| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
This patch adds support for IPv6 NAT. It adds IPv6 support in
evaluation and in delinearization which were the only missing parts.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows to use unique, human readable, hook names for the command
line and let the user being unaware of the complex netfilter's hook
names and there difference depending on the netfilter family.
So:
add chain foo bar { type route hook NF_INET_LOCAL_IN 0; }
becomes:
add chain foo bar { type route hook input 0; }
It also fixes then the difference in hook values between families.
I.e. ARP family has different values for input, forward and output
compared to IPv4, IPv6 or bridge.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This patch fixes these two commands:
nft add rule ip test test ip saddr 1.1.1.1-2.2.2.2
nft add rule ip test test ip saddr < 1.1.1.1
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
# nft -nn filter output ip daddr . tcp dport . tcp dport { 192.168.0.1 . ssh }
<cmdline>:1:50-66: Error: datatype mismatch, expected concatenation of (IPv4 address, internet network service, internet network service), expression has type concatenation of (IPv4 address, internet network service)
filter output ip daddr . tcp dport . tcp dport { 192.168.0.1 . ssh }
^^^^^^^^^^^^^^^^^
# nft -nn filter output ip daddr . tcp dport . tcp dport { 192.168.0.1 . ssh . ssh . ssh}
<cmdline>:1:76-78: Error: unexpected concat component, expecting concatenation of (IPv4 address, internet network service, internet network service)
filter output ip daddr . tcp dport . tcp dport { 192.168.0.1 . ssh . ssh . ssh}
~~~~~~~~~~~~~~~~~~~~~~~~~~^^^
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
| |
Improve error reporting by always using a location in netlink operations.
Signed-off-by: Patrick McHardy<kaber@trash.net>
|
| |
|
|
|
| |
Dynamically instantiate a data type to represent all types of a concatenation
and use that for type propagation.
|
| |
|
|
|
|
| |
Not used anymore, kill it.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
| |
The implicit set declaration passes the set's handle to cmd_alloc(), which copies
the pointers to the allocated strings. Later on both the set's handle and the
commands handle are freed, resulting in a use after free.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
| |
When using intervals, the initializers set_flags are set to SET_F_INTERVAL,
however that is not propagated back to the set, so the segtree construction
is not performed.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
| |
Since the parser can now generate constant expressions of a specific type
not determinaed by the LHS, we need to check that relational expressions
are actually using the correct types to avoid accepting stupid things
like "tcp dport tcp".
|
| |
|
|
|
|
|
| |
This fixes compilation with gcc-4.7
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
| |
Add a table containing all available datatypes and registration/lookup functions.
This will be used to associate a stand-alone set in the kernel with the correct
type without parsing the entire ruleset.
Additionally it would now be possible to remove the global declarations for the
core types. Not done yet though.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
| |
The expression needs to be cloned so transformations don't corrupt the original
expression. This could be slightly optimized by only taking a reference and
COW'ing when necessary (which is actually quite rare).
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
User-defined constants can be used like this:
define allowed_hosts = { 192.168.0.0/24, 10.0.0.20-10.0.0.30 }
define udp_services = domain
define tcp_services = { ssh, domain }
ip saddr $allowed_hosts udp dport $udp_services counter accept
ip saddr $allowed_hosts tcp dport $tcp_services counter accept
Recursive definitions are possible, but currently not fully handled.
Anything requiring transformations (sets using ranges) can not be
used more than once currently since the expressions need to be COW'ed
previously.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
