summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* fib: Add support for NFTA_FIB_F_PRESENT flagPhil Sutter2017-03-131-2/+6
| | | | | | | Reflect existence of flag in debug output so testsuite can check for it. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* udata: add nftnl_udata_put_u32() and nftnl_udata_get_u32()Pablo Neira Ayuso2017-03-062-0/+17
| | | | | | | Add new helper function to put and to fetch tlv that comes with u32 payload. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: hash: support of symmetric hashLaura Garcia Liebana2017-03-061-6/+40
| | | | | | | | | | | | | | | | | | | | | This patch provides symmetric hash support according to source ip address and port, and destination ip address and port. The new attribute NFTA_HASH_TYPE has been included to support different types of hashing functions. Currently supported NFT_HASH_JENKINS through jhash and NFT_HASH_SYM through symhash. The main difference between both types are: - jhash requires an expression with sreg, symhash doesn't. - symhash supports modulus and offset, but not seed. Examples: nft add rule ip nat prerouting ct mark set jhash ip saddr mod 2 nft add rule ip nat prerouting ct mark set symhash mod 2 Signed-off-by: Laura Garcia Liebana <laura.garcia@zevenet.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Use nftnl_buf to export XML/JSON rulesElise Lennion2017-03-032-75/+75
| | | | | | | | | | This completes the use of nftnl_buf and its auxiliary functions to export XML/JSON rules. Highly based on work from Shivani Bhardwaj <shivanib134@gmail.com>. Signed-off-by: Elise Lennion <elise.lennion@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* object: fix crash when object ops is nullFlorian Westphal2017-02-271-1/+2
| | | | | | | | | when debugging nft with invalid object type (during development), this will crash here with null deref. Print (unknown) instead if obj->ops is null. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* object: don't set NFTNL_OBJ_TYPE unless obj->ops is non-nullFlorian Westphal2017-02-271-1/+4
| | | | | | | | | If nft sets an invalid type, nftnl_obj_ops_lookup will return NULL. In this case we must not set NFTNL_OBJ_TYPE flag, else we later get crash in nftnl_obj_nlmsg_build_payload as it dereferences obj->ops. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: remove unused variable uval8Alexander Alemayhu2017-02-231-1/+0
| | | | | | | | | | | | | Was added but not used in d7b451fe1a45 (src: add TCP option matching requirements, 2017-02-07). Fixes the following warning: expr/exthdr.c: In function ‘nftnl_expr_exthdr_json_parse’: expr/exthdr.c:244:10: warning: unused variable ‘uval8’ [-Wunused-variable] uint8_t uval8; ^~~~~ Signed-off-by: Alexander Alemayhu <alexander@alemayhu.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: ct: add zone supportFlorian Westphal2017-02-191-1/+2
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: add NFTA_RULE_ID attributePablo Neira Ayuso2017-02-161-1/+37
| | | | | | This patch adds the new NFTA_RULE_ID attribute. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* common: return nlmsghdr in nftnl_batch_{begin,end}()Pablo Neira Ayuso2017-02-161-6/+6
| | | | | | Useful to append netlink attributes after the batch headers. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* common: get rid of nftnl_batch_build_hdr()Pablo Neira Ayuso2017-02-161-23/+18
| | | | | | | Add __nftnl_nlmsg_build_hdr() so nftnl_batch_build_hdr() and nftnl_nlmsg_build_hdr() share the same code. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: Add missing exthdr flags casesPhil Sutter2017-02-161-0/+4
| | | | | | | | | Looks like some chunks went by the board while merging with exthdr->op patch. Fixes: 4196376330468 ("exthdr: Add support for exthdr flags") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* exthdr: Add support for exthdr flagsPhil Sutter2017-02-151-0/+17
| | | | | | | | Along with the actual support for exthdr expression specific flags, this also declares NFT_EXTHDR_F_PRESENT used for exthdr existence match. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add TCP option matching requirementsManuel Messner2017-02-121-4/+45
| | | | | | | This patch is a requirement of the TCP option patch. Signed-off-by: Manuel Messner <mm@skelett.io> Signed-off-by: Florian Westphal <fw@strlen.de>
* expr: Add const qualifiers to *2str translation arraysTobias Klauser2017-01-165-5/+5
| | | | | | | | | | | | | | | | Add const qualifiers to the "to string" translation arrays used by various *2str() functions. This fixes GCC warnings such as the following when compiling with -Wwrite-strings: expr/byteorder.c:176:25: warning: initialization discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers] In order to catch these in the future, also add -Wwrite-strings to default CFLAGS. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: ct: add average bytes per packet counter supportLiping Zhang2017-01-031-1/+2
| | | | | | | Similar to ct packets/bytes ... Signed-off-by: Liping Zhang <zlpnobody@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: get rid of aliases and compatPablo Neira Ayuso2016-12-2012-544/+281
| | | | | | | | | | | This machinery was introduced to avoid sudden compilation breakage of old nftables releases. With the upcoming release of 0.7 (and 0.6 which is now 6 months old) this is not required anymore. Moreover, users gain nothing from older releases since they are half-boiled and buggy. So let's get rid of aliases now. Bump LIBVERSION and update map file. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* quota: support for consumed bytesPablo Neira Ayuso2016-12-091-3/+23
| | | | | | This patch extends the quota support to account for consumed bytes. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: objref: add support for stateful object mapsPablo Neira Ayuso2016-12-091-2/+70
| | | | | | | | If the NFT_SET_OBJECT flag is set, then this set stores a mapping between any random user-defined arbitrary key and one stateful object. Very useful for performance lookups. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: add NFTNL_SET_ELEM_OBJREF attributePablo Neira Ayuso2016-12-091-0/+27
| | | | | | | This new attribute allows us to attach stateful objects to elements for map lookups. This new attribute identifies the object through its name. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: add NFTNL_SET_OBJ_TYPE attributePablo Neira Ayuso2016-12-091-0/+27
| | | | | | | | This new attribute specifies the stateful object type this set stores. Similar to data type, but specific to store objects. You must set the NFT_SET_OBJECT flag to use this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add stateful object reference expressionPablo Neira Ayuso2016-12-094-0/+223
| | | | | | | This patch adds a new "objref" expression that you can use to refer to stateful objects from rules. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for stateful objectsPablo Neira Ayuso2016-12-095-0/+996
| | | | | | | This patch allows you to add, to delete and to get stateful objects, this support two object types: counter and quota. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: nftnl_set_elems_nlmsg_build_payload_iter()Pablo Neira Ayuso2016-12-051-0/+4
| | | | | | | Similar to a24e4b21ee33 ("set_elem: don't add NFTA_SET_ELEM_LIST_ELEMENTS attribute if set is empty"). This is required by the set flush support. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: payload: add NFTNL_EXPR_PAYLOAD_FLAGSPablo Neira Ayuso2016-12-041-2/+20
| | | | | | So we can include the new NFT_PAYLOAD_L4CSUM_PSEUDOHDR flag. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: call expr->ops->snprintf only if definedPablo Neira Ayuso2016-11-291-0/+3
| | | | | | | The notrack expression comes with no ->ops->snprintf, so skip this from nftnl_expr_snprintf() if not set. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: missing offset handling for snprintf() in hash and numgenPablo Neira Ayuso2016-10-312-2/+2
| | | | | | Fix incorrect output when offset attribute is unset. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add fib expressionFlorian Westphal2016-10-283-0/+276
| | | | | | | | | Allows to query fib for output interface and route type of a packets source or destination address. Scheduled for Linux 4.10. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: introduce rt expressionAnders K. Pedersen2016-10-283-0/+246
| | | | | | | | Introduce support for rt expression for routing related data as implemented in kernel. Signed-off-by: Anders K. Pedersen <akp@cohaesio.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add notrack expressionPablo Neira Ayuso2016-10-202-2/+10
| | | | | | | | Register this simple expression with no attributes. Make sure libnftnl doesn't crash when no build and parse indirections are defined, as it is the case for this expression. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: update Arturo Borrero Gonzalez emailArturo Borrero Gonzalez2016-10-174-4/+4
| | | | | | | Update Arturo Borrero Gonzalez email address. Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: don't add NFTA_SET_ELEM_LIST_ELEMENTS attribute if set is emptyPablo Neira Ayuso2016-10-171-0/+3
| | | | | | | If the set is empty, don't send an empty NFTA_SET_ELEM_LIST_ELEMENTS netlink attributes with no elements. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add range expressionPablo Neira Ayuso2016-10-133-0/+291
| | | | | | | | Add range expression available that is scheduled for linux kernel 4.9. This range expression allows us to check if a given value placed in a register is within/outside a specified interval. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: log: complete log flags supportLiping Zhang2016-10-041-5/+30
| | | | | | | | | If NFTNL_EXPR_LOG_FLAGS is not set, it's unnecessary to print out the flags value. Furthermore, it's better to print out string message instead of the hex value. Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: log: do not print prefix if it is not setLiping Zhang2016-10-041-2/+4
| | | | | | | | This will avoid the following ugly display output: [ log prefix (null) ] Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: log: fix typo in nftnl_expr_log_exportLiping Zhang2016-10-041-1/+1
| | | | | | | | After test NFTNL_EXPR_LOG_FLAGS is set, we should put "log->flags" instead of "log->level". Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: display offset only if present in hash and numgen expressionsPablo Neira Ayuso2016-09-232-9/+18
| | | | | | So nft payload python tests don't break. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove libmxml supportArturo Borrero2016-09-2335-2034/+29
| | | | | | | | | | | | | | | | | | | This patch removes the libmxml integration in libnftnl, since we have JSON in place and there is no need to support two at the same time. The JSON support is much better, for example libjansson has a better parsing error reporting. Moreover, libmxml 2.10 breaks the integration with libnftnl somehow, as reported in Debian bug #83870 [0]. Also, the XML support inside libnftnl has never been in good shape, with several tiny inconsitencies. [0] https://bugs.debian.org/838370 Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: queue: add NFTA_QUEUE_SREG_QNUM attr supportLiping Zhang2016-09-221-7/+50
| | | | | | | | | | After adding _SREG_QNUM attr, queuenum is not must option anymore, so we must test NFTNL_EXPR_QUEUE_NUM first before dumpping queue num in snprintf_default. Also add a tailing space in snprintf_default, this is consistent with other expressions. Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: numgen: add number generation offsetLaura Garcia Liebana2016-09-221-6/+33
| | | | | | | | | | | | | | | | Add support to pass through an offset value to the counter initialization. With this feature, the sysadmin is able to apply a value to be added to the generated number. Example: meta mark set numgen inc mod 2 offset 100 This will generate marks with series 100, 101, 100, 101, ... Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: hash: Add offset to hash valueLaura Garcia Liebana2016-09-121-6/+33
| | | | | | | | | | | | | | | | Add support to pass through an offset to the hash value. With this feature, the sysadmin is able to generate a hash with a given started value. Example: meta mark set jhash ip saddr mod 2 seed 0xabcd offset 100 This option generates marks according to the source address from 100 to 101. Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: queue: remove redundant NFTNL_EXPR_QUEUE_NUM set in json parseLiping Zhang2016-09-121-1/+0
| | | | | | | | We have already set NFTNL_EXPR_QUEUE_NUM when parse "num" successfully, here is wrong and redundant, remove it. Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: numgen: Rename until attribute by modulusLaura Garcia Liebana2016-09-071-28/+28
| | | | | | | | | | | The _modulus_ attribute will be reused as _until_, as it's similar to other expressions with value limits (ex. hash). Renaming is possible according to the kernel module ntf_numgen that has not been released yet. Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* trace: use get_u32 to parse NFPROTO and POLICY attributeLiping Zhang2016-09-021-2/+2
| | | | | | | | NFTA_TRACE_NFPROTO and NFTA_TRACE_POLICY attribute is 32-bit value, so we should use mnl_attr_get_u32 and htonl here. Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* include: resync nf_tables.h cache copyPablo Neira Ayuso2016-09-022-2/+4
| | | | | | | | | | Sync this with the kernel header file we currently have in tree. This patch addresses the compilation warning and breakage as result of this header update, specifically the "attibute" typo in trace and missing default case in expr/numgen.c. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: fix incorrect maximum set description attributePablo Neira Ayuso2016-08-301-1/+1
| | | | | | | Maximum set description attribute is NFTA_SET_DESC_MAX, instead of NFTA_SET_MAX. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: numgen: add missing nftnl_expr_ng_cmp()Pablo Neira Ayuso2016-08-301-0/+18
| | | | | | | | This patch adds the missing comparator interface, most likely due to race between the patchset that has added this and the introduction of numgen. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: hash: missing trailing space and modulus in hexadecimal in snprintfPablo Neira Ayuso2016-08-301-1/+1
| | | | | | | | | | | | Before patch: [ hash reg 1 = jhash(reg 2, 8, 3735928559) % modulus 2] After patch: [ hash reg 1 = jhash(reg 2, 8, 0xdeadbeef) % mod 2 ] Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: numgen: add missing trailing whitespacePablo Neira Ayuso2016-08-301-2/+2
| | | | | | | | | | | | Before patch: [ numgen reg 1 = inc(2)] After patch: [ numgen reg 1 = inc(2) ] Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: numgen: use switch to handle numgen types from snprintfPablo Neira Ayuso2016-08-301-4/+5
| | | | | | Use switch instead of if branch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>