Commit d2088ca8 authored by Florian Westphal's avatar Florian Westphal Committed by Jakub Kicinski
Browse files

netlink: specs: nftables: allow decode of default firewalld ruleset 



This update allows listing default firewalld ruleset on Fedora 40 via
  tools/net/ynl/cli.py --spec \
     Documentation/netlink/specs/nftables.yaml --dump getrule

Default ruleset uses fib, reject and objref expressions which were
missing.

Other missing expressions can be added later.

Improve decoding while at it:
- add bitwise, ct and lookup attributes
- wire up the quota expression
- translate raw verdict codes to a human reable name, e.g.
  'code': 4294967293 becomes 'code': 'jump'.

v2: forgot fib addrtype in enum list (Donald Hunter)

Reviewed-by: default avatarDonald Hunter <donald.hunter@gmail.com>
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Link: https://patch.msgid.link/20240902214112.2549-1-fw@strlen.de


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parent 1232e93b

Documentation/netlink/specs/nftables.yaml

+250 −4
Original line number Diff line number Diff line
@@ -62,6 +62,13 @@ definitions: 
      - sdif

      - sdifname

      - bri-broute

  -

    name: bitwise-ops

    type: enum

    entries:

      - bool

      - lshift

      - rshift

  -

    name: cmp-ops

    type: enum
@@ -125,6 +132,99 @@ definitions: 
      - object

      - concat

      - expr

  -

    name: lookup-flags

    type: flags

    entries:

      - invert

  -

    name: ct-keys

    type: enum

    entries:

      - state

      - direction

      - status

      - mark

      - secmark

      - expiration

      - helper

      - l3protocol

      - src

      - dst

      - protocol

      - proto-src

      - proto-dst

      - labels

      - pkts

      - bytes

      - avgpkt

      - zone

      - eventmask

      - src-ip

      - dst-ip

      - src-ip6

      - dst-ip6

      - ct-id

  -

    name: ct-direction

    type: enum

    entries:

      - original

      - reply

  -

    name: quota-flags

    type: flags

    entries:

      - invert

      - depleted

  -

    name: verdict-code

    type: enum

    entries:

      - name: continue

        value: 0xffffffff

      - name: break

        value: 0xfffffffe

      - name: jump

        value: 0xfffffffd

      - name: goto

        value: 0xfffffffc

      - name: return

        value: 0xfffffffb

      - name: drop

        value: 0

      - name: accept

        value: 1

      - name: stolen

        value: 2

      - name: queue

        value: 3

      - name: repeat

        value: 4

  -

    name: fib-result

    type: enum

    entries:

      - oif

      - oifname

      - addrtype

  -

    name: fib-flags

    type: flags

    entries:

      - saddr

      - daddr

      - mark

      - iif

      - oif

      - present

  -

    name: reject-types

    type: enum

    entries:

      - icmp-unreach

      - tcp-rst

      - icmpx-unreach



attribute-sets:

  -
@@ -611,9 +711,10 @@ attribute-sets: 
        type: u64

        byte-order: big-endian

      -

        name: flags # TODO

        name: flags

        type: u32

        byte-order: big-endian

        enum: quota-flags

      -

        name: pad

        type: pad
@@ -664,6 +765,38 @@ attribute-sets: 
        name: devs

        type: nest

        nested-attributes: hook-dev-attrs

  -

    name: expr-bitwise-attrs

    attributes:

      -

        name: sreg

        type: u32

        byte-order: big-endian

      -

        name: dreg

        type: u32

        byte-order: big-endian

      -

        name: len

        type: u32

        byte-order: big-endian

      -

        name: mask

        type: nest

        nested-attributes: data-attrs

      -

        name: xor

        type: nest

        nested-attributes: data-attrs

      -

        name: op

        type: u32

        byte-order: big-endian

        enum: bitwise-ops

      -

        name: data

        type: nest

        nested-attributes: data-attrs

  -

    name: expr-cmp-attrs

    attributes:
@@ -698,6 +831,7 @@ attribute-sets: 
        name: code

        type: u32

        byte-order: big-endian

        enum: verdict-code

      -

        name: chain

        type: string
@@ -718,6 +852,43 @@ attribute-sets: 
      -

        name: pad

        type: pad

  -

    name: expr-fib-attrs

    attributes:

      -

        name: dreg

        type: u32

        byte-order: big-endian

      -

        name: result

        type: u32

        byte-order: big-endian

        enum: fib-result

      -

        name: flags

        type: u32

        byte-order: big-endian

        enum: fib-flags

  -

    name: expr-ct-attrs

    attributes:

      -

        name: dreg

        type: u32

        byte-order: big-endian

      -

        name: key

        type: u32

        byte-order: big-endian

        enum: ct-keys

      -

        name: direction

        type: u8

        enum: ct-direction

      -

        name: sreg

        type: u32

        byte-order: big-endian

  -

    name: expr-flow-offload-attrs

    attributes:
@@ -736,6 +907,31 @@ attribute-sets: 
        name: data

        type: nest

        nested-attributes: data-attrs

  -

    name: expr-lookup-attrs

    attributes:

      -

        name: set

        type: string

        doc: Name of set to use

      -

        name: set id

        type: u32

        byte-order: big-endian

        doc: ID of set to use

      -

        name: sreg

        type: u32

        byte-order: big-endian

      -

        name: dreg

        type: u32

        byte-order: big-endian

      -

        name: flags

        type: u32

        byte-order: big-endian

        enum: lookup-flags

  -

    name: expr-meta-attrs

    attributes:
@@ -820,6 +1016,17 @@ attribute-sets: 
        name: csum-flags

        type: u32

        byte-order: big-endian

  -

    name: expr-reject-attrs

    attributes:

      -

        name: type

        type: u32

        byte-order: big-endian

        enum: reject-types

      -

        name: icmp-code

        type: u8

  -

    name: expr-tproxy-attrs

    attributes:
@@ -835,13 +1042,38 @@ attribute-sets: 
        name: reg-port

        type: u32

        byte-order: big-endian

  -

    name: expr-objref-attrs

    attributes:

      -

        name: imm-type

        type: u32

        byte-order: big-endian

      -

        name: imm-name

        type: string

        doc: object name

      -

        name: set-sreg

        type: u32

        byte-order: big-endian

      -

        name: set-name

        type: string

        doc: name of object map

      -

        name: set-id

        type: u32

        byte-order: big-endian

        doc: id of object map



sub-messages:

  -

    name: expr-ops

    formats:

      -

        value: bitwise # TODO

        value: bitwise

        attribute-set: expr-bitwise-attrs

      -

        value: cmp

        attribute-set: expr-cmp-attrs
@@ -849,7 +1081,11 @@ sub-messages: 
        value: counter

        attribute-set: expr-counter-attrs

      -

        value: ct # TODO

        value: ct

        attribute-set: expr-ct-attrs

      -

        value: fib

        attribute-set: expr-fib-attrs

      -

        value: flow_offload

        attribute-set: expr-flow-offload-attrs
@@ -857,16 +1093,26 @@ sub-messages: 
        value: immediate

        attribute-set: expr-immediate-attrs

      -

        value: lookup # TODO

        value: lookup

        attribute-set: expr-lookup-attrs

      -

        value: meta

        attribute-set: expr-meta-attrs

      -

        value: nat

        attribute-set: expr-nat-attrs

      -

        value: objref

        attribute-set: expr-objref-attrs

      -

        value: payload

        attribute-set: expr-payload-attrs

      -

        value: quota

        attribute-set: quota-attrs

      -

        value: reject

        attribute-set: expr-reject-attrs

      -

        value: tproxy

        attribute-set: expr-tproxy-attrs