summaryrefslogtreecommitdiffstats
path: root/include
Commit message (Collapse)AuthorAgeFilesLines
* src: add support for flowtable counterHEADmasterPablo Neira Ayuso3 days1-0/+1
| | | | | | | | | | | | | | | | | | Allow users to enable flow counters via control plane toggle, e.g. table ip x { flowtable y { hook ingress priority 0; counter; } chain z { type filter hook ingress priority filter; flow add @z } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: resync nf_tables.h cache copyPablo Neira Ayuso3 days1-0/+25
| | | | | | Fetch recent updates to the kernel header. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for counter in set definitionPablo Neira Ayuso9 days1-0/+1
| | | | | | | | | | | | | | | | | | | | | This patch allows you to turn on counter for each element in the set. table ip x { set y { typeof ip saddr counter elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 } } chain z { type filter hook output priority filter; policy accept; ip daddr @y } } This example shows how to turn on counters globally in the set 'y'. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for restoring element countersPablo Neira Ayuso11 days1-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch allows you to restore counters in dynamic sets: table ip test { set test { type ipv4_addr size 65535 flags dynamic,timeout timeout 30d gc-interval 1d elements = { 192.168.10.13 expires 19d23h52m27s576ms counter packets 51 bytes 17265 } } chain output { type filter hook output priority 0; update @test { ip saddr } } } You can also add counters to elements from the control place, ie. table ip test { set test { type ipv4_addr size 65535 elements = { 192.168.2.1 counter packets 75 bytes 19043 } } chain output { type filter hook output priority filter; policy accept; ip daddr @test } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: don't evaluate payloads twice.Jeremy Sowden2020-03-041-0/+1
| | | | | | | | | Payload munging means that evaluation of payload expressions may not be idempotent. Add a flag to prevent them from being evaluated more than once. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: support for offload chain flagPablo Neira Ayuso2020-03-031-0/+1
| | | | | | | | | | | | | | | | | | | | This patch extends the basechain definition to allow users to specify the offload flag. This flag enables hardware offload if your drivers supports it. # cat file.nft table netdev x { chain y { type filter hook ingress device eth0 priority 10; flags offload; } } # nft -f file.nft Note: You have to enable offload via ethtool: # ethtool -K eth0 hw-tc-offload on Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow nat maps containing both ip(6) address and portFlorian Westphal2020-02-241-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | nft will now be able to handle map destinations { type ipv4_addr . inet_service : ipv4_addr . inet_service } chain f { dnat to ip daddr . tcp dport map @destinations } Something like this won't work though: meta l4proto tcp dnat ip6 to numgen inc mod 4 map { 0 : dead::f001 . 8080, .. as we lack the type info to properly dissect "dead::f001" as an ipv6 address. For the named map case, this info is available in the map definition, but for the anon case we'd need to resort to guesswork. Support is added by peeking into the map definition when evaluating a nat statement with a map. Right now, when a map is provided as address, we will only check that the mapped-to data type matches the expected size (of an ipv4 or ipv6 address). After this patch, if the mapped-to type is a concatenation, it will take a peek at the individual concat expressions. If its a combination of address and service, nft will translate this so that the kernel nat expression looks at the returned register that would store the inet_service part of the octet soup returned from the lookup expression. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expression: use common code for expr_ops/expr_ops_by_typeFlorian Westphal2020-02-231-0/+1
| | | | | | | Useless duplication. Also, this avoids bloating expr_ops_by_type() when it needs to cope with more expressions. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: improve error reporting when remove rulesPablo Neira Ayuso2020-02-191-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | # nft delete rule ip y z handle 7 Error: Could not process rule: No such file or directory delete rule ip y z handle 7 ^ # nft delete rule ip x z handle 7 Error: Could not process rule: No such file or directory delete rule ip x z handle 7 ^ # nft delete rule ip x x handle 7 Error: Could not process rule: No such file or directory delete rule ip x x handle 7 ^ # nft replace rule x y handle 10 ip saddr 1.1.1.2 counter Error: Could not process rule: No such file or directory replace rule x y handle 10 ip saddr 1.1.1.2 counter ^^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mnl: extended error support for create commandPablo Neira Ayuso2020-02-191-5/+5
| | | | | | | | | | | | | | | | | | | | | | | | # nft create table x Error: Could not process rule: File exists create table x ^ # nft create chain x y Error: Could not process rule: File exists create chain x y ^ # nft create set x y { typeof ip saddr\; } Error: Could not process rule: File exists create set x y { typeof ip saddr; } ^ # nft create counter x y Error: Could not process rule: File exists create counter x y ^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: combine extended netlink error reporting with mispelling supportPablo Neira Ayuso2020-02-191-0/+1
| | | | | | | | | | | Preliminary support: only for the deletion command, e.g. # nft delete table twst Error: No such file or directory; did you mean table ‘test’ in family ip? delete table twst ^^^^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: initial extended netlink error reportingPablo Neira Ayuso2020-02-194-6/+43
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch correlates the in-kernel extended netlink error offset and the location information. Assuming 'foo' table does not exist, then error reporting shows: # nft delete table foo Error: Could not process rule: No such file or directory delete table foo ^^^ Similarly, if table uniquely identified by handle '1234' does not exist, then error reporting shows: # nft delete table handle 1234 Error: Could not process rule: No such file or directory delete table handle 1234 ^^^^ Assuming 'bar' chain does not exists in the kernel, while 'foo' does: # nft delete chain foo bar Error: Could not process rule: No such file or directory delete chain foo bar ^^^ This also gives us a hint when adding rules: # nft add rule ip foo bar counter Error: Could not process rule: No such file or directory add rule ip foo bar counter ^^^ This is based on ("src: basic support for extended netlink errors") from Florian Westphal, posted in 2018, with no netlink offset correlation support. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: use list_is_first() from scanner_pop_indesc()Pablo Neira Ayuso2020-02-131-0/+11
| | | | | | | | | | !list_empty() always stands true since the list is never empty when calling scanner_pop_indesc(). Check for list_is_first() which actually tells us this is the initial input file, hence, state->indesc is set to NULL. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: remove parser_state->indesc_idxLaurent Fasnacht2020-02-131-1/+0
| | | | | | | | Now that we have a proper stack implementation, we don't need an additional counter for the number of buffer state pushed. Signed-off-by: Laurent Fasnacht <fasnacht@protonmail.ch> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Inclusion depth was computed incorrectly for glob includes.Laurent Fasnacht2020-02-131-0/+2
| | | | | Signed-off-by: Laurent Fasnacht <fasnacht@protonmail.ch> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: remove parser_state->indescs static arrayLaurent Fasnacht2020-02-131-1/+0
| | | | | | | | This static array is redundant with the indesc_list structure, but is less flexible. Signed-off-by: Laurent Fasnacht <fasnacht@protonmail.ch> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: move the file descriptor to be in the input_descriptor structureLaurent Fasnacht2020-02-111-1/+2
| | | | | | | | This prevents a static allocation of file descriptors array, thus allows more flexibility. Signed-off-by: Laurent Fasnacht <fasnacht@protonmail.ch> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Add support for concatenated set rangesStefano Brivio2020-02-072-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | After exporting field lengths via NFTNL_SET_DESC_CONCAT attributes, we now need to adjust parsing of user input and generation of netlink key data to complete support for concatenation of set ranges. Instead of using separate elements for start and end of a range, denoting the end element by the NFT_SET_ELEM_INTERVAL_END flag, as it's currently done for ranges without concatenation, we'll use the new attribute NFTNL_SET_ELEM_KEY_END as suggested by Pablo. It behaves in the same way as NFTNL_SET_ELEM_KEY, but it indicates that the included key represents the upper bound of a range. For example, "packets with an IPv4 address between 192.0.2.0 and 192.0.2.42, with destination port between 22 and 25", needs to be expressed as a single element with two keys: NFTA_SET_ELEM_KEY: 192.0.2.0 . 22 NFTA_SET_ELEM_KEY_END: 192.0.2.42 . 25 To achieve this, we need to: - adjust the lexer rules to allow multiton expressions as elements of a concatenation. As wildcards are not allowed (semantics would be ambiguous), exclude wildcards expressions from the set of possible multiton expressions, and allow them directly where needed. Concatenations now admit prefixes and ranges - generate, for each element in a range concatenation, a second key attribute, that includes the upper bound for the range - also expand prefixes and non-ranged values in the concatenation to ranges: given a set with interval and concatenation support, the kernel has no way to tell which elements are ranged, so they all need to be. For example, 192.0.2.0 . 192.0.2.9 : 1024 is sent as: NFTA_SET_ELEM_KEY: 192.0.2.0 . 1024 NFTA_SET_ELEM_KEY_END: 192.0.2.9 . 1024 - aggregate ranges when elements received by the kernel represent concatenated ranges, see concat_range_aggregate() - perform a few minor adjustments where interval expressions are already handled: we have intervals in these sets, but the set specification isn't just an interval, so we can't just aggregate and deaggregate interval ranges linearly v4: No changes v3: - rework to use a separate key for closing element of range instead of a separate element with EXPR_F_INTERVAL_END set (Pablo Neira Ayuso) v2: - reworked netlink_gen_concat_data(), moved loop body to a new function, netlink_gen_concat_data_expr() (Phil Sutter) - dropped repeated pattern in bison file, replaced by a new helper, compound_expr_alloc_or_add() (Phil Sutter) - added set_is_nonconcat_range() helper (Phil Sutter) - in expr_evaluate_set(), we need to set NFT_SET_SUBKEY also on empty sets where the set in the context already has the flag - dropped additional 'end' parameter from netlink_gen_data(), temporarily set EXPR_F_INTERVAL_END on expressions and use that from netlink_gen_concat_data() to figure out we need to add the 'end' element (Phil Sutter) - replace range_mask_len() by a simplified version, as we don't need to actually store the composing masks of a range (Phil Sutter) Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Add support for NFTNL_SET_DESC_CONCATStefano Brivio2020-02-072-1/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | To support arbitrary range concatenations, the kernel needs to know how long each field in the concatenation is. The new libnftnl NFTNL_SET_DESC_CONCAT set attribute describes this as an array of lengths, in bytes, of concatenated fields. While evaluating concatenated expressions, export the datatype size into the new field_len array, and hand the data over via libnftnl. Similarly, when data is passed back from libnftnl, parse it into the set description. When set data is cloned, we now need to copy the additional fields in set_clone(), too. This change depends on the libnftnl patch with title: set: Add support for NFTA_SET_DESC_CONCAT attributes v4: No changes v3: Rework to use set description data instead of a stand-alone attribute v2: No changes Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: resync nf_tables.h cache copyStefano Brivio2020-02-071-0/+17
| | | | | | | | Get this header in sync with nf-next as of merge commit b3a608222336 (5.6-rc1-ish). Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: update nf_tables.h.Jeremy Sowden2020-01-281-0/+23
| | | | | | | | The kernel UAPI header includes a couple of new bitwise netlink attributes and an enum. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: nf_tables: correct bitwise header comment.Jeremy Sowden2020-01-221-3/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | The comment documenting how bitwise expressions work includes a table which summarizes the mask and xor arguments combined to express the supported boolean operations. However, the row for OR: mask xor 0 x is incorrect. dreg = (sreg & 0) ^ x is not equivalent to: dreg = sreg | x What the code actually does is: dreg = (sreg & ~x) ^ x Update the documentation to match. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* monitor: Fix output for ranges in anonymous setsPhil Sutter2020-01-131-0/+5
| | | | | | | | | | | | | | | | | | Previous fix for named interval sets was simply wrong: Instead of limiting decomposing to anonymous interval sets, it effectively disabled it entirely. Since code needs to check for both interval and anonymous bits separately, introduce set_is_interval() helper to keep the code readable. Also extend test case to assert ranges in anonymous sets are correctly printed by echo or monitor modes. Without this fix, range boundaries are printed as individual set elements. Fixes: 5d57fa3e99bb9 ("monitor: Do not decompose non-anonymous sets") Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: add slave device matchingFlorian Westphal2020-01-031-0/+4
| | | | | | | | Adds "meta sdif" and "meta sdifname". Both only work in input/forward hook of ipv4/ipv6/inet family. Cc: Martin Willi <martin@strongswan.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* exthdr: add exthdr_desc_id enum and use itPablo Neira Ayuso2019-12-171-0/+15
| | | | | | | This allows to identify the exthdr protocol from the userdata area. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add "typeof" build/parse/print supportFlorian Westphal2019-12-172-0/+5
| | | | | | | | | | | | | | | | | | | | This patch adds two new expression operations to build and to parse the userdata area that describe the set key and data typeof definitions. For maps, the grammar enforces either "type data_type : data_type" or or "typeof expression : expression". Check both key and data for valid user typeof info first. If they check out, flag set->key_typeof_valid as true and use it for printing the key info. This patch comes with initial support for using payload expressions with the 'typeof' keyword, followup patches will add support for other expressions as well. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* expr: add expr_ops_by_type()Pablo Neira Ayuso2019-12-161-0/+1
| | | | | | | Fetch expression operation from the expression type. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* proto: add proto_desc_id enumerationPablo Neira Ayuso2019-12-161-0/+27
| | | | | | | This allows to uniquely identify the protocol description. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: store expr, not dtype to track data in setsFlorian Westphal2019-12-163-6/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This will be needed once we add support for the 'typeof' keyword to handle maps that could e.g. store 'ct helper' "type" values. Instead of: set foo { type ipv4_addr . mark; this would allow set foo { typeof(ip saddr) . typeof(ct mark); (exact syntax TBD). This would be needed to allow sets that store variable-sized data types (string, integer and the like) that can't be used at at the moment. Adding special data types for everything is problematic due to the large amount of different types needed. For anonymous sets, e.g. "string" can be used because the needed size can be inferred from the statement, e.g. 'osf name { "Windows", "Linux }', but in case of named sets that won't work because 'type string' lacks the context needed to derive the size information. With 'typeof(osf name)' the context is there, but at the moment it won't help because the expression is discarded instantly and only the data type is retained. Signed-off-by: Florian Westphal <fw@strlen.de>
* segtree: don't remove nul-root element from interval setPablo Neira Ayuso2019-12-092-1/+2
| | | | | | | | | | | | | Check from the delinearize set element path if the nul-root element already exists in the interval set. Hence, the element insertion path skips the implicit nul-root interval insertion. Under some circunstances, nft bogusly fails to delete the last element of the interval set and to create an element in an existing empty internal set. This patch includes a test that reproduces the issue. Fixes: 4935a0d561b5 ("segtree: special handling for the first non-matching segment") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: add nf_tables_compat.h to tarballsPablo Neira Ayuso2019-12-031-0/+1
| | | | | | Add it to Makefile.am so make distcheck adds this header to tarballs. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Store top_scope in struct nft_ctxPhil Sutter2019-11-073-2/+6
| | | | | | | | | | | | | | | | Allow for interactive sessions to make use of defines. Since parser is initialized for each line, top scope defines didn't persist although they are actually useful for stuff like: | # nft -i | define goodports = { 22, 23, 80, 443 } | add rule inet t c tcp dport $goodports accept | add rule inet t c tcp sport $goodports accept While being at it, introduce scope_alloc() and scope_free(). Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add and use `set_is_meter` helperJeremy Sowden2019-11-061-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The sets constructed for meters are flagged as anonymous and dynamic. However, in some places there are only checks that they are dynamic, which can lead to normal sets being classified as meters. For example: # nft add table t # nft add set t s { type ipv4_addr; size 256; flags dynamic,timeout; } # nft add chain t c # nft add rule t c tcp dport 80 meter m size 128 { ip saddr limit rate 10/second } # nft list meters table ip t { set s { type ipv4_addr size 256 flags dynamic,timeout } meter m { type ipv4_addr size 128 flags dynamic } } # nft list meter t m table ip t { meter m { type ipv4_addr size 128 flags dynamic } } # nft list meter t s Error: No such file or directory list meter t s ^ Add a new helper `set_is_meter` and use it wherever there are checks for meters. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: flowtable: add support for named flowtable listingEric Jallot2019-10-311-2/+10
| | | | | | | | | | | | | | | | | | | | This patch allows you to dump a named flowtable. # nft list flowtable inet t f table inet t { flowtable f { hook ingress priority filter + 10 devices = { eth0, eth1 } } } Also: libnftables-json.adoc: fix missing quotes. Fixes: db0697ce7f60 ("src: support for flowtable listing") Fixes: 872f373dc50f ("doc: Add JSON schema documentation") Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add multidevice support for netdev chainPablo Neira Ayuso2019-10-301-1/+3
| | | | | | | | | | | | | | This patch allows you to specify multiple netdevices to be bound to the netdev basechain, eg. # nft add chain netdev x y { \ type filter hook ingress devices = { eth0, eth1 } priority 0\; } json codebase has been updated to support for one single device with the existing representation, no support for multidevice is included in this patch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add --terse to suppress output of set elements.Jeremy Sowden2019-10-222-0/+6
| | | | | | | | | | | | Listing an entire ruleset or a table with `nft list` prints the elements of all set definitions within the ruleset or table. Seeing the full set contents is not often necessary especially when requesting to see someone's ruleset for help and support purposes. Add a new option '-t, --terse' options to suppress the output of set contents. Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1374 Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: restore --echo with anonymous setsPablo Neira Ayuso2019-10-181-1/+0
| | | | | | | | | | | | If --echo is passed, then the cache already contains the commands that have been sent to the kernel. However, anonymous sets are an exception since the cache needs to be updated in this case. Remove the old cache logic from the monitor code that has been replaced by 01e5c6f0ed03 ("src: add cache level flags"). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Phil Sutter <phil@nwl.cc>
* cli: add linenoise CLI implementation.Jeremy Sowden2019-10-151-1/+1
| | | | | | | | By default, continue to use libreadline, but if `--with-cli=linenoise` is passed to configure, build the linenoise implementation instead. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cli: remove unused declaration.Jeremy Sowden2019-09-201-1/+0
| | | | | | | | cli.h includes a forward declaration of struct parser_state which is not needed. Remove it. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add synproxy stateful object supportFernando Fernandez Mancera2019-09-132-1/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | Add support for "synproxy" stateful object. For example (for TCP port 80 and using maps with saddr): table ip foo { synproxy https-synproxy { mss 1460 wscale 7 timestamp sack-perm } synproxy other-synproxy { mss 1460 wscale 5 } chain bar { tcp dport 80 synproxy name "https-synproxy" synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" } } } Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: Introduce new conditions 'time', 'day' and 'hour'Ander Juaristi2019-09-065-0/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | These keywords introduce new checks for a timestamp, an absolute date (which is converted to a timestamp), an hour in the day (which is converted to the number of seconds since midnight) and a day of week. When converting an ISO date (eg. 2019-06-06 17:00) to a timestamp, we need to substract it the GMT difference in seconds, that is, the value of the 'tm_gmtoff' field in the tm structure. This is because the kernel doesn't know about time zones. And hence the kernel manages different timestamps than those that are advertised in userspace when running, for instance, date +%s. The same conversion needs to be done when converting hours (e.g 17:00) to seconds since midnight as well. The result needs to be computed modulo 86400 in case GMT offset (difference in seconds from UTC) is negative. We also introduce a new command line option (-t, --seconds) to show the actual timestamps when printing the values, rather than the ISO dates, or the hour. Some usage examples: time < "2019-06-06 17:00" drop; time < "2019-06-06 17:20:20" drop; time < 12341234 drop; day "Saturday" drop; day 6 drop; hour >= 17:00 drop; hour >= "17:00:01" drop; hour >= 63000 drop; We need to convert an ISO date to a timestamp without taking into account the time zone offset, since comparison will be done in kernel space and there is no time zone information there. Overwriting TZ is portable, but will cause problems when parsing a ruleset that has 'time' and 'hour' rules. Parsing an 'hour' type must not do time zone conversion, but that will be automatically done if TZ has been overwritten to UTC. Hence, we use timegm() to parse the 'time' type, even though it's not portable. Overwriting TZ seems to be a much worse solution. Finally, be aware that timestamps are converted to nanoseconds when transferring to the kernel (as comparison is done with nanosecond precision), and back to seconds when retrieving them for printing. We swap left and right values in a range to properly handle cross-day hour ranges (e.g. 23:15-03:22). Signed-off-by: Ander Juaristi <a@juaristi.eus> Reviewed-by: Florian Westphal <fw@strlen.de>
* netfilter: support for element deletionAnder Juaristi2019-08-291-0/+1
| | | | | | | | | | | | | | | | | | | | | | | This patch implements element deletion from ruleset. Example: table ip set-test { set testset { type ipv4_addr; flags timeout; } chain outputchain { policy accept; type filter hook output priority filter; delete @testset { ip saddr } } } Signed-off-by: Ander Juaristi <a@juaristi.eus> Signed-off-by: Florian Westphal <fw@strlen.de>
* build: Bump version to v0.9.2v0.9.2Pablo Neira Ayuso2019-08-191-0/+1
| | | | | | | | | Update dependency on libnftnl. Missing nf_synproxy.h in Makefile.am too. Update release name based Jazz series, Fats Waller performing "Scram": https://www.youtube.com/watch?v=c9-noJc9ifI Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* gmputil: assert length is non-zeroPablo Neira Ayuso2019-08-142-7/+30
| | | | | | | | | | | | | Importing, exporting and byteswapping zero length data should not happen. Use macro definition so we know from where the assertion is triggered in the code for easier diagnosing in the future. When importing datatype.h from gmputil.h, it seems gcc complains on missing declarations in json.h. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: refresh nf_tables.h cached copyPablo Neira Ayuso2019-08-092-6/+17
| | | | | | | | | Refresh it to fetch what we have in 5.3-rc1. Remove NFT_OSF_F_VERSION definition, this is already available in include/linux/netfilter/nf_tables.h Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow variable in chain policyFernando Fernandez Mancera2019-08-082-1/+2
| | | | | | | | | | | | This patch allows you to use variables in chain policy definition, e.g. define default_policy = "accept" add table ip foo add chain ip foo bar {type filter hook input priority filter; policy $default_policy} Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow variables in the chain priority specificationFernando Fernandez Mancera2019-08-082-5/+3
| | | | | | | | | | | | | | | | | This patch allows you to use variables in chain priority definitions, e.g. define prio = filter define prionum = 10 define prioffset = "filter - 150" add table ip foo add chain ip foo bar { type filter hook input priority $prio; } add chain ip foo ber { type filter hook input priority $prionum; } add chain ip foo bor { type filter hook input priority $prioffset; } Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove global symbol_tablePablo Neira Ayuso2019-08-084-16/+11
| | | | | | | | | Store symbol tables in context object instead. Use the nft_ctx object to store the dynamic symbol table. Pass it on to the parse_ctx object so this can be accessed from the parse routines. This dynamic symbol table is also accesible from the output_ctx object for print routines. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add parse_ctx objectPablo Neira Ayuso2019-08-082-3/+19
| | | | | | | | This object stores the dynamic symbol tables that are loaded from files. Pass this object to datatype parse functions, although this new parameter is not used yet, this is just a preparation patch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Sync comments with current expr definitionBrett Mastbergen2019-07-231-2/+2
| | | | | | | ops has been removed, and etype has been added Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>