| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Otherwise parsing with basetypes doesn't work. Now nft displays
an error when the symbolic constant is not correct:
<cmdline>:1:29-31: Error: Could not parse conntrack state
add rule test test ct state xxx accept
^^^
Use .sym_tbl instead and default on the symbol_constant_parse()
function from the ethertype and pkttype, this simplifies the code and
(more importantly) it avoids a breakage after the change in
integer_type_parse().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we try to add a rule like:
nft add rule filter input udp length {55-9999}
nftable shows:
BUG: invalid byte order conversion 0 => 2
nft: src/evaluate.c:153: byteorder_conversion_op: Assertion `0' failed.
Some of the existing payload fields rely on BYTEORDER_INVALID. Therefore, if we
try to convert it in evaluation step, we hit this bug.
This patch allows to add a specific byteorder to the struct proto_hdr_template. If
we create a expression with a invalid byteorder, we will use the byteorder
added to the proto_hdr_template structure.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
| |
The ethernet header type is in big endian byte order, the ETH_P_* values
are in host byte order however. Fix this using __constant_htons().
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
| |
Otherwise, you may crash in:
nft add rule bridge filter input ether type ip
Reported-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Add some more consistency by using _addr for all address types, _proto
for all protocol types and iface_ for all interface types.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There is a bug with rreply symbol. The rreply and reply symbol were the same.
There is a reproduction of this bug here:
$ sudo nft add rule arp art-t filter arp operation reply
$ sudo nft list table arp art-t
table arp art-t {
chain filter {
type filter hook input priority 0;
arp operation 512
}
}
$ sudo nft add rule arp art-t filter arp operation rreply
$ sudo nft list table arp art-t
table arp art-t {
chain filter {
type filter hook input priority 0;
arp operation 512 <=====
arp operation 512 <=====
}
}
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
Conflicts:
src/payload.c
|
| |
|
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
Conflicts:
src/payload.c
|
| |
|
|
|
|
|
|
|
| |
Add support for the meta l4proto type. This is used in the inet table to
match on the transport layer protocol without requiring the network layer
protocol to be known, allowing to use transport header matches that apply
to both IPv4 and IPv6.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
| |
Add support for the meta nfproto type, which refers to the AF from the
netfilter hook ops. This is needed to get the actual family of a packet
in the dummy NFPROTO_INET family.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a new debugging level to debug updates to the protocol context.
Sample output:
<cmdline>:1:15-23: Evaluate
filter output tcp dport ssh
^^^^^^^^^
tcp
update transport layer protocol context:
link layer : none
network layer : ip
transport layer : tcp <-
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
| |
Add a helper function which is to be used to update the protocol update.
Signed-off-by: Patrick McHardy <ksber@trash.net<
|
|
|
Currently the context of higher layer protocols is specific to payload
expressions with some special cases for meta IIFTYPE expressions. This
approach has a few shortcomings, concretely there are more expression
types which define upper layer protocols like the ct expression and two
upcoming new types for the meta expression.
Replace the payload context by a generic protocol context to deal with
this. This patch just splits off the requires parts from the payload
expression without any functional changes, the following patches will
add further functionality for other expressions.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
