| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ebtables-nft has always supported both intra- and extrapositioned
negations but defaulted to intrapositioned when printing/saving rules.
With commit 58d364c7120b5 ("ebtables: Use do_parse() from xshared")
though, it started to warn about intrapositioned negations. So change
the default to avoid mandatory warnings when e.g. loading previously
dumped rulesets.
Also adjust test cases, help texts and ebtables-nft.8 accordingly.
Cc: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
Corrections for several spelling mistakes, typo's and non-native usages in
man-pages and error-messages.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
| |
Fixes: v1.8.10-28-g4b0c168a
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
"-" is the dash, "\-" is minus as we know, but groff lists some more
characters: "^" is "modifier circumflex" and "~" is "modifier tilde",
which, too, need to be escaped for our use.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| |
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Sparked by a recent LWN article[1], sweeps over the iptables manpages
for incorrectly encoded dashes was made by Phil Sutter and myself.
An ASCII minushyphen in the source manpage translates to a hyphen in
output, so one has to use the sequence "\-" to get a minushyphen in
the output, as groff_char(7) explains.
[1] https://lwn.net/Articles/947941/ (paywalled until about 2023-11-06)
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
For ranges, en dashes should be used; cf. e.g.
https://en.wikipedia.org/wiki/Dash#En_dash .
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts the following commits:
b14c971db6db0 ("tests: Test compat mode")
11c464ed015b5 ("Add --compat option to *tables-nft and *-nft-restore commands")
ca709b5784c98 ("nft: Introduce and use bool nft_handle::compat")
402b9b3c07c81 ("nft: Pass nft_handle to add_{target,action}()")
This implementation of a compatibility mode implements rules using
xtables extensions if possible and thus relies upon existence of those
in kernel space. Assuming no viable replacement for the internal
mechanics of this mode will be found in foreseeable future, it will
effectively block attempts at deprecating and removing of these xtables
extensions in favor of nftables expressions and thus hinder upstream's
future plans for iptables.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The flag sets nft_handle::compat boolean, indicating a compatible rule
implementation is wanted. Users expecting their created rules to be
fetched from kernel by an older version of *tables-nft may use this to
avoid potential compatibility issues.
Changes since v1:
- Expect short option '-C' in {ip,ip6,eb}tables-nft-restore command line
parser
- Support -C/--compat in arptables-nft-restore, too
- Update man pages with the new flag
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use new 'meta broute set 1' to emulate -t broute. If '-t broute' is given,
automatically translate -j DROP to 'meta broute set 1 accept' internally.
Reverse translation zaps the broute and pretends verdict was DROP.
Note that BROUTING is internally handled via PREROUTING, i.e. 'redirect'
and 'nat' targets are not available, they will need to be emulated via
nft expressions.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
Accept '-v' flag in both ebtables-nft and ebtables-nft-restore. Mostly
interesting because it allows for netlink debug output when specified
multiple times.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
| |
Drop any reference to them (and the environment variable) but list them
in BUGS section hinting at ebtables-save and -restore tools.
Fixes: 1939cbc25e6f5 ("doc: Adjust ebtables man page")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Powered by Stefano's support for concatenated ranges, a full among match
replacement can be implemented. The trick is to add MAC-only elements as
a concatenation of MAC and zero-length prefix, i.e. a range from
0.0.0.0 till 255.255.255.255.
Although not quite needed, detection of pure MAC-only matches is left in
place. For those, no implicit 'meta protocol' match is added (which is
required otherwise at least to keep nft output correct) and no concat
type is used for the set.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
| |
Support among match as far as possible given the limitations of nftables
sets, namely limited to homogeneous MAC address only or MAC and IP
address only matches.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Change content to match nft-variant, most notably:
* There is no broute table, drop all references to it
* Comment out description of among and string matches, we don't support
them (yet)
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
This is a 1:1 copy from legacy ebtables repository.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
