| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Store the location of the chain type for better error reporting.
Several users that compile custom kernels reported that error
reporting is misleading when accidentally selecting
CONFIG_NFT_NAT=n.
After this patch, a better hint is provided:
# nft 'add chain x y { type nat hook prerouting priority dstnat; }'
Error: Could not process rule: No such file or directory
add chain x y { type nat hook prerouting priority dstnat; }
^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Extend exthdr expression to support scanning through SCTP packet chunks
and matching on fixed fields' values.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
This isolates only "vtag" token for now.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the following shortcut syntax:
expression flags / flags
instead of:
expression and flags == flags
For example:
tcp flags syn,ack / syn,ack,fin,rst
^^^^^^^ ^^^^^^^^^^^^^^^
value mask
instead of:
tcp flags and (syn|ack|fin|rst) == syn|ack
The second list of comma-separated flags represents the mask which are
examined and the first list of comma-separated flags must be set.
You can also use the != operator with this syntax:
tcp flags != fin,rst / syn,ack,fin,rst
This shortcut is based on the prefix notation, but it is also similar to
the iptables tcp matching syntax.
This patch introduces the flagcmp expression to print the tcp flags in
this new notation. The delinearize path transforms the binary expression
to this new flagcmp expression whenever possible.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a catchall expression (EXPR_SET_ELEM_CATCHALL).
Use the asterisk (*) to represent the catch-all set element, e.g.
table x {
set y {
type ipv4_addr
counter
elements = { 1.2.3.4 counter packets 0 bytes 0, * counter packets 0 bytes 0 }
}
}
Special handling for segtree: zap the catch-all element from the set
element list and re-add it after processing.
Remove wildcard_expr deadcode in src/parser_bison.y
This patch also adds several tests for the tests/py and tests/shell
infrastructures.
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Add a rule to specify the set key expression in preparation for the
catch-all element support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Add support for matching on the cgroups version 2.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Complete e6c32b2fa0b8 ("src: add negation match on singleton bitmask
value") which was missing comma-separated list of flags.
This patch provides a shortcut for:
tcp flags and fin,rst == 0
which allows to check for the packet whose fin and rst bits are unset:
# nft add rule x y tcp flags not fin,rst counter
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes a syntax error after loading a nft
dump with a set including stateful ct connlimit elements.
Having a nft dump as per below:
table ip nftlb {
set connlimit-set {
type ipv4_addr
size 65535
flags dynamic
elements = { 84.245.120.167 ct count over 20 , 86.111.207.45 ct count over 20 ,
173.212.220.26 ct count over 20 , 200.153.13.235 ct count over 20 }
}
}
The syntax error is shown when loading the ruleset.
root# nft -f connlimit.nft
connlimit.nft:15997:31-32: Error: syntax error, unexpected ct, expecting comma or '}'
elements = { 84.245.120.167 ct count over 20 , 86.111.207.45 ct count over 20 ,
^^
connlimit.nft:16000:9-22: Error: syntax error, unexpected string
173.212.220.26 ct count over 20 , 200.153.13.235 ct count over 20 }
^^^^^^^^^^^^^^
After applying this patch a kernel panic is raised running
nft_rhash_gc() although no packet reaches the set.
The following patch [0] should be used as well:
4d8f9065830e5 ("netfilter: nftables: clone set element expression template")
Note that the kernel patch will produce the emptying of the
connection tracking, so the restore of the conntrack states
should be considered.
[0]: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/?id=4d8f9065830e526c83199186c5f56a6514f457d2
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Remove ft_flags_spec rule.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
It is closed after allocation, which is too early: this
stopped 'packets' and 'bytes' from getting parsed correctly.
Also add a test case for this.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
allow flags (currently only offload) in flowtables like it is stated
here: https://lwn.net/Articles/804384/
tested on mt7622/Bananapi-R64
table ip filter {
flowtable f {
hook ingress priority filter + 1
devices = { lan3, lan0, wan }
flags offload;
}
chain forward {
type filter hook forward priority filter; policy accept;
ip protocol { tcp, udp } flow add @f
}
}
table ip nat {
chain post {
type nat hook postrouting priority filter; policy accept;
oifname "wan" masquerade
}
}
Signed-off-by: Frank Wunderlich <frank-w@public-files.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
GROUP and PREFIX are used by igmp and nat, so they can't be moved out of
INITIAL scope yet.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
move bytes/packets away from initial state.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
... and move "used" keyword to it.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Moves rate and burst out of INITIAL.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
ID needs to remain exposed as its used by ct, icmp, icmp6 and so on.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
allows to move the arp specific tokens out of the INITIAL scope.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
just like previous change: useless as-is, but prepares
for removal of saddr/daddr from INITIAL scope.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
makes no sense as-is because all keywords need to stay
in the INITIAL scope.
This can be changed after all saddr/daddr users have been scoped.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
move flowlabel and hoplimit.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Move the ip option names (rr, lsrr, ...) out of INITIAL scope.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This allows moving multiple ct specific keywords out of INITIAL scope.
Next few patches follow same pattern:
1. add a scope_close_XXX rule
2. add a SCANSTATE_XXX & make flex switch to it when
encountering XXX keyword
3. make bison leave SCANSTATE_XXXX when it has seen the complete
expression.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
classid and nexthop can be moved out of INIT scope.
Rest are still needed because tehy are used by other expressions as
well.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
... and hide the ipsec specific tokens from the INITITAL scope.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
allows to remove 3 queue specific keywords from INITIAL scope.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a small initial chunk of flex start conditionals.
This starts with two low-hanging fruits, numgen and j/symhash.
NUMGEN and HASH start conditions are entered from flex when
the corresponding expression token is encountered.
Flex returns to the INIT condition when the bison parser
has seen a complete numgen/hash statement.
This intentionally uses a stack rather than BEGIN()
to eventually support nested states.
The scanner_pop_start_cond() function argument is not used yet, but
will need to be used later to deal with nesting.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Add new ct_cmd_type and avoid copypaste of the ct cmd_list rules.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Similar to previous patch, we can avoid duplication.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
No need to have duplicate CMD rules for spec and specid: add and use
a common rule for those cases.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add new flag to allow userspace process to own tables: Tables that have
an owner can only be updated/destroyed by the owner. The table is
destroyed either if the owner process calls nft_ctx_free() or owner
process is terminated (implicit table release).
The ruleset listing includes the program name that owns the table:
nft> list ruleset
table ip x { # progname nft
flags owner
chain y {
type filter hook input priority filter; policy accept;
counter packets 1 bytes 309
}
}
Original code to pretty print the netlink portID to program name has
been extracted from the conntrack userspace utility.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
"typeof .... : ip saddr . tcp dport" is legal.
This makes 'testcases/maps/nat_addr_port' pass again.
Fixes: 4ab1e5e6077918 ("src: allow use of 'verdict' in typeof definitions")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
'verdict' cannot be used as part of a map typeof-based key definition,
its a datatype and not an expression, e.g.:
typeof iifname . ip protocol . th dport : verdic
... will fail.
Make the parser convert a 'verdict' symbol to a verdict expression
and allow to store its presence as part of the typeof key definition.
Reported-by: Frank Myhr <fmyhr@fhmtech.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch provides a shortcut for:
ct status and dnat == 0
which allows to check for the packet whose dnat bit is unset:
# nft add rule x y ct status ! dnat counter
This operation is only available for expression with a bitmask basetype, eg.
# nft describe ct status
ct expression, datatype ct_status (conntrack status) (basetype bitmask, integer), 32 bits
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The ratelimiter in nftables is similar to the one in iptables, and
iptables disallows a zero burst.
Update the byte rate limiter not to print burst 5 (default value).
Update tests/py payloads to print burst 5 instead of zero when the
burst is unspecified.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Extend the set element infrastructure to support for several statements.
This patch places the statements right after the key when printing it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch allows for two statements for dynamic set updates, e.g.
nft rule x y add @y { ip daddr limit rate 1/second counter }
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
also, no need for this struct to be in the parser.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
Call close_scope() from chain_block_alloc only.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1485
Fixes: c330152b7f77 ("src: support for implicit chain bindings")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Update parser to allow to restore limit per set element in dynamic set.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1477
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
tcp option @42,16,4 (@kind,offset,length).
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
nft currently doesn't allow to check for presence of arbitrary tcp options.
Only known options where nft provides a template can be tested for.
This allows to test for presence of raw protocol values as well.
Example:
tcp option 42 exists
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently we're limited to ten template fields in exthdr_desc struct.
Using a single enum for all tpc option fields thus won't work
indefinitely (TCPOPTHDR_FIELD_TSECR is 9) when new option templates get
added.
Fortunately we can just use one enum per tcp option to avoid this.
As a side effect this also allows to simplify the sack offset
calculations. Rather than computing that on-the-fly, just add extra
fields to the SACK template.
expr->exthdr.offset now holds the 'raw' value, filled in from the option
template. This would ease implementation of 'raw option matching'
using offset and length to load from the option.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
tcpopt template mapping is asymmetric:
one mapping is to match dumped netlink exthdr expression to the original
tcp option template.
This struct is indexed by the raw, on-write kind/type number.
The other mapping maps parsed options to the tcp option template.
Remove the latter. The parser is changed to translate the textual
option name, e.g. "maxseg" to the on-wire number.
This avoids the second mapping, it will also allow to more easily
support raw option matching in a followup patch.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
One was added by the tcp option parsing ocde, the other by synproxy.
So we have:
synproxy ... sack-perm
synproxy ... mss
and
tcp option maxseg
tcp option sack-permitted
This kills the extra tokens on the scanner/parser side,
so sack-perm and sack-permitted can both be used.
Likewise, 'synproxy maxseg' and 'tcp option mss size 42' will work too.
On the output side, the shorter form is now preferred, i.e. sack-perm
and mss.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch enables the user to specify a comment when adding a chain.
Relies on kernel space supporting userdata for chains.
> nft add table ip filter
> nft add chain ip filter input { comment "test"\; type filter hook input priority 0\; policy accept\; }
> list ruleset
table ip filter {
chain input {
comment "test"
type filter hook input priority filter; policy accept;
}
}
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
