path: root/src
Commit message  Author  Age  Files  Lines
* parser: segfault in top scope define  (Phil Oester, 2013-11-30, 1 file, -0/+1)

    nft segfaults if a symbol is added in top_scope, because of a missing
    init_list_head. Trivial example:

        define ip_set = {192.168.1.2, 192.168.2.3}
        add rule filter output ip daddr $ip_set counter

    This closes netfilter bugzilla #877.

    Reported-by: Anand Raj Manickam <anandrm@gmail.com>
    Signed-off-by: Phil Oester <kernel@linuxace.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: relax restriction on UID/GID parsing  (Pablo Neira Ayuso, 2013-11-29, 1 file, -20/+34)

    nft is currently rejecting unknown UID/GID if they don't exist in the
    system; relax this, as Bjørnar Ness considers this a valid scenario.
    Now this only reports an error if you pass an unknown user (expressed
    as string, or if the UID/GID goes above 32 bits).

    Reported-by: Bjørnar Ness <bjornar.ness@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* meta: fix endianness in UID/GID  (Pablo Neira Ayuso, 2013-11-29, 1 file, -2/+2)

        add rule filter output meta skuid vmap { 1000 => accept }
        list table filter
          meta skuid map { 3892510720 => accept}
                           ^--------^
                           this is 1000 in network byte order

    Reported-by: Bjørnar Ness <bjornar.ness@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: improve rule deletion per chain  (Pablo Neira Ayuso, 2013-11-25, 1 file, -1/+1)

    With this patch, nft asks the kernel for deleting all rules in a
    chain. This replaces the current behaviour that requires dumping all
    the rules, then iterating over that list to delete them one by one,
    which is prone to races and slower.

    After this patch, the following two commands are equivalent:

        nft flush chain filter input
        nft delete rule filter input

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: fix missing nul-terminated string in string_type_print  (Pablo Neira Ayuso, 2013-11-25, 1 file, -1/+2)

    Thomas Berger reported that he is seeing garbage after valid string
    values, eg.

        fwtest01 ~ # nft -i
        nft> table filter
        nft> add chain filter input
        nft> add rule filter input meta iifname "lo" accept
        nft> list table filter
        table ip filter {
                chain input {
                         meta iifname "lo�.�" accept
                }
        ...

    The buffer that is allocated in the stack does not include room to
    nul-terminate the string accordingly.

    This patch fixes bugzilla report #872:
    https://bugzilla.netfilter.org/show_bug.cgi?id=872

    Reported-by: Thomas Berger <loki@lokis-chaos.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
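The bug class behind that fix is a fixed-width field (here an interface name) copied into a stack buffer with no room for the terminating NUL, after which every string function reads past the field. The following is an added example, not nftables code, of sizing and terminating such a copy so the printer can only ever read what the field contained; FIELD_LEN, the function names and the sample fields are assumptions made for the example.

```c
/* Added example, not nftables code: converting a fixed-width byte field
 * (an interface name from a netlink attribute, say) into a C string.
 * The bug above came from a stack buffer with no room for the terminating
 * NUL, so the printer read past the field into whatever followed it on
 * the stack. All names here are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Width of the field as the caller receives it (IFNAMSIZ-style). */
#define FIELD_LEN 16

/* Content length of a field that may or may not contain a NUL: stop at
 * the first NUL, otherwise the whole field is content. */
static size_t field_strlen(const uint8_t *field, size_t field_len)
{
	const uint8_t *nul = memchr(field, 0, field_len);

	return nul ? (size_t)(nul - field) : field_len;
}

/* Copy the content of field into out and always NUL-terminate it.
 * Returns the number of content bytes, or -1 if out cannot hold the
 * content plus the terminator; a caller that sizes out as field_len
 * (rather than field_len + 1) hits this on a full-width field. */
static int field_to_cstr(const uint8_t *field, size_t field_len,
			 char *out, size_t out_len)
{
	size_t n = field_strlen(field, field_len);

	if (out_len < n + 1)
		return -1;
	memcpy(out, field, n);
	out[n] = '\0';
	return (int)n;
}

/* What a printer should do: a stack buffer of FIELD_LEN + 1 bytes, then
 * only string functions on the terminated copy. Returns the printed
 * length, or -1 if the copy was refused. */
static int printed_field_len(const uint8_t field[FIELD_LEN])
{
	char buf[FIELD_LEN + 1];	/* the fix: one extra byte for the NUL */

	if (field_to_cstr(field, FIELD_LEN, buf, sizeof(buf)) < 0)
		return -1;
	return (int)strlen(buf);
}

/* Constructed inputs: a short, NUL-padded name and a name that fills the
 * whole field with no NUL inside it. */
static const uint8_t lo_field[FIELD_LEN] = "lo";
static const uint8_t full_field[FIELD_LEN] = "0123456789abcdef";
```

The full-width field is the case that matters: with a buffer of exactly FIELD_LEN bytes the copy is refused instead of being silently unterminated, which is the condition that produced the "lo�.�" output in the report.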
* netlink: only display wanted chain in listing  (Eric Leblond, 2013-11-19, 1 file, -0/+4)

    When specifying a chain to list, all created chains were displayed
    with a void content:

        # nft list chain filter
        table ip filter {
                chain input {
                }
                chain new {
                         counter packets 17971 bytes 2380637 accept
                         counter packets 0 bytes 0 accept
                }
        }

    With the attached patch, only the asked chain is displayed:

        # nft list chain filter
        table ip filter {
                chain new {
                         counter packets 17971 bytes 2380637 accept # handle 36
                         counter packets 0 bytes 0 accept # handle 40
                }
        }

    Signed-off-by: Eric Leblond <eric@regit.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* verdict: fix delinearize in case of jump  (Eric Leblond, 2013-11-19, 1 file, -2/+6)

    The name of the chain was not handled in case of a jump or a goto.
    This patch adds parsing of the chain.

    Reported-by: Alex Chapman <ajchapman88@hotmail.co.uk>
    Signed-off-by: Eric Leblond <eric@regit.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* jump: fix logic in netlink linearize  (Eric Leblond, 2013-11-19, 1 file, -1/+2)

    Logic in the test was inverted. The result was the jump string not
    being set.

    Reported-by: Alex Chapman <ajchapman88@hotmail.co.uk>
    Signed-off-by: Eric Leblond <eric@regit.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* expression: fix indent  (Eric Leblond, 2013-11-19, 1 file, -1/+1)

    Signed-off-by: Eric Leblond <eric@regit.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: fix warning on deprecated directive in bison  (Pablo Neira Ayuso, 2013-11-18, 1 file, -1/+1)

        src/parser.y:93.1-13: warning: deprecated directive, use ‘%name-prefix’ [-Wdeprecated]
         %name-prefix="nft_"
         ^^^^^^^^^^^^^

    Reported-by: Anatol Pomozov <anatol.pomozov@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* payload: fix ethernet type protocol matching  (Pablo Neira Ayuso, 2013-11-04, 1 file, -1/+1)

    This fixes ethernet type protocol matching, which is needed to match
    network layer information, eg.

        nft add rule bridge filter input ip protocol icmp counter

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* netlink_linearize: finish reject support  (Pablo Neira Ayuso, 2013-10-27, 1 file, -1/+3)

    This patch finishes the reject support.

    Reported-by: Jiri Benc <jbenc@redhat.com>
    Tested-by: Jiri Benc <jbenc@redhat.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* statement: avoid huge rodata array  (Florian Westphal, 2013-10-22, 1 file, -9/+14)

    commit b259d1a ('src: operational limit match') creates a huge array,
    increasing nft binary size from ~240k to ~5m on x86_64.

    Use switch statement instead.

    Signed-off-by: Florian Westphal <fw@strlen.de>

* src: operational limit match  (Phil Oester, 2013-10-22, 4 files, -14/+19)

    The nft limit match currently does not work at all. Below patches to
    nftables, libnftables, and kernel address the issue. A few notes on
    the implementation:

    - Removed support for nano/micro/milli second limits. These seem
      pointless, given we are using jiffies in the limit match, not a
      hpet. And who really needs to limit items down to sub-second
      level??

    - 'depth' member is removed as unnecessary. All we need in the kernel
      is the rate and the unit.

    - 'stamp' member becomes the time we need to next refresh the token
      bucket, instead of being updated on every packet which goes through
      the match.

    This closes netfilter bugzilla #827, reported by Eric Leblond.

    Signed-off-by: Phil Oester <kernel@linuxace.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
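The three design notes above (rate and unit only, no sub-second units, and a stamp that marks the next refill instead of being rewritten per packet) describe a bucket that is refilled once per window at jiffy granularity. The block below is an added example of that design, not the kernel's nft_limit or nftables code; HZ, the struct layout and all names are assumptions, and a limit that does not work is worth getting right because a log or syn-flood rule behind it silently stops limiting.

```c
/* Added example, not the kernel's nft_limit or nftables code: a token
 * bucket at jiffy granularity following the notes in the commit above.
 * It keeps only a rate and a unit (no sub-second units), and "stamp" is
 * the jiffy at which the bucket is next refilled rather than a value
 * rewritten on every packet. HZ and all names are assumptions. */
#include <stdbool.h>
#include <stdint.h>

#define HZ 100	/* assumed jiffies per second */

struct limit {
	uint64_t rate;		/* packets allowed per unit */
	uint64_t unit;		/* length of the unit in seconds */
	uint64_t tokens;	/* packets still allowed before the next refill */
	uint64_t stamp;		/* jiffies at which tokens is reset to rate */
};

/* Start a full bucket whose first refill is one unit from now. Returns
 * false for a rate or unit of zero, which would block every packet or
 * refill on every one. */
static bool limit_init(struct limit *l, uint64_t rate, uint64_t unit,
		       uint64_t now)
{
	if (rate == 0 || unit == 0)
		return false;
	l->rate = rate;
	l->unit = unit;
	l->tokens = rate;
	l->stamp = now + unit * HZ;
	return true;
}

/* Evaluate one packet at jiffy "now". The stamp comparison is done on the
 * signed difference so it stays correct when the jiffy counter wraps. */
static bool limit_match(struct limit *l, uint64_t now)
{
	if ((int64_t)(now - l->stamp) >= 0) {
		l->tokens = l->rate;		/* window elapsed: refill */
		l->stamp = now + l->unit * HZ;
	}
	if (l->tokens == 0)
		return false;			/* over the limit */
	l->tokens--;
	return true;
}

/* Push n packets through the limit at the same jiffy and report how
 * many matched; a constructed burst for exercising the bucket. */
static unsigned int limit_burst(struct limit *l, uint64_t now, unsigned int n)
{
	unsigned int matched = 0;

	while (n--)
		if (limit_match(l, now))
			matched++;
	return matched;
}
```

With rate 5 and unit 1 second, a burst of eight packets in one jiffy passes five, nothing passes until the stamp is reached, and the bucket then holds five again; the stamp only moves on a refill, which is the "updated on refresh, not per packet" point of the commit.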
* src: fix return code  (Arturo Borrero Gonzalez, 2013-10-17, 1 file, -3/+4)

    Exit with NFT_EXIT_FAILURE if something went wrong in the netlink
    code.

    Before this patch:

        internal:0:0-0: Error: Could not find chain `asd' in table `filter':
        [...]
        0

    After this patch:

        internal:0:0-0: Error: Could not find chain `asd' in table `filter':
        [...]
        1

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* netlink: fix nft flush operation  (Eric Leblond, 2013-10-03, 1 file, -2/+0)

    nft_netlink function is already calling mnl_batch_end and
    mnl_batch_begin so it is not necessary to do it in the
    netlink_flush_rules function. Doing this results in an invalid
    netlink message which is discarded by the kernel.

    Signed-off-by: Eric Leblond <eric@regit.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* netlink: only flush asked table/chain  (Eric Leblond, 2013-10-03, 1 file, -0/+8)

    The flush operation was not limiting the flush to the table or chain
    specified on command line. The result was that all the rules for a
    given family are flushed independently of the flush command.

    Signed-off-by: Eric Leblond <eric@regit.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* netlink: suppress useless variable  (Eric Leblond, 2013-10-03, 1 file, -3/+0)

    Signed-off-by: Eric Leblond <eric@regit.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* mnl: fix typo in comment  (Eric Leblond, 2013-10-03, 1 file, -1/+1)

    Signed-off-by: Eric Leblond <eric@regit.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Add support for IPv6 NAT  (Eric Leblond, 2013-09-30, 2 files, -4/+20)

    This patch adds support for IPv6 NAT. It adds IPv6 support in
    evaluation and in delinearization which were the only missing parts.

    Signed-off-by: Eric Leblond <eric@regit.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* netlink: fix IPv6 prefix computation  (Eric Leblond, 2013-09-30, 1 file, -4/+7)

    The prefix building algorithm in netlink phase was incorrect in IPv6.
    For example, when adding the following rule

        nft add rule ip6 nat postrouting ip6 saddr 2::/64 --debug=all

    we had:

        ip6 nat postrouting 0 0
          [ payload load 16b @ network header + 8 => reg 1 ]
          [ bitwise reg 1 = (reg=1 & 0x00000000 0x99361540 0x00007f8d 0x2e33a1eb ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ]
          [ cmp eq reg 1 0x00000200 0x00000000 0x00000000 0x00000000 ]

    With the patch the result is as expected:

        ip6 nat postrouting 0 0
          [ payload load 16b @ network header + 8 => reg 1 ]
          [ bitwise reg 1 = (reg=1 & 0xffffffff 0xffffffff 0x00000000 0x00000000 ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ]
          [ cmp eq reg 1 0x00000200 0x00000000 0x00000000 0x00000000 ]

    Signed-off-by: Eric Leblond <eric@regit.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add rule batching support  (Pablo Neira Ayuso, 2013-09-23, 4 files, -40/+343)

    This patch allows nft to put all rule update messages into one single
    batch that is sent to the kernel if `-f' option is used.

    In order to provide fine grain error reporting, I decided to
    correlate the netlink message sequence number with the corresponding
    command sequence number, which is the same. Thus, nft can identify
    what rules trigger problems inside a batch and report them
    accordingly.

    Moreover, to avoid playing buffer size games at batch building stage,
    ie. guessing what the final size of the batch for this ruleset update
    will be, this patch collects batch pages that are converted to iovec
    to ensure linearization when the batch is sent to the kernel. This
    reduces the amount of unnecessary memory usage that is allocated for
    the batch.

    This patch uses the libmnl nlmsg batching infrastructure and it
    requires the kernel patch entitled (netfilter: nfnetlink: add batch
    support and use it from nf_tables).

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* meta: iif/oifname should be host byte order  (Florian Westphal, 2013-09-23, 3 files, -5/+5)

        src/nft add rule filter output meta oifname eth0

    doesn't work on x86.

    Problem is that nft declares these as BYTEORDER_INVALID, but when
    converting the string mpz_import_data treats INVALID like BIG_ENDIAN.

        [ cmp eq reg 1 0x00000000 0x00000000 0x65000000 0x00306874 ]

    as kernel nft_cmp_eval basically boils down to

        memcmp(reg, skb->dev->name, sizeof(reg))

    comparison fails.

    with patch:

        [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
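Both this commit and "meta: fix endianness in UID/GID" above are the same lesson: nft_cmp_eval is a memcmp over register bytes, so the constant must be laid out exactly as the kernel loads the value. A UID is a host-order u32, so a constant converted to network order matches no user at all and prints back as 3892510720; an interface name is raw bytes, so "eth0" in register word 0 is 0x30687465 on x86 and no big-number conversion applies. The block below is an added example that reproduces both encodings and the kernel-side comparison; it is not nftables or kernel code, and REG_LEN and all names are assumptions.

```c
/* Added example, neither nftables nor kernel code: the kernel's cmp
 * expression compares register bytes with memcmp, so userspace must lay
 * a constant out exactly as the kernel loads the value. For meta skuid
 * ("fix endianness in UID/GID" above) that is a host-order u32, so a
 * network-order constant matches nothing and prints back as 3892510720;
 * for iif/oifname it is the raw name bytes, which have no byte order.
 * Names are hypothetical. */
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define REG_LEN 16	/* one 128-bit nft register */

static bool host_is_little_endian(void)
{
	uint32_t one = 1;
	uint8_t first;

	memcpy(&first, &one, 1);
	return first == 1;
}

/* Correct encoding of a UID: the integer's bytes as they sit in memory. */
static void reg_from_u32_host(uint8_t reg[REG_LEN], uint32_t v)
{
	memset(reg, 0, REG_LEN);
	memcpy(reg, &v, sizeof(v));
}

/* The bug: converting to network order first, which is a byte swap on
 * little-endian hosts and a no-op on big-endian ones. */
static void reg_from_u32_network(uint8_t reg[REG_LEN], uint32_t v)
{
	uint32_t be = htonl(v);

	memset(reg, 0, REG_LEN);
	memcpy(reg, &be, sizeof(be));
}

/* Correct encoding of an interface name: raw bytes, NUL padded, the same
 * layout the kernel copies out of skb->dev->name. */
static void reg_from_ifname(uint8_t reg[REG_LEN], const char *name)
{
	memset(reg, 0, REG_LEN);
	strncpy((char *)reg, name, REG_LEN - 1);
}

/* Read register word n back the way nft --debug prints it (host order). */
static uint32_t reg_word(const uint8_t reg[REG_LEN], unsigned int n)
{
	uint32_t w;

	memcpy(&w, reg + 4 * n, sizeof(w));
	return w;
}

/* Kernel side: what nft_cmp_eval effectively does for a u32 meta value. */
static bool kernel_cmp_u32(const uint8_t reg[REG_LEN], uint32_t loaded)
{
	uint8_t want[REG_LEN];

	reg_from_u32_host(want, loaded);
	return memcmp(reg, want, sizeof(uint32_t)) == 0;
}

/* Kernel side for an interface name: memcmp over the whole register. */
static bool kernel_cmp_ifname(const uint8_t reg[REG_LEN], const char *devname)
{
	uint8_t want[REG_LEN];

	reg_from_ifname(want, devname);
	return memcmp(reg, want, REG_LEN) == 0;
}
```

The practical check is the one the commit messages already show: list the rule back with --debug and confirm that the constant words are the ones a memcpy of the host value would produce, not their byte-swapped or right-justified image.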
* display family in table listing  (Eric Leblond, 2013-09-17, 1 file, -1/+19)

    As family was not displayed in table listing, it was not possible to
    restore an ipv6 table saved via 'nft list table ip6 TABLE'.

    Signed-off-by: Eric Leblond <eric@regit.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* nat: add mandatory family attribute  (Eric Leblond, 2013-09-17, 1 file, -0/+4)

    NFT_EXPR_NAT_FAMILY is a mandatory attribute for NAT rules and it was
    not set by nftables.

    Signed-off-by: Eric Leblond <eric@regit.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* log: s/threshold/queue-threshold/  (Florian Westphal, 2013-09-14, 1 file, -1/+1)

    on input we expect "queue-threshold" token, so use the same name when
    printing the output.

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* payload: fix endianness of ARP operation code  (Pablo Neira Ayuso, 2013-09-14, 1 file, -1/+1)

    So it displays the compatibility command:

        xtables-arp -A INPUT --opcode Reply -j DROP

    accordingly:

        arp plen 4 arp operation reply counter packets 0 bytes 0 drop
* src: Better error reporting if chain type is invalid  (Tomasz Bursztyka, 2013-09-05, 2 files, -3/+32)

    This patch verifies at command line parsing that given chain type is
    valid. Possibilities are: filter, nat, and route.

        nft add chain test test { type cheese hook input priority 0 };
        <cmdline>:1:28-33: Error: unknown chain type cheese
        add chain test test { type cheese hook input priority 0 };
                                   ^^^^^^

    Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* datatype: fix mark parsing if string is used  (Pablo Neira Ayuso, 2013-09-04, 1 file, -0/+11)

    This fixes string mark parsing. Note that /etc/iproute2/rt_marks may
    contain mapping between string and mark values.

    This fixes here:

        add rule filter output meta mark 0 counter

    Assuming that:

        cat /etc/iproute2/rt_marks

    says:

        0 test

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* meta: fix output display of meta length  (Pablo Neira Ayuso, 2013-09-04, 1 file, -1/+1)

        nft list table filter

    Before:

        meta len 1000 counter packets 0 bytes 0

    After:

        meta length 1000 counter packets 0 bytes 0

    Now it doesn't break with nft -f.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* src: Add priority keyword on base chain description  (Tomasz Bursztyka, 2013-09-04, 2 files, -5/+5)

    Instead of:

        add chain foo bar { type route hook input 0; }

    it should be now:

        add chain foo bar { type route hook input priority 0; }

    Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>

* src: Wrap netfilter hooks around human readable strings  (Tomasz Bursztyka, 2013-09-04, 4 files, -25/+119)

    This allows to use unique, human readable, hook names for the command
    line and lets the user be unaware of netfilter's complex hook names
    and their difference depending on the netfilter family.

    So:

        add chain foo bar { type route hook NF_INET_LOCAL_IN 0; }

    becomes:

        add chain foo bar { type route hook input 0; }

    It also fixes the difference in hook values between families. I.e.
    ARP family has different values for input, forward and output
    compared to IPv4, IPv6 or bridge.

    Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* src: Fix base chain printing  (Tomasz Bursztyka, 2013-08-30, 2 files, -1/+2)

    Relying on chain's hooknum to know whether the chain is a base one or
    not is bogus: having 0 as hooknum is a valid number. Thus setting the
    right flag and handling it is the way to go, as parser does already.

    Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* src: allow to specify the base chain type  (Pablo Neira Ayuso, 2013-08-27, 3 files, -15/+30)

    This patch allows you to specify the type of the base chain, eg.

        add table mangle
        add chain mangle OUTPUT { type route hook NF_INET_LOCAL_OUT 0; }

    The chain type determines the semantics of the chain, we currently
    have three types:

    * filter, used for plain packet filtering.
    * nat, it only sees the first packet of the flow.
    * route, which is the equivalent of the iptables mangle table, that
      triggers a re-route if there is any change in some of the packet
      header fields, eg. IP TOS/DSCP, or the packet metainformation, eg.
      mark.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: fix wrong endianness in numeric ports  (Pablo Neira Ayuso, 2013-08-24, 1 file, -1/+1)

    In (5075879 datatype: validate port number in
    inet_service_type_parse), conversion to network byte order was
    missing.

    Reported-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* nftables: add additional --numeric level  (Phil Oester, 2013-08-22, 2 files, -3/+4)

    Personally, I like seeing ports and IPs numerically, but prefer
    protocols to be shown by name. As such, add a third --numeric level
    which will show protocols by number, splitting them out from ports.

        -n/--numeric
            When specified once, show network addresses numerically. When
            specified twice, also show Internet services, user IDs and
            group IDs numerically. When specified thrice, also show
            protocols numerically.

    Signed-off-by: Phil Oester <kernel@linuxace.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* log: convert group and qthreshold to use u16  (Pablo Neira Ayuso, 2013-08-17, 2 files, -4/+4)

    Required since (netfilter: nft_log: group and qthreshold are 2^16)
    kernel change.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* datatype: allow protocols by number in inet_protocol_type_parse  (Phil Oester, 2013-08-17, 1 file, -4/+18)

    nftables does not currently allow specifying protocols by number.
    Below patch adds this capability.

    Signed-off-by: Phil Oester <kernel@linuxace.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* datatype: validate port number in inet_service_type_parse  (Phil Oester, 2013-08-17, 1 file, -7/+20)

    At present, nft accepts out of range port values such as in this
    example:

        nft add rule ip filter input tcp dport 123456 accept

    Attached patch adds checks for both integer overflow and 16 bit
    overflow, and avoids getaddrinfo call in the (common) case of digit
    input. Example above now produces this output:

        <cmdline>:1:36-41: Error: Service out of range
        add rule ip filter input tcp dport 123456 accept
                                           ^^^^^^

    Signed-off-by: Phil Oester <kernel@linuxace.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
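The two parsing commits above ("allow protocols by number" and "validate port number") together with the follow-up "fix wrong endianness in numeric ports" describe one routine: take a token, decide whether it is all digits, reject integer overflow and then width overflow, and only then convert, in network byte order for a port. The block below is an added example of that routine, not nftables' inet_service_type_parse or inet_protocol_type_parse; the enum, the function names and the result codes are assumptions. A port of 123456 silently truncated to 16 bits would have matched port 57920 instead of failing, which is why the width check matters as much as the overflow check.

```c
/* Added example, not nftables' inet_service_type_parse or
 * inet_protocol_type_parse: parsing a numeric service (port) or protocol
 * token with explicit integer-overflow and width checks, and without a
 * name lookup for all-digit input, as the two commits above describe.
 * The port is stored in network byte order, the step the later commit
 * "datatype: fix wrong endianness in numeric ports" had to add. Names
 * and result codes are hypothetical. */
#include <arpa/inet.h>
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

enum parse_result {
	PARSE_OK = 0,
	PARSE_NOT_NUMERIC = 1,	/* caller may fall back to a name lookup */
	PARSE_OUT_OF_RANGE = 2,	/* "Service out of range" in nft's words */
};

/* True for a non-empty string of decimal digits only, so "-1", " 80" and
 * "0x50" all go to the name lookup path and are rejected there. */
static bool all_digits(const char *s)
{
	if (*s == '\0')
		return false;
	for (; *s != '\0'; s++)
		if (!isdigit((unsigned char)*s))
			return false;
	return true;
}

/* Parse s as an unsigned integer no larger than max. ERANGE from strtoul
 * catches integer overflow; the max check catches the narrower width. */
static enum parse_result parse_bounded(const char *s, uint32_t max,
				       uint32_t *out)
{
	char *end;
	unsigned long v;

	if (!all_digits(s))
		return PARSE_NOT_NUMERIC;
	errno = 0;
	v = strtoul(s, &end, 10);
	if (errno == ERANGE || *end != '\0' || v > max)
		return PARSE_OUT_OF_RANGE;
	*out = (uint32_t)v;
	return PARSE_OK;
}

/* A service is 16 bits and is compared against a network-order port. */
static enum parse_result parse_service(const char *s, uint16_t *port_be)
{
	uint32_t v;
	enum parse_result r = parse_bounded(s, UINT16_MAX, &v);

	if (r == PARSE_OK)
		*port_be = htons((uint16_t)v);
	return r;
}

/* A protocol number is 8 bits; a single byte has no byte order. */
static enum parse_result parse_protocol(const char *s, uint8_t *proto)
{
	uint32_t v;
	enum parse_result r = parse_bounded(s, UINT8_MAX, &v);

	if (r == PARSE_OK)
		*proto = (uint8_t)v;
	return r;
}
```

Only PARSE_NOT_NUMERIC should reach getaddrinfo or getprotobyname; an all-digit token that fails the bounds is an error, not a name to resolve.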
* src: Add icmpv6 support  (Eric Leblond, 2013-07-31, 3 files, -3/+93)

    This patch adds ICMPv6 support to nftables. It is now possible to
    write rules such as:

        nft add rule ip6 filter input icmpv6 type nd-router-advert accept

    Signed-off-by: Eric Leblond <eric@regit.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* datatype: fix crash if wrong integer type is passed  (Pablo Neira Ayuso, 2013-07-24, 1 file, -2/+4)

    Eric Leblond reported that this command:

        nft add rule ip6 filter input position 4 meta protocol icmpv6 accept

    crashes nft. The problem is that 'icmpv6' is wrong there, as meta
    protocol is expecting an ethernet protocol, that can be expressed as
    an hexadecimal.

    Now this command displays the following error:

        <cmdline>:1:52-57: Error: This is not a valid Ethernet protocol
        add rule ip6 filter input position 4 meta protocol icmpv6 accept
                                                           ^^^^^^

    This closes bugzilla #834:
    https://bugzilla.netfilter.org/show_bug.cgi?id=834

    Reported-by: Eric Leblond <eric@regit.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* src: Add support for insertion inside rule list  (Eric Leblond, 2013-07-19, 6 files, -3/+24)

    This patch adds support to insert and to add rule using a rule handle
    as reference. The rule handle syntax has a new optional position
    field which takes a handle as argument. Two examples:

        nft add rule filter output position 5 ip daddr 1.2.3.1 drop
        nft insert rule filter output position 5 ip daddr 1.2.3.1 drop

    Signed-off-by: Eric Leblond <eric@regit.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* mnl: use nft_*_list_add_tail  (Pablo Neira Ayuso, 2013-07-16, 1 file, -4/+4)

    Adapt it to the semantic fix that has been applied to libnftables,
    nft_*_list_add now inserts nodes, instead of appending them.

    Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>

* datatype: fix table listing if name resolution is not available  (Pablo Neira Ayuso, 2013-07-06, 1 file, -7/+24)

        nft list table filter

    returns garbage here for IP and IPv6 addresses if no name resolution
    is available. The output looks good if `-n' is used in that case.

    The problem is that getnameinfo() returns:

        EAI_AGAIN -3 /* Temporary failure in name resolution. */

    Without working name resolution. To fix this, force a fall back to
    numeric resolution in that case.

    While at it, fix also possible resolution of services in case of that
    /etc/services is missing in the system.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* netlink: fix network address prefix  (Pablo Neira Ayuso, 2013-06-24, 3 files, -24/+109)

    eg.

        nft add rule filter output ip daddr 192.168.1.0/24 counter

    so far, this operation was only possible using sets.

        nft add rule filter output ip daddr \{ 192.168.1.0/24 \} counter

    While at it, move all binop postprocess code to a new function that
    contains this transformation and the existing bitmask to constant
    (as used by eg. ct state new,established).

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
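Both this commit and "netlink: fix IPv6 prefix computation" above turn an address/prefix into a bitwise mask followed by a cmp, and the IPv6 one shows what the mask words must look like for 2::/64 (0xffffffff 0xffffffff 0x00000000 0x00000000). The block below is an added example, not nftables' netlink code, of building that mask for any address width from a prefix length, writing every byte of it, and emulating the bitwise-then-cmp pair the kernel evaluates; REG_LEN and all names are assumptions. A mask with unwritten bytes, as in the "we had" output of the IPv6 commit, compares the address against stack garbage, so the rule matches or misses at random.

```c
/* Added example, not nftables' netlink code: building the bitwise mask
 * for a network prefix and reading it back as the 32-bit register words
 * nft prints with --debug. It serves both "netlink: fix IPv6 prefix
 * computation" (2::/64 must give 0xffffffff 0xffffffff 0x00000000
 * 0x00000000) and "netlink: fix network address prefix" (192.168.1.0/24).
 * Names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define REG_LEN 16	/* one 128-bit nft register, the widest address */

/* Fill mask with prefix_len leading one bits over addr_len bytes, in the
 * same (network) byte order as the address itself, and write every byte
 * so nothing is left uninitialised. Returns false for an out-of-range
 * prefix or an address wider than a register. */
static bool prefix_to_mask(uint8_t *mask, size_t addr_len,
			   unsigned int prefix_len)
{
	size_t i;

	if (addr_len > REG_LEN || prefix_len > addr_len * 8)
		return false;
	for (i = 0; i < addr_len; i++) {
		if (prefix_len >= 8) {
			mask[i] = 0xff;
			prefix_len -= 8;
		} else {
			/* top prefix_len bits of this byte; 0 when none */
			mask[i] = (uint8_t)(0xffu << (8 - prefix_len));
			prefix_len = 0;
		}
	}
	return true;
}

/* Register word n as nft --debug prints it: read in host byte order, which
 * is why "2::" shows up as 0x00000200 on a little-endian host. */
static uint32_t reg_word(const uint8_t reg[REG_LEN], unsigned int n)
{
	uint32_t w;

	memcpy(&w, reg + 4 * n, sizeof(w));
	return w;
}

/* Emulate the bitwise + cmp pair: (addr & mask) == (net & mask), over
 * addr_len bytes of network-order address. */
static bool prefix_match(const uint8_t *addr, const uint8_t *net,
			 size_t addr_len, unsigned int prefix_len)
{
	uint8_t mask[REG_LEN];
	size_t i;

	if (!prefix_to_mask(mask, addr_len, prefix_len))
		return false;
	for (i = 0; i < addr_len; i++)
		if ((addr[i] & mask[i]) != (net[i] & mask[i]))
			return false;
	return true;
}
```

Because the mask is built byte-wise in network order, the same function serves IPv4 and IPv6 and the /64 case reads back as exactly the two all-ones words the corrected --debug output shows.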
* src: use libnftables  (Pablo Neira Ayuso, 2013-06-24, 6 files, -642/+1210)

    This patch migrates nft to use the libnftables library, that is used
    by the iptables over nftables compat utility as well.

    Most of the conversion was pretty straightforward. Some small
    significant changes happened in the handling of set element and
    immediate data abstraction that libnl provides. libnftables is a bit
    more granular since it splits the struct nfnl_nft_data into three
    attributes: verdict, chain and plain data (used in maps).

    I have added a new file src/mnl.c that contains the low level netlink
    communication that now resides in nftables source tree instead of
    the library. This should help to implement the batching support using
    libmnl in follow up patches.

    I also spent some significant amount of time running my tests to make
    sure that we don't increase the number of bugs that we already have
    (I plan to provide a list of those that I have detected and diagnosed,
    so anyone else can help us to fix them).

    As a side effect, this change should also prepare the ground for JSON
    and XML support anytime soon.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* meta: replace rtnl_tc_handle2str and rtnl_tc_str2handle  (Pablo Neira Ayuso, 2013-06-24, 1 file, -10/+43)

    Provide replacements for rtnl_tc_handle2str and rtnl_tc_str2handle,
    it removes the dependency on libnl-route.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* meta: use if_nametoindex and if_indextoname  (Pablo Neira Ayuso, 2013-06-24, 1 file, -44/+4)

    Instead of having a cache of ifindex based on libnl. Those functions
    basically use rtnetlink as well to perform the translation.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* evaluate: fix range and comparison evaluation  (Pablo Neira Ayuso, 2013-06-12, 1 file, -2/+2)

    This patch fixes these two commands:

        nft add rule ip test test ip saddr 1.1.1.1-2.2.2.2
        nft add rule ip test test ip saddr < 1.1.1.1

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* src: fix counter restoration  (Eric Leblond, 2013-06-12, 3 files, -3/+31)

    It was not possible to restore a ruleset containing counters. The
    packets and bytes fields were not known to the parser but they were
    in the output of the list command.

    This patch fixes the issue by restoring correctly the counters if
    they are present in the command.

    Signed-off-by: Eric Leblond <eric@regit.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>