| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
evaluation step currently prohibits
tproxy ip to 1.2.3.4 in ip family, and
tproxy ip6 to dead::1 in ip6.
This seems an arbitrary limitation, just accept this.
The current restriction would make json output support harder than needed,
as the tproxy expression generated from json path would have to
special-case the table its currently in, rather than just using the
family attribute in the json output.
We obviously still reject the family in case it mismatches
the table family (e.g., can't use ip address in ip6 table).
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 9e45a28ca467f ("src: honor /etc/services") broke compiling with
JSON support enabled: inet_service_type_print() is not suited for
converting inet_service datatype into JSON at all.
In order to avoid having to replicate the port value resolving into
human-readable name in inet_service_type_json(), just return a numeric
value. At least for JSON output, this probably makes most sense either
way since the output is expected to be parsed by scripts which have an
easier time with numers than names anyway.
Fixes: 9e45a28ca467f ("src: honor /etc/services")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This partial patch reverts:
ccc5da470e76 ("datatype: Replace getnameinfo() by internal lookup table")
f0f99006d34b ("datatype: Replace getaddrinfo() by internal lookup table")
so /etc/services is used to interpret service names, eg.
# nft add rule x y tcp dport \"ssh\"
Then, listing looks like:
# nft list ruleset -l
table x {
chain y {
...
tcp dport "ssh"
}
}
Major changes with regards to the original approach are:
1) Services are displayed in text via `-l' option.
2) Services are user-defined, just like mappings in /etc/iproute2/*
files and connlabel.conf, so they are displayed enclosed in quotes.
Note that original service name code was broken since it parses both udp
and tcp service names but it only displays tcp services names as
literal. This is because NI_DGRAM is missing. This patch makes nft falls
back on udp services if no literal was found in the initial tcp service
name query. Proper way to handle would be to add infrastructure to store
protocol context information in struct output_ctx.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
So far if invalid priority name was specified the error message referred
to the whole chain/flowtable specification:
nft> add chain ip x h { type filter hook prerouting priority first; }
Error: 'first' is invalid priority in this context.
add chain ip x h { type filter hook prerouting priority first; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
With this patch this reference is made specific to the priority
specification:
nft> add chain ip x h { type filter hook prerouting priority first; }
Error: 'first' is invalid priority in this context.
add chain ip x h { type filter hook prerouting priority first; }
^^^^^^^^^^^^^^
`prio_spec` is also reused to keep naming intuitive. The parser section
formerly named `prio_spec` is renamed to `int_num` as it basically
provides the mathematical set of integer numbers.
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following example shows how to populate a set from the packet path
using the destination IP address, for each entry there is a counter. The
entry expires after the 1 hour timeout if no packets matching this entry
are seen.
table ip x {
set xyz {
type ipv4_addr
size 65535
flags dynamic,timeout
timeout 1h
}
chain y {
type filter hook output priority filter; policy accept;
update @xyz { ip daddr counter } counter
}
}
Similar example, that creates a mapping better IP address and mark,
where the mark is assigned using an incremental sequence generator from
0 to 1 inclusive.
table ip x {
map xyz {
type ipv4_addr : mark
size 65535
flags dynamic,timeout
timeout 1h
}
chain y {
type filter hook input priority filter; policy accept;
update @xyz { ip saddr counter : numgen inc mod 2 }
}
}
Supported stateful statements are: limit, quota, counter and connlimit.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Instead of using the map expression, store dynamic key and data
separately since they need special handling than constant maps.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Ruleset listing with --stateless should not display the content of
sets that are dynamically populated from the packet path.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
chain y {
type filter hook output priority filter; policy accept;
update @xyz{ ip daddr }
^^
Missing space between set reference and the element statement. This does
not break restoring the ruleset but it is inconsistent to the viewer.
There is also an extra space after the element statement that is
enclosed in brackets.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Import iptables/utils/nfnl_osf.c into nftables tree with some changes in order
to load OS fingerprints automatically from pf.os file.
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
As we are going to use the function nft_mnl_talk() from the incoming
nftnl_osf.c, we make it public.
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit c8a0e8c90 added #include <linux/netfilter_bridge.h> but that header needs
the definition of IFNAMSIZ from <net/if.h>
Sample build failure:
CC evaluate.lo
In file included from ../include/linux/netfilter_bridge.h:10:0,
from rule.c:32:
/usr/include/linux/if_pppox.h:42:20: error: 'IFNAMSIZ' undeclared here (not in a function)
char dev[IFNAMSIZ]; /* Local device to use */
^
Makefile:687: recipe for target 'rule.lo' failed
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 3e6ab2b335142 added restraints on reject types for bridge and
inet families but aparently those were too strict: If a rule in e.g.
inet family contained a match which introduced a protocol dependency,
icmpx type rejects were disallowed for no obvious reason.
Allow icmpx type rejects in inet family regardless of protocol
dependency since we either have IPv4 or IPv6 traffic in there and for
both icmpx is fine.
Merge restraints in bridge family with those for TCP reset since it
already does what is needed, namely checking that ether proto is either
IPv4 or IPv6.
Fixes: 3e6ab2b335142 ("evaluate: reject: check in bridge and inet the network context in reject")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the possibility to use textual names to set the chain priority
to standard values so that numeric values do not need to be learnt any more for
basic usage.
Basic arithmetic can also be done with them to ease the addition of
relatively higher/lower priority chains.
Addition and substraction is possible.
Values are also printed with their friendly name within the range of
<basicprio> +- 10.
Also numeric printing is supported in case of -nnn option
(numeric == NFT_NUMERIC_ALL)
The supported name-value pairs and where they are valid is based on how
x_tables use these values when registering their base chains. (See
iptables/nft.c in the iptables repository).
Also see the compatibility matrices extracted from the man page:
Standard priority names, family and hook compatibility matrix
┌─────────┬───────┬────────────────┬─────────────┐
│Name │ Value │ Families │ Hooks │
├─────────┼───────┼────────────────┼─────────────┤
│ │ │ │ │
│raw │ -300 │ ip, ip6, inet │ all │
├─────────┼───────┼────────────────┼─────────────┤
│ │ │ │ │
│mangle │ -150 │ ip, ip6, inet │ all │
├─────────┼───────┼────────────────┼─────────────┤
│ │ │ │ │
│dstnat │ -100 │ ip, ip6, inet │ prerouting │
├─────────┼───────┼────────────────┼─────────────┤
│ │ │ │ │
│filter │ 0 │ ip, ip6, inet, │ all │
│ │ │ arp, netdev │ │
├─────────┼───────┼────────────────┼─────────────┤
│ │ │ │ │
│security │ 50 │ ip, ip6, inet │ all │
├─────────┼───────┼────────────────┼─────────────┤
│ │ │ │ │
│srcnat │ 100 │ ip, ip6, inet │ postrouting │
└─────────┴───────┴────────────────┴─────────────┘
Standard priority names and hook compatibility for the bridge family
┌───────┬───────┬─────────────┐
│ │ │ │
│Name │ Value │ Hooks │
├───────┼───────┼─────────────┤
│ │ │ │
│dstnat │ -300 │ prerouting │
├───────┼───────┼─────────────┤
│ │ │ │
│filter │ -200 │ all │
├───────┼───────┼─────────────┤
│ │ │ │
│out │ 100 │ output │
├───────┼───────┼─────────────┤
│ │ │ │
│srcnat │ 300 │ postrouting │
└───────┴───────┴─────────────┘
This can be also applied for flowtables wher it works as a netdev family
chain.
Example:
nft> add table ip x
nft> add chain ip x y { type filter hook prerouting priority raw; }
nft> add chain ip x z { type filter hook prerouting priority mangle + 1; }
nft> add chain ip x w { type filter hook prerouting priority dstnat - 5; }
nft> add chain ip x r { type filter hook prerouting priority filter + 10; }
nft> add chain ip x t { type filter hook prerouting priority security; }
nft> add chain ip x q { type filter hook postrouting priority srcnat + 11; }
nft> add chain ip x h { type filter hook prerouting priority 15; }
nft>
nft> add flowtable ip x y { hook ingress priority filter + 5 ; devices = {enp0s31f6}; }
nft>
nft> add table arp x
nft> add chain arp x y { type filter hook input priority filter + 5; }
nft>
nft> add table bridge x
nft> add chain bridge x y { type filter hook input priority filter + 9; }
nft> add chain bridge x z { type filter hook prerouting priority dstnat; }
nft> add chain bridge x q { type filter hook postrouting priority srcnat; }
nft> add chain bridge x k { type filter hook output priority out; }
nft>
nft> list ruleset
table ip x {
flowtable y {
hook ingress priority filter + 5
devices = { enp0s31f6 }
}
chain y {
type filter hook prerouting priority raw; policy accept;
}
chain z {
type filter hook prerouting priority mangle + 1; policy accept;
}
chain w {
type filter hook prerouting priority dstnat - 5; policy accept;
}
chain r {
type filter hook prerouting priority filter + 10; policy accept;
}
chain t {
type filter hook prerouting priority security; policy accept;
}
chain q {
type filter hook postrouting priority 111; policy accept;
}
chain h {
type filter hook prerouting priority 15; policy accept;
}
}
table arp x {
chain y {
type filter hook input priority filter + 5; policy accept;
}
}
table bridge x {
chain y {
type filter hook input priority filter + 9; policy accept;
}
chain z {
type filter hook prerouting priority dstnat; policy accept;
}
chain q {
type filter hook postrouting priority srcnat; policy accept;
}
chain k {
type filter hook output priority out; policy accept;
}
}
nft> # Everything should fail after this
nft> add chain ip x h { type filter hook prerouting priority first; }
Error: 'first' is invalid priority in this context.
add chain ip x h { type filter hook prerouting priority first; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
nft> add chain ip x q { type filter hook prerouting priority srcnat + 11; }
Error: 'srcnat' is invalid priority in this context.
add chain ip x q { type filter hook prerouting priority srcnat + 11; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
nft> add chain arp x y { type filter hook input priority raw; }
Error: 'raw' is invalid priority in this context.
add chain arp x y { type filter hook input priority raw; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
nft> add flowtable ip x y { hook ingress priority magle; devices = {enp0s31f6}; }
Error: 'magle' is invalid priority.
add flowtable ip x y { hook ingress priority magle; devices = {enp0s31f6}; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
nft> add chain bridge x r { type filter hook postrouting priority dstnat; }
Error: 'dstnat' is invalid priority in this context.
add chain bridge x r { type filter hook postrouting priority dstnat; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
nft> add chain bridge x t { type filter hook prerouting priority srcnat; }
Error: 'srcnat' is invalid priority in this context.
add chain bridge x t { type filter hook prerouting priority srcnat; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
So the following rule to set the conntrack mark based on the OS passive
recognition works:
# nft add rule x y ct mark set osf name map { "Windows" : 1, "MacOs" : 2 }
Fixes: 9f28b685b473 ("src: introduce passive OS fingerprint matching")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
As no "genre" in pf.os exceed 16 bytes of length, we reduce
NFT_OSF_MAXGENRELEN parameter to 16 bytes and use it instead of IFNAMSIZ.
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for "osf" expression. Example:
table ip foo {
chain bar {
type filter hook input priority 0; policy accept;
osf name "Linux" counter packets 3 bytes 132
}
}
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This can be used like ct mark or meta mark except it cannot be set. doc
and tests are included.
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support for transparent proxy functionality which is
supported in ip, ip6 and inet tables.
The syntax is the following:
tproxy [{|ip|ip6}] to {<ip address>|:<port>|<ip address>:<port>}
It looks for a socket listening on the specified address or port and
assigns it to the matching packet.
In an inet table, a packet matches for both families until address is
specified.
Network protocol family has to be specified **only** in inet tables if
address is specified.
As transparent proxy support is implemented for sockets with layer 4
information, a transport protocol header criterion has to be set in the
same rule. eg. 'meta l4proto tcp' or 'udp dport 4444'
Example ruleset:
table ip x {
chain y {
type filter hook prerouting priority -150; policy accept;
tcp dport ntp tproxy to 1.1.1.1
udp dport ssh tproxy to :2222
}
}
table ip6 x {
chain y {
type filter hook prerouting priority -150; policy accept;
tcp dport ntp tproxy to [dead::beef]
udp dport ssh tproxy to :2222
}
}
table inet x {
chain y {
type filter hook prerouting priority -150; policy accept;
tcp dport 321 tproxy to :ssh
tcp dport 99 tproxy ip to 1.1.1.1:999
udp dport 155 tproxy ip6 to [dead::beef]:smux
}
}
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
got following bug report:
nft add ... ct mark set mark and 0x10
... always sets 0.
What reporter meant to write instead was 'ct mark', not 'mark'.
We can't just remove support for 'mark' and force
'meta mark', but we can start to discourage it by printing meta prefix too.
Later on, we could start to print deprecation warning if needed.
Followup patch can also change
"iifname" etc. to "meta iifname".
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For e.g.
% nft list ct helper ip raw cthelp1
table ip filter {
}
table ip raw {
ct helper cthelp1 {
type "ftp" protocol tcp
l3proto ip
}
}
With this patch, print only table raw.
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
These are not really expressions, so there is not value in place. The
expr_evaluate_concat() is called from set_evaluate() to calculate the
total length of the tuple.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1265
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Default not to print the service name as we discussed during the NFWS.
# nft list ruleset
table ip x {
chain y {
tcp dport 22
ip saddr 1.1.1.1
}
}
# nft -l list ruleset
table ip x {
chain y {
tcp dport ssh
ip saddr 1.1.1.1
}
}
# nft -ll list ruleset
table ip x {
chain y {
tcp dport 22
ip saddr 1dot1dot1dot1.cloudflare-dns.com
}
}
Then, -ll displays FQDN. just like the (now deprecated) --ip2name (-N)
option.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
limit http-traffic { rate 1/second } gets printed as
limit http-traffic { rate 1/second burst 5 packets }
caused tests/shell/run-tests.sh tests/shell/testcases/sets/0026named_limit_0
to return 'DUMP FAIL'.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The original intent was to fix a bug: The following rule in inet table:
| meta nfproto ipv4 icmpv6 type echo-reply
Was added correctly but when printing the meta match was falsely
removed. The fix is to deny dependency killing if RHS family of nfproto
match doesn't match RHS family of l4proto match. Adding this to the
already large conditional led to even more unreadable code, therefore
this patch tries to clean that up (and also removes the partial code
duplication.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
policy type is erronously handled via verdict, this is wrong.
It is a different event type and needs to be handled as such.
before:
trace id 42b54e71 inet filter input packet: iif "lo" ip saddr 127.0.0.1 ..
trace id 42b54e71 inet filter input rule ip protocol icmp nftrace set 1 (verdict continue)
trace id 42b54e71 inet filter input verdict continue
trace id 42b54e71 inet filter input
after:
trace id 9f40c5c7 inet filter input packet: iif "lo" ip saddr 127.0.0.1 ..
trace id 9f40c5c7 inet filter input rule ip protocol icmp nftrace set 1 (verdict continue)
trace id 9f40c5c7 inet filter input verdict continue
trace id 9f40c5c7 inet filter input policy drop
Reported-by: vtol@gmx.net
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
Analogous to libnftnl's build system, define libnftables interface
version in a variable in Make_global.am.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 2f86dd5a43baf ("erec: Review erec_print()") changed erec_print()
function to expect tabs in input by replacing the whitespace character
in the marker line at the same offset with a tab character so that the
marker aligns with the offending part of input.
The need for that came from JSON input not having its tabs converted to
spaces, which erec_print() didn't expect.
Above change though has a shortcoming: When reading standard syntax
input from a file, Flex code converts tabs into spaces. Location
information is taken from this converted input, but when printing an
error message, the offending input line is read from the input file
directly (which still contains tabs).
The solution is to simply drop said tab conversion from scanner.l.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With libnftables documentation being upstream and one confirmed external
user (nftlb), time to break the API!
First of all, the command buffer passed to nft_run_cmd_from_buffer may
(and should) be const. One should consider it a bug if that function
ever changed it's content.
On the other hand, there is no point in passing the buffer's length as
separate argument: NULL bytes are not expected to occur in the input, so
it is safe to rely upon strlen(). Also, the actual parsers don't require
a buffer length passed to them, either. The only use-case for it is when
reallocating the buffer to append a final newline character, there
strlen() is perfectly sufficient.
Suggested-by: Harald Welte <laforge@gnumonks.org>
Cc: Laura Garcia Liebana <nevola@gmail.com>
Cc: Eric Leblond <eric@regit.org>
Cc: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The output and error buffer feature depends on cookie->orig_fp to
indicate the current status of buffering: If it is set, a prior call to
init_cookie() is assumed. Though exit_cookie() missed to reset that
pointer to NULL. causing weird behaviour in applications if they do:
| nft = nft_ctx_new(0);
| nft_ctx_buffer_output(nft);
| nft_ctx_unbuffer_output(nft);
| nft_ctx_buffer_output(nft);
While being at it, apply the same fix to error path in init_cookie() as
well.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
We need to signal the kernel to use a set backend that supports dynamic
updates.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
using fwd statement causes crash when using nft trace:
trace id ddbbaae2 netdev vpn ingress_out packet: iif "enp2s0" ether saddr 78:54:00:29:bb:aa ether daddr 52:54:00:01:53:9f ip saddr 85.14.236.41 ip daddr 17.25.63.98 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 49036 ip length 84 icmp type echo-reply icmp code 0 icmp id 16947 icmp sequence 4
trace id ddbbaae2 netdev vpn ingress_out rule ip saddr 85.14.236.41 nftrace set 1 (verdict continue)
trace id ddbbaae2 netdev vpn ingress_out rule ip saddr 85.14.236.41 ether saddr set aa:bb:00:18:cc:dd ether daddr set 00:00:5e:00:00:11 fwd to "enp1s0"
BUG: invalid verdict value 2
nft: datatype.c:282: verdict_type_print: Assertion `0' failed.
ADd stolen verdict (2) and remove the BUG statement.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1261
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
JSON equivalent of fwd statement was too primitive to support the added
address and family parameters, so make its value an object and accept
the device expression as value of a "dev" property in there. Then add
optional "addr" and "family" properties to it.
While being at it, add a testcase to make sure the extended syntax works
right.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Analogous to commit 3dddef928d80d ("statement: don't print burst if
equals 5"), don't print the default burst value.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This way JSON format is more consistent with the standard one.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The error message is still shown, but try to make sense of further
expressions (if any).
I tried to replace the expression by a textual representation.
Two variants I tested are:
1. append as comment:
ip saddr 127.0.0.2 drop comment "unknown expression 'foo'"
This allows nft -f, but it adds/alters a comment.
2. substitute in-place (i.e., add a constant expression
with the error message instead of 'unkown' message:
unknown expression "foo" ip saddr 127.0.0.2 drop
This won't allow 'nft -f' however.
I'm not sure this is a problem, in any case we lose information
if we can't find an expression (e.g. added by newer version).
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
If 'flush ruleset' command is done, release the cache but still keep the
generation ID around. Hence, follow up calls to cache_update() will
assume that cache is updated and will not perform a netlink dump.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For now it can only match sockets with IP(V6)_TRANSPARENT socket option
set. Example:
table inet sockin {
chain sockchain {
type filter hook prerouting priority -150; policy accept;
socket transparent 1 mark set 0x00000001 nftrace set 1 counter packets 9 bytes 504 accept
}
}
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Allow to forward packets through to explicit destination and interface.
nft add rule netdev x y fwd ip to 192.168.2.200 device eth0
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support for the new connlimit stateful expression, that
provides a mapping with the connlimit iptables extension through meters.
eg.
nft add rule filter input tcp dport 22 \
meter test { ip saddr ct count over 2 } counter reject
This limits the maximum amount incoming of SSH connections per source
address up to 2 simultaneous connections.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Although the value of AF_INET and NFPROTO_IPV4 is the same, the use of
AF_INET was misleading when checking the proto family.
Same with AF_INET6.
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, this triggered a program abort:
| # nft add table ip t
| # nft add set ip t my_set '{ type ipv4_addr . inet_service ; flags interval ; }'
| # nft add element ip t my_set '{10.0.0.1 . tcp }'
| BUG: invalid range expression type concat
| nft: expression.c:1085: range_expr_value_low: Assertion `0' failed.
With this patch in place, the 'add set' command above gives an error
message:
| # nft add set ip t my_set3 '{ type ipv4_addr . inet_service ; flags interval ; }'
| Error: concatenated types not supported in interval sets
| add set ip t my_set3 { type ipv4_addr . inet_service ; flags interval ; }
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
This is implemented via a pseudo log level. The kernel ignores any other
parameter, so reject those at evaluation stage. Audit logging is
therefore simply a matter of:
| log level audit
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
When parsing large (uint64_t) values, capital 'I' has to be used in
format string. While being at it, make sure JSON output code handles
those variables correctly, too.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This was completely broken. Yet another indicator the JSON API part of
testsuite is insufficient.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
