| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
| |
to reuse this in a followup patch.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
... to reuse this in a followup patch.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
If the length is less than 1 byte, this codepath hits a floating point
exception, use div_round_up() as everywhere else in the code.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
The right shift transfer may be result in adjusting the set key size,
eg. ip6 dscp results in fetching 6 bits that are splitted between two
bytes, hence the set element ends up being 16 bytes long.
Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This is only required by sets, maps and meters, skip cache.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Instead of a snapshot from the gmp hg repository.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
ERROR: line 2: did not find payload information for rule 'iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } masquerade'
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We special case rules with sets ({}) so set members are sorted properly.
But we failed to check start of rule:
input: meta mark { 1, 2 } bar
expect: meta mark { 1, 2 } bar
We made sure 'bar' is equal in both input and expected output,
but we did not check start (before {).
This causes a gazillion of warnings, will fix in followup commit.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
nft-test.py currently fails to properly compare tests involving a set,
after that bug is fixed these lines would fail, so fix this up before.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
Forgot to include '!=', this doesn't trigger at the moment due to
a bug in nft-test.py, so fix this before fixing our test script.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
nft-test.py currently fails to properly compare tests involving a set,
after that bug is fixed these lines would fail, so fix this up before.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
ip protocol 6 redirect to :tcp dport map { 22 : 8000, 80 : 8080}
is printed as
redirect to :tcp dport map { 22 : 8000, 80 : 8080}
but that input yields:
Error: transport protocol mapping is only valid after transport protocol match
so kill dependencies beforehand so nft won't remove it.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
old:
add @set5{ ip6 saddr . ip6 daddr}
new:
add @set5 { ip6 saddr . ip6 daddr}
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
updates from latest stable release of libgmp to get in sync with them
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This reverts commit 126706c23c0458b07d54550dc27561b30f8a43f2.
As its now ok to use icmp-in-ip6 family we can remove the dependency.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Jozsef points out that
meta l4proto icmp icmp type destination-unreachable
is hard to read. So, lets just add icmp/icmpv6 to
ip/ip6 protocol base so users can just go with
icmp type destination-unreachable
and let nft fill in needed dependency.
After this patch, the recent patch to not remove the
dependency can be reverted again.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using nftables to filter icmp-in-ipv6 or icmpv6-in-ipv4 we
erronously removed the dependency, i.e. "lis ruleset" shows
table ip6 filter { chain output {
type filter hook output priority 0; policy accept;
icmp type destination-unreachable
} }
but that won't restore because of ip vs ipv6 conflict.
After this patch, this lists as
meta l4proto icmp icmp type destination-unreachable
instead. We still remove the dependency in "ip" family.
Same applies to icmpv6-in-ip.
Reported-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
when explicitly filtering icmp-in-ipv6 and icmp6-in-ip don't remove the
required l3 protocol dependency, else "nft list ruleset" can't be read
via nft -f anymore.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Phil reported following assert:
add rule ip6 f o mark set ip6 saddr . ip6 daddr . tcp dport \
map { dead::beef . f00::. 22 : 1 }
nft: netlink_linearize.c:655: netlink_gen_expr: Assertion `dreg < ctx->reg_low' failed.
This happens because "mark set" will allocate one register (the dreg),
but netlink_gen_concat_expr will populate a lot more register space if
the concat expression strings a lot of expressions together.
As the assert is useful pseudo-reserve the register space as per
concat->len and undo after generating the expressions.
Reported-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
I ran the following command:
ispell -p ./ispell_nft -H nft.xml
to create the local dictionary ispell_nft.
ispell_nft contains almost every special word in nft.xml.
The idea is that anyone can run ispell the same way and only have to accept:
- alpha strings in hexadecimal numbers
- "FIXME" : that has to be fixed eventually
- "differv" : I don't know what that is or whether it's correct
You need to use the English (i.e. American) dictionary, and you want the screen
to be about 100 chars wide (at least).
The patch enforces consistent capitalisation of words, e.g. IPv4 is always that
way but ipv4_addr stays as before. The existing dictionary suggested capital
Ethernet so that is in there too.
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
its outdated.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commits d572d59788143945c2a638f12a5227d9b21ce489 and
9f5e49e147219cd161de8cd80cadf8a444969ef0.
Current libnftables API should be stable enough to release it into the
public, and after 4aba100e593f ("rule: reset cache iff there is an
existing cache") we have a simple way to batch commands through this
API.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This tests what kernel commit ae6153b50f9bf ("netfilter: nf_tables:
permit second nat hook if colliding hook is going away") fixed for.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
Extend run-tests.sh a bit so that all remaining arguments after option
parsing are treated as filenames to test and complain if one doesn't
seem like such. This allows for doing stuff like:
| ./run-tests.sh testcases/include/000*
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Since ruleset listing shows tables sorted by handle (which in turn
depends on table creation ordering), using random filenames here
guarantees to make the test fail randomly.
Since the include files reside in a temporary directory anyway, there is
no need to randomize their names so simplify the whole test a bit.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
It was surprisingly easy to crash nft with invalid syntax in 'add
flowtable' command. Catch at least three possible ways (illustrated in
provided test case) by making evaluation phase survive so that bison
gets a chance to complain.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The major problem here was that existence of network interfaces 'eth0'
and 'wlan0' was assumed. Overcome this by just using 'lo' instead, which
exists even in newly created netns by default.
Another minor issue was false naming of 0004delete_after_add0 - the
expected return code is supposed to be separated by '_' from the
remaining filename.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
The purpose of this test is to delete some chains by their handle and
that is supposed to succeed. So the respective dump should not contain
them anymore.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In libnftables, detect if given filename is '-' and treat it as the
common way of requesting to read from stdin, then open /dev/stdin
instead. (Calling 'nft -f /dev/stdin' worked before as well, but this
makes it official.)
With this in place and bash's support for here strings, review all tests
in tests/shell for needless use of temp files. Note that two categories
of test cases were intentionally left unchanged:
- Tests creating potentially large rulesets to avoid running into shell
parameter length limits.
- Tests for 'include' directive for obvious reasons.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
If genid is unset, then do not reset existing cache. In the kernel,
generation ID is assumed to be always != zero.
This patch fixes:
nft 'add table x; add chain x y;'
that allow us to send several commands in one single batch from the
command line.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Fix a few more items as per commit f9cb9580b924f6320005f429f7d59e52a38aff82
Also insert a missing space I noticed along the way
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
also mention how to quit interactive mode and provide
small table add example.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
All these statements are very similar, handling them with the same code
is obvious. The only thing required here is a custom extension of enum
nft_nat_types which is used in nat_stmt to distinguish between snat and
dnat already. Though since enum nft_nat_types is part of kernel uAPI,
create a local extended version containing the additional fields.
Note that nat statement printing got a bit more complicated to get the
number of spaces right for every possible combination of attributes.
Note also that there wasn't a case for STMT_MASQ in
rule_parse_postprocess(), which seems like a bug. Since STMT_MASQ became
just a variant of STMT_NAT, postprocessing will take place for it now
anyway.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nftables doesn't support vmap with bit-sized headers, such as flow label or dscp:
nft add rule ip filter input ip dscp vmap \{ 4 : accept, 63 : continue \}
BUG: invalid binary operation 5
Unlike plain "ip dscp { 4, 63 }", we don't have a relational operation in
case of vmap. Binop fixups need to be done when evaluating map statements.
This patch is incomplete. 'ip dscp' works, but this won't:
nft add rule --debug=netlink ip6 test-ip6 input ip6 dscp vmap { 0x04 : accept, 0x3f : continue }
The generated expressions look sane, however there is disagreement on
the sets key size vs. the sizes of the individual elements in the set.
This is because ip6 dscp spans a byte boundary.
Key set size is still set to one byte (dscp type is 6bits).
However, binop expansion requirements result in 2 byte loads, i.e.
set members will be 2 bytes in size as well.
This can hopefully get addressed in an incremental patch.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
currently this is fine, but a followup commit will add
EXPR_SET_ELEM handling.
And unlike RANGE we cannot assume the key is a value.
Therefore make binop_can_transfer and binop_transfer_one handle
right hand recursively if needed. For RANGE, call it again with
from/to.
For future SET_ELEM, we can then just call the function recursively
again with right->key as new RHS.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
In case of EXPR_MAPPING, expr->len is 0, we need to use
the length of the key instead.
Without this we can get assertion failure later on:
nft: netlink_delinearize.c:1484: binop_adjust_one: Assertion `value->len >= binop->right->len' failed.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
We cannot assume i->key->key is EXPR_VALUE, we could look e.g. at a range,
which will trigger an assertion failure in binop_adjust_one().
We should call __binop_adjust recursively again in the EXPR_SET_ELEM case,
using key as new input.
Fixes: b8b8e7b6ae10 ("evaluate: transfer right shifts to set reference side")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
they fail with 'BUG: invalid binary operation 5'.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We can't use nft_exthdr_op to encode routing header, it breaks
ipv6 extension header support.
When encountering RT header, userspace did now set a new ipv6 exthdr mode,
but old kernel doesn't know about this, so this failed with -EOPNOTSUPP.
Revert that part and use NFT_EXTHDR_OP_IPV6.
When decoding a routing extension header, try the various route
types until we find a match.
Note this patch isn't complete:
'srh tag 127' creates following expressions:
[ exthdr load 2b @ 43 + 6 => reg 1 ]
[ cmp eq reg 1 0x00007f00 ]
It should instead insert a dependency test ("rt type 4"):
[ exthdr load 1b @ 43 + 2 => reg 1 ]
[ cmp eq reg 1 0x00000004 ]
[ exthdr load 2b @ 43 + 6 => reg 1 ]
[ cmp eq reg 1 0x00007e00 ]
nft should then use this to infer the routing header type.
While add it, document the srh option.
Fixes: 1400288f6d39d ("src: handle rt0 and rt2 properly")
Reported-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Ahmed Abdelsalam <amsalam20@gmail.com>
|
| |
|
|
|
| |
Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For sets, we allow this:
nft add rule x y ip protocol tcp update @y { ip saddr}
For maps:
table ip nftlb {
map persistencia {
type ipv4_addr : mark
timeout 1h
elements = { 192.168.1.132 expires 59m55s : 0x00000064,
192.168.56.101 expires 59m24s : 0x00000065 }
}
chain pre {
type nat hook prerouting priority 0; policy accept;
update @persistencia \
{ @nh,96,32 : numgen inc mod 2 offset 100 }
}
}
nft --debug=netlink add rule ip nftlb pre add @persistencia \
{ ip saddr : numgen inc mod 2 offset 100 }
More compact and it doesn't gets it confused with a simple map update
command (interesting that bison didn't spew any conflict error).
Former syntax for sets is preserved.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Since netlink_gen_relational() didn't do much anymore after meta OP
treating had been removed, it makes sense to merge it with the only
function it dispached to.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With a bit of code reorganization, relational meta OPs OP_RANGE,
OP_FLAGCMP and OP_LOOKUP become unused and can be removed. The only meta
OP left is OP_IMPLICIT which is usually treated as alias to OP_EQ.
Though it needs to stay in place for one reason: When matching against a
bitmask (e.g. TCP flags or conntrack states), it has a different
meaning:
| nft --debug=netlink add rule ip t c tcp flags syn
| ip t c
| [ meta load l4proto => reg 1 ]
| [ cmp eq reg 1 0x00000006 ]
| [ payload load 1b @ transport header + 13 => reg 1 ]
| [ bitwise reg 1 = (reg=1 & 0x00000002 ) ^ 0x00000000 ]
| [ cmp neq reg 1 0x00000000 ]
| nft --debug=netlink add rule ip t c tcp flags == syn
| ip t c
| [ meta load l4proto => reg 1 ]
| [ cmp eq reg 1 0x00000006 ]
| [ payload load 1b @ transport header + 13 => reg 1 ]
| [ cmp eq reg 1 0x00000002 ]
OP_IMPLICIT creates a match which just checks the given flag is present,
while OP_EQ creates a match which ensures the given flag and no other is
present.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Don't assume the system's nft binary is able to correctly list rulesets
generated in tests.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
This reverts commit 9047cc7ae746b1c9abd4e11ed476e37d8716d400, this is breaking
tests.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
New prefered syntax is:
{add,update} set { key } @name
# nft list ruleset
table ip x {
set y {
type ipv4_addr
}
chain y {
ip protocol tcp add set { ip saddr} @y
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The support of dynamic adds and updates are only available for sets
and meters. This patch gives such abilities to maps as well.
This patch is useful in cases where dynamic population of maps are
required, for example, to maintain a persistence during some period
of time.
Example:
table ip nftlb {
map persistencia {
type ipv4_addr : mark
timeout 1h
elements = { 192.168.1.132 expires 59m55s : 0x00000064,
192.168.56.101 expires 59m24s : 0x00000065 }
}
chain pre {
type nat hook prerouting priority 0; policy accept;
map update \
{ @nh,96,32 : numgen inc mod 2 offset 100 } @persistencia
}
}
An example of the netlink generated sequence:
nft --debug=netlink add rule ip nftlb pre map add \
{ ip saddr : numgen inc mod 2 offset 100 } @persistencia
ip nftlb pre
[ payload load 4b @ network header + 12 => reg 1 ]
[ numgen reg 2 = inc mod 2 offset 100 ]
[ dynset add reg_key 1 set persistencia sreg_data 2 ]
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
the '_array' variant is just a wrapper for get/set api; this
allows the array variant to be removed from libnftnl.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Segment Routing Header "SRH" is new type of IPv6 Routing extension
header (type 4).
SRH contains a list of segments (each is represented as an IPv6 address)
to be visited by packets during the journey from source to destination.
The SRH specification are defined in the below IETF SRH draft.
https://tools.ietf.org/html/draft-ietf-6man-segment-routing-header-07
Signed-off-by: Ahmed Abdelsalam <amsalam20@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
