Skip to content

Commit

Permalink
netlink: specs: nftables: allow decode of default firewalld ruleset
Browse files Browse the repository at this point in the history 
This update allows listing default firewalld ruleset on Fedora 40 via
  tools/net/ynl/cli.py --spec \
     Documentation/netlink/specs/nftables.yaml --dump getrule

Default ruleset uses fib, reject and objref expressions which were
missing.

Other missing expressions can be added later.

Improve decoding while at it:
- add bitwise, ct and lookup attributes
- wire up the quota expression
- translate raw verdict codes to a human reable name, e.g.
  'code': 4294967293 becomes 'code': 'jump'.

v2: forgot fib addrtype in enum list (Donald Hunter)

Reviewed-by: Donald Hunter <donald.hunter@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Link: https://patch.msgid.link/20240902214112.2549-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
  • Loading branch information
Florian Westphal authored and Jakub Kicinski committed Sep 3, 2024
1 parent 1232e93 commit d2088ca
Showing 1 changed file with 250 additions and 4 deletions.
254 changes: 250 additions & 4 deletions Documentation/netlink/specs/nftables.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,13 @@ definitions:
- sdif
- sdifname
- bri-broute
-
name: bitwise-ops
type: enum
entries:
- bool
- lshift
- rshift
-
name: cmp-ops
type: enum
Expand Down Expand Up @@ -125,6 +132,99 @@ definitions:
- object
- concat
- expr
-
name: lookup-flags
type: flags
entries:
- invert
-
name: ct-keys
type: enum
entries:
- state
- direction
- status
- mark
- secmark
- expiration
- helper
- l3protocol
- src
- dst
- protocol
- proto-src
- proto-dst
- labels
- pkts
- bytes
- avgpkt
- zone
- eventmask
- src-ip
- dst-ip
- src-ip6
- dst-ip6
- ct-id
-
name: ct-direction
type: enum
entries:
- original
- reply
-
name: quota-flags
type: flags
entries:
- invert
- depleted
-
name: verdict-code
type: enum
entries:
- name: continue
value: 0xffffffff
- name: break
value: 0xfffffffe
- name: jump
value: 0xfffffffd
- name: goto
value: 0xfffffffc
- name: return
value: 0xfffffffb
- name: drop
value: 0
- name: accept
value: 1
- name: stolen
value: 2
- name: queue
value: 3
- name: repeat
value: 4
-
name: fib-result
type: enum
entries:
- oif
- oifname
- addrtype
-
name: fib-flags
type: flags
entries:
- saddr
- daddr
- mark
- iif
- oif
- present
-
name: reject-types
type: enum
entries:
- icmp-unreach
- tcp-rst
- icmpx-unreach

attribute-sets:
-
Expand Down Expand Up @@ -611,9 +711,10 @@ attribute-sets:
type: u64
byte-order: big-endian
-
name: flags # TODO
name: flags
type: u32
byte-order: big-endian
enum: quota-flags
-
name: pad
type: pad
Expand Down Expand Up @@ -664,6 +765,38 @@ attribute-sets:
name: devs
type: nest
nested-attributes: hook-dev-attrs
-
name: expr-bitwise-attrs
attributes:
-
name: sreg
type: u32
byte-order: big-endian
-
name: dreg
type: u32
byte-order: big-endian
-
name: len
type: u32
byte-order: big-endian
-
name: mask
type: nest
nested-attributes: data-attrs
-
name: xor
type: nest
nested-attributes: data-attrs
-
name: op
type: u32
byte-order: big-endian
enum: bitwise-ops
-
name: data
type: nest
nested-attributes: data-attrs
-
name: expr-cmp-attrs
attributes:
Expand Down Expand Up @@ -698,6 +831,7 @@ attribute-sets:
name: code
type: u32
byte-order: big-endian
enum: verdict-code
-
name: chain
type: string
Expand All @@ -718,6 +852,43 @@ attribute-sets:
-
name: pad
type: pad
-
name: expr-fib-attrs
attributes:
-
name: dreg
type: u32
byte-order: big-endian
-
name: result
type: u32
byte-order: big-endian
enum: fib-result
-
name: flags
type: u32
byte-order: big-endian
enum: fib-flags
-
name: expr-ct-attrs
attributes:
-
name: dreg
type: u32
byte-order: big-endian
-
name: key
type: u32
byte-order: big-endian
enum: ct-keys
-
name: direction
type: u8
enum: ct-direction
-
name: sreg
type: u32
byte-order: big-endian
-
name: expr-flow-offload-attrs
attributes:
Expand All @@ -736,6 +907,31 @@ attribute-sets:
name: data
type: nest
nested-attributes: data-attrs
-
name: expr-lookup-attrs
attributes:
-
name: set
type: string
doc: Name of set to use
-
name: set id
type: u32
byte-order: big-endian
doc: ID of set to use
-
name: sreg
type: u32
byte-order: big-endian
-
name: dreg
type: u32
byte-order: big-endian
-
name: flags
type: u32
byte-order: big-endian
enum: lookup-flags
-
name: expr-meta-attrs
attributes:
Expand Down Expand Up @@ -820,6 +1016,17 @@ attribute-sets:
name: csum-flags
type: u32
byte-order: big-endian
-
name: expr-reject-attrs
attributes:
-
name: type
type: u32
byte-order: big-endian
enum: reject-types
-
name: icmp-code
type: u8
-
name: expr-tproxy-attrs
attributes:
Expand All @@ -835,38 +1042,77 @@ attribute-sets:
name: reg-port
type: u32
byte-order: big-endian
-
name: expr-objref-attrs
attributes:
-
name: imm-type
type: u32
byte-order: big-endian
-
name: imm-name
type: string
doc: object name
-
name: set-sreg
type: u32
byte-order: big-endian
-
name: set-name
type: string
doc: name of object map
-
name: set-id
type: u32
byte-order: big-endian
doc: id of object map

sub-messages:
-
name: expr-ops
formats:
-
value: bitwise # TODO
value: bitwise
attribute-set: expr-bitwise-attrs
-
value: cmp
attribute-set: expr-cmp-attrs
-
value: counter
attribute-set: expr-counter-attrs
-
value: ct # TODO
value: ct
attribute-set: expr-ct-attrs
-
value: fib
attribute-set: expr-fib-attrs
-
value: flow_offload
attribute-set: expr-flow-offload-attrs
-
value: immediate
attribute-set: expr-immediate-attrs
-
value: lookup # TODO
value: lookup
attribute-set: expr-lookup-attrs
-
value: meta
attribute-set: expr-meta-attrs
-
value: nat
attribute-set: expr-nat-attrs
-
value: objref
attribute-set: expr-objref-attrs
-
value: payload
attribute-set: expr-payload-attrs
-
value: quota
attribute-set: quota-attrs
-
value: reject
attribute-set: expr-reject-attrs
-
value: tproxy
attribute-set: expr-tproxy-attrs
Expand Down

0 comments on commit d2088ca

Please sign in to comment.