* object: fix crash when object ops is null
  Author: Florian Westphal | Date: 2017-02-27 | Files: 1 | Lines: -1/+2

  When debugging nft with an invalid object type (during development), this will crash here with a null deref. Print (unknown) instead if obj->ops is null.

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* object: don't set NFTNL_OBJ_TYPE unless obj->ops is non-null
  Author: Florian Westphal | Date: 2017-02-27 | Files: 1 | Lines: -1/+4

  If nft sets an invalid type, nftnl_obj_ops_lookup will return NULL. In this case we must not set the NFTNL_OBJ_TYPE flag, else we later get a crash in nftnl_obj_nlmsg_build_payload as it dereferences obj->ops.

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: remove unused variable uval8
  Author: Alexander Alemayhu | Date: 2017-02-23 | Files: 1 | Lines: -1/+0

  Was added but not used in d7b451fe1a45 (src: add TCP option matching requirements, 2017-02-07). Fixes the following warning:

    expr/exthdr.c: In function ‘nftnl_expr_exthdr_json_parse’:
    expr/exthdr.c:244:10: warning: unused variable ‘uval8’ [-Wunused-variable]
      uint8_t uval8;
              ^~~~~

  Signed-off-by: Alexander Alemayhu <alexander@alemayhu.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* src: ct: add zone support
  Author: Florian Westphal | Date: 2017-02-19 | Files: 1 | Lines: -1/+2

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: add NFTA_RULE_ID attribute
  Author: Pablo Neira Ayuso | Date: 2017-02-16 | Files: 2 | Lines: -1/+38

  This patch adds the new NFTA_RULE_ID attribute.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* common: return nlmsghdr in nftnl_batch_{begin,end}()
  Author: Pablo Neira Ayuso | Date: 2017-02-16 | Files: 2 | Lines: -8/+8

  Useful to append netlink attributes after the batch headers.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* common: get rid of nftnl_batch_build_hdr()
  Author: Pablo Neira Ayuso | Date: 2017-02-16 | Files: 2 | Lines: -25/+20

  Add __nftnl_nlmsg_build_hdr() so nftnl_batch_build_hdr() and nftnl_nlmsg_build_hdr() share the same code.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: Add missing exthdr flags cases
  Author: Phil Sutter | Date: 2017-02-16 | Files: 1 | Lines: -0/+4

  Looks like some chunks went by the board while merging with the exthdr->op patch.

  Fixes: 4196376330468 ("exthdr: Add support for exthdr flags")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* exthdr: Add support for exthdr flags
  Author: Phil Sutter | Date: 2017-02-15 | Files: 2 | Lines: -0/+18

  Along with the actual support for exthdr expression specific flags, this also declares NFT_EXTHDR_F_PRESENT used for exthdr existence match.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: refresh nf_tables.h copy
  Author: Pablo Neira Ayuso | Date: 2017-02-15 | Files: 1 | Lines: -15/+25

  Fetch what we have in the kernel tree.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add TCP option matching requirements
  Author: Manuel Messner | Date: 2017-02-12 | Files: 3 | Lines: -5/+62

  This patch is a requirement of the TCP option patch.

  Signed-off-by: Manuel Messner <mm@skelett.io>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* examples: Remove the use of nftnl_mnl_batch_put()
  Author: Elise Lennion | Date: 2017-01-16 | Files: 4 | Lines: -92/+60

  Use nftnl_batch_begin() and nftnl_batch_end() instead, to keep examples consistent and avoid code duplication.

  Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: Add const qualifiers to *2str translation arrays
  Author: Tobias Klauser | Date: 2017-01-16 | Files: 6 | Lines: -6/+6

  Add const qualifiers to the "to string" translation arrays used by various *2str() functions. This fixes GCC warnings such as the following when compiling with -Wwrite-strings:

    expr/byteorder.c:176:25: warning: initialization discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]

  In order to catch these in the future, also add -Wwrite-strings to default CFLAGS.

  Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: ct: add average bytes per packet counter support
  Author: Liping Zhang | Date: 2017-01-03 | Files: 2 | Lines: -1/+7

  Similar to ct packets/bytes ...

  Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: get rid of aliases and compat
  Author: Pablo Neira Ayuso | Date: 2016-12-20 | Files: 24 | Lines: -1251/+283

  This machinery was introduced to avoid sudden compilation breakage of old nftables releases. With the upcoming release of 0.7 (and 0.6 which is now 6 months old) this is not required anymore. Moreover, users gain nothing from older releases since they are half-boiled and buggy. So let's get rid of aliases now.

  Bump LIBVERSION and update map file.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: Missing nf_log.h in Makefile (tag: libnftnl-1.0.7)
  Author: Pablo Neira Ayuso | Date: 2016-12-19 | Files: 1 | Lines: -1/+1

  Otherwise, make distcheck breaks.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: update LIBVERSION to prepare a new release
  Author: Pablo Neira Ayuso | Date: 2016-12-19 | Files: 2 | Lines: -2/+2

  New interfaces have been added (bump revision), and no interfaces were removed (bump age).

  Update version: 1.0.7.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* quota: support for consumed bytes
  Author: Pablo Neira Ayuso | Date: 2016-12-09 | Files: 2 | Lines: -3/+24

  This patch extends the quota support to account for consumed bytes.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: objref: add support for stateful object maps
  Author: Pablo Neira Ayuso | Date: 2016-12-09 | Files: 2 | Lines: -2/+73

  If the NFT_SET_OBJECT flag is set, then this set stores a mapping between any random user-defined arbitrary key and one stateful object. Very useful for performance lookups.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: add NFTNL_SET_ELEM_OBJREF attribute
  Author: Pablo Neira Ayuso | Date: 2016-12-09 | Files: 3 | Lines: -0/+29

  This new attribute allows us to attach stateful objects to elements for map lookups. This new attribute identifies the object through its name.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: add NFTNL_SET_OBJ_TYPE attribute
  Author: Pablo Neira Ayuso | Date: 2016-12-09 | Files: 3 | Lines: -0/+29

  This new attribute specifies the stateful object type this set stores. Similar to data type, but specific to store objects. You must set the NFT_SET_OBJECT flag to use this.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add stateful object reference expression
  Author: Pablo Neira Ayuso | Date: 2016-12-09 | Files: 8 | Lines: -0/+329

  This patch adds a new "objref" expression that you can use to refer to stateful objects from rules.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for stateful objects
  Author: Pablo Neira Ayuso | Date: 2016-12-09 | Files: 17 | Lines: -0/+1638

  This patch allows you to add, delete and get stateful objects; it supports two object types: counter and quota.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: fetch stateful object updates for nf_tables.h cache copy
  Author: Pablo Neira Ayuso | Date: 2016-12-09 | Files: 1 | Lines: -0/+64

  This patch includes updates for the stateful objects.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: nftnl_set_elems_nlmsg_build_payload_iter()
  Author: Pablo Neira Ayuso | Date: 2016-12-05 | Files: 1 | Lines: -0/+4

  Similar to a24e4b21ee33 ("set_elem: don't add NFTA_SET_ELEM_LIST_ELEMENTS attribute if set is empty"). This is required by the set flush support.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: payload: add NFTNL_EXPR_PAYLOAD_FLAGS
  Author: Pablo Neira Ayuso | Date: 2016-12-04 | Files: 3 | Lines: -2/+27

  So we can include the new NFT_PAYLOAD_L4CSUM_PSEUDOHDR flag.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-set-elem-add: add missing batch logic
  Author: Pablo Neira Ayuso | Date: 2016-11-30 | Files: 1 | Lines: -5/+21

  This example is broken since batch logic is missing. Update it to add an element of 2 bytes so this works with nft-set-add.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-set-add: update it to add a set that stores port numbers
  Author: Pablo Neira Ayuso | Date: 2016-11-30 | Files: 1 | Lines: -2/+3

  This patch updates the existing example to add a set that stores port numbers. In order to interoperate with the nft tool, we use the datatype numbers defined there.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: add nft-map-add
  Author: Pablo Neira Ayuso | Date: 2016-11-30 | Files: 2 | Lines: -0/+161

  Place an example to add a map in the libnftnl tree.

  Reported-by: Khawar Shehzad <shehzad.khawar@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: call expr->ops->snprintf only if defined
  Author: Pablo Neira Ayuso | Date: 2016-11-29 | Files: 1 | Lines: -0/+3

  The notrack expression comes with no ->ops->snprintf, so skip this from nftnl_expr_snprintf() if not set.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: refresh nf_tables.h cache copy
  Author: Pablo Neira Ayuso | Date: 2016-11-24 | Files: 1 | Lines: -4/+10

  Fetch what we have at 4.9-rc6.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: missing offset handling for snprintf() in hash and numgen
  Author: Pablo Neira Ayuso | Date: 2016-10-31 | Files: 2 | Lines: -2/+2

  Fix incorrect output when offset attribute is unset.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add fib expression
  Author: Florian Westphal | Date: 2016-10-28 | Files: 5 | Lines: -0/+318

  Allows querying the fib for the output interface and route type of a packet's source or destination address.

  Scheduled for Linux 4.10.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* src: introduce rt expression
  Author: Anders K. Pedersen | Date: 2016-10-28 | Files: 5 | Lines: -0/+283

  Introduce support for rt expression for routing related data as implemented in kernel.

  Signed-off-by: Anders K. Pedersen <akp@cohaesio.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add notrack expression
  Author: Pablo Neira Ayuso | Date: 2016-10-20 | Files: 2 | Lines: -2/+10

  Register this simple expression with no attributes. Make sure libnftnl doesn't crash when no build and parse indirections are defined, as is the case for this expression.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: update Arturo Borrero Gonzalez email
  Author: Arturo Borrero Gonzalez | Date: 2016-10-17 | Files: 9 | Lines: -9/+9

  Update Arturo Borrero Gonzalez email address.

  Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: don't add NFTA_SET_ELEM_LIST_ELEMENTS attribute if set is empty
  Author: Pablo Neira Ayuso | Date: 2016-10-17 | Files: 1 | Lines: -0/+3

  If the set is empty, don't send an empty NFTA_SET_ELEM_LIST_ELEMENTS netlink attribute with no elements.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add range expression
  Author: Pablo Neira Ayuso | Date: 2016-10-13 | Files: 8 | Lines: -0/+441

  Add the range expression that is scheduled for linux kernel 4.9. This range expression allows us to check if a given value placed in a register is within/outside a specified interval.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: log: complete log flags support
  Author: Liping Zhang | Date: 2016-10-04 | Files: 2 | Lines: -5/+42

  If NFTNL_EXPR_LOG_FLAGS is not set, it's unnecessary to print out the flags value. Furthermore, it's better to print out a string message instead of the hex value.

  Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: log: do not print prefix if it is not set
  Author: Liping Zhang | Date: 2016-10-04 | Files: 1 | Lines: -2/+4

  This will avoid the following ugly display output:

    [ log prefix (null) ]

  Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: log: fix typo in nftnl_expr_log_export
  Author: Liping Zhang | Date: 2016-10-04 | Files: 1 | Lines: -1/+1

  After testing that NFTNL_EXPR_LOG_FLAGS is set, we should put "log->flags" instead of "log->level".

  Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: display offset only if present in hash and numgen expressions
  Author: Pablo Neira Ayuso | Date: 2016-09-23 | Files: 2 | Lines: -9/+18

  So nft payload python tests don't break.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove libmxml support
  Author: Arturo Borrero | Date: 2016-09-23 | Files: 122 | Lines: -2297/+60

  This patch removes the libmxml integration in libnftnl, since we have JSON in place and there is no need to support two at the same time.

  The JSON support is much better, for example libjansson has a better parsing error reporting.

  Moreover, libmxml 2.10 breaks the integration with libnftnl somehow, as reported in Debian bug #83870 [0].

  Also, the XML support inside libnftnl has never been in good shape, with several tiny inconsistencies.

  [0] https://bugs.debian.org/838370

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: queue: add NFTA_QUEUE_SREG_QNUM attr support
  Author: Liping Zhang | Date: 2016-09-22 | Files: 4 | Lines: -7/+54

  After adding the _SREG_QNUM attr, queuenum is not a mandatory option anymore, so we must test NFTNL_EXPR_QUEUE_NUM first before dumping the queue num in snprintf_default.

  Also add a trailing space in snprintf_default; this is consistent with other expressions.

  Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: numgen: add number generation offset
  Author: Laura Garcia Liebana | Date: 2016-09-22 | Files: 4 | Lines: -6/+40

  Add support to pass through an offset value to the counter initialization. With this feature, the sysadmin is able to apply a value to be added to the generated number.

  Example:

    meta mark set numgen inc mod 2 offset 100

  This will generate marks with series 100, 101, 100, 101, ...

  Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
  Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: hash: Add offset to hash value
  Author: Laura Garcia Liebana | Date: 2016-09-12 | Files: 4 | Lines: -6/+40

  Add support to pass through an offset to the hash value. With this feature, the sysadmin is able to generate a hash with a given starting value.

  Example:

    meta mark set jhash ip saddr mod 2 seed 0xabcd offset 100

  This option generates marks according to the source address from 100 to 101.

  Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: queue: add missing NFTNL_EXPR_QUEUE_FLAGS compare test
  Author: Liping Zhang | Date: 2016-09-12 | Files: 1 | Lines: -0/+3

  We forgot to compare NFTNL_EXPR_QUEUE_FLAGS between two exprs, now add it.

  Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: queue: remove redundant NFTNL_EXPR_QUEUE_NUM set in json parse
  Author: Liping Zhang | Date: 2016-09-12 | Files: 1 | Lines: -1/+0

  We have already set NFTNL_EXPR_QUEUE_NUM when "num" is parsed successfully; setting it here is wrong and redundant, so remove it.

  Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: numgen: Rename until attribute by modulus
  Author: Laura Garcia Liebana | Date: 2016-09-07 | Files: 5 | Lines: -36/+35

  The _modulus_ attribute will be reused as _until_, as it's similar to other expressions with value limits (ex. hash).

  Renaming is possible according to the kernel module ntf_numgen that has not been released yet.

  Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* trace: use get_u32 to parse NFPROTO and POLICY attribute
  Author: Liping Zhang | Date: 2016-09-02 | Files: 1 | Lines: -2/+2

  The NFTA_TRACE_NFPROTO and NFTA_TRACE_POLICY attributes are 32-bit values, so we should use mnl_attr_get_u32 and htonl here.

  Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>