path: root/src/netlink_linearize.c
Commit message | Author | Age | Files | Lines
* netlink_linearize: skip NFTNL_EXPR_DYNSET_TIMEOUT attribute if timeout is unset (Pablo Neira Ayuso, 2016-07-12, 1 file, -2/+3)
  Otherwise the kernel bails out with EINVAL in case the set has no timeout flag.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use new definitions from libnftnl (Pablo Neira Ayuso, 2016-06-15, 1 file, -7/+7)
  Use new definitions in libnftnl, so we can consider getting rid of them at some point.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_linearize: do not duplicate user data when linearizing user data (Carlos Falgueras García, 2016-05-25, 1 file, -8/+3)
  Otherwise, we memory leak this area since nftnl_rule_set_data() now makes a copy of the user data it receives. This is happening since libnftnl's ("rule: Fix segfault due to invalid free of rule user data"); it is not necessary to make a copy before calling it.

  Note: Carlos originally posted this patch under the name of ("nftables: Fix memory leak linearizing user data").

  Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add flow statement (Patrick McHardy, 2016-05-13, 1 file, -4/+36)
  The flow statement allows instantiating per flow statements for user defined flows. This can so far be used for per flow accounting or limiting, similar to what the iptables hashlimit provides. Flows can be aged using the timeout option.

  Examples:

  # nft filter input flow ip saddr . tcp dport limit rate 10/second
  # nft filter input flow table acct iif . ip saddr timeout 60s counter

  Signed-off-by: Patrick McHardy <kaber@trash.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* stmt: support generating stateful statements outside of rule context (Patrick McHardy, 2016-05-13, 1 file, -30/+50)
  The flow statement contains a stateful per flow statement, which is not directly part of the rule. Allow generating these statements without adding them to the rule and mark the supported statements using a new flag STMT_F_STATEFUL.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: move payload sub-byte matching to the evaluation step (Pablo Neira Ayuso, 2016-05-11, 1 file, -99/+0)
  Generating the bitwise logic to match sub-byte payload fields from the linearize step has several problems:

  1) When the bits are split between two bytes and the payload field is smaller than one byte, we need to extend the expression length on both sides (payload and constant) of the relational expression.

  2) Explicit bitmask operations on sub-byte payload fields need to be merged into the implicit bitmask operation, otherwise we generate two bitwise instructions. This is not resolved by this patch, but we should have a look at this at some point.

  With this approach, we can benefit from the binary operation transfer for shifts to provide a generic way to adjust the constant side of the expression.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: Use libnftnl user data TLV infrastructure (Carlos Falgueras García, 2016-04-14, 1 file, -3/+22)
  Now it is possible to store multiple variable length user data into a rule. Modify the parser in order to fill the nftnl_udata with the comment, and the print function to extract this comment and print it to the user.

  Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: shift constant for ranges too (Florian Westphal, 2016-03-10, 1 file, -0/+2)
  ... else a rule like 'vlan pcp 1-3' won't work and will be displayed as 0-0 (the reverse direction already works since a range is represented as two lte/gte compare expressions).

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: fix bogus offset with exthdr expressions (Florian Westphal, 2016-03-10, 1 file, -1/+6)
  Need to fetch the offset from the exthdr template.

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Add support for masquerade port selection (Shivani Bhardwaj, 2016-03-03, 1 file, -0/+24)
  Provide full support for masquerading by allowing port range selection, eg.

  # nft add rule nat postrouting ip protocol tcp masquerade to :1024-10024

  Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: add and use netlink_gen_exthdr_mask (Florian Westphal, 2016-03-02, 1 file, -3/+24)
  rule ip6 filter input frag frag-off 33

  before patch:
  [ exthdr load 1b @ 44 + 2 => reg 1 ]
  [ cmp eq reg 1 0x00002100 ]

  We truncated a 13bit field to 1 byte.

  after patch:
  [ exthdr load 2b @ 44 + 2 => reg 1 ]
  [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ]
  [ cmp eq reg 1 0x00000801 ]

  - ask for 2 bytes
  - mask out the 3 lower bits
  - shift the value by 3 so equality test will pass for 33

  This causes test failures, will be fixed up in a later patch (the test suite expects the old, broken input). It also misses the reverse translation to remove the binop, find the right template and undo the shift of the value.

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: split generic part of netlink_gen_payload_mask into helper (Florian Westphal, 2016-03-02, 1 file, -12/+23)
  netlink_gen_payload_mask assumes expr is a payload expression, but most of this function would work fine with exthdr too. So split the generic part into a helper; a followup patch will add netlink_gen_exthdr_mask.

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: netlink_linearize: Fix bug for redirect target (Shivani Bhardwaj, 2016-01-31, 1 file, -6/+9)
  Before this patch,

  $ sudo nft --debug=netlink add rule ip nat post ip protocol tcp redirect to 100-200
  ip nat post
    [ payload load 1b @ network header + 9 => reg 1 ]
    [ cmp eq reg 1 0x00000006 ]
    [ immediate reg 1 0x00006400 ]
    [ immediate reg 2 0x0000c800 ]
    [ redir proto_min reg 1 proto_max reg 5 ]

  <cmdline>:1:1-56: Error: Could not process rule: Invalid argument
  add rule ip nat post ip protocol tcp redirect to 100-200
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

  After this patch,

  $ sudo nft --debug=netlink add rule ip nat post ip protocol tcp redirect to 100-200
  ip nat post
    [ payload load 1b @ network header + 9 => reg 1 ]
    [ cmp eq reg 1 0x00000006 ]
    [ immediate reg 1 0x00006400 ]
    [ immediate reg 2 0x0000c800 ]
    [ redir proto_min reg 1 proto_max reg 2 ]

  Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add fwd statement for netdev (Pablo Neira Ayuso, 2016-01-31, 1 file, -0/+18)
  This patch adds support for the forward statement, only available in the netdev family.

  # nft add table netdev filter
  # nft add chain netdev filter ingress { type filter hook ingress device eth0 priority 0\; }
  # nft add rule netdev filter ingress fwd to dummy0

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support limit rate over value (Pablo Neira Ayuso, 2016-01-14, 1 file, -0/+1)
  So far it was only possible to match packets under a rate limit; this patch allows you to explicitly indicate if you want to match packets that go over or until the rate limit, eg.

  ... limit rate over 3/second counter log prefix "OVERLIMIT: " drop
  ... limit rate over 3 mbytes/second counter log prefix "OVERLIMIT: " drop
  ... ct state invalid limit rate until 1/second counter log prefix "INVALID: "

  When listing rate limit until, this shows:

  ... ct state invalid limit rate 1/second counter log prefix "INVALID: "

  thus, the existing syntax is still valid (i.e. default to rate limit until).

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_linearize: use u64 conversion for 64bit quantities (Florian Westphal, 2016-01-08, 1 file, -1/+9)
  nft generated two 4-byte swaps for conntrack byte/packet counters, which are 64bit host-endian values:

  byteorder reg 1 = hton(reg 1, 4, 8) ]

  This makes the kernel perform two htonl() calls, but we need a cpu_to_be64 conversion instead (reg 1, 8, 8).

  Without this a rule like 'ct original packets > 10' matched when the counter was between 1 and 10.

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: add support for directional keys (Florian Westphal, 2016-01-04, 1 file, -0/+4)
  A few keys in the ct expression are directional, i.e. we need to tell the kernel if it should fetch the REPLY or ORIGINAL direction.

  Split ct_keys into ct_keys & ct_keys_dir, the latter being those keys that the kernel rejects unless also given a direction.

  During postprocessing we also need to invoke ct_expr_update_type; the problem is that e.g. ct saddr can be any family (ip, ipv6) so we need to update the expected data type based on the network base.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* src: fix sub-byte protocol header definitions (Pablo Neira Ayuso, 2015-12-14, 1 file, -13/+22)
  Update bitfield definitions to match according to the way they are expressed in RFC and IEEE specifications. This required a bit of update for c3f0501 ("src: netlink_linearize: handle sub-byte lengths").

  From the linearize step, to calculate the shift based on the bitfield offset, we need to obtain the length of the word in bytes:

  len = round_up(expr->len, BITS_PER_BYTE);

  Then, we subtract the offset bits and the bitfield length.

  shift = len - (offset + expr->len);

  From the delinearize, payload_expr_trim() needs to obtain the real offset through:

  off = round_up(mask->len, BITS_PER_BYTE) - mask_len;

  For vlan id (offset 12), this gets the position of the last bit set in the mask (ie. 12), then we subtract the length we fetch in bytes (16), so we obtain the real bitfield offset (4). Then, we add that to the original payload offset that was expressed in bytes:

  payload_offset += off;

  Note that payload_expr_trim() now also adjusts the payload expression to its real length and offset so we don't need to propagate the mask expression.

  Reported-by: Patrick McHardy <kaber@trash.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: fix up indentation damage (Patrick McHardy, 2015-11-27, 1 file, -43/+38)
  The conversion to the new libnftnl API has left a lot of indentation damage in the netlink functions. Fix it up.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* payload: add payload statement (Patrick McHardy, 2015-11-25, 1 file, -0/+40)
  Add support for payload mangling using the payload statement. The syntax is similar to the other data changing statements:

  nft filter output tcp dport set 25

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* rule: move comment out of handle (Patrick McHardy, 2015-11-15, 1 file, -0/+4)
  The comment does not belong to the handle, it belongs to the rule.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: add interface wildcard matching (Pablo Neira Ayuso, 2015-11-02, 1 file, -3/+14)
  Contrary to iptables, we use the asterisk character '*' as wildcard.

  # nft --debug=netlink add rule test test iifname eth\*
  ip test test
    [ meta load iifname => reg 1 ]
    [ cmp eq reg 1 0x00687465 ]

  Note that this generates an optimized comparison without bitwise.

  In case you want to match a device that contains an asterisk, you have to escape the asterisk, ie.

  # nft add rule test test iifname eth\\*

  The wildcard string handling occurs from the evaluation step, where we convert from:

          relational
           /      \
          /        \
       meta       value
     oifname      eth*

  to:

          relational
           /      \
          /        \
       meta       prefix
     oifname

  As Patrick suggested, this is not actually a wildcard but a prefix since it only applies to the string when placed at the end.

  More comments:

  * This relaxes the left->size > right->size from netlink_parse_cmp() for strings since the optimization that this patch applies may now result in bogus errors.

  * This patch can be later on extended to apply a similar optimization to payload expressions when:

    expr->len % BITS_PER_BYTE == 0

    For meta and ct, the kernel checks for the exact length of the attributes (it expects integer 32 bits) so we can't do it unless we relax that.

  * Wildcard strings are not supported from sets and maps yet. Error reporting is not very good at this stage since expr_evaluate_prefix() doesn't have enough context (ctx->set is NULL, the set object is currently created later after evaluating the lhs and rhs of the relational). I'll be following up on this later.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_linearize: factor out prefix generation (Pablo Neira Ayuso, 2015-10-21, 1 file, -22/+31)
  Add a new netlink_gen_prefix() function that encapsulates the prefix generation.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add dup statement support (Pablo Neira Ayuso, 2015-09-30, 1 file, -0/+37)
  This allows you to clone packets to a destination address, eg.

  ... dup to 172.20.0.2
  ... dup to 172.20.0.2 device eth1
  ... dup to ip saddr map { 192.168.0.2 : 172.20.0.2, ... } device eth1

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add burst parameter to limit (Pablo Neira Ayuso, 2015-09-23, 1 file, -0/+4)
  ... limit rate 1024 mbytes/second burst 10240 bytes
  ... limit rate 1/second burst 3 packets

  This parameter is optional. You need a Linux kernel >= 4.3-rc1.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add per-bytes limit (Pablo Neira Ayuso, 2015-09-23, 1 file, -0/+1)
  This example shows how to accept packets below the ratelimit:

  ... limit rate 1024 mbytes/second counter accept

  You need a Linux kernel >= 4.3-rc1.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: cmp: shift rhs constant if lhs offset doesn't start on byte boundary (Florian Westphal, 2015-09-18, 1 file, -0/+10)
  If we have payload(someoffset) == 42, then shift 42 in case someoffset doesn't start on a byte boundary.

  We already insert a mask instruction to only load those bits into the register that we were interested in, but the cmp will fail without also adjusting rhs accordingly.

  Needs an additional patch in the reverse direction to undo the shift again when dumping the ruleset.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* src: netlink_linearize: handle sub-byte lengths (Florian Westphal, 2015-09-18, 1 file, -2/+44)
  Currently length is expr->len / BITS_PER_BYTE, i.e. expr->len has to be a multiple of 8. When core asks for e.g. '9 bits', we truncate this to 8.

  Round up to 16 and inject a 9-bit mask to zero out the parts we're not interested in.

  This will also need a change to the delinearization step to remove the extra op when dumping rules from the kernel.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* src: use new symbols in libnftnl (Pablo Neira Ayuso, 2015-09-16, 1 file, -152/+152)
  Adapt the nftables code to use the new symbols in libnftnl. This patch contains quite some renaming to reserve the nft_ prefix for our high level library.

  Explicitly request libnftnl 1.0.5 at configure stage.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_linearize: generate concat expressions (Patrick McHardy, 2015-06-02, 1 file, -3/+11)
  Use the real length for reserving/releasing registers when generating concat expressions.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink_linearize: use NFT_REG32 values internally (Patrick McHardy, 2015-06-02, 1 file, -4/+39)
  Prepare netlink_linearize for 32 bit register usage:

  Switch to use 16 data registers of 32 bit each. A helper function takes care of mapping the registers to the NFT_REG32 values and, if the register refers to the beginning of a 128 bit area, the old NFT_REG_1-4 values for compatibility.

  New register reservation and release helper functions take the size into account and reserve the required amount of registers.

  The reservation and release functions will so far still always allocate 128 bit. If no other expression in a rule uses a 32 bit register directly, these will be mapped to the old register values, meaning everything continues to work with old kernel versions.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink: pass expression to register allocation/release functions (Patrick McHardy, 2015-06-02, 1 file, -26/+28)
  Prepare for taking the expression size into account.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* Merge remote-tracking branch 'origin/master' into next-4.1 (Patrick McHardy, 2015-06-02, 1 file, -2/+3)
* netlink_linearize: fix range cmp instruction generation (Patrick McHardy, 2015-06-02, 1 file, -2/+3)
  The LHS expression is generated twice and the register not properly released. Fix by calling netlink_gen_range() before generating the LHS.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* nftables: add set statement (Patrick McHardy, 2015-04-12, 1 file, -0/+24)
  The set statement is used to dynamically add or update elements in a set.

  Syntax:

  # nft filter input set add tcp dport @myset
  # nft filter input set add ip saddr timeout 10s @myset
  # nft filter input set update ip saddr timeout 10s @myset

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* expr: add set_elem_expr as container for set element attributes (Patrick McHardy, 2015-04-12, 1 file, -0/+2)
  Add a new expression type "set_elem_expr" that is used as container for the key in order to attach different attributes, such as timeout values, to the key. The expression hierarchy is as follows:

  Sets:

      elem
       |
      key

  Maps:

      mapping
       /    \
     elem   data
      |
     key

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink_linearize: add register dumping helper function (Patrick McHardy, 2015-01-11, 1 file, -34/+40)
  Add a helper function to dump netlink register numbers in preparation of concat support.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: add redirect support (Arturo Borrero, 2014-11-04, 1 file, -0/+49)
  This patch adds redirect support for nft.

  The syntax is:

  % nft add rule nat prerouting redirect [port] [nat_flags]

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add masquerade support (Arturo Borrero, 2014-10-09, 1 file, -0/+15)
  This patch adds masquerade support for nft.

  The syntax is:

  % nft add rule nat postrouting masquerade [flags]

  Currently, flags are: random, random-fully, persistent

  Example:

  % nft add rule nat postrouting masquerade random,persistent

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add nat persistent and random options (Arturo Borrero, 2014-10-09, 1 file, -0/+3)
  This patch adds more configuration options to the nat expression.

  The syntax is as follows:

  % nft add rule nat postrouting <snat|dnat> <nat_arguments> [flags]

  Flags are: random, persistent, random-fully.

  Example:

  % nft add rule nat postrouting dnat 1.1.1.1 random,persistent

  A requirement is to cache some [recent] copies of kernel headers.

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: complete reject support (Alvaro Neira, 2014-10-09, 1 file, -1/+4)
  This patch allows using the reject action in rules. For example:

  nft add rule filter input udp dport 22 reject

  In this rule, we assume that the reason is network unreachable. Also we can specify the reason with the option "with" and the reason. For example:

  nft add rule filter input tcp dport 22 reject with icmp type host-unreachable

  In the bridge tables and inet tables, we can use this action too. For example:

  nft add rule inet filter input reject with icmp type host-unreachable

  In the rule above, this generates a meta nfproto dependency to match ipv4 traffic because we use an icmpv4 reason to reject. If the reason is not specified, we infer it from the context.

  Moreover, we have the new icmpx datatype. You can use this datatype for the bridge and the inet tables to simplify your ruleset. For example:

  nft add rule inet filter input reject with icmpx type host-unreachable

  We have four icmpx reasons and the mapping is:

  ICMPX reason     | ICMPv6           | ICMPv4
  -----------------|------------------|-----------------
  admin-prohibited | admin-prohibited | admin-prohibited
  port-unreachable | port-unreachable | port-unreachable
  no-route         | no-route         | net-unreachable
  host-unreachable | addr-unreachable | host-unreachable

  Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* queue: clean up queue statement (Patrick McHardy, 2014-09-24, 1 file, -8/+14)
  - Rename keyword tokens to their actual keyword
  - Change the grammar to follow the standard schema for statements and arguments
  - Use actual expression for the queue numbers to support using normal range expressions, symbolic expression and so on.
  - restore comma separation of flag keywords

  The result is that it's possible to use standard ranges, prefix expressions, symbolic expressions etc for the queue number. We get checks for overflow, negative ranges and so on automatically.

  The comma separation of flags is more similar to what we have for other flag values. It is still possible to use spaces, however this could be removed since we never had a release supporting that.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* log: netlink_linearize: don't set level if user didn't specify (Pablo Neira Ayuso, 2014-09-12, 1 file, -1/+4)
  The kernel will default on LOG_WARNING, to mimic iptables behaviour.

  Reported-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: don't return error in netlink_linearize_rule() (Pablo Neira Ayuso, 2014-08-19, 1 file, -3/+2)
  This function converts the rule from the list of statements to the netlink message format. The only two possible errors that can make this function fail are memory exhaustion and malformed statements, which immediately stop the execution of nft.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* linearize: generate unary expression with the appropriate operation (Alvaro Neira, 2014-08-19, 1 file, -1/+1)
  If we add a unary expression whose operation is ntoh, we use hton. This looks like a typo.

  Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add level option to the log statement (Pablo Neira Ayuso, 2014-07-25, 1 file, -9/+9)
  This patch is required if you use upcoming Linux kernels >= 3.17 which come with complete logging support for nf_tables.

  If you use 'log' without options, the kernel logging buffer is used:

  nft> add rule filter input log

  You can also specify the logging prefix string:

  nft> add rule filter input log prefix "input: "

  You may want to specify the log level:

  nft> add rule filter input log prefix "input: " level notice

  By default, if not specified, the default level is 'warn' (just like in iptables).

  If you specify the group, then nft uses the nfnetlink_log instead:

  nft> add rule filter input log prefix "input: " group 10

  You can also specify the snaplen and qthreshold for the nfnetlink_log. But you cannot mix level and group at the same time, they are mutually exclusive.

  Default values for both snaplen and qthreshold are 0 (just like in iptables).

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: Correct initial value of bytes counter in nftables rule (Yanchuan Nian, 2014-06-25, 1 file, -1/+1)
  Packets can be accounted by nftables through such a command.

  % nft add rule filter output ip daddr 8.8.8.8 counter

  You can also give the initial values of packets and bytes.

  % nft add rule filter output ip daddr 8.8.8.8 counter packets 10 bytes 20

  But packets and bytes are both initialized to 10 in the above command, because there is a mistake in the program.

  Signed-off-by: Yanchuan Nian <ycnian@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: revert broken reject icmp code support (Pablo Neira Ayuso, 2014-06-20, 1 file, -1/+1)
  This patch reverts Alvaro's 34040b1 ("reject: add ICMP code parameter for indicating the type of error") and 11b2bb2 ("reject: Use protocol context for indicating the reject type").

  These patches are flawed by two things:

  1) IPv6 support is broken, only ICMP codes are considered.

  2) If you don't specify any transport context, the utility exits without adding the rule, eg. nft add rule ip filter input reject.

  The kernel is also flawed when it comes to the inet table.

  Let's revert this until we can provide decent reject reason support.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* reject: add ICMP code parameter for indicating the type of error (Álvaro Neira Ayuso, 2014-06-16, 1 file, -1/+1)
  This patch allows indicating the ICMP code field in case that we use to reject. Before, we have always sent network unreachable error as ICMP code; now we can explicitly indicate the ICMP code that we want to use.

  Examples:

  nft add rule filter input tcp dport 22 reject with host-unreach
  nft add rule filter input udp dport 22 reject with host-unreach

  In this case, it will use the host unreachable code to reject traffic.

  The default code field is still network unreachable and we can also use the rules without the "with" like that:

  nft add rule filter input udp dport 22 reject

  Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* queue: More compact syntax (Álvaro Neira Ayuso, 2014-06-11, 1 file, -5/+7)
  This patch allows using a new, more compact syntax and breaks the current syntax. This new syntax is more similar to the nftables syntax that we use usually. We can use ranges like we have used in other cases in nftables. Here, we have some examples:

  Before, if we wanted to declare a queue, we used a syntax like this:

  nft add rule test input queue num 1 total 3 options bypass,fanout

  If we want to use the queue number 1 and the two next (total 3), we use a range in the new syntax, for example:

  nft add rule test input queue num 1-3 bypass fanout

  Also if we want to use only one queue, the new rules are like:

  nft add rule test input queue num 1 # queue 1

  or

  nft add rule test input queue # queue 0

  And if we want to add specific flags we only need to put what flags we want to use:

  nft add rule test input queue bypass

  we don't need to use options and the comma for indicating the flags.

  Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>