summaryrefslogtreecommitdiffstats
path: root/include/linux
Commit message (Collapse)AuthorAgeFilesLines
* expr: osf: add ttl option supportFernando Fernandez Mancera2018-10-151-1/+3
| | | | | Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for new secmark objectChristian Göttsche2018-10-091-1/+17
| | | | | | | The new object will hold security context strings. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add xfrm supportFlorian Westphal2018-09-211-0/+29
| | | | | | | Joint work with Máté Eckl. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: rt: ipsec match supportFlorian Westphal2018-09-211-0/+2
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add ct timeout supportHarsha Sharma2018-08-131-1/+13
| | | | | | | | Add support for ct timeout objects, used to assign connection tracking timeout policies. Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add support for matching tunnel metadataPablo Neira Ayuso2018-08-061-0/+15
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* obj: add tunnel supportPablo Neira Ayuso2018-08-061-1/+68
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add osf supportFernando Fernandez Mancera2018-07-301-0/+12
| | | | | Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: Add tproxy supportMáté Eckl2018-07-301-0/+16
| | | | | Signed-off-by: Máté Eckl <ecklm94@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* socket: Expose socket mark via socket expressionMáté Eckl2018-07-301-1/+3
| | | | | Signed-off-by: Máté Eckl <ecklm94@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: extend fwd to support address and protocolPablo Neira Ayuso2018-06-061-0/+4
| | | | | | To support forwarding through neighbour layer from ingress. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add connlimit supportPablo Neira Ayuso2018-06-061-1/+20
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Add support for native socket matchingMáté Eckl2018-06-011-0/+25
| | | | | Signed-off-by: Máté Eckl <ecklm94@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: updated nf_tables.hMáté Eckl2018-05-291-7/+17
| | | | | | | Joint work with Pablo. Signed-off-by: Máté Eckl <ecklm94@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add map lookups for hash statementsLaura Garcia Liebana2018-05-231-0/+4
| | | | | | | | | | | This patch introduces two new attributes for hash expression to allow map lookups where the hash is the key. The new attributes are NFTNL_EXPR_HASH_SET_NAME and NFTNL_EXPR_HASH_SET_ID in order to identify the given map. Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add map lookups for numgen statementsLaura Garcia Liebana2018-05-081-0/+4
| | | | | | | | | | | This patch introduces two new attributes for numgen to allow map lookups where the number generator will be the key. Two new attributes needs to be included: NFTNL_EXPR_NG_SET_NAME and NFTNL_EXPR_NG_SET_ID in order to identify the given map. Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for NFT_CT_{SRC,DST}_{IP,IP6}Pablo Neira Ayuso2018-03-111-2/+10
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: parse new handle attribute for objectsHarsha Sharma2018-03-051-0/+2
| | | | | | | | This patch add code to allocate object handles and delete objects via object handles. Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: parse new handle attribute for setsHarsha Sharma2018-03-051-0/+2
| | | | | | | This patch adds code to allocate set handles and delete sets via set handle. Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
* src: parse new handle attribute for tablesHarsha Sharma2018-03-051-0/+2
| | | | | | | This patch adds code to parse new handle attribute for tables. Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* flowtable: support for flagsPablo Neira Ayuso2018-03-051-0/+2
| | | | | | This new attribute allows you to specify the flowtable flags. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* flowtable: allow to specify sizePablo Neira Ayuso2018-03-051-0/+5
| | | | | | This new attribute allows you to specify the flowtable size. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add flow offload expressionPablo Neira Ayuso2018-03-051-0/+11
| | | | | | | This patch adds the new "flow_offload" expression to select what flows are offloaded to an existing flowtable. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add flowtable supportPablo Neira Ayuso2018-03-051-0/+53
| | | | | | | This patch allows you to add, delete and list flowtable through the existing netlink interface. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: secpath supportFlorian Westphal2018-01-161-0/+2
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* src: limit stateful object supportPablo M. Bermudo Garay2017-09-041-1/+2
| | | | | | | This patch adds support for a new type of stateful object: limit. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rt: tcpmss get supportFlorian Westphal2017-08-211-0/+1
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: tcp option set supportFlorian Westphal2017-08-211-1/+3
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: ct eventmask supportFlorian Westphal2017-03-161-0/+2
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: ct helper supportFlorian Westphal2017-03-161-1/+11
| | | | | | | | add support for ct helper objects, these are used to assign helpers to connections, similar to iptables -j CT --set-helper target. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* fib: Add support for NFTA_FIB_F_PRESENT flagPhil Sutter2017-03-131-0/+1
| | | | | | | Reflect existence of flag in debug output so testsuite can check for it. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: hash: support of symmetric hashLaura Garcia Liebana2017-03-061-0/+13
| | | | | | | | | | | | | | | | | | | | | This patch provides symmetric hash support according to source ip address and port, and destination ip address and port. The new attribute NFTA_HASH_TYPE has been included to support different types of hashing functions. Currently supported NFT_HASH_JENKINS through jhash and NFT_HASH_SYM through symhash. The main difference between both types are: - jhash requires an expression with sreg, symhash doesn't. - symhash supports modulus and offset, but not seed. Examples: nft add rule ip nat prerouting ct mark set jhash ip saddr mod 2 nft add rule ip nat prerouting ct mark set symhash mod 2 Signed-off-by: Laura Garcia Liebana <laura.garcia@zevenet.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: refresh nf_tables.h copyPablo Neira Ayuso2017-02-151-15/+25
| | | | | | Fetch what we have in the kernel tree. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add TCP option matching requirementsManuel Messner2017-02-121-1/+16
| | | | | | | This patch is a requirement of the TCP option patch. Signed-off-by: Manuel Messner <mm@skelett.io> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: ct: add average bytes per packet counter supportLiping Zhang2017-01-031-0/+5
| | | | | | | Similar to ct packets/bytes ... Signed-off-by: Liping Zhang <zlpnobody@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: Missing nf_log.h in Makefilelibnftnl-1.0.7Pablo Neira Ayuso2016-12-191-1/+1
| | | | | | Otherwise, make distcheck breaks. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: fetch stateful object updates for nf_tables.h cache copyPablo Neira Ayuso2016-12-091-0/+64
| | | | | | This patch includes updates for the stateful objects. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: payload: add NFTNL_EXPR_PAYLOAD_FLAGSPablo Neira Ayuso2016-12-041-0/+6
| | | | | | So we can include the new NFT_PAYLOAD_L4CSUM_PSEUDOHDR flag. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: refresh nf_tables.h cache copyPablo Neira Ayuso2016-11-241-4/+10
| | | | | | Fetch what we have at 4.9-rc6. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add fib expressionFlorian Westphal2016-10-281-0/+36
| | | | | | | | | Allows to query fib for output interface and route type of a packets source or destination address. Scheduled for Linux 4.10. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: introduce rt expressionAnders K. Pedersen2016-10-281-0/+27
| | | | | | | | Introduce support for rt expression for routing related data as implemented in kernel. Signed-off-by: Anders K. Pedersen <akp@cohaesio.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add range expressionPablo Neira Ayuso2016-10-131-0/+29
| | | | | | | | Add range expression available that is scheduled for linux kernel 4.9. This range expression allows us to check if a given value placed in a register is within/outside a specified interval. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: log: complete log flags supportLiping Zhang2016-10-041-0/+12
| | | | | | | | | If NFTNL_EXPR_LOG_FLAGS is not set, it's unnecessary to print out the flags value. Furthermore, it's better to print out string message instead of the hex value. Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: queue: add NFTA_QUEUE_SREG_QNUM attr supportLiping Zhang2016-09-221-0/+2
| | | | | | | | | | After adding _SREG_QNUM attr, queuenum is not must option anymore, so we must test NFTNL_EXPR_QUEUE_NUM first before dumpping queue num in snprintf_default. Also add a tailing space in snprintf_default, this is consistent with other expressions. Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: numgen: add number generation offsetLaura Garcia Liebana2016-09-221-0/+2
| | | | | | | | | | | | | | | | Add support to pass through an offset value to the counter initialization. With this feature, the sysadmin is able to apply a value to be added to the generated number. Example: meta mark set numgen inc mod 2 offset 100 This will generate marks with series 100, 101, 100, 101, ... Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: hash: Add offset to hash valueLaura Garcia Liebana2016-09-121-0/+2
| | | | | | | | | | | | | | | | Add support to pass through an offset to the hash value. With this feature, the sysadmin is able to generate a hash with a given started value. Example: meta mark set jhash ip saddr mod 2 seed 0xabcd offset 100 This option generates marks according to the source address from 100 to 101. Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: numgen: Rename until attribute by modulusLaura Garcia Liebana2016-09-071-2/+2
| | | | | | | | | | | The _modulus_ attribute will be reused as _until_, as it's similar to other expressions with value limits (ex. hash). Renaming is possible according to the kernel module ntf_numgen that has not been released yet. Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: resync nf_tables.h cache copyPablo Neira Ayuso2016-09-021-44/+40
| | | | | | | | | | Sync this with the kernel header file we currently have in tree. This patch addresses the compilation warning and breakage as result of this header update, specifically the "attibute" typo in trace and missing default case in expr/numgen.c. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add number generation expressionLaura Garcia Liebana2016-08-221-0/+27
| | | | | | | Support for the nft ng expression within libnftnl. Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add quota expressionPablo Neira Ayuso2016-08-221-0/+19
| | | | | | This patch adds support for the new quota expression. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>