* nftables: version 0.099 (tag v0.099) | Patrick McHardy | 2014-01-20 | 1 file, -2/+2

  Signed-off-by: Patrick McHardy <kaber@trash.net>

* use new libnftnl library name | Pablo Neira Ayuso | 2014-01-20 | 5 files, -16/+16

  Adapt the current code to use the new library name libnftnl.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* mnl: fix chain type autoloading | Pablo Neira Ayuso | 2014-01-17 | 1 file, -1/+1

  Add missing NLM_F_CREATE flag when creating new chains to trigger module
  autoloading in the kernel.

  Reported-by: Ana Rey Botello <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* datatype: add time type parser and adapt output | Pablo Neira Ayuso | 2014-01-17 | 1 file, -16/+118

  This patch allows specifying a string to indicate the time, e.g.

    nft add rule filter output ct expiration \"1d2h3m4s\" counter

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* set: make set initializer parsable | Patrick McHardy | 2014-01-16 | 4 files, -2/+27

  If a set contains elements, the output is not parsable since the
  "elements = { ... }" is not understood by the parser. Fix this and also
  add support for creating constant sets (which only makes sense when using
  an initializer).

  Signed-off-by: Patrick McHardy <kaber@trash.net>

* set: make set flags output parsable | Patrick McHardy | 2014-01-16 | 3 files, -6/+35

  This patch fixes two problems:

  - the output of "nft list table ..." is not parsable if sets are included
    because the parser can't parse the flags.
  - set flags can't be specified during set creation.

  To fix this, the set output is changed to:

  - not print each flag on a single line
  - prefix the flags with "flags "
  - only show the interval flag since all others are for internal use only

  The parser is changed to parse the flags specified in a set declaration.
  This allows parsing empty sets. The following patch will take care of
  parsing sets that are already populated.

  Signed-off-by: Patrick McHardy <kaber@trash.net>

* src: use ':' instead of '=>' in dictionaries | Pablo Neira Ayuso | 2014-01-16 | 10 files, -32/+30

  Replace => by : to make it easier for most shell users, as > implies a
  redirection; let's avoid the possible confusion that may result if you
  forget to escape it.

  This works fine if you don't forget to add a space between the key and the
  value. If you forget to add the space, depending on the case, the scanner
  may recognize it correctly or process it as a string.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* src: add new --debug=mnl option to enable libmnl debugging | Pablo Neira Ayuso | 2014-01-16 | 3 files, -3/+8

  This allows you to dump the netlink message that is sent via libmnl.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* build: fix recursive parser.h inclusion | Patrick McHardy | 2014-01-16 | 1 file, -1/+8

  Occasionally when regenerating the scanner or parser (not sure which),
  recursive inclusion of the parser.h file occurs. The reason is that bison
  doesn't generate a header sandwich to protect against this (*sigh*).
  Change the makefile to do this manually.

  Signed-off-by: Patrick McHardy <kaber@trash.net>

* segtree: fix decomposition of unclosed intervals | Patrick McHardy | 2014-01-16 | 1 file, -9/+30

  If intervals are directly adjacent or extend to the right end of the
  dimension, they are not closed by an EXPR_F_INTERVAL_END entry. This leads
  to multiple errors when decomposing the intervals:

  - the last unclosed interval is not shown at all.
  - if a range is unclosed and the set is a map, the starting point of the
    next interval is set to the data, not the key, leading to nonsensical
    output.
  - if a prefix is unclosed, the interval is assumed to be a prefix as well
    and the same starting point is kept. This makes sense for cases like
    192.168.0.0/24, 192.168.0.0/16, but leads to hard-to-understand results
    if the next interval is not representable as a prefix.

  Fix this by doing two things:

  - add an EXPR_F_INTERVAL_END element for each unclosed interval during
    preprocessing.
  - process the final unclosed interval extending to the right end of the
    dimension, if present.

  Signed-off-by: Patrick McHardy <kaber@trash.net>

* segtree: only use prefix expressions for ranges for selected datatypes | Patrick McHardy | 2014-01-16 | 4 files, -1/+14

  It is uncommon to represent f.i. port number ranges as prefix expressions.
  Introduce a datatype DTYPE_F_PREFIX flag to indicate that the preferred
  representation of a range is a prefix and use it for segtree decomposition
  to decide whether to use a range or prefix expression. The ipaddr,
  ip6addr, mark and realm datatypes are changed to include the DTYPE_F_PREFIX
  flag.

  This fixes completely unreadable output in cases where the ranges are
  representable as prefixes, f.i. in the case of port numbers:

    { 0/6 => jump chain1, 0/5 => jump chain2, 0/4 => continue}

  becomes:

    { 0-1023 => jump chain1, 1024-2047 => jump chain2, 2048-4095 => continue}

  Signed-off-by: Patrick McHardy <kaber@trash.net>

* parser: fix compilation breakage | Patrick McHardy | 2014-01-16 | 1 file, -1/+1

  Commit 0bd59cf4da (parser: fix parsing of ethernet protocol types) broke
  compilation:

    src/parser.y:26:22: fatal error: if_ether.h: No such file or directory

  Should be netinet/if_ether.h.

  Signed-off-by: Patrick McHardy <kaber@trash.net>

* expression: fix output of verdict maps | Pablo Neira | 2014-01-16 | 1 file, -1/+5

    % nft list table filter
    table ip filter {
            ...
            chain output {
                    ...
                    ip saddr map { 1.1.1.1 => accept}
            }
    }

  It displays 'map' instead of 'vmap'. Fix it by checking the mapping type
  in map_expr_print().

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* payload: fix inconsistency in ethertype output | Pablo Neira Ayuso | 2014-01-16 | 1 file, -1/+1

  Use ip6 instead of ipv6.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* payload: fix crash when wrong ethernet protocol type is used | Pablo Neira Ayuso | 2014-01-16 | 1 file, -0/+1

    nft add rule ip filter output meta protocol xyz counter
                                                ^^^

  This fix is similar to 4097ad7 ("meta: fix crash when parsing unresolvable
  mark values").

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* parser: fix parsing of ethernet protocol types | Pablo Neira Ayuso | 2014-01-16 | 1 file, -0/+29

  This allows us to use the protocol type keyword, e.g.

    nft add rule ip filter output meta protocol ip6 counter
                                                ^^^

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* expr: relational: don't suppress '==' for LHS binops in output | Patrick McHardy | 2014-01-15 | 1 file, -2/+4

  This patch changes the output of relational expressions to not suppress
  the '==' when the LHS is a binop, f.i.

    ... meta mark & 0x00000003 0x00000001

  becomes

    ... meta mark & 0x00000003 == 0x00000001

  Signed-off-by: Patrick McHardy <kaber@trash.net>

* netlink: use stdout for debugging | Pablo Neira Ayuso | 2014-01-15 | 1 file, -5/+5

  Suggested-by: Patrick McHardy <kaber@trash.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* segtree: add new segtree debugging option | Pablo Neira Ayuso | 2014-01-15 | 3 files, -11/+39

  Currently, nft displays the debugging information if it's compiled with
  --enable-debug (which seems a good idea) and when intervals are used in
  maps. Add a new option to enable debugging to segtree, so we only get this
  information when explicitly requested.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* payload: fix name of eth_proto | Patrick McHardy | 2014-01-15 | 1 file, -1/+1

  It's "ether" now since we've changed the keyword.

  Signed-off-by: Patrick McHardy <kaber@trash.net>

* meta: fix mismerge | Patrick McHardy | 2014-01-15 | 1 file, -2/+0

  Signed-off-by: Patrick McHardy <kaber@trash.net>

* meta: don't require "meta" keyword for a subset of meta expressions | Patrick McHardy | 2014-01-15 | 2 files, -4/+29

  Don't require the meta keyword for mark, iif, oif, iifname, oifname, skuid,
  skgid, nftrace, rtclassid and secmark. The protocol and length types still
  need the meta keyword to avoid grammar conflicts.

  Signed-off-by: Patrick McHardy <kaber@trash.net>

  Conflicts:
          src/parser.y

* expr: remove secmark from ct and meta expression | Patrick McHardy | 2014-01-15 | 4 files, -9/+0

  The secctx should be used instead of the secmark. Remove for now.

  Signed-off-by: Patrick McHardy <kaber@trash.net>

* scanner: add aliases to symbols for easier interaction with most shells | Pablo Neira Ayuso | 2014-01-15 | 1 file, -0/+12

  These symbols need to be escaped in bash and if you use them without
  escaping them, it can lead to confusion. This patch adds nominal aliases,
  e.g.

    nft add rule filter output meta mark and 0x3 eq 0x1

  as an alternative to:

    nft add rule filter output meta mark \& 0x3 == 0x1

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* nft: scanner: fixed problem with ipv6 address | Ana Rey | 2014-01-15 | 1 file, -25/+25

  There is a problem with the following ipv6 address combination:

    nft add rule ip6 t_ip61 filter-input ip6 saddr ::1234:1234:1234:1234:1234:1234:1234
    1234::1234:1234:1234:1234:1234:1234
    1234:1234::1234:1234:1234:1234:1234
    1234:1234:1234::1234:1234:1234:1234
    1234:1234:1234:1234::1234:1234:1234
    1234:1234:1234:1234:1234::1234:1234
    ::1234:1234:1234:1234:1234:1234
    1234::1234:1234:1234:1234:1234
    1234:1234::1234:1234:1234:1234
    1234:1234:1234::1234:1234:1234
    1234:1234:1234:1234::1234:1234
    ::1234:1234:1234:1234:1234
    1234::1234:1234:1234:1234
    1234:1234::1234:1234:1234
    1234:1234:1234::1234:1234
    ::1234:1234:1234:1234
    1234::1234:1234:1234
    1234:1234::1234:1234
    ::1234:1234:1234
    1234::1234:1234

  The problem was in the scanner (src/scanner.l). Several brackets were
  missed and the result was an incorrect interpretation. Fix it by adding
  some brackets in a regular expression in src/scanner.l.

  Signed-off-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Patrick McHardy <kaber@trash.net>

* scanner: rename address selector from 'eth' to 'ether' | Pablo Neira Ayuso | 2014-01-14 | 2 files, -3/+3

  eth may easily occur when using ifname masks. This could also be fixed by
  interpreting 'eth' as a simple string in the parser, but I think this
  selector also looks more similar to what we use in tcpdump.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* Revert "parser: replace "vmap" keyword by "map"" | Patrick McHardy | 2014-01-14 | 2 files, -1/+3

  This reverts commit 5e8f8a1807917f92e568437598670b0026462c1c.

  I missed that this introduces shift-reduce conflicts. Revert for now.

* parser: replace "vmap" keyword by "map" | Patrick McHardy | 2014-01-14 | 2 files, -3/+1

  Consistently use "map" to express mappings.

  Signed-off-by: Patrick McHardy <kaber@trash.net>

* files: replace interpreter during installation | Arturo Borrero Gonzalez | 2014-01-13 | 3 files, -0/+3

  Many systems (for example Debian) don't recognize `#!nft -f' as a valid
  interpreter. A short way to handle this is to provide the full path to the
  interpreter in the shebang. That is what this patch does: update the
  shebang's path during installation.

  For example, if you are installing under /usr/local, the shebang becomes:

    #!/usr/local/sbin/nft -f

  If using --prefix=/, then:

    #!/sbin/nft -f

  NOTE: If the shebang in the source files is changed in the future, this sed
  script should be updated as well.

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Patrick McHardy <kaber@trash.net>

* nftables: drop hard coded install using root user owner and group | Kevin Fenzi | 2014-01-13 | 3 files, -4/+4

  Packaging systems build as a non-priv user, so can't install as root.
  Users installing from source can 'sudo make install' or run 'make install'
  as root.

  Signed-off-by: Kevin Fenzi <kevin@scrye.com>
  Signed-off-by: Patrick McHardy <kaber@trash.net>

* netlink: fix wrong type in attributes | Pablo Neira Ayuso | 2014-01-10 | 2 files, -11/+11

  Fix inconsistent attribute types in meta and cmp expressions, use
  uint32_t. This problem was added when converting nft to use libmnl and
  libnftables.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* meta: fix crash when parsing unresolvable mark values | Patrick McHardy | 2014-01-10 | 1 file, -0/+1

  *res has undefined contents, set to NULL before invoking the parse
  function to make sure the test for != NULL doesn't falsely return true.

  Signed-off-by: Patrick McHardy <kaber@trash.net>

* datatype: revert "fix crash if wrong integer type is passed" | Patrick McHardy | 2014-01-10 | 1 file, -4/+2

  Revert commit a320531e7:

  We have generic type checks that handle this case just fine and indeed the
  bugzilla entry mentioned in the reverted patch states:

    BUG: invalid input descriptor type 538976288
    nft: src/erec.c:100: erec_print: Assertion `0' failed.
    Abandon

  So the problem is not related to datatypes at all and generic type checking
  works perfectly fine:

    <cmdline>:1:52-57: Error: datatype mismatch, expected Ethernet protocol, expression has type Internet protocol
    add rule ip6 filter input position 4 meta protocol icmpv6 accept
                                         ~~~~~~~~~~~~~ ^^^^^^

  Signed-off-by: Patrick McHardy <kaber@trash.net>

* erec: fix error markup for errors starting at column 0 | Patrick McHardy | 2014-01-10 | 1 file, -1/+2

  For errors starting at column 0, we must not subtract 1 to avoid
  underflow.

  Signed-off-by: Patrick McHardy <kaber@trash.net>

* nftables: shorten "could not process rule in batch" message | Patrick McHardy | 2014-01-10 | 1 file, -2/+2

  Remove the "in batch" part; it makes most messages exceed a single line,
  the user doesn't care about this and we process even single rules in
  "batches".

  Signed-off-by: Patrick McHardy <kaber@trash.net>

* nftables: fix suppression of "permission denied" errors | Patrick McHardy | 2014-01-09 | 3 files, -8/+14

  Introduction of batch support broke displaying of EPERM since those are
  generated by the kernel before batch processing starts and thus have the
  sequence number of the NFNL_MSG_BATCH_BEGIN message instead of the command
  messages. Also only a single error message is generated for the entire
  batch.

  This patch fixes this by noting the batch sequence number and displaying
  the error for all commands since this is what would happen if the
  permission check was inside batch processing as every other check.

  Signed-off-by: Patrick McHardy <kaber@trash.net>

* netlink: fix dictionary feature with data mappings | Pablo Neira Ayuso | 2013-12-28 | 1 file, -1/+13

  This patch fixes the dictionary feature, that allows you to conditionally
  set packet fields based on a given selector, e.g.

    add rule ip filter input meta dnat set tcp dport map { 22 => 1.1.1.1, 23 => 2.2.2.2 }

  This means that traffic flowing to tcp port 22 is dnatted to address
  1.1.1.1 and tcp port 23 is dnatted to address 2.2.2.2.

  This feature was partially broken by aae836a ("src: use libnftables")
  although it also needs the kernel fix ("netfilter: nf_tables: fix wrong
  datatype in nft_validate_data_load()").

  This patch also fixes endianness issues when displaying the mark via
  `list table' related to list_setelem_cb() since the byteorder was left
  unset for the data part of a set element.

    meta mark set tcp dport map { telnet => 0x02000000, ssh => 0x01000000}
                                               ^                  ^

  Note the wrong endianness in the example above.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* mnl: print netlink message if --debug=netlink in mnl_talk() | Pablo Neira Ayuso | 2013-12-28 | 1 file, -0/+5

  Useful for debugging purposes.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* mnl: don't set NLM_F_ACK flag in mnl_nft_rule_batch_[add|del] | Pablo Neira Ayuso | 2013-12-07 | 1 file, -2/+2

  If the NLM_F_ACK flag is unset, the kernel still explicitly reports
  errors. Thus, we can save the handling of many explicit (useless) ack
  messages that indicate success.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* src: fix rule flushing atomically | Pablo Neira Ayuso | 2013-12-06 | 1 file, -34/+1

  nft is currently retrieving the list of rules from the kernel, then
  deleting each rule one by one. This is slow and not safe. Fix it by
  sending a deletion command in a batch without specifying the chain.

  This change requires the kernel fix entitled:

    netfilter: nf_tables: fix missing rules flushing per table

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* mnl: fix inconsistent name usage in nft_*_nlmsg_build_hdr calls | Arturo Borrero | 2013-12-04 | 1 file, -22/+22

  Minor fix, given that all those functions are aliases.

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* parser: add 'delete map' syntax | Phil Oester | 2013-11-30 | 1 file, -0/+4

  Creating a map is done via "add map". However, deleting a map requires
  using "delete set", which is confusing. Add the appropriate synonym to the
  parser.

  The downside to this is that one can now delete a set with "delete map",
  but this seems a minor issue. It could of course be fixed by adding a new
  CMD_OBJ_MAP.

  This closes netfilter bugzilla #879.

  Reported-by: Bjørnar Ness <bjornar.ness@gmail.com>
  Signed-off-by: Phil Oester <kernel@linuxace.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* rule: missing set cleanup in do_command_list | Phil Oester | 2013-11-30 | 1 file, -0/+5

  When listing a table in interactive mode, the set list is not cleaned up.
  Thus the number of displayed sets grows with each successive listing.
  Attached patch adds the necessary list cleanup to do_command_list.

  Reported-by: Bjørnar Ness <bjornar.ness@gmail.com>
  Signed-off-by: Phil Oester <kernel@linuxace.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* examples: adjust new chain type syntax in sets_and_maps file | Phil Oester | 2013-11-30 | 1 file, -1/+1

  This example file has not been updated with the new syntax.

  Signed-off-by: Phil Oester <kernel@linuxace.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* parser: segfault in top scope define | Phil Oester | 2013-11-30 | 1 file, -0/+1

  nft segfaults if a symbol is added in top_scope, because of a missing
  init_list_head. Trivial example:

    define ip_set = {192.168.1.2, 192.168.2.3}
    add rule filter output ip daddr $ip_set counter

  This closes netfilter bugzilla #877.

  Reported-by: Anand Raj Manickam <anandrm@gmail.com>
  Signed-off-by: Phil Oester <kernel@linuxace.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* meta: relax restriction on UID/GID parsing | Pablo Neira Ayuso | 2013-11-29 | 1 file, -20/+34

  nft is currently rejecting unknown UID/GID if they don't exist in the
  system; relax this as Bjørnar Ness considers this a valid scenario.

  Now this only reports an error if you pass an unknown user (expressed as
  string or if the UID/GID goes above 32 bits).

  Reported-by: Bjørnar Ness <bjornar.ness@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* meta: fix endianness in UID/GID | Pablo Neira Ayuso | 2013-11-29 | 1 file, -2/+2

    add rule filter output meta skuid vmap { 1000 => accept }
    list table filter
    meta skuid map { 3892510720 => accept}
                     ^--------^
                     this is 1000 in network byte order

  Reported-by: Bjørnar Ness <bjornar.ness@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* netlink: improve rule deletion per chain | Pablo Neira Ayuso | 2013-11-25 | 1 file, -1/+1

  With this patch, nft asks the kernel to delete all rules in a chain. This
  replaces the current behaviour that requires dumping all the rules, then
  iterating over that list to delete them one by one, which is prone to
  races and slower.

  After this patch, the following two commands are equivalent:

    nft flush chain filter input
    nft delete rule filter input

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* datatype: fix missing nul-terminated string in string_type_print | Pablo Neira Ayuso | 2013-11-25 | 1 file, -1/+2

  Thomas Berger reported that he is seeing garbage after valid string
  values, e.g.

    fwtest01 ~ # nft -i
    nft> table filter
    nft> add chain filter input
    nft> add rule filter input meta iifname "lo" accept
    nft> list table filter
    table ip filter {
            chain input {
                    meta iifname "lo�.�" accept
            }
    ...

  The buffer that is allocated in the stack does not include room to
  nul-terminate the string accordingly.

  This patch fixes bugzilla report #872:
  https://bugzilla.netfilter.org/show_bug.cgi?id=872

  Reported-by: Thomas Berger <loki@lokis-chaos.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* netlink: only display wanted chain in listing | Eric Leblond | 2013-11-19 | 1 file, -0/+4

  When specifying a chain to list, all created chains were displayed with a
  void content:

    # nft list chain filter
    table ip filter {
            chain input {
            }
            chain new {
                    counter packets 17971 bytes 2380637 accept
                    counter packets 0 bytes 0 accept
            }
    }

  With the attached patch, only the asked chain is displayed:

    # nft list chain filter
    table ip filter {
            chain new {
                    counter packets 17971 bytes 2380637 accept # handle 36
                    counter packets 0 bytes 0 accept # handle 40
            }
    }

  Signed-off-by: Eric Leblond <eric@regit.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>