summaryrefslogtreecommitdiffstats
path: root/src/netlink.c
Commit message (Collapse)AuthorAgeFilesLines
* src: Allow reset single stateful objectElise Lennion2017-01-271-4/+5
| | | | | | | | | | | | | | | | | | | | | | | | Currently the stateful objects can only be reseted in groups. With this patch reseting a single object is allowed: $ nft reset counter filter https-traffic table ip filter { counter https-traffic { packets 8774 bytes 542668 } } $ nft list counter filter https-traffic table ip filter { counter https-traffic { packets 0 bytes 0 } } Heavily based on work from Pablo Neira Ayuso <pablo@netfilter.org>. Signed-off-by: Elise Lennion <elise.lennion@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: don't bail out on dump errorsPablo Neira Ayuso2017-01-231-15/+5
| | | | | | | | | | | | | | This patch removes the existing error messages on netlink dump errors. These functions used to be called from list commands. These days they are called from the cache cache population path. Note that nft breaks with older kernels at netlink_list_objs() since we have no stateful objects support there. Silence errors at this stage and return an empty list, thus, nft bails out on explicit user commands if no nf_tables support is available. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: sort set elements in netlink_get_setelems()Elise Lennion2017-01-101-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | So users can better track their ruleset via git. Without sorting, the elements can be listed in a different order every time the set is created, generating unnecessary git changes. Mergesort is used. Doesn't sort sets with 'flags interval' set on. Pablo appends to this changelog description: Currently these interval set elements are dumped in order. We'll likely get new representations soon that may not guarantee this anymore, so let's revisit this later in case we need it. Without this patch, nft list ruleset with a set containing 40000 elements takes on my laptop: real 0m2.742s user 0m0.112s sys 0m0.280s With this patch: real 0m2.846s user 0m0.180s sys 0m0.284s Difference is small, so don't get nft more complicated with yet another getopt() option, enable this by default. Signed-off-by: Elise Lennion <elise.lennion@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for stateful object monitoringPablo Neira Ayuso2017-01-031-0/+134
| | | | | | | This patch extends the event monitoring infrastructure to catch events of addition and removal of stateful objects. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for stateful object mapsPablo Neira Ayuso2017-01-031-8/+32
| | | | | | | | | | | | | | | | | | | | | | | | | | | | You can create these maps using explicit map declarations: # nft add table filter # nft add chain filter input { type filter hook input priority 0\; } # nft add map filter badguys { type ipv4_addr : counter \; } # nft add rule filter input counter name ip saddr map @badguys # nft add counter filter badguy1 # nft add counter filter badguy2 # nft add element filter badguys { 192.168.2.3 : "badguy1" } # nft add element filter badguys { 192.168.2.4 : "badguy2" } Or through implicit map definitions: table ip filter { counter http-traffic { packets 8 bytes 672 } chain input { type filter hook input priority 0; policy accept; counter name tcp dport map { 80 : "http-traffic", 443 : "http-traffic"} } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: reset internal stateful objectsPablo Neira Ayuso2017-01-031-1/+23
| | | | | | | | | | | | | | | | | | | | | This patch allows you to atomically dump and reset stateful objects, eg. # nft list counters table ip filter { counter test { packets 1024 bytes 100000 } } # nft reset quotas table filter counter test { packets 1024 bytes 100000 } # nft reset quotas table filter counter test { packets 0 bytes 0 } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add/create/delete stateful objectsPablo Neira Ayuso2017-01-031-0/+95
| | | | | | | | | | | | | | | | This patch allows you to add and to delete objects, eg. # nft add quota filter test 1234567 bytes # nft list quotas table ip filter { quota test { 1234567 bytes } } # nft delete quota filter test Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: listing of stateful objectsPablo Neira Ayuso2017-01-031-0/+67
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch allows you to dump existing stateful objects, eg. # nft list ruleset table ip filter { counter test { packets 64 bytes 1268 } quota test { over 1 mbytes used 1268 bytes } chain input { type filter hook input priority 0; policy accept; quota name test drop counter name test } } # nft list quotas table ip filter { quota test { over 1 mbytes used 1268 bytes } } # nft list counters table ip filter { counter test { packets 64 bytes 1268 } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove SET_F_* flag definitionsPablo Neira Ayuso2017-01-031-4/+4
| | | | | | | They map exactly one to one to we have in the kernel headers, so use kernel definitions instead. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mnl: add mnl_nft_setelem_batch_flush() and use it from netlink_flush_setelems()Pablo Neira Ayuso2016-12-201-1/+13
| | | | | | | | | | | | | Commit 8bd99f2fca7e ("mnl: don't send empty set elements netlink message to kernel") broke set flush because we still need to send the netlink message with no elements to flush sets. To avoid more whack-a-mole games, add a new explicit function mnl_nft_setelem_batch_flush() that is used to request a set flush, instead of reusing the one that allows us to explicitly delete given set elements. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support to flush setsPablo Neira Ayuso2016-12-051-1/+8
| | | | | | | | | | You can use this new command to remove all existing elements in a set: # nft flush set filter xyz After this command, the set 'xyz' in table 'filter' becomes empty. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: fix monitor trace crash with netdev familyFlorian Westphal2016-10-211-2/+5
| | | | | | | | | | | | | | | | | nft monitor trace crashes on first packet with: table netdev filter { chain foobar { type filter hook ingress device eth0 priority 0; udp sport 53 meta nftrace set 1 } } We did not handle netdev family and thus generated bogus payload statements without data types. Netfilter Bugzilla: http://bugzilla.netfilter.org/show_bug.cgi?id=1092 Signed-off-by: Florian Westphal <fw@strlen.de>
* src: create element commandPablo Neira Ayuso2016-08-251-7/+8
| | | | | | | | | | | | | | | This patch adds the create command, that send the NLM_F_EXCL flag so nf_tables bails out if the element already exists, eg. # nft add element x y { 1.1.1.1 } # nft create element x y { 1.1.1.1 } <cmdline>:1:1-31: Error: Could not process rule: File exists create element x y { 1.1.1.1 } ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ This update requires nf_tables kernel patches to honor the NLM_F_EXCL. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add create set commandPablo Neira Ayuso2016-08-241-7/+10
| | | | | | | | | | | | | | | | | | | | | | Add support for the 'create' command, we already support this in other existing objects, so support this for sets too, eg. # nft add set x y { type ipv4_addr\; } # nft create set x y { type ipv4_addr\; } <cmdline>:1:1-35: Error: Could not process rule: File exists create set x y { type ipv4_addr; } ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ # nft add set x y { type ipv4_addr\; } # This command sets the NLM_F_EXCL netlink flag, so if the object already exists, nf_tables returns -EEXIST. This is changing the existing behaviour of 'nft add set' which was setting this flag, this is inconsistent with regards to the way other objects behave. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use new definitions from libnftnlPablo Neira Ayuso2016-06-151-2/+2
| | | | | | | Use new definitions in libnftnl, so we can consider getting rid of them at some point. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: Use libnftnl/udata to store set element commentCarlos Falgueras García2016-05-301-4/+46
| | | | | | | | | The set element comment is stored in nftnl_set_elem->user.data using libnftnl/udata infrastructure. This allows store multiple variable length user data into set element. Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add flow statementPatrick McHardy2016-05-131-0/+6
| | | | | | | | | | | | | | | The flow statement allows to instantiate per flow statements for user defined flows. This can so far be used for per flow accounting or limiting, similar to what the iptables hashlimit provides. Flows can be aged using the timeout option. Examples: # nft filter input flow ip saddr . tcp dport limit rate 10/second # nft filter input flow table acct iif . ip saddr timeout 60s counter Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: declare interval_map_decompose() from header filePablo Neira Ayuso2016-05-131-2/+0
| | | | | | Instead of having several extern function declarations. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: several function constificationsPablo Neira Ayuso2016-05-131-10/+10
| | | | | | | | | | Constify: * netlink_dump*() * netlink_delinearize_*() * netlink_add_rule_list() Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft monitor [ trace ]Patrick McHardy2016-04-241-1/+278
| | | | | | | | | | | | | | | | | | | | | | | | | ... can now display nftables nftrace debug information. $ nft filter input tcp dport 10000 nftrace set 1 $ nft filter input icmp type echo-request nftrace set 1 $ nft -nn monitor trace trace id e1f5055f ip filter input packet: iif eth0 ether saddr 63:f6:4b:00:54:52 ether daddr c9:4b:a9:00:54:52 ip saddr 192.168.122.1 ip daddr 192.168.122.83 ip tos 0 ip ttl 64 ip id 32315 ip length 84 icmp type echo-request icmp code 0 icmp id 10087 icmp sequence 1 trace id e1f5055f ip filter input rule icmp type echo-request nftrace set 1 (verdict continue) trace id e1f5055f ip filter input verdict continue trace id e1f5055f ip filter input trace id 74e47ad2 ip filter input packet: iif vlan0 ether saddr 63:f6:4b:00:54:52 ether daddr c9:4b:a9:00:54:52 vlan pcp 0 vlan cfi 1 vlan id 1000 ip saddr 10.0.0.1 ip daddr 10.0.0.2 ip tos 0 ip ttl 64 ip id 49030 ip length 84 icmp type echo-request icmp code 0 icmp id 10095 icmp sequence 1 trace id 74e47ad2 ip filter input rule icmp type echo-request nftrace set 1 (verdict continue) trace id 74e47ad2 ip filter input verdict continue trace id 74e47ad2 ip filter input trace id 3030de23 ip filter input packet: iif vlan0 ether saddr 63:f6:4b:00:54:52 ether daddr c9:4b:a9:00:54:52 vlan pcp 0 vlan cfi 1 vlan id 1000 ip saddr 10.0.0.1 ip daddr 10.0.0.2 ip tos 16 ip ttl 64 ip id 59062 ip length 60 tcp sport 55438 tcp dport 10000 tcp flags == syn tcp window 29200 trace id 3030de23 ip filter input rule tcp dport 10000 nftrace set 1 (verdict continue) trace id 3030de23 ip filter input verdict continue trace id 3030de23 ip filter input Based on a patch from Florian Westphal, which again was based on a patch from Markus Kötter. Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: store parser location for handle and position specifiersPablo Neira Ayuso2016-03-301-7/+7
| | | | | | | | | Store the parser location structure for handle and position IDs so we can use this information from the evaluation step, to provide better error reporting. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
* netlink: fix up indentation damagePatrick McHardy2015-11-271-59/+43
| | | | | | | The conversion to the net libnftnl API has left a lot of indentation damage in the netlink functions. Fix it up. Signed-off-by: Patrick McHardy <kaber@trash.net>
* rule: move comment out of handlePatrick McHardy2015-11-151-3/+0
| | | | | | The comment does not belong to the handle, it belongs to the rule. Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: Add command "replace" for rulesCarlos Falgueras García2015-11-021-0/+18
| | | | | | | | | | | | | | | | | | | | | | | | Modify the parser and add necessary functions to provide the command "nft replace rule <ruleid_spec> <new_rule>" Example of use: # nft list ruleset -a table ip filter { chain output { ip daddr 8.8.8.7 counter packets 0 bytes 0 # handle 3 } } # nft replace rule filter output handle 3 ip daddr 8.8.8.8 counter # nft list ruleset -a table ip filter { chain output { ip daddr 8.8.8.8 counter packets 0 bytes 0 # handle 3 } } Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: netlink: don't truncate set key lengthsFlorian Westphal2015-09-181-2/+2
| | | | | | | If key is e.g. 12 bits, pretend its 16 instead of 8. This is needed to make sets work with header fields with size not divisible by 8. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: use new symbols in libnftnlPablo Neira Ayuso2015-09-161-356/+356
| | | | | | | | | Adapt the nftables code to use the new symbols in libnftnl. This patch contains quite some renaming to reserve the nft_ prefix for our high level library. Explicitly request libnftnl 1.0.5 at configure stage. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: flush stdout after each event in monitor modePablo Neira Ayuso2015-09-071-0/+1
| | | | | | | | So we get all events when redirecting them to file, ie. # nftables monitor > file Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: don't call netlink_dump_*() from listing functions with --debug=netlinkPablo Neira Ayuso2015-08-181-4/+0
| | | | | | | | | | Now that we always retrieve the object list to build a cache before executing the command, this results in fully listing of existing objects in the kernel. This is confusing when adding a simple rule, so better not to call netlink_dump_*() from listing functions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: early allocation of the set IDPablo Neira Ayuso2015-08-181-4/+0
| | | | | | | By when the set is created, so element in the batch use this set ID as reference. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'next-4.2'Pablo Neira Ayuso2015-08-181-0/+7
|\ | | | | | | | | | | | | | | | | | | This branch adds support for the new 'netdev' family. This also resolves a simple conflict with the default chain policy printing. Conflicts: src/rule.c Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * src: add netdev family supportPablo Neira Ayuso2015-06-161-0/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds support for the new 'netdev' table. So far, this table allows you to create filter chains from ingress. The following example shows a very simple base configuration with one table that contains a basechain that is attached to the 'eth0': # nft list table netdev filter table netdev filter { chain eth0-ingress { type filter hook ingress device eth0 priority 0; policy accept; } } You can test that this works by adding a simple rule with counters: # nft add rule netdev filter eth0-ingress counter Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | netlink: release table object via table_free() in netlink_get_table()Pablo Neira Ayuso2015-07-141-1/+1
| | | | | | | | | | | | Instead of xfree(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | src: set chain->hookstr from delinearizationPablo Neira Ayuso2015-07-061-0/+2
| | | | | | | | | | | | Set human readable hookname chain->hookstr field from delinearize. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | netlink: fix use-after-free netlink_events_cache_deltable()Pablo Neira Ayuso2015-06-161-2/+3
|/ | | | | | | h.table stores a pointer to a nftnl table object that is gone just after assignment. Release this object once its content is not referenced anymore. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: handle concat expressions in set dataPatrick McHardy2015-06-021-0/+32
| | | | | | | Reconstruct the concat expressions in set data by splicing off the subtype values based on the keytype of the set. Signed-off-by: Patrick McHardy
* netlink: pad constant concat sub-expressionsPatrick McHardy2015-06-021-8/+6
| | | | | | Pad all but the last sub-expressions of a concat expressions. Signed-off-by: Patrick McHardy <kaber@trash.net>
* setelem: add support for attaching comments to set elementsPatrick McHardy2015-04-121-0/+11
| | | | | | | | Syntax: # nft add element filter test { 192.168.0.1 comment "some host" } Signed-off-by: Patrick McHardy <kaber@trash.net>
* setelem: add timeout support for set elementsPatrick McHardy2015-04-121-0/+7
| | | | | | | | | | | | | | | | | | | | | | Support specifying per element timeout values and displaying the expiration time. If an element should not use the default timeout value of the set, an element specific value can be specified as follows: # nft add element filter test { 192.168.0.1, 192.168.0.2 timeout 10m} For listing of elements that use the default timeout value, just the expiration time is shown, otherwise the element specific timeout value is also displayed: set test { type ipv4_addr timeout 1h elements = { 192.168.0.2 timeout 10m expires 9m59s, 192.168.0.1 expires 59m59s} } Signed-off-by: Patrick McHardy <kaber@trash.net>
* set: add timeout support for setsPatrick McHardy2015-04-121-0/+10
| | | | | | | | | | | | | | | | | | | | | | | | Timeout support can be enabled in one of two ways: 1. Using a default timeout value: set test { type ipv4_addr; timeout 1h; } 2. Using the timeout flag without a default: set test { type ipv4_addr; flags timeout; } Optionally a garbage collection interval can be specified using gc-interval <interval>; Signed-off-by: Patrick McHardy <kaber@trash.net>
* expr: add set_elem_expr as container for set element attributesPatrick McHardy2015-04-121-23/+30
| | | | | | | | | | | | | | | | | | | | | | | | Add a new expression type "set_elem_expr" that is used as container for the key in order to attach different attributes, such as timeout values, to the key. The expression hierarchy is as follows: Sets: elem | key Maps: mapping / \ elem data | key Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: introduce netlink_init_error()Pablo Neira Ayuso2015-04-091-4/+5
| | | | | | | | Based on the existing netlink_open_error(), but indicate file and line where the error happens. This will help us to diagnose what is going wrong when users can back to us to report problems. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* monitor: fix missing space after chain nameArturo Borrero2015-04-081-1/+1
| | | | | | | | | | | | | | | | Due to change f3ff9e9 ("rule: delete extra space in rule indentation") in function rule_print(), a missing space happens in monitor. before this patch: % nft monitor add rule ip test-table test-chainip protocol tcp after this patch: % nft monitor add rule ip test-table test-chain ip protocol tcp Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: fix use after free in netlink_get_table()Patrick McHardy2015-03-251-4/+4
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* set_elem: convert flag value to inclusive-OR binops during delinearizePatrick McHardy2015-03-231-0/+4
| | | | | | | | | | | | | | When a set contains combined flag values, they are displayed as numeric value since they don't match any of the single flag values: tcp flags { 18, psh, syn} Convert to a series of inclusive-OR binops of the single flag values for improved readability: tcp flags { syn | ack, psh, syn} Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink: fix crash when adding new non-base chainPablo Neira Ayuso2015-03-181-20/+24
| | | | | | | Fix crash when adding a non-base chain introduced by acdfae9 ("src: allow to specify the default policy for base chains"). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow to specify the default policy for base chainsPablo Neira Ayuso2015-03-171-1/+12
| | | | | | | | | | | | | | | | | | The new syntax is: nft add chain filter input { hook input type filter priority 0\; policy accept\; } but the previous syntax is still allowed: nft add chain filter input { hook input type filter priority 0\; } this assumes default policy to accept. If the base chain already exists, you can update the policy via: nft add chain filter input { policy drop\; } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: expose table flagsPablo Neira Ayuso2015-03-171-4/+17
| | | | | | | | | | | | | | | | | | | The nf_tables kernel API provides a way to disable a table using the dormant flag. This patch adds the missing code to expose this feature through nft. Basically, if you want to disable a table and all its chains from seen any traffic, you have to type: nft add table filter { flags dormant\; } to re-enable the table, you have to: nft add table filter this clears the flags. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: readability fixesPatrick McHardy2015-01-111-56/+71
| | | | | | | | | Improve readability by using local variables for netlink attributes, ordering variables more logically, don't arbitrarily initialize some variables in the definition section and in the body and generally make similar functions look similar. Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink: style fixesPatrick McHardy2015-01-111-24/+15
| | | | | | | | | Remove style discrepancies between different netlink I/O functions: - we don't use brackets for single line statements - most functions don't have a newline between error reporting and exit Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink: style fixesPatrick McHardy2015-01-111-12/+18
| | | | | | We include an empty line between variable definitions and code. Signed-off-by: Patrick McHardy <kaber@trash.net>