summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* tests: shell: add flowtable testsPablo Neira Ayuso2018-03-056-1/+71
| | | | | | Add basic flowtable tests. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: flow offload supportPablo Neira Ayuso2018-03-058-0/+65
| | | | | | | | | | | | This patch allows us to refer to existing flowtables: # nft add rule x x flow offload @m Packets matching this rule create an entry in the flow table 'm', hence, follow up packets that get to the flowtable at ingress bypass the classic forwarding path. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: delete flowtablePablo Neira Ayuso2018-03-057-0/+48
| | | | | | | | This patch allows you to delete an existing flowtable: # nft delete flowtable x m Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support to add flowtablesPablo Neira Ayuso2018-03-0511-7/+245
| | | | | | | | | | | | | | | | | This patch allows you to create flowtable: # nft add table x # nft add flowtable x m { hook ingress priority 10\; devices = { eth0, wlan0 }\; } You have to specify hook and priority. So far, only the ingress hook is supported. The priority represents where this flowtable is placed in the ingress hook, which is registered to the devices that the user specifies. You can also use the 'create' command instead to bail out in case that there is an existing flowtable with this name. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for flowtable listingPablo Neira Ayuso2018-03-0510-0/+291
| | | | | | | | | | | | | | | | | | | | | | | | | | This patch allows you to dump existing flowtable. # nft list ruleset table ip x { flowtable x { hook ingress priority 10 devices = { eth0, tap0 } } } You can also list existing flowtables via: # nft list flowtables table ip x { flowtable x { hook ingress priority 10 devices = { eth0, tap0 } } } You need a Linux kernel >= 4.16-rc to test this new feature. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: set timeout and size combination coveragePablo Neira Ayuso2018-03-051-0/+15
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: redefine and undefinePablo Neira Ayuso2018-03-041-0/+40
| | | | | | This tests cover the new redefine and undefine scripting feature. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add variable expression and use it to allow redefinitionsPablo Neira Ayuso2018-03-046-22/+101
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add new variable expression that we can use to attach symbols in runtime, this allows us to redefine variables via new keyword, eg. table ip x { chain y { define address = { 1.1.1.1, 2.2.2.2 } ip saddr $address redefine address = { 3.3.3.3 } ip saddr $address } } # nft list ruleset table ip x { chain y { ip saddr { 1.1.1.1, 2.2.2.2 } ip saddr { 3.3.3.3 } } } Note that redefinition just places a new symbol version before the existing one, so symbol lookups always find the latest version. The undefine keyword decrements the reference counter and removes the symbol from the list, so it cannot be used anymore. Still, previous references to this symbol via variable expression are still valid. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: Bump version to v0.8.3v0.8.3Florian Westphal2018-03-031-1/+1
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* src: datatype: prefer sscanf, avoid strncpyFlorian Westphal2018-03-031-11/+10
| | | | | | similar to previous patch, but replace strncpy+atoi by sscanf. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: Use snprintf() over strncpy()Harsha Sharma2018-03-032-4/+4
| | | | | | | Use snprintf() over strncpy() functions as the buffer is not null terminated in strncpy(). Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
* netlink: remove non-batching routinesPablo Neira Ayuso2018-03-033-328/+45
| | | | | | | | This is only needed by 3.16, which was released 8 months after nftables was merged upstream. That kernel version supports a reduced featureset. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* configure: misc updatesPablo Neira Ayuso2018-03-032-21/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch removes the following macros: * AC_PREREQ checks for 2.61, which is not supported any contemporary distribution. * AC_COPYRIGHT, autoconf documentation states "in addition to the Free Software Foundation's copyright on the Autoconf macros, parts of your configure are covered by the copyright-notice.". This only refers to the autoconf infrastructure: we are doing simple and standard usage of autoconf infrastructure, we also don't use this macro in other existing userspace software available at netfilter.org. The comment above at the beginning of this file shows text that is available in many configure.ac templates on the Internet. * AC_CANONICAL_HOST, we don't need the canonical host-system type to build this software. * AC_CONFIG_SRCDIR is not used in other userspace software in the tree. * AC_DEFINE _GNU_SOURCE, define this where it's needed instead. * AC_DEFINE _STDC_FORMAT_MACROS is not used in this codebase. * AC_HEADER_STDC checks for ANSI C89 headers, however, we need more than just this C standard, so this doesn't guarantee anything at all. * Remove "Checks for libraries" comment, it's obvious. * AC_HEADER_ASSERT allows us to disable assertions, this is bad because this is helping us to diagnose bugs and incomplete features. * AC_CHECK_HEADERS is checking for an arbitrary list of headers, this still doesn't even guarantee that we can actually do a successful compilation in a broken system. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* parser: use nf_key_protoFlorian Westphal2018-03-031-9/+7
| | | | | | Consolidate into one so it can be reused by new users. Signed-off-by: Florian Westphal <fw@strlen.de>
* libnftables: don't crash when no commands are specifiedHarsha Sharma2018-03-031-0/+3
| | | | | | | | For e.g. nft -c " " Without this patch it segfaults. Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* parser: support of maps with timeoutLaura Garcia Liebana2018-03-021-0/+5
| | | | | | | | | | | | | | | | | | | | | Support of key and value association with a certain timeout. Example: nft add map nftlb mapa { type inet_service: ipv4_addr\; timeout 5s\; } Results in: table ip nftlb { map mapa { type inet_service : ipv4_addr timeout 5s } } Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: Fix resource leaksPhil Sutter2018-03-021-52/+92
| | | | | | | | | | | | | | | | | | Most of the cases are basically the same: Error path fails to free the previously allocated statement or expression. A few cases received special treatment though: - In netlink_parse_payload_stmt(), the leak is easily avoided by code reordering. - In netlink_parse_exthdr(), there's no point in introducing a goto label since there is but a single affected error check. - In netlink_parse_hash() non-error path leaked as well if sreg contained a concatenated expression. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: Complain if setting O_NONBLOCK failsPhil Sutter2018-03-021-1/+2
| | | | | | | | | Assuming that code is not aware that reads from netlink socket may block, treat inability to set O_NONBLOCK flag as fatal initialization error aborting program execution. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* hash: Fix potential null-pointer dereference in hash_expr_cmp()Phil Sutter2018-03-021-1/+1
| | | | | | | | | | | | | | | | | The first part of the conditional: | (e1->hash.expr || expr_cmp(e1->hash.expr, e2->hash.expr)) will call expr_cmp() in case e1->hash.expr is NULL, causing null-pointer dereference. This is probably a typo, the intention when introducing this was to avoid the call to expr_cmp() for symmetric hash expressions which don't use expr->hash.expr. Inverting the existence check should fix this. Fixes: 3a86406729782 ("src: hash: support of symmetric hash") Cc: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: Fix memleak in stmt_reject_gen_dependency()Phil Sutter2018-03-021-3/+7
| | | | | | | | | | | | | | The allocated payload expression is not used after returning from that function, so it needs to be freed again. Simple test case: | nft add rule inet t c reject with tcp reset Valgrind reports definitely lost 144 bytes. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* erec: Avoid passing negative offset to fseek()Phil Sutter2018-03-021-5/+5
| | | | | | | | If the initial call to ftell() fails, variable orig_offset is set to -1. Avoid passing this to fseek() later on. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cli: Drop pointless check in cli_append_multiline()Phil Sutter2018-03-021-10/+2
| | | | | | | | | | | | | The function is called from cli_complete after it has checked for line to be != NULL. The other part of the conditional, namely multiline being NULL, is perfectly valid (if the last read line didn't end with backslash. Hence drop the conditional completely. Since variable eof is not used anywhere outside of the dropped conditional, get rid of it completely. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: regression test for bugzilla 1228Pablo Neira Ayuso2018-02-281-0/+30
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* monitor: Make JSON/XML output respect output_fpPhil Sutter2018-02-281-19/+18
| | | | | | | | | | | | Make sure events callbacks print to output_ctx-defined stream for any type of output format. Since all of them use nft_print() as last call (if anything is printed at all), the final call to fflush() in netlink_events_cb() can be dropped. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* monitor: Make trace events respect output_fpPhil Sutter2018-02-281-17/+21
| | | | | | | | Seems like this was incompletely converted, part of the output went to output_fp already. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: add example for rule add/deleteFlorian Westphal2018-02-281-0/+27
| | | | | | also mention that 'ip' is used when the family gets omitted. Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: remove ipv6 address FIXMEFlorian Westphal2018-02-281-1/+11
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* Review switch statements for unmarked fall through casesPhil Sutter2018-02-285-4/+7
| | | | | | | | | | | | | | While revisiting all of them, clear a few oddities as well: - There's no point in marking empty fall through cases: They are easy to spot and a common concept when using switch(). - Fix indenting of break statement in one occasion. - Drop needless braces around one case which doesn't declare variables. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: mention meta l4proto and ipv6 nexthdr issue wrt. extension headersFlorian Westphal2018-02-271-1/+25
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* Added undefine/redefine keywordsDavid Fabian2018-02-264-0/+40
| | | | | | | | | | | | | | | | | This is a small patch to nft which adds two new keywords - undefine and redefine. undefine simply undefines a variable from the current scope. redefine allows one to change a variable definition. We have a firewall written in bash (using iptables) that is organized by customer VLANs. Each VLAN has its own set of bash variables holding things like uplink iface names, gateway IPs, etc. We want to rewrite the firewall to nftables but are stuck on the fact that nft variables cannot be overridden in the same scope. We have each VLAN configuration in a separate file containing pre/post-routing, input, output and forward rules,and we include those files to a master firewall configuration. One solution is to rename all the variables with some VLAN specific (pre/su)ffix. But that is cumbersome. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add raw payload test cases.Florian Westphal2018-02-265-0/+93
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: document raw protocol expressionFlorian Westphal2018-02-261-0/+59
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* src: make raw payloads workFlorian Westphal2018-02-264-1/+8
| | | | | | | | | | | | | | | | | | | | make syntax consistent between print and parse. No dependency handling -- once you use raw expression, you need to make sure the raw expression only sees the packets that you'd want it to see. based on an earlier patch from Laurent Fasnacht <l@libres.ch>. Laurents patch added a different syntax: @<protocol>,<base>,<data type>,<offset>,<length> data_type is useful to make nftables not err when asking for "@payload,32,32 192.168.0.1", this patch still requires manual convsersion to an integer type (hex or decimal notation). data_type should probably be added later by adding an explicit cast expression, independent of the raw payload syntax. Signed-off-by: Florian Westphal <fw@strlen.de>
* payload: don't resolve expressions using the inet pseudoheaderFlorian Westphal2018-02-261-1/+1
| | | | | | | Else, '@ll,0,8' will be mapped to 'inet nfproto', but thats not correct (inet is a pseudo header). Signed-off-by: Florian Westphal <fw@strlen.de>
* payload: use integer_type when initializing a raw expressionFlorian Westphal2018-02-261-0/+1
| | | | | | | The invalid type prints prominent "[invalid]", so prefer integer type in raw expressions. Signed-off-by: Florian Westphal <fw@strlen.de>
* meta: introduce datatype ifname_typeArturo Borrero Gonzalez2018-02-2510-20/+103
| | | | | | | | | | | | | | | | | | | | | | | | This new datatype is a string subtype. It will allow us to build named maps/sets using meta keys like 'iifname', 'oifname', 'ibriport' or 'obriport'. Example: table inet t { set s { type ifname elements = { "eth0", "eth1" } } chain c { iifname @s accept oifname @s accept } } Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* files: add load balance exampleArturo Borrero Gonzalez2018-02-251-0/+54
| | | | | | | | Include this example file in the tarball on how to do load balancing with nftables, inspired from https://wiki.nftables.org Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: add ct helper examplesArturo Borrero Gonzalez2018-02-251-0/+43
| | | | | | | | Include some examples in the nftables tarball on using the ct helper infraestructure, inspired from wiki.nftables.org. Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nftables: rearrange files and examplesArturo Borrero Gonzalez2018-02-2518-37/+58
| | | | | | | | | | | | | | Concatenate all family/hook examples into a single one by means of includes. Put all example files under examples/. Use the '.nft' prefix and mark them as executable files. Use a static shebang declaration, since these are examples meant for final systems and users. While at it, refresh also the sets_and_maps.nft example file and also add the 'netdev-ingress.nft' example file. Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: check for overlapping elements at insertionPablo Neira Ayuso2018-02-251-44/+16
| | | | | | | This speeds up element overlap checks quite a bit. Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1228 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: meta.t: fix test case for anonymous set automergeFlorian Westphal2018-02-242-2/+2
| | | | | | | | | | commit fb16c8b7f795e0d ("evaluate: Enable automerge feature for anonymous sets") re-enabled merging of adjacent ranges, so 33-55, 56-88 turns into 33-88. Update test case to reflect this. Signed-off-by: Florian Westphal <fw@strlen.de>
* doc/nft.xml: fix typoDuncan Roe2018-02-181-1/+1
| | | | | Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au> Signed-off-by: Florian Westphal <fw@strlen.de>
* include: fix build failureFlorian Westphal2018-02-171-0/+1
| | | | | | | on older machine of mine: ../include/nftables.h:130:30: error: 'UINT_MAX' undeclared (first use in this function) Signed-off-by: Florian Westphal <fw@strlen.de>
* src: bail out when exporting ruleset with unsupported outputPablo Neira Ayuso2018-02-153-5/+16
| | | | | | | | | | | | | | | | | | | | | | | | | Display error message and propagate error to shell when running command with unsupported output: # nft export ruleset json Error: this output type is not supported export ruleset json ^^^^^^^^^^^^^^^^^^^^ # echo $? 1 When displaying the output in json using the low-level VM representation, it shows: # nft export ruleset vm json ... low-level VM json output # echo $? 0 While at it, do the same with obsoleted XML output. Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1224 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* payload: don't decode past last valid templateFlorian Westphal2018-02-151-0/+4
| | | | | | | | | | | | When trying to decode payload header fields, be sure to bail out when having exhausted all available templates. Otherwise, we allocate invalid payload expressions (no dataype, header length of 0) and then crash when trying to print them. Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1226 Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Spelling fixesVille Skyttä2018-02-1510-12/+12
| | | | | Signed-off-by: Ville Skyttä <ville.skytta@iki.fi> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: add meta_may_dependency_kill()Pablo Neira Ayuso2018-02-151-1/+71
| | | | | | | | | | | | | Do not exercise dependency removal for protocol key network payload expressions in bridge, netdev and inet families from meta expressions, more specifically: * inet: nfproto and ether type. * netdev and bridge: meta protocol and ether type. need to be left in place. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* payload: add payload_may_dependency_kill()Pablo Neira Ayuso2018-02-151-2/+29
| | | | | | | | Payload protocol key expressions at network base are meaningful in the netdev, bridge and inet families, do not exercise the redundant dependency removal in those cases since it breaks rule semantics. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: get rid of __payload_dependency_kill()Pablo Neira Ayuso2018-02-153-18/+9
| | | | | | Use payload_dependency_release() instead. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add payload_dependency_exists()Pablo Neira Ayuso2018-02-153-16/+36
| | | | | | | | | | | | | | | This helper function tells us if there is already a protocol key payload expression, ie. those with EXPR_F_PROTOCOL flag set on, that we might want to remove since we can infer from another expression in the upper protocol base, eg. ip protocol tcp tcp dport 22 'ip protocol tcp' can be removed in the ip family since it is redundant, but not in the netdev, bridge and inet families, where we cannot make assumptions on the layer 3 protocol. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>