summaryrefslogtreecommitdiffstats
path: root/src/scanner.l
Commit message (Collapse)AuthorAgeFilesLines
* src: add log flags syntax supportLiping Zhang2016-11-241-0/+3
| | | | | | | | | | | | | | | | | | | | | Now NF_LOG_XXX is exposed to the userspace, we can set it explicitly. Like iptables LOG target, we can log TCP sequence numbers, TCP options, IP options, UID owning local socket and decode MAC header. Note the log flags are mutually exclusive with group. Some examples are listed below: # nft add rule t c log flags tcp sequence,options # nft add rule t c log flags ip options # nft add rule t c log flags skuid # nft add rule t c log flags ether # nft add rule t c log flags all # nft add rule t c log flags all group 1 <cmdline>:1:14-16: Error: flags and group are mutually exclusive add rule t c log flags all group 1 ^^^ Signed-off-by: Liping Zhang <zlpnobody@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add notrack supportPablo Neira Ayuso2016-11-141-0/+2
| | | | | | | This patch adds the notrack statement, to skip connection tracking for certain packets. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add fib expressionFlorian Westphal2016-10-281-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds the 'fib' expression which can be used to obtain the output interface from the route table based on either source or destination address of a packet. This can be used to e.g. add reverse path filtering: # drop if not coming from the same interface packet # arrived on # nft add rule x prerouting fib saddr . iif oif eq 0 drop # accept only if from eth0 # nft add rule x prerouting fib saddr . iif oif eq "eth0" accept # accept if from any valid interface # nft add rule x prerouting fib saddr oif accept Querying of address type is also supported. This can be used to e.g. only accept packets to addresses configured in the same interface: # fib daddr . iif type local Its also possible to use mark and verdict map, e.g.: # nft add rule x prerouting meta mark set 0xdead fib daddr . mark type vmap { blackhole : drop, prohibit : drop, unicast : accept } Signed-off-by: Florian Westphal <fw@strlen.de>
* rt: introduce routing expressionAnders K. Pedersen2016-10-281-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Introduce rt expression for routing related data with support for nexthop (i.e. the directly connected IP address that an outgoing packet is sent to), which can be used either for matching or accounting, eg. # nft add rule filter postrouting \ ip daddr 192.168.1.0/24 rt nexthop != 192.168.0.1 drop This will drop any traffic to 192.168.1.0/24 that is not routed via 192.168.0.1. # nft add rule filter postrouting \ flow table acct { rt nexthop timeout 600s counter } # nft add rule ip6 filter postrouting \ flow table acct { rt nexthop timeout 600s counter } These rules count outgoing traffic per nexthop. Note that the timeout releases an entry if no traffic is seen for this nexthop within 10 minutes. # nft add rule inet filter postrouting \ ether type ip \ flow table acct { rt nexthop timeout 600s counter } # nft add rule inet filter postrouting \ ether type ip6 \ flow table acct { rt nexthop timeout 600s counter } Same as above, but via the inet family, where the ether type must be specified explicitly. "rt classid" is also implemented identical to "meta rtclassid", since it is more logical to have this match in the routing expression going forward. Signed-off-by: Anders K. Pedersen <akp@cohaesio.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: allow resolving meta keys at run timeFlorian Westphal2016-10-271-2/+0
| | | | | | | | | use the meta template to translate the textual token to the enum value. This allows to remove two keywords from the scanner and also means we do not need to introduce new keywords when more meta keys get added. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: allow resolving ct keys at run timeFlorian Westphal2016-10-271-6/+0
| | | | | | | ... and remove those keywords we no longer need. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: add offset keyword and parser rulePablo Neira Ayuso2016-10-271-0/+1
| | | | | | This is required by the numgen and jhash expressions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: don't need keyword for log levelPablo Neira Ayuso2016-10-211-8/+0
| | | | | | | We can handle log levels without keywords in our grammar, use string instead. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add hash expressionPablo Neira Ayuso2016-08-291-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This is special expression that transforms an input expression into a 32-bit unsigned integer. This expression takes a modulus parameter to scale the result and the random seed so the hash result becomes harder to predict. You can use it to set the packet mark, eg. # nft add rule x y meta mark set jhash ip saddr . ip daddr mod 2 seed 0xdeadbeef You can combine this with maps too, eg. # nft add rule x y dnat to jhash ip saddr mod 2 seed 0xdeadbeef map { \ 0 : 192.168.20.100, \ 1 : 192.168.30.100 \ } Currently, this expression implements the jenkins hash implementation available in the Linux kernel: http://lxr.free-electrons.com/source/include/linux/jhash.h But it should be possible to extend it to support any other hash function type. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add numgen expressionPablo Neira Ayuso2016-08-291-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This new expression allows us to generate incremental and random numbers bound to a specified modulus value. The following rule sets the conntrack mark of 0 to the first packet seen, then 1 to second packet, then 0 again to the third packet and so on: # nft add rule x y ct mark set numgen inc mod 2 A more useful example is a simple load balancing scenario, where you can also use maps to set the destination NAT address based on this new numgen expression: # nft add rule nat prerouting \ dnat to numgen inc mod 2 map { 0 : 192.168.10.100, 1 : 192.168.20.200 } So this is distributing new connections in a round-robin fashion between 192.168.10.100 and 192.168.20.200. Don't forget the special NAT chain semantics: Only the first packet evaluates the rule, follow up packets rely on conntrack to apply the NAT information. You can also emulate flow distribution with different backend weights using intervals: # nft add rule nat prerouting \ dnat to numgen inc mod 10 map { 0-5 : 192.168.10.100, 6-9 : 192.168.20.200 } So 192.168.10.100 gets 60% of the workload, while 192.168.20.200 gets 40%. We can also be mixed with dynamic sets, thus weight can be updated in runtime. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add quota statementPablo Neira Ayuso2016-08-291-0/+2
| | | | | | | | | | | | | This new statement is stateful, so it can be used from flow tables, eg. # nft add rule filter input \ flow table http { ip saddr timeout 60s quota over 50 mbytes } drop This basically sets a quota per source IP address of 50 mbytes after which packets are dropped. Note that the timeout releases the entry if no traffic is seen from this IP after 60 seconds. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: meta priority support using tc classidPablo Neira Ayuso2016-08-181-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the missing bits to scan and parse the meta priority handle as expressed by tc classid major:minor syntax. The :minor syntax is not support for two reason: major is always >= 1 and this clashes with port syntax in nat. Here below, several example on how to match the packet priority field: nft add rule filter forward meta priority abcd:0 nft add rule filter forward meta priority abcd:1234 and to set it, you have to: nft add rule filter forward meta priority set abcd:1234 The priority expression in flex looks ahead to restrict the pattern to avoid problems with mappings: {classid}/[ \t\n:\-},] So the following doesn't break: ... vmap { 25:accept } ^^^^^ The lookahead expression requires a slight change to extend the input string in one byte. This patch is conservative as you always have to explicity indicate major and minor numbers even if zero. We could consider supporting this shortcut in the future: abcd: However, with regards to this: :abcd We don't need to support it since major number is assumed to be >= 1. However, if we ever decide to support this, we'll have problems since this clashes with our port representation in redirect and mangle. So let's keep this simple and start with this approach. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: remove range expressionPablo Neira Ayuso2016-08-181-1/+0
| | | | | | This expression is not used anywhere in this scanner code. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: allow strings starting by underscores and dotsPablo Neira Ayuso2016-08-181-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | POSIX.1-2008 (which is simultaneously IEEE Std 1003.1-2008) says: "The set of characters from which portable filenames are constructed. A B C D E F G H I J K L M N O P Q R S T U V W X Y Z a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9 . _ -" On top of that it says: "The <hyphen> character should not be used as the first character of a portable user name." This allows a bit more things that NAME_REGEX though, but this still looks fine to me. For more info, see: http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_431 http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_278 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for RFC2732 IPv6 address format with bracketsPablo Neira Ayuso2016-08-181-0/+7
| | | | | | | | | | | | | | The statement: dnat to 2001:838:35f:1:::80 is very confusing as it is not so easy to identify where address ends and the port starts. This even harder to read with ranges. So this patch adds squared brackets as RFC2732 to enclose the IPv6 address. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: don't break line on include error messagePablo Neira Ayuso2016-08-101-1/+1
| | | | | | | For consistency with other error messages in this codebase, don't add a line break. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: don't fall back on current directory if include is not foundPablo Neira Ayuso2016-08-101-7/+6
| | | | | | | | | This resolves an ambiguity if the same file name is used both under sysconfdir and the current working directory. You can use dot slash ./ to explicitly refer to files in the current working directory. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1040 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: honor absolute and relative paths via include filePablo Neira Ayuso2016-08-101-7/+17
| | | | | | | | If the path refers to an absolute or relative path, do not check for the default include paths, eg. /etc/nftables/. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1040 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add 'list maps' supportPablo M. Bermudo Garay2016-05-311-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | This commit adds a new command that lists maps: # nft list maps [family] Only the declaration is displayed. If no family is specified, all maps of all families are listed. Example: # nft list maps table ip filter { map test { type ipv4_addr : inet_service } } table ip6 filter { map test { type ipv6_addr : inet_service } } Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add flow statementPatrick McHardy2016-05-131-0/+2
| | | | | | | | | | | | | | | The flow statement allows to instantiate per flow statements for user defined flows. This can so far be used for per flow accounting or limiting, similar to what the iptables hashlimit provides. Flows can be aged using the timeout option. Examples: # nft filter input flow ip saddr . tcp dport limit rate 10/second # nft filter input flow table acct iif . ip saddr timeout 60s counter Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add ecn supportPablo Neira Ayuso2016-05-111-0/+1
| | | | | | | | | | | | | | | | | | | | | | This supports both IPv4: # nft --debug=netlink add rule ip filter forward ip ecn ce counter ip filter forward [ payload load 1b @ network header + 1 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x00000003 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000003 ] [ counter pkts 0 bytes 0 ] For IPv6: # nft --debug=netlink add rule ip6 filter forward ip6 ecn ce counter ip6 filter forward [ payload load 1b @ network header + 1 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x00000030 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000030 ] [ counter pkts 0 bytes 0 ] Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add dscp supportPablo Neira Ayuso2016-05-111-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This supports both IPv4: # nft --debug=netlink add rule filter forward ip dscp cs1 counter ip filter forward [ payload load 1b @ network header + 1 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000080 ] [ counter pkts 0 bytes 0 ] And also IPv6, note that in this case we take two bytes from the payload: # nft --debug=netlink add rule ip6 filter input ip6 dscp cs4 counter ip6 filter input [ payload load 2b @ network header + 0 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x0000c00f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000008 ] [ counter pkts 0 bytes 0 ] Given the DSCP is split in two bytes, the less significant nibble of the first byte and the two most significant 2 bits of the second byte. The 8 bit traffic class in RFC2460 after the version field are used for DSCP (6 bit) and ECN (2 bit). Support for ECN comes in a follow up patch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: remove 'reset' as reserve keywordPablo Neira Ayuso2016-03-071-1/+0
| | | | | | | | | The 'reset' keyword can be used as dccp type, so don't qualify it as reserve keyword to avoid a conflict with this. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1055 Reported-by: Shivani Bhardwaj <shivanib134@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add fwd statement for netdevPablo Neira Ayuso2016-01-311-0/+1
| | | | | | | | | | | This patch add support for the forward statement, only available at the netdev family. # nft add table netdev filter # nft add chain netdev filter ingress { type filter hook ingress device eth0 priority 0\; } # nft add rule netdev filter ingress fwd to dummy0 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support limit rate over valuePablo Neira Ayuso2016-01-141-0/+2
| | | | | | | | | | | | | | | | | | So far it was only possible to match packet under a rate limit, this patch allows you to explicitly indicate if you want to match packets that goes over or until the rate limit, eg. ... limit rate over 3/second counter log prefix "OVERLIMIT: " drop ... limit rate over 3 mbytes/second counter log prefix "OVERLIMIT: " drop ... ct state invalid limit rate until 1/second counter log prefix "INVALID: " When listing rate limit until, this shows: ... ct state invalid limit rate 1/second counter log prefix "INVALID: " thus, the existing syntax is still valid (i.e. default to rate limit until). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add interface wildcard matchingPablo Neira Ayuso2015-11-021-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Contrary to iptables, we use the asterisk character '*' as wildcard. # nft --debug=netlink add rule test test iifname eth\* ip test test [ meta load iifname => reg 1 ] [ cmp eq reg 1 0x00687465 ] Note that this generates an optimized comparison without bitwise. In case you want to match a device that contains an asterisk, you have to escape the asterisk, ie. # nft add rule test test iifname eth\\* The wildcard string handling occurs from the evaluation step, where we convert from: relational / \ / \ meta value oifname eth* to: relational / \ / \ meta prefix ofiname As Patrick suggested, this not actually a wildcard but a prefix since it only applies to the string when placed at the end. More comments: * This relaxes the left->size > right->size from netlink_parse_cmp() for strings since the optimization that this patch applies may now result in bogus errors. * This patch can be later on extended to apply a similar optimization to payload expressions when: expr->len % BITS_PER_BYTE == 0 For meta and ct, the kernel checks for the exact length of the attributes (it expects integer 32 bits) so we can't do it unless we relax that. * Wildcard strings are not supported from sets and maps yet. Error reporting is not very good at this stage since expr_evaluate_prefix() doesn't have enough context (ctx->set is NULL, the set object is currently created later after evaluating the lhs and rhs of the relational). I'll be following up on this later. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Add command "replace" for rulesCarlos Falgueras García2015-11-021-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | Modify the parser and add necessary functions to provide the command "nft replace rule <ruleid_spec> <new_rule>" Example of use: # nft list ruleset -a table ip filter { chain output { ip daddr 8.8.8.7 counter packets 0 bytes 0 # handle 3 } } # nft replace rule filter output handle 3 ip daddr 8.8.8.8 counter # nft list ruleset -a table ip filter { chain output { ip daddr 8.8.8.8 counter packets 0 bytes 0 # handle 3 } } Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add dup statement supportPablo Neira Ayuso2015-09-301-0/+2
| | | | | | | | | | This allows you to clone packets to destination address, eg. ... dup to 172.20.0.2 ... dup to 172.20.0.2 device eth1 ... dup to ip saddr map { 192.168.0.2 : 172.20.0.2, ... } device eth1 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add burst parameter to limitPablo Neira Ayuso2015-09-231-0/+1
| | | | | | | | | | | ... limit rate 1024 mbytes/second burst 10240 bytes ... limit rate 1/second burst 3 packets This parameter is optional. You need a Linux kernel >= 4.3-rc1. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add netdev family supportPablo Neira Ayuso2015-06-161-0/+2
| | | | | | | | | | | | | | | | | | | | | This patch adds support for the new 'netdev' table. So far, this table allows you to create filter chains from ingress. The following example shows a very simple base configuration with one table that contains a basechain that is attached to the 'eth0': # nft list table netdev filter table netdev filter { chain eth0-ingress { type filter hook ingress device eth0 priority 0; policy accept; } } You can test that this works by adding a simple rule with counters: # nft add rule netdev filter eth0-ingress counter Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nftables: add set statemetPatrick McHardy2015-04-121-0/+1
| | | | | | | | | | | | The set statement is used to dynamically add or update elements in a set. Syntax: # nft filter input set add tcp dport @myset # nft filter input set add ip saddr timeout 10s @myset # nft filter input set update ip saddr timeout 10s @myset Signed-off-by: Patrick McHardy <kaber@trash.net>
* set: add timeout support for setsPatrick McHardy2015-04-121-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | Timeout support can be enabled in one of two ways: 1. Using a default timeout value: set test { type ipv4_addr; timeout 1h; } 2. Using the timeout flag without a default: set test { type ipv4_addr; flags timeout; } Optionally a garbage collection interval can be specified using gc-interval <interval>; Signed-off-by: Patrick McHardy <kaber@trash.net>
* datatype: fix parsing of time typePatrick McHardy2015-04-121-0/+7
| | | | | | Properly detect time strings in the lexer without quotation marks. Signed-off-by: Patrick McHardy <kaber@trash.net>
* parser: properly fix handling of large integer valuesPatrick McHardy2015-01-111-2/+2
| | | | | | | | | | | | | | | Introduction of the ERROR symbol is an ugly hack. There's no reason to special case large integer values, the NUM token only exists for small values that are needed immediately, everything else is passed as EXPR_SYMBOL to evaluation anyways. Additionally the error reporting is different from what we'd usually report, the token is easy to confuse with the bison internal error token and it even has a name, messing up bison internal diagnostics. Simply return values to large to be handled by strtoull as STRING. Signed-off-by: Patrick McHardy <kaber@trash.net>
* parser: rename VERSION token to HDRVERSIONSteven Barth2015-01-071-1/+1
| | | | | | | | | A token name of VERSION results in a macro being defined with the same name. This prevents inclusion of config.h in commonly used headers. Signed-off-by: Steven Barth <cyrus@openwrt.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: use 'redirect to PORT' instead of 'redirect :PORT'Pablo Neira Ayuso2014-12-121-0/+1
| | | | | | Small syntax update suggested by Patrick. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* stmt: rename nat "random-fully" option to "fully-random"Patrick McHardy2014-12-111-1/+1
| | | | | | Use proper english for full randomization option. Signed-off-by: Patrick McHardy
* scanner: don't bug on too large valuesPablo Neira Ayuso2014-12-011-4/+8
| | | | | | | | | | | | | Add a new ERROR symbol to handle scanning of too large values. <cmdline>:1:36-99: Error: bad value '0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' add rule ip test-ip4 input ct mark 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ instead of: BUG: nft: scanner.l:470: nft_lex: Assertion `0' failed. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: fix reading of really long lineEric Leblond2014-12-011-1/+2
| | | | | | | | | | | | | | | Current code is causing a failure in adding a set containing a really long list of elements. The failure occurs as soon as the line is longer than flex read buffer. When a line is longer than scanner buffer size, the code in YY_INPUT forces a rewind to the beginning of the string because it does not find a end of line. The result is that the string is never parsed. This patch updates the code by rewinding till we found a space. Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: autotools conversionPablo Neira Ayuso2014-11-121-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 1) This removes former Makefiles and install-sh (which is now automagically imported via autoreconf). Makefile.defs.in Makefile.in Makefile.rules.in src/Makefile.in install-sh (now automagically imported via autoreconf). 2) CFLAGS are left almost same, they are integrated into Make_global.am. Use AM_CPPFLAGS to set the CFLAGS set by pkgconfig. 3) Add m4 directory to the tree which only contains the .gitignore file. Update .gitignore file to skip autogenerated files. 4) include <config.h> whenever required. 5) Minor adjustments to scanner.l and parser_bison.y to compile cleanly with autotools. 6) Add %option outfile=lex.yy.c to scanner.l, otherwise I hit this error here: gcc -DHAVE_CONFIG_H -I. -I.. -I../include -DDEFAULT_INCLUDE_PATH="\"/usr/etc\"" -Wall -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -Wsign-compare -Winit-self -Wformat-nonliteral -Wformat-security -Wmissing-format-attribute -Wcast-align -Wundef -Wbad-function-cast -g -O2 -MT mnl.o -MD -MP -MF $depbase.Tpo -c -o mnl.o mnl.c &&\ mv -f $depbase.Tpo $depbase.Po /bin/sh ../build-aux/ylwrap scanner.l lex.yy.c scanner.c -- flex make[3]: *** [scanner.c] Error 1 make[3]: Leaving directory `/home/pablo/devel/scm/git-netfilter/nftables/src' make[2]: *** [all] Error 2 make[2]: Leaving directory `/home/pablo/devel/scm/git-netfilter/nftables/src' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/home/pablo/devel/scm/git-netfilter/nftables' make: *** [all] Error 2 7) Add Makefile.am for include/ (contributed by Giorgio Dal Molin). The doc/ and files/ conversion to automake will come in follow up patches but 'make distcheck' already works. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rename parser.y to parser_bison.yPablo Neira Ayuso2014-11-101-1/+1
| | | | | | | | | The conversion to the autotools need this. Make sure you remove the autogenerated parser.c and parser.h from your tree. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Add cgroup support in meta expresionAna Rey2014-11-101-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | The new attribute of meta is "cgroup". Example of use in nft: # nft add rule ip test output meta cgroup != 0x100001 counter drop Moreover, this adds tests to the meta.t test file. The kernel support is addedin the commit: ce67417 ("netfilter: nft_meta: add cgroup support") The libnftnl support is add in the commit: 1d4a480 ("expr: meta: Add cgroup support") More information about the steps to use cgroup: https://www.kernel.org/doc/Documentation/cgroups/net_cls.txt More info about cgroup in iptables: http://git.kernel.org/cgit/linux/kernel/git/pablo/nftables.git/commit/net/netfilter/xt_cgroup.c?id=82a37132f300ea53bdcd812917af5a6329ec80c3 Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add redirect supportArturo Borrero2014-11-041-0/+1
| | | | | | | | | | | This patch adds redirect support for nft. The syntax is: % nft add rule nat prerouting redirect [port] [nat_flags] Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add masquerade supportArturo Borrero2014-10-091-0/+1
| | | | | | | | | | | | | | | | | This patch adds masquerade support for nft. The syntax is: % nft add rule nat postrouting masquerade [flags] Currently, flags are: random, random-fully, persistent Example: % nft add rule nat postrouting masquerade random,persistent Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: interpret the event type from the evaluation stepPablo Neira Ayuso2014-10-091-3/+0
| | | | | | | | | | | Postpone the event type interpretation to the evaluation step. This patch also fixes the combination of event and object types, which was broken. The export code needed to be adjusted too. The new and destroy are not tokens that can be recognized by the scanner anymore, so this also implicitly restores 'ct state'. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add nat persistent and random optionsArturo Borrero2014-10-091-0/+3
| | | | | | | | | | | | | | | | | This patch adds more configuration options to the nat expression. The syntax is as follow: % nft add rule nat postrouting <snat|dnat> <nat_arguments> [flags] Flags are: random, persistent, random-fully. Example: % nft add rule nat postrouting dnat 1.1.1.1 random,persistent A requirement is to cache some [recent] copies of kernel headers. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: complete reject supportAlvaro Neira2014-10-091-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch allows to use the reject action in rules. For example: nft add rule filter input udp dport 22 reject In this rule, we assume that the reason is network unreachable. Also we can specify the reason with the option "with" and the reason. For example: nft add rule filter input tcp dport 22 reject with icmp type host-unreachable In the bridge tables and inet tables, we can use this action too. For example: nft add rule inet filter input reject with icmp type host-unreachable In this rule above, this generates a meta nfproto dependency to match ipv4 traffic because we use a icmpv4 reason to reject. If the reason is not specified, we infer it from the context. Moreover, we have the new icmpx datatype. You can use this datatype for the bridge and the inet tables to simplify your ruleset. For example: nft add rule inet filter input reject with icmpx type host-unreachable We have four icmpx reason and the mapping is: ICMPX reason | ICMPv6 | ICMPv4 | | admin-prohibited | admin-prohibited | admin-prohibited port-unreachable | port-unreachable | port-unreachable no-route | no-route | net-unreachable host-unreachable | addr-unreachable | host-unreachable Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add set optimization optionsArturo Borrero2014-09-291-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds options to choose set optimization mechanisms. Two new statements are added to the set syntax, and they can be mixed: nft add set filter set1 { type ipv4_addr ; size 1024 ; } nft add set filter set1 { type ipv4_addr ; policy memory ; } nft add set filter set1 { type ipv4_addr ; policy performance ; } nft add set filter set1 { type ipv4_addr ; policy memory ; size 1024 ; } nft add set filter set1 { type ipv4_addr ; size 1024 ; policy memory ; } nft add set filter set1 { type ipv4_addr ; policy performance ; size 1024 ; } nft add set filter set1 { type ipv4_addr ; size 1024 ; policy performance ; } Also valid for maps: nft add map filter map1 { type ipv4_addr : verdict ; policy performace ; } [...] This is the output format, which can be imported later with `nft -f': table filter { set set1 { type ipv4_addr policy memory size 1024 } } In this approach the parser accepts default options such as 'performance', given they are a valid configurations, but aren't sent to the kernel. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* queue: clean up queue statementPatrick McHardy2014-09-241-2/+2
| | | | | | | | | | | | | | | | | | - Rename keyword tokens to their actual keyword - Change the grammar to follow the standard schema for statements and arguments - Use actual expression for the queue numbers to support using normal range expressions, symbolic expression and so on. - restore comma seperation of flag keywords The result is that its possible to use standard ranges, prefix expressions, symbolic expressions etc for the queue number. We get checks for overflow, negative ranges and so on automatically. The comma seperation of flags is more similar to what we have for other flag values. It is still possible to use spaces, however this could be removed since we never had a release supporting that. Signed-off-by: Patrick McHardy <kaber@trash.net>
* parser: simplify monitor command parsingPatrick McHardy2014-09-171-0/+3
| | | | | | | Add tokens for "new" and "destroy". Split up the monitor flags into an event and an object to avoid lots of duplicated code. Signed-off-by: Patrick McHardy <kaber@trash.net>