* [nft PATCH] files: Move netdev-ingress.nft to /etc/nftables as well
From: Phil Sutter @ 2019-06-24 15:12 UTC
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Commit 13535a3b40b62 ("files: restore base table skeletons") moved
config skeletons back from examples/ to /etc/nftables/ directory, but
ignored the fact that commit 6c9230e79339c ("nftables: rearrange files
and examples") added a new file 'netdev-ingress.nft' which is referenced
from 'all-in-one.nft' as well.
Fixes: 13535a3b40b62 ("files: restore base table skeletons")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
files/nftables/Makefile.am | 3 ++-
files/{examples => nftables}/netdev-ingress.nft | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
rename files/{examples => nftables}/netdev-ingress.nft (87%)
diff --git a/files/nftables/Makefile.am b/files/nftables/Makefile.am
index f18156d844e5c..a93b7978f62d4 100644
--- a/files/nftables/Makefile.am
+++ b/files/nftables/Makefile.am
@@ -10,7 +10,8 @@ dist_pkgsysconf_DATA = all-in-one.nft \
ipv6-filter.nft \
ipv6-mangle.nft \
ipv6-nat.nft \
- ipv6-raw.nft
+ ipv6-raw.nft \
+ netdev-ingress.nft
install-data-hook:
${SED} -i 's|@sbindir[@]|${sbindir}/|g' ${DESTDIR}${pkgsysconfdir}/*.nft
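Review bot: The install-data-hook in the trailing context of this hunk runs sed -i over ${DESTDIR}${pkgsysconfdir}/*.nft rather than over the files named in dist_pkgsysconf_DATA, and the newly listed netdev-ingress.nft now depends on that hook to get a usable shebang. With a glob, every .nft file already present in that directory on a non-staged install is passed through sed -i as well, including files the package does not ship. Consider looping over $(dist_pkgsysconf_DATA) in the hook so that only the installed skeletons are rewritten.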
diff --git a/files/examples/netdev-ingress.nft b/files/nftables/netdev-ingress.nft
similarity index 87%
rename from files/examples/netdev-ingress.nft
rename to files/nftables/netdev-ingress.nft
index 2585d15493885..9e46b15a7e596 100755
--- a/files/examples/netdev-ingress.nft
+++ b/files/nftables/netdev-ingress.nft
@@ -1,4 +1,4 @@
-#!/usr/sbin/nft -f
+#!@sbindir@nft -f
# mind the NIC, it must exists
table netdev filter {
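Review bot: The new shebang '#!@sbindir@nft -f' has no slash between the placeholder and 'nft', so it only produces a valid interpreter path because the sed expression in files/nftables/Makefile.am replaces the token with '${sbindir}/' including the trailing slash; if that replacement ever loses the slash, the result is a path like /usr/sbinnft. The commit message describes only the move, so the shebang change and its dependency on the hook deserve a sentence there. The file also keeps mode 100755 while no longer being runnable from the source tree until the placeholder has been substituted, which is worth either noting or dropping the executable bit for.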
--
2.21.0
* Re: [nft PATCH] files: Move netdev-ingress.nft to /etc/nftables as well
From: Florian Westphal @ 2019-06-24 15:14 UTC
To: Phil Sutter; +Cc: Pablo Neira Ayuso, netfilter-devel
Phil Sutter <phil@nwl.cc> wrote:
> Commit 13535a3b40b62 ("files: restore base table skeletons") moved
> config skeletons back from examples/ to /etc/nftables/ directory, but
> ignored the fact that commit 6c9230e79339c ("nftables: rearrange files
> and examples") added a new file 'netdev-ingress.nft' which is referenced
> from 'all-in-one.nft' as well.
Right. Do you think we should also add in inet-nat.nft example,
or even replace the ipvX- ones?
* Re: [nft PATCH] files: Move netdev-ingress.nft to /etc/nftables as well
From: Phil Sutter @ 2019-06-24 16:24 UTC
To: Florian Westphal; +Cc: Pablo Neira Ayuso, netfilter-devel
Hi Florian,
On Mon, Jun 24, 2019 at 05:14:46PM +0200, Florian Westphal wrote:
> Phil Sutter <phil@nwl.cc> wrote:
> > Commit 13535a3b40b62 ("files: restore base table skeletons") moved
> > config skeletons back from examples/ to /etc/nftables/ directory, but
> > ignored the fact that commit 6c9230e79339c ("nftables: rearrange files
> > and examples") added a new file 'netdev-ingress.nft' which is referenced
> > from 'all-in-one.nft' as well.
>
> Right. Do you think we should also add in inet-nat.nft example,
> or even replace the ipvX- ones?
Having an inet family nat example would be wonderful! Can inet NAT
replace IPvX-ones completely or are there any limitations as to what is
possible in rules?
Cheers, Phil
* Re: [nft PATCH] files: Move netdev-ingress.nft to /etc/nftables as well
From: Florian Westphal @ 2019-06-24 16:49 UTC
To: Phil Sutter, Florian Westphal, Pablo Neira Ayuso, netfilter-devel
Phil Sutter <phil@nwl.cc> wrote:
> > Right. Do you think we should also add in inet-nat.nft example,
> > or even replace the ipvX- ones?
>
> Having an inet family nat example would be wonderful! Can inet NAT
> replace IPvX-ones completely or are there any limitations as to what is
> possible in rules?
I'm not aware of any limitations.
* Re: [nft PATCH] files: Move netdev-ingress.nft to /etc/nftables as well
From: Pablo Neira Ayuso @ 2019-06-25 0:24 UTC
To: Florian Westphal; +Cc: Phil Sutter, netfilter-devel
On Mon, Jun 24, 2019 at 06:49:41PM +0200, Florian Westphal wrote:
> Phil Sutter <phil@nwl.cc> wrote:
> > > Right. Do you think we should also add in inet-nat.nft example,
> > > or even replace the ipvX- ones?
> >
> > Having an inet family nat example would be wonderful! Can inet NAT
> > replace IPvX-ones completely or are there any limitations as to what is
> > possible in rules?
>
> I'm not aware of any limitations.
Only limitation is that older kernels do not support NAT for the inet
family.
* Re: [nft PATCH] files: Move netdev-ingress.nft to /etc/nftables as well
From: Phil Sutter @ 2019-07-03 10:56 UTC
To: Pablo Neira Ayuso; +Cc: Florian Westphal, netfilter-devel
On Tue, Jun 25, 2019 at 02:24:04AM +0200, Pablo Neira Ayuso wrote:
> On Mon, Jun 24, 2019 at 06:49:41PM +0200, Florian Westphal wrote:
> > Phil Sutter <phil@nwl.cc> wrote:
> > > > Right. Do you think we should also add in inet-nat.nft example,
> > > > or even replace the ipvX- ones?
> > >
> > > Having an inet family nat example would be wonderful! Can inet NAT
> > > replace IPvX-ones completely or are there any limitations as to what is
> > > possible in rules?
> >
> > I'm not aware of any limitations.
>
> Only limitation is that older kernels do not support NAT for the inet
> family.
OK, so maybe add inet NAT example but not delete ip/ip6 ones?
What is the status regarding my patch, please? I think fixing
netdev-ingress.nft location is unrelated to this discussion, right?
Cheers, Phil
* Re: [nft PATCH] files: Move netdev-ingress.nft to /etc/nftables as well
From: Pablo Neira Ayuso @ 2019-07-03 11:06 UTC
To: Phil Sutter, Florian Westphal, netfilter-devel
On Wed, Jul 03, 2019 at 12:56:00PM +0200, Phil Sutter wrote:
> On Tue, Jun 25, 2019 at 02:24:04AM +0200, Pablo Neira Ayuso wrote:
> > On Mon, Jun 24, 2019 at 06:49:41PM +0200, Florian Westphal wrote:
> > > Phil Sutter <phil@nwl.cc> wrote:
> > > > > Right. Do you think we should also add in inet-nat.nft example,
> > > > > or even replace the ipvX- ones?
> > > >
> > > > Having an inet family nat example would be wonderful! Can inet NAT
> > > > replace IPvX-ones completely or are there any limitations as to what is
> > > > possible in rules?
> > >
> > > I'm not aware of any limitations.
> >
> > Only limitation is that older kernels do not support NAT for the inet
> > family.
>
> OK, so maybe add inet NAT example but not delete ip/ip6 ones?
Agreed.
> What is the status regarding my patch, please? I think fixing
> netdev-ingress.nft location is unrelated to this discussion, right?
Oh right, I got confused by the discussion.
* Re: [nft PATCH] files: Move netdev-ingress.nft to /etc/nftables as well
From: Pablo Neira Ayuso @ 2019-07-03 11:06 UTC
To: Phil Sutter; +Cc: netfilter-devel
On Mon, Jun 24, 2019 at 05:12:38PM +0200, Phil Sutter wrote:
> Commit 13535a3b40b62 ("files: restore base table skeletons") moved
> config skeletons back from examples/ to /etc/nftables/ directory, but
> ignored the fact that commit 6c9230e79339c ("nftables: rearrange files
> and examples") added a new file 'netdev-ingress.nft' which is referenced
> from 'all-in-one.nft' as well.
Applied, thanks.