Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

netlink: specs: nftables: allow decode of default firewalld ruleset

This update allows listing the default firewalld ruleset on Fedora 40 via
tools/net/ynl/cli.py --spec \
Documentation/netlink/specs/nftables.yaml --dump getrule

Default ruleset uses fib, reject and objref expressions which were
missing.

Other missing expressions can be added later.

Improve decoding while at it:
- add bitwise, ct and lookup attributes
- wire up the quota expression
- translate raw verdict codes to a human readable name, e.g.
'code': 4294967293 becomes 'code': 'jump'.

v2: forgot fib addrtype in enum list (Donald Hunter)

Reviewed-by: Donald Hunter <donald.hunter@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Link: https://patch.msgid.link/20240902214112.2549-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
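As an added illustration (not code from this commit or from the ynl tool), the following Python models how a netlink spec `enum` or `flags` definition, like the ones this patch adds to nftables.yaml, turns a raw u32 attribute value into a name. It uses the `verdict-code`, `fib-result`, `fib-flags` and `ct-direction` definitions exactly as they appear in the diff, and assumes a simplified model of ynl's numbering (implicit enum entries count up from 0, implicit flags entries occupy successive bit positions); the real decoder lives in tools/net/ynl/lib/ and is not reproduced here. The sample attribute dict with the chain name "example-chain" is constructed. The reason 4294967293 reads as `jump` is that the kernel defines the NFT_JUMP verdict as -3, which is 0xfffffffd when stored in an unsigned 32-bit register.

```python
# Added example: model of enum/flags decoding for netlink spec definitions.
# Not part of the kernel commit or of ynl; the numbering rules below are an
# assumption (simplified from ynl), and the sample rule attributes are constructed.

from typing import Any, Union

# Constructed, trimmed copies of definitions from the commit's nftables.yaml hunks
# (same names and values as in the diff).
SPEC_DEFINITIONS: list[dict[str, Any]] = [
    {"name": "verdict-code", "type": "enum", "entries": [
        {"name": "continue", "value": 0xffffffff},
        {"name": "break", "value": 0xfffffffe},
        {"name": "jump", "value": 0xfffffffd},
        {"name": "goto", "value": 0xfffffffc},
        {"name": "return", "value": 0xfffffffb},
        {"name": "drop", "value": 0},
        {"name": "accept", "value": 1},
        {"name": "stolen", "value": 2},
        {"name": "queue", "value": 3},
        {"name": "repeat", "value": 4},
    ]},
    {"name": "fib-result", "type": "enum",
     "entries": ["oif", "oifname", "addrtype"]},
    {"name": "fib-flags", "type": "flags",
     "entries": ["saddr", "daddr", "mark", "iif", "oif", "present"]},
    {"name": "ct-direction", "type": "enum", "entries": ["original", "reply"]},
]


def build_enum_table(definition: dict[str, Any]) -> dict[int, str]:
    """Map raw values to entry names for one enum/flags definition.

    Assumed rules: an entry given as {name, value} uses its explicit value;
    a bare string entry gets the next sequential value (enum) or the next
    free bit (flags).
    """
    table: dict[int, str] = {}
    next_value = 0   # next implicit enum value
    next_bit = 0     # next implicit flag bit position
    for entry in definition["entries"]:
        if isinstance(entry, dict):
            name, value = entry["name"], int(entry["value"])
        elif definition["type"] == "flags":
            name, value = entry, 1 << next_bit
        else:
            name, value = entry, next_value
        if definition["type"] == "flags":
            next_bit = value.bit_length()   # continue above the highest bit used
        else:
            next_value = value + 1
        table[value] = name
    return table


TABLES: dict[str, dict[int, str]] = {
    d["name"]: build_enum_table(d) for d in SPEC_DEFINITIONS
}


def as_u32(value: int) -> int:
    """View a possibly negative kernel constant (e.g. NFT_JUMP == -3) as u32."""
    return value & 0xffffffff


def decode_enum(enum_name: str, raw: int) -> Union[str, int]:
    """Translate a raw value to its enum name; unknown values pass through."""
    return TABLES[enum_name].get(as_u32(raw), raw)


def decode_flags(flags_name: str, raw: int) -> list[str]:
    """Expand a flags bitmask into names, lowest bit first; unknown bits stay hex."""
    table = TABLES[flags_name]
    names: list[str] = []
    remaining, bit = as_u32(raw), 0
    while remaining:
        if remaining & 1:
            value = 1 << bit
            names.append(table.get(value, f"0x{value:x}"))
        remaining >>= 1
        bit += 1
    return names


def decode_verdict(attrs: dict[str, Any]) -> dict[str, Any]:
    """Apply the verdict-code translation to a decoded verdict attribute dict."""
    decoded = dict(attrs)
    if "code" in decoded:
        decoded["code"] = decode_enum("verdict-code", decoded["code"])
    return decoded


if __name__ == "__main__":
    # Constructed sample: what a raw verdict looks like before and after translation.
    print(decode_verdict({"code": 4294967293, "chain": "example-chain"}))
    print(decode_flags("fib-flags", 0x21))
```

Running the block prints the translated verdict (`'code': 'jump'`) and the flag list `['saddr', 'present']` for the constructed mask 0x21; passing a negative kernel constant such as -3 through `decode_enum` gives the same name, which is the point of masking to u32 before the lookup.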

authored by Florian Westphal and committed by Jakub Kicinski
d2088ca8 1232e93b

+250 -4
Documentation/netlink/specs/nftables.yaml
··· 63 63 - sdifname 64 64 - bri-broute 65 65 - 66 + name: bitwise-ops 67 + type: enum 68 + entries: 69 + - bool 70 + - lshift 71 + - rshift 72 + - 66 73 name: cmp-ops 67 74 type: enum 68 75 entries: ··· 132 125 - object 133 126 - concat 134 127 - expr 128 + - 129 + name: lookup-flags 130 + type: flags 131 + entries: 132 + - invert 133 + - 134 + name: ct-keys 135 + type: enum 136 + entries: 137 + - state 138 + - direction 139 + - status 140 + - mark 141 + - secmark 142 + - expiration 143 + - helper 144 + - l3protocol 145 + - src 146 + - dst 147 + - protocol 148 + - proto-src 149 + - proto-dst 150 + - labels 151 + - pkts 152 + - bytes 153 + - avgpkt 154 + - zone 155 + - eventmask 156 + - src-ip 157 + - dst-ip 158 + - src-ip6 159 + - dst-ip6 160 + - ct-id 161 + - 162 + name: ct-direction 163 + type: enum 164 + entries: 165 + - original 166 + - reply 167 + - 168 + name: quota-flags 169 + type: flags 170 + entries: 171 + - invert 172 + - depleted 173 + - 174 + name: verdict-code 175 + type: enum 176 + entries: 177 + - name: continue 178 + value: 0xffffffff 179 + - name: break 180 + value: 0xfffffffe 181 + - name: jump 182 + value: 0xfffffffd 183 + - name: goto 184 + value: 0xfffffffc 185 + - name: return 186 + value: 0xfffffffb 187 + - name: drop 188 + value: 0 189 + - name: accept 190 + value: 1 191 + - name: stolen 192 + value: 2 193 + - name: queue 194 + value: 3 195 + - name: repeat 196 + value: 4 197 + - 198 + name: fib-result 199 + type: enum 200 + entries: 201 + - oif 202 + - oifname 203 + - addrtype 204 + - 205 + name: fib-flags 206 + type: flags 207 + entries: 208 + - saddr 209 + - daddr 210 + - mark 211 + - iif 212 + - oif 213 + - present 214 + - 215 + name: reject-types 216 + type: enum 217 + entries: 218 + - icmp-unreach 219 + - tcp-rst 220 + - icmpx-unreach 135 221 136 222 attribute-sets: 137 223 - ··· 711 611 type: u64 712 612 byte-order: big-endian 713 613 - 714 - name: flags # TODO 614 + name: flags 715 615 type: u32 716 616 byte-order: big-endian 617 + 
enum: quota-flags 717 618 - 718 619 name: pad 719 620 type: pad ··· 766 665 type: nest 767 666 nested-attributes: hook-dev-attrs 768 667 - 668 + name: expr-bitwise-attrs 669 + attributes: 670 + - 671 + name: sreg 672 + type: u32 673 + byte-order: big-endian 674 + - 675 + name: dreg 676 + type: u32 677 + byte-order: big-endian 678 + - 679 + name: len 680 + type: u32 681 + byte-order: big-endian 682 + - 683 + name: mask 684 + type: nest 685 + nested-attributes: data-attrs 686 + - 687 + name: xor 688 + type: nest 689 + nested-attributes: data-attrs 690 + - 691 + name: op 692 + type: u32 693 + byte-order: big-endian 694 + enum: bitwise-ops 695 + - 696 + name: data 697 + type: nest 698 + nested-attributes: data-attrs 699 + - 769 700 name: expr-cmp-attrs 770 701 attributes: 771 702 - ··· 831 698 name: code 832 699 type: u32 833 700 byte-order: big-endian 701 + enum: verdict-code 834 702 - 835 703 name: chain 836 704 type: string ··· 853 719 name: pad 854 720 type: pad 855 721 - 722 + name: expr-fib-attrs 723 + attributes: 724 + - 725 + name: dreg 726 + type: u32 727 + byte-order: big-endian 728 + - 729 + name: result 730 + type: u32 731 + byte-order: big-endian 732 + enum: fib-result 733 + - 734 + name: flags 735 + type: u32 736 + byte-order: big-endian 737 + enum: fib-flags 738 + - 739 + name: expr-ct-attrs 740 + attributes: 741 + - 742 + name: dreg 743 + type: u32 744 + byte-order: big-endian 745 + - 746 + name: key 747 + type: u32 748 + byte-order: big-endian 749 + enum: ct-keys 750 + - 751 + name: direction 752 + type: u8 753 + enum: ct-direction 754 + - 755 + name: sreg 756 + type: u32 757 + byte-order: big-endian 758 + - 856 759 name: expr-flow-offload-attrs 857 760 attributes: 858 761 - ··· 907 736 name: data 908 737 type: nest 909 738 nested-attributes: data-attrs 739 + - 740 + name: expr-lookup-attrs 741 + attributes: 742 + - 743 + name: set 744 + type: string 745 + doc: Name of set to use 746 + - 747 + name: set id 748 + type: u32 749 + byte-order: big-endian 
750 + doc: ID of set to use 751 + - 752 + name: sreg 753 + type: u32 754 + byte-order: big-endian 755 + - 756 + name: dreg 757 + type: u32 758 + byte-order: big-endian 759 + - 760 + name: flags 761 + type: u32 762 + byte-order: big-endian 763 + enum: lookup-flags 910 764 - 911 765 name: expr-meta-attrs 912 766 attributes: ··· 1017 821 type: u32 1018 822 byte-order: big-endian 1019 823 - 824 + name: expr-reject-attrs 825 + attributes: 826 + - 827 + name: type 828 + type: u32 829 + byte-order: big-endian 830 + enum: reject-types 831 + - 832 + name: icmp-code 833 + type: u8 834 + - 1020 835 name: expr-tproxy-attrs 1021 836 attributes: 1022 837 - ··· 1042 835 name: reg-port 1043 836 type: u32 1044 837 byte-order: big-endian 838 + - 839 + name: expr-objref-attrs 840 + attributes: 841 + - 842 + name: imm-type 843 + type: u32 844 + byte-order: big-endian 845 + - 846 + name: imm-name 847 + type: string 848 + doc: object name 849 + - 850 + name: set-sreg 851 + type: u32 852 + byte-order: big-endian 853 + - 854 + name: set-name 855 + type: string 856 + doc: name of object map 857 + - 858 + name: set-id 859 + type: u32 860 + byte-order: big-endian 861 + doc: id of object map 1045 862 1046 863 sub-messages: 1047 864 - 1048 865 name: expr-ops 1049 866 formats: 1050 867 - 1051 - value: bitwise # TODO 868 + value: bitwise 869 + attribute-set: expr-bitwise-attrs 1052 870 - 1053 871 value: cmp 1054 872 attribute-set: expr-cmp-attrs ··· 1081 849 value: counter 1082 850 attribute-set: expr-counter-attrs 1083 851 - 1084 - value: ct # TODO 852 + value: ct 853 + attribute-set: expr-ct-attrs 854 + - 855 + value: fib 856 + attribute-set: expr-fib-attrs 1085 857 - 1086 858 value: flow_offload 1087 859 attribute-set: expr-flow-offload-attrs ··· 1093 857 value: immediate 1094 858 attribute-set: expr-immediate-attrs 1095 859 - 1096 - value: lookup # TODO 860 + value: lookup 861 + attribute-set: expr-lookup-attrs 1097 862 - 1098 863 value: meta 1099 864 attribute-set: expr-meta-attrs ··· 1102 
865 value: nat 1103 866 attribute-set: expr-nat-attrs 1104 867 - 868 + value: objref 869 + attribute-set: expr-objref-attrs 870 + - 1105 871 value: payload 1106 872 attribute-set: expr-payload-attrs 873 + - 874 + value: quota 875 + attribute-set: quota-attrs 876 + - 877 + value: reject 878 + attribute-set: expr-reject-attrs 1107 879 - 1108 880 value: tproxy 1109 881 attribute-set: expr-tproxy-attrs
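Review bot: In the expr-lookup-attrs hunk the second attribute is spelled `name: set id` with a space, while every other multi-word attribute in this patch uses a hyphen (`set-sreg`, `set-name` and `set-id` in expr-objref-attrs, `imm-name`, `icmp-code`); whatever consumes the spec will surface it under that spaced name, which is inconsistent and easy to mistype. Suggest `name: set-id` to match the objref naming.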
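Review bot: In the expr-ops sub-messages hunk, `value: quota` points at `attribute-set: quota-attrs`, while the other newly wired expressions (`bitwise`, `ct`, `fib`, `lookup`, `objref`, `reject`) all point at `expr-*-attrs` sets added in this patch. This appears to reuse the existing attribute set whose `flags` attribute drops its `# TODO` and gains `enum: quota-flags` earlier in the diff; a short `doc:` line stating that the expression shares the object's attribute set would save the next reader from hunting for a missing `expr-quota-attrs`.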