| Commit message | Author | Age | Files | Lines |
... so one doesn't need to install a new binary into $PATH (or
change PATH...) during development.
Signed-off-by: Florian Westphal <fw@strlen.de>
This has to be related to libnftnl's 0edeb667a2cf ("expr: redir: fix snprintf
to return the number of bytes printed").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Since e715f6d1241c ("netlink: don't call netlink_dump_*() from listing
functions with --debug=netlink"), there is no debugging from the listing path.
Thus, we can remove the set line from the test files.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Now that we always retrieve the object list to build a cache before executing
the command, this results in a full listing of existing objects in the kernel.
This is confusing when adding a simple rule, so better not to call
netlink_dump_*() from listing functions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
nft list chain ip test output
<cmdline>:1:1-25: Error: Could not process rule: Chain 'output' does not exist
list chain ip test output
^^^^^^^^^^^^^^^^^^^^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The only remaining caller that needs this is netlink_dump_ruleset(), that is
used to export the ruleset using markup representation. We can remove it and
handle this from do_command_export() now that we have a centralized point to
build up the object cache.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Populate the cache iff the user requests a ruleset listing.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Populate the cache iff the user requests a ruleset listing.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Make sure the table that we want to rename already exists. This is required by
the follow up patch that adds chains to the cache.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The chain list is obtained if the user requests a listing.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
When adding declared chains to the cache, we may hold more than one single
reference from struct cmd and the cache.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
By when the set is created, so elements in the batch use this set ID as
reference.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds set objects to the cache if they don't exist in the kernel, so
they can be referenced from this batch. This occurs from the evaluation step.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch populates the cache only once through netlink_list_sets() during
evaluation. As a result, there is a single call to netlink_list_sets().
After this change, we can get rid of get_set(). This function was fine by the time
we had no transaction support, but this doesn't work for set objects that are
declared in this batch, so inquiring the kernel doesn't help since they are not
yet available.
As a result of this update, the monitor code gets simplified quite a lot
since it can rely on the set cache. Moreover, we can now validate that the
table and set exist from the evaluation path.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add declared table objects to the cache, thus we can refer to objects that
come in this batch but that are not yet available in the kernel. This happens
from the evaluation step.
Get rid of code that is doing this from the later do_command_*() stage.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
We may hold multiple references to table objects in follow up patches when
adding object declarations to the cache.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This function validates that the table that we want to list already exists by
looking it up from the cache.
This also adds cmd_error() to display an error from the evaluation step, when
the objects that the rule indicates do not exist.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch introduces the generic object cache that is populated during the
evaluation phase.
The first client of this infrastructure are table objects. As a result, there
is a single call to netlink_list_tables().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This branch adds support for the new 'netdev' family. This also resolves a
simple conflict with the default chain policy printing.
Conflicts:
src/rule.c
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds support for the new 'netdev' table. So far, this table allows
you to create filter chains from ingress.
The following example shows a very simple base configuration with one table that
contains a basechain that is attached to 'eth0':
# nft list table netdev filter
table netdev filter {
        chain eth0-ingress {
                type filter hook ingress device eth0 priority 0; policy accept;
        }
}
You can test that this works by adding a simple rule with counters:
# nft add rule netdev filter eth0-ingress counter
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[ payload load 4b @ network header + 12 => reg 1 ]
[ bitwise reg 1 = (reg=1 & 0xff000000 ) ^ 0x00000000 ]
[ cmp eq reg 1 ...
.. to make sure that later support to match header elements that have odd
(non-byte aligned) lengths/offsets doesn't erroneously eliminate explicitly
added binops while searching expressions for implicit binops.
Signed-off-by: Florian Westphal <fw@strlen.de>
Iterate over the ctx->list which is where the table objects are after
calling netlink_list_tables().
Fixes: e4d21958c835 ("rule: add do_list_tables()")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
compare netlink instructions generated by a given nft command line
with the recorded version.
Example: udp dport 80 accept in ip family should look like
ip test-ip4 input
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000011 ]
[ payload load 2b @ transport header + 2 => reg 1 ]
[ cmp eq reg 1 0x00005000 ]
[ immediate reg 0 accept ]
This is stored in udp.t.payload.ip
Other suffixes:
.payload.ip6
.payload.inet
.payload ('any')
The test script first looks for 'testname.t.payload.$family', if that
doesn't exist 'testname.t.payload' is used.
This allows for family-independent tests (e.g. meta), where we don't
expect/have any family specific expressions.
Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal says:
09565a4b1ed4863d44c4509a93c50f44efd12771 ("netlink_delinearize: consolidate
range printing") causes nft to segfault on a 32-bit machine when printing l4proto
ranges.
The problem is that meta_expr_pctx_update() assumes that right is a value, but
after this change it can also be a range.
Thus, expr->value contents are undefined (it's a union). On x86_64 this is also
broken but by virtue of struct layout and pointer sizes, value->_mp_size will
almost always be 0 so mpz_get_uint8() returns 0.
But on x86-32 _mp_size will be a huge value (contains expr->right pointer of
range), so we crash in libgmp.
Pablo says:
We shouldn't call pctx_update(), before the transformation we had
there an expr->op == { OP_GT, OP_GTE, OP_LT, OP_LTE }. So we never
entered that path as the assert in payload_expr_pctx_update()
indicates.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Tested-by: Florian Westphal <fw@strlen.de>
I get failures here since 'man' has a different uid vs. what the
test suite expects.
Furthermore, this box does not have a 'backup' user.
Switch to root/bin/daemon -- those exist on both debian and fedora.
After this meta.t passes on all my machines.
Signed-off-by: Florian Westphal <fw@strlen.de>
... 2001:838:35f:1::-2001:838:35f:2:: :80-100' mismatches
... 2001:838:35f:1::-2001:838:35f:2:::80-100'
nft accepts both, so just alter test to not complain.
Also, fix test script to display the expected output rather than
the input. Otherwise, a rule like
some_input;ok;expected_output
may display nonsensical message like
warning: some_input mismatches some_input
This also fixes the icmpv6 test accordingly, nft displays ranges
correctly.
Signed-off-by: Florian Westphal <fw@strlen.de>
# nft add chain filter input { type filter hook inputt priority 0\; }
<cmdline>:1:43-48: Error: unknown chain hook inputt
add chain filter input { type filter hook inputt priority 0; }
^^^^^^
Before:
# echo $?
0
After:
# echo $?
1
Note that nft_parse() returns 1 on parsing errors and 0 + state->errs on
evaluation problems, so return -1 as other functions do here to pass up the
error to the main routine.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
As the documentation indicates "The most common mistake for this macro is to
consider the two actions as action-if-enabled and action-if-disabled."
Use AS_IF in the action-if-present to check the real argument that we're
getting from the user.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Instead of xfree().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Wrap code to list existing tables in a function.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Set human readable hookname chain->hookstr field from delinearize.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
# nft list tables
table ip nat
instead of:
# nft list tables
table nat
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
nft -i --debug=all
nft> add rule ip filter foo mark 42
dies with sigfpe; seems mpz doesn't like len 0:
#1 0x0805f2ee in mpz_export_data (data=0xbfeda588, op=0x9d9fb08, byteorder=BYTEORDER_HOST_ENDIAN, len=0) at gmputil.c:115
After patch this prints 0x0000002a.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
As pointed out by Patrick McHardy the order in the inet switch
in payload_gen_dependency was not consistent.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
# nft --debug=netlink add rule bridge filter input tcp dport 22
bridge filter input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 2b @ transport header + 2 => reg 1 ]
[ cmp eq reg 1 0x00001600 ]
Reported-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
In case we are reading the rules from a file we need to reset the
file descriptor to the original position when calling erec_print.
This was not the case in previous code and was leading to a valid
file being seen as invalid when treated in debug mode.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
A static array was used to read data and to write information in
it without checking the limit of the array. The result was a buffer
overflow when the line was longer than 1024.
This patch now uses an allocated buffer to avoid the problem.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
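The defect class named in the commit message above, shown in an added C example that is not the nftables patch itself: a fixed 1024-byte line reader with no bound check beside a reader that grows its heap buffer on demand, run over a constructed in-memory stream (fmemopen) so it needs no file. The function names (read_line_fixed_unsafe, read_line_dynamic, longest_line_len, long_line_survives) and the 64-byte initial capacity are the example's own choices.

```c
/* Added example (not the nftables patch): fixed-buffer line reader without a
 * bound, next to a heap-growing reader. Input is a constructed in-memory
 * stream so the code runs without any file. */
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINE_BUF_FIXED 1024

/* BEFORE: the vulnerable shape. Bytes are appended until newline/EOF with no
 * comparison against the array size, so a line of LINE_BUF_FIXED bytes or
 * more writes past the end of buf. Kept only for comparison; nothing in this
 * file calls it. */
void read_line_fixed_unsafe(FILE *fp, char buf[LINE_BUF_FIXED])
{
	size_t i = 0;
	int c;

	while ((c = fgetc(fp)) != EOF && c != '\n')
		buf[i++] = (char)c;	/* no bound check: overflow on a long line */
	buf[i] = '\0';
}

/* AFTER: heap buffer that doubles whenever the next byte would not fit.
 * Returns a malloc'd, NUL-terminated line without the trailing newline, or
 * NULL at end of input or on allocation failure. The caller frees it. */
char *read_line_dynamic(FILE *fp)
{
	size_t cap = 64, len = 0;	/* initial capacity: example's choice */
	char *buf = malloc(cap);
	int c;

	if (buf == NULL)
		return NULL;
	while ((c = fgetc(fp)) != EOF && c != '\n') {
		if (len + 1 >= cap) {	/* keep room for the terminating NUL */
			char *nbuf = realloc(buf, cap * 2);

			if (nbuf == NULL) {
				free(buf);
				return NULL;
			}
			buf = nbuf;
			cap *= 2;
		}
		buf[len++] = (char)c;
	}
	if (len == 0 && c == EOF) {	/* nothing left to read */
		free(buf);
		return NULL;
	}
	buf[len] = '\0';
	return buf;
}

/* Reads every line of text with the safe reader and returns the length of
 * the longest one; 0 for empty input. */
size_t longest_line_len(const char *text)
{
	size_t size = strlen(text), longest = 0;
	FILE *fp;
	char *line;

	if (size == 0)
		return 0;
	fp = fmemopen((void *)text, size, "r");
	if (fp == NULL)
		return 0;
	while ((line = read_line_dynamic(fp)) != NULL) {
		size_t n = strlen(line);

		if (n > longest)
			longest = n;
		free(line);
	}
	fclose(fp);
	return longest;
}

/* Constructed input: one line of n bytes (well past the old 1024 limit when
 * n is large) between two short ones, the last without a newline. Returns
 * true when the safe reader recovers the full length. */
bool long_line_survives(size_t n)
{
	char *text = malloc(n + 16);
	bool ok;

	if (text == NULL)
		return false;
	memcpy(text, "short\n", 6);
	memset(text + 6, 'A', n);
	memcpy(text + 6 + n, "\nend", 5);	/* includes the NUL */
	ok = longest_line_len(text) == n;
	free(text);
	return ok;
}
```

The unsafe reader is retained only so the two shapes can be compared side by side; the growing reader is the one exercised, and it also handles a final line that lacks a newline and an empty line in the middle of the input.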
h.table stores a pointer to a nftnl table object that is gone just after
assignment. Release this object once its content is not referenced anymore.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Update the grammar to accept a MARK token as datatype.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1012
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
getnameinfo() displays this:
::1234:1234:1234:1234:1234:1234:1234
as:
0:1234:1234:1234:1234:1234:1234:1234
which is basically equivalent. nft accepts both inputs.
So add some exceptions to the tests to reduce the amount of noise in the tests,
so we can focus on real problems.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Reconstruct the concat expressions in set data by splicing off the
subtype values based on the keytype of the set.
Signed-off-by: Patrick McHardy
When the RHS length differs from the LHS length (which is only the
first expression), both expressions are assumed to be concat expressions.
The LHS concat expression is reconstructed from the available register
values, advancing by the number of registers required by the subexpressions'
register space, until the RHS length has been reached.
The RHS concat expression is reconstructed by splitting the data value
into multiple subexpressions based on the LHS concat expressions types.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Introduce a helper function to translate register numbers from the kernel
from the compat values to the NFT_REG32 values.
Internally we use the register numbers 0-16:
* 0 is the verdict register in both old and new addressing modes.
* 1-16 are the 32 bit data registers
The NFT_REG32_00 values are mapped to 1-16, the NFT_REG_1-NFT_REG_4
values each use up 4 registers starting at 1 (1, 5, 9, 13).
Signed-off-by: Patrick McHardy <kaber@trash.net>
Pad all but the last sub-expressions of a concat expression.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Use the real length for reserving/releasing registers when generating
concat expressions.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Prepare netlink_linearize for 32 bit register usage:
Switch to use 16 data registers of 32 bit each. A helper function takes
care of mapping the registers to the NFT_REG32 values and, if the
register refers to the beginning of a 128 bit area, the old NFT_REG_1-4
values for compatibility.
New register reservation and release helper functions take the size into
account and reserve the required amount of registers.
The reservation and release functions will so far still always allocate
128 bit. If no other expression in a rule uses a 32 bit register directly,
these will be mapped to the old register values, meaning everything
continues to work with old kernel versions.
Signed-off-by: Patrick McHardy <kaber@trash.net>
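The register numbering described in the two commits above (the kernel-to-internal translation helper, and the 32-bit register preparation of netlink_linearize with its size-aware reservation), written out as an added C example; this is not nftables' own code. It assumes the UAPI enum values NFT_REG_VERDICT = 0, NFT_REG_1..4 = 1..4 and NFT_REG32_00..15 = 8..23 from linux/netfilter/nf_tables.h, which the page names but does not quote, and the stack-like reg_low counter, REG_INTERNAL_MAX and the function names are the example's own construction.

```c
/* Added example (not nftables' own code): register translation in both
 * directions plus a size-aware reserve/release pair, following the scheme in
 * the commit messages above. Kernel identifiers mirror enum nft_registers in
 * the UAPI header and are redefined here so the file builds stand-alone. */
#include <stdbool.h>

enum {
	NFT_REG_VERDICT = 0,
	NFT_REG_1 = 1,		/* 128-bit compat registers: 1..4 */
	NFT_REG_4 = 4,
	NFT_REG32_00 = 8,	/* 32-bit registers: 8..23 */
	NFT_REG32_15 = 23,
};

/* Internal numbering: 0 = verdict, 1..16 = 32-bit data registers. */
#define REG_INTERNAL_MAX 16

/* Kernel -> internal (delinearize). NFT_REG32_xx maps to 1..16; NFT_REG_1..4
 * each cover four 32-bit slots and map to 1, 5, 9, 13. -1 if out of range. */
int reg_from_kernel(unsigned int kreg)
{
	if (kreg == NFT_REG_VERDICT)
		return 0;
	if (kreg >= NFT_REG_1 && kreg <= NFT_REG_4)
		return 1 + (int)(kreg - NFT_REG_1) * 4;
	if (kreg >= NFT_REG32_00 && kreg <= NFT_REG32_15)
		return 1 + (int)(kreg - NFT_REG32_00);
	return -1;
}

/* Internal -> kernel (linearize). A register at the start of a 128-bit area
 * is emitted with the old NFT_REG_n value, which older kernels understand;
 * any other slot can only be expressed as NFT_REG32_xx. (unsigned)-1 if
 * the internal number is out of range. */
unsigned int reg_to_kernel(int reg)
{
	if (reg == 0)
		return NFT_REG_VERDICT;
	if (reg < 1 || reg > REG_INTERNAL_MAX)
		return (unsigned int)-1;
	if ((reg - 1) % 4 == 0)
		return NFT_REG_1 + (unsigned int)(reg - 1) / 4;
	return NFT_REG32_00 + (unsigned int)(reg - 1);
}

/* Every internal register must survive a round trip through the kernel
 * encoding; a mapping bug in either direction shows up here. */
bool reg_roundtrip_ok(void)
{
	for (int reg = 0; reg <= REG_INTERNAL_MAX; reg++)
		if (reg_from_kernel(reg_to_kernel(reg)) != reg)
			return false;
	return true;
}

/* Size-aware reservation: registers are handed out stack-like from reg_low
 * and a value of len_bits takes ceil(len_bits / 32) of them. */
struct reg_ctx {
	unsigned int reg_low;	/* next free internal register, starts at 1 */
};

static unsigned int regs_needed(unsigned int len_bits)
{
	return (len_bits + 31) / 32;
}

/* Returns the first reserved register, or -1 if the request does not fit. */
int reg_reserve(struct reg_ctx *ctx, unsigned int len_bits)
{
	unsigned int n = regs_needed(len_bits);

	if (n == 0 || ctx->reg_low + n > REG_INTERNAL_MAX + 1)
		return -1;
	ctx->reg_low += n;
	return (int)(ctx->reg_low - n);
}

void reg_release(struct reg_ctx *ctx, unsigned int len_bits)
{
	ctx->reg_low -= regs_needed(len_bits);
}

/* Reserve a 128-bit value (registers 1..4) and then a 16-bit one (register
 * 5), release the latter, and check reg_low rewinds and that a request
 * larger than the remaining space is refused. */
bool reg_reserve_demo(void)
{
	struct reg_ctx ctx = { 1 };

	if (reg_reserve(&ctx, 128) != 1 || reg_reserve(&ctx, 16) != 5)
		return false;
	if (ctx.reg_low != 6)
		return false;
	reg_release(&ctx, 16);
	return ctx.reg_low == 5 && reg_reserve(&ctx, 512) == -1;
}
```

With this mapping a rule whose values all start on a 128-bit boundary is encoded entirely with NFT_REG_1..4 and stays loadable on kernels that predate the 32-bit registers, which is the compatibility property the commit message describes.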
Prepare for taking the expression size into account.
Signed-off-by: Patrick McHardy <kaber@trash.net>