path: root/src/evaluate.c
Commit message (Author, Age, Files, Lines)
* src: add 'auto-merge' option to sets (Pablo Neira Ayuso, 2018-01-22, 1 file, -0/+3)

  After discussions with Karel here:

    https://bugzilla.netfilter.org/show_bug.cgi?id=1184

  And later on with Phil Sutter, we decided to disable the automatic merge feature in sets with intervals. This feature is problematic because it introduces an inconsistency between what we add and what we later on get. This is going to get worse with the upcoming timeout support for intervals. Therefore, we turned this off by default.

  However, Jeff Kletsky and folks like this feature, so let's restore this behaviour on demand with this new 'auto-merge' statement, that you can place on the set definition, eg.

    # nft list ruleset
    table ip x {
            ...
            set y {
                    type ipv4_addr
                    flags interval
                    auto-merge
            }
    }
    # nft add element x z { 1.1.1.1-2.2.2.2, 1.1.1.2 }

  Regarding implementation details: Given this feature only makes sense from userspace, let's store this in the set user data area, so nft knows it has to do automatic merge of adjacent/overlapping elements as per user request.

    # nft add set x z { type ipv4_addr\; auto-merge\; }
    Error: auto-merge only works with interval sets
    add set x z { type ipv4_addr; auto-merge; }
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

  Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1216
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Add import command for low level json (Shyam Saini, 2018-01-17, 1 file, -0/+2)

  This new operation allows importing a low level virtual machine ruleset in json to make incremental changes using the parse functions of libnftnl.

  A basic way to test this new functionality is:

    $ cat file.json | nft import vm json

  where the file.json is a ruleset exported in low level json format.

  To export json rules in low level virtual machine format we need to specify the "vm" token before json. See below:

    $ nft export vm json

  and

    $ nft export/import json

  will do no operations. Same goes with "$nft monitor".

  Highly based on work from Alvaro Neira <alvaroneay@gmail.com> and Arturo Borrero <arturo@netfilter.org>

  Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
  Signed-off-by: Shyam Saini <mayhs11saini@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix protocol context update on big-endian systems (Phil Sutter, 2017-12-12, 1 file, -4/+2)

  There is an obscure bug on big-endian systems when trying to list a rule containing the expression 'ct helper tftp' which triggers the assert() call in mpz_get_type().

  Florian identified the cause: ct_expr_pctx_update() is called for the relational expression which calls mpz_get_uint32() to get RHS value (assuming it is a protocol number). On big-endian systems, the misinterpreted value exceeds UINT_MAX.

  Expressions' pctx_update() callback should only be called for protocol matches, so ct_meta_common_postprocess() lacked a check for 'left->flags & EXPR_F_PROTOCOL' like the one already present in payload_expr_pctx_update().

  In order to fix this in a clean way, this patch introduces a wrapper relational_expr_pctx_update() to be used instead of directly calling LHS's pctx_update() callback which unifies the necessary checks (and adds one more assert):

  - assert(expr->ops->type == EXPR_RELATIONAL)
    -> This is new, just to ensure the wrapper is called properly.
  - assert(expr->op == OP_EQ)
    -> This was moved from {ct,meta,payload}_expr_pctx_update().
  - left->ops->pctx_update != NULL
    -> This was taken from expr_evaluate_relational(), a necessary requirement for the introduced wrapper to function at all.
  - (left->flags & EXPR_F_PROTOCOL) != 0
    -> The crucial missing check which led to the problem.

  Suggested-by: Florian Westphal <fw@strlen.de>
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: print error for null string (Harsha Sharma, 2017-11-27, 1 file, -1/+4)

  Print error "Empty string is not allowed", eg.

    # nft add rule filter input meta iifname '""'
    add rule filter input meta iifname ""
                                       ^^
    Error: Empty String is not allowed

  Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: dismiss anonymous meters (Pablo Neira Ayuso, 2017-11-24, 1 file, -2/+1)

  The former 'flow table' syntax allows flow tables with no name:

    # nft add rule x y flow { ip saddr counter }

  However, when listing, it leaks the name that it is autoallocating.

    # nft list ruleset
    table ip x {
            chain y {
                    flow table __mt0 { ip saddr counter}
            }
    }

  Which is odd since then restoring will use such a name.

  Remove anonymous flow table/meters, so everyone needs to specify a name. There is no way to fix this, given the anonymous flag tells us that the set behind this meter is bound to a rule, hence, released once the rule is gone - the term "anonymous" was not a good choice as a flag in the first place. The only possibility is to strcmp for __ft to identify this is a nameless meter, which is a hack.

  Moreover, having no name means you cannot flush the set behind this meter, which cripples this feature for no reason.

  On top of it, the wiki only documents named meters, and we have a record of users complaining about this behaviour.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  Acked-by: Florian Westphal <fw@strlen.de>
* src: deprecate "flow table" syntax, replace it by "meter" (Pablo Neira Ayuso, 2017-11-24, 1 file, -22/+22)

  According to bugzilla 1137:

  "flow tables" should not be syntactically unique.

  "Flow tables are always named, but they don't conform to the way sets, maps, and dictionaries work in terms of "add" and "delete" and all that.

  They are also "flow tables" instead of one word like "flows" or "throttle" or something. It seems weird to just have these break the syntactic expectations."

  Personally, I never liked the reference to "table" since we have had very specific semantics in terms of what a "table" is in netfilter for a long time.

  This patch promotes "meter" as the new keyword. The former syntax is still accepted for a while, just to reduce the chances of breaking things. At some point the former syntax will just be removed.

  Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1137
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
* src: add nft_ prefix to everything exposed through include/nftables/nftables.h (Pablo Neira Ayuso, 2017-10-24, 1 file, -14/+14)

  Prepend the nft_ prefix before these are exposed, to reduce the chances that we hit symbol namespace pollution problems when mixing libnftables with other existing libraries.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nftables: make pointers in string arrays constant (Harsha Sharma, 2017-10-09, 1 file, -2/+2)

  Static const char * array should be static const char * const array as per linux-kernel coding style.

  Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: Fix debug output (Phil Sutter, 2017-10-06, 1 file, -9/+11)

  When introducing output_fp, debug output in src/evaluate.c was not adjusted and therefore broke. This patch restores eval debug output by applying the following changes:

  - Change erec_print() and erec_print_list() to take a struct output_ctx pointer as first argument and use output_fp field as destination to print to.
  - Drop octx_debug_dummy variable and instead use octx pointer from struct eval_ctx for debug output.
  - Add missing calls to erec_destroy() in eval debug output which should eliminate another mem leak.

  Fixes: 2535ba7006f22 ("src: get rid of printf")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rt: add keyword distinction for nexthop vs nexthop6 (Florian Westphal, 2017-09-29, 1 file, -13/+9)

  The rt expression currently always sets NFT_RT_NEXTHOP4 and then uses the network base to determine if it's really supposed to be NEXTHOP6.

  For inet, this will fail because the network base is not known, so this currently enforces the need for "meta nfproto" to determine the type.

  Allow the following syntax instead:

    rt ip nexthop
    rt ip6 nexthop

  There is no need for a dependency anymore, as the rt expression checks the hook protocol, ie. NEXTHOP4 will break if the hook pf is not NFPROTO_IPV4.

  Cc: Anders K. Pedersen <akp@cohaesio.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* src: ct: add eval part to inject dependencies for ct saddr/daddr (Florian Westphal, 2017-09-29, 1 file, -6/+64)

  nft has enough context to determine if a dependency is needed.

    add rule ip filter ct original ip6 saddr

  allows nft to generate an error due to conflicting bases (ip vs ip6).

    add rule inet filter ct original ip6 saddr

  allows nft to inject an ipv6 dependency expression.

    add rule inet filter ct original saddr

  will print an error and will suggest to add the ip/ip6 keyword.

  Delinearize and print support will be added in followup patches.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* src: get rid of printf (Phil Sutter, 2017-09-29, 1 file, -11/+11)

  This patch introduces nft_print()/nft_gmp_print() functions which have to be used instead of printf to output information that was previously sent to stdout. These functions print to a FILE pointer defined in struct output_ctx. It is set by calling:

    | old_fp = nft_ctx_set_output(ctx, new_fp);

  Having an application-defined FILE pointer is actually quite flexible: Using fmemopen() or even fopencookie(), an application gains full control over what is printed and where it should go to.

  Signed-off-by: Eric Leblond <eric@regit.org>
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: store expression as set key instead of data type (Florian Westphal, 2017-09-27, 1 file, -24/+38)

  Doing so retains length information in case of unqualified data types, e.g. we now have a 'meta iifname' expression instead of an (unqualified) string type.

  This eventually allows using iifnames as set keys without adding yet another special data type for them.

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: prepare to store expr key rather than datatype (Florian Westphal, 2017-09-27, 1 file, -19/+23)

  Currently set definitions store a datatype rather than an expression.

  In order to support use of unqualified data types (string in particular), this prepares the implicit set definition helper to expect an expression instead of a plain data type.

  This also has the advantage that we can use EXPR_CONCAT to retain the original expressions when key concatenation is used, e.g. 'meta iifname . tcp dport'.

  The netlink serialization code can use this info to store individual key lengths independently of data types.

  Would also allow later on to store the original names of the expressions, e.g. "ip daddr", in the kernel to support a future typeof keyword, e.g. 'type typeof(ip daddr)' instead of 'type ipv4_addr'.

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add stateful object support for limit (Pablo M. Bermudo Garay, 2017-09-04, 1 file, -0/+5)

  This patch adds support for a new type of stateful object: limit. Creation, deletion and listing operations are supported.

  Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: convert expr_rt byteorder when evaluating statement arg (Florian Westphal, 2017-08-28, 1 file, -0/+2)

  expr_rt might write data in host byte order, so make sure to convert if needed.

  This makes 'tcp option maxseg size rt mtu' actually work, right now such rules are no-ops because nft_exthdr never increases the mss.

  While at it, extend the example to not bother testing non-syn packets.

  Reported-by: Matteo Croce <technoboy85@gmail.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add debugging mask to context structure (Pablo Neira Ayuso, 2017-08-23, 1 file, -18/+25)

  So this toggle is not global anymore. Update the name so that it fits better with the semantics of this variable.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove ifdef DEBUG pollution (Pablo Neira Ayuso, 2017-08-23, 1 file, -8/+0)

  Get rid of lots of ifdef DEBUG pollution in the code. The --debug= option is useful to get feedback from users, so it should be always there. And we really save nothing from keeping this code away from the control plane with a compile time option. Just running tests/shell/ before and after this patch, time shows almost no difference.

  So this patch leaves --enable-debug around to add debugging symbols in your builds, this is left set on by default.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add tcp options set support (Florian Westphal, 2017-08-22, 1 file, -0/+15)

  This adds support for tcp mss mangling:

    nft add rule filter input tcp option maxseg size 1200

  It's also possible to change other tcp option fields, but maxseg is one of the more useful ones to change.

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: shift immediate value when adjusting size for csum fixup (Florian Westphal, 2017-08-17, 1 file, -11/+14)

    nft add rule .. ip ttl set 64

  erroneously mangles ip protocol instead of ttl.

  Because the kernel can't deal with odd-sized data (ttl is one byte) when doing checksum fixups, the write to 'ttl' is turned into

    [ payload load 2b @ network header + 8 => reg 1 ]
    [ bitwise reg 1 = (reg=1 & 0x000000ff ) ^ $new_value ]
    [ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x0 ]

  While doing so, we did fail to shift the imm value, i.e. we clear the wrong half of the u16 (protocol) instead of csum.

  The correct mask is 0xff00, and $new_value needs to be shifted so we leave the protocol value (which is next to ttl) alone.

  Fixes: f9069cefdf ("netlink: make checksum fixup work with odd-sized header fields")
  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* echo: Fix for added delays in rule updates (Phil Sutter, 2017-08-15, 1 file, -9/+0)

  The added cache update upon every command dealing with rules was a bummer. Instead, perform the needed cache update only if the echo option was set.

  Initially, I tried to perform the cache update from within netlink_echo_callback(), but that turned into a mess since the shared socket between cache_init() and mnl_batch_talk() would receive unexpected new input. So instead update the cache from do_command_add(), netlink_replace_rule_batch() and do_command_insert() so it completes before mnl_batch_talk() starts listening.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: introduce struct nft_cache (Varsha Rao, 2017-08-14, 1 file, -30/+38)

  Pass variable cache_initialized and structure list_head as members of structure nft_cache.

  Joint work with Pablo Neira.

  Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Implement --echo option (Phil Sutter, 2017-08-14, 1 file, -0/+7)

  When used with add, insert or replace commands, the nft tool will print event notifications just like 'nft monitor' does for the same commands.

  Apart from seeing what a given command will turn out in the rule set, this allows reliably retrieving a new rule's assigned handle (if used together with the --handle option).

  Here are some examples of how it works:

    | # nft --echo --handle add table ip t
    | add table ip t
    |
    | # nft --echo --handle add chain ip t c \
    |   '{ type filter hook forward priority 0; }'
    | add chain ip t c { type filter hook forward priority 0; policy accept; }
    |
    | # nft --echo --handle add rule ip t c tcp dport '{22, 80}' accept
    | add rule ip t c tcp dport { ssh, http } accept # handle 2
    |
    | # nft --echo --handle add set ip t ipset '{ type ipv4_addr; \
    |   elements = { 192.168.0.1, 192.168.0.2 }; }'
    | add set ip t ipset { type ipv4_addr; }
    | add element ip t ipset { 192.168.0.1 }
    | add element ip t ipset { 192.168.0.2 }

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: handle rule tracing as a monitor object (Pablo Neira Ayuso, 2017-08-02, 1 file, -27/+4)

  Traces are not an event type, they should be handled as an object.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: nft monitor ruleset (Varsha Rao, 2017-07-31, 1 file, -0/+32)

  This patch adds event reporting for ruleset, which prints only ruleset events.

  Syntax: nft monitor ruleset

  Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Allow passing the parent set to set_expr_alloc() (Phil Sutter, 2017-07-17, 1 file, -1/+1)

  Usually one wants to at least initialize set_flags from the parent, so make allocation of a set's set expression more convenient.

  The idea to do this came when fixing an issue with output formatting of larger anonymous sets in nft monitor: Since netlink_events_cache_addset() didn't initialize set_flags, calculate_delim() didn't detect it's an anonymous set and therefore added newlines to the output.

  Reported-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
  Fixes: a9dc3ceabc10f ("expression: print sets and maps in pretty format")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: fix build with clang (Eric Leblond, 2017-07-17, 1 file, -2/+1)

  Building with a recent clang was failing due to the following error:

    src/evaluate.c|450 col 45| error: initializer element is not constant
    || static const unsigned int max_tcpoptlen = 15 * 4 * BITS_PER_BYTE - tcphdrlen;
    ||                                                                    ^~

  Signed-off-by: Eric Leblond <eric@regit.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: Pass nf_sock where needed as parameter (Pablo Neira Ayuso, 2017-07-17, 1 file, -11/+11)

  This socket should not be global, it is also hidden in many layers of code. Expose it as function parameters to decouple the netlink socket handling logic from the command parsing, evaluation and bytecode generation.

  Joint work with Varsha Rao.

  Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: Better error reporting for bad set references (Pablo Neira Ayuso, 2017-06-19, 1 file, -2/+3)

  In case you refer to a nonexistent set, bail out with:

    # nft add table x
    # nft add chain x y
    # nft add rule x y ip protocol vmap @reject_to_rule2;
    <cmdline>:1:31-46: Error: Set 'reject_to_rule2' does not exist
    add rule x y ip protocol vmap @reject_to_rule2
                                  ^^^^^^^^^^^^^^^^

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: merge nested set flags (Pablo Neira Ayuso, 2017-06-19, 1 file, -0/+1)

  A set may contain a nested set element definition, merge the nested set flags so we don't hit:

    BUG: invalid data expression type range
    nft: netlink.c:400: netlink_gen_data: Assertion `0' failed.
    Aborted

  With the following example ruleset:

    define dnat_ports = { 1234-1567 }
    define port_allow = {
            53,           # dns
            $dnat_ports,  # dnat
    }
    add rule x y tcp dport $port_allow accept

  Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1145
  Fixes: a6b75b837f5e ("evaluate: set: Allow for set elems to be sets")
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: reject meta nfproto outside of inet family (Florian Westphal, 2017-06-18, 1 file, -1/+14)

  meta nfproto loads the hook family type of the current rule context in the kernel, i.e. it will be NFPROTO_IPV6 for ip6 family, NFPROTO_BRIDGE for bridge and so on.

  The only case where this is useful is the inet pseudo family, where this is useful to determine the real hook family (NFPROTO_IPV4 or NFPROTO_IPV6).

  In all other families 'meta nfproto' is either always true or false.

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Pass stateless, numeric, ip2name and handle variables as structure members. (Varsha Rao, 2017-06-18, 1 file, -2/+7)

  libnftables library will be created soon. So declare numeric_output, stateless_output, ip2name_output and handle_output as members of structure output_ctx, instead of global variables. Rename these variables as following,

    numeric_output   -> numeric
    stateless_output -> stateless
    ip2name_output   -> ip2name
    handle_output    -> handle

  Also add struct output_ctx *octx as member of struct netlink_ctx.

  Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: fix inet/bridge/netdev family handling for saddr/daddr (Florian Westphal, 2017-06-06, 1 file, -7/+20)

  "ct original saddr" has an invalid data type, as the address can be either ipv4 or ipv6.

  For some cases we could infer it from the rhs, but there are cases where we don't have any information, e.g. when passing ct original saddr to the jhash expression.

  So do the same thing that we do for "rt nexthop" -- error out and hint to the user that they need to specify the desired address type with "meta nfproto".

  Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: avoid reference to multiple src data in statements which set values (Arturo Borrero Gonzalez, 2017-05-29, 1 file, -0/+15)

  Prevent this assert:

    % nft [..] tcp dport set { 0 , 1 }
    BUG: unknown expression type set reference
    nft: netlink_linearize.c:696: netlink_gen_expr: Assertion `0' failed.
    Aborted

  We can't use a set here because we will not know which value to use.

  With this patch, a proper error message is reported to users:

    % nft add rule t c tcp dport set {1, 2, 3, 4, 5}
    <cmdline>:1:28-42: Error: you cannot use a set here, unknown value to use
    add rule t c tcp dport set {1, 2, 3, 4, 5}
                 ~~~~~~~~~~~~~~^^^^^^^^^^^^^^^

    % nft add rule t c tcp dport set @s
    <cmdline>:1:28-29: Error: you cannot reference a set here, unknown value to use
    add rule t c tcp dport set @s
                 ~~~~~~~~~~~~~~^^

  This error is reported to all statements which set values.

  Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add a comment wrt. reject dependency insertion (Florian Westphal, 2017-05-18, 1 file, -0/+8)

  At first I thought this was a bug, but this in fact seems to be the right thing; add a comment/example why adding the dependency as the first statement makes sense.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* parser: allow listing sets in one table (Florian Westphal, 2017-05-04, 1 file, -1/+1)

  Currently nft can list sets:

    nft list sets

  but unlike e.g. 'quotas' or 'counters' we didn't support restricting it to a table.

  Now it's possible to restrict set definition listing to one table:

    nft list sets table inet filter

  Reported-by: Thomas Woerner <twoerner@redhat.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Make flush command selective of the set structure type (Elise Lennion, 2017-03-24, 1 file, -1/+32)

  The internal set infrastructure is used for sets, maps and flow tables. The flush command requires the set type but currently it works for all of them.

  E.g. if there is a set named 's' in a table 't' the following command shouldn't be valid but still executes:

    $ nft flush flow table t s

  This patch makes the flush command selective so 'flush flow table' only works in flow tables and so on.

  Fixes: 6d37dae ("parser_bison: Allow flushing maps")
  Fixes: 2daa0ee ("parser_bison: Allow flushing flow tables")
  Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: set: Fix nested set merge size adjustment (Phil Sutter, 2017-03-21, 1 file, -1/+1)

  When merging a nested set into the parent one, we are actually replacing one item with the items of the nested set. Therefore we have to remove the replaced item from size.

  The respective bug isn't as easy to trigger, since the size field seems to be relevant only when set elements are ranges which are checked for overlaps. Here's an example of how to trigger it:

    | add rule ip saddr { { 1.1.1.0/24, 3.3.3.0/24 }, 2.2.2.0/24 }

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: set: Allow for set elems to be sets (Phil Sutter, 2017-03-21, 1 file, -0/+9)

  Recursive use of sets is handled in parts by parser_bison.y, which has a rule for inline unnamed sets in set_list_member_expr, e.g. like this:

    | add rule ip saddr { { 1.1.1.0, 2.2.2.0 }, 3.3.3.0 }

  Yet there is another way to have an unnamed set inline, which is via define:

    | define myset = {
    |   1.1.1.0,
    |   2.2.2.0,
    | }
    | add rule ip saddr { $myset, 3.3.3.0 }

  This didn't work because the inline set comes in as EXPR_SET_ELEM with EXPR_SET as key. This patch handles that case by replacing the former by a copy of the latter, so the following set list merging can take place.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: implement add/create/delete for ct helper objects (Florian Westphal, 2017-03-16, 1 file, -0/+4)

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow listing all ct helpers (Florian Westphal, 2017-03-16, 1 file, -0/+1)

  This implements

    nft list ct helpers table filter
    table ip filter {
            ct helper ftp-standard {
    ..

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: refactor CMD_OBJ_QUOTA/COUNTER handling (Florian Westphal, 2017-03-16, 1 file, -12/+20)

  ... to make adding CMD_OBJ_CT_HELPER support easier.

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* fib: Support existence check (Phil Sutter, 2017-03-13, 1 file, -1/+13)

  This allows to check whether a FIB entry exists for a given packet by comparing the expression with a boolean keyword like so:

    | fib daddr oif exists

  The implementation requires introduction of a generic expression flag EXPR_F_BOOLEAN which allows the relational expression to signal its LHS that a boolean comparison is being done (indicated by boolean type on RHS). In contrast to exthdr existence checks, the fib expression can't know this beforehand because the LHS syntax is absolutely identical to a non-boolean comparison.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: Implement existence check (Phil Sutter, 2017-03-10, 1 file, -0/+3)

  This allows to check for existence of an IPv6 extension or TCP option header by using the following syntax:

    | exthdr frag exists
    | tcpopt window exists

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: hash: support of symmetric hash (Laura Garcia Liebana, 2017-03-06, 1 file, -1/+2)

  This patch provides symmetric hash support according to source ip address and port, and destination ip address and port.

  The new attribute NFTA_HASH_TYPE has been included to support different types of hashing functions. Currently supported NFT_HASH_JENKINS through jhash and NFT_HASH_SYM through symhash.

  The main differences between both types are:

  - jhash requires an expression with sreg, symhash doesn't.
  - symhash supports modulus and offset, but not seed.

  Examples:

    nft add rule ip nat prerouting ct mark set jhash ip saddr mod 2
    nft add rule ip nat prerouting ct mark set symhash mod 2

  Signed-off-by: Laura Garcia Liebana <laura.garcia@zevenet.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: store byteorder for set data (Pablo Neira Ayuso, 2017-02-28, 1 file, -1/+3)

  Add new UDATA_SET_DATABYTEORDER attribute for NFTA_SET_UDATA to store the datatype byteorder. This is required if integer_type is used on the rhs of the mapping given that this datatype comes with no specific byteorder.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename set_keytype_alloc() to set_datatype_alloc() (Pablo Neira Ayuso, 2017-02-28, 1 file, -1/+1)

  This function can be used either side of the map, so rename it to something generic.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: set byteorder as lhs expression context in stmt_evaluate_arg() (Pablo Neira Ayuso, 2017-02-28, 1 file, -9/+15)

  stmt_evaluate_arg() needs to take the lhs map expression byteorder in order to evaluate the lhs of mappings accordingly.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: store byteorder for set keys (Pablo Neira Ayuso, 2017-02-25, 1 file, -6/+11)

  Selectors that rely on the integer type and expect host endian byteorder don't work properly.

  We need to keep the byteorder around based on the left hand side expression that provides the context, so store the byteorder when evaluating the map.

  Before this patch:

    # nft --debug=netlink add rule x y meta mark set meta cpu map { 0 : 1, 1 : 2 }
    __map%d x b
    __map%d x 0
            element 00000000 : 00000001 0 [end]
            element 01000000 : 00000002 0 [end]
                    ^^^^^^^^

  This is expressed in network byteorder, because the invalid byteorder defaults on this.

  After this patch:

    # nft --debug=netlink add rule x y meta mark set meta cpu map { 0 : 1, 1 : 2 }
    __map%d x b
    __map%d x 0
            element 00000000 : 00000001 0 [end]
            element 00000001 : 00000002 0 [end]
                    ^^^^^^^^

  This is in host byteorder, as the key selector in the map mandates.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add TCP option matching (Manuel Messner, 2017-02-12, 1 file, -1/+34)

  This patch enables nft to match against TCP options.

  Currently these TCP options are supported:

    * End of Option List (eol)
    * No-Operation (noop)
    * Maximum Segment Size (maxseg)
    * Window Scale (window)
    * SACK Permitted (sack_permitted)
    * SACK (sack)
    * Timestamps (timestamp)

  Syntax:

    tcp options $option_name [$offset] $field_name

  Example:

    # count all incoming packets with a specific maximum segment size `x`
    # nft add rule filter input tcp option maxseg size x counter

    # count all incoming packets with a SACK TCP option where the third
    # (counted from zero) left field is greater than `x`.
    # nft add rule filter input tcp option sack 2 left \> x counter

  If the offset (the `2` in the example above) is zero, it can optionally be omitted. For all non-SACK TCP options it is always zero, thus can be left out.

  Option names and field names are parsed from templates, similar to meta and ct options rather than via keywords to prevent adding more keywords than necessary.

  Signed-off-by: Manuel Messner <mm@skelett.io>
  Signed-off-by: Florian Westphal <fw@strlen.de>