| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
Add support for NFTA_TABLE_OWNER.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch adds support for the dynset flags.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
NFTNL_EXPR_DYNSET_EXPR defines the stateful expression type that
an element stores when added from the packet path.
This patch adds support for the set expression list, which generalizes
NFTNL_EXPR_DYNSET_EXPR.
This patch also adds nftnl_expr_add_expr() to add new expressions to
elements and nftnl_set_expr_expr_foreach() to iterate over the list of
expressions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
NFTNL_SET_EXPR defines the stateful expression type that this set stores
in each element. This provides the set definition in terms of stateful
expressions. The expression that is passed via NFNTL_SET_ELEM_EXPR must
equal to this set stateful expression type, otherwise the kernel bails
out.
This patch adds support for the set expression list, which generalizes
NFTNL_SET_EXPR.
This patch also adds nftnl_set_add_expr() to add new expressions to a set
and nftnl_set_elem_expr_foreach() to iterate over the list of expressions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
NFTNL_SET_ELEM_EXPR defines the stateful expression type that this
element stores. This is useful to restore runtime set element stateful
expressions (when saving, then reboot and restore).
This patch adds support for the set element expression list, which
generalizes NFTNL_SET_ELEM_EXPR.
This patch also adds nftnl_set_elem_add_expr() to add new expressions to
set elements and nftnl_set_elem_expr_foreach() to iterate over the list
of expressions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Introduce a flag to allow toggling the '0x' prefix when printing data
values, then use the existing routines to print data registers from
set_elem code.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
| |
Add a function to remove expression from the rule list.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This function allows you to build the netlink attributes for
expressions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Add missing NFT_SOCKET_WILDCARD definition.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Adds NFTNL_CHAIN_USERDATA, in order to support userdata for chains.
Adds NFTNL_UDATA_CHAIN_COMMENT chain userdata type to support storing a
comment.
Relies on NFTA_CHAIN_USERDATA.
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds NFTNL_OBJ_USERDATA to support userdata for objects.
Also adds NFTNL_UDATA_OBJ_COMMENT to support comments for objects,
stored in userdata space.
Bumps libnftnl.map to 15 as nftnl_obj_get_data needs to be exported to
enable getting object attributes/data.
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch adds NFT_TABLE_USERDATA and NFTNL_UDATA_TABLE_COMMENT to
support for table comments.
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Was not exported so far due to a typo. While at it, add const qualifier
to element structure.
Will be used to optionally dump set contents / elements from nft
frontend.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
This field is used to store an optional comment of a set.
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
his patch allows you to refer to chains via the chain ID. The semantics
are similar to the NFTA_RULE_ID attribute.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Use this field to specify that set element data specifies an interval.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Get header in sync with 5.7.0-rc.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This reverts commit 75b8778e5bf630a3fc13e5d76bc64838135f02a9. Kernel
support for this new feature might be reworked, keep this back.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch adds support for the NFTA_SET_EXPR netlink attribute.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This patch adds support for chain flags.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
The kernel supports passing mask and xor values for bitwise boolean
operations via registers. These are mutually exclusive with the
existing data attributes: e.g., setting both NFTA_EXPR_BITWISE_MASK and
NFTA_EXPR_BITWISE_MREG is an error. Add support to libnftnl.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Pick up a couple of new bitwise netlink attributes.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
The original intention in eb58f53372e7 ("src: add flowtable support")
was to introduce this helper function. Add helper to set and to get
array of strings.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
| |
The new set element attribute maps to the netlink attribute
NFTA_SET_ELEM_KEY_END in the same way as NFTNL_SET_ELEM_KEY
maps to NFTA_SET_ELEM_KEY, and represents the key data used
to express the upper bound of a range, in concatenations.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If NFTNL_SET_DESC_CONCAT data is passed, pass that to the kernel
as NFTA_SET_DESC_CONCAT attributes: it describes the length of
single concatenated fields, in bytes.
Similarly, parse NFTA_SET_DESC_CONCAT attributes if received
from the kernel.
This is the libnftnl counterpart for nftables patch:
src: Add support for NFTNL_SET_DESC_CONCAT
v4:
- move NFTNL_SET_DESC_CONCAT to the end of enum nftnl_set_attr
to avoid ABI breakage (Pablo Neira Ayuso)
v3:
- use NFTNL_SET_DESC_CONCAT and NFTA_SET_DESC_CONCAT instead of a
stand-alone NFTA_SET_SUBKEY attribute (Pablo Neira Ayuso)
- pass field length in bytes instead of bits, fields would get
unnecessarily big otherwise
v2:
- fixed grammar in commit message
- removed copy of array bytes in nftnl_set_nlmsg_build_subkey_payload(),
we're simply passing values to htonl() (Phil Sutter)
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Get this header in sync with nf-next as of merge commit
b3a608222336 (5.6-rc1-ish).
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
The kernel UAPI header includes a couple of new bitwise netlink
attributes and an enum.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Almost everything in this header is unused. The command defines
used in utils.c don't seem to be justified and have just been
replaced by their strings
Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Cc: Martin Willi <martin@strongswan.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
This patch adds nftnl_udata_nest_start() and nftnl_udata_nest_end()
to build attribute nests.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
s/__cplusplusg/__cplusplus/
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1389
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Since __visible is now used directly, provide a fallback empty
definition if HAVE_VISIBILITY_HIDDEN is not defined.
Fixes: 7349a70634fa0 ("Deprecate untyped data setters")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Never defined in upstream Linux kernel uAPI, remove it.
Reported-by: Eric Garver <eric@garver.life>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Eric Garver <eric@garver.life>
|
| |
|
|
|
|
|
| |
Add code to implement NFTA_FLOWTABLE_HANDLE
Signed-off-by: Eric Jallot <ejallot@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
These functions make assumptions on size of passed data pointer and
therefore tend to hide programming mistakes. Instead either one of the
type-specific setters or the generic *_set_data() setter should be used.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Add support for NFTA_HOOK_DEVS.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Copying from nftnl_table_set_data(), validate input to
nftnl_set_elem_set() as well. Given that for some attributes the
function assumes passed data size, this seems necessary.
Since data size expected for NFTNL_SET_ELEM_VERDICT attribute is
sizeof(uint32_t), change type of 'verdict' field in union nftnl_data_reg
accordingly.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Array 'tb' has only 'attr_max' elements, the loop overstepped its
boundary by one. Copy array_size() macro from include/utils.h in
nftables.git to make sure code does the right thing.
Fixes: 0adceeab1597a ("src: add ct timeout support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Rename and optimize internal function nftnl_set_lookup() for external
use. Just like with nftnl_chain_list, use a hash table for fast set name
lookups.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch adds synproxy stateful object support.
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Ander Juaristi <a@juaristi.eus>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Ander Juaristi <a@juaristi.eus>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Get this header in sync with 5.3-rc1.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This only affects debug output, the key was properly handled in
productive code paths already.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Add capability to have rules matching IPv4 options. This is developed
mainly to support dropping of IP packets with loose and/or strict source
route route options.
Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
The 'id' key returns the id of the connection entry
Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Add support for ct expectation objects, used to define specific
expectations.
Signed-off-by: Stéphane Veyret <sveyret@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Moreover, add missing include/rule.h file to Makefile.am.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
