summaryrefslogtreecommitdiffstats
path: root/include
Commit message (Collapse)AuthorAgeFilesLines
* use new libnftnl library namePablo Neira Ayuso2014-01-201-5/+5
| | | | | | Adapt the current code to use the new library name libnftnl. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use ':' instead of '=>' in dictionariesPablo Neira Ayuso2014-01-161-1/+1
| | | | | | | | | | | | | Replace => by : to make it easier for most shell users, as > implies a redirection, let's avoid possible confusion that may result if you forget to escape it. This works fine if you don't forget to add space between the key and the value. If you forget to add the space, depending on the case, the scanner may recognize it correctly or process it as a string. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add new --debug=mnl option to enable libmnl debuggingPablo Neira Ayuso2014-01-161-0/+1
| | | | | | | This allows you to dump the netlink message that is send via libmnl. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: only use prefix expressions for ranges for selected datatypesPatrick McHardy2014-01-161-0/+7
| | | | | | | | | | | | | | | | | | | | | | It is uncommon to represent f.i. port number ranges as prefix expressions. Introduce a datatype DTYPE_F_PREFIX flag to indicate that the preferred representation of a range is a prefix and use it for segtree decomposition to decide whether to use a range or prefix expression. The ipaddr, ip6addr, mark and realm datatypes are changed to include the DTYPE_F_PREFIX flag. This fixes completely unreadable output in cases where the ranges are representable as prefixes, f.i. in case of port number: { 0/6 => jump chain1, 0/5 => jump chain2, 0/4 => continue} becomes: { 0-1023 => jump chain1, 1024-2047 => jump chain2, 2048-4095 => continue} Signed-off-by: Patrick McHardy <kaber@trash.net>
* segtree: add new segtree debugging optionPablo Neira Ayuso2014-01-151-0/+1
| | | | | | | | | Currently, nft displays the debugging information if it's compiled with --enable-debug (which seems a good idea) and when intervals are used in maps. Add a new option to enable debugging to segtree, so we only get this information when explicitly requested. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nftables: fix supression of "permission denied" errorsPatrick McHardy2014-01-091-1/+1
| | | | | | | | | | | | | | Introduction of batch support broke displaying of EPERM since those are generated by the kernel before batch processing starts and thus have the sequence number of the NFNL_MSG_BATCH_BEGIN message instead of the command messages. Also only a single error message is generated for the entire batch. This patch fixes this by noting the batch sequence number and displaying the error for all commands since this is what would happen if the permission check was inside batch processing as every other check. Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: operational limit matchPhil Oester2013-10-221-1/+0
| | | | | | | | | | | | | | | | | | | | The nft limit match currently does not work at all. Below patches to nftables, libnftables, and kernel address the issue. A few notes on the implementation: - Removed support for nano/micro/milli second limits. These seem pointless, given we are using jiffies in the limit match, not a hpet. And who really needs to limit items down to sub-second level?? - 'depth' member is removed as unnecessary. All we need in the kernel is the rate and the unit. - 'stamp' member becomes the time we need to next refresh the token bucket, instead of being updated on every packet which goes through the match. This closes netfilter bugzilla #827, reported by Eric Leblond. Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: cache a copy of nfnetlink.hTomasz Bursztyka2013-09-301-0/+64
| | | | | | | | | | | | | | | | | | | | If nft is compiled without nftables Linux kernel headers installed, we hit a compilation error: src/mnl.c: In function ‘mnl_batch_put’: src/mnl.c:117:16: error: ‘NFNL_SUBSYS_NFTABLES’ undeclared (first use in this function) src/mnl.c:117:16: note: each undeclared identifier is reported only once for each function it appears in src/mnl.c: In function ‘mnl_batch_begin’: src/mnl.c:125:16: error: ‘NFNL_MSG_BATCH_BEGIN’ undeclared (first use in this function) src/mnl.c: In function ‘mnl_batch_end’: src/mnl.c:130:16: error: ‘NFNL_MSG_BATCH_END’ undeclared (first use in this function) Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add rule batching supportPablo Neira Ayuso2013-09-233-0/+41
| | | | | | | | | | | | | | | | | | | | | | | This patch allows nft to put all rule update messages into one single batch that is sent to the kernel if `-f' option is used. In order to provide fine grain error reporting, I decided to to correlate the netlink message sequence number with the correspoding command sequence number, which is the same. Thus, nft can identify what rules trigger problems inside a batch and report them accordingly. Moreover, to avoid playing buffer size games at batch building stage, ie. guess what is the final size of the batch for this ruleset update will be, this patch collects batch pages that are converted to iovec to ensure linearization when the batch is sent to the kernel. This reduces the amount of unnecessary memory usage that is allocated for the batch. This patch uses the libmnl nlmsg batching infrastructure and it requires the kernel patch entitled (netfilter: nfnetlink: add batch support and use it from nf_tables). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: use uint32_t instead of size_t for attribute lengthPablo Neira Ayuso2013-09-191-2/+2
| | | | | | | According to libnftables change 437d610, now the length obtained via getter function is uint32_t, not size_t anymore. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Better error reporting if chain type is invalidTomasz Bursztyka2013-09-051-0/+1
| | | | | | | | | | | | | This patch verifies at command line parsing that given chain type is valid. Possibilities are: filter, nat, and route. nft add chain test test { type cheese hook input priority 0 }; <cmdline>:1:28-33: Error: unknown chain type cheese add chain test test { type cheese hook input priority 0 }; ^^^^^^ Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Wrap netfilter hooks around human readable stringsTomasz Bursztyka2013-09-041-0/+3
| | | | | | | | | | | | | | | | | | | This allows to use unique, human readable, hook names for the command line and let the user being unaware of the complex netfilter's hook names and there difference depending on the netfilter family. So: add chain foo bar { type route hook NF_INET_LOCAL_IN 0; } becomes: add chain foo bar { type route hook input 0; } It also fixes then the difference in hook values between families. I.e. ARP family has different values for input, forward and output compared to IPv4, IPv6 or bridge. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow to specify the base chain typePablo Neira Ayuso2013-08-271-0/+2
| | | | | | | | | | | | | | | | | | This patch allows you to specify the type of the base chain, eg. add table mangle add chain mangle OUTPUT { type route hook NF_INET_LOCAL_OUT 0; } The chain type determines the semantics of the chain, we currently have three types: * filter, used for plain packet filtering. * nat, it only sees the first packet of the flow. * route, which is the equivalent of the iptables mangle table, that triggers a re-route if there is any change in some of the packet header fields, eg. IP TOS/DSCP, or the packet metainformation, eg. mark. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nftables: add additional --numeric levelPhil Oester2013-08-221-0/+1
| | | | | | | | | | | | | | Personally, I like seeing ports and IPs numerically, but prefer protocols to be shown by name. As such, add a third --numeric level which will show protocols by number, splitting them out from ports. -n/--numeric When specified once, show network addresses numerically. When specified twice, also show Internet services, user IDs and group IDs numerically. When specified thrice, also show protocols numerically. Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* log: convert group and qthreshold to use u16Pablo Neira Ayuso2013-08-171-2/+2
| | | | | | | Required since (netfilter: nft_log: group and qthreshold are 2^16) kernel change. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Add icmpv6 supportEric Leblond2013-07-312-0/+16
| | | | | | | | | | This patch adds ICMPv6 support to nftables. It is now possible to write rules such as: nft add rule ip6 filter input icmpv6 type nd-router-advert accept Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Add support for insertion inside rule listEric Leblond2013-07-191-0/+2
| | | | | | | | | | | | | | This patch adds support to insert and to add rule using a rule handle as reference. The rule handle syntax has an new optional position field which take a handle as argument. Two examples: nft add rule filter output position 5 ip daddr 1.2.3.1 drop nft insert rule filter output position 5 ip daddr 1.2.3.1 drop Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use libnftablesPablo Neira Ayuso2013-06-243-25/+87
| | | | | | | | | | | | | | | | | | | | | | | | | This patch migrates nft to use the libnftables library, that is used by the iptables over nftables compat utility as well. Most of the conversion was pretty straight forward. Some small significant changes happened in the handling of set element and immediate data abstraction that libnl provides. libnftables is a bit more granular since it splits the struct nfnl_nft_data into three attributes: verdict, chain and plain data (used in maps). I have added a new file src/mnl.c that contains the low level netlink communication that now resides in nftables source tree instead of the library. This should help to implement the batching support using libmnl in follow up patches. I also spent some significant amount of time running my tests to make sure that we don't increase the number of bugs that we already have (I plan to provide a list of those that I have detected and diagnosed, so anyone else can help us to fix them). As a side effect, this change should also prepare the ground for JSON and XML support anytime soon. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: family field in struct handle is unsignedPablo Neira Ayuso2013-06-241-1/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: get it sync with current include/linux/netfilter/nf_tables.hPablo Neira Ayuso2013-06-241-4/+44
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: concat expression only releases dynamically allocated datatypePablo Neira Ayuso2013-06-081-1/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Eric Leblond reports a crash with the following invalid command: nft add rule global filter ip daddr . tcp dport { 192.168.0.1 . 22\; 192.168.0.3 . 89 } drop Note that the semicolon is incorrect in that concatenation, it should be a comma. The backtrace shows: (gdb) bt #0 0x00007ffff6f39295 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56 #1 0x00007ffff6f3c438 in __GI_abort () at abort.c:90 #2 0x00007ffff6f7486b in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff7070d28 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:199 #3 0x00007ffff6f7eac6 in malloc_printerr (action=3, str=0x7ffff706ccca "free(): invalid pointer", ptr=<optimized out>) at malloc.c:4902 #4 0x00007ffff6f7f843 in _int_free (av=<optimized out>, p=0x428530, have_lock=0) at malloc.c:3758 #5 0x000000000041aae8 in xfree (ptr=0x428540 <invalid_type>) at src/utils.c:29 #6 0x000000000040bc43 in concat_type_destroy (dtype=0x428540 <invalid_type>) at src/datatype.c:690 #7 0x000000000040cebf in concat_expr_destroy (expr=0x643b90) at src/expression.c:571 [...] It's trying to release 'invalid_type', which was not dynamically allocated. Note that before the evaluation step, the invalid type is attached to the expressions. Since nftables allocates a dynamic datatype for concatenations in case that needs to be released in the exit path. All datatypes except this, are allocated in the BSS. Since we have no way to differenciate between these two, add a flag so we can recognize dynamically allocated datatypes. While at it, rename dtype->type from enum to explicit uint32_t, as it is used to store the concatenation type mask as well. Reported-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: add flag to display rule handle as commentEric Leblond2013-05-311-0/+1
| | | | | | | | | | | Knowing the rule handle is necessary to be able to delete a single rule. It was not displayed till now in the output and it was thus impossible to remove a single rule. This patch modify the listing output to add a comment containing the handle when the -a/--handle flag is provided. Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cli: complete basic functionality of the interactive modePablo Neira Ayuso2013-05-191-1/+3
| | | | | | | | | | This patch adds missing code to get basic interactive mode operative via `nft -i', including parsing, evaluation, command execution via netlink and error reporting. Autocomplete is not yet implemented. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cmd/netlink: make sure we always have a location in netlink operationsPatrick McHardy2013-04-182-18/+40
| | | | | | Improve error reporting by always using a location in netlink operations. Signed-off-by: Patrick McHardy<kaber@trash.net>
* expr: fix concat expression type propagationPatrick McHardy2013-04-181-0/+9
| | | | | Dynamically instantiate a data type to represent all types of a concatenation and use that for type propagation.
* types: add ethernet address typePatrick McHardy2013-04-181-0/+3
| | | | | | | | Add a new type for ethernet addresses. This is needed since for concatenations we need fixed sized data types, the generic link layer address doesn't have a fixed length. Signed-off-by: Patrick McHardy <kaber@trash.net>
* expr: kill EXPR_F_PRIMARYPatrick McHardy2013-04-151-10/+3
| | | | | | Not used anymore, kill it. Signed-off-by: Patrick McHardy <kaber@trash.net>
* rule: add rule insertion (prepend) supportPatrick McHardy2012-12-142-1/+3
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* chains: add chain rename supportPatrick McHardy2012-12-142-0/+6
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* rules: change rule handle to 64 bitPatrick McHardy2012-12-091-1/+1
| | | | | | Recent kernel versions are using 64 bit for the rule handle. Signed-off-by: Patrick McHardy <kaber@trash.net>
* segtree: fix segtree to properly support mappingsPatrick McHardy2012-12-081-1/+1
| | | | | | | Requires to use proper types for keys and data and using the key values for reverse transformation. Signed-off-by: Patrick McHardy <kaber@trash.net>
* debug: include verbose message in all BUG statementsroot2012-12-081-1/+5
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* expression: Differentiate expr among anonymous structures in struct exprTomasz Bursztyka2012-08-031-2/+2
| | | | | | | This fixes compilation with gcc-4.7 Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: fix creation of base chains with hooknum and priority 0Patrick McHardy2010-07-061-0/+11
| | | | | | | | Base chains with both a hook number and priority of zero are created as regular chains. Fix by adding a BASECHAIN flag indicating that the chain should be created as a base chain. Signed-off-by: Patrick McHardy <kaber@trash.net>
* debug: properly parse debug levelsPatrick McHardy2010-07-061-1/+4
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* payload: add DCCP packet type definitionsPatrick McHardy2009-07-283-0/+17
| | | | | | | | | | | | | | | | | | | # nft describe dccp type payload expression, datatype dccp_pkttype (DCCP packet type) (basetype integer), 4 bits pre-defined symbolic constants: request 0x0 response 0x1 data 0x2 ack 0x3 dataack 0x4 closereq 0x5 close 0x6 reset 0x7 sync 0x8 syncack 0x9 Signed-off-by: Patrick McHardy <kaber@trash.net>
* debug: allow runtime control of debugging outputPatrick McHardy2009-07-281-0/+5
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* add support for new set API and standalone setsPatrick McHardy2009-07-284-56/+421
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* expressions: kill seperate sym_type datatype for symbolsPatrick McHardy2009-04-011-2/+1
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* datatype: add/move size and byte order information into data typesPatrick McHardy2009-03-311-5/+7
| | | | | | | | | | Add size and type information to non-basetype types and remove the now redundant information from the symbol tables. This will be used to determine size and byteorder of set members without analyzing the ruleset for incremental update operations. Signed-off-by: Patrick McHardy <kaber@trash.net>
* datatype: maintain table of all datatypes and add registration/lookup functionPatrick McHardy2009-03-311-1/+9
| | | | | | | | | | | Add a table containing all available datatypes and registration/lookup functions. This will be used to associate a stand-alone set in the kernel with the correct type without parsing the entire ruleset. Additionally it would now be possible to remove the global declarations for the core types. Not done yet though. Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink: move data related functions to netlink.cPatrick McHardy2009-03-311-0/+11
| | | | | | | Move the data related function to netlink.c as they're going to be needed outside of rule context for set maintenance. Signed-off-by: Patrick McHardy <kaber@trash.net>
* ct: resync netlink header and properly add ct l3protocol supportPatrick McHardy2009-03-311-3/+4
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* Release scopes during cleanupPatrick McHardy2009-03-201-0/+1
| | | | | | Properly release the user-defined symbols. Signed-off-by: Patrick McHardy <kaber@trash.net>
* expr: add support for cloning expressionsPatrick McHardy2009-03-201-0/+3
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* Add support for user-defined symbolic constantsPatrick McHardy2009-03-201-0/+2
| | | | | | | | | | | | | | | | | | User-defined constants can be used like this: define allowed_hosts = { 192.168.0.0/24, 10.0.0.20-10.0.0.30 } define udp_services = domain define tcp_services = { ssh, domain } ip saddr $allowed_hosts udp dport $udp_services counter accept ip saddr $allowed_hosts tcp dport $tcp_services counter accept Recursive definitions are possible, but currently not fully handled. Anything requiring transformations (sets using ranges) can not be used more than once currently since the expressions need to be COW'ed previously. Signed-off-by: Patrick McHardy <kaber@trash.net>
* Add support for scoping and symbol bindingPatrick McHardy2009-03-202-0/+41
| | | | | | | | | | | | As a first step towards stand-alone sets, add support for scoping and binding symbols. This will be used for user-defined constants, as well as declarations of modifiable (stand-alone) sets once the kernel side is ready. Scopes are currently limited to three nesting levels: the global scope, table block scopes and chain block scopes. Signed-off-by: Patrick McHardy <kaber@trash.net>
* Fix use of reserved names in header sandwichPatrick McHardy2009-03-1816-48/+48
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* Initial commitv0.01-alpha1Patrick McHardy2009-03-1826-0/+3259