| Commit message (Collapse) | Author | Age | Files | Lines |
|\ |
|
| |
| |
| |
| |
| |
| |
| | |
*res has undefined contents, set to NULL before invoking the parse function
to make sure the test for != NULL doesn't falsely return true.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Revert commit a320531e7:
We have generic type checks that handle this case just fine and indeed
the bugzilla entry mentioned in the reverted patch states:
BUG: invalid input descriptor type 538976288
nft: src/erec.c:100: erec_print: Assertion `0' failed.
Abandon
So the problem is not related to datatypes at all and generic type
checking works perfectly fine:
<cmdline>:1:52-57: Error: datatype mismatch, expected Ethernet protocol, expression has type Internet protocol
add rule ip6 filter input position 4 meta protocol icmpv6 accept
~~~~~~~~~~~~~ ^^^^^^
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
| |
| |
| |
| |
| | |
For errors starting at column 0, we must not subtract 1 to avoid underflow.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
| |
| |
| |
| |
| |
| | |
Remove the "in batch" part, it makes most messages exceed a single line, the
user doesn't care about this and we process even single rules in "batches".
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
| |
| |
| |
| |
| |
| |
| | |
src/netlink_delinearize.c: In function ‘meta_match_postprocess’:
src/netlink_delinearize.c:660:3: warning: passing argument 1 of ‘expr->left->ops->pctx_update’ from incompatible pointer type [enabled by default]
src/netlink_delinearize.c:660:3: note: expected ‘struct proto_ctx *’ but argument is of type ‘struct rule_pp_ctx *’
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|\| |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Introduction of batch support broke displaying of EPERM since those are
generated by the kernel before batch processing starts and thus have the
sequence number of the NFNL_MSG_BATCH_BEGIN message instead of the
command messages. Also only a single error message is generated for the
entire batch.
This patch fixes this by noting the batch sequence number and displaying
the error for all commands since this is what would happen if the
permission check was inside batch processing as every other check.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add support for the meta l4proto type. This is used in the inet table to
match on the transport layer protocol without requiring the network layer
protocol to be known, allowing to use transport header matches that apply
to both IPv4 and IPv6.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
| |
| |
| |
| |
| |
| |
| | |
Add support for the meta nfproto type, which refers to the AF from the
netfilter hook ops. This is needed to get the actual family of a packet
in the dummy NFPROTO_INET family.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The following two patches will add two new meta expression types that are
used as dependencies in the inet table. To reuse the existing dependency
generation code, add a slightly hackish way to specify meta expressions
as payload dependencies.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
| |
| |
| | |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add support for the mixed IPv4/IPv6 "inet" family. This mainly consist
of adding the "inet" <-> NFPROTO_INET mapping in the parser and netlink
support functions.
Additionally add the definitions for the inet filter table.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
| |
| |
| | |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Include the protocols defined through relational ct expressions in the
protocol context and use the protocol context to dynamically determine
the types of network and transport layer ct expression types.
Before:
$ nft filter output ct proto-dst ssh
<cmdline>:1:28-30: Error: Can't parse symbolic invalid expressions
filter output ct proto-dst ssh
^^^
$ nft filter output ip protocol tcp ct proto-dst ssh
<cmdline>:1:44-46: Error: Can't parse symbolic invalid expressions
filter output ip protocol tcp ct proto-dst ssh
^^^
$ nft filter output ct protocol tcp ct proto-dst ssh
<cmdline>:1:44-46: Error: Can't parse symbolic invalid expressions
filter output ct protocol tcp ct proto-dst ssh
^^^
After:
$ nft filter output ct proto-dst ssh
<cmdline>:1:28-30: Error: Can't parse symbolic invalid expressions
filter output ct proto-dst ssh
^^^
$ nft filter output ip protocol tcp ct proto-dst ssh
$ nft filter output ct protocol tcp ct proto-dst ssh
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add a new debugging level to debug updates to the protocol context.
Sample output:
<cmdline>:1:15-23: Evaluate
filter output tcp dport ssh
^^^^^^^^^
tcp
update transport layer protocol context:
link layer : none
network layer : ip
transport layer : tcp <-
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
| |
| |
| |
| |
| | |
Add a helper function which is to be used to update the protocol update.
Signed-off-by: Patrick McHardy <ksber@trash.net<
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add a callback function to the expression ops to update the protocol
context for relational protocol expressions (EXPR_F_PROTOCOL).
Also set the EXPR_F_PROTOCOL flag for IIFTYPE meta expressions to make
sure the callback is invoked when necessary.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Currently the context of higher layer protocols is specific to payload
expressions with some special cases for meta IIFTYPE expressions. This
approach has a few shortcomings, concretely there are more expression
types which define upper layer protocols like the ct expression and two
upcoming new types for the meta expression.
Replace the payload context by a generic protocol context to deal with
this. This patch just splits off the requires parts from the payload
expression without any functional changes, the following patches will
add further functionality for other expressions.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
| |
| |
| |
| |
| |
| | |
Introduce a generic flag to indicate that an expression describes the
upper layer protocol as replacement for the payload specific flag.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch adds support for the queue target. It is now possible
to specify rule sending packet to a given queue and using load
balancing:
nft add rule filter output queue num 3 total 2 options fanout
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Arturo Borrero added kernel support to set meta keys in
http://patchwork.ozlabs.org/patch/305281/ and the corresponding
library support in http://patchwork.ozlabs.org/patch/305283/.
This patch enhances nft to use this new kernel feature. The
following example shows how to set the packet mark.
% nft add rule ip filter input meta mark set 22
% nft list table filter
table ip filter {
chain input {
type filter hook input priority 0;
meta mark set 0x00000016
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes dictionary feature, that allows you to conditionally
set packet fields based on a given selector, eg.
add rule ip filter input meta dnat set tcp dport map { 22 => 1.1.1.1, 23 => 2.2.2.2 }
This means that traffic flowing to tcp port 22 is dnatted to address
1.1.1.1 and tcp port 23 is dnatted to address 2.2.2.2.
This feature was partially broken by aae836a ("src: use libnftables")
although it also needs the kernel fix ("netfilter: nf_tables: fix wrong
datatype in nft_validate_data_load()").
This patch also fixes endianness issues when displaying the mark
via `list table' related to list_setelem_cb() since the byteorder
was left unset for the data part of a set element.
meta mark set tcp dport map { telnet => 0x02000000, ssh => 0x01000000}
^ ^
Note the wrong endianness in the example above.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Useful for debugging purposes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
If the NLM_F_ACK flag is unset, the kernel still explicitly reports
errors. Thus, we can save the handling of many explicit (useless) ack
messages that indicate success.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
nft is currently retrieving the list of rule from the kernel, then
deleting each rule one by one. This is slow and not safe. Fix it
by sending a deletion command in a batch without specifying the
chain.
This change requires the kernel fix entitled:
netfilter: nf_tables: fix missing rules flushing per table
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Minor fix, given that all those functions are aliases.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Creating a map is done via "add map". However, to delete a map requires using
"delete set", which is confusing. Add the appropriate synonym to parser.
The downside to this is that one can now delete a set with "delete map", but
this seems a minor issue. It could of course be fixed by adding a new
CMD_OBJ_MAP.
This closes netfilter bugzilla #879.
Reported-by: Bjørnar Ness <bjornar.ness@gmail.com>
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
When listing a table in interactive mode, the set list is not cleaned up. Thus
the number of displayed sets grows with each successive listing. Attached
patch adds the necessary list cleanup to do_command_list.
Reported-by: Bjørnar Ness <bjornar.ness@gmail.com>
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This example file has not been updated with new syntax.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nft segfaults if a symbol is added in top_scope, because of a missing
init_list_head. Trivial example:
define ip_set = {192.168.1.2, 192.168.2.3}
add rule filter output ip daddr $ip_set counter
This closes netfilter bugzilla #877.
Reported-by: Anand Raj Manickam <anandrm@gmail.com>
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
nft is currently rejecting unknown UID/GID if they don't exist in the
system, relax this as Bjørnar Ness considers this is a valid scenario.
Now this only reports an error if you pass an unknown user (expressed as
string or if the UID/GID goes above 32 bits).
Reported-by: Bjørnar Ness <bjornar.ness@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
add rule filter output meta skuid vmap { 1000 => accept }
list table filter
meta skuid map { 3892510720 => accept}
^--------^
this is 1000 in network byte order
Reported-by: Bjørnar Ness <bjornar.ness@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With this patch, nft asks the kernel for deleting all rules in a chain.
This replaces the current behaviour that requires to dump all the rules,
then iterate over that list to delete one by one, which is prone to races
and slowier.
After this patch, the following two commands are equivalent:
nft flush chain filter input
nft delete rule filter input
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Thomas Berger reported that he is seeing garbage after valid string
values, eg.
fwtest01 ~ # nft -i
nft> table filter
nft> add chain filter input
nft> add rule filter input meta iifname "lo" accept
nft> list table filter
table ip filter {
chain input {
meta iifname "lo�.�" accept
}
...
The buffer that is allocated in the stack does not include room to
nul-terminate the string accordingly. This patch fixes bugzilla
report #872:
https://bugzilla.netfilter.org/show_bug.cgi?id=872
Reported-by: Thomas Berger <loki@lokis-chaos.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When specifying a chain to list, all created chains were displayed
with a void content:
# nft list chain filter
table ip filter {
chain input {
}
chain new {
counter packets 17971 bytes 2380637 accept
counter packets 0 bytes 0 accept
}
}
With the attached patch, only the asked chain is displayed:
# nft list chain filter
table ip filter {
chain new {
counter packets 17971 bytes 2380637 accept # handle 36
counter packets 0 bytes 0 accept # handle 40
}
}
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
The name of the chain was not handled in case of a jump or a goto.
This patch adds parsing of the chain.
Reported-by: Alex Chapman <ajchapman88@hotmail.co.uk>
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Logic in the test was inverted. The result was the jump string
not to be set.
Reported-by: Alex Chapman <ajchapman88@hotmail.co.uk>
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
The debian/ dir does not belong here, we already discussed this
with Debian maintainers many times before.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Remove -Werror, as bison and flex generate unclean code that may
break compilation.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
src/parser.y:93.1-13: warning: deprecated directive, use ‘%name-prefix’ [-Wdeprecated]
%name-prefix="nft_"
^^^^^^^^^^^^^
Reported-by: Anatol Pomozov <anatol.pomozov@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This fixes ethernet type protocol matching, which is needed
to match network layer information, eg.
nft add rule bridge filter input ip protocol icmp counter
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch finishes the reject support.
Reported-by: Jiri Benc <jbenc@redhat.com>
Tested-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
commit b259d1a ('src: operational limit match') creates huge
array, increasing nft binary size from ~240k to ~5m on x86_64.
Use switch statement instead.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The nft limit match currently does not work at all. Below patches to nftables,
libnftables, and kernel address the issue. A few notes on the implementation:
- Removed support for nano/micro/milli second limits. These seem pointless,
given we are using jiffies in the limit match, not a hpet. And who really
needs to limit items down to sub-second level??
- 'depth' member is removed as unnecessary. All we need in the kernel is the
rate and the unit.
- 'stamp' member becomes the time we need to next refresh the token bucket,
instead of being updated on every packet which goes through the match.
This closes netfilter bugzilla #827, reported by Eric Leblond.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Exit with NFT_EXIT_FAILURE if something went wrong in the netlink code.
Before this patch:
internal:0:0-0: Error: Could not find chain `asd' in table `filter': [...]
0
After this patch:
internal:0:0-0: Error: Could not find chain `asd' in table `filter': [...]
1
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
nft_netlink function is already calling mnl_batch_end and
mnl_batch_begin so it is not necessary to do it in the
netlink_flush_rules function. Doing this result in a invalid
netlink message which is discarded by the kernel.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
The flush operation was not limiting the flush to the table or
chain specified on command line. The result was that all the rules
for a given family are flush independantly of the flush command.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|