| Commit message | Author | Age | Files | Lines |
This patch introduces nft_print()/nft_gmp_print() functions which have
to be used instead of printf to output information that was previously
sent to stdout. These functions print to a FILE pointer defined in
struct output_ctx. It is set by calling:
    old_fp = nft_ctx_set_output(ctx, new_fp);
Having an application-defined FILE pointer is actually quite flexible:
Using fmemopen() or even fopencookie(), an application gains full
control over what is printed and where it should go to.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
By adding flags to nft_ctx_new, we will have a minimum capability
of changing the way the nft_ctx is created.
For now, this patch uses a simple value that allows the user to specify
that he will handle netlink by himself.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The idea is to provide a simplistic API for non-netlink wise people.
Add a field in struct nft_ctx to store the socket.
The advanced API that we're planning will just simply leave this unset,
since netlink IO will be exposed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
So we don't forget all these caches should be placed into struct
nft_ctx.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
When including a file, it is opened by fopen() and therefore needs to be
closed after scanning has finished using fclose(), otherwise valgrind
will report a memleak.
This patch changes struct input_descriptor to track the opened FILE
pointer instead of the file descriptor so the pointer is available for
closing in scanner_destroy().
While at it, change erec_print() to work on the open FILE pointer so it
doesn't have to call fileno() beforehand. And as a little bonus, use a
C99 initializer for the buffer to get rid of the call to memset().
Note that it is necessary to call erec_print_list() prior to destroying
the scanner, otherwise it will start manipulating an already freed FILE
pointer (and therefore crash the program).
Signed-off-by: Phil Sutter <phil@nwl.cc>
So this toggle is not global anymore. Update the name so that it fits
better with the semantics of this variable.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Not a global variable anymore.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Not convenient to keep this as static for the upcoming library, so let's
move it where it belongs.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This is preliminary work for Eric's libnftables patchset.
Cc: Eric Leblond <eric@regit.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Place the sequence number that is allocated per-command on the struct
netlink_ctx structure. This is allocated from nft_run() to correlate
commands with netlink messages for error reporting. Batch support
probing also shares these sequence numbers with commands.
There is an independent cache sequence number though; this routine is
called from a different path, usually from the evaluation phase.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pass variable cache_initialized and structure list_head as members of
structure nft_cache.
Joint work with Pablo Neira.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
When used with add, insert or replace commands, the nft tool will print
event notifications just like 'nft monitor' does for the same commands.
Apart from seeing what a given command turns into in the rule set,
this allows one to reliably retrieve a new rule's assigned handle (if used
together with the --handle option).
Here are some examples of how it works:
# nft --echo --handle add table ip t
add table ip t

# nft --echo --handle add chain ip t c \
    '{ type filter hook forward priority 0; }'
add chain ip t c { type filter hook forward priority 0; policy accept; }

# nft --echo --handle add rule ip t c tcp dport '{22, 80}' accept
add rule ip t c tcp dport { ssh, http } accept # handle 2

# nft --echo --handle add set ip t ipset '{ type ipv4_addr; \
    elements = { 192.168.0.1, 192.168.0.2 }; }'
add set ip t ipset { type ipv4_addr; }
add element ip t ipset { 192.168.0.1 }
add element ip t ipset { 192.168.0.2 }
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
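An added example, not code from nftables or libnftables, tying together two of the commits above: the application-owned FILE pointer that nft_print() writes to (the commit introducing nft_ctx_set_output()), and the `# handle N` suffix that --echo --handle appends to an echoed rule. The program captures the printed text with open_memstream() instead of sending it to stdout, then parses the handle out of it so a caller can later refer to the rule by handle. struct output_ctx and print_to_ctx() are stand-ins for the library's context and nft_print(), not the real API, and the echoed line is a constructed sample copied from the examples above; with fopencookie() an application could install its own write callback at the same point.

```c
/*
 * Added example, not libnftables code. An application-owned FILE* is the
 * print target (as with nft_ctx_set_output()); here it is an in-memory stream
 * from open_memstream(), so the program can read back what was printed and
 * pull the "# handle N" suffix that --echo --handle appends out of it.
 * struct output_ctx and print_to_ctx() are stand-ins for the library's
 * context and nft_print(), and the echoed line is a constructed sample.
 */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct output_ctx {
	FILE *output;	/* application-defined target, as in the commit */
};

/* Stand-in for nft_print(): all output goes to the context's FILE*. */
static int print_to_ctx(struct output_ctx *octx, const char *fmt, ...)
{
	va_list ap;
	int ret;

	va_start(ap, fmt);
	ret = vfprintf(octx->output, fmt, ap);
	va_end(ap);
	return ret;
}

/* Parse the trailing "# handle N" comment. Returns the handle, or -1 when the
 * line carries none or the number is malformed or followed by other text
 * (handles are unsigned in nftables; -1 is only a sentinel for this demo). */
int64_t parse_echo_handle(const char *line)
{
	const char *p = strstr(line, "# handle ");
	unsigned long long v;
	char *end;

	if (!p)
		return -1;
	p += strlen("# handle ");
	errno = 0;
	v = strtoull(p, &end, 10);
	if (errno || end == p || v > INT64_MAX)
		return -1;
	while (*end == ' ' || *end == '\t' || *end == '\n')
		end++;
	if (*end != '\0')
		return -1;
	return (int64_t)v;
}

/* Run a "command" whose output is captured into a malloc'd buffer instead of
 * stdout, then extract the new rule's handle from what was printed. */
int64_t handle_from_captured_output(void)
{
	struct output_ctx octx;
	char *buf = NULL;
	size_t len = 0;
	int64_t handle;

	octx.output = open_memstream(&buf, &len);
	if (!octx.output)
		return -1;
	/* Constructed sample of what --echo --handle prints for 'add rule'. */
	print_to_ctx(&octx, "add rule ip t c tcp dport { ssh, http } accept # handle %d\n", 2);
	fclose(octx.output);	/* flushes the stream and finalises buf/len */

	handle = parse_echo_handle(buf);
	free(buf);
	return handle;
}

int main(void)
{
	int64_t h = handle_from_captured_output();

	if (h < 0) {
		fprintf(stderr, "no handle found in echoed output\n");
		return 1;
	}
	printf("new rule handle: %lld\n", (long long)h);
	return 0;
}
```

Build with `cc -o echo_handle echo_handle.c`; it prints `new rule handle: 2`. The parser insists that nothing but whitespace follows the number, so a line that merely contains the text "# handle" somewhere in a comment is not mistaken for a handle.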
Add nft_init and nft_exit functions, which call the _init and _exit
functions in the main.c file. Remove __init and __exit macro definitions as
the libnftables library will be created soon. Rename realm_table_init() and
realm_table_exit() functions to avoid ambiguity as
realm_table_rt_init(), realm_table_meta_init(), realm_table_rt_exit() and
realm_table_meta_exit() in the rt.c and meta.c files.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This socket should not be global, it is also hidden in many layers of
code. Expose it as function parameters to decouple the netlink socket
handling logic from the command parsing, evaluation and bytecode
generation.
Joint work with Varsha Rao.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Sometimes it can be useful to test if a command is valid without
applying any change to the rule-set. This commit adds a new option
flag (-c | --check) that performs a dry run execution of the commands.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The new structure nft_ctx is meant to be used as a generic container of
context information.
This is a preparatory patch. So at the moment the struct just carries
output_ctx on its path through main.c and cli.c.
Based on original idea from Eric Leblond.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
libnftables library will be created soon. So declare numeric_output,
stateless_output, ip2name_output and handle_output as members of
structure output_ctx, instead of global variables. Rename these
variables as follows:
numeric_output -> numeric
stateless_output -> stateless
ip2name_output -> ip2name
handle_output -> handle
Also add struct output_ctx *octx as member of struct netlink_ctx.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Always print flow statement as stateless expressions, given that this
just defines the flow table statement instance that is allocated per
entry.
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Currently only counter and quota have stateful information.
For named counters, packets and bytes are displayed as 0.
Standard list ruleset:

table ip filter {
	counter https {
		packets 161942 bytes 10253353
	}
	chain output {
		type filter hook output priority 0; policy accept;
		counter name tcp dport map { https : "https"}
		tcp dport https counter packets 171211 bytes 10869045
		tcp dport https quota 25 mbytes used 10 mbytes
	}
}

With stateless option, -s:

table ip filter {
	counter https {
		packets 0 bytes 0
	}
	chain output {
		type filter hook output priority 0; policy accept;
		counter name tcp dport map { https : "https"}
		tcp dport https counter
		tcp dport https quota 25 mbytes
	}
}
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The location shouldn't ever alter the expression.
And this fixes this compilation warning:
netlink_delinearize.c: In function ‘netlink_parse_expr’:
netlink_delinearize.c:1008:10: warning: assignment discards ‘const’ qualifier from pointer target type
loc.nle = nle;
^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Needed by follow up patches to use autotools.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch changes the default behaviour of nft to not translate IP
addresses to hostnames when printing rules if no options are passed.
The options regarding translations after this patch are:
<no -n/-N> show IP addresses numerically (default behaviour)
-n show IP addresses numerically
-nn show Internet services and uid/gid numerically
-nnn show protocols numerically
-N (--reversedns) translate IP addresses to names
The idea is to avoid breaking existing scripts that most likely rely on
'-n' to save the ruleset, so we reduce the impact of this patch and
provide a default behaviour that doesn't generate network traffic when
listing / saving the ruleset.
Joint work with Pablo.
Suggested-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This makes nftables a bit more embedded-friendly.
Signed-off-by: Steven Barth <cyrus@openwrt.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds a simple helper function to report errors while
opening the Netlink socket.
To help users to diagnose problems, a new NFT_EXIT_NONL exit code is included,
which is 3.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Move error recovery to the common_block definition to handle errors
in any block. Queue those errors and abort parsing once a threshold
is reached.
With this in place, we can continue parsing when errors occur and
show all of them to the user at once.
tests/error.1:3:8-8: Error: syntax error, unexpected '{', expecting string
filter {
^
tests/error.1:4:13-13: Error: syntax error, unexpected newline
filter input
^
tests/error.1:5:17-17: Error: syntax error, unexpected newline
filter input tcp
^
tests/error.1:6:23-23: Error: syntax error, unexpected newline
filter input tcp dport
Signed-off-by: Patrick McHardy <kaber@trash.net>
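An added example, not nftables code, of the error-recovery scheme this commit describes: a line-oriented parser that queues each error with its file position, resumes at the next line, and abandons the parse only once a threshold of queued errors is reached, after which all of them are reported at once in the `file:line:col` style shown above. The grammar it checks (one `<table> <chain> <tcp|udp> dport <port>` rule per line), the threshold of 10, and the sample input that mirrors the tests/error.1 excerpt are assumptions made for the demo, not nftables' bison grammar or its real limit.

```c
/*
 * Added example, not nftables code: errors are queued with their location,
 * parsing resumes at the next line, and the parser gives up only once a
 * queued-error threshold is reached, so every problem is reported in one run.
 * The grammar, the threshold and the input are assumptions for this demo.
 */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define EREC_MAX 10	/* assumed threshold: abort once this many errors are queued */

struct erec { unsigned int line, col; char msg[96]; };
struct erec_queue { struct erec recs[EREC_MAX]; unsigned int count; };

/* Queue one error; returns 1 when the threshold has been reached. */
static int erec_queue(struct erec_queue *q, unsigned int line, unsigned int col, const char *msg)
{
	if (q->count < EREC_MAX) {
		struct erec *e = &q->recs[q->count++];
		e->line = line;
		e->col = col;
		snprintf(e->msg, sizeof(e->msg), "%s", msg);
	}
	return q->count >= EREC_MAX;
}

/* Check one line and queue the first error found; the next line is the recovery point. */
static int parse_rule_line(struct erec_queue *q, unsigned int lineno, const char *line)
{
	char buf[128], msg[96], *tok[6], *t, *save;
	unsigned int col[6], n = 0;

	snprintf(buf, sizeof(buf), "%s", line);
	for (t = strtok_r(buf, " \t", &save); t && n < 6; t = strtok_r(NULL, " \t", &save)) {
		tok[n] = t;
		col[n++] = (unsigned int)(t - buf) + 1;	/* 1-based start column */
	}
	if (n == 0)
		return 0;	/* blank line: nothing to check */
	if (n >= 2 && !isalpha((unsigned char)tok[1][0])) {
		snprintf(msg, sizeof(msg), "syntax error, unexpected '%s', expecting string", tok[1]);
		return erec_queue(q, lineno, col[1], msg);
	}
	if (n >= 3 && strcmp(tok[2], "tcp") != 0 && strcmp(tok[2], "udp") != 0) {
		snprintf(msg, sizeof(msg), "syntax error, unexpected '%s', expecting tcp or udp", tok[2]);
		return erec_queue(q, lineno, col[2], msg);
	}
	if (n < 5)	/* the line ended before the rule was complete */
		return erec_queue(q, lineno, (unsigned int)strlen(line) + 1,
				  "syntax error, unexpected newline");
	return 0;
}

/* Parse a whole buffer; returns the errors queued, sets *aborted if the threshold stopped it. */
unsigned int parse_ruleset(const char *text, struct erec_queue *q, int *aborted)
{
	unsigned int lineno = 0;
	const char *p = text;

	memset(q, 0, sizeof(*q));
	*aborted = 0;
	while (*p) {
		const char *nl = strchr(p, '\n');
		size_t len = nl ? (size_t)(nl - p) : strlen(p);
		char line[128];
		snprintf(line, sizeof(line), "%.*s", (int)len, p);
		if (parse_rule_line(q, ++lineno, line)) {
			*aborted = 1;
			break;
		}
		p = nl ? nl + 1 : p + len;
	}
	return q->count;
}

/* Print all queued errors at once, in the file:line:col style shown above. */
void erec_print_list(const struct erec_queue *q, const char *source)
{
	for (unsigned int i = 0; i < q->count; i++)
		printf("%s:%u:%u: Error: %s\n", source, q->recs[i].line,
		       q->recs[i].col, q->recs[i].msg);
}

int main(void)
{
	/* Constructed input mirroring the tests/error.1 excerpt quoted above. */
	const char *input = "filter {\nfilter input\nfilter input tcp\n"
			    "filter input tcp dport\nfilter input tcp dport 22\n";
	struct erec_queue q;
	int aborted;
	unsigned int n = parse_ruleset(input, &q, &aborted);

	erec_print_list(&q, "tests/error.1");
	printf("%u error(s)%s\n", n, aborted ? ", parsing aborted" : "");
	return n ? 1 : 0;
}
```

The important property is that erec_queue() never reports an error twice for one line and never stops the parse on its own: the caller decides when the threshold return value means "give up", which is what keeps the listing complete for small numbers of mistakes and bounded for a file that is garbage from top to bottom.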
Signed-off-by: Patrick McHardy <kaber@trash.net>
Conflicts:
include/nftables.h
src/main.c
This allows you to dump the netlink message that is sent via
libmnl.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Conflicts:
include/nftables.h
src/main.c
Currently, nft displays the debugging information if it's compiled with
--enable-debug (which seems a good idea) and when intervals are used
in maps. Add a new option to enable debugging to segtree, so we only
get this information when explicitly requested.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add a new debugging level to debug updates to the protocol context.
Sample output:
<cmdline>:1:15-23: Evaluate
filter output tcp dport ssh
^^^^^^^^^
tcp
update transport layer protocol context:
link layer : none
network layer : ip
transport layer : tcp <-
Signed-off-by: Patrick McHardy <kaber@trash.net>
Personally, I like seeing ports and IPs numerically, but prefer protocols
to be shown by name. As such, add a third --numeric level which will
show protocols by number, splitting them out from ports.
-n/--numeric When specified once, show network addresses numerically.
When specified twice, also show Internet services,
user IDs and group IDs numerically.
When specified thrice, also show protocols numerically.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch migrates nft to use the libnftables library, that is used
by the iptables over nftables compat utility as well. Most of the
conversion was pretty straightforward. Some small significant changes
happened in the handling of set element and immediate data abstraction
that libnl provides. libnftables is a bit more granular since it splits
the struct nfnl_nft_data into three attributes: verdict, chain and plain
data (used in maps).
I have added a new file src/mnl.c that contains the low level netlink
communication that now resides in nftables source tree instead of
the library. This should help to implement the batching support using
libmnl in follow up patches.
I also spent some significant amount of time running my tests to make
sure that we don't increase the number of bugs that we already have
(I plan to provide a list of those that I have detected and diagnosed,
so anyone else can help us to fix them).
As a side effect, this change should also prepare the ground for
JSON and XML support anytime soon.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Knowing the rule handle is necessary to be able to delete a single
rule. It was not displayed till now in the output and it was thus
impossible to remove a single rule.
This patch modifies the listing output to add a comment containing
the handle when the -a/--handle flag is provided.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds missing code to get basic interactive mode
operative via `nft -i', including parsing, evaluation,
command execution via netlink and error reporting.
Autocomplete is not yet implemented.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Patrick McHardy <kaber@trash.net>