* AC_PREREQ checks for 2.61, which is not supported any contemporary
distribution.
* AC_COPYRIGHT, autoconf documentation states "in addition to the Free
Software Foundation's copyright on the Autoconf macros, parts of your
configure are covered by the copyright-notice.".
This only refers to the autoconf infrastructure: we are doing simple
and standard usage of autoconf infrastructure, we also don't use this
macro in other existing userspace software available at netfilter.org.
The comment above at the beginning of this file shows text that is
available in many configure.ac templates on the Internet.
* AC_CANONICAL_HOST, we don't need the canonical host-system type to
build this software.
* AC_CONFIG_SRCDIR is not used in other userspace software in the tree.
* AC_DEFINE _GNU_SOURCE, define this where it's needed instead.
* AC_DEFINE _STDC_FORMAT_MACROS is not used in this codebase.
* AC_HEADER_STDC checks for ANSI C89 headers, however, we need more than
just this C standard, so this doesn't guarantee anything at all.
* Remove "Checks for libraries" comment, it's obvious.
* AC_HEADER_ASSERT allows us to disable assertions, this is bad because
this is helping us to diagnose bugs and incomplete features.
* AC_CHECK_HEADERS is checking for an arbitrary list of headers,
this still doesn't even guarantee that we can actually do a successful
compilation in a broken system.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
Phil Sutter [Thu, 1 Mar 2018 14:00:32 +0000 (15:00 +0100)]
netlink_delinearize: Fix resource leaks
Most of the cases are basically the same: Error path fails to free the
previously allocated statement or expression. A few cases received
special treatment though:
- In netlink_parse_payload_stmt(), the leak is easily avoided by code
reordering.
- In netlink_parse_exthdr(), there's no point in introducing a goto
label since there is but a single affected error check.
- In netlink_parse_hash() non-error path leaked as well if sreg
contained a concatenated expression.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 1 Mar 2018 14:00:31 +0000 (15:00 +0100)]
netlink: Complain if setting O_NONBLOCK fails
Assuming that code is not aware that reads from netlink socket may
block, treat inability to set O_NONBLOCK flag as fatal initialization
error aborting program execution.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
will call expr_cmp() in case e1->hash.expr is NULL, causing null-pointer
dereference. This is probably a typo, the intention when introducing
this was to avoid the call to expr_cmp() for symmetric hash expressions
which don't use expr->hash.expr. Inverting the existence check should
fix this.
Fixes: 3a86406729782 ("src: hash: support of symmetric hash") Cc: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 1 Mar 2018 14:00:27 +0000 (15:00 +0100)]
cli: Drop pointless check in cli_append_multiline()
The function is called from cli_complete after it has checked for line
to be != NULL. The other part of the conditional, namely multiline being
NULL, is perfectly valid (if the last read line didn't end with
backslash. Hence drop the conditional completely.
Since variable eof is not used anywhere outside of the dropped
conditional, get rid of it completely.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
David Fabian [Mon, 22 Jan 2018 13:02:11 +0000 (14:02 +0100)]
Added undefine/redefine keywords
This is a small patch to nft which adds two new keywords - undefine and
redefine. undefine simply undefines a variable from the current scope.
redefine allows one to change a variable definition. We have a firewall
written in bash (using iptables) that is organized by customer VLANs.
Each VLAN has its own set of bash variables holding things like uplink
iface names, gateway IPs, etc. We want to rewrite the firewall to
nftables but are stuck on the fact that nft variables cannot be
overridden in the same scope. We have each VLAN configuration in a
separate file containing pre/post-routing, input, output and forward
rules,and we include those files to a master firewall configuration. One
solution is to rename all the variables with some VLAN specific
(pre/su)ffix. But that is cumbersome.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Sun, 25 Feb 2018 18:46:04 +0000 (19:46 +0100)]
src: make raw payloads work
make syntax consistent between print and parse.
No dependency handling -- once you use raw expression, you need
to make sure the raw expression only sees the packets that you'd
want it to see.
based on an earlier patch from Laurent Fasnacht <l@libres.ch>.
Laurents patch added a different syntax:
@<protocol>,<base>,<data type>,<offset>,<length>
data_type is useful to make nftables not err when
asking for "@payload,32,32 192.168.0.1", this patch still requires
manual convsersion to an integer type (hex or decimal notation).
data_type should probably be added later by adding an explicit
cast expression, independent of the raw payload syntax.
Concatenate all family/hook examples into a single one by means of includes.
Put all example files under examples/. Use the '.nft' prefix and mark
them as executable files. Use a static shebang declaration, since these
are examples meant for final systems and users.
While at it, refresh also the sets_and_maps.nft example file and also
add the 'netdev-ingress.nft' example file.
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Sat, 24 Feb 2018 11:28:30 +0000 (12:28 +0100)]
tests: meta.t: fix test case for anonymous set automerge
commit fb16c8b7f795e0d
("evaluate: Enable automerge feature for anonymous sets") re-enabled
merging of adjacent ranges, so 33-55, 56-88 turns into 33-88.
Do not exercise dependency removal for protocol key network payload
expressions in bridge, netdev and inet families from meta expressions,
more specifically:
* inet: nfproto and ether type.
* netdev and bridge: meta protocol and ether type.
need to be left in place.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Payload protocol key expressions at network base are meaningful in the
netdev, bridge and inet families, do not exercise the redundant
dependency removal in those cases since it breaks rule semantics.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This helper function tells us if there is already a protocol key payload
expression, ie. those with EXPR_F_PROTOCOL flag set on, that we might
want to remove since we can infer from another expression in the upper
protocol base, eg.
ip protocol tcp tcp dport 22
'ip protocol tcp' can be removed in the ip family since it is redundant,
but not in the netdev, bridge and inet families, where we cannot make
assumptions on the layer 3 protocol.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This context information is very relevant when deciding if a redundant
dependency needs to be removed or not, specifically for the inet, bridge
and netdev families. This new parameter is used by follow up patch
entitled ("payload: add payload_may_dependency_kill()").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 6 Feb 2018 18:18:47 +0000 (19:18 +0100)]
evaluate: Enable automerge feature for anonymous sets
Automatic merging of adjacent/overlapping ranges upon insertion has
clear benefits performance- and readability-wise. The drawbacks which
led to disabling it by default don't apply to anonymous sets since they
are read-only anyway, so enable this feature for them again.
Cc: Jeff Kletsky <netfilter@allycomm.com> Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Ville Skyttä [Wed, 7 Feb 2018 09:40:00 +0000 (11:40 +0200)]
configure: Make missing docbook2man an error if man build requested
Previously, if man page build was enabled but no suitable docbook2man or
the like tool was found, build failed at a later stage with
undescriptive error message. Fail early and explicitly at configure
stage instead.
Signed-off-by: Ville Skyttä <ville.skytta@iki.fi> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Tue, 13 Feb 2018 14:28:00 +0000 (15:28 +0100)]
tests: add test case for sets updated from packet path
currently kernel may pick a set implementation that doesn't provide
a ->update() function. This causes an error when user attempts to
add the nftables rule that is supposed to add entries to the set.
Baruch Siach [Fri, 9 Feb 2018 12:49:50 +0000 (14:49 +0200)]
src: fix build with older glibc
glibc before 2.19 missed the definition of IPPROTO_MH. This leads to
build failure:
parser_bison.y: In function 'nft_parse':
parser_bison.y:3793:21: error: 'IPPROTO_MH' undeclared (first use in this function)
| MH { $$ = IPPROTO_MH; }
^
Since we have a local definition of IPPROTO_MH in headers.h use that to
fix the build.
Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This release includes incremental fixes since last release plus meta
secpath support. libnftnl 1.0.9 is still OK as dependency, actually it
just prints meta secpath as unknown with --debug=netlink but I don't
think that is worth a libnftnl library release.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Varsha Rao [Thu, 25 Jan 2018 15:18:53 +0000 (20:48 +0530)]
configure: Remove macro AC_CHECK_FUNCS
Functions memmove, strchr, strerror and strdup are defined in string.h
header file. Also, strtoull is defined in stdlib.h header file. These
header files are checked by AC_CHECK_HEADERS macro. AC_CHECK_FUNCS macro
is not required, so remove it.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
And later on with Phil Sutter, we decided to disable the automatic merge
feature in sets with intervals. This feature is problematic because it
introduces an inconsistency between what we add and what we later on
get. This is going to get worse with the upcoming timeout support for
intervals. Therefore, we turned off this by default.
However, Jeff Kletsky and folks like this feature, so let's restore this
behaviour on demand with this new 'auto-merge' statement, that you can
place on the set definition, eg.
# nft list ruleset
table ip x {
...
set y {
type ipv4_addr
flags interval
auto-merge
}
}
# nft add element x z { 1.1.1.1-2.2.2.2, 1.1.1.2 }
Regarding implementation details: Given this feature only makes sense
from userspace, let's store this in the set user data area, so nft knows
it has to do automatic merge of adjacent/overlapping elements as per
user request.
# nft add set x z { type ipv4_addr\; auto-merge\; }
Error: auto-merge only works with interval sets
add set x z { type ipv4_addr; auto-merge; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1216 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Mention nftables earlier in the documentation, so users have more context on what
we are talking about.
This is Debian bug #887718, which contains:
<<<
Currently one must read down 100 lines before it is even mentioned.
You might want to make the connection between "nft" and "nftables" as
early as the NAME or DESCRIPTION.
>>>
Requested-by: Dan Jacobson <jidanni@jidanni.org> Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 16 Jan 2018 16:38:07 +0000 (17:38 +0100)]
configure: Allow to disable man page building
Aparently there are distributions which come with incompatible docbook
implementations. On those, forced man page creating if required binaries
are found leads to build failure.
Allow them to conveniently disable man page output instead of having to
pass undocumented variables to configure.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 16 Jan 2018 16:38:06 +0000 (17:38 +0100)]
configure: Fix help text regarding --enable-debug
Debugging symbols are enabled by default, so list '--disable-debug' in
help output rather than '--enable-debug'. This way it is also consistent
with the parameter's description.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 16 Jan 2018 16:19:57 +0000 (17:19 +0100)]
build: Eliminate forgotten traces of libnftables exporting
This removes libnftables pkg-config file along with the few lines of
code to adjust and install it.
Fixes: d572d59788143 ("Make libnftables a local static library") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Varsha Rao [Fri, 19 Jan 2018 03:00:17 +0000 (08:30 +0530)]
configure: Remove AC_HEADER_STDBOOL, AC_C_ and AC_TYPE_ macros
The following macros check if particular C types in specific header file
exists, these header files defines them and are already included in the
source code. So, remove them.
AC_HEADER_STDBOOL - stdbool.h
AC_TYPE_INT and AC_TYPE_UINT - stdint.h or inttypes.h
AC_TYPE_OFF_T and AC_TYPE_UID_T - sys/types.h
AC_TYPE_SIZE_T - stddef.h, string.h, stdlib.h or stdio.h
Remove AC_C_CONST and AC_C_INLINE as gcc supports inline and const
keywords.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Shyam Saini [Tue, 5 Dec 2017 14:07:35 +0000 (19:37 +0530)]
tests: shell: Add tests for low level json import
Test "nft import vm json".
Basically it loads same set of rules by "nft -f" and "nft import vm json"
and prints differences (if any) in the ruleset listed by "nft list
ruleset" in each case.
For Example:
$ ./run-tests.sh testcases/import/vm_json_import_0
Signed-off-by: Shyam Saini <mayhs11saini@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 10 Jan 2018 20:32:04 +0000 (21:32 +0100)]
src: Don't merge adjacent/overlapping ranges
Previously, when adding multiple ranges to a set they were merged if
overlapping or adjacent. This might cause inconvenience though since it
is afterwards not easily possible anymore to remove one of the merged
ranges again while keeping the others in place.
Since it is not possible to have overlapping ranges, this patch adds a
check for newly added ranges to make sure they don't overlap if merging
is turned off.
Note that it is not possible (yet?) to enable range merging using nft
tool.
Testsuite had to be adjusted as well: One test in tests/py changed avoid
adding overlapping ranges and the test in tests/shell which explicitly
tests for this feature dropped.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This behaviour is inconsistent and breaks the restoration of saved
rule-sets with "nft -f".
Fixes: c0697eabe832 ("src: add stateful object support for limit") Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Sat, 9 Dec 2017 15:52:29 +0000 (16:52 +0100)]
src: fix protocol context update on big-endian systems
There is an obscure bug on big-endian systems when trying to list a rule
containing the expression 'ct helper tftp' which triggers the assert()
call in mpz_get_type().
Florian identified the cause: ct_expr_pctx_update() is called for the
relational expression which calls mpz_get_uint32() to get RHS value
(assuming it is a protocol number). On big-endian systems, the
misinterpreted value exceeds UINT_MAX.
Expressions' pctx_update() callback should only be called for protocol
matches, so ct_meta_common_postprocess() lacked a check for 'left->flags
& EXPR_F_PROTOCOL' like the one already present in
payload_expr_pctx_update().
In order to fix this in a clean way, this patch introduces a wrapper
relational_expr_pctx_update() to be used instead of directly calling
LHS's pctx_update() callback which unifies the necessary checks (and
adds one more assert):
- assert(expr->ops->type == EXPR_RELATIONAL)
-> This is new, just to ensure the wrapper is called properly.
- assert(expr->op == OP_EQ)
-> This was moved from {ct,meta,payload}_expr_pctx_update().
- left->ops->pctx_update != NULL
-> This was taken from expr_evaluate_relational(), a necessary
requirement for the introduced wrapper to function at all.
- (left->flags & EXPR_F_PROTOCOL) != 0
-> The crucial missing check which led to the problem.
Phil Sutter [Thu, 30 Nov 2017 18:36:23 +0000 (19:36 +0100)]
Make libnftables a local static library
This changes Makefiles so that libnftables is built into a static
library which is not installed. This allows for incompatible changes
while still providing a library to link to for testing purposes.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Duncan Roe [Sat, 2 Dec 2017 11:04:43 +0000 (22:04 +1100)]
doc: nft.8 aim for consistent synopses throughout
Single items in braces have the braces removed as per wiki Scripting:
"It is simply overkill to define a set that only stores one single element".
Items that were in braces or square brackets are made consistent, e.g. {family}
expands to single wor Ip, inet &c., but (type) in set spec expands to
"type type_name ;".
The former 'flow table' syntax allows flow tables with no name:
# nft add rule x y flow { ip saddr counter }
However, when listing, it leaks the name that it is autoallocating.
# nft list ruleset
table ip x {
chain y {
flow table __mt0 { ip saddr counter}
}
}
Which is odd since then restoring will use such a name.
Remove anonymous flow table/meters, so everyone needs to specify a name.
There is no way to fix this, given anonymous flag tells us that the set
behind this meter is bound to a rule, hence, released once the rule is
going - the term "anonymous" was not good choice as a flag in first
place. Only possibility is to strcmp for __ft to identify this is a
nameless meter, which is a hack.
Moreover, having no name means you cannot flush the set behind this
meter, which criples this feature for no reason.
On top of it, the wiki only documents named meters, and we have a record
of users complaining on this behaviour.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Florian Westphal <fw@strlen.de>
src: deprecate "flow table" syntax, replace it by "meter"
According to bugzilla 1137: "flow tables" should not be syntactically
unique.
"Flow tables are always named, but they don't conform to the way sets,
maps, and dictionaries work in terms of "add" and "delete" and all that.
They are also "flow tables" instead of one word like "flows" or
"throttle" or something.
It seems weird to just have these break the syntactic expectations."
Personally, I never liked the reference to "table" since we have very
specific semantics in terms of what a "table" is netfilter for long
time.
This patch promotes "meter" as the new keyword. The former syntax is
still accepted for a while, just to reduce chances of breaking things.
At some point the former syntax will just be removed.
utils: fix one compilation error with --with-mini-gmp
Restore some code that is needed, until we have a version of gmp_printf
that takes variable arguments.
In file included from ../include/utils.h:12:0,
from ../include/nftables.h:6,
from ../include/rule.h:5,
from segtree.c:15:
segtree.c: In function ‘ei_insert’:
../include/gmputil.h:12:20: error: too many arguments to function ‘mpz_printf’
#define gmp_printf mpz_printf
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 21 Nov 2017 22:13:39 +0000 (23:13 +0100)]
tests: shell: Prevent lockout in nft-f/0008split_tables_0
Since packets traverse both tables, the accept rule in the first one is
ineffective due to the second table's drop policy. To prevent lockouts
when running the testsuite via SSH connection, set the second chain's
policy to accept as well.
Fixes: 337c7e0de3d9d ("tests: shell: make sure split table definition works via nft -f") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Mon, 20 Nov 2017 15:54:04 +0000 (16:54 +0100)]
libnftables: Ensure output_fp is never NULL
Initialize output_fp to 'stdout' upon context creation and check output
stream validity in nft_ctx_set_output(). This allows to drop checks in
nft_{gmp_,}print() and do_command_export(). While doing so for the
latter, simplify it a bit by using nft_print() which takes care of
flushing the output stream.
If applications desire to drop all output, they are supposed to open
/dev/null and assign that.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Duncan Roe [Sun, 19 Nov 2017 09:51:50 +0000 (20:51 +1100)]
doc: nft.8 document use of -f option to start nft scripts
The man page didn't document nft scripts at all before, so putting that with the
-f option seemed as good a place as any. It does work to start scripts
is also updated.
Phil Sutter [Tue, 14 Nov 2017 20:17:10 +0000 (21:17 +0100)]
libnftables: Split code into frontend and library
This finally creates the libnftables shared object.
For some reason, this causes two compiler warnings to appear:
| parser_bison.y: In function 'nft_parse':
| parser_bison.y:131:3: warning: implicit declaration of function 'nft_set_debug' [-Wimplicit-function-declaration]
| nft_set_debug(1, scanner);
| ^~~~~~~~~~~~~
| parser_bison.c:64:25: warning: implicit declaration of function 'nft_lex' [-Wimplicit-function-declaration]
| #define yylex nft_lex
| ^
| parser_bison.c:4745:16: note: in expansion of macro 'yylex'
| yychar = yylex (&yylval, &yylloc, scanner);
So this patch contains a workaround, namely declaring both functions
in src/parser_bison.y. During linking the objects are found, so this is
rather a matter of cosmetics.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Mon, 13 Nov 2017 14:08:16 +0000 (15:08 +0100)]
libnftables: Unexport enum nftables_exit_codes
Apart from SUCCESS/FAILURE, these codes were not used by library
functions simply because NOMEM and NONL conditions lead to calling
exit() instead of propagating the error condition back up the call
stack.
Instead, make nft_run_cmd_from_*() return either 0 or -1 on error.
Usually errno will then contain more details about what happened and/or
there are messages in erec.
Calls to exit()/return in main() are adjusted to stay compatible.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Fri, 10 Nov 2017 23:06:17 +0000 (00:06 +0100)]
Eliminate struct mnl_ctx
The issue leading to this patch was that debug output in nft_mnl_talk()
bypasses the application-defined output_fp. While investigating, another
problem was discovered: Most of the ad-hoc defined mnl_ctx objects have
their field 'debug_mask' set to zero regardless of what netlink_ctx
contains (this affects non-batch code path only).
The intuitive solution to both of those issues required to extend
function parameters of all the non-batch functions as well as the common
nft_mnl_talk() one. Instead of complicating them even further, this
patch instead makes them accept a pointer to netlink_ctx as first
parameter to gather both the old (nf_sock, seqnum) and the new values
(debug_mask, octx) from.
Since after the above change struct mnl_ctx was not really used anymore,
so the remaining places were adjusted as well to allow for removing the
struct altogether.
Note that cache routines needed special treatment: Although parameters
of cache_update() make it a candidate for the same change, it can't be
converted since it is called in evaluation phase sometimes in which
there is no netlink context available (but just eval context instead).
Since netlink_genid_get() needs a netlink context though, the ad-hoc
netlink_ctx definition from cache_init() is moved into cache_update() to
have it available there already.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 9 Nov 2017 12:24:57 +0000 (13:24 +0100)]
libnftables: Flush iface cache after command execution
Commit 94a945ffa81b7 ("libnftables: Get rid of explicit cache flushes")
was a bit too optimistic in that it missed the remaining need to flush
interface cache after each command in interactive mode - otherwise,
newly added interfaces won't be recognized.
Although cli.c only calls nft_run_cmd_from_buffer(), flush caches in
nft_run_cmd_from_filename() as well for matters of consistency.
Fixes: 94a945ffa81b7 ("libnftables: Get rid of explicit cache flushes") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
projects / thirdparty / nftables.git / log
