path: root/src/main.c
Commit message | Author | Age | Files | Lines
* src: add new --debug=mnl option to enable libmnl debugging | Pablo Neira Ayuso | 2014-01-16 | 1 | -1/+5

  This allows you to dump the netlink message that is sent via libmnl.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: add new segtree debugging option | Pablo Neira Ayuso | 2014-01-15 | 1 | -1/+5

  Currently, nft displays the debugging information if it's compiled with --enable-debug (which seems a good idea) and when intervals are used in maps. Add a new option to enable debugging to segtree, so we only get this information when explicitly requested.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nftables: shorten "could not process rule in batch" message | Patrick McHardy | 2014-01-10 | 1 | -2/+2

  Remove the "in batch" part; it makes most messages exceed a single line, the user doesn't care about this, and we process even single rules in "batches".

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* nftables: fix suppression of "permission denied" errors | Patrick McHardy | 2014-01-09 | 1 | -4/+8

  Introduction of batch support broke displaying of EPERM since those are generated by the kernel before batch processing starts and thus have the sequence number of the NFNL_MSG_BATCH_BEGIN message instead of the command messages. Also only a single error message is generated for the entire batch.

  This patch fixes this by noting the batch sequence number and displaying the error for all commands since this is what would happen if the permission check was inside batch processing as every other check.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: fix return code | Arturo Borrero Gonzalez | 2013-10-17 | 1 | -3/+4

  Exit with NFT_EXIT_FAILURE if something went wrong in the netlink code.

  Before this patch:

    internal:0:0-0: Error: Could not find chain `asd' in table `filter':
    [...]
    0

  After this patch:

    internal:0:0-0: Error: Could not find chain `asd' in table `filter':
    [...]
    1

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add rule batching support | Pablo Neira Ayuso | 2013-09-23 | 1 | -18/+50

  This patch allows nft to put all rule update messages into one single batch that is sent to the kernel if the `-f' option is used.

  In order to provide fine-grained error reporting, I decided to correlate the netlink message sequence number with the corresponding command sequence number, which is the same. Thus, nft can identify what rules trigger problems inside a batch and report them accordingly.

  Moreover, to avoid playing buffer size games at batch building stage, i.e. guessing what the final size of the batch for this ruleset update will be, this patch collects batch pages that are converted to iovec to ensure linearization when the batch is sent to the kernel. This reduces the amount of unnecessary memory usage that is allocated for the batch.

  This patch uses the libmnl nlmsg batching infrastructure and it requires the kernel patch entitled (netfilter: nfnetlink: add batch support and use it from nf_tables).

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
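The two commit messages above (the batching commit and the earlier "permission denied" fix) describe how an error reply from the kernel is mapped back to a command: each command's netlink message carries the command's own sequence number, while an error raised before batch processing starts (such as EPERM) carries the sequence number of the batch-begin message and must therefore be reported against every command in the batch. The following is an added illustration of that correlation logic, not code from nftables or libmnl; the struct and function names are hypothetical, and the batch is a constructed in-memory one rather than real netlink traffic.

```c
/* Added illustration (not nftables or libmnl code): attributing a netlink
 * error reply to the command(s) in a batch by sequence number. All names
 * here are hypothetical; the batch below is constructed, not real traffic. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* One command in the batch; seq is the nlmsg_seq its message was sent with. */
struct batch_cmd {
    unsigned int seq;
    const char *text;
};

/* Stand-in for the two fields of an nlmsgerr reply that matter here:
 * the negative errno and the sequence number of the rejected message. */
struct nl_error {
    int error;          /* 0 = ACK, otherwise e.g. -EPERM, -ENOENT */
    unsigned int seq;
};

/* Hand out sequence numbers: the batch-begin message gets `base', the
 * commands get base+1, base+2, ... in order. Returns the batch sequence
 * number so the caller can recognise pre-batch rejections later. */
static unsigned int batch_assign_seq(struct batch_cmd *cmds, size_t n,
                                     unsigned int base)
{
    for (size_t i = 0; i < n; i++)
        cmds[i].seq = base + 1 + (unsigned int)i;
    return base;
}

/* Report an error reply against the command(s) it belongs to and return
 * how many commands were blamed:
 *   seq == one command's seq  -> 1  (that command failed inside the batch)
 *   seq == batch-begin seq    -> n  (kernel rejected the batch before
 *                                     processing it, e.g. EPERM: report
 *                                     every command, as the fix describes)
 *   seq unknown or error == 0 -> 0  (ACK, or reply we cannot attribute) */
static size_t report_batch_error(const struct batch_cmd *cmds, size_t n,
                                 unsigned int batch_seq,
                                 const struct nl_error *err, FILE *out)
{
    size_t reported = 0;

    if (err->error == 0)
        return 0;

    for (size_t i = 0; i < n; i++) {
        if (err->seq != cmds[i].seq && err->seq != batch_seq)
            continue;
        fprintf(out, "Error: %s: %s\n", strerror(-err->error), cmds[i].text);
        reported++;
    }
    return reported;
}

/* Mirrors the "fix return code" commit: any reported error makes the
 * process exit non-zero (1, the value shown in that commit message). */
static int batch_exit_code(size_t reported)
{
    return reported ? 1 : 0;
}

int main(void)
{
    /* Constructed sample batch of three commands. */
    struct batch_cmd cmds[] = {
        { 0, "add table ip filter" },
        { 0, "add chain ip filter input" },
        { 0, "add rule ip filter input drop" },
    };
    size_t n = sizeof(cmds) / sizeof(cmds[0]);
    unsigned int batch_seq = batch_assign_seq(cmds, n, 100);

    /* Error inside the batch: only the second command is blamed. */
    struct nl_error in_batch = { -ENOENT, cmds[1].seq };
    size_t r1 = report_batch_error(cmds, n, batch_seq, &in_batch, stdout);

    /* Error before the batch (EPERM on batch-begin): every command is blamed. */
    struct nl_error pre_batch = { -EPERM, batch_seq };
    size_t r2 = report_batch_error(cmds, n, batch_seq, &pre_batch, stdout);

    printf("reported %zu then %zu command(s)\n", r1, r2);
    return batch_exit_code(r1 + r2);
}
```

Running it as an unprivileged user of a real nft would correspond to the second case: one EPERM reply whose sequence number is the batch-begin one, which this logic expands into one error line per command instead of silently dropping it.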
* nftables: add additional --numeric level | Phil Oester | 2013-08-22 | 1 | -2/+3

  Personally, I like seeing ports and IPs numerically, but prefer protocols to be shown by name. As such, add a third --numeric level which will show protocols by number, splitting them out from ports.

    -n/--numeric
        When specified once, show network addresses numerically.
        When specified twice, also show Internet services, user IDs and group IDs numerically.
        When specified thrice, also show protocols numerically.

  Signed-off-by: Phil Oester <kernel@linuxace.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: add flag to display rule handle as comment | Eric Leblond | 2013-05-31 | 1 | -1/+11

  Knowing the rule handle is necessary to be able to delete a single rule. It was not displayed till now in the output and it was thus impossible to remove a single rule.

  This patch modifies the listing output to add a comment containing the handle when the -a/--handle flag is provided.

  Signed-off-by: Eric Leblond <eric@regit.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cli: complete basic functionality of the interactive mode | Pablo Neira Ayuso | 2013-05-19 | 1 | -31/+40

  This patch adds missing code to get basic interactive mode operative via `nft -i', including parsing, evaluation, command execution via netlink and error reporting.

  Autocomplete is not yet implemented.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix crash if nft -f wrong_file is passed | Pablo Neira Ayuso | 2013-04-19 | 1 | -1/+1

  Now it displays:

    nft -f wrong_file
    internal:0:0-0: Error: Could not open file "wrong_file": No such file or directory

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: fix error checking in nft_parse | Pablo Neira Ayuso | 2013-04-18 | 1 | -1/+1

  The bison parser returns 0 in case of success and it returns 1 in case of error.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* help: fix of the -I option in help display | Romain Bignon | 2010-07-06 | 1 | -1/+1

  Trivial patch which fixes a typo.

  Signed-off-by: Romain Bignon <romain@peerfuse.org>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* don't use internal_location for files specified on command line | Patrick McHardy | 2010-07-06 | 1 | -1/+1

  Fixes strange error messages like:

    In file included from internal:0:0-0:
    files/examples/sets_and_maps:55:2-2: Error: syntax error, unexpected newline, expecting string

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* debug: properly parse debug levels | Patrick McHardy | 2010-07-06 | 1 | -2/+54

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* debug: allow runtime control of debugging output | Patrick McHardy | 2009-07-28 | 1 | -0/+19

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* Fix some memory leaks | Patrick McHardy | 2009-03-20 | 1 | -2/+4

  Free nested chain handles and command structures when done.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* Release scopes during cleanup | Patrick McHardy | 2009-03-20 | 1 | -0/+1

  Properly release the user-defined symbols.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* Initial commit (tag: v0.01-alpha1) | Patrick McHardy | 2009-03-18 | 1 | -0/+202