path: root/include
Commit message [Author, Age, Files, Lines]
* include: linux: netfilter: nf_tables: copy file from nf-next [Manuel Messner, 2017-02-12, 1 file, -1/+16]

    Signed-off-by: Manuel Messner <mm@skelett.io>
    Signed-off-by: Florian Westphal <fw@strlen.de>
* src: Allow reset single stateful object [Elise Lennion, 2017-01-27, 2 files, -3/+4]

    Currently the stateful objects can only be reset in groups. With this
    patch resetting a single object is allowed:

    $ nft reset counter filter https-traffic
    table ip filter {
            counter https-traffic {
                    packets 8774 bytes 542668
            }
    }
    $ nft list counter filter https-traffic
    table ip filter {
            counter https-traffic {
                    packets 0 bytes 0
            }
    }

    Heavily based on work from Pablo Neira Ayuso <pablo@netfilter.org>.

    Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Honor obligatory stateless printing of flow tables [Elise Lennion, 2017-01-23, 1 file, -1/+1]

    Always print flow statement as stateless expressions, given that this
    just defines the flow table statement instance that is allocated per
    entry.

    Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
* src: Allow to list ruleset without stateful information [Elise Lennion, 2017-01-16, 1 file, -0/+1]

    Currently only counter and quota have stateful information. For named
    counters, packets and bytes are displayed as 0.

    Standard list ruleset:

    table ip filter {
            counter https {
                    packets 161942 bytes 10253353
            }

            chain output {
                    type filter hook output priority 0; policy accept;
                    counter name tcp dport map { https : "https"}
                    tcp dport https counter packets 171211 bytes 10869045
                    tcp dport https quota 25 mbytes used 10 mbytes
            }
    }

    With stateless option, -s:

    table ip filter {
            counter https {
                    packets 0 bytes 0
            }

            chain output {
                    type filter hook output priority 0; policy accept;
                    counter name tcp dport map { https : "https"}
                    tcp dport https counter
                    tcp dport https quota 25 mbytes
            }
    }

    Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: add average bytes per packet counter support [Liping Zhang, 2017-01-16, 1 file, -0/+5]

    Similar to connbytes extension in iptables, now you can use it to match
    average bytes per packet a connection has transferred so far.

    For example, match avgpkt in "BOTH" direction:
      # nft add rule x y ct avgpkt \> 100

    Match avgpkt in reply direction:
      # nft add rule x y ct reply avgpkt \< 900

    Or match avgpkt in original direction:
      # nft add rule x y ct original avgpkt \> 200

    Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: sort set elements in netlink_get_setelems() [Elise Lennion, 2017-01-10, 1 file, -0/+1]

    So users can better track their ruleset via git. Without sorting, the
    elements can be listed in a different order every time the set is
    created, generating unnecessary git changes.

    Mergesort is used. Doesn't sort sets with 'flags interval' set on.

    Pablo appends to this changelog description:

    Currently these interval set elements are dumped in order. We'll likely
    get new representations soon that may not guarantee this anymore, so
    let's revisit this later in case we need it.

    Without this patch, nft list ruleset with a set containing 40000
    elements takes on my laptop:

    real    0m2.742s
    user    0m0.112s
    sys     0m0.280s

    With this patch:

    real    0m2.846s
    user    0m0.180s
    sys     0m0.284s

    Difference is small, so don't get nft more complicated with yet another
    getopt() option, enable this by default.

    Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for stateful object monitoring [Pablo Neira Ayuso, 2017-01-03, 1 file, -0/+3]

    This patch extends the event monitoring infrastructure to catch events
    of addition and removal of stateful objects.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for stateful object maps [Pablo Neira Ayuso, 2017-01-03, 1 file, -0/+2]

    You can create these maps using explicit map declarations:

    # nft add table filter
    # nft add chain filter input { type filter hook input priority 0\; }
    # nft add map filter badguys { type ipv4_addr : counter \; }
    # nft add rule filter input counter name ip saddr map @badguys
    # nft add counter filter badguy1
    # nft add counter filter badguy2
    # nft add element filter badguys { 192.168.2.3 : "badguy1" }
    # nft add element filter badguys { 192.168.2.4 : "badguy2" }

    Or through implicit map definitions:

    table ip filter {
            counter http-traffic {
                    packets 8 bytes 672
            }

            chain input {
                    type filter hook input priority 0; policy accept;
                    counter name tcp dport map { 80 : "http-traffic", 443 : "http-traffic"}
            }
    }

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add stateful object reference expression [Pablo Neira Ayuso, 2017-01-03, 1 file, -0/+10]

    This patch adds a new objref statement to refer to existing stateful
    objects from rules, e.g.

    # nft add rule filter input counter name test counter

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: reset internal stateful objects [Pablo Neira Ayuso, 2017-01-03, 3 files, -3/+8]

    This patch allows you to atomically dump and reset stateful objects,
    e.g.

    # nft list counters
    table ip filter {
            counter test {
                    packets 1024 bytes 100000
            }
    }
    # nft reset quotas table filter
    counter test {
            packets 1024 bytes 100000
    }
    # nft reset quotas table filter
    counter test {
            packets 0 bytes 0
    }

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add/create/delete stateful objects [Pablo Neira Ayuso, 2017-01-03, 3 files, -1/+12]

    This patch allows you to add and to delete objects, e.g.

    # nft add quota filter test 1234567 bytes
    # nft list quotas
    table ip filter {
            quota test {
                    1234567 bytes
            }
    }
    # nft delete quota filter test

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: listing of stateful objects [Pablo Neira Ayuso, 2017-01-03, 4 files, -0/+60]

    This patch allows you to dump existing stateful objects, e.g.

    # nft list ruleset
    table ip filter {
            counter test {
                    packets 64 bytes 1268
            }

            quota test {
                    over 1 mbytes used 1268 bytes
            }

            chain input {
                    type filter hook input priority 0; policy accept;
                    quota name test drop
                    counter name test
            }
    }
    # nft list quotas
    table ip filter {
            quota test {
                    over 1 mbytes used 1268 bytes
            }
    }
    # nft list counters
    table ip filter {
            counter test {
                    packets 64 bytes 1268
            }
    }

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add used quota support [Pablo Neira Ayuso, 2017-01-03, 1 file, -0/+1]

    table ip x {
            chain y {
                    type filter hook forward priority 0; policy accept;
                    quota over 200 mbytes used 1143 kbytes drop
            }
    }

    This patch allows us to list and to restore used quota.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove SET_F_* flag definitions [Pablo Neira Ayuso, 2017-01-03, 1 file, -15/+0]

    They map exactly one to one to what we have in the kernel headers, so
    use kernel definitions instead.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: fetch nf_tables.h updates [Pablo Neira Ayuso, 2017-01-03, 1 file, -0/+64]

    Get header in sync with recent updates.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: provide array allocation wrapper [Oleksandr Natalenko, 2017-01-03, 1 file, -0/+1]

    This will be used for allocating memory for arrays in heap instead of
    keeping them on stack.

    Signed-off-by: Oleksandr Natalenko <oleksandr@natalenko.name>
    Signed-off-by: Florian Westphal <fw@strlen.de>
* include: Missing noinst_HEADERS updates (tag: v0.7) [Pablo Neira Ayuso, 2016-12-20, 2 files, -1/+6]

    From recent updates, otherwise make distcheck breaks.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mnl: add mnl_nft_setelem_batch_flush() and use it from netlink_flush_setelems() [Pablo Neira Ayuso, 2016-12-20, 1 file, -0/+2]

    Commit 8bd99f2fca7e ("mnl: don't send empty set elements netlink
    message to kernel") broke set flush because we still need to send the
    netlink message with no elements to flush sets.

    To avoid more whack-a-mole games, add a new explicit function
    mnl_nft_setelem_batch_flush() that is used to request a set flush,
    instead of reusing the one that allows us to explicitly delete given
    set elements.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: Display pre-defined inet_service values in decimal base [Elise Lennion, 2016-12-11, 1 file, -1/+13]

    because the convention is to represent ports in base 10.

    gcc-workaround is no longer needed and was removed.

    Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: Display pre-defined inet_service values in host byte order [Elise Lennion, 2016-12-10, 1 file, -1/+2]

    nft describe displays, to the user, which values are available for a
    selector, then the values should be in host byte order.

    Variable size was replaced by len to better match the common pattern.

    Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Fixes: ccc5da470e76 ("datatype: Replace getnameinfo() by internal lookup table")
    Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support to flush sets [Pablo Neira Ayuso, 2016-12-05, 1 file, -0/+2]

    You can use this new command to remove all existing elements in a set:

    # nft flush set filter xyz

    After this command, the set 'xyz' in table 'filter' becomes empty.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: trigger layer 4 checksum when pseudoheader fields are modified [Pablo Neira, 2016-12-04, 2 files, -0/+8]

    This patch sets the NFT_PAYLOAD_L4CSUM_PSEUDOHDR when any of the
    pseudoheader fields are modified. This implicitly enables stateless
    NAT, that can be useful under some circumstances.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: Introduce helper function cache_flush [Anatole Denis, 2016-12-01, 1 file, -0/+1]

    cache_release empties the cache, and marks it as uninitialized. Add
    cache_flush, which does the same, except it keeps the cache
    initialized, e.g. after a "nft flush ruleset" when empty is the correct
    state of the cache.

    Signed-off-by: Anatole Denis <anatole@rezel.net>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: Replace getnameinfo() by internal lookup table [Elise Lennion, 2016-11-30, 1 file, -0/+2]

    To avoid exceeding the inputs number limit of the flex scanner used,
    when calling getnameinfo() in inet_service_type_print().

    The new symbol_table was associated with inet_service_type, to enable
    listing all pre-defined services using nft command line tool.

    The listed services are all well-known and registered ports of my local
    /etc/services file, from Ubuntu 16.04.

    Service numbers are converted to respect network byte order.

    Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add log flags syntax support [Liping Zhang, 2016-11-24, 2 files, -0/+13]

    Now NF_LOG_XXX is exposed to the userspace, we can set it explicitly.
    Like iptables LOG target, we can log TCP sequence numbers, TCP options,
    IP options, UID owning local socket and decode MAC header.

    Note the log flags are mutually exclusive with group.

    Some examples are listed below:

    # nft add rule t c log flags tcp sequence,options
    # nft add rule t c log flags ip options
    # nft add rule t c log flags skuid
    # nft add rule t c log flags ether
    # nft add rule t c log flags all
    # nft add rule t c log flags all group 1
    <cmdline>:1:14-16: Error: flags and group are mutually exclusive
    add rule t c log flags all group 1
                 ^^^

    Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: refresh nf_tables.h header [Pablo Neira Ayuso, 2016-11-24, 1 file, -4/+12]

    Fetch what we have at 4.9-rc6.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add notrack support [Pablo Neira Ayuso, 2016-11-14, 2 files, -0/+5]

    This patch adds the notrack statement, to skip connection tracking for
    certain packets.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add offset attribute for hash expression [Laura Garcia Liebana, 2016-11-09, 3 files, -1/+5]

    Add support to add an offset to the hash generator, e.g.

    ct mark set hash ip saddr mod 10 offset 100

    This will generate marks with series between 100-109.

    Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add fib expression [Florian Westphal, 2016-10-28, 4 files, -0/+51]

    This adds the 'fib' expression which can be used to obtain the output
    interface from the route table based on either source or destination
    address of a packet.

    This can be used to e.g. add reverse path filtering:

    # drop if not coming from the same interface packet arrived on
    # nft add rule x prerouting fib saddr . iif oif eq 0 drop

    # accept only if from eth0
    # nft add rule x prerouting fib saddr . iif oif eq "eth0" accept

    # accept if from any valid interface
    # nft add rule x prerouting fib saddr oif accept

    Querying of address type is also supported. This can be used to e.g.
    only accept packets to addresses configured in the same interface:

    # fib daddr . iif type local

    It's also possible to use mark and verdict map, e.g.:

    # nft add rule x prerouting meta mark set 0xdead fib daddr . mark type vmap { blackhole : drop, prohibit : drop, unicast : accept }

    Signed-off-by: Florian Westphal <fw@strlen.de>
* rt: introduce routing expression [Anders K. Pedersen, 2016-10-28, 3 files, -0/+67]

    Introduce rt expression for routing related data with support for
    nexthop (i.e. the directly connected IP address that an outgoing packet
    is sent to), which can be used either for matching or accounting, e.g.

    # nft add rule filter postrouting \
            ip daddr 192.168.1.0/24 rt nexthop != 192.168.0.1 drop

    This will drop any traffic to 192.168.1.0/24 that is not routed via
    192.168.0.1.

    # nft add rule filter postrouting \
            flow table acct { rt nexthop timeout 600s counter }
    # nft add rule ip6 filter postrouting \
            flow table acct { rt nexthop timeout 600s counter }

    These rules count outgoing traffic per nexthop. Note that the timeout
    releases an entry if no traffic is seen for this nexthop within 10
    minutes.

    # nft add rule inet filter postrouting \
            ether type ip \
            flow table acct { rt nexthop timeout 600s counter }
    # nft add rule inet filter postrouting \
            ether type ip6 \
            flow table acct { rt nexthop timeout 600s counter }

    Same as above, but via the inet family, where the ether type must be
    specified explicitly.

    "rt classid" is also implemented identically to "meta rtclassid", since
    it is more logical to have this match in the routing expression going
    forward.

    Signed-off-by: Anders K. Pedersen <akp@cohaesio.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: allow resolving meta keys at run time [Florian Westphal, 2016-10-27, 1 file, -0/+4]

    Use the meta template to translate the textual token to the enum value.

    This allows removing two keywords from the scanner and also means we do
    not need to introduce new keywords when more meta keys get added.

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: allow resolving ct keys at run time [Florian Westphal, 2016-10-27, 1 file, -0/+2]

    ... and remove those keywords we no longer need.

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: provide snprintf helper macro [Florian Westphal, 2016-10-27, 1 file, -0/+10]

    Lifted from libnftnl, except that we will abort on snprintf errors.

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add offset attribute for numgen expression [Laura Garcia Liebana, 2016-10-27, 3 files, -1/+5]

    Add support to add an offset to the numgen generated value.

    Example:

    ct mark set numgen inc mod 2 offset 100

    This will generate marks with a series like 100, 101, 100, ...

    Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use new range expression for != [a,b] intervals [Pablo Neira Ayuso, 2016-10-17, 1 file, -0/+29]

    Use new range expression in the kernel to fix wrong bytecode
    generation. This patch also adjusts tests so we don't hit problems
    there.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix compile error due to _UNTIL renamed to _MODULUS in libnftnl [Liping Zhang, 2016-09-12, 1 file, -2/+2]

    In the latest libnftnl, NFTNL_EXPR_NG_UNTIL was renamed to
    NFTNL_EXPR_NG_MODULUS, so compile error happened:

    netlink_linearize.c: In function ‘netlink_gen_numgen’:
    netlink_linearize.c:184:26: error: ‘NFTNL_EXPR_NG_UNTIL’ undeclared (first use in this function)

    Also update NFTA_NG_UNTIL to NFTA_NG_MODULUS.

    Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: validate maximum hash and numgen value [Pablo Neira Ayuso, 2016-08-29, 1 file, -2/+6]

    We can validate that values don't get over the maximum datatype length,
    this is expressed in number of bits, so the maximum value is always
    power of 2. However, since we got the hash and numgen expressions, the
    user should not set a value higher than what the specified modulus
    option allows, which may not be power of 2.

    This patch extends the expression context with a new optional field to
    store the maximum value.

    After this patch, nft bails out if the user specifies nonsense rules
    like those below:

    # nft add rule x y jhash ip saddr mod 10 seed 0xa 10
    <cmdline>:1:45-46: Error: Value 10 exceeds valid range 0-9
    add rule x y jhash ip saddr mod 10 seed 0xa 10
                                                ^^

    The modulus sets a valid value range of [0, n), so n is out of the
    valid value range.

    # nft add rule x y numgen inc mod 10 eq 12
    <cmdline>:1:35-36: Error: Value 12 exceeds valid range 0-9
    add rule x y numgen inc mod 10 eq 12
                                      ^^

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add hash expression [Pablo Neira Ayuso, 2016-08-29, 2 files, -0/+16]

    This is a special expression that transforms an input expression into a
    32-bit unsigned integer. This expression takes a modulus parameter to
    scale the result and the random seed so the hash result becomes harder
    to predict.

    You can use it to set the packet mark, e.g.

    # nft add rule x y meta mark set jhash ip saddr . ip daddr mod 2 seed 0xdeadbeef

    You can combine this with maps too, e.g.

    # nft add rule x y dnat to jhash ip saddr mod 2 seed 0xdeadbeef map { \
            0 : 192.168.20.100, \
            1 : 192.168.30.100 \
      }

    Currently, this expression implements the Jenkins hash implementation
    available in the Linux kernel:

    http://lxr.free-electrons.com/source/include/linux/jhash.h

    But it should be possible to extend it to support any other hash
    function type.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add numgen expression [Pablo Neira Ayuso, 2016-08-29, 3 files, -0/+16]

    This new expression allows us to generate incremental and random
    numbers bound to a specified modulus value.

    The following rule sets the conntrack mark of 0 to the first packet
    seen, then 1 to second packet, then 0 again to the third packet and so
    on:

    # nft add rule x y ct mark set numgen inc mod 2

    A more useful example is a simple load balancing scenario, where you
    can also use maps to set the destination NAT address based on this new
    numgen expression:

    # nft add rule nat prerouting \
            dnat to numgen inc mod 2 map { 0 : 192.168.10.100, 1 : 192.168.20.200 }

    So this is distributing new connections in a round-robin fashion
    between 192.168.10.100 and 192.168.20.200. Don't forget the special NAT
    chain semantics: Only the first packet evaluates the rule, follow up
    packets rely on conntrack to apply the NAT information.

    You can also emulate flow distribution with different backend weights
    using intervals:

    # nft add rule nat prerouting \
            dnat to numgen inc mod 10 map { 0-5 : 192.168.10.100, 6-9 : 192.168.20.200 }

    So 192.168.10.100 gets 60% of the workload, while 192.168.20.200 gets
    40%.

    This can also be mixed with dynamic sets, thus weight can be updated in
    runtime.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add quota statement [Pablo Neira Ayuso, 2016-08-29, 1 file, -0/+10]

    This new statement is stateful, so it can be used from flow tables,
    e.g.

    # nft add rule filter input \
            flow table http { ip saddr timeout 60s quota over 50 mbytes } drop

    This basically sets a quota per source IP address of 50 mbytes after
    which packets are dropped. Note that the timeout releases the entry if
    no traffic is seen from this IP after 60 seconds.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: refresh uapi/linux/netfilter/nf_tables.h copy [Pablo Neira Ayuso, 2016-08-26, 1 file, -1/+79]

    Fetch incremental updates on this file.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: create element command [Pablo Neira Ayuso, 2016-08-25, 1 file, -1/+1]

    This patch adds the create command, that sends the NLM_F_EXCL flag so
    nf_tables bails out if the element already exists, e.g.

    # nft add element x y { 1.1.1.1 }
    # nft create element x y { 1.1.1.1 }
    <cmdline>:1:1-31: Error: Could not process rule: File exists
    create element x y { 1.1.1.1 }
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

    This update requires nf_tables kernel patches to honor the NLM_F_EXCL.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add create set command [Pablo Neira Ayuso, 2016-08-24, 1 file, -1/+1]

    Add support for the 'create' command, we already support this in other
    existing objects, so support this for sets too, e.g.

    # nft add set x y { type ipv4_addr\; }
    # nft create set x y { type ipv4_addr\; }
    <cmdline>:1:1-35: Error: Could not process rule: File exists
    create set x y { type ipv4_addr; }
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    # nft add set x y { type ipv4_addr\; }
    #

    This command sets the NLM_F_EXCL netlink flag, so if the object already
    exists, nf_tables returns -EEXIST.

    This is changing the existing behaviour of 'nft add set' which was
    setting this flag, this is inconsistent with regards to the way other
    objects behave.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename datatype name from tc_handle to classid [Pablo Neira Ayuso, 2016-08-18, 1 file, -2/+2]

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: quote user-defined strings when used from rule selectors [Pablo Neira Ayuso, 2016-08-18, 1 file, -1/+1]

    The following selectors display strings using quotes:

    * meta iifname
    * meta oifname
    * meta ibriport
    * meta obriport

    However, the following do not:

    * meta oif
    * meta iif
    * meta skuid
    * meta skgid
    * meta iifgroup
    * meta oifgroup
    * meta rtclassid
    * ct label

    Given they refer to user-defined values, neither keywords nor internal
    built-in known values, let's quote the output of this.

    This patch modifies symbolic_constant_print() so we can signal this to
    indicate if the string needs to be quoted.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* payload: print base and raw values for unknown payloads [Florian Westphal, 2016-08-01, 1 file, -0/+1]

    We currently print 'unknown' rather than the raw offset values for
    unrecognized header values.

    If it's unknown, prefer to print

    payload @nh,0,16 set payload @nh,0,16

    rather than 'unknown'.

    Also add a helper to check if payload expression has a description
    assigned to it.

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add xt compat support [Pablo Neira Ayuso, 2016-07-13, 3 files, -0/+111]

    At compilation time, you have to pass this option.

    # ./configure --with-xtables

    And libxtables needs to be installed in your system.

    This patch allows listing a ruleset containing xt extensions loaded
    through iptables-compat-restore tool. Example:

    $ iptables-save > ruleset
    $ cat ruleset
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -p tcp -m multiport --dports 80,81 -j REJECT
    COMMIT
    $ sudo iptables-compat-restore ruleset
    $ sudo nft list ruleset
    table ip filter {
            chain INPUT {
                    type filter hook input priority 0; policy accept;
                    ip protocol tcp tcp dport { 80,81} counter packets 0 bytes 0 reject
            }

            chain FORWARD {
                    type filter hook forward priority 0; policy drop;
            }

            chain OUTPUT {
                    type filter hook output priority 0; policy accept;
            }
    }

    A translation of the extension is shown if this is available.
    Otherwise, match or target definition is preceded by a hash. For
    example, classify target has no translation:

    $ sudo nft list chain mangle POSTROUTING
    table ip mangle {
            chain POSTROUTING {
                    type filter hook postrouting priority -150; policy accept;
                    ip protocol tcp tcp dport 80 counter packets 0 bytes 0 # CLASSIFY set 20:10
                                                                           ^^^
            }
    }

    If the whole ruleset is translatable, the users can (re)load it using
    "nft -f" and get nft native support for all their rules.

    This patch is joint work by the authors listed below.

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: expose delinearize/linearize structures and stmt_error() [Pablo Neira, 2016-07-13, 2 files, -0/+26]

    Needed by the follow up xt compatibility layer patch.

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: cache ip_tables.h, ip6_tables.h, arp_tables.h and ebtables.h [Pablo Neira Ayuso, 2016-07-13, 9 files, -1/+972]

    The xt over nft support that comes in follow up patches needs this;
    also update the corresponding Makefile.am.

    Based on patch from Arturo Borrero Gonzalez.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: time_type should send milliseconds to userspace [Pablo Neira Ayuso, 2016-07-09, 1 file, -0/+1]

    Kernel expects milliseconds, so fix this datatype to use milliseconds
    instead of seconds.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>