| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
| |
kernel can only deal with byte-sized and byte-aligned payload
expressions.
If the payload expression doesn't fit this requirement userspace
has to add explicit binop masks to remove the unwanted part(s).
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We currently print 'unknown' rather than the raw offset values
for unrecognized header values.
If its unknown, prefer to print
payload @nh,0,16 set payload @nh,0,16
rather than 'unknown'.
Also add a helper to check if payload expression has a description
assigned to it.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
binop_adjust takes an expression whose LHS is expected to be
the binop expression that we use to adjust a payload expression
based on a mask (to match sub-byte headers like iphdr->version).
A followup patch has to pass the binop directly, so add
add a helper for it.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If you add a map with timeouts, eg.
# nft add table x
# nft add map x y { type ipv4_addr : ipv4_addr\; flags timeout\; }
The listing shows a set instead of a map:
# nft list ruleset
table ip x {
set y {
type ipv4_addr
flags timeout
}
}
This patch fixes the parser to keep the map flag around when timeout
flag (or any other flags) are specified.
This patch also comes with a regression test.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Adapt this code to the new interface that introduces
struct xt_xlate_{mt,tg}_params.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
... and fix missing line in ip6 test.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
payload set operations should work at least for byte-sized
quantities >= 2 byte.
Before adding support for odd-sized writes (ecn, dscp, ip6 flowlabel
...) add a bunch of tests to cover current state.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Instead of using /etc/xtables use the nftables syconfdir.
Also update error message to tell which label failed translation
and which config file was used for this:
nft add filter input ct label foo
<cmdline>:1:27-29: Error: /etc/nftables/connlabel.conf: could not parse conntrack label "foo"
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
"meta random" fills a register with a 32bit pseudo-random number.
For instance one can now use
meta random <= 2147483647
... to match every 2nd packet on average.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Add test to cover split table definition in one single file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
"redefinition" instead of "redfinition".
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
At compilation time, you have to pass this option.
# ./configure --with-xtables
And libxtables needs to be installed in your system.
This patch allows to list a ruleset containing xt extensions loaded
through iptables-compat-restore tool.
Example:
$ iptables-save > ruleset
$ cat ruleset
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m multiport --dports 80,81 -j REJECT
COMMIT
$ sudo iptables-compat-restore ruleset
$ sudo nft list rulseset
table ip filter {
chain INPUT {
type filter hook input priority 0; policy accept;
ip protocol tcp tcp dport { 80,81} counter packets 0 bytes 0 reject
}
chain FORWARD {
type filter hook forward priority 0; policy drop;
}
chain OUTPUT {
type filter hook output priority 0; policy accept;
}
}
A translation of the extension is shown if this is available. In other
case, match or target definition is preceded by a hash. For example,
classify target has not translation:
$ sudo nft list chain mangle POSTROUTING
table ip mangle {
chain POSTROUTING {
type filter hook postrouting priority -150; policy accept;
ip protocol tcp tcp dport 80 counter packets 0 bytes 0 # CLASSIFY set 20:10
^^^
}
}
If the whole ruleset is translatable, the users can (re)load it using
"nft -f" and get nft native support for all their rules.
This patch is joint work by the authors listed below.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Needed by the follow up xt compatibility layer patch.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
The xt over nft support that comes in follow up patches need this, and update
the corresponding Makefile.am.
Based on patch from Arturo Borrero Gonzalez.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Otherwise kernel bails out with EINVAL in case that the sets got no
timeout flag.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a new set_elem_expr_stmt production to handle dynamic set element
updates from rules.
Quickly tested this here through:
# nft add table filter
# nft add chain filter input { type filter hook input priority 0\; }
# nft add set filter myset { type inet_service\; flags timeout\; }
# nft add rule filter input set add tcp sport timeout 60s @myset
# nft list ruleset
table ip filter {
set myset {
type inet_service
flags timeout
elements = { http expires 9s}
}
chain input {
type filter hook input priority 0; policy accept;
set add tcp dport timeout 1m @myset
}
}
Fixes: a3e60492a684 ("parser: restrict relational rhs expression recursion")
Reported-by: Anders K. Pedersen <akp@akp.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Kernel expects milliseconds, so fix this datatype to use
milliseconds instead of seconds.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Add a configure switch to enable and disable PDF document generation.
This switch is to replace the current method of automatically detecting
dblatex and building the PDF documentation when present.
Signed-off-by: Nicholas Vinson <nvinson234@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Better use the local tree nft binary rather than the installed one.
Requested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch covers transactions using the flat syntax representation, eg.
add table x
add chain x y { type filter hook forward priority 0; }
add chain x y { policy drop; }
This also covers things like:
add element x whitelist { 1.1.1.1 }
delete element x whitelist { 1.1.1.1 }
The one above may look silly from a human behaviour point of view, but
silly robots may very well behave like this.
These tests require several kernel patches though in order to pass
successfully.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
|
| |
|
|
|
|
|
| |
If the set comes without definition (ie. no elements) then skip check
for overlaps since set->init is NULL.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Use new definitions in libnftnl, so we can consider getting rid of them
at some point.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
It uses a bogus pattern which was cleaned up already in others testscases,
and this is a leftover.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This ${TESTS_OUTPUT} variable is empty. Delete it.
It was probably an idea about dinamically redirecting testscases output.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Add some tests for endless jump loop validation.
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In my mechain, port 12345 is mapped to italk in /etc/services:
italk 12345/tcp # Italk Chat System
So when we add nft rule with udp port "12345", nft list ruleset
will displayed it as "italk", that cause the result is not same
with expected, then testcase fail.
Add "-nn" option when dump the rulesets from the kernel, make
testcases which using tcp/udp port more rubost.
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Acked-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since commit
20b1131c07acd2fc ("payload: fix stacked headers protocol context tracking")
we deref null pointer if we can't find a description for the desired
protocol, so "ip protocol 254" crashes while testing protocols 6 or 17
(tcp, udp) works.
Also add a test case for this.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1072
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Fix references to obsolete datatypes in the manpage. We renamed them at
some point in the development but we forgot to update this
documentation.
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Fix old identifiers like 'ipcomp' and 'op' with 'comp' and 'operation'
instead. Update some FIXME datatypes.
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Special sets like maps and flow tables have their own commands to be
listed and inspected.
Before this patch, "nft list set" was able to display these special sets
content:
# nft list set filter test
table ip filter {
map test {
type ipv4_addr : inet_service
elements = { 192.168.1.101 : http-alt}
}
}
Now an error is shown:
# nft list set filter test
<cmdline>:1:1-20: Error: Could not process rule: Set 'test' does not exist
list set filter test
^^^^^^^^^^^^^^^^^^^^
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Fix the compression parameter index 'cpi' instead of 'cfi'.
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds a new command that displays the definition of a single
map:
# nft list map [family] <table> <map>
If no family is specified, ip is assumed.
Example:
# nft list map ip6 filter test
table ip6 filter {
map test {
type ipv6_addr : inet_service
elements = { 2001:db8::ff00:42:8329 : http}
}
}
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds a new command that lists maps:
# nft list maps [family]
Only the declaration is displayed. If no family is specified, all maps
of all families are listed.
Example:
# nft list maps
table ip filter {
map test {
type ipv4_addr : inet_service
}
}
table ip6 filter {
map test {
type ipv6_addr : inet_service
}
}
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pablo rewrites this description to:
"The user data area available is 256 bytes (NFT_USERDATA_MAXLEN). We plan
to allow storing other useful information such as datatypes in set
elements, so make sure there is room for this."
Example:
> nft add table t
> nft add chain t c
> nft add rule t c ip saddr 1.1.1.1 counter comment "abc...xyz" # len > 128
<cmdline>:1:47-N: Error: Comment too long. 128 characters maximum allowed
add rule t c ip saddr 1.1.1.1 counter comment abc...xyz
^^^^^^^^^
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Use comment_spec both from rule and set element productions.
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
If we add a chain and specify the nonexistent chain type, chain_type_name_lookup
will return a NULL pointer, and meet the assert condition in xstrdup.
Fix crash like this:
# nft add chain filter input {type none hook input priority 0\;}
nft: utils.c:63: xstrdup: Assertion `s != ((void *)0)' failed.
Aborted (core dumped)
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Also delete the redundant '\n'.
This fixes:
# nft add rule filter test meta priority set root
# nft list chain filter test
table ip filter {
chain test {
meta priority set root
none
ffff:ffff
}
}
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For example, after we add rule to set priority 1:2, it will be displayed in network
byte order as 0200:0100, this is wrong:
# nft add rule filter test meta priority set 1:2
# nft list chain filter test
table ip filter {
chain test {
meta priority set 0200:0100
}
}
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
The set element comment is stored in nftnl_set_elem->user.data using
libnftnl/udata infrastructure. This allows store multiple variable length
user data into set element.
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
meta_match_postprocess uses meta.base which is only accessible if
left expression has EXPR_META type, so we can't use it to handle ct postprocessing.
To reduce copy-pastry factor the common part into ct_meta_common_postprocess(),
then call that from both meta and ct postprocessing.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Otherwise, we memory leak this area since nftnl_rule_set_data() now
makes a copy of the user data which receives. This is happening since
libnftnl's ("rule: Fix segfault due to invalid free of rule user data"),
it is not necessary make a copy before call it.
Note: Carlos originally posted this patch under the name of ("nftables:
Fix memory leak linearizing user data").
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This commit adds a new command that displays the definition of a single
flow table:
If no family is specified, ip is assumed.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This commit adds a new command that lists flow tables:
# nft list flow tables [family]
Only the declaration is displayed. If no family is specified, all flow
tables of all families are listed.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
If we add a such nft rule:
nft add rule filter input ip protocol icmp tcp dport 0
we will always meet the assert condition:
nft: evaluate.c:536: resolve_protocol_conflict: Assertion `base < (__PROTO_BASE_MAX - 1)' failed.
Aborted (core dumped)
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
While at it, get rid of bug comments on ip6/frag.t, since they are not
valid anymore.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The location shouldn't ever alter the expression.
And this fixes this compilation warning:
netlink_delinearize.c: In function ‘netlink_parse_expr’:
netlink_delinearize.c:1008:10: warning: assignment discards ‘const’ qualifier from pointer target type
loc.nle = nle;
^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before we release next nft version, update the syntax to wrap the flow
table definition between brackets, eg.
# nft add rule filter input tcp dport 22 ct state new \
flow table ssh { ip saddr limit rate 10/second }
# nft add rule filter input \
flow table acct { iif . ip saddr timeout 60s counter }
When playing around with this in your initial patchset I found very
confusing that it may not look obvious to users that they can only use
one single statement.
For example:
# nft add rule filter input \
flow table acct iif . ip saddr timeout 60s counter limit rate 10/second
~~~~~~~~~~~~~~~~~~~~
Note that this limit rate applies globally, so this patch resolves this
ambiguity.
This may cause us problems in the future too if we extend this to
support more than one single statement per flowtable entry (Not
telling we need this now, but if someone comes up with a useful
usecase, we should be capable of extending this).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The flow statement allows to instantiate per flow statements for user
defined flows. This can so far be used for per flow accounting or limiting,
similar to what the iptables hashlimit provides. Flows can be aged using
the timeout option.
Examples:
# nft filter input flow ip saddr . tcp dport limit rate 10/second
# nft filter input flow table acct iif . ip saddr timeout 60s counter
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
