| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
| |
Just merge this code to netlink_open_sock().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
The idea is to provide a simplistic API for non-netlink wise people.
Add a field in struct nft_ctx to store the socket.
The advanced API that we're planning will just simply leave this unset,
since netlink IO will be exposed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch addresses shortcomings in the main synopsis section
illustrating possible invocations of nft command:
- Fix font styles to correctly put options into bold font and meta
characters (brackets, pipes) into normal font.
- Add missing options to synopsis line.
- Use curly braces where either one of the alternatives is required.
- Remove choice="opt" attribute since that is the default anyway.
- Note that --includepath option is allowed to be given multiple times.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
expr_rt might write data in host byte order, so make sure to
convert if needed.
This makes 'tcp option maxseg size rt mtu' actually work, right now such rules
are no-ops because nft_exthdr never increases the mss.
While at it, extend the example to not bother testing non-syn packets.
Reported-by: Matteo Croce <technoboy85@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The common paradigm here is that all parser rules converting string
tokens into symbols must free the string token if it's not used anymore.
This is unrelated to the %destructor directive, since that will apply
only if the parser discards the token, which is not the case then.
While being at it, simplify error handling in parser rule for listing
conntrack helpers (error() won't return NULL) and drop the unused extra
parameter passed to error() in level_type rule.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
So we don't forget all these caches should be placed into struct
nft_ctx.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Release existing caches from nft_ctx_free(). Still, the iface cache
should be good to place it in the nft_ctx structure.
Joint work with Pablo Neira.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Add new function to read nftables command from a file and buffer, that
we can expose as library.
Joint work with Pablo Neira.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
These new functions allows us to allocate and release the context
structure. This is going to be useful for libnftables.
Joint work with Pablo Neira.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If one of the command is failing we should return an error.
Pablo says: "This is not a real issue since nft_netlink() returns an
error in case the list of errors is not empty. But we can indeed
simplify things by removing that explicit assignment in nft_netlink() so
mnl_batch_talk() consistently reports when if an error has happened.
Signee-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
In case of failing command evaluation, commands need to be freed as
their memory becomes orphaned afterwards.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
| |
This combines the calls to yylex_init() and yyset_extra().
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
The function takes the scanner as argument, not the state. This wasn't a
real issue since scanner is a void pointer, which means it's only casted
around without need. So this fix is a rather cosmetic one.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When including a file, it is opened by fopen() and therefore needs to be
closed after scanning has finished using fclose(), otherwise valgrind
will report a memleak.
This patch changes struct input_descriptor to track the opened FILE
pointer instead of the file descriptor so the pointer is available for
closing in scanner_destroy().
While at it, change erec_print() to work on the open FILE pointer so it
doesn't have to call fileno() in beforehand. And as a little bonus, use
C99 initializer of the buffer to get rid of the call to memset().
Note that it is necessary to call erec_print_list() prior to destroying
the scanner, otherwise it will start manipulating an already freed FILE
pointer (and therefore crash the program).
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
| |
Debug mask check was done against wrong flag, causing protocol context
debug output being printed when only --debug=netlink was given.
Fixes: be441e1ffdc24 ("src: add debugging mask to context structure")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Initialize structure stmt with stmt_alloc in netlink_parse_target and
netlink_parse_match functions. This patch fixes the gcc warning:
‘stmt’ may be used uninitialized in this function.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Separator was misspelled as "seperator" in a symbol name.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
So this toggle is not global anymore. Update name that fits better with
the semantics of this variable.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Reduce function footprint.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This new structure contains the netlink socket and the sequence number.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Get rid of lots of ifdef DEBUG pollution in the code.
The --debug= option is useful to get feedback from users, so it should
be always there. And we really save nothing from keeping this code away
from the control plane with a compile time option. Just running
tests/shell/ before and after this patch, time shows almost no
difference.
So this patch leaves --enable-debug around to add debugging symbols in
your builds, this is left set on by default.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Not a global variable anymore.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Not convenient to keep this as static for the upcoming library, so let's
move it where it belongs.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This is preliminary work for Eric's libnftables patchset.
Cc: Eric Leblond <eric@regit.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Only use case is to allow similar behaviour to iptables
TCPMSS --clamp-mss-to-pmtu, by combining this with exthdr statement:
tcp option maxseg size set rt mtu
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This adds support for tcp mss mangling:
nft add rule filter input tcp option maxseg size 1200
Its also possible to change other tcp option fields, but
maxseg is one of the more useful ones to change.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Functions mnl_nft_chain_get(), mnl_nft_rule_add(),
mnl_nft_rule_delete(), mnl_nft_set_get(), mnl_nft_table_get(),
set_get_cb(), table_get_cb() and chain_get_cb() are only defined
but not used, so remove them.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Remove netlink_add_rule_list(), netlink_dump_table(),
netlink_get_chain(), netlink_get_set(), netlink_get_table(),
netlink_list_chain() functions definitions as they are not
called anywhere in source code.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Remove cli_display() function, as it is not called anywhere in source
code.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
mpz_get_be64() is not used anywhere in source code. So remove it.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Remove functions xt_stmt_alloc(), xt_stmt_release(), xt_stmt_xlate(),
xt_stmt_print(), xt_stmt_destroy() as they are not used. Similarly,
remove structure xt_stmt_ops.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
nft .. ip ttl set 42
did set the protocol field and left ttl alone, add test cases for this.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nft add rule .. ip ttl set 64
erronously mangles ip protocol instead of ttl.
Because the kernel can't deal with odd-sized data (ttl is one byte) when
doing checksum fixups, so the write to 'ttl' is turned into
[ payload load 2b @ network header + 8 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x000000ff ) ^ $new_value ]
[ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x0 ]
While doing so, we did fail to shift the imm value, i.e.
we clear the wrong half of the u16 (protocol) instead of csum.
The correct mask is 0xff00, and $new_value needs to be shifted
so we leave the protocol value (which is next to ttl) alone.
Fixes: f9069cefdf ("netlink: make checksum fixup work with odd-sized header fields")
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This field is unused, remove it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Place sequence number that is allocated per-command on the struct
netlink_ctx structure. This is allocated from nft_run() to correlate
commands with netlink messages for error reporting. Batch support
probing also shares this sequence numbers with commands.
There is an inpendent cache sequence number though, this routine is
called from a different path, usually from the evaluation phase.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The added cache update upon every command dealing with rules was a
bummer. Instead, perform the needed cache update only if echo option was
set.
Initially, I tried to perform the cache update from within
netlink_echo_callback(), but that turned into a mess since the shared
socket between cache_init() and mnl_batch_talk() would receive
unexpected new input. So instead update the cache from do_command_add(),
netlink_replace_rule_batch() and do_comand_insert() so it completes
before mnl_batch_talk() starts listening.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
The two test suites were pretty similar already, and since echo output
is supposed to be identical to monitor output apart from delete
commands, they can be merged together with litte effort.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Commit 07b45939972eb ("src: introduce struct nft_cache") added cache
pointer to struct netlink_mon_handler and the code assumes it is never
NULL. Therefore initialize it in the dummy version of
netlink_mon_handler in netlink_echo_callback().
Fixes: b99c4d072d996 ("Implement --echo option")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Echo support in nft_mnl_talk() was broken: nft_mnl_talk_cb() passed
cbdata->data as second parameter to netlink_echo_callback() which
expected it to be of type struct netlink_ctx while in fact it was
whatever callers of nft_mnl_talk() passed as callback data (in most
cases a NULL pointer).
I didn't notice this because I didn't test for kernels without support
for transactions. This has been added to nftables in kernel version 3.16
back in 2014. Since then, user space which doesn't support it can't even
add a table anymore. So adding this new feature to the old code path is
really not feasible, therefore drop this broken attempt at supporting
it.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
https works for the wiki, and users should prefer it by default,
whether they are logging in (to protect their credentials) or whether
they're reading data (to protect the integrity of the content).
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
The word 'occur' is misspelled as 'ocurr'. This patch fixes it.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Pass variable cache_initialized and structure list_head as members of
structure nft_cache.
Joint work with Pablo Neira.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Although not very informational, still better than ending mid-sentence.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This mostly covers base chain types, but also tries to clarify meaning
of priority values, chain policy and the ominous device parameter.
Command synopsis is adjusted as well to point out which parts of a base
chain definition are optional and which are not.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
It is the only address family which lacks a table describing supported
hooks. Since that would be identical to the one for ip/ip6/inet
families, just point there.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
- Describe 'type' argument datatypes in DATA TYPES section, then remove
value list from reject statement description and refer to that section
instead.
- Fix synopsis: 'with ...' is optional.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
People new to nftables and yet unaware of 'list ruleset' and 'flush
ruleset' commands have a hard time. Therefore put description of those
prominently at the top, even before explaining operations on tables and
chains.
Since 'export ruleset' is closely related, document it here as well and
remove it's sparse description from ADDITIONAL COMMANDS section.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
