Commit message (Author, Age, Files, Lines)
...
* parser: close scope when encountering an error in a table or chain block (Patrick McHardy, 2014-02-04, 1 file, -2/+4)
  Close the scopes when destroying a table_block/chain_block. Also add assertions to open_scope()/close_scope() to catch memory corruption early.
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* erec: skip includes with INDESC_INTERNAL (Patrick McHardy, 2014-02-04, 1 file, -1/+3)
  Don't display "In file included from internal:0:0-0:" for errors occurring in a parsed file.
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* scanner: update last_line in struct location (Patrick McHardy, 2014-02-04, 1 file, -0/+1)
  Currently always has the value 0.
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* scanner: don't update location's line_offset for newlines (Patrick McHardy, 2014-02-04, 1 file, -1/+0)
  When reset_pos() is invoked, YY_USER_ACTION() has already advanced the line offset to the next line. This causes errors for unexpected newlines to incorrectly show the following line when reading from files.
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* evaluate: determine implicit relational op before RHS constant checks (Patrick McHardy, 2014-02-04, 1 file, -11/+11)
  The symbol for the relational op is shown in the error message. Since OP_IMPLICIT doesn't have a symbol, (null) is shown. Fix by determining the implicit op before checking for constants.
    Error: Right hand side of relational expression ((null)) must be constant
  =>
    Error: Right hand side of relational expression (==) must be constant
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* Merge branch 'master' into next-3.14 (Pablo Neira Ayuso, 2014-02-03, 2 files, -2/+12)
* mnl: fix inclusion of last rule in batch page (Pablo Neira Ayuso, 2014-01-30, 1 file, -0/+10)
  This patch fixes the inclusion of the last rule that didn't fit into a batch page. When using sets this has manifested with the -EBUSY error when deleting the table (it was still containing unused sets after the flush).
  The following command line works fine here:
    nft -f test ; nft flush table filter ; nft delete chain filter output; nft delete table filter
  Tested using this kernel patch: http://patchwork.ozlabs.org/patch/314143/
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bump release number to 0.100 (Pablo Neira Ayuso, 2014-01-20, 1 file, -1/+1)
  Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>
* build: use libnftnl instead of libnftables in configure.in (Pablo Neira Ayuso, 2014-01-20, 1 file, -1/+1)
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Revert "set: add abstract set descriptions" (Patrick McHardy, 2014-01-23, 3 files, -113/+1)
  This reverts commit 2f61f093c3149465f2a68764b25c817adbe87fcd.
  Crap, accidentally committed this.
* ruleset: add XML/JSON export (Arturo Borrero Gonzalez, 2014-01-23, 9 files, -3/+137)
  This patch adds the following operation:
    :~# nft export <xml|json>
  The XML/JSON output is provided raw by libnftnl, thus without format.
  In case of XML, you can give format with the `xmllint' tool from libxml2-tools:
    :~# nft list ruleset xml | xmllint --format -
  In case of JSON, you can use `json_pp' from the perl standard package:
    :~# nft list ruleset json | json_pp
  A format field is added in struct cmd, and it will be reused in the import operation.
  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* set: add abstract set descriptions (Patrick McHardy, 2014-01-22, 3 files, -1/+113)
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* cmd: add create command for tables and chains (Patrick McHardy, 2014-01-21, 8 files, -25/+62)
  We currently always use NLM_F_EXCL for add, which makes adding existing chains or tables fail. There's usually no reason why you would care about this, so change "add" to not use NLM_F_EXCL and add a new "create" command in case you do care.
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* Merge remote-tracking branch 'origin/master' into next-3.14 (Patrick McHardy, 2014-01-20, 6 files, -35/+137)
* nftables: version 0.099 (tag v0.099; Patrick McHardy, 2014-01-20, 1 file, -2/+2)
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* use new libnftnl library name (Pablo Neira Ayuso, 2014-01-20, 5 files, -16/+16)
  Adapt the current code to use the new library name libnftnl.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mnl: fix chain type autoloading (Pablo Neira Ayuso, 2014-01-17, 1 file, -1/+1)
  Add missing NLM_F_CREATE flag when creating new chains to trigger module autoloading in the kernel.
  Reported-by: Ana Rey Botello <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: add time type parser and adapt output (Pablo Neira Ayuso, 2014-01-17, 1 file, -16/+118)
  This patch allows you to specify a string to indicate the time, eg.
    nft add rule filter output ct expiration \"1d2h3m4s\" counter
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
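As an added example (mine, not the commit's code nor anything from src/datatype.c), a small Python parser and formatter for the d/h/m/s time-string format the commit introduces. It assumes the grammar is a run of integer-plus-unit groups in descending unit order with each unit at most once; that assumption is taken from the single example above, not from the nftables source. The value of doing the check strictly is that a typo in a timeout string fails loudly instead of silently parsing as a shorter or longer time.

```python
import re

# Assumption (mine, not from the nftables source): the time string is a run of
# <integer><unit> groups, units among d/h/m/s in descending order, each at most once.
_UNITS = (("d", 86400), ("h", 3600), ("m", 60), ("s", 1))
_SECONDS = dict(_UNITS)
_RANK = {unit: i for i, (unit, _) in enumerate(_UNITS)}
_TOKEN = re.compile(r"(\d+)([dhms])")


def parse_time(text: str) -> int:
    """Parse a duration such as "1d2h3m4s" into a number of seconds.

    Rejects an empty string, trailing garbage, a repeated unit and units out
    of order, so a malformed timeout can never silently parse as a shorter one.
    """
    if not text:
        raise ValueError("empty time string")
    pos, total, last_rank = 0, 0, -1
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"unexpected input at offset {pos}: {text[pos:]!r}")
        value, unit = int(m.group(1)), m.group(2)
        if _RANK[unit] <= last_rank:
            raise ValueError(f"unit {unit!r} repeated or out of order in {text!r}")
        last_rank = _RANK[unit]
        total += value * _SECONDS[unit]
        pos = m.end()
    return total


def format_time(seconds: int) -> str:
    """Inverse of parse_time: 93784 -> "1d2h3m4s"; zero-valued units are omitted."""
    if seconds < 0:
        raise ValueError("negative duration")
    if seconds == 0:
        return "0s"
    parts = []
    for unit, size in _UNITS:
        count, seconds = divmod(seconds, size)
        if count:
            parts.append(f"{count}{unit}")
    return "".join(parts)


if __name__ == "__main__":
    for s in ("1d2h3m4s", "2h", "90m", "1h0s"):
        secs = parse_time(s)
        print(f"{s:>9} = {secs:6d}s -> {format_time(secs)}")
```

Note that the round trip is canonicalising rather than identity-preserving: "90m" parses to 5400 and formats back as "1h30m", which is the kind of normalisation a listing tool does when it prints a value the user typed differently.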
* Merge remote-tracking branch 'origin/master' into next-3.14 (Patrick McHardy, 2014-01-16, 15 files, -44/+108)
  Signed-off-by: Patrick McHardy <kaber@trash.net>
  Conflicts:
    include/nftables.h
    src/main.c
* set: make set initializer parsable (Patrick McHardy, 2014-01-16, 4 files, -2/+27)
  If a set contains elements, the output is not parsable since the elements = { ... } is not understood by the parser. Fix this and also add support for creating constant sets (which only makes sense when using an initializer).
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* set: make set flags output parsable (Patrick McHardy, 2014-01-16, 3 files, -6/+35)
  This patch fixes two problems:
  - the output of "nft list table ..." is not parsable if sets are included because the parser can't parse the flags.
  - set flags can't be specified during set creation.
  To fix this, the set output is changed to:
  - not print each flag on a single line
  - prefix the flags with "flags "
  - only show the interval flag since all others are for internal use only
  The parser is changed to parse the flags specified in a set declaration. This allows parsing empty sets. The following patch will take care of parsing sets that are already populated.
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: use ':' instead of '=>' in dictionaries (Pablo Neira Ayuso, 2014-01-16, 10 files, -32/+30)
  Replace => by : to make it easier for most shell users, as > implies a redirection, let's avoid possible confusion that may result if you forget to escape it.
  This works fine if you don't forget to add space between the key and the value. If you forget to add the space, depending on the case, the scanner may recognize it correctly or process it as a string.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add new --debug=mnl option to enable libmnl debugging (Pablo Neira Ayuso, 2014-01-16, 3 files, -3/+8)
  This allows you to dump the netlink message that is sent via libmnl.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: fix recursive parser.h inclusion (Patrick McHardy, 2014-01-16, 1 file, -1/+8)
  Occasionally when regenerating the scanner or parser (not sure which), recursive inclusion of the parser.h file occurs. The reason is that bison doesn't generate a header sandwich to protect against this (*sigh*). Change the makefile to do this manually.
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* parser: use symbolic expressions for parsing keywords as protocol values (Patrick McHardy, 2014-01-16, 1 file, -16/+12)
  For "meta protocol" and the "meta nfproto" expressions, we need to be able to parse "ip", "ip6", "vlan" and "arp" as protocol values. Since the interpretation depends on the LHS of the relational expression, we need to use symbolic expressions instead of constants to defer parsing to the evaluation phase.
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* Merge remote-tracking branch 'origin/master' into next-3.14 (Patrick McHardy, 2014-01-16, 7 files, -12/+79)
  Signed-off-by: Patrick McHardy <kaber@trash.net>
  Conflicts:
    src/payload.c
* segtree: fix decomposition of unclosed intervals (Patrick McHardy, 2014-01-16, 1 file, -9/+30)
  If intervals are directly adjacent or extend to the right end of the dimension, they are not closed by an EXPR_F_INTERVAL_END entry. This leads to multiple errors when decomposing the intervals:
  - the last unclosed interval is not shown at all.
  - if a range is unclosed and the set is a map, the starting point of the next interval is set to the data, not the key, leading to nonsensical output.
  - if a prefix is unclosed, the interval is assumed to be a prefix as well and the same starting point is kept. This makes sense for cases like 192.168.0.0/24, 192.168.0.0/16, but leads to hard to understand results if the next interval is not representable as a prefix.
  Fix this by doing two things:
  - add an EXPR_F_INTERVAL_END element for each unclosed interval during preprocessing.
  - process the final unclosed interval extending to the right end of the dimension, if present.
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* segtree: only use prefix expressions for ranges for selected datatypes (Patrick McHardy, 2014-01-16, 4 files, -1/+14)
  It is uncommon to represent f.i. port number ranges as prefix expressions. Introduce a datatype DTYPE_F_PREFIX flag to indicate that the preferred representation of a range is a prefix and use it for segtree decomposition to decide whether to use a range or prefix expression.
  The ipaddr, ip6addr, mark and realm datatypes are changed to include the DTYPE_F_PREFIX flag.
  This fixes completely unreadable output in cases where the ranges are representable as prefixes, f.i. in the case of port numbers:
    { 0/6 => jump chain1, 0/5 => jump chain2, 0/4 => continue}
  becomes:
    { 0-1023 => jump chain1, 1024-2047 => jump chain2, 2048-4095 => continue}
  Signed-off-by: Patrick McHardy <kaber@trash.net>
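As an added example covering the two segtree commits above (my Python model, not code from src/segtree.c): a set is represented as a sorted list of elements, where an element carrying the end flag plays the role of EXPR_F_INTERVAL_END. Adjacent intervals and a final interval that runs to the end of the dimension have no end marker, which is exactly the unclosed case the first commit fixes; the decomposition below closes them from the next element's key or from the dimension's maximum. The second commit's DTYPE_F_PREFIX rule is modelled by a prefer_prefix flag: a range is printed as a prefix only when the type prefers prefixes and the range is an aligned power-of-two block. The class and function names and the ':' map separator are mine.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Element:
    """One set element. Names are mine; this is a model, not nftables' struct expr."""
    key: int
    data: Optional[str] = None   # mapping/verdict for maps, None for plain sets
    is_end: bool = False         # models EXPR_F_INTERVAL_END: closes the open interval


def decompose(elements: List[Element], bits: int) -> List[Tuple[int, int, Optional[str]]]:
    """Turn interval elements into closed ranges (lo, hi, data).

    Every non-end element opens an interval. It is closed by whatever comes
    next: an explicit end marker, the start of a directly adjacent interval, or
    the right end of the dimension (2**bits - 1). The last two are the
    "unclosed" intervals the commit message describes.
    """
    maxval = (1 << bits) - 1
    # An end marker sorts before a start at the same key, so [a, k-1] then [k, ...] works.
    elems = sorted(elements, key=lambda e: (e.key, not e.is_end))
    ranges = []
    for i, e in enumerate(elems):
        if e.is_end:
            continue
        hi = elems[i + 1].key - 1 if i + 1 < len(elems) else maxval
        if hi < e.key:
            raise ValueError(f"empty or overlapping interval at key {e.key}")
        ranges.append((e.key, hi, e.data))
    return ranges


def range_to_prefix(lo: int, hi: int, bits: int) -> Optional[Tuple[int, int]]:
    """(lo, prefix_len) if [lo, hi] is one aligned power-of-two block, else None."""
    size = hi - lo + 1
    if size <= 0 or size & (size - 1) or lo % size:
        return None
    return lo, bits - (size.bit_length() - 1)


def render(elements: List[Element], bits: int, prefer_prefix: bool) -> List[str]:
    """Format each interval as a listing would: single value, prefix (only for a
    prefix-preferring type, i.e. DTYPE_F_PREFIX) or lo-hi range, plus map data."""
    out = []
    for lo, hi, data in decompose(elements, bits):
        if lo == hi:
            key = str(lo)
        else:
            pfx = range_to_prefix(lo, hi, bits) if prefer_prefix else None
            key = f"{pfx[0]}/{pfx[1]}" if pfx else f"{lo}-{hi}"
        out.append(key if data is None else f"{key} : {data}")
    return out


if __name__ == "__main__":
    # Constructed sample: the port verdict map from the commit message, as three
    # adjacent intervals without end markers, closed once after 4095.
    ports = [Element(0, "jump chain1"), Element(1024, "jump chain2"),
             Element(2048, "continue"), Element(4096, is_end=True)]
    print(render(ports, 16, prefer_prefix=False))   # port-like type: ranges
    print(render(ports, 16, prefer_prefix=True))    # address-like type: prefixes
    # Constructed sample: an 8-bit set whose last interval runs to the end of the dimension.
    tail = [Element(10), Element(20, is_end=True), Element(192)]
    print(render(tail, 8, prefer_prefix=True))
```

Running it with prefer_prefix=True on the port map shows why the second commit matters: the same three intervals print as 0/6, 1024/6 and 2048/5, which is correct but unreadable for ports, while the range form gives the 0-1023 / 1024-2047 / 2048-4095 output the commit message shows.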
* parser: fix compilation breakage (Patrick McHardy, 2014-01-16, 1 file, -1/+1)
  Commit 0bd59cf4da (parser: fix parsing of ethernet protocol types) broke compilation:
    src/parser.y:26:22: fatal error: if_ether.h: No such file or directory
  Should be netinet/if_ether.h.
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* expression: fix output of verdict maps (Pablo Neira, 2014-01-16, 1 file, -1/+5)
    % nft list table filter
    table ip filter {
      ...
      chain output {
        ...
        ip saddr map { 1.1.1.1 => accept}
      }
    }
  It displays 'map' instead of 'vmap'. Fix it by checking the mapping type in map_expr_print().
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* payload: fix inconsistency in ethertype output (Pablo Neira Ayuso, 2014-01-16, 1 file, -1/+1)
  Use ip6 instead of ipv6.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* payload: fix crash when wrong ethernet protocol type is used (Pablo Neira Ayuso, 2014-01-16, 1 file, -0/+1)
    nft add rule ip filter output meta protocol xyz counter
                                                ^^^
  This fix is similar to 4097ad7 ("meta: fix crash when parsing unresolvable mark values").
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: fix parsing of ethernet protocol types (Pablo Neira Ayuso, 2014-01-16, 1 file, -0/+29)
  This allows us to use the protocol type keyword, eg.
    nft add rule ip filter output meta protocol ip6 counter
                                                ^^^
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge remote-tracking branch 'origin/master' into next-3.14 (Patrick McHardy, 2014-01-15, 5 files, -18/+48)
  Signed-off-by: Patrick McHardy <kaber@trash.net>
  Conflicts:
    include/nftables.h
    src/main.c
* expr: relational: don't suppress '==' for LHS binops in output (Patrick McHardy, 2014-01-15, 1 file, -2/+4)
  This patch changes the output of relational expressions to not suppress the '==' when the LHS is a binop, f.i.
    ... meta mark & 0x00000003 0x00000001
  becomes
    ... meta mark & 0x00000003 == 0x00000001
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink: use stdout for debugging (Pablo Neira Ayuso, 2014-01-15, 1 file, -5/+5)
  Suggested-by: Patrick McHardy <kaber@trash.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: add new segtree debugging option (Pablo Neira Ayuso, 2014-01-15, 3 files, -11/+39)
  Currently, nft displays the debugging information if it's compiled with --enable-debug (which seems a good idea) and when intervals are used in maps. Add a new option to enable debugging to segtree, so we only get this information when explicitly requested.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'master' into next-3.14 (Patrick McHardy, 2014-01-15, 1 file, -1/+1)
  Signed-off-by: Patrick McHardy <kaber@trash.net>
  Conflicts:
    src/payload.c
* payload: fix name of eth_proto (Patrick McHardy, 2014-01-15, 1 file, -1/+1)
  It's "ether" now since we've changed the keyword.
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* Merge branch 'master' into next-3.14 (Patrick McHardy, 2014-01-15, 2 files, -28/+40)
  Signed-off-by: Patrick McHardy <kaber@trash.net>
  Conflicts:
    src/meta.c
    src/parser.y
* meta: fix mismerge (Patrick McHardy, 2014-01-15, 1 file, -2/+0)
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* meta: don't require "meta" keyword for a subset of meta expressions (Patrick McHardy, 2014-01-15, 2 files, -4/+29)
  Don't require the meta keyword for mark, iif, oif, iifname, oifname, skuid, skgid, nftrace, rtclassid and secmark. The protocol and length types still need the meta keyword to avoid grammar conflicts.
  Signed-off-by: Patrick McHardy <kaber@trash.net>
  Conflicts:
    src/parser.y
* expr: remove secmark from ct and meta expression (Patrick McHardy, 2014-01-15, 4 files, -9/+0)
  The secctx should be used instead of the secmark. Remove for now.
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* scanner: add aliases to symbols for easier interaction with most shells (Pablo Neira Ayuso, 2014-01-15, 1 file, -0/+12)
  These symbols need to be escaped in bash and if you use them without escaping them, it can lead to confusion. This patch adds nominal aliases, eg.
    nft add rule filter output meta mark and 0x3 eq 0x1
  as an alternative to:
    nft add rule filter output meta mark \& 0x3 == 0x1
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: scanner: fixed problem with ipv6 address (Ana Rey, 2014-01-15, 1 file, -25/+25)
  There is a problem with the following ipv6 address combination:
    nft add rule ip6 t_ip61 filter-input ip6 saddr ::1234:1234:1234:1234:1234:1234:1234
    1234::1234:1234:1234:1234:1234:1234
    1234:1234::1234:1234:1234:1234:1234
    1234:1234:1234::1234:1234:1234:1234
    1234:1234:1234:1234::1234:1234:1234
    1234:1234:1234:1234:1234::1234:1234
    ::1234:1234:1234:1234:1234:1234
    1234::1234:1234:1234:1234:1234
    1234:1234::1234:1234:1234:1234
    1234:1234:1234::1234:1234:1234
    1234:1234:1234:1234::1234:1234
    ::1234:1234:1234:1234:1234
    1234::1234:1234:1234:1234
    1234:1234::1234:1234:1234
    1234:1234:1234::1234:1234
    ::1234:1234:1234:1234
    1234::1234:1234:1234
    1234:1234::1234:1234
    ::1234:1234:1234
    1234::1234:1234
  The problem was in the scanner (src/scanner.l). Several brackets were missed and the result was an incorrect interpretation.
  Fix it by adding some brackets in a regular expression in src/scanner.l
  Signed-off-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
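As an added example, not the expression from src/scanner.l: a Python regular expression for IPv6 literals with "::" compression, cross-checked against the standard library's ipaddress parser on every address the commit lists plus a few constructed malformed tokens. The pattern, the negative cases and the helper names are mine. The bug described above (a missing pair of grouping brackets changing what a quantifier applies to) is exactly the class of mistake a differential check like this catches before the scanner misreads a rule.

```python
import ipaddress
import re

# Constructed from the commit message: the compressed forms the fix covers.
ADDRESSES_FROM_COMMIT = [
    "::1234:1234:1234:1234:1234:1234:1234",
    "1234::1234:1234:1234:1234:1234:1234",
    "1234:1234::1234:1234:1234:1234:1234",
    "1234:1234:1234::1234:1234:1234:1234",
    "1234:1234:1234:1234::1234:1234:1234",
    "1234:1234:1234:1234:1234::1234:1234",
    "::1234:1234:1234:1234:1234:1234",
    "1234::1234:1234:1234:1234:1234",
    "1234:1234::1234:1234:1234:1234",
    "1234:1234:1234::1234:1234:1234",
    "1234:1234:1234:1234::1234:1234",
    "::1234:1234:1234:1234:1234",
    "1234::1234:1234:1234:1234",
    "1234:1234::1234:1234:1234",
    "1234:1234:1234::1234:1234",
    "::1234:1234:1234:1234",
    "1234::1234:1234:1234",
    "1234:1234::1234:1234",
    "::1234:1234:1234",
    "1234::1234:1234",
]
# Constructed negatives: shapes a too-loose scanner pattern tends to accept.
NOT_ADDRESSES = ["1234:1234", "1:2:3:4:5:6:7:8:9", ":::1", "1::2::3", "12345::1", "1234:"]

H = r"[0-9a-fA-F]{1,4}"
# One alternative per number of groups left of the "::"; my pattern, not scanner.l's.
IPV6_RE = re.compile(
    rf"(?:{H}:){{7}}{H}"                    # 1:2:3:4:5:6:7:8
    rf"|(?:{H}:){{1,7}}:"                   # 1::  ...  1:2:3:4:5:6:7::
    rf"|(?:{H}:){{1,6}}:{H}"                # 1::8 ...  1:2:3:4:5:6::8
    rf"|(?:{H}:){{1,5}}(?::{H}){{1,2}}"     # 1::7:8
    rf"|(?:{H}:){{1,4}}(?::{H}){{1,3}}"     # 1::6:7:8
    rf"|(?:{H}:){{1,3}}(?::{H}){{1,4}}"     # 1::5:6:7:8
    rf"|(?:{H}:){{1,2}}(?::{H}){{1,5}}"     # 1::4:5:6:7:8
    rf"|{H}:(?::{H}){{1,6}}"                # 1::3:4:5:6:7:8
    rf"|:(?:(?::{H}){{1,7}}|:)"             # ::2:3:4:5:6:7:8  and  ::
)


def scanner_accepts(token: str) -> bool:
    """Would a flex rule built from IPV6_RE take the whole token as an address?"""
    return IPV6_RE.fullmatch(token) is not None


def library_accepts(token: str) -> bool:
    """Reference oracle: the standard library's IPv6 parser."""
    try:
        ipaddress.IPv6Address(token)
        return True
    except ValueError:
        return False


def disagreements(tokens) -> list:
    """Tokens where the regex and the oracle disagree; an empty list means the
    pattern agrees with the oracle on this corpus."""
    return [t for t in tokens if scanner_accepts(t) != library_accepts(t)]


if __name__ == "__main__":
    bad = disagreements(ADDRESSES_FROM_COMMIT + NOT_ADDRESSES)
    print("disagreements:", bad or "none")
```

The oracle is deliberately the stricter side: ipaddress also accepts IPv4-embedded forms such as ::ffff:1.2.3.4, which this pattern does not cover, so add such tokens to the corpus only once the scanner is meant to take them.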
* scanner: rename address selector from 'eth' to 'ether' (Pablo Neira Ayuso, 2014-01-14, 2 files, -3/+3)
  eth may easily occur when using ifname masks. This could be also fixed by interpreting 'eth' as a simple string in the parser but I think this selector also looks more similar to what we use in tcpdump.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: don't require "meta" keyword for a subset of meta expressions (Patrick McHardy, 2014-01-15, 2 files, -4/+29)
  Don't require the meta keyword for mark, iif, oif, iifname, oifname, skuid, skgid, nftrace, rtclassid and secmark. The protocol and length types still need the meta keyword to avoid grammar conflicts.
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* expr: remove secmark from ct and meta expression (Patrick McHardy, 2014-01-15, 4 files, -9/+0)
  The secctx should be used instead of the secmark. Remove for now.
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* Merge remote-tracking branch 'origin/master' into next-3.14 (Patrick McHardy, 2014-01-14, 2 files, -1/+3)
* Revert "parser: replace "vmap" keyword by "map"" (Patrick McHardy, 2014-01-14, 2 files, -1/+3)
  This reverts commit 5e8f8a1807917f92e568437598670b0026462c1c.
  I missed that this introduces shift-reduce conflicts. Revert for now.