| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Otherwise parsing with basetypes doesn't work. Now nft displays
an error when the symbolic constant is not correct:
<cmdline>:1:29-31: Error: Could not parse conntrack state
add rule test test ct state xxx accept
^^^
Use .sym_tbl instead and default on the symbol_constant_parse()
function from the ethertype and pkttype, this simplifies the code and
(more importantly) it avoids a breakage after the change in
integer_type_parse().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following example:
# nft add rule filter input ct state 8 accept
Segmentation fault
leads to a crash because we have the following datatype relation:
ct_state -> bitmask -> integer
The bitmask, which is an intermediate basetype, has no parse()
function, this leads to a crash in symbolic_constant_parse().
Patrick suggested to walk down the chain until we find a parser
function.
Reported-by: leroy christophe <christophe.leroy@c-s.fr>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This suppresses several superfluous errors:
any/meta.t: ERROR: line 168: nft add rule ip test-ip4 input meta iifgroup {11,33}: This rule should not have failed.
any/meta.t: ERROR: line 178: nft add rule ip test-ip4 input meta oifgroup {11,33}: This rule should not have failed.
ip/masquerade.t: ERROR: line 23: nft add rule ip4 test-ip4 output tcp dport {1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} masquerade: This rule should not have failed.
ip6/masquerade.t: ERROR: line 23: nft add rule ip6 test-ip6 output tcp dport {1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} masquerade: This rule should not have failed.
This needs a space before the list of elements in the set, otherwise
bash here misinterprets the set.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
queue options are now expressed as flags, so you have to use
comma separated values.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new attribute of meta is "cgroup".
Example of use in nft:
# nft add rule ip test output meta cgroup != 0x100001 counter drop
Moreover, this adds tests to the meta.t test file.
The kernel support is addedin the commit:
ce67417 ("netfilter: nft_meta: add cgroup support")
The libnftnl support is add in the commit:
1d4a480 ("expr: meta: Add cgroup support")
More information about the steps to use cgroup:
https://www.kernel.org/doc/Documentation/cgroups/net_cls.txt
More info about cgroup in iptables:
http://git.kernel.org/cgit/linux/kernel/git/pablo/nftables.git/commit/net/netfilter/xt_cgroup.c?id=82a37132f300ea53bdcd812917af5a6329ec80c3
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds the new devgroup datatype to get the group name from
/etc/iproute2/group file.
Example of use:
nft add rule ip test input meta iifgroup 0 counter
nft add rule ip test input meta iifgroup default counter
Moreover, It adds tests in meta.t test file.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
There are false errors if you run the automated regression testing
without a wlan0 device in the system.
Delete references to 'wlan0' in test files or replaces 'wlan0' by 'lo'
or 'eth0' in the test files if it is possible.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
"any" folder contains the test files that are executed in ipv4, ipv6,
inet, arp, bridge family of tables.
These test files are executed with nft-tests.py
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
