summaryrefslogtreecommitdiffstats
path: root/include/libnftnl
Commit message (Collapse)AuthorAgeFilesLines
* table: add table owner supportPablo Neira Ayuso2021-03-011-0/+1
| | | | | | Add support for NFTA_TABLE_OWNER. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* dynset: add NFTNL_EXPR_DYNSET_FLAGSPablo Neira Ayuso2021-01-131-0/+1
| | | | | | This patch adds support for the dynset flags. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add NFTNL_EXPR_DYNSET_EXPRESSIONSPablo Neira Ayuso2020-12-171-0/+7
| | | | | | | | | | | | | | NFTNL_EXPR_DYNSET_EXPR defines the stateful expression type that an element stores when added from the packet path. This patch adds support for the set expression list, which generalizes NFTNL_EXPR_DYNSET_EXPR. This patch also adds nftnl_expr_add_expr() to add new expressions to elements and nftnl_set_expr_expr_foreach() to iterate over the list of expressions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add NFTNL_SET_EXPRESSIONSPablo Neira Ayuso2020-12-171-0/+7
| | | | | | | | | | | | | | | | NFTNL_SET_EXPR defines the stateful expression type that this set stores in each element. This provides the set definition in terms of stateful expressions. The expression that is passed via NFNTL_SET_ELEM_EXPR must equal to this set stateful expression type, otherwise the kernel bails out. This patch adds support for the set expression list, which generalizes NFTNL_SET_EXPR. This patch also adds nftnl_set_add_expr() to add new expressions to a set and nftnl_set_elem_expr_foreach() to iterate over the list of expressions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add NFTNL_SET_ELEM_EXPRESSIONSPablo Neira Ayuso2020-12-171-0/+7
| | | | | | | | | | | | | | | NFTNL_SET_ELEM_EXPR defines the stateful expression type that this element stores. This is useful to restore runtime set element stateful expressions (when saving, then reboot and restore). This patch adds support for the set element expression list, which generalizes NFTNL_SET_ELEM_EXPR. This patch also adds nftnl_set_elem_add_expr() to add new expressions to set elements and nftnl_set_elem_expr_foreach() to iterate over the list of expressions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add nftnl_rule_del_expr()Pablo Neira Ayuso2020-10-191-0/+1
| | | | | | Add a function to remove expression from the rule list. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: expose nftnl_expr_build_payload()Pablo Neira Ayuso2020-10-161-0/+2
| | | | | | | This function allows you to build the netlink attributes for expressions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: add userdata and comment supportJose M. Guisado Gomez2020-09-302-0/+7
| | | | | | | | | | | | Adds NFTNL_CHAIN_USERDATA, in order to support userdata for chains. Adds NFTNL_UDATA_CHAIN_COMMENT chain userdata type to support storing a comment. Relies on NFTA_CHAIN_USERDATA. Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* object: add userdata and comment supportJose M. Guisado Gomez2020-09-082-0/+7
| | | | | | | | | | | | | This patch adds NFTNL_OBJ_USERDATA to support userdata for objects. Also adds NFTNL_UDATA_OBJ_COMMENT to support comments for objects, stored in userdata space. Bumps libnftnl.map to 15 as nftnl_obj_get_data needs to be exported to enable getting object attributes/data. Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* table: add userdata supportJose M. Guisado Gomez2020-08-282-0/+7
| | | | | | | | This patch adds NFT_TABLE_USERDATA and NFTNL_UDATA_TABLE_COMMENT to support for table comments. Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftnl: export nftnl_set_elem_fprintfFlorian Westphal2020-08-201-1/+1
| | | | | | | | | | Was not exported so far due to a typo. While at it, add const qualifier to element structure. Will be used to optionally dump set contents / elements from nft frontend. Signed-off-by: Florian Westphal <fw@strlen.de>
* udata: add NFTNL_UDATA_SET_COMMENTJose M. Guisado Gomez2020-08-121-0/+1
| | | | | | | This field is used to store an optional comment of a set. Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for chain ID attributePablo Neira Ayuso2020-07-212-0/+2
| | | | | | | his patch allows you to refer to chains via the chain ID. The semantics are similar to the NFTA_RULE_ID attribute. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* udata: add NFTNL_UDATA_SET_DATA_INTERVALPablo Neira Ayuso2020-04-281-0/+1
| | | | | | Use this field to specify that set element data specifies an interval. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Revert "bitwise: add support for passing mask and xor via registers."Pablo Neira Ayuso2020-03-311-2/+0
| | | | | | | This reverts commit 75b8778e5bf630a3fc13e5d76bc64838135f02a9. Kernel support for this new feature might be reworked, keep this back. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: support for NFTNL_SET_EXPRPablo Neira Ayuso2020-03-172-0/+2
| | | | | | This patch adds support for the NFTA_SET_EXPR netlink attribute. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: add NFTNL_CHAIN_FLAGSPablo Neira Ayuso2020-03-031-0/+1
| | | | | | This patch adds support for chain flags. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bitwise: add support for passing mask and xor via registers.Jeremy Sowden2020-03-021-0/+2
| | | | | | | | | | The kernel supports passing mask and xor values for bitwise boolean operations via registers. These are mutually exclusive with the existing data attributes: e.g., setting both NFTA_EXPR_BITWISE_MASK and NFTA_EXPR_BITWISE_MREG is an error. Add support to libnftnl. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add nftnl_*_{get,set}_array()Pablo Neira Ayuso2020-02-192-2/+4
| | | | | | | | | The original intention in eb58f53372e7 ("src: add flowtable support") was to introduce this helper function. Add helper to set and to get array of strings. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Phil Sutter <phil@nwl.cc>
* set_elem: Introduce support for NFTNL_SET_ELEM_KEY_ENDStefano Brivio2020-02-051-0/+1
| | | | | | | | | | | The new set element attribute maps to the netlink attribute NFTA_SET_ELEM_KEY_END in the same way as NFTNL_SET_ELEM_KEY maps to NFTA_SET_ELEM_KEY, and represents the key data used to express the upper bound of a range, in concatenations. Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: Add support for NFTA_SET_DESC_CONCAT attributesStefano Brivio2020-02-051-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | If NFTNL_SET_DESC_CONCAT data is passed, pass that to the kernel as NFTA_SET_DESC_CONCAT attributes: it describes the length of single concatenated fields, in bytes. Similarly, parse NFTA_SET_DESC_CONCAT attributes if received from the kernel. This is the libnftnl counterpart for nftables patch: src: Add support for NFTNL_SET_DESC_CONCAT v4: - move NFTNL_SET_DESC_CONCAT to the end of enum nftnl_set_attr to avoid ABI breakage (Pablo Neira Ayuso) v3: - use NFTNL_SET_DESC_CONCAT and NFTA_SET_DESC_CONCAT instead of a stand-alone NFTA_SET_SUBKEY attribute (Pablo Neira Ayuso) - pass field length in bytes instead of bits, fields would get unnecessarily big otherwise v2: - fixed grammar in commit message - removed copy of array bytes in nftnl_set_nlmsg_build_subkey_payload(), we're simply passing values to htonl() (Phil Sutter) Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: update nf_tables.h.Jeremy Sowden2020-01-181-0/+2
| | | | | | | | The kernel UAPI header includes a couple of new bitwise netlink attributes and an enum. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* udata: support for TLV attribute nestingPablo Neira Ayuso2019-12-171-0/+5
| | | | | | | This patch adds nftnl_udata_nest_start() and nftnl_udata_nest_end() to build attribute nests. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* udata: add NFTNL_UDATA_SET_*TYPEOF* definitionsPablo Neira Ayuso2019-12-161-0/+9
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: typo in object.h C++ wrapperPablo Neira Ayuso2019-12-111-1/+1
| | | | | | | s/__cplusplusg/__cplusplus/ Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1389 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* flowtable: add support for handle attributeEric Jallot2019-11-061-0/+3
| | | | | | | Add code to implement NFTA_FLOWTABLE_HANDLE Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Deprecate untyped data settersPhil Sutter2019-10-317-7/+7
| | | | | | | | | These functions make assumptions on size of passed data pointer and therefore tend to hide programming mistakes. Instead either one of the type-specific setters or the generic *_set_data() setter should be used. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: multi-device supportPablo Neira Ayuso2019-10-281-0/+1
| | | | | | Add support for NFTA_HOOK_DEVS. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: Validate nftnl_set_elem_set() parametersPhil Sutter2019-10-161-0/+2
| | | | | | | | | | | | | Copying from nftnl_table_set_data(), validate input to nftnl_set_elem_set() as well. Given that for some attributes the function assumes passed data size, this seems necessary. Since data size expected for NFTNL_SET_ELEM_VERDICT attribute is sizeof(uint32_t), change type of 'verdict' field in union nftnl_data_reg accordingly. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: Export nftnl_set_list_lookup_byname()Phil Sutter2019-10-101-0/+2
| | | | | | | | | Rename and optimize internal function nftnl_set_lookup() for external use. Just like with nftnl_chain_list, use a hash table for fast set name lookups. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: synproxy stateful object supportFernando Fernandez Mancera2019-09-101-0/+6
| | | | | | | This patch adds synproxy stateful object support. Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add synproxy supportFernando Fernandez Mancera2019-07-061-0/+6
| | | | | Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add ct expectation supportStéphane Veyret2019-06-191-0/+8
| | | | | | | | Add support for ct expectation objects, used to define specific expectations. Signed-off-by: Stéphane Veyret <sveyret@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: Remove redundant declaration of nftnl_gen_nlmsg_parse()Phil Sutter2019-05-141-1/+0
| | | | | | | | | The duplicated declaration was there since the functions initial introduction as 'nft_gen_nlmsg_parse()'. Fixes: 2e66fb09d6936 ("src: add ruleset generation class") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: osf: add version option supportFernando Fernandez Mancera2019-04-081-0/+1
| | | | | Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* udata: add NFTNL_UDATA_* definitionsPablo Neira Ayuso2019-02-121-0/+33
| | | | | | | | Place them in the library, so iptables and nftables do not need to redefine them. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Phil Sutter <phil@nwl.cc>
* src: rule: Support NFTA_RULE_POSITION_ID attributePhil Sutter2019-01-281-0/+1
| | | | | Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Revert "expr: add map lookups for hash statements"Laura Garcia Liebana2019-01-281-2/+2
| | | | | | | | | A better way to implement this from userspace has been found without specific code in the kernel side, revert this. Fixes: bb4b75aea5c0 ("expr: add map lookups for hash statements") Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Revert "expr: add map lookups for numgen statements"Laura Garcia Liebana2019-01-281-2/+2
| | | | | | | | | A better way to implement this from userspace has been found without specific code in the kernel side, revert this. Fixes: b97f45c2ebaa ("expr: add map lookups for numgen statements") Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: chain: Fix nftnl_chain_rule_insert_at()Phil Sutter2019-01-141-0/+1
| | | | | | | | | | Extrapolating from iptables nomenclature, one would expect that "insert" means to prepend the new item to the referenced one, not append. Change nftnl_chain_rule_insert_at() to do just that and introduce nftnl_chain_rule_append_at() to insert a rule after the referenced one. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: chain: Add missing nftnl_chain_rule_del()Phil Sutter2019-01-141-0/+1
| | | | | | | | | | | Although identical to nftnl_rule_list_del(), this function adheres to the common naming style of per chain rule list routines introduced earlier, therefore helps with deprecating the global rule list API at a later point. Fixes: e33798478176f ("chain: Support per chain rules list") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: Add lookup functions for chain list and rules in chainPhil Sutter2018-12-071-0/+2
| | | | | | | | | For now, these lookup functions simply iterate over the linked list until they find the right entry. In future, they may make use of more optimized data structures behind the curtains. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: Support per chain rules listPhil Sutter2018-12-071-0/+15
| | | | | | | The implementation basically copies expr_list in struct nftnl_rule. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove nftnl_rule_cmp() and nftnl_expr_cmp()Pablo Neira Ayuso2018-10-242-4/+0
| | | | | | | | | | | | | | These functions are not very useful, rule comparison from this layer does not work well with implicit set definitions. This infrastructure was added as an attempt to support for deletion by name from this layer, which should be done from higher level libnftables library. Finally, we never had a client for this code in git.netfilter.org. Let's remove it and bump libversion for safety reasons. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: osf: add ttl option supportFernando Fernandez Mancera2018-10-151-0/+1
| | | | | Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for new secmark objectChristian Göttsche2018-10-091-0/+4
| | | | | | | The new object will hold security context strings. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add xfrm supportFlorian Westphal2018-09-211-0/+8
| | | | | | | Joint work with Máté Eckl. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* obj: ct_timeout: use fixed size arrayPablo Neira Ayuso2018-08-311-0/+2
| | | | | | | | | Use an internal array and expose maximum size so we can just use the same array size for all protocol timeouts. This simplifies handling a bit and we don't need to set NFTNL_OBJ_CT_TIMEOUT_L4PROTO in first place. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add ct timeout supportHarsha Sharma2018-08-131-0/+27
| | | | | | | | Add support for ct timeout objects, used to assign connection tracking timeout policies. Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add support for matching tunnel metadataPablo Neira Ayuso2018-08-061-0/+5
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>