Aleksei Ilin
7a6c4ef3e7
nat: Add flag for specified range in DNAT ( #270 )
...
Example: meta l4proto tcp dnat to 10.200.45.6:9080
```
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ immediate reg 1 0x062dc80a ]
[ immediate reg 2 0x00007823 ]
[ nat dnat ip addr_min reg 1 proto_min reg 2 flags 0x2 ]
```
2024-08-30 09:01:02 +02:00
turekt
adb98462ee
Add synproxy obj ( #269 )
2024-08-27 09:06:28 +02:00
turekt
6ddeb7caed
Implement cthelper object expr ( #268 )
2024-08-15 08:47:35 +02:00
Aleksei Ilin
b76fdc8f90
ct: Specify direction for saddr, daddr, proto-src, proto-dst ( #264 )
...
The CT keys require direction parameter.
2024-08-05 08:38:34 +02:00
turekt
912dee68b1
Refactor expr for obj reimplementation ( #265 )
...
Added marshalData func to expressions
Prepare parseexprfunc for obj implementation refactor
related to #253
2024-07-24 08:26:13 +02:00
Lionel Jouin
0b98a7af91
Replace TODO const by golang.org/x/sys/unix ( #256 )
...
Replace some hardcoded consts by the ones provided in
golang.org/x/sys/unix
2024-03-18 08:32:45 +01:00
Francesco Cheinasso
ef45dd3322
NAT: prefix support ( #251 )
2023-12-22 08:33:18 +01:00
Rafael Campos Las Heras
d27cc52f15
hash: Fix hash seed conditional ( #234 )
...
Fix the marshalling of the hash seed to be conditional: only if it is
explicitly set do we need to add it to the kernel, as stated in the
libnftnl and nftables projects.
Reference: https://git.netfilter.org/nftables/tree/src/netlink_linearize.c?id=25e7b99cc450490c38becb03d8bddd0199cfd3f9#n174
Otherwise, having a hash expression similar to this:
```
ip daddr set jhash tcp sport mod 2 seed 0x0 map { 0 : 192.168.0.1, 1 : 192.168.2.2 }
```
ends up setting only the first IP and ignoring the second one.
Signed-off-by: Rafael Campos <methril@gmail.com>
2023-08-03 08:14:23 +02:00
black-desk
8a10f68900
Add address field for expr tproxy ( #231 )
...
* Add address field for expr tproxy
Signed-off-by: black-desk <me@black-desk.cn>
Co-authored-by: MrRedhat <Redhatminzhe@Gmail.com>
2023-07-10 08:38:01 +02:00
Rafael Campos
98de8c8ac9
expr: Add Hash to the expr type
...
Add the Hash type to the expr read parser.
Signed-off-by: Rafael Campos <methril@gmail.com>
2023-06-14 20:10:15 +02:00
black-desk
b18665a6ec
Implement socket expr ( #222 )
...
Signed-off-by: black-desk <me@black-desk.cn>
2023-05-06 10:49:33 +02:00
turekt
9aa6fdf5a2
Masq marshal fix ( #214 )
...
Fixes https://github.com/google/nftables/issues/213
2023-01-15 21:51:35 +01:00
turekt
130caa4c31
Reject expression fix ( #206 )
...
Added missing reject expression to exprsFromMsg
2022-11-07 20:04:33 +01:00
turekt
c89a57ce19
Flowtables implementation ( #201 )
...
Added flowtables implementation | Added flow_offload expression | Added tests
2022-11-01 07:48:00 +01:00
Andrew LeFevre
d007ae63f1
fix queue expression getting skipped when unmarshaling rules ( #197 )
2022-10-15 19:08:15 +02:00
vsandonis
0aa65c0fdd
Fix Objref expression parsing ( #193 )
...
The Objref expression was not considered when parsing raw expressions
bytes to construct nftables expressions.
Add unit test to check that a rule with an Objref expression is
properly obtained by GetRules().
Signed-off-by: Victor Sandonis Consuegra <vsandonis@ibm.com>
2022-09-28 18:33:16 +02:00
turekt
e4bff45b7f
IsDestRegSet unmarshaling fix ( #178 )
...
Fixes https://github.com/google/nftables/issues/176 | Added test case
2022-08-30 19:03:33 +02:00
Rafael Campos Las Heras
2eca001357
Fix Meta unmarshal when is Source Register ( #174 )
...
The Meta nftables expression was not filling the Register and SourceRegister
fields when unmarshalling.
Add a check for NFTA_META_SREG message when unmarshalling to fill the Meta
fields.
Add Unit Test for source and destination unmarshall.
Signed-off-by: Rafael Campos <rafael.campos.lasheras@ibm.com>
2022-08-08 17:45:52 +02:00
turekt
ec1e802faf
Added dynset exprs support ( #173 )
...
fixes https://github.com/google/nftables/issues/172
- Rearranged `exprFromMsg` function
- Rearranged limit expr marshaling logic
- Added dynamic flag for sets
- Implemented connlimit
- Added missing constants
- Added tests
2022-07-29 18:32:59 +02:00
thediveo
8ea944061f
add typed xtables information un/marshalling
...
more tests and fixes
more info support; refactoring
2022-05-15 23:12:26 +02:00
thediveo
3e042f75d7
refactor: pass table family when un/marshalling expr
2022-05-15 23:12:26 +02:00
TheDiveO
aeea153026
un/marshal Match and Target expressions ( #163 )
2022-05-12 17:33:22 +02:00
Rafael Campos Las Heras
950e408d48
Fix range expression unmarshalling
...
Fix the range expression unmarshalling on the `FromData` and `ToData`
Range expression fields.
2022-04-07 21:54:05 +02:00
Rafael Campos Las Heras
d46a80e963
Fix payload unmarshall operation type.
...
When unmarshalling the Payload expression the operation type is not
updated. Apply the same logic for unmarshalling that we apply for
marshalling.
2022-04-07 21:54:05 +02:00
Ben de Graaff
2ba518ec5c
Unmarshal Exthdr and support DestRegister/Flags for reads ( #151 ) ( #152 )
...
* Unmarshal Exthdr and support DestRegister/Flags for reads
Some fields in Exthdr are context-sensitive. Mixing unexpected fields
will result in EOPNOTSUPP.
* Fix order in which Exthdr attributes are written
2022-04-05 21:44:27 +02:00
Gustavo Iñiguez Goia
5a9391c12f
Added support for quota expression ( #149 )
2022-03-29 18:00:11 +02:00
turekt
211824995d
Log expression refactor ( #147 )
...
Fixes https://github.com/google/nftables/issues/113
Log expression implementation changed to better support different log options
Added uint16 support to the binaryutil package
Changed old log expression tests that were failing after change
Added a new test to check the implementation for multiple log options
2022-02-21 22:42:39 +01:00
pengyuan.dai
5573dab9cc
Add CtStateBit constants and related usage test #121 ( #122 )
...
fixes #121
2021-05-14 16:05:40 +02:00
Paul Greenberg
c25e4f69b4
fix: unmarshaling verdicts with chain information ( #106 )
...
Before this commit: the unmarshaling of a verdict pointing
to a chain fails.
After this commit: the unmarshaling of a rule with a verdict
pointing to a chain succeeds and the information about the
chain gets put in `Verdict.Chain`.
Resolves: #105
Signed-off-by: Paul Greenberg <greenpau@outlook.com>
2020-08-02 19:55:06 +02:00
Grégoire Delattre
7127d9d224
Add support for rate limiting ( #101 )
2020-03-16 08:58:19 +01:00
Grégoire Delattre
21c5c5c425
Add missing VerdictKind ( #99 )
2020-03-06 11:32:18 +01:00
Serguei Bezverkhi
1c56a1906f
Add Dynset expression and unit test ( #97 )
...
* Add dynset expression and unit test
Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>
2020-02-10 11:14:20 +01:00
Alexis PIRES
9a6c96795b
Stateless NAT and notrack support ( #82 )
2019-12-17 21:54:26 +01:00
Alexis PIRES
e2e83d0ff5
Add dup expr support ( #81 )
2019-12-13 23:35:06 +01:00
Serguei Bezverkhi
9dee196925
Add expression and tests for numgen ( #77 )
...
Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>
2019-11-28 09:43:38 +01:00
Serguei Bezverkhi
e0f4f3f8f8
Add bitwise decoder logic ( #71 )
2019-11-07 15:38:12 +01:00
Minaru
35de0a609f
Hash expr implementation ( #68 )
...
* [expr] Implement Hash expr.
* [test] Add Hash test case.
2019-10-19 08:53:53 +02:00
Maxime Demode
71337b220c
[expr] Add SourceRegister field and modify marshal function to work with it.
2019-10-15 18:31:07 +02:00
Maxime Demode
3c7d959797
[expr] Replace Key type in Ct struct by CtKey.
2019-10-15 18:02:12 +02:00
Maxime Demode
29d7aa173f
[expr] Create CtKey type and add const values.
2019-10-15 18:01:31 +02:00
Serguei Bezverkhi
5d14089d2e
Adding to nat expression additional parameters ( #59 )
...
* Change in dnat logic to cover all combinations
Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>
* Add parameter to cover all possible nat combinations
Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>
2019-09-06 08:28:27 +02:00
Serguei Bezverkhi
4b2264477a
lookup dest reg check fix ( #57 )
...
Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>
2019-08-31 09:36:20 +02:00
Serguei Bezverkhi
85a78b5285
Adding Fib expression and unit tests ( #54 )
2019-08-27 08:49:06 +02:00
Serguei Bezverkhi
d514535a0c
Reject expression and Unit tests ( #53 )
2019-08-26 09:57:52 +02:00
Serguei Bezverkhi
ec0390b058
Extend Masq support and add unit testing ( #52 )
2019-08-25 23:43:47 +02:00
Serguei Bezverkhi
6925991d82
Meta SREG and DREG ( #51 )
...
* meta requires to use source and destination registers
Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>
2019-08-19 23:36:36 +02:00
Serguei Bezverkhi
9907ca3831
Add log expression and test ( #42 )
...
Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>
2019-08-01 12:41:37 -07:00
Serguei Bezverkhi
7895e345f5
Add Connection tracking expression and test ( #38 )
...
Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>
2019-07-20 13:20:42 +02:00
Serguei Bezverkhi
7a68526274
tproxy expression support and test ( #32 )
...
Add support for tproxy expression
Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>
2019-06-30 01:06:32 +02:00
Serguei Bezverkhi
8d26daf060
Implement range expression ( #22 )
...
Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>
fixes #19
2019-06-05 13:15:05 +02:00