summaryrefslogtreecommitdiffstats
path: root/include/linux/netfilter
Commit message (Collapse)AuthorAgeFilesLines
...
* expr: add hash expressionLaura Garcia Liebana2016-08-171-0/+21
| | | | | | | Support for the nft hash expression in libnftnl. Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: lookup: give support for inverted matchingArturo Borrero2016-06-241-0/+6
| | | | | | | | Inverted matching support was included in the kernel, let's give support here as well. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: refresh nf_tables.h cache copyPablo Neira Ayuso2016-05-201-4/+17
| | | | | | | | | | | | Refresh the cached header file. This includes a small fix to avoid this compilation warning after refreshing the header: trace.c: In function 'nftnl_trace_parse_attr_cb': trace.c:87:2: warning: enumeration value 'NFTA_TRACE_PAD' not handled in switch [-Wswitch] Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: masq: Add support for port selectionShivani Bhardwaj2016-03-031-0/+2
| | | | | | | Complete masquerading support by allowing port range selection. Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: meta: add prandom supportFlorian Westphal2016-02-021-0/+2
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* expr: add forward expressionPablo Neira Ayuso2016-02-011-0/+12
| | | | | | Add forward expression for the netdev family. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: ct: add packet and byte counter supportFlorian Westphal2016-01-141-0/+2
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: limit: add support for flagsPablo Neira Ayuso2016-01-131-0/+6
| | | | | | | This patch adds the limit flags, the first client of this is the inversion flag that allows us to match overlimit. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add trace infrastructure supportFlorian Westphal2015-11-271-0/+52
| | | | | | | | | parses trace monitor netlink messages from the kernel and builds nftnl_trace struct that contains the dissected information. Provides getters to access these attributes. Signed-off-by: Florian Westphal <fw@strlen.de>
* payload: add payload mangling supportPatrick McHardy2015-11-251-0/+17
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* expr: add dup expression supportPablo Neira Ayuso2015-09-211-0/+14
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: limit: add per-byte limiting supportPablo Neira Ayuso2015-09-211-0/+7
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: limit: add burst attributePablo Neira Ayuso2015-09-211-0/+2
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: add netdev family supportPablo Neira Ayuso2015-06-161-2/+2
| | | | | | | | | Add support for the new NFT_CHAIN_ATTR_DEV attribute that indicates that the basechain is attached to a net_device. This partially reworks 1dd9ba1ea23c ("table: add netdev family support"). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* table: add netdev family supportPablo Neira Ayuso2015-05-291-0/+2
| | | | | | This adds support for the new 'netdev' family tables. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* dynset: support expression templatesPatrick McHardy2015-04-141-0/+4
| | | | | | | Support expression templates for the dynset expression for dynamic expression instantiation. Signed-off-by: Patrick McHardy <kaber@trash.net>
* set_elem: support expressions attached to set elementsPatrick McHardy2015-04-141-0/+2
| | | | | | | This patch supports attaching a struct nft_rule_expr to a set element and adds netlink attribute encoding and decoding. Signed-off-by: Patrick McHardy <kaber@trash.net>
* data: increase maximum possible data sizePatrick McHardy2015-04-141-0/+3
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* headers: resync headers for new register definitionsPatrick McHardy2015-04-141-1/+31
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* expr: add support for the dynset exprPatrick McHardy2015-04-121-0/+27
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* set_elem: add support for userdataPatrick McHardy2015-04-121-0/+2
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* set_elem: add timeout supportPatrick McHardy2015-04-091-0/+4
| | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: add support for set timeoutsPatrick McHardy2015-04-091-0/+6
| | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: meta: Add cgroup supportAna Rey2014-11-101-1/+3
| | | | | | | | The kernel support is add in the commit: netfilter: nft_meta: add cgroup support Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for nft_redir expressionArturo Borrero2014-10-301-0/+37
| | | | | | | This patch adds support for the new nft_redir expression. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add ruleset generation classPablo Neira Ayuso2014-09-191-2/+17
| | | | | | | | | | | | | | The generation object currently only contains the uint32_t that indicates the generation ID. I could have just add the API to return the uint32_t ID instead, but I think this API is easier to extend without adding new APIs. We can probably include meaningful statistics in the generation message in the future without much hassle. This patch also extends examples/nft-events.c. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nf_tables.h: add NFTA_MASQ_UNSPECArturo Borrero2014-09-121-0/+1
| | | | | | | To keep this consistent with other nft_*_attributes. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add new nft_masq expressionArturo Borrero2014-09-091-0/+12
| | | | | | | | This patch adds userspace support to nft_masq, the new expression to perform masquerade. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: nat: add support for the new flags attributeArturo Borrero2014-09-091-0/+2
| | | | | | | This patchs adds support for the new flags attribute in the nft_nat expression. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
* expr: meta: Add devgroup supportAna Rey2014-09-031-0/+4
| | | | | | | | The kernel support is add in commit: netfilter: nf_tables: add devgroup support in meta expresion Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: get rid of cached copies of x_tables.h and xt_LOG.hPablo Neira Ayuso2014-08-313-205/+1
| | | | | | | | | | Keeping the full cached copy the of x_tables.h file in tree is too much for just the XT_EXTENSION_MAXNAMELEN constant. Similarly, xt_LOG.h is not actually required by the tests, we can use any whatever syntetic data to make sure the setter and getter provide the same result. So, let's get rid of these headers from the library tree. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: meta: Add cpu support for meta expresionAna Rey2014-08-241-0/+2
| | | | | Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: meta: Add pkttype supportAna Rey2014-08-241-0/+2
| | | | | | Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: log: add support for level and flagsPablo Neira Ayuso2014-07-011-0/+4
| | | | | | This is required by changes scheduled for Linux kernel 3.17. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: add set ID supportPablo Neira Ayuso2014-05-191-0/+6
| | | | | | | Add the set ID (u32) which allows us to uniquely identify the set in the batch that is sent to kernel-space. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: synchronize nf_tables.h with nftables treePablo Neira Ayuso2014-05-191-2/+28
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: Add support for input and output bridge interface nameTomasz Bursztyka2014-04-241-0/+4
| | | | | | | | | Add support for dedicated bridge meta key, related to device names: - NFT_META_BRI_IIFNAME - NFT_META_BRI_OIFNAME Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: add NFT_RULE_ATTR_USERDATA supportPablo Neira Ayuso2014-02-271-1/+4
| | | | | | This allows us to manipulate the user data area of the rule. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: get linux/netfilter/nf_tables.h in sync with kernel headerPablo Neira Ayuso2014-02-271-1/+2
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add conntrack label match supportFlorian Westphal2014-02-181-0/+2
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* Merge branch 'master' into next-3.14Pablo Neira Ayuso2014-02-033-5/+274
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch includes changes to adapt this branch to the library rename that happened in the master branch. Conflicts: src/Makefile.am src/expr/cmp.c src/expr/ct.c src/expr/data_reg.c src/expr/meta.c tests/jsonfiles/01-table.json tests/jsonfiles/02-table.json tests/jsonfiles/64-ruleset.json tests/xmlfiles/01-table.xml tests/xmlfiles/02-table.xml
| * build: resolve compile error involving XT_EXTENSION_MAXNAMELENJan Engelhardt2014-01-211-0/+185
| | | | | | | | | | | | | | | | 2.6.32 headers in /usr/include/linux again. Ship a copy of x_tables.h from Linux 3.11. Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * include: update netlink.h to 3.13Tomasz Bursztyka2013-12-121-5/+84
| | | | | | | | | | | | | | | | Use kernel header from 3.13-rc upstream kernel, this includes documentation changes that were missing. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * examples: nft-rule-add: use existing batch infrastructurePablo Neira Ayuso2013-12-101-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch reworks the existing example to add the rule: nft add rule ip filter input tcp dport 22 counter It uses the existing nfnl batching approach using the generic mnl netlink message batching infrastructure. It also removed the code that uses xtables compat code. Based on original patch by Arturo Borrero Gonzalez. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | expr: ct: Add support for setting the markKristian Evensen2014-01-151-0/+2
| | | | | | | | | | | | | | | | | | This patch adds userspace support for setting properties of tracked connections. Currently, the connection mark is supported. This can be used to implemented the same functionality as iptables -j CONNMARK --save-mark. Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | libnftables: add support for inet family and mete nfproto/l4proto expressionsPatrick McHardy2014-01-081-0/+4
| | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* | src: update meta exprArturo Borrero2013-12-261-1/+3
| | | | | | | | | | | | | | | | | | | | This patch adds userspace support for the meta expression in the set flavour. This expression indicates that the packet has to be set with a property, currently one of mark, priority or nftrace. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | table: Add support for NFTA_TABLE_USE attributeTomasz Bursztyka2013-12-171-0/+1
| | | | | | | | | | | | | | | | This adds support for table's attribute "use" which let us know about how many chains are in the table, if any. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | expr: add support for nfnetlink queueEric Leblond2013-12-041-0/+20
|/ | | | | | | This patch adds a support of the queue target. Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: expr-target: fix deprecation warningArturo Borrero2013-11-302-1/+20
| | | | | | | | | This fixes the following warning: In file included from nft-expr_target-test.c:19:0: /usr/include/linux/netfilter_ipv4/ipt_LOG.h:4:2: warning: #warning "Please update iptables, this file will be removed soon!" [-Wcpp] Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>