summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* meta: allow resolving meta keys at run timeFlorian Westphal2016-10-274-7/+66
| | | | | | | | | use the meta template to translate the textual token to the enum value. This allows to remove two keywords from the scanner and also means we do not need to introduce new keywords when more meta keys get added. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: allow resolving ct keys at run timeFlorian Westphal2016-10-275-15/+69
| | | | | | | ... and remove those keywords we no longer need. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: provide snprintf helper macroFlorian Westphal2016-10-271-0/+10
| | | | | | | lifted from libnftnl, except that we will abort on snprintf errors. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: add offset keyword and parser rulePablo Neira Ayuso2016-10-272-1/+7
| | | | | | This is required by the numgen and jhash expressions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: fix linearize numgen typeLaura Garcia Liebana2016-10-271-1/+1
| | | | | | | | Avoid to treat numgen type attribute as a register. Fixes: 345236211715 ("src: add hash expression") Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add offset attribute for numgen expressionLaura Garcia Liebana2016-10-278-7/+20
| | | | | | | | | | | | | Add support to add an offset to the numgen generated value. Example: ct mark set numgen inc mod 2 offset 100 This will generate marks with serie like 100, 101, 100, ... Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: fix pkttype name and add 'other' symbolFlorian Westphal2016-10-273-5/+7
| | | | | | | | | | | | | | 'unicast' doesn't check for unicast packets; it checks for PACKET_HOST, i.e. a packet coming in for this host. A unicast address to some other machine (e.g. because nic is in promisc mode) will have PACKET_OTHER. So at best this is misleading, so this patch changes it to 'host'. The unicast entry is retained for compat purpose. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: don't need keyword for log levelPablo Neira Ayuso2016-10-212-16/+24
| | | | | | | We can handle log levels without keywords in our grammar, use string instead. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: update kernel modules to cleanArturo Borrero Gonzalez2016-10-211-2/+4
| | | | | | | | | | | | | | | Let's keep the kernel_cleanup() function updated with latest kernel changes: * added nft_quota, nft_queue, nft_numgen, nft_range * rename nft_hash to nft_set_hash * keep nft_hash as well * rename nft_rbtree to nft_set_rbtree The idea is to run each test in a clean evironment. Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: allow to use variable to add/create/delete elementsPablo Neira Ayuso2016-10-212-3/+25
| | | | | | | | | | | | | | | | | | | | | | | Using variable definitions from element command doesn't work, eg. -test.nft- define whitelist_v4 = { 1.1.1.1 } table inet filter { set whitelist_v4 { type ipv4_addr; } } add element inet filter whitelist_v4 $whitelist_v4 -EOF- # nft -f test.nft test.nft:7:38-38: Error: syntax error, unexpected '$', expecting '{' add element inet filter whitelist_v4 $whitelist_v4 ^ Fix this by using set_block_expr rule for every element command. This patch also comes with a new regression test. Reported-by: Leon Merten Lohse <leon@green-side.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: fix monitor trace crash with netdev familyFlorian Westphal2016-10-211-2/+5
| | | | | | | | | | | | | | | | | nft monitor trace crashes on first packet with: table netdev filter { chain foobar { type filter hook ingress device eth0 priority 0; udp sport 53 meta nftrace set 1 } } We did not handle netdev family and thus generated bogus payload statements without data types. Netfilter Bugzilla: http://bugzilla.netfilter.org/show_bug.cgi?id=1092 Signed-off-by: Florian Westphal <fw@strlen.de>
* src: support ct l3proto/protocol without direction syntaxLiping Zhang2016-10-173-8/+10
| | | | | | | | | | | | | | | Acctually, ct l3proto and ct protocol are unrelated to direction, so it's unnecessary that we must specify dir if we want to use them. Now add support that we can match ct l3proto/protocol without direction: # nft add rule filter input ct l3proto ipv4 # nft add rule filter output ct protocol 17 Note: existing syntax is still preserved, so "ct reply l3proto ipv6" is still fine. Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use new range expression for != [a,b] intervalsPablo Neira Ayuso2016-10-1758-421/+293
| | | | | | | Use new range expression in the kernel to fix wrong bytecode generation. This patch also adjust tests so we don't hit problems there. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: permit numeric interface typeFlorian Westphal2016-10-171-2/+13
| | | | | | | | | | | | | | If we can't translate an interface index back to a name we just print the number. This change allows using a number instead of an interface index to make this symmetric. If we can't find an interface with the given name check if its a numeric string and then use it instead. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: fix numgen case failed due to changes in libnftnlLiping Zhang2016-09-231-3/+3
| | | | | | | | | | | | In nftnl_expr_ng_snprintf_default, format "(%u)" was changed to "mod %u", so numgen test case failed: ... '[ numgen reg 1 = inc(2) ]' mismatches '[ numgen reg 1 = inc mod 2 ]' ... ip/numgen.t: 3 unit tests, 3 error, 0 warning Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: add more test cases for queue exprLiping Zhang2016-09-232-6/+17
| | | | | | | | | | | It's necessary to cover more test cases, for example, large queue range 1-65535, error queue number 65536. Also add a space before tailing square brackets, this is updated to keep consistent with other expr. Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix compile error due to _UNTIL renamed to _MODULUS in libnftnlLiping Zhang2016-09-123-4/+4
| | | | | | | | | | | | | In the latest libnftnl, NFTNL_EXPR_NG_UNTIL was renamed to NFTNL_EXPR_NG_MODULUS, so compile error happened: netlink_linearize.c: In function ‘netlink_gen_numgen’: netlink_linearize.c:184:26: error: ‘NFTNL_EXPR_NG_UNTIL’ undeclared (first use in this function) Also update NFTA_NG_UNTIL to NFTA_NG_MODULUS. Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: replace "eth0" with "lo" in dup expr testsLiping Zhang2016-09-124-12/+12
| | | | | | | | | | | | | | This patch follow up on Manuel's commit a8871ba6daa0 ("tests: py: any: Make tests more generic by using other interfaces"). The ifindex of "eth0" is not always 1, furthermore, "eth0" maybe not exist on some systems. So replace it with "lo" will make tests more rubost. In other test cases, "eth0" is used by iifname or oifname, so there's no need to convert it to "lo". Even if "eth0" is not exist, test will never fail. Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* payload: remove byteorder conversionFlorian Westphal2016-09-091-2/+0
| | | | | | | | | This is what made ether addresses get formatted correctly with plain payload expression (ether saddr 00:11 ...) when listing rules. Not needed anymore since etheraddr_type is now BIG_ENDIAN. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: catch ordering issue w. ether setFlorian Westphal2016-09-092-3/+3
| | | | | | | | | | | | | | | Before previous commit, ether set (payload statement) was reversed on output: ether daddr set 00:03:2d:2b:74:ec would be shown as 'ec:74:2b:2d:03:00'. With ff:ff:ff ... such bug doesn't appear so use something where it will show up. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: ll: use big endian byte orderingFlorian Westphal2016-09-092-5/+6
| | | | | | | | | | | | | | | | | | | | ether daddr set 00:03:2d:2b:74:ec is listed as: ether daddr set ec:74:2b:2d:03:00 (it was fine without 'set' keyword). Reason is that ether address was listed as being HOST endian. The payload expression (unlike statement) path contains a few conversion call sites for this, i.e.: if (tmp->byteorder == BYTEORDER_HOST_ENDIAN) mpz_switch_byteorder(tmp->value, tmp->len / BITS_PER_BYTE); ... it might make sense to remove those in a followup patch. Reported-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: payload and conntrack statementFlorian Westphal2016-09-091-1/+81
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: update meta expressionFlorian Westphal2016-09-091-0/+6
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: nft: document log, reject, counter, meta, limit, nat and queue statementsPablo Neira Ayuso2016-09-081-3/+457
| | | | | | | | | This patch adds the missing documentation for the aforementioned statements. This is based on original work from Shivani Bhardwaj. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: nft: add my copyright statement to the manpagePablo Neira Ayuso2016-09-081-4/+17
| | | | | | | Update the manpage to include my copyright statement and credit me as author of this software. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: Avoid potential null pointer derefPablo Neira Ayuso2016-09-071-0/+13
| | | | | | | | | | | | | Phil Sutter says: As netlink_get_register() may return NULL, we must not pass the returned data unchecked to expr_set_type() as that will dereference it. Since the parser has failed at that point anyway, by returning early we can skip the useless statement allocation that follows in netlink_parse_ct_stmt(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Phil Sutter <phil@nwl.cc>
* tests: py: any: Remove duplicate testsManuel Johannes Messner2016-09-062-15/+0
| | | | | | | This commit removes some duplicated tests. Signed-off-by: Manuel Johannes Messner <manuel.johannes.messner@hs-furtwangen.de> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: py: any: Make tests more generic by using other interfacesManuel Johannes Messner2016-09-062-71/+71
| | | | | | | | | | | Some tests use hard coded interface names and interface indexes. This commit removes these cases by exchanging "eth0" with "dummy0" and "lo" (depending on the test) in all ifname tests and by using "lo" instead of "eth0" in all interface index tests (because we can assume "lo" ifindex is 1). Signed-off-by: Manuel Johannes Messner <manuel.johannes.messner@hs-furtwangen.de> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: py: nft-tests.py: Add function for loading and removing kernel modulesManuel Johannes Messner2016-09-061-0/+32
| | | | | | | | Some tests use the dummy kernel module. This commit adds a function to automatically load that module and remove it afterwards. Signed-off-by: Manuel Johannes Messner <manuel.johannes.messner@hs-furtwangen.de> Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: display expression, statement and command name on debugPablo Neira Ayuso2016-09-051-3/+31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Extend debugging knob for evaluation to display the command, the expression and statement names. # nft --debug=eval add rule x y ip saddr 1.1.1.1 counter <cmdline>:1:1-37: Evaluate add add rule x y ip saddr 1.1.1.1 counter ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ <cmdline>:1:14-29: Evaluate expression add rule x y ip saddr 1.1.1.1 counter ^^^^^^^^^^^^^^^^ ip saddr $1.1.1.1 <cmdline>:1:14-29: Evaluate relational add rule x y ip saddr 1.1.1.1 counter ^^^^^^^^^^^^^^^^ ip saddr $1.1.1.1 <cmdline>:1:14-21: Evaluate payload add rule x y ip saddr 1.1.1.1 counter ^^^^^^^^ ip saddr <cmdline>:1:23-29: Evaluate symbol add rule x y ip saddr 1.1.1.1 counter ^^^^^^^ <cmdline>:1:23-29: Evaluate value add rule x y ip saddr 1.1.1.1 counter ^^^^^^^ 1.1.1.1 <cmdline>:1:31-37: Evaluate counter add rule x y ip saddr 1.1.1.1 counter ^^^^^^^ counter packets 0 bytes 0 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: Avoid undefined behaviour in concat_subtype_id()Phil Sutter2016-09-051-1/+4
| | | | | | | | | | | | | For the left side of a concat expression, dtype is NULL and therefore off is 0. In that case the code expects to get a datatype of TYPE_INVALID, but this is fragile as the output of concat_subtype_id() is undefined for n > 32 / TYPE_BITS. To fix this, call datatype_lookup() directly passing the expected TYPE_INVALID as argument if off is 0. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: reject: Have a generic fix for missing network contextPhil Sutter2016-09-051-3/+1
| | | | | | | | | | | | | | | | | | Commit 17b495957b29e ("evaluate: reject: fix crash if we have transport protocol conflict from inet") took care of a crash when using inet or bridge families, but since then netdev family has been added which also does not implicitly define the network context. Therefore the crash can be reproduced again using the following example: nft add rule netdev filter e1000-ingress \ meta l4proto udp reject with tcp reset In order to fix this in a more generic way, have stmt_evaluate_reset() fall back to the generic proto_inet_service irrespective of the actual proto context. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: Fix datalen checks in expr_evaluate_string()Phil Sutter2016-09-051-1/+2
| | | | | | | | | | | | | | I have been told that the flex scanner won't return empty strings, so strlen(data) should always be greater 0. To avoid a hard to debug issue though, add an assert() to make sure this is always the case before risking an unsigned variable underrun. A real issue though is the check for 'datalen - 1 >= 0', which will never fail due to datalen being unsigned. Fix this by incrementing both sides by one, hence checking 'datalen >= 1'. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: fix memory leak in tc classid parserLiping Zhang2016-08-301-1/+2
| | | | | | | | We forgot to free the str which was allocated by xstrdup, so memory leak will happen. Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: adapt netlink bytecode output of numgen and hashPablo Neira Ayuso2016-08-302-5/+5
| | | | | | Adapt them to the revisited output string now in libnftnl. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: allow variable references in set elements definitionPablo Neira Ayuso2016-08-292-4/+31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Andreas reports that he cannot use variables in set definitions: define s-ext-2-int = 10.10.10.10 . 25, 10.10.10.10 . 143 set s-ext-2-int { type ipv4_addr . inet_service elements = { $s-ext-2-int } } This syntax is not correct though, since the curly braces should be placed in the variable definition itself, so we have context to handle this variable as a list of set elements. The correct syntax that works after this patch is: define s-ext-2-int = { 10.10.10.10 . 25, 10.10.10.10 . 143 } table inet forward { set s-ext-2-int { type ipv4_addr . inet_service elements = $s-ext-2-int } } Reported-by: Andreas Hainke <andreas.hainke@foteviken.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: add variable_expr rulePablo Neira Ayuso2016-08-291-10/+13
| | | | | | | This patch adds a rule for variable expression so we can reuse it in a follow up patch to allow set element initialization from variable. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: validate maximum hash and numgen valuePablo Neira Ayuso2016-08-292-8/+28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | We can validate that values don't get over the maximum datatype length, this is expressed in number of bits, so the maximum value is always power of 2. However, since we got the hash and numgen expressions, the user should not set a value higher that what the specified modulus option, which may not be power of 2. This patch extends the expression context with a new optional field to store the maximum value. After this patch, nft bails out if the user specifies non-sense rules like those below: # nft add rule x y jhash ip saddr mod 10 seed 0xa 10 <cmdline>:1:45-46: Error: Value 10 exceeds valid range 0-9 add rule x y jhash ip saddr mod 10 seed 0xa 10 ^^ The modulus sets a valid value range of [0, n), so n is out of the valid value range. # nft add rule x y numgen inc mod 10 eq 12 <cmdline>:1:35-36: Error: Value 12 exceeds valid range 0-9 add rule x y numgen inc mod 10 eq 12 ^^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: add expr_evaluate_integer()Pablo Neira Ayuso2016-08-291-15/+23
| | | | | | Add a helper function to wrap the integer evaluation code. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add hash expressionPablo Neira Ayuso2016-08-2911-2/+191
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This is special expression that transforms an input expression into a 32-bit unsigned integer. This expression takes a modulus parameter to scale the result and the random seed so the hash result becomes harder to predict. You can use it to set the packet mark, eg. # nft add rule x y meta mark set jhash ip saddr . ip daddr mod 2 seed 0xdeadbeef You can combine this with maps too, eg. # nft add rule x y dnat to jhash ip saddr mod 2 seed 0xdeadbeef map { \ 0 : 192.168.20.100, \ 1 : 192.168.30.100 \ } Currently, this expression implements the jenkins hash implementation available in the Linux kernel: http://lxr.free-electrons.com/source/include/linux/jhash.h But it should be possible to extend it to support any other hash function type. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add numgen expressionPablo Neira Ayuso2016-08-2912-3/+197
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This new expression allows us to generate incremental and random numbers bound to a specified modulus value. The following rule sets the conntrack mark of 0 to the first packet seen, then 1 to second packet, then 0 again to the third packet and so on: # nft add rule x y ct mark set numgen inc mod 2 A more useful example is a simple load balancing scenario, where you can also use maps to set the destination NAT address based on this new numgen expression: # nft add rule nat prerouting \ dnat to numgen inc mod 2 map { 0 : 192.168.10.100, 1 : 192.168.20.200 } So this is distributing new connections in a round-robin fashion between 192.168.10.100 and 192.168.20.200. Don't forget the special NAT chain semantics: Only the first packet evaluates the rule, follow up packets rely on conntrack to apply the NAT information. You can also emulate flow distribution with different backend weights using intervals: # nft add rule nat prerouting \ dnat to numgen inc mod 10 map { 0-5 : 192.168.10.100, 6-9 : 192.168.20.200 } So 192.168.10.100 gets 60% of the workload, while 192.168.20.200 gets 40%. We can also be mixed with dynamic sets, thus weight can be updated in runtime. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add quota statementPablo Neira Ayuso2016-08-299-5/+178
| | | | | | | | | | | | | This new statement is stateful, so it can be used from flow tables, eg. # nft add rule filter input \ flow table http { ip saddr timeout 60s quota over 50 mbytes } drop This basically sets a quota per source IP address of 50 mbytes after which packets are dropped. Note that the timeout releases the entry if no traffic is seen from this IP after 60 seconds. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: adapt it to new add element command semanticsPablo Neira Ayuso2016-08-292-5/+5
| | | | | | | | Since fd33d96 ("src: create element command"), add element doesn't fail anymore if the element exists, you have to use create instead in case you want to check if the element already exists. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: refresh uapi/linux/netfilter/nf_tables.h copyPablo Neira Ayuso2016-08-261-1/+79
| | | | | | Fetch incremental incremental updates on this file. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: cover add and create set commandPablo Neira Ayuso2016-08-251-0/+15
| | | | | | | This patch validates that creation of an already existing element bails out with EEXIST. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: create element commandPablo Neira Ayuso2016-08-254-14/+20
| | | | | | | | | | | | | | | This patch adds the create command, that send the NLM_F_EXCL flag so nf_tables bails out if the element already exists, eg. # nft add element x y { 1.1.1.1 } # nft create element x y { 1.1.1.1 } <cmdline>:1:1-31: Error: Could not process rule: File exists create element x y { 1.1.1.1 } ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ This update requires nf_tables kernel patches to honor the NLM_F_EXCL. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: cover add and create set commandPablo Neira Ayuso2016-08-241-0/+14
| | | | | | | This patch validates that creation of an already existing set bails out with EEXIST. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add create set commandPablo Neira Ayuso2016-08-244-12/+29
| | | | | | | | | | | | | | | | | | | | | | Add support for the 'create' command, we already support this in other existing objects, so support this for sets too, eg. # nft add set x y { type ipv4_addr\; } # nft create set x y { type ipv4_addr\; } <cmdline>:1:1-35: Error: Could not process rule: File exists create set x y { type ipv4_addr; } ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ # nft add set x y { type ipv4_addr\; } # This command sets the NLM_F_EXCL netlink flag, so if the object already exists, nf_tables returns -EEXIST. This is changing the existing behaviour of 'nft add set' which was setting this flag, this is inconsistent with regards to the way other objects behave. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: explicit indication on export rulesetPablo Neira Ayuso2016-08-231-1/+7
| | | | | | | | | | | | | | | This patch modifies the grammar to explicitly indicate what you want to export, eg. # nft export ruleset json This leaves room to extend this later on to support other object types, such as integrating conntrack into nft. This also leaves the syntax in consistent state wrt. other existing objects. The existing syntax is still preserved. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Simplify parser rule_spec treeCarlos Falgueras García2016-08-232-89/+22
| | | | | | | | | | This patch separates the rule identification from the rule localization, so the logic moves from the evaluator to the parser. This allows to revert the patch "evaluate: improve rule managment checks" (4176c7d30c2ff1b3f52468fc9c08b8df83f979a8) and saves a lot of code. Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>