[PATCH v2] extensions: libxt_hashlimit: Do not print default timeout and burst

[PATCH v2] extensions: libxt_hashlimit: Do not print default timeout and burst

[Harsha Sharma]

Do not print timeout and burst in case default values are used.
For e.g.
iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit
--hashlimit-above 200/sec --hashlimit-mode srcip,dstport
--hashlimit-name http1 -j DROP

nft add rule ip filter INPUT tcp dport 80 flow table http1 { tcp dport .
ip saddr limit rate over 200/second } counter drop

Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
---
Changes in v2:
 -Simple comparison for default values

 extensions/libxt_hashlimit.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
index ffe342a7..472d8e7f 100644
--- a/extensions/libxt_hashlimit.c
+++ b/extensions/libxt_hashlimit.c
@@ -7,7 +7,7 @@
  * Based on ipt_limit.c by
  * Jérôme de Vivie   <devivie@info.enserb.u-bordeaux.fr>
  * Hervé Eychenne    <rv@wallfire.org>
- * 
+ *
  * Error corections by nmalykh@bilim.com (22.01.2005)
  */
 #define _BSD_SOURCE 1
@@ -1209,7 +1209,7 @@ static const struct rates rates_xlate[] = {
 	{ "second", XT_HASHLIMIT_SCALE_v2 } };
 
 static void print_packets_rate_xlate(struct xt_xlate *xl, uint64_t avg,
-				     uint64_t burst, int revision)
+				     int revision)
 {
 	unsigned int i;
 	const struct rates *_rates = (revision == 1) ?
@@ -1220,8 +1220,8 @@ static void print_packets_rate_xlate(struct xt_xlate *xl, uint64_t avg,
 		    _rates[i].mult / avg < _rates[i].mult % avg)
 			break;
 
-	xt_xlate_add(xl, " %llu/%s burst %lu packets",
-		     _rates[i-1].mult / avg, _rates[i-1].name, burst);
+	xt_xlate_add(xl, " %llu/%s ",
+		     _rates[i-1].mult / avg, _rates[i-1].name);
 }
 
 static void print_bytes_rate_xlate(struct xt_xlate *xl,
@@ -1341,7 +1341,9 @@ static int hashlimit_mt_xlate(struct xt_xlate *xl, const char *name,
 	xt_xlate_add(xl, "flow table %s {", name);
 	ret = hashlimit_mode_xlate(xl, cfg->mode, family,
 				   cfg->srcmask, cfg->dstmask);
-	xt_xlate_add(xl, " timeout %us limit rate", cfg->expire / 1000);
+	if (cfg->expire != 1000)
+		xt_xlate_add(xl, " timeout %us", cfg->expire / 1000);
+	xt_xlate_add(xl, " limit rate");
 
 	if (cfg->mode & XT_HASHLIMIT_INVERT)
 		xt_xlate_add(xl, " over");
@@ -1349,8 +1351,9 @@ static int hashlimit_mt_xlate(struct xt_xlate *xl, const char *name,
 	if (cfg->mode & XT_HASHLIMIT_BYTES)
 		print_bytes_rate_xlate(xl, cfg);
 	else
-		print_packets_rate_xlate(xl, cfg->avg, cfg->burst, revision);
-
+		print_packets_rate_xlate(xl, cfg->avg, revision);
+	if (cfg->burst != 5)
+		xt_xlate_add(xl, " burst %lu packets", cfg->burst);
 	xt_xlate_add(xl, "}");
 
 	return ret;
@@ -1365,7 +1368,8 @@ static int hashlimit_xlate(struct xt_xlate *xl,
 	xt_xlate_add(xl, "flow table %s {", info->name);
 	ret = hashlimit_mode_xlate(xl, info->cfg.mode, NFPROTO_IPV4, 32, 32);
 	xt_xlate_add(xl, " timeout %us limit rate", info->cfg.expire / 1000);
-	print_packets_rate_xlate(xl, info->cfg.avg, info->cfg.burst, 1);
+	print_packets_rate_xlate(xl, info->cfg.avg, 1);
+	xt_xlate_add(xl, " burst %lu packets", info->cfg.burst);
 	xt_xlate_add(xl, "}");
 
 	return ret;
-- 
2.11.0

Re: [PATCH v2] extensions: libxt_hashlimit: Do not print default timeout and burst

[Pablo Neira Ayuso]

Cc'ing Duncan.

On Thu, Dec 28, 2017 at 12:58:33PM +0530, Harsha Sharma wrote:
> Do not print timeout and burst in case default values are used.
> For e.g.
> iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit
> --hashlimit-above 200/sec --hashlimit-mode srcip,dstport
> --hashlimit-name http1 -j DROP
> 
> nft add rule ip filter INPUT tcp dport 80 flow table http1 { tcp dport .
> ip saddr limit rate over 200/second } counter drop

This is what I was asking for.

Applied, thanks Harsha.

@Duncan: I think you can update the wiki again after this, given that
now those values should not be printed.

Re: [PATCH v2] extensions: libxt_hashlimit: Do not print default timeout and burst

[Duncan Roe]

On Thu, Dec 28, 2017 at 11:52:36AM +0100, Pablo Neira Ayuso wrote:
> Cc'ing Duncan.

No need - I'm on netfilter-devel ;)
>
> On Thu, Dec 28, 2017 at 12:58:33PM +0530, Harsha Sharma wrote:
> > Do not print timeout and burst in case default values are used.
> > For e.g.
> > iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit
> > --hashlimit-above 200/sec --hashlimit-mode srcip,dstport
> > --hashlimit-name http1 -j DROP
> >
> > nft add rule ip filter INPUT tcp dport 80 flow table http1 { tcp dport .
> > ip saddr limit rate over 200/second } counter drop
>
> This is what I was asking for.
>
> Applied, thanks Harsha.
>
> @Duncan: I think you can update the wiki again after this, given that
> now those values should not be printed.

I tested after applying the patch and now the second example is broken:

> iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode srcip,dstport --hashlimit-name http2 --hashlimit-htable-expire 3000 -j DROP
> nft add rule ip filter INPUT tcp dport 80 flow table http2 { tcp dport . ip saddr timeout 3s limit rate over 200 kbytes/second burst 1 mbytes burst 6 packets} counter drop

The traling "burst 6 packets" should not be there.

I propose to leave the wiki until this is fixed.

Cheers ... Duncan.

Re: [PATCH v2] extensions: libxt_hashlimit: Do not print default timeout and burst

[Pablo Neira Ayuso]

Hi Harsha,

On Sun, Dec 31, 2017 at 09:51:10AM +1100, Duncan Roe wrote:
> On Thu, Dec 28, 2017 at 11:52:36AM +0100, Pablo Neira Ayuso wrote:
> > Cc'ing Duncan.
> 
> No need - I'm on netfilter-devel ;)
> >
> > On Thu, Dec 28, 2017 at 12:58:33PM +0530, Harsha Sharma wrote:
> > > Do not print timeout and burst in case default values are used.
> > > For e.g.
> > > iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit
> > > --hashlimit-above 200/sec --hashlimit-mode srcip,dstport
> > > --hashlimit-name http1 -j DROP
> > >
> > > nft add rule ip filter INPUT tcp dport 80 flow table http1 { tcp dport .
> > > ip saddr limit rate over 200/second } counter drop
> >
> > This is what I was asking for.
> >
> > Applied, thanks Harsha.
> >
> > @Duncan: I think you can update the wiki again after this, given that
> > now those values should not be printed.
> 
> I tested after applying the patch and now the second example is broken:
> 
> > iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode srcip,dstport --hashlimit-name http2 --hashlimit-htable-expire 3000 -j DROP
> > nft add rule ip filter INPUT tcp dport 80 flow table http2 { tcp dport . ip saddr timeout 3s limit rate over 200 kbytes/second burst 1 mbytes burst 6 packets} counter drop
> 
> The traling "burst 6 packets" should not be there.

Please, send a new patch to fix this as Duncan spots.

Thanks.

Re: [PATCH v2] extensions: libxt_hashlimit: Do not print default timeout and burst

[Duncan Roe]

Hi Pablo,

On Sun, Dec 31, 2017 at 12:16:30AM +0100, Pablo Neira Ayuso wrote:
> Hi Harsha,
>
> On Sun, Dec 31, 2017 at 09:51:10AM +1100, Duncan Roe wrote:
> > On Thu, Dec 28, 2017 at 11:52:36AM +0100, Pablo Neira Ayuso wrote:
> > > Cc'ing Duncan.
> >
> > No need - I'm on netfilter-devel ;)
> > >
> > > On Thu, Dec 28, 2017 at 12:58:33PM +0530, Harsha Sharma wrote:
> > > > Do not print timeout and burst in case default values are used.
> > > > For e.g.
> > > > iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit
> > > > --hashlimit-above 200/sec --hashlimit-mode srcip,dstport
> > > > --hashlimit-name http1 -j DROP
> > > >
> > > > nft add rule ip filter INPUT tcp dport 80 flow table http1 { tcp dport .
> > > > ip saddr limit rate over 200/second } counter drop
> > >
> > > This is what I was asking for.
> > >
> > > Applied, thanks Harsha.
> > >
> > > @Duncan: I think you can update the wiki again after this, given that
> > > now those values should not be printed.
> >
> > I tested after applying the patch and now the second example is broken:
> >
> > > iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode srcip,dstport --hashlimit-name http2 --hashlimit-htable-expire 3000 -j DROP
> > > nft add rule ip filter INPUT tcp dport 80 flow table http2 { tcp dport . ip saddr timeout 3s limit rate over 200 kbytes/second burst 1 mbytes burst 6 packets} counter drop
> >
> > The traling "burst 6 packets" should not be there.
>
It gets worse. Substitute 1000 for 3000 in the above:

> $ iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode srcip,dstport --hashlimit-name http2 --hashlimit-htable-expire 1000 -j DROP
> nft add rule ip filter INPUT tcp dport 80 flow table http2 { tcp dport . ip saddr limit rate over 200 kbytes/second burst 1 mbytes burst 6 packets} counter drop

Because I happened to specify the arbitrary default in my iptables command, it
did not propogate to nft at all.

I am working on a patch,

Cheers ... Duncan.

Re: [PATCH v2] extensions: libxt_hashlimit: Do not print default timeout and burst

[Pablo Neira Ayuso]

[-- Attachment #1: Type: text/plain, Size: 2172 bytes --]

On Wed, Jan 03, 2018 at 09:47:46AM +1100, Duncan Roe wrote:
> Hi Pablo,
> 
> On Sun, Dec 31, 2017 at 12:16:30AM +0100, Pablo Neira Ayuso wrote:
> > Hi Harsha,
> >
> > On Sun, Dec 31, 2017 at 09:51:10AM +1100, Duncan Roe wrote:
> > > On Thu, Dec 28, 2017 at 11:52:36AM +0100, Pablo Neira Ayuso wrote:
> > > > Cc'ing Duncan.
> > >
> > > No need - I'm on netfilter-devel ;)
> > > >
> > > > On Thu, Dec 28, 2017 at 12:58:33PM +0530, Harsha Sharma wrote:
> > > > > Do not print timeout and burst in case default values are used.
> > > > > For e.g.
> > > > > iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit
> > > > > --hashlimit-above 200/sec --hashlimit-mode srcip,dstport
> > > > > --hashlimit-name http1 -j DROP
> > > > >
> > > > > nft add rule ip filter INPUT tcp dport 80 flow table http1 { tcp dport .
> > > > > ip saddr limit rate over 200/second } counter drop
> > > >
> > > > This is what I was asking for.
> > > >
> > > > Applied, thanks Harsha.
> > > >
> > > > @Duncan: I think you can update the wiki again after this, given that
> > > > now those values should not be printed.
> > >
> > > I tested after applying the patch and now the second example is broken:
> > >
> > > > iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode srcip,dstport --hashlimit-name http2 --hashlimit-htable-expire 3000 -j DROP
> > > > nft add rule ip filter INPUT tcp dport 80 flow table http2 { tcp dport . ip saddr timeout 3s limit rate over 200 kbytes/second burst 1 mbytes burst 6 packets} counter drop
> > >
> > > The traling "burst 6 packets" should not be there.
> >
> It gets worse. Substitute 1000 for 3000 in the above:
> 
> > $ iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode srcip,dstport --hashlimit-name http2 --hashlimit-htable-expire 1000 -j DROP
> > nft add rule ip filter INPUT tcp dport 80 flow table http2 { tcp dport . ip saddr limit rate over 200 kbytes/second burst 1 mbytes burst 6 packets} counter drop

OK, so the problem is the extra "burst 6 packets".

This patch should fix this.

[-- Attachment #2: x.patch --]
[-- Type: text/x-diff, Size: 643 bytes --]

diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
index 472d8e7f6cc2..3fa5719127db 100644
--- a/extensions/libxt_hashlimit.c
+++ b/extensions/libxt_hashlimit.c
@@ -1350,10 +1350,12 @@ static int hashlimit_mt_xlate(struct xt_xlate *xl, const char *name,
 
 	if (cfg->mode & XT_HASHLIMIT_BYTES)
 		print_bytes_rate_xlate(xl, cfg);
-	else
+	else {
 		print_packets_rate_xlate(xl, cfg->avg, revision);
-	if (cfg->burst != 5)
-		xt_xlate_add(xl, " burst %lu packets", cfg->burst);
+		if (cfg->burst != XT_HASHLIMIT_BURST)
+			xt_xlate_add(xl, " burst %lu packets", cfg->burst);
+
+	}
 	xt_xlate_add(xl, "}");
 
 	return ret;

Re: [PATCH v2] extensions: libxt_hashlimit: Do not print default timeout and burst

[Duncan Roe]

On Wed, Jan 03, 2018 at 09:47:46AM +1100, Duncan Roe wrote:
> On Sun, Dec 31, 2017 at 12:16:30AM +0100, Pablo Neira Ayuso wrote:
...
> > > > @Duncan: I think you can update the wiki again after this, given that
> > > > now those values should not be printed.
> > >
The examples now work as intended, so I updated the wiki. (INPUT is now being
translated to input btw).

It is still the case that if the iptables command specifies default burst or
timeout then nothing is output for these, including the yetch case of specifying
a limit (with or w/out a burst) and getting no timeout.

I plan to look into that in February but have been rather busy getting ready for
LCA2018 where I'm giving a talk (on nftables).

Cheers ... Duncan.

Re: [PATCH v2] extensions: libxt_hashlimit: Do not print default timeout and burst

[Pablo Neira Ayuso]

On Mon, Jan 15, 2018 at 12:45:32PM +1100, Duncan Roe wrote:
> On Wed, Jan 03, 2018 at 09:47:46AM +1100, Duncan Roe wrote:
> > On Sun, Dec 31, 2017 at 12:16:30AM +0100, Pablo Neira Ayuso wrote:
> ...
> > > > > @Duncan: I think you can update the wiki again after this, given that
> > > > > now those values should not be printed.
> > > >
> The examples now work as intended, so I updated the wiki. (INPUT is now being
> translated to input btw).
> 
> It is still the case that if the iptables command specifies default burst or
> timeout then nothing is output for these, including the yetch case of specifying
> a limit (with or w/out a burst) and getting no timeout.

I think we should always print the timeout. This timeout depends on
umult which depends on the specified rate, inconditionally.

Burst, I think it's fine if we just provide a shorter translation
default value is specified.

Well, now the translation is correct as we don't print burst twice.

Anyway, if the translation is semantically correct and it works fine,
then this is fair good enough.

We're just provide a quick translation to ease migration, users will
have to look into specific nftables details sooner or later I guess.

Thanks.

Re: [PATCH v2] extensions: libxt_hashlimit: Do not print default timeout and burst

[Duncan Roe]

[-- Attachment #1: Type: text/plain, Size: 1618 bytes --]

On Fri, Jan 19, 2018 at 03:27:57AM +0100, Pablo Neira Ayuso wrote:
> On Fri, Jan 19, 2018 at 12:48:15PM +1100, Duncan Roe wrote:
> > On Tue, Jan 16, 2018 at 11:39:30PM +0100, Pablo Neira Ayuso wrote:
> > > On Wed, Jan 17, 2018 at 08:52:17AM +1100, Duncan Roe wrote:
> > > > On Wed, Jan 17, 2018 at 07:45:54AM +1100, Duncan Roe wrote:
> > > > > On Tue, Jan 16, 2018 at 01:41:43PM +0100, Pablo Neira Ayuso wrote:
> > > > > > On Tue, Jan 16, 2018 at 02:15:37AM +0100, Pablo Neira Ayuso wrote:
> > > > > > > On Mon, Jan 15, 2018 at 12:45:32PM +1100, Duncan Roe WROTE:
> > > > > > > [...]
>
> Another alternative is:
>
> # iptables-restore-translate -f your_iptables_ruleset
>
> Hm, this is not documented in the wiki for some reason.

Yes it is - section "Moving from iptables to nftables" under "Basic operation".
>
Although I now use nft (script attached), I just realised that since libvirt
sets up iptables rules, I could demo iptables-restore-translate working on them.

> iptables-save > save.txt
> iptables-restore-translate -f save.txt
all looked good *except*
> # -t mangle -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
Just for fun, I thought I'd see what iptables-compat did with that:
> iptables-compat -t mangle -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
There was no error message and iptables-compat returned 0. But now:
> iptables-compat -t mangle -L
> ERROR: You're using nft features that cannot be mapped to iptables, please keep using nft.
and:
> nft list ruleset
> Segmentation fault (core dumped)

Where to next?

Cheers ... Duncan.

[-- Attachment #2: rc.nftable_filter --]
[-- Type: text/plain, Size: 2161 bytes --]

#!/usr/sbin/nft -f
flush ruleset

# filter table (Firewall function)
# ====== ===== ========= =========

table ip IP \
{
  set TCP_DROP \
  {
    type inet_service
    elements = { 37, 111, 6000 }
  }                                ;# set PROTO
  set UDP_DROP \
  {
    type inet_service
    elements = { 37, 137, 138, 512 }
  }                                ;# set PROTO
  set TCP_ACCEPT { type inet_service; flags interval; }

  # A chain to inspect incoming (to this box) packets from cable modem

  chain FILTER_INPUT \
  {
    type filter hook input priority 0; policy accept;
    iif ne "wlan0" accept

    # Allow icmp but not too many
    # (only limit pings and other info requests)
    # N.B. This has to come before allowing related packets
    icmp type { echo-request, timestamp-request, info-request } \
      limit rate 5/second counter accept

    # Drop the excess
    icmp type { echo-request, timestamp-request, info-request } counter drop

    # All other icmp is OK
    meta l4proto icmp counter accept

    # Allow established and related pkts
    ct state established,related counter accept

    # Drop connection attempts to ports we want to keep private
    # (because we allow connections from some source ports)(?)
    # (i.e. drop these w/out logging)
    tcp dport @TCP_DROP counter drop
    udp dport @UDP_DROP counter drop

    # Allow bootps->bootpc udp
    # (i.e. allow dhcp requests / responses)
    udp sport . udp dport { 67 . 68 } counter accept

    # Allow DNS replies
    udp sport 53 counter accept

    # Allow server ports
    tcp dport @TCP_ACCEPT counter accept

    # bittorrent UDP uses port 1900 at both ends (not in /etc/service)
    udp sport . udp dport { 1900 . 1900 } counter accept

    # Drop everything else, logging interesting ones (tcp SYN mainly)
    counter jump logdrop
  }                                ;# chain FILTER_INPUT

  chain logdrop \
  {
    meta pkttype { broadcast } counter drop
    tcp flags & fin == fin counter drop
    counter log prefix "nft: " level debug drop
  }                                ;# chain logdrop
}                                  ;# table ip IP
list ruleset

Re: [PATCH v2] extensions: libxt_hashlimit: Do not print default timeout and burst

[Pablo Neira Ayuso]

On Sat, Jan 20, 2018 at 05:11:18PM +1100, Duncan Roe wrote:
> On Fri, Jan 19, 2018 at 03:27:57AM +0100, Pablo Neira Ayuso wrote:
> > On Fri, Jan 19, 2018 at 12:48:15PM +1100, Duncan Roe wrote:
> > > On Tue, Jan 16, 2018 at 11:39:30PM +0100, Pablo Neira Ayuso wrote:
> > > > On Wed, Jan 17, 2018 at 08:52:17AM +1100, Duncan Roe wrote:
> > > > > On Wed, Jan 17, 2018 at 07:45:54AM +1100, Duncan Roe wrote:
> > > > > > On Tue, Jan 16, 2018 at 01:41:43PM +0100, Pablo Neira Ayuso wrote:
> > > > > > > On Tue, Jan 16, 2018 at 02:15:37AM +0100, Pablo Neira Ayuso wrote:
> > > > > > > > On Mon, Jan 15, 2018 at 12:45:32PM +1100, Duncan Roe WROTE:
> > > > > > > > [...]
> >
> > Another alternative is:
> >
> > # iptables-restore-translate -f your_iptables_ruleset
> >
> > Hm, this is not documented in the wiki for some reason.
> 
> Yes it is - section "Moving from iptables to nftables" under "Basic operation".
> >
> Although I now use nft (script attached), I just realised that since libvirt
> sets up iptables rules, I could demo iptables-restore-translate working on them.
> 
> > iptables-save > save.txt
> > iptables-restore-translate -f save.txt
> all looked good *except*
> > # -t mangle -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> Just for fun, I thought I'd see what iptables-compat did with that:
> > iptables-compat -t mangle -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> There was no error message and iptables-compat returned 0. But now:
> > iptables-compat -t mangle -L
> > ERROR: You're using nft features that cannot be mapped to iptables, please keep using nft.
> and:
> > nft list ruleset
> > Segmentation fault (core dumped)

This patch broke nft list ruleset:

commit bce55916b51ec1a4c23322781e3b0c698ecc9561                                  
Author: Varsha Rao <rvarsha016@gmail.com>                                        
Date:   Wed Aug 16 19:48:13 2017 +0530                                           
                                                                                 
    src: Remove xt_stmt_() functions.    

Investigating.

Re: [PATCH v2] extensions: libxt_hashlimit: Do not print default timeout and burst

[Pablo Neira Ayuso]

On Sat, Jan 20, 2018 at 10:21:44AM +0100, Pablo Neira Ayuso wrote:
> On Sat, Jan 20, 2018 at 05:11:18PM +1100, Duncan Roe wrote:
> > On Fri, Jan 19, 2018 at 03:27:57AM +0100, Pablo Neira Ayuso wrote:
> > > On Fri, Jan 19, 2018 at 12:48:15PM +1100, Duncan Roe wrote:
> > > > On Tue, Jan 16, 2018 at 11:39:30PM +0100, Pablo Neira Ayuso wrote:
> > > > > On Wed, Jan 17, 2018 at 08:52:17AM +1100, Duncan Roe wrote:
> > > > > > On Wed, Jan 17, 2018 at 07:45:54AM +1100, Duncan Roe wrote:
> > > > > > > On Tue, Jan 16, 2018 at 01:41:43PM +0100, Pablo Neira Ayuso wrote:
> > > > > > > > On Tue, Jan 16, 2018 at 02:15:37AM +0100, Pablo Neira Ayuso wrote:
> > > > > > > > > On Mon, Jan 15, 2018 at 12:45:32PM +1100, Duncan Roe WROTE:
> > > > > > > > > [...]
> > >
> > > Another alternative is:
> > >
> > > # iptables-restore-translate -f your_iptables_ruleset
> > >
> > > Hm, this is not documented in the wiki for some reason.
> >
> > Yes it is - section "Moving from iptables to nftables" under "Basic operation".
> > >
> > Although I now use nft (script attached), I just realised that since libvirt
> > sets up iptables rules, I could demo iptables-restore-translate working on them.
> >
> > > iptables-save > save.txt
> > > iptables-restore-translate -f save.txt
> > all looked good *except*
> > > # -t mangle -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> > Just for fun, I thought I'd see what iptables-compat did with that:
> > > iptables-compat -t mangle -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> > There was no error message and iptables-compat returned 0. But now:
> > > iptables-compat -t mangle -L
> > > ERROR: You're using nft features that cannot be mapped to iptables, please keep using nft.
> > and:
> > > nft list ruleset
> > > Segmentation fault (core dumped)
>
> This patch broke nft list ruleset:
>
> commit bce55916b51ec1a4c23322781e3b0c698ecc9561
> Author: Varsha Rao <rvarsha016@gmail.com>
> Date:   Wed Aug 16 19:48:13 2017 +0530
>
>     src: Remove xt_stmt_() functions.

I have revert it and push it out.

BTW, not related to this problem, the -j CHECKSUM --checksum-fill is
something that libvirt generates or you using it there?

During the last Netfilter workshop, we have had some discussions on
this features, and people felt this is something actually not useful
these days, so we kept it back in nftables.

If there's a usecase for this, we can of course reconsider.

Thanks!

Re: [PATCH v2] extensions: libxt_hashlimit: Do not print default timeout and burst

[Duncan Roe]

On Sat, Jan 20, 2018 at 01:47:33PM +0100, Pablo Neira Ayuso wrote:
> On Sat, Jan 20, 2018 at 10:21:44AM +0100, Pablo Neira Ayuso wrote:
> > On Sat, Jan 20, 2018 at 05:11:18PM +1100, Duncan Roe wrote:
> > > On Fri, Jan 19, 2018 at 03:27:57AM +0100, Pablo Neira Ayuso wrote:
> > > > On Fri, Jan 19, 2018 at 12:48:15PM +1100, Duncan Roe wrote:
> > > > > On Tue, Jan 16, 2018 at 11:39:30PM +0100, Pablo Neira Ayuso wrote:
> > > > > > On Wed, Jan 17, 2018 at 08:52:17AM +1100, Duncan Roe wrote:
> > > > > > > On Wed, Jan 17, 2018 at 07:45:54AM +1100, Duncan Roe wrote:
> > > > > > > > On Tue, Jan 16, 2018 at 01:41:43PM +0100, Pablo Neira Ayuso wrote:
> > > > > > > > > On Tue, Jan 16, 2018 at 02:15:37AM +0100, Pablo Neira Ayuso wrote:
> > > > > > > > > > On Mon, Jan 15, 2018 at 12:45:32PM +1100, Duncan Roe WROTE:
> > > > > > > > > > [...]
> > > >
> > > > Another alternative is:
> > > >
> > > > # iptables-restore-translate -f your_iptables_ruleset
> > > >
> > > > Hm, this is not documented in the wiki for some reason.
> > >
> > > Yes it is - section "Moving from iptables to nftables" under "Basic operation".
> > > >
> > > Although I now use nft (script attached), I just realised that since libvirt
> > > sets up iptables rules, I could demo iptables-restore-translate working on them.
> > >
> > > > iptables-save > save.txt
> > > > iptables-restore-translate -f save.txt
> > > all looked good *except*
> > > > # -t mangle -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> > > Just for fun, I thought I'd see what iptables-compat did with that:
> > > > iptables-compat -t mangle -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> > > There was no error message and iptables-compat returned 0. But now:
> > > > iptables-compat -t mangle -L
> > > > ERROR: You're using nft features that cannot be mapped to iptables, please keep using nft.
> > > and:
> > > > nft list ruleset
> > > > Segmentation fault (core dumped)
> >
> > This patch broke nft list ruleset:
> >
> > commit bce55916b51ec1a4c23322781e3b0c698ecc9561
> > Author: Varsha Rao <rvarsha016@gmail.com>
> > Date:   Wed Aug 16 19:48:13 2017 +0530
> >
> >     src: Remove xt_stmt_() functions.
>
> I have revert it and push it out.
>
> BTW, not related to this problem, the -j CHECKSUM --checksum-fill is
> something that libvirt generates or you using it there?
>
> During the last Netfilter workshop, we have had some discussions on
> this features, and people felt this is something actually not useful
> these days, so we kept it back in nftables.
>
> If there's a usecase for this, we can of course reconsider.
>
> Thanks!

-j CHECKSUM --checksum-fill is something that libvirt generates,

Cheers ... Duncan.

Re: [PATCH v2] extensions: libxt_hashlimit: Do not print default timeout and burst

[Duncan Roe]

On Sat, Jan 20, 2018 at 01:47:33PM +0100, Pablo Neira Ayuso wrote:
> On Sat, Jan 20, 2018 at 10:21:44AM +0100, Pablo Neira Ayuso wrote:
> > On Sat, Jan 20, 2018 at 05:11:18PM +1100, Duncan Roe wrote:
> > > On Fri, Jan 19, 2018 at 03:27:57AM +0100, Pablo Neira Ayuso wrote:
> > > > On Fri, Jan 19, 2018 at 12:48:15PM +1100, Duncan Roe wrote:
> > > > > On Tue, Jan 16, 2018 at 11:39:30PM +0100, Pablo Neira Ayuso wrote:
> > > > > > On Wed, Jan 17, 2018 at 08:52:17AM +1100, Duncan Roe wrote:
> > > > > > > On Wed, Jan 17, 2018 at 07:45:54AM +1100, Duncan Roe wrote:
> > > > > > > > On Tue, Jan 16, 2018 at 01:41:43PM +0100, Pablo Neira Ayuso wrote:
> > > > > > > > > On Tue, Jan 16, 2018 at 02:15:37AM +0100, Pablo Neira Ayuso wrote:
> > > > > > > > > > On Mon, Jan 15, 2018 at 12:45:32PM +1100, Duncan Roe WROTE:
> > > > > > > > > > [...]
> > > >
> > > > Another alternative is:
> > > >
> > > > # iptables-restore-translate -f your_iptables_ruleset
> > > >
> > > > Hm, this is not documented in the wiki for some reason.
> > >
> > > Yes it is - section "Moving from iptables to nftables" under "Basic operation".
> > > >
> > > Although I now use nft (script attached), I just realised that since libvirt
> > > sets up iptables rules, I could demo iptables-restore-translate working on them.
> > >
> > > > iptables-save > save.txt
> > > > iptables-restore-translate -f save.txt
> > > all looked good *except*
> > > > # -t mangle -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> > > Just for fun, I thought I'd see what iptables-compat did with that:
> > > > iptables-compat -t mangle -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> > > There was no error message and iptables-compat returned 0. But now:
> > > > iptables-compat -t mangle -L
> > > > ERROR: You're using nft features that cannot be mapped to iptables, please keep using nft.
> > > and:
> > > > nft list ruleset
> > > > Segmentation fault (core dumped)
> >
> > This patch broke nft list ruleset:
> >
> > commit bce55916b51ec1a4c23322781e3b0c698ecc9561
> > Author: Varsha Rao <rvarsha016@gmail.com>
> > Date:   Wed Aug 16 19:48:13 2017 +0530
> >
> >     src: Remove xt_stmt_() functions.
>
> I have revert it and push it out.
>
> BTW, not related to this problem, the -j CHECKSUM --checksum-fill is
> something that libvirt generates or you using it there?
>
> During the last Netfilter workshop, we have had some discussions on
> this features, and people felt this is something actually not useful
> these days, so we kept it back in nftables.
>
> If there's a usecase for this, we can of course reconsider.
>
> Thanks!

-j CHECKSUM --checksum-fill is something that libvirt generates,

Cheers ... Duncan.