| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
The kernel can handle this, nftables should also.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
| |
The ethernet header type is in big endian byte order, the ETH_P_* values
are in host byte order however. Fix this using __constant_htons().
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
|
| |
symbolic_constant_print() uses mpz_cmp_ui() to find the matching symbol.
Since GMP internally treats all values as being in host byte, this
doesn't work when the constant value is non-host byteorder, such as
the ethernet protocol type.
Export the expression's value in its original byteorder for comparison
to fix this.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
|
| |
payload_expr_pctx_update() uses the numeric protocol value in host byte
order to find the upper layer protocol. This obviously doesn't work for
protocol expressions in other byte orders, such as the ethernet protocol
on little endian.
Export the protocol value in the correct byte order and use that value
to look up the upper layer protocol.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
| |
If we add a unary expression which the operation is ntoh, we use hton.
This looks like a typo.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Some memories are forgotten to release on the error path in get operation.
Just release them. Also, in netlink_get_chain, it's better to return
immediately when a error is detected.
Signed-off-by: Yanchuan Nian <ycnian@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Let's add info about 'monitor' and 'export'.
While at it, fix other minors things, like the no-netlink return code and
indentations of the document.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch is required if you use upcoming Linux kernels >= 3.17
which come with a complete logging support for nf_tables.
If you use 'log' without options, the kernel logging buffer is used:
nft> add rule filter input log
You can also specify the logging prefix string:
nft> add rule filter input log prefix "input: "
You may want to specify the log level:
nft> add rule filter input log prefix "input: " level notice
By default, if not specified, the default level is 'warn' (just like
in iptables).
If you specify the group, then nft uses the nfnetlink_log instead:
nft> add rule filter input log prefix "input: " group 10
You can also specify the snaplen and qthreshold for the nfnetlink_log.
But you cannot mix level and group at the same time, they are mutually
exclusive.
Default values for both snaplen and qthreshold are 0 (just like in
iptables).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nft crashes when adding many elements into a set for two reasons:
1) The overflow of the nla_len field for the NFTA_SET_ELEM_LIST_ELEMENTS
attribute.
2) Out-of-bound memory writes to the reserved area for the netlink
message, which is solved by the patch entitled ("mnl: introduce
NFT_NLMSG_MAXSIZE").
This patch adds the corresponding nla_len overflow check for
NFTA_SET_ELEM_LIST_ELEMENTS and it splits the elements in several
netlink messages. This should be enough when set updates are handled
by the transaction infrastructure.
With this patch, nft should be now capable of adding an unlimited
number of elements to a given set.
Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=898
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The NFT_NLMSG_MAXSIZE constant defines the maximum nf_tables netlink
message. Currently, the largest is the set element message, which
contains the NFTA_SET_ELEM_LIST_ELEMENTS attribute. This attribute is
a nest that describes the set elements. Given that the netlink attribute
length (nla_len) is 16 bits, the largest message is a bit larger than
64 KBytes. Thus, the proposed value of NFT_NLMSG_MAXSIZE is set to
(1 << 16) + getpagesize().
This new constant is used to calculate the length of:
1) the batch page length, when the batching mode is used.
2) the buffer that stores the netlink message in the send (when no
batching is used) and receive paths.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before:
# nft add rule ip test input ip hdrlength 3
<cmdline>:1:1-37: Error: Could not process rule: Invalid argument
add rule ip test input ip hdrlength 3
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# echo $?
0
After:
# nft add rule ip test input ip hdrlength 3
<cmdline>:1:1-37: Error: Could not process rule: Invalid argument
add rule ip test input ip hdrlength 3
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# echo $?
1
Reported-by: Ana Rey Botello <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch reworks the batching logic in several aspects:
1) New batch pages are now always added into the batch page list in
first place. Then, in the send path, if the last batch page is
empty, it is removed from the batch list.
2) nft_batch_page_add() is only called if the current batch page is
full. Therefore, it is guaranteed to find a valid netlink message
in the batch page when moving the tail that didn't fit into a new
batch page.
3) The batch paging is initialized and released from the nft_netlink()
path.
4) No more global struct mnl_nlmsg_batch *batch that points to the
current batch page. Instead, it is retrieved from the tail of the
batch list, which indicates the current batch page.
This patch fixes a crash due to access of uninitialized memory area in
due to calling batch_page_add() with an empty batch in the send path,
and the memleak of the batch page contents. Reported in:
http://patchwork.ozlabs.org/patch/367085/
http://patchwork.ozlabs.org/patch/367774/
The patch is larger, but this saves the zeroing of the batch page area.
Reported-by: Yanchuan Nian <ycnian@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Save some LOC with this function that wraps typical handling
after pushing the netlink message into the batch.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previous to this patch, if we add a rule like this:
nft add rule filter test ip saddr { 1.1.1.1-2.2.2.2 }
The monitor operation output shows:
add rule ip filter test ip saddr { 0.0.0.0, 1.1.1.1, 2.2.2.3}
The fix suggested by Pablo is to call interval_map_decompose().
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This patch adds a helper function to handle lookup expressions with a callback,
so we can make an action for each set referenced by the rule.
Basically this is a refactorization, useful for follow-up patches.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
|
|
|
|
|
|
|
|
|
| |
This flag allows to detect that an update has ocurred while dumping
any of the object lists. In case of interference, nft cancels the
netlink socket to skip processing the remaining stale entries and
it retries to obtain fresh list of objects.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
If this fails to fetch any of the objects, stop handling inmediately.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Otherwise, you may crash in:
nft add rule bridge filter input ether type ip
Reported-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The type in the evaluation context needs to be reset to avoid treating
the concatenation as a right hand side relational expression.
# nft filter output mark set ip daddr . tcp dport map { 192.168.0.1 . 22 : 1 }
<cmdline>:1:24-43: Error: datatype mismatch, expected packet mark, expression has type concatenation of (IPv4 address, internet network service)
filter output mark set ip daddr . tcp dport map { 192.168.0.1 . 22 : 1 }
^^^^^^^^^^^^^^^^^^^^
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
| |
Fix segfaults when delinearizing the set fails and abort on error when
listing sets.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Packages can be accounted by nftables through such command.
% nft add rule filter output ip daddr 8.8.8.8 counter
You can also give the initial values of packets and bytes.
% nft add rule filter output ip daddr 8.8.8.8 counter packets 10 bytes 20
But packets and bytes are both initialized to 10 in above command for there is
a mistake in the program.
Signed-off-by: Yanchuan Nian <ycnian@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch reverts Alvaro's 34040b1 ("reject: add ICMP code parameter
for indicating the type of error") and 11b2bb2 ("reject: Use protocol
context for indicating the reject type").
These patches are flawed by two things:
1) IPv6 support is broken, only ICMP codes are considered.
2) If you don't specify any transport context, the utility exits without
adding the rule, eg. nft add rule ip filter input reject.
The kernel is also flawed when it comes to the inet table. Let's revert
this until we can provide decent reject reason support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch allows to indicate the ICMP code field in case that we
use to reject. Before, we have always sent network unreachable error
as ICMP code, now we can explicitly indicate the ICMP code that
we want to use. Examples:
nft add rule filter input tcp dport 22 reject with host-unreach
nft add rule filter input udp dport 22 reject with host-unreach
In this case, it will use the host unreachable code to reject traffic.
The default code field still is network unreachable and we can also
use the rules without the with like that:
nft add rule filter input udp dport 22 reject
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This patch uses the protocol context to initialize the reject type
considering if the transport protocol is tcp, udp, etc. Before this
patch, this was left unset.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch allows to use a new syntax more compact and break
the current syntax. This new syntax is more similar than the nftables
syntax that we use usually. We can use range like we have used in
other case in nftables. Here, we have some examples:
Before, If we want to declare a queue, we have used a syntax like this:
nft add rule test input queue num 1 total 3 options bypass,fanout
If we want to use the queue number 1 and the two next (total 3),
we use a range in the new syntax, for example:
nft add rule test input queue num 1-3 bypass fanout
Also if we want to use only one queue, the new rules are like:
nft add rule test input queue num 1 # queue 1
or
nft add rule test input queue # queue 0
And if we want to add a specific flags we only need to put
what flags we want to use:
nft add rule test input queue bypass
we don't need to use options and the comma for indicating the
flags.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When try to input multiline command in "nft -i", it crashes.
Issue is, function cli_append_multiline() return null in case of
multiline command. But in the calling function cli_complete(),
cli_exit is getting called, which in turn calls
rl_callback_handler_remove() and the handler is getting removed.
[root@localhost ~]# nft -i
nft> add table filter
nft> list table \
readline: readline_callback_read_char() called with no handler!
Aborted (core dumped)
[root@localhost ~]#
After this patch, it shows:
nft> list table \
.... filter
table ip filter {
}
nft>
The ".... " prompt is used to indicate a multiline command, similar to
what Python does.
Signed-off-by: Guruswamy Basavaiah <guru2018@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This removes a bug that displays strange hook priorities
like "type route hook output priority 4294967146".
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fix the bug:
http://bugzilla.netfilter.org/show_bug.cgi?id=924
Before, nftables doesn't permit invert ranges. This patch allows
add rules like this:
nft add rule ip test input ip daddr != 192.168.1.2-192.168.1.55
or
nft add rule ip test input ip daddr == 192.168.1.2-192.168.1.55
Also, we still have the option for adding rules like this:
sudo nft add rule ip test output frag id 33-45
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we add this rule:
sudo nft add rule ip test input ip protocol != icmp
and we try to list the rules in the table test, nftables
show this error:
nft: src/payload.c:76: payload_expr_pctx_update: Assertion `expr->op == OP_EQ' failed.
This patch change the function payload_match_postprocess for updating
only the context in equality relations case.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
If we add a udplite rule, we can't because we have forgot
to add this token in the scanner.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When trying to close a descriptor which failed to be opened.
==6231== Process terminating with default action of signal 11 (SIGSEGV)
==6231== Access not within mapped region at address 0x0
==6231== at 0x5503E21: mnl_socket_close (socket.c:248)
==6231== by 0x40517F: netlink_close_sock (netlink.c:68)
==6231== by 0x400EFEE: _dl_fini (dl-fini.c:253)
==6231== by 0x5740AA0: __run_exit_handlers (exit.c:77)
==6231== by 0x5740B24: exit (exit.c:99)
==6231== by 0x40F16F: netlink_open_error (netlink.c:105)
==6231== by 0x405642: netlink_open_sock (netlink.c:54)
==6231== by 0x424E6C: __libc_csu_init (in /usr/sbin/nft)
==6231== by 0x5728924: (below main) (libc-start.c:219)
==6231== If you believe this happened as a result of a stack
==6231== overflow in your program's main thread (unlikely but
==6231== possible), you can try to increase the size of the
==6231== main thread stack using the --main-stacksize= flag.
==6231== The main thread stack size used in this run was 8388608.
Closes: http://bugzilla.netfilter.org/show_bug.cgi?id=881
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Like in 0dbced3 ("parser: use symbolic expressions for parsing
keywords as protocol values"), convert `ether' to use a symbolic
expression.
This fixes:
# nft add rule ip filter input meta iiftype ether
# nft list table filter
table ip filter {
...
iiftype 256
which was converted to network byte order.
Reported-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
The delinearize functions for tables, chains and sets add these objects
to the ctx->list. In the chain case, this is not required. Regarding
tables and sets, those are added to the cache.
This patch implicitly fixes an use chain object after free that result
in random crashes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
free(expr->right) and free(value) point to the same object, so one
single free() is enough.
This manifests in valgrind with:
==4020== Invalid read of size 4
==4020== at 0x40A429: expr_free (expression.c:65)
==4020== by 0x414032: expr_postprocess (netlink_delinearize.c:747)
==4020== by 0x414C33: netlink_delinearize_rule (netlink_delinearize.c:883)
==4020== by 0x411305: netlink_events_cb (netlink.c:1692)
==4020== by 0x55040AD: mnl_cb_run (callback.c:77)
==4020== by 0x4171E4: nft_mnl_recv (mnl.c:45)
==4020== by 0x407B44: do_command (rule.c:895)
==4020== by 0x405C6C: nft_run (main.c:183)
==4020== by 0x405849: main (main.c:334)
==4020== Address 0x5d126f8 is 56 bytes inside a block of size 120 free'd
==4020== at 0x4C2AF5C: free (vg_replace_malloc.c:446)
==4020== by 0x41402A: expr_postprocess (netlink_delinearize.c:746)
==4020== by 0x414C33: netlink_delinearize_rule (netlink_delinearize.c:883)
==4020== by 0x411305: netlink_events_cb (netlink.c:1692)
==4020== by 0x55040AD: mnl_cb_run (callback.c:77)
==4020== by 0x4171E4: nft_mnl_recv (mnl.c:45)
==4020== by 0x407B44: do_command (rule.c:895)
==4020== by 0x405C6C: nft_run (main.c:183)
==4020== by 0x405849: main (main.c:334)
==4020==
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These new tokens were introduced in f9563c0 ("src: add events reporting")
to allow filtering based on the event type.
This confuses the parser when parsing the "new" token:
test:32:33-35: Error: syntax error, unexpected new
add rule filter output ct state new,established counter
^^^
This patch fixes this by replacing these event type tokens by the
generic string token, which is then interpreted during the parsing.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch moves the table messages to the netlink batch that
is sent to kernel-space.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch moves the chain netlink messages to the big netlink
batch that is sent to kernel-space.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch moves the netlink set messages to the batch that contains
the rules. This helps to speed up rule-set restoration time by
changing the operational. To achieve this, an internal set ID which
is unique to the batch is allocated as suggested by Patrick.
To retain backward compatibility, nft initially guesses if the
kernel supports set in batches. Otherwise, it falls back to the
previous (slowier) operational.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Let's split talk() and recv() functions, so they can be used independently.
While at it, lets rename mnl_talk() to nft_mnl_talk() so we avoid potential
clashes with other functions in external libs.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a basic events reporting option to nft.
The syntax is:
% nft monitor [new|destroy] [tables|chains|rules|sets|elements] [xml|json]
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a simple helper function to report errors while
opening the Netlink socket.
To help users to diagnose problems, a new NFT_EXIT_NONL exit code is included,
which is 3.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Lets refactorize set_elem handling.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This code is suitable to be reusable.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Let's make this code reusable.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Lest generalize the chain_print() function, so we can print a plain chain
as the user typed in the basic CLI.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Let's factorize this code, so it can be reused.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Allow to print sets with or without format.
This is useful in situations where we want to print more or less the same
the user typed (IOW, in one single line, and with family/table info).
While at it, make family2str() function public, so it can be used in
other places.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Add support to get an input or output bridge interface name through the
relevant meta keys.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|