summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* tests: regression: fix arp.t expected payloadFlorian Westphal2015-11-271-17/+17
| | | | | | previous commit fixed arp header definition so fix payload as well. Signed-off-by: Florian Westphal <fw@strlen.de>
* proto: fix arpop symbol table endianessPatrick McHardy2015-11-251-7/+7
| | | | | | The symbols need to be in big endian. Signed-off-by: Patrick McHardy <kaber@trash.net>
* payload: add payload statementPatrick McHardy2015-11-257-5/+167
| | | | | | | | | Add support for payload mangling using the payload statement. The syntax is similar to the other data changing statements: nft filter output tcp dport set 25 Signed-off-by: Patrick McHardy <kaber@trash.net>
* proto: add checksum key information to struct proto_descPatrick McHardy2015-11-252-0/+7
| | | | | | | The checksum key is used to determine the correct position where to update the checksum for the payload statement. Signed-off-by: Patrick McHardy <kaber@trash.net>
* tests: regression: allow to run tests from anywherePablo M. Bermudo Garay2015-11-191-4/+6
| | | | | | | | | | | | | Since 357d8cf "tests: use the src/nft binary instead of $PATH one", the tests script needs to be executed from nftables repository root. Now the script can be run from any location and also checks the binary existence. To run a single test file, the path must be relative from the directory where you launch the script. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: regression: homogenize indentation stylePablo M. Bermudo Garay2015-11-191-5/+5
| | | | | | | | | Python interpreter doesn't like mixed indentation. So in order to prevent future problems, this commit replace some tabs found in the script with space indentation. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* rule: move comment out of handlePatrick McHardy2015-11-156-19/+18
| | | | | | The comment does not belong to the handle, it belongs to the rule. Signed-off-by: Patrick McHardy <kaber@trash.net>
* evaluate: fix string matching on big endianPablo Neira Ayuso2015-11-111-3/+14
| | | | | | | | | | We need to reallocate the constant expression with the right expression length when evaluating the string. Otherwise the linearization step generates a wrong comparison on big endian. We cannot do this any earlier since we don't know the maximum string length for this datatype at the parsing stage. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add inet test for ip/ether concatenationFlorian Westphal2015-11-104-0/+42
| | | | | | | | Test rule from Pablo, it caused assertion failure with earlier versions of nft (caused by 7ead4932f9ab, later fixed via 775e7ff1f5ddaa32). Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add test cases for ethernet header matchingFlorian Westphal2015-11-068-0/+200
| | | | | | Adds ether saddr statements for inet, bridge and ip/ip6 families. Signed-off-by: Florian Westphal <fw@strlen.de>
* rule: don't reorder protocol payload expressions when mergingFlorian Westphal2015-11-061-7/+42
| | | | | | | | | | | | | | | | | | | | | | | An instruction like bridge filter input ip saddr 1.2.3.4 ether saddr a:b:c:d:e:f is displayed as unknown unknown 0x1020304 [invalid type] ether saddr 00:0f:54:0c:11:04 ether type ip .. because the (implicit) 'ether type ip' that is injected before the network header match gets merged into the ether saddr instruction. This inverts the merge in case the merge candidate contains a next header protocol field. After this change, the rule will be displayed as bridge filter input ether saddr a:b:c:d:e:f ip saddr 1.2.3.4 Acked-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add tests matching on ether saddr for inet, bridge, ip, ip6Florian Westphal2015-11-065-0/+227
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* src: allow filtering on L2 header in inet familyFlorian Westphal2015-11-064-9/+72
| | | | | | | | | | | | | | | | | | Error: conflicting protocols specified: inet vs. ether tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 ^^^^^^^^^^^ This allows the implicit inet proto dependency to get replaced by an ethernet one. This is possible since by the time we detect the conflict the meta dependency for the network protocol has already been added. So we only need to add another dependency on the Linklayer frame type. Closes: http://bugzilla.netfilter.org/show_bug.cgi?id=981 Acked-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add interface wildcard matchingPablo Neira Ayuso2015-11-029-40/+231
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Contrary to iptables, we use the asterisk character '*' as wildcard. # nft --debug=netlink add rule test test iifname eth\* ip test test [ meta load iifname => reg 1 ] [ cmp eq reg 1 0x00687465 ] Note that this generates an optimized comparison without bitwise. In case you want to match a device that contains an asterisk, you have to escape the asterisk, ie. # nft add rule test test iifname eth\\* The wildcard string handling occurs from the evaluation step, where we convert from: relational / \ / \ meta value oifname eth* to: relational / \ / \ meta prefix ofiname As Patrick suggested, this not actually a wildcard but a prefix since it only applies to the string when placed at the end. More comments: * This relaxes the left->size > right->size from netlink_parse_cmp() for strings since the optimization that this patch applies may now result in bogus errors. * This patch can be later on extended to apply a similar optimization to payload expressions when: expr->len % BITS_PER_BYTE == 0 For meta and ct, the kernel checks for the exact length of the attributes (it expects integer 32 bits) so we can't do it unless we relax that. * Wildcard strings are not supported from sets and maps yet. Error reporting is not very good at this stage since expr_evaluate_prefix() doesn't have enough context (ctx->set is NULL, the set object is currently created later after evaluating the lhs and rhs of the relational). I'll be following up on this later. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Add command "replace" for rulesCarlos Falgueras García2015-11-029-2/+68
| | | | | | | | | | | | | | | | | | | | | | | | Modify the parser and add necessary functions to provide the command "nft replace rule <ruleid_spec> <new_rule>" Example of use: # nft list ruleset -a table ip filter { chain output { ip daddr 8.8.8.7 counter packets 0 bytes 0 # handle 3 } } # nft replace rule filter output handle 3 ip daddr 8.8.8.8 counter # nft list ruleset -a table ip filter { chain output { ip daddr 8.8.8.8 counter packets 0 bytes 0 # handle 3 } } Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: fix mapping evaluationPablo Neira Ayuso2015-10-231-12/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | # cat ruleset.file table ip mangle { map CLASS05 { type ipv4_addr : mark elements = { 192.168.0.10 : 0x00000001} } chain OUTPUT { type route hook output priority 0; policy accept; mark set ip saddr map @CLASS05 } } # nft -f ruleset.file ruleset.file:4:28-54: Error: mapping outside of map context elements = { 192.168.0.10 : 0x00000001} ^^^^^^^^^^^^^^^^^^^^^^^^^^^ This actually is fixing two problems: 1) Validate datatype of the rhs before evaluating the map definition, this is also setting set->datalen which is needed for the element evaluation. 2) Add missing set context. Reported-by: Andreas Schultz <aschultz@tpip.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_linearize: factor out prefix generationPablo Neira Ayuso2015-10-211-22/+31
| | | | | | | Add a new netlink_gen_prefix() function that encapsulates the prefix generation. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: check if table and chain exists when adding rulesPablo Neira Ayuso2015-10-181-0/+11
| | | | | | | | | | | | | | | Assuming a table 'test' that contains a chain 'test': # nft add rule test1 test2 counter <cmdline>:1:1-28: Error: Could not process rule: Table 'test1' does not exist add rule test1 test2 counter ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ # nft add rule test test2 counter <cmdline>:1:1-27: Error: Could not process rule: Chain 'test2' does not exist add rule test test2 counter ^^^^^^^^^^^^^^^^^^^^^^^^^^^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: show all sets via list sets with no familyPablo Neira Ayuso2015-10-121-11/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Default to the same behaviour that we get through `list ruleset', ie. # nft list sets table ip test1 { set foo { type ipv4_addr } } table ip6 test2 { set bar { type ipv6_addr } } # nft list sets ip table ip test1 { set foo { type ipv4_addr } } # nft list sets ip6 table ip6 test2 { set bar { type ipv6_addr } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
* rule: rework list chainPablo Neira Ayuso2015-10-121-1/+21
| | | | | | | | | | | | | | | | | | After this patch: # nft list chain inet filter forward table inet filter { chain forward { type filter hook forward priority 0; policy drop; ct state established,related counter packets 39546074 bytes 11566126287 accept } } Before this patch, this was showing the full table definition, including all chains, which is not what the user is asking for. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
* rule: `list sets' only displays declaration, not definitionPablo Neira Ayuso2015-10-121-3/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | # nft list sets table ip nat { set libssh { type ipv4_addr } } table inet filter { set set0 { type inet_service flags constant } set set1 { type inet_service flags constant } set set2 { type icmpv6_type flags constant } } So in case you want to inspect the definition, you have to use `list set' and the specific set that you want to inspect: # nft list set inet filter set0 table inet filter { set set0 { type inet_service flags constant elements = { 2200, ssh} } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
* evaluate: check if set exists before listing itPablo Neira Ayuso2015-10-121-1/+11
| | | | | | | | | | | | | | After this patch, we obtain: # nft list set ip6 test pepe <cmdline>:1:1-22: Error: Could not process rule: Set 'foo' does not exist list set ip6 test foo ^^^^^^^^^^^^^^^^^^^^^ So we get things aligned with table and chain listing commands. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
* rule: display table when listing one setPablo Neira Ayuso2015-10-121-3/+11
| | | | | | | | | | | | | | | | | | | | | After: # nft list set ip6 test foo table ip6 test { set foo { type ipv4_addr } } Before: # nft list set ip6 test foo set foo { type ipv4_addr } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
* src: add `list chains' commandPablo Neira Ayuso2015-10-124-3/+42
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | # nft list chains table ip filter { chain test1 { } chain test2 { } chain input { type filter hook input priority 0; policy accept; } } table ip6 filter { chain test1 { } chain input { type filter hook input priority 0; policy accept; } } You can also filter out per family: # nft list chains ip table ip x { chain y { } chain xz { } chain input { type filter hook input priority 0; policy accept; } } # nft list chains ip6 table ip6 filter { chain x { } chain input { type filter hook input priority 0; policy accept; } } This command only shows the chain declarations, so the content (the definition) is omitted. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
* rule: display table when listing setsPablo Neira Ayuso2015-10-121-0/+10
| | | | | | | | | | | | | | | | | | | | | After this patch: # nft list sets ip table ip test { set pepe { type ipv4_addr } } Before: # nft list sets ip set pepe { type ipv4_addr } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
* rule: fix printing of rule commentsArturo Borrero Gonzalez2015-10-081-4/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Several fixes: * handles are printed last * simplify space games (an extra space was being printed) * comments are shown with `nft monitor' as well (missing before this patch) Before this patch: % nft list ruleset -a [...] chain test { iifname eth0 # handle 1 comment "test" } [...] % nft list ruleset [...] chain test { iifname eth0 comment "test" ^^ } [...] % nft monitor & % nft add rule test test iifname eth0 comment "test" add rule test test iifname eth0 After this patch: % nft list ruleset -a chain test { iifname eth0 comment "test" # handle 1 ^ } % nft monitor -a & % nft add rule test test iifname eth0 comment "test" add rule test test iifname eth0 comment "test" # handle 1 Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expression: provide clone operation for set element opsFlorian Westphal2015-10-061-0/+10
| | | | | | | | | | | | | | | | define addrs={ 1.2.3.4 } table ip filter { chain input { type filter hook input priority 0; ip saddr $addrs accept } } segfaults. Using saddr { 1.2.3.4 } instead of $addrs works. Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801087 Tested-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add tests for dupPablo Neira Ayuso2015-09-305-0/+80
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add dup statement supportPablo Neira Ayuso2015-09-3010-3/+201
| | | | | | | | | | This allows you to clone packets to destination address, eg. ... dup to 172.20.0.2 ... dup to 172.20.0.2 device eth1 ... dup to ip saddr map { 192.168.0.2 : 172.20.0.2, ... } device eth1 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: show all tables via list tables with no familyPablo Neira Ayuso2015-09-231-1/+1
| | | | | | | | | | | | | | | | | Default to the same behaviour that we get through `list ruleset', ie. # nft list tables table ip filter table ip6 filter # nft list tables ip table ip filter # nft list tables ip6 table ip6 filter Closes: http://bugzilla.netfilter.org/show_bug.cgi?id=1033 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: filter out tables depending on familyPablo Neira Ayuso2015-09-231-1/+6
| | | | | | | | | | | # nft list tables ip table ip filter # nft list tables ip6 table ip6 filter Closes: http://bugzilla.netfilter.org/show_bug.cgi?id=1033 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: limit: extend them to validate new bytes/second and burst parametersPablo Neira Ayuso2015-09-232-6/+63
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add burst parameter to limitPablo Neira Ayuso2015-09-238-5/+43
| | | | | | | | | | | ... limit rate 1024 mbytes/second burst 10240 bytes ... limit rate 1/second burst 3 packets This parameter is optional. You need a Linux kernel >= 4.3-rc1. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add per-bytes limitPablo Neira Ayuso2015-09-238-2/+129
| | | | | | | | | | This example show how to accept packets below the ratelimit: ... limit rate 1024 mbytes/second counter accept You need a Linux kernel >= 4.3-rc1. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* vlan: make != tests workFlorian Westphal2015-09-183-0/+13
|
* tests: vlan testsFlorian Westphal2015-09-182-0/+223
| | | | | | | add a few regression tests that match vlan id/dei/pcp fields of the vlan header. Signed-off-by: Florian Westphal <fw@strlen.de>
* nft: support listing expressions that use non-byte header fieldsFlorian Westphal2015-09-184-13/+159
| | | | | | | This allows to list rules that check fields that are not aligned on byte boundary. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add tests for ip version/hdrlength/tcp doffFlorian Westphal2015-09-187-0/+78
| | | | | | | Header fields of 4 bit lengths. Requires implicit masks and shifting of RHS constant. Signed-off-by: Florian Westphal <fw@strlen.de>
* netlink: cmp: shift rhs constant if lhs offset doesn't start on byte boundaryFlorian Westphal2015-09-181-0/+10
| | | | | | | | | | | | | | if we have payload(someoffset) == 42, then shift 42 in case someoffset doesn't start on a byte boundary. We already insert a mask instruction to only load those bits into the register that we were interested in, but the cmp will fail without also adjusting rhs accordingly. Needs additional patch in reverse direction to undo the shift again when dumping ruleset. Signed-off-by: Florian Westphal <fw@strlen.de>
* nft: fill in doff and fix ihl/version template entriesFlorian Westphal2015-09-181-4/+6
| | | | | | | | | | | | This allows to use nft add rule ip filter input tcp doff 8 or similar. Furhermore, ip version looked at hdrlen and vice versa. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: netlink: don't truncate set key lengthsFlorian Westphal2015-09-181-2/+2
| | | | | | | If key is e.g. 12 bits, pretend its 16 instead of 8. This is needed to make sets work with header fields with size not divisible by 8. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: netlink_linearize: handle sub-byte lengthsFlorian Westphal2015-09-181-2/+44
| | | | | | | | | | | | | | Currently length is expr->len / BITS_PER_BYTE, i.e. expr->len has to be a multiple of 8. When core asks for e.g. '9 bits', we truncate this to 8. Round up to 16 and inject a 9-bit mask to zero out the parts we're not interested in. This will also need change to the delinarization step to remove the extra op when dumping rules from kernel. Signed-off-by: Florian Westphal <fw@strlen.de>
* payload: disable payload merge if offsets are not on byte boundary.Florian Westphal2015-09-181-0/+4
| | | | | | | | | | | | | | | | | | ... because it doesn't work, we attempt to merge it into wrong place, we would have to merge the second value at a specific location. F.e. vlan hdr 4094 gives us 0xfe0f Merging in the CFI should yield 0xfe1f, but the constant merging doesn't know how to achive that; at the moment 'vlan id 4094' and 'vlan id 4094 vlan cfi 1' give same result -- 0xfe0f. For now just turn off the optimization step unless everything is byte divisible (the common case). Signed-off-by: Florian Westphal <fw@strlen.de>
* nft: allow stacking vlan header on top of ethernetFlorian Westphal2015-09-184-10/+121
| | | | | | | | | | | | | | | | | | | | currently 'vlan id 42' or even 'vlan type ip' doesn't work since we expect ethernet header but get vlan. So if we want to add another protocol header to the same base, we attempt to figure out if the new header can fit on top of the existing one (i.e. proto_find_num gives a protocol number when asking to find link between the two). We also annotate protocol description for eth and vlan with the full header size and track the offset from the current base. Otherwise, 'vlan type ip' fetches the protocol field from mac header offset 0, which is some mac address. Instead, we must consider full size of ethernet header. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: don't depend on set element orderFlorian Westphal2015-09-182-1/+30
| | | | | | | | | | | | | Pablo reported test failures because the order of returned set entries is not deterministic. This sorts set elements before comparision. Patrick suggested to move ordering into libnftnl (since we could f.e. also get duplicate entries due to how netlink dumps work), but thats a bit more work. Hence this quick workaround. Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* Bump version to v0.5v0.5Pablo Neira Ayuso2015-09-161-1/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use new symbols in libnftnlPablo Neira Ayuso2015-09-169-877/+877
| | | | | | | | | Adapt the nftables code to use the new symbols in libnftnl. This patch contains quite some renaming to reserve the nft_ prefix for our high level library. Explicitly request libnftnl 1.0.5 at configure stage. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add concatenations and maps; combine them tooPablo Neira Ayuso2015-09-118-0/+118
| | | | | | | This patch adds simple tests for concatenation and maps, including more advanced tests that combine them. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: use existing table object from evaluation contextPablo Neira Ayuso2015-09-111-4/+18
| | | | | | | | | | | | | Skip table object lookup if we are in the context of table declaration already, ctx->table already points to the right table we have to use during the evalution. Otherwise, a list corruption occurs when using the wrong table object when it already exists in the kernel. http://marc.info/?l=netfilter-devel&m=144179814209295&w=2 Reported-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Tested-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
* mnl: rework netlink socket receive path for eventsPablo Neira Ayuso2015-09-071-1/+37
| | | | | | | | | | | | | This patch reworks two aspects of the netlink socket event receive path: 1) In case of ENOBUFS, stay in the loop to keep receiving messages. The tool displays a message so the user knows that we got lost event messages. 2) Rise the default size of the receive socket buffer up to 16 MBytes to reduce chances of hitting ENOBUFS. Asumming that the netlink event message size is ~150 bytes, we can bear with ~111848 rules without message loss. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>