| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a new expression type "set_elem_expr" that is used as container for
the key in order to attach different attributes, such as timeout values,
to the key.
The expression hierarchy is as follows:
Sets:
elem
|
key
Maps:
mapping
/ \
elem data
|
key
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
When using a symbolic vmap expression, we fail to verify that the map
actually contains verdicts.
Use stmt_evaluate_arg() everywhere to fix this.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Catch type errors in map expressions using named maps:
# nft add map filter test { type ipv4_addr : inet_service; }
# nft filter output mark set tcp dport map @test
<cmdline>:1:38-42: Error: datatype mismatch, map expects IPv4 address, mapping expression has type internet network service
filter output mark set tcp dport map @test
~~~~~~~~~ ^^^^^
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The datatype of the map expression is the datatype of the mappings.
# nft add map filter test { type ipv4_addr : inet_service; }
# nft filter output mark set ip daddr map @test
Before:
<cmdline>:1:24-41: Error: datatype mismatch: expected packet mark, expression has type IPv4 address
filter output mark set ip daddr map @test
~~~~~~~~~^^^^^^^^^^^^^^^^^^
After:
<cmdline>:1:24-41: Error: datatype mismatch: expected packet mark, expression has type internet network service
filter output mark set ip daddr map @test
~~~~~~~~~^^^^^^^^^^^^^^^^^^
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
# nft add set filter test { type ipv4_addr; }
# nft filter input ip daddr vmap @test
Before:
<cmdline>:0:0-32: Error: Could not process rule: Invalid argument
filter input ip daddr vmap @test
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
After:
<cmdline>:1:28-32: Error: Expression is not a map
filter input ip daddr vmap @test
^^^^^
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
| |
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a helper function to evaluate expressions used as arguments for
statements and report datatype mismatches.
Fixes acceptance of mismatching expressions like:
$ nft filter output meta mark set ip daddr
<cmdline>:1:29-36: Error: datatype mismatch: expected packet mark. expression has type IPv4 address
filter output meta mark set ip daddr
~~~~~~~~~~~~~~^^^^^^^^
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
| |
The redir and masq evaluation functions include some useless context
updates and checks.
Refactor the NAT code to have a single instance of address and transport
evaluation functions for simplicity and unified error reporting.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
| |
Use stdio's vasprintf instead of gmp_vasprintf which is not part
of the mini-gmp function subset. Furthermore convert the only
gmp-specific user and allow the compiler to verify format-strings.
Signed-off-by: Steven Barth <cyrus@openwrt.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When nft -f is used, ctx->cmd points to the table object, which
contains the corresponding chain, set and rule lists. The reject
statement evaluator relies on ctx->cmd->rule to add the payload
dependencies, which is doesn't point to the rule in that case.
This patch adds the rule context to the eval_ctx structure to update
the rule list of statements when generating dependencies, as the reject
statement needs.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=993
Reported-by: Ting-Wei Lan <lantw44@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
The kernel only stored the id so we need to be able to reconstruct
the datatype from the id only.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The id of concat datatypes is composed of the ids of the individual
datatypes. Add a define for the number of bits for each datatype id
and a mask.
The number of bits is chosen as 6, allowing for 63 datatypes, or twice
as much as we currently have. This allows for concatenations of 5
types using 32 bits.
The value is statically chosen instead of basing it on the current
numbers of datatypes since we don't want the maximum concatenation
size to vary between versions, also new versions are supposed to be
able to propery parse a ruleset generated by an older version.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
| |
Using the size is confusing since it usually holds the size of
the data. Add a new "subtypes" member, which holds the number
of datatypes the concat type is made of.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rules with header fields that rely on the generic integer datatype
from sets are not matching, eg.
nft add rule filter input udp length { 9 } counter
This set member is an integer represented in host byte order, which
obviously doesn't match the header field (in network byte order).
Since the integer datatype has no specific byteorder, we have to rely
on the expression byteorder instead when configuring the context,
before we evaluate the list of set members.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we use tcp reset with a network protocol that tcp is not supported,
we display an error. This error use the reject.expr location which is NULL,
therefore we have a crash. This patch replaces it using the reject statement
to display the error like:
Rule:
nft add bridge filter input ether type vlan reject with tcp reset
Output:
<cmdline>:1:46-51: Error: cannot reject this ether type
add rule bridge filter input ether type vlan reject with tcp reset
~~~~~~~~~~~~~~~ ^^^^^^
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch adds redirect support for nft.
The syntax is:
% nft add rule nat prerouting redirect [port] [nat_flags]
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we add a rule like:
nft add rule bridge filter input ether type ip reject with icmpv6 type no-route
We throw an error like:
<cmdline>:1:44-49: Error: conflicting protocols specified: ip vs ip6
add rule bridge filter input ether type ip reject with icmpv6 type no-route
Now, we are going to show in which part of the rule, we have the conflict:
<cmdline>:1:51-75: Error: conflicting protocols specified: ip vs ip6
add rule bridge filter input ether type ip reject with icmpv6 type no-route
~~~~~~~~~~~~~ ^^^^^^^^^^^^^^^^^^^^^^^^^
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
inet tables
In rules like:
nft add rule inet filter input reject
or
nft add rule bridge filter input reject
we use icmpx to reject it. But if we have network context, we also use type of
reject. With this patch, we check the network context. If we don't have context,
we still use icmpx. However, if we have rules with network context like:
nft add rule inet meta nfproto ipv4 reject
or
nft add rule bridge ether type ipv6 reject
We are going to use icmp or icmpv6 to reject it taking into account the network
context.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In Inet tables, we have to check the network context in rules that we use
icmp or icmpv6 reason in reject. To be sure that the context is the correct.
However, for icmpx and tcp reject, we don't need to check it.
In Bridge tables, ee have vlan and arp traffic and they are not supported.
For this things, we have to check the network context. For example:
nft add rule bridge test-bridge input \
ether type arp reject with icmp type host-unreachable
or
nft add rule bridge test-bridge input \
ether type vlan reject with tcp reset
In that cases, we have to throw an error. Moreover, we have to accept rules
that the network context is Ipv4 and Ipv6. For example:
nft add rule -nnn bridge test-bridge input \
ip protocol tcp reject with tcp reset
Moreover, this patch refactor the code for check the family for bridge and inet
tables.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
nft add rule bridge test-bridge input ether type ip \
reject with icmpv6 type no-route
This rule pass the evaluation step but the network context is incompatible with
the reject reason. In that cases, we have to throw an error like "conflicting
protocols specified: ip vs ip6"
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Example:
nft add rule inet filter input meta l4proto udp reject with tcp reset
If we try to check if the transport protocol is tcp, we use the network context.
If we don't have this network context, we have a crash.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we use this rule:
nft add rule bridge filter input \
ether type ip reject with icmp type host-unreachable
or that:
nft add rule inet filter input \
meta nfproto ipv4 reject with icmp type host-unreachable
we have a segfault because we add a network dependency when we already have
network context.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we use a rule:
nft add rule bridge filter input \
ether type ip reject with icmp type host-unreachable
or this:
nft add rule inet filter input \
meta nfproto ipv4 reject with icmp type host-unreachable
we have a segfault because we add a network dependency when we already have
network context.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds masquerade support for nft.
The syntax is:
% nft add rule nat postrouting masquerade [flags]
Currently, flags are:
random, random-fully, persistent
Example:
% nft add rule nat postrouting masquerade random,persistent
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Postpone the event type interpretation to the evaluation step.
This patch also fixes the combination of event and object types,
which was broken. The export code needed to be adjusted too.
The new and destroy are not tokens that can be recognized by
the scanner anymore, so this also implicitly restores 'ct state'.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch allows to use the reject action in rules. For example:
nft add rule filter input udp dport 22 reject
In this rule, we assume that the reason is network unreachable. Also
we can specify the reason with the option "with" and the reason. For example:
nft add rule filter input tcp dport 22 reject with icmp type host-unreachable
In the bridge tables and inet tables, we can use this action too. For example:
nft add rule inet filter input reject with icmp type host-unreachable
In this rule above, this generates a meta nfproto dependency to match
ipv4 traffic because we use a icmpv4 reason to reject.
If the reason is not specified, we infer it from the context.
Moreover, we have the new icmpx datatype. You can use this datatype for
the bridge and the inet tables to simplify your ruleset. For example:
nft add rule inet filter input reject with icmpx type host-unreachable
We have four icmpx reason and the mapping is:
ICMPX reason | ICMPv6 | ICMPv4
| |
admin-prohibited | admin-prohibited | admin-prohibited
port-unreachable | port-unreachable | port-unreachable
no-route | no-route | net-unreachable
host-unreachable | addr-unreachable | host-unreachable
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
With this patch, this function returns a statement with the new dependency
that we want to add, instead of an expression.
This change is needed in a follow up patch.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Rename keyword tokens to their actual keyword
- Change the grammar to follow the standard schema for statements and arguments
- Use actual expression for the queue numbers to support using normal range
expressions, symbolic expression and so on.
- restore comma seperation of flag keywords
The result is that its possible to use standard ranges, prefix expressions,
symbolic expressions etc for the queue number. We get checks for overflow,
negative ranges and so on automatically.
The comma seperation of flags is more similar to what we have for other
flag values. It is still possible to use spaces, however this could be
removed since we never had a release supporting that.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before this patch:
# nft describe tcp foo
value expression, datatype inet_proto (Internet protocol) (basetype integer), 8 bits
Segmentation fault
After this patch:
# nft describe tcp foo
<cmdline>:1:14-16: Error: syntax error, unexpected string, expecting end of file or newline or semicolon
describe tcp foo
^^^
Reported-by: Kevin Fenzi <kevin@scrye.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch is required if you use upcoming Linux kernels >= 3.17
which come with a complete logging support for nf_tables.
If you use 'log' without options, the kernel logging buffer is used:
nft> add rule filter input log
You can also specify the logging prefix string:
nft> add rule filter input log prefix "input: "
You may want to specify the log level:
nft> add rule filter input log prefix "input: " level notice
By default, if not specified, the default level is 'warn' (just like
in iptables).
If you specify the group, then nft uses the nfnetlink_log instead:
nft> add rule filter input log prefix "input: " group 10
You can also specify the snaplen and qthreshold for the nfnetlink_log.
But you cannot mix level and group at the same time, they are mutually
exclusive.
Default values for both snaplen and qthreshold are 0 (just like in
iptables).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The type in the evaluation context needs to be reset to avoid treating
the concatenation as a right hand side relational expression.
# nft filter output mark set ip daddr . tcp dport map { 192.168.0.1 . 22 : 1 }
<cmdline>:1:24-43: Error: datatype mismatch, expected packet mark, expression has type concatenation of (IPv4 address, internet network service)
filter output mark set ip daddr . tcp dport map { 192.168.0.1 . 22 : 1 }
^^^^^^^^^^^^^^^^^^^^
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch reverts Alvaro's 34040b1 ("reject: add ICMP code parameter
for indicating the type of error") and 11b2bb2 ("reject: Use protocol
context for indicating the reject type").
These patches are flawed by two things:
1) IPv6 support is broken, only ICMP codes are considered.
2) If you don't specify any transport context, the utility exits without
adding the rule, eg. nft add rule ip filter input reject.
The kernel is also flawed when it comes to the inet table. Let's revert
this until we can provide decent reject reason support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch allows to indicate the ICMP code field in case that we
use to reject. Before, we have always sent network unreachable error
as ICMP code, now we can explicitly indicate the ICMP code that
we want to use. Examples:
nft add rule filter input tcp dport 22 reject with host-unreach
nft add rule filter input udp dport 22 reject with host-unreach
In this case, it will use the host unreachable code to reject traffic.
The default code field still is network unreachable and we can also
use the rules without the with like that:
nft add rule filter input udp dport 22 reject
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This patch uses the protocol context to initialize the reject type
considering if the transport protocol is tcp, udp, etc. Before this
patch, this was left unset.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This patch adds a basic events reporting option to nft.
The syntax is:
% nft monitor [new|destroy] [tables|chains|rules|sets|elements] [xml|json]
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the possibility to set ct keys using nft. Currently, the
connection mark is supported. This functionality enables creating rules
performing the same action as iptables -j CONNMARK --save-mark. For example:
table ip filter {
chain postrouting {
type filter hook postrouting priority 0;
ip protocol icmp ip daddr 8.8.8.8 ct mark set meta mark
}
}
My patch is based on the original http://patchwork.ozlabs.org/patch/307677/
by Kristian Evensen <kristian.evensen@gmail.com>.
I simply did a rebase and some testing. To test, I added rules like these:
counter meta mark set 1 counter
counter ct mark set mark counter
counter ct mark 1 counter
The last matching worked as expected, which means the second rule is also
working as expected.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Acked-by: Kristian Evensen <kristian.evensen@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The commit e7b43ec0 [expr: make expr_binary_error() usable outside of evaluation]
seem to change expr_binary_error() interface.
Later, several compilation warning appears.
The expr_binary_error() function and expr_error() macro both expect
`struct list_head *', so I simply changed callers to send `ctx->msgs'.
[...]
src/evaluate.c: In function ‘byteorder_conversion’:
src/evaluate.c:166:3: warning: passing argument 1 of ‘expr_binary_error’ from incompatible pointer type [enabled by default]
In file included from src/evaluate.c:21:0:
include/expression.h:275:12: note: expected ‘struct list_head *’ but argument is of type ‘struct eval_ctx *’
src/evaluate.c: In function ‘expr_evaluate_symbol’:
src/evaluate.c:204:4: warning: passing argument 1 of ‘expr_binary_error’ from incompatible pointer type [enabled by default]
In file included from src/evaluate.c:21:0:
include/expression.h:275:12: note: expected ‘struct list_head *’ but argument is of type ‘struct eval_ctx *’
[...]
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
| |
Always use flagcmp for RHS bitmask expressions, independant of whether
only one or an entire list of bitmask expression is specified.
This makes sure that f.i. "tcp flags ack" will match any combinations
of ACK instead of ACK and only ACK.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We currently do parsing and evaluation in two seperate stages. This means
that if any error occurs during parsing, we won't evaluate the syntactical
correct commands and detect possible evaluation errors in them.
In order to improve error reporting, change this to evaluate every command
as soon as it is fully parsed.
With this in place, the ruleset can be fully validated and all errors
reported in one step:
tests/error.1:6:23-23: Error: syntax error, unexpected newline
filter input tcp dport
^
tests/error.1:7:24-26: Error: datatype mismatch, expected internet network service, expression has type Internet protocol
filter input tcp dport tcp
~~~~~~~~~ ^^^
tests/error.1:8:24-32: Error: Right hand side of relational expression (==) must be constant
filter input tcp dport tcp dport
~~~~~~~~~~^^^^^^^^^
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The symbol for the relational op is shown in the error message. Since
OP_IMPLICIT doesn't have a symbol, (null) is shown. Fix by determining
the implicit op before checking for constants.
Error: Right hand side of relational expression ((null)) must be constant
=>
Error: Right hand side of relational expression (==) must be constant
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the following operation:
:~# nft export <xml|json>
The XML/JSON output is provided raw by libnftnl, thus without format.
In case of XML, you can give format with the `xmllint' tool from libxml2-tools:
:~# nft list ruleset xml | xmllint --format -
In case of JSON, you can use `json_pp' from perl standar package:
:~# nft list ruleset json | json_pp
A format field is added in struct cmd, and it will be reused in the import
operation.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
| |
We currently always use NLM_F_EXCL for add, which makes adding existing
chains or tables fail. There's usually no reason why you would care about
this, so change "add" to not use NLM_F_EXCL and add a new "create" command
in case you do care.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |\
| |
| |
| |
| |
| |
| |
| | |
Signed-off-by: Patrick McHardy <kaber@trash.net>
Conflicts:
include/nftables.h
src/main.c
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
If a set contains elements, the output is not parsable since the
elements = { ... } is not understood by the parser. Fix this and
also add support for creating constant sets (which only makes sense
when using an initializer).
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add support for the mixed IPv4/IPv6 "inet" family. This mainly consist
of adding the "inet" <-> NFPROTO_INET mapping in the parser and netlink
support functions.
Additionally add the definitions for the inet filter table.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Include the protocols defined through relational ct expressions in the
protocol context and use the protocol context to dynamically determine
the types of network and transport layer ct expression types.
Before:
$ nft filter output ct proto-dst ssh
<cmdline>:1:28-30: Error: Can't parse symbolic invalid expressions
filter output ct proto-dst ssh
^^^
$ nft filter output ip protocol tcp ct proto-dst ssh
<cmdline>:1:44-46: Error: Can't parse symbolic invalid expressions
filter output ip protocol tcp ct proto-dst ssh
^^^
$ nft filter output ct protocol tcp ct proto-dst ssh
<cmdline>:1:44-46: Error: Can't parse symbolic invalid expressions
filter output ct protocol tcp ct proto-dst ssh
^^^
After:
$ nft filter output ct proto-dst ssh
<cmdline>:1:28-30: Error: Can't parse symbolic invalid expressions
filter output ct proto-dst ssh
^^^
$ nft filter output ip protocol tcp ct proto-dst ssh
$ nft filter output ct protocol tcp ct proto-dst ssh
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add a callback function to the expression ops to update the protocol
context for relational protocol expressions (EXPR_F_PROTOCOL).
Also set the EXPR_F_PROTOCOL flag for IIFTYPE meta expressions to make
sure the callback is invoked when necessary.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
