| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
The current kernel restricts ct helper names to 16 bytes length. Specify
this limit in the ct expression table to catch oversized strings in userspace.
Since older versions of nft didn't support larger values, this does not
negatively affect interaction with old kernel versions.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
| |
Keep in sync with nf_tables.h header file in net-next tree.
Rename NFT_CT_LABEL to NFT_CT_LABELS, this probably slipped through
when editing the header file by hand.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the possibility to set ct keys using nft. Currently, the
connection mark is supported. This functionality enables creating rules
performing the same action as iptables -j CONNMARK --save-mark. For example:
table ip filter {
chain postrouting {
type filter hook postrouting priority 0;
ip protocol icmp ip daddr 8.8.8.8 ct mark set meta mark
}
}
My patch is based on the original http://patchwork.ozlabs.org/patch/307677/
by Kristian Evensen <kristian.evensen@gmail.com>.
I simply did a rebase and some testing. To test, I added rules like these:
counter meta mark set 1 counter
counter ct mark set mark counter
counter ct mark 1 counter
The last matching worked as expected, which means the second rule is also
working as expected.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Acked-by: Kristian Evensen <kristian.evensen@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Singed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
| |
Takes advantage of the fact that the current maximum label storage area
is 128 bits, i.e. the dynamically allocated extension area in the
kernel will always fit into a nft register.
Currently this re-uses rt_symbol_table_init() to read connlabel.conf.
This works since the format is pretty much the same.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
| |
should always generate cmp op (its enum 0, 1 in kernel).
Note: 'original,reply' will no longer work after this patch.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
The secctx should be used instead of the secmark. Remove for now.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Include the protocols defined through relational ct expressions in the
protocol context and use the protocol context to dynamically determine
the types of network and transport layer ct expression types.
Before:
$ nft filter output ct proto-dst ssh
<cmdline>:1:28-30: Error: Can't parse symbolic invalid expressions
filter output ct proto-dst ssh
^^^
$ nft filter output ip protocol tcp ct proto-dst ssh
<cmdline>:1:44-46: Error: Can't parse symbolic invalid expressions
filter output ip protocol tcp ct proto-dst ssh
^^^
$ nft filter output ct protocol tcp ct proto-dst ssh
<cmdline>:1:44-46: Error: Can't parse symbolic invalid expressions
filter output ct protocol tcp ct proto-dst ssh
^^^
After:
$ nft filter output ct proto-dst ssh
<cmdline>:1:28-30: Error: Can't parse symbolic invalid expressions
filter output ct proto-dst ssh
^^^
$ nft filter output ip protocol tcp ct proto-dst ssh
$ nft filter output ct protocol tcp ct proto-dst ssh
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
src/nft add rule filter output meta oifname eth0
doesn't work on x86. Problem is that nft declares these as
BYTEORDER_INVALID, but when converting the string mpz_import_data
treats INVALID like BIG_ENDIAN.
[ cmp eq reg 1 0x00000000 0x00000000 0x65000000 0x00306874 ]
as kernel nft_cmp_eval basically boils down to
memcmp(reg, skb->dev->name, sizeof(reg) comparision fails.
with patch:
[ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Add size and type information to non-basetype types and remove the now
redundant information from the symbol tables.
This will be used to determine size and byteorder of set members without
analyzing the ruleset for incremental update operations.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
| |
Add a table containing all available datatypes and registration/lookup functions.
This will be used to associate a stand-alone set in the kernel with the correct
type without parsing the entire ruleset.
Additionally it would now be possible to remove the global declarations for the
core types. Not done yet though.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|