netfilter-devel.vger.kernel.org archive mirror
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Netfilter Development <netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH v2] extensions: libxt_hashlimit: Do not print default timeout and burst
Date: Sat, 20 Jan 2018 13:47:33 +0100
Message-ID: <20180120124733.p5lnv4jcqai3xehs@salvia>
In-Reply-To: <20180120092144.hmw3lufspn25lgc2@salvia>

On Sat, Jan 20, 2018 at 10:21:44AM +0100, Pablo Neira Ayuso wrote:
> On Sat, Jan 20, 2018 at 05:11:18PM +1100, Duncan Roe wrote:
> > On Fri, Jan 19, 2018 at 03:27:57AM +0100, Pablo Neira Ayuso wrote:
> > > On Fri, Jan 19, 2018 at 12:48:15PM +1100, Duncan Roe wrote:
> > > > On Tue, Jan 16, 2018 at 11:39:30PM +0100, Pablo Neira Ayuso wrote:
> > > > > On Wed, Jan 17, 2018 at 08:52:17AM +1100, Duncan Roe wrote:
> > > > > > On Wed, Jan 17, 2018 at 07:45:54AM +1100, Duncan Roe wrote:
> > > > > > > On Tue, Jan 16, 2018 at 01:41:43PM +0100, Pablo Neira Ayuso wrote:
> > > > > > > > On Tue, Jan 16, 2018 at 02:15:37AM +0100, Pablo Neira Ayuso wrote:
> > > > > > > > > > On Mon, Jan 15, 2018 at 12:45:32PM +1100, Duncan Roe wrote:
> > > > > > > > > [...]
> > >
> > > Another alternative is:
> > >
> > > # iptables-restore-translate -f your_iptables_ruleset
> > >
> > > Hm, this is not documented in the wiki for some reason.
> >
> > Yes it is - section "Moving from iptables to nftables" under "Basic operation".
> > >
> > Although I now use nft (script attached), I just realised that since libvirt
> > sets up iptables rules, I could demo iptables-restore-translate working on them.
> >
> > > iptables-save > save.txt
> > > iptables-restore-translate -f save.txt
> > all looked good *except*
> > > # -t mangle -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> > Just for fun, I thought I'd see what iptables-compat did with that:
> > > iptables-compat -t mangle -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> > There was no error message and iptables-compat returned 0. But now:
> > > iptables-compat -t mangle -L
> > > ERROR: You're using nft features that cannot be mapped to iptables, please keep using nft.
> > and:
> > > nft list ruleset
> > > Segmentation fault (core dumped)
>
> This patch broke nft list ruleset:
>
> commit bce55916b51ec1a4c23322781e3b0c698ecc9561
> Author: Varsha Rao <rvarsha016@gmail.com>
> Date:   Wed Aug 16 19:48:13 2017 +0530
>
>     src: Remove xt_stmt_() functions.

I have reverted it and pushed it out.

BTW, not related to this problem, is the -j CHECKSUM --checksum-fill
something that libvirt generates, or are you using it there?

During the last Netfilter workshop, we had some discussions on
this feature, and people felt this is something actually not useful
these days, so we kept it back in nftables.

If there's a use case for this, we can of course reconsider.

Thanks!
