summaryrefslogtreecommitdiffstats
path: root/src/ct.c
Commit message (Collapse)AuthorAgeFilesLines
* ct: add maximum helper length valuePatrick McHardy2015-06-021-1/+6
| | | | | | | | | The current kernel restricts ct helper names to 16 bytes length. Specify this limit in the ct expression table to catch oversized strings in userspace. Since older versions of nft didn't support larger values, this does not negatively affect interaction with old kernel versions. Signed-off-by: Patrick McHardy <kaber@trash.net>
* include: refresh include/linux/nf_tables.h cached copyPablo Neira Ayuso2014-09-111-1/+1
| | | | | | | | | Keep in sync with nf_tables.h header file in net-next tree. Rename NFT_CT_LABEL to NFT_CT_LABELS, this probably slipped through when editing the header file by hand. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: add support for setting ct markArturo Borrero2014-03-131-0/+25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the possibility to set ct keys using nft. Currently, the connection mark is supported. This functionality enables creating rules performing the same action as iptables -j CONNMARK --save-mark. For example: table ip filter { chain postrouting { type filter hook postrouting priority 0; ip protocol icmp ip daddr 8.8.8.8 ct mark set meta mark } } My patch is based on the original http://patchwork.ozlabs.org/patch/307677/ by Kristian Evensen <kristian.evensen@gmail.com>. I simply did a rebase and some testing. To test, I added rules like these: counter meta mark set 1 counter counter ct mark set mark counter counter ct mark 1 counter The last matching worked as expected, which means the second rule is also working as expected. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Acked-by: Kristian Evensen <kristian.evensen@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add comparison function for singleton expressionsPatrick McHardy2014-03-071-0/+6
| | | | Singed-off-by: Patrick McHardy <kaber@trash.net>
* ct: connlabel matching supportFlorian Westphal2014-02-181-0/+72
| | | | | | | | | | | Takes advantage of the fact that the current maximum label storage area is 128 bits, i.e. the dynamically allocated extension area in the kernel will always fit into a nft register. Currently this re-uses rt_symbol_table_init() to read connlabel.conf. This works since the format is pretty much the same. Signed-off-by: Florian Westphal <fw@strlen.de>
* ct: direction should be integer, not bitmaskFlorian Westphal2014-02-181-1/+1
| | | | | | | | | should always generate cmp op (its enum 0, 1 in kernel). Note: 'original,reply' will no longer work after this patch. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: remove secmark from ct and meta expressionPatrick McHardy2014-01-151-3/+0
| | | | | | The secctx should be used instead of the secmark. Remove for now. Signed-off-by: Patrick McHardy <kaber@trash.net>
* ct expr: protocol context updates and dynamic typingPatrick McHardy2014-01-081-0/+58
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Include the protocols defined through relational ct expressions in the protocol context and use the protocol context to dynamically determine the types of network and transport layer ct expression types. Before: $ nft filter output ct proto-dst ssh <cmdline>:1:28-30: Error: Can't parse symbolic invalid expressions filter output ct proto-dst ssh ^^^ $ nft filter output ip protocol tcp ct proto-dst ssh <cmdline>:1:44-46: Error: Can't parse symbolic invalid expressions filter output ip protocol tcp ct proto-dst ssh ^^^ $ nft filter output ct protocol tcp ct proto-dst ssh <cmdline>:1:44-46: Error: Can't parse symbolic invalid expressions filter output ct protocol tcp ct proto-dst ssh ^^^ After: $ nft filter output ct proto-dst ssh <cmdline>:1:28-30: Error: Can't parse symbolic invalid expressions filter output ct proto-dst ssh ^^^ $ nft filter output ip protocol tcp ct proto-dst ssh $ nft filter output ct protocol tcp ct proto-dst ssh Signed-off-by: Patrick McHardy <kaber@trash.net>
* meta: iif/oifname should be host byte orderFlorian Westphal2013-09-231-1/+1
| | | | | | | | | | | | | | | | | | | | src/nft add rule filter output meta oifname eth0 doesn't work on x86. Problem is that nft declares these as BYTEORDER_INVALID, but when converting the string mpz_import_data treats INVALID like BIG_ENDIAN. [ cmp eq reg 1 0x00000000 0x00000000 0x65000000 0x00306874 ] as kernel nft_cmp_eval basically boils down to memcmp(reg, skb->dev->name, sizeof(reg) comparision fails. with patch: [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: add/move size and byte order information into data typesPatrick McHardy2009-03-311-6/+6
| | | | | | | | | | Add size and type information to non-basetype types and remove the now redundant information from the symbol tables. This will be used to determine size and byteorder of set members without analyzing the ruleset for incremental update operations. Signed-off-by: Patrick McHardy <kaber@trash.net>
* datatype: maintain table of all datatypes and add registration/lookup functionPatrick McHardy2009-03-311-3/+13
| | | | | | | | | | | Add a table containing all available datatypes and registration/lookup functions. This will be used to associate a stand-alone set in the kernel with the correct type without parsing the entire ruleset. Additionally it would now be possible to remove the global declarations for the core types. Not done yet though. Signed-off-by: Patrick McHardy <kaber@trash.net>
* ct: resync netlink header and properly add ct l3protocol supportPatrick McHardy2009-03-311-3/+3
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* expr: add support for cloning expressionsPatrick McHardy2009-03-201-0/+6
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* Initial commitv0.01-alpha1Patrick McHardy2009-03-181-0/+149