summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* src: use NFT_OSF_MAXGENRELEN instead of IFNAMSIZ in osf.cFernando Fernandez Mancera2018-08-071-3/+1
| | | | | | | | As no "genre" in pf.os exceed 16 bytes of length, we reduce NFT_OSF_MAXGENRELEN parameter to 16 bytes and use it instead of IFNAMSIZ. Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: introduce passive OS fingerprint matchingFernando Fernandez Mancera2018-08-047-0/+84
| | | | | | | | | | | | | | Add support for "osf" expression. Example: table ip foo { chain bar { type filter hook input priority 0; policy accept; osf name "Linux" counter packets 3 bytes 132 } } Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Expose socket mark via socket expressionMáté Eckl2018-08-034-7/+22
| | | | | | | | This can be used like ct mark or meta mark except it cannot be set. doc and tests are included. Signed-off-by: Máté Eckl <ecklm94@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Add tproxy supportMáté Eckl2018-08-036-0/+267
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds support for transparent proxy functionality which is supported in ip, ip6 and inet tables. The syntax is the following: tproxy [{|ip|ip6}] to {<ip address>|:<port>|<ip address>:<port>} It looks for a socket listening on the specified address or port and assigns it to the matching packet. In an inet table, a packet matches for both families until address is specified. Network protocol family has to be specified **only** in inet tables if address is specified. As transparent proxy support is implemented for sockets with layer 4 information, a transport protocol header criterion has to be set in the same rule. eg. 'meta l4proto tcp' or 'udp dport 4444' Example ruleset: table ip x { chain y { type filter hook prerouting priority -150; policy accept; tcp dport ntp tproxy to 1.1.1.1 udp dport ssh tproxy to :2222 } } table ip6 x { chain y { type filter hook prerouting priority -150; policy accept; tcp dport ntp tproxy to [dead::beef] udp dport ssh tproxy to :2222 } } table inet x { chain y { type filter hook prerouting priority -150; policy accept; tcp dport 321 tproxy to :ssh tcp dport 99 tproxy ip to 1.1.1.1:999 udp dport 155 tproxy ip6 to [dead::beef]:smux } } Signed-off-by: Máté Eckl <ecklm94@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: meta: always prefix 'meta' for almost all tokensFlorian Westphal2018-07-211-16/+13
| | | | | | | | | | | | | | | | | | got following bug report: nft add ... ct mark set mark and 0x10 ... always sets 0. What reporter meant to write instead was 'ct mark', not 'mark'. We can't just remove support for 'mark' and force 'meta mark', but we can start to discourage it by printing meta prefix too. Later on, we could start to print deprecation warning if needed. Followup patch can also change "iifname" etc. to "meta iifname". Signed-off-by: Florian Westphal <fw@strlen.de>
* rule: list only the table containing objectHarsha Sharma2018-07-101-7/+5
| | | | | | | | | | | | | | | | | | | For e.g. % nft list ct helper ip raw cthelp1 table ip filter { } table ip raw { ct helper cthelp1 { type "ftp" protocol tcp l3proto ip } } With this patch, print only table raw. Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: set: print dynamic flag when setFlorian Westphal2018-07-071-1/+5
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: skip evaluation of datatype concatenationsPablo Neira Ayuso2018-07-071-4/+5
| | | | | | | | | These are not really expressions, so there is not value in place. The expr_evaluate_concat() is called from set_evaluate() to calculate the total length of the tuple. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1265 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add --literal optionPablo Neira Ayuso2018-07-073-11/+32
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Default not to print the service name as we discussed during the NFWS. # nft list ruleset table ip x { chain y { tcp dport 22 ip saddr 1.1.1.1 } } # nft -l list ruleset table ip x { chain y { tcp dport ssh ip saddr 1.1.1.1 } } # nft -ll list ruleset table ip x { chain y { tcp dport 22 ip saddr 1dot1dot1dot1.cloudflare-dns.com } } Then, -ll displays FQDN. just like the (now deprecated) --ip2name (-N) option. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: limit: don't print default burst valueFlorian Westphal2018-07-041-1/+1
| | | | | | | | | | | | limit http-traffic { rate 1/second } gets printed as limit http-traffic { rate 1/second burst 5 packets } caused tests/shell/run-tests.sh tests/shell/testcases/sets/0026named_limit_0 to return 'DUMP FAIL'. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: Refactor meta_may_dependency_kill()Phil Sutter2018-06-261-40/+43
| | | | | | | | | | | | | | | | The original intent was to fix a bug: The following rule in inet table: | meta nfproto ipv4 icmpv6 type echo-reply Was added correctly but when printing the meta match was falsely removed. The fix is to deny dependency killing if RHS family of nfproto match doesn't match RHS family of l4proto match. Adding this to the already large conditional led to even more unreadable code, therefore this patch tries to clean that up (and also removes the partial code duplication. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: trace: fix policy printingFlorian Westphal2018-06-261-1/+30
| | | | | | | | | | | | | | | | | | | | policy type is erronously handled via verdict, this is wrong. It is a different event type and needs to be handled as such. before: trace id 42b54e71 inet filter input packet: iif "lo" ip saddr 127.0.0.1 .. trace id 42b54e71 inet filter input rule ip protocol icmp nftrace set 1 (verdict continue) trace id 42b54e71 inet filter input verdict continue trace id 42b54e71 inet filter input after: trace id 9f40c5c7 inet filter input packet: iif "lo" ip saddr 127.0.0.1 .. trace id 9f40c5c7 inet filter input rule ip protocol icmp nftrace set 1 (verdict continue) trace id 9f40c5c7 inet filter input verdict continue trace id 9f40c5c7 inet filter input policy drop Reported-by: vtol@gmx.net Signed-off-by: Florian Westphal <fw@strlen.de>
* Makefile: Introduce Make_global.amPhil Sutter2018-06-181-1/+3
| | | | | | | | | Analogous to libnftnl's build system, define libnftables interface version in a variable in Make_global.am. Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: Do not convert tabs into spacesPhil Sutter2018-06-181-15/+1
| | | | | | | | | | | | | | | | | | | | | Commit 2f86dd5a43baf ("erec: Review erec_print()") changed erec_print() function to expect tabs in input by replacing the whitespace character in the marker line at the same offset with a tab character so that the marker aligns with the offending part of input. The need for that came from JSON input not having its tabs converted to spaces, which erec_print() didn't expect. Above change though has a shortcoming: When reading standard syntax input from a file, Flex code converts tabs into spaces. Location information is taken from this converted input, but when printing an error message, the offending input line is read from the input file directly (which still contains tabs). The solution is to simply drop said tab conversion from scanner.l. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Simplify nft_run_cmd_from_buffer footprintPhil Sutter2018-06-185-11/+10
| | | | | | | | | | | | | | | | | | | | | | | With libnftables documentation being upstream and one confirmed external user (nftlb), time to break the API! First of all, the command buffer passed to nft_run_cmd_from_buffer may (and should) be const. One should consider it a bug if that function ever changed it's content. On the other hand, there is no point in passing the buffer's length as separate argument: NULL bytes are not expected to occur in the input, so it is safe to rely upon strlen(). Also, the actual parsers don't require a buffer length passed to them, either. The only use-case for it is when reallocating the buffer to append a final newline character, there strlen() is perfectly sufficient. Suggested-by: Harald Welte <laforge@gnumonks.org> Cc: Laura Garcia Liebana <nevola@gmail.com> Cc: Eric Leblond <eric@regit.org> Cc: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Fix exit_cookie()Phil Sutter2018-06-181-0/+2
| | | | | | | | | | | | | | | | | | The output and error buffer feature depends on cookie->orig_fp to indicate the current status of buffering: If it is set, a prior call to init_cookie() is assumed. Though exit_cookie() missed to reset that pointer to NULL. causing weird behaviour in applications if they do: | nft = nft_ctx_new(0); | nft_ctx_buffer_output(nft); | nft_ctx_unbuffer_output(nft); | nft_ctx_buffer_output(nft); While being at it, apply the same fix to error path in init_cookie() as well. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add dynamic flag and use itPablo Neira Ayuso2018-06-122-0/+3
| | | | | | | We need to signal the kernel to use a set backend that supports dynamic updates. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: add stolen verdictFlorian Westphal2018-06-121-1/+5
| | | | | | | | | | | | | | | using fwd statement causes crash when using nft trace: trace id ddbbaae2 netdev vpn ingress_out packet: iif "enp2s0" ether saddr 78:54:00:29:bb:aa ether daddr 52:54:00:01:53:9f ip saddr 85.14.236.41 ip daddr 17.25.63.98 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 49036 ip length 84 icmp type echo-reply icmp code 0 icmp id 16947 icmp sequence 4 trace id ddbbaae2 netdev vpn ingress_out rule ip saddr 85.14.236.41 nftrace set 1 (verdict continue) trace id ddbbaae2 netdev vpn ingress_out rule ip saddr 85.14.236.41 ether saddr set aa:bb:00:18:cc:dd ether daddr set 00:00:5e:00:00:11 fwd to "enp1s0" BUG: invalid verdict value 2 nft: datatype.c:282: verdict_type_print: Assertion `0' failed. ADd stolen verdict (2) and remove the BUG statement. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1261 Signed-off-by: Florian Westphal <fw@strlen.de>
* JSON: Support latest enhancements of fwd statementPhil Sutter2018-06-112-4/+49
| | | | | | | | | | | | | JSON equivalent of fwd statement was too primitive to support the added address and family parameters, so make its value an object and accept the device expression as value of a "dev" property in there. Then add optional "addr" and "family" properties to it. While being at it, add a testcase to make sure the extended syntax works right. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Add support for connlimit statementPhil Sutter2018-06-113-0/+30
| | | | | Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Add support for socket expressionPhil Sutter2018-06-113-0/+31
| | | | | Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Don't print burst if equal to 5Phil Sutter2018-06-111-1/+1
| | | | | | | | Analogous to commit 3dddef928d80d ("statement: don't print burst if equals 5"), don't print the default burst value. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Call verdict maps 'vmap' in JSON as wellPhil Sutter2018-06-112-2/+8
| | | | | | | This way JSON format is more consistent with the standard one. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: netlink_delinarize: don't stop when encountering unsupported expressionFlorian Westphal2018-06-071-1/+1
| | | | | | | | | | | | | | | | | | | | | | | The error message is still shown, but try to make sense of further expressions (if any). I tried to replace the expression by a textual representation. Two variants I tested are: 1. append as comment: ip saddr 127.0.0.2 drop comment "unknown expression 'foo'" This allows nft -f, but it adds/alters a comment. 2. substitute in-place (i.e., add a constant expression with the error message instead of 'unkown' message: unknown expression "foo" ip saddr 127.0.0.2 drop This won't allow 'nft -f' however. I'm not sure this is a problem, in any case we lose information if we can't find an expression (e.g. added by newer version). Signed-off-by: Florian Westphal <fw@strlen.de>
* src: do not reset generation ID on ruleset flushPablo Neira Ayuso2018-06-072-3/+21
| | | | | | | | If 'flush ruleset' command is done, release the cache but still keep the generation ID around. Hence, follow up calls to cache_update() will assume that cache is updated and will not perform a netlink dump. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Introduce socket matchingMáté Eckl2018-06-067-0/+117
| | | | | | | | | | | | | | | | For now it can only match sockets with IP(V6)_TRANSPARENT socket option set. Example: table inet sockin { chain sockchain { type filter hook prerouting priority -150; policy accept; socket transparent 1 mark set 0x00000001 nftrace set 1 counter packets 9 bytes 504 accept } } Signed-off-by: Máté Eckl <ecklm94@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: extend fwd statement to support address and familyPablo Neira Ayuso2018-06-067-19/+117
| | | | | | | | Allow to forward packets through to explicit destination and interface. nft add rule netdev x y fwd ip to 192.168.2.200 device eth0 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: connlimit supportPablo Neira Ayuso2018-06-065-2/+72
| | | | | | | | | | | | | | This patch adds support for the new connlimit stateful expression, that provides a mapping with the connlimit iptables extension through meters. eg. nft add rule filter input tcp dport 22 \ meter test { ip saddr ct count over 2 } counter reject This limits the maximum amount incoming of SSH connections per source address up to 2 simultaneous connections. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nat: Eliminate misuse of AF_*Máté Eckl2018-06-062-5/+5
| | | | | | | | | Although the value of AF_INET and NFPROTO_IPV4 is the same, the use of AF_INET was misleading when checking the proto family. Same with AF_INET6. Signed-off-by: Máté Eckl <ecklm94@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: explicitly deny concatenated types in interval setsPhil Sutter2018-06-061-0/+4
| | | | | | | | | | | | | | | | | | | | | Previously, this triggered a program abort: | # nft add table ip t | # nft add set ip t my_set '{ type ipv4_addr . inet_service ; flags interval ; }' | # nft add element ip t my_set '{10.0.0.1 . tcp }' | BUG: invalid range expression type concat | nft: expression.c:1085: range_expr_value_low: Assertion `0' failed. With this patch in place, the 'add set' command above gives an error message: | # nft add set ip t my_set3 '{ type ipv4_addr . inet_service ; flags interval ; }' | Error: concatenated types not supported in interval sets | add set ip t my_set3 { type ipv4_addr . inet_service ; flags interval ; } | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* log: Add support for audit loggingPhil Sutter2018-06-033-3/+10
| | | | | | | | | | | This is implemented via a pseudo log level. The kernel ignores any other parameter, so reject those at evaluation stage. Audit logging is therefore simply a matter of: | log level audit Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Review large number parsing/printingPhil Sutter2018-06-032-25/+29
| | | | | | | | | When parsing large (uint64_t) values, capital 'I' has to be used in format string. While being at it, make sure JSON output code handles those variables correctly, too. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Fix replace command parserPhil Sutter2018-06-031-1/+2
| | | | | | | | This was completely broken. Yet another indicator the JSON API part of testsuite is insufficient. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Fix add rule with indexPhil Sutter2018-06-031-1/+1
| | | | | | | | | This was missed by commit fb557b5546084 ("JSON: Sort out rule position and handles in general"): When adding a rule, the parser would still expect "pos" property instead of "index". Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Simplify verdict statement parsingPhil Sutter2018-06-031-36/+3
| | | | | | | | Reuse verdict expression parsing routine. Since the statement simply wraps an expression, this change is an obvious one. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Simplify wildcard expressionPhil Sutter2018-06-031-12/+11
| | | | | | | | Instead of dedicating an object for it ('{ "*": null }'), just use a string consisting of an asterisk as sole character. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: Merge wildcard_rhs_expr and wildcard_stmt_exprPhil Sutter2018-06-031-18/+7
| | | | | | | | The two are absolutely identical, just referenced at different places. Since there is no need for the distinction, just merge them into one. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Simplify immediate value parsingPhil Sutter2018-06-011-45/+31
| | | | | | | | | | | | | | | Since an explicit "immediate" expression doesn't exist in JSON (the values are represented as plain JSON string/integer/boolean types), there is no need for json_parse_immediate_expr() to comply to the common expression parser parameter format. Apart from that: * Drop CTX_F_RHS checks - caller assures sane context already. * Improve error message a bit for denied JSON types. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Fix parsing of meter statement keyPhil Sutter2018-06-011-2/+2
| | | | | | | | | The key must be a set elem expression, but if a "regular" expression was provided (which should be commonly accepted in case no set elem specific properties are required), the resulting object tree crashed libnftables. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Improve prefix expression parsing error message a bitPhil Sutter2018-06-011-1/+1
| | | | | Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Simplify tcp option expression parsing a bitPhil Sutter2018-06-011-3/+2
| | | | | | | | When parsing the optional "field" property, use return code of json_unpack() directly to check if it was present or not. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Fix parsing and printing of limit objectsPhil Sutter2018-06-012-44/+48
| | | | | | | | Fix parsing and printing of named limit objects by aligning the code with parser/printer of anonymous ones. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Review set elem expressionsPhil Sutter2018-06-012-14/+7
| | | | | | | | | | | | * There is no need to prefix element-specific properties with 'elem_', they can't conflict. * In json_parse_set_stmt(), searching for above properties is pointless since that's already done by called function. * Fix potential NULL-pointer deref in json_parse_set_elem_expr_stmt(): json_parse_flagged_expr() may return NULL. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Review meter statement supportPhil Sutter2018-06-012-7/+9
| | | | | | | | | Meter name being optional seems to come from old flow statement, so don't support this. Also add size support as was recently added to standard syntax. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Sort out rule position and handles in generalPhil Sutter2018-06-012-29/+22
| | | | | | | | | | | | | | | | | | | | | | | | First of all, don't print the position property when listing rules. This was there only because libnftnl JSON output has it too, but since the preferred way to *add* a rule at some location is via 'handle' keyword, keeping "position" in output would be non-intuitive. Changing "position" property name to "handle" instead is also a no-go since that would clash with the real rule handle. Secondly, turn all handle output on regardless of octx->handle setting. For a programmatic API like JSON, this should be fine. Thirdly, fix rule locations when parsing JSON: Respect "handle" property for CMD_INSERT and CMD_ADD and ignore "pos" at all (actually even a typo, should have read "position"). Also support "index" property recently added to standard syntax. Finally, adjust nft-test.py for the above changes: There is no "position" property to drop from rule output, and "handle" property will always be present. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Disallow non-array concat expression valuesPhil Sutter2018-06-011-3/+1
| | | | | | | | Concat expressions with just a single element don't make sense, so there's no point in supporting a shorter syntax for this. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Use "type" for CT helper objectPhil Sutter2018-06-012-3/+3
| | | | | | | Property name "helper" was a bit unclear, "type" is better. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* objref: Use "ct helper" for NFT_OBJECT_CT_HELPERPhil Sutter2018-06-012-2/+2
| | | | | | | | | Change name of NFT_OBJECT_CT_HELPER in objref_type table to "ct helper" for consistency. Note that this is not used in regular nft output since objref_stmt_print() treats this object type separately. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* statement: old kernels are allowing burst zero, don't print itPablo Neira Ayuso2018-05-301-1/+1
| | | | | | | | Don't print limit burst zero which was the default value in old kernels, this is not allowed in more recent kernels that now operate like iptables xt_limit which is what users are expecting. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* statement: don't print burst if equals 5Pablo Neira Ayuso2018-05-291-1/+1
| | | | | | | This is the default value we use if not specified, don't print it just like we do in iptables. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>