| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
This patch adds userspace support for setting properties of tracked connections.
Currently, the connection mark is supported. This can be used to implemented the
same functionality as iptables -j CONNMARK --save-mark.
Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
libnftables should not mask kernel errors. Let user specify any combination of
parameters and leave the error-checking to the kernel. The kernel will return
-EINVAL and users will know that they have to fix their code. This patch also a
removes a redundant variable that was passed to the snprintf-functions (flag).
A second iteration might be needed. I was not sure how to deal with
snprintf_default in the case of both sreg and dreg.
Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Since nftables now uses nft_rule_expr_get_u32(), the internal size must
also be a uint32_t.
Fixes complete breakage of any cmp or meta expression.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds a copy of the include/linux/netfilter.h kernel header
that defines NFPROTO_INET, so libnftables compiles with relatively
old kernel headers in the system.
chain.c: In function 'nft_hooknum2str':
chain.c:53:7: error: 'NFPROTO_INET' undeclared (first use in this function)
This required to reorder and remove unneeded headers in src/expr/data_reg.c
to avoid a compilation warning due to redefinition of __visible.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This example prints the ruleset, using the ruleset API of nftables.
The kernel patch c9c8e48 ("netfilter: nf_tables: dump sets in all existing
families") is required.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| | |
Other nftables objects are allowed to be dumped with NFPROTO_UNSPEC.
With sets is also possible since kernel patch c9c8e48 ("netfilter: nf_tables:
dump sets in all existing families").
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Parsing tests were failing because a missing 'use' attribute in tables.
validating xmlfiles/02-table.xml: FAILED
from file: 0</flags></table>
f
from snprintf: 0</flags><use>0</use
^
[...]
validating jsonfiles/64-ruleset.json: FAILED
from file: ,"flags":0}},{"chain
from snprintf: ,"flags":0,"use":0}}
^
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|/
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
| |
This patch adds userspace support for the meta expression in the set flavour.
This expression indicates that the packet has to be set with a property,
currently one of mark, priority or nftrace.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This adds support for table's attribute "use" which let us know about
how many chains are in the table, if any.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch adds a support of the queue target.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This fixes the following warning:
In file included from nft-expr_target-test.c:19:0: /usr/include/linux/netfilter_ipv4/ipt_LOG.h:4:2: warning: #warning "Please update iptables, this file will be removed soon!" [-Wcpp]
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Let's test the XML/JSON parsing with test-script.sh as well.
Singed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Add new function nft_nlmsg_build_hdr which consolidates all existing
functions to build headers per object. They basically look the same.
This patch still provides aliases for consistency in the naming
approach.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Use _LIBNFTABLES_ prefix to avoid possible clash with headers that
are defined in other libraries that may be used by third party
applications.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These tests create an initial object 'a' whose attributes are
set to arbitrary values. Then, that object is converted to a
Netlink message which is parsed to obtain the object 'b'. If
things go well, the original object 'a' and the transformed
object 'b' should be equivalent. Thus, we make sure that object
transformations through the main library APIs are correct.
These tests have helped to catch the following bugs in this library:
(3cf788a72 expr: fix leak in target and match expressions)
(4182e574f expr: match: fix wrong flag setting in nft_rule_expr_match_parse)
(0bec6bc5e expr: log: release prefix)
(2b690deea expr: log: fix missing \0 when sending log prefix to kernel)
(e55c7afcf expr: target: fix wrong info length in nft_rule_expr_target_parse)
(8fc4d4bd2 expr: log: fix wrong attribute type in nft_rule_expr_log_parse)
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
These are needed to set the family value for chain and table.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
I fixed it by using the correct value.
Signed-off-by: Ana Rey <anarey@gmail.com>
Acked-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If I run my automatic unit test of libnftable, It shows:
ERROR: Expr NFT_EXPR_TG_INFO size mismatches size a: 32 b: 36
The problem was in nft_rule_expr_target_parse function. With the
attached patch, we use mnl_attr_get_payload_len() in instead of
mnl_attr_get_len().
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If I run my automatic unit test for libnftables, It shows:
"ERROR: Expr NFT_EXPR_LOG_PREFIX mismatches"
a: test
b: test
^^
garbage
The problem was in nft_rule_expr_log_build function. With
the attached patch, we use mnl_attr_put_strz() instead of
mnl_attr_put_str() as in other functions in the library.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Ana Rey reported a leak in the log expression. Fix it by using
the new .free interface added in (3cf788a expr: fix leak in target
and match expressions).
Reported-by: Ana Rey Botello <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Expression flags were incorrectly set.
Reported-by: Ana Rey Botello <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Fix missing files that were not included in the tarball
that distcheck generates.
This also includes AC_EXEEXT, otherwise configure complains about
undefined CHECK_GCC_FVISIBILITY.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Release internal data area for match and target expressions.
==30104== 68 bytes in 1 blocks are definitely lost in loss record 1 of 1
==30104== at 0x4C2B514: calloc (vg_replace_malloc.c:593)
==30104== by 0x400C2F: main (nft-expr_match-test.c:65)
Reported-by: Ana Rey Botello <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Unify parse and output types that are redundant to all
existing nftables objects. Thus, all NFT_*_O_[XML|JSON|DEFAULT]
are merged into NFT_OUTPUT_[JSON|XML] and NFT_PARSE_[JSON|XML].
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
It should have been done in (2cba099 rule: remove
NFT_RULE_ATTR_FLAGS).
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Kill reference to undefined symbol.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The headers do not compile standalone which may cause compilation
problems to third party programs.
$ gcc -x c -Wall -c *.h
chain.h:62:35: error: unknown type name ‘size_t’
expr.h:40:39: error: unknown type name ‘size_t’
rule.h:60:34: error: unknown type name ‘size_t’
ruleset.h:20:1: error: unknown type name ‘bool’
ruleset.h:20:59: error: unknown type name ‘uint16_t’
ruleset.h:21:52: error: unknown type name ‘uint16_t’
ruleset.h:22:50: error: unknown type name ‘uint16_t’
ruleset.h:23:63: error: unknown type name ‘uint16_t’
ruleset.h:39:37: error: unknown type name ‘size_t’
ruleset.h:39:80: error: unknown type name ‘uint32_t’
ruleset.h:39:95: error: unknown type name ‘uint32_t’
set.h:40:33: error: unknown type name ‘size_t’
set.h:110:38: error: unknown type name ‘size_t’
table.h:50:35: error: unknown type name ‘size_t’
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac'
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes:
In file included from utils.c:11:0:
./internal.h:93:17: error: unknown type name 'FILE'
int nft_fprintf(FILE *fp, void *obj, uint32_t type, uint32_t flags, int
(*snprintf_cb)(char *buf, size_t bufsiz, void *obj, uint32_t type,
uint32_t flags));
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Print a message when there is no support for some parser.
Remove those EOPNOTSUPPs because they are unused.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Report error when building XML tree.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Ensure the tree is freed when done.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Before this patch, 0 was returned unconditionally.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Now it's possible to print directly from libnftables to a file or
other stream. The caller must explicitly print the trailing '\n'
in this call.
The error reporting of fprintf (< 0) is respected. However, we have
already print some information in case that the default (plain text)
output is used, that output is mostly intended for debugging so it
should not be a problem.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This factorization of JSON/XML open & close tag allows reutilice
code in future patches (for example, the fprintf API functions).
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Give a new XML ruleset testfile. For some reason patchwork has truncated
the file?
This should have been fixed in (b7c39a7 test: xml: fix malformed ruleset
testfile).
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
The definition of this structure belongs to the scope of
linux/netlink.h.
Based on patch from Jan Engelhardt.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As reported by John Sager, nft_set_attr_get_u32 can cause a
segfault because nft_set_attr_get can return NULL. Check for
a non-NULL pointer before dereferencing.
This closes netfilter bugzilla #868.
[ I have mangled this patch to solve possible null pointer
dereference with get operations with rule objects --pablo ]
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Update tests to fit the latest limit changes in
commit [e91ea14] (expr: limit: operational limit match)
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch adds support for the reject expression.
Tested-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This is a leftover from the time we had per rule flags, obsoleted
by the new rule batching approach. Kill it as it is unused.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Give a new XML ruleset testfile. For some reason, the previous was truncated.
This passed silently as nft-parsing-test is not reporting some errors properly.
This new file provides:
* 2 tables
* 3 chains
* 2 sets, with and without maps
* 3 rules with mixed exprs
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
my fault, spotted by Phil Oester.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
| |
commit 10e0890e ('src: operational limit match') creates huge
array, increasing libnftables binary size. Use switch statement
instead.
Based on patch from Florian Westphal, for nft.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The nft limit match currently does not work at all. Below patches to
nftables, libnftables, and kernel address the issue. A few notes on
the implementation:
- Removed support for nano/micro/milli second limits. These seem pointless,
given we are using jiffies in the limit match, not a hpet. And who really
needs to limit items down to sub-second level??
- 'depth' member is removed as unnecessary. All we need in the kernel is the
rate and the unit.
- 'stamp' member becomes the time we need to next refresh the token bucket,
instead of being updated on every packet which goes through the match.
This closes netfilter bugzilla #827, reported by Eric Leblond.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
If this fails to parse a set element, stop the processing.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|