| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a new expression type "set_elem_expr" that is used as container for
the key in order to attach different attributes, such as timeout values,
to the key.
The expression hierarchy is as follows:
Sets:
elem
|
key
Maps:
mapping
/ \
elem data
|
key
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
| |
Based on the existing netlink_open_error(), but indicate file and line
where the error happens. This will help us to diagnose what is going
wrong when users can back to us to report problems.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Due to change f3ff9e9 ("rule: delete extra space in rule indentation") in
function rule_print(), a missing space happens in monitor.
before this patch:
% nft monitor
add rule ip test-table test-chainip protocol tcp
after this patch:
% nft monitor
add rule ip test-table test-chain ip protocol tcp
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a set contains combined flag values, they are displayed as numeric
value since they don't match any of the single flag values:
tcp flags { 18, psh, syn}
Convert to a series of inclusive-OR binops of the single flag values
for improved readability:
tcp flags { syn | ack, psh, syn}
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
| |
Fix crash when adding a non-base chain introduced by acdfae9 ("src:
allow to specify the default policy for base chains").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new syntax is:
nft add chain filter input { hook input type filter priority 0\; policy accept\; }
but the previous syntax is still allowed:
nft add chain filter input { hook input type filter priority 0\; }
this assumes default policy to accept.
If the base chain already exists, you can update the policy via:
nft add chain filter input { policy drop\; }
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The nf_tables kernel API provides a way to disable a table using the
dormant flag. This patch adds the missing code to expose this feature
through nft.
Basically, if you want to disable a table and all its chains from seen
any traffic, you have to type:
nft add table filter { flags dormant\; }
to re-enable the table, you have to:
nft add table filter
this clears the flags.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Improve readability by using local variables for netlink attributes,
ordering variables more logically, don't arbitrarily initialize
some variables in the definition section and in the body and generally
make similar functions look similar.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
| |
Remove style discrepancies between different netlink I/O functions:
- we don't use brackets for single line statements
- most functions don't have a newline between error reporting and exit
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
| |
We include an empty line between variable definitions and code.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
| |
Waste less space and return the results of the batch/compat
functions directly.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
| |
Fix two memory leaks in netlink event monitor. Also fix a leak related
to all sets, the ->init expression is not freed.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Support specification of concat types in set declarations:
add set filter test {
type ipv4_addr . inet_service
}
Netlink delinearization is changed to reconstruct the type from the id.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
| |
We have to switch the byteorder of the element in
netlink_delinearize_setelem() for non-range values only.
This fixes the listing of:
nft add rule filter input ct mark { 0x10-0x20 } counter
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We will likely have new ones in the future, silently skip them. If the
user wants to see them, it just needs to upgrade.
This is currently causing us problems with kernels that deliver the
generation counter event.
term1# nft add table test
term2# nft monitor
nft: netlink.c:2063: netlink_events_cb: Assertion `0' failed.
Aborted
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
The 'struct mnl_socket *nf_sock' parameter is useless and perturbing.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This is more robust than the current 'else' fallback. If we run a
newer kernel with old nft binaries, unknown messages will be
misinterpreted as deletions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds options to choose set optimization mechanisms.
Two new statements are added to the set syntax, and they can be mixed:
nft add set filter set1 { type ipv4_addr ; size 1024 ; }
nft add set filter set1 { type ipv4_addr ; policy memory ; }
nft add set filter set1 { type ipv4_addr ; policy performance ; }
nft add set filter set1 { type ipv4_addr ; policy memory ; size 1024 ; }
nft add set filter set1 { type ipv4_addr ; size 1024 ; policy memory ; }
nft add set filter set1 { type ipv4_addr ; policy performance ; size 1024 ; }
nft add set filter set1 { type ipv4_addr ; size 1024 ; policy performance ; }
Also valid for maps:
nft add map filter map1 { type ipv4_addr : verdict ; policy performace ; }
[...]
This is the output format, which can be imported later with `nft -f':
table filter {
set set1 {
type ipv4_addr
policy memory
size 1024
}
}
In this approach the parser accepts default options such as 'performance',
given they are a valid configurations, but aren't sent to the kernel.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Obtain the generation ID before dumping the object lists. Then,
check for generation ID updates when dumping the several lists that
this needs. In case of interference, nft has to remove the stale
objects and retry from scratch.
This is complementary to the NLM_F_DUMP_INTR flag which is local
to one single netlink dump.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Let's give some more information when netlink ABI errors happens.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the `flush ruleset' operation to nft.
The syntax is:
% nft flush ruleset [family]
To flush all the ruleset (all families):
% nft flush ruleset
To flush the ruleset of a given family:
% nft flush ruleset ip
% nft flush ruleset inet
This flush is a shortcut operation which deletes all rules, sets, tables
and chains.
It's possible since the modifications in the kernel to the NFT_MSG_DELTABLE
API call.
Users can benefit of this operation when doing an atomic replacement of the
entire ruleset, loading a file like this:
=========
flush ruleset
table ip filter {
chain input {
counter accept
}
}
=========
Also, users who want to simply clean the ruleset for whatever reason can do it now
without having to iterate families/tables.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This function converts the rule from the list of statements to the
netlink message format. The only two possible errors that can make
this function to fail are memory exhaustion and malformed statements
which inmediately stop the execution of nft.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Some memories are forgotten to release on the error path in get operation.
Just release them. Also, in netlink_get_chain, it's better to return
immediately when a error is detected.
Signed-off-by: Yanchuan Nian <ycnian@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch reworks the batching logic in several aspects:
1) New batch pages are now always added into the batch page list in
first place. Then, in the send path, if the last batch page is
empty, it is removed from the batch list.
2) nft_batch_page_add() is only called if the current batch page is
full. Therefore, it is guaranteed to find a valid netlink message
in the batch page when moving the tail that didn't fit into a new
batch page.
3) The batch paging is initialized and released from the nft_netlink()
path.
4) No more global struct mnl_nlmsg_batch *batch that points to the
current batch page. Instead, it is retrieved from the tail of the
batch list, which indicates the current batch page.
This patch fixes a crash due to access of uninitialized memory area in
due to calling batch_page_add() with an empty batch in the send path,
and the memleak of the batch page contents. Reported in:
http://patchwork.ozlabs.org/patch/367085/
http://patchwork.ozlabs.org/patch/367774/
The patch is larger, but this saves the zeroing of the batch page area.
Reported-by: Yanchuan Nian <ycnian@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Previous to this patch, if we add a rule like this:
nft add rule filter test ip saddr { 1.1.1.1-2.2.2.2 }
The monitor operation output shows:
add rule ip filter test ip saddr { 0.0.0.0, 1.1.1.1, 2.2.2.3}
The fix suggested by Pablo is to call interval_map_decompose().
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This patch adds a helper function to handle lookup expressions with a callback,
so we can make an action for each set referenced by the rule.
Basically this is a refactorization, useful for follow-up patches.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
This flag allows to detect that an update has ocurred while dumping
any of the object lists. In case of interference, nft cancels the
netlink socket to skip processing the remaining stale entries and
it retries to obtain fresh list of objects.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Fix segfaults when delinearizing the set fails and abort on error when
listing sets.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
| |
This removes a bug that displays strange hook priorities
like "type route hook output priority 4294967146".
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When trying to close a descriptor which failed to be opened.
==6231== Process terminating with default action of signal 11 (SIGSEGV)
==6231== Access not within mapped region at address 0x0
==6231== at 0x5503E21: mnl_socket_close (socket.c:248)
==6231== by 0x40517F: netlink_close_sock (netlink.c:68)
==6231== by 0x400EFEE: _dl_fini (dl-fini.c:253)
==6231== by 0x5740AA0: __run_exit_handlers (exit.c:77)
==6231== by 0x5740B24: exit (exit.c:99)
==6231== by 0x40F16F: netlink_open_error (netlink.c:105)
==6231== by 0x405642: netlink_open_sock (netlink.c:54)
==6231== by 0x424E6C: __libc_csu_init (in /usr/sbin/nft)
==6231== by 0x5728924: (below main) (libc-start.c:219)
==6231== If you believe this happened as a result of a stack
==6231== overflow in your program's main thread (unlikely but
==6231== possible), you can try to increase the size of the
==6231== main thread stack using the --main-stacksize= flag.
==6231== The main thread stack size used in this run was 8388608.
Closes: http://bugzilla.netfilter.org/show_bug.cgi?id=881
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
The delinearize functions for tables, chains and sets add these objects
to the ctx->list. In the chain case, this is not required. Regarding
tables and sets, those are added to the cache.
This patch implicitly fixes an use chain object after free that result
in random crashes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch moves the table messages to the netlink batch that
is sent to kernel-space.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch moves the chain netlink messages to the big netlink
batch that is sent to kernel-space.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This patch moves the netlink set messages to the batch that contains
the rules. This helps to speed up rule-set restoration time by
changing the operational. To achieve this, an internal set ID which
is unique to the batch is allocated as suggested by Patrick.
To retain backward compatibility, nft initially guesses if the
kernel supports set in batches. Otherwise, it falls back to the
previous (slowier) operational.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This patch adds a basic events reporting option to nft.
The syntax is:
% nft monitor [new|destroy] [tables|chains|rules|sets|elements] [xml|json]
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a simple helper function to report errors while
opening the Netlink socket.
To help users to diagnose problems, a new NFT_EXIT_NONL exit code is included,
which is 3.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Lets refactorize set_elem handling.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This code is suitable to be reusable.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Let's make this code reusable.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Let's factorize this code, so it can be reused.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
The length is measured in bytes, not bits.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
| |
We currently crash when reporting a permission denied error for set additions.
This is due to using the wrong location, fix by passing in the set location.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support for human-readable comments:
nft add rule filter input accept comment \"accept all traffic\"
Note that comments *always* come at the end of the rule. This uses
the new data area that allows you to attach information to the rule
via netlink.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
The handle's table was being set to the chain name instead of the
chain table attribute.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
The table object that is allocated is unused.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The prefix expression handling is full of bugs:
- netlink_gen_data() is used to construct the prefix mask from the full
prefix expression. This is both conceptually wrong, the prefix expression
is *not* data, and buggy, it only assumes network masks and thus only
handles big endian types.
- Prefix expression reconstruction doesn't check whether the mask is a
valid prefix and reconstructs crap otherwise. It doesn't reconstruct
prefixes for anything but network addresses. On top of that its
needlessly complicated, using the mpz values directly its a simple
matter of finding the sequence of 1's that extend up to the full width.
- Unnecessary cloning of expressions where a simple refcount increase would
suffice.
Rewrite that code properly.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
| |
Add a netlink_location and use it for error messages instead of internal_location.
internal:0:0-0: Error: Could not add set: Operation not permitted
=>
netlink: Error: Could not add set: Operation not permitted
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the following operation:
:~# nft export <xml|json>
The XML/JSON output is provided raw by libnftnl, thus without format.
In case of XML, you can give format with the `xmllint' tool from libxml2-tools:
:~# nft list ruleset xml | xmllint --format -
In case of JSON, you can use `json_pp' from perl standar package:
:~# nft list ruleset json | json_pp
A format field is added in struct cmd, and it will be reused in the import
operation.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
| |
We currently always use NLM_F_EXCL for add, which makes adding existing
chains or tables fail. There's usually no reason why you would care about
this, so change "add" to not use NLM_F_EXCL and add a new "create" command
in case you do care.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
