summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* src: add support for flowtable counterHEADmasterPablo Neira Ayuso3 days4-0/+13
| | | | | | | | | | | | | | | | | | Allow users to enable flow counters via control plane toggle, e.g. table ip x { flowtable y { hook ingress priority 0; counter; } chain z { type filter hook ingress priority filter; flow add @z } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for counter in set definitionPablo Neira Ayuso9 days5-0/+36
| | | | | | | | | | | | | | | | | | | | | This patch allows you to turn on counter for each element in the set. table ip x { set y { typeof ip saddr counter elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 } } chain z { type filter hook output priority filter; policy accept; ip daddr @y } } This example shows how to turn on counters globally in the set 'y'. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: add range specified flag setting (missing ↵Pablo Neira Ayuso10 days1-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | NF_NAT_RANGE_PROTO_SPECIFIED) Sergey reports: With nf_tables it is not possible to use port range for masquerading. Masquerade statement has option "to [:port-port]" which give no effect to translation behavior. But it must change source port of packet to one from ":port-port" range. My network: +-----------------------------+ | ROUTER | | | | Masquerade| | 10.0.0.1 1.1.1.1 | | +------+ +------+ | | | eth1 | | eth2 | | +-+--^---+-----------+---^--+-+ | | | | +----v------+ +------v----+ | | | | | 10.0.0.2 | | 1.1.1.2 | | | | | |PC1 | |PC2 | +-----------+ +-----------+ For testing i used rule like this: rule ip nat POSTROUTING oifname eth2 masquerade to :666 Run netcat for 1.1.1.2 667(UDP) and get dump from PC2: 15:22:25.591567 a8:f9:4b:aa:08:44 > a8:f9:4b:ac:e7:8f, ethertype IPv4 (0x0800), length 60: 1.1.1.1.34466 > 1.1.1.2.667: UDP, length 1 Address translation works fine, but source port are not belongs to specified range. I see in similar source code (i.e. nft_redir.c, nft_nat.c) that there is setting NF_NAT_RANGE_PROTO_SPECIFIED flag. After adding this, repeat test for kernel with this patch, and get dump: 16:16:22.324710 a8:f9:4b:aa:08:44 > a8:f9:4b:ac:e7:8f, ethertype IPv4 (0x0800), length 60: 1.1.1.1.666 > 1.1.1.2.667: UDP, length 1 Now it is works fine. Reported-by: Sergey Marinkevich <s@marinkevich.ru> Tested-by: Sergey Marinkevich <s@marinkevich.ru> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for restoring element countersPablo Neira Ayuso11 days3-2/+39
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch allows you to restore counters in dynamic sets: table ip test { set test { type ipv4_addr size 65535 flags dynamic,timeout timeout 30d gc-interval 1d elements = { 192.168.10.13 expires 19d23h52m27s576ms counter packets 51 bytes 17265 } } chain output { type filter hook output priority 0; update @test { ip saddr } } } You can also add counters to elements from the control place, ie. table ip test { set test { type ipv4_addr size 65535 elements = { 192.168.2.1 counter packets 75 bytes 19043 } } chain output { type filter hook output priority filter; policy accept; ip daddr @test } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: remove unused parameter from netlink_gen_stmt_stateful()Pablo Neira Ayuso11 days1-23/+13
| | | | | | Remove context from netlink_gen_stmt_stateful(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_json: Support ranges in concat expressionsPhil Sutter2020-03-101-22/+29
| | | | | | | | | | Duplicate commit 8ac2f3b2fca38's changes to bison parser into JSON parser by introducing a new context flag signalling we're parsing concatenated expressions. Fixes: 8ac2f3b2fca38 ("src: Add support for concatenated set ranges") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Eric Garver <eric@garver.life>
* main: use one data-structure to initialize getopt_long(3) arguments and help.Jeremy Sowden2020-03-101-113/+138
| | | | | | | | By generating the getopt_long(3) optstring and options, and the help from one source, we reduce the chance that they may get out of sync. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: interpolate default include path into help format-string.Jeremy Sowden2020-03-101-2/+2
| | | | | | | | The default include path is a string literal defined as a preprocessor macro by autoconf. We can just interpolate it. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: include '--reversedns' in help.Jeremy Sowden2020-03-101-1/+1
| | | | | | | The long option for '-N' was omitted from the help. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: include '-d' in help.Jeremy Sowden2020-03-101-20/+20
| | | | | | | The short option for '--debug' was omitted from the help. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: fix rshift statement expression.Jeremy Sowden2020-03-091-1/+1
| | | | | | | | | The RHS of RSHIFT statement expressions should be primary_stmt_expr, not primary_rhs_expr. Fixes: dccab4f646b4 ("parser_bison: consolidate stmt_expr rule") Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: remove duplicates from option string.Jeremy Sowden2020-03-051-1/+1
| | | | | | | | The string of options passed to getopt_long(3) contains duplicates. Update it to match the opt_vals enum which immediately precedes it. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: add more information to `nft -V`.Jeremy Sowden2020-03-052-1/+54
| | | | | | | | | | | | | | | | | In addition to the package-version and release-name, output the CLI implementation (if any) and whether mini-gmp was used, e.g.: $ ./src/nft -V nftables v0.9.3 (Topsy) cli: linenoise json: yes minigmp: no libxtables: yes [pablo@netfilter.org: add json and libxtables, use -V ] Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix leaks.Jeremy Sowden2020-03-042-0/+3
| | | | | | | Some bitmask variables are not cleared. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* netlink_delinearize: set shift RHS byte-order.Jeremy Sowden2020-03-041-0/+1
| | | | | | | The RHS operand for bitwise shift is in HBO. Set this explicitly. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: no need to swap byte-order for values of fewer than 16 bits.Jeremy Sowden2020-03-041-1/+1
| | | | | | | | | Endianness is not meaningful for objects smaller than 2 bytes and the byte-order conversions are no-ops in the kernel, so just update the expression as if it were constant. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: convert the byte-order of payload statement arguments.Jeremy Sowden2020-03-041-0/+5
| | | | | | | | | | | Since shift operations require host byte-order, we need to be able to convert the result of the shift back to network byte-order, in a rule like: nft add rule ip t c tcp dport set tcp dport lshift 1 Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: don't evaluate payloads twice.Jeremy Sowden2020-03-041-0/+5
| | | | | | | | | Payload munging means that evaluation of payload expressions may not be idempotent. Add a flag to prevent them from being evaluated more than once. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: simplify calculation of payload size.Jeremy Sowden2020-03-041-2/+2
| | | | | | | Use div_round_up and one statement. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: add separate variables for lshift and xor binops.Jeremy Sowden2020-03-041-17/+17
| | | | | | | | stmt_evaluate_payload has distinct variables for some, but not all, the binop expressions it creates. Add variables for the rest. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: support for offload chain flagPablo Neira Ayuso2020-03-034-0/+16
| | | | | | | | | | | | | | | | | | | | This patch extends the basechain definition to allow users to specify the offload flag. This flag enables hardware offload if your drivers supports it. # cat file.nft table netdev x { chain y { type filter hook ingress device eth0 priority 10; flags offload; } } # nft -f file.nft Note: You have to enable offload via ethtool: # ethtool -K eth0 hw-tc-offload on Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expressions: concat: add typeof supportFlorian Westphal2020-02-261-0/+136
| | | | | | | | | | | | | | | | | | | | | Previous patches allow to pass concatenations as the mapped-to data type. This doesn't work with typeof() because the concat expression has no support to store the typeof data in the kernel, leading to: map t2 { typeof numgen inc mod 2 : ip daddr . tcp dport being shown as type 0 : ipv4_addr . inet_service ... which can't be parsed back by nft. This allows the concat expression to store the sub-expressions in set of nested attributes. Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: stmt_evaluate_nat_map() only if stmt->nat.ipportmap == truePablo Neira Ayuso2020-02-251-17/+11
| | | | | | | stmt_evaluate_nat_map() is only called when the parser sets on stmt->nat.ipportmap. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: nat concatenation support with anonymous mapsPablo Neira Ayuso2020-02-245-3/+32
| | | | | | | | | This patch extends the parser to define the mapping datatypes, eg. ... dnat ip addr . port to ip saddr map { 1.1.1.1 : 2.2.2.2 . 30 } ... dnat ip addr . port to ip saddr map @y Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow nat maps containing both ip(6) address and portFlorian Westphal2020-02-243-1/+122
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | nft will now be able to handle map destinations { type ipv4_addr . inet_service : ipv4_addr . inet_service } chain f { dnat to ip daddr . tcp dport map @destinations } Something like this won't work though: meta l4proto tcp dnat ip6 to numgen inc mod 4 map { 0 : dead::f001 . 8080, .. as we lack the type info to properly dissect "dead::f001" as an ipv6 address. For the named map case, this info is available in the map definition, but for the anon case we'd need to resort to guesswork. Support is added by peeking into the map definition when evaluating a nat statement with a map. Right now, when a map is provided as address, we will only check that the mapped-to data type matches the expected size (of an ipv4 or ipv6 address). After this patch, if the mapped-to type is a concatenation, it will take a peek at the individual concat expressions. If its a combination of address and service, nft will translate this so that the kernel nat expression looks at the returned register that would store the inet_service part of the octet soup returned from the lookup expression. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: add two new helpersFlorian Westphal2020-02-241-29/+32
| | | | | | | | | | | In order to support 'dnat to ip saddr map @foo', where @foo returns both an address and a inet_service, we will need to peek into the map and process the concatenations sub-expressions. Add two helpers for this, will be used in followup patches. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: handle concatenations on set elements mappingsFlorian Westphal2020-02-241-0/+7
| | | | | | | | | | We can already handle concatenated keys, this extends concat coverage to the data type as well, i.e. this can be dissected: type ipv4_addr : ipv4_addr . inet_service Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: process concat expressions when used as mapped-to exprFlorian Westphal2020-02-241-0/+4
| | | | | | | | | Needed to avoid triggering the 'dtype->size == 0' tests. Evaluation will build a new concatenated type that holds the size of the aggregate. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expression: use common code for expr_ops/expr_ops_by_typeFlorian Westphal2020-02-231-20/+15
| | | | | | | Useless duplication. Also, this avoids bloating expr_ops_by_type() when it needs to cope with more expressions. Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: print correct statement name on family mismatchFlorian Westphal2020-02-221-2/+3
| | | | | | | | | | nft add rule inet filter c ip daddr 1.2.3.4 dnat ip6 to f00::1 Error: conflicting protocols specified: ip vs. unknown. You must specify ip or ip6 family in tproxy statement Should be: ... "in nat statement". Fixes: fbe27464dee4588d90 ("src: add nat support for the inet family") Signed-off-by: Florian Westphal <fw@strlen.de>
* mnl: do not use expr->identifier to fetch device namePablo Neira Ayuso2020-02-192-7/+32
| | | | | | | | | This string might not be nul-terminated, resulting in spurious errors when adding netdev chains. Fixes: 3fdc7541fba0 ("src: add multidevice support for netdev chain") Fixes: 92911b362e90 ("src: add support to add flowtables") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: memleak in device parserPablo Neira Ayuso2020-02-191-0/+1
| | | | | | | | | | | | | | ==1135425== 9 bytes in 1 blocks are definitely lost in loss record 1 of 1 ==1135425== at 0x483577F: malloc (vg_replace_malloc.c:309) ==1135425== by 0x4BE846A: strdup (strdup.c:42) ==1135425== by 0x48A5EDD: xstrdup (utils.c:75) ==1135425== by 0x48C9A20: nft_lex (scanner.l:640) ==1135425== by 0x48BC1A4: nft_parse (parser_bison.c:5682) ==1135425== by 0x48AC336: nft_parse_bison_buffer (libnftables.c:375) ==1135425== by 0x48AC336: nft_run_cmd_from_buffer (libnftables.c:443) ==1135425== by 0x10A707: main (main.c:384) Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: improve error reporting when remove rulesPablo Neira Ayuso2020-02-191-11/+23
| | | | | | | | | | | | | | | | | | | | | | | | # nft delete rule ip y z handle 7 Error: Could not process rule: No such file or directory delete rule ip y z handle 7 ^ # nft delete rule ip x z handle 7 Error: Could not process rule: No such file or directory delete rule ip x z handle 7 ^ # nft delete rule ip x x handle 7 Error: Could not process rule: No such file or directory delete rule ip x x handle 7 ^ # nft replace rule x y handle 10 ip saddr 1.1.1.2 counter Error: Could not process rule: No such file or directory replace rule x y handle 10 ip saddr 1.1.1.2 counter ^^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: improve error reporting when setting policy on non-base chainPablo Neira Ayuso2020-02-192-6/+9
| | | | | | | | | | | When trying to set a policy to non-base chain: # nft add chain x y { policy accept\; } Error: Could not process rule: Operation not supported add chain x y { policy accept; } ^^^^^^^^^^^^^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mnl: extended error support for create commandPablo Neira Ayuso2020-02-192-18/+34
| | | | | | | | | | | | | | | | | | | | | | | | # nft create table x Error: Could not process rule: File exists create table x ^ # nft create chain x y Error: Could not process rule: File exists create chain x y ^ # nft create set x y { typeof ip saddr\; } Error: Could not process rule: File exists create set x y { typeof ip saddr; } ^ # nft create counter x y Error: Could not process rule: File exists create counter x y ^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: combine extended netlink error reporting with mispelling supportPablo Neira Ayuso2020-02-192-21/+161
| | | | | | | | | | | Preliminary support: only for the deletion command, e.g. # nft delete table twst Error: No such file or directory; did you mean table ‘test’ in family ip? delete table twst ^^^^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: initial extended netlink error reportingPablo Neira Ayuso2020-02-195-50/+175
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch correlates the in-kernel extended netlink error offset and the location information. Assuming 'foo' table does not exist, then error reporting shows: # nft delete table foo Error: Could not process rule: No such file or directory delete table foo ^^^ Similarly, if table uniquely identified by handle '1234' does not exist, then error reporting shows: # nft delete table handle 1234 Error: Could not process rule: No such file or directory delete table handle 1234 ^^^^ Assuming 'bar' chain does not exists in the kernel, while 'foo' does: # nft delete chain foo bar Error: Could not process rule: No such file or directory delete chain foo bar ^^^ This also gives us a hint when adding rules: # nft add rule ip foo bar counter Error: Could not process rule: No such file or directory add rule ip foo bar counter ^^^ This is based on ("src: basic support for extended netlink errors") from Florian Westphal, posted in 2018, with no netlink offset correlation support. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: incorrect handle locationPablo Neira Ayuso2020-02-171-6/+6
| | | | | | | Handle location is not correct, this leads to misleading error reporting. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: use list_is_first() from scanner_pop_indesc()Pablo Neira Ayuso2020-02-131-1/+1
| | | | | | | | | | !list_empty() always stands true since the list is never empty when calling scanner_pop_indesc(). Check for list_is_first() which actually tells us this is the initial input file, hence, state->indesc is set to NULL. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: maps: update data expression dtype based on setFlorian Westphal2020-02-131-0/+1
| | | | | | | | | | | What we want: - update @sticky-set-svc-M53CN2XYVUHRQ7UB { ip saddr : 0x00000002 } what we got: + update @sticky-set-svc-M53CN2XYVUHRQ7UB { ip saddr : 0x2000000 [invalid type] } Reported-by: Serguei Bezverkhi <sbezverk@gmail.com> Close: https://bugzilla.netfilter.org/show_bug.cgi?id=1405 Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: remove parser_state->indesc_idxLaurent Fasnacht2020-02-131-6/+0
| | | | | | | | Now that we have a proper stack implementation, we don't need an additional counter for the number of buffer state pushed. Signed-off-by: Laurent Fasnacht <fasnacht@protonmail.ch> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: fix indesc_list stack to be in the correct orderLaurent Fasnacht2020-02-131-1/+5
| | | | | | | This fixes the location displayed in error messages. Signed-off-by: Laurent Fasnacht <fasnacht@protonmail.ch> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Inclusion depth was computed incorrectly for glob includes.Laurent Fasnacht2020-02-131-6/+14
| | | | | Signed-off-by: Laurent Fasnacht <fasnacht@protonmail.ch> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: remove parser_state->indescs static arrayLaurent Fasnacht2020-02-131-6/+7
| | | | | | | | This static array is redundant with the indesc_list structure, but is less flexible. Signed-off-by: Laurent Fasnacht <fasnacht@protonmail.ch> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: move indesc list append in scanner_push_indescLaurent Fasnacht2020-02-111-9/+7
| | | | | | | Having a single point makes refactoring easier. Signed-off-by: Laurent Fasnacht <fasnacht@protonmail.ch> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: move the file descriptor to be in the input_descriptor structureLaurent Fasnacht2020-02-111-9/+9
| | | | | | | | This prevents a static allocation of file descriptors array, thus allows more flexibility. Signed-off-by: Laurent Fasnacht <fasnacht@protonmail.ch> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: Extend asteriskstring definitionPhil Sutter2020-02-101-1/+1
| | | | | | | | Accept escaped asterisks also mid-string and as only character. Especially the latter will help when translating from iptables where asterisk has no special meaning. Signed-off-by: Phil Sutter <phil@nwl.cc>
* src: compute mnemonic port name much easierJan Engelhardt2020-02-072-41/+11
| | | | | Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: change shift byte-order to host-endian.Jeremy Sowden2020-02-071-1/+1
| | | | | | | | | | | The byte-order of the righthand operands of the right-shifts generated for payload and exthdr expressions is big-endian. However, all right operands should be host-endian. Since evaluation of the shift binop will insert a byte-order conversion to enforce this, change the endianness in order to avoid the extra operation. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: correct variable name.Jeremy Sowden2020-02-071-6/+6
| | | | | | | | Rename the `lshift` variable used to store an right-shift expression to `rshift`. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>