| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Splice the existing set element cache with the elements to be deleted
and merge sort it. The elements to be deleted are identified by the
EXPR_F_REMOVE flag.
The set elements to be deleted is automerged in first place if the
automerge flag is set on.
There are four possible deletion scenarios:
- Exact match, eg. delete [a-b] and there is a [a-b] range in the kernel set.
- Adjust left side of range, eg. delete [a-b] from range [a-x] where x > b.
- Adjust right side of range, eg. delete [a-b] from range [x-b] where x < a.
- Split range, eg. delete [a-b] from range [x-y] where x < a and b < y.
Update nft_evaluate() to use the safe list variant since new commands
are dynamically registered to the list to update ranges.
This patch also restores the set element existence check for Linux
kernels <= 5.7.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Instead of realloc(), so process stops execution in case memory
allocation fails.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a new -o/--optimize option to enable ruleset
optimization.
You can combine this option with the dry run mode (--check) to review
the proposed ruleset updates without actually loading the ruleset, e.g.
# nft -c -o -f ruleset.test
Merging:
ruleset.nft:16:3-37: ip daddr 192.168.0.1 counter accept
ruleset.nft:17:3-37: ip daddr 192.168.0.2 counter accept
ruleset.nft:18:3-37: ip daddr 192.168.0.3 counter accept
into:
ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } counter packets 0 bytes 0 accept
This infrastructure collects the common statements that are used in
rules, then it builds a matrix of rules vs. statements. Then, it looks
for common statements in consecutive rules which allows to merge rules.
This ruleset optimization always performs an implicit dry run to
validate that the original ruleset is correct. Then, on a second pass,
it performs the ruleset optimization and add the rules into the kernel
(unless --check has been specified by the user).
From libnftables perspective, there is a new API to enable
this feature:
uint32_t nft_ctx_get_optimize(struct nft_ctx *ctx);
void nft_ctx_set_optimize(struct nft_ctx *ctx, uint32_t flags);
This patch adds support for the first optimization: Collapse a linear
list of rules matching on a single selector into a set as exposed in the
example above.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Reading from stdin requires to store the ruleset in a buffer so error
reporting works accordingly, eg.
# cat ruleset.nft | nft -f -
/dev/stdin:3:13-13: Error: unknown identifier 'x'
ip saddr $x
^
The error reporting infrastructure performs a fseek() on the file
descriptor which does not work in this case since the data from the
descriptor has been already consumed.
This patch adds a new stdin input descriptor to perform this special
handling which consists on re-routing this request through the buffer
functions.
Fixes: 935f82e7dd49 ("Support 'nft -f -' to read from stdin")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Skip set element netlink dump if set is flushed, this speeds up
set flush + add element operation in a batch file for an existing set.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Do not fetch table content for list commands that specify a
table name, e.g.
# nft list table filter
This speeds up listing of a given table by not populating the
cache with tables that are not needed.
- Full ruleset (huge with ~100k lines).
# sudo nft list ruleset &> /dev/null
real 0m3,049s
user 0m2,080s
sys 0m0,968s
- Listing per table is now faster:
# nft list table nat &> /dev/null
real 0m1,969s
user 0m1,412s
sys 0m0,556s
# nft list table filter &> /dev/null
real 0m0,697s
user 0m0,478s
sys 0m0,220s
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1326
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Partially revert 913979f882d1 ("src: add expression handler hashtable")
which is causing a crash with two instances of the nftables handler.
$ sudo python
[sudo] password for echerkashin:
Python 3.9.7 (default, Sep 3 2021, 06:18:44)
[GCC 11.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from nftables import Nftables
>>> n1=Nftables()
>>> n2=Nftables()
>>> <Ctrl-D>
double free or corruption (top)
Aborted
Reported-by: Eugene Crosser <crosser@average.org>
Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This function might be useful to recycle the existing nft_ctx to use it
with different external variable definitions.
Moreover, reset ctx->num_vars to zero.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a new option to define variables from the command line.
# cat test.nft
table netdev x {
chain y {
type filter hook ingress devices = $dev priority 0;
counter accept
}
}
# nft --define dev="{ eth0, eth1 }" -f test.nft
You can only combine it with -f/--filename.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
The err->seqnum == batch_seqnum case results in a memleak of mnl_err
objects under some scenarios such as nf_tables kernel support is not
available or user runs the nft executable as non-root.
Fixes: f930cc500318 ("nftables: fix supression of "permission denied" errors")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Add a hashtable for fast table lookups.
Tables that reside in the cache use the table->cache_hlist and
table->cache_list heads.
Table that are created from command line / ruleset are also added
to the cache.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
- prepend nft_ prefix to nft_cache API and internal functions
- move declarations to cache.h (and remove redundant declarations)
- move struct nft_cache definition to cache.h
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
$ /usr/sbin/nft list ruleset
Operation not permitted (you must be root)
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1372
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Because the command seqnums are monotonic, repeated traversals
of the cmds list from the beginning are not necessary as long as
the error seqnums are also monotonic.
Signed-off-by: Jindrich Makovicka <makovick@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
netlink_parsers is actually small, but update this code to use a
hashtable instead since more expressions may come in the future.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Restrict the expansion logic to the CMD_ADD command which is where this
is only required.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Preliminary support: only for the deletion command, e.g.
# nft delete table twst
Error: No such file or directory; did you mean table ‘test’ in family ip?
delete table twst
^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch correlates the in-kernel extended netlink error offset and
the location information.
Assuming 'foo' table does not exist, then error reporting shows:
# nft delete table foo
Error: Could not process rule: No such file or directory
delete table foo
^^^
Similarly, if table uniquely identified by handle '1234' does not exist,
then error reporting shows:
# nft delete table handle 1234
Error: Could not process rule: No such file or directory
delete table handle 1234
^^^^
Assuming 'bar' chain does not exists in the kernel, while 'foo' does:
# nft delete chain foo bar
Error: Could not process rule: No such file or directory
delete chain foo bar
^^^
This also gives us a hint when adding rules:
# nft add rule ip foo bar counter
Error: Could not process rule: No such file or directory
add rule ip foo bar counter
^^^
This is based on ("src: basic support for extended netlink errors") from
Florian Westphal, posted in 2018, with no netlink offset correlation
support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Allow for interactive sessions to make use of defines. Since parser is
initialized for each line, top scope defines didn't persist although
they are actually useful for stuff like:
| # nft -i
| define goodports = { 22, 23, 80, 443 }
| add rule inet t c tcp dport $goodports accept
| add rule inet t c tcp sport $goodports accept
While being at it, introduce scope_alloc() and scope_free().
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
==9946== 200,807 (40 direct, 200,767 indirect) bytes in 1 blocks are definitely lost in loss record 4 of 4
==9946== at 0x4837B65: calloc (vg_replace_malloc.c:762)
==9946== by 0x4F28216: nftnl_batch_alloc (batch.c:66)
==9946== by 0x48A33E8: mnl_batch_init (mnl.c:164)
==9946== by 0x48A736F: nft_netlink.isra.0 (libnftables.c:29)
==9946== by 0x48A7D03: nft_run_cmd_from_filename (libnftables.c:508)
==9946== by 0x10A621: main (main.c:328)
Fixes: fc6d0f8b0cb1 ("libnftables: get rid of repeated initialization of netlink_ctx")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
==29699== Invalid read of size 8
==29699== at 0x507E140: ct_label_table_exit (ct.c:239)
==29699== by 0x5091877: nft_exit (libnftables.c:97)
==29699== by 0x5091877: nft_ctx_free (libnftables.c:297)
[...]
==29699== Address 0xb251008 is 136 bytes inside a block of size 352 free'd
==29699== at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==29699== by 0x509186F: nft_ctx_free (libnftables.c:296)
[...]
==29699== Block was alloc'd at
==29699== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==29699== by 0x508C51D: xmalloc (utils.c:36)
==29699== by 0x508C51D: xzalloc (utils.c:65)
==29699== by 0x50916BE: nft_ctx_new (libnftables.c:151)
[...]
Release symbol tables before context object.
Fixes: 45cb29a2ada4 ("src: remove global symbol_table")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
Store symbol tables in context object instead. Use the nft_ctx object to
store the dynamic symbol table. Pass it on to the parse_ctx object so
this can be accessed from the parse routines. This dynamic symbol table
is also accesible from the output_ctx object for print routines.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Most members in the context don't change, so there is no need to memset
it and reassign them on every iteration. Moved that code out of the
loop.
Fixes: a72315d2bad4 ("src: add rule batching support")
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Export public symbols (the library API functions) instead of all symbols in
the library.
This patch introduces the required macros to manage the visibility attributes
(mostly copied from libnftnl.git) and also marks each symbol as exported when
they need to be public. Also, introduce a .map file for proper symbol
versioning.
Previous to this patch, libnftables public symbols were:
% dpkg-gensymbols -q -plibnftables -v0.9.1 -O -esrc/.libs/libnftables.so.1 | wc -l
527
With this patch, libnftables symbols are:
% dpkg-gensymbols -q -plibnftables -v0.9.1 -O -esrc/.libs/libnftables.so.1
libnftables.so.1 libnftables #MINVER#
nft_ctx_add_include_path@Base 0.9.1
nft_ctx_buffer_error@Base 0.9.1
nft_ctx_buffer_output@Base 0.9.1
nft_ctx_clear_include_paths@Base 0.9.1
nft_ctx_free@Base 0.9.1
nft_ctx_get_dry_run@Base 0.9.1
nft_ctx_get_error_buffer@Base 0.9.1
nft_ctx_get_output_buffer@Base 0.9.1
nft_ctx_new@Base 0.9.1
nft_ctx_output_get_debug@Base 0.9.1
nft_ctx_output_get_flags@Base 0.9.1
nft_ctx_output_set_debug@Base 0.9.1
nft_ctx_output_set_flags@Base 0.9.1
nft_ctx_set_dry_run@Base 0.9.1
nft_ctx_set_error@Base 0.9.1
nft_ctx_set_output@Base 0.9.1
nft_ctx_unbuffer_error@Base 0.9.1
nft_ctx_unbuffer_output@Base 0.9.1
nft_run_cmd_from_buffer@Base 0.9.1
nft_run_cmd_from_filename@Base 0.9.1
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
They are not part of the libnftables library API, they are not public symbols,
so it doesn't not make sense to have them there. Move the two functions to a
different source file so libnftables.c only has the API functions.
I think copyright belongs to Phil Sutter since he introduced this code back in
commit 2535ba7006f22a6470f4c88ea7d30c343a1d8799 (src: get rid of printf).
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The score approach based on command type is confusing.
This patch introduces cache level flags, each flag specifies what kind
of object type is needed. These flags are set on/off depending on the
list of commands coming in this batch.
cache_is_complete() now checks if the cache contains the objects that
are needed through these new flags.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Check for state->nerrs after evaluation to restore error reporting when
evaluation fails.
Fixes: df2f746fb4cf ("libnftables: keep evaluating until parser_max_errors")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bail out after parser_max_errors has been reached, eg.
# nft -f /tmp/errors.nft
/tmp/errors.nft:1:23-23: Error: syntax error, unexpected newline
filter input tcp dport
^
/tmp/errors.nft:2:24-26: Error: datatype mismatch, expected internet network service, expression has type Internet protocol
filter input tcp dport tcp
~~~~~~~~~ ^^^
/tmp/errors.nft:3:24-26: Error: datatype mismatch, expected internet network service, expression has type Internet protocol
filter input tcp sport udp
~~~~~~~~~ ^^^
Fixes: f211921e25e6 ("src: perform evaluation after parsing")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a transaction is rejected by the kernel (for instance due to a
semantic error), cache contents are potentially invalid. Release the
cache in that case to avoid the inconsistency.
The problem is easy to reproduce in an interactive session:
| nft> list ruleset
| table ip t {
| chain c {
| }
| }
| nft> flush ruleset; add rule ip t c accept
| Error: No such file or directory
| flush ruleset; add rule ip t c accept
| ^
| nft> list ruleset
| nft>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch allows us to make one single cache_update() call. Thus, there
is not need to rebuild an incomplete cache from the middle of the batch
processing.
Note that nft_run_cmd_from_filename() does not need a full netlink dump
to build the cache anymore, this should speed nft -f with incremental
updates and very large rulesets.
cache_evaluate() calculates the netlink dump to populate the cache that
this batch needs.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch restores 61236968b7a1 ("parser: evaluate commands immediately
after parsing") following a different approach.
In this patch, the evaluation phase is done if the parsing phase fails,
hence the user gets parsing and evaluation errors in one shot, which is
the purpose of 61236968b7a1.
Note that evaluation errors are now shown after parser errors, the example
available in 61236968b7a1 displays with this patch the following error:
# nft -f /tmp/bad.nft
/tmp/bad.nft:3:32-32: Error: syntax error, unexpected newline
add rule filter input tcp dport
^
/tmp/bad.nft:5:37-41: Error: syntax error, unexpected dport, expecting end of file or newline or semicolon
add rule filter input tcp dport tcp dport
^^^^^
/tmp/bad.nft:4:33-35: Error: datatype mismatch, expected internet network service, expression has type Internet protocol
add rule filter input tcp dport tcp
~~~~~~~~~ ^^^
So evaluation pointing to line 4 happens after line error reporting
generated by the parser that points to line 3, while 61236968b7a1 was
showing errors per line in order. As a future work, we can sort the
error reporting list to restore exactly the same behaviour.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since 61236968b7a1 ("parser: evaluate commands immediately after
parsing"), evaluation is invoked from the parsing phase in order to
improve error reporting.
However, this approach is problematic from the cache perspective since
we don't know if a full or partial netlink dump from the kernel is
needed. If the number of objects in the kernel is significant, the
netlink dump operation to build the cache may significantly slow down
commands.
This patch moves the evaluation phase after the parsing phase as a
preparation update to allow for a better strategy to build the cache.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Display an error in case internal netlink plumbing hits problems.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Set a receiver buffer size based on the number of commands and the
average message size, this is useful for the --echo option in order to
avoid ENOBUFS errors.
On the kernel side, each skbuff consumes truesize from the socket queue
(although it uses NLMSG_GOODSIZE to allocate it), which is approximately
four times the estimated size per message that we get in turn for each
echo message to ensure enough receiver buffer space.
We could also explore increasing the buffer and retry if
mnl_nft_socket_sendmsg() hits ENOBUFS if we ever hit this problem again.
Reported-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
File that contains the ruleset is never closed, track open files through
the nft_ctx object and close them accordingly.
Reported-by: Václav Zindulka <vaclav.zindulka@tlapnet.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Commands may contain data printed by an error record, so make sure
cmd_free() is not called before erec_print_list() has returned.
Fixes: 778de37d82e7b ("libnftables: Keep cmds list outside of parser_state")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds NFT_CTX_OUTPUT_NUMERIC_SYMBOL, which replaces the last
client of the numeric level approach.
This patch updates `-n' option semantics to display all output
numerically.
Note that monitor code was still using the -n option to skip printing
the process name, this patch updates that path too to print it
inconditionally to simplify things.
Given the numeric levels have no more clients after this patch, remove
that code.
Update several tests/shell not to use -nn.
This patch adds NFT_CTX_OUTPUT_NUMERIC_ALL which enables all flags to
provide a fully numerical output.
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Add NFT_CTX_OUTPUT_ECHO flag and echo the command that has been send to
the kernel.
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Add NFT_CTX_OUTPUT_JSON flag and display output in json format.
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Add NFT_CTX_OUTPUT_HANDLE flag and print handle that uniquely identify
objects from new output flags interface.
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
nft_ctx_output_{get,flags}_flags
Add NFT_CTX_OUTPUT_STATELESS flag and enable stateless printing from new
output flags interface.
This patch adds nft_output_save_flags() and nft_output_restore_flags()
to temporarily disable stateful printing
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a partial revert of b0f6a45b25dd1 ("src: add --literal option")
which was added during the development cycle before 0.9.1 is released.
After looking at patch: https://patchwork.ozlabs.org/patch/969864/ that
allows to print priority, uid, gid and protocols as numerics, I decided
to revisit this to provide individual options to turn on literal
printing.
What I'm proposing is to provide a good default for everyone, and
provide options to turn on literal/numeric printing.
This patch adds nft_ctx_output_{set,get}_flags() and define two flags to
enable reverse DNS lookups and to print ports as service names.
This patch introduces -S/--services, to print service names as per
/etc/services.
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The basic principle is to not return a JSON object freshly created from
netlink responses, but just update the existing user-provided one to
make sure callers get back exactly what they expect.
To achieve that, keep the parsed JSON object around in a global variable
('cur_root') and provide a custom callback to insert handles into it
from received netlink messages. The tricky bit here is updating rules
since unique identification is problematic. Therefore drop possibly
present handles from input and later assume updates are received in
order so the first rule not having a handle set is the right one.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Replace it by direct call to mnl_batch_talk().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
These functions are part of the mnl backend, move them there. Remove
netlink_close_sock(), use direct call to mnl_socket_close().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Allocated scanner object leaks when returning to caller. For some odd
reason, this was missed by the commit referenced below.
Fixes: bd82e03e15df8 ("libnftables: Move scanner object into struct nft_ctx")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Default not to print the service name as we discussed during the NFWS.
# nft list ruleset
table ip x {
chain y {
tcp dport 22
ip saddr 1.1.1.1
}
}
# nft -l list ruleset
table ip x {
chain y {
tcp dport ssh
ip saddr 1.1.1.1
}
}
# nft -ll list ruleset
table ip x {
chain y {
tcp dport 22
ip saddr 1dot1dot1dot1.cloudflare-dns.com
}
}
Then, -ll displays FQDN. just like the (now deprecated) --ip2name (-N)
option.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With libnftables documentation being upstream and one confirmed external
user (nftlb), time to break the API!
First of all, the command buffer passed to nft_run_cmd_from_buffer may
(and should) be const. One should consider it a bug if that function
ever changed it's content.
On the other hand, there is no point in passing the buffer's length as
separate argument: NULL bytes are not expected to occur in the input, so
it is safe to rely upon strlen(). Also, the actual parsers don't require
a buffer length passed to them, either. The only use-case for it is when
reallocating the buffer to append a final newline character, there
strlen() is perfectly sufficient.
Suggested-by: Harald Welte <laforge@gnumonks.org>
Cc: Laura Garcia Liebana <nevola@gmail.com>
Cc: Eric Leblond <eric@regit.org>
Cc: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
