summaryrefslogtreecommitdiffstats
path: root/include
Commit message (Collapse)AuthorAgeFilesLines
* expr: hash: Add offset to hash valueLaura Garcia Liebana2016-09-122-0/+3
| | | | | | | | | | | | | | | | Add support to pass through an offset to the hash value. With this feature, the sysadmin is able to generate a hash with a given started value. Example: meta mark set jhash ip saddr mod 2 seed 0xabcd offset 100 This option generates marks according to the source address from 100 to 101. Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: numgen: Rename until attribute by modulusLaura Garcia Liebana2016-09-073-4/+3
| | | | | | | | | | | The _modulus_ attribute will be reused as _until_, as it's similar to other expressions with value limits (ex. hash). Renaming is possible according to the kernel module ntf_numgen that has not been released yet. Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: resync nf_tables.h cache copyPablo Neira Ayuso2016-09-021-44/+40
| | | | | | | | | | Sync this with the kernel header file we currently have in tree. This patch addresses the compilation warning and breakage as result of this header update, specifically the "attibute" typo in trace and missing default case in expr/numgen.c. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add number generation expressionLaura Garcia Liebana2016-08-223-0/+34
| | | | | | | Support for the nft ng expression within libnftnl. Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add quota expressionPablo Neira Ayuso2016-08-222-0/+24
| | | | | | This patch adds support for the new quota expression. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Implement rule comparisonCarlos Falgueras García2016-08-174-0/+8
| | | | | | | | | | | | | | | | | | | | This patch implements the function: bool nftnl_rule_cmp(const struct nftnl_rule *r1, const struct nftnl_rule *r2) for rule comparison. Expressions within rules need to be compared, so also has been created the function: bool nftnl_expr_cmp(const struct nftnl_expr *e1, const struct nftnl_expr *e2); Also includes all expression comparators. Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add hash expressionLaura Garcia Liebana2016-08-173-0/+31
| | | | | | | Support for the nft hash expression in libnftnl. Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: Don't return directly from SNPRINTF_BUFFER_SIZEPhil Sutter2016-08-121-1/+1
| | | | | | | | | | | | | Apart from being a bad idea in general, the return statement contained in that macro in some cases leads to returning from functions without properly cleaning up, thereby causing memory leaks. Instead, just sanitize the value in 'ret' to not harm further calls of snprintf() (as 'len' will eventually just become zero). Cc: Arturo Borrero <arturo.borrero.glez@gmail.com> Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Constify iteratorsCarlos Falgueras García2016-08-104-16/+16
| | | | | | | | Iterators do not modify objects which they iterate, so input pointer must be const. Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: Add new attribute into 'set' to store user dataCarlos Falgueras García2016-07-012-0/+5
| | | | | | | | The new structure 'user' holds a pointer to user data and its length. The kernel must have the flag NFTA_SET_USERDATA to support this feature. Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: lookup: give support for inverted matchingArturo Borrero2016-06-242-0/+7
| | | | | | | | Inverted matching support was included in the kernel, let's give support here as well. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: return value on setters that internally allocate memoryPablo Neira Ayuso2016-06-156-20/+20
| | | | | | | | So the client can bail out of memory allocation errors. Or in case of daemon, make sure things are left in consistent state before bailing out. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: assert when setting unknown attributesPablo Neira Ayuso2016-06-151-0/+9
| | | | | | | | | | | | If this attribute is not supported by the library, we should rise an assertion so the client knows something is wrong, instead of silently going through. The only case I can think may hit this problem is version mismatch between library and tools. This should not ever really happen, so better bail out from the library itself in this case. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: refresh nf_tables.h cache copyPablo Neira Ayuso2016-05-201-4/+17
| | | | | | | | | | | | Refresh the cached header file. This includes a small fix to avoid this compilation warning after refreshing the header: trace.c: In function 'nftnl_trace_parse_attr_cb': trace.c:87:2: warning: enumeration value 'NFTA_TRACE_PAD' not handled in switch [-Wswitch] Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: missing constification of _get() functionsPablo Neira Ayuso2016-05-131-8/+8
| | | | | | These functions don't modify the chain object. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftnl: constify object arguments to various functionsPatrick McHardy2016-05-0912-53/+57
| | | | | | | | | flow table support needs constant object arguments to printing functions to avoid ugly casts. While at it, also constify object arguments to message construction, destructor and a few helper functions. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* udata: add TLV user data infrastructureCarlos Falgueras García2016-04-144-0/+94
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | These functions allow to create a buffer (struct nftnl_udata_buf) of user data attributes in TLV format (struct nftnl_udata). It is inspired by libmnl/src/attr.c. It can be used to store several TLVs sequentially into an object. Example: struct nftnl_udata_buf *buf; struct nftnl_udata *attr; const char *str = "Hello World!"; buf = nftnl_udata_buf_alloc(UDATA_SIZE); if (!buf) { perror("OOM"); exit(EXIT_FAILURE); } if (!nftnl_udata_put_strz(buf, MY_TYPE, str)) { perror("Can't put attribute \"%s\"", str); exit(EXIT_FAILURE); } nftnl_udata_for_each(buf, attr) printf("%s\n", (char *)nftnl_udata_attr_value(attr)); nftnl_udata_buf_free(buf); Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: masq: Add support for port selectionShivani Bhardwaj2016-03-032-1/+5
| | | | | | | Complete masquerading support by allowing port range selection. Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: meta: add prandom supportFlorian Westphal2016-02-021-0/+2
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* expr: add forward expressionPablo Neira Ayuso2016-02-012-0/+16
| | | | | | Add forward expression for the netdev family. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: ct: add packet and byte counter supportFlorian Westphal2016-01-141-0/+2
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: limit: add support for flagsPablo Neira Ayuso2016-01-132-0/+7
| | | | | | | This patch adds the limit flags, the first client of this is the inversion flag that allows us to match overlimit. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add trace infrastructure supportFlorian Westphal2015-11-273-0/+108
| | | | | | | | | parses trace monitor netlink messages from the kernel and builds nftnl_trace struct that contains the dissected information. Provides getters to access these attributes. Signed-off-by: Florian Westphal <fw@strlen.de>
* payload: add payload mangling supportPatrick McHardy2015-11-252-0/+23
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: rename EXPORT_SYMBOL to EXPORT_SYMBOL_ALIASFlorian Westphal2015-11-241-1/+3
| | | | | | | Future symbols don't need backwards-compat aliases. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add dup expression supportPablo Neira Ayuso2015-09-212-0/+19
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: limit: add per-byte limiting supportPablo Neira Ayuso2015-09-212-0/+8
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: limit: add burst attributePablo Neira Ayuso2015-09-213-0/+4
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: get rid of _attr_ infix in new nftnl_ definitionsPablo Neira Ayuso2015-09-076-76/+76
| | | | | | | The function names are already large, trim off the _ATTR_ infix in the attribute definitions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: get rid of _ATTR_ infix in new nfntl_ definitionsPablo Neira Ayuso2015-09-075-62/+62
| | | | | | | The constant names are already large, trim off the _ATTR_ infix in the attribute definitions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename NFTNL_RULE_EXPR_ATTR to NFTNL_EXPR_Pablo Neira Ayuso2015-09-071-25/+25
| | | | | | So we get a shorter constant definition for expression attributes. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename nftnl_rule_expr to nftnl_exprPablo Neira Ayuso2015-09-078-44/+44
| | | | | | | Use a shorter name for this, morever this can be used from sets so the _rule_ is misleading. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add compat header file definitionsPablo Neira Ayuso2015-09-0710-1/+696
| | | | | | | | | | | This patch restores the original nft_* definitions from the header files to avoid sudden compilation breakage of the existing clients of this library. Then, moving forward the idea is to deprecate the old nft_* symbols anytime soon using __attribute__((deprecated)) from the header files to warn our users that they need to update their code. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename existing functions to use the nftnl_ prefixPablo Neira Ayuso2015-09-0719-610/+610
| | | | | | | | | So we can use the nft_* prefix anytime soon for our upcoming higher level library. After this patch, the nft_* symbols become an alias of the nftnl_* symbols. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: introduce nftnl_* aliases for all existing functionsPablo Neira Ayuso2015-09-021-1/+1
| | | | | | | | | | | This patch introduces the nftnl_ symbols as aliases for the existing nft_ symbols through the EXPORT_SYMBOL(...) macro. We would like to use the nft_* prefix from our upcoming higher level library, meanwhile with this move we avoid that old binaries break because of missing symbol dependencies. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: immediate: fix leak in expression destroy pathPablo Neira Ayuso2015-08-181-0/+1
| | | | | | | | The verdict can be a chain string, make sure we release it when the expression is destroyed. This patch adds a new nft_free_data() for this purpose and use it from the immediate expression. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: add netdev family supportPablo Neira Ayuso2015-06-163-3/+3
| | | | | | | | | Add support for the new NFT_CHAIN_ATTR_DEV attribute that indicates that the basechain is attached to a net_device. This partially reworks 1dd9ba1ea23c ("table: add netdev family support"). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* table: add netdev family supportPablo Neira Ayuso2015-05-294-0/+12
| | | | | | This adds support for the new 'netdev' family tables. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add batch abstractionPablo Neira Ayuso2015-04-272-1/+20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds a new batch class to libnftnl, it basically generalizes what we already have. A batch is composed of one or more page objects. Every page may contain one or more netlink messages. batch * .------. .------. .------. | | | | | | | `----> | page |-->| page |-->...-->| page | | | | | | | `------' `------' `------' You can create a batch via: batch = nft_batch_alloc(...); This batch initially comes with one initial page. You can fetch a pointer to the next spare area in the current page to add a new netlink message to the batch. void *nft_batch_buffer(struct nft_batch *batch); Once you have added a netlink message, you have to call: nft_batch_update(batch); this internally updates the pointer to the next spare data area in the page. Every page has a limit threshold after which you start using the overrun area. page .------. | | | | . . page area | | | | |------|<--- limit | | | | overrun area | | '______'<--- real page size If we write over the limit, then the next call to nft_batch_update() results in a new empty page added to the batch. With careful page size and limit selection, we ensure that a netlink message always fit into the page, so we avoid the overhead of canceling the netlink message that doesn't fit in. Once your batch is complete, if you want to send it out to kernel-space, you can convert them to iovec via: nft_batch_iovec(batch, iov, iov_len); Then, after having sent the batch, you can release it via: nft_batch_free(batch); This class relies on the libmnl batching infrastructure. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* dynset: support expression templatesPatrick McHardy2015-04-142-0/+5
| | | | | | | Support expression templates for the dynset expression for dynamic expression instantiation. Signed-off-by: Patrick McHardy <kaber@trash.net>
* set_elem: support expressions attached to set elementsPatrick McHardy2015-04-143-0/+4
| | | | | | | This patch supports attaching a struct nft_rule_expr to a set element and adds netlink attribute encoding and decoding. Signed-off-by: Patrick McHardy <kaber@trash.net>
* expr: seperate expression parsing and building functionsPatrick McHardy2015-04-142-4/+6
| | | | | | | | | | | | The expression build function currently assumes to be only used from rule context and actually builds rule attributes. Fix that and only build the expression. Also it seems to have been exported by accident, undo that. Additionally, move the expression parsing function from rule parsing and also remove any assumptions about being used in rule context. Signed-off-by: Patrick McHardy <kaber@trash.net>
* data: increase maximum possible data sizePatrick McHardy2015-04-142-1/+5
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* headers: resync headers for new register definitionsPatrick McHardy2015-04-141-1/+31
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* expr: add support for the dynset exprPatrick McHardy2015-04-123-0/+39
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* set_elem: add support for userdataPatrick McHardy2015-04-123-0/+7
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* set_elem: add timeout supportPatrick McHardy2015-04-093-0/+10
| | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: add support for set timeoutsPatrick McHardy2015-04-093-0/+12
| | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* list: fix prefetch dummyPatrick McHardy2015-03-261-1/+1
| | | | | | | | | | ../include/linux_list.h:385:59: warning: right-hand operand of comma expression has no effect [-Wunused-value] for (pos = list_entry((head)->next, typeof(*pos), member), \ ^ set.c:266:2: note: in expansion of macro 'list_for_each_entry' list_for_each_entry(elem, &set->element_list, head) { Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: restore static array with expression operationsPablo Neira Ayuso2015-03-232-4/+0
| | | | | | | | | | | | | We cannot use __attribute__((constructor)) to register the supported expressions in runtime when the library is statically linked. This lead us to some explicit libnftnl_init() function that needs to be called from the main() function of the client program. This patch reverts 4dd0772 ("expr: use __attribute__((constructor)) to register expression"). Reported-by: Laurent Bercot <ska-devel@skarnet.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>