| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
json restore is broken on big-endian because we errounously
passed uint8_t with 64 bit size indicator.
On bigendian, this causes all values to get shifted by 56 bit,
this will then cause the eval step to bail because all values
are outside of the 8bit 0-255 protocol range.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Json output could not be restored back by nft because it did
not recognize the new "th" pseudoheader.
Fixes: a43a696443a150f44 ("proto: add pseudo th protocol to match d/sport in generic way")
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Importing, exporting and byteswapping zero length data should not
happen.
Use macro definition so we know from where the assertion is triggered in
the code for easier diagnosing in the future.
When importing datatype.h from gmputil.h, it seems gcc complains on
missing declarations in json.h.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
tests/shell/testcases/transactions/0049huge_0
still fails with ENOBUFS error after endian fix done in
previous patch. Its enough to increase the scale factor (4)
on s390x, but rather than continue with these "guess the proper
size" game, just increase the buffer size and retry up to 3 times.
This makes above test work on s390x.
So, implement what Pablo suggested in the earlier commit:
We could also explore increasing the buffer and retry if
mnl_nft_socket_sendmsg() hits ENOBUFS if we ever hit this problem again.
v2: call setsockopt unconditionally, then increase on error.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
tests/shell/testcases/flowtable/0001flowtable_0
tests/shell/testcases/nft-f/0008split_tables_0
fail the 'dump compare' on s390x.
The priority (10) turns to 0, and accept turned to drop.
Problem is that '$1' is a 64bit value -- then we pass the address
and import 'int' -- we then get the upper all zero bits.
Add a 32bit interger type and use that.
v2: add uint32_t type to union, v1 used temporary value instead.
Fixes: 627c451b2351 ("src: allow variables in the chain priority specification")
Fixes: dba4a9b4b5fe ("src: allow variable in chain policy")
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
table bla {
chain foo { }
chain bar { jump foo }
}
}
Fails to restore on big-endian platforms:
jump.nft:5:2-9: Error: Could not process rule: No such file or directory
jump foo
nft passes a 0-length name to the kernel.
This is because when we export the value (the string), we provide
the size of the destination buffer.
In earlier versions, the parser allocated the name with the same
fixed size and all was fine.
After the fix, the export places the name in the wrong location
in the destination buffer.
This makes tests/shell/testcases/chains/0001jumps_0 work on s390x.
v2: convert one error check to a BUG(), it should not happen unless
kernel abi is broken.
Fixes: 142350f154c78 ("src: invalid read when importing chain name")
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Kernel expects socklen_t (int).
Using size_t causes kernel to read upper 0-bits.
This caused tests/shell/testcases/transactions/0049huge_0
to fail on s390x -- it uses 'echo' mode and will quickly
overrun the tiny buffer size set due to this bug.
Fixes: 89c82c261bb5 ("mnl: estimate receiver buffer size")
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch allows you to use variables in chain policy definition, e.g.
define default_policy = "accept"
add table ip foo
add chain ip foo bar {type filter hook input priority filter; policy $default_policy}
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch allows you to use variables in chain priority definitions,
e.g.
define prio = filter
define prionum = 10
define prioffset = "filter - 150"
add table ip foo
add chain ip foo bar { type filter hook input priority $prio; }
add chain ip foo ber { type filter hook input priority $prionum; }
add chain ip foo bor { type filter hook input priority $prioffset; }
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Store symbol tables in context object instead. Use the nft_ctx object to
store the dynamic symbol table. Pass it on to the parse_ctx object so
this can be accessed from the parse routines. This dynamic symbol table
is also accesible from the output_ctx object for print routines.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This object stores the dynamic symbol tables that are loaded from files.
Pass this object to datatype parse functions, although this new
parameter is not used yet, this is just a preparation patch.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
After the new cache system, nft raises a table error flushing a chain in
a transaction.
# nft "flush chain ip nftlb filter-newfarm ; \
add rule ip nftlb filter-newfarm update \
@persist-newfarm { ip saddr : ct mark } ; \
flush chain ip nftlb nat-newfarm"
Error: No such file or directory
flush chain ip nftlb filter-newfarm ; add rule ip nftlb (...)
^^^^^
This patch sets the cache flag properly to save this case.
Fixes: 01e5c6f0ed031 ("src: add cache level flags")
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Given the following bridge rules:
1. ip protocol icmp accept
2. ether type vlan vlan type ip ip protocol icmp accept
The are currently both dumped by "nft list ruleset" as
1. ip protocol icmp accept
2. ip protocol icmp accept
Though, the netlink code actually is different
bridge filter FORWARD 4
[ payload load 2b @ link header + 12 => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
[ immediate reg 0 accept ]
bridge filter FORWARD 5 4
[ payload load 2b @ link header + 12 => reg 1 ]
[ cmp eq reg 1 0x00000081 ]
[ payload load 2b @ link header + 16 => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
[ immediate reg 0 accept ]
What happens here is that:
1. vlan type ip kills ether type vlan
2. ip protocol icmp kills vlan type ip
Fix this by avoiding the removal of all vlan statements
in the given example.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Bison-3.3 significantly increased warnings for POSIX incompatibilities,
it now complains about missing support for %name-prefix, %define,
%destructor and string literals. The latter applies to parameter of
%name-prefix and all relevant %token statements.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bison-3.3 started to warn about:
/home/n0-1/git/nftables/src/parser_bison.y:117.1-19: warning: deprecated directive, use ‘%define api.prefix {nft_}’ [-Wdeprecated]
117 | %name-prefix "nft_"
| ^~~~~~~~~~~~~~~~~~~
/home/n0-1/git/nftables/src/parser_bison.y:119.1-12: warning: deprecated directive, use ‘%define api.pure’ [-Wdeprecated]
119 | %pure-parser
| ^~~~~~~~~~~~
/home/n0-1/git/nftables/src/parser_bison.y:124.1-14: warning: deprecated directive, use ‘%define parse.error verbose’ [-Wdeprecated]
124 | %error-verbose
| ^~~~~~~~~~~~~~
Replace the last two as suggested but leave the first one in place as
that causes compilation errors in scanner.l - flex seems not to pick up
the changed internal symbol names.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
It doesn't work when reading from a pipe, leading to parser
errors in case of 'cat foo | nft -f -', whereas 'nft -f < foo'
works fine.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1354
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
NFT_CACHE_FLUSHED tells cache_update() to skip the netlink dump to
populate the cache, since the existing ruleset is going to flushed by
this batch.
NFT_CACHE_UPDATE tells rule_evaluate() to perform incremental updates to
the cache based on the existing batch, this is required by the rule
commands that use the index and the position selectors.
This patch removes cache_flush() which is not required anymore. This
cache removal is coming too late, in the evaluation phase, after the
initial cache_update() invocation.
Be careful with NFT_CACHE_UPDATE, this flag needs to be left in place if
NFT_CACHE_FLUSHED is set on.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Initialization of a netlink_ctx included two initializers for .nft.
Removed one of them.
Fixes: 2dc07bcd7eaa ("src: pass struct nft_ctx through struct netlink_ctx")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Most members in the context don't change, so there is no need to memset
it and reassign them on every iteration. Moved that code out of the
loop.
Fixes: a72315d2bad4 ("src: add rule batching support")
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fedora 30 uses very recent gcc (version 9.1.1 20190503 (Red Hat 9.1.1-1)),
osf produces following warnings:
-Wformat-truncation warning have been introduced in the version 7.1 of gcc.
Also, remove a unneeded address check of "tmp + 1" in nf_osf_strchr().
nfnl_osf.c: In function ‘nfnl_osf_load_fingerprints’:
nfnl_osf.c:292:39: warning: ‘%s’ directive output may be truncated writing
up to 1023 bytes into a region of size 128 [-Wformat-truncation=]
292 | cnt = snprintf(obuf, sizeof(obuf), "%s,", pbeg);
| ^~
nfnl_osf.c:292:9: note: ‘snprintf’ output between 2 and 1025 bytes into a
destination of size 128
292 | cnt = snprintf(obuf, sizeof(obuf), "%s,", pbeg);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
nfnl_osf.c:302:46: warning: ‘%s’ directive output may be truncated writing
up to 1023 bytes into a region of size 32 [-Wformat-truncation=]
302 | cnt = snprintf(f.genre, sizeof(f.genre), "%s", pbeg);
| ^~
nfnl_osf.c:302:10: note: ‘snprintf’ output between 1 and 1024 bytes into a
destination of size 32
302 | cnt = snprintf(f.genre, sizeof(f.genre), "%s", pbeg);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
nfnl_osf.c:309:49: warning: ‘%s’ directive output may be truncated writing
up to 1023 bytes into a region of size 32 [-Wformat-truncation=]
309 | cnt = snprintf(f.version, sizeof(f.version), "%s", pbeg);
| ^~
nfnl_osf.c:309:9: note: ‘snprintf’ output between 1 and 1024 bytes into a
destination of size 32
309 | cnt = snprintf(f.version, sizeof(f.version), "%s", pbeg);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
nfnl_osf.c:317:47: warning: ‘%s’ directive output may be truncated writing
up to 1023 bytes into a region of size 32 [-Wformat-truncation=]
317 | snprintf(f.subtype, sizeof(f.subtype), "%s", pbeg);
| ^~
nfnl_osf.c:317:7: note: ‘snprintf’ output between 1 and 1024 bytes into a
destination of size 32
317 | snprintf(f.subtype, sizeof(f.subtype), "%s", pbeg);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
error reporting may crash because location is unset.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently nft dumps core when it encounters a prefix expression as
part of a statement, e.g.
iifname ens3 snat to 10.0.0.0/28
yields:
BUG: unknown expression type prefix
nft: netlink_linearize.c:688: netlink_gen_expr: Assertion `0' failed.
This assertion is correct -- we can't linearize a prefix because
kernel doesn't know what that is.
For LHS prefixes, they get converted to a binary 'and' such as
'10.0.0.0 & 255.255.255.240'. For RHS, we can do something similar
and convert them into a range.
snat to 10.0.0.0/28 will be converted into:
iifname "ens3" snat to 10.0.0.0-10.0.0.15
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1187
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
add rule ip testNEW test6 jump test8
^^^^^
Error: invalid verdict chain expression value
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Use the correct function when populating policy property value,
otherwise the temporary objects' refcounts are incremented.
Fixes: c82a26ebf7e9f ("json: Add ct timeout support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for "synproxy" statement. For example (for TCP port 8888):
table ip x {
chain y {
type filter hook prerouting priority raw; policy accept;
tcp dport 8888 tcp flags syn notrack
}
chain z {
type filter hook input priority filter; policy accept;
tcp dport 8888 ct state invalid,untracked synproxy mss 1460 wscale 7 timestamp sack-perm
ct state invalid drop
}
}
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Basic ct expectation object evaluation. This fixes tests/py errors.
Error reporting is very sparse at this stage. I'm intentionally leaving
this as future work to store location objects for each field, so user
gets better indication on what is missing when configuring expectations.
Fixes: 1dd08fcfa07a ("src: add ct expectations support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This modification allow to directly add/list/delete expectations.
Signed-off-by: Stéphane Veyret <sveyret@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
# nft create table testD
# nft create chain testD test6
Error: No such file or directory
create chain testD test6
^^^^^
Handle 'create' command just like 'add' and 'insert'. Check for object
types to dump the tables for more fine grain listing, instead of dumping
the whole ruleset.
Fixes: 7df42800cf89 ("src: single cache_update() call to build cache before evaluation")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is noticeable when displaying mispelling errors, however, there are
also few spots not checking for the object map flag.
Before:
# nft flush set inet filter countermxx
Error: No such file or directory; did you mean set ‘countermap’ in table inet ‘filter’?
flush set inet filter countermxx
^^^^^^^^^^
After:
# nft flush set inet filter countermxx
Error: No such file or directory; did you mean map ‘countermap’ in table inet ‘filter’?
flush set inet filter countermxx
^^^^^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
NFT_SET_OBJECT tells there is an object map.
# nft list ruleset
table inet filter {
map countermap {
type ipv4_addr : counter
}
}
The following command fails:
# nft flush set inet filter countermap
This patch checks for NFT_SET_OBJECT from new set_is_literal() and
map_is_literal() functions. This patch also adds tests for this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Two map types are currently possible:
* data maps, ie. set_is_datamap().
* object maps, ie. set_is_objmap().
This patch adds helper functions to check for the map type.
set_is_map() allows you to check for either map type.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Problem: Its not possible to easily match both udp and tcp in a single
rule.
... input ip protocol { tcp,udp } dport 53
will not work, as bison expects "tcp dport" or "sctp dport", or any
other transport protocol name.
Its possible to match the sport and dport via raw payload expressions,
e.g.:
... input ip protocol { tcp,udp } @th,16,16 53
but its not very readable.
Furthermore, its not possible to use this for set definitions:
table inet filter {
set myset {
type ipv4_addr . inet_proto . inet_service
}
chain forward {
type filter hook forward priority filter; policy accept;
ip daddr . ip protocol . @th,0,16 @myset
}
}
# nft -f test
test:7:26-35: Error: can not use variable sized data types (integer) in concat expressions
During the netfilter workshop Pablo suggested to add an alias to do raw
sport/dport matching more readable, and make it use the inet_service
type automatically.
So, this change makes @th,0,16 work for the set definition case by
setting the data type to inet_service.
A new "th s|dport" syntax is provided as readable alternative:
ip protocol { tcp, udp } th dport 53
As "th" is an alias for the raw expression, no dependency is
generated -- its the users responsibility to add a suitable test to
select the l4 header types that should be matched.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nft can load but not list this:
table inet filter {
chain input {
ct original ip daddr {1.2.3.4} accept
}
}
Problem is that the ct template length is 0, so we believe the right hand
side is a concatenation because left->len < set->key->len is true.
nft then calls abort() during concatenation parsing.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1222
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
The main.c file always uses either EXIT_FAILURE or EXIT_SUCCESS, replace
this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
xmalloc() and xfree() are internal symbols of the library, do not use
them.
Fixes: 16543a0136c0 ("libnftables: export public symbols only")
Reported-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Fixes: 226a0e072d5c ("exthdr: add support for matching IPv4 options")
Reported-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Add capability to have rules matching IPv4 options. This is developed
mainly to support dropping of IP packets with loose and/or strict source
route route options.
Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
On error, the kernel already sends to userspace an acknowledgement for
the table and chain deletion case.
In case of NLM_F_DUMP, the NLM_F_ACK is not required as the kernel
always sends a NLMSG_DONE at the end of the dumping, even if the list of
objects is empty.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Export public symbols (the library API functions) instead of all symbols in
the library.
This patch introduces the required macros to manage the visibility attributes
(mostly copied from libnftnl.git) and also marks each symbol as exported when
they need to be public. Also, introduce a .map file for proper symbol
versioning.
Previous to this patch, libnftables public symbols were:
% dpkg-gensymbols -q -plibnftables -v0.9.1 -O -esrc/.libs/libnftables.so.1 | wc -l
527
With this patch, libnftables symbols are:
% dpkg-gensymbols -q -plibnftables -v0.9.1 -O -esrc/.libs/libnftables.so.1
libnftables.so.1 libnftables #MINVER#
nft_ctx_add_include_path@Base 0.9.1
nft_ctx_buffer_error@Base 0.9.1
nft_ctx_buffer_output@Base 0.9.1
nft_ctx_clear_include_paths@Base 0.9.1
nft_ctx_free@Base 0.9.1
nft_ctx_get_dry_run@Base 0.9.1
nft_ctx_get_error_buffer@Base 0.9.1
nft_ctx_get_output_buffer@Base 0.9.1
nft_ctx_new@Base 0.9.1
nft_ctx_output_get_debug@Base 0.9.1
nft_ctx_output_get_flags@Base 0.9.1
nft_ctx_output_set_debug@Base 0.9.1
nft_ctx_output_set_flags@Base 0.9.1
nft_ctx_set_dry_run@Base 0.9.1
nft_ctx_set_error@Base 0.9.1
nft_ctx_set_output@Base 0.9.1
nft_ctx_unbuffer_error@Base 0.9.1
nft_ctx_unbuffer_output@Base 0.9.1
nft_run_cmd_from_buffer@Base 0.9.1
nft_run_cmd_from_filename@Base 0.9.1
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
They are not part of the libnftables library API, they are not public symbols,
so it doesn't not make sense to have them there. Move the two functions to a
different source file so libnftables.c only has the API functions.
I think copyright belongs to Phil Sutter since he introduced this code back in
commit 2535ba7006f22a6470f4c88ea7d30c343a1d8799 (src: get rid of printf).
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In the current setup, nft (the frontend object) is using the xzalloc() function
from libnftables, which does not makes sense, as this is typically an internal
helper function.
In order to don't use this public libnftables symbol (a later patch just
removes it), let's use calloc() directly in the nft frontend.
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
table ip filter {
ct timeout agressive-tcp {
...
policy = { established : 100, close_wait : 4, close : 4 }
^ ^ ^ ^ ^ ^
for consistency with map syntax.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
table ip filter {
ct timeout agressive-tcp {
protocol tcp;
^--- remove this semicolon
Not needed, remove it.
Fixes: c7c94802679c ("src: add ct timeout support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Use the statement separator rule, since newline is also valid.
Fixes: c7c94802679c ("src: add ct timeout support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
The evaluation step already updates the cache for each command in this
batch. There is no need to update the cache again from the echo path,
otherwise the cache is populated twice with the same object.
Fixes: b99c4d072d99 ("Implement --echo option")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, the expiration of every element in a set or map
is a read-only parameter generated at kernel side.
This change will permit to set a certain expiration date
per element that will be required, for example, during
stateful replication among several nodes.
This patch will enable the _expires_ input parameter in
the parser and propagate NFTNL_SET_ELEM_EXPIRATION in
order to send the configured value.
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
