netlink: specs: nftables: allow decode of default firewalld ruleset

This update allows listing default firewalld ruleset on Fedora 40 via tools/net/ynl/cli.py --spec \ Documentation/netlink/specs/nftables.yaml --dump getrule Default ruleset uses fib, reject and objref expressions which were missing. Other missing expressions can be added later. Improve decoding while at it: - add bitwise, ct and lookup attributes - wire up the quota expression - translate raw verdict codes to a human reable name, e.g. 'code': 4294967293 becomes 'code': 'jump'. v2: forgot fib addrtype in enum list (Donald Hunter) Reviewed-by: Donald Hunter <donald.hunter@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de> Link: https://patch.msgid.link/20240902214112.2549-1-fw@strlen.deSigned-off-by: Jakub Kicinski <kuba@kernel.org>

netlink: specs: nftables: allow decode of default firewalld ruleset
This update allows listing default firewalld ruleset on Fedora 40 via tools/net/ynl/cli.py --spec \ Documentation/netlink/specs/nftables.yaml --dump getrule Default ruleset uses fib, reject and objref expressions which were missing. Other missing expressions can be added later. Improve decoding while at it: - add bitwise, ct and lookup attributes - wire up the quota expression - translate raw verdict codes to a human reable name, e.g. 'code': 4294967293 becomes 'code': 'jump'. v2: forgot fib addrtype in enum list (Donald Hunter) Reviewed-by: Donald Hunter <donald.hunter@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de> Link: https://patch.msgid.link/20240902214112.2549-1-fw@strlen.deSigned-off-by: Jakub Kicinski <kuba@kernel.org>
d2088ca8 · Florian Westphal · Jakub Kicinski · 1232e93b · d2088ca8
Commit d2088ca8 authored Sep 02, 2024 by Florian Westphal Committed by Jakub Kicinski Sep 03, 2024
Hide whitespace changes
Inline Side-by-side

Showing with 250 additions and 4 deletions

Documentation/netlink/specs/nftables.yaml Documentation/netlink/specs/nftables.yaml +250 -4

No files found.
--- a/Documentation/netlink/specs/nftables.yaml
+++ b/Documentation/netlink/specs/nftables.yaml
@@ -62,6 +62,13 @@ definitions:
      - sdif
      - sdifname
      - bri-broute
+  -
+    name: bitwise-ops
+    type: enum
+    entries:
+      - bool
+      - lshift
+      - rshift
  -
    name: cmp-ops
    type: enum
@@ -125,6 +132,99 @@ definitions:
      - object
      - concat
      - expr
+  -
+    name: lookup-flags
+    type: flags
+    entries:
+      - invert
+  -
+    name: ct-keys
+    type: enum
+    entries:
+      - state
+      - direction
+      - status
+      - mark
+      - secmark
+      - expiration
+      - helper
+      - l3protocol
+      - src
+      - dst
+      - protocol
+      - proto-src
+      - proto-dst
+      - labels
+      - pkts
+      - bytes
+      - avgpkt
+      - zone
+      - eventmask
+      - src-ip
+      - dst-ip
+      - src-ip6
+      - dst-ip6
+      - ct-id
+  -
+    name: ct-direction
+    type: enum
+    entries:
+      - original
+      - reply
+  -
+    name: quota-flags
+    type: flags
+    entries:
+      - invert
+      - depleted
+  -
+    name: verdict-code
+    type: enum
+    entries:
+      - name: continue
+        value: 0xffffffff
+      - name: break
+        value: 0xfffffffe
+      - name: jump
+        value: 0xfffffffd
+      - name: goto
+        value: 0xfffffffc
+      - name: return
+        value: 0xfffffffb
+      - name: drop
+        value: 0
+      - name: accept
+        value: 1
+      - name: stolen
+        value: 2
+      - name: queue
+        value: 3
+      - name: repeat
+        value: 4
+  -
+    name: fib-result
+    type: enum
+    entries:
+      - oif
+      - oifname
+      - addrtype
+  -
+    name: fib-flags
+    type: flags
+    entries:
+      - saddr
+      - daddr
+      - mark
+      - iif
+      - oif
+      - present
+  -
+    name: reject-types
+    type: enum
+    entries:
+      - icmp-unreach
+      - tcp-rst
+      - icmpx-unreach
 attribute-sets:
  -
@@ -611,9 +711,10 @@ attribute-sets:
        type: u64
        byte-order: big-endian
      -
-        name: flags # TODO
+        name: flags
        type: u32
        byte-order: big-endian
+        enum: quota-flags
      -
        name: pad
        type: pad
@@ -664,6 +765,38 @@ attribute-sets:
        name: devs
        type: nest
        nested-attributes: hook-dev-attrs
+  -
+    name: expr-bitwise-attrs
+    attributes:
+      -
+        name: sreg
+        type: u32
+        byte-order: big-endian
+      -
+        name: dreg
+        type: u32
+        byte-order: big-endian
+      -
+        name: len
+        type: u32
+        byte-order: big-endian
+      -
+        name: mask
+        type: nest
+        nested-attributes: data-attrs
+      -
+        name: xor
+        type: nest
+        nested-attributes: data-attrs
+      -
+        name: op
+        type: u32
+        byte-order: big-endian
+        enum: bitwise-ops
+      -
+        name: data
+        type: nest
+        nested-attributes: data-attrs
  -
    name: expr-cmp-attrs
    attributes:
@@ -698,6 +831,7 @@ attribute-sets:
        name: code
        type: u32
        byte-order: big-endian
+        enum: verdict-code
      -
        name: chain
        type: string
@@ -718,6 +852,43 @@ attribute-sets:
      -
        name: pad
        type: pad
+  -
+    name: expr-fib-attrs
+    attributes:
+      -
+        name: dreg
+        type: u32
+        byte-order: big-endian
+      -
+        name: result
+        type: u32
+        byte-order: big-endian
+        enum: fib-result
+      -
+        name: flags
+        type: u32
+        byte-order: big-endian
+        enum: fib-flags
+  -
+    name: expr-ct-attrs
+    attributes:
+      -
+        name: dreg
+        type: u32
+        byte-order: big-endian
+      -
+        name: key
+        type: u32
+        byte-order: big-endian
+        enum: ct-keys
+      -
+        name: direction
+        type: u8
+        enum: ct-direction
+      -
+        name: sreg
+        type: u32
+        byte-order: big-endian
  -
    name: expr-flow-offload-attrs
    attributes:
@@ -736,6 +907,31 @@ attribute-sets:
        name: data
        type: nest
        nested-attributes: data-attrs
+  -
+    name: expr-lookup-attrs
+    attributes:
+      -
+        name: set
+        type: string
+        doc: Name of set to use
+      -
+        name: set id
+        type: u32
+        byte-order: big-endian
+        doc: ID of set to use
+      -
+        name: sreg
+        type: u32
+        byte-order: big-endian
+      -
+        name: dreg
+        type: u32
+        byte-order: big-endian
+      -
+        name: flags
+        type: u32
+        byte-order: big-endian
+        enum: lookup-flags
  -
    name: expr-meta-attrs
    attributes:
@@ -820,6 +1016,17 @@ attribute-sets:
        name: csum-flags
        type: u32
        byte-order: big-endian
+  -
+    name: expr-reject-attrs
+    attributes:
+      -
+        name: type
+        type: u32
+        byte-order: big-endian
+        enum: reject-types
+      -
+        name: icmp-code
+        type: u8
  -
    name: expr-tproxy-attrs
    attributes:
@@ -835,13 +1042,38 @@ attribute-sets:
        name: reg-port
        type: u32
        byte-order: big-endian
+  -
+    name: expr-objref-attrs
+    attributes:
+      -
+        name: imm-type
+        type: u32
+        byte-order: big-endian
+      -
+        name: imm-name
+        type: string
+        doc: object name
+      -
+        name: set-sreg
+        type: u32
+        byte-order: big-endian
+      -
+        name: set-name
+        type: string
+        doc: name of object map
+      -
+        name: set-id
+        type: u32
+        byte-order: big-endian
+        doc: id of object map
 sub-messages:
  -
    name: expr-ops
    formats:
      -
-        value: bitwise # TODO
+        value: bitwise
+        attribute-set: expr-bitwise-attrs
      -
        value: cmp
        attribute-set: expr-cmp-attrs
@@ -849,7 +1081,11 @@ sub-messages:
        value: counter
        attribute-set: expr-counter-attrs
      -
-        value: ct # TODO
+        value: ct
+        attribute-set: expr-ct-attrs
+      -
+        value: fib
+        attribute-set: expr-fib-attrs
      -
        value: flow_offload
        attribute-set: expr-flow-offload-attrs
@@ -857,16 +1093,26 @@ sub-messages:
        value: immediate
        attribute-set: expr-immediate-attrs
      -
-        value: lookup # TODO
+        value: lookup
+        attribute-set: expr-lookup-attrs
      -
        value: meta
        attribute-set: expr-meta-attrs
      -
        value: nat
        attribute-set: expr-nat-attrs
+      -
+        value: objref
+        attribute-set: expr-objref-attrs
      -
        value: payload
        attribute-set: expr-payload-attrs
+      -
+        value: quota
+        attribute-set: quota-attrs
+      -
+        value: reject
+        attribute-set: expr-reject-attrs
      -
        value: tproxy
        attribute-set: expr-tproxy-attrs