
extensions: libxt_statistic: Add translation to nft

Message ID 20160229212216.GA29706@sonyv
State Changes Requested
Delegated to: Pablo Neira

Commit Message

nevola Feb. 29, 2016, 9:22 p.m. UTC
Add translation for random to nftables.

Examples:

$ iptables-translate -A INPUT -m statistic --mode random --probability 0.1 -j ACCEPT
nft add rule ip filter INPUT meta random 0.10000000009 counter accept

$ iptables-translate -A INPUT -m statistic --mode random ! --probability 0.1 -j ACCEPT
nft add rule ip filter INPUT meta random != 0.10000000009 counter accept

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
---
 extensions/libxt_statistic.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

Comments

Shivani Bhardwaj March 1, 2016, 9:51 a.m. UTC | #1
On Tue, Mar 1, 2016 at 2:52 AM, Laura Garcia Liebana <nevola@gmail.com> wrote:

Hi Laura,

> Add translation for random to nftables.
>
Here, you are providing translation for module statistic, random is
just a mode for matching the rule. Please make sure to use correct
module name in the commit message next time.

> Examples:
>
> $ iptables-translate -A INPUT -m statistic --mode random --probability
> 0.1 -j ACCEPT
> nft add rule ip filter INPUT meta random 0.10000000009 counter accept
>
> $ iptables-translate -A INPUT -m statistic --mode random ! --probability
> 0.1 -j ACCEPT
> nft add rule ip filter INPUT meta random != 0.10000000009 counter accept
>

The match statistic is not yet supported in nftables, so these
translations are not going to work. You can track the supported
extensions here:
http://wiki.nftables.org/wiki-nftables/index.php/Supported_features_compared_to_xtables,
you can edit any discrepancies you find on this page.

> Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
> ---
>  extensions/libxt_statistic.c | 15 +++++++++++++++
>  1 file changed, 15 insertions(+)
>
> diff --git a/extensions/libxt_statistic.c b/extensions/libxt_statistic.c
> index b6ae5f5..95d588c 100644
> --- a/extensions/libxt_statistic.c
> +++ b/extensions/libxt_statistic.c
> @@ -133,6 +133,20 @@ static void statistic_save(const void *ip, const struct xt_entry_match *match)
>         print_match(info, "--");
>  }
>
> +static int statistic_xlate(const struct xt_entry_match *match,
> +                          struct xt_xlate *xl, int numeric)
> +{
> +       const struct xt_statistic_info *info = (void *)match->data;
> +
> +       if (info->mode == XT_STATISTIC_MODE_RANDOM) {
> +               xt_xlate_add(xl, "meta random%s %.11f ",
> +                            (info->flags & XT_STATISTIC_INVERT) ? " !=" : "",
> +                            1.0 * info->u.random.probability / 0x80000000);
> +       }
> +
> +       return 1;
> +}
> +
>  static struct xtables_match statistic_match = {
>         .family         = NFPROTO_UNSPEC,
>         .name           = "statistic",
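Review bot: in the xt_xlate_add() call, `%.11f` applied to `info->u.random.probability / 0x80000000` prints the stored fixed-point fraction rather than the value the user typed, which is why the commit message shows 0.10000000009 for `--probability 0.1`. Consider a precision that reads back as the original value, or state in the commit log that the extra digits are expected, so that a translated ruleset can be compared against the iptables one it came from.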
> @@ -145,6 +159,7 @@ static struct xtables_match statistic_match = {
>         .print          = statistic_print,
>         .save           = statistic_save,
>         .x6_options     = statistic_opts,
> +       .xlate          = statistic_xlate,
>  };
>
The way you've written the code to carry out the translation is correct.
Please make sure to check your patches with checkpatch to avoid coding
style errors.

Thanks,
Shivani

>  void _init(void)
> --
> 2.7.0
>
> --
> You received this message because you are subscribed to the Google Groups "outreachy-kernel" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to outreachy-kernel+unsubscribe@googlegroups.com.
> To post to this group, send email to outreachy-kernel@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/outreachy-kernel/20160229212216.GA29706%40sonyv.
> For more options, visit https://groups.google.com/d/optout.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Pablo Neira Ayuso March 1, 2016, 10:13 a.m. UTC | #2
On Tue, Mar 01, 2016 at 03:21:24PM +0530, Shivani Bhardwaj wrote:
> On Tue, Mar 1, 2016 at 2:52 AM, Laura Garcia Liebana <nevola@gmail.com> wrote:
> 
> Hi Laura,
> 
> > Add translation for random to nftables.
> >
> Here, you are providing translation for module statistic, random is
> just a mode for matching the rule. Please make sure to use correct
> module name in the commit message next time.
> 
> > Examples:
> >
> > $ iptables-translate -A INPUT -m statistic --mode random --probability
> > 0.1 -j ACCEPT
> > nft add rule ip filter INPUT meta random 0.10000000009 counter accept
> >
> > $ iptables-translate -A INPUT -m statistic --mode random ! --probability
> > 0.1 -j ACCEPT
> > nft add rule ip filter INPUT meta random != 0.10000000009 counter accept
> >
> 
> The match statistic is not yet supported in nftables, so these
> translations are not going to work. You can track the supported
> extensions here:
> http://wiki.nftables.org/wiki-nftables/index.php/Supported_features_compared_to_xtables,
> you can edit any discrepancies you find on this page.

I'm seeing here that there are partial translations that are not in
the tree.

I would like to have them merged upstream, no need to wait to fully
support every extension, we can document these limitations in the wiki
and the commit log.

IIRC, if the .xlate indirection returns 0, then it means no
translation is available. We can use that for things that we don't
support yet.

nevola March 1, 2016, 3:49 p.m. UTC | #3
On Tue, Mar 01, 2016 at 03:21:24PM +0530, Shivani Bhardwaj wrote:
> On Tue, Mar 1, 2016 at 2:52 AM, Laura Garcia Liebana <nevola@gmail.com> wrote:
> 
> Hi Laura,
> 
> > Add translation for random to nftables.
> >
> Here, you are providing translation for module statistic, random is
> just a mode for matching the rule. Please make sure to use correct
> module name in the commit message next time.
> 

Hi Shivani,

The translation is only for random because the mode nth is not implemented in nft yet.


> > Examples:
> >
> > $ iptables-translate -A INPUT -m statistic --mode random --probability
> > 0.1 -j ACCEPT
> > nft add rule ip filter INPUT meta random 0.10000000009 counter accept
> >
> > $ iptables-translate -A INPUT -m statistic --mode random ! --probability
> > 0.1 -j ACCEPT
> > nft add rule ip filter INPUT meta random != 0.10000000009 counter accept
> >
> 
> The match statistic is not yet supported in nftables, so these
> translations are not going to work. You can track the supported
> extensions here:
> http://wiki.nftables.org/wiki-nftables/index.php/Supported_features_compared_to_xtables,
> you can edit any discrepancies you find on this page.
> 

The nf-next branch includes the random feature and it's working perfectly for me. Should I have to update something in the wiki?


> > Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
> > ---
> >  extensions/libxt_statistic.c | 15 +++++++++++++++
> >  1 file changed, 15 insertions(+)
> >
> > diff --git a/extensions/libxt_statistic.c b/extensions/libxt_statistic.c
> > index b6ae5f5..95d588c 100644
> > --- a/extensions/libxt_statistic.c
> > +++ b/extensions/libxt_statistic.c
> > @@ -133,6 +133,20 @@ static void statistic_save(const void *ip, const struct xt_entry_match *match)
> >         print_match(info, "--");
> >  }
> >
> > +static int statistic_xlate(const struct xt_entry_match *match,
> > +                          struct xt_xlate *xl, int numeric)
> > +{
> > +       const struct xt_statistic_info *info = (void *)match->data;
> > +
> > +       if (info->mode == XT_STATISTIC_MODE_RANDOM) {
> > +               xt_xlate_add(xl, "meta random%s %.11f ",
> > +                            (info->flags & XT_STATISTIC_INVERT) ? " !=" : "",
> > +                            1.0 * info->u.random.probability / 0x80000000);
> > +       }
> > +
> > +       return 1;
> > +}
> > +
> >  static struct xtables_match statistic_match = {
> >         .family         = NFPROTO_UNSPEC,
> >         .name           = "statistic",
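Review bot: the XT_STATISTIC_INVERT case in the xt_xlate_add() call emits `meta random != <value>`, and neither the patch nor the commit message says how nft evaluates that expression. Please confirm and document that it selects the complementary share of packets rather than testing the random number for inequality with one value, since the two would match very different fractions of traffic and change what the translated rule lets through.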
> > @@ -145,6 +159,7 @@ static struct xtables_match statistic_match = {
> >         .print          = statistic_print,
> >         .save           = statistic_save,
> >         .x6_options     = statistic_opts,
> > +       .xlate          = statistic_xlate,
> >  };
> >
> The way you've written the code to carry out the translation is correct.

Ok, thanks for your confirmation.

> Please make sure to check your patches with checkpatch to avoid coding
> style errors.
> 

Sure,

Thanks!

> Thanks,
> Shivani
> 
> >  void _init(void)
> > --
> > 2.7.0
> >
nevola March 1, 2016, 3:56 p.m. UTC | #4
On Tue, Mar 01, 2016 at 11:13:31AM +0100, Pablo Neira Ayuso wrote:
> 
> I would like to have them merged upstream, no need to wait to fully
> support every extension, we can document these limitations in the wiki
> and the commit log.
> 
> IIRC, if the .xlate indirection returns 0, then it means no
> translation is available. We can use that for things that we don't
> support yet.
>

Hi Pablo, should I have to include this in the patch?

Thanks.

Pablo Neira Ayuso March 1, 2016, 7 p.m. UTC | #5
On Tue, Mar 01, 2016 at 04:56:59PM +0100, Laura Garcia wrote:
> On Tue, Mar 01, 2016 at 11:13:31AM +0100, Pablo Neira Ayuso wrote:
> > 
> > I would like to have them merged upstream, no need to wait to fully
> > support every extension, we can document these limitations in the wiki
> > and the commit log.
> > 
> > IIRC, if the .xlate indirection returns 0, then it means no
> > translation is available. We can use that for things that we don't
> > support yet.
> >
> 
> Hi Pablo, should I have to include this in the patch?

Yes please.

Address Shivani's feedback and send a v2. Thanks Laura.
Pablo Neira Ayuso March 1, 2016, 7:20 p.m. UTC | #6
On Tue, Mar 01, 2016 at 04:49:36PM +0100, Laura Garcia wrote:
> On Tue, Mar 01, 2016 at 03:21:24PM +0530, Shivani Bhardwaj wrote:
> > On Tue, Mar 1, 2016 at 2:52 AM, Laura Garcia Liebana <nevola@gmail.com> wrote:
> > 
> > Hi Laura,
> > 
> > > Add translation for random to nftables.
> > >
> > Here, you are providing translation for module statistic, random is
> > just a mode for matching the rule. Please make sure to use correct
> > module name in the commit message next time.
> > 
> 
> Hi Shivani,
> 
> The translation is only for random because the mode nth is not implemented in nft yet.
> 
> 
> > > Examples:
> > >
> > > $ iptables-translate -A INPUT -m statistic --mode random --probability
> > > 0.1 -j ACCEPT
> > > nft add rule ip filter INPUT meta random 0.10000000009 counter accept
> > >
> > > $ iptables-translate -A INPUT -m statistic --mode random ! --probability
> > > 0.1 -j ACCEPT
> > > nft add rule ip filter INPUT meta random != 0.10000000009 counter accept
> > >
> > 
> > The match statistic is not yet supported in nftables, so these
> > translations are not going to work. You can track the supported
> > extensions here:
> > http://wiki.nftables.org/wiki-nftables/index.php/Supported_features_compared_to_xtables,
> > you can edit any discrepancies you find on this page.
> > 
> 
> The nf-next branch includes the random feature and it's working
> perfectly for me. Should I have to update something in the wiki?

The nf-next tree is OK for this. The sooner we get a translation, the
better.

Yes please, update the wiki page once this hits the master branch.

Thanks.
Patch

diff --git a/extensions/libxt_statistic.c b/extensions/libxt_statistic.c
index b6ae5f5..95d588c 100644
--- a/extensions/libxt_statistic.c
+++ b/extensions/libxt_statistic.c
@@ -133,6 +133,20 @@  static void statistic_save(const void *ip, const struct xt_entry_match *match)
 	print_match(info, "--");
 }
 
+static int statistic_xlate(const struct xt_entry_match *match,
+			   struct xt_xlate *xl, int numeric)
+{
+	const struct xt_statistic_info *info = (void *)match->data;
+
+	if (info->mode == XT_STATISTIC_MODE_RANDOM) {
+		xt_xlate_add(xl, "meta random%s %.11f ",
+			     (info->flags & XT_STATISTIC_INVERT) ? " !=" : "",
+			     1.0 * info->u.random.probability / 0x80000000);
+	}
+
+	return 1;
+}
+
 static struct xtables_match statistic_match = {
 	.family		= NFPROTO_UNSPEC,
 	.name		= "statistic",
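Review bot: `return 1;` at the end of statistic_xlate() is unconditional, so a rule whose mode is not XT_STATISTIC_MODE_RANDOM adds nothing to the output and is still reported as translated. The resulting nft rule would carry no statistic match and apply its verdict to every packet instead of a sample. Return 0 when the mode is not random, which the thread identifies as the signal for "no translation available", and keep `return 1;` inside the random branch.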
@@ -145,6 +159,7 @@  static struct xtables_match statistic_match = {
 	.print		= statistic_print,
 	.save		= statistic_save,
 	.x6_options	= statistic_opts,
+	.xlate		= statistic_xlate,
 };
 
 void _init(void)
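Review bot: `.xlate = statistic_xlate` registers the callback for the statistic match as a whole, while the commit message and its examples cover only `--mode random`. State in the commit log which modes are translated and which are not, so that users of iptables-translate know the limitation before relying on the output.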