summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* src: support zone set statement with optional directionFlorian Westphal2017-02-284-5/+29
| | | | | | | | | | | | nft automatically understands 'ct zone set 1' but when a direction is specified too we get a parser error since they are currently only allowed for plain ct expressions. This permits the existing syntax ('ct original zone') for all tokens with an optional direction also for set statements. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: refactor print function so it can be re-used for ct statementFlorian Westphal2017-02-281-4/+9
| | | | | | | | | Once directional zone support is added we also need to print the direction of the statement, so factor the common code to re-use this helper from the statement print function. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add conntrack zone supportFlorian Westphal2017-02-283-4/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This enables zone get/set support. As the zone can be optionally tied to a direction as well we need a new token for this (unless we turn reply/original into tokens in which case we could handle zone via STRING). There was some discussion on how zone set support should be handled, especially 'zone set 1'. There are several issues to consider: 1. its not possible to change a zone 'later on', any given conntrack flow has exactly one zone for its entire lifetime. 2. to create conntracks in a given zone, the zone therefore has to be assigned *before* the packet gets picked up by conntrack (so that lookup finds the correct existing flow or the flow is created with the desired zone id). In iptables, this is enforced because zones are assigned with CT target and this is restricted to the 'raw' table in iptables, which runs after defragmentation but before connection tracking. 3. Thus, in nftables the 'ct zone set' rule needs to hook before conntrack too, e.g. via table raw { chain pre { type filter hook prerouting priority -300; iif eth3 ct zone set 23 } chain out { type filter hook output priority -300; oif eth3 ct zone set 23 } } ... but this is not enforced. There were two alternatives to better document this. One was to use an explicit 'template' keyword: nft ... template zone set 23 ... but 'connection tracking templates' are a kernel detail that users should not and need not know about. The other one was to use the meta keyword instead since we're (from a practical point of view) assigning the zone to the packet, not the conntrack: nft ... meta zone set 23 However, next patch also supports 'directional' zones, and nft ... meta original zone 23 makes no sense because 'direction' refers to a direction as understood by the connection tracker. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: store byteorder for set dataPablo Neira Ayuso2017-02-283-2/+20
| | | | | | | | | Add new UDATA_SET_DATABYTEORDER attribute for NFTA_SET_UDATA to store the datatype byteorder. This is required if integer_type is used on the rhs of the mapping given that this datatype comes with no specific byteorder. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: rework NFTNL_SET_USERDATA to accomodate new attributesPablo Neira Ayuso2017-02-281-32/+18
| | | | | | | Rework the NFTNL_SET_USERDATA in netlink_delinearize_set() to accomodate rhs datatype byteorder in mappings. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename set_keytype_alloc() to set_datatype_alloc()Pablo Neira Ayuso2017-02-284-6/+6
| | | | | | | This function can be used either side of the map, so rename it to something generic. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: set byteorder as lhs expression context in stmt_evaluate_arg()Pablo Neira Ayuso2017-02-281-9/+15
| | | | | | | stmt_evaluate_arg() needs to take the lhs map expression byteorder in order to evaluate the lhs of mappings accordingly. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: add DTYPE_F_CLONE flagPablo Neira Ayuso2017-02-251-2/+3
| | | | | | | | | | | | | | This flag allows us to identify datatypes that are instances from original datatypes. This fixes a possible double free when attaching a concatenation datatype to set->keytype while being also referenced from concatenation expressions. ip6/flowtable.t: ERROR: line 5: src/nft add rule --debug=netlink ip6 test-ip6 input flow table acct_out { meta iif . ip6 saddr timeout 600s counter }: This rule should not have failed. *** Error in `src/nft': double free or corruption (fasttop): 0x000000000117ce70 *** Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: remove integer_type_postprocess()Pablo Neira Ayuso2017-02-251-29/+0
| | | | | | | | | | Not required anymore since the set definition now comes with the right byteorder for integer types via NFTA_SET_USERDATA area. So we don't need to look at the lhs anymore. Note that this was a workaround that does not work with named sets, where we cannot assume we have a lhs, since it is valid to have a named set that is not referenced from any rule. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: store set byteorder in NFTA_SET_USERDATAPablo Neira Ayuso2017-02-251-1/+59
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The integer datatype has neither specific byteorder nor length. This results in the following broken output: # nft list ruleset table ip x { chain y { mark set cpu map { 0 : 0x00000001, 16777216 : 0x00000002} } } Currently, with BYTEORDER_INVALID, nft defaults on network byteorder, hence the output above. This patch stores the key byteorder in the userdata using a TLV structure in the NFTA_SET_USERDATA area, so nft can interpret key accordingly when dumping the set back to userspace. Thus, after this patch the listing is correct: # nft list ruleset table ip x { chain y { mark set cpu map { 0 : 0x00000001, 1 : 0x00000002} } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: store byteorder for set keysPablo Neira Ayuso2017-02-253-11/+55
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Selectors that rely on the integer type and expect host endian byteorder don't work properly. We need to keep the byteorder around based on the left hand size expression that provides the context, so store the byteorder when evaluating the map. Before this patch. # nft --debug=netlink add rule x y meta mark set meta cpu map { 0 : 1, 1 : 2 } __map%d x b __map%d x 0 element 00000000 : 00000001 0 [end] element 01000000 : 00000002 0 [end] ^^^^^^^^ This is expressed in network byteorder, because the invalid byteorder defaults on this. After this patch: # nft --debug=netlink add rule x y meta mark set meta cpu map { 0 : 1, 1 : 2 } __map%d x b __map%d x 0 element 00000000 : 00000001 0 [end] element 00000001 : 00000002 0 [end] ^^^^^^^^ This is in host byteorder, as the key selector in the map mandates. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* erec: Fix input descriptors for included filesAnatole Denis2017-02-251-1/+31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently, when creating an error record (erec), the current location in the file is duplicated, but not the input_descriptor inside it. Input descriptors are added and removed by the parser when including files, and memory references in the error record thus become incorrect when a subsequent file is included. This patch copies the input descriptors recursively to ensure each erec has the correct chain of input descriptors at the time of printing. For example: badinclude.nft: ``` include "error.nft" include "empty.nft" ``` a.nft: ``` add rule t c obvious syntax error ``` b.nft: (empty file) Results in the last included file being referenced and quoted for all errors $ nft -f badinclude.nft In file included from badinclude.nft:2:1-20: ./empty.nft:1:34-34: Error: syntax error, unexpected newline ^ Expected behavior: $ nft -f badinclude.nft -I. In file included from badinclude.nft:1:1-20: ./error.nft:1:34-34: Error: syntax error, unexpected newline add rule t c obvious syntax error ^ Signed-off-by: Anatole Denis <anatole@rezel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* payload: automatically kill dependencies for exthdr and tcpoptManuel Messner2017-02-122-1/+15
| | | | | | | | | | | | | | | | | | | This patch automatically removes the dependencies for exthdr and tcpopt. # nft add rule filter input tcp option maxseg kind 3 counter. # nft list table filter input Before: # ip protocol 6 tcp option maxseg kind 3 counter After: # tcp option maxseg kind 3 counter Thus allowing to write tests as follows: # tcp option maxseg kind 3;ok Signed-off-by: Manuel Messner <mm@skelett.io> Signed-off-by: Florian Westphal <fw@strlen.de>
* payload: insert implicit meta tcp dependency when matching tcp optionsFlorian Westphal2017-02-121-1/+15
| | | | | | | | | | | nft add rule inet filter input tcp option sack 4 left 1 <cmdline>:1:28-49: Error: Cannot generate dependency: no network layer protocol specified Users can avoid this via 'meta l4proto tcp', this enables implicit dependency injection for the inet/bridge/netdev families. Reviewed-by: Manuel Messner <mm@skelett.io> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add TCP option matchingManuel Messner2017-02-128-11/+378
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch enables nft to match against TCP options. Currently these TCP options are supported: * End of Option List (eol) * No-Operation (noop) * Maximum Segment Size (maxseg) * Window Scale (window) * SACK Permitted (sack_permitted) * SACK (sack) * Timestamps (timestamp) Syntax: tcp options $option_name [$offset] $field_name Example: # count all incoming packets with a specific maximum segment size `x` # nft add rule filter input tcp option maxseg size x counter # count all incoming packets with a SACK TCP option where the third # (counted from zero) left field is greater `x`. # nft add rule filter input tcp option sack 2 left \> x counter If the offset (the `2` in the example above) is zero, it can optionally be omitted. For all non-SACK TCP options it is always zero, thus can be left out. Option names and field names are parsed from templates, similar to meta and ct options rather than via keywords to prevent adding more keywords than necessary. Signed-off-by: Manuel Messner <mm@skelett.io> Signed-off-by: Florian Westphal <fw@strlen.de>
* exthdr: prepare exthdr_gen_dependency for tcp supportManuel Messner2017-02-122-8/+10
| | | | | | | | | | | | currently exthdr always needs ipv6 dependency (i.e. link layer), but with upcomming TCP option matching we also need to include TCP at the network layer. This patch prepares this change by adding two parameters to exthdr_gen_dependency. Signed-off-by: Manuel Messner <mm@skelett.io> Signed-off-by: Florian Westphal <fw@strlen.de>
* exthdr: prepare for tcp supportManuel Messner2017-02-123-5/+8
| | | | | | | | | | | right now exthdr only deals with ipv6 extension headers, followup patch will enable tcp option matching. This adds the 'op' arg to exthdr_init. Signed-off-by: Manuel Messner <mm@skelett.io> Reviewed-by: Florian Westphal <fw@strlen.de> Signed-off-by: Florian Westphal <fw@strlen.de>
* statement: Avoid rounding bytes in get_rate()Elise Lennion2017-02-121-10/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | get_rate() is used to print quotas and limits and currently rounds the number of bytes: $ nft add quota filter https-quota 4000 kbytes $ nft list ruleset table ip filter { quota https-quota { 3 mbytes } } This may be a problem when loading your configuration after saving it with 'list ruleset'. With this patch the values are represented in a greater unit only when there is no rest in the conversion: $ nft add quota filter https-quota2 2048 kbytes $ nft list ruleset table ip filter { quota https-quota { 4000 kbytes } quota https-quota2 { 2 mbytes } } Signed-off-by: Elise Lennion <elise.lennion@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: Replace getaddrinfo() by internal lookup tableElise Lennion2017-02-061-8/+10
| | | | | | | | | | | | Nftables uses a internal service table to print service names. This table should be used when parsing new rules, to avoid conflicts between nft service table and the local /etc/services, when loading an exported ruleset. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1118 Fixes: ccc5da4 ("datatype: Replace getnameinfo() by internal lookup table") Signed-off-by: Elise Lennion <elise.lennion@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* statement: fix print of ip dnat addressFlorian Westphal2017-02-051-0/+2
| | | | | | | | | | | | the change causes non-ipv6 addresses to not be printed at all in case a nfproto was given. Also add a test case to catch this. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1117 Fixes: 5ab0e10fc6e2c22363a ("src: support for RFC2732 IPv6 address format with brackets") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Always print range expressions numericallyElise Lennion2017-02-052-1/+9
| | | | | | | | | | | Because the rules are more legible this way. Also, the parser doesn't accept strings on ranges, so, printing ranges numerically better match the rules definition. Fixes(Bug 1046 - mobility header with range gives illegible rule). Signed-off-by: Elise Lennion <elise.lennion@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: Validate the number of numeric optionsElise Lennion2017-02-051-1/+6
| | | | | | | | The number of numeric options influences the behavior and the user should be warned if a invalid number is used. Signed-off-by: Elise Lennion <elise.lennion@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: fix typoManuel Messner2017-02-021-1/+1
| | | | | Signed-off-by: Manuel Messner <mm@skelett.io> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: Allow list stateful objects in a tableElise Lennion2017-01-272-2/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently, stateful objects can be listed by: listing all objects in all tables; listing a single object in a table. Now it's allowed to list all objects in a table. $ nft list counters table filter table ip filter { counter https-traffic { packets 14825 bytes 950063 } counter http-traffic { packets 117 bytes 9340 } } $ nft list quotas table filter table ip filter { quota https-quota { 25 mbytes used 2 mbytes } quota http-quota { 25 mbytes used 10 kbytes } } Signed-off-by: Elise Lennion <elise.lennion@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: Evaluate table name before reset stateful objects in a tableElise Lennion2017-01-271-3/+4
| | | | | | | | Reseting stateful objects in a single table is already implemented and cmd_evaluate_reset() now tests for the table name. Signed-off-by: Elise Lennion <elise.lennion@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Allow list single stateful objectElise Lennion2017-01-272-1/+25
| | | | | | | | | | | | | | | | | | | | | | Currently the stateful objects can only be listed in groups. With this patch listing a single object is allowed: $ nft list counter filter https-traffic table ip filter { counter https-traffic { packets 4014 bytes 228948 } } $ nft list quota filter https-quota table ip filter { quota https-quota { 25 mbytes used 278 kbytes } } Signed-off-by: Elise Lennion <elise.lennion@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Allow reset single stateful objectElise Lennion2017-01-275-9/+50
| | | | | | | | | | | | | | | | | | | | | | | | Currently the stateful objects can only be reseted in groups. With this patch reseting a single object is allowed: $ nft reset counter filter https-traffic table ip filter { counter https-traffic { packets 8774 bytes 542668 } } $ nft list counter filter https-traffic table ip filter { counter https-traffic { packets 0 bytes 0 } } Heavily based on work from Pablo Neira Ayuso <pablo@netfilter.org>. Signed-off-by: Elise Lennion <elise.lennion@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* payload: explicit network ctx assignment for icmp/icmp6 in special familiesArturo Borrero Gonzalez2017-01-271-40/+30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In the inet, bridge and netdev families, we can add rules like these: % nft add rule inet t c ip protocol icmp icmp type echo-request % nft add rule inet t c ip6 nexthdr icmpv6 icmpv6 type echo-request However, when we print the ruleset: % nft list ruleset table inet t { chain c { icmpv6 type echo-request icmp type echo-request } } These rules we obtain can't be added again: % nft add rule inet t c icmp type echo-request <cmdline>:1:19-27: Error: conflicting protocols specified: inet-service vs. icmp add rule inet t c icmp type echo-request ^^^^^^^^^ % nft add rule inet t c icmpv6 type echo-request <cmdline>:1:19-29: Error: conflicting protocols specified: inet-service vs. icmpv6 add rule inet t c icmpv6 type echo-request ^^^^^^^^^^^ Since I wouldn't expect an IP packet carrying ICMPv6, or IPv6 packet carrying ICMP, if the link layer is inet, the network layer protocol context can be safely update to 'ip' or 'ip6'. Moreover, nft currently generates a 'meta nfproto ipvX' depedency when using icmp or icmp6 in the inet family, and similar in netdev and bridge families. While at it, a bit of code factorization is introduced. Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1073 Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: check for errors from cache_init_objects() for stateful objectsPablo Neira Ayuso2017-01-231-4/+3
| | | | | | Catch -1 case, so we have a chance to handle EINTR. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: don't bail out on dump errorsPablo Neira Ayuso2017-01-231-15/+5
| | | | | | | | | | | | | | This patch removes the existing error messages on netlink dump errors. These functions used to be called from list commands. These days they are called from the cache cache population path. Note that nft breaks with older kernels at netlink_list_objs() since we have no stateful objects support there. Silence errors at this stage and return an empty list, thus, nft bails out on explicit user commands if no nf_tables support is available. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Honor obligatory stateless printing of flow tablesElise Lennion2017-01-232-2/+7
| | | | | | | | Always print flow statement as stateless expressions, given that this just defines the flow table statement instance that is allocated per entry. Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
* evaluate: fix export length and data corruptionFlorian Westphal2017-01-161-1/+1
| | | | | | | | | | | | | | | | | | | | Pablo reported that ipv6 tests would fail on some systems: WARNING: 'add rule --debug=netlink ip6 test-ip6 input ip6 flowlabel set 0': '[ bitwise reg 1 = (reg=1 & 0x000000f0 ) ^ 0x00000000 ]' mismatches '[ bitwise reg 1 = (reg=1 & 0x00000000 ) ^ 0x00000000 ]' ^ should be 'f' Problem is that mpz_export_data expects the size of the output buffer in bytes, but this gave bit-based size. Then, when mpz_export_data clears the output buffer it will also clear 8 extra bytes on stack; depending on compiler version (stack layout) this will then clear the bitmask value that we want to export. Fixes: 78936d50f306c ("evaluate: add support to set IPv6 non-byte header fields") Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Tested-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Allow to list ruleset without stateful informationElise Lennion2017-01-163-4/+23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently only counter and quota have stateful information. For named counters, packets and bytes are displayed as 0. Standard list ruleset: table ip filter { counter https { packets 161942 bytes 10253353 } chain output { type filter hook output priority 0; policy accept; counter name tcp dport map { https : "https"} tcp dport https counter packets 171211 bytes 10869045 tcp dport https quota 25 mbytes used 10 mbytes } } With stateless option, -s: table ip filter { counter https { packets 0 bytes 0 } chain output { type filter hook output priority 0; policy accept; counter name tcp dport map { https : "https"} tcp dport https counter tcp dport https quota 25 mbytes } } Signed-off-by: Elise Lennion <elise.lennion@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: add average bytes per packet counter supportLiping Zhang2017-01-163-0/+5
| | | | | | | | | | | | | | | | | Similar to connbytes extension in iptables, now you can use it to match average bytes per packet a connection has transferred so far. For example, match avgpkt in "BOTH" diretion: # nft add rule x y ct avgpkt \> 100 Match avgpkt in reply direction: # nft add rule x y ct reply avgpkt \< 900 Or match avgpkt in original direction: # nft add rule x y ct original avgpkt \> 200 Signed-off-by: Liping Zhang <zlpnobody@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: add missing backslash to list of CFLAGSTobias Klauser2017-01-161-1/+1
| | | | | | | | | Due to a missing backslash in the AM_CFLAGS list some warning flags do not get added to the generated default CLFAGS. Add the missing backslash to include them as well. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: sort set elements in netlink_get_setelems()Elise Lennion2017-01-103-0/+105
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | So users can better track their ruleset via git. Without sorting, the elements can be listed in a different order every time the set is created, generating unnecessary git changes. Mergesort is used. Doesn't sort sets with 'flags interval' set on. Pablo appends to this changelog description: Currently these interval set elements are dumped in order. We'll likely get new representations soon that may not guarantee this anymore, so let's revisit this later in case we need it. Without this patch, nft list ruleset with a set containing 40000 elements takes on my laptop: real 0m2.742s user 0m0.112s sys 0m0.280s With this patch: real 0m2.846s user 0m0.180s sys 0m0.284s Difference is small, so don't get nft more complicated with yet another getopt() option, enable this by default. Signed-off-by: Elise Lennion <elise.lennion@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mnl: use nftnl_nlmsg_build_hdr()Pablo Neira Ayuso2017-01-101-106/+103
| | | | | | | | Instead of nftnl_.*_nlmsg_build_hdr() since they rely on this generic function. This also helps us clean up source code indentation around this function call. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: remove obsolete tokensFlorian Westphal2017-01-081-6/+0
| | | | | | removed in c992153402c78d91e8be ("ct: allow resolving ct keys at run time"). Signed-off-by: Florian Westphal <fw@strlen.de>
* datatype: printf format warnings on 32-bit buildDuncan Roe2017-01-031-1/+1
| | | | | | | | This is %lu with uint64_t again. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1109 Signed-off-by: Duncan Roe <duncan_roe@acslink.net.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: fix search_in_include_path testAnatole Denis2017-01-031-2/+2
| | | | | | | | | | | clang emits a warning in this function as we're using a boolean as the third argument to strncmp. Indeed, this function only checks the first byte of the path as is, so files beginning with . will be incorrectly included from the current working directory instead of the include directory. Fixes: f92a1a5c4a87 ("scanner: honor absolute and relative paths via include file") Signed-off-by: Anatole Denis <anatole@rezel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for stateful object monitoringPablo Neira Ayuso2017-01-032-0/+159
| | | | | | | This patch extends the event monitoring infrastructure to catch events of addition and removal of stateful objects. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for stateful object mapsPablo Neira Ayuso2017-01-036-14/+180
| | | | | | | | | | | | | | | | | | | | | | | | | | | | You can create these maps using explicit map declarations: # nft add table filter # nft add chain filter input { type filter hook input priority 0\; } # nft add map filter badguys { type ipv4_addr : counter \; } # nft add rule filter input counter name ip saddr map @badguys # nft add counter filter badguy1 # nft add counter filter badguy2 # nft add element filter badguys { 192.168.2.3 : "badguy1" } # nft add element filter badguys { 192.168.2.4 : "badguy2" } Or through implicit map definitions: table ip filter { counter http-traffic { packets 8 bytes 672 } chain input { type filter hook input priority 0; policy accept; counter name tcp dport map { 80 : "http-traffic", 443 : "http-traffic"} } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add stateful object reference expressionPablo Neira Ayuso2017-01-036-0/+112
| | | | | | | | | This patch adds a new objref statement to refer to existing stateful objects from rules, eg. # nft add rule filter input counter name test counter Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: allow RESET token from rhsPablo Neira Ayuso2017-01-031-8/+8
| | | | | | | | | | Stateful objects have introduced a RESET token in the parser. This breaks the use of RESET from the rhs, to fix this: 1) I added a new rule to catch this case, thus, dccp doesn't break. 2) Update reject_opts so reject with tcp reset still works. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: reset internal stateful objectsPablo Neira Ayuso2017-01-036-11/+96
| | | | | | | | | | | | | | | | | | | | | This patch allows you to atomically dump and reset stateful objects, eg. # nft list counters table ip filter { counter test { packets 1024 bytes 100000 } } # nft reset quotas table filter counter test { packets 1024 bytes 100000 } # nft reset quotas table filter counter test { packets 0 bytes 0 } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add/create/delete stateful objectsPablo Neira Ayuso2017-01-035-2/+310
| | | | | | | | | | | | | | | | This patch allows you to add and to delete objects, eg. # nft add quota filter test 1234567 bytes # nft list quotas table ip filter { quota test { 1234567 bytes } } # nft delete quota filter test Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: listing of stateful objectsPablo Neira Ayuso2017-01-037-3/+300
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch allows you to dump existing stateful objects, eg. # nft list ruleset table ip filter { counter test { packets 64 bytes 1268 } quota test { over 1 mbytes used 1268 bytes } chain input { type filter hook input priority 0; policy accept; quota name test drop counter name test } } # nft list quotas table ip filter { quota test { over 1 mbytes used 1268 bytes } } # nft list counters table ip filter { counter test { packets 64 bytes 1268 } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add used quota supportPablo Neira Ayuso2017-01-035-3/+29
| | | | | | | | | | | | | table ip x { chain y { type filter hook forward priority 0; policy accept; quota over 200 mbytes used 1143 kbytes drop } } This patch allows us to list and to restore used quota. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove SET_F_* flag definitionsPablo Neira Ayuso2017-01-036-44/+44
| | | | | | | They map exactly one to one to we have in the kernel headers, so use kernel definitions instead. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: allocate memory for arrays on heapOleksandr Natalenko2017-01-031-1/+10
| | | | | | | | | Huge sets may cause stack to be exhausted. So, put allocate memory for arrays in interval_map_decompose() function on heap. Signed-off-by: Oleksandr Natalenko <oleksandr@natalenko.name> Signed-off-by: Florian Westphal <fw@strlen.de>