| Commit message (Collapse) | Author | Age | Files | Lines |
| |
The policy field was printed unconditionally, but if it wasn't set, the
default value 0 was printed as 'policy drop', which is not correct.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
==11688== HEAP SUMMARY:
==11688== in use at exit: 40 bytes in 1 blocks
==11688== total heap usage: 7 allocs, 6 frees, 220 bytes allocated
==11688==
==11688== 40 bytes in 1 blocks are definitely lost in loss record 1 of 1
==11688== at 0x4C2AB80: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11688== by 0x5068955: mnl_nlmsg_batch_start (nlmsg.c:441)
==11688== by 0x40133B: main (nft-chain-add.c:103)
==11688==
==11688== LEAK SUMMARY:
==11688== definitely lost: 40 bytes in 1 blocks
==11688== indirectly lost: 0 bytes in 0 blocks
==11688== possibly lost: 0 bytes in 0 blocks
==11688== still reachable: 0 bytes in 0 blocks
==11688== suppressed: 0 bytes in 0 blocks
==11831== HEAP SUMMARY:
==11831== in use at exit: 40 bytes in 1 blocks
==11831== total heap usage: 7 allocs, 6 frees, 220 bytes allocated
==11831==
==11831== 40 bytes in 1 blocks are definitely lost in loss record 1 of 1
==11831== at 0x4C2AB80: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11831== by 0x5068955: mnl_nlmsg_batch_start (nlmsg.c:441)
==11831== by 0x401154: main (nft-chain-del.c:79)
==11831==
==11831== LEAK SUMMARY:
==11831== definitely lost: 40 bytes in 1 blocks
==11831== indirectly lost: 0 bytes in 0 blocks
==11831== possibly lost: 0 bytes in 0 blocks
==11831== still reachable: 0 bytes in 0 blocks
==11831== suppressed: 0 bytes in 0 blocks
Signed-off-by: Shyam Saini <mayhs11saini@gmail.com>
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch adds support for a new type of stateful object: limit.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This was causing a memory leak when using set.
Caught by an ASAN run:
==21004==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 12 byte(s) in 2 object(s) allocated from:
#0 0x4cde58 in malloc (/usr/local/sbin/nft+0x4cde58)
#1 0x7ffff79b8c19 in nftnl_set_set_data /home/eric/git/netfilter/libnftnl/src/set.c:179
| |
Pablo suggested this for consistency; ct status isn't named statusmask either.
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Add support for ct helper objects. These are used to assign helpers to
connections, similar to the iptables -j CT --set-helper target.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This allows asserting it in the testsuite as well.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Reflect existence of flag in debug output so testsuite can check for it.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Add new helper function to put and to fetch tlv that comes with u32
payload.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch provides symmetric hash support according to source
ip address and port, and destination ip address and port.
The new attribute NFTA_HASH_TYPE has been included to support
different types of hashing functions. Currently supported
NFT_HASH_JENKINS through jhash and NFT_HASH_SYM through symhash.
The main differences between the two types are:
- jhash requires an expression with sreg, symhash doesn't.
- symhash supports modulus and offset, but not seed.
Examples:
nft add rule ip nat prerouting ct mark set jhash ip saddr mod 2
nft add rule ip nat prerouting ct mark set symhash mod 2
Signed-off-by: Laura Garcia Liebana <laura.garcia@zevenet.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
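As an added illustration of the property the symhash commit above describes, the following C is example code written for this page, not libnftnl or kernel code. It shows a direction-sensitive, seeded hash standing in for jhash, a symmetric hash standing in for symhash (same value for A->B and B->A, no seed), and the "mod N offset O" bucket step. The mixing function mix32 is a hypothetical toy, not the kernel's jhash or its symmetric flow hash, and the struct flow4 tuple layout is this example's own assumption.

```c
/* Added example (not libnftnl/kernel code): direction-sensitive vs.
 * symmetric flow hashing, plus the mod/offset bucket computation. */
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 4-tuple layout for this example; addresses in host order. */
struct flow4 {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
};

/* Toy 32-bit mixer, a stand-in for jhash (NOT the kernel's algorithm). */
static uint32_t mix32(uint32_t h, uint32_t v)
{
    h ^= v;
    h *= 0x9e3779b1u;
    h ^= h >> 15;
    return h;
}

/* Direction-sensitive hash with a seed, the shape nft's jhash has:
 * swapping source and destination yields a different value in general. */
uint32_t flow_hash_jenkins_like(const struct flow4 *f, uint32_t seed)
{
    uint32_t h = seed;
    h = mix32(h, f->saddr);
    h = mix32(h, f->daddr);
    h = mix32(h, ((uint32_t)f->sport << 16) | f->dport);
    return h;
}

/* Symmetric hash, the shape symhash has: no seed, and the (addr, port)
 * pairs are put in canonical order first so both directions of a
 * connection land in the same bucket. */
uint32_t flow_hash_symmetric(const struct flow4 *f)
{
    uint32_t lo_addr = f->saddr, hi_addr = f->daddr;
    uint16_t lo_port = f->sport, hi_port = f->dport;

    if (f->saddr > f->daddr ||
        (f->saddr == f->daddr && f->sport > f->dport)) {
        lo_addr = f->daddr; hi_addr = f->saddr;
        lo_port = f->dport; hi_port = f->sport;
    }

    uint32_t h = 0;
    h = mix32(h, lo_addr);
    h = mix32(h, hi_addr);
    h = mix32(h, ((uint32_t)lo_port << 16) | hi_port);
    return h;
}

/* "mod N offset O": reduce the hash into the range [O, O + N). */
uint32_t hash_bucket(uint32_t h, uint32_t modulus, uint32_t offset)
{
    return (h % modulus) + offset;
}

int main(void)
{
    /* Constructed sample: one connection seen in both directions. */
    struct flow4 fwd = { 0x0a000001u, 0x0a000002u, 40000, 443 };
    struct flow4 rev = { 0x0a000002u, 0x0a000001u, 443, 40000 };

    printf("jhash-like  fwd=%u rev=%u\n",
           hash_bucket(flow_hash_jenkins_like(&fwd, 0), 2, 0),
           hash_bucket(flow_hash_jenkins_like(&rev, 0), 2, 0));
    printf("symhash-like fwd=%u rev=%u\n",
           hash_bucket(flow_hash_symmetric(&fwd), 2, 0),
           hash_bucket(flow_hash_symmetric(&rev), 2, 0));
    return 0;
}
```

The symmetric variant is what makes "ct mark set symhash mod 2" usable for stateless load distribution where replies must hit the same bucket as requests; the seeded variant is the one to use when the bucket assignment itself should not be predictable by a remote party.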
| |
This completes the use of nftnl_buf and its auxiliary functions to
export XML/JSON rules.
Highly based on work from Shivani Bhardwaj <shivanib134@gmail.com>.
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
When debugging nft with an invalid object type (during development),
this will crash here with a null deref. Print (unknown) instead
if obj->ops is null.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
If nft sets an invalid type, nftnl_obj_ops_lookup will return NULL.
In this case we must not set NFTNL_OBJ_TYPE flag, else we later get
crash in nftnl_obj_nlmsg_build_payload as it dereferences obj->ops.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Was added but not used in d7b451fe1a45 (src: add TCP option matching
requirements, 2017-02-07). Fixes the following warning:
expr/exthdr.c: In function ‘nftnl_expr_exthdr_json_parse’:
expr/exthdr.c:244:10: warning: unused variable ‘uval8’ [-Wunused-variable]
uint8_t uval8;
^~~~~
Signed-off-by: Alexander Alemayhu <alexander@alemayhu.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch adds the new NFTA_RULE_ID attribute.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Useful to append netlink attributes after the batch headers.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Add __nftnl_nlmsg_build_hdr() so nftnl_batch_build_hdr() and
nftnl_nlmsg_build_hdr() share the same code.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Looks like some chunks went by the board while merging with the exthdr->op
patch.
Fixes: 4196376330468 ("exthdr: Add support for exthdr flags")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
Along with the actual support for exthdr expression specific flags, this
also declares NFT_EXTHDR_F_PRESENT used for exthdr existence match.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Fetch what we have in the kernel tree.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch is a requirement of the TCP option patch.
Signed-off-by: Manuel Messner <mm@skelett.io>
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
Use nftnl_batch_begin() and nftnl_batch_end() instead, to keep the examples
consistent and avoid code duplication.
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Add const qualifiers to the "to string" translation arrays used by
various *2str() functions.
This fixes GCC warnings such as the following when compiling with
-Wwrite-strings:
expr/byteorder.c:176:25: warning: initialization discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
In order to catch these in the future, also add -Wwrite-strings to
default CFLAGS.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Similar to ct packets/bytes ...
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This machinery was introduced to avoid sudden compilation breakage of
old nftables releases. With the upcoming release of 0.7 (and 0.6 which
is now 6 months old) this is not required anymore. Moreover, users gain
nothing from older releases since they are half-boiled and buggy.
So let's get rid of aliases now. Bump LIBVERSION and update map file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Otherwise, make distcheck breaks.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
New interfaces have been added (bump revision), and no interfaces were
removed (bump age). Update version: 1.0.7.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch extends the quota support to account for consumed bytes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
If the NFT_SET_OBJECT flag is set, then this set stores a mapping
between any random user-defined arbitrary key and one stateful object.
Very useful for performance lookups.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This new attribute allows us to attach stateful objects to elements for
map lookups. This new attribute identifies the object through its name.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This new attribute specifies the stateful object type this set stores.
Similar to data type, but specific to store objects. You must set the
NFT_SET_OBJECT flag to use this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch adds a new "objref" expression that you can use to refer to
stateful objects from rules.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch allows you to add, to delete and to get stateful objects;
this supports two object types: counter and quota.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch includes updates for the stateful objects.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Similar to a24e4b21ee33 ("set_elem: don't add NFTA_SET_ELEM_LIST_ELEMENTS
attribute if set is empty"). This is required by the set flush support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
So we can include the new NFT_PAYLOAD_L4CSUM_PSEUDOHDR flag.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This example is broken since the batch logic is missing. Update it to add
an element of 2 bytes so this works with nft-set-add.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch updates the existing example to add a set that stores port
numbers. In order to interoperate with the nft tool, we use the datatype
numbers defined there.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Place an example to add a map in the libnftnl tree.
Reported-by: Khawar Shehzad <shehzad.khawar@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
The notrack expression comes with no ->ops->snprintf, so skip this from
nftnl_expr_snprintf() if not set.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Fetch what we have at 4.9-rc6.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Fix incorrect output when offset attribute is unset.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Allows querying the fib for the output interface and route type of a packet's
source or destination address.
Scheduled for Linux 4.10.
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
Introduce support for rt expression for routing related data as implemented
in kernel.
Signed-off-by: Anders K. Pedersen <akp@cohaesio.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Register this simple expression with no attributes. Make sure libnftnl
doesn't crash when no build and parse indirections are defined, as it
is the case for this expression.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>