Commit log (each entry: commit message, author, date, files changed, lines removed/added)
* cli: complete basic functionality of the interactive mode
  Pablo Neira Ayuso, 2013-05-19, 4 files, -43/+69

  This patch adds missing code to get basic interactive mode operative
  via `nft -i', including parsing, evaluation, command execution via
  netlink and error reporting. Autocomplete is not yet implemented.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: fix size of internet protocol expressions matching keywords
  Patrick McHardy, 2013-04-23, 1 file, -9/+9

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* parser: include leading '.' in concat subexpression location
  Patrick McHardy, 2013-04-22, 1 file, -0/+6

  Make error messages point to the entire subexpression.

  Before:

  filter output ip daddr . tcp dport . tcp dport { 192.168.0.1 . ssh . ssh . ssh}
                                                   ~~~~~~~~~~~~~~~~~~~~~~~~~~^^^

  After:

  filter output ip daddr . tcp dport . tcp dport { 192.168.0.1 . ssh . ssh . ssh}
                                                   ~~~~~~~~~~~~~~~~~~~~~~~~^^^^^

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* expr: catch missing and excess elements in concatenations
  Patrick McHardy, 2013-04-22, 2 files, -4/+19

  # nft -nn filter output ip daddr . tcp dport . tcp dport { 192.168.0.1 . ssh }
  <cmdline>:1:50-66: Error: datatype mismatch, expected concatenation of (IPv4 address, internet network service, internet network service), expression has type concatenation of (IPv4 address, internet network service)
  filter output ip daddr . tcp dport . tcp dport { 192.168.0.1 . ssh }
                                                   ^^^^^^^^^^^^^^^^^

  # nft -nn filter output ip daddr . tcp dport . tcp dport { 192.168.0.1 . ssh . ssh . ssh}
  <cmdline>:1:76-78: Error: unexpected concat component, expecting concatenation of (IPv4 address, internet network service, internet network service)
  filter output ip daddr . tcp dport . tcp dport { 192.168.0.1 . ssh . ssh . ssh}
                                                   ~~~~~~~~~~~~~~~~~~~~~~~~~~^^^

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* tests: obj-table: update examples to use the current syntax
  Pablo Neira Ayuso, 2013-04-20, 1 file, -4/+2

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: set: update examples to use the current syntax
  Pablo Neira Ayuso, 2013-04-20, 1 file, -2/+2

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: dictionary: update examples to use the current syntax
  Pablo Neira Ayuso, 2013-04-20, 1 file, -12/+12

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: obj-chain: update examples to use the current syntax
  Pablo Neira Ayuso, 2013-04-20, 1 file, -3/+3

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: expr-meta: update examples to use the current syntax
  Pablo Neira Ayuso, 2013-04-20, 1 file, -7/+7

  Also enable nftrace, now that nftables kernel-space supports this.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: accept uid/gid in numerical
  Pablo Neira Ayuso, 2013-04-20, 1 file, -4/+12

  You can use the user/group name or alternatively the uid/gid.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: feat-adjancent-load-merging: remove ip protocol from rule
  Pablo Neira Ayuso, 2013-04-20, 1 file, -1/+1

  No need to include this, it is now added as a dependency.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: family-bridge: update to use the current syntax
  Pablo Neira Ayuso, 2013-04-20, 1 file, -1/+1

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* payload: accept ethertype in hexadecimal
  Pablo Neira Ayuso, 2013-04-20, 1 file, -1/+21

  You can use the symbols ip, ip6, arp and vlan, or alternatively the
  ethertype protocol number.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: family-ipv6: update to use the current syntax
  Pablo Neira Ayuso, 2013-04-19, 1 file, -2/+5

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix crash if nft -f wrong_file is passed
  Pablo Neira Ayuso, 2013-04-19, 1 file, -1/+1

  Now it displays:

  nft -f wrong_file
  internal:0:0-0: Error: Could not open file "wrong_file": No such file or directory

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: expr-ct: update examples to use the current syntax
  Pablo Neira Ayuso, 2013-04-18, 1 file, -5/+5

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mark: fix numeric mark value parsing
  Patrick McHardy, 2013-04-18, 1 file, -0/+7

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* cmd/netlink: make sure we always have a location in netlink operations
  Patrick McHardy, 2013-04-18, 6 files, -122/+172

  Improve error reporting by always using a location in netlink operations.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* tests: family-ipv4: update test to use current syntax
  Pablo Neira Ayuso, 2013-04-18, 1 file, -2/+6

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: fix error checking in nft_parse
  Pablo Neira Ayuso, 2013-04-18, 1 file, -1/+1

  The bison parser returns 0 in case of success and it returns 1 in case
  of error.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: return error if chain not found
  Pablo Neira Ayuso, 2013-04-18, 1 file, -1/+16

  Before this patch:

  nft list chain filter xxx
  table filter {
  }

  After this patch:

  nft list chain filter xxx
  internal:0:0-0: Error: Could not find chain `xxx' in table `filter: Object not found

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: fix nft list chain
  Pablo Neira Ayuso, 2013-04-18, 1 file, -1/+4

  Use netlink_list_chains instead of netlink_list_chain (note the final `s').

  After "nft list table filter" shows:

  table filter {
          chain input {
          }
  }

  "nft list chain filter input" shows:

  table filter {
  }
* rule: allow listing of existing tables
  Pablo Neira Ayuso, 2013-04-18, 4 files, -3/+31

  You can now specify:

  nft list tables ip

  to obtain the list of all existing tables.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: fix concat expression type propagation
  Patrick McHardy, 2013-04-18, 4 files, -7/+74

  Dynamically instantiate a data type to represent all types of a
  concatenation and use that for type propagation.
* types: add ethernet address type
  Patrick McHardy, 2013-04-18, 3 files, -1/+14

  Add a new type for ethernet addresses. This is needed since for
  concatenations we need fixed-size data types; the generic link layer
  address doesn't have a fixed length.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* datatype: parse/print in all basetypes subsequently
  Patrick McHardy, 2013-04-18, 1 file, -9/+15

  Go down the chain of basetypes until we find a ->parse()/->print()
  callback or symbol table. Needed to invoke the generic link layer
  address parsing function for the etheraddr_type.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* expr: kill EXPR_F_PRIMARY
  Patrick McHardy, 2013-04-15, 2 files, -13/+4

  Not used anymore, kill it.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink_delinearize: don't reset source register after read
  Patrick McHardy, 2013-01-04, 1 file, -1/+0

  Range expressions use a single load and two comparisons. Don't reset the
  source register in netlink_delinearize when reading it.

  Fixes: "Relational expression has no left hand side" for range (x-y)
  expressions.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* chains: add rename testcases
  Patrick McHardy, 2012-12-15, 3 files, -0/+16

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* rule: add rule insertion (prepend) support
  Patrick McHardy, 2012-12-14, 7 files, -7/+34

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* chains: add chain rename support
  Patrick McHardy, 2012-12-14, 7 files, -5/+71

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink: fix query requests
  Patrick McHardy, 2012-12-14, 1 file, -6/+10

  The callback needs to be set before sending the query since
  nl_wait_for_ack() already does message reception.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* tests: add loop detection tests
  Patrick McHardy, 2012-12-10, 4 files, -0/+29

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* cmd: fix handle use after free for implicit set declarations
  Patrick McHardy, 2012-12-10, 1 file, -1/+4

  The implicit set declaration passes the set's handle to cmd_alloc(),
  which copies the pointers to the allocated strings. Later on both the
  set's handle and the command's handle are freed, resulting in a use
  after free.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* rule: reenable adjacent payload merging
  Patrick McHardy, 2012-12-09, 2 files, -1/+8

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* sets: fix sets using intervals
  Patrick McHardy, 2012-12-09, 1 file, -1/+3

  When using intervals, the initializer's set_flags are set to
  SET_F_INTERVAL, however that is not propagated back to the set, so the
  segtree construction is not performed.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink: fix endless loop on 64 bit when parsing binops
  Patrick McHardy, 2012-12-09, 1 file, -1/+1

  mpz_scan1() returns ULONG_MAX when no more bits are found. Due to
  assignment to an unsigned int, this value was truncated on 64 bit and
  the loop never terminated.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* rules: change rule handle to 64 bit
  Patrick McHardy, 2012-12-09, 1 file, -1/+1

  Recent kernel versions are using 64 bit for the rule handle.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* expression: fix constant expression splicing
  Patrick McHardy, 2012-12-09, 1 file, -1/+3

  Fix reversed order during constant splicing.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* payload: kill redundant payload protocol expressions during netlink postprocessing
  Patrick McHardy, 2012-12-09, 1 file, -5/+34

  Kill payload protocol expressions like "ip protocol tcp" if a higher
  layer payload expression already implies this, like "tcp dport 22".

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* segtree: update mapping data when keeping the base
  Patrick McHardy, 2012-12-08, 1 file, -3/+8

  When a prefix expression is followed by another prefix expression using
  the same base but a wider prefix, we need to update the mapping data to
  that of the second expression.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* tests: add verdict map test
  Patrick McHardy, 2012-12-08, 1 file, -0/+20

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* segtree: fix segtree to properly support mappings
  Patrick McHardy, 2012-12-08, 3 files, -34/+61

  Requires to use proper types for keys and data and using the key values
  for reverse transformation.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* debug: include verbose message in all BUG statements
  root, 2012-12-08, 9 files, -38/+44

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* evaluate: reintroduce type checks for relational expressions
  Patrick McHardy, 2012-12-05, 1 file, -0/+27

  Since the parser can now generate constant expressions of a specific
  type not determined by the LHS, we need to check that relational
  expressions are actually using the correct types to avoid accepting
  stupid things like "tcp dport tcp".
* parser: fix parsing protocol names for protocols which are also keywords
  Patrick McHardy, 2012-12-05, 1 file, -0/+63

  "ip protocol tcp" will currently produce a syntax error since tcp is
  also a keyword which is expected to be followed by a tcp header field.
  Allow to use protocol names that are also keywords and allocate a
  constant expression for them.
* tests: fix test, commands now come before the family and table name
  Pablo Neira Ayuso, 2012-08-06, 14 files, -88/+88

  Most tests still don't work though. They still need another fix.

  Reported-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expression: Differentiate expr among anonymous structures in struct expr
  Tomasz Bursztyka, 2012-08-03, 6 files, -26/+26

  This fixes compilation with gcc-4.7

  Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* erec: Handle returned value properly in erec_print
  Tomasz Bursztyka, 2012-08-03, 1 file, -3/+4

  Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: Remove useless variable in expr_evaluate_bitwise()
  Tomasz Bursztyka, 2012-08-03, 1 file, -2/+1

  Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>