summaryrefslogtreecommitdiffstats
path: root/src/ct.c
Commit message (Collapse)AuthorAgeFilesLines
...
* src: add notrack supportPablo Neira Ayuso2016-11-141-0/+16
| | | | | | | This patch adds the notrack statement, to skip connection tracking for certain packets. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: allow resolving ct keys at run timeFlorian Westphal2016-10-271-0/+35
| | | | | | | ... and remove those keywords we no longer need. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: display bit number instead of raw valueFlorian Westphal2016-08-221-1/+1
| | | | | | | | | | ... and add test cases for ct label. Currently this dumped 'label 0x2', now 'label 1' would be shown. This makes add/list behave the same. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: allow numeric conntrack labelsFlorian Westphal2016-08-221-8/+22
| | | | | | | | | | | | | | | When dumping labels in rule list we try to print a symbolic name. If we don't find one, we print the bit number instead. This changes nft to also allow use of the number instead of a name when adding ct label rules so that such dumps can also be restored again. This is similar to other cases, e.g. skuid root vs skuid 0 which are both valid. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: quote user-defined strings when used from rule selectorsPablo Neira Ayuso2016-08-181-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | The following selectors display strings using quotes: * meta iifname * meta oifname * meta ibriport * meta obriport However, the following do not: * meta oif * meta iif * meta skuid * meta skgid * meta iifgroup * meta oifgroup * meta rtclassid * ct label Given they refer to user-defined values, neither keywords nor internal built-in known values, let's quote the output of this. This patch modifies symbolic_constant_print() so we can signal this to indicate if the string needs to be quoted. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: release ct_label table on exitPablo Neira Ayuso2016-08-171-0/+5
| | | | | | | Just like we do with other symbol tables. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Florian Westphal <fw@strlen.de>
* ct: add missing slash to connlabel pathPablo Neira Ayuso2016-08-171-1/+1
| | | | | | | | | | | | If I configure nftables via: ./configure --prefix=/usr the connlabel path breaks due to missing slash, so append this after DEFAULT_INCLUDE_PATH. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Florian Westphal <fw@strlen.de>
* ct: use nftables sysconf location for connlabel configurationFlorian Westphal2016-07-211-2/+5
| | | | | | | | | | | | Instead of using /etc/xtables use the nftables syconfdir. Also update error message to tell which label failed translation and which config file was used for this: nft add filter input ct label foo <cmdline>:1:27-29: Error: /etc/nftables/connlabel.conf: could not parse conntrack label "foo" Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* ct: add packet/byte counter supportFlorian Westphal2015-12-121-0/+4
| | | | | | | | | | | | | | | | | packets and bytes need special treatment -- we want to be able to get packet/byte counter in either direction, but also express 'fetch in *BOTH* directions', i.e. ct packets original + ct packets reply > 1000 This either requires a '+' expression, a new 'both' direction, or keys where direction is optional, i.e. ct packets > 12345 ; original + reply ct original packets > 12345 ; original Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: swap key and direction in ct_dir syntaxFlorian Westphal2016-01-071-7/+6
| | | | | | | | | | | | | | | old: ct saddr original 1.2.3.4 new: ct original saddr 1.2.3.4 The advantage is that this allows to add ct keys where direction is optional without creating ambiguities in the parser. So we can have ct packets gt 42 ct original packets gt 42 Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: ct: make ct l3proto workFlorian Westphal2016-01-041-2/+2
| | | | | | | | | ct l3proto original == ipv6 <cmdline>:1:56-59: Error: Can't parse symbolic invalid expressions Its just the nf protocol number -- no dependencies. Just set right type. Signed-off-by: Florian Westphal <fw@strlen.de>
* ct: add support for directional keysFlorian Westphal2016-01-041-3/+37
| | | | | | | | | | | | | | A few keys in the ct expression are directional, i.e. we need to tell kernel if it should fetch REPLY or ORIGINAL direction. Split ct_keys into ct_keys & ct_keys_dir, the latter are those keys that the kernel rejects unless also given a direction. During postprocessing we also need to invoke ct_expr_update_type, problem is that e.g. ct saddr can be any family (ip, ipv6) so we need to update the expected data type based on the network base. Signed-off-by: Florian Westphal <fw@strlen.de>
* ct: add maximum helper length valuePatrick McHardy2015-06-021-1/+6
| | | | | | | | | The current kernel restricts ct helper names to 16 bytes length. Specify this limit in the ct expression table to catch oversized strings in userspace. Since older versions of nft didn't support larger values, this does not negatively affect interaction with old kernel versions. Signed-off-by: Patrick McHardy <kaber@trash.net>
* include: refresh include/linux/nf_tables.h cached copyPablo Neira Ayuso2014-09-111-1/+1
| | | | | | | | | Keep in sync with nf_tables.h header file in net-next tree. Rename NFT_CT_LABEL to NFT_CT_LABELS, this probably slipped through when editing the header file by hand. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: add support for setting ct markArturo Borrero2014-03-131-0/+25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the possibility to set ct keys using nft. Currently, the connection mark is supported. This functionality enables creating rules performing the same action as iptables -j CONNMARK --save-mark. For example: table ip filter { chain postrouting { type filter hook postrouting priority 0; ip protocol icmp ip daddr 8.8.8.8 ct mark set meta mark } } My patch is based on the original http://patchwork.ozlabs.org/patch/307677/ by Kristian Evensen <kristian.evensen@gmail.com>. I simply did a rebase and some testing. To test, I added rules like these: counter meta mark set 1 counter counter ct mark set mark counter counter ct mark 1 counter The last matching worked as expected, which means the second rule is also working as expected. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Acked-by: Kristian Evensen <kristian.evensen@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add comparison function for singleton expressionsPatrick McHardy2014-03-071-0/+6
| | | | Singed-off-by: Patrick McHardy <kaber@trash.net>
* ct: connlabel matching supportFlorian Westphal2014-02-181-0/+72
| | | | | | | | | | | Takes advantage of the fact that the current maximum label storage area is 128 bits, i.e. the dynamically allocated extension area in the kernel will always fit into a nft register. Currently this re-uses rt_symbol_table_init() to read connlabel.conf. This works since the format is pretty much the same. Signed-off-by: Florian Westphal <fw@strlen.de>
* ct: direction should be integer, not bitmaskFlorian Westphal2014-02-181-1/+1
| | | | | | | | | should always generate cmp op (its enum 0, 1 in kernel). Note: 'original,reply' will no longer work after this patch. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: remove secmark from ct and meta expressionPatrick McHardy2014-01-151-3/+0
| | | | | | The secctx should be used instead of the secmark. Remove for now. Signed-off-by: Patrick McHardy <kaber@trash.net>
* ct expr: protocol context updates and dynamic typingPatrick McHardy2014-01-081-0/+58
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Include the protocols defined through relational ct expressions in the protocol context and use the protocol context to dynamically determine the types of network and transport layer ct expression types. Before: $ nft filter output ct proto-dst ssh <cmdline>:1:28-30: Error: Can't parse symbolic invalid expressions filter output ct proto-dst ssh ^^^ $ nft filter output ip protocol tcp ct proto-dst ssh <cmdline>:1:44-46: Error: Can't parse symbolic invalid expressions filter output ip protocol tcp ct proto-dst ssh ^^^ $ nft filter output ct protocol tcp ct proto-dst ssh <cmdline>:1:44-46: Error: Can't parse symbolic invalid expressions filter output ct protocol tcp ct proto-dst ssh ^^^ After: $ nft filter output ct proto-dst ssh <cmdline>:1:28-30: Error: Can't parse symbolic invalid expressions filter output ct proto-dst ssh ^^^ $ nft filter output ip protocol tcp ct proto-dst ssh $ nft filter output ct protocol tcp ct proto-dst ssh Signed-off-by: Patrick McHardy <kaber@trash.net>
* meta: iif/oifname should be host byte orderFlorian Westphal2013-09-231-1/+1
| | | | | | | | | | | | | | | | | | | | src/nft add rule filter output meta oifname eth0 doesn't work on x86. Problem is that nft declares these as BYTEORDER_INVALID, but when converting the string mpz_import_data treats INVALID like BIG_ENDIAN. [ cmp eq reg 1 0x00000000 0x00000000 0x65000000 0x00306874 ] as kernel nft_cmp_eval basically boils down to memcmp(reg, skb->dev->name, sizeof(reg) comparision fails. with patch: [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: add/move size and byte order information into data typesPatrick McHardy2009-03-311-6/+6
| | | | | | | | | | Add size and type information to non-basetype types and remove the now redundant information from the symbol tables. This will be used to determine size and byteorder of set members without analyzing the ruleset for incremental update operations. Signed-off-by: Patrick McHardy <kaber@trash.net>
* datatype: maintain table of all datatypes and add registration/lookup functionPatrick McHardy2009-03-311-3/+13
| | | | | | | | | | | Add a table containing all available datatypes and registration/lookup functions. This will be used to associate a stand-alone set in the kernel with the correct type without parsing the entire ruleset. Additionally it would now be possible to remove the global declarations for the core types. Not done yet though. Signed-off-by: Patrick McHardy <kaber@trash.net>
* ct: resync netlink header and properly add ct l3protocol supportPatrick McHardy2009-03-311-3/+3
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* expr: add support for cloning expressionsPatrick McHardy2009-03-201-0/+6
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* Initial commitv0.01-alpha1Patrick McHardy2009-03-181-0/+149