| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Modify the parser and add necessary functions to provide the command "nft
replace rule <ruleid_spec> <new_rule>"
Example of use:
# nft list ruleset -a
table ip filter {
chain output {
ip daddr 8.8.8.7 counter packets 0 bytes 0 # handle 3
}
}
# nft replace rule filter output handle 3 ip daddr 8.8.8.8 counter
# nft list ruleset -a
table ip filter {
chain output {
ip daddr 8.8.8.8 counter packets 0 bytes 0 # handle 3
}
}
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Adapt the nftables code to use the new symbols in libnftnl. This patch contains
quite some renaming to reserve the nft_ prefix for our high level library.
Explicitly request libnftnl 1.0.5 at configure stage.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This patch reworks two aspects of the netlink socket event receive path:
1) In case of ENOBUFS, stay in the loop to keep receiving messages. The tool
displays a message so the user knows that we got lost event messages.
2) Rise the default size of the receive socket buffer up to 16 MBytes to reduce
chances of hitting ENOBUFS. Asumming that the netlink event message size is
~150 bytes, we can bear with ~111848 rules without message loss.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
mnl.c:241:1: error: expected identifier or '(' before '}' token
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
Each batch page has a size of 320 Kbytes, and the limit has been set to 256
KBytes, so the overrun area is 64 KBytes long to accomodate the largest netlink
message (sets).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The nf_tables kernel API provides a way to disable a table using the
dormant flag. This patch adds the missing code to expose this feature
through nft.
Basically, if you want to disable a table and all its chains from seen
any traffic, you have to type:
nft add table filter { flags dormant\; }
to re-enable the table, you have to:
nft add table filter
this clears the flags.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
The 'struct mnl_socket *nf_sock' parameter is useless and perturbing.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Use the existing functions in libnftnl to begin and end a batch.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Obtain the generation ID before dumping the object lists. Then,
check for generation ID updates when dumping the several lists that
this needs. In case of interference, nft has to remove the stale
objects and retry from scratch.
This is complementary to the NLM_F_DUMP_INTR flag which is local
to one single netlink dump.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nft crashes when adding many elements into a set for two reasons:
1) The overflow of the nla_len field for the NFTA_SET_ELEM_LIST_ELEMENTS
attribute.
2) Out-of-bound memory writes to the reserved area for the netlink
message, which is solved by the patch entitled ("mnl: introduce
NFT_NLMSG_MAXSIZE").
This patch adds the corresponding nla_len overflow check for
NFTA_SET_ELEM_LIST_ELEMENTS and it splits the elements in several
netlink messages. This should be enough when set updates are handled
by the transaction infrastructure.
With this patch, nft should be now capable of adding an unlimited
number of elements to a given set.
Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=898
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The NFT_NLMSG_MAXSIZE constant defines the maximum nf_tables netlink
message. Currently, the largest is the set element message, which
contains the NFTA_SET_ELEM_LIST_ELEMENTS attribute. This attribute is
a nest that describes the set elements. Given that the netlink attribute
length (nla_len) is 16 bits, the largest message is a bit larger than
64 KBytes. Thus, the proposed value of NFT_NLMSG_MAXSIZE is set to
(1 << 16) + getpagesize().
This new constant is used to calculate the length of:
1) the batch page length, when the batching mode is used.
2) the buffer that stores the netlink message in the send (when no
batching is used) and receive paths.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch reworks the batching logic in several aspects:
1) New batch pages are now always added into the batch page list in
first place. Then, in the send path, if the last batch page is
empty, it is removed from the batch list.
2) nft_batch_page_add() is only called if the current batch page is
full. Therefore, it is guaranteed to find a valid netlink message
in the batch page when moving the tail that didn't fit into a new
batch page.
3) The batch paging is initialized and released from the nft_netlink()
path.
4) No more global struct mnl_nlmsg_batch *batch that points to the
current batch page. Instead, it is retrieved from the tail of the
batch list, which indicates the current batch page.
This patch fixes a crash due to access of uninitialized memory area in
due to calling batch_page_add() with an empty batch in the send path,
and the memleak of the batch page contents. Reported in:
http://patchwork.ozlabs.org/patch/367085/
http://patchwork.ozlabs.org/patch/367774/
The patch is larger, but this saves the zeroing of the batch page area.
Reported-by: Yanchuan Nian <ycnian@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Save some LOC with this function that wraps typical handling
after pushing the netlink message into the batch.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
If this fails to fetch any of the objects, stop handling inmediately.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch moves the table messages to the netlink batch that
is sent to kernel-space.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch moves the chain netlink messages to the big netlink
batch that is sent to kernel-space.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This patch moves the netlink set messages to the batch that contains
the rules. This helps to speed up rule-set restoration time by
changing the operational. To achieve this, an internal set ID which
is unique to the batch is allocated as suggested by Patrick.
To retain backward compatibility, nft initially guesses if the
kernel supports set in batches. Otherwise, it falls back to the
previous (slowier) operational.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Let's split talk() and recv() functions, so they can be used independently.
While at it, lets rename mnl_talk() to nft_mnl_talk() so we avoid potential
clashes with other functions in external libs.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This patch adds a basic events reporting option to nft.
The syntax is:
% nft monitor [new|destroy] [tables|chains|rules|sets|elements] [xml|json]
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch fixes the inclusion of the last rule that didn't fit
into a batch page.
When using sets this has manifested with the -EBUSY error when deleting
the table (it was still containing unused sets after the flush).
The following command line works fine here:
nft -f test ; nft flush table filter ; nft delete chain filter output; nft delete table filter
Tested using this kernel patch: http://patchwork.ozlabs.org/patch/314143/
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch adds the following operation:
:~# nft export <xml|json>
The XML/JSON output is provided raw by libnftnl, thus without format.
In case of XML, you can give format with the `xmllint' tool from libxml2-tools:
:~# nft list ruleset xml | xmllint --format -
In case of JSON, you can use `json_pp' from perl standar package:
:~# nft list ruleset json | json_pp
A format field is added in struct cmd, and it will be reused in the import
operation.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |/
|
|
|
|
|
|
|
| |
We currently always use NLM_F_EXCL for add, which makes adding existing
chains or tables fail. There's usually no reason why you would care about
this, so change "add" to not use NLM_F_EXCL and add a new "create" command
in case you do care.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
| |
Adapt the current code to use the new library name libnftnl.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Add missing NLM_F_CREATE flag when creating new chains to trigger
module autoloading in the kernel.
Reported-by: Ana Rey Botello <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This allows you to dump the netlink message that is send via
libmnl.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Introduction of batch support broke displaying of EPERM since those are
generated by the kernel before batch processing starts and thus have the
sequence number of the NFNL_MSG_BATCH_BEGIN message instead of the
command messages. Also only a single error message is generated for the
entire batch.
This patch fixes this by noting the batch sequence number and displaying
the error for all commands since this is what would happen if the
permission check was inside batch processing as every other check.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
| |
Useful for debugging purposes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
If the NLM_F_ACK flag is unset, the kernel still explicitly reports
errors. Thus, we can save the handling of many explicit (useless) ack
messages that indicate success.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Minor fix, given that all those functions are aliases.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch allows nft to put all rule update messages into one
single batch that is sent to the kernel if `-f' option is used.
In order to provide fine grain error reporting, I decided to
to correlate the netlink message sequence number with the
correspoding command sequence number, which is the same. Thus,
nft can identify what rules trigger problems inside a batch
and report them accordingly.
Moreover, to avoid playing buffer size games at batch building
stage, ie. guess what is the final size of the batch for this
ruleset update will be, this patch collects batch pages that
are converted to iovec to ensure linearization when the batch
is sent to the kernel. This reduces the amount of unnecessary
memory usage that is allocated for the batch.
This patch uses the libmnl nlmsg batching infrastructure and it
requires the kernel patch entitled (netfilter: nfnetlink: add batch
support and use it from nf_tables).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support to insert and to add rule using a rule
handle as reference. The rule handle syntax has an new optional
position field which take a handle as argument.
Two examples:
nft add rule filter output position 5 ip daddr 1.2.3.1 drop
nft insert rule filter output position 5 ip daddr 1.2.3.1 drop
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Adapt it to the semantic fix that has been applied to libnftables,
nft_*_list_add now inserts nodes, instead of appending them.
Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
|
|
|
This patch migrates nft to use the libnftables library, that is used
by the iptables over nftables compat utility as well. Most of the
conversion was pretty straight forward. Some small significant changes
happened in the handling of set element and immediate data abstraction
that libnl provides. libnftables is a bit more granular since it splits
the struct nfnl_nft_data into three attributes: verdict, chain and plain
data (used in maps).
I have added a new file src/mnl.c that contains the low level netlink
communication that now resides in nftables source tree instead of
the library. This should help to implement the batching support using
libmnl in follow up patches.
I also spent some significant amount of time running my tests to make
sure that we don't increase the number of bugs that we already have
(I plan to provide a list of those that I have detected and diagnosed,
so anyone else can help us to fix them).
As a side effect, this change should also prepare the ground for
JSON and XML support anytime soon.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
