nftables - nft command line tool

	Commit message (Collapse)	Author	Age	Files	Lines
*	meters: do not set a defaut meter size from userspace	Florian Westphal	2018-05-29	1	-1/+1
\| \| \| \| \| \| \|	doing this breaks with older kernels as it will pick a set without and update callback. Signed-off-by: Florian Westphal <fw@strlen.de>
*	parser_bison: no need for 'name' token for meters	Pablo Neira Ayuso	2017-11-24	1	-1/+1
\| \| \| \| \| \| \|	Rework grammar to skip the 'name' token after 'meter' for named meters. For consistency with sets and maps in terms of syntax. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	src: deprecate "flow table" syntax, replace it by "meter"	Pablo Neira Ayuso	2017-11-24	1	-1/+1
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	According to bugzilla 1137: "flow tables" should not be syntactically unique. "Flow tables are always named, but they don't conform to the way sets, maps, and dictionaries work in terms of "add" and "delete" and all that. They are also "flow tables" instead of one word like "flows" or "throttle" or something. It seems weird to just have these break the syntactic expectations." Personally, I never liked the reference to "table" since we have very specific semantics in terms of what a "table" is netfilter for long time. This patch promotes "meter" as the new keyword. The former syntax is still accepted for a while, just to reduce chances of breaking things. At some point the former syntax will just be removed. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1137 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
*	tests: py: Use stateless option on tests	Elise Lennion	2017-01-18	1	-1/+1
\| \| \| \| \| \| \| \| \| \| \|	To don't trigger false errors because of unrelated traffic on the tested machine. Tests, which have rules with counter and 'ok' result, are updated to avoid new Warnings. Signed-off-by: Elise Lennion <elise.lennion@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
*	mnl: don't send empty set elements netlink message to kernel	Pablo Neira Ayuso	2016-12-14	1	-0/+7
	The following command: # nft --debug=mnl add rule x y flow table xyz { ip saddr timeout 30s counter } breaks with EINVAL. The following netlink message is causing the problem: ... ---------------- ------------------ \| 0000000044 \| \| message length \| \| 02572 \| R--- \| \| type \| flags \| \| 0000000004 \| \| sequence number\| \| 0000000000 \| \| port ID \| ---------------- ------------------ \| 02 00 00 00 \| \| extra header \| \|00008\|--\|00002\| \|len \|flags\| type\| \| 78 79 7a 00 \| \| data \| x y z \|00008\|--\|00004\| \|len \|flags\| type\| \| 00 00 00 01 \| \| data \| \|00006\|--\|00001\| \|len \|flags\| type\| \| 78 00 00 00 \| \| data \| x ---------------- ------------------ ... This is incorrect since this describes no elements at all, so it is useless. Add upfront check before iterating over the list of set elements so the netlink message is not placed in the batch. This patch also adds a set so flow tables are minimally covered. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>