* build: Bump version to v0.8.5 (tag: v0.8.5)
  Florian Westphal, 2018-05-10, 1 file changed, -1/+1 lines

  Signed-off-by: Florian Westphal <fw@strlen.de>
* tests/shell: Extend rule_management/0001addposition_0
  Phil Sutter, 2018-05-09, 6 files changed, -36/+112 lines

  Combine it with 0002insertposition_0 due to the many similarities, extend it to test the 'handle' and 'index' parameters as well, and rename the testcase accordingly. Also add a new 0002addinsertlocation_1 which tests that a wrong argument to any of the location parameters fails.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Support 'add/insert rule index <IDX>'
  Phil Sutter, 2018-05-09, 6 files changed, -9/+89 lines

  Allow specifying an absolute rule position in add/insert commands, like with iptables. The translation to a rule handle takes place in userspace, so no kernel support for this is needed. Possible undesired effects are pointed out in the man page to make users aware that this way of specifying a rule location might not be ideal.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: Copy locations in handle_merge()
  Phil Sutter, 2018-05-09, 1 file changed, -3/+9 lines

  This allows error messages to point to the right part of the command after handles were merged.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Deprecate add/insert rule 'position' argument
  Phil Sutter, 2018-05-09, 2 files changed, -4/+21 lines

  Instead, use the 'handle' keyword for the same effect, since that is more consistent with respect to the replace/delete commands. The old keyword is still supported for backwards compatibility and is also listed in the man page along with a hint that it shouldn't be used anymore.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: allow to specify sets with a timeout
  Florian Westphal, 2018-05-09, 7 files changed, -19/+94 lines

  Not usable yet, as the set timeout netlink output isn't captured so far, but it adds the groundwork to add this as a follow-up. The set definition syntax changes a little: if you want to add multiple elements, they now have to be separated by ",", just like in nftables.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: py: add expires tests with different time bases
  Florian Westphal, 2018-05-09, 2 files changed, -5/+21 lines

  Signed-off-by: Florian Westphal <fw@strlen.de>
* src: support timeouts in milliseconds
  Florian Westphal, 2018-05-09, 7 files changed, -25/+50 lines

  Currently the frontend uses seconds everywhere and multiplies/divides by 1000. Pass milliseconds around instead and extend the scanner to accept 'ms' in time strings.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: add size keyword to meter example
  Florian Westphal, 2018-05-09, 1 file changed, -1/+1 lines

  Signed-off-by: Florian Westphal <fw@strlen.de>
* xt: don't BUG if we can't find an extension
  Florian Westphal, 2018-05-08, 1 file changed, -6/+8 lines

  It seems a bit harsh to just exit.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* parser: added missing semicolon
  Máté Eckl, 2018-05-08, 1 file changed, -0/+1 lines

  It did not do any harm, but it was certainly missing.

  Signed-off-by: Máté Eckl <ecklm94@gmail.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: add size to meters
  Pablo Neira Ayuso, 2018-05-08, 2 files changed, -2/+2 lines

  Otherwise, 65535 is used and the testsuite reports a dump mismatch.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: delete chain and rule with jump to chain in same transaction
  Pablo Neira Ayuso, 2018-05-08, 1 file changed, -0/+25 lines

  We should not hit EBUSY in this case.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* files: restore base table skeletons
  Florian Westphal, 2018-05-08, 16 files changed, -13/+37 lines

  nftables releases until 0.8.2 included base skeleton hooks that were installed into /etc/nftables (sysconfdir). With 0.8.3 and newer these files were moved to the documentation area, but apparently some users expect them to be there. Resurrect them.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: Support rfc4291 IPv4-compatible addresses
  Phil Sutter, 2018-05-06, 1 file changed, -1/+2 lines

  These are defined in section 2.5.5.1. Although it is stated that they are deprecated and new implementations are not required to support them, they occur in ruleset output if an address in the form '::feed:babe' was given in input. In order to support reinsertion of that rule, we have to support those deprecated addresses as well.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Fix expected output in {bridge,inet}/icmpX.t
  Phil Sutter, 2018-05-06, 2 files changed, -2/+2 lines

  The first expression in that rule is not eliminated in the evaluation phase, so there is no reason why it should be while delinearizing.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* proto: Fix wrong token in proto_icmp6
  Phil Sutter, 2018-05-06, 1 file changed, -1/+1 lines

  The 'token' value of the ICMP6HDR_MTU field must be 'mtu', not 'packet-too-big'. This went unnoticed because rule delinearization for icmp/icmpv6 payload expressions is problematic anyway, in that different fields point to the same offset and therefore are indistinguishable. In this case, an expression like e.g. 'icmpv6 mtu 1500' will be printed later as 'icmpv6 parameter-problem 1500'.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use location to display error messages
  Pablo Neira Ayuso, 2018-05-06, 1 file changed, -62/+94 lines

    # nft add chain foo bar
    Error: Could not process rule: No such file or directory
    add chain foo bar
              ^^^

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add obj_spec
  Pablo Neira Ayuso, 2018-05-06, 5 files changed, -18/+25 lines

  Store location object in handle to improve error reporting.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add set_spec
  Pablo Neira Ayuso, 2018-05-06, 8 files changed, -42/+49 lines

  Store location object in handle to improve error reporting.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add chain_spec
  Pablo Neira Ayuso, 2018-05-06, 6 files changed, -22/+29 lines

  Store location object in handle to improve error reporting.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add table_spec
  Pablo Neira Ayuso, 2018-05-06, 7 files changed, -67/+73 lines

  Store location object in handle to improve error reporting.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: Removed LOOKUP token
  Máté Eckl, 2018-05-05, 1 file changed, -1/+0 lines

  It is never used.

  Signed-off-by: Máté Eckl <ecklm94@gmail.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: update doc/ispell_nft to track recent nft.8 updates
  Duncan Roe, 2018-05-03, 1 file changed, -2/+2 lines

  Track changes in commits 3baa28f24b3d70a7ee17d584c113a2c4e057a565 and 4787edad132c30ae0f6bb00135ae5d970b0ccb74 (rename ibriport and obriport: s/iport/name).

  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* meter: enforce presence of a max size
  Florian Westphal, 2018-05-02, 7 files changed, -4/+17 lines

  Meters are updated dynamically, so we don't know in advance how large this structure can be. Add a 'size' keyword to specify an upper limit and update the old syntax to assume a default max value of 65535.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* libnftables: fix header export
  Arturo Borrero Gonzalez, 2018-05-02, 5 files changed, -4/+4 lines

  Instruct Make to actually install the header to the system, otherwise users won't see the header in their system after running 'make install'. Also, export the main libnftables header with a proper name, since we have another private header called 'nftables.h' (i.e., let's be concrete with the naming).

  Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* build: Bump version to v0.8.4 (tag: v0.8.4)
  Florian Westphal, 2018-05-01, 1 file changed, -1/+1 lines

  Signed-off-by: Florian Westphal <fw@strlen.de>
* rule: do not hardcode ingress when printing flowtable
  Pablo Neira Ayuso, 2018-04-26, 1 file changed, -1/+2 lines

  Call the hook-number-to-string function instead.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: missing flowtable evaluation from nested notation
  Pablo Neira Ayuso, 2018-04-26, 1 file changed, -0/+7 lines

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix --debug mnl not producing output
  Duncan Roe, 2018-04-26, 4 files changed, -19/+19 lines

  cache_update() needs to accept the full debug mask instead of a boolean of NFT_DEBUG_NETLINK, because called functions may wish to check other bits (NFT_DEBUG_MNL in particular).

  Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: reword insert position, this expects rule handle to insert, not a relative position
  Florian Westphal, 2018-04-24, 1 file changed, -3/+3 lines

  Signed-off-by: Florian Westphal <fw@strlen.de>
* statement: Fix get_rate() for zero byte_rate
  Phil Sutter, 2018-04-24, 1 file changed, -0/+5 lines

  The algorithm didn't detect whether the given byte_rate was zero, pointlessly iterating through data units. Make it exit early in this case.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: Free flowtable in handle_free()
  Phil Sutter, 2018-04-24, 1 file changed, -0/+1 lines

  Fixes: db0697ce7f602 ("src: support for flowtable listing")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: no EINTR handling from netlink_get_setelem()
  Pablo Neira Ayuso, 2018-04-24, 1 file changed, -11/+4 lines

  This cannot happen; this call does not set the NLM_F_DUMP flag.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: centralize netlink error reporting
  Pablo Neira Ayuso, 2018-04-24, 3 files changed, -39/+11 lines

  Consolidate error reporting from the do_command() call.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: simplify netlink_get_setelems() and rename it to netlink_list_setelems()
  Pablo Neira Ayuso, 2018-04-24, 3 files changed, -13/+9 lines

  This is called from the cache population path; remove the netlink_io_error() call since it is not needed. Rename it for consistency with the similar netlink_list_*() NLM_F_DUMP functions. Get rid of the location parameter.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: remove unused function declarations
  Pablo Neira Ayuso, 2018-04-24, 1 file changed, -4/+0 lines

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: don't pass location to netlink_list_*() function
  Pablo Neira Ayuso, 2018-04-24, 3 files changed, -38/+21 lines

  Not needed anymore.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: netlink_list_chains() callers always want all existing chains
  Pablo Neira Ayuso, 2018-04-24, 1 file changed, -15/+1 lines

  Remove dead code; callers always need this to dump all of the existing chains.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: pass cmd object to netlink function calls
  Pablo Neira Ayuso, 2018-04-24, 3 files changed, -163/+129 lines

  Simplify function footprint.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: remove dead netlink_io_error() calls
  Pablo Neira Ayuso, 2018-04-20, 1 file changed, -58/+4 lines

  This error path is never entered since mnl_nft_*_batch_{add,del,replace} calls never fail, and if they ever do fail it will be because we are hitting OOM; in such a case we can display a more generic non-netlink error.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mnl: remove non-batch netlink code
  Pablo Neira Ayuso, 2018-04-20, 2 files changed, -149/+0 lines

  These functions have no clients anymore.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: clear expression context before cmd evaluation
  Florian Westphal, 2018-04-19, 2 files changed, -0/+11 lines

  We also need to clear the expr ctx before we eval a command. This is a follow-up fix to 'evaluate: reset eval context when evaluating set definitions'. The first patch only fixed set evaluation when dealing with a complete table representation rather than individual commands.

  Reported-by: David Fabian <david.fabian@bosson.cz>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* src: use ibrname and obrname
  Pablo Neira Ayuso, 2018-04-19, 8 files changed, -18/+18 lines

  The legacy tool name is 'brctl', so the 'br' prefix is already known. If we use ibrname and obrname it looks consistent with iifname and oifname. So let's use this instead of ibridgename and obridgename, since Florian likes this too.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: missing rules for IBRIDGENAME and OBRIDGENAME
  Pablo Neira Ayuso, 2018-04-19, 1 file changed, -0/+2 lines

  Fixes: 3baa28f24b3d ("src: rename ibrportname, obrportname")
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expression: fix constant expression allocation on big endian with partial bytes
  Sabrina Dubroca, 2018-04-19, 1 file changed, -1/+1 lines

  Commit 5259feeb7cda ("expression: fix constant expression allocation on big endian") improved constant handling on big endian, but didn't handle the case of partial bytes correctly. Currently, constant_data_ptr(val, 6) points to the item after val, instead of the last byte of val.

  Thanks to Stefano for providing the correct expression.

  Fixes: 5259feeb7cda ("expression: fix constant expression allocation on big endian")
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
  Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: reset eval context when evaluating set definitions
  Florian Westphal, 2018-04-18, 3 files changed, -0/+18 lines

  David reported nft chokes on this:

    nft -f /tmp/A
    /tmp/A:9:22-45: Error: datatype mismatch, expected concatenation of (IPv4 address, internet network service, IPv4 address), expression has type concatenation of (IPv4 address, internet network service)

    cat /tmp/A
    flush ruleset;
    table ip filter {
        set setA {
            type ipv4_addr . inet_service . ipv4_addr
            flags timeout
        }
        set setB {
            type ipv4_addr . inet_service
            flags timeout
        }
    }

  Problem is we leak set definition details of setA to setB via the eval context, so reset this. Also add a test case for this.

  Reported-by: David Fabian <david.fabian@bosson.cz>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* src: rename ibrportname, obrportname
  Florian Westphal, 2018-04-17, 8 files changed, -6/+42 lines

  For bridge, iifname is the port name, whereas 'ibrport' is the logical name of the bridge ("br0") the port ("iifname") is enslaved to. So, 'ibrport' is a misnomer. libnftnl calls these 'bri_iifname' and 'bri_oifname', which is good, but using 'briiifname' in nft is rather ugly, so use 'ibridgename' and 'obridgename' instead. Old names are still recognized; listing shows the new names.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: add helpers token
  Florian Westphal, 2018-04-17, 1 file changed, -0/+1 lines

  Without it, you get:

    nft list ct helpers table filter
    Error: syntax error, unexpected string, expecting helper or helpers

  Fixes: 14fd3ad720f6e ("src: prepare for future ct timeout policy support")
  Signed-off-by: Florian Westphal <fw@strlen.de>
* parser_bison: Pass struct nft_ctx to parser_init()
  Phil Sutter, 2018-04-14, 3 files changed, -16/+10 lines

  The signature of parser_init() got quite huge, so simply pass the whole context pointer to it; most of the parameters are just taken from there anyway.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>