Commit Graph

220 Commits

Author SHA1 Message Date
turekt 6ddeb7caed
Implement cthelper object expr (#268) 2024-08-15 08:47:35 +02:00
turekt 38e481bfc4
Added GetNamedObjects and ResetNamedObjects (#267) 2024-08-14 08:10:09 +02:00
turekt 4d451ef75f
Fix staticcheck issues (#266) 2024-08-11 10:00:48 +02:00
Aleksei Ilin b76fdc8f90
ct: Specify direction for saddr, daddr, proto-src, proto-dst (#264)
The CT keys require direction parameter.
2024-08-05 08:38:34 +02:00
turekt 3b928008ad
refactor nftable Object handling (NamedObj type) (#259)
* Refactored obj.go to a more generic approach
* Added object support for already implemented expressions
* Added test for limit object

fixes https://github.com/google/nftables/issues/253
2024-07-29 08:43:58 +02:00
turekt 912dee68b1
Refactor expr for obj reimplementation (#265)
Added marshalData func to expressions
Prepare parseexprfunc for obj implementation refactor

related to #253
2024-07-24 08:26:13 +02:00
TheDiveO aa8348f790
feat: add xt.Comment (#260)
Signed-off-by: thediveo <thediveo@gmx.eu>
2024-04-22 08:53:34 +02:00
dependabot[bot] 20edd38e22
Bump golang.org/x/net from 0.22.0 to 0.23.0 (#261)
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.22.0 to 0.23.0.
- [Commits](https://github.com/golang/net/compare/v0.22.0...v0.23.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-19 19:12:50 +02:00
turekt 5e242ec578
List table or chain by name (#258)
Adds functionality to list table or chain by specifying its name
2024-04-14 11:19:27 +02:00
Daniel Mack 8ffcbc2d36 Chain: add 'device' as hook attribute
NETDEV tables can specify a device the apply to.
Add support for this by augmenting the `Chain` struct.
2024-04-01 11:26:10 +02:00
Daniel Mack 4dbe06f125 chain: add ChainHookEgress
NETDEV tables can have egress hooks. Add the definition to enable that case.
2024-04-01 11:26:10 +02:00
Lionel Jouin 0b98a7af91
Replace TODO const by golang.org/x/sys/unix (#256)
Replace some hardcoded consts by the ones provided in
golang.org/x/sys/unix
2024-03-18 08:32:45 +01:00
Michael Stapelberg 5494b7c55f bump go.mod to go1.21, update deps
fixes https://github.com/google/nftables/issues/254
2024-03-10 13:09:31 +01:00
Francesco Cheinasso 33ee8df9d8 NAT: prefix test 2024-01-12 21:30:04 +01:00
Francesco Cheinasso ef45dd3322
NAT: prefix support (#251) 2023-12-22 08:33:18 +01:00
Michael Stapelberg 6d4c531bb6 monitor: add example and documentation 2023-12-13 08:31:13 +01:00
singchia 5555df300c
feat: add monitor on table chain rule set setelem and obj events (#250)
fixes https://github.com/google/nftables/issues/224
2023-12-13 08:23:07 +01:00
turekt 0f60df61a2
Support for quota as object (#244)
Fixes https://github.com/google/nftables/issues/238
2023-12-12 21:49:45 +01:00
black-desk 32bfbb6627
feat: add Conn.CreateTable (#246)
`Conn.AddTable` use netlink.Create which will not emit an error
if the table we want to create already existed,
just like the `nft add table ...` command works.

The caller should use netlink.Excl to
get an EEXIST error for that already existed,

So I add another method `Conn.CreateTable`
which works just like `nft create table ...` command.

Related: #245

Signed-off-by: black-desk <me@black-desk.cn>
2023-10-24 08:57:23 +02:00
black-desk 6df7a82bbd
fix: correct error handling in receiveAckAware (#243)
Related: #242

After 7879d7ecf6, it seems that
any multi-message operation performed without CAP_SYS_ADMIN will
leads to forever block inside nftables.Conn.Flush.

For example:

```go
package main

import "github.com/google/nftables"

func main() {
	conn, err := nftables.New()
	if err != nil {
		panic(err)
	}

	t := conn.AddTable(&nftables.Table{})

	err = conn.AddSet(&nftables.Set{Table: t}, []nftables.SetElement{})
	if err != nil {
		panic(err)
	}

	conn.AddSet(&nftables.Set{Table: t}, []nftables.SetElement{})
	if err != nil {
		panic(err)
	}

	err = conn.Flush()
	if err != nil {
		panic(err)
	}

	return
}
```

That's because that although we send multiple messages on netlink
socket, kernel will only sends one permission error message as reply.

Signed-off-by: black-desk <me@black-desk.cn>
2023-10-21 22:11:55 +02:00
dependabot[bot] 4efd25beb8
Bump golang.org/x/net from 0.7.0 to 0.17.0 (#241)
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.7.0 to 0.17.0.
- [Commits](https://github.com/golang/net/compare/v0.7.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-12 08:09:03 +02:00
Ronak Jain 7879d7ecf6
Flush: fix error leak when flushing multiple messages (#239)
When you flush multiple messages/ops on a connection, and if flush fails
to apply, the netlink connection returns errors per command. Since we
are returning on noticing the first error, the rest of the errors are
buffered and leaks into the result of next flush.

This pull request invokes `conn.Receive()` * number of messages to drain
any buffered errors in the connection.
2023-10-01 23:06:11 +02:00
turekt 0d9bfa4d18
Fix overflow in Flush by using receiveAckAware and handling the overrun flag (#237)
Fixes https://github.com/google/nftables/issues/235
Added support for messages having overrun flag
Changed `conn.Receive` call to `receiveAckAware` in `Flush`
2023-09-23 17:08:35 +02:00
Lars Lehtonen 6a61933ab7
Fix dropped error (#240)
Signed-off-by: Lars Lehtonen <lars.lehtonen@gmail.com>
2023-09-16 08:51:22 +02:00
Rafael Campos Las Heras d27cc52f15
hash: Fix hash seed conditional (#234)
Fix the marshall of the hash seed to be conditional, only if it is
explicitly set, we need to add it to the kernel as stated on the
libnftl and nftables projects.
Refence: https://git.netfilter.org/nftables/tree/src/netlink_linearize.c?id=25e7b99cc450490c38becb03d8bddd0199cfd3f9#n174

Otherwise, having a hash expression similar to this:
```
ip daddr set jhash tcp sport mod 2 seed 0x0 map { 0 : 192.168.0.1, 1 : 192.168.2.2 }
```
end up setting only the first IP and ignoring the second one.

Signed-off-by: Rafael Campos <methril@gmail.com>
2023-08-03 08:14:23 +02:00
black-desk 8a10f68900
Add address field for expr tproxy (#231)
* Add address field for expr tproxy

Signed-off-by: black-desk <me@black-desk.cn>
Co-authored-by: MrRedhat <Redhatminzhe@Gmail.com>
2023-07-10 08:38:01 +02:00
Rafael Campos 8f2d395e10 set: Parse bytes length on sets
Parse the bytes length for key and data types when reading the sets.

Signed-off-by: Rafael Campos <methril@gmail.com>
2023-06-14 20:10:15 +02:00
Rafael Campos 98de8c8ac9 expr: Add Hash to the expr type
Add the Hash type to the expr read parser.

Signed-off-by: Rafael Campos <methril@gmail.com>
2023-06-14 20:10:15 +02:00
Ronak Jain 45645ffbf5
Parse set element counters (#230) 2023-05-20 18:23:52 +02:00
Michael Stapelberg cf9b0d57e8 GitHub Actions: switch to setup-go@v4 which enables caching 2023-05-20 14:47:36 +02:00
turekt d746ecb0e4
Implement set KeyByteOrder (#226)
Fixes https://github.com/google/nftables/issues/225
Introduced KeyByteOrder in sets which fills UDATA with endianess information
2023-05-18 18:05:49 +02:00
black-desk b18665a6ec
Implement socket expr (#222)
Signed-off-by: black-desk <me@black-desk.cn>
2023-05-06 10:49:33 +02:00
Liu Xiangchao a58e58ca6b
add set element expires field (#223) 2023-04-21 08:26:50 +02:00
Steffen Vogel 1510be9a55 userdata: Add TLV parser/serialized for rule user data
This TLV format is compatible with the one used by libnftables.
Hence with this change, we can now de/encode comments and other
user data information which is compatible with the Netfilter
command line tooling.

Signed-off-by: Steffen Vogel <post@steffenvogel.de>
2023-04-18 08:53:20 +02:00
Steffen Vogel 971247e1b2 Move setup/teardown of system NFT connection to internal package
As we want to reuse it also in other test packages.

Signed-off-by: Steffen Vogel <post@steffenvogel.de>
2023-04-18 08:53:20 +02:00
konradh a93939a185
Fix getting concatenated data types for maps (#217)
This also implements parsing of concatenated data types.
2023-04-02 10:11:12 +02:00
Raman Shishniou 2729c5a5ee
Drop unnecessary table rewrite in GetRules() after 3e042f7 (#219) 2023-03-16 12:38:54 +01:00
dependabot[bot] e016b4e9fa
Bump golang.org/x/net from 0.4.0 to 0.7.0 (#216)
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.4.0 to 0.7.0.
- [Release notes](https://github.com/golang/net/releases)
- [Commits](https://github.com/golang/net/compare/v0.4.0...v0.7.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-02-18 14:01:22 +01:00
turekt 9aa6fdf5a2
Masq marshal fix (#214)
Fixes https://github.com/google/nftables/issues/213
2023-01-15 21:51:35 +01:00
Michael Stapelberg 2a00dee9fc pull in latest mdlayher/netlink
related to issue #210
2022-12-12 17:19:45 +01:00
TheDiveO d1d398adb7
alignedbuff: fix alignment test issue on 32-bit machines (#211)
- fixes issue #209 where two unit tests for alignedbuff were incorrectly calculating the expected marshalled data length on 32bit machines (whereas actual padding/alignment itself was done correctly).
- adds documentation reference to kernel's xtables.h UAPI regarding alignment.
2022-12-12 08:51:36 +01:00
xiaoff 1aef2ba20e
Fix: add NFTA_RULE_COMPAT attribute (#207)
xt_matches or xt_targets like xt_tcpudp may have specific compat policy and
if not set flush rule will error with EINVAL
according to https://elixir.bootlin.com/linux/v3.13/source/net/netfilter/x_tables.c#L563

Signed-off-by: xiaoff <zhaofeng_0019@163.com>
2022-12-08 09:05:15 +01:00
turekt 130caa4c31
Reject expression fix (#206)
Added missing reject expression to exprsFromMsg
2022-11-07 20:04:33 +01:00
turekt 0dda43a5f9
Fix size for TypeTimeHour (#203)
Corresponding nftables commit: https://git.netfilter.org/nftables/commit/src/meta.c?id=4e1abfc552170d6db5c511634a29918e64c1b51b
2022-11-01 21:27:48 +01:00
turekt c89a57ce19
Flowtables implementation (#201)
Added flowtables implementation | Added flow_offload expression | Added tests
2022-11-01 07:48:00 +01:00
Michael Stapelberg 3ad45c080c use “test” as set name in tests 2022-10-29 08:34:19 +02:00
Joe Williams 0929dfc8bf
Support set element counters (#199) 2022-10-29 08:33:22 +02:00
Joe Williams 4f5cd5826f
add int32 and string types to alignedbuff (#195) 2022-10-15 21:04:45 +02:00
Andrew LeFevre d007ae63f1
fix queue expression getting skipped when unmarshaling rules (#197) 2022-10-15 19:08:15 +02:00
turekt 535f5eb8da
Fix incorrect netlink acknowledgement handling (#194)
fixes https://github.com/google/nftables/issues/175
2022-10-02 16:01:48 +02:00