| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
By default, continue to use libreadline, but if `--with-cli=linenoise`
is passed to configure, build the linenoise implementation instead.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
configure.ac contains a couple of AC_SUBST macros which serve no
purpose. Remove them.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Update dependency on libnftnl. Missing nf_synproxy.h in Makefile.am too.
Update release name based Jazz series, Fats Waller performing "Scram":
https://www.youtube.com/watch?v=c9-noJc9ifI
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Export public symbols (the library API functions) instead of all symbols in
the library.
This patch introduces the required macros to manage the visibility attributes
(mostly copied from libnftnl.git) and also marks each symbol as exported when
they need to be public. Also, introduce a .map file for proper symbol
versioning.
Previous to this patch, libnftables public symbols were:
% dpkg-gensymbols -q -plibnftables -v0.9.1 -O -esrc/.libs/libnftables.so.1 | wc -l
527
With this patch, libnftables symbols are:
% dpkg-gensymbols -q -plibnftables -v0.9.1 -O -esrc/.libs/libnftables.so.1
libnftables.so.1 libnftables #MINVER#
nft_ctx_add_include_path@Base 0.9.1
nft_ctx_buffer_error@Base 0.9.1
nft_ctx_buffer_output@Base 0.9.1
nft_ctx_clear_include_paths@Base 0.9.1
nft_ctx_free@Base 0.9.1
nft_ctx_get_dry_run@Base 0.9.1
nft_ctx_get_error_buffer@Base 0.9.1
nft_ctx_get_output_buffer@Base 0.9.1
nft_ctx_new@Base 0.9.1
nft_ctx_output_get_debug@Base 0.9.1
nft_ctx_output_get_flags@Base 0.9.1
nft_ctx_output_set_debug@Base 0.9.1
nft_ctx_output_set_flags@Base 0.9.1
nft_ctx_set_dry_run@Base 0.9.1
nft_ctx_set_error@Base 0.9.1
nft_ctx_set_output@Base 0.9.1
nft_ctx_unbuffer_error@Base 0.9.1
nft_ctx_unbuffer_output@Base 0.9.1
nft_run_cmd_from_buffer@Base 0.9.1
nft_run_cmd_from_filename@Base 0.9.1
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Update dependency on libnftnl.
Update release name too: https://www.youtube.com/watch?v=CTV1To1e5w8
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* AC_ARG_ENABLE implicitly defines enable_debug; there's no point in
performing extra work just to define with_debug with an identical
value.
* The same applies to with_xtables and with_libxtables.
* The AS_IF block in the `AC_ARG_ENABLE([man-doc], ...` invocation is
essentially a noop. All it does is to set enable_man_doc to `yes` if
has a value that matches neither `yes` nor `no`. (This could happen if
a user calls `configure --enable-man-doc=foo`, but that'd be a user
error which we don't need to handle.)
* The correct operator for equality tests in `test` is `=`. Some
implementations also support `==`, but this is not portable.
Signed-off-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* If enable_man_doc is set, but a2x can't be found, configure should
fail instead of silently disabling man page creation.
* The AS_IF block checking $need_a2x is never active (need_a2x has been
removed from configure.ac in 13e44a608 and a277479dc).
* AC_CHECK_PROG(VAR, ...) is a noop if VAR is already set, allowing the
user to explicitly specify the (path to the) binary in VAR. Adjust the
AS_IF check to account for this.
Signed-off-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
As we are going to need pf.os file to load OS fingerprints from the incoming
nfnl_osf.c, we copy it into the nftables tree directory "files/osf/".
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This adds unnecessary complexity to our build infrastructure. People can
just manually generate them in PDF in case they need too. So let's keep
it simple and remove this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch converts nft.xml into asciidoc markup.
Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
setup.py is used to build and install the python binding. Call
to setup.py are done in Makefile to proceed to build and
installation.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
docbook2man can not be used with the same option so let's remove
it from the alternative. Fedora and debian seems to be fine with
that.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
The document is written as man page in asciidoc which means this adds
another dependency to the build system. Though since the (long-term)
plan is to replace the docbook-based nft man page with an asciidoc one
anyway, we might ultimately get rid of docbook dependency in exchange.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Update dependency on libnftnl.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
Dedicated to Al Capp cartoonist:
https://en.wikipedia.org/wiki/Fearless_Fosdick
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
The correct name is "docbook2x-man" not "docbookx2-man".
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Although technically there already is support for JSON output via 'nft
export json' command, it is hardly useable since it exports all the gory
details of nftables VM. Also, libnftables has no control over what is
exported since the content comes directly from libnftnl.
Instead, implement JSON format support for regular 'nft list' commands.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
nftables releases until 0.8.2 included base skeleton hooks
that were installed into /etc/nftables (sysconfdir).
With 0.8.3 and newer these files were moved to the documentation
area but apparently some users expect them to be there.
Resurrect them.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
AC_ARG_WITH runs this when EITHER --with-foo or --without-foo is given,
so use 'withval'.
After this patch:
./configure -> xtables off
./configure --with-xtables -> xtables on
./configure --without-xtables -> xtables off (was on).
Reported-by: Alexander Dahl <ada@thorsis.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commits d572d59788143945c2a638f12a5227d9b21ce489 and
9f5e49e147219cd161de8cd80cadf8a444969ef0.
Current libnftables API should be stable enough to release it into the
public, and after 4aba100e593f ("rule: reset cache iff there is an
existing cache") we have a simple way to batch commands through this
API.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Check for 1.1.0, which includes flowtable symbols.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch removes the following macros:
* AC_PREREQ checks for 2.61, which is not supported any contemporary
distribution.
* AC_COPYRIGHT, autoconf documentation states "in addition to the Free
Software Foundation's copyright on the Autoconf macros, parts of your
configure are covered by the copyright-notice.".
This only refers to the autoconf infrastructure: we are doing simple
and standard usage of autoconf infrastructure, we also don't use this
macro in other existing userspace software available at netfilter.org.
The comment above at the beginning of this file shows text that is
available in many configure.ac templates on the Internet.
* AC_CANONICAL_HOST, we don't need the canonical host-system type to
build this software.
* AC_CONFIG_SRCDIR is not used in other userspace software in the tree.
* AC_DEFINE _GNU_SOURCE, define this where it's needed instead.
* AC_DEFINE _STDC_FORMAT_MACROS is not used in this codebase.
* AC_HEADER_STDC checks for ANSI C89 headers, however, we need more than
just this C standard, so this doesn't guarantee anything at all.
* Remove "Checks for libraries" comment, it's obvious.
* AC_HEADER_ASSERT allows us to disable assertions, this is bad because
this is helping us to diagnose bugs and incomplete features.
* AC_CHECK_HEADERS is checking for an arbitrary list of headers,
this still doesn't even guarantee that we can actually do a successful
compilation in a broken system.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Concatenate all family/hook examples into a single one by means of includes.
Put all example files under examples/. Use the '.nft' prefix and mark
them as executable files. Use a static shebang declaration, since these
are examples meant for final systems and users.
While at it, refresh also the sets_and_maps.nft example file and also
add the 'netdev-ingress.nft' example file.
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Previously, if man page build was enabled but no suitable docbook2man or
the like tool was found, build failed at a later stage with
undescriptive error message. Fail early and explicitly at configure
stage instead.
Signed-off-by: Ville Skyttä <ville.skytta@iki.fi>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This release includes incremental fixes since last release plus meta
secpath support. libnftnl 1.0.9 is still OK as dependency, actually it
just prints meta secpath as unknown with --debug=netlink but I don't
think that is worth a libnftnl library release.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Functions memmove, strchr, strerror and strdup are defined in string.h
header file. Also, strtoull is defined in stdlib.h header file. These
header files are checked by AC_CHECK_HEADERS macro. AC_CHECK_FUNCS macro
is not required, so remove it.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Aparently there are distributions which come with incompatible docbook
implementations. On those, forced man page creating if required binaries
are found leads to build failure.
Allow them to conveniently disable man page output instead of having to
pass undocumented variables to configure.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Debugging symbols are enabled by default, so list '--disable-debug' in
help output rather than '--enable-debug'. This way it is also consistent
with the parameter's description.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This removes libnftables pkg-config file along with the few lines of
code to adjust and install it.
Fixes: d572d59788143 ("Make libnftables a local static library")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following macros check if particular C types in specific header file
exists, these header files defines them and are already included in the
source code. So, remove them.
AC_HEADER_STDBOOL - stdbool.h
AC_TYPE_INT and AC_TYPE_UINT - stdint.h or inttypes.h
AC_TYPE_OFF_T and AC_TYPE_UID_T - sys/types.h
AC_TYPE_SIZE_T - stddef.h, string.h, stdlib.h or stdio.h
Remove AC_C_CONST and AC_C_INLINE as gcc supports inline and const
keywords.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
A release including incremental fixes since last release. Still it needs
libnftnl 1.0.9 because of nftnl_expr_fprint().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This finally creates the libnftables shared object.
For some reason, this causes two compiler warnings to appear:
| parser_bison.y: In function 'nft_parse':
| parser_bison.y:131:3: warning: implicit declaration of function 'nft_set_debug' [-Wimplicit-function-declaration]
| nft_set_debug(1, scanner);
| ^~~~~~~~~~~~~
| parser_bison.c:64:25: warning: implicit declaration of function 'nft_lex' [-Wimplicit-function-declaration]
| #define yylex nft_lex
| ^
| parser_bison.c:4745:16: note: in expansion of macro 'yylex'
| yychar = yylex (&yylval, &yylloc, scanner);
So this patch contains a workaround, namely declaring both functions
in src/parser_bison.y. During linking the objects are found, so this is
rather a matter of cosmetics.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This creates src/libnftables.c and include/nftables/nftables.h which
will become the central elements of libnftables.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Update libnftnl dependency up to latest (1.0.8). Dedicate this release
to Joe Btfsplk [1], the world worst jinx.
[1] https://en.wikipedia.org/wiki/Joe_Btfsplk#/media/File:Joe_Btfsplk_Excerpt.png
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Get rid of lots of ifdef DEBUG pollution in the code.
The --debug= option is useful to get feedback from users, so it should
be always there. And we really save nothing from keeping this code away
from the control plane with a compile time option. Just running
tests/shell/ before and after this patch, time shows almost no
difference.
So this patch leaves --enable-debug around to add debugging symbols in
your builds, this is left set on by default.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Currently, the configure script requires xtables v1.6.0 when the option
--with-xtables is given. However, nftables-0.7 build fails with this
version, xtables v1.6.1 is the minimum required to have libxtables
support.
Fixes(Bug 1110 - Build failure if --with-xtables).
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Update libnftnl dependency up to latest (1.0.7). Update my copyright
statements. Dedicate this release to Scroodge McDuck [1].
[1] https://en.wikipedia.org/wiki/Scrooge_McDuck#/media/File:ScroogeFirst.jpg
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
At compilation time, you have to pass this option.
# ./configure --with-xtables
And libxtables needs to be installed in your system.
This patch allows to list a ruleset containing xt extensions loaded
through iptables-compat-restore tool.
Example:
$ iptables-save > ruleset
$ cat ruleset
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m multiport --dports 80,81 -j REJECT
COMMIT
$ sudo iptables-compat-restore ruleset
$ sudo nft list rulseset
table ip filter {
chain INPUT {
type filter hook input priority 0; policy accept;
ip protocol tcp tcp dport { 80,81} counter packets 0 bytes 0 reject
}
chain FORWARD {
type filter hook forward priority 0; policy drop;
}
chain OUTPUT {
type filter hook output priority 0; policy accept;
}
}
A translation of the extension is shown if this is available. In other
case, match or target definition is preceded by a hash. For example,
classify target has not translation:
$ sudo nft list chain mangle POSTROUTING
table ip mangle {
chain POSTROUTING {
type filter hook postrouting priority -150; policy accept;
ip protocol tcp tcp dport 80 counter packets 0 bytes 0 # CLASSIFY set 20:10
^^^
}
}
If the whole ruleset is translatable, the users can (re)load it using
"nft -f" and get nft native support for all their rules.
This patch is joint work by the authors listed below.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
The xt over nft support that comes in follow up patches need this, and update
the corresponding Makefile.am.
Based on patch from Arturo Borrero Gonzalez.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Add a configure switch to enable and disable PDF document generation.
This switch is to replace the current method of automatically detecting
dblatex and building the PDF documentation when present.
Signed-off-by: Nicholas Vinson <nvinson234@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Adapt the nftables code to use the new symbols in libnftnl. This patch contains
quite some renaming to reserve the nft_ prefix for our high level library.
Explicitly request libnftnl 1.0.5 at configure stage.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
As the documentation indicates "The most common mistake for this macro is to
consider the two actions as action-if-enabled and action-if-disabled."
Use AS_IF in the action-if-present to check the real argument that we're
getting from the user.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
