Commit log: subject [author, date, files changed, -lines/+lines]
* nftables: xt: don't use hard-coded AF_INET  [Florian Westphal, 2018-05-14, 1 file, -4/+20]
  We need to check which revision type is requested (match, target) and whether it's ipv4 or ipv6, then set family based on that. This allows nft ipv6 family to display compat entries if a translation is available.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* nft.8: Drop misleading adjective 'absolute'  [Phil Sutter, 2018-05-11, 1 file, -1/+1]
  Discussion showed that rule index may be interpreted as being absolute or relative, so just drop this adjective without replacement.
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: Return ENOENT if rule index is too large  [Phil Sutter, 2018-05-11, 1 file, -1/+1]
  Since EINVAL usually indicates errors from kernel, avoid using it here too. Instead return ENOENT to indicate there's no entry to append or prepend the rule to.
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Support testing JSON input and output as well  [Phil Sutter, 2018-05-11, 136 files, -5/+34651]
  This extends nft-test.py by optional JSON testing capabilities (activated via '-j'/'--enable-json' parameter). JSON testing happens for all rules which are supposed to work: After a rule has been added and the existing tests (payload, ruleset listing output) have been performed, basically the same test is done again using a recorded JSON equivalent and (if necessary) a recorded listing output.
  The code tries to ease new test case creation overhead by auto-generating JSON equivalent input via listing the (non-JSON) rule in JSON format. Also, differing netlink debug and listing output are stored in *.got files to assist in analyzing/fixing failing test cases.
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Highlight offending parts in differences warnings  [Phil Sutter, 2018-05-11, 1 file, -1/+34]
  Print the non-equal parts of the two rules in yellow when printing the differences warning.
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Don't read expected payload for each table  [Phil Sutter, 2018-05-11, 1 file, -10/+12]
  When testing rule adding to different table families, expected payload was read for each tested family again. Instead, read it just once and just try to read a family-specific payload for each tested family.
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Reduce indenting level in nft-test.py  [Phil Sutter, 2018-05-11, 1 file, -61/+65]
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* py: Add JSON support to nftables Class  [Phil Sutter, 2018-05-11, 1 file, -1/+44]
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* py: Add getter/setter for echo output option  [Phil Sutter, 2018-05-11, 1 file, -0/+25]
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Implement JSON parser  [Phil Sutter, 2018-05-11, 4 files, -4/+3172]
  If JSON output setting is active in current context, try parsing any input as JSON. If the initial loading of the buffer or filename by libjansson fails, fall back to regular syntax parser.
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Implement JSON output support  [Phil Sutter, 2018-05-11, 24 files, -2/+1845]
  Although technically there already is support for JSON output via 'nft export json' command, it is hardly useable since it exports all the gory details of nftables VM. Also, libnftables has no control over what is exported since the content comes directly from libnftnl.
  Instead, implement JSON format support for regular 'nft list' commands.
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Introduce a few helper functions  [Phil Sutter, 2018-05-11, 4 files, -15/+55]
  This adds a bunch of functions for conversion of different values into string (and vice-versa).
    * log_level_parse(): A simple helper to turn log level string representation into log level value.
    * nat_etype2str(): Translate nat statement type into string representation.
    * ct_dir2str(): Convert IP_CT_DIR_* values into string representation.
    * ct_label2str(): Convert ct_label values into string representation.
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Make some functions globally accessible  [Phil Sutter, 2018-05-11, 8 files, -6/+15]
  This removes static flag and adds header prototype for the following functions:
    * must_print_eq_op() from src/expression.c
    * fib_result_str() from src/fib.c
    * set_policy2str() and chain_policy2str() from src/rule.c
  In fib.h, include linux/netfilter/nf_tables.h to make sure enum nft_fib_result is known when including this file.
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Make some arrays globally accessible  [Phil Sutter, 2018-05-11, 14 files, -9/+27]
  This removes static flag and adds declarations in headers for the following arrays:
    * ct_templates from src/ct.c
    * mark_tbl from src/datatype.c
    * meta_templates and devgroup_tbl from src/meta.c
    * table_flags_name from src/rule.c
    * set_stmt_op_names from src/statement.c
    * tcpopthdr_protocols from src/tcpopt.c
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Put bison parsing into dedicated functions  [Phil Sutter, 2018-05-11, 2 files, -39/+64]
  Preparing for an alternative JSON parser, put bison specific details into separate functions.
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include/linux: Add required NFT_CT_MAX macro  [Phil Sutter, 2018-05-11, 1 file, -0/+2]
  This should be dropped for a real UAPI header update.
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: Bump version to v0.8.5  (tag v0.8.5)  [Florian Westphal, 2018-05-10, 1 file, -1/+1]
  Signed-off-by: Florian Westphal <fw@strlen.de>
* tests/shell: Extend rule_management/0001addposition_0  [Phil Sutter, 2018-05-09, 6 files, -36/+112]
  Combine it with 0002insertposition_0 due to the many similarities, extend it to test 'handle' and 'index' parameters as well and rename the testcase accordingly. Also add a new 0002addinsertlocation_1 which tests that wrong arguments to all of the location parameters fail.
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Support 'add/insert rule index <IDX>'  [Phil Sutter, 2018-05-09, 6 files, -9/+89]
  Allow to specify an absolute rule position in add/insert commands like with iptables. The translation to rule handle takes place in userspace, so no kernel support for this is needed.
  Possible undesired effects are pointed out in man page to make users aware that this way of specifying a rule location might not be ideal.
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
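The two commits above ("Support 'add/insert rule index <IDX>'" and "evaluate: Return ENOENT if rule index is too large") describe a translation that happens entirely in userspace: nft resolves the index against the rule list it has cached and sends the kernel a handle-based command. The following Python model is an added example written for this page, not nftables' own code. It assumes 0-based indices, a constructed chain snapshot with made-up handles, and that both 'add' and 'insert' resolve to the handle of the rule at the index (add appending after it, insert prepending before it); it also shows the pitfall the man page warns about, namely that an index picked against a stale snapshot silently lands on a different rule if the chain changed in between.

```python
"""Model of the userspace 'index -> handle' translation behind
'add/insert rule ... index IDX'.  Example code, not nftables' own."""
import errno
from dataclasses import dataclass

ENOENT = errno.ENOENT


@dataclass(frozen=True)
class Rule:
    handle: int   # kernel-assigned handle, stable for the rule's lifetime
    text: str     # constructed rule text, for readability only


def index_to_handle(rules, index):
    """Return (handle, 0) for the rule at 0-based position `index`, or
    (None, ENOENT) when there is no such rule.  0-based indexing is an
    assumption of this example; reporting ENOENT instead of EINVAL follows
    the evaluate commit above."""
    if index < 0 or index >= len(rules):
        return None, ENOENT
    return rules[index].handle, 0


def build_command(rules, verb, chain, index, rule_text):
    """Rewrite an index-based location into the handle-based command that is
    actually submitted to the kernel.  Returns (command_or_None, errno).
    'add' appends after and 'insert' prepends before the rule at `index`,
    so both verbs need the same handle."""
    if verb not in ("add", "insert"):
        raise ValueError(f"unsupported verb {verb!r}")
    handle, err = index_to_handle(rules, index)
    if err:
        return None, err
    return f"{verb} rule {chain} handle {handle} {rule_text}", 0


# Constructed snapshot of a chain as it looked when the index was chosen
# (handles are made up; real ones are whatever the kernel assigned).
SNAPSHOT = [
    Rule(4, "ct state established,related accept"),
    Rule(7, "tcp dport 22 accept"),
    Rule(9, "counter drop"),
]


def stale_index_demo():
    """The index is resolved against whatever rule list nft has at hand.
    If another process changes the chain between choosing the index and
    issuing the command, the same index now names a different rule.
    Returns (handle the user meant, handle the index resolves to now)."""
    intended, _ = index_to_handle(SNAPSHOT, 1)          # handle 7
    live = [r for r in SNAPSHOT if r.handle != 4]        # someone deleted handle 4
    resolved_now, _ = index_to_handle(live, 1)           # handle 9, not 7
    return intended, resolved_now


if __name__ == "__main__":
    print(build_command(SNAPSHOT, "insert", "inet filter input", 1, "tcp dport 80 accept"))
    print(build_command(SNAPSHOT, "add", "inet filter input", 5, "drop"))
    print("stale snapshot resolves index 1 to:", stale_index_demo())
```

A handle-based command does not have this race: 'insert rule ... handle 7' either lands next to rule 7 or fails with ENOENT if that rule is gone, which is why the man page steers users towards 'handle' when the chain may be modified concurrently.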
* rule: Copy locations in handle_merge()  [Phil Sutter, 2018-05-09, 1 file, -3/+9]
  This allows error messages to point to the right part of the command after handles were merged.
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Deprecate add/insert rule 'position' argument  [Phil Sutter, 2018-05-09, 2 files, -4/+21]
  Instead, use 'handle' keyword for the same effect since that is more consistent with respect to replace/delete commands. The old keyword is still supported for backwards compatibility and also listed in man page along with a hint that it shouldn't be used anymore.
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: allow to specify sets with a timeout  [Florian Westphal, 2018-05-09, 7 files, -19/+94]
  Not usable yet, as the set timeout netlink output isn't captured so far, but it adds groundwork to add this as a follow-up.
  Set definition syntax changes a little: if you want to add multiple elements they now have to be separated by "," just like in nftables.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: py: add expires tests with different time bases  [Florian Westphal, 2018-05-09, 2 files, -5/+21]
  Signed-off-by: Florian Westphal <fw@strlen.de>
* src: support timeouts in milliseconds  [Florian Westphal, 2018-05-09, 7 files, -25/+50]
  Currently the frontend uses seconds everywhere and multiplies/divides by 1000. Pass milliseconds around instead and extend the scanner to accept 'ms' in timestrings.
  Signed-off-by: Florian Westphal <fw@strlen.de>
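To make concrete what "extend the scanner to accept 'ms' in timestrings" means, here is an added Python example of a time-string parser and printer working in milliseconds; it is illustration written for this page, not nftables' scanner or its output code. It assumes the time-string form of day/hour/minute/second components in descending order, each optional, with a trailing 'ms' component, e.g. '1d2h3m4s500ms'; the exact grammar nft accepts is in its scanner, so treat the pattern below as an assumption. The helper to_whole_seconds() shows why a seconds-only frontend cannot carry such values: anything below one second is truncated to zero.

```python
"""Parse and print nftables-style time strings with millisecond
resolution.  Example code, not nftables' own; the accepted grammar is an
assumption modelled on strings such as '1d2h3m4s500ms'."""
import re

# Units in descending order; 'ms' last so printing greedily consumes the
# larger units first.
_UNITS_MS = (("d", 86_400_000), ("h", 3_600_000), ("m", 60_000),
             ("s", 1_000), ("ms", 1))

# Each component is optional but the order is fixed.  The minute component
# carries a negative lookahead so that '500ms' is read as milliseconds and
# not as '500m' followed by a stray 's'.
_TIMESTRING = re.compile(
    r"^(?:(?P<d>\d+)d)?"
    r"(?:(?P<h>\d+)h)?"
    r"(?:(?P<m>\d+)m(?!s))?"
    r"(?:(?P<s>\d+)s)?"
    r"(?:(?P<ms>\d+)ms)?$"
)


def parse_timestring(text):
    """Return the total number of milliseconds encoded by `text`.
    Raises ValueError for an empty string, unknown units or wrong order."""
    match = _TIMESTRING.match(text)
    if not match or all(v is None for v in match.groupdict().values()):
        raise ValueError(f"invalid time string: {text!r}")
    total = 0
    for unit, unit_ms in _UNITS_MS:
        value = match.group(unit)
        if value is not None:
            total += int(value) * unit_ms
    return total


def is_valid_timestring(text):
    """Boolean convenience wrapper around parse_timestring()."""
    try:
        parse_timestring(text)
    except ValueError:
        return False
    return True


def format_timestring(total_ms):
    """Inverse of parse_timestring(): print milliseconds as the shortest
    descending-unit string, e.g. 93784500 -> '1d2h3m4s500ms'."""
    if total_ms < 0:
        raise ValueError("negative duration")
    if total_ms == 0:
        return "0s"
    parts = []
    for unit, unit_ms in _UNITS_MS:
        quantity, total_ms = divmod(total_ms, unit_ms)
        if quantity:
            parts.append(f"{quantity}{unit}")
    return "".join(parts)


def to_whole_seconds(text):
    """What a seconds-only frontend would keep: sub-second precision is lost,
    so a 500ms timeout silently becomes 0."""
    return parse_timestring(text) // 1000


if __name__ == "__main__":
    for sample in ("1d2h3m4s500ms", "500ms", "2m30s", "45s"):
        ms = parse_timestring(sample)
        print(f"{sample:>14} -> {ms:>10} ms -> {format_timestring(ms)}"
              f" (seconds-only: {to_whole_seconds(sample)})")
```

The round trip parse_timestring(format_timestring(n)) == n holds for every non-negative n, which is the property a listing/reload cycle of a ruleset with timeouts depends on once timeouts are carried in milliseconds.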
* doc: add size keyword to meter example  [Florian Westphal, 2018-05-09, 1 file, -1/+1]
  Signed-off-by: Florian Westphal <fw@strlen.de>
* xt: don't BUG if we can't find an extension  [Florian Westphal, 2018-05-08, 1 file, -6/+8]
  It seems a bit harsh to just exit.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* parser: added missing semicolon  [Máté Eckl, 2018-05-08, 1 file, -0/+1]
  It did not do any harm, but it was certainly missing.
  Signed-off-by: Máté Eckl <ecklm94@gmail.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: add size to meters  [Pablo Neira Ayuso, 2018-05-08, 2 files, -2/+2]
  Otherwise, 65535 is used and the testsuite reports a dump mismatch.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: delete chain and rule with jump to chain in same transaction  [Pablo Neira Ayuso, 2018-05-08, 1 file, -0/+25]
  We should not hit EBUSY in this case.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* files: restore base table skeletons  [Florian Westphal, 2018-05-08, 16 files, -13/+37]
  nftables releases until 0.8.2 included base skeleton hooks that were installed into /etc/nftables (sysconfdir).
  With 0.8.3 and newer these files were moved to the documentation area but apparently some users expect them to be there. Resurrect them.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: Support rfc4291 IPv4-compatible addresses  [Phil Sutter, 2018-05-06, 1 file, -1/+2]
  These are defined in section 2.5.5.1. Although it is stated that they are deprecated and new implementations are not required to support them, they occur in ruleset output if an address in the form '::feed:babe' was given in input. In order to support reinsertion of that rule, we have to support those deprecated addresses as well.
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Fix expected output in {bridge,inet}/icmpX.t  [Phil Sutter, 2018-05-06, 2 files, -2/+2]
  The first expression in that rule is not eliminated in evaluation phase, so there is no reason why it should be while delinearizing.
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* proto: Fix wrong token in proto_icmp6  [Phil Sutter, 2018-05-06, 1 file, -1/+1]
  'token' value of ICMP6HDR_MTU field must be 'mtu', not 'packet-too-big'. This went unnoticed because rule delinearization for icmp/icmpv6 payload expressions is problematic anyway in that different fields point to the same offset and therefore are indistinguishable. In this case, an expression like e.g. 'icmpv6 mtu 1500' will be printed later as 'icmpv6 parameter-problem 1500'.
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use location to display error messages  [Pablo Neira Ayuso, 2018-05-06, 1 file, -62/+94]
    # nft add chain foo bar
    Error: Could not process rule: No such file or directory
    add chain foo bar
              ^^^
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add obj_spec  [Pablo Neira Ayuso, 2018-05-06, 5 files, -18/+25]
  Store location object in handle to improve error reporting.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add set_spec  [Pablo Neira Ayuso, 2018-05-06, 8 files, -42/+49]
  Store location object in handle to improve error reporting.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add chain_spec  [Pablo Neira Ayuso, 2018-05-06, 6 files, -22/+29]
  Store location object in handle to improve error reporting.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add table_spec  [Pablo Neira Ayuso, 2018-05-06, 7 files, -67/+73]
  Store location object in handle to improve error reporting.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: Removed LOOKUP token  [Máté Eckl, 2018-05-05, 1 file, -1/+0]
  It is never used.
  Signed-off-by: Máté Eckl <ecklm94@gmail.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: update doc/ispell_nft to track recent nft.8 updates  [Duncan Roe, 2018-05-03, 1 file, -2/+2]
  Track changes in commits 3baa28f24b3d70a7ee17d584c113a2c4e057a565 and 4787edad132c30ae0f6bb00135ae5d970b0ccb74 (rename ibriport and obriport: s/iport/name).
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* meter: enforce presence of a max size  [Florian Westphal, 2018-05-02, 7 files, -4/+17]
  meters are updated dynamically, so we don't know in advance how large this structure can be.
  Add a 'size' keyword to specify an upper limit and update the old syntax to assume a default max value of 65535.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* libnftables: fix header export  [Arturo Borrero Gonzalez, 2018-05-02, 5 files, -4/+4]
  Instruct Make to actually install the header to the system, otherwise users won't see the header in their system after running 'make install'.
  Also, export main libnftables header with a proper name, since we have another private header called 'nftables.h' (i.e, let's be concrete with the naming).
  Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* build: Bump version to v0.8.4  (tag v0.8.4)  [Florian Westphal, 2018-05-01, 1 file, -1/+1]
  Signed-off-by: Florian Westphal <fw@strlen.de>
* rule: do not hardcode ingress when printing flowtable  [Pablo Neira Ayuso, 2018-04-26, 1 file, -1/+2]
  Call hook number to string function instead.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: missing flowtable evaluation from nested notation  [Pablo Neira Ayuso, 2018-04-26, 1 file, -0/+7]
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix --debug mnl not producing output  [Duncan Roe, 2018-04-26, 4 files, -19/+19]
  cache_update() needs to accept the full debug mask instead of a boolean of NFT_DEBUG_NETLINK, because called functions may wish to check other bits (NFT_DEBUG_MNL in particular).
  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: reword insert position, this expects rule handle to insert, not a relative position  [Florian Westphal, 2018-04-24, 1 file, -3/+3]
  Signed-off-by: Florian Westphal <fw@strlen.de>
* statement: Fix get_rate() for zero byte_rate  [Phil Sutter, 2018-04-24, 1 file, -0/+5]
  The algorithm didn't detect whether given byte_rate was zero, pointlessly iterating through data units. Make it exit early in this case.
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: Free flowtable in handle_free()  [Phil Sutter, 2018-04-24, 1 file, -0/+1]
  Fixes: db0697ce7f602 ("src: support for flowtable listing")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: no EINTR handling from netlink_get_setelem()  [Pablo Neira Ayuso, 2018-04-24, 1 file, -11/+4]
  This cannot happen, this call does not set the NLM_F_DUMP flag.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>