Commit message  |  Author  |  Age  |  Files  |  Lines
* osf: add ttl option support
  Fernando Fernandez Mancera, 2018-10-23, 12 files changed, -11/+133

    Add support for ttl option in "osf" expression. Example:

        table ip foo {
            chain bar {
                type filter hook input priority filter; policy accept;
                osf ttl skip name "Linux"
            }
        }

    Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
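As an added illustration of the three ttl modes (this is editor-supplied example code, not part of the commit or of the nftables sources), the following ruleset hands new TCP connections to a fingerprint chain. It assumes the fingerprint database has already been loaded into the kernel with the nfnl_osf utility that ships with iptables (the pf.os path in the comment is an assumption), and that "Windows" and "Linux" are genre names present in that database; "unknown" is the name the kernel reports when no fingerprint matches.

```nft
# Added example (not from the commit): OS-fingerprint classification with the
# three ttl modes. Load the database first, e.g.:
#   nfnl_osf -f /usr/share/xtables/pf.os      (path is an assumption)
table ip osf_filter {
    chain input {
        type filter hook input priority filter; policy accept;

        # osf only classifies TCP SYN packets and reports "unknown" for
        # everything else, so only new TCP connections go to the osf chain.
        tcp flags & (syn | ack) == syn jump osf_check
    }

    chain osf_check {
        # Default ttl mode: the packet TTL must equal the fingerprint TTL.
        # Only reliable for peers on the local segment (no hops in between).
        osf name "Linux" counter accept

        # "loose": the packet TTL may be lower than the fingerprint TTL,
        # allowing for intermediate hops. Use this for globally routable peers.
        osf ttl loose name "Windows" counter log prefix "osf-windows: " drop

        # "skip": TTL is not compared at all; the most permissive mode.
        osf ttl skip name "unknown" counter log prefix "osf-unknown: "
    }
}
```

The fingerprint is derived from fields the client controls (window size, TCP options, TTL), so a determined peer can impersonate any genre; treat the match as a classification signal for logging and rate limiting, not as an authentication control.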
* netlink: reset mnl_socket field in struct nft_ctx on EINTR
  Pablo Neira Ayuso, 2018-10-22, 3 files changed, -5/+4

    Otherwise we keep using the old netlink socket if we hit EINTR.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: pass struct nft_ctx through struct netlink_ctx
  Pablo Neira Ayuso, 2018-10-22, 10 files changed, -195/+156

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: pass struct nft_ctx through struct eval_ctx
  Pablo Neira Ayuso, 2018-10-22, 3 files changed, -75/+69

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Extend get element test
  Phil Sutter, 2018-10-22, 1 file changed, -0/+7

    Despite the recent fixes, the test still fails. While trying to address
    the remaining issues, I found more potentially problematic inputs so
    extend the test by those.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: Document ct timeout support
  Harsha Sharma, 2018-10-18, 2 files changed, -5/+106

    Add documentation for creating ct timeout objects and assigning timeout
    policies via rules.

    Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
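An added example of the feature this commit documents (editor-supplied, not taken from the commit or from the documentation it adds): a ct timeout object that shortens the conntrack lifetime of TCP flows to one exposed port, so that half-open and idle connections are evicted before they can fill the conntrack table. The table and object names, the port and the timeout values are assumptions; states not listed in the policy keep the namespace's conntrack defaults (the net.netfilter.nf_conntrack_tcp_timeout_* sysctls).

```nft
# Added example, not from the commit: per-rule conntrack timeout policy.
table ip filter {
    # Seconds per TCP conntrack state. Only the listed states are overridden.
    ct timeout web_short {
        protocol tcp;
        l3proto ip;
        policy = { syn_sent: 10, syn_recv: 10, established: 600,
                   fin_wait: 30, close_wait: 30, time_wait: 10, close: 5 }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept

        # Attach the policy on the first packet of each new flow; the
        # remaining packets inherit it from the conntrack entry.
        tcp dport 443 ct state new ct timeout set "web_short" accept
    }
}
```

Check the effect with `conntrack -L` (from conntrack-tools) and watch the countdown in the entries' first column; flows to port 443 expire at the shortened values while other flows keep the defaults.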
* evaluate: bogus bail out with raw expression from dynamic sets
  Pablo Neira Ayuso, 2018-10-17, 2 files changed, -1/+17

    The following ruleset that uses raw expressions:

        table ip nftlb {
            map persistency {
                type inet_service : mark
                size 65535
                timeout 1h
                elements = { 53 expires 59m55s864ms : 0x00000064,
                             80 expires 59m58s924ms : 0x00000065,
                             443 expires 59m56s220ms : 0x00000064 }
            }

            chain pre {
                type filter hook prerouting priority filter; policy accept;
                ip protocol { tcp, udp } update @persistencia { @th,0,16 : numgen inc mod 2 offset 100 }
            }
        }

    bogusly bails out with:

        /tmp/test:9:57-64: Error: datatype mismatch: expected internet network service, expression has type integer
        ip protocol { tcp, udp } update @persistencia { @th,0,16 : numgen inc mod 2 offset 100 }
                                 ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Fix the problem by evaluating expression basetype and length in this
    case.

    Reported-by: Laura Garcia <nevola@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove opts field from struct xt_stmt
  Pablo Neira Ayuso, 2018-10-17, 3 files changed, -8/+2

    This is never used, ie. always NULL.

    Reported-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Acked-by: Phil Sutter <phil@nwl.cc>
* src: add support for setting secmark
  Christian Göttsche, 2018-10-15, 10 files changed, -6/+187

    Add support for new nft object secmark holding security context strings.

    The following should demonstrate its usage (based on SELinux context):

        # define a tag containing a context string
        nft add secmark inet filter sshtag \"system_u:object_r:ssh_server_packet_t:s0\"
        nft list secmarks

        # set the secmark
        nft add rule inet filter input tcp dport 22 meta secmark set sshtag

        # map usage
        nft add map inet filter secmapping { type inet_service : secmark \; }
        nft add element inet filter secmapping { 22 : sshtag }
        nft list maps
        nft list map inet filter secmapping
        nft add rule inet filter input meta secmark set tcp dport map @secmapping

    [ Original patch based on v0.9.0. Rebase on top on git HEAD. --pablo ]

    Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: Fix memleak in dup_stmt_json()
  Phil Sutter, 2018-10-15, 1 file changed, -1/+1

    The variable 'root' is always assigned to after initialization, so there
    is no point in initializing it upon declaration.

    Fixes: e70354f53e9f6 ("libnftables: Implement JSON output support")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_json: Fix for ineffective family value checks
  Phil Sutter, 2018-10-15, 1 file changed, -99/+70

    Since handle->family is unsigned, checking for value < 0 never yields
    true. Overcome this by changing parse_family() to return an error code
    and write the parsed family value into a pointer passed as parameter.

    The above change required a bit more cleanup to avoid passing pointers
    to signed variables to the function. Also leverage json_parse_family()
    a bit more to reduce code size.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Fix memleak in nft_parse_bison_filename()
  Phil Sutter, 2018-10-15, 1 file changed, -4/+3

    Allocated scanner object leaks when returning to caller. For some odd
    reason, this was missed by the commit referenced below.

    Fixes: bd82e03e15df8 ("libnftables: Move scanner object into struct nft_ctx")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Fix memleak in netlink_parse_fwd() error path
  Phil Sutter, 2018-10-15, 1 file changed, -5/+8

    Make sure allocated 'stmt' is freed before returning to caller.

    Fixes: 30d45266bf38b ("expr: extend fwd statement to support address and family")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: monitor: Test JSON output as well
  Phil Sutter, 2018-10-15, 8 files changed, -11/+117

    Enhance monitor test suite to check JSON output as well. Note that for
    now there is no support for --echo output testing with JSON.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* monitor: Use libnftables JSON output
  Phil Sutter, 2018-10-15, 4 files changed, -140/+251

    This switches 'nft monitor' JSON output from using libnftnl's to
    libnftables' implementation.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* monitor: Fix printing of ct objects
  Phil Sutter, 2018-10-15, 6 files changed, -25/+63

    Monitor output is supposed to be single-lined without tabs, but ct
    objects were printed with newlines and tabs hard-coded. Fixing this
    wasn't too hard given that there is 'stmt_separator' to also include
    semi-colons where required if newline was removed.

    A more obvious mistake was position of object type in monitor output:
    Like with other object types, it has to occur between command and table
    spec.

    As a positive side-effect, this aligns ct objects better with others
    (see obj_type_name_array for instance).

    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* monitor: Drop 'update table' and 'update chain' cases
  Phil Sutter, 2018-10-15, 1 file changed, -8/+2

    There seems to be no situation where this comes to play. Also, since
    there is no 'nft update table/chain' command, this is inconsistent with
    input.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* monitor: Drop fake XML support
  Phil Sutter, 2018-10-15, 1 file changed, -6/+0

    Since libnftnl doesn't support XML formatting, pretending to do so in
    nft monitor is pointless.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: Add ct timeout support
  Phil Sutter, 2018-10-15, 3 files changed, -1/+117

    Add support for printing and parsing ct timeout objects to JSON API.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: Drop unused symbolic_constant_json() stub
  Phil Sutter, 2018-10-15, 1 file changed, -6/+0

    This seems like a left-over from day 1: Said function is static in
    json.c, so there is no point in providing a stub when compiling with
    JSON disabled.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Add missing JSON bits for inet/meta.t
  Phil Sutter, 2018-10-15, 2 files changed, -3/+20

    Those were forgotten when renaming meta secpath to meta ipsec.

    Fixes: 8f55ed41d0070 ("src: rename meta secpath to meta ipsec")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: set proper error cause on existing elements
  Pablo Neira Ayuso, 2018-10-10, 1 file changed, -0/+2

    Adding new elements results in a confusing "Success" error message.

        # nft add element x y { 0-3 }
        [...]
        Error: Could not process rule: Success
        add element x y { 0-3 }
        ^^^^^^^^^^^^^^^^^^^^^^^^

    after this patch, this reports:

        Error: Could not process rule: File exists
        add element x y { 0-3 }
        ^^^^^^^^^^^^^^^^^^^^^^^^

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: incorrect handling of last element in get_set_decompose()
  Pablo Neira Ayuso, 2018-10-10, 1 file changed, -1/+1

    Add range to the list of matching elements.

    Fixes: 95629758a5ec ("segtree: bogus range via get set element on existing elements")
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove netlink_flush_chain()
  Pablo Neira Ayuso, 2018-10-10, 3 files changed, -8/+1

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove netlink_flush_table()
  Pablo Neira Ayuso, 2018-10-10, 3 files changed, -12/+1

    Just a simple wrapper function, replace it by direct call to
    mnl_nft_rule_del().

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mnl: remove alloc_nftnl_set()
  Pablo Neira Ayuso, 2018-10-10, 5 files changed, -210/+209

    We can remove alloc_nftnl_set() and consolidate infrastructure in the
    src/mnl.c file.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mnl: remove alloc_nftnl_rule()
  Pablo Neira Ayuso, 2018-10-10, 5 files changed, -110/+84

    We can remove alloc_nftnl_rule() and consolidate infrastructure in the
    src/mnl.c file.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mnl: remove alloc_nftnl_chain()
  Pablo Neira Ayuso, 2018-10-04, 5 files changed, -107/+96

    The netlink layer sits in between the mnl and the rule layers, remove
    it. We can remove alloc_nftnl_chain() and consolidate infrastructure in
    the src/mnl.c file.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mnl: remove alloc_nftnl_table()
  Pablo Neira Ayuso, 2018-10-04, 5 files changed, -85/+52

    The netlink layer sits in between the mnl and the rule layers, remove
    it. We can remove alloc_nftnl_table() and consolidate infrastructure in
    the src/mnl.c file.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: get rid of netlink_genid_get()
  Pablo Neira Ayuso, 2018-10-04, 3 files changed, -8/+3

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: remove markup json parsing code
  Pablo Neira Ayuso, 2018-10-04, 2 files changed, -327/+2

    We have better json support these days, remove libnftnl json support.
    While at it, remove test file for this too.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: Fix for ECN keyword in LHS of relational
  Phil Sutter, 2018-10-04, 5 files changed, -9/+54

    Of all possible TCP flags, 'ecn' is special since it is recognized by
    lex as a keyword (there is a field in IPv4 and IPv6 headers with the
    same name). Therefore it is listed in keyword_expr, but that was
    sufficient for RHS only. The following statement reproduces the issue:

    | tcp flags & (syn | ecn) == (syn | ecn)

    The solution is to limit binop expressions to accept an RHS expression
    on RHS ("real" LHS expressions don't make much sense there anyway),
    which then allows keyword_expr to occur there. In order to maintain the
    recursive behaviour if braces are present, allow primary_rhs_expr to
    consist of a basic_rhs_expr enclosed in braces. This in turn requires
    for braced RHS part in relational_expr to be dropped, otherwise bison
    complains about shift/reduce conflict.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: stop iteration on existing elements in case range is found
  Pablo Neira Ayuso, 2018-10-03, 1 file changed, -4/+6

    No need to keep iterating once the range object has been allocated.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: fix memleak in do_get_setelems()
  Pablo Neira Ayuso, 2018-10-03, 1 file changed, -5/+3

    Release set and elements in case of error.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: memleak in get_set_decompose()
  Pablo Neira Ayuso, 2018-10-03, 1 file changed, -0/+2

    Release set content on error. Moreover, release input set content in
    case we finally manage to decompose it.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: disentangle get_set_interval_end()
  Pablo Neira Ayuso, 2018-10-03, 1 file changed, -15/+22

    This function overrides the left pointer. Instead update this function
    to return the range that we found to enclose the left element.

    Note that we may not find a closing right element - therefore, it is a
    standalone element - in that case this function returns NULL.

    Reported-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: bogus range via get set element on existing elements
  Pablo Neira Ayuso, 2018-10-03, 3 files changed, -5/+50

        table ip x {
            set y {
                type inet_service
                flags interval
                elements = { 10, 20-30, 40, 50-60 }
            }
        }

        # nft get element x y { 20-40 }
        table ip x {
            set y {
                type inet_service
                flags interval
                elements = { 20-40 }
            }
        }

    20 and 40 exist in the tree, but they are part of different ranges.

    This patch adds a new get_set_decompose() function to validate the left
    and the right side of the range.

    Reported-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Test 'get element' command
  Phil Sutter, 2018-10-03, 1 file changed, -0/+37

    This command is currently broken when used in sets with ranges. Test
    various variants against known data and check if output is as expected.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: add missing xfrm.h to Makefile.am
  Fernando Fernandez Mancera, 2018-09-30, 1 file changed, -0/+1

    Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
    Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: Improve performance of 0021prio_0
  Phil Sutter, 2018-09-26, 1 file changed, -7/+17

    This test called nft binary 391 times and took about 38s to complete on
    my testing VM. Improve this by writing all commands into a temporary
    file for processing in a single nft call. Reduces run-time to about 4s.

    Interestingly, piping the sub-process's output directly into 'nft -f -'
    leads to spurious errors (parser complaining about perfectly fine
    syntax). It seems like handling large input this way is not possible.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: Improve gen_chains() in 0021prio_0
  Phil Sutter, 2018-09-26, 1 file changed, -11/+4

    Enhance the function to accept an optional fourth parameter specifying
    the device name, then use it for netdev family. Also remove doubled
    empty lines and instead put together what belongs together.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: Drop one-time use variables in 0021prio_0
  Phil Sutter, 2018-09-26, 1 file changed, -30/+15

    There is really no point in declaring a variable which is used just
    once. Also mark function local variables as such to make sure they don't
    overwrite global ones.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: Fix indenting in 0021prio_0
  Phil Sutter, 2018-09-26, 1 file changed, -34/+33

    Pointless indenting doesn't increase readability, merely makes the
    script seem more complicated than it actually is.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Florian Westphal <fw@strlen.de>
* parser_bison: Fix for chain prio name 'out'
  Phil Sutter, 2018-09-26, 1 file changed, -3/+12

    Since 'out' is defined as a keyword in scanner.l, using it as a chain
    priority name without quotes is not possible. Fix this by introducing
    'extended_prio_name' in bison which may be either a string (as before)
    or OUT, which is then converted into a string.

    Fixes: c8a0e8c90e2d1 ("src: Set/print standard chain prios with textual names")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add ipsec (xfrm) expression
  Máté Eckl, 2018-09-21, 17 files changed, -11/+674

    This allows matching on ipsec tunnel/beet addresses in xfrm state
    associated with a packet, ipsec request id and the SPI.

    Examples:

        ipsec in ip saddr 192.168.1.0/24
        ipsec out ip6 daddr @endpoints
        ipsec in spi 1-65536

    Joint work with Florian Westphal.

    Cc: Máté Eckl <ecklm94@gmail.com>
    Signed-off-by: Florian Westphal <fw@strlen.de>
* src: rename meta secpath to meta ipsec
  Florian Westphal, 2018-09-21, 5 files changed, -7/+11

    for symmetry with 'rt ipsec'. "meta secpath" still works.

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rt: add support to check if route will perform ipsec transformation
  Florian Westphal, 2018-09-21, 9 files changed, -0/+56

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
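The three IPsec-related commits above (the xfrm expression with `ipsec in`/`ipsec out`, the `meta secpath` to `meta ipsec` rename, and the new `rt ipsec`) are easiest to understand together, so here is an added example ruleset that uses all three; it is editor-supplied and not from the commits. It assumes a site-to-site tunnel to 10.1.0.0/16 behind the remote gateway 203.0.113.10, set up with reqid 1; table name, addresses and reqid are assumptions. Note that `ipsec in ip saddr` matches the outer (tunnel) source stored in the SA, whereas a plain `ip saddr` on the same rule matches the inner, decapsulated packet.

```nft
# Added example, not from the commits: bind traffic to the SA it must use.
table inet vpn {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept

        # IKE and ESP arrive in the clear and must be admitted before any
        # decapsulation can take place.
        udp dport { 500, 4500 } accept
        meta l4proto esp accept

        # Decrypted packets re-enter the stack carrying a secpath. Accept
        # only what came out of the SA negotiated with the remote gateway,
        # and only if the inner source really is the remote site.
        ipsec in reqid 1 ipsec in ip saddr 203.0.113.10 ip saddr 10.1.0.0/16 accept

        # Any other packet with a secpath came from an unexpected SA.
        meta ipsec exists counter log prefix "vpn-unexpected-sa: " drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept

        # Plaintext for the remote site must be routed into the tunnel. If
        # the route lookup shows no xfrm transformation, the SA is down or
        # the policy is missing: drop instead of leaking it onto the wire.
        ip daddr 10.1.0.0/16 rt ipsec missing counter log prefix "vpn-leak: " drop
        ip daddr 10.1.0.0/16 rt ipsec exists accept
    }
}
```

`rt ipsec` is evaluated after the routing decision, so it is usable in the forward, output and postrouting hooks; `ipsec in` needs the secpath and therefore belongs in prerouting, input or forward.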
* doc: Re-work RULES:add/insert/replace to read better.
  Duncan Roe, 2018-09-21, 1 file changed, -7/+7

    It was tempting to remove "position" from the synopsis, but have left
    that for another patch.

    Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
    Acked-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: throw distinct error if map exists but contains no objects
  Florian Westphal, 2018-09-20, 1 file changed, -2/+4

    nft would throw misleading error in case map exists but doesn't contain
    expected objects.

        nft add rule filter in ct helper set tcp dport map @foo
        Error: Expression is not a map
        add rule filter in ct helper set tcp dport map @foo
                                                       ^^^^

        nft list table filter
        table ip filter {
            map foo {
                type inet_service : ifname
            }
        ...

    clarify this.

    Reported-by: Christian Göttsche <cgzones@googlemail.com>
    Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: Review man page building in Makefile.am
  Phil Sutter, 2018-09-18, 1 file changed, -4/+6

    Previously, changes to any of the included adoc snippets in nft.txt were
    not detected and hence the man page not updated (unless 'make clean' was
    called).

    It seems like the '.txt.8' target only considers foo.txt when trying to
    generate foo.8, so get rid of that and introduce a dedicated target for
    nft.8.

    While doing so, apply a few other minor changes:

    * Although nft.8 target has to list all included adoc snippets as a
      dependency, it is sufficient to call a2x with the main one (i.e.,
      nft.txt) only.
    * Keep common a2x parameters in a variable.
    * Use ${A2X} everywhere and hide all calls behind ${AM_V_GEN}, not just
      the one for nft.8.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>