path: root/src/netlink.c
Commit log (author, date, files changed, lines removed/added):
* use new libnftnl library name (Pablo Neira Ayuso, 2014-01-20, 1 file, -4/+4)

  Adapt the current code to use the new library name libnftnl.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: use stdout for debugging (Pablo Neira Ayuso, 2014-01-15, 1 file, -5/+5)

  Suggested-by: Patrick McHardy <kaber@trash.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: fix dictionary feature with data mappings (Pablo Neira Ayuso, 2013-12-28, 1 file, -1/+13)

  This patch fixes the dictionary feature, that allows you to conditionally set packet fields based on a given selector, eg.

    add rule ip filter input meta dnat set tcp dport map { 22 => 1.1.1.1, 23 => 2.2.2.2 }

  This means that traffic flowing to tcp port 22 is dnatted to address 1.1.1.1 and tcp port 23 is dnatted to address 2.2.2.2.

  This feature was partially broken by aae836a ("src: use libnftables") although it also needs the kernel fix ("netfilter: nf_tables: fix wrong datatype in nft_validate_data_load()").

  This patch also fixes endianness issues when displaying the mark via `list table' related to list_setelem_cb() since the byteorder was left unset for the data part of a set element.

    meta mark set tcp dport map { telnet => 0x02000000, ssh => 0x01000000}
                                            ^                  ^

  Note the wrong endianness in the example above.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix rule flushing atomically (Pablo Neira Ayuso, 2013-12-06, 1 file, -34/+1)

  nft is currently retrieving the list of rules from the kernel, then deleting each rule one by one. This is slow and not safe.

  Fix it by sending a deletion command in a batch without specifying the chain.

  This change requires the kernel fix entitled:

    netfilter: nf_tables: fix missing rules flushing per table

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: improve rule deletion per chain (Pablo Neira Ayuso, 2013-11-25, 1 file, -1/+1)

  With this patch, nft asks the kernel to delete all rules in a chain. This replaces the current behaviour that requires dumping all the rules, then iterating over that list to delete them one by one, which is prone to races and slower.

  After this patch, the following two commands are equivalent:

    nft flush chain filter input
    nft delete rule filter input

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: only display wanted chain in listing (Eric Leblond, 2013-11-19, 1 file, -0/+4)

  When specifying a chain to list, all created chains were displayed with a void content:

    # nft list chain filter
    table ip filter {
            chain input {
            }
            chain new {
                    counter packets 17971 bytes 2380637 accept
                    counter packets 0 bytes 0 accept
            }
    }

  With the attached patch, only the asked chain is displayed:

    # nft list chain filter
    table ip filter {
            chain new {
                    counter packets 17971 bytes 2380637 accept # handle 36
                    counter packets 0 bytes 0 accept # handle 40
            }
    }

  Signed-off-by: Eric Leblond <eric@regit.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: fix nft flush operation (Eric Leblond, 2013-10-03, 1 file, -2/+0)

  The nft_netlink function is already calling mnl_batch_end and mnl_batch_begin so it is not necessary to do it in the netlink_flush_rules function. Doing this results in an invalid netlink message which is discarded by the kernel.

  Signed-off-by: Eric Leblond <eric@regit.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: only flush asked table/chain (Eric Leblond, 2013-10-03, 1 file, -0/+8)

  The flush operation was not limiting the flush to the table or chain specified on the command line. The result was that all the rules for a given family were flushed independently of the flush command.

  Signed-off-by: Eric Leblond <eric@regit.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: suppress useless variable (Eric Leblond, 2013-10-03, 1 file, -3/+0)

  Signed-off-by: Eric Leblond <eric@regit.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: fix IPv6 prefix computation (Eric Leblond, 2013-09-30, 1 file, -4/+7)

  The prefix building algorithm in the netlink phase was incorrect in IPv6. For example, when adding the following rule

    nft add rule ip6 nat postrouting ip6 saddr 2::/64 --debug=all

  we had:

    ip6 nat postrouting 0 0
      [ payload load 16b @ network header + 8 => reg 1 ]
      [ bitwise reg 1 = (reg=1 & 0x00000000 0x99361540 0x00007f8d 0x2e33a1eb ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ]
      [ cmp eq reg 1 0x00000200 0x00000000 0x00000000 0x00000000 ]

  With the patch the result is as expected:

    ip6 nat postrouting 0 0
      [ payload load 16b @ network header + 8 => reg 1 ]
      [ bitwise reg 1 = (reg=1 & 0xffffffff 0xffffffff 0x00000000 0x00000000 ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ]
      [ cmp eq reg 1 0x00000200 0x00000000 0x00000000 0x00000000 ]

  Signed-off-by: Eric Leblond <eric@regit.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add rule batching support (Pablo Neira Ayuso, 2013-09-23, 1 file, -11/+35)

  This patch allows nft to put all rule update messages into one single batch that is sent to the kernel if the `-f' option is used.

  In order to provide fine grain error reporting, I decided to correlate the netlink message sequence number with the corresponding command sequence number, which is the same. Thus, nft can identify what rules trigger problems inside a batch and report them accordingly.

  Moreover, to avoid playing buffer size games at batch building stage, ie. guessing what the final size of the batch for this ruleset update will be, this patch collects batch pages that are converted to iovec to ensure linearization when the batch is sent to the kernel. This reduces the amount of unnecessary memory that is allocated for the batch.

  This patch uses the libmnl nlmsg batching infrastructure and it requires the kernel patch entitled (netfilter: nfnetlink: add batch support and use it from nf_tables).

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Fix base chain printing (Tomasz Bursztyka, 2013-08-30, 1 file, -0/+1)

  Relying on the chain's hooknum to know whether the chain is a base one or not is bogus: having 0 as hooknum is a valid number. Thus setting the right flag and handling it is the way to go, as the parser does already.

  Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow to specify the base chain type (Pablo Neira Ayuso, 2013-08-27, 1 file, -6/+20)

  This patch allows you to specify the type of the base chain, eg.

    add table mangle
    add chain mangle OUTPUT { type route hook NF_INET_LOCAL_OUT 0; }

  The chain type determines the semantics of the chain, we currently have three types:

    * filter, used for plain packet filtering.
    * nat, it only sees the first packet of the flow.
    * route, which is the equivalent of the iptables mangle table, that triggers a re-route if there is any change in some of the packet header fields, eg. IP TOS/DSCP, or the packet metainformation, eg. mark.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Add support for insertion inside rule list (Eric Leblond, 2013-07-19, 1 file, -0/+2)

  This patch adds support to insert and to add a rule using a rule handle as reference. The rule handle syntax has a new optional position field which takes a handle as argument. Two examples:

    nft add rule filter output position 5 ip daddr 1.2.3.1 drop
    nft insert rule filter output position 5 ip daddr 1.2.3.1 drop

  Signed-off-by: Eric Leblond <eric@regit.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: fix network address prefix (Pablo Neira Ayuso, 2013-06-24, 1 file, -0/+24)

  eg.

    nft add rule filter output ip daddr 192.168.1.0/24 counter

  so far, this operation was only possible using sets.

    nft add rule filter output ip daddr \{ 192.168.1.0/24 \} counter

  While at it, move all binop postprocess code to a new function that contains this transformation and the existing bitmask to constant (as used by eg. ct state new,established).

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use libnftables (Pablo Neira Ayuso, 2013-06-24, 1 file, -427/+419)

  This patch migrates nft to use the libnftables library, that is used by the iptables over nftables compat utility as well.

  Most of the conversion was pretty straightforward. Some small significant changes happened in the handling of set element and immediate data abstraction that libnl provides. libnftables is a bit more granular since it splits the struct nfnl_nft_data into three attributes: verdict, chain and plain data (used in maps).

  I have added a new file src/mnl.c that contains the low level netlink communication that now resides in the nftables source tree instead of the library. This should help to implement the batching support using libmnl in follow up patches.

  I also spent some significant amount of time running my tests to make sure that we don't increase the number of bugs that we already have (I plan to provide a list of those that I have detected and diagnosed, so anyone else can help us to fix them).

  As a side effect, this change should also prepare the ground for JSON and XML support anytime soon.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cmd/netlink: make sure we always have a location in netlink operations (Patrick McHardy, 2013-04-18, 1 file, -45/+64)

  Improve error reporting by always using a location in netlink operations.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink: return error if chain not found (Pablo Neira Ayuso, 2013-04-18, 1 file, -1/+16)

  Before this patch:

    nft list chain filter xxx
    table filter {
    }

  After this patch:

    nft list chain filter xxx
    internal:0:0-0: Error: Could not find chain `xxx' in table `filter: Object not found

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: allow to list of existing tables (Pablo Neira Ayuso, 2013-04-18, 1 file, -1/+2)

  You can now specify:

    nft list tables ip

  to obtain the list of all existing tables.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: add rule insertion (prepend) support (Patrick McHardy, 2012-12-14, 1 file, -2/+2)

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* chains: add chain rename support (Patrick McHardy, 2012-12-14, 1 file, -1/+22)

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink: fix query requests (Patrick McHardy, 2012-12-14, 1 file, -6/+10)

  The callback needs to be set before sending the query since nl_wait_for_ack() already does message reception.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* debug: include verbose message in all BUG statements (root, 2012-12-08, 1 file, -1/+1)

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink: Use the right datatype for verdict (Tomasz Bursztyka, 2012-08-03, 1 file, -1/+1)

  Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: add debugging for missing objects (Patrick McHardy, 2010-07-06, 1 file, -1/+4)

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink: fix creation of base chains with hooknum and priority 0 (Patrick McHardy, 2010-07-06, 1 file, -1/+1)

  Base chains with both a hook number and priority of zero are created as regular chains. Fix by adding a BASECHAIN flag indicating that the chain should be created as a base chain.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* debug: allow runtime control of debugging output (Patrick McHardy, 2009-07-28, 1 file, -23/+13)

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* add support for new set API and standalone sets (Patrick McHardy, 2009-07-28, 1 file, -1/+365)

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink: move data related functions to netlink.c (Patrick McHardy, 2009-03-31, 1 file, -0/+113)

  Move the data related functions to netlink.c as they're going to be needed outside of the rule context for set maintenance.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink: use libnl OBJ_CAST macro (Patrick McHardy, 2009-03-31, 1 file, -8/+4)

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink: consistent naming fixes (Patrick McHardy, 2009-03-31, 1 file, -4/+4)

  Rename libnl netlink data to "nld" for consistency.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink: add helper function for socket callback modification (Patrick McHardy, 2009-03-31, 1 file, -6/+8)

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* Initial commit [tag: v0.01-alpha1] (Patrick McHardy, 2009-03-18, 1 file, -0/+476)