| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nft add rule filter input iifname { "lo", "eth0" } counter
Now the listing shows:
iifname { "lo", "eth0"}
instead of:
iifname { "", ""}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Fix fallout from the automake conversion. Display after configuration
if it is enabled or not.
Reported-by: Steven Barth <cyrus@openwrt.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Small syntax update suggested by Patrick.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
| |
Free allocated memory for ->desc.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
| |
Don't use arbitrary amounts of spaces. The remaining table is
properly aligned, fix the new types.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
| |
Use proper english for full randomization option.
Signed-off-by: Patrick McHardy
|
|
|
|
|
|
| |
Just setting the .sym_tbl correctly is all we need.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
# nft list sets
Segmentation fault
# nft list sets
<cmdline>:1:1-9: Error: Could not receive sets from kernel: Protocol error
list sets
^^^^^^^^^
Fix same bug in `nft list tables'.
Don't cleanup the table object for these commands since it is NULL.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
We have to switch the byteorder of the element in
netlink_delinearize_setelem() for non-range values only.
This fixes the listing of:
nft add rule filter input ct mark { 0x10-0x20 } counter
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
integer_type
nft list table filter
...
cpu { 50331648, 33554432, 0, 16777216} counter packets 8 bytes 344
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rules with header fields that rely on the generic integer datatype
from sets are not matching, eg.
nft add rule filter input udp length { 9 } counter
This set member is an integer represented in host byte order, which
obviously doesn't match the header field (in network byte order).
Since the integer datatype has no specific byteorder, we have to rely
on the expression byteorder instead when configuring the context,
before we evaluate the list of set members.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Use constant_data_ptr() to point to the right memory position on
big endian when exporting data that is stored in a larger variable.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Tested-by: Christophe Leroy <christophe.leroy@c-s.fr>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The name of datatypes can be used in set definition so they should
follow the same logic (and maybe not contain space to avoid problem
with parsing).
This patch adds an underscore to the name of the icmp* code
datatype.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a new ERROR symbol to handle scanning of too large values.
<cmdline>:1:36-99: Error: bad value '0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
add rule ip test-ip4 input ct mark 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
instead of:
BUG: nft: scanner.l:470: nft_lex: Assertion `0' failed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Set missing field on meta expression clone.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we add this rule:
nft add rule filter input meta length 33-55
the listing shows:
meta length >= 33 meta length <= 754974720
The two meta statements share the same left-hand side, thus, only the
first one is converted from network byte order to host byte order.
Update netlink_get_register() to return a clone so each left-hand side
has its own left-hand side.
Moreover, release the existing register before overriding it with fresh
expressions in netlink_set_register().
Thefore, if you manipulate a register from any of the existing parse
functions, you have to re-set it again to place fresh modified clone.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Current code is causing a failure in adding a set containing
a really long list of elements. The failure occurs as soon as
the line is longer than flex read buffer.
When a line is longer than scanner buffer size, the code in YY_INPUT
forces a rewind to the beginning of the string because it does not
find a end of line. The result is that the string is never parsed.
This patch updates the code by rewinding till we found a space.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Otherwise parsing with basetypes doesn't work. Now nft displays
an error when the symbolic constant is not correct:
<cmdline>:1:29-31: Error: Could not parse conntrack state
add rule test test ct state xxx accept
^^^
Use .sym_tbl instead and default on the symbol_constant_parse()
function from the ethertype and pkttype, this simplifies the code and
(more importantly) it avoids a breakage after the change in
integer_type_parse().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following example:
# nft add rule filter input ct state 8 accept
Segmentation fault
leads to a crash because we have the following datatype relation:
ct_state -> bitmask -> integer
The bitmask, which is an intermediate basetype, has no parse()
function, this leads to a crash in symbolic_constant_parse().
Patrick suggested to walk down the chain until we find a parser
function.
Reported-by: leroy christophe <christophe.leroy@c-s.fr>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we use tcp reset with a network protocol that tcp is not supported,
we display an error. This error use the reject.expr location which is NULL,
therefore we have a crash. This patch replaces it using the reject statement
to display the error like:
Rule:
nft add bridge filter input ether type vlan reject with tcp reset
Output:
<cmdline>:1:46-51: Error: cannot reject this ether type
add rule bridge filter input ether type vlan reject with tcp reset
~~~~~~~~~~~~~~~ ^^^^^^
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
The missing \ at the end of the line causes LIBMNL_CFLAGS and LIBNFTNL_CFLAGS
to be ignored. This causes build failure if the libmnl or libnftnl headers are
not in a path that's already searched by the C compiler.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
For example:
nft add map filter my_vmap { type ipv4_addr : verdict\; }
nft add element filter my_vmap { 1.0.0.0 : drop}
nft add rule filter input ip saddr vmap @my_vmap
Reported-by: Bjørnar Ness <bjornar.ness@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Add -DDEBUG to enable --debug option by default as it used to be before
the autotools conversion.
Fixes: 5fa8e49 ("build: autotools conversion")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We will likely have new ones in the future, silently skip them. If the
user wants to see them, it just needs to upgrade.
This is currently causing us problems with kernels that deliver the
generation counter event.
term1# nft add table test
term2# nft monitor
nft: netlink.c:2063: netlink_events_cb: Assertion `0' failed.
Aborted
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1) This removes former Makefiles and install-sh (which is now
automagically imported via autoreconf).
Makefile.defs.in
Makefile.in
Makefile.rules.in
src/Makefile.in
install-sh (now automagically imported via autoreconf).
2) CFLAGS are left almost same, they are integrated into Make_global.am.
Use AM_CPPFLAGS to set the CFLAGS set by pkgconfig.
3) Add m4 directory to the tree which only contains the .gitignore
file. Update .gitignore file to skip autogenerated files.
4) include <config.h> whenever required.
5) Minor adjustments to scanner.l and parser_bison.y to compile cleanly
with autotools.
6) Add %option outfile=lex.yy.c to scanner.l, otherwise I hit this error
here:
gcc -DHAVE_CONFIG_H -I. -I.. -I../include -DDEFAULT_INCLUDE_PATH="\"/usr/etc\"" -Wall -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -Wsign-compare -Winit-self -Wformat-nonliteral -Wformat-security -Wmissing-format-attribute -Wcast-align -Wundef -Wbad-function-cast -g -O2 -MT mnl.o -MD -MP -MF $depbase.Tpo -c -o mnl.o mnl.c &&\
mv -f $depbase.Tpo $depbase.Po
/bin/sh ../build-aux/ylwrap scanner.l lex.yy.c scanner.c -- flex
make[3]: *** [scanner.c] Error 1
make[3]: Leaving directory `/home/pablo/devel/scm/git-netfilter/nftables/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/home/pablo/devel/scm/git-netfilter/nftables/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/pablo/devel/scm/git-netfilter/nftables'
make: *** [all] Error 2
7) Add Makefile.am for include/ (contributed by Giorgio Dal Molin).
The doc/ and files/ conversion to automake will come in follow up
patches but 'make distcheck' already works.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Needed by follow up patches to use autotools.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
The conversion to the autotools need this.
Make sure you remove the autogenerated parser.c and parser.h from
your tree.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new attribute of meta is "cgroup".
Example of use in nft:
# nft add rule ip test output meta cgroup != 0x100001 counter drop
Moreover, this adds tests to the meta.t test file.
The kernel support is addedin the commit:
ce67417 ("netfilter: nft_meta: add cgroup support")
The libnftnl support is add in the commit:
1d4a480 ("expr: meta: Add cgroup support")
More information about the steps to use cgroup:
https://www.kernel.org/doc/Documentation/cgroups/net_cls.txt
More info about cgroup in iptables:
http://git.kernel.org/cgit/linux/kernel/git/pablo/nftables.git/commit/net/netfilter/xt_cgroup.c?id=82a37132f300ea53bdcd812917af5a6329ec80c3
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch changes the parser to permit both nat_flags and port specification
in the redirect expression.
The resulting syntax is:
% nft add rule nat prerouting redirect [port] [nat_flags]
The port specification requires a bit of context regardin the transport
protocol. Some examples:
% nft add rule nat prerouting tcp dport 22 redirect :23
% nft add rule add prerouting udp dport 53 redirect :5353
The nat_flags argument is the last argument:
% nft add rule nat prerouting tdp dport 80 redirect :8080 random
The port specification can be a range:
% nft add rule nat prerouting tcp dport 80 redirect :8080-8090 random
While at it, the regression tests files are updated.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch changes the default behaviour of nft to not translate IP
addresses to hostnames when printing rules if no options are passed.
The options regarding translations after this patch are:
<no -n/-N> show IP addresses numerically (default behaviour)
-n show IP addresses numerically
-nn show Internet services and uid/gid numerically
-nnn show protocols numerically
-N (--reversedns) translate IP addresses to names
The idea is to avoid breaking existing scripts that most likely rely on
'-n' to save the ruleset, so we reduce the impact of this patch and
provide a default behaviour that doesn't generate network traffic when
listing / saving the ruleset.
Joint work with Pablo.
Suggested-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
For example:
src/netlink.c:179: Memory allocation failure
This shouldn't happen, so this allows us to identify at what point the
memory allocation failure has happened. It may be helpful to identify
bugs.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds redirect support for nft.
The syntax is:
% nft add rule nat prerouting redirect [port] [nat_flags]
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds the new devgroup datatype to get the group name from
/etc/iproute2/group file.
Example of use:
nft add rule ip test input meta iifgroup 0 counter
nft add rule ip test input meta iifgroup default counter
Moreover, It adds tests in meta.t test file.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we add a rule like:
nft add rule bridge filter input ether type ip reject with icmpv6 type no-route
We throw an error like:
<cmdline>:1:44-49: Error: conflicting protocols specified: ip vs ip6
add rule bridge filter input ether type ip reject with icmpv6 type no-route
Now, we are going to show in which part of the rule, we have the conflict:
<cmdline>:1:51-75: Error: conflicting protocols specified: ip vs ip6
add rule bridge filter input ether type ip reject with icmpv6 type no-route
~~~~~~~~~~~~~ ^^^^^^^^^^^^^^^^^^^^^^^^^
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
inet tables
In rules like:
nft add rule inet filter input reject
or
nft add rule bridge filter input reject
we use icmpx to reject it. But if we have network context, we also use type of
reject. With this patch, we check the network context. If we don't have context,
we still use icmpx. However, if we have rules with network context like:
nft add rule inet meta nfproto ipv4 reject
or
nft add rule bridge ether type ipv6 reject
We are going to use icmp or icmpv6 to reject it taking into account the network
context.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In Inet tables, we have to check the network context in rules that we use
icmp or icmpv6 reason in reject. To be sure that the context is the correct.
However, for icmpx and tcp reject, we don't need to check it.
In Bridge tables, ee have vlan and arp traffic and they are not supported.
For this things, we have to check the network context. For example:
nft add rule bridge test-bridge input \
ether type arp reject with icmp type host-unreachable
or
nft add rule bridge test-bridge input \
ether type vlan reject with tcp reset
In that cases, we have to throw an error. Moreover, we have to accept rules
that the network context is Ipv4 and Ipv6. For example:
nft add rule -nnn bridge test-bridge input \
ip protocol tcp reject with tcp reset
Moreover, this patch refactor the code for check the family for bridge and inet
tables.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
nft add rule bridge test-bridge input ether type ip \
reject with icmpv6 type no-route
This rule pass the evaluation step but the network context is incompatible with
the reject reason. In that cases, we have to throw an error like "conflicting
protocols specified: ip vs ip6"
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
The 'struct mnl_socket *nf_sock' parameter is useless and perturbing.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Example:
nft add rule inet filter input meta l4proto udp reject with tcp reset
If we try to check if the transport protocol is tcp, we use the network context.
If we don't have this network context, we have a crash.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we use this rule:
nft add rule bridge filter input \
ether type ip reject with icmp type host-unreachable
or that:
nft add rule inet filter input \
meta nfproto ipv4 reject with icmp type host-unreachable
we have a segfault because we add a network dependency when we already have
network context.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If you add the rule:
nft add rule inet filter input reject with icmpx type host-unreachable
nft list table inet filter
shows:
table inet filter {
chain input {
reject with icmpx type 2
}
}
We have to attach the icmpx datatype when we list the rules that use it. With
this patch if we list the ruleset, the output is:
table inet filter {
chain input {
reject with icmpx type host-unreachable
}
}
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we use a rule:
nft add rule bridge filter input \
ether type ip reject with icmp type host-unreachable
or this:
nft add rule inet filter input \
meta nfproto ipv4 reject with icmp type host-unreachable
we have a segfault because we add a network dependency when we already have
network context.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This makes nftables a bit more embedded-friendly.
Signed-off-by: Steven Barth <cyrus@openwrt.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds masquerade support for nft.
The syntax is:
% nft add rule nat postrouting masquerade [flags]
Currently, flags are:
random, random-fully, persistent
Example:
% nft add rule nat postrouting masquerade random,persistent
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This is more robust than the current 'else' fallback. If we run a
newer kernel with old nft binaries, unknown messages will be
misinterpreted as deletions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Postpone the event type interpretation to the evaluation step.
This patch also fixes the combination of event and object types,
which was broken. The export code needed to be adjusted too.
The new and destroy are not tokens that can be recognized by
the scanner anymore, so this also implicitly restores 'ct state'.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds more configuration options to the nat expression.
The syntax is as follow:
% nft add rule nat postrouting <snat|dnat> <nat_arguments> [flags]
Flags are: random, persistent, random-fully.
Example:
% nft add rule nat postrouting dnat 1.1.1.1 random,persistent
A requirement is to cache some [recent] copies of kernel headers.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch allows to use the reject action in rules. For example:
nft add rule filter input udp dport 22 reject
In this rule, we assume that the reason is network unreachable. Also
we can specify the reason with the option "with" and the reason. For example:
nft add rule filter input tcp dport 22 reject with icmp type host-unreachable
In the bridge tables and inet tables, we can use this action too. For example:
nft add rule inet filter input reject with icmp type host-unreachable
In this rule above, this generates a meta nfproto dependency to match
ipv4 traffic because we use a icmpv4 reason to reject.
If the reason is not specified, we infer it from the context.
Moreover, we have the new icmpx datatype. You can use this datatype for
the bridge and the inet tables to simplify your ruleset. For example:
nft add rule inet filter input reject with icmpx type host-unreachable
We have four icmpx reason and the mapping is:
ICMPX reason | ICMPv6 | ICMPv4
| |
admin-prohibited | admin-prohibited | admin-prohibited
port-unreachable | port-unreachable | port-unreachable
no-route | no-route | net-unreachable
host-unreachable | addr-unreachable | host-unreachable
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
With this patch, this function finds the symbol inside the table. If the symbol
doesn't exist we use the basetype to parse it and create the constant
expression. Otherwise, return an error message.
This a refactorization to reuse this code in a follow up patch.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|