summaryrefslogtreecommitdiffstats
path: root/iptables
Commit message (Collapse)AuthorAgeFilesLines
* nft: cache: Re-establish cache consistency checkPhil Sutter2020-05-111-0/+11
| | | | | | | | | | | | | Restore code ensuring __nft_build_cache() returns a consistent cache in which all ruleset elements belong to the same generation. This check was removed by commit 200bc39965149 ("nft: cache: Fix iptables-save segfault under stress") as it could lead to segfaults if a partial cache fetch was done while cache's chain list was traversed. With the new cache fetch logic, __nft_build_cache() is never called while holding references to cache entries. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: Implement --valgrind modePhil Sutter2020-05-111-0/+47
| | | | | | | | | | | | | | | | | | Wrap every call to $XT_MULTI with valgrind, or actually a wrapper script which does the valgrind wrap and stores the log if it contains something relevant. Carefully name the wrapper script(s) so that test cases' checks on $XT_MULTI name stay intact. This mode slows down testsuite execution horribly. Luckily, it's not meant for constant use, though. For now, ignore commands with non-zero exit status - error paths typically hit direct exit() calls and therefore leave reachable memory in place. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Fix for '-F' in iptables dumpsPhil Sutter2020-05-111-0/+34
| | | | | | | | | | | When restoring a dump which contains an explicit flush command, previously added rules are removed from cache and the following commit will try to create netlink messages based on freed memory. Fix this by weeding any rule-based commands from obj_list if they address the same chain. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cache: Optimize caching for flush commandPhil Sutter2020-05-113-1/+39
| | | | | | | | | | | | | | | | | | When flushing all chains and verbose mode is not enabled, nft_rule_flush() uses a shortcut: It doesn't specify a chain name for NFT_MSG_DELRULE, so the kernel will flush all existing chains without user space needing to know which they are. The above allows to avoid a chain cache, but there's a caveat: nft_xt_builtin_init() will create base chains as it assumes they are missing and thereby possibly overrides any non-default chain policies. Solve this by making nft_xt_builtin_init() cache-aware: If a command doesn't need a chain cache, there's no need to bother with creating any non-existing builtin chains, either. For the sake of completeness, also do nothing if cache is not initialized (although that shouldn't happen). Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cache: Fetch cache for specific chainsPhil Sutter2020-05-113-8/+81
| | | | | | | | | | | | | | | | | Iterate over command list and collect chains to cache. Insert them into a sorted list to pass to __nft_build_cache(). If a command is interested in all chains (e.g., --list), cmd->chain remains unset. To record this case reliably, use a boolean ('all_chains'). Otherwise, it is hard to distinguish between first call to nft_cache_level_set() and previous command with NULL cmd->chain value. When caching only specific chains, manually add builtin ones for the given table as well - otherwise nft_xt_builtin_init() will act as if they don't exist and possibly override non-default chain policies. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft-cache: Introduce __fetch_chain_cache()Phil Sutter2020-05-111-20/+30
| | | | | | | Extract the inner part of fetch_chain_cache() into a dedicated function, preparing for individual chain caching. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft-cache: Fetch cache per tablePhil Sutter2020-05-117-44/+64
| | | | | | | | | | | | | | | | | | | | | | | | | | | Restore per-table operation of cache routines as initially implemented in commit e2883c5531e6e ("nft-cache: Support partial cache per table"). As before, this doesn't limit fetching of tables (their number is supposed to be low) but instead limits fetching of sets, chains and rules to the specified table. For this to behave correctly when restoring without flushing over multiple tables, cache must be freed fully after each commit - otherwise the previous table's cache level is reused for the current one. The exception being fake cache, used for flushing restore: NFT_CL_FAKE is set just once at program startup, so it must stay set otherwise consecutive tables cause pointless cache fetching. The sole use-case requiring a multi-table cache, iptables-save, is indicated by req->table being NULL. Therefore, req->table assignment is a bit sloppy: All calls to nft_cache_level_set() are assumed to set the same table value, collision detection exists merely to catch programming mistakes. Make nft_fini() call nft_release_cache() instead of flush_chain_cache(), the former does a full cache deinit including cache_req contents. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cache: Introduce struct nft_cache_reqPhil Sutter2020-05-112-16/+22
| | | | | | | | | | This embedded struct collects cache requirement info gathered from parsed nft_cmds and is interpreted by __nft_build_cache(). While being at it, remove unused parameters passed to the latter function, nft_handle pointer is sufficient. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cache: Improve fake cache integrationPhil Sutter2020-05-113-15/+4
| | | | | | | | With NFT_CL_FAKE being highest cache level while at the same time __nft_build_cache() treating it equal to NFT_CL_TABLES, no special handling for fake cache is required anymore. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cache: Simplify rule and set fetchersPhil Sutter2020-05-111-15/+5
| | | | | | | | | | | | Since no incremental cache fetching happens anymore, code fetching rules for chains or elements for sets may safely assume that whatever is in cache also didn't get populated with rules or elements before. Therefore no (optional) chain name needs to be passed on to fetch_rule_cache() and fetch_set_cache() doesn't have to select for which sets in a table to call set_fetch_elem_cb(). Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: missing nft_fini() call in bridge familyPablo Neira Ayuso2020-05-111-0/+2
| | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: remove cache build callsPablo Neira Ayuso2020-05-113-42/+0
| | | | | | | | | The cache requirements are now calculated once from the parsing phase. There is no need to call __nft_build_cache() from several spots in the codepath anymore. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: restore among supportPablo Neira Ayuso2020-05-113-2/+32
| | | | | | | Update among support to work again with the new parser and cache logic. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: calculate cache requirements from list of commandsPablo Neira Ayuso2020-05-118-127/+119
| | | | | | | | | | | | | | | | | | | | This patch uses the new list of commands to calculate the cache requirements, the rationale after this updates is the following: #1 Parsing, that builds the list of commands and it also calculates cache level requirements. #2 Cache building. #3 Translate commands to jobs #4 Translate jobs to netlink This patch removes the pre-parsing code in xtables-restore.c to calculate the cache. After this patch, cache is calculated only once, there is no need to cancel and refetch for an in-transit transaction. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: split parsing from netlink commandsPablo Neira Ayuso2020-05-1115-143/+726
| | | | | | | | | | | | | | This patch updates the parser to generate a list of command objects. This list of commands is then transformed to a list of netlink jobs. This new command object stores the rule using the nftnl representation via nft_rule_new(). To reduce the number of updates in this patch, the nft_*_rule_find() functions have been updated to restore the native representation to skip the update of the rule comparison code. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Phil Sutter <phil@nwl.cc>
* ebtables-restore: Table line to trigger implicit commitPhil Sutter2020-05-111-0/+4
| | | | | | | | | | | | | | Cache code is suited for holding multiple tables' data at once. The only users of that are xtables-save and ebtables-restore with its support for multiple tables and lack of explicit COMMIT lines. Remove the second user by introducing implicit commits upon table line parsing. This would allow to make cache single table only, but then xtables-save would fetch cache multiple times (once for each table) and therefore lose atomicity with regards to the acquired kernel ruleset image. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cache: Fetch sets per tablePhil Sutter2020-05-111-11/+15
| | | | | | | Kernel accepts a table name when dumping sets, so make use of that in case a table was passed to fetch_set_cache() but no set name. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cache: Init per table set list along with chain listPhil Sutter2020-05-111-15/+4
| | | | | | | This simplifies code a bit and also aligns set and chain lists handling in cache. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cache: Eliminate init_chain_cache()Phil Sutter2020-05-111-12/+4
| | | | | | | The function is always called immediately after fetch_table_cache(), so merge it into the latter. Signed-off-by: Phil Sutter <phil@nwl.cc>
* ebtables-restore: Drop custom table flush routinePhil Sutter2020-05-113-30/+1
| | | | | | | | At least since flushing xtables-restore doesn't fetch chains from kernel anymore, problems with pending policy rule delete jobs can't happen anymore. Signed-off-by: Phil Sutter <phil@nwl.cc>
* iptables: flush stdout after every verbose log.Maciej Żenczykowski2020-05-112-2/+6
| | | | | | | | | | | | | | | | | | | | | Ensures that each logged line is flushed to stdout after it's written, and not held in any buffer. Places to modify found via: git grep -C5 'fputs[(]buffer, stdout[)];' On Android iptables-restore -v is run as netd daemon's child process and fed actions via pipe. '#PING' is used to verify the child is still responsive, and thus needs to be unbuffered. Luckily if you're running iptables-restore in verbose mode you probably either don't care about performance or - like Android - actually need this. Test: builds, required on Android for ip6?tables-restore netd subprocess health monitoring. Signed-off-by: Maciej Żenczykowski <maze@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Add test for nfbz#1391Phil Sutter2020-04-281-0/+7
| | | | | | | | Problem is fixed since commit c550c81fd373e ("nft: cache: Fix nft_release_cache() under stress"), looks like another case of use-after-free. Signed-off-by: Phil Sutter <phil@nwl.cc>
* iptables: include sys/time.h to fix lack of struct timeval declarationMaciej Żenczykowski2020-04-281-0/+1
| | | | | | | | | | | | | | | This fixes clang compiler warnings: iptables/xshared.h:176:50: error: declaration of 'struct timeval' will not be visible outside of this function [-Werror,-Wvisibility] extern int xtables_lock_or_exit(int wait, struct timeval *tv); ^ iptables/xshared.h:179:57: error: declaration of 'struct timeval' will not be visible outside of this function [-Werror,-Wvisibility] void parse_wait_interval(int argc, char *argv[], struct timeval *wait_interval); ^ Test: builds with less warnings Signed-off-by: Maciej Żenczykowski <maze@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Test -F in dump filesPhil Sutter2020-04-231-0/+12
| | | | | | | While not really useful, iptables-nft-restore shouldn't segfault either. This tests the problem described in nfbz#1407. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: Extend ipt-restore/0004-restore-race_0Phil Sutter2020-04-231-3/+2
| | | | | | | | | Add a second table to dump/restore. This triggers failures after reverting c550c81fd373e ("nft: cache: Fix nft_release_cache() under stress"), hence acts as a reproducer for the bug fixed by that commit as well. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: Improve ipt-restore/0001load-specific-table_0 a bitPhil Sutter2020-04-231-1/+1
| | | | | | | | Instead of reading from stdin, pass dump file as regular parameter. This way dump file name occurs in 'bash -x' output which helps finding out where things fail. Signed-off-by: Phil Sutter <phil@nwl.cc>
* xshared: Drop pointless assignment in add_param_to_argv()Phil Sutter2020-04-231-1/+0
| | | | | | This must be a leftover from a previous cleanup. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft-shared: skip check for jumpto if cs->target is unsetPablo Neira Ayuso2020-04-151-1/+2
| | | | | | | | | The command_jump() function leaves cs->target unset if the target is not found. Let's check if the jumpto string mismatches only in this case. https://bugzilla.netfilter.org/show_bug.cgi?id=1422 Tested-by: Etienne Champetier <etienne.champetier@anevia.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: cache: Fix iptables-save segfault under stressPhil Sutter2020-03-161-14/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If kernel ruleset is constantly changing, code called by nft_is_table_compatible() may crash: For each item in table's chain list, nft_is_chain_compatible() is called. This in turn calls nft_build_cache() to fetch chain's rules. Though if kernel genid has changed meanwhile, cache is flushed and rebuilt from scratch, thereby freeing table's chain list - the foreach loop in nft_is_table_compatible() then operates on freed memory. A simple reproducer (may need a few calls): | RULESET='*filter | :INPUT ACCEPT [10517:1483527] | :FORWARD ACCEPT [0:0] | :OUTPUT ACCEPT [1714:105671] | COMMIT | ' | | for ((i = 0; i < 100; i++)); do | iptables-nft-restore <<< "$RULESET" & | done & | iptables-nft-save To fix the problem, basically revert commit ab1cd3b510fa5 ("nft: ensure cache consistency") so that __nft_build_cache() no longer flushes the cache. Instead just record kernel's genid when fetching for the first time. If kernel rule set changes until the changes are committed, the commit simply fails and local cache is being rebuilt. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cache: Fix for unused variable warningsPhil Sutter2020-03-161-3/+1
| | | | | | | Loop index variable was left in place after removing the loops. Fixes: 39ec645093baa ("nft: cache: Simplify chain list allocation") Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cache: Review flush_cache()Phil Sutter2020-03-061-9/+11
| | | | | | | | | While fixing for iptables-nft-restore under stress, I managed to hit NULL-pointer deref in flush_cache(). Given that nftnl_*_list_free() functions are not NULL-pointer tolerant, better make sure such are not passed by accident. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cache: Simplify chain list allocationPhil Sutter2020-03-061-27/+19
| | | | | | | | | | Allocate chain lists right after fetching table cache, regardless of whether partial cache is fetched or not. Chain list pointers reside in struct nft_cache's table array and hence are present irrespective of actual tables in kernel. Given the small number of tables, there wasn't much overhead avoided by the conditional in fetch_chain_cache(). Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cache: Make nft_rebuild_cache() respect fake cachePhil Sutter2020-03-062-4/+10
| | | | | | | | | | | | If transaction needed a refresh in nft_action(), restore with flush would fetch a full cache instead of merely refreshing table list contained in "fake" cache. To fix this, nft_rebuild_cache() must distinguish between fake cache and full rule cache. Therefore introduce NFT_CL_FAKE to be distinguished from NFT_CL_RULES. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: cache: Fix nft_release_cache() under stressPhil Sutter2020-03-061-2/+8
| | | | | | | | | | | | | | | | | iptables-nft-restore calls nft_action(h, NFT_COMPAT_COMMIT) for each COMMIT line in input. When restoring a dump containing multiple large tables, chances are nft_rebuild_cache() has to run multiple times. If the above happens, consecutive table contents are added to __cache[1] which nft_rebuild_cache() then frees, so next commit attempt accesses invalid memory. Fix this by making nft_release_cache() (called after each successful commit) return things into pre-rebuild state again, but keeping the fresh cache copy. Fixes: f6ad231d698c7 ("nft: keep original cache in case of ERESTART") Signed-off-by: Phil Sutter <phil@nwl.cc>
* xtables: Review nft_init()Phil Sutter2020-02-2410-42/+24
| | | | | | | | | | | | | | | | | Move common code into nft_init(), such as: * initial zeroing nft_handle fields * family ops lookup and assignment to 'ops' field * setting of 'family' field This requires minor adjustments in xtables_restore_main() so extra field initialization doesn't happen before nft_init() call. As a side-effect, this fixes segfaulting xtables-monitor binary when printing rules for trace event as in that code-path 'ops' field wasn't initialized. Signed-off-by: Phil Sutter <phil@nwl.cc>
* xtables: Drop -4 and -6 support from xtables-{save,restore}Phil Sutter2020-02-242-18/+2
| | | | | | Legacy tools don't support those options, either. Signed-off-by: Phil Sutter <phil@nwl.cc>
* xtables: Align effect of -4/-6 options with legacyPhil Sutter2020-02-242-13/+96
| | | | | | | | | | Legacy iptables doesn't accept -4 or -6 if they don't match the symlink's native family. The only exception to that is iptables-restore which simply ignores the lines introduced by non-matching options, which is useful to create combined dump files for feeding into both iptables-restore and ip6tables-restore. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Drop pointless assignmentPhil Sutter2020-02-181-1/+0
| | | | | | | | No need to set 'i' to zero here, it is not used before the next assignment. Fixes: 77e6a93d5c9dc ("xtables: add and set "implict" flag on transaction objects") Signed-off-by: Phil Sutter <phil@nwl.cc>
* ebtables: among: Support mixed MAC and MAC/IP entriesPhil Sutter2020-02-182-5/+19
| | | | | | | | | | | | | | Powered by Stefano's support for concatenated ranges, a full among match replacement can be implemented. The trick is to add MAC-only elements as a concatenation of MAC and zero-length prefix, i.e. a range from 0.0.0.0 till 255.255.255.255. Although not quite needed, detection of pure MAC-only matches is left in place. For those, no implicit 'meta protocol' match is added (which is required otherwise at least to keep nft output correct) and no concat type is used for the set. Signed-off-by: Phil Sutter <phil@nwl.cc>
* xtables-translate: Fix for iface++Phil Sutter2020-02-141-3/+3
| | | | | | | | | In legacy iptables, only the last plus sign remains special, any previous ones are taken literally. Therefore xtables-translate must not replace all of them with asterisk but just the last one. Fixes: e179e87a1179e ("xtables-translate: Fix for interface name corner-cases") Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: Fix skip checks with --host modePhil Sutter2020-02-1413-84/+88
| | | | | | | | | | When testing host binaries, XT_MULTI variable contains just the program name without path component which most skip checks didn't expect. Fix them, and while being at it also reduce indenting level in two scripts by moving the skip check up front with an early exit call. Fixes: 416898e335322 ("tests/shell: Support testing host binaries") Signed-off-by: Phil Sutter <phil@nwl.cc>
* xtables-restore: fix for --noflush and empty linesPhil Sutter2020-02-122-3/+21
| | | | | | | | | | | | | | | | | | | | | | Lookahead buffer used for cache requirements estimate in restore --noflush separates individual lines with nul-chars. Two consecutive nul-chars are interpreted as end of buffer and remaining buffer content is skipped. Sadly, reading an empty line (i.e., one containing a newline character only) caused double nul-chars to appear in buffer as well, leading to premature stop when reading cached lines from buffer. To fix that, make use of xtables_restore_parse_line() skipping empty lines without calling strtok() and just leave the newline character in place. A more intuitive approach, namely skipping empty lines while buffering, is deliberately not chosen as that would cause wrong values in 'line' variable. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1400 Fixes: 09cb517949e69 ("xtables-restore: Improve performance of --noflush operation") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
* xtables-translate: Fix for interface name corner-casesPhil Sutter2020-02-111-5/+28
| | | | | | | | | | | | | | | | | | There are two special situations xlate_ifname() didn't cover for: * Interface name containing '*': This went unchanged, creating a command nft wouldn't accept. Instead translate into '\*' which doesn't change semantics. * Interface name being '+': Can't translate into nft wildcard character as nft doesn't accept asterisk-only interface names. Instead decide what to do based on 'invert' value: Skip match creation if false, match against an invalid interface name if true. Also add a test to make sure future changes to this behaviour are noticed. Signed-off-by: Phil Sutter <phil@nwl.cc>
* xtables-translate: Guard strcpy() call in xlate_ifname()Phil Sutter2019-12-061-3/+2
| | | | | | | | The function potentially fed overlong strings to strcpy(). Given that everything needed to avoid this is there, reorder code a bit to prevent those inputs, too. Fixes: 0ddd663e9c167 ("iptables-translate: add in/out ifname wildcard match translation to nft")
* xtables-restore: Avoid access of uninitialized dataPhil Sutter2019-12-061-1/+1
| | | | | | | When flushing, 'buffer' is not written to prior to checking its first byte's value. Therefore it needs to be initialized upon declaration. Fixes: 09cb517949e69 ("xtables-restore: Improve performance of --noflush operation")
* iptables-apply: script and manpage updategw.2010@tnode.com2019-12-052-106/+242
| | | | | | | | | | | | | | | | | | | This is GW's update to iptables-apply. It does a code cleanup and adds two options: one runs a command and the other writes the sucessful rules file. I modified the script to use mktemp instead of tempfile. I also fixed a couple of hyphens in the man page addition. Arturo says: I'm not a strong supporter of this script, but there are many users of it, so better do things right and add this patch that should produce no harm anyway. This patch is forwarded from the iptables Debian package, where it has been around for many years now. Signed-off-by: GW <gw.2010@tnode.com> Signed-off-by: Laurence J. Lane <ljlane@debian.org> Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: mention iptables-apply(8) in manpagesLaurence J. Lane2019-12-052-2/+2
| | | | | | | | | | | | Add iptables-apply(8) to the SEE ALSO section of *-save(8) and *-restore(8). Arturo says: This patch is forwarded from the iptables Debian package, where it has been around for many years now. Signed-off-by: Laurence J. Lane <ljlane@debian.org> Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: cleanup "allows to" usageLaurence J. Lane2019-12-051-2/+2
| | | | | | | | | | | | Gramatical cleanup. Arturo says: This patch is forwarded from the iptables Debian package, where it has been around for many years now. Signed-off-by: Laurence J. Lane <ljlane@debian.org> Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: install iptables-apply script and manpageLaurence J. Lane2019-12-052-1/+7
| | | | | | | | | | | | | | | We have the iptables-apply script in the tree (and in the release tarball), but is not being installed anywhere. Same for the manpage. Arturo says: I'm not a strong supporter of this script, but there are many users of it, so better do things right and do a proper installation. This patch is forwarded from the iptables Debian package, where it has been around for many years now. Signed-off-by: Laurence J. Lane <ljlane@debian.org> Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-restore: Fix parser feed from line bufferPhil Sutter2019-12-042-1/+13
| | | | | | | | | | | | When called with --noflush, xtables-restore would trip over chain lines: Parser uses strtok() to separate chain name, policy and counters which inserts nul-chars into the source string. Therefore strlen() can't be used anymore to find end of line. Fix this by caching line length before calling xtables_restore_parse_line(). Fixes: 09cb517949e69 ("xtables-restore: Improve performance of --noflush operation") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>