
[v2] extensions: libxt_mark: Add translation to nft

Message ID 20151206033214.GA5939@gmail.com
State Changes Requested
Delegated to: Pablo Neira

Commit Message

Shivani Bhardwaj Dec. 6, 2015, 3:32 a.m. UTC
Add translation of the metainformation mark to nft.

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
---
Changes in v2:
	Fix syntax according to nft and remove trailing whitespaces

 extensions/libxt_mark.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 62 insertions(+), 2 deletions(-)

Comments

Pablo Neira Ayuso Dec. 9, 2015, 1:26 p.m. UTC | #1
On Sun, Dec 06, 2015 at 09:02:14AM +0530, Shivani Bhardwaj wrote:
> Add translation of the metainformation mark to nft.

Much better, but I still need some changes.

Could you include in the description the commands and the result of
testing this, eg.

$ iptables-xlate -I INPUT -m mark --mark 20
nft add rule filter INPUT mark 20

Several examples like that would be good covering all possible cases,
just to make sure you're testing all possible branches in the code
(even if this kind of manual way, there are better ways to cover-test
this in an automated way but this simple testing is fine by now).

More comments below.

> Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
> ---
> Changes in v2:
> 	Fix syntax according to nft and remove trailing whitespaces
> 
>  extensions/libxt_mark.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++--
>  1 file changed, 62 insertions(+), 2 deletions(-)
> 
> diff --git a/extensions/libxt_mark.c b/extensions/libxt_mark.c
> index 7f8c995..b0c06c2 100644
> --- a/extensions/libxt_mark.c
> +++ b/extensions/libxt_mark.c
> @@ -75,7 +75,7 @@ mark_print(const void *ip, const struct xt_entry_match *match, int numeric)
>  
>  	if (info->invert)
>  		printf(" !");
> -	
> +
>  	print_mark(info->mark, info->mask);
>  }
>  
> @@ -97,11 +97,69 @@ mark_save(const void *ip, const struct xt_entry_match *match)
>  
>  	if (info->invert)
>  		printf(" !");
> -	
> +
>  	printf(" --mark");
>  	print_mark(info->mark, info->mask);
>  }
>  
> +static void
> +print_mark_xlate(struct xt_buf *buf,
> +		 unsigned int mark, unsigned int mask)
> +{
> +        if (mask != 0xffffffffU)
> +                xt_buf_add(buf, " & x%x == x%x", mark, mask);
> +        else
> +                xt_buf_add(buf, " & x%x", mark);
> +}
> +
> +static void
> +mark_mt_xlate_print(const struct xt_entry_match *match,
> +		    struct xt_buf *buf, int numeric)
> +{
> +	const struct xt_mark_mtinfo1 *info = (const void *)match->data;
> +
> +	if (info->invert)
> +		xt_buf_add(buf, " !=");
> +	print_mark_xlate(buf, info->mark, info->mask);
> +}
> +
> +static int
> +mark_mt_xlate(const struct xt_entry_match *match,
> +	      struct xt_buf *buf, int numeric)
> +{
> +	const struct xt_mark_mtinfo1 *info = (const void *)match->data;
> +
> +	xt_buf_add(buf, "ct mark %s", info->invert ? " !=" : "");
> +        print_mark_xlate(buf, info->mark, info->mask);
> +        xt_buf_add(buf, " ");
   ^^^^^^^^

This indentation is not correct.

> +
> +        return 1;
> +}
> +
> +static void
> +mark_xlate_print(const struct xt_entry_match *match,
> +		 struct xt_buf *buf, int numeric)
> +{
> +	const struct xt_mark_info *info = (const void *)match->data;
> +
> +        if (info->invert)
> +                xt_buf_add(buf, " !=");
> +        print_mark_xlate(buf, info->mark, info->mask);
        ^^^

Same here.

Thanks.
Shivani Bhardwaj Dec. 16, 2015, 9:19 a.m. UTC | #2
On Wed, Dec 9, 2015 at 6:56 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Sun, Dec 06, 2015 at 09:02:14AM +0530, Shivani Bhardwaj wrote:
>> Add translation of the metainformation mark to nft.
>
> Much better, but I still need some changes.
>
> Could you include in the description the commands and the result of
> testing this, eg.
>
> $ iptables-xlate -I INPUT -m mark --mark 20
> nft add rule filter INPUT mark 20
>

Hi Pablo,

I don't get these results.
I get the following:
nft # -I INPUT -m mark --mark 123

What could be the reason for this? A bug in the code or some
dependency? I have checked the code. It seems to follow the correct
pattern as per the latest 6 patches.
Could you please help?

> Several examples like that would be good covering all possible cases,
> just to make sure you're testing all possible branches in the code
> (even if this kind of manual way, there are better ways to cover-test
> this in an automated way but this simple testing is fine by now).
>
> More comments below.
>
>> Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
>> ---
>> Changes in v2:
>>       Fix syntax according to nft and remove trailing whitespaces
>>
>>  extensions/libxt_mark.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++--
>>  1 file changed, 62 insertions(+), 2 deletions(-)
>>
>> diff --git a/extensions/libxt_mark.c b/extensions/libxt_mark.c
>> index 7f8c995..b0c06c2 100644
>> --- a/extensions/libxt_mark.c
>> +++ b/extensions/libxt_mark.c
>> @@ -75,7 +75,7 @@ mark_print(const void *ip, const struct xt_entry_match *match, int numeric)
>>
>>       if (info->invert)
>>               printf(" !");
>> -
>> +
>>       print_mark(info->mark, info->mask);
>>  }
>>
>> @@ -97,11 +97,69 @@ mark_save(const void *ip, const struct xt_entry_match *match)
>>
>>       if (info->invert)
>>               printf(" !");
>> -
>> +
>>       printf(" --mark");
>>       print_mark(info->mark, info->mask);
>>  }
>>
>> +static void
>> +print_mark_xlate(struct xt_buf *buf,
>> +              unsigned int mark, unsigned int mask)
>> +{
>> +        if (mask != 0xffffffffU)
>> +                xt_buf_add(buf, " & x%x == x%x", mark, mask);
>> +        else
>> +                xt_buf_add(buf, " & x%x", mark);
>> +}
>> +
>> +static void
>> +mark_mt_xlate_print(const struct xt_entry_match *match,
>> +                 struct xt_buf *buf, int numeric)
>> +{
>> +     const struct xt_mark_mtinfo1 *info = (const void *)match->data;
>> +
>> +     if (info->invert)
>> +             xt_buf_add(buf, " !=");
>> +     print_mark_xlate(buf, info->mark, info->mask);
>> +}
>> +
>> +static int
>> +mark_mt_xlate(const struct xt_entry_match *match,
>> +           struct xt_buf *buf, int numeric)
>> +{
>> +     const struct xt_mark_mtinfo1 *info = (const void *)match->data;
>> +
>> +     xt_buf_add(buf, "ct mark %s", info->invert ? " !=" : "");
>> +        print_mark_xlate(buf, info->mark, info->mask);
>> +        xt_buf_add(buf, " ");
>    ^^^^^^^^
>
> This indentation is not correct.
>

I'm using checkpatch to look for indentation errors now. Sorry for the
inconvenience caused.

Thank you

>> +
>> +        return 1;
>> +}
>> +
>> +static void
>> +mark_xlate_print(const struct xt_entry_match *match,
>> +              struct xt_buf *buf, int numeric)
>> +{
>> +     const struct xt_mark_info *info = (const void *)match->data;
>> +
>> +        if (info->invert)
>> +                xt_buf_add(buf, " !=");
>> +        print_mark_xlate(buf, info->mark, info->mask);
>         ^^^
>
> Same here.
>
> Thanks.
Shivani Bhardwaj Dec. 17, 2015, 10:26 p.m. UTC | #3
On Wed, Dec 16, 2015 at 2:49 PM, Shivani Bhardwaj <shivanib134@gmail.com> wrote:
> On Wed, Dec 9, 2015 at 6:56 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>> On Sun, Dec 06, 2015 at 09:02:14AM +0530, Shivani Bhardwaj wrote:
>>> Add translation of the metainformation mark to nft.
>>
>> Much better, but I still need some changes.
>>
>> Could you include in the description the commands and the result of
>> testing this, eg.
>>
>> $ iptables-xlate -I INPUT -m mark --mark 20
>> nft add rule filter INPUT mark 20
>>
>
> Hi Pablo,
>
> I don't get these results.
> I get the following:
> nft # -I INPUT -m mark --mark 123
>
> What could be the reason for this? A bug in the code or some
> dependency? I have checked the code. It seems to follow the correct
> pattern as per the latest 6 patches.
> Could you please help?
>
>> Several examples like that would be good covering all possible cases,
>> just to make sure you're testing all possible branches in the code
>> (even if this kind of manual way, there are better ways to cover-test
>> this in an automated way but this simple testing is fine by now).
>>
>> More comments below.
>>
>>> Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
>>> ---
>>> Changes in v2:
>>>       Fix syntax according to nft and remove trailing whitespaces
>>>
>>>  extensions/libxt_mark.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++--
>>>  1 file changed, 62 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/extensions/libxt_mark.c b/extensions/libxt_mark.c
>>> index 7f8c995..b0c06c2 100644
>>> --- a/extensions/libxt_mark.c
>>> +++ b/extensions/libxt_mark.c
>>> @@ -75,7 +75,7 @@ mark_print(const void *ip, const struct xt_entry_match *match, int numeric)
>>>
>>>       if (info->invert)
>>>               printf(" !");
>>> -
>>> +
>>>       print_mark(info->mark, info->mask);
>>>  }
>>>
>>> @@ -97,11 +97,69 @@ mark_save(const void *ip, const struct xt_entry_match *match)
>>>
>>>       if (info->invert)
>>>               printf(" !");
>>> -
>>> +
>>>       printf(" --mark");
>>>       print_mark(info->mark, info->mask);
>>>  }
>>>
>>> +static void
>>> +print_mark_xlate(struct xt_buf *buf,
>>> +              unsigned int mark, unsigned int mask)
>>> +{
>>> +        if (mask != 0xffffffffU)
>>> +                xt_buf_add(buf, " & x%x == x%x", mark, mask);
>>> +        else
>>> +                xt_buf_add(buf, " & x%x", mark);
>>> +}
>>> +
>>> +static void
>>> +mark_mt_xlate_print(const struct xt_entry_match *match,
>>> +                 struct xt_buf *buf, int numeric)
>>> +{
>>> +     const struct xt_mark_mtinfo1 *info = (const void *)match->data;
>>> +
>>> +     if (info->invert)
>>> +             xt_buf_add(buf, " !=");
>>> +     print_mark_xlate(buf, info->mark, info->mask);
>>> +}
>>> +
>>> +static int
>>> +mark_mt_xlate(const struct xt_entry_match *match,
>>> +           struct xt_buf *buf, int numeric)
>>> +{
>>> +     const struct xt_mark_mtinfo1 *info = (const void *)match->data;
>>> +
>>> +     xt_buf_add(buf, "ct mark %s", info->invert ? " !=" : "");
>>> +        print_mark_xlate(buf, info->mark, info->mask);
>>> +        xt_buf_add(buf, " ");
>>    ^^^^^^^^
>>
>> This indentation is not correct.
>>
>
> I'm using checkpatch to look for indentation errors now. Sorry for the
> inconvenience caused.
>
> Thank you
>
>>> +
>>> +        return 1;
>>> +}
>>> +
>>> +static void
>>> +mark_xlate_print(const struct xt_entry_match *match,
>>> +              struct xt_buf *buf, int numeric)
>>> +{
>>> +     const struct xt_mark_info *info = (const void *)match->data;
>>> +
>>> +        if (info->invert)
>>> +                xt_buf_add(buf, " !=");
>>> +        print_mark_xlate(buf, info->mark, info->mask);
>>         ^^^
>>
>> Same here.
>>
>> Thanks.

Hi,

While writing another patch, I realized I've mismatched the names of the
print functions (compared with the patch for libxt_tcp).
Could you please suggest me the correct naming convention for them if
this is the case. I've tried some but they don't seem to be working.

If the reason is something else please let me know.

Also, please tell how the functions are logged in the binary iptables-translate.

Thank you
Shivani Bhardwaj Dec. 18, 2015, 4:09 a.m. UTC | #4
On Fri, Dec 18, 2015 at 3:56 AM, Shivani Bhardwaj <shivanib134@gmail.com> wrote:
> On Wed, Dec 16, 2015 at 2:49 PM, Shivani Bhardwaj <shivanib134@gmail.com> wrote:
>> On Wed, Dec 9, 2015 at 6:56 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>>> On Sun, Dec 06, 2015 at 09:02:14AM +0530, Shivani Bhardwaj wrote:
>>>> Add translation of the metainformation mark to nft.
>>>
>>> Much better, but I still need some changes.
>>>
>>> Could you include in the description the commands and the result of
>>> testing this, eg.
>>>
>>> $ iptables-xlate -I INPUT -m mark --mark 20
>>> nft add rule filter INPUT mark 20
>>>
>>
>> Hi Pablo,
>>
>> I don't get these results.
>> I get the following:
>> nft # -I INPUT -m mark --mark 123
>>
>> What could be the reason for this? A bug in the code or some
>> dependency? I have checked the code. It seems to follow the correct
>> pattern as per the latest 6 patches.
>> Could you please help?
>>
>>> Several examples like that would be good covering all possible cases,
>>> just to make sure you're testing all possible branches in the code
>>> (even if this kind of manual way, there are better ways to cover-test
>>> this in an automated way but this simple testing is fine by now).
>>>
>>> More comments below.
>>>
>>>> Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
>>>> ---
>>>> Changes in v2:
>>>>       Fix syntax according to nft and remove trailing whitespaces
>>>>
>>>>  extensions/libxt_mark.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++--
>>>>  1 file changed, 62 insertions(+), 2 deletions(-)
>>>>
>>>> diff --git a/extensions/libxt_mark.c b/extensions/libxt_mark.c
>>>> index 7f8c995..b0c06c2 100644
>>>> --- a/extensions/libxt_mark.c
>>>> +++ b/extensions/libxt_mark.c
>>>> @@ -75,7 +75,7 @@ mark_print(const void *ip, const struct xt_entry_match *match, int numeric)
>>>>
>>>>       if (info->invert)
>>>>               printf(" !");
>>>> -
>>>> +
>>>>       print_mark(info->mark, info->mask);
>>>>  }
>>>>
>>>> @@ -97,11 +97,69 @@ mark_save(const void *ip, const struct xt_entry_match *match)
>>>>
>>>>       if (info->invert)
>>>>               printf(" !");
>>>> -
>>>> +
>>>>       printf(" --mark");
>>>>       print_mark(info->mark, info->mask);
>>>>  }
>>>>
>>>> +static void
>>>> +print_mark_xlate(struct xt_buf *buf,
>>>> +              unsigned int mark, unsigned int mask)
>>>> +{
>>>> +        if (mask != 0xffffffffU)
>>>> +                xt_buf_add(buf, " & x%x == x%x", mark, mask);
>>>> +        else
>>>> +                xt_buf_add(buf, " & x%x", mark);
>>>> +}
>>>> +
>>>> +static void
>>>> +mark_mt_xlate_print(const struct xt_entry_match *match,
>>>> +                 struct xt_buf *buf, int numeric)
>>>> +{
>>>> +     const struct xt_mark_mtinfo1 *info = (const void *)match->data;
>>>> +
>>>> +     if (info->invert)
>>>> +             xt_buf_add(buf, " !=");
>>>> +     print_mark_xlate(buf, info->mark, info->mask);
>>>> +}
>>>> +
>>>> +static int
>>>> +mark_mt_xlate(const struct xt_entry_match *match,
>>>> +           struct xt_buf *buf, int numeric)
>>>> +{
>>>> +     const struct xt_mark_mtinfo1 *info = (const void *)match->data;
>>>> +
>>>> +     xt_buf_add(buf, "ct mark %s", info->invert ? " !=" : "");
>>>> +        print_mark_xlate(buf, info->mark, info->mask);
>>>> +        xt_buf_add(buf, " ");
>>>    ^^^^^^^^
>>>
>>> This indentation is not correct.
>>>
>>
>> I'm using checkpatch to look for indentation errors now. Sorry for the
>> inconvenience caused.
>>
>> Thank you
>>
>>>> +
>>>> +        return 1;
>>>> +}
>>>> +
>>>> +static void
>>>> +mark_xlate_print(const struct xt_entry_match *match,
>>>> +              struct xt_buf *buf, int numeric)
>>>> +{
>>>> +     const struct xt_mark_info *info = (const void *)match->data;
>>>> +
>>>> +        if (info->invert)
>>>> +                xt_buf_add(buf, " !=");
>>>> +        print_mark_xlate(buf, info->mark, info->mask);
>>>         ^^^
>>>
>>> Same here.
>>>
>>> Thanks.
>
> Hi,
>
> While writing another patch, I realized I've done some mismatch in the
> name of print functions (comparing with the patch for libxt_tcp).
> Could you please suggest me the correct naming convention for them if
> this is the case. I've tried some but they don't seem to be working.
>
> If the reason is something else please let me know.
>
> Also, please tell how the functions are logged in the binary iptables-translate.
>
> Thank you

Hi,

So far, I've been able to figure out that the problem is arising
because of wrong return value by the function xlate of
xtables-translate. This return value is further dependent on a
function cb() which I am not able to understand. Could you please help
me with this?

Thank you
Pablo Neira Ayuso Dec. 18, 2015, 9:40 p.m. UTC | #5
On Fri, Dec 18, 2015 at 09:39:49AM +0530, Shivani Bhardwaj wrote:
> Hi,
> 
> So far, I've been able to figure out that the problem is arising
> because of wrong return value by the function xlate of
> xtables-translate. This return value is further dependent on a
> function cb() which I am not able to understand. Could you please help
> me with this?

I'm getting this here:

libxt_mark.c:116:1: warning: ‘mark_mt_xlate_print’ defined but not
used [-Wunused-function]
 mark_mt_xlate_print(const struct xt_entry_match *match,
 ^
libxt_mark.c:140:1: warning: ‘mark_xlate_print’ defined but not used
[-Wunused-function]
 mark_xlate_print(const struct xt_entry_match *match,
 ^

These two functions are unused, so there is some problem there.

But anyway, after applying your patch I can see:

# iptables-translate -I INPUT -m mark --mark 10
nft insert rule ip filter INPUT ct mark  & xa counter 

So this kind of work already.

Be careful about shared libraries for extensions (here I have them at
/usr/lib/xtables/*.so or maybe you have it at /usr/local/lib/xtables)

The thing is that probably you have an older iptables installation, so
you iptables-translate binary refers to the old .so file which has no
translation.

So make sure you don't have several .so in your setup, probably that's
the problem.
Shivani Bhardwaj Dec. 19, 2015, 5:56 a.m. UTC | #6
On Sat, Dec 19, 2015 at 3:10 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Fri, Dec 18, 2015 at 09:39:49AM +0530, Shivani Bhardwaj wrote:
>> Hi,
>>
>> So far, I've been able to figure out that the problem is arising
>> because of wrong return value by the function xlate of
>> xtables-translate. This return value is further dependent on a
>> function cb() which I am not able to understand. Could you please help
>> me with this?
>
> I'm getting this here:
>
> libxt_mark.c:116:1: warning: ‘mark_mt_xlate_print’ defined but not
> used [-Wunused-function]
>  mark_mt_xlate_print(const struct xt_entry_match *match,
>  ^
> libxt_mark.c:140:1: warning: ‘mark_xlate_print’ defined but not used
> [-Wunused-function]
>  mark_xlate_print(const struct xt_entry_match *match,
>  ^
>
> These two functions are unused, so there is some problem there.
>
> But, anyway after applying you patch I can see:
>
> # iptables-translate -I INPUT -m mark --mark 10
> nft insert rule ip filter INPUT ct mark  & xa counter
>
> So this kind of work already.
>
> Be careful about shared libraries for extensions (here I have them at
> /usr/lib/xtables/*.so or maybe you have it at /usr/local/lib/xtables)
>
> The thing is that probably you have an older iptables installation, so
> you iptables-translate binary refers to the old .so file which has no
> translation.
>
> So make sure you don't have several .so in your setup, probably that's
> the problem.

I had multiple .so files. Thanks a lot. It works now. Also, I have
done some other patches but I need to know if the syntax I have used
in them goes in accordance with nftables. Is there any source to see
that? I'm able to figure out some by seeing the examples on wiki page.
But, I'm confused with some other ones.

Thank you
Shivani Bhardwaj Dec. 19, 2015, 2:26 p.m. UTC | #7
On Sat, Dec 19, 2015 at 3:10 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Fri, Dec 18, 2015 at 09:39:49AM +0530, Shivani Bhardwaj wrote:
>> Hi,
>>
>> So far, I've been able to figure out that the problem is arising
>> because of wrong return value by the function xlate of
>> xtables-translate. This return value is further dependent on a
>> function cb() which I am not able to understand. Could you please help
>> me with this?
>
> I'm getting this here:
>
> libxt_mark.c:116:1: warning: ‘mark_mt_xlate_print’ defined but not
> used [-Wunused-function]
>  mark_mt_xlate_print(const struct xt_entry_match *match,
>  ^
> libxt_mark.c:140:1: warning: ‘mark_xlate_print’ defined but not used
> [-Wunused-function]
>  mark_xlate_print(const struct xt_entry_match *match,
>  ^
>
> These two functions are unused, so there is some problem there.
>
> But, anyway after applying you patch I can see:
>
> # iptables-translate -I INPUT -m mark --mark 10
> nft insert rule ip filter INPUT ct mark  & xa counter
>
> So this kind of work already.
>

Hi,

I just tried adding this rule to nft. It does not work. It only works
for integer values of mark. nft shows syntax error for ampersand and
hex values.
Isn't there something wrong? Please let me know.

Thank you

> Be careful about shared libraries for extensions (here I have them at
> /usr/lib/xtables/*.so or maybe you have it at /usr/local/lib/xtables)
>
> The thing is that probably you have an older iptables installation, so
> you iptables-translate binary refers to the old .so file which has no
> translation.
>
> So make sure you don't have several .so in your setup, probably that's
> the problem.
Pablo Neira Ayuso Dec. 19, 2015, 5:47 p.m. UTC | #8
On Sat, Dec 19, 2015 at 07:56:56PM +0530, Shivani Bhardwaj wrote:
> On Sat, Dec 19, 2015 at 3:10 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > But, anyway after applying you patch I can see:
> >
> > # iptables-translate -I INPUT -m mark --mark 10
> > nft insert rule ip filter INPUT ct mark  & xa counter
> >
> > So this kind of work already.
> >
> 
> Hi,
> 
> I just tried adding this rule to nft. It does not work. It only works
> for integer values of mark. nft shows syntax error for ampersand and
> hex values.
>
> Isn't there something wrong? Please let me know.

The line above should be:

nft insert rule ip filter INPUT ct mark & 0xa counter

You have to add a simple table and chain configuration to test it:

nft add table filter
nft add chain filter INPUT { type filter hook input priority 0\; }

The two lines above create a filter table, then it adds an INPUT chain
to that table.

The correct translation for:

iptables-translate -I INPUT -m mark --mark 10

is:

nft insert rule ip filter INPUT ct mark 0xa counter

Then for:

iptables-translate -I INPUT -m mark --mark 10/10

is:

nft insert rule ip filter INPUT ct mark and 0xa == 0xa counter

You have to take the time to find the right translation too and make
sure they work.

Thanks.
Shivani Bhardwaj Dec. 19, 2015, 6:11 p.m. UTC | #9
On Sat, Dec 19, 2015 at 11:17 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Sat, Dec 19, 2015 at 07:56:56PM +0530, Shivani Bhardwaj wrote:
>> On Sat, Dec 19, 2015 at 3:10 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>> > But, anyway after applying you patch I can see:
>> >
>> > # iptables-translate -I INPUT -m mark --mark 10
>> > nft insert rule ip filter INPUT ct mark  & xa counter
>> >
>> > So this kind of work already.
>> >
>>
>> Hi,
>>
>> I just tried adding this rule to nft. It does not work. It only works
>> for integer values of mark. nft shows syntax error for ampersand and
>> hex values.
>>
>> Isn't there something wrong? Please let me know.
>
> The line above should be:
>
> nft insert rule ip filter INPUT ct mark & 0xa counter
>

One more question. Why ct mark when we have no conntrack information
in this module? Shouldn't ct mark be a complete module of conntrack?

> You have to add a simple table and chain configuration to test it:
>
> nft add table filter
> nft add chain filter INPUT { type filter hook input priority 0\; }
>
> The two lines above create a filter table, then it adds an INPUT chain
> to that table.
>
> The correct translation for:
>
> iptables-translate -I INPUT -m mark --mark 10
>
> is:
>
> nft insert rule ip filter INPUT ct mark 0xa counter
>
> Then for:
>
> iptables-translate -I INPUT -m mark --mark 10/10
>
> is:
>
> nft insert rule ip filter INPUT ct mark and 0xa == 0xa counter
>
> You have to take the time to find the right translation too and make
> sure they work.
>
> Thanks.
Shivani Bhardwaj Dec. 19, 2015, 6:21 p.m. UTC | #10
On Sat, Dec 19, 2015 at 11:41 PM, Shivani Bhardwaj
<shivanib134@gmail.com> wrote:
> On Sat, Dec 19, 2015 at 11:17 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>> On Sat, Dec 19, 2015 at 07:56:56PM +0530, Shivani Bhardwaj wrote:
>>> On Sat, Dec 19, 2015 at 3:10 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>>> > But, anyway after applying you patch I can see:
>>> >
>>> > # iptables-translate -I INPUT -m mark --mark 10
>>> > nft insert rule ip filter INPUT ct mark  & xa counter
>>> >
>>> > So this kind of work already.
>>> >
>>>
>>> Hi,
>>>
>>> I just tried adding this rule to nft. It does not work. It only works
>>> for integer values of mark. nft shows syntax error for ampersand and
>>> hex values.
>>>
>>> Isn't there something wrong? Please let me know.
>>
>> The line above should be:
>>
>> nft insert rule ip filter INPUT ct mark & 0xa counter
>>
>

Ampersand again causes syntax error. However, it works fine as below:

nft insert rule ip filter INPUT ct mark 0xa counter

Please tell me if this is wrong.

> One more question. Why ct mark when we have no conntrack information
> in this module? Shouldn't ct mark be a complete module of conntrack?
>
>> You have to add a simple table and chain configuration to test it:
>>
>> nft add table filter
>> nft add chain filter INPUT { type filter hook input priority 0\; }
>>
>> The two lines above create a filter table, then it adds an INPUT chain
>> to that table.
>>
>> The correct translation for:
>>
>> iptables-translate -I INPUT -m mark --mark 10
>>
>> is:
>>
>> nft insert rule ip filter INPUT ct mark 0xa counter
>>
>> Then for:
>>
>> iptables-translate -I INPUT -m mark --mark 10/10
>>
>> is:
>>
>> nft insert rule ip filter INPUT ct mark and 0xa == 0xa counter
>>
>> You have to take the time to find the right translation too and make
>> sure they work.
>>
>> Thanks.
Shivani Bhardwaj Dec. 19, 2015, 7:36 p.m. UTC | #11
On Sun, Dec 20, 2015 at 12:04 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Sat, Dec 19, 2015 at 11:51:14PM +0530, Shivani Bhardwaj wrote:
>> On Sat, Dec 19, 2015 at 11:41 PM, Shivani Bhardwaj
>> <shivanib134@gmail.com> wrote:
>> > On Sat, Dec 19, 2015 at 11:17 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>> >> On Sat, Dec 19, 2015 at 07:56:56PM +0530, Shivani Bhardwaj wrote:
>> >>> On Sat, Dec 19, 2015 at 3:10 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>> >>> > But, anyway after applying you patch I can see:
>> >>> >
>> >>> > # iptables-translate -I INPUT -m mark --mark 10
>> >>> > nft insert rule ip filter INPUT ct mark  & xa counter
>> >>> >
>> >>> > So this kind of work already.
>> >>> >
>> >>>
>> >>> Hi,
>> >>>
>> >>> I just tried adding this rule to nft. It does not work. It only works
>> >>> for integer values of mark. nft shows syntax error for ampersand and
>> >>> hex values.
>> >>>
>> >>> Isn't there something wrong? Please let me know.
>> >>
>> >> The line above should be:
>> >>
>> >> nft insert rule ip filter INPUT ct mark & 0xa counter
>> >>
>> >
>>
>> Ampersand again causes syntax error. However, it works fine as below:
>>
>> nft insert rule ip filter INPUT ct mark 0xa counter
>
> Yes, that is fine as I indicated in a previous email.

Thank you.
Could you please tell why ct mark and not simply mark?
Pablo Neira Ayuso Dec. 20, 2015, 2:18 a.m. UTC | #12
On Sun, Dec 20, 2015 at 01:06:33AM +0530, Shivani Bhardwaj wrote:
> On Sun, Dec 20, 2015 at 12:04 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > On Sat, Dec 19, 2015 at 11:51:14PM +0530, Shivani Bhardwaj wrote:
> >> Ampersand again causes syntax error. However, it works fine as below:
> >>
> >> nft insert rule ip filter INPUT ct mark 0xa counter
> >
> > Yes, that is fine as I indicated in a previous email.
> 
> Thank you.
> Could you please tell why ct mark and not simply mark?

This should obviously be simply mark, not ct mark.

Patch

diff --git a/extensions/libxt_mark.c b/extensions/libxt_mark.c
index 7f8c995..b0c06c2 100644
--- a/extensions/libxt_mark.c
+++ b/extensions/libxt_mark.c
@@ -75,7 +75,7 @@  mark_print(const void *ip, const struct xt_entry_match *match, int numeric)
 
 	if (info->invert)
 		printf(" !");
-	
+
 	print_mark(info->mark, info->mask);
 }
 
@@ -97,11 +97,69 @@  mark_save(const void *ip, const struct xt_entry_match *match)
 
 	if (info->invert)
 		printf(" !");
-	
+
 	printf(" --mark");
 	print_mark(info->mark, info->mask);
 }
 
+static void
+print_mark_xlate(struct xt_buf *buf,
+		 unsigned int mark, unsigned int mask)
+{
+        if (mask != 0xffffffffU)
+                xt_buf_add(buf, " & x%x == x%x", mark, mask);
+        else
+                xt_buf_add(buf, " & x%x", mark);
+}
+
+static void
+mark_mt_xlate_print(const struct xt_entry_match *match,
+		    struct xt_buf *buf, int numeric)
+{
+	const struct xt_mark_mtinfo1 *info = (const void *)match->data;
+
+	if (info->invert)
+		xt_buf_add(buf, " !=");
+	print_mark_xlate(buf, info->mark, info->mask);
+}
+
+static int
+mark_mt_xlate(const struct xt_entry_match *match,
+	      struct xt_buf *buf, int numeric)
+{
+	const struct xt_mark_mtinfo1 *info = (const void *)match->data;
+
+	xt_buf_add(buf, "ct mark %s", info->invert ? " !=" : "");
+        print_mark_xlate(buf, info->mark, info->mask);
+        xt_buf_add(buf, " ");
+
+        return 1;
+}
+
+static void
+mark_xlate_print(const struct xt_entry_match *match,
+		 struct xt_buf *buf, int numeric)
+{
+	const struct xt_mark_info *info = (const void *)match->data;
+
+        if (info->invert)
+                xt_buf_add(buf, " !=");
+        print_mark_xlate(buf, info->mark, info->mask);
+}
+
+static int
+mark_xlate(const struct xt_entry_match *match,
+	   struct xt_buf *buf, int numeric)
+{
+	const struct xt_mark_info *info = (const void *)match->data;
+
+	xt_buf_add(buf, "ct mark %s", info->invert ? " !=" : "");
+	print_mark_xlate(buf, info->mark, info->mask);
+	xt_buf_add(buf, " ");
+
+	return 1;
+}
+
 static struct xtables_match mark_mt_reg[] = {
 	{
 		.family        = NFPROTO_UNSPEC,
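Review bot: In `print_mark_xlate` the masked branch passes `mark` before `mask`, so `--mark value/mask` is rendered as `& x<value> == x<mask>`, whereas the iptables match is `(skb->mark & mask) == value`; the nft expression needs the mask after `&` and the value after the comparison, and both literals also lack the `0` of the `0x` prefix (only visible in the thread's example because value and mask were both 10). Both `mark_mt_xlate` and `mark_xlate` then splice the inversion in as `%s` with `" !="` ahead of the expression, producing `!= & ...`; nft negates the comparison itself, so `invert` should select `!=` in place of `==` (and `!= 0x<value>` in the unmasked form). A swapped value/mask or misplaced `!=` either fails to load or loads a rule that matches a different packet set than the iptables original, so the translated policy silently drifts from its source; a manual test with distinct value and mask (a constructed example: `--mark 0x1/0xff`, with and without `!`) would catch both. The helper below takes `invert` as a fourth parameter and emits the complete comparison, and the two callers drop the `%s`/`" !="` from their keyword prefix and pass `info->invert` through.

```c
static void
print_mark_xlate(struct xt_buf *buf, unsigned int mark,
		 unsigned int mask, int invert)
{
	/* iptables semantics: (skb->mark & mask) == value, negated by invert */
	if (mask != 0xffffffffU)
		xt_buf_add(buf, " & 0x%x %s 0x%x", mask,
			   invert ? "!=" : "==", mark);
	else
		xt_buf_add(buf, " %s0x%x", invert ? "!= " : "", mark);
}

/* … in mark_mt_xlate and mark_xlate, after the keyword prefix (no " !=" there) … */
	print_mark_xlate(buf, info->mark, info->mask, info->invert);
```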
@@ -115,6 +173,7 @@  static struct xtables_match mark_mt_reg[] = {
 		.save          = mark_save,
 		.x6_parse      = mark_parse,
 		.x6_options    = mark_mt_opts,
+		.xlate	       = mark_xlate,
 	},
 	{
 		.version       = XTABLES_VERSION,
@@ -128,6 +187,7 @@  static struct xtables_match mark_mt_reg[] = {
 		.save          = mark_mt_save,
 		.x6_parse      = mark_mt_parse,
 		.x6_options    = mark_mt_opts,
+		.xlate         = mark_mt_xlate,
 	},
 };