162 Commits

Author SHA1 Message Date
Fernando Fernandez Mancera
dd25d61281 expr: meta: introduce ibrhwaddr meta expression
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
2025-10-14 18:28:54 +02:00
Phil Sutter
f30eae26d8 utils: Add helpers for interface name wildcards
Support simple (suffix) wildcards in NFTNL_{CHAIN,FLOWTABLE}_DEVICES
identified by NFTA_DEVICE_PREFIX attribute. Add helpers converting to
and from the human-readable asterisk-suffix notation.

Signed-off-by: Phil Sutter <phil@nwl.cc>
2025-09-30 23:02:32 +02:00
Florian Westphal
56e37303ed trace: add support for TRACE_CT information
Decode direction/id/state/status information.
This will be used by 'nftables monitor trace' to print a packet's
conntrack state.

Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
2025-07-04 10:34:39 +02:00
Florian Westphal
81d19bc4a5 set: dump set backend name (hash, rbtree...) and elem count, if available
In case kernel provided the information do include it in debug dump:

nft --debug=netlink list ruleset
family 2 s t 0 backend nft_set_rhash_type
family 2 __set0 t 3 size 3 backend nft_set_hash_fast_type count 3
family 2 __set1 t 3 size 2 backend nft_set_bitmap_type count 2
[..]

Signed-off-by: Florian Westphal <fw@strlen.de>
2025-06-22 19:38:17 +02:00
Jeremy Sowden
12bd1aea52 include: add new bitwise boolean attributes to nf_tables.h
The kernel now has native support for AND, OR and XOR bitwise
operations.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2024-11-19 16:05:41 +01:00
Pablo Neira Ayuso
faab4a3007 include: refresh nf_tables.h copy
Fetch what we have in the kernel tree.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2024-10-12 19:18:09 +02:00
Phil Sutter
9da7658c6e include: Sync nf_log.h with kernel headers
Next patch needs NF_LOG_PREFIXLEN define.

Signed-off-by: Phil Sutter <phil@nwl.cc>
2024-03-06 15:40:37 +01:00
Sriram Yagnaraman
86a5461dad expr: meta: introduce broute meta expression
libnftnl support for broute meta statement introduced in:
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230224095251.11249-1-sriram.yagnaraman@est.tech/

Signed-off-by: Sriram Yagnaraman <sriram.yagnaraman@est.tech>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2023-03-15 12:40:49 +01:00
Pablo Neira Ayuso
3f3909afd7 expr: add inner support
This patch adds support for the inner expression which allows you to
match on the inner tunnel headers, e.g. VxLAN.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2023-01-02 15:15:48 +01:00
Pablo Neira Ayuso
8a6d0073f0 expr: payload: print inner header base offset
Update string array to print the "inner" header string, instead of
printing "unknown".

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2021-11-17 11:05:11 +01:00
Pablo Neira Ayuso
cd3c21e618 expr: missing netlink attribute in last expression
NFTA_LAST_SET is missing, add it.

Fixes: ed7c442c2d04 ("expr: add last match time support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2021-06-10 20:48:21 +02:00
Pablo Neira Ayuso
7af5f32171 include: update nf_tables.h
Get header in sync with 5.13.0-rc.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2021-06-08 19:59:10 +02:00
Pablo Neira Ayuso
88baf77b09 expr: socket: add cgroups v2 support
Add NFT_SOCKET_CGROUPSV2 key type and NFTA_SOCKET_LEVEL attribute.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2021-05-03 00:14:55 +02:00
Pablo Neira Ayuso
985955fe41 table: add table owner support
Add support for NFTA_TABLE_OWNER.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2021-03-01 16:18:22 +01:00
Pablo Neira Ayuso
7d010b8f5b src: add NFTNL_SET_ELEM_EXPRESSIONS
NFTNL_SET_ELEM_EXPR defines the stateful expression type that this
element stores. This is useful to restore runtime set element stateful
expressions (when saving, then reboot and restore).

This patch adds support for the set element expression list, which
generalizes NFTNL_SET_ELEM_EXPR.

This patch also adds nftnl_set_elem_add_expr() to add new expressions to
set elements and nftnl_set_elem_expr_foreach() to iterate over the list
of expressions.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2020-12-17 15:38:41 +01:00
Pablo Neira Ayuso
4bbe82df9c expr: socket: add wildcard support
Add missing NFT_SOCKET_WILDCARD definition.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2020-10-12 03:22:16 +02:00
Jose M. Guisado Gomez
76b82c4258 chain: add userdata and comment support
Adds NFTNL_CHAIN_USERDATA, in order to support userdata for chains.

Adds NFTNL_UDATA_CHAIN_COMMENT chain userdata type to support storing a
comment.

Relies on NFTA_CHAIN_USERDATA.

Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2020-09-30 12:08:06 +02:00
Jose M. Guisado Gomez
e0dfd0df70 object: add userdata and comment support
This patch adds NFTNL_OBJ_USERDATA to support userdata for objects.

Also adds NFTNL_UDATA_OBJ_COMMENT to support comments for objects,
stored in userdata space.

Bumps libnftnl.map to 15 as nftnl_obj_get_data needs to be exported to
enable getting object attributes/data.

Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2020-09-08 16:39:23 +02:00
Jose M. Guisado Gomez
99be0e6d06 table: add userdata support
This patch adds NFT_TABLE_USERDATA and NFTNL_UDATA_TABLE_COMMENT to
support table comments.

Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2020-08-28 19:32:18 +02:00
Pablo Neira Ayuso
20e0e8f2be src: add support for chain ID attribute
This patch allows you to refer to chains via the chain ID. The semantics
are similar to the NFTA_RULE_ID attribute.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2020-07-21 02:34:29 +02:00
Pablo Neira Ayuso
60e6d9bc76 include: update nf_tables.h.
Get header in sync with 5.7.0-rc.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2020-03-31 20:52:36 +02:00
Pablo Neira Ayuso
c76d36a1a2 set: support for NFTNL_SET_EXPR
This patch adds support for the NFTA_SET_EXPR netlink attribute.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2020-03-17 14:14:27 +01:00
Jeremy Sowden
8db0a9417b include: update nf_tables.h.
Pick up a couple of new bitwise netlink attributes.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2020-03-02 13:09:19 +01:00
Stefano Brivio
131a6c2fa4 include: resync nf_tables.h cache copy
Get this header in sync with nf-next as of merge commit
b3a608222336 (5.6-rc1-ish).

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2020-02-05 15:49:11 +01:00
Jeremy Sowden
3fb5640916 include: update nf_tables.h.
The kernel UAPI header includes a couple of new bitwise netlink
attributes and an enum.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2020-01-18 21:23:29 +01:00
Florian Westphal
6079297fff expr: meta: add slave device matching
Cc: Martin Willi <martin@strongswan.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
2020-01-03 13:05:15 +01:00
Pablo Neira Ayuso
d1c4b98c73 flowtable: remove NFTA_FLOWTABLE_SIZE
Never defined in upstream Linux kernel uAPI, remove it.

Reported-by: Eric Garver <eric@garver.life>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Eric Garver <eric@garver.life>
2019-11-18 19:31:29 +01:00
Pablo Neira Ayuso
e3ac19b5ec chain: multi-device support
Add support for NFTA_HOOK_DEVS.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2019-10-28 11:02:41 +01:00
Fernando Fernandez Mancera
609a13fc29 src: synproxy stateful object support
This patch adds synproxy stateful object support.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2019-09-10 22:47:53 +02:00
Ander Juaristi
f4c6574ac0 expr: meta: Make NFT_DYNSET_OP_DELETE known
Signed-off-by: Ander Juaristi <a@juaristi.eus>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2019-08-27 14:58:03 +02:00
Ander Juaristi
4e6a11c67b expr: meta: Make NFT_META_TIME_{NS, DAY, HOUR} known
Signed-off-by: Ander Juaristi <a@juaristi.eus>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2019-08-27 14:13:21 +02:00
Pablo Neira Ayuso
239fabea9a include: resync nf_tables.h cache copy
Get this header in sync with 5.3-rc1.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2019-08-13 21:45:02 +02:00
Phil Sutter
2e8cbec5c3 expr: meta: Make NFT_META_{I,O}IFKIND known
This only affects debug output, the key was properly handled in
productive code paths already.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2019-07-18 20:04:45 +02:00
Fernando Fernandez Mancera
a6a2d0c9fd src: add synproxy support
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2019-07-06 00:03:55 +02:00
Stephen Suryaputra
60d9378df4 src: add support for matching IPv4 options
Add capability to have rules matching IPv4 options. This is developed
mainly to support dropping of IP packets with loose and/or strict source
route options.

Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2019-07-04 14:24:54 +02:00
Brett Mastbergen
3587ad1e75 src: Add ct id support
The 'id' key returns the id of the connection entry.

Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2019-06-21 17:47:58 +02:00
Stéphane Veyret
c4b6aa09b8 src: add ct expectation support
Add support for ct expectation objects, used to define specific
expectations.

Signed-off-by: Stéphane Veyret <sveyret@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2019-06-19 13:11:13 +02:00
Fernando Fernandez Mancera
05123215d4 expr: osf: add version option support
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2019-04-08 23:46:19 +02:00
Phil Sutter
7a7137adf6 src: rule: Support NFTA_RULE_POSITION_ID attribute
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2019-01-28 11:12:57 +01:00
Laura Garcia Liebana
abd42d9a8d Revert "expr: add map lookups for hash statements"
A better way to implement this from userspace has been found without
specific code in the kernel side, revert this.

Fixes: bb4b75aea5c0 ("expr: add map lookups for hash statements")
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2019-01-28 11:00:13 +01:00
Laura Garcia Liebana
acdd360a65 Revert "expr: add map lookups for numgen statements"
A better way to implement this from userspace has been found without
specific code in the kernel side, revert this.

Fixes: b97f45c2ebaa ("expr: add map lookups for numgen statements")
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2019-01-28 11:00:07 +01:00
Fernando Fernandez Mancera
1f5373b14d expr: osf: add ttl option support
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-10-15 14:04:27 +02:00
Christian Göttsche
aaf20ad0dc src: add support for new secmark object
The new object will hold security context strings.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-10-09 00:12:28 +02:00
Florian Westphal
f4621a6f87 expr: add xfrm support
Joint work with Máté Eckl.

Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-09-21 11:59:50 +02:00
Florian Westphal
43146d504c expr: rt: ipsec match support
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-09-21 11:58:42 +02:00
Harsha Sharma
0adceeab15 src: add ct timeout support
Add support for ct timeout objects, used to assign connection tracking
timeout policies.

Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-08-13 12:29:43 +02:00
Pablo Neira Ayuso
42468fb6df expr: add support for matching tunnel metadata
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-08-06 13:35:05 +02:00
Pablo Neira Ayuso
ea63a05272 obj: add tunnel support
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-08-06 13:35:00 +02:00
Fernando Fernandez Mancera
7f7850fd39 expr: add osf support
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-07-30 14:10:47 +02:00
Máté Eckl
c5a9819552 expr: Add tproxy support
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-07-30 14:10:24 +02:00