| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
| |
SO_SNDBUF never fails, this socket option just provides a hint to the
kernel. SO_SNDBUFFORCE sets the buffer size to zero if the value goes
over INT_MAX. Userspace is caching the buffer hint that sends to the
kernel, so it might leave userspace out of sync if the kernel ignores
the hint. Do not make assumptions, fetch the sender buffer size from the
kernel via getsockopt().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
cli.h includes a forward declaration of struct parser_state which is not
needed. Remove it.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
configure.ac contains a couple of AC_SUBST macros which serve no
purpose. Remove them.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
changes
meter f size 1024 { ip saddr limit rate 10/second} accept
to
meter f size 1024 { ip saddr limit rate 10/second } accept
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before patch:
# nft -j list ruleset | tee rules.json | jq '.'
{
"nftables": [
{
"metainfo": {
"version": "0.9.2",
"release_name": "Scram",
"json_schema_version": 1
}
},
{
"table": {
"family": "inet",
"name": "t",
"handle": 11
}
},
{
"secmark": {
"family": "inet",
"name": "s",
"table": "t",
"handle": 1,
"context": "system_u:object_r:ssh_server_packet_t:s0"
}
}
]
}
# nft flush ruleset
# nft -j -f rules.json
Segmentation fault
Use "&tmp" instead of "tmp" in json_unpack() while translating "context" keyword.
After patch:
# nft -j -f rules.json
# nft list ruleset
table inet t {
secmark s {
"system_u:object_r:ssh_server_packet_t:s0"
}
}
Fixes: 3bc84e5c1fdd1 ("src: add support for setting secmark")
Signed-off-by: Eric Jallot <ejallot@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Minimal reproducer:
```
$ cat nft.ruleset
# filters
table inet filter {
chain prerouting {
type filter hook prerouting priority -50
}
}
# dump new state
list ruleset
$ nft -c -f ./nft.ruleset
table inet filter {
chain prerouting {
Segmentation fault (core dumped)
```
The crash happens in `chain_print_declaration()`:
```
if (chain->flags & CHAIN_F_BASECHAIN) {
mpz_export_data(&policy, chain->policy->value,
BYTEORDER_HOST_ENDIAN, sizeof(int));
```
Here `chain->policy` is `NULL` (as textual rule does not mention it).
The change is not to print the policy if it's not set
(similar to `chain_evaluate()` handling).
CC: Florian Westphal <fw@strlen.de>
CC: Pablo Neira Ayuso <pablo@netfilter.org>
CC: netfilter-devel@vger.kernel.org
Bug: https://bugzilla.netfilter.org/show_bug.cgi?id=1365
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
Acked-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
The correct form is "ct expectation" not "ct expect". That was causing the
tests/py/ip/object.t json test to fail.
Fixes: 1dd08fcfa07a ("src: add ct expectations support")
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Size value passed to constant_expr_alloc() must correspond with actual
data size, otherwise wrong portion of data will be taken later when
serializing into netlink message.
Booleans require really just a bit, but make type of boolean_keys be
uint8_t (introducing new 'val8' name for it) and pass the data length
using sizeof() to avoid any magic numbers.
While being at it, fix len value in parser_json.c as well although it
worked before due to the value being rounded up to the next multiple of
8.
Fixes: 9fd9baba43c8e ("Introduce boolean datatype and boolean expression")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
The size field in ct_expect struct should be parsed as json integer and not as
a string. Also, l3proto field is parsed as string and not as an integer. That
was causing a segmentation fault when exporting "ct expect" objects as json.
Fixes: 1dd08fcfa07a ("src: add ct expectations support")
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for "synproxy" stateful object. For example (for TCP port 80 and
using maps with saddr):
table ip foo {
synproxy https-synproxy {
mss 1460
wscale 7
timestamp sack-perm
}
synproxy other-synproxy {
mss 1460
wscale 5
}
chain bar {
tcp dport 80 synproxy name "https-synproxy"
synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
}
}
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
==29699== Invalid read of size 8
==29699== at 0x507E140: ct_label_table_exit (ct.c:239)
==29699== by 0x5091877: nft_exit (libnftables.c:97)
==29699== by 0x5091877: nft_ctx_free (libnftables.c:297)
[...]
==29699== Address 0xb251008 is 136 bytes inside a block of size 352 free'd
==29699== at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==29699== by 0x509186F: nft_ctx_free (libnftables.c:296)
[...]
==29699== Block was alloc'd at
==29699== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==29699== by 0x508C51D: xmalloc (utils.c:36)
==29699== by 0x508C51D: xzalloc (utils.c:65)
==29699== by 0x50916BE: nft_ctx_new (libnftables.c:151)
[...]
Release symbol tables before context object.
Fixes: 45cb29a2ada4 ("src: remove global symbol_table")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
We only prefer "list" representation in "ct event". For any other type of "ct"
use the "or" representation so nft prints "ct mark set ct mark | 0x00000001"
instead of "ct mark set ct mark,0x00000001".
Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1364
Fixes: cb8f81ac3079 ("netlink_delinearize: prefer ct event set foo,bar over 'set foo|bar'")
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If restart is triggered with --echo, it causes rules to be duplicated
which is not correct. Remove restart logic.
1. If user passes --echo, use a default 4mb buffer.
2. assume each element in the batch will result in a 1k
notification.
This passes tests both in x86_64 and s390.
Joint work with Florian Westphal.
Fixes: 877baf9538f6 ("src: mnl: retry when we hit -ENOBUFS")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Pass the location via the handle so the error leg in
erec_print_list() can reference it. Applies to invalid references
to tables, chains, and indexes.
Fixes: 586ad210368b ("libnftables: Implement JSON parser")
Signed-off-by: Eric Garver <eric@garver.life>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
This is borrowed from one of firewalld's test cases.
Signed-off-by: Eric Garver <eric@garver.life>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
Expand the test case to also check for returned rule handles in the JSON
output.
Signed-off-by: Eric Garver <eric@garver.life>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
Verify that we get the expected number of rules with --echo (i.e. the
reply wasn't truncated).
Signed-off-by: Eric Garver <eric@garver.life>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Rule that fails to be added while holding a bound set triggers
user-after-free from the abort path.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Both queue and fwd statement end evaluation of a rule:
in
... fwd to "eth0" accept
... queue accept
"accept" is redundant and never evaluated in the kernel.
Add the missing "TERMINAL" flag so the evaluation step will catch
any trailing expressions:
nft add rule filter input queue counter
Error: Statement after terminal statement has no effect
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
| |
Signed-off-by: Ander Juaristi <a@juaristi.eus>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These keywords introduce new checks for a timestamp, an absolute date (which is converted to a timestamp),
an hour in the day (which is converted to the number of seconds since midnight) and a day of week.
When converting an ISO date (eg. 2019-06-06 17:00) to a timestamp,
we need to substract it the GMT difference in seconds, that is, the value
of the 'tm_gmtoff' field in the tm structure. This is because the kernel
doesn't know about time zones. And hence the kernel manages different timestamps
than those that are advertised in userspace when running, for instance, date +%s.
The same conversion needs to be done when converting hours (e.g 17:00) to seconds since midnight
as well.
The result needs to be computed modulo 86400 in case GMT offset (difference in seconds from UTC)
is negative.
We also introduce a new command line option (-t, --seconds) to show the actual
timestamps when printing the values, rather than the ISO dates, or the hour.
Some usage examples:
time < "2019-06-06 17:00" drop;
time < "2019-06-06 17:20:20" drop;
time < 12341234 drop;
day "Saturday" drop;
day 6 drop;
hour >= 17:00 drop;
hour >= "17:00:01" drop;
hour >= 63000 drop;
We need to convert an ISO date to a timestamp
without taking into account the time zone offset, since comparison will
be done in kernel space and there is no time zone information there.
Overwriting TZ is portable, but will cause problems when parsing a
ruleset that has 'time' and 'hour' rules. Parsing an 'hour' type must
not do time zone conversion, but that will be automatically done if TZ has
been overwritten to UTC.
Hence, we use timegm() to parse the 'time' type, even though it's not portable.
Overwriting TZ seems to be a much worse solution.
Finally, be aware that timestamps are converted to nanoseconds when
transferring to the kernel (as comparison is done with nanosecond
precision), and back to seconds when retrieving them for printing.
We swap left and right values in a range to properly handle
cross-day hour ranges (e.g. 23:15-03:22).
Signed-off-by: Ander Juaristi <a@juaristi.eus>
Reviewed-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This is used by the followup patch to evaluate a range without emitting
an error when the left value is larger than the right one.
This is done to handle time-matching such as
23:00-01:00 -- expr_evaluate_range() will reject this, but
we want to be able to evaluate and then handle this as a request
to match from 23:00 to 1am.
Signed-off-by: Ander Juaristi <a@juaristi.eus>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
| |
Signed-off-by: Eric Garver <eric@garver.life>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Always call evaluate_cache_add() so it can set special flags - in this
case NFT_CACHE_UPDATE.
Fixes: 01e5c6f0ed03 ("src: add cache level flags")
Signed-off-by: Eric Garver <eric@garver.life>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This allows you to match the bridge pvid and vlan protocol, for
instance:
nft add rule bridge firewall zones meta ibrvproto vlan
nft add rule bridge firewall zones meta ibrpvid 100
Signed-off-by: wenxu <wenxu@ucloud.cn>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
also add a test case.
Fixes: a87f2a2227be2 ("netfilter: support for element deletion")
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch implements element deletion from ruleset.
Example:
table ip set-test {
set testset {
type ipv4_addr;
flags timeout;
}
chain outputchain {
policy accept;
type filter hook output priority filter;
delete @testset { ip saddr }
}
}
Signed-off-by: Ander Juaristi <a@juaristi.eus>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before patch:
# nft list secmarks | tee rules.nft
table inet t {
secmark s {
system_u:object_r:ssh_server_packet_t:s0 }
}
# nft flush ruleset
# nft -f rules.nft
rules.nft:3:11-11: Error: syntax error, unexpected colon
system_u:object_r:ssh_server_packet_t:s0
Colon is not allowed in strings and breaks nft -f.
So move to quoted string in selctx output.
After patch:
# nft list secmarks | tee rules.nft
table inet t {
secmark s {
"system_u:object_r:ssh_server_packet_t:s0"
}
}
# nft flush ruleset
# nft -f rules.nft
Fixes: 3bc84e5c ("src: add support for setting secmark")
Signed-off-by: Eric Jallot <ejallot@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
Update dependency on libnftnl. Missing nf_synproxy.h in Makefile.am too.
Update release name based Jazz series, Fats Waller performing "Scram":
https://www.youtube.com/watch?v=c9-noJc9ifI
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
The test script can die in case there are severe problems,
such as rlen being 0 -- in that case i is undefined and script
evaluation is aborted.
Found during nft development, no existing test case shows this
problem.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
We don't need to check asciidoc output with xmllint because the generated XML
is generated by a tool, not by a human. Moreover, xmllint can cause
problems because it will try to download the DTD and that is problematic in
build systems with no network access.
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
json restore is broken on big-endian because we errounously
passed uint8_t with 64 bit size indicator.
On bigendian, this causes all values to get shifted by 56 bit,
this will then cause the eval step to bail because all values
are outside of the 8bit 0-255 protocol range.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Json output could not be restored back by nft because it did
not recognize the new "th" pseudoheader.
Fixes: a43a696443a150f44 ("proto: add pseudo th protocol to match d/sport in generic way")
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Importing, exporting and byteswapping zero length data should not
happen.
Use macro definition so we know from where the assertion is triggered in
the code for easier diagnosing in the future.
When importing datatype.h from gmputil.h, it seems gcc complains on
missing declarations in json.h.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
tests/shell/testcases/transactions/0049huge_0
still fails with ENOBUFS error after endian fix done in
previous patch. Its enough to increase the scale factor (4)
on s390x, but rather than continue with these "guess the proper
size" game, just increase the buffer size and retry up to 3 times.
This makes above test work on s390x.
So, implement what Pablo suggested in the earlier commit:
We could also explore increasing the buffer and retry if
mnl_nft_socket_sendmsg() hits ENOBUFS if we ever hit this problem again.
v2: call setsockopt unconditionally, then increase on error.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
tests/shell/testcases/flowtable/0001flowtable_0
tests/shell/testcases/nft-f/0008split_tables_0
fail the 'dump compare' on s390x.
The priority (10) turns to 0, and accept turned to drop.
Problem is that '$1' is a 64bit value -- then we pass the address
and import 'int' -- we then get the upper all zero bits.
Add a 32bit interger type and use that.
v2: add uint32_t type to union, v1 used temporary value instead.
Fixes: 627c451b2351 ("src: allow variables in the chain priority specification")
Fixes: dba4a9b4b5fe ("src: allow variable in chain policy")
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
table bla {
chain foo { }
chain bar { jump foo }
}
}
Fails to restore on big-endian platforms:
jump.nft:5:2-9: Error: Could not process rule: No such file or directory
jump foo
nft passes a 0-length name to the kernel.
This is because when we export the value (the string), we provide
the size of the destination buffer.
In earlier versions, the parser allocated the name with the same
fixed size and all was fine.
After the fix, the export places the name in the wrong location
in the destination buffer.
This makes tests/shell/testcases/chains/0001jumps_0 work on s390x.
v2: convert one error check to a BUG(), it should not happen unless
kernel abi is broken.
Fixes: 142350f154c78 ("src: invalid read when importing chain name")
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Kernel expects socklen_t (int).
Using size_t causes kernel to read upper 0-bits.
This caused tests/shell/testcases/transactions/0049huge_0
to fail on s390x -- it uses 'echo' mode and will quickly
overrun the tiny buffer size set due to this bug.
Fixes: 89c82c261bb5 ("mnl: estimate receiver buffer size")
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes
ERROR: did not find JSON equivalent for rule 'ether type vlan ip
protocol 1 accept'
when running
./nft-test.py -j bridge/vlan.t
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Refresh it to fetch what we have in 5.3-rc1.
Remove NFT_OSF_F_VERSION definition, this is already available in
include/linux/netfilter/nf_tables.h
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Move new chain tests for variable priority and policy to chain folder.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch allows you to use variables in chain policy definition, e.g.
define default_policy = "accept"
add table ip foo
add chain ip foo bar {type filter hook input priority filter; policy $default_policy}
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch allows you to use variables in chain priority definitions,
e.g.
define prio = filter
define prionum = 10
define prioffset = "filter - 150"
add table ip foo
add chain ip foo bar { type filter hook input priority $prio; }
add chain ip foo ber { type filter hook input priority $prionum; }
add chain ip foo bor { type filter hook input priority $prioffset; }
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Store symbol tables in context object instead. Use the nft_ctx object to
store the dynamic symbol table. Pass it on to the parse_ctx object so
this can be accessed from the parse routines. This dynamic symbol table
is also accesible from the output_ctx object for print routines.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This object stores the dynamic symbol tables that are loaded from files.
Pass this object to datatype parse functions, although this new
parameter is not used yet, this is just a preparation patch.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
After the new cache system, nft raises a table error flushing a chain in
a transaction.
# nft "flush chain ip nftlb filter-newfarm ; \
add rule ip nftlb filter-newfarm update \
@persist-newfarm { ip saddr : ct mark } ; \
flush chain ip nftlb nat-newfarm"
Error: No such file or directory
flush chain ip nftlb filter-newfarm ; add rule ip nftlb (...)
^^^^^
This patch sets the cache flag properly to save this case.
Fixes: 01e5c6f0ed031 ("src: add cache level flags")
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Given the following bridge rules:
1. ip protocol icmp accept
2. ether type vlan vlan type ip ip protocol icmp accept
The are currently both dumped by "nft list ruleset" as
1. ip protocol icmp accept
2. ip protocol icmp accept
Though, the netlink code actually is different
bridge filter FORWARD 4
[ payload load 2b @ link header + 12 => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
[ immediate reg 0 accept ]
bridge filter FORWARD 5 4
[ payload load 2b @ link header + 12 => reg 1 ]
[ cmp eq reg 1 0x00000081 ]
[ payload load 2b @ link header + 16 => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
[ immediate reg 0 accept ]
What happens here is that:
1. vlan type ip kills ether type vlan
2. ip protocol icmp kills vlan type ip
Fix this by avoiding the removal of all vlan statements
in the given example.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Bison-3.3 significantly increased warnings for POSIX incompatibilities,
it now complains about missing support for %name-prefix, %define,
%destructor and string literals. The latter applies to parameter of
%name-prefix and all relevant %token statements.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
