summaryrefslogtreecommitdiffstats
path: root/src/scanner.l
Commit message (Collapse)AuthorAgeFilesLines
* src: add flow statementPatrick McHardy2016-05-131-0/+2
| | | | | | | | | | | | | | | The flow statement allows to instantiate per flow statements for user defined flows. This can so far be used for per flow accounting or limiting, similar to what the iptables hashlimit provides. Flows can be aged using the timeout option. Examples: # nft filter input flow ip saddr . tcp dport limit rate 10/second # nft filter input flow table acct iif . ip saddr timeout 60s counter Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add ecn supportPablo Neira Ayuso2016-05-111-0/+1
| | | | | | | | | | | | | | | | | | | | | | This supports both IPv4: # nft --debug=netlink add rule ip filter forward ip ecn ce counter ip filter forward [ payload load 1b @ network header + 1 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x00000003 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000003 ] [ counter pkts 0 bytes 0 ] For IPv6: # nft --debug=netlink add rule ip6 filter forward ip6 ecn ce counter ip6 filter forward [ payload load 1b @ network header + 1 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x00000030 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000030 ] [ counter pkts 0 bytes 0 ] Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add dscp supportPablo Neira Ayuso2016-05-111-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This supports both IPv4: # nft --debug=netlink add rule filter forward ip dscp cs1 counter ip filter forward [ payload load 1b @ network header + 1 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000080 ] [ counter pkts 0 bytes 0 ] And also IPv6, note that in this case we take two bytes from the payload: # nft --debug=netlink add rule ip6 filter input ip6 dscp cs4 counter ip6 filter input [ payload load 2b @ network header + 0 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x0000c00f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000008 ] [ counter pkts 0 bytes 0 ] Given the DSCP is split in two bytes, the less significant nibble of the first byte and the two most significant 2 bits of the second byte. The 8 bit traffic class in RFC2460 after the version field are used for DSCP (6 bit) and ECN (2 bit). Support for ECN comes in a follow up patch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: remove 'reset' as reserve keywordPablo Neira Ayuso2016-03-071-1/+0
| | | | | | | | | The 'reset' keyword can be used as dccp type, so don't qualify it as reserve keyword to avoid a conflict with this. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1055 Reported-by: Shivani Bhardwaj <shivanib134@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add fwd statement for netdevPablo Neira Ayuso2016-01-311-0/+1
| | | | | | | | | | | This patch add support for the forward statement, only available at the netdev family. # nft add table netdev filter # nft add chain netdev filter ingress { type filter hook ingress device eth0 priority 0\; } # nft add rule netdev filter ingress fwd to dummy0 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support limit rate over valuePablo Neira Ayuso2016-01-141-0/+2
| | | | | | | | | | | | | | | | | | So far it was only possible to match packet under a rate limit, this patch allows you to explicitly indicate if you want to match packets that goes over or until the rate limit, eg. ... limit rate over 3/second counter log prefix "OVERLIMIT: " drop ... limit rate over 3 mbytes/second counter log prefix "OVERLIMIT: " drop ... ct state invalid limit rate until 1/second counter log prefix "INVALID: " When listing rate limit until, this shows: ... ct state invalid limit rate 1/second counter log prefix "INVALID: " thus, the existing syntax is still valid (i.e. default to rate limit until). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add interface wildcard matchingPablo Neira Ayuso2015-11-021-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Contrary to iptables, we use the asterisk character '*' as wildcard. # nft --debug=netlink add rule test test iifname eth\* ip test test [ meta load iifname => reg 1 ] [ cmp eq reg 1 0x00687465 ] Note that this generates an optimized comparison without bitwise. In case you want to match a device that contains an asterisk, you have to escape the asterisk, ie. # nft add rule test test iifname eth\\* The wildcard string handling occurs from the evaluation step, where we convert from: relational / \ / \ meta value oifname eth* to: relational / \ / \ meta prefix ofiname As Patrick suggested, this not actually a wildcard but a prefix since it only applies to the string when placed at the end. More comments: * This relaxes the left->size > right->size from netlink_parse_cmp() for strings since the optimization that this patch applies may now result in bogus errors. * This patch can be later on extended to apply a similar optimization to payload expressions when: expr->len % BITS_PER_BYTE == 0 For meta and ct, the kernel checks for the exact length of the attributes (it expects integer 32 bits) so we can't do it unless we relax that. * Wildcard strings are not supported from sets and maps yet. Error reporting is not very good at this stage since expr_evaluate_prefix() doesn't have enough context (ctx->set is NULL, the set object is currently created later after evaluating the lhs and rhs of the relational). I'll be following up on this later. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Add command "replace" for rulesCarlos Falgueras García2015-11-021-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | Modify the parser and add necessary functions to provide the command "nft replace rule <ruleid_spec> <new_rule>" Example of use: # nft list ruleset -a table ip filter { chain output { ip daddr 8.8.8.7 counter packets 0 bytes 0 # handle 3 } } # nft replace rule filter output handle 3 ip daddr 8.8.8.8 counter # nft list ruleset -a table ip filter { chain output { ip daddr 8.8.8.8 counter packets 0 bytes 0 # handle 3 } } Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add dup statement supportPablo Neira Ayuso2015-09-301-0/+2
| | | | | | | | | | This allows you to clone packets to destination address, eg. ... dup to 172.20.0.2 ... dup to 172.20.0.2 device eth1 ... dup to ip saddr map { 192.168.0.2 : 172.20.0.2, ... } device eth1 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add burst parameter to limitPablo Neira Ayuso2015-09-231-0/+1
| | | | | | | | | | | ... limit rate 1024 mbytes/second burst 10240 bytes ... limit rate 1/second burst 3 packets This parameter is optional. You need a Linux kernel >= 4.3-rc1. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add netdev family supportPablo Neira Ayuso2015-06-161-0/+2
| | | | | | | | | | | | | | | | | | | | | This patch adds support for the new 'netdev' table. So far, this table allows you to create filter chains from ingress. The following example shows a very simple base configuration with one table that contains a basechain that is attached to the 'eth0': # nft list table netdev filter table netdev filter { chain eth0-ingress { type filter hook ingress device eth0 priority 0; policy accept; } } You can test that this works by adding a simple rule with counters: # nft add rule netdev filter eth0-ingress counter Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nftables: add set statemetPatrick McHardy2015-04-121-0/+1
| | | | | | | | | | | | The set statement is used to dynamically add or update elements in a set. Syntax: # nft filter input set add tcp dport @myset # nft filter input set add ip saddr timeout 10s @myset # nft filter input set update ip saddr timeout 10s @myset Signed-off-by: Patrick McHardy <kaber@trash.net>
* set: add timeout support for setsPatrick McHardy2015-04-121-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | Timeout support can be enabled in one of two ways: 1. Using a default timeout value: set test { type ipv4_addr; timeout 1h; } 2. Using the timeout flag without a default: set test { type ipv4_addr; flags timeout; } Optionally a garbage collection interval can be specified using gc-interval <interval>; Signed-off-by: Patrick McHardy <kaber@trash.net>
* datatype: fix parsing of time typePatrick McHardy2015-04-121-0/+7
| | | | | | Properly detect time strings in the lexer without quotation marks. Signed-off-by: Patrick McHardy <kaber@trash.net>
* parser: properly fix handling of large integer valuesPatrick McHardy2015-01-111-2/+2
| | | | | | | | | | | | | | | Introduction of the ERROR symbol is an ugly hack. There's no reason to special case large integer values, the NUM token only exists for small values that are needed immediately, everything else is passed as EXPR_SYMBOL to evaluation anyways. Additionally the error reporting is different from what we'd usually report, the token is easy to confuse with the bison internal error token and it even has a name, messing up bison internal diagnostics. Simply return values to large to be handled by strtoull as STRING. Signed-off-by: Patrick McHardy <kaber@trash.net>
* parser: rename VERSION token to HDRVERSIONSteven Barth2015-01-071-1/+1
| | | | | | | | | A token name of VERSION results in a macro being defined with the same name. This prevents inclusion of config.h in commonly used headers. Signed-off-by: Steven Barth <cyrus@openwrt.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: use 'redirect to PORT' instead of 'redirect :PORT'Pablo Neira Ayuso2014-12-121-0/+1
| | | | | | Small syntax update suggested by Patrick. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* stmt: rename nat "random-fully" option to "fully-random"Patrick McHardy2014-12-111-1/+1
| | | | | | Use proper english for full randomization option. Signed-off-by: Patrick McHardy
* scanner: don't bug on too large valuesPablo Neira Ayuso2014-12-011-4/+8
| | | | | | | | | | | | | Add a new ERROR symbol to handle scanning of too large values. <cmdline>:1:36-99: Error: bad value '0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' add rule ip test-ip4 input ct mark 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ instead of: BUG: nft: scanner.l:470: nft_lex: Assertion `0' failed. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: fix reading of really long lineEric Leblond2014-12-011-1/+2
| | | | | | | | | | | | | | | Current code is causing a failure in adding a set containing a really long list of elements. The failure occurs as soon as the line is longer than flex read buffer. When a line is longer than scanner buffer size, the code in YY_INPUT forces a rewind to the beginning of the string because it does not find a end of line. The result is that the string is never parsed. This patch updates the code by rewinding till we found a space. Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: autotools conversionPablo Neira Ayuso2014-11-121-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 1) This removes former Makefiles and install-sh (which is now automagically imported via autoreconf). Makefile.defs.in Makefile.in Makefile.rules.in src/Makefile.in install-sh (now automagically imported via autoreconf). 2) CFLAGS are left almost same, they are integrated into Make_global.am. Use AM_CPPFLAGS to set the CFLAGS set by pkgconfig. 3) Add m4 directory to the tree which only contains the .gitignore file. Update .gitignore file to skip autogenerated files. 4) include <config.h> whenever required. 5) Minor adjustments to scanner.l and parser_bison.y to compile cleanly with autotools. 6) Add %option outfile=lex.yy.c to scanner.l, otherwise I hit this error here: gcc -DHAVE_CONFIG_H -I. -I.. -I../include -DDEFAULT_INCLUDE_PATH="\"/usr/etc\"" -Wall -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -Wsign-compare -Winit-self -Wformat-nonliteral -Wformat-security -Wmissing-format-attribute -Wcast-align -Wundef -Wbad-function-cast -g -O2 -MT mnl.o -MD -MP -MF $depbase.Tpo -c -o mnl.o mnl.c &&\ mv -f $depbase.Tpo $depbase.Po /bin/sh ../build-aux/ylwrap scanner.l lex.yy.c scanner.c -- flex make[3]: *** [scanner.c] Error 1 make[3]: Leaving directory `/home/pablo/devel/scm/git-netfilter/nftables/src' make[2]: *** [all] Error 2 make[2]: Leaving directory `/home/pablo/devel/scm/git-netfilter/nftables/src' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/home/pablo/devel/scm/git-netfilter/nftables' make: *** [all] Error 2 7) Add Makefile.am for include/ (contributed by Giorgio Dal Molin). The doc/ and files/ conversion to automake will come in follow up patches but 'make distcheck' already works. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rename parser.y to parser_bison.yPablo Neira Ayuso2014-11-101-1/+1
| | | | | | | | | The conversion to the autotools need this. Make sure you remove the autogenerated parser.c and parser.h from your tree. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Add cgroup support in meta expresionAna Rey2014-11-101-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | The new attribute of meta is "cgroup". Example of use in nft: # nft add rule ip test output meta cgroup != 0x100001 counter drop Moreover, this adds tests to the meta.t test file. The kernel support is addedin the commit: ce67417 ("netfilter: nft_meta: add cgroup support") The libnftnl support is add in the commit: 1d4a480 ("expr: meta: Add cgroup support") More information about the steps to use cgroup: https://www.kernel.org/doc/Documentation/cgroups/net_cls.txt More info about cgroup in iptables: http://git.kernel.org/cgit/linux/kernel/git/pablo/nftables.git/commit/net/netfilter/xt_cgroup.c?id=82a37132f300ea53bdcd812917af5a6329ec80c3 Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add redirect supportArturo Borrero2014-11-041-0/+1
| | | | | | | | | | | This patch adds redirect support for nft. The syntax is: % nft add rule nat prerouting redirect [port] [nat_flags] Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add masquerade supportArturo Borrero2014-10-091-0/+1
| | | | | | | | | | | | | | | | | This patch adds masquerade support for nft. The syntax is: % nft add rule nat postrouting masquerade [flags] Currently, flags are: random, random-fully, persistent Example: % nft add rule nat postrouting masquerade random,persistent Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: interpret the event type from the evaluation stepPablo Neira Ayuso2014-10-091-3/+0
| | | | | | | | | | | Postpone the event type interpretation to the evaluation step. This patch also fixes the combination of event and object types, which was broken. The export code needed to be adjusted too. The new and destroy are not tokens that can be recognized by the scanner anymore, so this also implicitly restores 'ct state'. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add nat persistent and random optionsArturo Borrero2014-10-091-0/+3
| | | | | | | | | | | | | | | | | This patch adds more configuration options to the nat expression. The syntax is as follow: % nft add rule nat postrouting <snat|dnat> <nat_arguments> [flags] Flags are: random, persistent, random-fully. Example: % nft add rule nat postrouting dnat 1.1.1.1 random,persistent A requirement is to cache some [recent] copies of kernel headers. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: complete reject supportAlvaro Neira2014-10-091-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch allows to use the reject action in rules. For example: nft add rule filter input udp dport 22 reject In this rule, we assume that the reason is network unreachable. Also we can specify the reason with the option "with" and the reason. For example: nft add rule filter input tcp dport 22 reject with icmp type host-unreachable In the bridge tables and inet tables, we can use this action too. For example: nft add rule inet filter input reject with icmp type host-unreachable In this rule above, this generates a meta nfproto dependency to match ipv4 traffic because we use a icmpv4 reason to reject. If the reason is not specified, we infer it from the context. Moreover, we have the new icmpx datatype. You can use this datatype for the bridge and the inet tables to simplify your ruleset. For example: nft add rule inet filter input reject with icmpx type host-unreachable We have four icmpx reason and the mapping is: ICMPX reason | ICMPv6 | ICMPv4 | | admin-prohibited | admin-prohibited | admin-prohibited port-unreachable | port-unreachable | port-unreachable no-route | no-route | net-unreachable host-unreachable | addr-unreachable | host-unreachable Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add set optimization optionsArturo Borrero2014-09-291-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds options to choose set optimization mechanisms. Two new statements are added to the set syntax, and they can be mixed: nft add set filter set1 { type ipv4_addr ; size 1024 ; } nft add set filter set1 { type ipv4_addr ; policy memory ; } nft add set filter set1 { type ipv4_addr ; policy performance ; } nft add set filter set1 { type ipv4_addr ; policy memory ; size 1024 ; } nft add set filter set1 { type ipv4_addr ; size 1024 ; policy memory ; } nft add set filter set1 { type ipv4_addr ; policy performance ; size 1024 ; } nft add set filter set1 { type ipv4_addr ; size 1024 ; policy performance ; } Also valid for maps: nft add map filter map1 { type ipv4_addr : verdict ; policy performace ; } [...] This is the output format, which can be imported later with `nft -f': table filter { set set1 { type ipv4_addr policy memory size 1024 } } In this approach the parser accepts default options such as 'performance', given they are a valid configurations, but aren't sent to the kernel. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* queue: clean up queue statementPatrick McHardy2014-09-241-2/+2
| | | | | | | | | | | | | | | | | | - Rename keyword tokens to their actual keyword - Change the grammar to follow the standard schema for statements and arguments - Use actual expression for the queue numbers to support using normal range expressions, symbolic expression and so on. - restore comma seperation of flag keywords The result is that its possible to use standard ranges, prefix expressions, symbolic expressions etc for the queue number. We get checks for overflow, negative ranges and so on automatically. The comma seperation of flags is more similar to what we have for other flag values. It is still possible to use spaces, however this could be removed since we never had a release supporting that. Signed-off-by: Patrick McHardy <kaber@trash.net>
* parser: simplify monitor command parsingPatrick McHardy2014-09-171-0/+3
| | | | | | | Add tokens for "new" and "destroy". Split up the monitor flags into an event and an object to avoid lots of duplicated code. Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: add `flush ruleset'Arturo Borrero2014-09-091-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the `flush ruleset' operation to nft. The syntax is: % nft flush ruleset [family] To flush all the ruleset (all families): % nft flush ruleset To flush the ruleset of a given family: % nft flush ruleset ip % nft flush ruleset inet This flush is a shortcut operation which deletes all rules, sets, tables and chains. It's possible since the modifications in the kernel to the NFT_MSG_DELTABLE API call. Users can benefit of this operation when doing an atomic replacement of the entire ruleset, loading a file like this: ========= flush ruleset table ip filter { chain input { counter accept } } ========= Also, users who want to simply clean the ruleset for whatever reason can do it now without having to iterate families/tables. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Add devgroup support in meta expresionAna Rey2014-09-031-0/+2
| | | | | | | | | | | | | | | | | | | This adds device group support in meta expresion. The new attributes of meta are "iffgroup" and "oifgroup" - iffgroup: Match device group of incoming device. - oifgroup: Match device group of outcoming device. Example of use: nft add rule ip test input meta iifgroup 2 counter nft add rule ip test output meta oifgroup 2 counter The kernel and libnftnl support were added in these commits: netfilter: nf_tables: add devgroup support in meta expresion src: meta: Add devgroup support to meta expresion Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Add support for cpu in meta expresionAna Rey2014-08-241-0/+1
| | | | | | | | | | | | | This allows you to match cpu handling with a packet. This is an example of the syntax for this new attribute: nft add rule ip test input meta cpu 1 counter nft add rule ip test input meta cpu 1-3 counter nft add rule ip test input meta cpu { 1, 3} counter Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Add support for pkttype in meta expresionAna Rey2014-08-241-0/+1
| | | | | | | | | | | | | | | If you want to match the pkttype field of the skbuff, you have to use the following syntax: nft add rule ip filter input meta pkttype PACKET_TYPE where PACKET_TYPE can be: unicast, broadcast and multicast. Joint work with Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add level option to the log statementPablo Neira Ayuso2014-07-251-0/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch is required if you use upcoming Linux kernels >= 3.17 which come with a complete logging support for nf_tables. If you use 'log' without options, the kernel logging buffer is used: nft> add rule filter input log You can also specify the logging prefix string: nft> add rule filter input log prefix "input: " You may want to specify the log level: nft> add rule filter input log prefix "input: " level notice By default, if not specified, the default level is 'warn' (just like in iptables). If you specify the group, then nft uses the nfnetlink_log instead: nft> add rule filter input log prefix "input: " group 10 You can also specify the snaplen and qthreshold for the nfnetlink_log. But you cannot mix level and group at the same time, they are mutually exclusive. Default values for both snaplen and qthreshold are 0 (just like in iptables). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: revert broken reject icmp code supportPablo Neira Ayuso2014-06-201-1/+0
| | | | | | | | | | | | | | | | | This patch reverts Alvaro's 34040b1 ("reject: add ICMP code parameter for indicating the type of error") and 11b2bb2 ("reject: Use protocol context for indicating the reject type"). These patches are flawed by two things: 1) IPv6 support is broken, only ICMP codes are considered. 2) If you don't specify any transport context, the utility exits without adding the rule, eg. nft add rule ip filter input reject. The kernel is also flawed when it comes to the inet table. Let's revert this until we can provide decent reject reason support. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* reject: add ICMP code parameter for indicating the type of errorÁlvaro Neira Ayuso2014-06-161-0/+1
| | | | | | | | | | | | | | | | | | | | This patch allows to indicate the ICMP code field in case that we use to reject. Before, we have always sent network unreachable error as ICMP code, now we can explicitly indicate the ICMP code that we want to use. Examples: nft add rule filter input tcp dport 22 reject with host-unreach nft add rule filter input udp dport 22 reject with host-unreach In this case, it will use the host unreachable code to reject traffic. The default code field still is network unreachable and we can also use the rules without the with like that: nft add rule filter input udp dport 22 reject Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* queue: More compact syntaxÁlvaro Neira Ayuso2014-06-111-2/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch allows to use a new syntax more compact and break the current syntax. This new syntax is more similar than the nftables syntax that we use usually. We can use range like we have used in other case in nftables. Here, we have some examples: Before, If we want to declare a queue, we have used a syntax like this: nft add rule test input queue num 1 total 3 options bypass,fanout If we want to use the queue number 1 and the two next (total 3), we use a range in the new syntax, for example: nft add rule test input queue num 1-3 bypass fanout Also if we want to use only one queue, the new rules are like: nft add rule test input queue num 1 # queue 1 or nft add rule test input queue # queue 0 And if we want to add a specific flags we only need to put what flags we want to use: nft add rule test input queue bypass we don't need to use options and the comma for indicating the flags. Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: Add udplite tokenÁlvaro Neira Ayuso2014-05-281-0/+1
| | | | | | | | If we add a udplite rule, we can't because we have forgot to add this token in the scanner. Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: remove the "new" and "destroy" tokens from the scannerPablo Neira Ayuso2014-05-201-2/+0
| | | | | | | | | | | | | | | | These new tokens were introduced in f9563c0 ("src: add events reporting") to allow filtering based on the event type. This confuses the parser when parsing the "new" token: test:32:33-35: Error: syntax error, unexpected new add rule filter output ct state new,established counter ^^^ This patch fixes this by replacing these event type tokens by the generic string token, which is then interpreted during the parsing. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add events reportingArturo Borrero2014-04-251-0/+5
| | | | | | | | | | This patch adds a basic events reporting option to nft. The syntax is: % nft monitor [new|destroy] [tables|chains|rules|sets|elements] [xml|json] Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: Add support for input and output bridge interface nameTomasz Bursztyka2014-04-241-0/+2
| | | | | | | | Add support to get an input or output bridge interface name through the relevant meta keys. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for rule human-readable commentsPablo Neira Ayuso2014-02-271-0/+1
| | | | | | | | | | | | This patch adds support for human-readable comments: nft add rule filter input accept comment \"accept all traffic\" Note that comments *always* come at the end of the rule. This uses the new data area that allows you to attach information to the rule via netlink. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: connlabel matching supportFlorian Westphal2014-02-181-0/+1
| | | | | | | | | | | Takes advantage of the fact that the current maximum label storage area is 128 bits, i.e. the dynamically allocated extension area in the kernel will always fit into a nft register. Currently this re-uses rt_symbol_table_init() to read connlabel.conf. This works since the format is pretty much the same. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: update last_line in struct locationPatrick McHardy2014-02-041-0/+1
| | | | | | Currently always has the value 0. Signed-off-by: Patrick McHardy <kaber@trash.net>
* scanner: don't update location's line_offset for newlinesPatrick McHardy2014-02-041-1/+0
| | | | | | | | When reset_pos() is invoked, YY_USER_ACTION() has already advanced the line offset to the next line. This causes errors for unexpected newlines to incorrectly show the following line when reading from files. Signed-off-by: Patrick McHardy <kaber@trash.net>
* ruleset: add XML/JSON exportArturo Borrero Gonzalez2014-01-231-0/+4
| | | | | | | | | | | | | | | | | | | | This patch adds the following operation: :~# nft export <xml|json> The XML/JSON output is provided raw by libnftnl, thus without format. In case of XML, you can give format with the `xmllint' tool from libxml2-tools: :~# nft list ruleset xml | xmllint --format - In case of JSON, you can use `json_pp' from perl standar package: :~# nft list ruleset json | json_pp A format field is added in struct cmd, and it will be reused in the import operation. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
* cmd: add create command for tables and chainsPatrick McHardy2014-01-211-0/+1
| | | | | | | | | We currently always use NLM_F_EXCL for add, which makes adding existing chains or tables fail. There's usually no reason why you would care about this, so change "add" to not use NLM_F_EXCL and add a new "create" command in case you do care. Signed-off-by: Patrick McHardy <kaber@trash.net>
* Merge remote-tracking branch 'origin/master' into next-3.14Patrick McHardy2014-01-161-1/+4
|\ | | | | | | | | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Conflicts: include/nftables.h src/main.c