| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
We currently crash when reporting a permission denied error for set additions.
This is due to using the wrong location, fix by passing in the set location.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
| |
We currently print a debug message (with debugging) and continue. Output
a proper error message and abort.
While at it, make sure we only report a conflict if there actually is one.
This is not the case similar actions, IOW in case of sets, never, in case
of maps, only if the mapping differs.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Singed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
| |
Turn the eval_ctx argument into a list_head to queue the error to.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support for human-readable comments:
nft add rule filter input accept comment \"accept all traffic\"
Note that comments *always* come at the end of the rule. This uses
the new data area that allows you to attach information to the rule
via netlink.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
The handle's table was being set to the chain name instead of the
chain table attribute.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Takes advantage of the fact that the current maximum label storage area
is 128 bits, i.e. the dynamically allocated extension area in the
kernel will always fit into a nft register.
Currently this re-uses rt_symbol_table_init() to read connlabel.conf.
This works since the format is pretty much the same.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
The table object that is allocated is unused.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
should always generate cmp op (its enum 0, 1 in kernel).
Note: 'original,reply' will no longer work after this patch.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
We segfault on 'list filter' when meta expr is used as _u8
returns invalid register 0.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The prefix expression handling is full of bugs:
- netlink_gen_data() is used to construct the prefix mask from the full
prefix expression. This is both conceptually wrong, the prefix expression
is *not* data, and buggy, it only assumes network masks and thus only
handles big endian types.
- Prefix expression reconstruction doesn't check whether the mask is a
valid prefix and reconstructs crap otherwise. It doesn't reconstruct
prefixes for anything but network addresses. On top of that its
needlessly complicated, using the mpz values directly its a simple
matter of finding the sequence of 1's that extend up to the full width.
- Unnecessary cloning of expressions where a simple refcount increase would
suffice.
Rewrite that code properly.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
We're currently only converting bitmask types as direct argument to a
relational expression in the form of a flagcmp (expr & mask neq 0) back
into a list of bit values. This means expressions like:
tcp flags & (syn | ack) == syn | ack
won't be shown symbolically. Convert *all* bitmask values back to a sequence
of inclusive or expressions of the individual bits. In case of a flagcmp,
this sequence is further converted to a list (tcp flags syn,ack).
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the argument of a binop is a binop itself, we may need to add parens
if the precedence of the argument is lower then the binop.
Before:
tcp flags & syn | ack == syn | ack
tcp flags & syn | ack != syn | ack
After:
tcp flags & (syn | ack) == syn | ack
tcp flags & (syn | ack) != syn | ack
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
| |
Always use flagcmp for RHS bitmask expressions, independant of whether
only one or an entire list of bitmask expression is specified.
This makes sure that f.i. "tcp flags ack" will match any combinations
of ACK instead of ACK and only ACK.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
There is a bug with rreply symbol. The rreply and reply symbol were the same.
There is a reproduction of this bug here:
$ sudo nft add rule arp art-t filter arp operation reply
$ sudo nft list table arp art-t
table arp art-t {
chain filter {
type filter hook input priority 0;
arp operation 512
}
}
$ sudo nft add rule arp art-t filter arp operation rreply
$ sudo nft list table arp art-t
table arp art-t {
chain filter {
type filter hook input priority 0;
arp operation 512 <=====
arp operation 512 <=====
}
}
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There is a bug with rreply symbol. The rreply and reply symbol were the same.
There is a reproduction of this bug here:
$ sudo nft add rule arp art-t filter arp operation reply
$ sudo nft list table arp art-t
table arp art-t {
chain filter {
type filter hook input priority 0;
arp operation 512
}
}
$ sudo nft add rule arp art-t filter arp operation rreply
$ sudo nft list table arp art-t
table arp art-t {
chain filter {
type filter hook input priority 0;
arp operation 512 <=====
arp operation 512 <=====
}
}
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
The line break is added after printing the rule.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Florian reports that flag comparisons generate incorrect instructions:
$ nft --debug=netlink add rule filter output ct labels foo
ip filter output 0 0
[ ct load labels => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0x00000001 0x00000000 0x00000000 0x00000000 ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ]
[ cmp neq reg 1 0x00000001 0x00000000 0x00000000 0x00000000 ]
The "cmp new" should compare to zero. This was broken by commit aae836a7
(src: use libnftables by using expr->right instead of zero.
Slightly rearrange the code as well to prevent similar problems in the
future.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
| |
We need a real list_head to splice both the command and potential new commands
added during evaluation.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
| |
Add a netlink_location and use it for error messages instead of internal_location.
internal:0:0-0: Error: Could not add set: Operation not permitted
=>
netlink: Error: Could not add set: Operation not permitted
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
With incremental evaluation we're first evaluating the command before
adding it to the global command list, so the command's list_head is
uninitialized during evaluation. We need to initialize it to handle the
case that an implicit set declaration will prepend a command to the list.
Also list_splice_tail() needs to be used instead of list_add_tail() to
add the entire list of commands.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes some incorrect behaviour of symbolic variables:
- prohibit redefining an existing symbol
- verify existance of a symbolic variable during parsing instead of evaluation
The second point makes sure we don't allow recursive definitions (var = $var),
which lead to a crash due to stack exhaustion.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
| |
Mixed syntactical and non-syntactical errors in individual commands and
blocks.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We currently do parsing and evaluation in two seperate stages. This means
that if any error occurs during parsing, we won't evaluate the syntactical
correct commands and detect possible evaluation errors in them.
In order to improve error reporting, change this to evaluate every command
as soon as it is fully parsed.
With this in place, the ruleset can be fully validated and all errors
reported in one step:
tests/error.1:6:23-23: Error: syntax error, unexpected newline
filter input tcp dport
^
tests/error.1:7:24-26: Error: datatype mismatch, expected internet network service, expression has type Internet protocol
filter input tcp dport tcp
~~~~~~~~~ ^^^
tests/error.1:8:24-32: Error: Right hand side of relational expression (==) must be constant
filter input tcp dport tcp dport
~~~~~~~~~~^^^^^^^^^
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move error recovery to the common_block definition to handle errors
in any block. Queue those errors and abort parsing once a threshold
is reached.
With this in place, we can continue parsing when errors occur and
show all of them to the user at once.
tests/error.1:3:8-8: Error: syntax error, unexpected '{', expecting string
filter {
^
tests/error.1:4:13-13: Error: syntax error, unexpected newline
filter input
^
tests/error.1:5:17-17: Error: syntax error, unexpected newline
filter input tcp
^
tests/error.1:6:23-23: Error: syntax error, unexpected newline
filter input tcp dport
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
| |
Close the scopes when destroying a table_block/chain_block. Also add
assertions to open_scope()/close_scope() to catch memory corruption
early.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
| |
Don't display "In file included from internal:0:0-0:" for errors occuring
in a parsed file.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
| |
Currently always has the value 0.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
| |
When reset_pos() is invoked, YY_USER_ACTION() has already advanced the
line offset to the next line. This causes errors for unexpected newlines
to incorrectly show the following line when reading from files.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The symbol for the relational op is shown in the error message. Since
OP_IMPLICIT doesn't have a symbol, (null) is shown. Fix by determining
the implicit op before checking for constants.
Error: Right hand side of relational expression ((null)) must be constant
=>
Error: Right hand side of relational expression (==) must be constant
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch fixes the inclusion of the last rule that didn't fit
into a batch page.
When using sets this has manifested with the -EBUSY error when deleting
the table (it was still containing unused sets after the flush).
The following command line works fine here:
nft -f test ; nft flush table filter ; nft delete chain filter output; nft delete table filter
Tested using this kernel patch: http://patchwork.ozlabs.org/patch/314143/
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| | |
Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>
|
| | |
| |
| |
| | |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| | |
This reverts commit 2f61f093c3149465f2a68764b25c817adbe87fcd.
Crap, accidentally committed this.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch adds the following operation:
:~# nft export <xml|json>
The XML/JSON output is provided raw by libnftnl, thus without format.
In case of XML, you can give format with the `xmllint' tool from libxml2-tools:
:~# nft list ruleset xml | xmllint --format -
In case of JSON, you can use `json_pp' from perl standar package:
:~# nft list ruleset json | json_pp
A format field is added in struct cmd, and it will be reused in the import
operation.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| | |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
We currently always use NLM_F_EXCL for add, which makes adding existing
chains or tables fail. There's usually no reason why you would care about
this, so change "add" to not use NLM_F_EXCL and add a new "create" command
in case you do care.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |\| |
|
| | |
| |
| |
| | |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| |
| | |
Adapt the current code to use the new library name libnftnl.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Add missing NLM_F_CREATE flag when creating new chains to trigger
module autoloading in the kernel.
Reported-by: Ana Rey Botello <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
This patch allows to specify a string to indicate the time, eg.
nft add rule filter output ct expiration \"1d2h3m4s\" counter
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |\|
| |
| |
| |
| |
| |
| |
| | |
Signed-off-by: Patrick McHardy <kaber@trash.net>
Conflicts:
include/nftables.h
src/main.c
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
If a set contains elements, the output is not parsable since the
elements = { ... } is not understood by the parser. Fix this and
also add support for creating constant sets (which only makes sense
when using an initializer).
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch fixes two problems:
- the output of "nft list table ..." is not parsable if sets are included
because the parser can't parse the flags.
- set flags can't be specified during set creation.
To fix this, the set output is changed to:
- not print each flag on a single line
- prefix the flags with "flags "
- only show the interval flag since all others are for internal use only
The parser is changed to parse the flags specified in a set declaration.
This allows to parse empty sets. The following patch will take care of
parsing sets that are already populated.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Replace => by : to make it easier for most shell users, as
> implies a redirection, let's avoid possible confusion that
may result if you forget to escape it.
This works fine if you don't forget to add space between the
key and the value. If you forget to add the space, depending
on the case, the scanner may recognize it correctly or process
it as a string.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| | |
This allows you to dump the netlink message that is send via
libmnl.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
