Message ID | 20171228072833.9980-1-harshasharmaiitr@gmail.com |
---|---|
State | Accepted |
Delegated to: | Pablo Neira |
Headers | show |
Series | [v2] extensions: libxt_hashlimit: Do not print default timeout and burst | expand |
Cc'ing Duncan. On Thu, Dec 28, 2017 at 12:58:33PM +0530, Harsha Sharma wrote: > Do not print timeout and burst in case default values are used. > For e.g. > iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit > --hashlimit-above 200/sec --hashlimit-mode srcip,dstport > --hashlimit-name http1 -j DROP > > nft add rule ip filter INPUT tcp dport 80 flow table http1 { tcp dport . > ip saddr limit rate over 200/second } counter drop This is what I was asking for. Applied, thanks Harsha. @Duncan: I think you can update the wiki again after this, given that now those values should not be printed. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Thu, Dec 28, 2017 at 11:52:36AM +0100, Pablo Neira Ayuso wrote: > Cc'ing Duncan. No need - I'm on netfilter-devel ;) > > On Thu, Dec 28, 2017 at 12:58:33PM +0530, Harsha Sharma wrote: > > Do not print timeout and burst in case default values are used. > > For e.g. > > iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit > > --hashlimit-above 200/sec --hashlimit-mode srcip,dstport > > --hashlimit-name http1 -j DROP > > > > nft add rule ip filter INPUT tcp dport 80 flow table http1 { tcp dport . > > ip saddr limit rate over 200/second } counter drop > > This is what I was asking for. > > Applied, thanks Harsha. > > @Duncan: I think you can update the wiki again after this, given that > now those values should not be printed. I tested after applying the patch and now the second example is broken: > iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode srcip,dstport --hashlimit-name http2 --hashlimit-htable-expire 3000 -j DROP > nft add rule ip filter INPUT tcp dport 80 flow table http2 { tcp dport . ip saddr timeout 3s limit rate over 200 kbytes/second burst 1 mbytes burst 6 packets} counter drop The traling "burst 6 packets" should not be there. I propose to leave the wiki until this is fixed. Cheers ... Duncan. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Hi Harsha, On Sun, Dec 31, 2017 at 09:51:10AM +1100, Duncan Roe wrote: > On Thu, Dec 28, 2017 at 11:52:36AM +0100, Pablo Neira Ayuso wrote: > > Cc'ing Duncan. > > No need - I'm on netfilter-devel ;) > > > > On Thu, Dec 28, 2017 at 12:58:33PM +0530, Harsha Sharma wrote: > > > Do not print timeout and burst in case default values are used. > > > For e.g. > > > iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit > > > --hashlimit-above 200/sec --hashlimit-mode srcip,dstport > > > --hashlimit-name http1 -j DROP > > > > > > nft add rule ip filter INPUT tcp dport 80 flow table http1 { tcp dport . > > > ip saddr limit rate over 200/second } counter drop > > > > This is what I was asking for. > > > > Applied, thanks Harsha. > > > > @Duncan: I think you can update the wiki again after this, given that > > now those values should not be printed. > > I tested after applying the patch and now the second example is broken: > > > iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode srcip,dstport --hashlimit-name http2 --hashlimit-htable-expire 3000 -j DROP > > nft add rule ip filter INPUT tcp dport 80 flow table http2 { tcp dport . ip saddr timeout 3s limit rate over 200 kbytes/second burst 1 mbytes burst 6 packets} counter drop > > The traling "burst 6 packets" should not be there. Please, send a new patch to fix this as Duncan spots. Thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Hi Pablo, On Sun, Dec 31, 2017 at 12:16:30AM +0100, Pablo Neira Ayuso wrote: > Hi Harsha, > > On Sun, Dec 31, 2017 at 09:51:10AM +1100, Duncan Roe wrote: > > On Thu, Dec 28, 2017 at 11:52:36AM +0100, Pablo Neira Ayuso wrote: > > > Cc'ing Duncan. > > > > No need - I'm on netfilter-devel ;) > > > > > > On Thu, Dec 28, 2017 at 12:58:33PM +0530, Harsha Sharma wrote: > > > > Do not print timeout and burst in case default values are used. > > > > For e.g. > > > > iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit > > > > --hashlimit-above 200/sec --hashlimit-mode srcip,dstport > > > > --hashlimit-name http1 -j DROP > > > > > > > > nft add rule ip filter INPUT tcp dport 80 flow table http1 { tcp dport . > > > > ip saddr limit rate over 200/second } counter drop > > > > > > This is what I was asking for. > > > > > > Applied, thanks Harsha. > > > > > > @Duncan: I think you can update the wiki again after this, given that > > > now those values should not be printed. > > > > I tested after applying the patch and now the second example is broken: > > > > > iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode srcip,dstport --hashlimit-name http2 --hashlimit-htable-expire 3000 -j DROP > > > nft add rule ip filter INPUT tcp dport 80 flow table http2 { tcp dport . ip saddr timeout 3s limit rate over 200 kbytes/second burst 1 mbytes burst 6 packets} counter drop > > > > The traling "burst 6 packets" should not be there. > It gets worse. Substitute 1000 for 3000 in the above: > $ iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode srcip,dstport --hashlimit-name http2 --hashlimit-htable-expire 1000 -j DROP > nft add rule ip filter INPUT tcp dport 80 flow table http2 { tcp dport . ip saddr limit rate over 200 kbytes/second burst 1 mbytes burst 6 packets} counter drop Because I happened to specify the arbitrary default in my iptables command, it did not propogate to nft at all. I am working on a patch, Cheers ... Duncan. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wed, Jan 03, 2018 at 09:47:46AM +1100, Duncan Roe wrote: > Hi Pablo, > > On Sun, Dec 31, 2017 at 12:16:30AM +0100, Pablo Neira Ayuso wrote: > > Hi Harsha, > > > > On Sun, Dec 31, 2017 at 09:51:10AM +1100, Duncan Roe wrote: > > > On Thu, Dec 28, 2017 at 11:52:36AM +0100, Pablo Neira Ayuso wrote: > > > > Cc'ing Duncan. > > > > > > No need - I'm on netfilter-devel ;) > > > > > > > > On Thu, Dec 28, 2017 at 12:58:33PM +0530, Harsha Sharma wrote: > > > > > Do not print timeout and burst in case default values are used. > > > > > For e.g. > > > > > iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit > > > > > --hashlimit-above 200/sec --hashlimit-mode srcip,dstport > > > > > --hashlimit-name http1 -j DROP > > > > > > > > > > nft add rule ip filter INPUT tcp dport 80 flow table http1 { tcp dport . > > > > > ip saddr limit rate over 200/second } counter drop > > > > > > > > This is what I was asking for. > > > > > > > > Applied, thanks Harsha. > > > > > > > > @Duncan: I think you can update the wiki again after this, given that > > > > now those values should not be printed. > > > > > > I tested after applying the patch and now the second example is broken: > > > > > > > iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode srcip,dstport --hashlimit-name http2 --hashlimit-htable-expire 3000 -j DROP > > > > nft add rule ip filter INPUT tcp dport 80 flow table http2 { tcp dport . ip saddr timeout 3s limit rate over 200 kbytes/second burst 1 mbytes burst 6 packets} counter drop > > > > > > The traling "burst 6 packets" should not be there. > > > It gets worse. Substitute 1000 for 3000 in the above: > > > $ iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode srcip,dstport --hashlimit-name http2 --hashlimit-htable-expire 1000 -j DROP > > nft add rule ip filter INPUT tcp dport 80 flow table http2 { tcp dport . ip saddr limit rate over 200 kbytes/second burst 1 mbytes burst 6 packets} counter drop OK, so the problem is the extra "burst 6 packets". This patch should fix this. diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c index 472d8e7f6cc2..3fa5719127db 100644 --- a/extensions/libxt_hashlimit.c +++ b/extensions/libxt_hashlimit.c @@ -1350,10 +1350,12 @@ static int hashlimit_mt_xlate(struct xt_xlate *xl, const char *name, if (cfg->mode & XT_HASHLIMIT_BYTES) print_bytes_rate_xlate(xl, cfg); - else + else { print_packets_rate_xlate(xl, cfg->avg, revision); - if (cfg->burst != 5) - xt_xlate_add(xl, " burst %lu packets", cfg->burst); + if (cfg->burst != XT_HASHLIMIT_BURST) + xt_xlate_add(xl, " burst %lu packets", cfg->burst); + + } xt_xlate_add(xl, "}"); return ret;
On Wed, Jan 03, 2018 at 09:47:46AM +1100, Duncan Roe wrote: > On Sun, Dec 31, 2017 at 12:16:30AM +0100, Pablo Neira Ayuso wrote: ... > > > > @Duncan: I think you can update the wiki again after this, given that > > > > now those values should not be printed. > > > The examples now work as intended, so I updated the wiki. (INPUT is now being translated to input btw). It is still the case that if the iptables command specifies default burst or timeout then nothing is output for these, including the yetch case of specifying a limit (with or w/out a burst) and getting no timeout. I plan to look into that in February but have been rather busy getting ready for LCA2018 where I'm giving a talk (on nftables). Cheers ... Duncan. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Mon, Jan 15, 2018 at 12:45:32PM +1100, Duncan Roe wrote: > On Wed, Jan 03, 2018 at 09:47:46AM +1100, Duncan Roe wrote: > > On Sun, Dec 31, 2017 at 12:16:30AM +0100, Pablo Neira Ayuso wrote: > ... > > > > > @Duncan: I think you can update the wiki again after this, given that > > > > > now those values should not be printed. > > > > > The examples now work as intended, so I updated the wiki. (INPUT is now being > translated to input btw). > > It is still the case that if the iptables command specifies default burst or > timeout then nothing is output for these, including the yetch case of specifying > a limit (with or w/out a burst) and getting no timeout. I think we should always print the timeout. This timeout depends on umult which depends on the specified rate, inconditionally. Burst, I think it's fine if we just provide a shorter translation default value is specified. Well, now the translation is correct as we don't print burst twice. Anyway, if the translation is semantically correct and it works fine, then this is fair good enough. We're just provide a quick translation to ease migration, users will have to look into specific nftables details sooner or later I guess. Thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Fri, Jan 19, 2018 at 03:27:57AM +0100, Pablo Neira Ayuso wrote: > On Fri, Jan 19, 2018 at 12:48:15PM +1100, Duncan Roe wrote: > > On Tue, Jan 16, 2018 at 11:39:30PM +0100, Pablo Neira Ayuso wrote: > > > On Wed, Jan 17, 2018 at 08:52:17AM +1100, Duncan Roe wrote: > > > > On Wed, Jan 17, 2018 at 07:45:54AM +1100, Duncan Roe wrote: > > > > > On Tue, Jan 16, 2018 at 01:41:43PM +0100, Pablo Neira Ayuso wrote: > > > > > > On Tue, Jan 16, 2018 at 02:15:37AM +0100, Pablo Neira Ayuso wrote: > > > > > > > On Mon, Jan 15, 2018 at 12:45:32PM +1100, Duncan Roe WROTE: > > > > > > > [...] > > Another alternative is: > > # iptables-restore-translate -f your_iptables_ruleset > > Hm, this is not documented in the wiki for some reason. Yes it is - section "Moving from iptables to nftables" under "Basic operation". > Although I now use nft (script attached), I just realised that since libvirt sets up iptables rules, I could demo iptables-restore-translate working on them. > iptables-save > save.txt > iptables-restore-translate -f save.txt all looked good *except* > # -t mangle -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill Just for fun, I thought I'd see what iptables-compat did with that: > iptables-compat -t mangle -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill There was no error message and iptables-compat returned 0. But now: > iptables-compat -t mangle -L > ERROR: You're using nft features that cannot be mapped to iptables, please keep using nft. and: > nft list ruleset > Segmentation fault (core dumped) Where to next? Cheers ... Duncan. #!/usr/sbin/nft -f flush ruleset # filter table (Firewall function) # ====== ===== ========= ========= table ip IP \ { set TCP_DROP \ { type inet_service elements = { 37, 111, 6000 } } ;# set PROTO set UDP_DROP \ { type inet_service elements = { 37, 137, 138, 512 } } ;# set PROTO set TCP_ACCEPT { type inet_service; flags interval; } # A chain to inspect incoming (to this box) packets from cable modem chain FILTER_INPUT \ { type filter hook input priority 0; policy accept; iif ne "wlan0" accept # Allow icmp but not too many # (only limit pings and other info requests) # N.B. This has to come before allowing related packets icmp type { echo-request, timestamp-request, info-request } \ limit rate 5/second counter accept # Drop the excess icmp type { echo-request, timestamp-request, info-request } counter drop # All other icmp is OK meta l4proto icmp counter accept # Allow established and related pkts ct state established,related counter accept # Drop connection attempts to ports we want to keep private # (because we allow connections from some source ports)(?) # (i.e. drop these w/out logging) tcp dport @TCP_DROP counter drop udp dport @UDP_DROP counter drop # Allow bootps->bootpc udp # (i.e. allow dhcp requests / responses) udp sport . udp dport { 67 . 68 } counter accept # Allow DNS replies udp sport 53 counter accept # Allow server ports tcp dport @TCP_ACCEPT counter accept # bittorrent UDP uses port 1900 at both ends (not in /etc/service) udp sport . udp dport { 1900 . 1900 } counter accept # Drop everything else, logging interesting ones (tcp SYN mainly) counter jump logdrop } ;# chain FILTER_INPUT chain logdrop \ { meta pkttype { broadcast } counter drop tcp flags & fin == fin counter drop counter log prefix "nft: " level debug drop } ;# chain logdrop } ;# table ip IP list ruleset
On Sat, Jan 20, 2018 at 05:11:18PM +1100, Duncan Roe wrote: > On Fri, Jan 19, 2018 at 03:27:57AM +0100, Pablo Neira Ayuso wrote: > > On Fri, Jan 19, 2018 at 12:48:15PM +1100, Duncan Roe wrote: > > > On Tue, Jan 16, 2018 at 11:39:30PM +0100, Pablo Neira Ayuso wrote: > > > > On Wed, Jan 17, 2018 at 08:52:17AM +1100, Duncan Roe wrote: > > > > > On Wed, Jan 17, 2018 at 07:45:54AM +1100, Duncan Roe wrote: > > > > > > On Tue, Jan 16, 2018 at 01:41:43PM +0100, Pablo Neira Ayuso wrote: > > > > > > > On Tue, Jan 16, 2018 at 02:15:37AM +0100, Pablo Neira Ayuso wrote: > > > > > > > > On Mon, Jan 15, 2018 at 12:45:32PM +1100, Duncan Roe WROTE: > > > > > > > > [...] > > > > Another alternative is: > > > > # iptables-restore-translate -f your_iptables_ruleset > > > > Hm, this is not documented in the wiki for some reason. > > Yes it is - section "Moving from iptables to nftables" under "Basic operation". > > > Although I now use nft (script attached), I just realised that since libvirt > sets up iptables rules, I could demo iptables-restore-translate working on them. > > > iptables-save > save.txt > > iptables-restore-translate -f save.txt > all looked good *except* > > # -t mangle -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill > Just for fun, I thought I'd see what iptables-compat did with that: > > iptables-compat -t mangle -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill > There was no error message and iptables-compat returned 0. But now: > > iptables-compat -t mangle -L > > ERROR: You're using nft features that cannot be mapped to iptables, please keep using nft. > and: > > nft list ruleset > > Segmentation fault (core dumped) This patch broke nft list ruleset: commit bce55916b51ec1a4c23322781e3b0c698ecc9561 Author: Varsha Rao <rvarsha016@gmail.com> Date: Wed Aug 16 19:48:13 2017 +0530 src: Remove xt_stmt_() functions. Investigating. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Sat, Jan 20, 2018 at 10:21:44AM +0100, Pablo Neira Ayuso wrote: > On Sat, Jan 20, 2018 at 05:11:18PM +1100, Duncan Roe wrote: > > On Fri, Jan 19, 2018 at 03:27:57AM +0100, Pablo Neira Ayuso wrote: > > > On Fri, Jan 19, 2018 at 12:48:15PM +1100, Duncan Roe wrote: > > > > On Tue, Jan 16, 2018 at 11:39:30PM +0100, Pablo Neira Ayuso wrote: > > > > > On Wed, Jan 17, 2018 at 08:52:17AM +1100, Duncan Roe wrote: > > > > > > On Wed, Jan 17, 2018 at 07:45:54AM +1100, Duncan Roe wrote: > > > > > > > On Tue, Jan 16, 2018 at 01:41:43PM +0100, Pablo Neira Ayuso wrote: > > > > > > > > On Tue, Jan 16, 2018 at 02:15:37AM +0100, Pablo Neira Ayuso wrote: > > > > > > > > > On Mon, Jan 15, 2018 at 12:45:32PM +1100, Duncan Roe WROTE: > > > > > > > > > [...] > > > > > > Another alternative is: > > > > > > # iptables-restore-translate -f your_iptables_ruleset > > > > > > Hm, this is not documented in the wiki for some reason. > > > > Yes it is - section "Moving from iptables to nftables" under "Basic operation". > > > > > Although I now use nft (script attached), I just realised that since libvirt > > sets up iptables rules, I could demo iptables-restore-translate working on them. > > > > > iptables-save > save.txt > > > iptables-restore-translate -f save.txt > > all looked good *except* > > > # -t mangle -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill > > Just for fun, I thought I'd see what iptables-compat did with that: > > > iptables-compat -t mangle -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill > > There was no error message and iptables-compat returned 0. But now: > > > iptables-compat -t mangle -L > > > ERROR: You're using nft features that cannot be mapped to iptables, please keep using nft. > > and: > > > nft list ruleset > > > Segmentation fault (core dumped) > > This patch broke nft list ruleset: > > commit bce55916b51ec1a4c23322781e3b0c698ecc9561 > Author: Varsha Rao <rvarsha016@gmail.com> > Date: Wed Aug 16 19:48:13 2017 +0530 > > src: Remove xt_stmt_() functions. I have revert it and push it out. BTW, not related to this problem, the -j CHECKSUM --checksum-fill is something that libvirt generates or you using it there? During the last Netfilter workshop, we have had some discussions on this features, and people felt this is something actually not useful these days, so we kept it back in nftables. If there's a usecase for this, we can of course reconsider. Thanks! -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Sat, Jan 20, 2018 at 01:47:33PM +0100, Pablo Neira Ayuso wrote: > On Sat, Jan 20, 2018 at 10:21:44AM +0100, Pablo Neira Ayuso wrote: > > On Sat, Jan 20, 2018 at 05:11:18PM +1100, Duncan Roe wrote: > > > On Fri, Jan 19, 2018 at 03:27:57AM +0100, Pablo Neira Ayuso wrote: > > > > On Fri, Jan 19, 2018 at 12:48:15PM +1100, Duncan Roe wrote: > > > > > On Tue, Jan 16, 2018 at 11:39:30PM +0100, Pablo Neira Ayuso wrote: > > > > > > On Wed, Jan 17, 2018 at 08:52:17AM +1100, Duncan Roe wrote: > > > > > > > On Wed, Jan 17, 2018 at 07:45:54AM +1100, Duncan Roe wrote: > > > > > > > > On Tue, Jan 16, 2018 at 01:41:43PM +0100, Pablo Neira Ayuso wrote: > > > > > > > > > On Tue, Jan 16, 2018 at 02:15:37AM +0100, Pablo Neira Ayuso wrote: > > > > > > > > > > On Mon, Jan 15, 2018 at 12:45:32PM +1100, Duncan Roe WROTE: > > > > > > > > > > [...] > > > > > > > > Another alternative is: > > > > > > > > # iptables-restore-translate -f your_iptables_ruleset > > > > > > > > Hm, this is not documented in the wiki for some reason. > > > > > > Yes it is - section "Moving from iptables to nftables" under "Basic operation". > > > > > > > Although I now use nft (script attached), I just realised that since libvirt > > > sets up iptables rules, I could demo iptables-restore-translate working on them. > > > > > > > iptables-save > save.txt > > > > iptables-restore-translate -f save.txt > > > all looked good *except* > > > > # -t mangle -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill > > > Just for fun, I thought I'd see what iptables-compat did with that: > > > > iptables-compat -t mangle -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill > > > There was no error message and iptables-compat returned 0. But now: > > > > iptables-compat -t mangle -L > > > > ERROR: You're using nft features that cannot be mapped to iptables, please keep using nft. > > > and: > > > > nft list ruleset > > > > Segmentation fault (core dumped) > > > > This patch broke nft list ruleset: > > > > commit bce55916b51ec1a4c23322781e3b0c698ecc9561 > > Author: Varsha Rao <rvarsha016@gmail.com> > > Date: Wed Aug 16 19:48:13 2017 +0530 > > > > src: Remove xt_stmt_() functions. > > I have revert it and push it out. > > BTW, not related to this problem, the -j CHECKSUM --checksum-fill is > something that libvirt generates or you using it there? > > During the last Netfilter workshop, we have had some discussions on > this features, and people felt this is something actually not useful > these days, so we kept it back in nftables. > > If there's a usecase for this, we can of course reconsider. > > Thanks! -j CHECKSUM --checksum-fill is something that libvirt generates, Cheers ... Duncan. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Sat, Jan 20, 2018 at 01:47:33PM +0100, Pablo Neira Ayuso wrote: > On Sat, Jan 20, 2018 at 10:21:44AM +0100, Pablo Neira Ayuso wrote: > > On Sat, Jan 20, 2018 at 05:11:18PM +1100, Duncan Roe wrote: > > > On Fri, Jan 19, 2018 at 03:27:57AM +0100, Pablo Neira Ayuso wrote: > > > > On Fri, Jan 19, 2018 at 12:48:15PM +1100, Duncan Roe wrote: > > > > > On Tue, Jan 16, 2018 at 11:39:30PM +0100, Pablo Neira Ayuso wrote: > > > > > > On Wed, Jan 17, 2018 at 08:52:17AM +1100, Duncan Roe wrote: > > > > > > > On Wed, Jan 17, 2018 at 07:45:54AM +1100, Duncan Roe wrote: > > > > > > > > On Tue, Jan 16, 2018 at 01:41:43PM +0100, Pablo Neira Ayuso wrote: > > > > > > > > > On Tue, Jan 16, 2018 at 02:15:37AM +0100, Pablo Neira Ayuso wrote: > > > > > > > > > > On Mon, Jan 15, 2018 at 12:45:32PM +1100, Duncan Roe WROTE: > > > > > > > > > > [...] > > > > > > > > Another alternative is: > > > > > > > > # iptables-restore-translate -f your_iptables_ruleset > > > > > > > > Hm, this is not documented in the wiki for some reason. > > > > > > Yes it is - section "Moving from iptables to nftables" under "Basic operation". > > > > > > > Although I now use nft (script attached), I just realised that since libvirt > > > sets up iptables rules, I could demo iptables-restore-translate working on them. > > > > > > > iptables-save > save.txt > > > > iptables-restore-translate -f save.txt > > > all looked good *except* > > > > # -t mangle -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill > > > Just for fun, I thought I'd see what iptables-compat did with that: > > > > iptables-compat -t mangle -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill > > > There was no error message and iptables-compat returned 0. But now: > > > > iptables-compat -t mangle -L > > > > ERROR: You're using nft features that cannot be mapped to iptables, please keep using nft. > > > and: > > > > nft list ruleset > > > > Segmentation fault (core dumped) > > > > This patch broke nft list ruleset: > > > > commit bce55916b51ec1a4c23322781e3b0c698ecc9561 > > Author: Varsha Rao <rvarsha016@gmail.com> > > Date: Wed Aug 16 19:48:13 2017 +0530 > > > > src: Remove xt_stmt_() functions. > > I have revert it and push it out. > > BTW, not related to this problem, the -j CHECKSUM --checksum-fill is > something that libvirt generates or you using it there? > > During the last Netfilter workshop, we have had some discussions on > this features, and people felt this is something actually not useful > these days, so we kept it back in nftables. > > If there's a usecase for this, we can of course reconsider. > > Thanks! -j CHECKSUM --checksum-fill is something that libvirt generates, Cheers ... Duncan. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c index ffe342a7..472d8e7f 100644 --- a/extensions/libxt_hashlimit.c +++ b/extensions/libxt_hashlimit.c @@ -7,7 +7,7 @@ * Based on ipt_limit.c by * Jérôme de Vivie <devivie@info.enserb.u-bordeaux.fr> * Hervé Eychenne <rv@wallfire.org> - * + * * Error corections by nmalykh@bilim.com (22.01.2005) */ #define _BSD_SOURCE 1 @@ -1209,7 +1209,7 @@ static const struct rates rates_xlate[] = { { "second", XT_HASHLIMIT_SCALE_v2 } }; static void print_packets_rate_xlate(struct xt_xlate *xl, uint64_t avg, - uint64_t burst, int revision) + int revision) { unsigned int i; const struct rates *_rates = (revision == 1) ? @@ -1220,8 +1220,8 @@ static void print_packets_rate_xlate(struct xt_xlate *xl, uint64_t avg, _rates[i].mult / avg < _rates[i].mult % avg) break; - xt_xlate_add(xl, " %llu/%s burst %lu packets", - _rates[i-1].mult / avg, _rates[i-1].name, burst); + xt_xlate_add(xl, " %llu/%s ", + _rates[i-1].mult / avg, _rates[i-1].name); } static void print_bytes_rate_xlate(struct xt_xlate *xl, @@ -1341,7 +1341,9 @@ static int hashlimit_mt_xlate(struct xt_xlate *xl, const char *name, xt_xlate_add(xl, "flow table %s {", name); ret = hashlimit_mode_xlate(xl, cfg->mode, family, cfg->srcmask, cfg->dstmask); - xt_xlate_add(xl, " timeout %us limit rate", cfg->expire / 1000); + if (cfg->expire != 1000) + xt_xlate_add(xl, " timeout %us", cfg->expire / 1000); + xt_xlate_add(xl, " limit rate"); if (cfg->mode & XT_HASHLIMIT_INVERT) xt_xlate_add(xl, " over"); @@ -1349,8 +1351,9 @@ static int hashlimit_mt_xlate(struct xt_xlate *xl, const char *name, if (cfg->mode & XT_HASHLIMIT_BYTES) print_bytes_rate_xlate(xl, cfg); else - print_packets_rate_xlate(xl, cfg->avg, cfg->burst, revision); - + print_packets_rate_xlate(xl, cfg->avg, revision); + if (cfg->burst != 5) + xt_xlate_add(xl, " burst %lu packets", cfg->burst); xt_xlate_add(xl, "}"); return ret; @@ -1365,7 +1368,8 @@ static int hashlimit_xlate(struct xt_xlate *xl, xt_xlate_add(xl, "flow table %s {", info->name); ret = hashlimit_mode_xlate(xl, info->cfg.mode, NFPROTO_IPV4, 32, 32); xt_xlate_add(xl, " timeout %us limit rate", info->cfg.expire / 1000); - print_packets_rate_xlate(xl, info->cfg.avg, info->cfg.burst, 1); + print_packets_rate_xlate(xl, info->cfg.avg, 1); + xt_xlate_add(xl, " burst %lu packets", info->cfg.burst); xt_xlate_add(xl, "}"); return ret;
Do not print timeout and burst in case default values are used. For e.g. iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200/sec --hashlimit-mode srcip,dstport --hashlimit-name http1 -j DROP nft add rule ip filter INPUT tcp dport 80 flow table http1 { tcp dport . ip saddr limit rate over 200/second } counter drop Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> --- Changes in v2: -Simple comparison for default values extensions/libxt_hashlimit.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-)