* [PATCH net-next] netlink: specs: nftables: allow decode of default firewalld ruleset
From: Florian Westphal @ 2024-09-02 8:57 UTC (permalink / raw)
To: netdev; +Cc: netfilter-devel, Florian Westphal, Donald Hunter
This update allows listing default firewalld ruleset on Fedora 40 via
tools/net/ynl/cli.py --spec \
Documentation/netlink/specs/nftables.yaml --dump getrule
Default ruleset uses fib, reject and objref expressions which were
missing.
Other missing expressions can be added later.
Improve decoding while at it:
- add bitwise, ct and lookup attributes
- wire up the quota expression
- translate raw verdict codes to a human readable name, e.g.
'code': 4294967293 becomes 'code': 'jump'.
Cc: Donald Hunter <donald.hunter@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
Documentation/netlink/specs/nftables.yaml | 253 +++++++++++++++++++++-
1 file changed, 249 insertions(+), 4 deletions(-)
diff --git a/Documentation/netlink/specs/nftables.yaml b/Documentation/netlink/specs/nftables.yaml
index dff2a18f3d90..aba4772cd262 100644
--- a/Documentation/netlink/specs/nftables.yaml
+++ b/Documentation/netlink/specs/nftables.yaml
@@ -62,6 +62,13 @@ definitions:
- sdif
- sdifname
- bri-broute
+ -
+ name: bitwise-ops
+ type: enum
+ entries:
+ - bool
+ - lshift
+ - rshift
-
name: cmp-ops
type: enum
@@ -125,6 +132,98 @@ definitions:
- object
- concat
- expr
+ -
+ name: lookup-flags
+ type: flags
+ entries:
+ - invert
+ -
+ name: ct-keys
+ type: enum
+ entries:
+ - state
+ - direction
+ - status
+ - mark
+ - secmark
+ - expiration
+ - helper
+ - l3protocol
+ - src
+ - dst
+ - protocol
+ - proto-src
+ - proto-dst
+ - labels
+ - pkts
+ - bytes
+ - avgpkt
+ - zone
+ - eventmask
+ - src-ip
+ - dst-ip
+ - src-ip6
+ - dst-ip6
+ - ct-id
+ -
+ name: ct-direction
+ type: enum
+ entries:
+ - original
+ - reply
+ -
+ name: quota-flags
+ type: flags
+ entries:
+ - invert
+ - depleted
+ -
+ name: verdict-code
+ type: enum
+ entries:
+ - name: continue
+ value: 0xffffffff
+ - name: break
+ value: 0xfffffffe
+ - name: jump
+ value: 0xfffffffd
+ - name: goto
+ value: 0xfffffffc
+ - name: return
+ value: 0xfffffffb
+ - name: drop
+ value: 0
+ - name: accept
+ value: 1
+ - name: stolen
+ value: 2
+ - name: queue
+ value: 3
+ - name: repeat
+ value: 4
+ -
+ name: fib-result
+ type: enum
+ entries:
+ - oif
+ - oifname
+ -
+ name: fib-flags
+ type: flags
+ entries:
+ - saddr
+ - daddr
+ - mark
+ - iif
+ - oif
+ - present
+ -
+ name: reject-types
+ type: enum
+ entries:
+ - icmp-unreach
+ - tcp-rst
+ - icmpx-unreach
attribute-sets:
-
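Review bot: fib-result enumerates only oif and oifname, so any fib expression whose result attribute carries a third value will decode as an unknown number rather than a name; the follow-up in this thread asks whether addrtype was intentionally left out and the author says a v2 is coming, so the enum should be completed before this is applied. The verdict-code entries otherwise line up with the commit message's example (0xfffffffd decoding as 'jump').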
@@ -611,9 +710,10 @@ attribute-sets:
type: u64
byte-order: big-endian
-
- name: flags # TODO
+ name: flags
type: u32
byte-order: big-endian
+ enum: quota-flags
-
name: pad
type: pad
@@ -664,6 +764,38 @@ attribute-sets:
name: devs
type: nest
nested-attributes: hook-dev-attrs
+ -
+ name: expr-bitwise-attrs
+ attributes:
+ -
+ name: sreg
+ type: u32
+ byte-order: big-endian
+ -
+ name: dreg
+ type: u32
+ byte-order: big-endian
+ -
+ name: len
+ type: u32
+ byte-order: big-endian
+ -
+ name: mask
+ type: nest
+ nested-attributes: data-attrs
+ -
+ name: xor
+ type: nest
+ nested-attributes: data-attrs
+ -
+ name: op
+ type: u32
+ byte-order: big-endian
+ enum: bitwise-ops
+ -
+ name: data
+ type: nest
+ nested-attributes: data-attrs
-
name: expr-cmp-attrs
attributes:
@@ -698,6 +830,7 @@ attribute-sets:
name: code
type: u32
byte-order: big-endian
+ enum: verdict-code
-
name: chain
type: string
@@ -718,6 +851,43 @@ attribute-sets:
-
name: pad
type: pad
+ -
+ name: expr-fib-attrs
+ attributes:
+ -
+ name: dreg
+ type: u32
+ byte-order: big-endian
+ -
+ name: result
+ type: u32
+ byte-order: big-endian
+ enum: fib-result
+ -
+ name: flags
+ type: u32
+ byte-order: big-endian
+ enum: fib-flags
+ -
+ name: expr-ct-attrs
+ attributes:
+ -
+ name: dreg
+ type: u32
+ byte-order: big-endian
+ -
+ name: key
+ type: u32
+ byte-order: big-endian
+ enum: ct-keys
+ -
+ name: direction
+ type: u8
+ enum: ct-direction
+ -
+ name: sreg
+ type: u32
+ byte-order: big-endian
-
name: expr-flow-offload-attrs
attributes:
@@ -736,6 +906,31 @@ attribute-sets:
name: data
type: nest
nested-attributes: data-attrs
+ -
+ name: expr-lookup-attrs
+ attributes:
+ -
+ name: set
+ type: string
+ doc: Name of set to use
+ -
+ name: set id
+ type: u32
+ byte-order: big-endian
+ doc: ID of set to use
+ -
+ name: sreg
+ type: u32
+ byte-order: big-endian
+ -
+ name: dreg
+ type: u32
+ byte-order: big-endian
+ -
+ name: flags
+ type: u32
+ byte-order: big-endian
+ enum: lookup-flags
-
name: expr-meta-attrs
attributes:
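Review bot: the attribute name `set id` in expr-lookup-attrs contains a space, while every other multi-word name in this file is hyphenated (set-id, set-sreg, imm-name, csum-flags); it should read `name: set-id` so the generated identifier is well-formed and consistent with the set-id attribute added to expr-objref-attrs later in this patch.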
@@ -820,6 +1015,17 @@ attribute-sets:
name: csum-flags
type: u32
byte-order: big-endian
+ -
+ name: expr-reject-attrs
+ attributes:
+ -
+ name: type
+ type: u32
+ byte-order: big-endian
+ enum: reject-types
+ -
+ name: icmp-code
+ type: u8
-
name: expr-tproxy-attrs
attributes:
@@ -835,13 +1041,38 @@ attribute-sets:
name: reg-port
type: u32
byte-order: big-endian
+ -
+ name: expr-objref-attrs
+ attributes:
+ -
+ name: imm-type
+ type: u32
+ byte-order: big-endian
+ -
+ name: imm-name
+ type: string
+ doc: object name
+ -
+ name: set-sreg
+ type: u32
+ byte-order: big-endian
+ -
+ name: set-name
+ type: string
+ doc: name of object map
+ -
+ name: set-id
+ type: u32
+ byte-order: big-endian
+ doc: id of object map
sub-messages:
-
name: expr-ops
formats:
-
- value: bitwise # TODO
+ value: bitwise
+ attribute-set: expr-bitwise-attrs
-
value: cmp
attribute-set: expr-cmp-attrs
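Review bot: the doc strings in expr-objref-attrs are lowercase fragments ('object name', 'name of object map', 'id of object map') whereas expr-lookup-attrs uses sentence case ('Name of set to use'); pick one style. imm-type is left as a bare u32 with neither an enum nor a doc line, so unlike the verdict codes this patch translates, a reader of the dump cannot tell which object type an objref expression points at; a short doc: would help until an enum is wired up.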
@@ -849,7 +1080,11 @@ sub-messages:
value: counter
attribute-set: expr-counter-attrs
-
- value: ct # TODO
+ value: ct
+ attribute-set: expr-ct-attrs
+ -
+ value: fib
+ attribute-set: expr-fib-attrs
-
value: flow_offload
attribute-set: expr-flow-offload-attrs
@@ -857,16 +1092,26 @@ sub-messages:
value: immediate
attribute-set: expr-immediate-attrs
-
- value: lookup # TODO
+ value: lookup
+ attribute-set: expr-lookup-attrs
-
value: meta
attribute-set: expr-meta-attrs
-
value: nat
attribute-set: expr-nat-attrs
+ -
+ value: objref
+ attribute-set: expr-objref-attrs
-
value: payload
attribute-set: expr-payload-attrs
+ -
+ value: quota
+ attribute-set: quota-attrs
+ -
+ value: reject
+ attribute-set: expr-reject-attrs
-
value: tproxy
attribute-set: expr-tproxy-attrs
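Review bot: quota is the only format here whose attribute-set does not follow the expr-<name>-attrs naming, pointing at quota-attrs instead (presumably the set whose flags attribute the earlier hunk annotates with quota-flags). If that set is intentionally shared with the quota object, a one-line comment or doc: on this format entry would make the reuse explicit for the next person who reads the spec.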
--
2.46.0
* Re: [PATCH net-next] netlink: specs: nftables: allow decode of default firewalld ruleset
From: Donald Hunter @ 2024-09-02 10:41 UTC (permalink / raw)
To: Florian Westphal; +Cc: netdev, netfilter-devel
Florian Westphal <fw@strlen.de> writes:
> This update allows listing default firewalld ruleset on Fedora 40 via
> tools/net/ynl/cli.py --spec \
> Documentation/netlink/specs/nftables.yaml --dump getrule
>
> Default ruleset uses fib, reject and objref expressions which were
> missing.
>
> Other missing expressions can be added later.
>
> Improve decoding while at it:
> - add bitwise, ct and lookup attributes
> - wire up the quota expression
> - translate raw verdict codes to a human readable name, e.g.
> 'code': 4294967293 becomes 'code': 'jump'.
>
> Cc: Donald Hunter <donald.hunter@gmail.com>
> Signed-off-by: Florian Westphal <fw@strlen.de>
One minor question below, otherwise LGTM.
Reviewed-by: Donald Hunter <donald.hunter@gmail.com>
> + name: fib-result
> + type: enum
> + entries:
> + - oif
> + - oifname
Did you intentionally leave out addrtype from the enum?
* Re: [PATCH net-next] netlink: specs: nftables: allow decode of default firewalld ruleset
From: Florian Westphal @ 2024-09-02 11:22 UTC (permalink / raw)
To: Donald Hunter; +Cc: Florian Westphal, netdev, netfilter-devel
Donald Hunter <donald.hunter@gmail.com> wrote:
> Florian Westphal <fw@strlen.de> writes:
>
> > This update allows listing default firewalld ruleset on Fedora 40 via
> > tools/net/ynl/cli.py --spec \
> > Documentation/netlink/specs/nftables.yaml --dump getrule
> >
> > Default ruleset uses fib, reject and objref expressions which were
> > missing.
> >
> > Other missing expressions can be added later.
> >
> > Improve decoding while at it:
> > - add bitwise, ct and lookup attributes
> > - wire up the quota expression
> > - translate raw verdict codes to a human readable name, e.g.
> > 'code': 4294967293 becomes 'code': 'jump'.
> >
> > Cc: Donald Hunter <donald.hunter@gmail.com>
> > Signed-off-by: Florian Westphal <fw@strlen.de>
>
> One minor question below, otherwise LGTM.
>
> Reviewed-by: Donald Hunter <donald.hunter@gmail.com>
>
>
> > + name: fib-result
> > + type: enum
> > + entries:
> > + - oif
> > + - oifname
>
> Did you intentionally leave out addrtype from the enum?
No, I'm just incompetent.
Will send a v2 tomorrow.