| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In addition to the package-version and release-name, output the CLI
implementation (if any) and whether mini-gmp was used, e.g.:
$ ./src/nft -V
nftables v0.9.3 (Topsy)
cli: linenoise
json: yes
minigmp: no
libxtables: yes
[pablo@netfilter.org: add json and libxtables, use -V ]
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Some bitmask variables are not cleared.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
The RHS operand for bitwise shift is in HBO. Set this explicitly.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
| |
Endianness is not meaningful for objects smaller than 2 bytes and the
byte-order conversions are no-ops in the kernel, so just update the
expression as if it were constant.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
| |
Since shift operations require host byte-order, we need to be able to
convert the result of the shift back to network byte-order, in a rule
like:
nft add rule ip t c tcp dport set tcp dport lshift 1
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
| |
Payload munging means that evaluation of payload expressions may not be
idempotent. Add a flag to prevent them from being evaluated more than
once.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
Use div_round_up and one statement.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
stmt_evaluate_payload has distinct variables for some, but not all, the
binop expressions it creates. Add variables for the rest.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch extends the basechain definition to allow users to specify
the offload flag. This flag enables hardware offload if your drivers
supports it.
# cat file.nft
table netdev x {
chain y {
type filter hook ingress device eth0 priority 10; flags offload;
}
}
# nft -f file.nft
Note: You have to enable offload via ethtool:
# ethtool -K eth0 hw-tc-offload on
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previous patches allow to pass concatenations as the mapped-to
data type.
This doesn't work with typeof() because the concat expression has
no support to store the typeof data in the kernel, leading to:
map t2 {
typeof numgen inc mod 2 : ip daddr . tcp dport
being shown as
type 0 : ipv4_addr . inet_service
... which can't be parsed back by nft.
This allows the concat expression to store the sub-expressions
in set of nested attributes.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
stmt_evaluate_nat_map() is only called when the parser sets on
stmt->nat.ipportmap.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This patch extends the parser to define the mapping datatypes, eg.
... dnat ip addr . port to ip saddr map { 1.1.1.1 : 2.2.2.2 . 30 }
... dnat ip addr . port to ip saddr map @y
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nft will now be able to handle
map destinations {
type ipv4_addr . inet_service : ipv4_addr . inet_service
}
chain f {
dnat to ip daddr . tcp dport map @destinations
}
Something like this won't work though:
meta l4proto tcp dnat ip6 to numgen inc mod 4 map { 0 : dead::f001 . 8080, ..
as we lack the type info to properly dissect "dead::f001" as an ipv6
address.
For the named map case, this info is available in the map
definition, but for the anon case we'd need to resort to guesswork.
Support is added by peeking into the map definition when evaluating
a nat statement with a map.
Right now, when a map is provided as address, we will only check that
the mapped-to data type matches the expected size (of an ipv4 or ipv6
address).
After this patch, if the mapped-to type is a concatenation, it will
take a peek at the individual concat expressions. If its a combination
of address and service, nft will translate this so that the kernel nat
expression looks at the returned register that would store the
inet_service part of the octet soup returned from the lookup expression.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
In order to support 'dnat to ip saddr map @foo', where @foo returns
both an address and a inet_service, we will need to peek into the map
and process the concatenations sub-expressions.
Add two helpers for this, will be used in followup patches.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
We can already handle concatenated keys, this extends concat
coverage to the data type as well, i.e. this can be dissected:
type ipv4_addr : ipv4_addr . inet_service
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Needed to avoid triggering the 'dtype->size == 0' tests.
Evaluation will build a new concatenated type that holds the
size of the aggregate.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Will be extended to cover upcoming
'dnat to ip saddr . tcp dport map { \
1.2.3.4 . 80 : 5.6.7.8 : 8080,
2.2.3.4 . 80 : 7.6.7.8 : 1234,
...
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Useless duplication. Also, this avoids bloating expr_ops_by_type()
when it needs to cope with more expressions.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
| |
Dump validation may fail:
- tcp dport { 22, 23 } counter packets 0 bytes 0
+ tcp dport { 22, 23 } counter packets 9 bytes 3400
... which is normal on host namespace.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
| |
run_tests.sh alreadty discards stderr by default, but will show it in
case the test script is run directly (passed as argument).
Discarding stderr also in the script prevents one from seeing
BUG() assertions and the like.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
| |
nft add rule inet filter c ip daddr 1.2.3.4 dnat ip6 to f00::1
Error: conflicting protocols specified: ip vs. unknown. You must specify ip or ip6 family in tproxy statement
Should be: ... "in nat statement".
Fixes: fbe27464dee4588d90 ("src: add nat support for the inet family")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
| |
This string might not be nul-terminated, resulting in spurious errors
when adding netdev chains.
Fixes: 3fdc7541fba0 ("src: add multidevice support for netdev chain")
Fixes: 92911b362e90 ("src: add support to add flowtables")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
==1135425== 9 bytes in 1 blocks are definitely lost in loss record 1 of 1
==1135425== at 0x483577F: malloc (vg_replace_malloc.c:309)
==1135425== by 0x4BE846A: strdup (strdup.c:42)
==1135425== by 0x48A5EDD: xstrdup (utils.c:75)
==1135425== by 0x48C9A20: nft_lex (scanner.l:640)
==1135425== by 0x48BC1A4: nft_parse (parser_bison.c:5682)
==1135425== by 0x48AC336: nft_parse_bison_buffer (libnftables.c:375)
==1135425== by 0x48AC336: nft_run_cmd_from_buffer (libnftables.c:443)
==1135425== by 0x10A707: main (main.c:384)
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This test checks that set elements can be added, deleted, that
addition and deletion are refused when appropriate, that entries
time out properly, and that they can be fetched by matching values
in the given ranges.
v5:
- speed this up by performing the timeout test for one single
permutation (Phil Sutter), by decreasing the number of
permutations from 96 to 12 if this is invoked by run-tests.sh
(Pablo Neira Ayuso) and by combining some commands into single
nft calls where possible: with dash 0.5.8 on AMD Epyc 7351 the
test now takes 1.8s instead of 82.5s
- renumber test to 0043, 0042 was added meanwhile
v4: No changes
v3:
- renumber test to 0042, 0041 was added meanwhile
v2:
- actually check an IPv6 prefix, instead of specifying everything
as explicit ranges in ELEMS_ipv6_addr
- renumber test to 0041, 0038 already exists
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
# nft delete rule ip y z handle 7
Error: Could not process rule: No such file or directory
delete rule ip y z handle 7
^
# nft delete rule ip x z handle 7
Error: Could not process rule: No such file or directory
delete rule ip x z handle 7
^
# nft delete rule ip x x handle 7
Error: Could not process rule: No such file or directory
delete rule ip x x handle 7
^
# nft replace rule x y handle 10 ip saddr 1.1.1.2 counter
Error: Could not process rule: No such file or directory
replace rule x y handle 10 ip saddr 1.1.1.2 counter
^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
When trying to set a policy to non-base chain:
# nft add chain x y { policy accept\; }
Error: Could not process rule: Operation not supported
add chain x y { policy accept; }
^^^^^^^^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
# nft create table x
Error: Could not process rule: File exists
create table x
^
# nft create chain x y
Error: Could not process rule: File exists
create chain x y
^
# nft create set x y { typeof ip saddr\; }
Error: Could not process rule: File exists
create set x y { typeof ip saddr; }
^
# nft create counter x y
Error: Could not process rule: File exists
create counter x y
^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Preliminary support: only for the deletion command, e.g.
# nft delete table twst
Error: No such file or directory; did you mean table ‘test’ in family ip?
delete table twst
^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch correlates the in-kernel extended netlink error offset and
the location information.
Assuming 'foo' table does not exist, then error reporting shows:
# nft delete table foo
Error: Could not process rule: No such file or directory
delete table foo
^^^
Similarly, if table uniquely identified by handle '1234' does not exist,
then error reporting shows:
# nft delete table handle 1234
Error: Could not process rule: No such file or directory
delete table handle 1234
^^^^
Assuming 'bar' chain does not exists in the kernel, while 'foo' does:
# nft delete chain foo bar
Error: Could not process rule: No such file or directory
delete chain foo bar
^^^
This also gives us a hint when adding rules:
# nft add rule ip foo bar counter
Error: Could not process rule: No such file or directory
add rule ip foo bar counter
^^^
This is based on ("src: basic support for extended netlink errors") from
Florian Westphal, posted in 2018, with no netlink offset correlation
support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Handle location is not correct, this leads to misleading error
reporting.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
!list_empty() always stands true since the list is never empty
when calling scanner_pop_indesc().
Check for list_is_first() which actually tells us this is the
initial input file, hence, state->indesc is set to NULL.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
What we want:
- update @sticky-set-svc-M53CN2XYVUHRQ7UB { ip saddr : 0x00000002 }
what we got:
+ update @sticky-set-svc-M53CN2XYVUHRQ7UB { ip saddr : 0x2000000 [invalid type] }
Reported-by: Serguei Bezverkhi <sbezverk@gmail.com>
Close: https://bugzilla.netfilter.org/show_bug.cgi?id=1405
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Including more than MAX_INCLUDE_DEPTH file in one statement should succeed.
This reproduces bug #1243.
Signed-off-by: Laurent Fasnacht <fasnacht@protonmail.ch>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Now that we have a proper stack implementation, we don't need an
additional counter for the number of buffer state pushed.
Signed-off-by: Laurent Fasnacht <fasnacht@protonmail.ch>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This fixes the location displayed in error messages.
Signed-off-by: Laurent Fasnacht <fasnacht@protonmail.ch>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Laurent Fasnacht <fasnacht@protonmail.ch>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This static array is redundant with the indesc_list structure, but
is less flexible.
Signed-off-by: Laurent Fasnacht <fasnacht@protonmail.ch>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Having a single point makes refactoring easier.
Signed-off-by: Laurent Fasnacht <fasnacht@protonmail.ch>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This prevents a static allocation of file descriptors array, thus allows
more flexibility.
Signed-off-by: Laurent Fasnacht <fasnacht@protonmail.ch>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Accept escaped asterisks also mid-string and as only character.
Especially the latter will help when translating from iptables where
asterisk has no special meaning.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
| |
Special meaning of asterisk in interface names wasn't described
anywhere.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
| |
This unifies the redundant information in sets and maps sections and
also covers 'get' command.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Add a couple of Python test-cases for setting the CT mark to a bitwise
expression derived from the packet mark and vice versa.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
The JSON output was missing for some existing tests.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Add a couple of shell test-cases for setting the CT mark to a bitwise
expression derived from the packet mark and vice versa.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|