summaryrefslogtreecommitdiffstats
path: root/include/statement.h
Commit message (Collapse)AuthorAgeFilesLines
* src: add log flags syntax supportLiping Zhang2016-11-241-0/+1
| | | | | | | | | | | | | | | | | | | | | Now NF_LOG_XXX is exposed to the userspace, we can set it explicitly. Like iptables LOG target, we can log TCP sequence numbers, TCP options, IP options, UID owning local socket and decode MAC header. Note the log flags are mutually exclusive with group. Some examples are listed below: # nft add rule t c log flags tcp sequence,options # nft add rule t c log flags ip options # nft add rule t c log flags skuid # nft add rule t c log flags ether # nft add rule t c log flags all # nft add rule t c log flags all group 1 <cmdline>:1:14-16: Error: flags and group are mutually exclusive add rule t c log flags all group 1 ^^^ Signed-off-by: Liping Zhang <zlpnobody@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add notrack supportPablo Neira Ayuso2016-11-141-0/+2
| | | | | | | This patch adds the notrack statement, to skip connection tracking for certain packets. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add quota statementPablo Neira Ayuso2016-08-291-0/+10
| | | | | | | | | | | | | This new statement is stateful, so it can be used from flow tables, eg. # nft add rule filter input \ flow table http { ip saddr timeout 60s quota over 50 mbytes } drop This basically sets a quota per source IP address of 50 mbytes after which packets are dropped. Note that the timeout releases the entry if no traffic is seen from this IP after 60 seconds. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add xt compat supportPablo Neira Ayuso2016-07-131-0/+34
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | At compilation time, you have to pass this option. # ./configure --with-xtables And libxtables needs to be installed in your system. This patch allows to list a ruleset containing xt extensions loaded through iptables-compat-restore tool. Example: $ iptables-save > ruleset $ cat ruleset *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -p tcp -m multiport --dports 80,81 -j REJECT COMMIT $ sudo iptables-compat-restore ruleset $ sudo nft list rulseset table ip filter { chain INPUT { type filter hook input priority 0; policy accept; ip protocol tcp tcp dport { 80,81} counter packets 0 bytes 0 reject } chain FORWARD { type filter hook forward priority 0; policy drop; } chain OUTPUT { type filter hook output priority 0; policy accept; } } A translation of the extension is shown if this is available. In other case, match or target definition is preceded by a hash. For example, classify target has not translation: $ sudo nft list chain mangle POSTROUTING table ip mangle { chain POSTROUTING { type filter hook postrouting priority -150; policy accept; ip protocol tcp tcp dport 80 counter packets 0 bytes 0 # CLASSIFY set 20:10 ^^^ } } If the whole ruleset is translatable, the users can (re)load it using "nft -f" and get nft native support for all their rules. This patch is joint work by the authors listed below. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add flow statementPatrick McHardy2016-05-131-0/+12
| | | | | | | | | | | | | | | The flow statement allows to instantiate per flow statements for user defined flows. This can so far be used for per flow accounting or limiting, similar to what the iptables hashlimit provides. Flows can be aged using the timeout option. Examples: # nft filter input flow ip saddr . tcp dport limit rate 10/second # nft filter input flow table acct iif . ip saddr timeout 60s counter Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* stmt: support generating stateful statements outside of rule contextPatrick McHardy2016-05-131-0/+1
| | | | | | | | | | The flow statement contains a stateful per flow statement, which is not directly part of the rule. Allow generating these statements without adding them to the rule and mark the supported statements using a new flag STMT_F_STATEFUL. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Add support for masquerade port selectionShivani Bhardwaj2016-03-031-0/+1
| | | | | | | | | Provide full support for masquerading by allowing port range selection, eg. # nft add rule nat postrouting ip protocol tcp masquerade to :1024-10024 Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add fwd statement for netdevPablo Neira Ayuso2016-01-311-0/+10
| | | | | | | | | | | This patch add support for the forward statement, only available at the netdev family. # nft add table netdev filter # nft add chain netdev filter ingress { type filter hook ingress device eth0 priority 0\; } # nft add rule netdev filter ingress fwd to dummy0 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support limit rate over valuePablo Neira Ayuso2016-01-141-0/+1
| | | | | | | | | | | | | | | | | | So far it was only possible to match packet under a rate limit, this patch allows you to explicitly indicate if you want to match packets that goes over or until the rate limit, eg. ... limit rate over 3/second counter log prefix "OVERLIMIT: " drop ... limit rate over 3 mbytes/second counter log prefix "OVERLIMIT: " drop ... ct state invalid limit rate until 1/second counter log prefix "INVALID: " When listing rate limit until, this shows: ... ct state invalid limit rate 1/second counter log prefix "INVALID: " thus, the existing syntax is still valid (i.e. default to rate limit until). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* payload: add payload statementPatrick McHardy2015-11-251-0/+11
| | | | | | | | | Add support for payload mangling using the payload statement. The syntax is similar to the other data changing statements: nft filter output tcp dport set 25 Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: add dup statement supportPablo Neira Ayuso2015-09-301-0/+10
| | | | | | | | | | This allows you to clone packets to destination address, eg. ... dup to 172.20.0.2 ... dup to 172.20.0.2 device eth1 ... dup to ip saddr map { 192.168.0.2 : 172.20.0.2, ... } device eth1 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add burst parameter to limitPablo Neira Ayuso2015-09-231-0/+1
| | | | | | | | | | | ... limit rate 1024 mbytes/second burst 10240 bytes ... limit rate 1/second burst 3 packets This parameter is optional. You need a Linux kernel >= 4.3-rc1. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add per-bytes limitPablo Neira Ayuso2015-09-231-0/+1
| | | | | | | | | | This example show how to accept packets below the ratelimit: ... limit rate 1024 mbytes/second counter accept You need a Linux kernel >= 4.3-rc1. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nftables: add set statemetPatrick McHardy2015-04-121-0/+11
| | | | | | | | | | | | The set statement is used to dynamically add or update elements in a set. Syntax: # nft filter input set add tcp dport @myset # nft filter input set add ip saddr timeout 10s @myset # nft filter input set update ip saddr timeout 10s @myset Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: add redirect supportArturo Borrero2014-11-041-0/+10
| | | | | | | | | | | This patch adds redirect support for nft. The syntax is: % nft add rule nat prerouting redirect [port] [nat_flags] Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add masquerade supportArturo Borrero2014-10-091-0/+9
| | | | | | | | | | | | | | | | | This patch adds masquerade support for nft. The syntax is: % nft add rule nat postrouting masquerade [flags] Currently, flags are: random, random-fully, persistent Example: % nft add rule nat postrouting masquerade random,persistent Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add nat persistent and random optionsArturo Borrero2014-10-091-0/+1
| | | | | | | | | | | | | | | | | This patch adds more configuration options to the nat expression. The syntax is as follow: % nft add rule nat postrouting <snat|dnat> <nat_arguments> [flags] Flags are: random, persistent, random-fully. Example: % nft add rule nat postrouting dnat 1.1.1.1 random,persistent A requirement is to cache some [recent] copies of kernel headers. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: complete reject supportAlvaro Neira2014-10-091-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch allows to use the reject action in rules. For example: nft add rule filter input udp dport 22 reject In this rule, we assume that the reason is network unreachable. Also we can specify the reason with the option "with" and the reason. For example: nft add rule filter input tcp dport 22 reject with icmp type host-unreachable In the bridge tables and inet tables, we can use this action too. For example: nft add rule inet filter input reject with icmp type host-unreachable In this rule above, this generates a meta nfproto dependency to match ipv4 traffic because we use a icmpv4 reason to reject. If the reason is not specified, we infer it from the context. Moreover, we have the new icmpx datatype. You can use this datatype for the bridge and the inet tables to simplify your ruleset. For example: nft add rule inet filter input reject with icmpx type host-unreachable We have four icmpx reason and the mapping is: ICMPX reason | ICMPv6 | ICMPv4 | | admin-prohibited | admin-prohibited | admin-prohibited port-unreachable | port-unreachable | port-unreachable no-route | no-route | net-unreachable host-unreachable | addr-unreachable | host-unreachable Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Enhance payload_gen_dependency()Alvaro Neira2014-10-091-0/+1
| | | | | | | | | | With this patch, this function returns a statement with the new dependency that we want to add, instead of an expression. This change is needed in a follow up patch. Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* queue: clean up queue statementPatrick McHardy2014-09-241-2/+1
| | | | | | | | | | | | | | | | | | - Rename keyword tokens to their actual keyword - Change the grammar to follow the standard schema for statements and arguments - Use actual expression for the queue numbers to support using normal range expressions, symbolic expression and so on. - restore comma seperation of flag keywords The result is that its possible to use standard ranges, prefix expressions, symbolic expressions etc for the queue number. We get checks for overflow, negative ranges and so on automatically. The comma seperation of flags is more similar to what we have for other flag values. It is still possible to use spaces, however this could be removed since we never had a release supporting that. Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: add level option to the log statementPablo Neira Ayuso2014-07-251-0/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch is required if you use upcoming Linux kernels >= 3.17 which come with a complete logging support for nf_tables. If you use 'log' without options, the kernel logging buffer is used: nft> add rule filter input log You can also specify the logging prefix string: nft> add rule filter input log prefix "input: " You may want to specify the log level: nft> add rule filter input log prefix "input: " level notice By default, if not specified, the default level is 'warn' (just like in iptables). If you specify the group, then nft uses the nfnetlink_log instead: nft> add rule filter input log prefix "input: " group 10 You can also specify the snaplen and qthreshold for the nfnetlink_log. But you cannot mix level and group at the same time, they are mutually exclusive. Default values for both snaplen and qthreshold are 0 (just like in iptables). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: revert broken reject icmp code supportPablo Neira Ayuso2014-06-201-1/+0
| | | | | | | | | | | | | | | | | This patch reverts Alvaro's 34040b1 ("reject: add ICMP code parameter for indicating the type of error") and 11b2bb2 ("reject: Use protocol context for indicating the reject type"). These patches are flawed by two things: 1) IPv6 support is broken, only ICMP codes are considered. 2) If you don't specify any transport context, the utility exits without adding the rule, eg. nft add rule ip filter input reject. The kernel is also flawed when it comes to the inet table. Let's revert this until we can provide decent reject reason support. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* reject: add ICMP code parameter for indicating the type of errorÁlvaro Neira Ayuso2014-06-161-0/+1
| | | | | | | | | | | | | | | | | | | | This patch allows to indicate the ICMP code field in case that we use to reject. Before, we have always sent network unreachable error as ICMP code, now we can explicitly indicate the ICMP code that we want to use. Examples: nft add rule filter input tcp dport 22 reject with host-unreach nft add rule filter input udp dport 22 reject with host-unreach In this case, it will use the host unreachable code to reject traffic. The default code field still is network unreachable and we can also use the rules without the with like that: nft add rule filter input udp dport 22 reject Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* queue: More compact syntaxÁlvaro Neira Ayuso2014-06-111-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch allows to use a new syntax more compact and break the current syntax. This new syntax is more similar than the nftables syntax that we use usually. We can use range like we have used in other case in nftables. Here, we have some examples: Before, If we want to declare a queue, we have used a syntax like this: nft add rule test input queue num 1 total 3 options bypass,fanout If we want to use the queue number 1 and the two next (total 3), we use a range in the new syntax, for example: nft add rule test input queue num 1-3 bypass fanout Also if we want to use only one queue, the new rules are like: nft add rule test input queue num 1 # queue 1 or nft add rule test input queue # queue 0 And if we want to add a specific flags we only need to put what flags we want to use: nft add rule test input queue bypass we don't need to use options and the comma for indicating the flags. Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: add support for setting ct markArturo Borrero2014-03-131-0/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the possibility to set ct keys using nft. Currently, the connection mark is supported. This functionality enables creating rules performing the same action as iptables -j CONNMARK --save-mark. For example: table ip filter { chain postrouting { type filter hook postrouting priority 0; ip protocol icmp ip daddr 8.8.8.8 ct mark set meta mark } } My patch is based on the original http://patchwork.ozlabs.org/patch/307677/ by Kristian Evensen <kristian.evensen@gmail.com>. I simply did a rebase and some testing. To test, I added rules like these: counter meta mark set 1 counter counter ct mark set mark counter counter ct mark 1 counter The last matching worked as expected, which means the second rule is also working as expected. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Acked-by: Kristian Evensen <kristian.evensen@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for queueEric Leblond2014-01-041-0/+11
| | | | | | | | | | | This patch adds support for the queue target. It is now possible to specify rule sending packet to a given queue and using load balancing: nft add rule filter output queue num 3 total 2 options fanout Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: operational limit matchPhil Oester2013-10-221-1/+0
| | | | | | | | | | | | | | | | | | | | The nft limit match currently does not work at all. Below patches to nftables, libnftables, and kernel address the issue. A few notes on the implementation: - Removed support for nano/micro/milli second limits. These seem pointless, given we are using jiffies in the limit match, not a hpet. And who really needs to limit items down to sub-second level?? - 'depth' member is removed as unnecessary. All we need in the kernel is the rate and the unit. - 'stamp' member becomes the time we need to next refresh the token bucket, instead of being updated on every packet which goes through the match. This closes netfilter bugzilla #827, reported by Eric Leblond. Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* log: convert group and qthreshold to use u16Pablo Neira Ayuso2013-08-171-2/+2
| | | | | | | Required since (netfilter: nft_log: group and qthreshold are 2^16) kernel change. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Fix use of reserved names in header sandwichPatrick McHardy2009-03-181-3/+3
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* Initial commitv0.01-alpha1Patrick McHardy2009-03-181-0/+140