| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
'nft list quotas' would not print anything at all anymore.
Fixes: 88456a7ef01172 ("rule: list only the table containing object")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The previous change is bonkers, it fixes build when libxtables isn't
even installed, but broke build when --with-xtables is provided to configure.
Reason is that the include guard comes too early, so xtables.h is never
included, causing build to fail because no libxtables function prototypes
and definitions are available.
Fixes: 9e84f3f083bb ("xt: fix build when libxtables is not installed")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Instead of meta nftproto, which is a typo.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Update parser to display this error message:
# nft export json
Error: JSON export is no longer supported, use 'nft -j list ruleset' instead
export json
^^^^^^^^^^^^
Just like:
# nft export vm json
Error: JSON export is no longer supported, use 'nft -j list ruleset' instead
export vm json
^^^^^^^^^^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since libnftnl recently dropped JSON output support, this form of JSON
export is not available anymore. Point at 'nft -j list ruleset' command
for a replacement in error message.
Since 'export' command is not useable anymore, remove it from
documentation. Instead point out that 'list ruleset' command serves well
for dumping and later restoring.
To not cause pointless inconvenience for users wishing to store their
ruleset in JSON format, make JSON parser fallback to CMD_ADD if no
recognized command property was found. This allows to feed the output of
'nft -j list ruleset' into 'nft -f' without any modification.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If libxtables is not even installed, build fails due to to missing
include file.
ifdef LIBXTABLES guard fixes the first error, but results in two
followup failures:
1. missing IFNAMSIZ definition
2. dereference of unknown struct.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Burst can be either bytes or packets, depending on the rate limit unit.
# nft add rule x y iif eth0 limit rate 512 kbytes/second burst 5 packets
Error: syntax error, unexpected packets, expecting string or bytes
add rule x y iif eth0 limit rate 512 kbytes/second burst 5 packets
^^^^^^^
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1306
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
# cat test.nft
define test = "1.2.3.4"
table ip x {
chain y {
ip saddr $text
}
}
# nft -f test.nft
test.nft:5:13-16: Error: unknown identifier 'text'; did you mean identifier ‘test’?
ip saddr $text
^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
# nft add counter x test
# nft list counter x test
Error: No such file or directory; did you mean obj ‘test’ in table ip ‘x’?
list counter x text
^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Restrict suggestions to threshold, like gcc does.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Use this from the lookup path, to check for misspellings:
# nft add table filter
# nft add chain filtre test
Error: No such file or directory; did you mean table ‘filter’ in family ip?
add chain filtre test
^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
So we can pass functions as parameters, needed by follow up patch.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Try to return != 0 if a testsuite fails.
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When a rule is replaced, all of the expressions that are in use need to
be deactivated.
Kernel missed to do this on replace. In this example, this would
result in a leak of the chain use counter ("jump" expression
deactivation is not called). This then either resulted in a BUG or
WARN, depending on kernel version.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
# nft rule x y ip saddr @y
Error: No such file or directory; did you mean set ‘y’ in table inet ‘x’?
rule x y ip saddr @y
^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
# nft list chain x y
Error: No such file or directory; did you mean chain ‘y’ in table inet ‘x’?
list chain x y
^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch adds simple infrastructure to provide a hints to user on
references to incorrect table. While at it, remove "Could not process
rule:" which I think it is implicit in the error.
# nft rule x y ip saddr @y
Error: No such file or directory; did you mean table ‘x’ in family inet?
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Ville Skyttä <ville.skytta@iki.fi>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
When building without libxtables, nft would just silently omit any presence
of nft_compat in the output.
This adds ifdef-ry to at least print name of target/match involved when
libxtables isn't available for decoding.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
We can't use it when no translation is available as libxtables will
use plain printf(), but when translation is available we can.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Documentation for add rule command might trick readers into believing
the optional 'index' argument does not need to be that of an existing
rule. This false assumption is fueled by the fact that iptables allows
to insert with last rule number + 1 to actually append to a chain.
Change the relevant sentence to clarify that.
While being at it, drop the deprecated 'position' option from
documentation - since this will likely go away at some point, don't
encourage users to use it although they should notice that they
shoudn't.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Ensure split-off fragments of long lines start with <TAB>
if the original long line did.
Split 1 remaining long line at sentence boundary.
Fix spelling of "eg." to "e.g."
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
When building from a separate build directory, a2x did not find the
source file nft.txt. Using '$<' instead fixes this.
Fixes: 3bacae9e4a1e3 ("doc: Review man page building in Makefile.am")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Introduce setter/getter methods for each introduced output flag. Ignore
NFT_CTX_OUTPUT_NUMERIC_ALL for now since it's main purpose is for
internal use.
Adjust the script in tests/py accordingly: Due to the good defaults,
only numeric proto output has to be selected - this is not a must, but
allows for the test cases to remain unchanged.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When nftables is configured without libjansson support, the following
compilation error is shown:
monitor.c: In function ‘netlink_echo_callback’:
monitor.c:910:10: error: too many arguments to function ‘json_events_cb’
return json_events_cb(nlh, &echo_monh);
^~~~~~~~~~~~~~
This patch makes a declaration of the json_events_cb() function
consistent.
Fixes: bb32d8db9a12 ("JSON: Add support for echo option")
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
For --guid, --numeric-protocol and --numeric-priority.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Otherwise we end up displaying things that we cannot parse as input.
Moreover, in a range, it's relevant to the user the values that are
enclosed in the range, so let's print this numerically.
Fixes: baa4e0e3fa5f ("src: add NFT_CTX_OUTPUT_NUMERIC_PROTO")
Reported-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
We keep printing layer 4 protocols as literals since we do not use
/etc/protocols. Add -p option to print layer 4 protocols numerically.
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds NFT_CTX_OUTPUT_NUMERIC_SYMBOL, which replaces the last
client of the numeric level approach.
This patch updates `-n' option semantics to display all output
numerically.
Note that monitor code was still using the -n option to skip printing
the process name, this patch updates that path too to print it
inconditionally to simplify things.
Given the numeric levels have no more clients after this patch, remove
that code.
Update several tests/shell not to use -nn.
This patch adds NFT_CTX_OUTPUT_NUMERIC_ALL which enables all flags to
provide a fully numerical output.
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
By default base chains are printed using default hook priority
definitions. Add -y option to print them as numbers.
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
We keep printing layer 4 protocols as literals since we do not use
/etc/protocols. This new flag allows us to print it as a number.
libnftables internally uses this to print layer 4 protocol as numbers
when part of a range.
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Like iptables-save, print UID and GID as numeric values by default.
Add a new option `-u' to print the UID and GID names as defined by
/etc/passwd and /etc/group.
Note that -n is ignored after this patch, since default are numeric
printing for UID and GID.
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Add NFT_CTX_OUTPUT_ECHO flag and echo the command that has been send to
the kernel.
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Add NFT_CTX_OUTPUT_JSON flag and display output in json format.
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Add NFT_CTX_OUTPUT_HANDLE flag and print handle that uniquely identify
objects from new output flags interface.
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
nft_ctx_output_{get,flags}_flags
Add NFT_CTX_OUTPUT_STATELESS flag and enable stateless printing from new
output flags interface.
This patch adds nft_output_save_flags() and nft_output_restore_flags()
to temporarily disable stateful printing
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a partial revert of b0f6a45b25dd1 ("src: add --literal option")
which was added during the development cycle before 0.9.1 is released.
After looking at patch: https://patchwork.ozlabs.org/patch/969864/ that
allows to print priority, uid, gid and protocols as numerics, I decided
to revisit this to provide individual options to turn on literal
printing.
What I'm proposing is to provide a good default for everyone, and
provide options to turn on literal/numeric printing.
This patch adds nft_ctx_output_{set,get}_flags() and define two flags to
enable reverse DNS lookups and to print ports as service names.
This patch introduces -S/--services, to print service names as per
/etc/services.
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Since this pseudo log level fundamentally changes behaviour of log
statement, dedicate this mode a separate paragraph.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The basic principle is to not return a JSON object freshly created from
netlink responses, but just update the existing user-provided one to
make sure callers get back exactly what they expect.
To achieve that, keep the parsed JSON object around in a global variable
('cur_root') and provide a custom callback to insert handles into it
from received netlink messages. The tricky bit here is updating rules
since unique identification is problematic. Therefore drop possibly
present handles from input and later assume updates are received in
order so the first rule not having a handle set is the right one.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
The first test in there shows how the current cache update strategy
causes trouble. The second test shows that proposed "locking" of cache
when local entries are added is flawed, too.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
The data side of the mapping that is dynamically generated needs to be
evaluated as well.
Fixes: 0e90798e9812 ("src: simplify map statement")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
evaluation
Otherwise, we cannot validate mismatching length size when combining raw
expressions with sets and maps, eg.
# cat /tmp/test
table ip nftlb {
map persistency {
type ipv4_addr : mark
size 65535
timeout 1h
}
chain pre {
type filter hook prerouting priority filter; policy accept;
ip protocol { tcp, udp } update @persistency { @th,0,16 : numgen inc mod 2 offset 100 }
}
}
# nft -f /tmp/test
/tmp/test:10:68-75: Error: datatype mismatch: expected IPv4 address, expression has type integer with length 16
ip protocol { tcp, udp } update @persistency { @th,0,16 : numgen inc mod 2 offset 100 }
~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pass inner expression instead, instead of the wrapping set element
expression.
Fixes: 0e90798e9812 ("src: simplify map statement")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When trying to convert an xt stmt into JSON, print() callback was
called. Though the code in src/xt.c does not respect output_fp,
therefore buffer wasn't filled as expected making libjansson to puke:
| # nft -j list ruleset
| warning: stmt ops xt have no json callback
| nft: json.c:169: stmt_print_json: Assertion `__out' failed.
| Aborted (core dumped)
Avoid this by detecting xt stmt ops and returning a stub.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Replace it by direct call to mnl_batch_talk().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
We can remove alloc_nftnl_flowtable() and consolidate infrastructure in
the src/mnl.c file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
When trying to adjust receive buffer size, the second call to
setsockopt() was not error-checked.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Commits introducing nft_ctx pointer to netlink and eval contexts did not
update JSON code accordingly.
Fixes: 00f777bfc414a ("src: pass struct nft_ctx through struct eval_ctx")
Fixes: 2dc07bcd7eaa5 ("src: pass struct nft_ctx through struct netlink_ctx")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
