[nftables 0/4] misc improvements and cleaning

[nftables 0/4] misc improvements and cleaning

[Eric Leblond]

Hello Pablo,

Here's a small patchset. This is a series of patches on nftables
which appear to be needed when I've play a bit with it.

Patchset statistics:
 files/nftables/bridge-filter |  6 +++---
 files/nftables/ipv4-filter   |  6 +++---
 files/nftables/ipv4-mangle   |  6 +-----
 files/nftables/ipv4-nat      |  6 ++++++
 files/nftables/ipv4-raw      |  6 ------
 files/nftables/ipv4-security |  7 -------
 files/nftables/ipv6-filter   |  6 +++---
 files/nftables/ipv6-mangle   |  6 +-----
 files/nftables/ipv6-nat      |  6 ++++++
 files/nftables/ipv6-raw      |  6 ------
 files/nftables/ipv6-security |  7 -------
 src/netlink_linearize.c      |  4 ++++
 src/rule.c                   | 20 +++++++++++++++++++-
 13 files changed, 46 insertions(+), 46 deletions(-)

BR,
--
Eric

[nftables PATCH 1/4] nat: add mandatory family attribute

[Eric Leblond]

NFT_EXPR_NAT_FAMILY is a mandatory attribute for NAT rules and
it was not set by nftables.

Signed-off-by: Eric Leblond <eric@regit.org>
---
 src/netlink_linearize.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 427fdb6..72c59e5 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -572,10 +572,14 @@ static void netlink_gen_nat_stmt(struct netlink_linearize_ctx *ctx,
 	enum nft_registers amin_reg, amax_reg;
 	enum nft_registers pmin_reg, pmax_reg;
 	int registers = 0;
+	int family;
 
 	nle = alloc_nft_expr("nat");
 	nft_rule_expr_set_u32(nle, NFT_EXPR_NAT_TYPE, stmt->nat.type);
 
+	family = nft_rule_attr_get_u32(ctx->nlr, NFT_RULE_ATTR_FAMILY);
+	nft_rule_expr_set_u32(nle, NFT_EXPR_NAT_FAMILY, family);
+
 	if (stmt->nat.addr) {
 		amin_reg = get_register(ctx);
 		registers++;
-- 
1.8.4.rc3

[nftables PATCH 2/4] Suppress non working examples.

[Eric Leblond]

Signed-off-by: Eric Leblond <eric@regit.org>
---
 files/nftables/ipv4-raw      | 6 ------
 files/nftables/ipv4-security | 7 -------
 files/nftables/ipv6-raw      | 6 ------
 files/nftables/ipv6-security | 7 -------
 4 files changed, 26 deletions(-)
 delete mode 100644 files/nftables/ipv4-raw
 delete mode 100644 files/nftables/ipv4-security
 delete mode 100644 files/nftables/ipv6-raw
 delete mode 100644 files/nftables/ipv6-security

diff --git a/files/nftables/ipv4-raw b/files/nftables/ipv4-raw
deleted file mode 100644
index 6bc2181..0000000
--- a/files/nftables/ipv4-raw
+++ /dev/null
@@ -1,6 +0,0 @@
-#! nft -f
-
-table raw {
-	chain prerouting	{ hook NF_INET_PRE_ROUTING	-300; }
-	chain output		{ hook NF_INET_LOCAL_OUT	-300; }
-}
diff --git a/files/nftables/ipv4-security b/files/nftables/ipv4-security
deleted file mode 100644
index 3ac5bd2..0000000
--- a/files/nftables/ipv4-security
+++ /dev/null
@@ -1,7 +0,0 @@
-#! nft -f
-
-table security {
-	chain input		{ hook NF_INET_LOCAL_IN		50; }
-	chain forward		{ hook NF_INET_FORWARD		50; }
-	chain output		{ hook NF_INET_LOCAL_OUT	50; }
-}
diff --git a/files/nftables/ipv6-raw b/files/nftables/ipv6-raw
deleted file mode 100644
index 54940ca..0000000
--- a/files/nftables/ipv6-raw
+++ /dev/null
@@ -1,6 +0,0 @@
-#! nft -f
-
-table ip6 raw {
-	chain prerouting	{ hook NF_INET_PRE_ROUTING	-2147483647; }
-	chain output		{ hook NF_INET_LOCAL_OUT	-2147483647; }
-}
diff --git a/files/nftables/ipv6-security b/files/nftables/ipv6-security
deleted file mode 100644
index f379bfd..0000000
--- a/files/nftables/ipv6-security
+++ /dev/null
@@ -1,7 +0,0 @@
-#! nft -f
-
-table ip6 security {
-	chain input		{ hook NF_INET_LOCAL_IN		50; }
-	chain forward		{ hook NF_INET_FORWARD		50; }
-	chain output		{ hook NF_INET_LOCAL_OUT	50; }
-}
-- 
1.8.4.rc3

[nftables PATCH 3/4] Update chain creation format.

[Eric Leblond]

type keyword is now mandatory when creating a new chain. This
patc halso implement the change required following the usage of human
notation in hook.

It also suppressed non currently supported mangle chains.

Signed-off-by: Eric Leblond <eric@regit.org>
---
 files/nftables/bridge-filter | 6 +++---
 files/nftables/ipv4-filter   | 6 +++---
 files/nftables/ipv4-mangle   | 6 +-----
 files/nftables/ipv4-nat      | 6 ++++++
 files/nftables/ipv6-filter   | 6 +++---
 files/nftables/ipv6-mangle   | 6 +-----
 files/nftables/ipv6-nat      | 6 ++++++
 7 files changed, 23 insertions(+), 19 deletions(-)
 create mode 100644 files/nftables/ipv4-nat
 create mode 100644 files/nftables/ipv6-nat

diff --git a/files/nftables/bridge-filter b/files/nftables/bridge-filter
index ca306d4..6ed303e 100644
--- a/files/nftables/bridge-filter
+++ b/files/nftables/bridge-filter
@@ -1,7 +1,7 @@
 #! nft -f
 
 table bridge filter {
-	chain input		{ hook NF_INET_LOCAL_IN		-200; }
-	chain forward		{ hook NF_INET_FORWARD		-200; }
-	chain output		{ hook NF_INET_LOCAL_OUT	200; }
+	chain input		{ table filter hook input priority -200; }
+	chain forward		{ table filter hook forward priority -200; }
+	chain output		{ table filter hook output priority 200; }
 }
diff --git a/files/nftables/ipv4-filter b/files/nftables/ipv4-filter
index 3f96214..3174e7a 100644
--- a/files/nftables/ipv4-filter
+++ b/files/nftables/ipv4-filter
@@ -1,7 +1,7 @@
 #! nft -f
 
 table filter {
-	chain input		{ hook NF_INET_LOCAL_IN		0; }
-	chain forward		{ hook NF_INET_FORWARD		0; }
-	chain output		{ hook NF_INET_LOCAL_OUT	0; }
+	chain input		{ type filter hook input priority 0; }
+	chain forward		{ type filter hook forward priority 0; }
+	chain output		{ type filter hook output priority 0; }
 }
diff --git a/files/nftables/ipv4-mangle b/files/nftables/ipv4-mangle
index 339cace..27327d3 100644
--- a/files/nftables/ipv4-mangle
+++ b/files/nftables/ipv4-mangle
@@ -1,9 +1,5 @@
 #! nft -f
 
 table mangle {
-	chain prerouting	{ hook NF_INET_PRE_ROUTING	-150; }
-	chain input		{ hook NF_INET_LOCAL_IN		-150; }
-	chain forward		{ hook NF_INET_FORWARD		-150; }
-	chain output		{ hook NF_INET_LOCAL_OUT	-150; }
-	chain postrouting	{ hook NF_INET_POST_ROUTING	-150; }
+	chain output		{ type route hook output priority -150; }
 }
diff --git a/files/nftables/ipv4-nat b/files/nftables/ipv4-nat
new file mode 100644
index 0000000..99d6951
--- /dev/null
+++ b/files/nftables/ipv4-nat
@@ -0,0 +1,6 @@
+#! nft -f
+
+table nat {
+	chain prerouting	{ type nat hook prerouting priority -150; }
+	chain postrouting	{ type nat hook postrouting priority -150; }
+}
diff --git a/files/nftables/ipv6-filter b/files/nftables/ipv6-filter
index 9e41278..98fce02 100644
--- a/files/nftables/ipv6-filter
+++ b/files/nftables/ipv6-filter
@@ -1,7 +1,7 @@
 #! nft -f
 
 table ip6 filter {
-	chain input		{ hook NF_INET_LOCAL_IN		0; }
-	chain forward		{ hook NF_INET_FORWARD		0; }
-	chain output		{ hook NF_INET_LOCAL_OUT	0; }
+	chain input		{ type filter hook input priority 0; }
+	chain forward		{ type filter hook forward priority 0; }
+	chain output		{ type filter hook output priority 0; }
 }
diff --git a/files/nftables/ipv6-mangle b/files/nftables/ipv6-mangle
index dc18c7a..7274353 100644
--- a/files/nftables/ipv6-mangle
+++ b/files/nftables/ipv6-mangle
@@ -1,9 +1,5 @@
 #! nft -f
 
 table ip6 mangle {
-	chain prerouting	{ hook NF_INET_PRE_ROUTING	-150; }
-	chain input		{ hook NF_INET_LOCAL_IN		-150; }
-	chain forward		{ hook NF_INET_FORWARD		-150; }
-	chain output		{ hook NF_INET_LOCAL_OUT	-150; }
-	chain postrouting	{ hook NF_INET_POST_ROUTING	-150; }
+	chain output		{ type route hook output priority -150; }
 }
diff --git a/files/nftables/ipv6-nat b/files/nftables/ipv6-nat
new file mode 100644
index 0000000..33ecf9b
--- /dev/null
+++ b/files/nftables/ipv6-nat
@@ -0,0 +1,6 @@
+#! nft -f
+
+table ip6 nat {
+	chain prerouting	{ type nat hook prerouting priority -150; }
+	chain postrouting	{ type nat hook postrouting priority -150; }
+}
-- 
1.8.4.rc3

[nftables PATCH 4/4] display family in table listing.

[Eric Leblond]

As family was not displayed in table listing, it was not possible
to restore an ipv6 table saved via 'nft list table ip6 TABLE'.

Signed-off-by: Eric Leblond <eric@regit.org>
---
 src/rule.c | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/src/rule.c b/src/rule.c
index 2cf024a..52f5e16 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -269,6 +269,23 @@ struct chain *chain_lookup(const struct table *table, const struct handle *h)
 	return NULL;
 }
 
+static const char *family2str(unsigned int family)
+{
+	switch (family) {
+		case NFPROTO_IPV4:
+			return "ip";
+		case NFPROTO_IPV6:
+			return "ip6";
+		case NFPROTO_ARP:
+			return "arp";
+		case NFPROTO_BRIDGE:
+			return "bridge";
+		default:
+			break;
+	}
+	return "unknown";
+}
+
 static const char *hooknum2str(unsigned int family, unsigned int hooknum)
 {
 	switch (family) {
@@ -371,8 +388,9 @@ static void table_print(const struct table *table)
 	struct chain *chain;
 	struct set *set;
 	const char *delim = "";
+	const char *family = family2str(table->handle.family);
 
-	printf("table %s {\n", table->handle.table);
+	printf("table %s %s {\n", family, table->handle.table);
 	list_for_each_entry(set, &table->sets, list) {
 		if (set->flags & SET_F_ANONYMOUS)
 			continue;
-- 
1.8.4.rc3

Re: [nftables PATCH 3/4] Update chain creation format.

[Florian Westphal]

Eric Leblond <eric@regit.org> wrote:
> type keyword is now mandatory when creating a new chain. This
> patc halso implement the change required following the usage of human
> notation in hook.

> diff --git a/files/nftables/bridge-filter b/files/nftables/bridge-filter
> index ca306d4..6ed303e 100644
> --- a/files/nftables/bridge-filter
> +++ b/files/nftables/bridge-filter
> @@ -1,7 +1,7 @@
>  #! nft -f
>  
>  table bridge filter {
> -	chain input		{ hook NF_INET_LOCAL_IN		-200; }
> -	chain forward		{ hook NF_INET_FORWARD		-200; }
> -	chain output		{ hook NF_INET_LOCAL_OUT	200; }
> +	chain input		{ table filter hook input priority -200; }
> +	chain forward		{ table filter hook forward priority -200; }
> +	chain output		{ table filter hook output priority 200; }
>  }

Did you mean 'type filter' instead of 'table' here?

Re: [nftables PATCH 3/4] Update chain creation format.

[Eric Leblond]

[-- Attachment #1: Type: text/plain, Size: 1042 bytes --]

Hi,

Le lundi 16 septembre 2013 à 22:21 +0200, Florian Westphal a écrit :
> Eric Leblond <eric@regit.org> wrote:
> > type keyword is now mandatory when creating a new chain. This
> > patc halso implement the change required following the usage of human
> > notation in hook.
> 
> > diff --git a/files/nftables/bridge-filter b/files/nftables/bridge-filter
> > index ca306d4..6ed303e 100644
> > --- a/files/nftables/bridge-filter
> > +++ b/files/nftables/bridge-filter
> > @@ -1,7 +1,7 @@
> >  #! nft -f
> >  
> >  table bridge filter {
> > -	chain input		{ hook NF_INET_LOCAL_IN		-200; }
> > -	chain forward		{ hook NF_INET_FORWARD		-200; }
> > -	chain output		{ hook NF_INET_LOCAL_OUT	200; }
> > +	chain input		{ table filter hook input priority -200; }
> > +	chain forward		{ table filter hook forward priority -200; }
> > +	chain output		{ table filter hook output priority 200; }
> >  }
> 
> Did you mean 'type filter' instead of 'table' here?

Argh! (Banging head on the desk) Yes, good catch.

BR,
--
Eric

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 190 bytes --]

Re: [nftables 0/4] misc improvements and cleaning

[Pablo Neira Ayuso]

On Mon, Sep 16, 2013 at 06:27:34PM +0200, Eric Leblond wrote:
> Hello Pablo,
> 
> Here's a small patchset. This is a series of patches on nftables
> which appear to be needed when I've play a bit with it.

Applied, I have mangled the one that Florian spotted the mistake.
Thanks.