summaryrefslogtreecommitdiffstats
path: root/src/scanner.l
Commit message (Collapse)AuthorAgeFilesLines
* libnftables: Introduce getters and setters for everythingPhil Sutter2017-10-241-3/+1
| | | | | | | | | | | | | | | | | | | | | | | | | This introduces getter/setter pairs for all parts in struct nft_ctx (and contained structs) which should be configurable. Most of them are simple ones, just allowing to get/set a given field: * nft_ctx_{get,set}_dry_run() -> ctx->check * nft_ctx_output_{get,set}_numeric() -> ctx->output.numeric * nft_ctx_output_{get,set}_stateless() -> ctx->output.stateless * nft_ctx_output_{get,set}_ip2name() -> ctx->output.ip2name * nft_ctx_output_{get,set}_debug() -> ctx->debug_mask * nft_ctx_output_{get,set}_handle() -> ctx->output.handle * nft_ctx_output_{get,set}_echo() -> ctx->output.echo A more complicated case is include paths handling: In order to keep the API simple, remove INCLUDE_PATHS_MAX restraint and dynamically allocate nft_ctx field include_paths instead. So there is: * nft_ctx_add_include_path() -> add an include path to the list * nft_ctx_clear_include_paths() -> flush the list of include paths Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: IPv4-Mapped IPv6 addresses supportPablo Neira Ayuso2017-10-091-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The scanner rejects IPv4-Mapped IPv6 addresses, eg. # cat test #!/usr/sbin/nft -f flush ruleset table inet global { set blackhole_ipv6 { type ipv6_addr flags interval elements = { ::ffff:0.0.0.0/96 } } } # nft -f test test:8:30-38: Error: syntax error, unexpected string, expecting comma or '}' elements = { ::ffff:0.0.0.0/96 } ^^^^^^^^^^ According to RFC4291, Sect. 2.5.5.2. IPv4-Mapped IPv6 Address: | 80 bits | 16 | 32 bits | +--------------------------------------+--------------------------+ |0000..............................0000|FFFF| IPv4 address | +--------------------------------------+----+---------------------+ Update scanner bits to parse this. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1188 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: use keywords in ct expressionPablo Neira Ayuso2017-09-271-0/+9
| | | | | | | | Using string give us more chances to hit shift/reduce conflicts when extending this grammar, more specifically, from the stmt_expr rule, so add keywords for this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add stateful object support for limitPablo M. Bermudo Garay2017-09-041-0/+1
| | | | | | | | This patch adds support for a new type of stateful object: limit. Creation, deletion and listing operations are supported. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: Make use of yylex_init_extra()Phil Sutter2017-08-241-2/+1
| | | | | | This combines the calls to yylex_init() and yyset_extra(). Signed-off-by: Phil Sutter <phil@nwl.cc>
* scanner: Fix for wrong parameter type of scanner_destroy()Phil Sutter2017-08-241-1/+1
| | | | | | | | The function takes the scanner as argument, not the state. This wasn't a real issue since scanner is a void pointer, which means it's only casted around without need. So this fix is a rather cosmetic one. Signed-off-by: Phil Sutter <phil@nwl.cc>
* scanner: Fix for memleak due to unclosed file pointerPhil Sutter2017-08-241-1/+2
| | | | | | | | | | | | | | | | | | | | When including a file, it is opened by fopen() and therefore needs to be closed after scanning has finished using fclose(), otherwise valgrind will report a memleak. This patch changes struct input_descriptor to track the opened FILE pointer instead of the file descriptor so the pointer is available for closing in scanner_destroy(). While at it, change erec_print() to work on the open FILE pointer so it doesn't have to call fileno() in beforehand. And as a little bonus, use C99 initializer of the buffer to get rid of the call to memset(). Note that it is necessary to call erec_print_list() prior to destroying the scanner, otherwise it will start manipulating an already freed FILE pointer (and therefore crash the program). Signed-off-by: Phil Sutter <phil@nwl.cc>
* src: add include_paths to struct nft_ctxPablo Neira Ayuso2017-08-231-5/+5
| | | | | | | Not convenient to keep this as static for the upcoming library, so let's move it where it belongs. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: handle rule tracing as an monitor objectPablo Neira Ayuso2017-08-021-0/+1
| | | | | | Traces are not an event type, they should be handled as an object. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: free filename when destroying scannerEric Leblond2017-07-171-2/+9
| | | | | | | | To be able to do so we duplicate the name in the indesc if it is set. Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: support for wildcards in include statements.Ismo Puustinen2017-06-271-119/+107
| | | | | | | | | | | | | | | | Use glob() to find paths in include statements. The rules are these: 1. If no files can be found in the pattern with wildcards, do not return an error. 2. Do not match any files beginning with '.'. 3. Do not handle include directories anymore. For example, the statement: include "foo/" would now need to be rewritten: include "foo/*" Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: add files in include dirs in alphabetical order.Ismo Puustinen2017-06-071-27/+70
| | | | | | | | | | | | | | | | | | This means that if you have a directory structure like this /foo /foo/02_rules.nft /foo/01_rules.nft where *.nft files in directory /foo are nft scripts, then an include statement in another nft script like this include "/foo/" guarantees that "01_rules.nft" is loaded before "02_rules.nft". Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: add support for include directoriesIsmo Puustinen2017-06-061-23/+109
| | | | | | | | | | | | | | | | If a string after "include" keyword points to a directory instead of a file, consider the directory to contain only nft rule files and try to load them all. This helps with a use case where services drop their own firewall configuration files into a directory and nft needs to include those without knowing the exact file names. File loading order from the include directory is not specified, so the files inside an include directory should not depend on each other. Fixes(Bug 1154 - Allow include statement to operate on directories and/or wildcards). Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: Implement existence checkPhil Sutter2017-03-101-0/+2
| | | | | | | | | | | This allows to check for existence of an IPv6 extension or TCP option header by using the following syntax: | exthdr frag exists | tcpopt window exists Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Introduce boolean datatype and boolean expressionPhil Sutter2017-03-101-0/+3
| | | | | Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: hash: support of symmetric hashLaura Garcia Liebana2017-03-061-0/+1
| | | | | | | | | | | | | | | | | | | | | This patch provides symmetric hash support according to source ip address and port, and destination ip address and port. The new attribute NFTA_HASH_TYPE has been included to support different types of hashing functions. Currently supported NFT_HASH_JENKINS through jhash and NFT_HASH_SYM through symhash. The main difference between both types are: - jhash requires an expression with sreg, symhash doesn't. - symhash supports modulus and offset, but not seed. Examples: nft add rule ip nat prerouting ct mark set jhash ip saddr mod 2 nft add rule ip nat prerouting ct mark set symhash mod 2 Signed-off-by: Laura Garcia Liebana <laura.garcia@zevenet.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: revisit tcp options supportPablo Neira Ayuso2017-02-281-0/+19
| | | | | | | | | | | | | | | | | | | Rework syntax, add tokens so we can extend the grammar more easily. This has triggered several syntax changes with regards to the original patch, specifically: tcp option sack0 left 1 There is no space between sack and the block number anymore, no more offset field, now they are a single field. Just like we do with rt, rt0 and rt2. This simplifies our grammar and that is good since it makes our life easier when extending it later on to accomodate new features. I have also renamed sack_permitted to sack-permitted. I couldn't find any option using underscore so far, so let's keep it consistent with what we have. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add conntrack zone supportFlorian Westphal2017-02-281-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This enables zone get/set support. As the zone can be optionally tied to a direction as well we need a new token for this (unless we turn reply/original into tokens in which case we could handle zone via STRING). There was some discussion on how zone set support should be handled, especially 'zone set 1'. There are several issues to consider: 1. its not possible to change a zone 'later on', any given conntrack flow has exactly one zone for its entire lifetime. 2. to create conntracks in a given zone, the zone therefore has to be assigned *before* the packet gets picked up by conntrack (so that lookup finds the correct existing flow or the flow is created with the desired zone id). In iptables, this is enforced because zones are assigned with CT target and this is restricted to the 'raw' table in iptables, which runs after defragmentation but before connection tracking. 3. Thus, in nftables the 'ct zone set' rule needs to hook before conntrack too, e.g. via table raw { chain pre { type filter hook prerouting priority -300; iif eth3 ct zone set 23 } chain out { type filter hook output priority -300; oif eth3 ct zone set 23 } } ... but this is not enforced. There were two alternatives to better document this. One was to use an explicit 'template' keyword: nft ... template zone set 23 ... but 'connection tracking templates' are a kernel detail that users should not and need not know about. The other one was to use the meta keyword instead since we're (from a practical point of view) assigning the zone to the packet, not the conntrack: nft ... meta zone set 23 However, next patch also supports 'directional' zones, and nft ... meta original zone 23 makes no sense because 'direction' refers to a direction as understood by the connection tracker. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add TCP option matchingManuel Messner2017-02-121-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch enables nft to match against TCP options. Currently these TCP options are supported: * End of Option List (eol) * No-Operation (noop) * Maximum Segment Size (maxseg) * Window Scale (window) * SACK Permitted (sack_permitted) * SACK (sack) * Timestamps (timestamp) Syntax: tcp options $option_name [$offset] $field_name Example: # count all incoming packets with a specific maximum segment size `x` # nft add rule filter input tcp option maxseg size x counter # count all incoming packets with a SACK TCP option where the third # (counted from zero) left field is greater `x`. # nft add rule filter input tcp option sack 2 left \> x counter If the offset (the `2` in the example above) is zero, it can optionally be omitted. For all non-SACK TCP options it is always zero, thus can be left out. Option names and field names are parsed from templates, similar to meta and ct options rather than via keywords to prevent adding more keywords than necessary. Signed-off-by: Manuel Messner <mm@skelett.io> Signed-off-by: Florian Westphal <fw@strlen.de>
* ct: add average bytes per packet counter supportLiping Zhang2017-01-161-0/+1
| | | | | | | | | | | | | | | | | Similar to connbytes extension in iptables, now you can use it to match average bytes per packet a connection has transferred so far. For example, match avgpkt in "BOTH" diretion: # nft add rule x y ct avgpkt \> 100 Match avgpkt in reply direction: # nft add rule x y ct reply avgpkt \< 900 Or match avgpkt in original direction: # nft add rule x y ct original avgpkt \> 200 Signed-off-by: Liping Zhang <zlpnobody@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: fix search_in_include_path testAnatole Denis2017-01-031-2/+2
| | | | | | | | | | | clang emits a warning in this function as we're using a boolean as the third argument to strncmp. Indeed, this function only checks the first byte of the path as is, so files beginning with . will be incorrectly included from the current working directory instead of the include directory. Fixes: f92a1a5c4a87 ("scanner: honor absolute and relative paths via include file") Signed-off-by: Anatole Denis <anatole@rezel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add stateful object reference expressionPablo Neira Ayuso2017-01-031-0/+1
| | | | | | | | | This patch adds a new objref statement to refer to existing stateful objects from rules, eg. # nft add rule filter input counter name test counter Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: reset internal stateful objectsPablo Neira Ayuso2017-01-031-0/+1
| | | | | | | | | | | | | | | | | | | | | This patch allows you to atomically dump and reset stateful objects, eg. # nft list counters table ip filter { counter test { packets 1024 bytes 100000 } } # nft reset quotas table filter counter test { packets 1024 bytes 100000 } # nft reset quotas table filter counter test { packets 0 bytes 0 } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: listing of stateful objectsPablo Neira Ayuso2017-01-031-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch allows you to dump existing stateful objects, eg. # nft list ruleset table ip filter { counter test { packets 64 bytes 1268 } quota test { over 1 mbytes used 1268 bytes } chain input { type filter hook input priority 0; policy accept; quota name test drop counter name test } } # nft list quotas table ip filter { quota test { over 1 mbytes used 1268 bytes } } # nft list counters table ip filter { counter test { packets 64 bytes 1268 } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add used quota supportPablo Neira Ayuso2017-01-031-0/+1
| | | | | | | | | | | | | table ip x { chain y { type filter hook forward priority 0; policy accept; quota over 200 mbytes used 1143 kbytes drop } } This patch allows us to list and to restore used quota. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add log flags syntax supportLiping Zhang2016-11-241-0/+3
| | | | | | | | | | | | | | | | | | | | | Now NF_LOG_XXX is exposed to the userspace, we can set it explicitly. Like iptables LOG target, we can log TCP sequence numbers, TCP options, IP options, UID owning local socket and decode MAC header. Note the log flags are mutually exclusive with group. Some examples are listed below: # nft add rule t c log flags tcp sequence,options # nft add rule t c log flags ip options # nft add rule t c log flags skuid # nft add rule t c log flags ether # nft add rule t c log flags all # nft add rule t c log flags all group 1 <cmdline>:1:14-16: Error: flags and group are mutually exclusive add rule t c log flags all group 1 ^^^ Signed-off-by: Liping Zhang <zlpnobody@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add notrack supportPablo Neira Ayuso2016-11-141-0/+2
| | | | | | | This patch adds the notrack statement, to skip connection tracking for certain packets. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add fib expressionFlorian Westphal2016-10-281-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds the 'fib' expression which can be used to obtain the output interface from the route table based on either source or destination address of a packet. This can be used to e.g. add reverse path filtering: # drop if not coming from the same interface packet # arrived on # nft add rule x prerouting fib saddr . iif oif eq 0 drop # accept only if from eth0 # nft add rule x prerouting fib saddr . iif oif eq "eth0" accept # accept if from any valid interface # nft add rule x prerouting fib saddr oif accept Querying of address type is also supported. This can be used to e.g. only accept packets to addresses configured in the same interface: # fib daddr . iif type local Its also possible to use mark and verdict map, e.g.: # nft add rule x prerouting meta mark set 0xdead fib daddr . mark type vmap { blackhole : drop, prohibit : drop, unicast : accept } Signed-off-by: Florian Westphal <fw@strlen.de>
* rt: introduce routing expressionAnders K. Pedersen2016-10-281-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Introduce rt expression for routing related data with support for nexthop (i.e. the directly connected IP address that an outgoing packet is sent to), which can be used either for matching or accounting, eg. # nft add rule filter postrouting \ ip daddr 192.168.1.0/24 rt nexthop != 192.168.0.1 drop This will drop any traffic to 192.168.1.0/24 that is not routed via 192.168.0.1. # nft add rule filter postrouting \ flow table acct { rt nexthop timeout 600s counter } # nft add rule ip6 filter postrouting \ flow table acct { rt nexthop timeout 600s counter } These rules count outgoing traffic per nexthop. Note that the timeout releases an entry if no traffic is seen for this nexthop within 10 minutes. # nft add rule inet filter postrouting \ ether type ip \ flow table acct { rt nexthop timeout 600s counter } # nft add rule inet filter postrouting \ ether type ip6 \ flow table acct { rt nexthop timeout 600s counter } Same as above, but via the inet family, where the ether type must be specified explicitly. "rt classid" is also implemented identical to "meta rtclassid", since it is more logical to have this match in the routing expression going forward. Signed-off-by: Anders K. Pedersen <akp@cohaesio.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: allow resolving meta keys at run timeFlorian Westphal2016-10-271-2/+0
| | | | | | | | | use the meta template to translate the textual token to the enum value. This allows to remove two keywords from the scanner and also means we do not need to introduce new keywords when more meta keys get added. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: allow resolving ct keys at run timeFlorian Westphal2016-10-271-6/+0
| | | | | | | ... and remove those keywords we no longer need. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: add offset keyword and parser rulePablo Neira Ayuso2016-10-271-0/+1
| | | | | | This is required by the numgen and jhash expressions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: don't need keyword for log levelPablo Neira Ayuso2016-10-211-8/+0
| | | | | | | We can handle log levels without keywords in our grammar, use string instead. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add hash expressionPablo Neira Ayuso2016-08-291-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This is special expression that transforms an input expression into a 32-bit unsigned integer. This expression takes a modulus parameter to scale the result and the random seed so the hash result becomes harder to predict. You can use it to set the packet mark, eg. # nft add rule x y meta mark set jhash ip saddr . ip daddr mod 2 seed 0xdeadbeef You can combine this with maps too, eg. # nft add rule x y dnat to jhash ip saddr mod 2 seed 0xdeadbeef map { \ 0 : 192.168.20.100, \ 1 : 192.168.30.100 \ } Currently, this expression implements the jenkins hash implementation available in the Linux kernel: http://lxr.free-electrons.com/source/include/linux/jhash.h But it should be possible to extend it to support any other hash function type. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add numgen expressionPablo Neira Ayuso2016-08-291-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This new expression allows us to generate incremental and random numbers bound to a specified modulus value. The following rule sets the conntrack mark of 0 to the first packet seen, then 1 to second packet, then 0 again to the third packet and so on: # nft add rule x y ct mark set numgen inc mod 2 A more useful example is a simple load balancing scenario, where you can also use maps to set the destination NAT address based on this new numgen expression: # nft add rule nat prerouting \ dnat to numgen inc mod 2 map { 0 : 192.168.10.100, 1 : 192.168.20.200 } So this is distributing new connections in a round-robin fashion between 192.168.10.100 and 192.168.20.200. Don't forget the special NAT chain semantics: Only the first packet evaluates the rule, follow up packets rely on conntrack to apply the NAT information. You can also emulate flow distribution with different backend weights using intervals: # nft add rule nat prerouting \ dnat to numgen inc mod 10 map { 0-5 : 192.168.10.100, 6-9 : 192.168.20.200 } So 192.168.10.100 gets 60% of the workload, while 192.168.20.200 gets 40%. We can also be mixed with dynamic sets, thus weight can be updated in runtime. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add quota statementPablo Neira Ayuso2016-08-291-0/+2
| | | | | | | | | | | | | This new statement is stateful, so it can be used from flow tables, eg. # nft add rule filter input \ flow table http { ip saddr timeout 60s quota over 50 mbytes } drop This basically sets a quota per source IP address of 50 mbytes after which packets are dropped. Note that the timeout releases the entry if no traffic is seen from this IP after 60 seconds. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: meta priority support using tc classidPablo Neira Ayuso2016-08-181-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the missing bits to scan and parse the meta priority handle as expressed by tc classid major:minor syntax. The :minor syntax is not support for two reason: major is always >= 1 and this clashes with port syntax in nat. Here below, several example on how to match the packet priority field: nft add rule filter forward meta priority abcd:0 nft add rule filter forward meta priority abcd:1234 and to set it, you have to: nft add rule filter forward meta priority set abcd:1234 The priority expression in flex looks ahead to restrict the pattern to avoid problems with mappings: {classid}/[ \t\n:\-},] So the following doesn't break: ... vmap { 25:accept } ^^^^^ The lookahead expression requires a slight change to extend the input string in one byte. This patch is conservative as you always have to explicity indicate major and minor numbers even if zero. We could consider supporting this shortcut in the future: abcd: However, with regards to this: :abcd We don't need to support it since major number is assumed to be >= 1. However, if we ever decide to support this, we'll have problems since this clashes with our port representation in redirect and mangle. So let's keep this simple and start with this approach. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: remove range expressionPablo Neira Ayuso2016-08-181-1/+0
| | | | | | This expression is not used anywhere in this scanner code. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: allow strings starting by underscores and dotsPablo Neira Ayuso2016-08-181-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | POSIX.1-2008 (which is simultaneously IEEE Std 1003.1-2008) says: "The set of characters from which portable filenames are constructed. A B C D E F G H I J K L M N O P Q R S T U V W X Y Z a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9 . _ -" On top of that it says: "The <hyphen> character should not be used as the first character of a portable user name." This allows a bit more things that NAME_REGEX though, but this still looks fine to me. For more info, see: http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_431 http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_278 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for RFC2732 IPv6 address format with bracketsPablo Neira Ayuso2016-08-181-0/+7
| | | | | | | | | | | | | | The statement: dnat to 2001:838:35f:1:::80 is very confusing as it is not so easy to identify where address ends and the port starts. This even harder to read with ranges. So this patch adds squared brackets as RFC2732 to enclose the IPv6 address. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: don't break line on include error messagePablo Neira Ayuso2016-08-101-1/+1
| | | | | | | For consistency with other error messages in this codebase, don't add a line break. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: don't fall back on current directory if include is not foundPablo Neira Ayuso2016-08-101-7/+6
| | | | | | | | | This resolves an ambiguity if the same file name is used both under sysconfdir and the current working directory. You can use dot slash ./ to explicitly refer to files in the current working directory. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1040 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: honor absolute and relative paths via include filePablo Neira Ayuso2016-08-101-7/+17
| | | | | | | | If the path refers to an absolute or relative path, do not check for the default include paths, eg. /etc/nftables/. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1040 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add 'list maps' supportPablo M. Bermudo Garay2016-05-311-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | This commit adds a new command that lists maps: # nft list maps [family] Only the declaration is displayed. If no family is specified, all maps of all families are listed. Example: # nft list maps table ip filter { map test { type ipv4_addr : inet_service } } table ip6 filter { map test { type ipv6_addr : inet_service } } Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add flow statementPatrick McHardy2016-05-131-0/+2
| | | | | | | | | | | | | | | The flow statement allows to instantiate per flow statements for user defined flows. This can so far be used for per flow accounting or limiting, similar to what the iptables hashlimit provides. Flows can be aged using the timeout option. Examples: # nft filter input flow ip saddr . tcp dport limit rate 10/second # nft filter input flow table acct iif . ip saddr timeout 60s counter Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add ecn supportPablo Neira Ayuso2016-05-111-0/+1
| | | | | | | | | | | | | | | | | | | | | | This supports both IPv4: # nft --debug=netlink add rule ip filter forward ip ecn ce counter ip filter forward [ payload load 1b @ network header + 1 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x00000003 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000003 ] [ counter pkts 0 bytes 0 ] For IPv6: # nft --debug=netlink add rule ip6 filter forward ip6 ecn ce counter ip6 filter forward [ payload load 1b @ network header + 1 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x00000030 ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000030 ] [ counter pkts 0 bytes 0 ] Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add dscp supportPablo Neira Ayuso2016-05-111-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This supports both IPv4: # nft --debug=netlink add rule filter forward ip dscp cs1 counter ip filter forward [ payload load 1b @ network header + 1 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ] [ cmp neq reg 1 0x00000080 ] [ counter pkts 0 bytes 0 ] And also IPv6, note that in this case we take two bytes from the payload: # nft --debug=netlink add rule ip6 filter input ip6 dscp cs4 counter ip6 filter input [ payload load 2b @ network header + 0 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x0000c00f ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000008 ] [ counter pkts 0 bytes 0 ] Given the DSCP is split in two bytes, the less significant nibble of the first byte and the two most significant 2 bits of the second byte. The 8 bit traffic class in RFC2460 after the version field are used for DSCP (6 bit) and ECN (2 bit). Support for ECN comes in a follow up patch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: remove 'reset' as reserve keywordPablo Neira Ayuso2016-03-071-1/+0
| | | | | | | | | The 'reset' keyword can be used as dccp type, so don't qualify it as reserve keyword to avoid a conflict with this. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1055 Reported-by: Shivani Bhardwaj <shivanib134@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add fwd statement for netdevPablo Neira Ayuso2016-01-311-0/+1
| | | | | | | | | | | This patch add support for the forward statement, only available at the netdev family. # nft add table netdev filter # nft add chain netdev filter ingress { type filter hook ingress device eth0 priority 0\; } # nft add rule netdev filter ingress fwd to dummy0 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support limit rate over valuePablo Neira Ayuso2016-01-141-0/+2
| | | | | | | | | | | | | | | | | | So far it was only possible to match packet under a rate limit, this patch allows you to explicitly indicate if you want to match packets that goes over or until the rate limit, eg. ... limit rate over 3/second counter log prefix "OVERLIMIT: " drop ... limit rate over 3 mbytes/second counter log prefix "OVERLIMIT: " drop ... ct state invalid limit rate until 1/second counter log prefix "INVALID: " When listing rate limit until, this shows: ... ct state invalid limit rate 1/second counter log prefix "INVALID: " thus, the existing syntax is still valid (i.e. default to rate limit until). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>