summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* src: limit stateful object supportPablo M. Bermudo Garay2017-09-046-2/+259
| | | | | | | This patch adds support for a new type of stateful object: limit. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rt: tcpmss get supportFlorian Westphal2017-08-212-1/+3
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: tcp option set supportFlorian Westphal2017-08-213-6/+38
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: free user dataEric Leblond2017-07-061-0/+2
| | | | | | | | | | | | This was causing a memory leak when using set. Catched by an ASAN run: ==21004==ERROR: LeakSanitizer: detected memory leaks Direct leak of 12 byte(s) in 2 object(s) allocated from: #0 0x4cde58 in malloc (/usr/local/sbin/nft+0x4cde58) #1 0x7ffff79b8c19 in nftnl_set_set_data /home/eric/git/netfilter/libnftnl/src/set.c:179
* ct: rename eventmask to eventFlorian Westphal2017-06-071-1/+1
| | | | | | Pablo suggested this for consistency; ct status isn't named statusmask either. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: ct eventmask supportFlorian Westphal2017-03-162-1/+4
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: ct helper supportFlorian Westphal2017-03-166-2/+236
| | | | | | | | add support for ct helper objects, these are used to assign helpers to connections, similar to iptables -j CT --set-helper target. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* object: extend set/get api for u8/u16 typesFlorian Westphal2017-03-163-0/+34
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: exthdr: Display NFT_EXTHDR_F_PRESENT in debug outputPhil Sutter2017-03-131-2/+4
| | | | | | | This allows to assert it in testsuite also. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* fib: Add support for NFTA_FIB_F_PRESENT flagPhil Sutter2017-03-132-2/+7
| | | | | | | Reflect existence of flag in debug output so testsuite can check for it. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* udata: add nftnl_udata_put_u32() and nftnl_udata_get_u32()Pablo Neira Ayuso2017-03-063-0/+20
| | | | | | | Add new helper function to put and to fetch tlv that comes with u32 payload. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: hash: support of symmetric hashLaura Garcia Liebana2017-03-064-6/+58
| | | | | | | | | | | | | | | | | | | | | This patch provides symmetric hash support according to source ip address and port, and destination ip address and port. The new attribute NFTA_HASH_TYPE has been included to support different types of hashing functions. Currently supported NFT_HASH_JENKINS through jhash and NFT_HASH_SYM through symhash. The main difference between both types are: - jhash requires an expression with sreg, symhash doesn't. - symhash supports modulus and offset, but not seed. Examples: nft add rule ip nat prerouting ct mark set jhash ip saddr mod 2 nft add rule ip nat prerouting ct mark set symhash mod 2 Signed-off-by: Laura Garcia Liebana <laura.garcia@zevenet.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Use nftnl_buf to export XML/JSON rulesElise Lennion2017-03-033-75/+86
| | | | | | | | | | This completes the use of nftnl_buf and its auxiliary functions to export XML/JSON rules. Highly based on work from Shivani Bhardwaj <shivanib134@gmail.com>. Signed-off-by: Elise Lennion <elise.lennion@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* object: fix crash when object ops is nullFlorian Westphal2017-02-271-1/+2
| | | | | | | | | when debugging nft with invalid object type (during development), this will crash here with null deref. Print (unknown) instead if obj->ops is null. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* object: don't set NFTNL_OBJ_TYPE unless obj->ops is non-nullFlorian Westphal2017-02-271-1/+4
| | | | | | | | | If nft sets an invalid type, nftnl_obj_ops_lookup will return NULL. In this case we must not set NFTNL_OBJ_TYPE flag, else we later get crash in nftnl_obj_nlmsg_build_payload as it dereferences obj->ops. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: remove unused variable uval8Alexander Alemayhu2017-02-231-1/+0
| | | | | | | | | | | | | Was added but not used in d7b451fe1a45 (src: add TCP option matching requirements, 2017-02-07). Fixes the following warning: expr/exthdr.c: In function ‘nftnl_expr_exthdr_json_parse’: expr/exthdr.c:244:10: warning: unused variable ‘uval8’ [-Wunused-variable] uint8_t uval8; ^~~~~ Signed-off-by: Alexander Alemayhu <alexander@alemayhu.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: ct: add zone supportFlorian Westphal2017-02-191-1/+2
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: add NFTA_RULE_ID attributePablo Neira Ayuso2017-02-162-1/+38
| | | | | | This patch adds the new NFTA_RULE_ID attribute. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* common: return nlmsghdr in nftnl_batch_{begin,end}()Pablo Neira Ayuso2017-02-162-8/+8
| | | | | | Useful to append netlink attributes after the batch headers. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* common: get rid of nftnl_batch_build_hdr()Pablo Neira Ayuso2017-02-162-25/+20
| | | | | | | Add __nftnl_nlmsg_build_hdr() so nftnl_batch_build_hdr() and nftnl_nlmsg_build_hdr() share the same code. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: Add missing exthdr flags casesPhil Sutter2017-02-161-0/+4
| | | | | | | | | Looks like some chunks went by the board while merging with exthdr->op patch. Fixes: 4196376330468 ("exthdr: Add support for exthdr flags") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* exthdr: Add support for exthdr flagsPhil Sutter2017-02-152-0/+18
| | | | | | | | Along with the actual support for exthdr expression specific flags, this also declares NFT_EXTHDR_F_PRESENT used for exthdr existence match. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: refresh nf_tables.h copyPablo Neira Ayuso2017-02-151-15/+25
| | | | | | Fetch what we have in the kernel tree. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add TCP option matching requirementsManuel Messner2017-02-123-5/+62
| | | | | | | This patch is a requirement of the TCP option patch. Signed-off-by: Manuel Messner <mm@skelett.io> Signed-off-by: Florian Westphal <fw@strlen.de>
* examples: Remove the use of nftnl_mnl_batch_put()Elise Lennion2017-01-164-92/+60
| | | | | | | | use nftnl_batch_begin() and nftnl_batch_end() instead, to keep examples consistent and avoid code duplication. Signed-off-by: Elise Lennion <elise.lennion@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: Add const qualifiers to *2str translation arraysTobias Klauser2017-01-166-6/+6
| | | | | | | | | | | | | | | | Add const qualifiers to the "to string" translation arrays used by various *2str() functions. This fixes GCC warnings such as the following when compiling with -Wwrite-strings: expr/byteorder.c:176:25: warning: initialization discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers] In order to catch these in the future, also add -Wwrite-strings to default CFLAGS. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: ct: add average bytes per packet counter supportLiping Zhang2017-01-032-1/+7
| | | | | | | Similar to ct packets/bytes ... Signed-off-by: Liping Zhang <zlpnobody@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: get rid of aliases and compatPablo Neira Ayuso2016-12-2024-1251/+283
| | | | | | | | | | | This machinery was introduced to avoid sudden compilation breakage of old nftables releases. With the upcoming release of 0.7 (and 0.6 which is now 6 months old) this is not required anymore. Moreover, users gain nothing from older releases since they are half-boiled and buggy. So let's get rid of aliases now. Bump LIBVERSION and update map file. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: Missing nf_log.h in Makefilelibnftnl-1.0.7Pablo Neira Ayuso2016-12-191-1/+1
| | | | | | Otherwise, make distcheck breaks. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: update LIBVERSION to prepare a new releasePablo Neira Ayuso2016-12-192-2/+2
| | | | | | | New interfaces has been added (bump revision), and no interfaces were removed (bump age). Update version: 1.0.7. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* quota: support for consumed bytesPablo Neira Ayuso2016-12-092-3/+24
| | | | | | This patch extends the quota support to account for consumed bytes. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: objref: add support for stateful object mapsPablo Neira Ayuso2016-12-092-2/+73
| | | | | | | | If the NFT_SET_OBJECT flag is set, then this set stores a mapping between any random user-defined arbitrary key and one stateful object. Very useful for performance lookups. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: add NFTNL_SET_ELEM_OBJREF attributePablo Neira Ayuso2016-12-093-0/+29
| | | | | | | This new attribute allows us to attach stateful objects to elements for map lookups. This new attribute identifies the object through its name. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: add NFTNL_SET_OBJ_TYPE attributePablo Neira Ayuso2016-12-093-0/+29
| | | | | | | | This new attribute specifies the stateful object type this set stores. Similar to data type, but specific to store objects. You must set the NFT_SET_OBJECT flag to use this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add stateful object reference expressionPablo Neira Ayuso2016-12-098-0/+329
| | | | | | | This patch adds a new "objref" expression that you can use to refer to stateful objects from rules. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for stateful objectsPablo Neira Ayuso2016-12-0917-0/+1638
| | | | | | | This patch allows you to add, to delete and to get stateful objects, this support two object types: counter and quota. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: fetch stateful object updates for nf_tables.h cache copyPablo Neira Ayuso2016-12-091-0/+64
| | | | | | This patch includes updates for the stateful objects. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: nftnl_set_elems_nlmsg_build_payload_iter()Pablo Neira Ayuso2016-12-051-0/+4
| | | | | | | Similar to a24e4b21ee33 ("set_elem: don't add NFTA_SET_ELEM_LIST_ELEMENTS attribute if set is empty"). This is required by the set flush support. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: payload: add NFTNL_EXPR_PAYLOAD_FLAGSPablo Neira Ayuso2016-12-043-2/+27
| | | | | | So we can include the new NFT_PAYLOAD_L4CSUM_PSEUDOHDR flag. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-set-elem-add: add missing batch logicPablo Neira Ayuso2016-11-301-5/+21
| | | | | | | This example is broken since batch logic in missing. Update it to add element of 2 bytes so this works with nft-set-add. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-set-add: update it to add a set that stores port numbersPablo Neira Ayuso2016-11-301-2/+3
| | | | | | | | This patch updates the existing example to add a set that stores port numbers. In order to interoperate with the nft tool, we use the datatype numbers defined there. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: add nft-map-addPablo Neira Ayuso2016-11-302-0/+161
| | | | | | | Place an example to add a map in the libnftnl tree. Reported-by: Khawar Shehzad <shehzad.khawar@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: call expr->ops->snprintf only if definedPablo Neira Ayuso2016-11-291-0/+3
| | | | | | | The notrack expression comes with no ->ops->snprintf, so skip this from nftnl_expr_snprintf() if not set. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: refresh nf_tables.h cache copyPablo Neira Ayuso2016-11-241-4/+10
| | | | | | Fetch what we have at 4.9-rc6. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: missing offset handling for snprintf() in hash and numgenPablo Neira Ayuso2016-10-312-2/+2
| | | | | | Fix incorrect output when offset attribute is unset. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add fib expressionFlorian Westphal2016-10-285-0/+318
| | | | | | | | | Allows to query fib for output interface and route type of a packets source or destination address. Scheduled for Linux 4.10. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: introduce rt expressionAnders K. Pedersen2016-10-285-0/+283
| | | | | | | | Introduce support for rt expression for routing related data as implemented in kernel. Signed-off-by: Anders K. Pedersen <akp@cohaesio.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add notrack expressionPablo Neira Ayuso2016-10-202-2/+10
| | | | | | | | Register this simple expression with no attributes. Make sure libnftnl doesn't crash when no build and parse indirections are defined, as it is the case for this expression. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: update Arturo Borrero Gonzalez emailArturo Borrero Gonzalez2016-10-179-9/+9
| | | | | | | Update Arturo Borrero Gonzalez email address. Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: don't add NFTA_SET_ELEM_LIST_ELEMENTS attribute if set is emptyPablo Neira Ayuso2016-10-171-0/+3
| | | | | | | If the set is empty, don't send an empty NFTA_SET_ELEM_LIST_ELEMENTS netlink attributes with no elements. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>