summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* payload: kill redundant payload protocol expressions during netlink ↵Patrick McHardy2012-12-091-5/+34
| | | | | | | | | postprocessing Kill payload protocol expressions like "ip protocol tcp" if a higher layer payload expression already implies this, like "tcp dport 22". Signed-off-by: Patrick McHardy <kaber@trash.net>
* seqtree: update mapping data when keeping the basePatrick McHardy2012-12-081-3/+8
| | | | | | | | When a prefix expression is followed by another prefix expression using the same base but a wider prefix, we need to update the mapping data to that of the second expression. Signed-off-by: Patrick McHardy <kaber@trash.net>
* tests: add verdict map testPatrick McHardy2012-12-081-0/+20
| | | | Signed-off-by: Patrick McHardy <kaber@ŧrash.net>
* segtree: fix segtree to properly support mappingsPatrick McHardy2012-12-083-34/+61
| | | | | | | Requires to use proper types for keys and data and using the key values for reverse transformation. Signed-off-by: Patrick McHardy <kaber@trash.net>
* debug: include verbose message in all BUG statementsroot2012-12-089-38/+44
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* evaluate: reintroduce type chekcs for relational expressionsPatrick McHardy2012-12-051-0/+27
| | | | | | | Since the parser can now generate constant expressions of a specific type not determinaed by the LHS, we need to check that relational expressions are actually using the correct types to avoid accepting stupid things like "tcp dport tcp".
* parser: fix parsing protocol names for protocols which are also keywordsPatrick McHardy2012-12-051-0/+63
| | | | | | "ip protocol tcp" will currently produce a syntax error since tcp is also a keyword which is expected ot be followed by a tcp header field. Allow to use protocol names that are also keywords and allocate a constant expression for them.
* tests: fix test, commands now comes before the family and table namePablo Neira Ayuso2012-08-0614-88/+88
| | | | | | | Most tests still don't work though. They still need another fix. Reported-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expression: Differentiate expr among anonymous structures in struct exprTomasz Bursztyka2012-08-036-26/+26
| | | | | | | This fixes compilation with gcc-4.7 Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* erec: Handle returned value properly in erec_printTomasz Bursztyka2012-08-031-3/+4
| | | | | Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: Remove useless variable in expr_evaluate_bitwise()Tomasz Bursztyka2012-08-031-2/+1
| | | | | Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: Use the right datatype for verdictTomasz Bursztyka2012-08-031-1/+1
| | | | | Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* add bridge filter table definitionsPatrick McHardy2010-07-061-0/+7
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* help: fix of the -I option in help displayRomain Bignon2010-07-061-1/+1
| | | | | | | Trivial patch which fixes typo. Signed-off-by: Romain Bignon <romain@peerfuse.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
* datatype: reject incompletely parsed integers in integer_type_parse()Patrick McHardy2010-07-061-1/+3
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* don't use internal_location for files specified on command linePatrick McHardy2010-07-061-1/+1
| | | | | | | | | Fixes strange error messages like: In file included from internal:0:0-0: files/examples/sets_and_maps:55:2-2: Error: syntax error, unexpected newline, expecting string Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink: add debugging for missing objectsPatrick McHardy2010-07-061-1/+4
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* nat: validate protocol context when performing transport protocol mappingsPatrick McHardy2010-07-061-8/+19
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink: fix nat stmt linearization/parsingPatrick McHardy2010-07-062-26/+29
| | | | | | | | Fix invalid register use when parsing NAT statements and handle range expressions during postprocessing. When linearizing, allocate all registers for both proto and address expressions at once to avoid double use. Signed-off-by: Patrick McHardy <kaber@trash.net>
* payload: fix crash with uncombinable protocolsPatrick McHardy2010-07-061-5/+10
| | | | | | | | The dependency of non-combinable protocols (f.i. arp + tcp) results in a relational dependency expression without a datatype, causing a segfault later on. Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink: fix creation of base chains with hooknum and priority 0Patrick McHardy2010-07-063-1/+14
| | | | | | | | Base chains with both a hook number and priority of zero are created as regular chains. Fix by adding a BASECHAIN flag indicating that the chain should be created as a base chain. Signed-off-by: Patrick McHardy <kaber@trash.net>
* utils: fix invalid assertion in xrealloc()Patrick McHardy2010-07-061-1/+0
| | | | | | The pointer is allowed to have the value NULL. Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink: fix byteorder of RHS of relational meta expressionPatrick McHardy2010-07-063-9/+18
| | | | | | | The RHS needs to be postprocessed before updating the payload context for byteorder conversion. Fixes iiftype match reconstruction. Signed-off-by: Patrick McHardy <kaber@trash.net>
* debug: properly parse debug levelsPatrick McHardy2010-07-064-20/+81
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* build: fix endless recursion with SUBDIRS=...Patrick McHardy2010-07-061-1/+1
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* build: add 'archive' targetPatrick McHardy2010-07-061-0/+4
| | | | | | make archive creates a tar.bz2 from the HEAD version. Signed-off-by: Patrick McHardy <kaber@trash.net>
* parser: support bison >= 2.4Patrick McHardy2010-07-063-1531/+19
| | | | | | | | | Work around stange behaviour in bison >= 2.4 (see large comment in parser.y for details) and remove the skeleton file since it does not work with 2.4 anymore. Its only purpose was to increase the amount of possible tokens reported in error messages anyways. Signed-off-by: Patrick McHardy <kaber@trash.net>
* payload: fix two datatypesPatrick McHardy2009-07-281-1/+2
| | | | | | Fix typo in URG-flag and missing end-of-list marker for the arpop constants. Signed-off-by: Patrick McHardy <kaber@trash.net>
* payload: add DCCP packet type definitionsPatrick McHardy2009-07-285-0/+47
| | | | | | | | | | | | | | | | | | | # nft describe dccp type payload expression, datatype dccp_pkttype (DCCP packet type) (basetype integer), 4 bits pre-defined symbolic constants: request 0x0 response 0x1 data 0x2 ack 0x3 dataack 0x4 closereq 0x5 close 0x6 reset 0x7 sync 0x8 syncack 0x9 Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink: fix binop RHS byteorderPatrick McHardy2009-07-281-1/+2
| | | | | | | | | | | | | | | The byteorder of the RHS of a binop must be set before post-processing it to make sure it will get byteorder-switched if necessary. Fixes invalid conntrack expression states when used with bitmasks: ct state 33554432,67108864 counter packets 1924 bytes 142960 => ct state established,related counter packets 2029 bytes 151508 Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink: dump all chains when listing rulesPatrick McHardy2009-07-281-0/+3
| | | | | | | | Currently only the rules are dumped and chains are constructed based on the rules identities. Dump all chains manually to make sure we also display empty chains. Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink: fix bitmask element reconstructionPatrick McHardy2009-07-281-3/+3
| | | | | | | mpz_scan1() needs to begin scanning at bit 0 and the loop must accept bit 0 as valid. No more bits were found when ULONG_MAX is returned. Signed-off-by: Patrick McHardy <kaber@trash.net>
* debug: allow runtime control of debugging outputPatrick McHardy2009-07-284-25/+37
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* add support for new set API and standalone setsPatrick McHardy2009-07-2813-349/+1515
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* expressions: kill seperate sym_type datatype for symbolsPatrick McHardy2009-04-015-15/+13
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* datatype: add/move size and byte order information into data typesPatrick McHardy2009-03-317-33/+56
| | | | | | | | | | Add size and type information to non-basetype types and remove the now redundant information from the symbol tables. This will be used to determine size and byteorder of set members without analyzing the ruleset for incremental update operations. Signed-off-by: Patrick McHardy <kaber@trash.net>
* datatype: maintain table of all datatypes and add registration/lookup functionPatrick McHardy2009-03-318-32/+139
| | | | | | | | | | | Add a table containing all available datatypes and registration/lookup functions. This will be used to associate a stand-alone set in the kernel with the correct type without parsing the entire ruleset. Additionally it would now be possible to remove the global declarations for the core types. Not done yet though. Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink: move data related functions to netlink.cPatrick McHardy2009-03-314-117/+128
| | | | | | | Move the data related function to netlink.c as they're going to be needed outside of rule context for set maintenance. Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink: use libnl OBJ_CAST macroPatrick McHardy2009-03-312-9/+5
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink: consistent naming fixesPatrick McHardy2009-03-311-4/+4
| | | | | | Rename libnl netlink data to "nld" for consistency. Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink: add helper function for socket callback modificationPatrick McHardy2009-03-311-6/+8
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* ct: resync netlink header and properly add ct l3protocol supportPatrick McHardy2009-03-314-8/+12
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink_linearize: remove two debugging printfsPatrick McHardy2009-03-311-2/+0
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* Fix some memory leaksPatrick McHardy2009-03-202-2/+5
| | | | | | Free nested chain handles and command structures when done. Signed-off-by: Patrick McHardy <kaber@trash.net>
* Release scopes during cleanupPatrick McHardy2009-03-203-0/+16
| | | | | | Properly release the user-defined symbols. Signed-off-by: Patrick McHardy <kaber@trash.net>
* Fix multiple references to the same user defined symbolic expressionPatrick McHardy2009-03-201-2/+1
| | | | | | | | The expression needs to be cloned so transformations don't corrupt the original expression. This could be slightly optimized by only taking a reference and COW'ing when necessary (which is actually quite rare). Signed-off-by: Patrick McHardy <kaber@trash.net>
* expr: add support for cloning expressionsPatrick McHardy2009-03-206-0/+125
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* Add more notes to INSTALLPatrick McHardy2009-03-201-2/+9
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* Add support for user-defined symbolic constantsPatrick McHardy2009-03-205-12/+59
| | | | | | | | | | | | | | | | | | User-defined constants can be used like this: define allowed_hosts = { 192.168.0.0/24, 10.0.0.20-10.0.0.30 } define udp_services = domain define tcp_services = { ssh, domain } ip saddr $allowed_hosts udp dport $udp_services counter accept ip saddr $allowed_hosts tcp dport $tcp_services counter accept Recursive definitions are possible, but currently not fully handled. Anything requiring transformations (sets using ranges) can not be used more than once currently since the expressions need to be COW'ed previously. Signed-off-by: Patrick McHardy <kaber@trash.net>
* Add support for scoping and symbol bindingPatrick McHardy2009-03-204-2/+103
| | | | | | | | | | | | As a first step towards stand-alone sets, add support for scoping and binding symbols. This will be used for user-defined constants, as well as declarations of modifiable (stand-alone) sets once the kernel side is ready. Scopes are currently limited to three nesting levels: the global scope, table block scopes and chain block scopes. Signed-off-by: Patrick McHardy <kaber@trash.net>