summaryrefslogtreecommitdiffstats
path: root/include/expression.h
Commit message (Collapse)AuthorAgeFilesLines
* src: add flow statementPatrick McHardy2016-05-131-0/+1
| | | | | | | | | | | | | | | The flow statement allows to instantiate per flow statements for user defined flows. This can so far be used for per flow accounting or limiting, similar to what the iptables hashlimit provides. Flows can be aged using the timeout option. Examples: # nft filter input flow ip saddr . tcp dport limit rate 10/second # nft filter input flow table acct iif . ip saddr timeout 60s counter Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: declare interval_map_decompose() from header filePablo Neira Ayuso2016-05-131-0/+1
| | | | | | Instead of having several extern function declarations. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: special handling for the first non-matching segmentPablo Neira Ayuso2016-04-251-1/+1
| | | | | | | Add the first non-matching segment if the set is empty or if the set becomes empty after the element removal. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: explicit initialization via set_to_intervals()Pablo Neira Ayuso2016-04-251-1/+2
| | | | | | | Allow explicit compound expression to initialize the set intervals. Incremental updates to interval sets require this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: store offset for later useFlorian Westphal2016-03-021-0/+1
| | | | | | | | Its possible that we cannot find the template without also considering an implicit mask. For this we need to store the offset. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: add support for directional keysFlorian Westphal2016-01-041-0/+1
| | | | | | | | | | | | | | A few keys in the ct expression are directional, i.e. we need to tell kernel if it should fetch REPLY or ORIGINAL direction. Split ct_keys into ct_keys & ct_keys_dir, the latter are those keys that the kernel rejects unless also given a direction. During postprocessing we also need to invoke ct_expr_update_type, problem is that e.g. ct saddr can be any family (ip, ipv6) so we need to update the expected data type based on the network base. Signed-off-by: Florian Westphal <fw@strlen.de>
* setelem: add support for attaching comments to set elementsPatrick McHardy2015-04-121-0/+1
| | | | | | | | Syntax: # nft add element filter test { 192.168.0.1 comment "some host" } Signed-off-by: Patrick McHardy <kaber@trash.net>
* setelem: add timeout support for set elementsPatrick McHardy2015-04-121-0/+2
| | | | | | | | | | | | | | | | | | | | | | Support specifying per element timeout values and displaying the expiration time. If an element should not use the default timeout value of the set, an element specific value can be specified as follows: # nft add element filter test { 192.168.0.1, 192.168.0.2 timeout 10m} For listing of elements that use the default timeout value, just the expiration time is shown, otherwise the element specific timeout value is also displayed: set test { type ipv4_addr timeout 1h elements = { 192.168.0.2 timeout 10m expires 9m59s, 192.168.0.1 expires 59m59s} } Signed-off-by: Patrick McHardy <kaber@trash.net>
* expr: add set_elem_expr as container for set element attributesPatrick McHardy2015-04-121-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | Add a new expression type "set_elem_expr" that is used as container for the key in order to attach different attributes, such as timeout values, to the key. The expression hierarchy is as follows: Sets: elem | key Maps: mapping / \ elem data | key Signed-off-by: Patrick McHardy <kaber@trash.net>
* build: add --with-mini-gmp switch to disable linking libgmpSteven Barth2015-01-081-1/+1
| | | | | | | | | | This allows to disable linking the >400 KB big libgmp and replace it with the builtin mini-gmp which only increases size by ~30KB. Enabling this selectively decreases debugging verbosity (pr_debug). Signed-off-by: Steven Barth <cyrus@openwrt.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: generate set members using integer_type in the appropriate byteorderPablo Neira Ayuso2014-12-091-2/+14
| | | | | | | | | | | | | | | | Rules with header fields that rely on the generic integer datatype from sets are not matching, eg. nft add rule filter input udp length { 9 } counter This set member is an integer represented in host byte order, which obviously doesn't match the header field (in network byte order). Since the integer datatype has no specific byteorder, we have to rely on the expression byteorder instead when configuring the context, before we evaluate the list of set members. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: make range_low()/range_high() usable outside of segtreePatrick McHardy2014-09-241-0/+4
| | | | | | | Their functionality is also needed for set descriptions, move the functions to expressions.c and give them a more suitable name for global functions. Signed-off-by: Patrick McHardy <kaber@trash.net>
* set: abort on interval conflictsPatrick McHardy2014-03-071-1/+1
| | | | | | | | | | | We currently print a debug message (with debugging) and continue. Output a proper error message and abort. While at it, make sure we only report a conflict if there actually is one. This is not the case similar actions, IOW in case of sets, never, in case of maps, only if the mapping differs. Signed-off-by: Patrick McHardy <kaber@trash.net>
* expr: add comparison function for singleton expressionsPatrick McHardy2014-03-071-0/+4
| | | | Singed-off-by: Patrick McHardy <kaber@trash.net>
* expr: make expr_binary_error() usable outside of evaluationPatrick McHardy2014-03-071-3/+3
| | | | | | Turn the eval_ctx argument into a list_head to queue the error to. Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink_delinarize: convert *all* bitmask values into individual bit valuesPatrick McHardy2014-02-171-0/+6
| | | | | | | | | | | | | | We're currently only converting bitmask types as direct argument to a relational expression in the form of a flagcmp (expr & mask neq 0) back into a list of bit values. This means expressions like: tcp flags & (syn | ack) == syn | ack won't be shown symbolically. Convert *all* bitmask values back to a sequence of inclusive or expressions of the individual bits. In case of a flagcmp, this sequence is further converted to a list (tcp flags syn,ack). Signed-off-by: Patrick McHardy <kaber@trash.net>
* binop: take care of operator precedence when printing binop argumentsPatrick McHardy2014-02-171-0/+2
| | | | | | | | | | | | | | | | | When the argument of a binop is a binop itself, we may need to add parens if the precedence of the argument is lower then the binop. Before: tcp flags & syn | ack == syn | ack tcp flags & syn | ack != syn | ack After: tcp flags & (syn | ack) == syn | ack tcp flags & (syn | ack) != syn | ack Signed-off-by: Patrick McHardy <kaber@trash.net>
* Merge remote-tracking branch 'origin/master' into next-3.14Patrick McHardy2014-01-161-1/+1
|\ | | | | | | | | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Conflicts: include/nftables.h src/main.c
| * src: use ':' instead of '=>' in dictionariesPablo Neira Ayuso2014-01-161-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | Replace => by : to make it easier for most shell users, as > implies a redirection, let's avoid possible confusion that may result if you forget to escape it. This works fine if you don't forget to add space between the key and the value. If you forget to add the space, depending on the case, the scanner may recognize it correctly or process it as a string. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | netlink_delinearize: remove implied meta expressionsPatrick McHardy2014-01-081-0/+1
| | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* | expr: add protocol context update callbackPatrick McHardy2014-01-081-0/+4
| | | | | | | | | | | | | | | | | | | | Add a callback function to the expression ops to update the protocol context for relational protocol expressions (EXPR_F_PROTOCOL). Also set the EXPR_F_PROTOCOL flag for IIFTYPE meta expressions to make sure the callback is invoked when necessary. Signed-off-by: Patrick McHardy <kaber@trash.net>
* | nftables: generic procotol contextsPatrick McHardy2014-01-081-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently the context of higher layer protocols is specific to payload expressions with some special cases for meta IIFTYPE expressions. This approach has a few shortcomings, concretely there are more expression types which define upper layer protocols like the ct expression and two upcoming new types for the meta expression. Replace the payload context by a generic protocol context to deal with this. This patch just splits off the requires parts from the payload expression without any functional changes, the following patches will add further functionality for other expressions. Signed-off-by: Patrick McHardy <kaber@trash.net>
* | expr: replace PAYLOAD_PROTOCOL_EXPR by generic flagPatrick McHardy2014-01-081-2/+3
|/ | | | | | | Introduce a generic flag to indicate that an expression describes the upper layer protocol as replacement for the payload specific flag. Signed-off-by: Patrick McHardy <kaber@trash.net>
* expr: kill EXPR_F_PRIMARYPatrick McHardy2013-04-151-10/+3
| | | | | | Not used anymore, kill it. Signed-off-by: Patrick McHardy <kaber@trash.net>
* segtree: fix segtree to properly support mappingsPatrick McHardy2012-12-081-1/+1
| | | | | | | Requires to use proper types for keys and data and using the key values for reverse transformation. Signed-off-by: Patrick McHardy <kaber@trash.net>
* expression: Differentiate expr among anonymous structures in struct exprTomasz Bursztyka2012-08-031-2/+2
| | | | | | | This fixes compilation with gcc-4.7 Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* add support for new set API and standalone setsPatrick McHardy2009-07-281-2/+18
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* expressions: kill seperate sym_type datatype for symbolsPatrick McHardy2009-04-011-2/+1
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* expr: add support for cloning expressionsPatrick McHardy2009-03-201-0/+3
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* Add support for user-defined symbolic constantsPatrick McHardy2009-03-201-0/+2
| | | | | | | | | | | | | | | | | | User-defined constants can be used like this: define allowed_hosts = { 192.168.0.0/24, 10.0.0.20-10.0.0.30 } define udp_services = domain define tcp_services = { ssh, domain } ip saddr $allowed_hosts udp dport $udp_services counter accept ip saddr $allowed_hosts tcp dport $tcp_services counter accept Recursive definitions are possible, but currently not fully handled. Anything requiring transformations (sets using ranges) can not be used more than once currently since the expressions need to be COW'ed previously. Signed-off-by: Patrick McHardy <kaber@trash.net>
* Fix use of reserved names in header sandwichPatrick McHardy2009-03-181-3/+3
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* Initial commitv0.01-alpha1Patrick McHardy2009-03-181-0/+323