summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* src: add --literal optionPablo Neira Ayuso2018-07-0716-32/+59
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Default not to print the service name as we discussed during the NFWS. # nft list ruleset table ip x { chain y { tcp dport 22 ip saddr 1.1.1.1 } } # nft -l list ruleset table ip x { chain y { tcp dport ssh ip saddr 1.1.1.1 } } # nft -ll list ruleset table ip x { chain y { tcp dport 22 ip saddr 1dot1dot1dot1.cloudflare-dns.com } } Then, -ll displays FQDN. just like the (now deprecated) --ip2name (-N) option. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: limit: don't print default burst valueFlorian Westphal2018-07-041-1/+1
| | | | | | | | | | | | limit http-traffic { rate 1/second } gets printed as limit http-traffic { rate 1/second burst 5 packets } caused tests/shell/run-tests.sh tests/shell/testcases/sets/0026named_limit_0 to return 'DUMP FAIL'. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: Add socket expression to man pageMáté Eckl2018-07-031-0/+56
| | | | Signed-off-by: Máté Eckl <ecklm94@gmail.com>
* nftables: tests: shell: Replace "%" with "#" or "$"Arushi Singhal2018-07-021-5/+5
| | | | | | | | | | | Shell prompt ends with: "%", indicates a C shell. "$", indicates shell that's compatible with the Bash. "#", indicates shell is running as the system's root. So, "%" is replaced with "$" or "#". Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* netlink_delinearize: Refactor meta_may_dependency_kill()Phil Sutter2018-06-265-40/+259
| | | | | | | | | | | | | | | | The original intent was to fix a bug: The following rule in inet table: | meta nfproto ipv4 icmpv6 type echo-reply Was added correctly but when printing the meta match was falsely removed. The fix is to deny dependency killing if RHS family of nfproto match doesn't match RHS family of l4proto match. Adding this to the already large conditional led to even more unreadable code, therefore this patch tries to clean that up (and also removes the partial code duplication. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: trace: fix policy printingFlorian Westphal2018-06-261-1/+30
| | | | | | | | | | | | | | | | | | | | policy type is erronously handled via verdict, this is wrong. It is a different event type and needs to be handled as such. before: trace id 42b54e71 inet filter input packet: iif "lo" ip saddr 127.0.0.1 .. trace id 42b54e71 inet filter input rule ip protocol icmp nftrace set 1 (verdict continue) trace id 42b54e71 inet filter input verdict continue trace id 42b54e71 inet filter input after: trace id 9f40c5c7 inet filter input packet: iif "lo" ip saddr 127.0.0.1 .. trace id 9f40c5c7 inet filter input rule ip protocol icmp nftrace set 1 (verdict continue) trace id 9f40c5c7 inet filter input verdict continue trace id 9f40c5c7 inet filter input policy drop Reported-by: vtol@gmx.net Signed-off-by: Florian Westphal <fw@strlen.de>
* tests/py: fix import when run from other directoryEric Leblond2018-06-211-2/+2
| | | | | Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: minor cleaningEric Leblond2018-06-201-4/+5
| | | | | | | Move import and use explicit parameter in object creation. Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: fix make distcheckEric Leblond2018-06-201-4/+4
| | | | | Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* python: set license and author in nftables.pyEric Leblond2018-06-201-0/+16
| | | | | | | | It will be distributed separately so this worth setting things correctly. Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* python: installation of binding via make installEric Leblond2018-06-207-1/+87
| | | | | | | | | setup.py is used to build and install the python binding. Call to setup.py are done in Makefile to proceed to build and installation. Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* configure.ac: docbook2man invalid syntax errorEric Leblond2018-06-201-6/+3
| | | | | | | | | docbook2man can not be used with the same option so let's remove it from the alternative. Fedora and debian seems to be fine with that. Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* configure.ac: remove useless braces in messagesEric Leblond2018-06-201-2/+2
| | | | | Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* configure.ac: better message when a2x is missingEric Leblond2018-06-201-1/+1
| | | | | Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nftables: Fix typos/Grammatical ErrorsArushi Singhal2018-06-191-4/+4
| | | | | | | | typos/Grammatical errors are corrected. Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com> Acked-by: Duncan Roe <duncan_roe@optusnet.com.au> Signed-off-by: Florian Westphal <fw@strlen.de>
* Makefile: Introduce Make_global.amPhil Sutter2018-06-182-1/+24
| | | | | | | | | Analogous to libnftnl's build system, define libnftables interface version in a variable in Make_global.am. Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: libnftables-json: Review asciidoc syntaxPhil Sutter2018-06-181-184/+142
| | | | | | | | | | | | | | | | | | | | This changes asciidoc markup according to a few best practices recommended in [1] and a quick review of html output: * Use atx-style headings everywhere apart from the document title. This requires to explicitly disable compat-mode after the latter. * Use only the minimum number of dashes for listings. * Enclose verses with empty lines in a verse block instead of having multiple verses for it. * Indent continued lines in synopsis for added readability. [1] https://asciidoctor.org/docs/asciidoc-recommended-practices/ Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: Do not convert tabs into spacesPhil Sutter2018-06-181-15/+1
| | | | | | | | | | | | | | | | | | | | | Commit 2f86dd5a43baf ("erec: Review erec_print()") changed erec_print() function to expect tabs in input by replacing the whitespace character in the marker line at the same offset with a tab character so that the marker aligns with the offending part of input. The need for that came from JSON input not having its tabs converted to spaces, which erec_print() didn't expect. Above change though has a shortcoming: When reading standard syntax input from a file, Flex code converts tabs into spaces. Location information is taken from this converted input, but when printing an error message, the offending input line is read from the input file directly (which still contains tabs). The solution is to simply drop said tab conversion from scanner.l. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Simplify nft_run_cmd_from_buffer footprintPhil Sutter2018-06-189-21/+20
| | | | | | | | | | | | | | | | | | | | | | | With libnftables documentation being upstream and one confirmed external user (nftlb), time to break the API! First of all, the command buffer passed to nft_run_cmd_from_buffer may (and should) be const. One should consider it a bug if that function ever changed it's content. On the other hand, there is no point in passing the buffer's length as separate argument: NULL bytes are not expected to occur in the input, so it is safe to rely upon strlen(). Also, the actual parsers don't require a buffer length passed to them, either. The only use-case for it is when reallocating the buffer to append a final newline character, there strlen() is perfectly sufficient. Suggested-by: Harald Welte <laforge@gnumonks.org> Cc: Laura Garcia Liebana <nevola@gmail.com> Cc: Eric Leblond <eric@regit.org> Cc: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Fix exit_cookie()Phil Sutter2018-06-181-0/+2
| | | | | | | | | | | | | | | | | | The output and error buffer feature depends on cookie->orig_fp to indicate the current status of buffering: If it is set, a prior call to init_cookie() is assumed. Though exit_cookie() missed to reset that pointer to NULL. causing weird behaviour in applications if they do: | nft = nft_ctx_new(0); | nft_ctx_buffer_output(nft); | nft_ctx_unbuffer_output(nft); | nft_ctx_buffer_output(nft); While being at it, apply the same fix to error path in init_cookie() as well. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: Fix typo in Makefile.amPhil Sutter2018-06-161-1/+1
| | | | | | | | Previous patch adding libnftables man page missed a backslash. Fixes: 3c57ff87b1b2b ("doc: Add libnftables man page") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: Add libnftables man pagePhil Sutter2018-06-153-3/+324
| | | | | | | | For now, use a single man page to describe all the functions exported by libnftables. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add dynamic flag and use itPablo Neira Ayuso2018-06-124-4/+7
| | | | | | | We need to signal the kernel to use a set backend that supports dynamic updates. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: add stolen verdictFlorian Westphal2018-06-121-1/+5
| | | | | | | | | | | | | | | using fwd statement causes crash when using nft trace: trace id ddbbaae2 netdev vpn ingress_out packet: iif "enp2s0" ether saddr 78:54:00:29:bb:aa ether daddr 52:54:00:01:53:9f ip saddr 85.14.236.41 ip daddr 17.25.63.98 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 49036 ip length 84 icmp type echo-reply icmp code 0 icmp id 16947 icmp sequence 4 trace id ddbbaae2 netdev vpn ingress_out rule ip saddr 85.14.236.41 nftrace set 1 (verdict continue) trace id ddbbaae2 netdev vpn ingress_out rule ip saddr 85.14.236.41 ether saddr set aa:bb:00:18:cc:dd ether daddr set 00:00:5e:00:00:11 fwd to "enp1s0" BUG: invalid verdict value 2 nft: datatype.c:282: verdict_type_print: Assertion `0' failed. ADd stolen verdict (2) and remove the BUG statement. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1261 Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: Add JSON schema documentationPhil Sutter2018-06-114-4/+1261
| | | | | | | | | | The document is written as man page in asciidoc which means this adds another dependency to the build system. Though since the (long-term) plan is to replace the docbook-based nft man page with an asciidoc one anyway, we might ultimately get rid of docbook dependency in exchange. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Support latest enhancements of fwd statementPhil Sutter2018-06-116-33/+102
| | | | | | | | | | | | | JSON equivalent of fwd statement was too primitive to support the added address and family parameters, so make its value an object and accept the device expression as value of a "dev" property in there. Then add optional "addr" and "family" properties to it. While being at it, add a testcase to make sure the extended syntax works right. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Add support for connlimit statementPhil Sutter2018-06-114-0/+32
| | | | | Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Add support for socket expressionPhil Sutter2018-06-116-0/+63
| | | | | Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Don't print burst if equal to 5Phil Sutter2018-06-111-1/+1
| | | | | | | | Analogous to commit 3dddef928d80d ("statement: don't print burst if equals 5"), don't print the default burst value. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Fix JSON for flowtable testsPhil Sutter2018-06-114-28/+7
| | | | | | | | | Changing the reference lines is not enough, the actual JSON has to be adjusted as well. Since after the changes output for ip/flowtable.t is now symmetric, ip/flowtable.t.json.output can be removed. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Call verdict maps 'vmap' in JSON as wellPhil Sutter2018-06-1117-74/+80
| | | | | | | This way JSON format is more consistent with the standard one. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: build: cover --with-json tooPablo Neira Ayuso2018-06-101-1/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: timeout: fix output for HZ=250v0.9.0Florian Westphal2018-06-081-2/+2
| | | | | | 4s5ms gets rounded to 4s8ms with HZ=250, which is a common setting. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: add quotes when using <<<-style here documentFlorian Westphal2018-06-0852-59/+59
| | | | | | | | | bash 4.3.30 removes newlines in RULESET when "" are omitted, which then causes nft -f to complain about invalid syntax. As a result, all test cases that use this here-doc style fail. Signed-off-by: Florian Westphal <fw@strlen.de>
* build: missing headers file in Makefile.amFlorian Westphal2018-06-081-0/+2
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* build: Bump version to v0.9.0Florian Westphal2018-06-081-2/+2
| | | | | | Update dependency on libnftnl. Signed-off-by: Florian Westphal <fw@strlen.de>
* build: update release namePablo Neira Ayuso2018-06-081-1/+1
| | | | | | | | Dedicated to Al Capp cartoonist: https://en.wikipedia.org/wiki/Fearless_Fosdick Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: use 100ms for set timeoutFlorian Westphal2018-06-071-2/+2
| | | | | | | | | | | | | | Pablo reports set test fails with HZ=250, as it lists "324ms" instead of "321". This is because of rounding errors that occur when converting from user-side millisecond scale to kernel-internal jiffies one. use 100ms for now to avoid this error. Alternatives would be to store use-provided value in kernel or to avoid the conversions; this would require a change to make timeout independent from jiffies on kernel side. Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: netlink_delinarize: don't stop when encountering unsupported expressionFlorian Westphal2018-06-071-1/+1
| | | | | | | | | | | | | | | | | | | | | | | The error message is still shown, but try to make sense of further expressions (if any). I tried to replace the expression by a textual representation. Two variants I tested are: 1. append as comment: ip saddr 127.0.0.2 drop comment "unknown expression 'foo'" This allows nft -f, but it adds/alters a comment. 2. substitute in-place (i.e., add a constant expression with the error message instead of 'unkown' message: unknown expression "foo" ip saddr 127.0.0.2 drop This won't allow 'nft -f' however. I'm not sure this is a problem, in any case we lose information if we can't find an expression (e.g. added by newer version). Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: add crash reproducerFlorian Westphal2018-06-071-0/+4
| | | | | | | | | | | | | | | | | | | Two reports point to a crash in nft when 'flush' is provided on existing ruleset. In that case, nft will crash with a null-ptr dereference. "evaluate: do not inconditionally update cache from flush command" causes the commit to fail due to a cache inconsistency, we then trip over NULL location->indesc. Cause of 2nd bug not known yet, not sure how to fix cache issue either, so only adding reproducer so this can be fixed later. Without erec bug, the (errnoeous) error message would be Could not process rule: File exists Reported-by: Oleksandr Natalenko <oleksandr@natalenko.name> Reported-by: Timothy Redaelli <tredaelli@redhat.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: do not reset generation ID on ruleset flushPablo Neira Ayuso2018-06-073-4/+24
| | | | | | | | If 'flush ruleset' command is done, release the cache but still keep the generation ID around. Hence, follow up calls to cache_update() will assume that cache is updated and will not perform a netlink dump. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* test: py: Add test cases for socket matchingMáté Eckl2018-06-062-0/+39
| | | | | Signed-off-by: Máté Eckl <ecklm94@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: update linux/netfilter_ipv4.hMáté Eckl2018-06-061-4/+10
| | | | | | | | | | | Update file from <kerneldir>/usr/include/linux/netfilter_ipv4.h. Reasons: - New values have been introduced in nf_ip_hook_priorities. - include limits.h was missing Signed-off-by: Máté Eckl <ecklm94@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Introduce socket matchingMáté Eckl2018-06-0610-0/+176
| | | | | | | | | | | | | | | | For now it can only match sockets with IP(V6)_TRANSPARENT socket option set. Example: table inet sockin { chain sockchain { type filter hook prerouting priority -150; policy accept; socket transparent 1 mark set 0x00000001 nftrace set 1 counter packets 9 bytes 504 accept } } Signed-off-by: Máté Eckl <ecklm94@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: extend fwd statement to support address and familyPablo Neira Ayuso2018-06-069-20/+124
| | | | | | | | Allow to forward packets through to explicit destination and interface. nft add rule netdev x y fwd ip to 192.168.2.200 device eth0 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: connlimit supportPablo Neira Ayuso2018-06-067-3/+102
| | | | | | | | | | | | | | This patch adds support for the new connlimit stateful expression, that provides a mapping with the connlimit iptables extension through meters. eg. nft add rule filter input tcp dport 22 \ meter test { ip saddr ct count over 2 } counter reject This limits the maximum amount incoming of SSH connections per source address up to 2 simultaneous connections. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nat: Eliminate misuse of AF_*Máté Eckl2018-06-062-5/+5
| | | | | | | | | Although the value of AF_INET and NFPROTO_IPV4 is the same, the use of AF_INET was misleading when checking the proto family. Same with AF_INET6. Signed-off-by: Máté Eckl <ecklm94@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: explicitly deny concatenated types in interval setsPhil Sutter2018-06-061-0/+4
| | | | | | | | | | | | | | | | | | | | | Previously, this triggered a program abort: | # nft add table ip t | # nft add set ip t my_set '{ type ipv4_addr . inet_service ; flags interval ; }' | # nft add element ip t my_set '{10.0.0.1 . tcp }' | BUG: invalid range expression type concat | nft: expression.c:1085: range_expr_value_low: Assertion `0' failed. With this patch in place, the 'add set' command above gives an error message: | # nft add set ip t my_set3 '{ type ipv4_addr . inet_service ; flags interval ; }' | Error: concatenated types not supported in interval sets | add set ip t my_set3 { type ipv4_addr . inet_service ; flags interval ; } | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* nft.8: Fix reject statement documentationPhil Sutter2018-06-061-5/+5
| | | | | | | | | | First of all, 'with icmp6' is invalid, expected is 'with icmpv6'. In addition to that, parameter 'type' expects an icmp*_code type, not icmp*_type. The respective table column was already correct, but in synopsis it was wrong. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* configure.ac: fix typo in docbook2x error messageFernando Fernandez Mancera2018-06-051-1/+1
| | | | | | | The correct name is "docbook2x-man" not "docbookx2-man". Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Florian Westphal <fw@strlen.de>