| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
| |
This allows to check for existence of an IPv6 extension or TCP
option header by using the following syntax:
| exthdr frag exists
| tcpopt window exists
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This allows to have custom flags in exthdr expression, which is
necessary for upcoming existence checks (of both IPv6 extension headers
as well as TCP options).
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
This will only trigger during development when adding new object types to
the parser.
The BUG() gives a clear hint where the serialization code needs to go.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Use these new type-specific helper functions instead available in
libnftnl.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch provides symmetric hash support according to source
ip address and port, and destination ip address and port.
The new attribute NFTA_HASH_TYPE has been included to support
different types of hashing functions. Currently supported
NFT_HASH_JENKINS through jhash and NFT_HASH_SYM through symhash.
The main difference between both types are:
- jhash requires an expression with sreg, symhash doesn't.
- symhash supports modulus and offset, but not seed.
Examples:
nft add rule ip nat prerouting ct mark set jhash ip saddr mod 2
nft add rule ip nat prerouting ct mark set symhash mod 2
Signed-off-by: Laura Garcia Liebana <laura.garcia@zevenet.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Python script name ends by .py instead of .sh
Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rework syntax, add tokens so we can extend the grammar more easily.
This has triggered several syntax changes with regards to the original
patch, specifically:
tcp option sack0 left 1
There is no space between sack and the block number anymore, no more
offset field, now they are a single field. Just like we do with rt, rt0
and rt2. This simplifies our grammar and that is good since it makes our
life easier when extending it later on to accomodate new features.
I have also renamed sack_permitted to sack-permitted. I couldn't find
any option using underscore so far, so let's keep it consistent with
what we have.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
nft automatically understands 'ct zone set 1' but when a direction is
specified too we get a parser error since they are currently only
allowed for plain ct expressions.
This permits the existing syntax ('ct original zone') for all tokens with
an optional direction also for set statements.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Once directional zone support is added we also need to print the
direction of the statement, so factor the common code to re-use
this helper from the statement print function.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This enables zone get/set support.
As the zone can be optionally tied to a direction as well we need a new
token for this (unless we turn reply/original into tokens in which case
we could handle zone via STRING).
There was some discussion on how zone set support should be handled,
especially 'zone set 1'.
There are several issues to consider:
1. its not possible to change a zone 'later on', any given
conntrack flow has exactly one zone for its entire lifetime.
2. to create conntracks in a given zone, the zone therefore has to be
assigned *before* the packet gets picked up by conntrack (so that lookup
finds the correct existing flow or the flow is created with the desired
zone id). In iptables, this is enforced because zones are assigned with
CT target and this is restricted to the 'raw' table in iptables, which
runs after defragmentation but before connection tracking.
3. Thus, in nftables the 'ct zone set' rule needs to hook before
conntrack too, e.g. via
table raw {
chain pre {
type filter hook prerouting priority -300;
iif eth3 ct zone set 23
}
chain out {
type filter hook output priority -300;
oif eth3 ct zone set 23
}
}
... but this is not enforced.
There were two alternatives to better document this.
One was to use an explicit 'template' keyword:
nft ... template zone set 23
... but 'connection tracking templates' are a kernel detail
that users should not and need not know about.
The other one was to use the meta keyword instead since
we're (from a practical point of view) assigning the zone to
the packet, not the conntrack:
nft ... meta zone set 23
However, next patch also supports 'directional' zones, and
nft ... meta original zone 23
makes no sense because 'direction' refers to a direction as understood
by the connection tracker.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Add new UDATA_SET_DATABYTEORDER attribute for NFTA_SET_UDATA to store
the datatype byteorder. This is required if integer_type is used on the
rhs of the mapping given that this datatype comes with no specific
byteorder.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Rework the NFTNL_SET_USERDATA in netlink_delinearize_set() to accomodate
rhs datatype byteorder in mappings.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This function can be used either side of the map, so rename it to
something generic.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
stmt_evaluate_arg() needs to take the lhs map expression byteorder in
order to evaluate the lhs of mappings accordingly.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This flag allows us to identify datatypes that are instances from
original datatypes.
This fixes a possible double free when attaching a concatenation
datatype to set->keytype while being also referenced from concatenation
expressions.
ip6/flowtable.t: ERROR: line 5: src/nft add rule --debug=netlink ip6 test-ip6 input flow table acct_out { meta iif . ip6 saddr timeout 600s counter }: This rule should not have failed.
*** Error in `src/nft': double free or corruption (fasttop): 0x000000000117ce70 ***
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Byteorder is not correct as it is expressed in network byteorder. This
uncovered when storing set byteorder in NFTA_USER_DATA.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Not required anymore since the set definition now comes with the right
byteorder for integer types via NFTA_SET_USERDATA area. So we don't need
to look at the lhs anymore. Note that this was a workaround that does
not work with named sets, where we cannot assume we have a lhs, since
it is valid to have a named set that is not referenced from any rule.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The integer datatype has neither specific byteorder nor length. This
results in the following broken output:
# nft list ruleset
table ip x {
chain y {
mark set cpu map { 0 : 0x00000001, 16777216 : 0x00000002}
}
}
Currently, with BYTEORDER_INVALID, nft defaults on network byteorder,
hence the output above.
This patch stores the key byteorder in the userdata using a TLV
structure in the NFTA_SET_USERDATA area, so nft can interpret key
accordingly when dumping the set back to userspace.
Thus, after this patch the listing is correct:
# nft list ruleset
table ip x {
chain y {
mark set cpu map { 0 : 0x00000001, 1 : 0x00000002}
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Selectors that rely on the integer type and expect host endian
byteorder don't work properly.
We need to keep the byteorder around based on the left hand size
expression that provides the context, so store the byteorder when
evaluating the map.
Before this patch.
# nft --debug=netlink add rule x y meta mark set meta cpu map { 0 : 1, 1 : 2 }
__map%d x b
__map%d x 0
element 00000000 : 00000001 0 [end] element 01000000 : 00000002 0 [end]
^^^^^^^^
This is expressed in network byteorder, because the invalid byteorder
defaults on this.
After this patch:
# nft --debug=netlink add rule x y meta mark set meta cpu map { 0 : 1, 1 : 2 }
__map%d x b
__map%d x 0
element 00000000 : 00000001 0 [end] element 00000001 : 00000002 0 [end]
^^^^^^^^
This is in host byteorder, as the key selector in the map mandates.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Add this new header filer otherwise make distcheck breaks.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, when creating an error record (erec), the current location in the
file is duplicated, but not the input_descriptor inside it. Input descriptors
are added and removed by the parser when including files, and memory references
in the error record thus become incorrect when a subsequent file is included.
This patch copies the input descriptors recursively to ensure each erec has the
correct chain of input descriptors at the time of printing.
For example:
badinclude.nft:
```
include "error.nft"
include "empty.nft"
```
a.nft:
```
add rule t c obvious syntax error
```
b.nft: (empty file)
Results in the last included file being referenced and quoted for all errors
$ nft -f badinclude.nft
In file included from badinclude.nft:2:1-20:
./empty.nft:1:34-34: Error: syntax error, unexpected newline
^
Expected behavior:
$ nft -f badinclude.nft -I.
In file included from badinclude.nft:1:1-20:
./error.nft:1:34-34: Error: syntax error, unexpected newline
add rule t c obvious syntax error
^
Signed-off-by: Anatole Denis <anatole@rezel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch adds the missing documentation for maps. Also, updates sets
policy to match maps.
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Update shell/run-tests.sh to remove this new module too.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Get us in sync with kernel tree header file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Manuel Messner <mm@skelett.io>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch automatically removes the dependencies for exthdr and tcpopt.
# nft add rule filter input tcp option maxseg kind 3 counter.
# nft list table filter input
Before:
# ip protocol 6 tcp option maxseg kind 3 counter
After:
# tcp option maxseg kind 3 counter
Thus allowing to write tests as follows:
# tcp option maxseg kind 3;ok
Signed-off-by: Manuel Messner <mm@skelett.io>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
| |
nft add rule inet filter input tcp option sack 4 left 1
<cmdline>:1:28-49: Error: Cannot generate dependency: no network layer protocol specified
Users can avoid this via 'meta l4proto tcp', this enables implicit
dependency injection for the inet/bridge/netdev families.
Reviewed-by: Manuel Messner <mm@skelett.io>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch enables nft to match against TCP options.
Currently these TCP options are supported:
* End of Option List (eol)
* No-Operation (noop)
* Maximum Segment Size (maxseg)
* Window Scale (window)
* SACK Permitted (sack_permitted)
* SACK (sack)
* Timestamps (timestamp)
Syntax: tcp options $option_name [$offset] $field_name
Example:
# count all incoming packets with a specific maximum segment size `x`
# nft add rule filter input tcp option maxseg size x counter
# count all incoming packets with a SACK TCP option where the third
# (counted from zero) left field is greater `x`.
# nft add rule filter input tcp option sack 2 left \> x counter
If the offset (the `2` in the example above) is zero, it can optionally
be omitted.
For all non-SACK TCP options it is always zero, thus can be left out.
Option names and field names are parsed from templates, similar to meta
and ct options rather than via keywords to prevent adding more keywords
than necessary.
Signed-off-by: Manuel Messner <mm@skelett.io>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
currently exthdr always needs ipv6 dependency (i.e. link layer), but
with upcomming TCP option matching we also need to include TCP at the
network layer.
This patch prepares this change by adding two parameters to
exthdr_gen_dependency.
Signed-off-by: Manuel Messner <mm@skelett.io>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
| |
right now exthdr only deals with ipv6 extension headers, followup
patch will enable tcp option matching.
This adds the 'op' arg to exthdr_init.
Signed-off-by: Manuel Messner <mm@skelett.io>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
| |
Signed-off-by: Manuel Messner <mm@skelett.io>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
get_rate() is used to print quotas and limits and currently rounds the
number of bytes:
$ nft add quota filter https-quota 4000 kbytes
$ nft list ruleset
table ip filter {
quota https-quota {
3 mbytes
}
}
This may be a problem when loading your configuration after saving it
with 'list ruleset'. With this patch the values are represented in a
greater unit only when there is no rest in the conversion:
$ nft add quota filter https-quota2 2048 kbytes
$ nft list ruleset
table ip filter {
quota https-quota {
4000 kbytes
}
quota https-quota2 {
2 mbytes
}
}
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch adds the missing documentation for sets.
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch adds documentation for stateful objects and updates
tables description to mention them.
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Nftables uses a internal service table to print service names. This
table should be used when parsing new rules, to avoid conflicts between
nft service table and the local /etc/services, when loading an exported
ruleset.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1118
Fixes: ccc5da4 ("datatype: Replace getnameinfo() by internal lookup table")
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
the change causes non-ipv6 addresses to not be printed at all in case
a nfproto was given.
Also add a test case to catch this.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1117
Fixes: 5ab0e10fc6e2c22363a ("src: support for RFC2732 IPv6 address format with brackets")
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, the configure script requires xtables v1.6.0 when the option
--with-xtables is given. However, nftables-0.7 build fails with this
version, xtables v1.6.1 is the minimum required to have libxtables
support.
Fixes(Bug 1110 - Build failure if --with-xtables).
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Because the rules are more legible this way. Also, the parser doesn't
accept strings on ranges, so, printing ranges numerically better match
the rules definition.
Fixes(Bug 1046 - mobility header with range gives illegible rule).
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
The number of numeric options influences the behavior and the user
should be warned if a invalid number is used.
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Manuel Messner <mm@skelett.io>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
These test for adding counters and quotas, to tables of different
families, and for referencing the objects in rules.
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows to write pytests using the new stateful objects.
To add an object use the symbol '%', followed by the name, type and
specifications (currently used in quota):
%cnt1 type counter;ok # Adds the counter cnt1 to all tables
%qt1 type quota over 25 mbytes;ok # Adds the quota qt1 to all tables
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, stateful objects can be listed by: listing all objects in
all tables; listing a single object in a table. Now it's allowed to
list all objects in a table.
$ nft list counters table filter
table ip filter {
counter https-traffic {
packets 14825 bytes 950063
}
counter http-traffic {
packets 117 bytes 9340
}
}
$ nft list quotas table filter
table ip filter {
quota https-quota {
25 mbytes used 2 mbytes
}
quota http-quota {
25 mbytes used 10 kbytes
}
}
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Reseting stateful objects in a single table is already implemented and
cmd_evaluate_reset() now tests for the table name.
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently the stateful objects can only be listed in groups. With this
patch listing a single object is allowed:
$ nft list counter filter https-traffic
table ip filter {
counter https-traffic {
packets 4014 bytes 228948
}
}
$ nft list quota filter https-quota
table ip filter {
quota https-quota {
25 mbytes used 278 kbytes
}
}
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently the stateful objects can only be reseted in groups. With this
patch reseting a single object is allowed:
$ nft reset counter filter https-traffic
table ip filter {
counter https-traffic {
packets 8774 bytes 542668
}
}
$ nft list counter filter https-traffic
table ip filter {
counter https-traffic {
packets 0 bytes 0
}
}
Heavily based on work from Pablo Neira Ayuso <pablo@netfilter.org>.
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the inet, bridge and netdev families, we can add rules like these:
% nft add rule inet t c ip protocol icmp icmp type echo-request
% nft add rule inet t c ip6 nexthdr icmpv6 icmpv6 type echo-request
However, when we print the ruleset:
% nft list ruleset
table inet t {
chain c {
icmpv6 type echo-request
icmp type echo-request
}
}
These rules we obtain can't be added again:
% nft add rule inet t c icmp type echo-request
<cmdline>:1:19-27: Error: conflicting protocols specified: inet-service vs. icmp
add rule inet t c icmp type echo-request
^^^^^^^^^
% nft add rule inet t c icmpv6 type echo-request
<cmdline>:1:19-29: Error: conflicting protocols specified: inet-service vs. icmpv6
add rule inet t c icmpv6 type echo-request
^^^^^^^^^^^
Since I wouldn't expect an IP packet carrying ICMPv6, or IPv6 packet
carrying ICMP, if the link layer is inet, the network layer protocol context
can be safely update to 'ip' or 'ip6'.
Moreover, nft currently generates a 'meta nfproto ipvX' depedency when
using icmp or icmp6 in the inet family, and similar in netdev and bridge
families.
While at it, a bit of code factorization is introduced.
Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1073
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Add two tests to make sure that set size checks work fine:
1) Check if set size is indeed working, this is a simple one.
2) Check if set size is correct after ENFILE error, there is bug that
adds a new spare slot everytime we hit this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|