| Commit message | Author | Age | Files | Lines |

Syntax:
# nft add element filter test { 192.168.0.1 comment "some host" }
Signed-off-by: Patrick McHardy <kaber@trash.net>
Support specifying per element timeout values and displaying the expiration
time.
If an element should not use the default timeout value of the set, an
element specific value can be specified as follows:
# nft add element filter test { 192.168.0.1, 192.168.0.2 timeout 10m}
For listing of elements that use the default timeout value, just the
expiration time is shown, otherwise the element specific timeout value
is also displayed:
set test {
type ipv4_addr
timeout 1h
elements = { 192.168.0.2 timeout 10m expires 9m59s, 192.168.0.1 expires 59m59s}
}
Signed-off-by: Patrick McHardy <kaber@trash.net>
Timeout support can be enabled in one of two ways:
1. Using a default timeout value:
set test {
type ipv4_addr;
timeout 1h;
}
2. Using the timeout flag without a default:
set test {
type ipv4_addr;
flags timeout;
}
Optionally a garbage collection interval can be specified using
gc-interval <interval>;
Signed-off-by: Patrick McHardy <kaber@trash.net>
Add a new expression type "set_elem_expr" that is used as a container for
the key in order to attach different attributes, such as timeout values,
to the key.
The expression hierarchy is as follows:
Sets:

        elem
         |
        key

Maps:

        mapping
        /     \
      elem   data
       |
      key

Signed-off-by: Patrick McHardy <kaber@trash.net>
Set keys are currently defined as a regular expr for pure sets and
map_lhs_expr for maps. map_lhs_expr is what can actually be used for
a single member, namely a concat_expr or a multiton_expr. The reason
why pure sets use expr for the key is to allow recursive set specifications,
which doesn't make sense for maps since every element needs a mapping.
However, the rule is too wide and also allows map expressions as a key,
which obviously doesn't make sense.
Rearrange the rules so we have:
set_lhs_expr: concat or multiton
set_rhs_expr: concat or verdict
and special case the recursive set specifications, as they deserve.
Besides making it a lot easier to understand what is actually supported,
this will be used by the following patch to support timeouts and comments
for keys in a uniform way.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Separate relative time parsing and printing from the time_type to make
it usable for set and set element time related parameters.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Don't require hours to be in range 0-23 and minutes/seconds in range 0-59.
The time_type is used for relative times where it is entirely reasonable
to specify 180s instead of 3m.
Signed-off-by: Patrick McHardy <kaber@trash.net>
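The relaxed relative-time rule described in this commit, together with the "timeout ... expires ..." element listing of the set-timeout commit above, as an added example in Python (not nftables' own parser): the accepted unit letters, the any-order/no-repeat rule and the `format_element()` helper are assumptions made for the illustration.

```python
import re

# Added example, not nftables code: parser and printer for the relative
# time strings used by "timeout" and "expires" (1h, 10m, 9m59s, 180s).
# Unit set and the "any order, no repeated unit" rule are assumptions.
_UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
_TOKEN = re.compile(r"(\d+)([dhms])")


def parse_time(text):
    """Seconds denoted by a relative time string; '180s' and '3m' both give
    180 because hours/minutes/seconds are not range-limited here."""
    pos, seconds, seen = 0, 0, set()
    for m in _TOKEN.finditer(text):
        if m.start() != pos:
            break  # garbage between tokens, reported below
        value, unit = int(m.group(1)), m.group(2)
        if unit in seen:
            raise ValueError("duplicate unit %r in %r" % (unit, text))
        seen.add(unit)
        seconds += value * _UNITS[unit]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError("invalid time string: %r" % text)
    return seconds


def format_time(seconds):
    """Canonical form: largest unit first, zero components omitted."""
    if seconds <= 0:
        return "0s"
    parts = []
    for unit in "dhms":
        value, seconds = divmod(seconds, _UNITS[unit])
        if value:
            parts.append("%d%s" % (value, unit))
    return "".join(parts)


def format_element(key, set_timeout, age, elem_timeout=None):
    """Render one element as in the listing above: the per-element timeout
    is printed only when it differs from the set default; 'expires' is the
    time left given 'age' seconds since the element was added (constructed)."""
    default = parse_time(set_timeout)
    timeout = parse_time(elem_timeout) if elem_timeout else default
    text = key
    if timeout != default:
        text += " timeout " + format_time(timeout)
    return text + " expires " + format_time(max(timeout - age, 0))
```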
Properly detect time strings in the lexer without quotation marks.
Signed-off-by: Patrick McHardy <kaber@trash.net>
nftables used to have a cache to speed up interface name <-> index lookup,
restore it using libmnl.
This reduces netlink traffic since if_nametoindex() and if_indextoname() open,
send a request, receive the list of interfaces and close a netlink socket for
each call. I think this is also good for consistency since nft -f will operate
with the same index number when reloading the ruleset.
The cache is populated when nft_if_nametoindex() and nft_if_indextoname()
are used for the first time. Then, it is released in the output path. In the
interactive mode, it is invalidated after each command.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Based on the existing netlink_open_error(), but indicate file and line
where the error happens. This will help us to diagnose what is going
wrong when users come back to us to report problems.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Due to change f3ff9e9 ("rule: delete extra space in rule indentation") in
function rule_print(), a missing space happens in monitor.
before this patch:
% nft monitor
add rule ip test-table test-chainip protocol tcp
after this patch:
% nft monitor
add rule ip test-table test-chain ip protocol tcp
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
payload_dependency_kill() does not properly handle dependencies for link
layer expressions. Since those dependencies are logically defined on an
even lower layer (device layer), we don't have a payload base for them,
meaning they will use PROTO_BASE_INVALID, which is skipped.
So instead of storing the payload base on which the dependency is defined,
we store the base of the layer for which the dependency applies, meaning
dependencies defined by the device layer will properly work.
This fixes killing the dependency of ether saddr, instead of
iiftype ether ether ether saddr ...
we now only display
ether saddr ...
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Patrick McHardy <kaber@trash.net>
When a set contains combined flag values, they are displayed as numeric
value since they don't match any of the single flag values:
tcp flags { 18, psh, syn}
Convert to a series of inclusive-OR binops of the single flag values
for improved readability:
tcp flags { syn | ack, psh, syn}
Signed-off-by: Patrick McHardy <kaber@trash.net>
f.i:
type filter hook output priority 0; policy accept;
ip daddr @test counter packets 14 bytes 1176
Reported-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Fix crash when adding a non-base chain introduced by acdfae9 ("src:
allow to specify the default policy for base chains").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Annoying extra space in rule indentation:
Example before this patch:
table ip6 test_table {
    chain test_chain {
         counter tcp dport { 22, 80, 443} accept # handle 1
        ^
    }
}
Example after this patch:
table ip6 test_table {
    chain test_chain {
        counter tcp dport { 22, 80, 443} accept # handle 1
    }
}
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The new syntax is:
nft add chain filter input { hook input type filter priority 0\; policy accept\; }
but the previous syntax is still allowed:
nft add chain filter input { hook input type filter priority 0\; }
this assumes default policy to accept.
If the base chain already exists, you can update the policy via:
nft add chain filter input { policy drop\; }
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The nf_tables kernel API provides a way to disable a table using the
dormant flag. This patch adds the missing code to expose this feature
through nft.
Basically, if you want to disable a table and all its chains from seeing
any traffic, you have to type:
nft add table filter { flags dormant\; }
to re-enable the table, you have to:
nft add table filter
this clears the flags.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1000
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The objects need to be loaded in the following order:
#1 tables
#2 chains
#3 sets
#4 rules
We have to make sure that chains are in place by when we add rules with
jumps/gotos. Similarly, we have to make sure that the sets are in place
by when rules reference them.
Without this patch, you may hit ENOENT errors depending on your ruleset
configuration.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Closes: http://bugzilla.netfilter.org/show_bug.cgi?id=995
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
When using a symbolic vmap expression, we fail to verify that the map
actually contains verdicts.
Use stmt_evaluate_arg() everywhere to fix this.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Catch type errors in map expressions using named maps:
# nft add map filter test { type ipv4_addr : inet_service; }
# nft filter output mark set tcp dport map @test
<cmdline>:1:38-42: Error: datatype mismatch, map expects IPv4 address, mapping expression has type internet network service
filter output mark set tcp dport map @test
~~~~~~~~~ ^^^^^
Signed-off-by: Patrick McHardy <kaber@trash.net>
The datatype of the map expression is the datatype of the mappings.
# nft add map filter test { type ipv4_addr : inet_service; }
# nft filter output mark set ip daddr map @test
Before:
<cmdline>:1:24-41: Error: datatype mismatch: expected packet mark, expression has type IPv4 address
filter output mark set ip daddr map @test
~~~~~~~~~^^^^^^^^^^^^^^^^^^
After:
<cmdline>:1:24-41: Error: datatype mismatch: expected packet mark, expression has type internet network service
filter output mark set ip daddr map @test
~~~~~~~~~^^^^^^^^^^^^^^^^^^
Signed-off-by: Patrick McHardy <kaber@trash.net>
# nft add set filter test { type ipv4_addr; }
# nft filter input ip daddr vmap @test
Before:
<cmdline>:0:0-32: Error: Could not process rule: Invalid argument
filter input ip daddr vmap @test
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
After:
<cmdline>:1:28-32: Error: Expression is not a map
filter input ip daddr vmap @test
^^^^^
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Fix regression introduced by commit 87c2a2205:
netlink_delinearize: clone on netlink_get_register(), release previous on _set()
When using a non-verdict mapping, the set ref expression is assigned to the
destination register. The next get_register() will attempt to clone it and
crash because of the missing ->clone() callback.
# nft filter input meta mark set ip daddr map { 192.168.0.1 : 123 }
# nft list table filter
Segmentation fault (core dumped)
Signed-off-by: Patrick McHardy <kaber@trash.net>
The set_clone() function was added by the event monitor patchset and is
unused. It is also broken since it simply initializes the list head to
the list of the original set, so remove it.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Introduction of the ERROR symbol is an ugly hack. There's no reason
to special case large integer values, the NUM token only exists for
small values that are needed immediately, everything else is passed
as EXPR_SYMBOL to evaluation anyways.
Additionally the error reporting is different from what we'd usually
report, the token is easy to confuse with the bison internal error
token and it even has a name, messing up bison internal diagnostics.
Simply return values too large to be handled by strtoull as STRING.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Add a helper function to dump netlink register numbers in preparation
of concat support.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Add a helper function to parse netlink register numbers in preparation
of concat support.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Patrick McHardy <kaber@trash.net>
The netlink parsing code is full of long function calls spanning multiple
lines and in some cases parses netlink attributes multiple times.
Use local variables for the registers and other data required to
reconstruct the expressions and statements and reorder the code in
some cases to move related processing next to each other.
Signed-off-by: Patrick McHardy <kaber@trash.net>
These are really badly chosen names, use parse_expr and parse_stmt instead.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Improve readability by using local variables for netlink attributes,
ordering variables more logically, don't arbitrarily initialize
some variables in the definition section and in the body and generally
make similar functions look similar.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Remove style discrepancies between different netlink I/O functions:
- we don't use brackets for single line statements
- most functions don't have a newline between error reporting and exit
Signed-off-by: Patrick McHardy <kaber@trash.net>
We include an empty line between variable definitions and code.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Waste less space and return the results of the batch/compat
functions directly.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Fix two memory leaks in netlink event monitor. Also fix a leak related
to all sets, the ->init expression is not freed.
Signed-off-by: Patrick McHardy <kaber@trash.net>
netlink_delinearize is prepared to deal with malformed expressions from
the kernel that it doesn't understand. However since expressions are now
cloned unconditionally by netlink_get_register(), we crash before such
errors can be detected for invalid inputs.
Fix by only cloning non-NULL expressions.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Add a helper function to evaluate expressions used as arguments for
statements and report datatype mismatches.
Fixes acceptance of mismatching expressions like:
$ nft filter output meta mark set ip daddr
<cmdline>:1:29-36: Error: datatype mismatch: expected packet mark. expression has type IPv4 address
filter output meta mark set ip daddr
~~~~~~~~~~~~~~^^^^^^^^
Signed-off-by: Patrick McHardy <kaber@trash.net>
The redir and masq evaluation functions include some useless context
updates and checks.
Refactor the NAT code to have a single instance of address and transport
evaluation functions for simplicity and unified error reporting.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Modify pr_debug() to use printf so we get debugging traces for
proto-ctx when --with-mini-gmp is enabled.
Add pr_gmp_debug(), this is disabled with --with-mini-gmp since it
relies on the gmp_printf(), which is not available in the mini-gmp
implementation.
Suggested by Patrick.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
CC mini-gmp.o
mini-gmp.c: In function ‘mpn_get_str_bits’:
mini-gmp.c:1176:17: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
mini-gmp.c: In function ‘mpz_and’:
mini-gmp.c:3650:8: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
mini-gmp.c: In function ‘mpz_ior’:
mini-gmp.c:3723:8: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
mini-gmp.c: In function ‘mpz_xor’:
mini-gmp.c:3792:8: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
mini-gmp.c: In function ‘mpz_set_str’:
mini-gmp.c:4167:17: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This allows to disable linking the >400 KB big libgmp and replace it
with the builtin mini-gmp which only increases size by ~30KB.
Enabling this selectively decreases debugging verbosity (pr_debug).
Signed-off-by: Steven Barth <cyrus@openwrt.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>