summaryrefslogtreecommitdiffstats
path: root/doc
Commit message (Collapse)AuthorAgeFilesLines
* src: add ruleset optimization infrastructurePablo Neira Ayuso9 days1-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds a new -o/--optimize option to enable ruleset optimization. You can combine this option with the dry run mode (--check) to review the proposed ruleset updates without actually loading the ruleset, e.g. # nft -c -o -f ruleset.test Merging: ruleset.nft:16:3-37: ip daddr 192.168.0.1 counter accept ruleset.nft:17:3-37: ip daddr 192.168.0.2 counter accept ruleset.nft:18:3-37: ip daddr 192.168.0.3 counter accept into: ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } counter packets 0 bytes 0 accept This infrastructure collects the common statements that are used in rules, then it builds a matrix of rules vs. statements. Then, it looks for common statements in consecutive rules which allows to merge rules. This ruleset optimization always performs an implicit dry run to validate that the original ruleset is correct. Then, on a second pass, it performs the ruleset optimization and add the rules into the kernel (unless --check has been specified by the user). From libnftables perspective, there is a new API to enable this feature: uint32_t nft_ctx_get_optimize(struct nft_ctx *ctx); void nft_ctx_set_optimize(struct nft_ctx *ctx, uint32_t flags); This patch adds support for the first optimization: Collapse a linear list of rules matching on a single selector into a set as exposed in the example above. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tcpopt: remove KIND keywordFlorian Westphal2021-12-011-12/+17
| | | | | | | | | | | | | | | | tcp option <foo> kind ... never makes any sense, as "tcp option <foo>" already tells the kernel to look for the foo <kind>. "tcp option sack kind 5" matches if the sack option is present; its a more complicated form of the simpler "tcp option sack exists". "tcp option sack kind 1" (or any other value than 5) will never match. So remove this. Test cases are converted to "exists". Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: update ct timeout section with the state namesFlorian Westphal2021-11-081-0/+11
| | | | | | | | docs are too terse and did not have the list of valid timeout states. While at it, adjust default stream timeout of udp to 120, this is the current kernel default. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: Support netdev egress hookLukas Wunner2021-10-282-10/+30
| | | | | | | | | Add userspace support for the netdev egress hook which is queued up for v5.16-rc1, complete with documentation and tests. Usage is identical to the ingress hook. Signed-off-by: Lukas Wunner <lukas@wunner.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: libnftables-json: make the example valid libnftables JSON inputŠtěpán Němec2021-10-111-2/+3
| | | | | | | | | | | - Add missing comma between array elements. - Fix chain 'name' property. - Match 'op' property is mandatory. Fixes: 2e56f533b36a ("doc: Improve example in libnftables-json(5)") Fixes: 90d4ee087171 ("JSON: Make match op mandatory, introduce 'in' operator") Signed-off-by: Štěpán Němec <snemec@redhat.com> Signed-off-by: Phil Sutter <phil@nwl.cc>
* doc: fix synopsis of named counter, quota and ct {helper,timeout,expect}Pablo Neira Ayuso2021-09-162-9/+61
| | | | | | Synopsis is not complete. Add examples for counters and quotas. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: nfnetlink_log allows one single process through unicastPablo Neira Ayuso2021-09-091-5/+5
| | | | | | | nfnetlink_log uses netlink unicast to send logs to one single process in userspace. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: refer to ulogd manpagePablo Neira Ayuso2021-09-061-2/+3
| | | | | | Refer to the ulogd daemon in the log statement section. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: libnflog handles `log group`, not libnfqDuncan Roe2021-09-061-1/+1
| | | | | Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: Missing NFT_CTX_OUTPUT_NUMERIC_SYMBOL in libnftables documentationPablo Neira Ayuso2021-09-061-0/+1
| | | | | | | | Add NFT_CTX_OUTPUT_NUMERIC_SYMBOL to libnftables.adoc to keep it in sync with the nftables/libnftables.h header. Fixes: 685a06447ee4 ("doc: libnftables.adoc misc cleanups") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: queue: consolidate queue statement syntaxPablo Neira Ayuso2021-08-201-2/+2
| | | | | | | | | | | | Print queue statement using the 'queue ... to' syntax to consolidate the syntax around Florian's proposal introduced in 6cf0f2c17bfb ("src: queue: allow use of arbitrary queue expressions"). Retain backward compatibility, 'queue num' syntax is still allowed. Update and add new tests. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: promote 'reject with icmp CODE' syntaxPablo Neira Ayuso2021-07-262-4/+4
| | | | | | | | | | | | | | | | | | | | | | | The kernel already assumes that that ICMP type to reject a packet is destination-unreachable, hence the user specifies the *ICMP code*. Simplify the syntax to: ... reject with icmp port-unreachable this removes the 'type' keyword before the ICMP code to reject the packet with. IIRC, the original intention is to leave room for future extensions that allow to specify both the ICMP type and the ICMP code, this is however not possible with the current inconsistent syntax. Update manpages which also refer to ICMP type. Adjust tests/py to the new syntax. Fixes: 5fdd0b6a0600 ("nft: complete reject support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add --define key=valuePablo Neira Ayuso2021-07-201-0/+4
| | | | | | | | | | | | | | | | | This patch adds a new option to define variables from the command line. # cat test.nft table netdev x { chain y { type filter hook ingress devices = $dev priority 0; counter accept } } # nft --define dev="{ eth0, eth1 }" -f test.nft You can only combine it with -f/--filename. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: queue: allow use of MAP statement for queue number retrievalFlorian Westphal2021-06-211-2/+4
| | | | | | | | | This allows to chose a queue number at run time using map statements, e.g.: queue flags bypass to ip saddr map { 192.168.7/24 : 0, 192.168.0/24 : 1 } Signed-off-by: Florian Westphal <fw@strlen.de>
* src: queue: allow use of arbitrary queue expressionsFlorian Westphal2021-06-211-0/+4
| | | | | | | | | | | | | | | | | | | | | back in 2016 Liping Zhang added support to kernel and libnftnl to specify a source register containing the queue number to use. This was never added to nft itself, so allow this. On linearization side, check if attached expression is a range. If its not, allocate a new register and set NFTNL_EXPR_QUEUE_SREG_QNUM attribute after generating the lowlevel expressions for the kernel. On delinarization we need to check for presence of NFTNL_EXPR_QUEUE_SREG_QNUM and decode the expression(s) when present. Also need to do postprocessing for STMT_QUEUE so that the protocol context is set correctly, without this only raw payload expressions will be shown (@nh,32,...) instead of 'ip ...'. Next patch adds test cases. Signed-off-by: Florian Westphal <fw@strlen.de>
* parser: new queue flag input formatFlorian Westphal2021-06-211-2/+2
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add vlan deiPablo Neira Ayuso2021-06-111-3/+3
| | | | | | | | | | the CFI bit has been repurposed as DEI "Drop Eligible Indicator" since 802.1Q-2011. The vlan cfi field is still retained for compatibility. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1516 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: add LISTING sectionFlorian Westphal2021-06-091-0/+11
| | | | | | | mention various 'nft list' options, such as secmarks, flow tables, and so on. Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: nft: ct id does not allow for original|replyPablo Neira Ayuso2021-06-041-2/+2
| | | | | | This is a singleton ct key, move it to where it belongs to. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* statement: connlimit: remove extra whitespace in print functionPablo Neira Ayuso2021-06-041-1/+1
| | | | | | | | | | | | | | | Instead of: ct count 2 accept ^^ simply print: ct count 2 accept While at it, add incomplete reference 'ct count' to manpage. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: tiny spelling fix in stateful object section s/an/aFlorian Westphal2021-05-251-1/+1
| | | | | | | | Quoting Duncan Roe: Tiny nit: suggest "by a unique" instead of "by an unique". "a" reads better to this native en-GB speaker at least. Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: nft.8: Extend monitor description by tracePhil Sutter2021-05-191-3/+22
| | | | | | Briefly describe 'nft monitor trace' command functionality. Signed-off-by: Phil Sutter <phil@nwl.cc>
* doc: document cgroupv2Pablo Neira Ayuso2021-05-191-1/+16
| | | | | | This patch adds documentation for cgroupsv2 support. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: Implement SCTP Chunk matchingPhil Sutter2021-05-192-0/+66
| | | | | | | | Extend exthdr expression to support scanning through SCTP packet chunks and matching on fixed fields' values. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* doc: Reduce size of NAT statement synopsisPhil Sutter2021-05-111-15/+10
| | | | | | | | | Introduce non-terminals representing address and port which may represent ranges as well. Combined with dropping the distinction between PR_FLAGS and PRF_FLAGS, all the lines for each nat statement type can be combined. Signed-off-by: Phil Sutter <phil@nwl.cc>
* doc: no need to define a set in ct statePablo Neira Ayuso2021-03-241-1/+1
| | | | | | ct state are flags, no need to define a set for this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: use symbolic names for chain prioritiesSimon Ruderich2021-03-244-16/+16
| | | | | | | | | | | | | This replaces the numbers with the matching symbolic names with one exception: The NAT example used "priority 0" for the prerouting priority. This is replaced by "dstnat" which has priority -100 which is the new recommended priority. Also use spaces instead of tabs for consistency in lines which require updates. Signed-off-by: Simon Ruderich <simon@ruderich.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: move drop rule on a separate line in blackhole exampleSimon Ruderich2021-03-091-1/+2
| | | | | | | | At first I overlooked the "drop". Putting it on a separate line makes it more visible and also details the separate steps of this rule. Signed-off-by: Simon Ruderich <simon@ruderich.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: remove duplicate tables in synproxy exampleSimon Ruderich2021-03-091-16/+1
| | | | | | | | | | | | | The "outcome ruleset" is the same as the two tables in the example. Don't duplicate this information which just wastes space in the documentation and can confuse the reader (it took me a while to realize the tables are the same). In addition, use the same table name for both tables to make it clear that they can be the same. They will be merged in the resulting ruleset. Signed-off-by: Simon Ruderich <simon@ruderich.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: add * to include example to actually include filesSimon Ruderich2021-03-091-1/+1
| | | | | | | | "/etc/firewall/rules/" causes no error but also doesn't include any files contained in the directory. Signed-off-by: Simon Ruderich <simon@ruderich.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: nft: fix some typos and formatting issuesŠtěpán Němec2021-02-221-11/+11
| | | | | | | | Trying to escape asciidoc (9.1.0) * with \ preserves the backslash in the formatted man page. Bare * works as expected. Signed-off-by: Štěpán Němec <snemec@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: disallow burst 0 in ratelimitsPablo Neira Ayuso2020-12-181-1/+2
| | | | | | | | | | | | The ratelimiter in nftables is similar to the one in iptables, and iptables disallows a zero burst. Update the byte rate limiter not to print burst 5 (default value). Update tests/py payloads to print burst 5 instead of zero when the burst is unspecified. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: Document 'dccp type' matchPhil Sutter2020-12-082-1/+47
| | | | | | | Add a description of dccp_pkttype and extend DCCP header expression synopsis by the 'type' argument. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tcp: add raw tcp option match supportFlorian Westphal2020-11-091-0/+6
| | | | | | tcp option @42,16,4 (@kind,offset,length). Signed-off-by: Florian Westphal <fw@strlen.de>
* tcpopt: rename noop to nopFlorian Westphal2020-11-091-2/+2
| | | | | | | 'nop' is the tcp padding "option". "noop" is retained for compatibility on parser side. Signed-off-by: Florian Westphal <fw@strlen.de>
* tcpopts: clean up parser -> tcpopt.c plumbingFlorian Westphal2020-11-091-2/+2
| | | | | | | | | | | | | | | | | tcpopt template mapping is asymmetric: one mapping is to match dumped netlink exthdr expression to the original tcp option template. This struct is indexed by the raw, on-write kind/type number. The other mapping maps parsed options to the tcp option template. Remove the latter. The parser is changed to translate the textual option name, e.g. "maxseg" to the on-wire number. This avoids the second mapping, it will also allow to more easily support raw option matching in a followup patch. Signed-off-by: Florian Westphal <fw@strlen.de>
* parser: merge sack-perm/sack-permitted and maxseg/mssFlorian Westphal2020-11-091-4/+4
| | | | | | | | | | | | | | | | | | | | | | One was added by the tcp option parsing ocde, the other by synproxy. So we have: synproxy ... sack-perm synproxy ... mss and tcp option maxseg tcp option sack-permitted This kills the extra tokens on the scanner/parser side, so sack-perm and sack-permitted can both be used. Likewise, 'synproxy maxseg' and 'tcp option mss size 42' will work too. On the output side, the shorter form is now preferred, i.e. sack-perm and mss. Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: correct chain name in example of adding a ruleJeremy Sowden2020-11-011-1/+1
| | | | | | | The example adds a rule to the `output` chain, not the `input` chain. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: nft.8: describe inet ingress hookPablo Neira Ayuso2020-10-161-4/+17
| | | | | | Available since Linux kernel >= 5.10. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: migrate man page examples with `meter` directive to setsDevin Bayer2020-10-012-15/+26
| | | | | | | this updates the two examples in the man page that use the obsolete `meter` to use sets. I also fixed a bit of formatting for the conntrack expressions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: added documentation on "socket wildcard"Balazs Scheidler2020-08-291-3/+8
| | | | | Signed-off-by: Balazs Scheidler <bazsi77@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: rearrange help output to group related options togetherArturo Borrero Gonzalez2020-07-291-38/+56
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It has been reported that nft options are a bit chaotic. With a growing list of options for the nft CLI, we can do better when presenting them to the user who requests help. This patch introduces a textual output grouping for options, in 4 groups: * Options (general) -- common Unix utility options * Options (operative) -- the options that modify the operative behaviour of nft * Options (translation) -- output text modifiers for data translation * Options (parsing) -- output text modifiers for parsing and other operations There is no behavior change in this patch, is mostly a cosmetic change in the hope that users will find the nft tool a bit less confusing to use. After this patch, the help output is: === 8< === % nft --help Usage: nft [ options ] [ cmds... ] Options (general): -h, help Show this help -v, version Show version information -V Show extended version information Options (ruleset input handling): -f, file <filename> Read input from <filename> -i, interactive Read input from interactive CLI -I, includepath <directory> Add <directory> to the paths searched for include files. Defaul[..] -c, check Check commands validity without actually applying the changes. Options (ruleset list formatting): -a, handle Output rule handle. -s, stateless Omit stateful information of ruleset. -t, terse Omit contents of sets. -S, service Translate ports to service names as described in /etc/services. -N, reversedns Translate IP addresses to names. -u, guid Print UID/GID as defined in /etc/passwd and /etc/group. -n, numeric Print fully numerical output. -y, numeric-priority Print chain priority numerically. -p, numeric-protocol Print layer 4 protocols numerically. -T, numeric-time Print time values numerically. Options (command output format): -e, echo Echo what has been added, inserted or replaced. -j, json Format output in JSON -d, debug <level [,level...]> Specify debugging level (scanner, parser, eval, netlink, mnl, p[..] === 8< === While at it, refresh the man page to better reflex this new grouping, and add some missing options. Joint work with Pablo. Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: revisit meta/rt primary expressions and ct statementFlorian Westphal2020-06-252-4/+12
| | | | | | | Clarify meta/rt ipsec examples and document that 'ct helper set' needs to be used *after* conntrack lookup. Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: Document notrack statementPhil Sutter2020-06-221-0/+14
| | | | | | | | Merely a stub, but better to mention it explicitly instead of having it appear in synproxy examples and letting users guess as to what it does. Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Florian Westphal <fw@strlen.de>
* datatype: add frag-needed (ipv4) to reject optionsMichael Braun2020-05-281-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | This enables to send icmp frag-needed messages using reject target. I have a bridge with connects an gretap tunnel with some ethernet lan. On the gretap device I use ignore-df to avoid packets being lost without icmp reject to the sender of the bridged packet. Still I want to avoid packet fragmentation with the gretap packets. So I though about adding an nftables rule like this: nft insert rule bridge filter FORWARD \ ip protocol tcp \ ip length > 1400 \ ip frag-off & 0x4000 != 0 \ reject with icmp type frag-needed This would reject all tcp packets with ip dont-fragment bit set that are bigger than some threshold (here 1400 bytes). The sender would then receive ICMP unreachable - fragmentation needed and reduce its packet size (as defined with PMTU). [ pablo: update tests/py ] Signed-off-by: Michael Braun <michael-dev@fami-braun.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: fix tentative generation of nft.8 after disabled docLaura Garcia Liebana2020-05-181-1/+1
| | | | | | | | | | | | | | | | | | | Despite doc generation is disabled, the makefile is trying to build it. $ ./configure --disable-man-doc $ make Making all in doc make[2]: Entering directory '/workdir/build-pkg/workdir/doc' make[2]: *** No rule to make target 'nft.8', needed by 'all-am'. Stop. make[2]: Leaving directory '/workdir/build-pkg/workdir/doc' make[1]: *** [Makefile:479: all-recursive] Error 1 make[1]: Leaving directory '/workdir/build-pkg/workdir' make: *** [Makefile:388: all] Error 2 Fixes: 4f2813a313ae0 ("build: Include generated man pages in dist tarball") Reported-by: Adan Marin Jacquot <adan.marin@zevenet.com> Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: Add support for the 'id' keyBrett Mastbergen2020-05-011-1/+4
| | | | | | | | | The 'id' key allows for matching on the id of the conntrack entry. v2: Remove ct_id_type Signed-off-by: Brett Mastbergen <brett.mastbergen@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: Include generated man pages in dist tarballMatt Turner2020-04-191-9/+8
| | | | | | | | | | | | | | | | | | Most projects ship pre-generated man pages in the distribution tarball so that builders don't need the documentation tools installed, similar to how bison-generated sources are included. To do this, we conditionalize the presence check of a2x on whether nft.8 already exists in the source directory, as it would exist if included in the distribution tarball. Secondly, we move the 'if BUILD_MAN' conditional to around the man page generation rules. This ensures that the man pages are unconditionally installed. Also only add the man pages to CLEANFILES if their generation is enabled. Signed-off-by: Matt Turner <mattst88@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: add hashing expressions descriptionLaura Garcia Liebana2020-04-011-0/+29
| | | | | | | | The hashing expressions jhash and symhash are missing in the nft manual. Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: nft.8: Mention wildcard interface matchingPhil Sutter2020-02-101-0/+7
| | | | | | | Special meaning of asterisk in interface names wasn't described anywhere. Signed-off-by: Phil Sutter <phil@nwl.cc>