summaryrefslogtreecommitdiffstats
path: root/src/ct.c
Commit message (Collapse)AuthorAgeFilesLines
* src: support zone set statement with optional directionFlorian Westphal2017-02-281-2/+5
| | | | | | | | | | | | nft automatically understands 'ct zone set 1' but when a direction is specified too we get a parser error since they are currently only allowed for plain ct expressions. This permits the existing syntax ('ct original zone') for all tokens with an optional direction also for set statements. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: refactor print function so it can be re-used for ct statementFlorian Westphal2017-02-281-4/+9
| | | | | | | | | Once directional zone support is added we also need to print the direction of the statement, so factor the common code to re-use this helper from the statement print function. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add conntrack zone supportFlorian Westphal2017-02-281-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This enables zone get/set support. As the zone can be optionally tied to a direction as well we need a new token for this (unless we turn reply/original into tokens in which case we could handle zone via STRING). There was some discussion on how zone set support should be handled, especially 'zone set 1'. There are several issues to consider: 1. its not possible to change a zone 'later on', any given conntrack flow has exactly one zone for its entire lifetime. 2. to create conntracks in a given zone, the zone therefore has to be assigned *before* the packet gets picked up by conntrack (so that lookup finds the correct existing flow or the flow is created with the desired zone id). In iptables, this is enforced because zones are assigned with CT target and this is restricted to the 'raw' table in iptables, which runs after defragmentation but before connection tracking. 3. Thus, in nftables the 'ct zone set' rule needs to hook before conntrack too, e.g. via table raw { chain pre { type filter hook prerouting priority -300; iif eth3 ct zone set 23 } chain out { type filter hook output priority -300; oif eth3 ct zone set 23 } } ... but this is not enforced. There were two alternatives to better document this. One was to use an explicit 'template' keyword: nft ... template zone set 23 ... but 'connection tracking templates' are a kernel detail that users should not and need not know about. The other one was to use the meta keyword instead since we're (from a practical point of view) assigning the zone to the packet, not the conntrack: nft ... meta zone set 23 However, next patch also supports 'directional' zones, and nft ... meta original zone 23 makes no sense because 'direction' refers to a direction as understood by the connection tracker. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: add average bytes per packet counter supportLiping Zhang2017-01-161-0/+2
| | | | | | | | | | | | | | | | | Similar to connbytes extension in iptables, now you can use it to match average bytes per packet a connection has transferred so far. For example, match avgpkt in "BOTH" diretion: # nft add rule x y ct avgpkt \> 100 Match avgpkt in reply direction: # nft add rule x y ct reply avgpkt \< 900 Or match avgpkt in original direction: # nft add rule x y ct original avgpkt \> 200 Signed-off-by: Liping Zhang <zlpnobody@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expression: Show the base which pre-defined constants are displayedElise Lennion2016-12-201-0/+3
| | | | | | | | | | so the user know how we express it. The base was added to all symbol tables, which are associated with datatype->sym_tbl, so they are displayed in the right base. Signed-off-by: Elise Lennion <elise.lennion@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add notrack supportPablo Neira Ayuso2016-11-141-0/+16
| | | | | | | This patch adds the notrack statement, to skip connection tracking for certain packets. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: allow resolving ct keys at run timeFlorian Westphal2016-10-271-0/+35
| | | | | | | ... and remove those keywords we no longer need. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: display bit number instead of raw valueFlorian Westphal2016-08-221-1/+1
| | | | | | | | | | ... and add test cases for ct label. Currently this dumped 'label 0x2', now 'label 1' would be shown. This makes add/list behave the same. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: allow numeric conntrack labelsFlorian Westphal2016-08-221-8/+22
| | | | | | | | | | | | | | | When dumping labels in rule list we try to print a symbolic name. If we don't find one, we print the bit number instead. This changes nft to also allow use of the number instead of a name when adding ct label rules so that such dumps can also be restored again. This is similar to other cases, e.g. skuid root vs skuid 0 which are both valid. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: quote user-defined strings when used from rule selectorsPablo Neira Ayuso2016-08-181-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | The following selectors display strings using quotes: * meta iifname * meta oifname * meta ibriport * meta obriport However, the following do not: * meta oif * meta iif * meta skuid * meta skgid * meta iifgroup * meta oifgroup * meta rtclassid * ct label Given they refer to user-defined values, neither keywords nor internal built-in known values, let's quote the output of this. This patch modifies symbolic_constant_print() so we can signal this to indicate if the string needs to be quoted. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: release ct_label table on exitPablo Neira Ayuso2016-08-171-0/+5
| | | | | | | Just like we do with other symbol tables. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Florian Westphal <fw@strlen.de>
* ct: add missing slash to connlabel pathPablo Neira Ayuso2016-08-171-1/+1
| | | | | | | | | | | | If I configure nftables via: ./configure --prefix=/usr the connlabel path breaks due to missing slash, so append this after DEFAULT_INCLUDE_PATH. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Florian Westphal <fw@strlen.de>
* ct: use nftables sysconf location for connlabel configurationFlorian Westphal2016-07-211-2/+5
| | | | | | | | | | | | Instead of using /etc/xtables use the nftables syconfdir. Also update error message to tell which label failed translation and which config file was used for this: nft add filter input ct label foo <cmdline>:1:27-29: Error: /etc/nftables/connlabel.conf: could not parse conntrack label "foo" Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* ct: add packet/byte counter supportFlorian Westphal2015-12-121-0/+4
| | | | | | | | | | | | | | | | | packets and bytes need special treatment -- we want to be able to get packet/byte counter in either direction, but also express 'fetch in *BOTH* directions', i.e. ct packets original + ct packets reply > 1000 This either requires a '+' expression, a new 'both' direction, or keys where direction is optional, i.e. ct packets > 12345 ; original + reply ct original packets > 12345 ; original Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: swap key and direction in ct_dir syntaxFlorian Westphal2016-01-071-7/+6
| | | | | | | | | | | | | | | old: ct saddr original 1.2.3.4 new: ct original saddr 1.2.3.4 The advantage is that this allows to add ct keys where direction is optional without creating ambiguities in the parser. So we can have ct packets gt 42 ct original packets gt 42 Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: ct: make ct l3proto workFlorian Westphal2016-01-041-2/+2
| | | | | | | | | ct l3proto original == ipv6 <cmdline>:1:56-59: Error: Can't parse symbolic invalid expressions Its just the nf protocol number -- no dependencies. Just set right type. Signed-off-by: Florian Westphal <fw@strlen.de>
* ct: add support for directional keysFlorian Westphal2016-01-041-3/+37
| | | | | | | | | | | | | | A few keys in the ct expression are directional, i.e. we need to tell kernel if it should fetch REPLY or ORIGINAL direction. Split ct_keys into ct_keys & ct_keys_dir, the latter are those keys that the kernel rejects unless also given a direction. During postprocessing we also need to invoke ct_expr_update_type, problem is that e.g. ct saddr can be any family (ip, ipv6) so we need to update the expected data type based on the network base. Signed-off-by: Florian Westphal <fw@strlen.de>
* ct: add maximum helper length valuePatrick McHardy2015-06-021-1/+6
| | | | | | | | | The current kernel restricts ct helper names to 16 bytes length. Specify this limit in the ct expression table to catch oversized strings in userspace. Since older versions of nft didn't support larger values, this does not negatively affect interaction with old kernel versions. Signed-off-by: Patrick McHardy <kaber@trash.net>
* include: refresh include/linux/nf_tables.h cached copyPablo Neira Ayuso2014-09-111-1/+1
| | | | | | | | | Keep in sync with nf_tables.h header file in net-next tree. Rename NFT_CT_LABEL to NFT_CT_LABELS, this probably slipped through when editing the header file by hand. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: add support for setting ct markArturo Borrero2014-03-131-0/+25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the possibility to set ct keys using nft. Currently, the connection mark is supported. This functionality enables creating rules performing the same action as iptables -j CONNMARK --save-mark. For example: table ip filter { chain postrouting { type filter hook postrouting priority 0; ip protocol icmp ip daddr 8.8.8.8 ct mark set meta mark } } My patch is based on the original http://patchwork.ozlabs.org/patch/307677/ by Kristian Evensen <kristian.evensen@gmail.com>. I simply did a rebase and some testing. To test, I added rules like these: counter meta mark set 1 counter counter ct mark set mark counter counter ct mark 1 counter The last matching worked as expected, which means the second rule is also working as expected. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Acked-by: Kristian Evensen <kristian.evensen@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add comparison function for singleton expressionsPatrick McHardy2014-03-071-0/+6
| | | | Singed-off-by: Patrick McHardy <kaber@trash.net>
* ct: connlabel matching supportFlorian Westphal2014-02-181-0/+72
| | | | | | | | | | | Takes advantage of the fact that the current maximum label storage area is 128 bits, i.e. the dynamically allocated extension area in the kernel will always fit into a nft register. Currently this re-uses rt_symbol_table_init() to read connlabel.conf. This works since the format is pretty much the same. Signed-off-by: Florian Westphal <fw@strlen.de>
* ct: direction should be integer, not bitmaskFlorian Westphal2014-02-181-1/+1
| | | | | | | | | should always generate cmp op (its enum 0, 1 in kernel). Note: 'original,reply' will no longer work after this patch. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: remove secmark from ct and meta expressionPatrick McHardy2014-01-151-3/+0
| | | | | | The secctx should be used instead of the secmark. Remove for now. Signed-off-by: Patrick McHardy <kaber@trash.net>
* ct expr: protocol context updates and dynamic typingPatrick McHardy2014-01-081-0/+58
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Include the protocols defined through relational ct expressions in the protocol context and use the protocol context to dynamically determine the types of network and transport layer ct expression types. Before: $ nft filter output ct proto-dst ssh <cmdline>:1:28-30: Error: Can't parse symbolic invalid expressions filter output ct proto-dst ssh ^^^ $ nft filter output ip protocol tcp ct proto-dst ssh <cmdline>:1:44-46: Error: Can't parse symbolic invalid expressions filter output ip protocol tcp ct proto-dst ssh ^^^ $ nft filter output ct protocol tcp ct proto-dst ssh <cmdline>:1:44-46: Error: Can't parse symbolic invalid expressions filter output ct protocol tcp ct proto-dst ssh ^^^ After: $ nft filter output ct proto-dst ssh <cmdline>:1:28-30: Error: Can't parse symbolic invalid expressions filter output ct proto-dst ssh ^^^ $ nft filter output ip protocol tcp ct proto-dst ssh $ nft filter output ct protocol tcp ct proto-dst ssh Signed-off-by: Patrick McHardy <kaber@trash.net>
* meta: iif/oifname should be host byte orderFlorian Westphal2013-09-231-1/+1
| | | | | | | | | | | | | | | | | | | | src/nft add rule filter output meta oifname eth0 doesn't work on x86. Problem is that nft declares these as BYTEORDER_INVALID, but when converting the string mpz_import_data treats INVALID like BIG_ENDIAN. [ cmp eq reg 1 0x00000000 0x00000000 0x65000000 0x00306874 ] as kernel nft_cmp_eval basically boils down to memcmp(reg, skb->dev->name, sizeof(reg) comparision fails. with patch: [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ] Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: add/move size and byte order information into data typesPatrick McHardy2009-03-311-6/+6
| | | | | | | | | | Add size and type information to non-basetype types and remove the now redundant information from the symbol tables. This will be used to determine size and byteorder of set members without analyzing the ruleset for incremental update operations. Signed-off-by: Patrick McHardy <kaber@trash.net>
* datatype: maintain table of all datatypes and add registration/lookup functionPatrick McHardy2009-03-311-3/+13
| | | | | | | | | | | Add a table containing all available datatypes and registration/lookup functions. This will be used to associate a stand-alone set in the kernel with the correct type without parsing the entire ruleset. Additionally it would now be possible to remove the global declarations for the core types. Not done yet though. Signed-off-by: Patrick McHardy <kaber@trash.net>
* ct: resync netlink header and properly add ct l3protocol supportPatrick McHardy2009-03-311-3/+3
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* expr: add support for cloning expressionsPatrick McHardy2009-03-201-0/+6
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* Initial commitv0.01-alpha1Patrick McHardy2009-03-181-0/+149