summaryrefslogtreecommitdiffstats
path: root/include
Commit message (Collapse)AuthorAgeFilesLines
* src: expose nft_ctx_clear_vars as APIPablo Neira Ayuso5 days1-0/+1
| | | | | | | | | This function might be useful to recycle the existing nft_ctx to use it with different external variable definitions. Moreover, reset ctx->num_vars to zero. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add --define key=valuePablo Neira Ayuso8 days2-0/+13
| | | | | | | | | | | | | | | | | This patch adds a new option to define variables from the command line. # cat test.nft table netdev x { chain y { type filter hook ingress devices = $dev priority 0; counter accept } } # nft --define dev="{ eth0, eth1 }" -f test.nft You can only combine it with -f/--filename. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: get `make distcheck` to pass againDuncan Roe2021-07-051-0/+1
| | | | | | | | Commit 4694f7230195 introduced nfnetlink_hook.h but didn't update the automake system to take account of the new file. Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add queue expr and flags to queue_stmt_allocFlorian Westphal2021-06-211-1/+2
| | | | | | Preparation patch to avoid too much $<stmt>$ references in the parser. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add xzalloc_array() and use it to allocate the expression hashtablePablo Neira Ayuso2021-06-141-0/+1
| | | | | | | | | | | Otherwise, assertion to ensure that no colission occur is hit due to uninitialized hashtable memory area: nft: netlink_delinearize.c:1741: expr_handler_init: Assertion `expr_handle_ht[hash] == NULL' failed. Fixes: c4058f96c6a5 ("netlink_delinearize: Fix suspicious calloc() call") Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add vlan deiPablo Neira Ayuso2021-06-111-0/+1
| | | | | | | | | | the CFI bit has been repurposed as DEI "Drop Eligible Indicator" since 802.1Q-2011. The vlan cfi field is still retained for compatibility. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1516 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for base hook dumpingFlorian Westphal2021-06-094-1/+60
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Example output: $ nft list hook ip input family ip hook input { +0000000000 nft_do_chain_inet [nf_tables] # nft table ip filter chain input +0000000010 nft_do_chain_inet [nf_tables] # nft table ip firewalld chain filter_INPUT +0000000100 nf_nat_ipv4_local_in [nf_nat] +2147483647 ipv4_confirm [nf_conntrack] } $ nft list hooks netdev type ingress device lo family netdev hook ingress device lo { +0000000000 nft_do_chain_netdev [nf_tables] } $ nft list hooks inet family ip hook prerouting { -0000000400 ipv4_conntrack_defrag [nf_defrag_ipv4] -0000000300 iptable_raw_hook [iptable_raw] -0000000290 nft_do_chain_inet [nf_tables] # nft table ip firewalld chain raw_PREROUTING -0000000200 ipv4_conntrack_in [nf_conntrack] -0000000140 nft_do_chain_inet [nf_tables] # nft table ip firewalld chain mangle_PREROUTING -0000000100 nf_nat_ipv4_pre_routing [nf_nat] } ... 'nft list hooks' will display everyting except the netdev family via successive dump request for all family:hook combinations. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: add list cmd parser scopeFlorian Westphal2021-06-091-0/+1
| | | | | | | | | | Followup patch will add new 'hooks' keyword for nft list hooks Add a scope for list to avoid exposure of the new keyword in nft rulesets. Signed-off-by: Florian Westphal <fw@strlen.de>
* json: missing catchall expression stub with ./configure --without-jsonPablo Neira Ayuso2021-06-041-0/+1
| | | | | | | | | | | set_elem_catchall_expr_json undeclared here (not in a function); did you mean 'set_elem_catchall_expr_ops'? 1344 | .json = set_elem_catchall_expr_json, | ^~~~~~~~~~~~~~~~~~~~~~~~~~~ | set_elem_catchall_expr_ops https://bugzilla.netfilter.org/show_bug.cgi?id=1542 Fixes: 5c2c6b092860 json: catchall element support Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: catchall element supportFlorian Westphal2021-06-021-0/+1
| | | | | | | Treat '*' as catchall element, not as a symbol. Also add missing json test cases for wildcard set support. Signed-off-by: Florian Westphal <fw@strlen.de>
* include: missing sctp_chunk.h in Makefile.amPablo Neira Ayuso2021-05-251-0/+1
| | | | | | | Fix make distcheck. Fixes: 0e3871cfd9a1 ("exthdr: Implement SCTP Chunk matching") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cmd: typo in chain fuzzy lookupPablo Neira Ayuso2021-05-201-1/+1
| | | | | | | | | | | | | | | | Refer to chain, not table. Error: No such file or directory; did you mean table ‘z’ in family ip? add chain x y { type filter nat prerouting priority dstnat; } ^ It should say instead: Error: No such file or directory; did you mean chain ‘z’ in table ip ‘x’? [ Florian added args check for fmt to the netlink_io_error() prototype. ] Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: location-based error reporting for chain typePablo Neira Ayuso2021-05-201-1/+6
| | | | | | | | | | | | | | | | | Store the location of the chain type for better error reporting. Several users that compile custom kernels reported that error reporting is misleading when accidentally selecting CONFIG_NFT_NAT=n. After this patch, a better hint is provided: # nft 'add chain x y { type nat hook prerouting priority dstnat; }' Error: Could not process rule: No such file or directory add chain x y { type nat hook prerouting priority dstnat; } ^^^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: Implement SCTP Chunk matchingPhil Sutter2021-05-193-0/+90
| | | | | | | | Extend exthdr expression to support scanning through SCTP packet chunks and matching on fixed fields' values. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* scanner: sctp: Move to own scopePhil Sutter2021-05-191-0/+1
| | | | | | | This isolates only "vtag" token for now. Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Florian Westphal <fw@strlen.de>
* parser_bison: add shortcut syntax for matching flags without binary operationsPablo Neira Ayuso2021-05-162-0/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the following shortcut syntax: expression flags / flags instead of: expression and flags == flags For example: tcp flags syn,ack / syn,ack,fin,rst ^^^^^^^ ^^^^^^^^^^^^^^^ value mask instead of: tcp flags and (syn|ack|fin|rst) == syn|ack The second list of comma-separated flags represents the mask which are examined and the first list of comma-separated flags must be set. You can also use the != operator with this syntax: tcp flags != fin,rst / syn,ack,fin,rst This shortcut is based on the prefix notation, but it is also similar to the iptables tcp matching syntax. This patch introduces the flagcmp expression to print the tcp flags in this new notation. The delinearize path transforms the binary expression to this new flagcmp expression whenever possible. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add set element catch-all supportPablo Neira Ayuso2021-05-112-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | Add a catchall expression (EXPR_SET_ELEM_CATCHALL). Use the asterisk (*) to represent the catch-all set element, e.g. table x { set y { type ipv4_addr counter elements = { 1.2.3.4 counter packets 0 bytes 0, * counter packets 0 bytes 0 } } } Special handling for segtree: zap the catch-all element from the set element list and re-add it after processing. Remove wildcard_expr deadcode in src/parser_bison.y This patch also adds several tests for the tests/py and tests/shell infrastructures. Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add cgroupsv2 supportPablo Neira Ayuso2021-05-034-1/+7
| | | | | | Add support for matching on the cgroups version 2. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: remove flowtable from cache on delete flowtable commandPablo Neira Ayuso2021-05-021-0/+1
| | | | | | | Update the cache to remove this flowtable from the evaluation phase. Add flowtable_cache_del() function for this purpose. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: remove chain from cache on delete chain commandPablo Neira Ayuso2021-05-021-0/+2
| | | | | | | Update the cache to remove this chain from the evaluation phase. Add chain_cache_del() function for this purpose. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache: add hashtable cache for tablePablo Neira Ayuso2021-05-022-10/+14
| | | | | | | | | | | | Add a hashtable for fast table lookups. Tables that reside in the cache use the table->cache_hlist and table->cache_list heads. Table that are created from command line / ruleset are also added to the cache. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache: add set_cache_del() and use itPablo Neira Ayuso2021-05-021-0/+1
| | | | | | | | Update set_cache_del() from the monitor path to remove sets in the cache. Fixes: df48e56e987f ("cache: add hashtable cache for sets") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache: add hashtable cache for flowtablePablo Neira Ayuso2021-05-023-2/+8
| | | | | | | | | | Add flowtable hashtable cache. Actually I am not expecting that many flowtables to benefit from the hashtable to be created by streamline this code with tables, chains, sets and policy objects. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache: add hashtable cache for objectPablo Neira Ayuso2021-05-022-3/+7
| | | | | | | | | | | | | | | | | | | | This patch adds a hashtable for object lookups. This patch also splits table->objs in two: - Sets that reside in the cache are stored in the new tables->cache_obj and tables->cache_obj_ht. - Set that defined via command line / ruleset file reside in tables->obj. Sets in the cache (already in the kernel) are not placed in the table->objs list. By keeping separated lists, objs defined via command line / ruleset file can be added to cache. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: consolidate object cache infrastructurePablo Neira Ayuso2021-05-022-8/+19
| | | | | | | This patch consolidates the object cache infrastructure. Update set and chains to use it. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: consolidate nft_cache infrastructurePablo Neira Ayuso2021-05-023-19/+18
| | | | | | | | - prepend nft_ prefix to nft_cache API and internal functions - move declarations to cache.h (and remove redundant declarations) - move struct nft_cache definition to cache.h Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: pass chain name to chain_cache_find()Pablo Neira Ayuso2021-05-021-2/+1
| | | | | | | | You can identify chains through the unique handle in deletions, update this interface to take a string instead of the handle to prepare for the introduction of 64-bit handle chain lookups. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Makefile: missing owner.h filePablo Neira Ayuso2021-04-031-0/+1
| | | | | | Add it to include/Makefile.am, this fixes `make distcheck'. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache: add hashtable cache for setsPablo Neira Ayuso2021-04-033-3/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds a hashtable for set lookups. This patch also splits table->sets in two: - Sets that reside in the cache are stored in the new tables->cache_set and tables->cache_set_ht. - Set that defined via command line / ruleset file reside in tables->set. Sets in the cache (already in the kernel) are not placed in the table->sets list. By keeping separated lists, sets defined via command line / ruleset file can be added to cache. Adding 10000 sets, before: # time nft -f x real 0m6,415s user 0m3,126s sys 0m3,284s After: # time nft -f x real 0m3,949s user 0m0,743s sys 0m3,205s Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache: statify chain_cache_dump()Pablo Neira Ayuso2021-04-031-1/+0
| | | | | | Only used internally in cache.c Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: use chain hashtable for lookupsPablo Neira Ayuso2021-04-031-2/+0
| | | | | | | | | | | | | | | | | | | | | Instead of the linear list lookup. Before this patch: real 0m21,735s user 0m20,329s sys 0m1,384s After: real 0m10,910s user 0m9,448s sys 0m1,434s chain_lookup() is removed since linear list lookups are only used by the fuzzy chain name matching for error reporting. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: split chain list in tablePablo Neira Ayuso2021-04-031-0/+2
| | | | | | | | | | | | | | | | | | | This patch splits table->lists in two: - Chains that reside in the cache are stored in the new tables->cache_chain and tables->cache_chain_ht. The hashtable chain cache allows for fast chain lookups. - Chains that defined via command line / ruleset file reside in tables->chains. Note that chains in the cache (already in the kernel) are not placed in the table->chains. By keeping separated lists, chains defined via command line / ruleset file can be added to cache. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache: rename chain_htable to cache_chain_htPablo Neira Ayuso2021-04-031-2/+2
| | | | | | Rename the hashtable chain that is used for fast cache lookups. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add datatype->describe()Pablo Neira Ayuso2021-03-251-0/+1
| | | | | | | | | | | | As an alternative to print the datatype values when no symbol table is available. Use it to print protocols available via getprotobynumber() which actually refers to /etc/protocols. Not very efficient, getprotobynumber() causes a series of open()/close() calls on /etc/protocols, but this is called from a non-critical path. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1503 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nftables: add flags offload to flowtableFrank Wunderlich2021-03-251-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | allow flags (currently only offload) in flowtables like it is stated here: https://lwn.net/Articles/804384/ tested on mt7622/Bananapi-R64 table ip filter { flowtable f { hook ingress priority filter + 1 devices = { lan3, lan0, wan } flags offload; } chain forward { type filter hook forward priority filter; policy accept; ip protocol { tcp, udp } flow add @f } } table ip nat { chain post { type nat hook postrouting priority filter; policy accept; oifname "wan" masquerade } } Signed-off-by: Frank Wunderlich <frank-w@public-files.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: log: move to own scopeFlorian Westphal2021-03-241-0/+2
| | | | | | | GROUP and PREFIX are used by igmp and nat, so they can't be moved out of INITIAL scope yet. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: counter: move to own scopeFlorian Westphal2021-03-241-0/+1
| | | | | | move bytes/packets away from initial state. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: add support for scope nestingFlorian Westphal2021-03-241-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Adding a COUNTER scope introduces parsing errors. Example: add rule ... counter ip saddr 1.2.3.4 This is supposed to be COUNTER IP SADDR SYMBOL but it will be parsed as COUNTER IP STRING SYMBOL ... and rule fails with unknown saddr. This is because IP state change gets popped right after it was pushed. bison parser invokes scanner_pop_start_cond() helper via 'close_scope_counter' rule after it has processed the entire 'counter' rule. But that happens *after* flex has executed the 'IP' rule. IOW, the sequence of events is not the exepcted "COUNTER close_scope_counter IP SADDR SYMBOL close_scope_ip", it is "COUNTER IP close_scope_counter". close_scope_counter pops the just-pushed SCANSTATE_IP and returns the scanner to SCANSTATE_COUNTER, so next input token (saddr) gets parsed as a string, which gets then rejected from bison. To resolve this, defer the pop operation until the current state is done. scanner_pop_start_cond() already gets the scope that it has been completed as an argument, so we can compare it to the active state. If those are not the same, just defer the pop operation until the bison reports its done with the active flex scope. This leads to following sequence of events: 1. flex switches to SCANSTATE_COUNTER 2. flex switches to SCANSTATE_IP 3. bison calls scanner_pop_start_cond(SCANSTATE_COUNTER) 4. flex remains in SCANSTATE_IP, bison continues 5. bison calls scanner_pop_start_cond(SCANSTATE_IP) once the entire ip rule has completed: this pops both IP and COUNTER. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: secmark: move to own scopeFlorian Westphal2021-03-161-0/+1
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: quota: move to own scopeFlorian Westphal2021-03-161-0/+1
| | | | | | ... and move "used" keyword to it. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: limit: move to own scopeFlorian Westphal2021-03-161-0/+1
| | | | | | Moves rate and burst out of INITIAL. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: vlan: move to own scopeFlorian Westphal2021-03-161-0/+1
| | | | | | ID needs to remain exposed as its used by ct, icmp, icmp6 and so on. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: arp: move to own scopeFlorian Westphal2021-03-161-0/+1
| | | | | | allows to move the arp specific tokens out of the INITIAL scope. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: add ether scopeFlorian Westphal2021-03-161-0/+1
| | | | | | | just like previous change: useless as-is, but prepares for removal of saddr/daddr from INITIAL scope. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: add fib scopeFlorian Westphal2021-03-161-0/+1
| | | | | | | | | makes no sense as-is because all keywords need to stay in the INITIAL scope. This can be changed after all saddr/daddr users have been scoped. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: ip6: move to own scopeFlorian Westphal2021-03-161-0/+1
| | | | | | move flowlabel and hoplimit. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: ip: move to own scopeFlorian Westphal2021-03-161-0/+1
| | | | | | Move the ip option names (rr, lsrr, ...) out of INITIAL scope. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: ct: move to own scopeFlorian Westphal2021-03-161-0/+1
| | | | | | | | | | | | This allows moving multiple ct specific keywords out of INITIAL scope. Next few patches follow same pattern: 1. add a scope_close_XXX rule 2. add a SCANSTATE_XXX & make flex switch to it when encountering XXX keyword 3. make bison leave SCANSTATE_XXXX when it has seen the complete expression. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: move remaining cache functions in rule.c to cache.cPablo Neira Ayuso2021-03-111-2/+4
| | | | | | Move all the cache logic to src/cache.c Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: socket: move to own scopeFlorian Westphal2021-03-111-0/+1
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>