| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
They map exactly one to one to we have in the kernel headers, so use
kernel definitions instead.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
so the user know how we express it.
The base was added to all symbol tables, which are associated with
datatype->sym_tbl, so they are displayed in the right base.
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
nft describe displays, to the user, which values are available for a selector,
then the values should be in host byte order.
Variable size was replaced by len to better match the common pattern.
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Fixes: ccc5da470e76 ("datatype: Replace getnameinfo() by internal lookup table")
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The flow statement allows to instantiate per flow statements for user
defined flows. This can so far be used for per flow accounting or limiting,
similar to what the iptables hashlimit provides. Flows can be aged using
the timeout option.
Examples:
# nft filter input flow ip saddr . tcp dport limit rate 10/second
# nft filter input flow table acct iif . ip saddr timeout 60s counter
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
define addrs={ 1.2.3.4 }
table ip filter {
chain input {
type filter hook input priority 0;
ip saddr $addrs accept
}
}
segfaults. Using saddr { 1.2.3.4 } instead of $addrs works.
Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801087
Tested-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
Syntax:
# nft add element filter test { 192.168.0.1 comment "some host" }
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Support specifying per element timeout values and displaying the expiration
time.
If an element should not use the default timeout value of the set, an
element specific value can be specified as follows:
# nft add element filter test { 192.168.0.1, 192.168.0.2 timeout 10m}
For listing of elements that use the default timeout value, just the
expiration time is shown, otherwise the element specific timeout value
is also displayed:
set test {
type ipv4_addr
timeout 1h
elements = { 192.168.0.2 timeout 10m expires 9m59s, 192.168.0.1 expires 59m59s}
}
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a new expression type "set_elem_expr" that is used as container for
the key in order to attach different attributes, such as timeout values,
to the key.
The expression hierarchy is as follows:
Sets:
elem
|
key
Maps:
mapping
/ \
elem data
|
key
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix regression introduced by commit 87c2a2205:
netlink_delinearize: clone on netlink_get_register(), release previous on _set()
When using a non-verdict mapping, the set ref expression is assigned to the
destination register. The next get_register() will attempt to clone it and
crash because of the missing ->clone() callback.
# nft filter input meta mark set ip daddr map { 192.168.0.1 : 123 }
# nft list table filter
Segmentation fault (core dumped)
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
| |
Their functionality is also needed for set descriptions, move the functions
to expressions.c and give them a more suitable name for global functions.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
| |
bitmask types default to flagcmp now, thus do not suppress OP_EQ. Else,
rule filter output tcp flags syn
rule filter output tcp flags == syn
are both displayed as 'flags syn'.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Singed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
| |
Turn the eval_ctx argument into a list_head to queue the error to.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
We're currently only converting bitmask types as direct argument to a
relational expression in the form of a flagcmp (expr & mask neq 0) back
into a list of bit values. This means expressions like:
tcp flags & (syn | ack) == syn | ack
won't be shown symbolically. Convert *all* bitmask values back to a sequence
of inclusive or expressions of the individual bits. In case of a flagcmp,
this sequence is further converted to a list (tcp flags syn,ack).
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the argument of a binop is a binop itself, we may need to add parens
if the precedence of the argument is lower then the binop.
Before:
tcp flags & syn | ack == syn | ack
tcp flags & syn | ack != syn | ack
After:
tcp flags & (syn | ack) == syn | ack
tcp flags & (syn | ack) != syn | ack
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Replace => by : to make it easier for most shell users, as
> implies a redirection, let's avoid possible confusion that
may result if you forget to escape it.
This works fine if you don't forget to add space between the
key and the value. If you forget to add the space, depending
on the case, the scanner may recognize it correctly or process
it as a string.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
% nft list table filter
table ip filter {
...
chain output {
...
ip saddr map { 1.1.1.1 => accept}
}
}
It displays 'map' instead of 'vmap'. Fix it by checking the mapping
type in map_expr_print().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This patch changes the output of relational expressions to not surpress
the '==' when the LHS is a binop, f.i.
... meta mark & 0x00000003 0x00000001
becomes
... meta mark & 0x00000003 == 0x00000001
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
| |
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Dynamically instantiate a data type to represent all types of a concatenation
and use that for type propagation.
|
| |
|
|
|
|
| |
Fix reversed order during constant splicing.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
| |
This fixes compilation with gcc-4.7
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
| |
Add size and type information to non-basetype types and remove the now
redundant information from the symbol tables.
This will be used to determine size and byteorder of set members without
analyzing the ruleset for incremental update operations.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
| |
Add a table containing all available datatypes and registration/lookup functions.
This will be used to associate a stand-alone set in the kernel with the correct
type without parsing the entire ruleset.
Additionally it would now be possible to remove the global declarations for the
core types. Not done yet though.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
User-defined constants can be used like this:
define allowed_hosts = { 192.168.0.0/24, 10.0.0.20-10.0.0.30 }
define udp_services = domain
define tcp_services = { ssh, domain }
ip saddr $allowed_hosts udp dport $udp_services counter accept
ip saddr $allowed_hosts tcp dport $tcp_services counter accept
Recursive definitions are possible, but currently not fully handled.
Anything requiring transformations (sets using ranges) can not be
used more than once currently since the expressions need to be COW'ed
previously.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
