path: root/src/netlink_linearize.c
Each entry gives the commit subject, then author, date, files changed and lines changed (-removed/+added), followed by the commit message.
* src: add dup statement support
  Pablo Neira Ayuso, 2015-09-30, 1 file, -0/+37

  This allows you to clone packets to a destination address, e.g.

      ... dup to 172.20.0.2
      ... dup to 172.20.0.2 device eth1
      ... dup to ip saddr map { 192.168.0.2 : 172.20.0.2, ... } device eth1

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add burst parameter to limit
  Pablo Neira Ayuso, 2015-09-23, 1 file, -0/+4

      ... limit rate 1024 mbytes/second burst 10240 bytes
      ... limit rate 1/second burst 3 packets

  This parameter is optional. You need a Linux kernel >= 4.3-rc1.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add per-bytes limit
  Pablo Neira Ayuso, 2015-09-23, 1 file, -0/+1

  This example shows how to accept packets below the ratelimit:

      ... limit rate 1024 mbytes/second counter accept

  You need a Linux kernel >= 4.3-rc1.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: cmp: shift rhs constant if lhs offset doesn't start on byte boundary
  Florian Westphal, 2015-09-18, 1 file, -0/+10

  If we have payload(someoffset) == 42, then shift 42 in case someoffset
  doesn't start on a byte boundary.

  We already insert a mask instruction to only load those bits into the
  register that we were interested in, but the cmp will fail without also
  adjusting rhs accordingly.

  Needs additional patch in reverse direction to undo the shift again when
  dumping ruleset.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* src: netlink_linearize: handle sub-byte lengths
  Florian Westphal, 2015-09-18, 1 file, -2/+44

  Currently length is expr->len / BITS_PER_BYTE, i.e. expr->len has to be
  a multiple of 8.

  When core asks for e.g. '9 bits', we truncate this to 8.

  Round up to 16 and inject a 9-bit mask to zero out the parts we're not
  interested in.

  This will also need a change to the delinearization step to remove the
  extra op when dumping rules from kernel.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* src: use new symbols in libnftnl
  Pablo Neira Ayuso, 2015-09-16, 1 file, -152/+152

  Adapt the nftables code to use the new symbols in libnftnl. This patch
  contains quite some renaming to reserve the nft_ prefix for our high
  level library.

  Explicitly request libnftnl 1.0.5 at configure stage.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_linearize: generate concat expressions
  Patrick McHardy, 2015-06-02, 1 file, -3/+11

  Use the real length for reserving/releasing registers when generating
  concat expressions.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink_linearize: use NFT_REG32 values internally
  Patrick McHardy, 2015-06-02, 1 file, -4/+39

  Prepare netlink_linearize for 32 bit register usage:

  Switch to use 16 data registers of 32 bit each. A helper function takes
  care of mapping the registers to the NFT_REG32 values and, if the
  register refers to the beginning of a 128 bit area, the old NFT_REG_1-4
  values for compatibility.

  New register reservation and release helper functions take the size into
  account and reserve the required amount of registers.

  The reservation and release functions will so far still always allocate
  128 bit. If no other expression in a rule uses a 32 bit register
  directly, these will be mapped to the old register values, meaning
  everything continues to work with old kernel versions.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink: pass expression to register allocation/release functions
  Patrick McHardy, 2015-06-02, 1 file, -26/+28

  Prepare for taking the expression size into account.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* Merge remote-tracking branch 'origin/master' into next-4.1
  Patrick McHardy, 2015-06-02, 1 file, -2/+3

* netlink_linearize: fix range cmp instruction generation
  Patrick McHardy, 2015-06-02, 1 file, -2/+3 (from origin/master, brought in by the merge above)

  The LHS expression is generated twice and the register not properly
  released. Fix by calling netlink_gen_range() before generating the LHS.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* nftables: add set statement
  Patrick McHardy, 2015-04-12, 1 file, -0/+24

  The set statement is used to dynamically add or update elements in a set.

  Syntax:

      # nft filter input set add tcp dport @myset
      # nft filter input set add ip saddr timeout 10s @myset
      # nft filter input set update ip saddr timeout 10s @myset

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* expr: add set_elem_expr as container for set element attributes
  Patrick McHardy, 2015-04-12, 1 file, -0/+2

  Add a new expression type "set_elem_expr" that is used as container for
  the key in order to attach different attributes, such as timeout values,
  to the key. The expression hierarchy is as follows:

  Sets:

            elem
             |
            key

  Maps:

           mapping
           /     \
        elem     data
         |
        key

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink_linearize: add register dumping helper function
  Patrick McHardy, 2015-01-11, 1 file, -34/+40

  Add a helper function to dump netlink register numbers in preparation of
  concat support.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: add redirect support
  Arturo Borrero, 2014-11-04, 1 file, -0/+49

  This patch adds redirect support for nft.

  The syntax is:

      % nft add rule nat prerouting redirect [port] [nat_flags]

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add masquerade support
  Arturo Borrero, 2014-10-09, 1 file, -0/+15

  This patch adds masquerade support for nft.

  The syntax is:

      % nft add rule nat postrouting masquerade [flags]

  Currently, flags are: random, random-fully, persistent

  Example:

      % nft add rule nat postrouting masquerade random,persistent

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add nat persistent and random options
  Arturo Borrero, 2014-10-09, 1 file, -0/+3

  This patch adds more configuration options to the nat expression.

  The syntax is as follows:

      % nft add rule nat postrouting <snat|dnat> <nat_arguments> [flags]

  Flags are: random, persistent, random-fully.

  Example:

      % nft add rule nat postrouting dnat 1.1.1.1 random,persistent

  A requirement is to cache some [recent] copies of kernel headers.

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: complete reject support
  Alvaro Neira, 2014-10-09, 1 file, -1/+4

  This patch allows using the reject action in rules. For example:

      nft add rule filter input udp dport 22 reject

  In this rule, we assume that the reason is network unreachable.

  Also we can specify the reason with the option "with" and the reason.
  For example:

      nft add rule filter input tcp dport 22 reject with icmp type host-unreachable

  In the bridge tables and inet tables, we can use this action too. For
  example:

      nft add rule inet filter input reject with icmp type host-unreachable

  In the rule above, this generates a meta nfproto dependency to match ipv4
  traffic because we use an icmpv4 reason to reject. If the reason is not
  specified, we infer it from the context.

  Moreover, we have the new icmpx datatype. You can use this datatype for
  the bridge and the inet tables to simplify your ruleset. For example:

      nft add rule inet filter input reject with icmpx type host-unreachable

  We have four icmpx reasons and the mapping is:

      ICMPX reason     | ICMPv6           | ICMPv4
                       |                  |
      admin-prohibited | admin-prohibited | admin-prohibited
      port-unreachable | port-unreachable | port-unreachable
      no-route         | no-route         | net-unreachable
      host-unreachable | addr-unreachable | host-unreachable

  Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* queue: clean up queue statement
  Patrick McHardy, 2014-09-24, 1 file, -8/+14

  - Rename keyword tokens to their actual keyword
  - Change the grammar to follow the standard schema for statements and
    arguments
  - Use actual expression for the queue numbers to support using normal
    range expressions, symbolic expression and so on.
  - Restore comma separation of flag keywords

  The result is that it's possible to use standard ranges, prefix
  expressions, symbolic expressions etc for the queue number. We get
  checks for overflow, negative ranges and so on automatically.

  The comma separation of flags is more similar to what we have for other
  flag values. It is still possible to use spaces, however this could be
  removed since we never had a release supporting that.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* log: netlink_linearize: don't set level if user didn't specify
  Pablo Neira Ayuso, 2014-09-12, 1 file, -1/+4

  The kernel will default on LOG_WARNING, to mimic iptables behaviour.

  Reported-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: don't return error in netlink_linearize_rule()
  Pablo Neira Ayuso, 2014-08-19, 1 file, -3/+2

  This function converts the rule from the list of statements to the
  netlink message format. The only two possible errors that can make this
  function fail are memory exhaustion and malformed statements, which
  immediately stop the execution of nft.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* linearize: generate unary expression with the appropriate operation
  Alvaro Neira, 2014-08-19, 1 file, -1/+1

  If we add a unary expression whose operation is ntoh, we use hton. This
  looks like a typo.

  Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add level option to the log statement
  Pablo Neira Ayuso, 2014-07-25, 1 file, -9/+9

  This patch is required if you use upcoming Linux kernels >= 3.17 which
  come with a complete logging support for nf_tables.

  If you use 'log' without options, the kernel logging buffer is used:

      nft> add rule filter input log

  You can also specify the logging prefix string:

      nft> add rule filter input log prefix "input: "

  You may want to specify the log level:

      nft> add rule filter input log prefix "input: " level notice

  By default, if not specified, the default level is 'warn' (just like in
  iptables).

  If you specify the group, then nft uses the nfnetlink_log instead:

      nft> add rule filter input log prefix "input: " group 10

  You can also specify the snaplen and qthreshold for the nfnetlink_log.
  But you cannot mix level and group at the same time, they are mutually
  exclusive.

  Default values for both snaplen and qthreshold are 0 (just like in
  iptables).

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: Correct initial value of bytes counter in nftables rule
  Yanchuan Nian, 2014-06-25, 1 file, -1/+1

  Packets can be accounted by nftables through a command such as:

      % nft add rule filter output ip daddr 8.8.8.8 counter

  You can also give the initial values of packets and bytes.

      % nft add rule filter output ip daddr 8.8.8.8 counter packets 10 bytes 20

  But packets and bytes are both initialized to 10 in the above command,
  for there is a mistake in the program.

  Signed-off-by: Yanchuan Nian <ycnian@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: revert broken reject icmp code support
  Pablo Neira Ayuso, 2014-06-20, 1 file, -1/+1

  This patch reverts Alvaro's 34040b1 ("reject: add ICMP code parameter
  for indicating the type of error") and 11b2bb2 ("reject: Use protocol
  context for indicating the reject type").

  These patches are flawed by two things:

  1) IPv6 support is broken, only ICMP codes are considered.

  2) If you don't specify any transport context, the utility exits without
     adding the rule, eg. nft add rule ip filter input reject.

  The kernel is also flawed when it comes to the inet table.

  Let's revert this until we can provide decent reject reason support.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* reject: add ICMP code parameter for indicating the type of error
  Álvaro Neira Ayuso, 2014-06-16, 1 file, -1/+1

  This patch allows indicating the ICMP code field in case that we use to
  reject. Before, we have always sent network unreachable error as ICMP
  code, now we can explicitly indicate the ICMP code that we want to use.

  Examples:

      nft add rule filter input tcp dport 22 reject with host-unreach
      nft add rule filter input udp dport 22 reject with host-unreach

  In this case, it will use the host unreachable code to reject traffic.

  The default code field still is network unreachable and we can also use
  the rules without the "with" like that:

      nft add rule filter input udp dport 22 reject

  Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* queue: More compact syntax
  Álvaro Neira Ayuso, 2014-06-11, 1 file, -5/+7

  This patch allows using a new, more compact syntax and breaks the
  current syntax. This new syntax is more similar to the nftables syntax
  that we use usually. We can use ranges like we have used in other cases
  in nftables.

  Here, we have some examples:

  Before, if we wanted to declare a queue, we used a syntax like this:

      nft add rule test input queue num 1 total 3 options bypass,fanout

  If we want to use the queue number 1 and the two next (total 3), we use
  a range in the new syntax, for example:

      nft add rule test input queue num 1-3 bypass fanout

  Also if we want to use only one queue, the new rules are like:

      nft add rule test input queue num 1    # queue 1

  or

      nft add rule test input queue          # queue 0

  And if we want to add specific flags we only need to put what flags we
  want to use:

      nft add rule test input queue bypass

  We don't need to use options and the comma for indicating the flags.

  Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: Allow to invert the ranges
  Álvaro Neira Ayuso, 2014-06-05, 1 file, -6/+39

  This patch fixes the bug:
  http://bugzilla.netfilter.org/show_bug.cgi?id=924

  Before, nftables didn't permit inverted ranges. This patch allows adding
  rules like this:

      nft add rule ip test input ip daddr != 192.168.1.2-192.168.1.55

  or

      nft add rule ip test input ip daddr == 192.168.1.2-192.168.1.55

  Also, we still have the option for adding rules like this:

      sudo nft add rule ip test output frag id 33-45

  Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add set netlink message to the batch
  Pablo Neira Ayuso, 2014-05-19, 1 file, -0/+4

  This patch moves the netlink set messages to the batch that contains the
  rules. This helps to speed up rule-set restoration time by changing the
  operational.

  To achieve this, an internal set ID which is unique to the batch is
  allocated as suggested by Patrick.

  To retain backward compatibility, nft initially guesses if the kernel
  supports set in batches. Otherwise, it falls back to the previous
  (slower) operational.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: add support for setting ct mark
  Arturo Borrero, 2014-03-13, 1 file, -0/+18

  This patch adds the possibility to set ct keys using nft. Currently, the
  connection mark is supported.

  This functionality enables creating rules performing the same action as
  iptables -j CONNMARK --save-mark. For example:

      table ip filter {
          chain postrouting {
              type filter hook postrouting priority 0;
              ip protocol icmp ip daddr 8.8.8.8 ct mark set meta mark
          }
      }

  My patch is based on the original http://patchwork.ozlabs.org/patch/307677/
  by Kristian Evensen <kristian.evensen@gmail.com>. I simply did a rebase
  and some testing.

  To test, I added rules like these:

      counter meta mark set 1 counter
      counter ct mark set mark counter
      counter ct mark 1 counter

  The last matching worked as expected, which means the second rule is
  also working as expected.

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Acked-by: Kristian Evensen <kristian.evensen@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: fix prefix expression handling
  Patrick McHardy, 2014-02-17, 1 file, -2/+9

  The prefix expression handling is full of bugs:

  - netlink_gen_data() is used to construct the prefix mask from the full
    prefix expression. This is both conceptually wrong, the prefix
    expression is *not* data, and buggy, it only assumes network masks and
    thus only handles big endian types.

  - Prefix expression reconstruction doesn't check whether the mask is a
    valid prefix and reconstructs crap otherwise. It doesn't reconstruct
    prefixes for anything but network addresses. On top of that it's
    needlessly complicated, using the mpz values directly it's a simple
    matter of finding the sequence of 1's that extend up to the full width.

  - Unnecessary cloning of expressions where a simple refcount increase
    would suffice.

  Rewrite that code properly.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink_linearize: fix flagcmp op
  Patrick McHardy, 2014-02-16, 1 file, -4/+3

  Florian reports that flag comparisons generate incorrect instructions:

      $ nft --debug=netlink add rule filter output ct labels foo
      ip filter output 0 0
        [ ct load labels => reg 1 ]
        [ bitwise reg 1 = (reg=1 & 0x00000001 0x00000000 0x00000000 0x00000000 ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ]
        [ cmp neq reg 1 0x00000001 0x00000000 0x00000000 0x00000000 ]

  The "cmp neq" should compare to zero. This was broken by commit aae836a7
  (src: use libnftables) by using expr->right instead of zero. Slightly
  rearrange the code as well to prevent similar problems in the future.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* Merge remote-tracking branch 'origin/master' into next-3.14
  Patrick McHardy, 2014-01-14, 1 file, -7/+7

* netlink: fix wrong type in attributes
  Pablo Neira Ayuso, 2014-01-10, 1 file, -7/+7 (from origin/master, brought in by the merge above)

  Fix inconsistent attribute types in meta and cmp expressions, use
  uint32_t.

  This problem was added when converting nft to use libmnl and
  libnftables.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for queue
  Eric Leblond, 2014-01-04, 1 file, -0/+22

  This patch adds support for the queue target. It is now possible to
  specify rule sending packet to a given queue and using load balancing:

      nft add rule filter output queue num 3 total 2 options fanout

  Signed-off-by: Eric Leblond <eric@regit.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: add support to set meta keys
  Pablo Neira Ayuso, 2013-12-28, 1 file, -0/+2

  Arturo Borrero added kernel support to set meta keys in
  http://patchwork.ozlabs.org/patch/305281/ and the corresponding library
  support in http://patchwork.ozlabs.org/patch/305283/.

  This patch enhances nft to use this new kernel feature. The following
  example shows how to set the packet mark.

      % nft add rule ip filter input meta mark set 22
      % nft list table filter
      table ip filter {
          chain input {
              type filter hook input priority 0;
              meta mark set 0x00000016
          }
      }

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* jump: fix logic in netlink linearize
  Eric Leblond, 2013-11-19, 1 file, -1/+2

  Logic in the test was inverted. The result was that the jump string was
  not set.

  Reported-by: Alex Chapman <ajchapman88@hotmail.co.uk>
  Signed-off-by: Eric Leblond <eric@regit.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_linearize: finish reject support
  Pablo Neira Ayuso, 2013-10-27, 1 file, -1/+3

  This patch finishes the reject support.

  Reported-by: Jiri Benc <jbenc@redhat.com>
  Tested-by: Jiri Benc <jbenc@redhat.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: operational limit match
  Phil Oester, 2013-10-22, 1 file, -2/+2

  The nft limit match currently does not work at all. Below patches to
  nftables, libnftables, and kernel address the issue. A few notes on the
  implementation:

  - Removed support for nano/micro/milli second limits. These seem
    pointless, given we are using jiffies in the limit match, not a hpet.
    And who really needs to limit items down to sub-second level??

  - 'depth' member is removed as unnecessary. All we need in the kernel is
    the rate and the unit.

  - 'stamp' member becomes the time we need to next refresh the token
    bucket, instead of being updated on every packet which goes through
    the match.

  This closes netfilter bugzilla #827, reported by Eric Leblond.

  Signed-off-by: Phil Oester <kernel@linuxace.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nat: add mandatory family attribute
  Eric Leblond, 2013-09-17, 1 file, -0/+4

  NFT_EXPR_NAT_FAMILY is a mandatory attribute for NAT rules and it was
  not set by nftables.

  Signed-off-by: Eric Leblond <eric@regit.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* log: convert group and qthreshold to use u16
  Pablo Neira Ayuso, 2013-08-17, 1 file, -2/+2

  Required since (netfilter: nft_log: group and qthreshold are 2^16)
  kernel change.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: fix network address prefix
  Pablo Neira Ayuso, 2013-06-24, 1 file, -3/+21

  eg.

      nft add rule filter output ip daddr 192.168.1.0/24 counter

  so far, this operation was only possible using sets.

      nft add rule filter output ip daddr \{ 192.168.1.0/24 \} counter

  While at it, move all binop postprocess code to a new function that
  contains this transformation and the existing bitmask to constant (as
  used by eg. ct state new,established).

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use libnftables
  Pablo Neira Ayuso, 2013-06-24, 1 file, -140/+195

  This patch migrates nft to use the libnftables library, that is used by
  the iptables over nftables compat utility as well.

  Most of the conversion was pretty straightforward. Some small significant
  changes happened in the handling of set element and immediate data
  abstraction that libnl provides. libnftables is a bit more granular since
  it splits the struct nfnl_nft_data into three attributes: verdict, chain
  and plain data (used in maps).

  I have added a new file src/mnl.c that contains the low level netlink
  communication that now resides in nftables source tree instead of the
  library. This should help to implement the batching support using libmnl
  in follow up patches.

  I also spent some significant amount of time running my tests to make
  sure that we don't increase the number of bugs that we already have (I
  plan to provide a list of those that I have detected and diagnosed, so
  anyone else can help us to fix them).

  As a side effect, this change should also prepare the ground for JSON
  and XML support anytime soon.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix counter restoration
  Eric Leblond, 2013-06-12, 1 file, -0/+4

  It was not possible to restore a ruleset containing counter. The packets
  and bytes fields were not known from the parser but they were in the
  output of the list command.

  This patch fixes the issue by restoring correctly the counters if they
  are present in the command.

  Signed-off-by: Eric Leblond <eric@regit.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* debug: include verbose message in all BUG statements
  root, 2012-12-08, 1 file, -7/+7

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* expression: Differentiate expr among anonymous structures in struct expr
  Tomasz Bursztyka, 2012-08-03, 1 file, -1/+1

  This fixes compilation with gcc-4.7

  Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: fix nat stmt linearization/parsing
  Patrick McHardy, 2010-07-06, 1 file, -24/+24

  Fix invalid register use when parsing NAT statements and handle range
  expressions during postprocessing. When linearizing, allocate all
  registers for both proto and address expressions at once to avoid double
  use.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* debug: allow runtime control of debugging output
  Patrick McHardy, 2009-07-28, 1 file, -2/+0

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* add support for new set API and standalone sets
  Patrick McHardy, 2009-07-28, 1 file, -61/+9

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink: move data related functions to netlink.c
  Patrick McHardy, 2009-03-31, 1 file, -77/+4

  Move the data related function to netlink.c as they're going to be
  needed outside of rule context for set maintenance.

  Signed-off-by: Patrick McHardy <kaber@trash.net>