| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
Improve error reporting by always using a location in netlink operations.
Signed-off-by: Patrick McHardy<kaber@trash.net>
|
| |
|
|
|
|
|
|
| |
You can now specify: nft list tables ip
to obtain the list of all existing tables.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
| |
"ip protocol tcp" will currently produce a syntax error since tcp is also a keyword
which is expected ot be followed by a tcp header field. Allow to use protocol names
that are also keywords and allocate a constant expression for them.
|
| |
|
|
|
|
|
|
| |
Base chains with both a hook number and priority of zero are created
as regular chains. Fix by adding a BASECHAIN flag indicating that the
chain should be created as a base chain.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
| |
Work around stange behaviour in bison >= 2.4 (see large comment in parser.y for
details) and remove the skeleton file since it does not work with 2.4 anymore.
Its only purpose was to increase the amount of possible tokens reported in error
messages anyways.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
# nft describe dccp type
payload expression, datatype dccp_pkttype (DCCP packet type) (basetype integer), 4 bits
pre-defined symbolic constants:
request 0x0
response 0x1
data 0x2
ack 0x3
dataack 0x4
closereq 0x5
close 0x6
reset 0x7
sync 0x8
syncack 0x9
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
| |
Free nested chain handles and command structures when done.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
User-defined constants can be used like this:
define allowed_hosts = { 192.168.0.0/24, 10.0.0.20-10.0.0.30 }
define udp_services = domain
define tcp_services = { ssh, domain }
ip saddr $allowed_hosts udp dport $udp_services counter accept
ip saddr $allowed_hosts tcp dport $tcp_services counter accept
Recursive definitions are possible, but currently not fully handled.
Anything requiring transformations (sets using ranges) can not be
used more than once currently since the expressions need to be COW'ed
previously.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
As a first step towards stand-alone sets, add support for scoping and
binding symbols. This will be used for user-defined constants, as well
as declarations of modifiable (stand-alone) sets once the kernel side
is ready.
Scopes are currently limited to three nesting levels: the global scope,
table block scopes and chain block scopes.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
| |
Replace use of specific location references for single-element rules.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
| |
The previous patch only handled sets and verdict maps.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
