GNU bug report logs - #36759
26.1; nftables major mode


Package: emacs; Severity: wishlist; Reported by: trentbuck@HIDDEN (Trent W. Buck); Keywords: pending; dated Mon, 22 Jul 2019 07:46:02 UTC; Maintainer for emacs is bug-gnu-emacs@HIDDEN.

Message received at 36759 <at> debbugs.gnu.org:


From: Lars Ingebrigtsen <larsi@HIDDEN>
To: Stefan Monnier <monnier@HIDDEN>
Subject: Re: bug#36759: 26.1; nftables major mode
Date: Mon, 02 May 2022 10:40:37 +0200
In-Reply-To: <jwvr1dg590l.fsf-monnier+emacs@HIDDEN> (Stefan Monnier's message
 of "Wed, 22 Sep 2021 22:22:21 -0400")
Cc: "Trent W. Buck" <trentbuck@HIDDEN>, 36759 <at> debbugs.gnu.org

Stefan Monnier <monnier@HIDDEN> writes:

>> I think perhaps this makes more sense in GNU ELPA than in Emacs core
>> (since editing nftables files is a somewhat specialised task), and I
>> looked into putting it there, but I'm still not quite sure how.  :-)
>>
>> So I've added Stefan to the CCs -- could you do the right thing here?
>
> I'd be happy to add an nftables mode to GNU ELPA, but AFAICT Trent has
> not signed the needed paperwork for Emacs.

Seems like we forgot about this one -- Trent's paperwork was completed
in December 2021, so we should be able to add nftables to GNU ELPA now.
Stefan?

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#36759; Package emacs. Full text available.
Added tag(s) pending. Request was from Lars Ingebrigtsen <larsi@HIDDEN> to control <at> debbugs.gnu.org. Full text available.
Removed tag(s) moreinfo. Request was from Lars Ingebrigtsen <larsi@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at 36759 <at> debbugs.gnu.org:


Date: Fri, 24 Sep 2021 12:49:11 +1000
From: "Trent W. Buck" <trentbuck@HIDDEN>
To: Stefan Monnier <monnier@HIDDEN>
Subject: Re: bug#36759: 26.1; nftables major mode
Cc: Lars Ingebrigtsen <larsi@HIDDEN>, 36759 <at> debbugs.gnu.org

Stefan,

Stefan Monnier wrote:
> > I think perhaps this makes more sense in GNU ELPA than in Emacs core
> > (since editing nftables files is a somewhat specialised task), and I
> > looked into putting it there, but I'm still not quite sure how.  :-)
> >
> > So I've added Stefan to the CCs -- could you do the right thing here?
> 
> I'd be happy to add an nftables mode to GNU ELPA, but AFAICT Trent has
> not signed the needed paperwork for Emacs.
>
> Trent, would you be OK signing that copyright paperwork?
> If so, please fill the form below and send it to the FSF as instructed
> so they can send you the appropriate paperwork to sign.

Hi, I did copyright assignment long long ago, but
like a decade later, kensanata wrote me saying I had somehow only done
copyright assignment for a specific file, rather than for ALL
contributions to Emacs?

It was all Too Hard so I didn't chase it up at the time.
This was around about Emacs 23; I don't remember exactly when.

If it's easier, I can just do a fresh copyright assignment.
Should I do that?




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#36759; Package emacs. Full text available.

Message received at 36759 <at> debbugs.gnu.org:


From: Stefan Monnier <monnier@HIDDEN>
To: trentbuck@HIDDEN (Trent W. Buck), Lars Ingebrigtsen <larsi@HIDDEN>
Subject: Re: bug#36759: 26.1; nftables major mode
Date: Wed, 22 Sep 2021 22:22:21 -0400
In-Reply-To: <87ee9gs448.fsf@HIDDEN> (Lars Ingebrigtsen's message of "Wed,
 22 Sep 2021 23:16:23 +0200")
Cc: 36759 <at> debbugs.gnu.org

> I think perhaps this makes more sense in GNU ELPA than in Emacs core
> (since editing nftables files is a somewhat specialised task), and I
> looked into putting it there, but I'm still not quite sure how.  :-)
>
> So I've added Stefan to the CCs -- could you do the right thing here?

I'd be happy to add an nftables mode to GNU ELPA, but AFAICT Trent has
not signed the needed paperwork for Emacs.
Trent, would you be OK signing that copyright paperwork?
If so, please fill the form below and send it to the FSF as instructed
so they can send you the appropriate paperwork to sign.


        Stefan


Please email the following information to assign@HIDDEN, and we
will send you the assignment form for your past and future changes.

Please use your full legal name (in ASCII characters) as the subject
line of the message.
----------------------------------------------------------------------
REQUEST: SEND FORM FOR PAST AND FUTURE CHANGES

[What is the name of the program or package you're contributing to?]
Emacs

[Did you copy any files or text written by someone else in these changes?
Even if that material is free software, we need to know about it.]


[Do you have an employer who might have a basis to claim to own
your changes?  Do you attend a school which might make such a claim?]


[For the copyright registration, what country are you a citizen of?]


[What year were you born?]


[Please write your email address here.]


[Please write your postal address here.]





[Which files have you changed so far, and which new files have you written
so far?]





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#36759; Package emacs. Full text available.
Added tag(s) moreinfo. Request was from Lars Ingebrigtsen <larsi@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at 36759 <at> debbugs.gnu.org:


From: Lars Ingebrigtsen <larsi@HIDDEN>
To: trentbuck@HIDDEN (Trent W. Buck)
Subject: Re: bug#36759: 26.1; nftables major mode
Date: Wed, 22 Sep 2021 23:16:23 +0200
In-Reply-To: <87d0i2ecma.fsf@HIDDEN> (Trent W. Buck's message of "Mon, 22
 Jul 2019 17:45:33 +1000")
Cc: Stefan Monnier <monnier@HIDDEN>, 36759 <at> debbugs.gnu.org

trentbuck@HIDDEN (Trent W. Buck) writes:

> I couldn't find a major mode for this, so I wrote a basic one.
> This is working well enough for today, but I don't have the time or
> interest to maintain it properly.

Thanks; seems to work very well.  I've included a very lightly edited
version of the code below (just adding some of the normal conventions
for .el files).

I think perhaps this makes more sense in GNU ELPA than in Emacs core
(since editing nftables files is a somewhat specialised task), and I
looked into putting it there, but I'm still not quite sure how.  :-)

So I've added Stefan to the CCs -- could you do the right thing here?

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

Content-Type: application/emacs-lisp
Content-Disposition: attachment; filename=nftables-mode.el

;;; nftables-mode.el --- Major mode for editing nftables  -*- lexical-binding: t -*-

;; Copyright (C) 2021  Free Software Foundation, Inc

;; Author: trentbuck@HIDDEN (Trent W. Buck)
;; Maintainer: emacs-devel@HIDDEN
;; Version: 1.0
;; Package-Requires: ((emacs "25.1"))
;; Keywords: convenience

;; This package is free software; you can redistribute it and/or modify
;; it under the terms of the GNU General Public License as published by
;; the Free Software Foundation; either version 3, or (at your option)
;; any later version.

;; This package is distributed in the hope that it will be useful,
;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;; GNU General Public License for more details.

;; You should have received a copy of the GNU General Public License
;; along with GNU Emacs.  If not, see <http://www.gnu.org/licenses/>.

;;; Commentary:

(require 'rx)
(require 'syntax)                       ; syntax-ppss, for indentation

(defvar nftables-mode-map (make-sparse-keymap))
(defvar nftables-mode-hook nil)
(defvar nftables-mode-syntax-table
  (let ((table (make-syntax-table)))
    (modify-syntax-entry ?# "<\n" table)  ; make #comment work
    (modify-syntax-entry ?\n ">#" table)  ; make #comment work
    (modify-syntax-entry ?_ "w" table)    ; foo_bar is 1 word (not 2)
    table))

;;; NOTE: I started with the keywords in the nano highlighter, but
;;; they were really incomplete.  So instead I looked at the
;;; flex/bison rules in the nft source code (as at debian/0.9.1-2-2-g3255aaa):
;;;     https://salsa.debian.org/pkg-netfilter-team/pkg-nftables/blob/master/src/scanner.l
;;;     https://salsa.debian.org/pkg-netfilter-team/pkg-nftables/blob/master/src/parser_bison.y
;;; NOTE: not supporting multi-statement lines "list ruleset; flush ruleset".
;;; NOTE: not supporting multi-line statements "list \\\n ruleset".
;;; NOTE: not supporting arbitrary whitespace in some places.
;;; NOTE: identifiers are hard (e.g. bare addresses, names, quoted strings), so
;;;       not supporting all those properly.
;;; NOTE: family can be omitted; it defaults to "ip" (IPv4 only).
;;;       I am not supporting that, because you USUALLY want "inet" (IPv4/IPv6 dual-stack).
;;; NOTE: there are two main styles, I'm supporting only those and not a mix of same.
;;;
;;;       Style #1:
;;;
;;;            flush ruleset
;;;            table inet foo {
;;;                chain bar {
;;;                    type filter hook input priority filter
;;;                    policy drop
;;;                    predicate [counter] [log] <accept|drop|reject>
;;;                }
;;;            }
;;;
;;;       Style #2 (everything at the "top level"):
;;;
;;;            flush ruleset
;;;            add table inet foo
;;;            add chain inet foo bar { type filter hook input priority filter; policy drop }
;;;            add rule  inet foo bar predicate [counter] [log] <accept|drop|reject>

(defvar nftables-font-lock-keywords
  `(;; include "foo"
    ;; list ruleset
    ;; flush ruleset
    (,(rx bol
          (or "include"
              "list ruleset"
              "flush ruleset"
              "list tables"
              "list counters"
              "list quotas")
          eow)
     . font-lock-preprocessor-face)

    ;; define foo = bar
    ;; define foo = { bar, baz }
    ;; redefine foo = bar
    ;; undefine foo
    (,(rx bol
          (group (or "define" "redefine" "undefine"))
          " "
          (group (one-or-more (any alnum ?_)))
          eow)
     (1 font-lock-type-face)
     (2 font-lock-variable-name-face))

    ;; add table inet my_table { ... }
    ;; table inet my_table { ... }
    (,(rx bol
          (group (or "table"            ; style #1
                     "add table"))      ; style #2
          " "
          ;; This is parser_bison.y:family_spec
          (group (or "ip" "ip6" "inet" "arp" "bridge" "netdev"))
          " "
          (group (one-or-more (any alnum ?_)))
          eow)
     (1 font-lock-type-face)
     (2 font-lock-constant-face)
     (3 font-lock-variable-name-face))

    ;;     chain my_chain {
    ;;     set my_set {
    ;;     map my_map {
    (,(rx bol
          (one-or-more blank)
          (group (or "chain" "set" "map"))
          " "
          (group (one-or-more (any alnum ?_))))
     (1 font-lock-type-face)
     (2 font-lock-variable-name-face))

    ;; add chain   inet my_table my_chain { ... }
    ;; add set     inet my_table my_set { ... }
    ;; add map     inet my_table my_map { ... }
    ;; add rule    inet my_table my_chain ... <accept|drop|reject>
    ;; add element inet my_table my_set { ... }
    ;; add element inet my_table my_map { ... }
    (,(rx bol
          (group "add "
                 (or "chain" "set" "map" "rule" "element"))
          " "
          (group (or "ip" "ip6" "inet" "arp" "bridge" "netdev"))
          " "
          (group (one-or-more (any alnum ?_)))
          " "
          (group (one-or-more (any alnum ?_)))
          eow)
     (1 font-lock-type-face)
     (2 font-lock-constant-face)
     (3 font-lock-variable-name-face)
     (4 font-lock-variable-name-face))

    ;; Remaining rules not anchored at beginning-of-line.

    ;; << chain specification >>
    ;; { type filter hook input priority filter; }
    (,(rx bow
          (group "type")
          " "
          (group (or "filter" "nat" "route"))
          " "
          (group "hook")
          " "
          (group (or "prerouting"
                     "input"
                     "forward"
                     "output"
                     "postrouting"
                     "ingress"
                     "dormant"))
          " "
          (group "priority")
          " "
          (group (or (and (opt "-") (one-or-more digit))
                     "raw"
                     "mangle"
                     "dstnat"
                     "filter"
                     "security"
                     "srcnat"
                     "dstnat"
                     "filter"
                     "out"
                     "srcnat"))
          eow)
     (1 font-lock-type-face)
     (3 font-lock-type-face)
     (5 font-lock-type-face)
     (2 font-lock-constant-face)
     (4 font-lock-constant-face)
     (6 font-lock-constant-face))

    ;; << Table 8. Set specifications >>
    ;; type x              # set
    ;; type x : y          # map
    ;; flags x , y , z     # set/map
    ;; timeout 60s         # set
    ;; gc-interval 12s     # set
    ;; elements = { ... }  # set/map
    ;; size 1000           # set/map
    ;; auto-merge          # set
    (,(rx bow
          (group "type")
          " "
          (group (or "ipv4_addr" "ipv6_addr" "ether_addr" "inet_proto" "inet_service" "mark"))
          (optional
           " : "
           (group (or "ipv4_addr" "ipv6_addr" "ether_addr" "inet_proto" "inet_service" "mark" "counter" "quota")))
          eow)
     (1 font-lock-type-face)
     (2 font-lock-constant-face))
    (,(rx bow
          (group "flags")
          " "
          (group
           (or "constant" "dynamic" "interval" "timeout")
           (zero-or-more
            ", "
            (or "constant" "dynamic" "interval" "timeout")))
          eow)
     (1 font-lock-type-face)
     (2 font-lock-constant-face))
    (,(rx bow
          (group (or "timeout" "gc-interval"))
          " "
          (group                        ; copied from scanner.l
           (optional (one-or-more digit) "d")
           (optional (one-or-more digit) "h")
           (optional (one-or-more digit) "m")
           (optional (one-or-more digit) "s")
           (optional (one-or-more digit) "ms"))
          eow)
     (1 font-lock-type-face)
     (2 font-lock-string-face))
    (,(rx bow
          (group "size")
          " "
          (group (one-or-more digit))
          eow)
     (1 font-lock-type-face)
     (2 font-lock-string-face))
    (,(rx bow
          "auto-merge"
          eow)
     . font-lock-type-face)
    (,(rx bow
          (group "elements")
          " = ")                        ; no `eow': it cannot match after a space
     (1 font-lock-type-face))


    ;; policy accept
    ;; policy drop
    (,(rx (group "policy") " " (group (or "accept" "drop")))
     (1 font-lock-type-face)
     (2 font-lock-function-name-face))

    ;; $variable
    ;; @array
    (,(rx (or "@" "$")
          alpha
          (zero-or-more (any alnum ?_)))
     . font-lock-variable-name-face)

    ;; Simplified because scanner.l is INSANE for IPv6.
    ;; 1234  (e.g. port number)
    ;; 1.2.3.4
    ;; ::1
    (,(rx bow
          (or
           ;; IPv4 address (optional CIDR)
           (and digit
                (zero-or-more (any digit "."))
                digit
                (optional "/" (one-or-more digit)))
           ;; IPv6 address (optional CIDR)
           ;; Oops, this was matching "add"!
           ;; WOW THIS IS REALLY REALLY HARD!
           (and (zero-or-more (or (and (repeat 1 4 hex-digit) ":")
                                  "::"))
                (repeat 1 4 hex-digit)
                (optional "/" (one-or-more digit)))
           ;; Bare digits.
           ;; Has to be after IPv4 address, or IPv4 address loses.
           ;; (or (one-or-more digit))
           )
          eow)
     . font-lock-string-face)


    ;; parser_bison.y:family_spec_explicit
    ;; (,(rx bow (or "ip" "ip6" "inet" "arp" "bridge" "netdev") eow)
    ;;  . font-lock-constant-face)

    ;; parser_bison.y:verdict_expr
    (,(rx bow (or "accept" "drop" "continue" "return") eow)
     . font-lock-function-name-face)
    (,(rx bow (group (or "jump" "goto"))
          " "
          (group (one-or-more (any alnum ?_)))) ; chain_expr
     (1 font-lock-function-name-face)
     (2 font-lock-variable-name-face))))

;;; Based on equivalent for other editors:
;;;   * /usr/share/nano/nftables.nanorc
;;;   * https://github.com/nfnty/vim-nftables
;;;###autoload
(define-derived-mode nftables-mode prog-mode "nft"
  "Major mode to edit nftables files."
  (setq-local comment-start "#")
  (setq-local font-lock-defaults
              `(nftables-font-lock-keywords nil nil))
  ;; ;; make "table my_table {" result in indents on the next line.
  ;; (setq-local electric-indent-chars ?\})
  (setq-local indent-line-function #'nftables-indent-line)
  (setq-local tab-width 4))

;;; Stolen from parsnip's (bradyt's) dart-mode.
;;; https://github.com/bradyt/dart-mode/blob/199709f7/dart-mode.el#L315
(defun nftables-indent-line ()
  (let (old-point)
    (save-excursion
      (back-to-indentation)
      (let ((depth (car (syntax-ppss))))
        (when (and (char-after)         ; nil at end of buffer
                   (= ?\) (char-syntax (char-after))))
          (setq depth (1- depth)))
        (indent-line-to (* depth tab-width)))
      (setq old-point (point)))
    (when (< (point) old-point)
      (back-to-indentation))))

;;;###autoload
(add-to-list 'auto-mode-alist '("\\.nft\\(?:ables\\)?\\'" . nftables-mode))
;;;###autoload
(add-to-list 'auto-mode-alist '("/etc/nftables.conf" . nftables-mode))
;;;###autoload
(add-to-list 'interpreter-mode-alist '("nft\\(?:ables\\)?" . nftables-mode))

(provide 'nftables-mode)

;;; nftables-mode.el ends here





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#36759; Package emacs. Full text available.

Message received at 36759 <at> debbugs.gnu.org:


Date: Sat, 5 Sep 2020 14:34:26 +1000
From: "Trent W. Buck" <trentbuck@HIDDEN>
To: Stefan Kangas <stefan@HIDDEN>
Subject: Re: bug#36759: 26.1; nftables major mode
Cc: Eli Zaretskii <eliz@HIDDEN>, 36759 <at> debbugs.gnu.org

Stefan Kangas wrote:
> "Trent W. Buck" <trentbuck@HIDDEN> writes:
> 
> > Eli Zaretskii wrote:
> >>> nftables is a Linux kernel firewall.
> >>> I couldn't find a major mode for this, so I wrote a basic one.
> >>> Could someone else adopt it into mainline Emacs?
> >>
> >> Would it be possible to rewrite this mode using define-generic-mode?
> >> See generic-x.el for some example of using that macro.
> >
> > I didn't know about define-generic-mode!
> >
> > (My elisp-fu is Giraffe Book vintage, and I've been using
> > e.g. conf-mode instead of ini-generic-mode, and third-party
> > apache-mode instead of apache-conf-generic-mode.)
> >
> > I can have a go, but I don't know when I'll get around to it.
> 
> (That was one year ago.)
> 
> Are you still working on this mode?  Have you made any progress, so far?

Sorry, I haven't touched it since I last wrote to this bug ticket.
I haven't done much nftables since, and what I stopped with was "good enough" for that.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#36759; Package emacs. Full text available.

Message received at 36759 <at> debbugs.gnu.org:


From: Stefan Kangas <stefan@HIDDEN>
Date: Sat, 5 Sep 2020 01:13:21 +0000
Subject: Re: bug#36759: 26.1; nftables major mode
To: "Trent W. Buck" <trentbuck@HIDDEN>
Cc: Eli Zaretskii <eliz@HIDDEN>, 36759 <at> debbugs.gnu.org

"Trent W. Buck" <trentbuck@HIDDEN> writes:

> Eli Zaretskii wrote:
>>> nftables is a Linux kernel firewall.
>>> I couldn't find a major mode for this, so I wrote a basic one.
>>> Could someone else adopt it into mainline Emacs?
>>
>> Would it be possible to rewrite this mode using define-generic-mode?
>> See generic-x.el for some example of using that macro.
>
> I didn't know about define-generic-mode!
>
> (My elisp-fu is Giraffe Book vintage, and I've been using
> e.g. conf-mode instead of ini-generic-mode, and third-party
> apache-mode instead of apache-conf-generic-mode.)
>
> I can have a go, but I don't know when I'll get around to it.

(That was one year ago.)

Are you still working on this mode?  Have you made any progress, so far?




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#36759; Package emacs. Full text available.

Message received at 36759 <at> debbugs.gnu.org:


Date: Mon, 12 Aug 2019 11:16:34 +1000
From: "Trent W. Buck" <trentbuck@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Subject: Re: bug#36759: 26.1; nftables major mode
Cc: 36759 <at> debbugs.gnu.org

Eli Zaretskii wrote:
>> nftables is a Linux kernel firewall.
>> I couldn't find a major mode for this, so I wrote a basic one.
>> Could someone else adopt it into mainline Emacs?
>
> Would it be possible to rewrite this mode using define-generic-mode?
> See generic-x.el for some example of using that macro.

I didn't know about define-generic-mode!

(My elisp-fu is Giraffe Book vintage, and I've been using
e.g. conf-mode instead of ini-generic-mode, and third-party
apache-mode instead of apache-conf-generic-mode.)

I can have a go, but I don't know when I'll get around to it.


At a glance, I don't see how to handle code blocks (syntax-entry for ?{ and ?}) and continuation lines in there.
In fact, I don't see ANY indent function handling in generic.el or generic-x.el?

I'm also concerned that keyword-list there will do the Wrong Thing.
For example, in this standard example document,
the second and third "filter" are keywords, but
the first "filter" is a variable.

    table inet filter {
        chain input {
            type filter hook input priority filter; default accept;
            iiftype loopback counter accept
        }
    }

That can also be written like this (the "add" and "rule" are optional).

    add table inet filter
    add chain inet filter chain input { type filter hook input priority filter; default accept; }
    add rule inet filter iiftype loopback counter accept

It's because of this reuse of keywords as variables that I wrote more
than just keyword highlighting -- I *need* the "filter"s to be colored
differently, or I can't cope.


PS: In the example above, "input" is also a variable AND a keyword.
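
Added example (not part of the thread, and not the submitted nftables-mode.el): the message above argues that a flat keyword list cannot separate "filter" the table name from "filter" the chain type and priority. The code below fontifies that sample ruleset twice in a temporary buffer and reports the face each occurrence receives. All nft-demo-* names are made up for this illustration, and the anchored rules are cut down from the rules in the attachment.

```elisp
;; Added illustration; every nft-demo-* name is hypothetical.
(require 'rx)
(require 'font-lock)

;; Constructed sample input: the ruleset quoted in the message above.
(defconst nft-demo-ruleset
  (concat "table inet filter {\n"
          "    chain input {\n"
          "        type filter hook input priority filter; default accept;\n"
          "        iiftype loopback counter accept\n"
          "    }\n"
          "}\n"))

;; Approach 1: one flat keyword list, the shape a keyword-list-only
;; mode works from.  Position within the statement is ignored.
(defconst nft-demo-flat-keywords
  `((,(rx bow
          (or "table" "chain" "type" "hook" "priority" "filter" "input")
          eow)
     . font-lock-keyword-face)))

;; Approach 2: rules anchored on the surrounding statement, cut down
;; from the table, chain and chain-specification rules in the attachment.
(defconst nft-demo-anchored-keywords
  `(;; table inet my_table {
    (,(rx bol
          (group "table")
          " "
          (group (or "ip" "ip6" "inet" "arp" "bridge" "netdev"))
          " "
          (group (one-or-more (any alnum ?_)))
          eow)
     (1 font-lock-type-face)
     (2 font-lock-constant-face)
     (3 font-lock-variable-name-face))
    ;;     chain my_chain {
    (,(rx bol
          (one-or-more blank)
          (group "chain")
          " "
          (group (one-or-more (any alnum ?_))))
     (1 font-lock-type-face)
     (2 font-lock-variable-name-face))
    ;; type filter hook input priority filter
    (,(rx bow
          (group "type") " "
          (group (or "filter" "nat" "route")) " "
          (group "hook") " "
          (group (or "prerouting" "input" "forward" "output"
                     "postrouting" "ingress"))
          " "
          (group "priority") " "
          (group (or (and (opt "-") (one-or-more digit))
                     "raw" "mangle" "dstnat" "filter" "security" "srcnat"))
          eow)
     (1 font-lock-type-face)
     (2 font-lock-constant-face)
     (3 font-lock-type-face)
     (4 font-lock-constant-face)
     (5 font-lock-type-face)
     (6 font-lock-constant-face))))

(defun nft-demo-faces (keywords-symbol word)
  "Return the face given to each occurrence of WORD, in buffer order.
KEYWORDS-SYMBOL names a variable holding font-lock keywords; they are
applied to `nft-demo-ruleset' in a temporary buffer."
  (with-temp-buffer
    (insert nft-demo-ruleset)
    ;; The first element must be a symbol, as in the mode definition.
    (setq-local font-lock-defaults (list keywords-symbol nil nil))
    (font-lock-ensure)
    (goto-char (point-min))
    (let ((re (rx-to-string `(seq bow ,word eow)))
          faces)
      (while (re-search-forward re nil t)
        (push (get-text-property (match-beginning 0) 'face) faces))
      (nreverse faces))))

(defun nft-demo-compare (word)
  "Return an alist of the faces WORD receives under both keyword sets."
  (list (cons 'flat (nft-demo-faces 'nft-demo-flat-keywords word))
        (cons 'anchored (nft-demo-faces 'nft-demo-anchored-keywords word))))

;; Print one line per ambiguous word when loaded.
(dolist (word '("filter" "input"))
  (message "%-6s %S" word (nft-demo-compare word)))
```

Save it to a file and load it with emacs --batch -l FILE to print the comparison. The flat list has no way to give the table named "filter" a different face from the chain type "filter", while the anchored rules mark the name as a variable and the other two occurrences as constants.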




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#36759; Package emacs. Full text available.

Message received at 36759 <at> debbugs.gnu.org:


Date: Sat, 10 Aug 2019 11:07:12 +0300
From: Eli Zaretskii <eliz@HIDDEN>
To: trentbuck@HIDDEN (Trent W. Buck)
Subject: Re: bug#36759: 26.1; nftables major mode
Cc: 36759 <at> debbugs.gnu.org

> From: trentbuck@HIDDEN (Trent W. Buck)
> Date: Mon, 22 Jul 2019 17:45:33 +1000
> 
> nftables is a Linux kernel firewall.
> 
> Its configuration uses a complex BNF where many keywords are repeated;
> they mean different things in different places.
> 
> I want syntax highlighting and smart indentation for such files,
> because they're very hard to read in just conf-mode,
> even with some conf-space-keywords.
> 
> I couldn't find a major mode for this, so I wrote a basic one.
> This is working well enough for today, but I don't have the time or
> interest to maintain it properly.
> 
> If someone else is prepared to adopt it and get it into mainline Emacs,
> that would be FANTASTIC.

Sorry for the delay in responding.

Would it be possible to rewrite this mode using define-generic-mode?
See generic-x.el for some example of using that macro.

If using generic.el is somehow impossible or impractical, then could
you please format your code as a separate Lisp file according to our
conventions (see any of the *.el files in the Emacs tree for an
example), add a NEWS entry, and submit that in the "git format-patch"
form?  Bonus points for adding tests based on your example file.

Thanks.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#36759; Package emacs. Full text available.
Severity set to 'wishlist' from 'normal' Request was from Noam Postavsky <npostavs@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at submit <at> debbugs.gnu.org:


From: trentbuck@HIDDEN (Trent W. Buck)
To: bug-gnu-emacs@HIDDEN
Subject: 26.1; nftables major mode
Date: Mon, 22 Jul 2019 17:45:33 +1000

nftables is a Linux kernel firewall.

Its configuration uses a complex BNF where many keywords are repeated;
they mean different things in different places.

I want syntax highlighting and smart indentation for such files,
because they're very hard to read in just conf-mode,
even with some conf-space-keywords.

I couldn't find a major mode for this, so I wrote a basic one.
This is working well enough for today, but I don't have the time or
interest to maintain it properly.

If someone else is prepared to adopt it and get it into mainline Emacs,
that would be FANTASTIC.

Background references:

https://wiki.nftables.org
https://salsa.debian.org/pkg-netfilter-team/pkg-nftables/blob/master/src/scanner.l
https://salsa.debian.org/pkg-netfilter-team/pkg-nftables/blob/master/src/parser_bison.y
file:///usr/share/nano/nftables.nanorc
https://github.com/nfnty/vim-nftables


Content-Disposition: attachment; filename=nftables-mode.el

(require 'rx)
(require 'syntax)                       ; syntax-ppss, for indentation

(defvar nftables-mode-map (make-sparse-keymap))
(defvar nftables-mode-hook nil)
(defvar nftables-mode-syntax-table
  (let ((table (make-syntax-table)))
    (modify-syntax-entry ?# "<\n" table)  ; make #comment work
    (modify-syntax-entry ?\n ">#" table)  ; make #comment work
    (modify-syntax-entry ?_ "w" table)    ; foo_bar is 1 word (not 2)
    table))

;;; NOTE: I started with the keywords in the nano highlighter, but
;;; they were really incomplete.  So instead I looked at the
;;; flex/bison rules in the nft source code (as at debian/0.9.1-2-2-g3255aaa):
;;;     https://salsa.debian.org/pkg-netfilter-team/pkg-nftables/blob/master/src/scanner.l
;;;     https://salsa.debian.org/pkg-netfilter-team/pkg-nftables/blob/master/src/parser_bison.y
;;; NOTE: not supporting multi-statement lines "list ruleset; flush ruleset".
;;; NOTE: not supporting multi-line statements "list \\\n ruleset".
;;; NOTE: not supporting arbitrary whitespace in some places.
;;; NOTE: identifiers are hard (e.g. bare addresses, names, quoted strings), so
;;;       not supporting all those properly.
;;; NOTE: family can be omitted; it defaults to "ip" (IPv4 only).
;;;       I am not supporting that, because you USUALLY want "inet" (IPv4/IPv6 dual-stack).
;;; NOTE: there are two main styles, I'm supporting only those and not a mix of same.
;;;
;;;       Style #1:
;;;
;;;            flush ruleset
;;;            table inet foo {
;;;                chain bar {
;;;                    type filter hook input priority filter
;;;                    policy drop
;;;                    predicate [counter] [log] <accept|drop|reject>
;;;                }
;;;            }
;;;
;;;       Style #2 (everything at the "top level"):
;;;
;;;            flush ruleset
;;;            add table inet foo
;;;            add chain inet foo bar { type filter hook input priority filter; policy drop }
;;;            add rule  inet foo bar predicate [counter] [log] <accept|drop|reject>
(defvar nftables-font-lock-keywords
  `(
    ;; include "foo"
    ;; list ruleset
    ;; flush ruleset
    (,(rx bol
          (or "include"
              "list ruleset"
              "flush ruleset"
              "list tables"
              "list counters"
              "list quotas")
          eow)
     . font-lock-preprocessor-face)

    ;; define foo = bar
    ;; define foo = { bar, baz }
    ;; redefine foo = bar
    ;; undefine foo
    (,(rx bol
          (group (or "define" "redefine" "undefine"))
          " "
          (group (one-or-more (any alnum ?_)))
          eow)
     (1 font-lock-type-face)
     (2 font-lock-variable-name-face))

    ;; add table inet my_table { ... }
    ;; table inet my_table { ... }
    (,(rx bol
          (group (or "table"            ; style #1
                     "add table"))      ; style #2
          " "
          ;; This is parser_bison.y:family_spec
          (group (or "ip" "ip6" "inet" "arp" "bridge" "netdev"))
          " "
          (group (one-or-more (any alnum ?_)))
          eow)
     (1 font-lock-type-face)
     (2 font-lock-constant-face)
     (3 font-lock-variable-name-face))

    ;;     chain my_chain {
    ;;     set my_set {
    ;;     map my_map {
    (,(rx bol
          (one-or-more blank)
          (group (or "chain" "set" "map"))
          " "
          (group (one-or-more (any alnum ?_))))
     (1 font-lock-type-face)
     (2 font-lock-variable-name-face))

    ;; add chain   inet my_table my_chain { ... }
    ;; add set     inet my_table my_set { ... }
    ;; add map     inet my_table my_map { ... }
    ;; add rule    inet my_table my_chain ... <accept|drop|reject>
    ;; add element inet my_table my_set { ... }
    ;; add element inet my_table my_map { ... }
    (,(rx bol
          (group "add "
                 (or "chain" "set" "map" "rule" "element"))
          " "
          (group (or "ip" "ip6" "inet" "arp" "bridge" "netdev"))
          " "
          (group (one-or-more (any alnum ?_)))
          " "
          (group (one-or-more (any alnum ?_)))
          eow)
     (1 font-lock-type-face)
     (2 font-lock-constant-face)
     (3 font-lock-variable-name-face)
     (4 font-lock-variable-name-face))


;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    ;; REMAINING RULES NOT ANCHORED AT BEGINNING-OF-LINE
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

    ;; << chain specification >>
    ;; { type filter hook input priority filter; }
    (,(rx bow
          (group "type")
          " "
          (group (or "filter" "nat" "route"))
          " "
          (group "hook")
          " "
          (group (or "prerouting"
                     "input"
                     "forward"
                     "output"
                     "postrouting"
                     "ingress"
                     "dormant"))
          " "
          (group "priority")
          " "
          (group (or (and (opt "-") (one-or-more digit))
                     "raw"
                     "mangle"
                     "dstnat"
                     "filter"
                     "security"
                     "srcnat"
                     "dstnat"
                     "filter"
                     "out"
                     "srcnat"))
          eow)
     (1 font-lock-type-face)
     (3 font-lock-type-face)
     (5 font-lock-type-face)
     (2 font-lock-constant-face)
     (4 font-lock-constant-face)
     (6 font-lock-constant-face))

    ;; << Table 8. Set specifications >>
    ;; type x              # set
    ;; type x : y          # map
    ;; flags x , y , z     # set/map
    ;; timeout 60s         # set
    ;; gc-interval 12s     # set
    ;; elements = { ... }  # set/map
    ;; size 1000           # set/map
    ;; auto-merge          # set
    (,(rx bow
          (group "type")
          " "
          (group (or "ipv4_addr" "ipv6_addr" "ether_addr" "inet_proto" "inet_service" "mark"))
          (optional
           " : "
           (group (or "ipv4_addr" "ipv6_addr" "ether_addr" "inet_proto" "inet_service" "mark" "counter" "quota")))
          eow)
     (1 font-lock-type-face)
     (2 font-lock-constant-face))
    (,(rx bow
          (group "flags")
          " "
          (group
           (or "constant" "dynamic" "interval" "timeout")
           (zero-or-more
            ", "
            (or "constant" "dynamic" "interval" "timeout")))
          eow)
     (1 font-lock-type-face)
     (2 font-lock-constant-face))
    (,(rx bow
          (group (or "timeout" "gc-interval"))
          " "
          (group                        ; copied from scanner.l
           (optional (one-or-more digit) "d")
           (optional (one-or-more digit) "h")
           (optional (one-or-more digit) "m")
           (optional (one-or-more digit) "s")
           (optional (one-or-more digit) "ms"))
          eow)
     (1 font-lock-type-face)
     (2 font-lock-string-face))
    (,(rx bow
          (group "size")
          " "
          (group (one-or-more digit))
          eow)
     (1 font-lock-type-face)
     (2 font-lock-string-face))
    (,(rx bow
          "auto-merge"
          eow)
     . font-lock-type-face)
    (,(rx bow
          (group "elements")
          " = "
          eow)
     (1 font-lock-type-face))


    ;; policy accept
    ;; policy drop
    (,(rx (group "policy") " " (group (or "accept" "drop")))
     (1 font-lock-type-face)
     (2 font-lock-function-name-face))

    ;; $variable
    ;; @array
    (,(rx (or "@" "$")
          alpha
          (zero-or-more (any alnum ?_)))
     . font-lock-variable-name-face)

    ;; Simplified because scanner.l is INSANE for IPv6.
    ;; 1234  (e.g. port number)
    ;; 1.2.3.4
    ;; ::1
    (,(rx bow
          (or
           ;; IPv4 address (optional CIDR)
           (and digit
                (zero-or-more (any digit "."))
                digit
                (optional "/" (one-or-more digit)))
           ;; IPv6 address (optional CIDR)
           ;; Oops, this was matching "add"!
           ;; WOW THIS IS REALLY REALLY HARD!
           (and (zero-or-more (or (and (repeat 1 4 hex-digit) ":")
                                  "::"))
                (repeat 1 4 hex-digit)
                (optional "/" (one-or-more digit)))
           ;; Bare digits.
           ;; Has to be after IPv4 address, or IPv4 address loses.
           ;; (or (one-or-more digit))
           )
          eow)
     . font-lock-string-face)


    ;; parser_bison.y:family_spec_explicit
    ;; (,(rx bow (or "ip" "ip6" "inet" "arp" "bridge" "netdev") eow)
    ;;  . font-lock-constant-face)

    ;; parser_bison.y:verdict_expr
    (,(rx bow (or "accept" "drop" "continue" "return") eow)
     . font-lock-function-name-face)
    (,(rx bow (group (or "jump" "goto"))
          " "
          (group (one-or-more (any alnum ?_)))) ; chain_expr
     (1 font-lock-function-name-face)
     (2 font-lock-variable-name-face))


    ))


;;; Based on equivalent for other editors:
;;;   * /usr/share/nano/nftables.nanorc
;;;   * https://github.com/nfnty/vim-nftables
;;;###autoload
(define-derived-mode nftables-mode prog-mode "nft"
  "FIXME docstring"
  (setq-local comment-start "#")
  (setq-local font-lock-defaults
              `(nftables-font-lock-keywords nil nil))
  ;; ;; make "table my_table {" result in indents on the next line.
  ;; (setq-local electric-indent-chars ?\})
  (setq-local indent-line-function #'nftables-indent-line)
  (setq-local tab-width 4))

;;; Stolen from parsnip's (bradyt's) dart-mode.
;;; https://github.com/bradyt/dart-mode/blob/199709f7/dart-mode.el#L315
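(defun nftables-indent-line ()
  "Indent the current line by brace nesting depth times `tab-width'."
  (let (old-point)
    (save-excursion
      (back-to-indentation)
      (let ((depth (car (syntax-ppss))))
        ;; A line starting with a closing delimiter belongs one level out.
        ;; `char-after' is nil at end of buffer, so guard before `char-syntax'.
        (if (and (char-after)
                 (= ?\) (char-syntax (char-after))))
            (setq depth (1- depth)))
        (indent-line-to (* depth tab-width)))
      (setq old-point (point)))
    (when (< (point) old-point)
      (back-to-indentation))))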

(add-to-list 'auto-mode-alist '("\\.nft\\(?:ables\\)?\\'" . nftables-mode))
(add-to-list 'auto-mode-alist '("/etc/nftables.conf" . nftables-mode))
(add-to-list 'interpreter-mode-alist '("nft\\(?:ables\\)?" . nftables-mode))

(provide 'nftables-mode)

--=-=-=
Content-Type: text/plain
Content-Disposition: inline; filename=nftables-mode-test.nft

#!/sbin/nft -f

$foo
@bar

######################################################################
# EXAMPLE RULESETS FROM https://wiki.nftables.org/
######################################################################
table inet filter {
    chain input {
        type filter hook input priority 0;
        # accept any localhost traffic
        iif lo accept
        # accept traffic originated from us
        ct state established,related accept
        # accept neighbour discovery otherwise connectivity breaks
        ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
        # count and drop any other traffic
        counter drop
    }
}

# FLOWTABLE EXAMPLE (NOTE: 0.9 flowtable, not the unrelated 0.8 thing also called flowtable)
table inet x {
    flowtable f {
        hook ingress priority 0 devices = { eth0, eth1 };
    }
    chain y {
        type filter hook forward priority 0; policy accept;
        ip protocol tcp flow offload @f
        counter packets 0 bytes 0
    }
}

# UPDATING A SET FROM ANOTHER CHAIN (a la iptables -m recent?)
table ip filter {
    set myset {
        type inet_service
        flags timeout
        elements = { http expires 9s }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        update @myset { tcp dport timeout 1m }
    }
}
table ip filter {
    set myset {
        type ipv4_addr
        elements = { 1.1.1.1 }
    }

    chain input {
        type filter hook input priority 0; policy accept;
        add @myset { ip saddr }
    }
}




add rule bridge filter forward ether type ip tcp dport 22 accept
add rule bridge filter forward ether type arp accept


add rule inet nat prerouting dnat tcp dport map { 1000 : 1.1.1.1, 2000 : 2.2.2.2, 3000 : 3.3.3.3} : tcp dport map { 1000 : 1234, 2000 : 2345, 3000 : 3456 }
add rule inet nat postrouting snat ip saddr map { 192.168.1.1 : 1.1.1.1, 192.168.2.2 : 2.2.2.2, 192.168.3.3 : 3.3.3.3 }

flush ruleset

include "./defines.nft"

table inet filter {
    chain global {
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        udp dport 53 accept
    }

    include "./inet-filter-sets.nft"
    include "./inet-filter-forward.nft"
    include "./inet-filter-local.nft"
}

# interfaces
define nic_inet = bond0
define nic_dmz = bond1
define nic_lan = bond2

# network ranks
define net_ipv4_dmz = 10.0.1.0/24
define net_ipv6_dmz = fe00:1::/64
define net_ipv4_lan = 10.0.2.0/24
define net_ipv6_lan = fe00:2::/64

# some machines
define server1_ipv4 = 10.0.1.2
define server1_ipv6 = fe00:1::2
define workstation1_ipv4 = 10.0.2.2
define workstation1_ipv6 = fe00:2::2

set myset_ipv4 {
    type ipv4_addr;
    elements = { $server1_ipv4 , $workstation1_ipv4 }
}

set myset_ipv6 {
    type ipv6_addr;
    elements = { $server1_ipv6 , $workstation1_ipv6 }
}

chain dmz_in {
    # your rules for traffic to your dmz servers
    ip saddr @myset_ipv4
    ip6 saddr @myset_ipv6
}

chain dmz_out {
    # your rules for traffic from the dmz to internet
}

chain lan_in {
    # your rules for traffic to your LAN nodes
}

chain lan_out {
    # your rules for traffic from the LAN to the internet
}

chain forward {
    type filter hook forward priority 0; policy drop;
    jump global
    oifname vmap { $nic_dmz : jump dmz_in , $nic_lan : jump lan_in }
    oifname $nic_inet iifname vmap { $nic_dmz : jump dmz_out , $nic_lan : jump lan_out }
}

chain input {
    type filter hook input priority 0 ; policy drop;
    jump global
    # your rules for traffic to the firewall here
}

chain output {
    type filter hook output priority 0 ; policy drop;
    jump global
    # your rules for traffic originated from the firewall itself here
}


flush ruleset

table ip Inet4 {
    set Knocked_1 {
        type ipv4_addr
        flags timeout, interval
        timeout 10s
        gc-interval 4s
    }
    set Knocked_2 {
        type ipv4_addr
        flags timeout
        timeout 10s
        gc-interval 4s
    }
    set Knocked_3 {
        type ipv4_addr
        flags timeout
        timeout 10s
        gc-interval 4s
    }
    set Knocked_4 {
        type ipv4_addr
        flags timeout
        timeout 2m
        gc-interval 4s
    }

    chain Knock_1 {
        set add ip saddr @Knocked_1
    }
    chain Unknock_1 {
        set update ip saddr timeout 0s @Knocked_1
    }
    chain Knock_2 {
        set update ip saddr timeout 0s @Knocked_1
        set add ip saddr @Knocked_2
    }
    chain Unknock_2 {
        set update ip saddr timeout 0s @Knocked_2
    }
    chain Knock_3 {
        set update ip saddr timeout 0s @Knocked_2
        set add ip saddr @Knocked_3
    }
    chain Unknock_3 {
        set update ip saddr timeout 0s @Knocked_3
    }
    chain Knock_4 {
        set update ip saddr timeout 0s @Knocked_3
        set add ip saddr @Knocked_4 log prefix "Port-Knock accepted: "
    }

    chain RefreshKnock {
        set update ip saddr timeout 2m @Knocked_4
    }

    chain PortKnock {
        ct state new ip saddr @Knocked_4 goto RefreshKnock
        tcp dport 456 ct state new ip saddr @Knocked_3 goto Knock_4
        tcp dport 345 ct state new ip saddr @Knocked_3 return
        ip saddr @Knocked_3 ct state new goto Unknock_3
        tcp dport 345 ct state new ip saddr @Knocked_2 goto Knock_3
        tcp dport 234 ct state new ip saddr @Knocked_2 return
        ip saddr @Knocked_2 ct state new goto Unknock_2
        tcp dport 234 ct state new ip saddr @Knocked_1 goto Knock_2
        tcp dport 123 ct state new ip saddr @Knocked_1 return
        ip saddr @Knocked_1 ct state new goto Unknock_1
        tcp dport 123 ct state new goto Knock_1
    }

    chain FilterIn {
        type filter hook input priority 0
        policy drop

        # allow established/related connections
        ct state established,related accept

        # early drop of invalid connections
        ct state invalid drop

        # allow from loopback
        meta iif lo accept

        # allow icmp
        ip protocol icmp accept

        # port-knocking
        jump PortKnock

        # misc. filtering
        # ...
    }

    chain FilterOut {
        type filter hook output priority 0
        policy accept
    }
}


table ip filter {
    map subnet_map {
        type ipv4_addr : verdict
        flags interval
        elements = { 10.20.255.48/29 : goto group_114, 10.20.255.88/29 : goto group_114,
            10.20.255.128/29 : goto group_114 }
    }

    set priority_set {
        type ipv4_addr
        flags interval
        elements = { 8.8.8.8, 8.8.4.4 }
    }

    map group_114 {
        type ipv4_addr : classid
        flags interval
        elements = { 10.20.255.50 : 1:ffd8, 10.20.255.90 : 1:ffd5,
            10.20.255.130 : 1:ffd2 }
    }

    map group_114_prio {
        type ipv4_addr : classid
        flags interval
        elements = { 10.20.255.50 : 1:ffd9, 10.20.255.90 : 1:ffd6,
            10.20.255.130 : 1:ffd3 }
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0
        meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0
        ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "
        ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "
        ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - "
        ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - "
        meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - "
    }

    chain input {
        type filter hook input priority filter; policy accept;
        meta priority none meta priority set 1:2 counter packets 419381 bytes 45041195
    }

    chain output {
        type filter hook output priority filter; policy accept;
        meta priority none meta priority set 1:2 counter packets 507779 bytes 51809859
    }

    chain group_114 {
        meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0
        meta priority none ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter packets 0 bytes 0
        meta priority none meta priority set ip daddr map @group_114 counter packets 0 bytes 0
        meta priority none meta priority set ip saddr map @group_114 counter packets 0 bytes 0
        meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "group_114 - "
    }
}

add table ip filter
add chain ip filter forward { type filter hook forward priority 0; policy accept; }
add map ip filter subnet_map { type ipv4_addr : verdict; flags interval; }
add set ip filter priority_set { type ipv4_addr; flags interval; }
add element ip filter priority_set {8.8.8.8 }
add element ip filter priority_set {8.8.4.4 }
add rule ip filter forward meta priority 0 ip daddr vmap @subnet_map counter
add rule ip filter forward meta priority 0 ip saddr vmap @subnet_map counter
add rule ip filter forward ip daddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - "
add rule ip filter forward ip saddr 192.168.0.0/16 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - "
add rule ip filter forward ip daddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - "
add rule ip filter forward ip saddr 10.0.0.0/8 meta priority 0 meta priority set "1:0xffff" counter log prefix "total - "
add rule ip filter forward meta priority 0 meta priority set "1:0x2" counter log prefix "non_shaped - "
add chain ip filter input { type filter hook input priority 0; policy accept; }
add rule ip filter input meta priority 0 meta priority set "1:0x2" counter
add chain ip filter output { type filter hook output priority 0; policy accept; }
add rule ip filter output meta priority 0 meta priority set "1:0x2" counter
add chain ip filter group_114
add map ip filter group_114 { type ipv4_addr : classid; flags interval; }
add map ip filter group_114_prio { type ipv4_addr : classid; flags interval; }
add rule ip filter group_114 meta priority 0 ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter
add rule ip filter group_114 meta priority 0 ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter
add rule ip filter group_114 meta priority 0 meta priority set ip daddr map @group_114 counter
add rule ip filter group_114 meta priority 0 meta priority set ip saddr map @group_114 counter
add rule ip filter group_114 meta priority 0 meta priority set "1:0xffff" counter log prefix "group_114 - "
add element ip filter subnet_map { 10.20.255.48/29 : goto group_114 }
add element ip filter subnet_map { 10.20.255.88/29 : goto group_114 }
add element ip filter subnet_map { 10.20.255.128/29 : goto group_114 }
add element ip filter group_114_prio { 10.20.255.50/32 : "1:0xffd9" }
add element ip filter group_114 { 10.20.255.50/32 : "1:0xffd8" }
add element ip filter group_114_prio { 10.20.255.90/32 : "1:0xffd6" }
add element ip filter group_114 { 10.20.255.90/32 : "1:0xffd5" }
add element ip filter group_114_prio { 10.20.255.130/32 : "1:0xffd3" }
add element ip filter group_114 { 10.20.255.130/32 : "1:0xffd2" }

# packet passing through server
chain forward {
    # hook forward does the magic, not the name of the chain
    # priority filter can be used in newer versions of nftables > 0.9.0
    type filter hook forward priority filter; policy accept;
    # packet is matched against subnet_map - it is verdict map = 10.20.255.48/29 : goto group_114
    meta priority none ip daddr vmap @subnet_map counter packets 0 bytes 0 # packet's dst address is looked up
    # it contains decision on where to send the packet for further processing when matched - chain group_114
    meta priority none ip saddr vmap @subnet_map counter packets 0 bytes 0 # packet's src address is looked up
    # private destination subnet without set priority is set to 1:0xffff
    ip daddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "
    # private source subnet without set priority is set to 1:0xffff
    ip saddr 192.168.0.0/16 meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "total - "
    ip daddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 38931 bytes 2926076 log prefix "total - "
    ip saddr 10.0.0.0/8 meta priority none meta priority set 1:ffff counter packets 14 bytes 1064 log prefix "total - "
    # rest of traffic is sent to separate tc class object
    meta priority none meta priority set 1:2 counter packets 0 bytes 0 log prefix "non_shaped - "
}

# subnet_map redirected the packet here
chain group_114 {
    # packet's source / destination address is matched against set named priority_set and it can't contain any priority set
    meta priority none ip saddr @priority_set meta priority set ip daddr map @group_114_prio counter packets 0 bytes 0
    # when matched it compares destination address of the packet against group_114_prio map and sets the priority accordingly - 1:ffd9
    meta priority none ip daddr @priority_set meta priority set ip saddr map @group_114_prio counter packets 0 bytes 0
    # packets heading / originating to / from non prioritized addresses are matched in next steps
    meta priority none meta priority set ip daddr map @group_114 counter packets 0 bytes 0
    meta priority none meta priority set ip saddr map @group_114 counter packets 0 bytes 0
    # unknown traffic is set to untracked object - 1:0xffff
    meta priority none meta priority set 1:ffff counter packets 0 bytes 0 log prefix "group_114 - "
}

map group_114 {
    type ipv4_addr : classid
    flags interval
    elements = { 10.20.255.50 : 1:ffd8, 10.20.255.90 : 1:ffd5,
        10.20.255.130 : 1:ffd2 }
}

map group_114_prio {
    type ipv4_addr : classid
    flags interval
    elements = { 10.20.255.50 : 1:ffd9, 10.20.255.90 : 1:ffd6,
        10.20.255.130 : 1:ffd3 }
}



######################################################################
# EXAMPLE STATEMENTS FROM THE MANPAGE
######################################################################



list ruleset
flush ruleset
list ruleset ip
flush ruleset ip6

table my_table { ... }
table arp my_table { ... }
add table my_table { ... }
add table arp my_table { ... }
create table my_table { ... }
create table arp my_table { ... }

delete table my_table
delete table arp my_table
list table my_table
list table arp my_table
flush table my_table
flush table arp my_table

list tables

delete table handle 1234
delete table arp handle 1234

create table inet mytable
add chain inet mytable myin { type filter hook input priority 0; }
add rule inet mytable myin counter
add table inet mytable { flags dormant; }
add table inet mytable


chain my_table my_chain { type filter hook input priority filter }

# {add | create} chain [family] table chain [{ type type hook hook [device device] priority priority ; [policy policy ;] }]
# {delete | list | flush} chain [family] table chain
# list chains
# delete chain [family] table handle handle
# rename chain [family] table chain newname

add rule filter output ip daddr 192.168.0.0/24 accept # 'ip filter' is assumed
# same command, slightly more verbose
add rule ip filter output ip daddr 192.168.0.0/24 accept

# nft -a list ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept # handle 4
        ip saddr 10.1.1.1 tcp dport ssh accept # handle 5
        ...
    }
}
# delete the rule with handle 5
# nft delete rule inet filter input handle 5

add rule inet filter input ip saddr { 10.0.0.0/8, 192.168.0.0/16 } tcp dport { 22, 443 } accept

add rule inet filter input ip saddr @allowed_hosts tcp dport @allowed_ports accept

# add set [family] table set { type type ; [flags flags ;] [timeout timeout ;] [gc-interval gc-interval ;] [elements = { element[, ...] } ;] [size size ;] [policy policy ;] [auto-merge ;] }
# {delete | list | flush} set [family] table set
# list sets
# delete set [family] table handle handle
# {add | delete} element [family] table set { element[, ...] }

# add map [family] table map { type type [flags flags ;] [elements = { element[, ...] } ;] [size size ;] [policy policy ;] }
# {delete | list | flush} map [family] table map
# list maps
# {add | delete} element [family] table map { elements = { element[, ...] } ; }

# {add | create} flowtable [family] table flowtable { hook hook priority priority ; devices = { device[, ...] } ; }
# {delete | list} flowtable [family] table flowtable

# {add | delete | list | reset} type [family] table object
# delete type [family] table handle handle
# list counters
# list quotas

# ct helper helper { type type protocol protocol ; [l3proto family ;] }

table inet myhelpers {
    ct helper ftp-standard {
        type "ftp" protocol tcp
    }
    chain prerouting {
        type filter hook prerouting priority 0;
        tcp dport 21 ct helper set "ftp-standard"
    }
}

# ct timeout name { protocol protocol ; policy = { state: value [, ...] } ; [l3proto family ;] }

table ip filter {
    ct timeout customtimeout {
        protocol tcp;
        l3proto ip
        policy = { established: 120, close: 20 }
    }

    chain output {
        type filter hook output priority filter; policy accept;
        ct timeout set "customtimeout"
    }
}


# counter [packets bytes]

# quota [over | until] [used]

# describe expression

describe tcp flags

# Interface name
filter input iifname eth0

# Weird interface name
filter input iifname "(eth0)"

# Ethernet destination MAC address
filter input ether daddr 20:c9:d0:43:12:d9

# dotted decimal notation
filter output ip daddr 127.0.0.1

# host name
filter output ip daddr localhost

# abbreviated loopback address
filter output ip6 daddr ::1

# without [] the port number (22) would be parsed as part of the
# ipv6 address
ip6 nat prerouting tcp dport 2222 dnat to [1ce::d0]:22

# match if route exists
filter input fib daddr . iif oif exists

# match only non-fragmented packets in IPv6 traffic
filter input exthdr frag missing

# match if TCP timestamp option is present
filter input tcp option timestamp exists

# match ping packets
filter output icmp type { echo-request, echo-reply }

# match ICMPv6 ping packets
filter output icmpv6 type { echo-request, echo-reply }

# meta {length | nfproto | l4proto | protocol | priority}
# [meta] {mark | iif | iifname | iiftype | oif | oifname | oiftype | skuid | skgid | nftrace | rtclassid | ibrname | obrname | pkttype | cpu | iifgroup | oifgroup | cgroup | random | ipsec | iifkind | oifkind}

filter input meta iif "foo"

# qualified meta expression
filter output meta oif eth0

# unqualified meta expression
filter output oif eth0

# packet was subject to ipsec processing
raw prerouting meta ipsec exists accept

# socket {transparent | mark}

# Mark packets that correspond to a transparent socket
table inet x {
    chain y {
        type filter hook prerouting priority -150; policy accept;
        socket transparent 1 mark set 0x00000001 accept
    }
}

# Trace packets that corresponds to a socket with a mark value of 15
table inet x {
    chain y {
        type filter hook prerouting priority -150; policy accept;
        socket mark 0x0000000f nftrace set 1
    }
}

# Set packet mark to socket mark
table inet x {
    chain y {
        type filter hook prerouting priority -150; policy accept;
        tcp dport 8080 mark set socket mark
    }
}

# osf [ttl {loose | skip}] {name | version}

# Accept packets that match the "Linux" OS genre signature without comparing TTL.
table inet x {
    chain y {
        type filter hook input priority 0; policy accept;
        osf ttl skip name "Linux"
    }
}

# fib {saddr | daddr | mark | iif | oif} [. ...] {oif | oifname | type}

# drop packets without a reverse path
filter prerouting fib saddr . iif oif missing drop

# drop packets to address not configured on ininterface
filter prerouting fib daddr . iif type != { local, broadcast, multicast } drop

# perform lookup in a specific 'blackhole' table (0xdead, needs ip appropriate ip rule)
filter prerouting meta mark set 0xdead fib daddr . mark type vmap { blackhole : drop, prohibit : jump prohibited, unreachable : drop }

# rt [ip | ip6] {classid | nexthop | mtu | ipsec}

# IP family independent rt expression
filter output rt classid 10
filter output rt ipsec missing

# IP family dependent rt expressions
ip filter output rt nexthop 192.168.0.1
ip6 filter output rt nexthop fd00::1
inet filter output rt ip nexthop 192.168.0.1
inet filter output rt ip6 nexthop fd00::1

# ipsec {in | out} [ spnum NUM ]  {reqid | spi}
# ipsec {in | out} [ spnum NUM ]  {ip | ip6} {saddr | daddr}

# ether {daddr | saddr | type}
# vlan {id | cfi | pcp | type}
# arp {htype | ptype | hlen | plen | operation | saddr { ip | ether } | daddr { ip | ether }
# ip {version | hdrlength | dscp | ecn | length | id | frag-off | ttl | protocol | checksum | saddr | daddr }
# icmp {type | code | checksum | id | sequence | gateway | mtu}
# igmp {type | mrt | checksum | group}
# ip6 {version | dscp | ecn | flowlabel | length | nexthdr | hoplimit | saddr | daddr}

# matching if first extension header indicates a fragment
ip6 nexthdr ipv6-frag

# icmpv6 {type | code | checksum | parameter-problem | packet-too-big | id | sequence | max-delay}

# tcp {sport | dport | sequence | ackseq | doff | reserved | flags | window | checksum | urgptr}
# udp {sport | dport | length | checksum}
# udplite {sport | dport | checksum}
# sctp {sport | dport | vtag | checksum}
# dccp {sport | dport}
# ah {nexthdr | hdrlength | reserved | spi | sequence}
# esp {spi | sequence}
# comp {nexthdr | flags | cpi}
# @base,offset,length

# Matching destination port of both UDP and TCP.
inet filter input meta l4proto {tcp, udp} @th,16,16 { 53, 80 }

# Rewrite arp packet target hardware address if target protocol address
# matches a given address.
input meta iifname enp2s0 arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566 accept

# hbh {nexthdr | hdrlength}
# frag {nexthdr | frag-off | more-fragments | id}
# rt {nexthdr | hdrlength | type | seg-left}
# dst {nexthdr | hdrlength}
# mh {nexthdr | hdrlength | checksum | type}
# srh {flags | tag | sid | seg-left}
# tcp option {eol | noop | maxseg | window | sack-permitted | sack | sack0 | sack1 | sack2 | sack3 | timestamp} tcp_option_field
# exthdr {hbh | frag | rt | dst | mh}
# tcp option {eol | noop | maxseg | window | sack-permitted | sack | sack0 | sack1 | sack2 | sack3 | timestamp}

filter input tcp option sack-permitted kind 1 counter
ip6 filter input frag more-fragments 1 counter

# ct {state | direction | status | mark | expiration | helper | label}
# ct [original | reply] {l3proto | protocol | bytes | packets | avgpkt | zone}
# ct {original | reply} {proto-src | proto-dst}
# ct {original | reply} {ip | ip6} {saddr | daddr}

# restrict the number of parallel connections to a server.
filter input tcp dport 22 meter test { ip saddr ct count over 2 } reject

# {accept | drop | queue | continue | return}
# {jump | goto} chain

# process packets from eth0 and the internal network in from_lan
# chain, drop all packets from eth0 with different source addresses.
filter input iif eth0 ip saddr 192.168.0.0/24 jump from_lan
filter input iif eth0 drop

# payload_expression set value

# route some packets instead of bridging.

# redirect tcp:http from 192.160.0.0/16 to local machine for routing instead of bridging
# assumes 00:11:22:33:44:55 is local MAC address.
bridge input meta iif eth0 ip saddr 192.168.0.0/16 tcp dport 80 meta pkttype set unicast ether daddr set 00:11:22:33:44:55

# Set IPv4 DSCP header field.
ip forward ip dscp set 42

# extension_header_expression set value

tcp flags syn tcp option maxseg size set 1360
# set a size based on route information:
tcp flags syn tcp option maxseg size set rt mtu

# log the UID which generated the packet and ip options
ip filter output log flags skuid flags ip options

# log the tcp sequence numbers and tcp options from the TCP packet
ip filter output log flags tcp sequence,options

# enable all supported log flags
ip6 filter output log flags all

# counter packets number bytes number
# counter { packets number | bytes number }

# save packet nfmark in conntrack.
ct mark set meta mark

# set zone mapped via interface.
table inet raw {
    chain prerouting {
        type filter hook prerouting priority -300;
        ct zone set iif map { "eth1" : 1, "veth1" : 2 }
    }
    chain output {
        type filter hook output priority -300;
        ct zone set oif map { "eth1" : 1, "veth1" : 2 }
    }
}

# restrict events reported by ctnetlink.
ct event set new,related,destroy

# meta {mark | priority | pkttype | nftrace} set value

# limit rate [over] packet_number / TIME_UNIT [burst packet_number packets]
# limit rate [over] byte_number BYTE_UNIT / TIME_UNIT [burst byte_number BYTE_UNIT]

# TIME_UNIT := second | minute | hour | day
# BYTE_UNIT := bytes | kbytes | mbytes

# create a suitable table/chain setup for all further examples
add table nat
add chain nat prerouting { type nat hook prerouting priority 0; }
add chain nat postrouting { type nat hook postrouting priority 100; }

# translate source addresses of all packets leaving via eth0 to address 1.2.3.4
add rule nat postrouting oif eth0 snat to 1.2.3.4

# redirect all traffic entering via eth0 to destination address 192.168.1.120
add rule nat prerouting iif eth0 dnat to 192.168.1.120

# translate source addresses of all packets leaving via eth0 to whatever
# locally generated packets would use as source to reach the same destination
add rule nat postrouting oif eth0 masquerade

# redirect incoming TCP traffic for port 22 to port 2222
add rule nat prerouting tcp dport 22 redirect to :2222

# inet family:
# handle ip dnat:
add rule inet nat prerouting dnat ip to 10.0.2.99
# handle ip6 dnat:
add rule inet nat prerouting dnat ip6 to fe80::dead
# this masquerades both ipv4 and ipv6:
add rule inet nat postrouting meta oif ppp0 masquerade

# Example ruleset for tproxy statement.
table ip x {
    chain y {
        type filter hook prerouting priority -150; policy accept;
        tcp dport ntp tproxy to 1.1.1.1
        udp dport ssh tproxy to :2222
    }
}
table ip6 x {
    chain y {
        type filter hook prerouting priority -150; policy accept;
        tcp dport ntp tproxy to [dead::beef]
        udp dport ssh tproxy to :2222
    }
}
table inet x {
    chain y {
        type filter hook prerouting priority -150; policy accept;
        tcp dport 321 tproxy to :ssh
        tcp dport 99 tproxy ip to 1.1.1.1:999
        udp dport 155 tproxy ip6 to [dead::beef]:smux
    }
}

flow add @flowtable

# send to machine with ip address 10.2.3.4 on eth0
ip filter forward dup to 10.2.3.4 device "eth0"

# copy raw frame to another interface
netdetv ingress dup to "eth0"
dup to "eth0"

# combine with map dst addr to gateways
dup to ip daddr map { 192.168.7.1 : "eth0", 192.168.7.2 : "eth1" }

fwd to device

# Example for simple blacklist.

# declare a set, bound to table "filter", in family "ip". Timeout and size are mandatory because we will add elements from packet path.
add set ip filter blackhole "{ type ipv4_addr; flags timeout; size 65536; }"

# whitelist internal interface.
add rule ip filter input meta iifname "internal" accept

# drop packets coming from blacklisted ip addresses.
add rule ip filter input ip saddr @blackhole counter drop

# add source ip addresses to the blacklist if more than 10 tcp connection requests occurred per second and ip address.
# entries will timeout after one minute, after which they might be re-added if limit condition persists.
add rule ip filter input tcp flags syn tcp dport ssh meter flood size 128000 { ip saddr timeout 10s limit rate over 10/second} add @blackhole { ip saddr timeout 1m } drop

# inspect state of the rate limit meter:
list meter ip filter flood

# inspect content of blackhole:
list set ip filter blackhole

# manually add two addresses to the set:
add element filter blackhole { 10.2.3.4, 10.23.1.42 }

# select DNAT target based on TCP dport:
# connections to port 80 are redirected to 192.168.1.100,
# connections to port 8888 are redirected to 192.168.1.101
add rule ip nat prerouting dnat tcp dport map { 80 : 192.168.1.100, 8888 : 192.168.1.101 }

# source address based SNAT:
# packets from net 192.168.1.0/24 will appear as originating from 10.0.0.1,
# packets from net 192.168.2.0/24 will appear as originating from 10.0.0.2
add rule ip nat postrouting snat to ip saddr map { 192.168.1.0/24 : 10.0.0.1, 192.168.2.0/24 : 10.0.0.2 }

# jump to different chains depending on layer 4 protocol type:
add rule ip filter input ip protocol vmap { tcp : jump tcp-chain, udp : jump udp-chain , icmp : jump icmp-chain }

monitor ruleset

--=-=-=--




Acknowledgement sent to trentbuck@HIDDEN (Trent W. Buck):
New bug report received and forwarded. Copy sent to bug-gnu-emacs@HIDDEN. Full text available.
Report forwarded to bug-gnu-emacs@HIDDEN:
bug#36759; Package emacs. Full text available.
Last modified: Mon, 2 May 2022 08:45:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.