summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* src: tproxy: add json supportFlorian Westphal2018-08-293-0/+70
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* src: tproxy: relax family restrictionsFlorian Westphal2018-08-291-17/+13
| | | | | | | | | | | | | | | | | | evaluation step currently prohibits tproxy ip to 1.2.3.4 in ip family, and tproxy ip6 to dead::1 in ip6. This seems an arbitrary limitation, just accept this. The current restriction would make json output support harder than needed, as the tproxy expression generated from json path would have to special-case the table its currently in, rather than just using the family attribute in the json output. We obviously still reject the family in case it mismatches the table family (e.g., can't use ip address in ip6 table). Signed-off-by: Florian Westphal <fw@strlen.de>
* src: osf: add json supportFlorian Westphal2018-08-293-1/+23
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* parser: avoid nf_key_proto redefinitionsFlorian Westphal2018-08-291-14/+4
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* json: Fix compile errorPhil Sutter2018-08-291-4/+1
| | | | | | | | | | | | | | | | Commit 9e45a28ca467f ("src: honor /etc/services") broke compiling with JSON support enabled: inet_service_type_print() is not suited for converting inet_service datatype into JSON at all. In order to avoid having to replicate the port value resolving into human-readable name in inet_service_type_json(), just return a numeric value. At least for JSON output, this probably makes most sense either way since the output is expected to be parsed by scripts which have an easier time with numers than names anyway. Fixes: 9e45a28ca467f ("src: honor /etc/services") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: honor /etc/servicesPablo Neira Ayuso2018-08-244-360/+43
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This partial patch reverts: ccc5da470e76 ("datatype: Replace getnameinfo() by internal lookup table") f0f99006d34b ("datatype: Replace getaddrinfo() by internal lookup table") so /etc/services is used to interpret service names, eg. # nft add rule x y tcp dport \"ssh\" Then, listing looks like: # nft list ruleset -l table x { chain y { ... tcp dport "ssh" } } Major changes with regards to the original approach are: 1) Services are displayed in text via `-l' option. 2) Services are user-defined, just like mappings in /etc/iproute2/* files and connlabel.conf, so they are displayed enclosed in quotes. Note that original service name code was broken since it parses both udp and tcp service names but it only displays tcp services names as literal. This is because NI_DGRAM is missing. This patch makes nft falls back on udp services if no literal was found in the initial tcp service name query. Proper way to handle would be to add infrastructure to store protocol context information in struct output_ctx. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Make invalid chain priority error more specificMáté Eckl2018-08-242-13/+21
| | | | | | | | | | | | | | | | | | | | | | | | | So far if invalid priority name was specified the error message referred to the whole chain/flowtable specification: nft> add chain ip x h { type filter hook prerouting priority first; } Error: 'first' is invalid priority in this context. add chain ip x h { type filter hook prerouting priority first; } ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ With this patch this reference is made specific to the priority specification: nft> add chain ip x h { type filter hook prerouting priority first; } Error: 'first' is invalid priority in this context. add chain ip x h { type filter hook prerouting priority first; } ^^^^^^^^^^^^^^ `prio_spec` is also reused to keep naming intuitive. The parser section formerly named `prio_spec` is renamed to `int_num` as it basically provides the mathematical set of integer numbers. Signed-off-by: Máté Eckl <ecklm94@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: integrate stateful expressions into sets and mapsPablo Neira Ayuso2018-08-247-24/+82
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The following example shows how to populate a set from the packet path using the destination IP address, for each entry there is a counter. The entry expires after the 1 hour timeout if no packets matching this entry are seen. table ip x { set xyz { type ipv4_addr size 65535 flags dynamic,timeout timeout 1h } chain y { type filter hook output priority filter; policy accept; update @xyz { ip daddr counter } counter } } Similar example, that creates a mapping better IP address and mark, where the mark is assigned using an incremental sequence generator from 0 to 1 inclusive. table ip x { map xyz { type ipv4_addr : mark size 65535 flags dynamic,timeout timeout 1h } chain y { type filter hook input priority filter; policy accept; update @xyz { ip saddr counter : numgen inc mod 2 } } } Supported stateful statements are: limit, quota, counter and connlimit. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: simplify map statementPablo Neira Ayuso2018-08-245-16/+47
| | | | | | | Instead of using the map expression, store dynamic key and data separately since they need special handling than constant maps. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: do not print elements in dynamically populated sets with `-s'Pablo Neira Ayuso2018-08-241-0/+5
| | | | | | | Ruleset listing with --stateless should not display the content of sets that are dynamically populated from the packet path. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* statement: incorrect spacing in set referencePablo Neira Ayuso2018-08-241-3/+3
| | | | | | | | | | | | | | | chain y { type filter hook output priority filter; policy accept; update @xyz{ ip daddr } ^^ Missing space between set reference and the element statement. This does not break restoring the ruleset but it is inconsistent to the viewer. There is also an extra space after the element statement that is enclosed in brackets. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: osf: import nfnl_osf.c to load osf fingerprintsFernando Fernandez Mancera2018-08-244-1/+404
| | | | | | | | Import iptables/utils/nfnl_osf.c into nftables tree with some changes in order to load OS fingerprints automatically from pf.os file. Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: mnl: make nft_mnl_talk() publicFernando Fernandez Mancera2018-08-231-1/+1
| | | | | | | | As we are going to use the function nft_mnl_talk() from the incoming nftnl_osf.c, we make it public. Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: Fix build failure in rule.cDuncan Roe2018-08-201-0/+1
| | | | | | | | | | | | | | | | | Commit c8a0e8c90 added #include <linux/netfilter_bridge.h> but that header needs the definition of IFNAMSIZ from <net/if.h> Sample build failure: CC evaluate.lo In file included from ../include/linux/netfilter_bridge.h:10:0, from rule.c:32: /usr/include/linux/if_pppox.h:42:20: error: 'IFNAMSIZ' undeclared here (not in a function) char dev[IFNAMSIZ]; /* Local device to use */ ^ Makefile:687: recipe for target 'rule.lo' failed Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: reject: Allow icmpx in inet/bridge familiesPhil Sutter2018-08-141-6/+1
| | | | | | | | | | | | | | | | | | | Commit 3e6ab2b335142 added restraints on reject types for bridge and inet families but aparently those were too strict: If a rule in e.g. inet family contained a match which introduced a protocol dependency, icmpx type rejects were disallowed for no obvious reason. Allow icmpx type rejects in inet family regardless of protocol dependency since we either have IPv4 or IPv6 traffic in there and for both icmpx is fine. Merge restraints in bridge family with those for TCP reset since it already does what is needed, namely checking that ether proto is either IPv4 or IPv6. Fixes: 3e6ab2b335142 ("evaluate: reject: check in bridge and inet the network context in reject") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Set/print standard chain prios with textual namesMáté Eckl2018-08-147-15/+242
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the possibility to use textual names to set the chain priority to standard values so that numeric values do not need to be learnt any more for basic usage. Basic arithmetic can also be done with them to ease the addition of relatively higher/lower priority chains. Addition and substraction is possible. Values are also printed with their friendly name within the range of <basicprio> +- 10. Also numeric printing is supported in case of -nnn option (numeric == NFT_NUMERIC_ALL) The supported name-value pairs and where they are valid is based on how x_tables use these values when registering their base chains. (See iptables/nft.c in the iptables repository). Also see the compatibility matrices extracted from the man page: Standard priority names, family and hook compatibility matrix ┌─────────┬───────┬────────────────┬─────────────┐ │Name │ Value │ Families │ Hooks │ ├─────────┼───────┼────────────────┼─────────────┤ │ │ │ │ │ │raw │ -300 │ ip, ip6, inet │ all │ ├─────────┼───────┼────────────────┼─────────────┤ │ │ │ │ │ │mangle │ -150 │ ip, ip6, inet │ all │ ├─────────┼───────┼────────────────┼─────────────┤ │ │ │ │ │ │dstnat │ -100 │ ip, ip6, inet │ prerouting │ ├─────────┼───────┼────────────────┼─────────────┤ │ │ │ │ │ │filter │ 0 │ ip, ip6, inet, │ all │ │ │ │ arp, netdev │ │ ├─────────┼───────┼────────────────┼─────────────┤ │ │ │ │ │ │security │ 50 │ ip, ip6, inet │ all │ ├─────────┼───────┼────────────────┼─────────────┤ │ │ │ │ │ │srcnat │ 100 │ ip, ip6, inet │ postrouting │ └─────────┴───────┴────────────────┴─────────────┘ Standard priority names and hook compatibility for the bridge family ┌───────┬───────┬─────────────┐ │ │ │ │ │Name │ Value │ Hooks │ ├───────┼───────┼─────────────┤ │ │ │ │ │dstnat │ -300 │ prerouting │ ├───────┼───────┼─────────────┤ │ │ │ │ │filter │ -200 │ all │ ├───────┼───────┼─────────────┤ │ │ │ │ │out │ 100 │ output │ ├───────┼───────┼─────────────┤ │ │ │ │ │srcnat │ 300 │ postrouting │ └───────┴───────┴─────────────┘ This can be also applied for flowtables wher it works as a netdev family chain. Example: nft> add table ip x nft> add chain ip x y { type filter hook prerouting priority raw; } nft> add chain ip x z { type filter hook prerouting priority mangle + 1; } nft> add chain ip x w { type filter hook prerouting priority dstnat - 5; } nft> add chain ip x r { type filter hook prerouting priority filter + 10; } nft> add chain ip x t { type filter hook prerouting priority security; } nft> add chain ip x q { type filter hook postrouting priority srcnat + 11; } nft> add chain ip x h { type filter hook prerouting priority 15; } nft> nft> add flowtable ip x y { hook ingress priority filter + 5 ; devices = {enp0s31f6}; } nft> nft> add table arp x nft> add chain arp x y { type filter hook input priority filter + 5; } nft> nft> add table bridge x nft> add chain bridge x y { type filter hook input priority filter + 9; } nft> add chain bridge x z { type filter hook prerouting priority dstnat; } nft> add chain bridge x q { type filter hook postrouting priority srcnat; } nft> add chain bridge x k { type filter hook output priority out; } nft> nft> list ruleset table ip x { flowtable y { hook ingress priority filter + 5 devices = { enp0s31f6 } } chain y { type filter hook prerouting priority raw; policy accept; } chain z { type filter hook prerouting priority mangle + 1; policy accept; } chain w { type filter hook prerouting priority dstnat - 5; policy accept; } chain r { type filter hook prerouting priority filter + 10; policy accept; } chain t { type filter hook prerouting priority security; policy accept; } chain q { type filter hook postrouting priority 111; policy accept; } chain h { type filter hook prerouting priority 15; policy accept; } } table arp x { chain y { type filter hook input priority filter + 5; policy accept; } } table bridge x { chain y { type filter hook input priority filter + 9; policy accept; } chain z { type filter hook prerouting priority dstnat; policy accept; } chain q { type filter hook postrouting priority srcnat; policy accept; } chain k { type filter hook output priority out; policy accept; } } nft> # Everything should fail after this nft> add chain ip x h { type filter hook prerouting priority first; } Error: 'first' is invalid priority in this context. add chain ip x h { type filter hook prerouting priority first; } ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ nft> add chain ip x q { type filter hook prerouting priority srcnat + 11; } Error: 'srcnat' is invalid priority in this context. add chain ip x q { type filter hook prerouting priority srcnat + 11; } ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ nft> add chain arp x y { type filter hook input priority raw; } Error: 'raw' is invalid priority in this context. add chain arp x y { type filter hook input priority raw; } ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ nft> add flowtable ip x y { hook ingress priority magle; devices = {enp0s31f6}; } Error: 'magle' is invalid priority. add flowtable ip x y { hook ingress priority magle; devices = {enp0s31f6}; } ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ nft> add chain bridge x r { type filter hook postrouting priority dstnat; } Error: 'dstnat' is invalid priority in this context. add chain bridge x r { type filter hook postrouting priority dstnat; } ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ nft> add chain bridge x t { type filter hook prerouting priority srcnat; } Error: 'srcnat' is invalid priority in this context. add chain bridge x t { type filter hook prerouting priority srcnat; } ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Signed-off-by: Máté Eckl <ecklm94@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: allow to use new osf expression from assignment statementPablo Neira Ayuso2018-08-071-0/+1
| | | | | | | | | | So the following rule to set the conntrack mark based on the OS passive recognition works: # nft add rule x y ct mark set osf name map { "Windows" : 1, "MacOs" : 2 } Fixes: 9f28b685b473 ("src: introduce passive OS fingerprint matching") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use NFT_OSF_MAXGENRELEN instead of IFNAMSIZ in osf.cFernando Fernandez Mancera2018-08-071-3/+1
| | | | | | | | As no "genre" in pf.os exceed 16 bytes of length, we reduce NFT_OSF_MAXGENRELEN parameter to 16 bytes and use it instead of IFNAMSIZ. Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: introduce passive OS fingerprint matchingFernando Fernandez Mancera2018-08-047-0/+84
| | | | | | | | | | | | | | Add support for "osf" expression. Example: table ip foo { chain bar { type filter hook input priority 0; policy accept; osf name "Linux" counter packets 3 bytes 132 } } Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Expose socket mark via socket expressionMáté Eckl2018-08-034-7/+22
| | | | | | | | This can be used like ct mark or meta mark except it cannot be set. doc and tests are included. Signed-off-by: Máté Eckl <ecklm94@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Add tproxy supportMáté Eckl2018-08-036-0/+267
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds support for transparent proxy functionality which is supported in ip, ip6 and inet tables. The syntax is the following: tproxy [{|ip|ip6}] to {<ip address>|:<port>|<ip address>:<port>} It looks for a socket listening on the specified address or port and assigns it to the matching packet. In an inet table, a packet matches for both families until address is specified. Network protocol family has to be specified **only** in inet tables if address is specified. As transparent proxy support is implemented for sockets with layer 4 information, a transport protocol header criterion has to be set in the same rule. eg. 'meta l4proto tcp' or 'udp dport 4444' Example ruleset: table ip x { chain y { type filter hook prerouting priority -150; policy accept; tcp dport ntp tproxy to 1.1.1.1 udp dport ssh tproxy to :2222 } } table ip6 x { chain y { type filter hook prerouting priority -150; policy accept; tcp dport ntp tproxy to [dead::beef] udp dport ssh tproxy to :2222 } } table inet x { chain y { type filter hook prerouting priority -150; policy accept; tcp dport 321 tproxy to :ssh tcp dport 99 tproxy ip to 1.1.1.1:999 udp dport 155 tproxy ip6 to [dead::beef]:smux } } Signed-off-by: Máté Eckl <ecklm94@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: meta: always prefix 'meta' for almost all tokensFlorian Westphal2018-07-211-16/+13
| | | | | | | | | | | | | | | | | | got following bug report: nft add ... ct mark set mark and 0x10 ... always sets 0. What reporter meant to write instead was 'ct mark', not 'mark'. We can't just remove support for 'mark' and force 'meta mark', but we can start to discourage it by printing meta prefix too. Later on, we could start to print deprecation warning if needed. Followup patch can also change "iifname" etc. to "meta iifname". Signed-off-by: Florian Westphal <fw@strlen.de>
* rule: list only the table containing objectHarsha Sharma2018-07-101-7/+5
| | | | | | | | | | | | | | | | | | | For e.g. % nft list ct helper ip raw cthelp1 table ip filter { } table ip raw { ct helper cthelp1 { type "ftp" protocol tcp l3proto ip } } With this patch, print only table raw. Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: set: print dynamic flag when setFlorian Westphal2018-07-071-1/+5
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: skip evaluation of datatype concatenationsPablo Neira Ayuso2018-07-071-4/+5
| | | | | | | | | These are not really expressions, so there is not value in place. The expr_evaluate_concat() is called from set_evaluate() to calculate the total length of the tuple. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1265 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add --literal optionPablo Neira Ayuso2018-07-073-11/+32
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Default not to print the service name as we discussed during the NFWS. # nft list ruleset table ip x { chain y { tcp dport 22 ip saddr 1.1.1.1 } } # nft -l list ruleset table ip x { chain y { tcp dport ssh ip saddr 1.1.1.1 } } # nft -ll list ruleset table ip x { chain y { tcp dport 22 ip saddr 1dot1dot1dot1.cloudflare-dns.com } } Then, -ll displays FQDN. just like the (now deprecated) --ip2name (-N) option. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: limit: don't print default burst valueFlorian Westphal2018-07-041-1/+1
| | | | | | | | | | | | limit http-traffic { rate 1/second } gets printed as limit http-traffic { rate 1/second burst 5 packets } caused tests/shell/run-tests.sh tests/shell/testcases/sets/0026named_limit_0 to return 'DUMP FAIL'. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: Refactor meta_may_dependency_kill()Phil Sutter2018-06-261-40/+43
| | | | | | | | | | | | | | | | The original intent was to fix a bug: The following rule in inet table: | meta nfproto ipv4 icmpv6 type echo-reply Was added correctly but when printing the meta match was falsely removed. The fix is to deny dependency killing if RHS family of nfproto match doesn't match RHS family of l4proto match. Adding this to the already large conditional led to even more unreadable code, therefore this patch tries to clean that up (and also removes the partial code duplication. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: trace: fix policy printingFlorian Westphal2018-06-261-1/+30
| | | | | | | | | | | | | | | | | | | | policy type is erronously handled via verdict, this is wrong. It is a different event type and needs to be handled as such. before: trace id 42b54e71 inet filter input packet: iif "lo" ip saddr 127.0.0.1 .. trace id 42b54e71 inet filter input rule ip protocol icmp nftrace set 1 (verdict continue) trace id 42b54e71 inet filter input verdict continue trace id 42b54e71 inet filter input after: trace id 9f40c5c7 inet filter input packet: iif "lo" ip saddr 127.0.0.1 .. trace id 9f40c5c7 inet filter input rule ip protocol icmp nftrace set 1 (verdict continue) trace id 9f40c5c7 inet filter input verdict continue trace id 9f40c5c7 inet filter input policy drop Reported-by: vtol@gmx.net Signed-off-by: Florian Westphal <fw@strlen.de>
* Makefile: Introduce Make_global.amPhil Sutter2018-06-181-1/+3
| | | | | | | | | Analogous to libnftnl's build system, define libnftables interface version in a variable in Make_global.am. Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: Do not convert tabs into spacesPhil Sutter2018-06-181-15/+1
| | | | | | | | | | | | | | | | | | | | | Commit 2f86dd5a43baf ("erec: Review erec_print()") changed erec_print() function to expect tabs in input by replacing the whitespace character in the marker line at the same offset with a tab character so that the marker aligns with the offending part of input. The need for that came from JSON input not having its tabs converted to spaces, which erec_print() didn't expect. Above change though has a shortcoming: When reading standard syntax input from a file, Flex code converts tabs into spaces. Location information is taken from this converted input, but when printing an error message, the offending input line is read from the input file directly (which still contains tabs). The solution is to simply drop said tab conversion from scanner.l. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Simplify nft_run_cmd_from_buffer footprintPhil Sutter2018-06-185-11/+10
| | | | | | | | | | | | | | | | | | | | | | | With libnftables documentation being upstream and one confirmed external user (nftlb), time to break the API! First of all, the command buffer passed to nft_run_cmd_from_buffer may (and should) be const. One should consider it a bug if that function ever changed it's content. On the other hand, there is no point in passing the buffer's length as separate argument: NULL bytes are not expected to occur in the input, so it is safe to rely upon strlen(). Also, the actual parsers don't require a buffer length passed to them, either. The only use-case for it is when reallocating the buffer to append a final newline character, there strlen() is perfectly sufficient. Suggested-by: Harald Welte <laforge@gnumonks.org> Cc: Laura Garcia Liebana <nevola@gmail.com> Cc: Eric Leblond <eric@regit.org> Cc: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Fix exit_cookie()Phil Sutter2018-06-181-0/+2
| | | | | | | | | | | | | | | | | | The output and error buffer feature depends on cookie->orig_fp to indicate the current status of buffering: If it is set, a prior call to init_cookie() is assumed. Though exit_cookie() missed to reset that pointer to NULL. causing weird behaviour in applications if they do: | nft = nft_ctx_new(0); | nft_ctx_buffer_output(nft); | nft_ctx_unbuffer_output(nft); | nft_ctx_buffer_output(nft); While being at it, apply the same fix to error path in init_cookie() as well. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add dynamic flag and use itPablo Neira Ayuso2018-06-122-0/+3
| | | | | | | We need to signal the kernel to use a set backend that supports dynamic updates. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: add stolen verdictFlorian Westphal2018-06-121-1/+5
| | | | | | | | | | | | | | | using fwd statement causes crash when using nft trace: trace id ddbbaae2 netdev vpn ingress_out packet: iif "enp2s0" ether saddr 78:54:00:29:bb:aa ether daddr 52:54:00:01:53:9f ip saddr 85.14.236.41 ip daddr 17.25.63.98 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 49036 ip length 84 icmp type echo-reply icmp code 0 icmp id 16947 icmp sequence 4 trace id ddbbaae2 netdev vpn ingress_out rule ip saddr 85.14.236.41 nftrace set 1 (verdict continue) trace id ddbbaae2 netdev vpn ingress_out rule ip saddr 85.14.236.41 ether saddr set aa:bb:00:18:cc:dd ether daddr set 00:00:5e:00:00:11 fwd to "enp1s0" BUG: invalid verdict value 2 nft: datatype.c:282: verdict_type_print: Assertion `0' failed. ADd stolen verdict (2) and remove the BUG statement. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1261 Signed-off-by: Florian Westphal <fw@strlen.de>
* JSON: Support latest enhancements of fwd statementPhil Sutter2018-06-112-4/+49
| | | | | | | | | | | | | JSON equivalent of fwd statement was too primitive to support the added address and family parameters, so make its value an object and accept the device expression as value of a "dev" property in there. Then add optional "addr" and "family" properties to it. While being at it, add a testcase to make sure the extended syntax works right. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Add support for connlimit statementPhil Sutter2018-06-113-0/+30
| | | | | Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Add support for socket expressionPhil Sutter2018-06-113-0/+31
| | | | | Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Don't print burst if equal to 5Phil Sutter2018-06-111-1/+1
| | | | | | | | Analogous to commit 3dddef928d80d ("statement: don't print burst if equals 5"), don't print the default burst value. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Call verdict maps 'vmap' in JSON as wellPhil Sutter2018-06-112-2/+8
| | | | | | | This way JSON format is more consistent with the standard one. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: netlink_delinarize: don't stop when encountering unsupported expressionFlorian Westphal2018-06-071-1/+1
| | | | | | | | | | | | | | | | | | | | | | | The error message is still shown, but try to make sense of further expressions (if any). I tried to replace the expression by a textual representation. Two variants I tested are: 1. append as comment: ip saddr 127.0.0.2 drop comment "unknown expression 'foo'" This allows nft -f, but it adds/alters a comment. 2. substitute in-place (i.e., add a constant expression with the error message instead of 'unkown' message: unknown expression "foo" ip saddr 127.0.0.2 drop This won't allow 'nft -f' however. I'm not sure this is a problem, in any case we lose information if we can't find an expression (e.g. added by newer version). Signed-off-by: Florian Westphal <fw@strlen.de>
* src: do not reset generation ID on ruleset flushPablo Neira Ayuso2018-06-072-3/+21
| | | | | | | | If 'flush ruleset' command is done, release the cache but still keep the generation ID around. Hence, follow up calls to cache_update() will assume that cache is updated and will not perform a netlink dump. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Introduce socket matchingMáté Eckl2018-06-067-0/+117
| | | | | | | | | | | | | | | | For now it can only match sockets with IP(V6)_TRANSPARENT socket option set. Example: table inet sockin { chain sockchain { type filter hook prerouting priority -150; policy accept; socket transparent 1 mark set 0x00000001 nftrace set 1 counter packets 9 bytes 504 accept } } Signed-off-by: Máté Eckl <ecklm94@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: extend fwd statement to support address and familyPablo Neira Ayuso2018-06-067-19/+117
| | | | | | | | Allow to forward packets through to explicit destination and interface. nft add rule netdev x y fwd ip to 192.168.2.200 device eth0 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: connlimit supportPablo Neira Ayuso2018-06-065-2/+72
| | | | | | | | | | | | | | This patch adds support for the new connlimit stateful expression, that provides a mapping with the connlimit iptables extension through meters. eg. nft add rule filter input tcp dport 22 \ meter test { ip saddr ct count over 2 } counter reject This limits the maximum amount incoming of SSH connections per source address up to 2 simultaneous connections. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nat: Eliminate misuse of AF_*Máté Eckl2018-06-062-5/+5
| | | | | | | | | Although the value of AF_INET and NFPROTO_IPV4 is the same, the use of AF_INET was misleading when checking the proto family. Same with AF_INET6. Signed-off-by: Máté Eckl <ecklm94@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: explicitly deny concatenated types in interval setsPhil Sutter2018-06-061-0/+4
| | | | | | | | | | | | | | | | | | | | | Previously, this triggered a program abort: | # nft add table ip t | # nft add set ip t my_set '{ type ipv4_addr . inet_service ; flags interval ; }' | # nft add element ip t my_set '{10.0.0.1 . tcp }' | BUG: invalid range expression type concat | nft: expression.c:1085: range_expr_value_low: Assertion `0' failed. With this patch in place, the 'add set' command above gives an error message: | # nft add set ip t my_set3 '{ type ipv4_addr . inet_service ; flags interval ; }' | Error: concatenated types not supported in interval sets | add set ip t my_set3 { type ipv4_addr . inet_service ; flags interval ; } | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* log: Add support for audit loggingPhil Sutter2018-06-033-3/+10
| | | | | | | | | | | This is implemented via a pseudo log level. The kernel ignores any other parameter, so reject those at evaluation stage. Audit logging is therefore simply a matter of: | log level audit Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Review large number parsing/printingPhil Sutter2018-06-032-25/+29
| | | | | | | | | When parsing large (uint64_t) values, capital 'I' has to be used in format string. While being at it, make sure JSON output code handles those variables correctly, too. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* JSON: Fix replace command parserPhil Sutter2018-06-031-1/+2
| | | | | | | | This was completely broken. Yet another indicator the JSON API part of testsuite is insufficient. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>