Message ID | 20151206033214.GA5939@gmail.com
State | Changes Requested
Delegated to: | Pablo Neira
On Sun, Dec 06, 2015 at 09:02:14AM +0530, Shivani Bhardwaj wrote:
> Add translation of the metainformation mark to nft.

Much better, but I still need some changes.

Could you include in the description the commands and the result of
testing this, eg.

$ iptables-xlate -I INPUT -m mark --mark 20
nft add rule filter INPUT mark 20

Several examples like that would be good covering all possible cases,
just to make sure you're testing all possible branches in the code
(even if this kind of manual way, there are better ways to cover-test
this in an automated way but this simple testing is fine by now).

More comments below.

> Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
> ---
> Changes in v2:
> Fix syntax according to nft and remove trailing whitespaces
>
> extensions/libxt_mark.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++--
> 1 file changed, 62 insertions(+), 2 deletions(-)
>
> diff --git a/extensions/libxt_mark.c b/extensions/libxt_mark.c
> index 7f8c995..b0c06c2 100644
> --- a/extensions/libxt_mark.c
> +++ b/extensions/libxt_mark.c
> @@ -75,7 +75,7 @@ mark_print(const void *ip, const struct xt_entry_match *match, int numeric)
>
> if (info->invert)
> printf(" !");
> -
> +
> print_mark(info->mark, info->mask);
> }
>
> @@ -97,11 +97,69 @@ mark_save(const void *ip, const struct xt_entry_match *match)
>
> if (info->invert)
> printf(" !");
> -
> +
> printf(" --mark");
> print_mark(info->mark, info->mask);
> }
>
> +static void
> +print_mark_xlate(struct xt_buf *buf,
> + unsigned int mark, unsigned int mask)
> +{
> + if (mask != 0xffffffffU)
> + xt_buf_add(buf, " & x%x == x%x", mark, mask);
> + else
> + xt_buf_add(buf, " & x%x", mark);
> +}
> +
> +static void
> +mark_mt_xlate_print(const struct xt_entry_match *match,
> + struct xt_buf *buf, int numeric)
> +{
> + const struct xt_mark_mtinfo1 *info = (const void *)match->data;
> +
> + if (info->invert)
> + xt_buf_add(buf, " !=");
> + print_mark_xlate(buf, info->mark, info->mask);
> +}
> +
> +static int
> +mark_mt_xlate(const struct xt_entry_match *match,
> + struct xt_buf *buf, int numeric)
> +{
> + const struct xt_mark_mtinfo1 *info = (const void *)match->data;
> +
> + xt_buf_add(buf, "ct mark %s", info->invert ? " !=" : "");
> + print_mark_xlate(buf, info->mark, info->mask);
> + xt_buf_add(buf, " ");
^^^^^^^^

This indentation is not correct.

> +
> + return 1;
> +}
> +
> +static void
> +mark_xlate_print(const struct xt_entry_match *match,
> + struct xt_buf *buf, int numeric)
> +{
> + const struct xt_mark_info *info = (const void *)match->data;
> +
> + if (info->invert)
> + xt_buf_add(buf, " !=");
> + print_mark_xlate(buf, info->mark, info->mask);
^^^

Same here.

Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wed, Dec 9, 2015 at 6:56 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Sun, Dec 06, 2015 at 09:02:14AM +0530, Shivani Bhardwaj wrote:
>> Add translation of the metainformation mark to nft.
>
> Much better, but I still need some changes.
>
> Could you include in the description the commands and the result of
> testing this, eg.
>
> $ iptables-xlate -I INPUT -m mark --mark 20
> nft add rule filter INPUT mark 20
>

Hi Pablo,

I don't get these results.
I get the following:
nft # -I INPUT -m mark --mark 123

What could be the reason for this? A bug in the code or some
dependency? I have checked the code. It seems to follow the correct
pattern as per the latest 6 patches.
Could you please help?

> Several examples like that would be good covering all possible cases,
> just to make sure you're testing all possible branches in the code
> (even if this kind of manual way, there are better ways to cover-test
> this in an automated way but this simple testing is fine by now).
>
> More comments below.
>
>> Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
>> ---
>> Changes in v2:
>> Fix syntax according to nft and remove trailing whitespaces
>>
>> extensions/libxt_mark.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++--
>> 1 file changed, 62 insertions(+), 2 deletions(-)
>>
>> diff --git a/extensions/libxt_mark.c b/extensions/libxt_mark.c
>> index 7f8c995..b0c06c2 100644
>> --- a/extensions/libxt_mark.c
>> +++ b/extensions/libxt_mark.c
>> @@ -75,7 +75,7 @@ mark_print(const void *ip, const struct xt_entry_match *match, int numeric)
>>
>> if (info->invert)
>> printf(" !");
>> -
>> +
>> print_mark(info->mark, info->mask);
>> }
>>
>> @@ -97,11 +97,69 @@ mark_save(const void *ip, const struct xt_entry_match *match)
>>
>> if (info->invert)
>> printf(" !");
>> -
>> +
>> printf(" --mark");
>> print_mark(info->mark, info->mask);
>> }
>>
>> +static void
>> +print_mark_xlate(struct xt_buf *buf,
>> + unsigned int mark, unsigned int mask)
>> +{
>> + if (mask != 0xffffffffU)
>> + xt_buf_add(buf, " & x%x == x%x", mark, mask);
>> + else
>> + xt_buf_add(buf, " & x%x", mark);
>> +}
>> +
>> +static void
>> +mark_mt_xlate_print(const struct xt_entry_match *match,
>> + struct xt_buf *buf, int numeric)
>> +{
>> + const struct xt_mark_mtinfo1 *info = (const void *)match->data;
>> +
>> + if (info->invert)
>> + xt_buf_add(buf, " !=");
>> + print_mark_xlate(buf, info->mark, info->mask);
>> +}
>> +
>> +static int
>> +mark_mt_xlate(const struct xt_entry_match *match,
>> + struct xt_buf *buf, int numeric)
>> +{
>> + const struct xt_mark_mtinfo1 *info = (const void *)match->data;
>> +
>> + xt_buf_add(buf, "ct mark %s", info->invert ? " !=" : "");
>> + print_mark_xlate(buf, info->mark, info->mask);
>> + xt_buf_add(buf, " ");
> ^^^^^^^^
>
> This indentation is not correct.
>

I'm using checkpatch to look for indentation errors now. Sorry for the
inconvenience caused.

Thank you

>> +
>> + return 1;
>> +}
>> +
>> +static void
>> +mark_xlate_print(const struct xt_entry_match *match,
>> + struct xt_buf *buf, int numeric)
>> +{
>> + const struct xt_mark_info *info = (const void *)match->data;
>> +
>> + if (info->invert)
>> + xt_buf_add(buf, " !=");
>> + print_mark_xlate(buf, info->mark, info->mask);
> ^^^
>
> Same here.
>
> Thanks.
On Wed, Dec 16, 2015 at 2:49 PM, Shivani Bhardwaj <shivanib134@gmail.com> wrote:
> On Wed, Dec 9, 2015 at 6:56 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>> On Sun, Dec 06, 2015 at 09:02:14AM +0530, Shivani Bhardwaj wrote:
>>> Add translation of the metainformation mark to nft.
>>
>> Much better, but I still need some changes.
>>
>> Could you include in the description the commands and the result of
>> testing this, eg.
>>
>> $ iptables-xlate -I INPUT -m mark --mark 20
>> nft add rule filter INPUT mark 20
>>
>
> Hi Pablo,
>
> I don't get these results.
> I get the following:
> nft # -I INPUT -m mark --mark 123
>
> What could be the reason for this? A bug in the code or some
> dependency? I have checked the code. It seems to follow the correct
> pattern as per the latest 6 patches.
> Could you please help?
>
>> Several examples like that would be good covering all possible cases,
>> just to make sure you're testing all possible branches in the code
>> (even if this kind of manual way, there are better ways to cover-test
>> this in an automated way but this simple testing is fine by now).
>>
>> More comments below.
>>
>>> Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
>>> ---
>>> Changes in v2:
>>> Fix syntax according to nft and remove trailing whitespaces
>>>
>>> extensions/libxt_mark.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++--
>>> 1 file changed, 62 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/extensions/libxt_mark.c b/extensions/libxt_mark.c
>>> index 7f8c995..b0c06c2 100644
>>> --- a/extensions/libxt_mark.c
>>> +++ b/extensions/libxt_mark.c
>>> @@ -75,7 +75,7 @@ mark_print(const void *ip, const struct xt_entry_match *match, int numeric)
>>>
>>> if (info->invert)
>>> printf(" !");
>>> -
>>> +
>>> print_mark(info->mark, info->mask);
>>> }
>>>
>>> @@ -97,11 +97,69 @@ mark_save(const void *ip, const struct xt_entry_match *match)
>>>
>>> if (info->invert)
>>> printf(" !");
>>> -
>>> +
>>> printf(" --mark");
>>> print_mark(info->mark, info->mask);
>>> }
>>>
>>> +static void
>>> +print_mark_xlate(struct xt_buf *buf,
>>> + unsigned int mark, unsigned int mask)
>>> +{
>>> + if (mask != 0xffffffffU)
>>> + xt_buf_add(buf, " & x%x == x%x", mark, mask);
>>> + else
>>> + xt_buf_add(buf, " & x%x", mark);
>>> +}
>>> +
>>> +static void
>>> +mark_mt_xlate_print(const struct xt_entry_match *match,
>>> + struct xt_buf *buf, int numeric)
>>> +{
>>> + const struct xt_mark_mtinfo1 *info = (const void *)match->data;
>>> +
>>> + if (info->invert)
>>> + xt_buf_add(buf, " !=");
>>> + print_mark_xlate(buf, info->mark, info->mask);
>>> +}
>>> +
>>> +static int
>>> +mark_mt_xlate(const struct xt_entry_match *match,
>>> + struct xt_buf *buf, int numeric)
>>> +{
>>> + const struct xt_mark_mtinfo1 *info = (const void *)match->data;
>>> +
>>> + xt_buf_add(buf, "ct mark %s", info->invert ? " !=" : "");
>>> + print_mark_xlate(buf, info->mark, info->mask);
>>> + xt_buf_add(buf, " ");
>> ^^^^^^^^
>>
>> This indentation is not correct.
>>
>
> I'm using checkpatch to look for indentation errors now. Sorry for the
> inconvenience caused.
>
> Thank you
>
>>> +
>>> + return 1;
>>> +}
>>> +
>>> +static void
>>> +mark_xlate_print(const struct xt_entry_match *match,
>>> + struct xt_buf *buf, int numeric)
>>> +{
>>> + const struct xt_mark_info *info = (const void *)match->data;
>>> +
>>> + if (info->invert)
>>> + xt_buf_add(buf, " !=");
>>> + print_mark_xlate(buf, info->mark, info->mask);
>> ^^^
>>
>> Same here.
>>
>> Thanks.

Hi,

While writing another patch, I realized I've made a mismatch in the
names of the print functions (comparing with the patch for libxt_tcp).
Could you please suggest the correct naming convention for them, if
this is the case? I've tried some but they don't seem to be working.

If the reason is something else, please let me know.

Also, please tell me how the functions are logged in the binary iptables-translate.

Thank you
On Fri, Dec 18, 2015 at 3:56 AM, Shivani Bhardwaj <shivanib134@gmail.com> wrote:
> On Wed, Dec 16, 2015 at 2:49 PM, Shivani Bhardwaj <shivanib134@gmail.com> wrote:
>> On Wed, Dec 9, 2015 at 6:56 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>>> On Sun, Dec 06, 2015 at 09:02:14AM +0530, Shivani Bhardwaj wrote:
>>>> Add translation of the metainformation mark to nft.
>>>
>>> Much better, but I still need some changes.
>>>
>>> Could you include in the description the commands and the result of
>>> testing this, eg.
>>>
>>> $ iptables-xlate -I INPUT -m mark --mark 20
>>> nft add rule filter INPUT mark 20
>>>
>>
>> Hi Pablo,
>>
>> I don't get these results.
>> I get the following:
>> nft # -I INPUT -m mark --mark 123
>>
>> What could be the reason for this? A bug in the code or some
>> dependency? I have checked the code. It seems to follow the correct
>> pattern as per the latest 6 patches.
>> Could you please help?
>>
>>> Several examples like that would be good covering all possible cases,
>>> just to make sure you're testing all possible branches in the code
>>> (even if this kind of manual way, there are better ways to cover-test
>>> this in an automated way but this simple testing is fine by now).
>>>
>>> More comments below.
>>>
>>>> Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
>>>> ---
>>>> Changes in v2:
>>>> Fix syntax according to nft and remove trailing whitespaces
>>>>
>>>> extensions/libxt_mark.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++--
>>>> 1 file changed, 62 insertions(+), 2 deletions(-)
>>>>
>>>> diff --git a/extensions/libxt_mark.c b/extensions/libxt_mark.c
>>>> index 7f8c995..b0c06c2 100644
>>>> --- a/extensions/libxt_mark.c
>>>> +++ b/extensions/libxt_mark.c
>>>> @@ -75,7 +75,7 @@ mark_print(const void *ip, const struct xt_entry_match *match, int numeric)
>>>>
>>>> if (info->invert)
>>>> printf(" !");
>>>> -
>>>> +
>>>> print_mark(info->mark, info->mask);
>>>> }
>>>>
>>>> @@ -97,11 +97,69 @@ mark_save(const void *ip, const struct xt_entry_match *match)
>>>>
>>>> if (info->invert)
>>>> printf(" !");
>>>> -
>>>> +
>>>> printf(" --mark");
>>>> print_mark(info->mark, info->mask);
>>>> }
>>>>
>>>> +static void
>>>> +print_mark_xlate(struct xt_buf *buf,
>>>> + unsigned int mark, unsigned int mask)
>>>> +{
>>>> + if (mask != 0xffffffffU)
>>>> + xt_buf_add(buf, " & x%x == x%x", mark, mask);
>>>> + else
>>>> + xt_buf_add(buf, " & x%x", mark);
>>>> +}
>>>> +
>>>> +static void
>>>> +mark_mt_xlate_print(const struct xt_entry_match *match,
>>>> + struct xt_buf *buf, int numeric)
>>>> +{
>>>> + const struct xt_mark_mtinfo1 *info = (const void *)match->data;
>>>> +
>>>> + if (info->invert)
>>>> + xt_buf_add(buf, " !=");
>>>> + print_mark_xlate(buf, info->mark, info->mask);
>>>> +}
>>>> +
>>>> +static int
>>>> +mark_mt_xlate(const struct xt_entry_match *match,
>>>> + struct xt_buf *buf, int numeric)
>>>> +{
>>>> + const struct xt_mark_mtinfo1 *info = (const void *)match->data;
>>>> +
>>>> + xt_buf_add(buf, "ct mark %s", info->invert ? " !=" : "");
>>>> + print_mark_xlate(buf, info->mark, info->mask);
>>>> + xt_buf_add(buf, " ");
>>> ^^^^^^^^
>>>
>>> This indentation is not correct.
>>>
>>
>> I'm using checkpatch to look for indentation errors now. Sorry for the
>> inconvenience caused.
>>
>> Thank you
>>
>>>> +
>>>> + return 1;
>>>> +}
>>>> +
>>>> +static void
>>>> +mark_xlate_print(const struct xt_entry_match *match,
>>>> + struct xt_buf *buf, int numeric)
>>>> +{
>>>> + const struct xt_mark_info *info = (const void *)match->data;
>>>> +
>>>> + if (info->invert)
>>>> + xt_buf_add(buf, " !=");
>>>> + print_mark_xlate(buf, info->mark, info->mask);
>>> ^^^
>>>
>>> Same here.
>>>
>>> Thanks.
>
> Hi,
>
> While writing another patch, I realized I've made a mismatch in the
> names of the print functions (comparing with the patch for libxt_tcp).
> Could you please suggest the correct naming convention for them, if
> this is the case? I've tried some but they don't seem to be working.
>
> If the reason is something else, please let me know.
>
> Also, please tell me how the functions are logged in the binary iptables-translate.
>
> Thank you

Hi,

So far, I've been able to figure out that the problem is arising
because of a wrong return value from the function xlate of
xtables-translate. This return value is further dependent on a
function cb() which I am not able to understand. Could you please help
me with this?

Thank you
On Fri, Dec 18, 2015 at 09:39:49AM +0530, Shivani Bhardwaj wrote:
> Hi,
>
> So far, I've been able to figure out that the problem is arising
> because of a wrong return value from the function xlate of
> xtables-translate. This return value is further dependent on a
> function cb() which I am not able to understand. Could you please help
> me with this?

I'm getting this here:

libxt_mark.c:116:1: warning: ‘mark_mt_xlate_print’ defined but not used [-Wunused-function]
 mark_mt_xlate_print(const struct xt_entry_match *match,
 ^
libxt_mark.c:140:1: warning: ‘mark_xlate_print’ defined but not used [-Wunused-function]
 mark_xlate_print(const struct xt_entry_match *match,
 ^

These two functions are unused, so there is some problem there.

But, anyway after applying your patch I can see:

# iptables-translate -I INPUT -m mark --mark 10
nft insert rule ip filter INPUT ct mark & xa counter

So this kind of works already.

Be careful about shared libraries for extensions (here I have them at
/usr/lib/xtables/*.so or maybe you have them at /usr/local/lib/xtables).

The thing is that probably you have an older iptables installation, so
your iptables-translate binary refers to the old .so file which has no
translation.

So make sure you don't have several .so in your setup, probably that's
the problem.
On Sat, Dec 19, 2015 at 3:10 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Fri, Dec 18, 2015 at 09:39:49AM +0530, Shivani Bhardwaj wrote:
>> Hi,
>>
>> So far, I've been able to figure out that the problem is arising
>> because of a wrong return value from the function xlate of
>> xtables-translate. This return value is further dependent on a
>> function cb() which I am not able to understand. Could you please help
>> me with this?
>
> I'm getting this here:
>
> libxt_mark.c:116:1: warning: ‘mark_mt_xlate_print’ defined but not
> used [-Wunused-function]
>  mark_mt_xlate_print(const struct xt_entry_match *match,
>  ^
> libxt_mark.c:140:1: warning: ‘mark_xlate_print’ defined but not used
> [-Wunused-function]
>  mark_xlate_print(const struct xt_entry_match *match,
>  ^
>
> These two functions are unused, so there is some problem there.
>
> But, anyway after applying your patch I can see:
>
> # iptables-translate -I INPUT -m mark --mark 10
> nft insert rule ip filter INPUT ct mark & xa counter
>
> So this kind of works already.
>
> Be careful about shared libraries for extensions (here I have them at
> /usr/lib/xtables/*.so or maybe you have them at /usr/local/lib/xtables).
>
> The thing is that probably you have an older iptables installation, so
> your iptables-translate binary refers to the old .so file which has no
> translation.
>
> So make sure you don't have several .so in your setup, probably that's
> the problem.

I had multiple .so files. Thanks a lot. It works now.

Also, I have done some other patches but I need to know if the syntax
I have used in them goes in accordance with nftables. Is there any
source to see that? I'm able to figure out some by seeing the examples
on the wiki page. But, I'm confused with some other ones.

Thank you
On Sat, Dec 19, 2015 at 3:10 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Fri, Dec 18, 2015 at 09:39:49AM +0530, Shivani Bhardwaj wrote:
>> Hi,
>>
>> So far, I've been able to figure out that the problem is arising
>> because of a wrong return value from the function xlate of
>> xtables-translate. This return value is further dependent on a
>> function cb() which I am not able to understand. Could you please help
>> me with this?
>
> I'm getting this here:
>
> libxt_mark.c:116:1: warning: ‘mark_mt_xlate_print’ defined but not
> used [-Wunused-function]
>  mark_mt_xlate_print(const struct xt_entry_match *match,
>  ^
> libxt_mark.c:140:1: warning: ‘mark_xlate_print’ defined but not used
> [-Wunused-function]
>  mark_xlate_print(const struct xt_entry_match *match,
>  ^
>
> These two functions are unused, so there is some problem there.
>
> But, anyway after applying your patch I can see:
>
> # iptables-translate -I INPUT -m mark --mark 10
> nft insert rule ip filter INPUT ct mark & xa counter
>
> So this kind of works already.
>

Hi,

I just tried adding this rule to nft. It does not work. It only works
for integer values of mark. nft shows syntax error for ampersand and
hex values.

Isn't there something wrong? Please let me know.

Thank you

> Be careful about shared libraries for extensions (here I have them at
> /usr/lib/xtables/*.so or maybe you have them at /usr/local/lib/xtables).
>
> The thing is that probably you have an older iptables installation, so
> your iptables-translate binary refers to the old .so file which has no
> translation.
>
> So make sure you don't have several .so in your setup, probably that's
> the problem.
On Sat, Dec 19, 2015 at 07:56:56PM +0530, Shivani Bhardwaj wrote:
> On Sat, Dec 19, 2015 at 3:10 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > But, anyway after applying your patch I can see:
> >
> > # iptables-translate -I INPUT -m mark --mark 10
> > nft insert rule ip filter INPUT ct mark & xa counter
> >
> > So this kind of works already.
> >
>
> Hi,
>
> I just tried adding this rule to nft. It does not work. It only works
> for integer values of mark. nft shows syntax error for ampersand and
> hex values.
>
> Isn't there something wrong? Please let me know.

The line above should be:

nft insert rule ip filter INPUT ct mark & 0xa counter

You have to add a simple table and chain configuration to test it:

nft add table filter
nft add chain filter INPUT { type filter hook input priority 0\; }

The two lines above create a filter table, then it adds an INPUT chain
to that table.

The correct translation for:

iptables-translate -I INPUT -m mark --mark 10

is:

nft insert rule ip filter INPUT ct mark 0xa counter

Then for:

iptables-translate -I INPUT -m mark --mark 10/10

is:

nft insert rule ip filter INPUT ct mark and 0xa == 0xa counter

You have to take the time to find the right translation too and make
sure they work.

Thanks.
On Sat, Dec 19, 2015 at 11:17 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Sat, Dec 19, 2015 at 07:56:56PM +0530, Shivani Bhardwaj wrote:
>> On Sat, Dec 19, 2015 at 3:10 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>> > But, anyway after applying your patch I can see:
>> >
>> > # iptables-translate -I INPUT -m mark --mark 10
>> > nft insert rule ip filter INPUT ct mark & xa counter
>> >
>> > So this kind of works already.
>> >
>>
>> Hi,
>>
>> I just tried adding this rule to nft. It does not work. It only works
>> for integer values of mark. nft shows syntax error for ampersand and
>> hex values.
>>
>> Isn't there something wrong? Please let me know.
>
> The line above should be:
>
> nft insert rule ip filter INPUT ct mark & 0xa counter
>

One more question. Why ct mark when we have no conntrack information
in this module? Shouldn't ct mark be a complete module of conntrack?

> You have to add a simple table and chain configuration to test it:
>
> nft add table filter
> nft add chain filter INPUT { type filter hook input priority 0\; }
>
> The two lines above create a filter table, then it adds an INPUT chain
> to that table.
>
> The correct translation for:
>
> iptables-translate -I INPUT -m mark --mark 10
>
> is:
>
> nft insert rule ip filter INPUT ct mark 0xa counter
>
> Then for:
>
> iptables-translate -I INPUT -m mark --mark 10/10
>
> is:
>
> nft insert rule ip filter INPUT ct mark and 0xa == 0xa counter
>
> You have to take the time to find the right translation too and make
> sure they work.
>
> Thanks.
On Sat, Dec 19, 2015 at 11:41 PM, Shivani Bhardwaj <shivanib134@gmail.com> wrote:
> On Sat, Dec 19, 2015 at 11:17 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>> On Sat, Dec 19, 2015 at 07:56:56PM +0530, Shivani Bhardwaj wrote:
>>> On Sat, Dec 19, 2015 at 3:10 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>>> > But, anyway after applying your patch I can see:
>>> >
>>> > # iptables-translate -I INPUT -m mark --mark 10
>>> > nft insert rule ip filter INPUT ct mark & xa counter
>>> >
>>> > So this kind of works already.
>>> >
>>>
>>> Hi,
>>>
>>> I just tried adding this rule to nft. It does not work. It only works
>>> for integer values of mark. nft shows syntax error for ampersand and
>>> hex values.
>>>
>>> Isn't there something wrong? Please let me know.
>>
>> The line above should be:
>>
>> nft insert rule ip filter INPUT ct mark & 0xa counter
>>

Ampersand again causes syntax error. However, it works fine as below:

nft insert rule ip filter INPUT ct mark 0xa counter

Please tell me if this is wrong.

> One more question. Why ct mark when we have no conntrack information
> in this module? Shouldn't ct mark be a complete module of conntrack?
>
>> You have to add a simple table and chain configuration to test it:
>>
>> nft add table filter
>> nft add chain filter INPUT { type filter hook input priority 0\; }
>>
>> The two lines above create a filter table, then it adds an INPUT chain
>> to that table.
>>
>> The correct translation for:
>>
>> iptables-translate -I INPUT -m mark --mark 10
>>
>> is:
>>
>> nft insert rule ip filter INPUT ct mark 0xa counter
>>
>> Then for:
>>
>> iptables-translate -I INPUT -m mark --mark 10/10
>>
>> is:
>>
>> nft insert rule ip filter INPUT ct mark and 0xa == 0xa counter
>>
>> You have to take the time to find the right translation too and make
>> sure they work.
>>
>> Thanks.
On Sun, Dec 20, 2015 at 12:04 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Sat, Dec 19, 2015 at 11:51:14PM +0530, Shivani Bhardwaj wrote:
>> On Sat, Dec 19, 2015 at 11:41 PM, Shivani Bhardwaj
>> <shivanib134@gmail.com> wrote:
>> > On Sat, Dec 19, 2015 at 11:17 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>> >> On Sat, Dec 19, 2015 at 07:56:56PM +0530, Shivani Bhardwaj wrote:
>> >>> On Sat, Dec 19, 2015 at 3:10 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>> >>> > But, anyway after applying your patch I can see:
>> >>> >
>> >>> > # iptables-translate -I INPUT -m mark --mark 10
>> >>> > nft insert rule ip filter INPUT ct mark & xa counter
>> >>> >
>> >>> > So this kind of works already.
>> >>> >
>> >>>
>> >>> Hi,
>> >>>
>> >>> I just tried adding this rule to nft. It does not work. It only works
>> >>> for integer values of mark. nft shows syntax error for ampersand and
>> >>> hex values.
>> >>>
>> >>> Isn't there something wrong? Please let me know.
>> >>
>> >> The line above should be:
>> >>
>> >> nft insert rule ip filter INPUT ct mark & 0xa counter
>> >>
>> >
>>
>> Ampersand again causes syntax error. However, it works fine as below:
>>
>> nft insert rule ip filter INPUT ct mark 0xa counter
>
> Yes, that is fine as I indicated in a previous email.

Thank you.
Could you please tell why ct mark and not simply mark?
On Sun, Dec 20, 2015 at 01:06:33AM +0530, Shivani Bhardwaj wrote:
> On Sun, Dec 20, 2015 at 12:04 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > On Sat, Dec 19, 2015 at 11:51:14PM +0530, Shivani Bhardwaj wrote:
> >> Ampersand again causes syntax error. However, it works fine as below:
> >>
> >> nft insert rule ip filter INPUT ct mark 0xa counter
> >
> > Yes, that is fine as I indicated in a previous email.
>
> Thank you.
> Could you please tell why ct mark and not simply mark?

This should obviously be simply mark, not ct mark.
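Added example, not part of the thread and not iptables' own code: a stand-alone reference translator for `-m mark [!] --mark VALUE[/MASK]` that emits the nft forms the thread settles on (`mark 0xa` for a full mask, `mark and 0xa == 0xa` for a masked value, plain `mark` rather than `ct mark`), so its output can be diffed against `iptables-translate` for every branch Pablo asked to be covered. The struct name, the function names and the inverted forms (`mark != 0xa`, `mark and 0xff != 0x1`) are assumptions made for this example; the inverted masked form in particular is extrapolated from the `!=` the patch already uses and is not confirmed anywhere in the thread. The `1/0xff` case is included deliberately: only a value that differs from its mask can show which operand ends up on which side of the comparison, which `--mark 10/10` cannot.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed to mirror the three fields of the kernel's xt_mark_mtinfo1. */
struct mark_mtinfo1 {
	uint32_t mark;
	uint32_t mask;
	uint8_t invert;
};

/* Parse "VALUE[/MASK]" the way --mark is read: strtoul with base 0, so
 * 10, 0xa and 012 are all accepted; the mask defaults to all ones.
 * Returns 0 on success, -1 on malformed input. */
static int parse_mark_arg(const char *arg, struct mark_mtinfo1 *info)
{
	char *end;
	unsigned long v = strtoul(arg, &end, 0);

	if (end == arg || v > 0xffffffffUL)
		return -1;
	info->mark = (uint32_t)v;
	info->mask = 0xffffffffU;

	if (*end == '/') {
		const char *m = end + 1;

		v = strtoul(m, &end, 0);
		if (end == m || v > 0xffffffffUL)
			return -1;
		info->mask = (uint32_t)v;
	}
	return *end == '\0' ? 0 : -1;
}

/* Render the nft expression.  xt_mark tests (skb->mark & mask) == mark,
 * so the masked form prints the mask left of the comparison and the
 * value right of it, and the inversion is the comparison operator,
 * not a prefix in front of the whole expression.
 * Returns the length written, or -1 if buf is too small. */
static int mark_to_nft(const struct mark_mtinfo1 *info, char *buf, size_t len)
{
	int n;

	if (info->mask != 0xffffffffU)
		n = snprintf(buf, len, "mark and 0x%x %s 0x%x",
			     (unsigned)info->mask, info->invert ? "!=" : "==",
			     (unsigned)info->mark);
	else
		n = snprintf(buf, len, "mark %s0x%x",
			     info->invert ? "!= " : "", (unsigned)info->mark);
	return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* "-m mark [!] --mark ARG" -> nft match text.  0 on success, -1 on error. */
int translate_mark_match(const char *arg, int invert, char *out, size_t len)
{
	struct mark_mtinfo1 info;

	if (parse_mark_arg(arg, &info) < 0)
		return -1;
	info.invert = invert ? 1 : 0;
	return mark_to_nft(&info, out, len) < 0 ? -1 : 0;
}

/* 1 when ARG/INVERT translate to exactly EXPECTED, 0 otherwise
 * (including parse errors and truncation). */
int check_translation(const char *arg, int invert, const char *expected)
{
	char buf[64];

	if (translate_mark_match(arg, invert, buf, sizeof buf) < 0)
		return 0;
	return strcmp(buf, expected) == 0;
}

int main(void)
{
	/* Constructed inputs covering every branch: full mask, inverted,
	 * masked with mark == mask, masked with mark != mask. */
	static const struct { const char *arg; int invert; } cases[] = {
		{ "10", 0 }, { "10", 1 }, { "10/10", 0 }, { "1/0xff", 0 },
		{ "0x1/0xff", 1 }, { "10/", 0 },
	};
	char buf[64];
	size_t i;

	for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
		const char *bang = cases[i].invert ? "! " : "";

		if (translate_mark_match(cases[i].arg, cases[i].invert, buf, sizeof buf) < 0)
			printf("-m mark %s--mark %-9s -> (rejected)\n", bang, cases[i].arg);
		else
			printf("-m mark %s--mark %-9s -> %s\n", bang, cases[i].arg, buf);
	}
	return 0;
}
```

Build with `cc -Wall -o mark_xlate mark_xlate.c`, then run the same rules through `iptables-translate -I INPUT -m mark ...` on a build that has the new `libxt_mark.so` installed (and no stale copy in another xtables directory) and compare the two outputs line by line; any divergence on the `1/0xff` line points at swapped operands rather than at a cosmetic difference.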
diff --git a/extensions/libxt_mark.c b/extensions/libxt_mark.c index 7f8c995..b0c06c2 100644 --- a/extensions/libxt_mark.c +++ b/extensions/libxt_mark.c @@ -75,7 +75,7 @@ mark_print(const void *ip, const struct xt_entry_match *match, int numeric) if (info->invert) printf(" !"); - + print_mark(info->mark, info->mask); } @@ -97,11 +97,69 @@ mark_save(const void *ip, const struct xt_entry_match *match) if (info->invert) printf(" !"); - + printf(" --mark"); print_mark(info->mark, info->mask); } +static void +print_mark_xlate(struct xt_buf *buf, + unsigned int mark, unsigned int mask) +{ + if (mask != 0xffffffffU) + xt_buf_add(buf, " & x%x == x%x", mark, mask); + else + xt_buf_add(buf, " & x%x", mark); +} + +static void +mark_mt_xlate_print(const struct xt_entry_match *match, + struct xt_buf *buf, int numeric) +{ + const struct xt_mark_mtinfo1 *info = (const void *)match->data; + + if (info->invert) + xt_buf_add(buf, " !="); + print_mark_xlate(buf, info->mark, info->mask); +} + +static int +mark_mt_xlate(const struct xt_entry_match *match, + struct xt_buf *buf, int numeric) +{ + const struct xt_mark_mtinfo1 *info = (const void *)match->data; + + xt_buf_add(buf, "ct mark %s", info->invert ? " !=" : ""); + print_mark_xlate(buf, info->mark, info->mask); + xt_buf_add(buf, " "); + + return 1; +} + +static void +mark_xlate_print(const struct xt_entry_match *match, + struct xt_buf *buf, int numeric) +{ + const struct xt_mark_info *info = (const void *)match->data; + + if (info->invert) + xt_buf_add(buf, " !="); + print_mark_xlate(buf, info->mark, info->mask); +} + +static int +mark_xlate(const struct xt_entry_match *match, + struct xt_buf *buf, int numeric) +{ + const struct xt_mark_info *info = (const void *)match->data; + + xt_buf_add(buf, "ct mark %s", info->invert ? " !=" : ""); + print_mark_xlate(buf, info->mark, info->mask); + xt_buf_add(buf, " "); + + return 1; +} + static struct xtables_match mark_mt_reg[] = { { .family = NFPROTO_UNSPEC, 
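Review bot: the @@ -75,7 +75,7 @@ hunk in mark_print is a whitespace-only change (a `-` line holding nothing but trailing whitespace replaced by an empty `+` line); unrelated cleanup like this is better sent as its own patch, or at least named separately from "Fix syntax according to nft" in the changelog, so the functional translation change stays reviewable on its own. The identical whitespace fix at the top of the following mark_save hunk falls under the same point.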
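Review bot: in print_mark_xlate (the @@ -97,11 +97,69 @@ hunk) the operands are in the wrong order, so the masked branch describes a different rule from the one xt_mark matches. The kernel test is (skb->mark & mask) == mark, so the mask has to appear before the comparison and the value after it, but `xt_buf_add(buf, " & x%x == x%x", mark, mask);` prints `& x1 == xff` for `--mark 1/0xff`; testing only with `--mark 10/10`, where both fields are equal, cannot reveal this. Three more defects sit in the same functions: the hex literals lack the `0x` prefix (`" & x%x"` yields `xa`, which nft rejects, as the thread confirms); the full-mask branch emits a dangling `& xa` with no comparison where the rule should just be the value; and the inversion is placed in front of the expression (`"ct mark %s"` with `" !="` gives `ct mark  != & xa == xa`, double space included) when it should replace the `==` in the masked form and precede only the value otherwise. Suggest passing the operator into print_mark_xlate and emitting `mark and 0x%x %s 0x%x` for the masked case and `mark %s0x%x` for the full-mask case. The prefix should be `mark`, not `ct mark`: this extension matches the packet mark, not the conntrack mark, which is where the thread ends up. Finally, mark_mt_xlate_print and mark_xlate_print are never called (the -Wunused-function warnings quoted above) and should go, and mark_xlate and mark_mt_xlate differ only in the info struct cast, so their body belongs in one shared helper.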
@@ -115,6 +173,7 @@ static struct xtables_match mark_mt_reg[] = { .save = mark_save, .x6_parse = mark_parse, .x6_options = mark_mt_opts, + .xlate = mark_xlate, }, { .version = XTABLES_VERSION, @@ -128,6 +187,7 @@ static struct xtables_match mark_mt_reg[] = { .save = mark_mt_save, .x6_parse = mark_mt_parse, .x6_options = mark_mt_opts, + .xlate = mark_mt_xlate, }, };
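Review bot: the `.xlate = mark_xlate` entry in the @@ -115,6 +173,7 @@ hunk (revision 0, struct xt_mark_info) and the `.xlate = mark_mt_xlate` entry in the @@ -128,6 +187,7 @@ hunk (revision 1) register two separate callbacks, but the manual tests requested in the thread will only ever reach the second: iptables selects the highest match revision the running kernel supports, so on any current kernel `-m mark` loads revision 1 and mark_xlate is never exercised. Either test the revision-0 path explicitly or, since both callbacks are meant to emit the same text, point both registrations at one shared translation routine so a bug cannot hide in the untested copy.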
Add translation of the metainformation mark to nft.

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
---
Changes in v2:
Fix syntax according to nft and remove trailing whitespaces

extensions/libxt_mark.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 62 insertions(+), 2 deletions(-)