dst=10.255.255.250 sport...
  ...
  [DESTROY] icmp     1 src=10.255.255.249 dst=10.255.255.250 type=8 code=0...
  # echo $?
  0

Signed-off-by: Ken-ichirou MATSUZAWA <chamas <at> h4.dion.ne.jp>

---
 .gitignore          |   1 +
 configure.ac        |   3 +
 qa/Makefile.am      |   8 +-
 qa/ct_echo_event.c  | 423 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 qa/ct_echo_event.sh |  78 ++++++++++
 qa/inetd.conf       |   7 +
 qa/nssocket.c       | 423 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 qa/nssocket.h       |  77 ++++++++++
 8 files changed, 1019 insertions(+), 1 deletion(-)

Pablo Neira Ayuso | 30 Sep 11:03 2014

Re: [libnftnl PATCH 2/2] examples: nft-set-parse-add: give batching support

On Mon, Sep 29, 2014 at 05:35:44PM +0200, Arturo Borrero Gonzalez wrote:
> On 29/09/2014 17:02, "Pablo Neira Ayuso" <pablo <at> netfilter.org> wrote:
> >
> > On Fri, Sep 26, 2014 at 08:34:48PM +0200, Arturo Borrero Gonzalez wrote:
> > >  <at>  <at>  -66,6 +67,8  <at>  <at>  static struct nft_set *set_parse_file(const char
> *file, uint16_t format)
> > >       }
> > >
> > >       nft_parse_err_free(err);
> > > +
> > > +     nft_set_attr_set_u32(s, NFT_SET_ATTR_ID, 1);
> > >       return s;
> > >
> > >  }
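Review bot: `nft_set_attr_set_u32(s, NFT_SET_ATTR_ID, 1)` hands every set returned by `set_parse_file()` the same batch-local id, which only holds while the example parses a single set; a counter incremented per parsed set, or an id passed in by the caller, keeps the ids unique at no extra cost and removes the trap for anyone copying the example into code that batches several sets.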
> >
> > I guess this works if you parse one single set definition in a file.
> > With more than one set, this will break.
> >
> > IIRC, Alvaro started a patch time ago to add a new interface to
> > libnftnl to handle the set internal id which was incomplete.
> >
> > Cc'ing him to know its status.
> 
> Yes, there is an issue here. But this code example just parses one set.

Right. Then applied, thanks.

Pablo Neira Ayuso | 30 Sep 10:59 2014

[PATCH net-next] netfilter: bridge: build br_nf_core only if required

From: Florian Westphal <fw <at> strlen.de>

Eric reports build failure with
CONFIG_BRIDGE_NETFILTER=n

We insist on building br_nf_core.o unconditionally, but we must only do so
if br_netfilter was enabled, else it fails to build due to
functions being defined to empty stubs (and some structure members
being defined out).

Also, BRIDGE_NETFILTER=y|m makes no sense when BRIDGE=n.

Fixes: 34666d467 (netfilter: bridge: move br_netfilter out of the core)
Reported-by: Eric Dumazet <eric.dumazet <at> gmail.com>
Signed-off-by: Florian Westphal <fw <at> strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo <at> netfilter.org>
---
 net/Kconfig         |    2 +-
 net/bridge/Makefile |    5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/net/Kconfig b/net/Kconfig
index dc5d700..d6b138e 100644
--- a/net/Kconfig
+++ b/net/Kconfig
 <at>  <at>  -177,7 +177,7  <at>  <at>  config NETFILTER_ADVANCED

 config BRIDGE_NETFILTER
 	tristate "Bridged IP/ARP packets filtering"
-	depends on (BRIDGE || BRIDGE=n)
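Review bot: the replacement for `depends on (BRIDGE || BRIDGE=n)` is cut off in this excerpt, so this is a note on the intent rather than the line: because BRIDGE is tristate, a plain `depends on BRIDGE` also keeps BRIDGE_NETFILTER from being built in (=y) while the bridge itself is modular (=m), which is what the commit message asks for; the `net/bridge/Makefile` hunk that makes `br_nf_core.o` conditional is not visible here either, so the `BRIDGE_NETFILTER=n` build the message describes cannot be checked from this excerpt.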

