summaryrefslogtreecommitdiffstats
path: root/include
Commit message (Collapse)AuthorAgeFilesLines
* src: add ct expectations supportStéphane Veyret2019-07-162-1/+23
| | | | | | | This modification allow to directly add/list/delete expectations. Signed-off-by: Stéphane Veyret <sveyret@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: missing object maps handling in list and flush commandsPablo Neira Ayuso2019-07-161-0/+15
| | | | | | | | | | | | | | | | | | | | NFT_SET_OBJECT tells there is an object map. # nft list ruleset table inet filter { map countermap { type ipv4_addr : counter } } The following command fails: # nft flush set inet filter countermap This patch checks for NFT_SET_OBJECT from new set_is_literal() and map_is_literal() functions. This patch also adds tests for this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add set_is_datamap(), set_is_objmap() and set_is_map() helpersPablo Neira Ayuso2019-07-161-0/+16
| | | | | | | | | | | | | Two map types are currently possible: * data maps, ie. set_is_datamap(). * object maps, ie. set_is_objmap(). This patch adds helper functions to check for the map type. set_is_map() allows you to check for either map type. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* proto: add pseudo th protocol to match d/sport in generic wayFlorian Westphal2019-07-151-0/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Problem: Its not possible to easily match both udp and tcp in a single rule. ... input ip protocol { tcp,udp } dport 53 will not work, as bison expects "tcp dport" or "sctp dport", or any other transport protocol name. Its possible to match the sport and dport via raw payload expressions, e.g.: ... input ip protocol { tcp,udp } @th,16,16 53 but its not very readable. Furthermore, its not possible to use this for set definitions: table inet filter { set myset { type ipv4_addr . inet_proto . inet_service } chain forward { type filter hook forward priority filter; policy accept; ip daddr . ip protocol . @th,0,16 @myset } } # nft -f test test:7:26-35: Error: can not use variable sized data types (integer) in concat expressions During the netfilter workshop Pablo suggested to add an alias to do raw sport/dport matching more readable, and make it use the inet_service type automatically. So, this change makes @th,0,16 work for the set definition case by setting the data type to inet_service. A new "th s|dport" syntax is provided as readable alternative: ip protocol { tcp, udp } th dport 53 As "th" is an alias for the raw expression, no dependency is generated -- its the users responsibility to add a suitable test to select the l4 header types that should be matched. Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cli: remove useless #include headersPablo Neira Ayuso2019-07-051-0/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ipopt: missing ipopt.h and ipopt.c filesPablo Neira Ayuso2019-07-041-0/+29
| | | | | | Fixes: 226a0e072d5c ("exthdr: add support for matching IPv4 options") Reported-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: add support for matching IPv4 optionsStephen Suryaputra2019-07-043-0/+4
| | | | | | | | | Add capability to have rules matching IPv4 options. This is developed mainly to support dropping of IP packets with loose and/or strict source route route options. Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: export public symbols onlyArturo Borrero Gonzalez2019-07-011-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Export public symbols (the library API functions) instead of all symbols in the library. This patch introduces the required macros to manage the visibility attributes (mostly copied from libnftnl.git) and also marks each symbol as exported when they need to be public. Also, introduce a .map file for proper symbol versioning. Previous to this patch, libnftables public symbols were: % dpkg-gensymbols -q -plibnftables -v0.9.1 -O -esrc/.libs/libnftables.so.1 | wc -l 527 With this patch, libnftables symbols are: % dpkg-gensymbols -q -plibnftables -v0.9.1 -O -esrc/.libs/libnftables.so.1 libnftables.so.1 libnftables #MINVER# nft_ctx_add_include_path@Base 0.9.1 nft_ctx_buffer_error@Base 0.9.1 nft_ctx_buffer_output@Base 0.9.1 nft_ctx_clear_include_paths@Base 0.9.1 nft_ctx_free@Base 0.9.1 nft_ctx_get_dry_run@Base 0.9.1 nft_ctx_get_error_buffer@Base 0.9.1 nft_ctx_get_output_buffer@Base 0.9.1 nft_ctx_new@Base 0.9.1 nft_ctx_output_get_debug@Base 0.9.1 nft_ctx_output_get_flags@Base 0.9.1 nft_ctx_output_set_debug@Base 0.9.1 nft_ctx_output_set_flags@Base 0.9.1 nft_ctx_set_dry_run@Base 0.9.1 nft_ctx_set_error@Base 0.9.1 nft_ctx_set_output@Base 0.9.1 nft_ctx_unbuffer_error@Base 0.9.1 nft_ctx_unbuffer_output@Base 0.9.1 nft_run_cmd_from_buffer@Base 0.9.1 nft_run_cmd_from_filename@Base 0.9.1 Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: support for NFT_CT_{SRC,DST}_{IP,IP6}Pablo Neira Ayuso2019-06-211-2/+1
| | | | | | | | | | | | | | | | | These keys are available since kernel >= 4.17. You can still use NFT_CT_{SRC,DST}, however, you need to specify 'meta protocol' in first place to provide layer 3 context. Note that NFT_CT_{SRC,DST} are broken with set, maps and concatenations. This patch is implicitly fixing these cases. If your kernel is < 4.17, you can still use address matching via explicit meta nfproto: meta nfproto ipv4 ct original saddr 1.2.3.4 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: statement: disable reject statement type omission for bridgeFlorian Westphal2019-06-191-1/+2
| | | | | | | | | | | | | add rule bridge test-bridge input reject with icmp type port-unreachable ... will be printed as 'reject', which is fine on ip family, but not on bridge -- 'with icmp type' adds an ipv4 dependency, but simple reject does not (it will use icmpx to also reject ipv6 packets with an icmpv6 error). Add a toggle to supress short-hand versions in this case. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add cache level flagsPablo Neira Ayuso2019-06-174-3/+38
| | | | | | | | | | | | | The score approach based on command type is confusing. This patch introduces cache level flags, each flag specifies what kind of object type is needed. These flags are set on/off depending on the list of commands coming in this batch. cache_is_complete() now checks if the cache contains the objects that are needed through these new flags. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: remove netlink_list_table()Pablo Neira Ayuso2019-06-171-1/+1
| | | | | | Remove this wrapper, call netlink_list_rules() instead. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove useless parameter from cache_flush()Pablo Neira Ayuso2019-06-171-2/+1
| | | | | | Command type is never used in cache_flush(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache: do not populate the cache in case of flush ruleset commandPablo Neira Ayuso2019-06-141-0/+1
| | | | | | | | __CMD_FLUSH_RULESET is a dummy definition that used to skip the netlink dump to populate the cache. This patch is a workaround until we have a better infrastructure to track the state of the cache objects. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: double datatype_free() with dynamic integer datatypesPablo Neira Ayuso2019-06-141-1/+0
| | | | | | datatype_set() already deals with this case, remove this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add reference counter for dynamic datatypesPablo Neira Ayuso2019-06-132-3/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There are two datatypes are using runtime datatype allocation: * Concatenations. * Integer, that require byteorder adjustment. From the evaluation / postprocess step, transformations are common, hence expressions may end up fetching (infering) datatypes from an existing one. This patch adds a reference counter to release the dynamic datatype object when it is shared. The API includes the following helper functions: * datatype_set(expr, datatype), to assign a datatype to an expression. This helper already deals with reference counting for dynamic datatypes. This also drops the reference counter of any previous datatype (to deal with the datatype replacement case). * datatype_get(datatype) bumps the reference counter. This function also deals with nul-pointers, that occurs when the datatype is unset. * datatype_free() drops the reference counter, and it also releases the datatype if there are not more clients of it. Rule of thumb is: The reference counter of any newly allocated datatype is set to zero. This patch also updates every spot to use datatype_set() for non-dynamic datatypes, for consistency. In this case, the helper just makes an simple assignment. Note that expr_alloc() has been updated to call datatype_get() on the datatype that is assigned to this new expression. Moreover, expr_free() calls datatype_free(). This fixes valgrind reports like this one: ==28352== 1,350 (440 direct, 910 indirect) bytes in 5 blocks are definitely lost in loss recor 3 of 3 ==28352== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299) ==28352== by 0x4E79558: xmalloc (utils.c:36) ==28352== by 0x4E7963D: xzalloc (utils.c:65) ==28352== by 0x4E6029B: dtype_alloc (datatype.c:1073) ==28352== by 0x4E6029B: concat_type_alloc (datatype.c:1127) ==28352== by 0x4E6D3B3: netlink_delinearize_set (netlink.c:578) ==28352== by 0x4E6D68E: list_set_cb (netlink.c:648) ==28352== by 0x5D74023: nftnl_set_list_foreach (set.c:780) ==28352== by 0x4E6D6F3: netlink_list_sets (netlink.c:669) ==28352== by 0x4E5A7A3: cache_init_objects (rule.c:159) ==28352== by 0x4E5A7A3: cache_init (rule.c:216) ==28352== by 0x4E5A7A3: cache_update (rule.c:266) ==28352== by 0x4E7E0EE: nft_evaluate (libnftables.c:388) ==28352== by 0x4E7EADD: nft_run_cmd_from_filename (libnftables.c:479) ==28352== by 0x109A53: main (main.c:310) This patch also removes the DTYPE_F_CLONE flag which is broken and not needed anymore since proper reference counting is in place. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: release expressions in context registersPablo Neira Ayuso2019-06-101-1/+3
| | | | | | | | | netlink_release_registers() needs to go a bit further to release the expressions in the register array. This should be safe since netlink_get_register() clones expressions in the context registers. Reported-by: Václav Zindulka <vaclav.zindulka@tlapnet.cz> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Support intra-transaction rule referencesPhil Sutter2019-06-071-0/+2
| | | | | | | | | | | | | | | | | | | | | | | A rule may be added before or after another one using index keyword. To support for the other rule being added within the same batch, one has to make use of NFTNL_RULE_ID and NFTNL_RULE_POSITION_ID attributes. This patch does just that among a few more crucial things: * If cache is complete enough to contain rules, update cache when evaluating rule commands so later index references resolve correctly. * Reduce rule_translate_index() to its core code which is the actual linking of rules and consequently rename the function. The removed bits are pulled into the calling rule_evaluate() to reduce code duplication in between cache updates with and without rule reference. * Pass the current command op to rule_evaluate() as indicator whether to insert before or after a referenced rule or at beginning or end of chain in cache. Exploit this from chain_evaluate() to avoid adding the chain's rules a second time. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Make cache_is_complete() publicPhil Sutter2019-06-071-0/+1
| | | | | Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: Introduce rule_lookup_by_index()Phil Sutter2019-06-071-0/+2
| | | | | | | | In contrast to rule_lookup(), this function returns a chain's rule at a given index instead of by handle. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: generation ID is 32-bit longPablo Neira Ayuso2019-06-072-2/+2
| | | | | | | | Update mnl_genid_get() to return 32-bit long generation ID. Add nft_genid_u16() which allows us to catch ruleset updates from the netlink dump path via 16-bit long nfnetlink resource ID field. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: single cache_update() call to build cache before evaluationPablo Neira Ayuso2019-06-061-0/+1
| | | | | | | | | | | | | | | This patch allows us to make one single cache_update() call. Thus, there is not need to rebuild an incomplete cache from the middle of the batch processing. Note that nft_run_cmd_from_filename() does not need a full netlink dump to build the cache anymore, this should speed nft -f with incremental updates and very large rulesets. cache_evaluate() calculates the netlink dump to populate the cache that this batch needs. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: perform evaluation after parsingPablo Neira Ayuso2019-06-051-1/+0
| | | | | | | | | | | | | | | | | Since 61236968b7a1 ("parser: evaluate commands immediately after parsing"), evaluation is invoked from the parsing phase in order to improve error reporting. However, this approach is problematic from the cache perspective since we don't know if a full or partial netlink dump from the kernel is needed. If the number of objects in the kernel is significant, the netlink dump operation to build the cache may significantly slow down commands. This patch moves the evaluation phase after the parsing phase as a preparation update to allow for a better strategy to build the cache. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: dynamic input_descriptor allocationPablo Neira Ayuso2019-06-052-1/+3
| | | | | | | | | | | | | This patch introduces the input descriptor list, that stores the existing input descriptor objects. These objects are now dynamically allocated and release from scanner_destroy() path. Follow up patches that decouple the parsing and the evaluation phases require this for error reporting as described by b14572f72aac ("erec: Fix input descriptors for included files"), this patch partially reverts such partial. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mnl: estimate receiver buffer sizePablo Neira Ayuso2019-05-311-1/+2
| | | | | | | | | | | | | | | | | Set a receiver buffer size based on the number of commands and the average message size, this is useful for the --echo option in order to avoid ENOBUFS errors. On the kernel side, each skbuff consumes truesize from the socket queue (although it uses NLMSG_GOODSIZE to allocate it), which is approximately four times the estimated size per message that we get in turn for each echo message to ensure enough receiver buffer space. We could also explore increasing the buffer and retry if mnl_nft_socket_sendmsg() hits ENOBUFS if we ever hit this problem again. Reported-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Introduce chain_expr in jump and goto statementsFernando Fernandez Mancera2019-05-241-2/+2
| | | | | | | | | Introduce expressions as a chain in jump and goto statements. This is going to be used to support variables as a chain in the following patches. Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for arp sender and target ethernet and IPv4 addressesPablo Neira Ayuso2019-05-242-0/+16
| | | | | | | | | | | | | | | | | | | | | | | | # nft add table arp x # nft add chain arp x y { type filter hook input priority 0\; } # nft add rule arp x y arp saddr ip 192.168.2.1 counter Testing this: # ip neigh flush dev eth0 # ping 8.8.8.8 # nft list ruleset table arp x { chain y { type filter hook input priority filter; policy accept; arp saddr ip 192.168.2.1 counter packets 1 bytes 46 } } You can also specify hardware sender address, eg. # nft add rule arp x y arp saddr ether aa:bb:cc:aa:bb:cc drop counter Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: update cache if cmd is more specificEric Garver2019-05-241-0/+1
| | | | | | | | | | | | | | | | | If we've done a partial fetch of the cache and the genid is the same the cache update will be skipped without fetching the needed items. This change flushes the cache if the new request is more specific than the current cache - forcing a cache update which includes the needed items. Introduces a simple scoring system which reflects how cache_init_objects() looks at the current command to decide if it is finished already or not. Then use that in cache_needs_more(): If current command's score is higher than old command's, cache needs an update. Fixes: 816d8c7659c1 ("Support 'add/insert rule index <IDX>'") Signed-off-by: Eric Garver <eric@garver.life> Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: refresh nf_tables.h cached copyPablo Neira Ayuso2019-05-121-1/+1
| | | | | | Fetch fix for NFT_LOGLEVEL_MAX. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use definitions in include/linux/netfilter/nf_tables.hPablo Neira Ayuso2019-05-121-0/+2
| | | | | | | | | | | | | | | Use NFT_LOGLEVEL_* definitions in UAPI. Make an internal definition of NFT_OSF_F_VERSION, this was originally defined in the UAPI header in the initial patch version, however, this is not available anymore. Add a bison rule to deal with the timeout case. Otherwise, compilation breaks. Fixes: d3869cae9d62 ("include: refresh nf_tables.h cached copy") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: refresh nf_tables.h cached copyPablo Neira Ayuso2019-05-121-38/+140
| | | | | | Refresh it to fetch what we have in 5.2-rc. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* gmputil: Add missing header for va_listRosen Penev2019-05-061-0/+1
| | | | | | | Otherwise it errors with unknown type name when using uClibc. Signed-off-by: Rosen Penev <rosenp@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use UDATA defines from libnftnlPhil Sutter2019-05-031-32/+0
| | | | | | | | | | | | | Userdata attribute names have been added to libnftnl, use them instead of the local copy. While being at it, rename udata_get_comment() in netlink_delinearize.c and the callback it uses since the function is specific to rules. Also integrate the existence check for NFTNL_RULE_USERDATA into it along with the call to nftnl_rule_get_data(). Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix double free on xt stmt destructionFlorian Westphal2019-05-011-1/+1
| | | | | | | | | | | | 'nft monitor' dies with: *** Error in `/sbin/nft': double free or corruption (fasttop): 0x000055f8ba57b750 *** ... when the iptables-nft test suite is running in parallel, because xfree(stmt->xt.name) gets called twice. Fixes: 4ac11b890fe870 ("src: missing destroy function in statement definitions") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add nat support for the inet familyFlorian Westphal2019-04-091-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | consider a simple ip6 nat table: table ip6 nat { chain output { type nat hook output priority 0; policy accept; dnat to dead:2::99 } Now consider same ruleset, but using 'table inet nat': nft now lacks context to determine address family to parse 'to $address'. This adds code to make the following work: table inet nat { [ .. ] # detect af from network protocol context: ip6 daddr dead::2::1 dnat to dead:2::99 # use new dnat ip6 keyword: dnat ip6 to dead:2::99 } On list side, the keyword is only shown in the inet family, else the short version (dnat to ...) is used as the family is redundant when the table already mandates the ip protocol version supported. Address mismatches such as table ip6 { .. dnat ip to 1.2.3.4 are detected/handled during the evaluation phase. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* osf: add version fingerprint supportFernando Fernandez Mancera2019-04-083-1/+9
| | | | | | | | | | | | | | | Add support for version fingerprint in "osf" expression. Example: table ip foo { chain bar { type filter hook input priority filter; policy accept; osf ttl skip name "Linux" osf ttl skip version "Linux:4.20" } } Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: missing misspell.h in Makefile.amPablo Neira Ayuso2019-03-201-0/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: file descriptor leak in include_file()Pablo Neira Ayuso2019-03-152-3/+6
| | | | | | | | File that contains the ruleset is never closed, track open files through the nft_ctx object and close them accordingly. Reported-by: Václav Zindulka <vaclav.zindulka@tlapnet.cz> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: remove dummy debug_octxPablo Neira Ayuso2019-03-061-1/+2
| | | | | | | | Breaks custom-defined configuration in library mode, ie. user may want to store output in a file, instead of stderr. Fixes: 35f6cd327c2e ("src: Pass stateless, numeric, ip2name and handle variables as structure members.") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: expr: fix build failure with json supportFlorian Westphal2019-02-121-0/+2
| | | | | | Fixes: e3f195777ee54 ("src: expr: remove expr_ops from struct expr") Reported-by: Mikhail Morfikov <mmorfikov@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: expr: remove expr_ops from struct exprFlorian Westphal2019-02-081-5/+4
| | | | | | | | size of struct expr changes from 144 to 128 bytes on x86_64. This doesn't look like much, but large rulesets can have tens of thousands of expressions (each set element is represented by an expression). Signed-off-by: Florian Westphal <fw@strlen.de>
* src: expr: add expression etypeFlorian Westphal2019-02-081-1/+2
| | | | | | | | Temporary kludge to remove all the expr->ops->type == ... patterns. Followup patch will remove expr->ops, and make expr_ops() lookup the correct expr_ops struct instead to reduce struct expr size. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: payload: export and use payload_expr_cmpFlorian Westphal2019-02-081-0/+2
| | | | | | | expr->ops is going away, so export payload cmp and use it directly. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: expr: add and use expr_name helperFlorian Westphal2019-02-081-0/+2
| | | | | | | | Currently callers use expr->ops->name, but follouwp patch will remove the ops pointer from struct expr. So add this helper and use it everywhere. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: add cplusplus guards for externPablo Neira Ayuso2019-01-281-0/+8
| | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Phil Sutter <phil@nwl.cc>
* meta: add iifkind and oifkind supportwenxu2019-01-281-0/+4
| | | | | | | | | | This can be used to match the kind type of iif or oif interface of the packet. Example: add rule inet raw prerouting meta iifkind "vrf" accept Signed-off-by: wenxu <wenxu@ucloud.cn> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add igmp supportPablo Neira Ayuso2019-01-092-0/+12
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove deprecated code for export/import commandsPablo Neira Ayuso2018-12-272-7/+0
| | | | | | | | | | | | | | | | | | Update parser to display this error message: # nft export json Error: JSON export is no longer supported, use 'nft -j list ruleset' instead export json ^^^^^^^^^^^^ Just like: # nft export vm json Error: JSON export is no longer supported, use 'nft -j list ruleset' instead export vm json ^^^^^^^^^^^^^^^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: introduce simple hints on incorrect identifierPablo Neira Ayuso2018-12-011-0/+2
| | | | | | | | | | | | | | | | | # cat test.nft define test = "1.2.3.4" table ip x { chain y { ip saddr $text } } # nft -f test.nft test.nft:5:13-16: Error: unknown identifier 'text'; did you mean identifier ‘test’? ip saddr $text ^^^^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: introduce simple hints on incorrect objectPablo Neira Ayuso2018-12-011-0/+3
| | | | | | | | | | # nft add counter x test # nft list counter x test Error: No such file or directory; did you mean obj ‘test’ in table ip ‘x’? list counter x text ^^^^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>