| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
After discussions with Karel here:
https://bugzilla.netfilter.org/show_bug.cgi?id=1184
And later on with Phil Sutter, we decided to disable the automatic merge
feature in sets with intervals. This feature is problematic because it
introduces an inconsistency between what we add and what we later on
get. This is going to get worse with the upcoming timeout support for
intervals. Therefore, we turned off this by default.
However, Jeff Kletsky and folks like this feature, so let's restore this
behaviour on demand with this new 'auto-merge' statement, that you can
place on the set definition, eg.
# nft list ruleset
table ip x {
...
set y {
type ipv4_addr
flags interval
auto-merge
}
}
# nft add element x z { 1.1.1.1-2.2.2.2, 1.1.1.2 }
Regarding implementation details: Given this feature only makes sense
from userspace, let's store this in the set user data area, so nft knows
it has to do automatic merge of adjacent/overlapping elements as per
user request.
# nft add set x z { type ipv4_addr\; auto-merge\; }
Error: auto-merge only works with interval sets
add set x z { type ipv4_addr; auto-merge; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1216
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This new operation allows to import low level virtual machine ruleset in
json to make incremental changes using the parse functions of libnftnl.
A basic way to test this new functionality is:
$ cat file.json | nft import vm json
where the file.json is a ruleset exported in low level json format.
To export json rules in low level virtual machine format
we need to specify "vm" token before json. See below
$ nft export vm json
and
$ nft export/import json
will do no operations.
Same goes with "$nft monitor"
Highly based on work from Alvaro Neira <alvaroneay@gmail.com>
and Arturo Borrero <arturo@netfilter.org>
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Shyam Saini <mayhs11saini@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Rework grammar to skip the 'name' token after 'meter' for named meters.
For consistency with sets and maps in terms of syntax.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The former 'flow table' syntax allows flow tables with no name:
# nft add rule x y flow { ip saddr counter }
However, when listing, it leaks the name that it is autoallocating.
# nft list ruleset
table ip x {
chain y {
flow table __mt0 { ip saddr counter}
}
}
Which is odd since then restoring will use such a name.
Remove anonymous flow table/meters, so everyone needs to specify a name.
There is no way to fix this, given anonymous flag tells us that the set
behind this meter is bound to a rule, hence, released once the rule is
going - the term "anonymous" was not good choice as a flag in first
place. Only possibility is to strcmp for __ft to identify this is a
nameless meter, which is a hack.
Moreover, having no name means you cannot flush the set behind this
meter, which criples this feature for no reason.
On top of it, the wiki only documents named meters, and we have a record
of users complaining on this behaviour.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
According to bugzilla 1137: "flow tables" should not be syntactically
unique.
"Flow tables are always named, but they don't conform to the way sets,
maps, and dictionaries work in terms of "add" and "delete" and all that.
They are also "flow tables" instead of one word like "flows" or
"throttle" or something.
It seems weird to just have these break the syntactic expectations."
Personally, I never liked the reference to "table" since we have very
specific semantics in terms of what a "table" is netfilter for long
time.
This patch promotes "meter" as the new keyword. The former syntax is
still accepted for a while, just to reduce chances of breaking things.
At some point the former syntax will just be removed.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1137
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This finally creates the libnftables shared object.
For some reason, this causes two compiler warnings to appear:
| parser_bison.y: In function 'nft_parse':
| parser_bison.y:131:3: warning: implicit declaration of function 'nft_set_debug' [-Wimplicit-function-declaration]
| nft_set_debug(1, scanner);
| ^~~~~~~~~~~~~
| parser_bison.c:64:25: warning: implicit declaration of function 'nft_lex' [-Wimplicit-function-declaration]
| #define yylex nft_lex
| ^
| parser_bison.c:4745:16: note: in expansion of macro 'yylex'
| yychar = yylex (&yylval, &yylloc, scanner);
So this patch contains a workaround, namely declaring both functions
in src/parser_bison.y. During linking the objects are found, so this is
rather a matter of cosmetics.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Allow TC classid as set key.
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Reported-by: Tomas Mudrunka <mudrunka@spoje.net>
Tested-by: Tomas Mudrunka <mudrunka@spoje.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Prepend nft_ prefix before these are exposed, reduce chances we hit
symbol namespace pollution problems when mixing libnftables with other
existing libraries.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Allow to use limit objects from dictionaries.
Fixes: c0697eabe832 ("src: add stateful object support for limit")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
the rt expression currently always sets NFT_RT_NEXTHOP4 and then
uses the network base to determine if its really supposed to be
NEXTHOP6.
For inet, this will fail because the network base is not known,
so this currently enforces need for "meta nfproto" to dermine the
type.
Allow following syntax instead:
rt ip nexthop
rt ip6 nexthop
There is no need for a dependency anymore, as rt expression
checks the hook protocol, ie. NEXTHOP4 will break if the hook pf
is not NFPROTO_IPV4.
Cc: Anders K. Pedersen <akp@cohaesio.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
current syntax is:
ct original saddr $address
problem is that in inet, bridge etc. we lack context to
figure out if this should fetch ipv6 or ipv4 from the conntrack
structure.
$address might not exist, rhs could e.g. be a set reference.
One way to do this is to have users manually specifiy the dependeny:
ct l3proto ipv4 ct original saddr $address
Thats ugly, and, moreover, only needed for table families
other than ip or ipv6.
Pablo suggested to instead specify ip saddr, ip6 saddr:
ct original ip saddr $address
and let nft handle the dependency injection.
This adds the required parts to the scanner and the grammar, next
commit adds code to eval step to make use of this.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch introduces nft_print()/nft_gmp_print() functions which have
to be used instead of printf to output information that were previously
send to stdout. These functions print to a FILE pointer defined in
struct output_ctx. It is set by calling:
| old_fp = nft_ctx_set_output(ctx, new_fp);
Having an application-defined FILE pointer is actually quite flexible:
Using fmemopen() or even fopencookie(), an application gains full
control over what is printed and where it should go to.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
'ct event set label' and 'ct event set new or label' work, but
'ct event set new, label' did not:
nft add rule filter input ct event set new,label
Error: syntax error, unexpected label
This changes the definition to also contain keyword symbol expressions.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change all places that expect ct helper tokens (ct helper configuration)
to CT HELPER. ct_obj_kind is removed.
When we add ct timeout support, we will add a new ct_timeout_block,
plus extra rules. We won't extend ct_block, it prevents the parser
from detecting bogus syntax that only makes sense for ct helper but
not for something else for instance.
ct_block should be renamed to ct_helper_block, will be done in
followup patch.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Doing so retains legth information in case of unqualified data types,
e.g. we now have 'meta iifname' expression instead of an (unqualified)
string type.
This allows to eventually use iifnames as set keys without adding yet
another special data type for them.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
The helper keyword clashes with the string rule, make sure we still
accept ct helper object types from the parser.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Using string give us more chances to hit shift/reduce conflicts when
extending this grammar, more specifically, from the stmt_expr rule, so
add keywords for this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Extend stmt_expr and use it from all of our statement rules. Add more
rules to describe what we take from statement expressions, instead of
reusing rhs_expr which is allowing way more things that we actually need
here. This is causing us problems when extending the grammar.
After this patch, you will hit this:
parser_bison.y: warning: 2 shift/reduce conflicts [-Wconflicts-sr]
However, this is fixed by the follow up patches:
parser_bison: allow helper keyword in ct object kind
parser_bison: use keywords in ct expression
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch adds support for a new type of stateful object: limit.
Creation, deletion and listing operations are supported.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The common paradigm here is that all parser rules converting string
tokens into symbols must free the string token if it's not used anymore.
This is unrelated to the %destructor directive, since that will apply
only if the parser discards the token, which is not the case then.
While being at it, simplify error handling in parser rule for listing
conntrack helpers (error() won't return NULL) and drop the unused extra
parameter passed to error() in level_type rule.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
In case of failing command evaluation, commands need to be freed as
their memory becomes orphaned afterwards.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Separator was misspelled as "seperator" in a symbol name.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
So this toggle is not global anymore. Update name that fits better with
the semantics of this variable.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Get rid of lots of ifdef DEBUG pollution in the code.
The --debug= option is useful to get feedback from users, so it should
be always there. And we really save nothing from keeping this code away
from the control plane with a compile time option. Just running
tests/shell/ before and after this patch, time shows almost no
difference.
So this patch leaves --enable-debug around to add debugging symbols in
your builds, this is left set on by default.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Not a global variable anymore.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Not convenient to keep this as static for the upcoming library, so let's
move it where it belongs.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Only use case is to allow similar behaviour to iptables
TCPMSS --clamp-mss-to-pmtu, by combining this with exthdr statement:
tcp option maxseg size set rt mtu
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This adds support for tcp mss mangling:
nft add rule filter input tcp option maxseg size 1200
Its also possible to change other tcp option fields, but
maxseg is one of the more useful ones to change.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Pass variable cache_initialized and structure list_head as members of
structure nft_cache.
Joint work with Pablo Neira.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Traces are not an event type, they should be handled as an object.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This patch adds event reporting for ruleset, which prints only ruleset
events.
Syntax : nft monitor ruleset
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Usually one wants to at least initialize set_flags from the parent, so
make allocation of a set's set expression more convenient.
The idea to do this came when fixing an issue with output formatting of
larger anonymous sets in nft monitor: Since
netlink_events_cache_addset() didn't initialize set_flags,
calculate_delim() didn't detect it's an anonymous set and therefore
added newlines to the output.
Reported-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Fixes: a9dc3ceabc10f ("expression: print sets and maps in pretty format")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We had the following warnings
parser_bison.y:1089:10: warning: variable 'cmd' is used uninitialized whenever 'if' condition is false [-Wsometimes-uninitialized]
if (erec != NULL) {
^~~~~~~~~~~~
parser_bison.y:1095:39: note: uninitialized use occurs here
(yyval.cmd) = cmd_alloc(CMD_LIST, cmd, &(yyvsp[0].handle), &(yyloc), NULL);
^~~
parser_bison.y:1089:6: note: remove the 'if' if its condition is always true
if (erec != NULL) {
^~~~~~~~~~~~~~~~~~
parser_bison.y:1080:12: note: initialize the variable 'cmd' to silence this warning
int cmd;
^
= 0
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
sudo ASAN_SYMBOLIZER_PATH=/usr/lib/llvm-3.9/bin/llvm-symbolizer nft add set inet filter blacklisddddddddddddddddddddt {type inet_service \;}
=================================================================
==25152==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 13 byte(s) in 1 object(s) allocated from:
#0 0x45cca0 in __interceptor_strdup (/usr/local/sbin/nft+0x45cca0)
#1 0x593cb1 in xstrdup /home/eric/git/netfilter/nftables/src/utils.c:75:8
#2 0x5bccb2 in nft_lex /home/eric/git/netfilter/nftables/src/scanner.l:566:22
#3 0x5cb363 in nft_parse /home/eric/git/netfilter/nftables/src/parser_bison.c:4366:16
#4 0x505a37 in nft_run /home/eric/git/netfilter/nftables/src/main.c:246:8
#5 0x50771f in main /home/eric/git/netfilter/nftables/src/main.c:392:6
#6 0x7ff7befdb2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: 13 byte(s) leaked in 1 allocation(s).
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This socket should not be global, it is also hidden in many layers of
code. Expose it as function parameters to decouple the netlink socket
handling logic from the command parsing, evaluation and bytecode
generation.
Joint work with Varsha Rao.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Its misleading, this structure holds members for ct_helper object
infrastructure, rename it.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
Condenses the copy/pastry via a define to avoid repeating this
when the list gets extended.
Based on earlier patch from Pablo.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In case of bitmask types (tcp flags, ct eventmask) nft
allows to use comma operator to test multiple values, i.e.
tcp flags syn,ack ct event new,destroy etc.
But currently nft fails to use this when used in a statement, i.e.
... ct eventmask set new,destroy
gives:
syntax error, unexpected comma
This allows makes this work, it is the same as
ct eventmask set new|destroy
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
currently nft can lists sets:
nft list sets
but unlike e.g. 'quotas' or 'counters' we didn't support restricting it to
a table. Now its possible to restrict set definition listing to one table:
nft list sets table inet filter
Reported-by: Thomas Woerner <twoerner@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Typing the "nft add rule x y ct mark set jhash ip saddr mod 2" will
not generate a random seed, instead, the seed will always be zero.
So if seed option is empty, we shoulde not set the NFTA_HASH_SEED
attribute, then a random seed will be generated in the kernel.
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The internal set infrastructure is used for sets, maps and flow tables.
The flush command requires the set type but currently it works for all
of them. E.g. if there is a set named 's' in a table 't' the following
command shouldn't be valid but still executes:
$ nft flush flow table t s
This patch makes the flush command selective so 'flush flow table' only
works in flow tables and so on.
Fixes: 6d37dae ("parser_bison: Allow flushing maps")
Fixes: 2daa0ee ("parser_bison: Allow flushing flow tables")
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch enables the command flush on maps, which removes all
entries in it:
$ nft flush map filter map1
Command above flushes map 'map1' in table 'filter'.
The documentation was updated accordingly.
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch enables the command flush on flow tables, which removes all
entries in it:
$ nft flush flow table filter ft-https
Command above flushes flow table 'ft-https' in table 'filter'.
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
this implements
nft list ct helpers table filter
table ip filter {
ct helper ftp-standard {
..
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds initial support for defining conntrack helper objects
which can then be assigned to connections using the objref infrastructure:
table ip filter {
ct helper ftp-standard {
type "ftp" protocol tcp
}
chain y {
tcp dport 21 ct helper set "ftp-standard"
}
}
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This allows to check for existence of an IPv6 extension or TCP
option header by using the following syntax:
| exthdr frag exists
| tcpopt window exists
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
