| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Monitor output is supposed to be single lined without tabs, but ct
object were printed with newlines and tabs hard-coded. Fixing this
wasn't too hard given that there is 'stmt_separator' to also include
semi-colons where required if newline was removed.
A more obvious mistake was position of object type in monitor output:
Like with other object types, it has to occur between command and table
spec. As a positive side-effect, this aligns ct objects better with
others (see obj_type_name_array for instance).
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
There seems to be no situation where this comes to play. Also, since
there is no 'nft update table/chain' command, this is inconsistent with
input.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Since libnftnl doesn't support XML formatting, pretending to do so in
nft monitor is pointless.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Add support for printing and parsing ct timeout objects to JSON API.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adding new elements result in a confusing "Success" error message.
# nft add element x y { 0-3 }
[...]
Error: Could not process rule: Success
add element x y { 0-3 }
^^^^^^^^^^^^^^^^^^^^^^^^
after this patch, this reports:
Error: Could not process rule: File exists
add element x y { 0-3 }
^^^^^^^^^^^^^^^^^^^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Add range to the list of matching elements.
Fixes: 95629758a5ec ("segtree: bogus range via get set element on existing elements")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Just a simple wrapper function, replace it by direct call to
mnl_nft_rule_del().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
We can remove alloc_nftnl_set() and consolidate infrastructure in the
src/mnl.c file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
We can remove alloc_nftnl_rule() and consolidate infrastructure in the
src/mnl.c file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
The netlink layer sits in between the mnl and the rule layers, remove
it. We can remove alloc_nftnl_chain() and consolidate infrastructure in
the src/mnl.c file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
The netlink layer sits in between the mnl and the rule layers, remove
it. We can remove alloc_nftnl_table() and consolidate infrastructure in
the src/mnl.c file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
We have better json support these days, remove libnftnl json support.
While at it, remove test file for this too.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Of all possible TCP flags, 'ecn' is special since it is recognized by
lex as a keyword (there is a a field in IPv4 and IPv6 headers with the
same name). Therefore it is listed in keyword_expr, but that was
sufficient for RHS only. The following statement reproduces the issue:
| tcp flags & (syn | ecn) == (syn | ecn)
The solution is to limit binop expressions to accept an RHS expression
on RHS ("real" LHS expressions don't make much sense there anyway),
which then allows keyword_expr to occur there. In order to maintain the
recursive behaviour if braces are present, allow primary_rhs_expr to
consist of a basic_rhs_expr enclosed in braces. This in turn requires
for braced RHS part in relational_expr to be dropped, otherwise bison
complains about shift/reduce conflict.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
No need to keep iterating once the range object has been allocated.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Release set and elements in case of error.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Release set content on error. Moreover, release input set content in
case we finally manage to decompose it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This function overrides the left pointer. Instead update this function
to return the range that we found to enclose the left element. Note that
we may not find a closing right element - therefore, it is a standalone
element - in that case this function returns NULL.
Reported-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
table ip x {
set y {
type inet_service
flags interval
elements = { 10, 20-30, 40, 50-60 }
}
}
# nft get element x y { 20-40 }
table ip x {
set y {
type inet_service
flags interval
elements = { 20-40 }
}
}
20 and 40 exist in the tree, but they are part of different ranges.
This patch adds a new get_set_decompose() function to validate that the
left and the right side of the range.
Reported-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Since 'out' is defined as a keyword in scanner.l, using it as a chain
priority name without quotes is not possible. Fix this by introducing
'extended_prio_name' in bison which may be either a string (as before)
or OUT, which is then converted into a string.
Fixes: c8a0e8c90e2d1 ("src: Set/print standard chain prios with textual names")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows matching on ipsec tunnel/beet addresses in xfrm state
associated with a packet, ipsec request id and the SPI.
Examples:
ipsec in ip saddr 192.168.1.0/24
ipsec out ip6 daddr @endpoints
ipsec in spi 1-65536
Joint work with Florian Westphal.
Cc: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
for symmetry with 'rt ipsec'. "meta secpath" still works.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nft would throw misleading error in case map exists but doesn't contain
expected objects.
nft add rule filter in ct helper set tcp dport map @foo
Error: Expression is not a map
add rule filter in ct helper set tcp dport map @foo
^^^^
nft list table filter
table ip filter {
map foo {
type inet_service : ifname
}
...
clarify this.
Reported-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
This applies the same change as in commit 85b1e3c0052ef ("src: Always
print range expressions numerically") to JSON output for consistency.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
This brings inet_service_type_json() on par with
inet_service_type_print(). Despite datatype_print()'s ability to use the
'print' callback, a dedicated 'json' callback is required to make port
numbers appear as numbers in JSON output instead of strings. Therefore
go with a bit of code duplication here.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
If a datatype doesn't provide a 'json' callback, datatype_json() uses
fmemopen() to grab the output from 'print' callback. When doing so,
reuse the existing output context instead of creating a dedicated one to
make sure all output-related settings are exactly as expected.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Since literal option is supposed to be a level, matching for equality is
not correct here since the level may be higher than NFT_LITERAL_PORT.
This fixes for ports being printed numerically if '-l' option was given
twice.
Fixes: b0f6a45b25dd1 ("src: add --literal option")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Andrew A. Sabitov says:
I'd like to use a set (concatenation) of icmpv6 type and icmpv6 code
and check incoming icmpv6 traffic against it:
add set inet fw in_icmpv6_types { type icmpv6_type . icmpv6_code; }
add element inet fw in_icmpv6_types { 1 . 0 } # no route to destination
add element inet fw in_icmpv6_types { 1 . 1 } # communication with destination administratively prohibited
# ...
add rule inet fw in_icmpv6 icmpv6 type . icmpv6 code @in_icmpv6_types \
limit rate 15/minute accept
yields:
Error: can not use variable sized data types (integer) in concat expressions
icmpv6 type . icmpv6 code @in_icmpv6_types
~~~~~~~~~~~~~~^^^^^^^^^^^
Change 'code' type to the icmp/icmpv6 code type.
Needs minor change to test suite as nft will now display
human-readable names instead of numeric codes.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1276
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Otherwise this breaks tests/py/.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Remove osf_init variable and call nfnl_osf_load_fingerprints() from
expr_evaluate_osf() instead of doing that from do_command_add() path.
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support for adding, listing and deleting ct timeout
objects which can be assigned via rule to assign connection tracking
timeout policies via objref infrastructure.
% nft add table filter
% nft add chain filter output
% nft add ct timeout filter test-tcp { protocol tcp \; policy = { established: 132, close: 13, close_wait: 17 } \; }
% nft add rule filter output ct timeout set test-tcp
% nft list ruleset
table ip filter {
ct timeout test-tcp {
protocol tcp;
l3proto ip
policy = {established: 132, close_wait: 17, close: 13}
}
chain output {
ct timeout set "test-tcp"
}
}
% nft delete rule filter output handle <handle>
% nft delete ct timeout filter test-tcp
Note: Original patch has been rework to use fixed size array for
timeouts and to validate timeout policy from the evaluation phase, once
we have access to the layer 4 protocol number. --pablo
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
When trying to add a chain to a non-existing table, error reporting
tries to dereference indesc pointer of the table's location. Hence make
sure the latter is initialized correctly.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Right now this object merely contains the nftables version and release
name as well as a JSON schema version, but it could be extended
arbitrarily. In the future, this will also allow for non-compatible
schema changes should the need for this arise.
Adjust the parser to accept metainfo objects and make it verify
json_schema_version to be less than or equal to the one hard-coded in
the library.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This special operator is required for cases where missing operator does
not lead to same results as equal operator, i.e. with bitmasks on RHS.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Instead of the generic "left" and "right", use "key" and "value".
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Change the rather generic "left" and "right" into "key" and "data" as
suggested at NFWS.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
For raw payloads, property "name" is not needed, it's clearly identified
by base/offset/len properties.
In non-raw payload expressions, rename property "name" to "protocol" as
suggested during NFWS.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Change jump and goto verdicts to become extensible by dedicating an
object for the target parameter.
While being at it, drop break and queue verdict expressions since they
don't seem to exist, no idea where I got those from in the first place.
For queue, there is a dedicated expression at least.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Lessons learned from fwd statement: We must not assume a given
statement/expression may not receive further properties in the future.
Therefore make meta value an object with a property "key" instead of
just a string containing the key name.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
evaluation step currently prohibits
tproxy ip to 1.2.3.4 in ip family, and
tproxy ip6 to dead::1 in ip6.
This seems an arbitrary limitation, just accept this.
The current restriction would make json output support harder than needed,
as the tproxy expression generated from json path would have to
special-case the table its currently in, rather than just using the
family attribute in the json output.
We obviously still reject the family in case it mismatches
the table family (e.g., can't use ip address in ip6 table).
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 9e45a28ca467f ("src: honor /etc/services") broke compiling with
JSON support enabled: inet_service_type_print() is not suited for
converting inet_service datatype into JSON at all.
In order to avoid having to replicate the port value resolving into
human-readable name in inet_service_type_json(), just return a numeric
value. At least for JSON output, this probably makes most sense either
way since the output is expected to be parsed by scripts which have an
easier time with numers than names anyway.
Fixes: 9e45a28ca467f ("src: honor /etc/services")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This partial patch reverts:
ccc5da470e76 ("datatype: Replace getnameinfo() by internal lookup table")
f0f99006d34b ("datatype: Replace getaddrinfo() by internal lookup table")
so /etc/services is used to interpret service names, eg.
# nft add rule x y tcp dport \"ssh\"
Then, listing looks like:
# nft list ruleset -l
table x {
chain y {
...
tcp dport "ssh"
}
}
Major changes with regards to the original approach are:
1) Services are displayed in text via `-l' option.
2) Services are user-defined, just like mappings in /etc/iproute2/*
files and connlabel.conf, so they are displayed enclosed in quotes.
Note that original service name code was broken since it parses both udp
and tcp service names but it only displays tcp services names as
literal. This is because NI_DGRAM is missing. This patch makes nft falls
back on udp services if no literal was found in the initial tcp service
name query. Proper way to handle would be to add infrastructure to store
protocol context information in struct output_ctx.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
So far if invalid priority name was specified the error message referred
to the whole chain/flowtable specification:
nft> add chain ip x h { type filter hook prerouting priority first; }
Error: 'first' is invalid priority in this context.
add chain ip x h { type filter hook prerouting priority first; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
With this patch this reference is made specific to the priority
specification:
nft> add chain ip x h { type filter hook prerouting priority first; }
Error: 'first' is invalid priority in this context.
add chain ip x h { type filter hook prerouting priority first; }
^^^^^^^^^^^^^^
`prio_spec` is also reused to keep naming intuitive. The parser section
formerly named `prio_spec` is renamed to `int_num` as it basically
provides the mathematical set of integer numbers.
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following example shows how to populate a set from the packet path
using the destination IP address, for each entry there is a counter. The
entry expires after the 1 hour timeout if no packets matching this entry
are seen.
table ip x {
set xyz {
type ipv4_addr
size 65535
flags dynamic,timeout
timeout 1h
}
chain y {
type filter hook output priority filter; policy accept;
update @xyz { ip daddr counter } counter
}
}
Similar example, that creates a mapping better IP address and mark,
where the mark is assigned using an incremental sequence generator from
0 to 1 inclusive.
table ip x {
map xyz {
type ipv4_addr : mark
size 65535
flags dynamic,timeout
timeout 1h
}
chain y {
type filter hook input priority filter; policy accept;
update @xyz { ip saddr counter : numgen inc mod 2 }
}
}
Supported stateful statements are: limit, quota, counter and connlimit.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Instead of using the map expression, store dynamic key and data
separately since they need special handling than constant maps.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
