Discussion:
[iptables-compat PATCH 1/3] ebtables-compat: fix print_header
Giuseppe Longo
2014-10-16 14:29:51 UTC
This prints the header like ebtables.

Signed-off-by: Giuseppe Longo <***@gmail.com>
---
iptables/nft-bridge.c | 3 +--
iptables/nft.c | 7 +++++--
2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index ab97881..1fe10ed 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -362,8 +362,7 @@ static void nft_bridge_print_header(unsigned int format, const char *chain,
const struct xt_counters *counters,
bool basechain, uint32_t refs)
{
- /* FIXME: Giuseppe replace this with ebtables format */
- print_header(format, chain, pol, counters, basechain, refs);
+ printf("Bridge chain: %s, entries: %u, policy: %s\n", chain, refs, pol);
}

static void nft_bridge_print_firewall(struct nft_rule *r, unsigned int num,
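
Review bot: In the new printf in nft_bridge_print_header, the "entries:" field is filled from refs, which the signature names as a reference count, while ebtables uses that field for the number of rules in the chain; pass the rule count in if that is what the output is meant to match. The format, counters and basechain parameters are also left unused after this change, which deserves a short comment in the function.
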
diff --git a/iptables/nft.c b/iptables/nft.c
index bab2834..0cdf027 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2006,6 +2006,9 @@ int nft_rule_list(struct nft_handle *h, const char *chain, const char *table,
if (iter == NULL)
goto err;

+ if (h->family == NFPROTO_BRIDGE)
+ printf("Bridge table: %s\n\n", table);
+
c = nft_chain_list_iter_next(iter);
while (c != NULL) {
const char *chain_table =
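
Review bot: The h->family == NFPROTO_BRIDGE test added before the chain loop puts bridge-specific output into the shared nft_rule_list(); the function already dispatches per-family printing through ops->print_header, so a per-family callback for the table header would keep iptables/nft.c family agnostic. The "Bridge table:" line is also printed before any chain has been matched, so it is emitted even when the loop ends up listing nothing.
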
@@ -2033,8 +2036,8 @@ int nft_rule_list(struct nft_handle *h, const char *chain, const char *table,
if (found)
printf("\n");

- ops->print_header(format, chain_name, policy_name[policy],
- &ctrs, basechain, refs);
+ ops->print_header(format, chain_name,
+ policy_name[policy], &ctrs, basechain, refs);

__nft_rule_list(h, chain_name, table,
rulenum, format, ops->print_firewall);
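
Review bot: Unrelated whitespace churn: the ops->print_header call is only re-wrapped, with the same arguments in the same order, so this hunk can be dropped to keep the patch limited to the header output change.
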
--
1.9.1

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Giuseppe Longo
2014-10-16 14:29:52 UTC
This fixes a syntax error, remove ; in an if statement

Signed-off-by: Giuseppe Longo <***@gmail.com>
---
iptables/nft-shared.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 2b87092..d6f838c 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -444,7 +444,7 @@ void nft_parse_cmp(struct nft_xt_ctx *ctx, struct nft_rule_expr *e)
if (ctx->flags & NFT_XT_CTX_META)
ops->parse_meta(ctx, e, data);
/* bitwise context is interpreted from payload */
- if (ctx->flags & NFT_XT_CTX_PAYLOAD);
+ if (ctx->flags & NFT_XT_CTX_PAYLOAD)
ops->parse_payload(ctx, e, data);
}
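
Review bot: The commit message should describe this as a behaviour fix rather than a syntax error: "if (ctx->flags & NFT_XT_CTX_PAYLOAD);" is valid C with an empty body, so ops->parse_payload(ctx, e, data) was being called regardless of the flag. Building with -Wempty-body (part of GCC's -Wextra) would flag this pattern if it reappears.
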
--
1.9.1

Pablo Neira Ayuso
2014-10-20 09:01:53 UTC
Post by Giuseppe Longo
This fixes a syntax error, remove ; in an if statement
Applied to master, thanks.
Giuseppe Longo
2014-10-16 14:29:53 UTC
The offset variable (undefined) is passed to DEBUGP function,
so you get a compilation error if you try to build iptables
with debug enabled

Signed-off-by: Giuseppe Longo <***@gmail.com>
---
iptables/nft-ipv4.c | 2 +-
iptables/nft-ipv6.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index eedcb50..a2c5806 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -205,7 +205,7 @@ static void nft_ipv4_parse_payload(struct nft_xt_ctx *ctx,
cs->fw.ip.invflags |= IPT_INV_FRAG;
break;
default:
- DEBUGP("unknown payload offset %d\n", offset);
+ DEBUGP("unknown payload offset %d\n", ctx->payload.offset);
break;
}
}
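
Review bot: In the default case of nft_ipv4_parse_payload, check that %d matches the type of ctx->payload.offset, which is not visible in this hunk; if the field is unsigned, %u is the right specifier. Since this line only compiles with debug enabled, a periodic debug build would catch this kind of breakage earlier.
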
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 2e50627..5489398 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -142,7 +142,7 @@ static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx,
if (inv)
cs->fw6.ipv6.invflags |= IPT_INV_PROTO;
default:
- DEBUGP("unknown payload offset %d\n", offset);
+ DEBUGP("unknown payload offset %d\n", ctx->payload.offset);
break;
}
}
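
Review bot: In nft_ipv6_parse_payload, the case ending with "cs->fw6.ipv6.invflags |= IPT_INV_PROTO;" has no break before "default:", so it falls through, and with this fix making the DEBUGP compile, a handled offset will be logged as "unknown payload offset" in debug builds. The IPv4 counterpart has a break before its default label; add one here as well.
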
--
1.9.1

Pablo Neira Ayuso
2014-10-20 09:02:37 UTC
Post by Giuseppe Longo
The offset variable (undefined) is passed to DEBUGP function,
so you get a compilation error if you try to build iptables
with debug enabled
Applied to master, thanks.

I have rebased the ebtables-compat branch again upon these fixes.
Pablo Neira Ayuso
2014-10-20 09:01:42 UTC
Post by Giuseppe Longo
This prints the header like ebtables.
Applied to the ebtables-compat branch. Thanks.
Pablo Neira Ayuso
2014-10-20 09:04:31 UTC
Post by Pablo Neira Ayuso
Post by Giuseppe Longo
This prints the header like ebtables.
Applied to the ebtables-compat branch. Thanks.
I forgot to say that I made a quick change, so the iptables/nft.c code
remains family agnostic.

See the new .print_table_header callback:

http://git.netfilter.org/iptables/commit/?h=ebtables-compat-experimental3&id=457c2065827cc05a4c30e27fd57da998550dd078