| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nft will now be able to handle
map destinations {
type ipv4_addr . inet_service : ipv4_addr . inet_service
}
chain f {
dnat to ip daddr . tcp dport map @destinations
}
Something like this won't work though:
meta l4proto tcp dnat ip6 to numgen inc mod 4 map { 0 : dead::f001 . 8080, ..
as we lack the type info to properly dissect "dead::f001" as an ipv6
address.
For the named map case, this info is available in the map
definition, but for the anon case we'd need to resort to guesswork.
Support is added by peeking into the map definition when evaluating
a nat statement with a map.
Right now, when a map is provided as address, we will only check that
the mapped-to data type matches the expected size (of an ipv4 or ipv6
address).
After this patch, if the mapped-to type is a concatenation, it will
take a peek at the individual concat expressions. If its a combination
of address and service, nft will translate this so that the kernel nat
expression looks at the returned register that would store the
inet_service part of the octet soup returned from the lookup expression.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for "synproxy" statement. For example (for TCP port 8888):
table ip x {
chain y {
type filter hook prerouting priority raw; policy accept;
tcp dport 8888 tcp flags syn notrack
}
chain z {
type filter hook input priority filter; policy accept;
tcp dport 8888 ct state invalid,untracked synproxy mss 1460 wscale 7 timestamp sack-perm
ct state invalid drop
}
}
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
add rule bridge test-bridge input reject with icmp type port-unreachable
... will be printed as 'reject', which is fine on ip family, but not on
bridge -- 'with icmp type' adds an ipv4 dependency, but simple reject
does not (it will use icmpx to also reject ipv6 packets with an icmpv6 error).
Add a toggle to supress short-hand versions in this case.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
consider a simple ip6 nat table:
table ip6 nat { chain output {
type nat hook output priority 0; policy accept;
dnat to dead:2::99
}
Now consider same ruleset, but using 'table inet nat':
nft now lacks context to determine address family to parse 'to $address'.
This adds code to make the following work:
table inet nat { [ .. ]
# detect af from network protocol context:
ip6 daddr dead::2::1 dnat to dead:2::99
# use new dnat ip6 keyword:
dnat ip6 to dead:2::99
}
On list side, the keyword is only shown in the inet family, else the
short version (dnat to ...) is used as the family is redundant when the
table already mandates the ip protocol version supported.
Address mismatches such as
table ip6 { ..
dnat ip to 1.2.3.4
are detected/handled during the evaluation phase.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This is never used, ie. always NULL.
Reported-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following example shows how to populate a set from the packet path
using the destination IP address, for each entry there is a counter. The
entry expires after the 1 hour timeout if no packets matching this entry
are seen.
table ip x {
set xyz {
type ipv4_addr
size 65535
flags dynamic,timeout
timeout 1h
}
chain y {
type filter hook output priority filter; policy accept;
update @xyz { ip daddr counter } counter
}
}
Similar example, that creates a mapping better IP address and mark,
where the mark is assigned using an incremental sequence generator from
0 to 1 inclusive.
table ip x {
map xyz {
type ipv4_addr : mark
size 65535
flags dynamic,timeout
timeout 1h
}
chain y {
type filter hook input priority filter; policy accept;
update @xyz { ip saddr counter : numgen inc mod 2 }
}
}
Supported stateful statements are: limit, quota, counter and connlimit.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Instead of using the map expression, store dynamic key and data
separately since they need special handling than constant maps.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support for transparent proxy functionality which is
supported in ip, ip6 and inet tables.
The syntax is the following:
tproxy [{|ip|ip6}] to {<ip address>|:<port>|<ip address>:<port>}
It looks for a socket listening on the specified address or port and
assigns it to the matching packet.
In an inet table, a packet matches for both families until address is
specified.
Network protocol family has to be specified **only** in inet tables if
address is specified.
As transparent proxy support is implemented for sockets with layer 4
information, a transport protocol header criterion has to be set in the
same rule. eg. 'meta l4proto tcp' or 'udp dport 4444'
Example ruleset:
table ip x {
chain y {
type filter hook prerouting priority -150; policy accept;
tcp dport ntp tproxy to 1.1.1.1
udp dport ssh tproxy to :2222
}
}
table ip6 x {
chain y {
type filter hook prerouting priority -150; policy accept;
tcp dport ntp tproxy to [dead::beef]
udp dport ssh tproxy to :2222
}
}
table inet x {
chain y {
type filter hook prerouting priority -150; policy accept;
tcp dport 321 tproxy to :ssh
tcp dport 99 tproxy ip to 1.1.1.1:999
udp dport 155 tproxy ip6 to [dead::beef]:smux
}
}
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Allow to forward packets through to explicit destination and interface.
nft add rule netdev x y fwd ip to 192.168.2.200 device eth0
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support for the new connlimit stateful expression, that
provides a mapping with the connlimit iptables extension through meters.
eg.
nft add rule filter input tcp dport 22 \
meter test { ip saddr ct count over 2 } counter reject
This limits the maximum amount incoming of SSH connections per source
address up to 2 simultaneous connections.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Although technically there already is support for JSON output via 'nft
export json' command, it is hardly useable since it exports all the gory
details of nftables VM. Also, libnftables has no control over what is
exported since the content comes directly from libnftnl.
Instead, implement JSON format support for regular 'nft list' commands.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds a bunch of functions for conversion of different values into
string (and vice-versa).
* log_level_parse(): A simple helper to turn log level string
representation into log level value.
* nat_etype2str(): Translate nat statement type into string
representation.
* ct_dir2str(): Convert IP_CT_DIR_* values into string representation.
* ct_label2str(): Convert ct_label values into string representation.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This removes static flag and adds header prototype for the following
functions:
* must_print_eq_op() from src/expression.c
* fib_result_str() from src/fib.c
* set_policy2str() and chain_policy2str from src/rule.c
In fib.h, include linux/netfilter/nf_tables.h to make sure enum
nft_fib_result is known when including this file.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This removes static flag and adds declarations in headers for the
following arrays:
* ct_templates from src/ct.c
* mark_tbl from src/datatype.c
* meta_templates and devgroup_tbl from src/meta.c
* table_flags_name from src/rule.c
* set_stmt_op_names from src/statement.c
* tcpopthdr_protocols from src/tcpopt.c
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
meters are updated dynamically, so we don't know in advance
how large this structure can be.
Add a 'size' keyword to specifiy an upper limit and update
the old syntax to assume a default max value of 65535.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
All these statements are very similar, handling them with the same code
is obvious. The only thing required here is a custom extension of enum
nft_nat_types which is used in nat_stmt to distinguish between snat and
dnat already. Though since enum nft_nat_types is part of kernel uAPI,
create a local extended version containing the additional fields.
Note that nat statement printing got a bit more complicated to get the
number of spaces right for every possible combination of attributes.
Note also that there wasn't a case for STMT_MASQ in
rule_parse_postprocess(), which seems like a bug. Since STMT_MASQ became
just a variant of STMT_NAT, postprocessing will take place for it now
anyway.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The support of dynamic adds and updates are only available for sets
and meters. This patch gives such abilities to maps as well.
This patch is useful in cases where dynamic population of maps are
required, for example, to maintain a persistence during some period
of time.
Example:
table ip nftlb {
map persistencia {
type ipv4_addr : mark
timeout 1h
elements = { 192.168.1.132 expires 59m55s : 0x00000064,
192.168.56.101 expires 59m24s : 0x00000065 }
}
chain pre {
type nat hook prerouting priority 0; policy accept;
map update \
{ @nh,96,32 : numgen inc mod 2 offset 100 } @persistencia
}
}
An example of the netlink generated sequence:
nft --debug=netlink add rule ip nftlb pre map add \
{ ip saddr : numgen inc mod 2 offset 100 } @persistencia
ip nftlb pre
[ payload load 4b @ network header + 12 => reg 1 ]
[ numgen reg 2 = inc mod 2 offset 100 ]
[ dynset add reg_key 1 set persistencia sreg_data 2 ]
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch allows us to refer to existing flowtables:
# nft add rule x x flow offload @m
Packets matching this rule create an entry in the flow table 'm', hence,
follow up packets that get to the flowtable at ingress bypass the
classic forwarding path.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Revert commit bce55916b51ec1a4c23322781e3b0c698ecc9561, we need this
code in place to properly make translation when iptables-compat loads
rules.
Reported-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
According to bugzilla 1137: "flow tables" should not be syntactically
unique.
"Flow tables are always named, but they don't conform to the way sets,
maps, and dictionaries work in terms of "add" and "delete" and all that.
They are also "flow tables" instead of one word like "flows" or
"throttle" or something.
It seems weird to just have these break the syntactic expectations."
Personally, I never liked the reference to "table" since we have very
specific semantics in terms of what a "table" is netfilter for long
time.
This patch promotes "meter" as the new keyword. The former syntax is
still accepted for a while, just to reduce chances of breaking things.
At some point the former syntax will just be removed.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1137
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch adds support for a new type of stateful object: limit.
Creation, deletion and listing operations are supported.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This adds support for tcp mss mangling:
nft add rule filter input tcp option maxseg size 1200
Its also possible to change other tcp option fields, but
maxseg is one of the more useful ones to change.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Remove functions xt_stmt_alloc(), xt_stmt_release(), xt_stmt_xlate(),
xt_stmt_print(), xt_stmt_destroy() as they are not used. Similarly,
remove structure xt_stmt_ops.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
libnftables library will be created soon. So declare numeric_output,
stateless_output, ip2name_output and handle_output as members of
structure output_ctx, instead of global variables. Rename these
variables as following,
numeric_output -> numeric
stateless_output -> stateless
ip2name_output -> ip2name
handle_output -> handle
Also add struct output_ctx *octx as member of struct netlink_ctx.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
nft automatically understands 'ct zone set 1' but when a direction is
specified too we get a parser error since they are currently only
allowed for plain ct expressions.
This permits the existing syntax ('ct original zone') for all tokens with
an optional direction also for set statements.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This patch adds a new objref statement to refer to existing stateful
objects from rules, eg.
# nft add rule filter input counter name test counter
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch allows you to dump existing stateful objects, eg.
# nft list ruleset
table ip filter {
counter test {
packets 64 bytes 1268
}
quota test {
over 1 mbytes used 1268 bytes
}
chain input {
type filter hook input priority 0; policy accept;
quota name test drop
counter name test
}
}
# nft list quotas
table ip filter {
quota test {
over 1 mbytes used 1268 bytes
}
}
# nft list counters
table ip filter {
counter test {
packets 64 bytes 1268
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
table ip x {
chain y {
type filter hook forward priority 0; policy accept;
quota over 200 mbytes used 1143 kbytes drop
}
}
This patch allows us to list and to restore used quota.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Now NF_LOG_XXX is exposed to the userspace, we can set it explicitly.
Like iptables LOG target, we can log TCP sequence numbers, TCP options,
IP options, UID owning local socket and decode MAC header. Note the
log flags are mutually exclusive with group.
Some examples are listed below:
# nft add rule t c log flags tcp sequence,options
# nft add rule t c log flags ip options
# nft add rule t c log flags skuid
# nft add rule t c log flags ether
# nft add rule t c log flags all
# nft add rule t c log flags all group 1
<cmdline>:1:14-16: Error: flags and group are mutually exclusive
add rule t c log flags all group 1
^^^
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch adds the notrack statement, to skip connection tracking for
certain packets.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This new statement is stateful, so it can be used from flow tables, eg.
# nft add rule filter input \
flow table http { ip saddr timeout 60s quota over 50 mbytes } drop
This basically sets a quota per source IP address of 50 mbytes after
which packets are dropped. Note that the timeout releases the entry if
no traffic is seen from this IP after 60 seconds.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
At compilation time, you have to pass this option.
# ./configure --with-xtables
And libxtables needs to be installed in your system.
This patch allows to list a ruleset containing xt extensions loaded
through iptables-compat-restore tool.
Example:
$ iptables-save > ruleset
$ cat ruleset
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m multiport --dports 80,81 -j REJECT
COMMIT
$ sudo iptables-compat-restore ruleset
$ sudo nft list rulseset
table ip filter {
chain INPUT {
type filter hook input priority 0; policy accept;
ip protocol tcp tcp dport { 80,81} counter packets 0 bytes 0 reject
}
chain FORWARD {
type filter hook forward priority 0; policy drop;
}
chain OUTPUT {
type filter hook output priority 0; policy accept;
}
}
A translation of the extension is shown if this is available. In other
case, match or target definition is preceded by a hash. For example,
classify target has not translation:
$ sudo nft list chain mangle POSTROUTING
table ip mangle {
chain POSTROUTING {
type filter hook postrouting priority -150; policy accept;
ip protocol tcp tcp dport 80 counter packets 0 bytes 0 # CLASSIFY set 20:10
^^^
}
}
If the whole ruleset is translatable, the users can (re)load it using
"nft -f" and get nft native support for all their rules.
This patch is joint work by the authors listed below.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The flow statement allows to instantiate per flow statements for user
defined flows. This can so far be used for per flow accounting or limiting,
similar to what the iptables hashlimit provides. Flows can be aged using
the timeout option.
Examples:
# nft filter input flow ip saddr . tcp dport limit rate 10/second
# nft filter input flow table acct iif . ip saddr timeout 60s counter
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
The flow statement contains a stateful per flow statement, which is not
directly part of the rule. Allow generating these statements without adding
them to the rule and mark the supported statements using a new flag
STMT_F_STATEFUL.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Provide full support for masquerading by allowing port range selection, eg.
# nft add rule nat postrouting ip protocol tcp masquerade to :1024-10024
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch add support for the forward statement, only available at the
netdev family.
# nft add table netdev filter
# nft add chain netdev filter ingress { type filter hook ingress device eth0 priority 0\; }
# nft add rule netdev filter ingress fwd to dummy0
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
So far it was only possible to match packet under a rate limit, this
patch allows you to explicitly indicate if you want to match packets
that goes over or until the rate limit, eg.
... limit rate over 3/second counter log prefix "OVERLIMIT: " drop
... limit rate over 3 mbytes/second counter log prefix "OVERLIMIT: " drop
... ct state invalid limit rate until 1/second counter log prefix "INVALID: "
When listing rate limit until, this shows:
... ct state invalid limit rate 1/second counter log prefix "INVALID: "
thus, the existing syntax is still valid (i.e. default to rate limit until).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Add support for payload mangling using the payload statement. The syntax
is similar to the other data changing statements:
nft filter output tcp dport set 25
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
| |
This allows you to clone packets to destination address, eg.
... dup to 172.20.0.2
... dup to 172.20.0.2 device eth1
... dup to ip saddr map { 192.168.0.2 : 172.20.0.2, ... } device eth1
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
... limit rate 1024 mbytes/second burst 10240 bytes
... limit rate 1/second burst 3 packets
This parameter is optional.
You need a Linux kernel >= 4.3-rc1.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This example show how to accept packets below the ratelimit:
... limit rate 1024 mbytes/second counter accept
You need a Linux kernel >= 4.3-rc1.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The set statement is used to dynamically add or update elements in a set.
Syntax:
# nft filter input set add tcp dport @myset
# nft filter input set add ip saddr timeout 10s @myset
# nft filter input set update ip saddr timeout 10s @myset
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch adds redirect support for nft.
The syntax is:
% nft add rule nat prerouting redirect [port] [nat_flags]
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds masquerade support for nft.
The syntax is:
% nft add rule nat postrouting masquerade [flags]
Currently, flags are:
random, random-fully, persistent
Example:
% nft add rule nat postrouting masquerade random,persistent
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds more configuration options to the nat expression.
The syntax is as follow:
% nft add rule nat postrouting <snat|dnat> <nat_arguments> [flags]
Flags are: random, persistent, random-fully.
Example:
% nft add rule nat postrouting dnat 1.1.1.1 random,persistent
A requirement is to cache some [recent] copies of kernel headers.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch allows to use the reject action in rules. For example:
nft add rule filter input udp dport 22 reject
In this rule, we assume that the reason is network unreachable. Also
we can specify the reason with the option "with" and the reason. For example:
nft add rule filter input tcp dport 22 reject with icmp type host-unreachable
In the bridge tables and inet tables, we can use this action too. For example:
nft add rule inet filter input reject with icmp type host-unreachable
In this rule above, this generates a meta nfproto dependency to match
ipv4 traffic because we use a icmpv4 reason to reject.
If the reason is not specified, we infer it from the context.
Moreover, we have the new icmpx datatype. You can use this datatype for
the bridge and the inet tables to simplify your ruleset. For example:
nft add rule inet filter input reject with icmpx type host-unreachable
We have four icmpx reason and the mapping is:
ICMPX reason | ICMPv6 | ICMPv4
| |
admin-prohibited | admin-prohibited | admin-prohibited
port-unreachable | port-unreachable | port-unreachable
no-route | no-route | net-unreachable
host-unreachable | addr-unreachable | host-unreachable
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
With this patch, this function returns a statement with the new dependency
that we want to add, instead of an expression.
This change is needed in a follow up patch.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Rename keyword tokens to their actual keyword
- Change the grammar to follow the standard schema for statements and arguments
- Use actual expression for the queue numbers to support using normal range
expressions, symbolic expression and so on.
- restore comma seperation of flag keywords
The result is that its possible to use standard ranges, prefix expressions,
symbolic expressions etc for the queue number. We get checks for overflow,
negative ranges and so on automatically.
The comma seperation of flags is more similar to what we have for other
flag values. It is still possible to use spaces, however this could be
removed since we never had a release supporting that.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch is required if you use upcoming Linux kernels >= 3.17
which come with a complete logging support for nf_tables.
If you use 'log' without options, the kernel logging buffer is used:
nft> add rule filter input log
You can also specify the logging prefix string:
nft> add rule filter input log prefix "input: "
You may want to specify the log level:
nft> add rule filter input log prefix "input: " level notice
By default, if not specified, the default level is 'warn' (just like
in iptables).
If you specify the group, then nft uses the nfnetlink_log instead:
nft> add rule filter input log prefix "input: " group 10
You can also specify the snaplen and qthreshold for the nfnetlink_log.
But you cannot mix level and group at the same time, they are mutually
exclusive.
Default values for both snaplen and qthreshold are 0 (just like in
iptables).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch reverts Alvaro's 34040b1 ("reject: add ICMP code parameter
for indicating the type of error") and 11b2bb2 ("reject: Use protocol
context for indicating the reject type").
These patches are flawed by two things:
1) IPv6 support is broken, only ICMP codes are considered.
2) If you don't specify any transport context, the utility exits without
adding the rule, eg. nft add rule ip filter input reject.
The kernel is also flawed when it comes to the inet table. Let's revert
this until we can provide decent reject reason support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
