| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
| |
Rolf Eike Beer <eike@sf-mail.de> reported that nft-expr_quota-test fails
with a SIGBUS on SPARC due to unaligned accesses. This patch resolves
that and fixes additional sources of unaligned accesses matching the
same pattern. Both nft-expr_quota-test and nft-expr_objref-test
generated unaligned accesses on DEC Alpha.
Bug: https://bugs.gentoo.org/666448
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
All tests are now run with make check.
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
The existing test-script.sh does not check the return values of the
tests so it is not very good for automated testing.
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Seems to have been forgotten in commit 4d472c225ba0 ("tests: add
flowtable regression test")
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
We have better json support in libnftables these days.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
The new object will hold security context strings.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Joint work with Máté Eckl.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Add include header for NFTNL_CTTIMEOUT_ARRAY_MAX. Fixes compilation error
"../include/obj.h:43:21: error: ‘NFTNL_CTTIMEOUT_ARRAY_MAX’
undeclared here (not in a function);
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
It's a valid configuration, don't assume this means timeout is unset.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Use an internal array and expose maximum size so we can just use the
same array size for all protocol timeouts. This simplifies handling
a bit and we don't need to set NFTNL_OBJ_CT_TIMEOUT_L4PROTO in first
place.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
gcc 4.9 only allows for-loop initialisation declarations in C99 or C11 modes.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Usage:
./nft-rule-ct-timeout-add ip filter input some-name
./nft-rule-get ip filter
ip filter input 4
[ objref type 7 name some-name ]
nft list ruleset
...
chain input {
ct timeout set "some-name"
}
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add, list and delete ct timeout objects from specified table
Usage e.g.:
% ./nft-ct-timeout-add ip filter some-name tcp
% ./nft-ct-timeout-get ip filter
table filter name some-name use 0 [ ct_timeout family 2 protocol 6
policy = {ESTABLISHED = 111,CLOSE_WAIT = 14, CLOSE = 16}]
% ./nft-ct-timeout-del ip filter some-name
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Add support for ct timeout objects, used to assign connection tracking
timeout policies.
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This code, which is enabled via --with-json-parsing, doesn't compile.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
A few files (batch.h / common.h / set.h / udata.h) are missing the
usual.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1268
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
When setting NFTNL_EXPR_EXTHDR_TYPE, one needs to call
nftnl_expr_set_u8() and not nftnl_expr_set_u32(). Otherwise 'type'
variable is assigned to uint32_t parameter before being passed to
nftnl_expr_exthdr_set() as void pointer which casts it to uint8_t.
On big endian systems, the latter would only consider the most
significant byte instead of the least significant one.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
| |
Since reg->len is a 32bit variable, one needs to pass NFTNL_TYPE_U32 to
nftnl_jansson_parse_val(). Otherwise, only the most significant byte in
that variable is being written to.
Since the value could potentially be larger than 255, increase node_name
buffer to avoid a compiler warning.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This function basically did:
| memcpy(out, val, <len of requested type>);
which works only for little endian integer types. Fix this by assigning
the 64bit input value to a variable of the right size and use that as
input for above memcpy() call.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
| |
Check for libmnl >= 1.0.3 just like nftables does.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
rt_key2str() should also return the 'tcpmss' case.
Instead of:
[ rt load unknown => reg 1 ]
print:
[ rt load tcpmss => reg 1 ]
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
To support forwarding through neighbour layer from ingress.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Joint work with Pablo.
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Allow to add rule object before any existing rule.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
This patch introduces two new attributes for hash expression
to allow map lookups where the hash is the key.
The new attributes are NFTNL_EXPR_HASH_SET_NAME and
NFTNL_EXPR_HASH_SET_ID in order to identify the given map.
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Usage:
./nft-rule-ct-helper-add ip filter input sip-5060
./nft-rule-get ip filter
ip filter input 7 6
[ objref type 3 name sip-5060 ]
nft list ruleset
...
chain input {
ct helper set "sip-5060"
}
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
This patch introduces two new attributes for numgen to allow map
lookups where the number generator will be the key.
Two new attributes needs to be included: NFTNL_EXPR_NG_SET_NAME and
NFTNL_EXPR_NG_SET_ID in order to identify the given map.
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
AC_INIT version was already bumped in 7693a5e293962, not needed.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
| |
->len is uint8_t, so we can't handle more than this.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
The lookup expression does not do this either, so let's be consistent
and remove it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Fixes: 62d6fff78b2c ("src: remove set/get array api")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nft-ct-helper-{add,get,del}: add, get, or delete ct helper objects from the specified table.
Examples:
% ./nft-ct-helper-get ip filter
<nothing>
% ./nft-ct-helper-add ip filter sip-5060 sip udp
% ./nft-ct-helper-get ip filter
table filter name sip-5060 use 0 [ ct_helper name sip family 2 protocol 17 ]
% ./nft-ct-helper-del ip filter sip-5060
% ./nft-ct-helper-get ip filter
<nothing>
Signed-off-by: Yang Zheng <tomsun.0.7@gmail.com>
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
one-line wrapper, callers can use nftnl_flowtable_get/set instead.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Correct one typo for parsing set handles.
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
So new nftables doesn't break compilation with old libnftnl versions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch add code to allocate object handles and delete objects via
object handles.
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch adds code to allocate set handles and delete sets via set
handle.
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
|