| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Release dynamically allocated string by lex from the YYERROR path, e.g.
# cat test.nft
table x {
map test {
type ipv4_addr . foo . inet_service : ipv4_addr . inet_service
}
}
# nft -f test.nft
test.nft:3:20-22: Error: unknown datatype foo
type ipv4_addr . foo . inet_service : ipv4_addr . inet_service
^^^
test.nft:6-9: Error: set definition does not specify key
map test {
^^^^
==29692==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 5 byte(s) in 1 object(s) allocated from:
#0 0x7f6c869e8810 in strdup (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a810)
#1 0x7f6c8637f63a in xstrdup /home/test/nftables/src/utils.c:85
#2 0x7f6c8648a4d3 in nft_lex /home/test/nftables/src/scanner.l:740
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
The err->seqnum == batch_seqnum case results in a memleak of mnl_err
objects under some scenarios such as nf_tables kernel support is not
available or user runs the nft executable as non-root.
Fixes: f930cc500318 ("nftables: fix supression of "permission denied" errors")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
expr_evaluate_concat() is overloaded, it deals with two cases:
#1 set key and data definitions, this case uses the special
dynamically created concatenation datatype which is taken
from the context.
#2 set elements, this case iterates over the set key and data
expressions that are components of the concatenation tuple,
to fetch the corresponding datatype.
Add a new function to deal with case #1 specifically.
This patch is implicitly fixing up map that include arbitrary
concatenations. This is failing with a spurious error report such as:
# cat bug.nft
table x {
map test {
type ipv4_addr . inet_proto . inet_service : ipv4_addr . inet_service
}
}
# nft -f bug.nft
bug.nft:3:48-71: Error: datatype mismatch, expected concatenation of (IPv4 address, Internet protocol, internet network service), expression has type concatenation of (IPv4 address, internet network service)
type ipv4_addr . inet_proto . inet_service : ipv4_addr . inet_service
^^^^^^^^^^^^^^^^^^^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This allows to chose a queue number at run time using map statements,
e.g.:
queue flags bypass to ip saddr map { 192.168.7/24 : 0, 192.168.0/24 : 1 }
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
back in 2016 Liping Zhang added support to kernel and libnftnl to
specify a source register containing the queue number to use.
This was never added to nft itself, so allow this.
On linearization side, check if attached expression is a range.
If its not, allocate a new register and set NFTNL_EXPR_QUEUE_SREG_QNUM
attribute after generating the lowlevel expressions for the kernel.
On delinarization we need to check for presence of
NFTNL_EXPR_QUEUE_SREG_QNUM and decode the expression(s) when present.
Also need to do postprocessing for STMT_QUEUE so that the protocol
context is set correctly, without this only raw payload expressions
will be shown (@nh,32,...) instead of 'ip ...'.
Next patch adds test cases.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rename existing rules to _compat to make sure old rules using 'queue'
statement will work.
Next patch adds distinct input format where flags are explicitly
provided:
queue flags name,<nextflag> num 1
Without this, extension of queue expression to handle arbitrary
expression instead of queue number or range results in parser errors.
Example:
queue num jhash ip saddr mod 4 and 1 bypass
will fail because scanner is still in 'ip' state, not 'queue', when
"bypass" is read.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Preparation patch to avoid too much $<stmt>$ references in the parser.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Else we run into trouble once we allow
queue num symhash mod 4 and 1
and so on. Example problem:
queue num jhash ip saddr mod 4 and 1 bypass
This will fail to parse because the scanner is in the wrong state
(ip, not queue), so 'bypass' is parsed as a string.
Currently, while nft will eat the above just fine (minus 'bypass'),
nft rejects this from the evaluation phase with
Error: queue number is not constant
So seems we are lucky and can restrict the supported expressions
to integer and range.
Furthermore, the line looks wrong because this statement:
queue num jhash ip saddr mod 4 and 1 bypass
doesn't specifiy a number, "queue num 4" does, or "queue num 1-2" do.
For arbitrary expr support it seems sensible to enforce stricter
ordering to avoid any problems with the flags, for example:
queue bypass,futurekeyword to jhash ip saddr mod 42
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
It needs to account for the offset too.
Fixes: 9bee0c86f179 ("src: add offset attribute for hash expression")
Fixes: d4f9a8fb9e9a ("src: add offset attribute for numgen expression")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Release list of ct timeout policy when object is freed.
Direct leak of 160 byte(s) in 2 object(s) allocated from:
#0 0x7fc0273ad330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
#1 0x7fc0231377c4 in xmalloc /home/.../devel/nftables/src/utils.c:36
#2 0x7fc023137983 in xzalloc /home/.../devel/nftables/src/utils.c:75
#3 0x7fc0231f64d6 in nft_parse /home/.../devel/nftables/src/parser_bison.y:4448
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Release osf string flag after processing.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
listing a ruleset containing:
ct event set new,related,destroy,label
results in memleak:
Direct leak of 3672 byte(s) in 27 object(s) allocated from:
#0 0x7fa5465c0330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
#1 0x7fa54233772c in xmalloc /home/.../devel/nftables/src/utils.c:36
#2 0x7fa5423378eb in xzalloc /home/.../devel/nftables/src/utils.c:75
#3 0x7fa5422488c6 in expr_alloc /home/.../devel/nftables/src/expression.c:45
#4 0x7fa54224fb91 in binop_expr_alloc /home/.../devel/nftables/src/expression.c:698
#5 0x7fa54224ddf8 in bitmask_expr_to_binops /home/.../devel/nftables/src/expression.c:512
#6 0x7fa5423102ca in expr_postprocess /home/.../devel/nftables/src/netlink_delinearize.c:2448
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Release the array of intervals and the segtree in case of error,
otherwise these structures and objects are never released:
SUMMARY: AddressSanitizer: 2864 byte(s) leaked in 37 allocation(s).
Moreover, improve existing a test coverage of this error path.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Listing a matching wilcard string results in a memleak: ifname "dummy*"
Direct leak of 136 byte(s) in 1 object(s) allocated from:
#0 0x7f27ba52e330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
#1 0x7f27b9e1d434 in xmalloc /home/.../devel/nftables/src/utils.c:36
#2 0x7f27b9e1d5f3 in xzalloc /home/.../devel/nftables/src/utils.c:75
#3 0x7f27b9d2e8c6 in expr_alloc /home/.../devel/nftables/src/expression.c:45
#4 0x7f27b9d326e9 in constant_expr_alloc /home/.../devel/nftables/src/expression.c:419
#5 0x7f27b9db9318 in netlink_alloc_value /home/.../devel/nftables/src/netlink.c:390
#6 0x7f27b9de0433 in netlink_parse_cmp /home/.../devel/nftables/src/netlink_delinearize.c:321
#7 0x7f27b9deb025 in netlink_parse_expr /home/.../devel/nftables/src/netlink_delinearize.c:1764
#8 0x7f27b9deb0de in netlink_parse_rule_expr /home/.../devel/nftables/src/netlink_delinearize.c:1776
#9 0x7f27b860af7b in nftnl_expr_foreach /home/.../devel/libnftnl/src/rule.c:690
Direct leak of 8 byte(s) in 1 object(s) allocated from:
#0 0x7f27ba52e330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
#1 0x7f27b9e1d434 in xmalloc /home/.../devel/nftables/src/utils.c:36
#2 0x7f27b96975c5 in __gmpz_init2 (/usr/lib/x86_64-linux-gnu/libgmp.so.10+0x1c5c5)
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove useless reference count grabbing on constant expression that
results in a memleak.
Direct leak of 136 byte(s) in 1 object(s) allocated from:
#0 0x7f4cd54af330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
#1 0x7f4cd4d9e489 in xmalloc /home/.../devel/nftables/src/utils.c:36
#2 0x7f4cd4d9e648 in xzalloc /home/.../devel/nftables/src/utils.c:75
#3 0x7f4cd4caf8c6 in expr_alloc /home/.../devel/nftables/src/expression.c:45
#4 0x7f4cd4cb36e9 in constant_expr_alloc /home/.../devel/nftables/src/expression.c:419
#5 0x7f4cd4ca714c in integer_type_parse /home/.../devel/nftables/src/datatype.c:397
#6 0x7f4cd4ca4bee in symbolic_constant_parse /home/.../devel/nftables/src/datatype.c:165
#7 0x7f4cd4ca4572 in symbol_parse /home/.../devel/nftables/src/datatype.c:135
#8 0x7f4cd4cc333f in expr_evaluate_symbol /home/.../devel/nftables/src/evaluate.c:251
[...]
Indirect leak of 8 byte(s) in 1 object(s) allocated from:
#0 0x7f4cd54af330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
#1 0x7f4cd4d9e489 in xmalloc /home/.../devel/nftables/src/utils.c:36
#2 0x7f4cd46185c5 in __gmpz_init2 (/usr/lib/x86_64-linux-gnu/libgmp.so.10+0x1c5c5)
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Verdict maps in combination with interval concatenations are broken, e.g.
# nft add rule x y tcp dport . ip saddr vmap { 1025-65535 . 192.168.10.2 : accept }
Retrieve the concatenation field length and count from the map->map
expressions that represents the key of the implicit map.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Set element keys are of EXPR_SET_ELEM expression type, however, mappings
use the EXPR_MAPPING expression to wrap the EXPR_SET_ELEM key
(mapping->left) and the corresponding data (mapping->right).
This patch adds a wrapper function to fetch the EXPR_SET_ELEM expression
from the key in case of mappings and use it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Check that nft doesn't remove the dependency in these cases:
icmp type echo-reply icmp id 1
("icmp id" matches both echo request and reply).
Add icmpv6 test cases. These fail without the previous patches:
add rule ip6 test-ip6 input icmpv6 id 1:
'icmpv6 id 1' mismatches
'icmpv6 type { echo-request, echo-reply} icmpv6 parameter-problem 65536/16'
add rule ip6 test-ip6 input icmpv6 type echo-reply icmpv6 id 65534':
'icmpv6 type echo-reply icmpv6 id 65534' mismatches
'icmpv6 type echo-reply @th,32,16 65534'
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
"icmp type echo-request icmp id 2" and "icmp id 2" are not the same,
the latter gains an implicit dependency on both echo-request and
echo-reply.
Change payload dependency tracking to not store dependency in case
the value type is ICMP(6)_ECHO(REPLY).
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pablo reports following input and output:
in: icmpv6 id 1
out: icmpv6 type { echo-request, echo-reply } icmpv6 parameter-problem 65536/16
Reason is that icmp fields overlap, decoding of the correct name requires
check of the icmpv6 type. This only works for equality tests, for
instance
in: icmpv6 type echo-request icmpv6 id 1
will be listed as "icmpv6 id 1" (which is not correct either, since the
input only matches on echo-request).
with this patch, output of 'icmpv6 id 1' is
icmpv6 type { echo-request, echo-reply } icmpv6 id 1
The second problem, the removal of a single check (request OR reply),
is resolved in the followup patch.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
Add a test to cover table T1 containing the definition of chain C1, and
table T1' (actually the same definition as T1) that contains a (jump)
reference to chain C1.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Extend existing test to add a ct count expression in the set definition.
This test cover the upstream kernel fix ad9f151e560b ("netfilter:
nf_tables: initialize set before expression setup").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Use set_is_anonymous() to check for the NFT_SET_ANONYMOUS set flag
instead.
Reported-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Otherwise, assertion to ensure that no colission occur is hit due to
uninitialized hashtable memory area:
nft: netlink_delinearize.c:1741: expr_handler_init: Assertion `expr_handle_ht[hash] == NULL' failed.
Fixes: c4058f96c6a5 ("netlink_delinearize: Fix suspicious calloc() call")
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
67d3969a7244 ("evaluate: add set to the cache") re-adds the set into the
cache again.
This bug was hidden behind 5ec5c706d993 ("cache: add hashtable cache for
table") which broke set_evaluate() for anonymous sets.
Phil reported a gcc compilation warning which uncovered this problem.
Reported-by: Phil Sutter <phil@nwl.cc>
Fixes: 67d3969a7244 ("evaluate: add set to the cache")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Fix
ERROR: did not find JSON equivalent for rule 'ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 }'
when running nft-test.py -j
Fixes: bbcc5eda7e58 ("evaluate: restore interval + concatenation in anonymous set")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
The test case exists twice, once with new dei, once with old 'cfi',
so we need to retain the cfi one in the json file too.
Else we get:
WARNING: line 2: Wrote JSON equivalent for rule vlan id 4094 vlan dei 1
Fixes: d2fba515ff94 ("src: add vlan dei")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
Using num_attrs as index means it must be at max one less than the
array's size at function start.
Fixes: 27362a5bfa433 ("rule: larger number of error locations")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
Parameter passed to sizeof() was wrong. While being at it, replace the
whole call with xmalloc_array() which takes care of error checking.
Fixes: 913979f882d13 ("src: add expression handler hashtable")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
If parsing udata fails, 'obj' has to be freed before returning to
caller.
Fixes: 293c9b114faef ("src: add comment support for objects")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
If parsing udata fails, 'table' has to be freed before returning to
caller.
Fixes: c156232a530b3 ("src: add comment support when adding tables")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
If parsing udata fails, 'chain' has to be freed before returning to
caller.
Fixes: 702ac2b72c0e8 ("src: add comment support for chains")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
Duplicate string 'comment' later when the function does not fail
anymore.
Fixes: 0864c2d49ee8a ("src: add comment support for set declarations")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
The updated value of 'is_exists' is no longer read at this point.
Fixes: cb21869649208 ("json: tcp: add raw tcp option match support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
It is certainly intentional, so just mark it as such.
Fixes: b4775dec9f80b ("src: ingress inet support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
If 'kind' value is invalid, the function returned without freeing 'expr'
first. Fix this by performing the check before allocation.
Fixes: cb21869649208 ("json: tcp: add raw tcp option match support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Have to include ctype.h to make it known.
Fixes: e76bb37940181 ("src: allow for variables in the log prefix string")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Perform the table and set lookup only for non-anonymous sets, where the
incremental cache update is required.
The problem fixed by 7aa08d45031e ("evaluate: Perform set evaluation on
implicitly declared (anonymous) sets") resurrected after the cache
rework.
# nft add rule x y tcp sport . tcp dport vmap { ssh . 0-65535 : accept, 0-65535 . ssh : accept }
BUG: invalid range expression type concat
nft: expression.c:1422: range_expr_value_low: Assertion `0' failed.
Abort
Add a test case to make sure this does not happen again.
Fixes: 5ec5c706d993 ("cache: add hashtable cache for table")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
the CFI bit has been repurposed as DEI "Drop Eligible Indicator"
since 802.1Q-2011.
The vlan cfi field is still retained for compatibility.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1516
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
mention various 'nft list' options, such as secmarks, flow tables, and
so on.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Example output:
$ nft list hook ip input
family ip hook input {
+0000000000 nft_do_chain_inet [nf_tables] # nft table ip filter chain input
+0000000010 nft_do_chain_inet [nf_tables] # nft table ip firewalld chain filter_INPUT
+0000000100 nf_nat_ipv4_local_in [nf_nat]
+2147483647 ipv4_confirm [nf_conntrack]
}
$ nft list hooks netdev type ingress device lo
family netdev hook ingress device lo {
+0000000000 nft_do_chain_netdev [nf_tables]
}
$ nft list hooks inet
family ip hook prerouting {
-0000000400 ipv4_conntrack_defrag [nf_defrag_ipv4]
-0000000300 iptable_raw_hook [iptable_raw]
-0000000290 nft_do_chain_inet [nf_tables] # nft table ip firewalld chain raw_PREROUTING
-0000000200 ipv4_conntrack_in [nf_conntrack]
-0000000140 nft_do_chain_inet [nf_tables] # nft table ip firewalld chain mangle_PREROUTING
-0000000100 nf_nat_ipv4_pre_routing [nf_nat]
}
...
'nft list hooks' will display everyting except the netdev family
via successive dump request for all family:hook combinations.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
Followup patch will add new 'hooks' keyword for
nft list hooks
Add a scope for list to avoid exposure of the new keyword in nft
rulesets.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Restoring a set of IPv4 prefixes with about 1.1M elements crashes nft as
set_to_segtree() exhausts the stack. Prevent this by allocating the
pointer array on heap and make sure it is freed before returning to
caller.
With this patch in place, restoring said set succeeds with allocation of
about 3GB of memory, according to valgrind.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
Unsurprisingly, printing warnings to stdout results in malformed JSON.
Signed-off-by: Kerin Millar <kfm@plushkava.net>
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1511
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Provide an ordered list of devices for (netdev) chain and flowtable.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1525
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the fuzzy lookup provides a table, check if it is an inexact
matching, in that case, report that the table does not exist and provide
a mispelling suggestion for the non-existing table.
Initialize table to NULL since the fuzzy lookup might return no table
at all.
This patch fixes misleading error reporting:
# nft delete chain xxx yyy
Error: No such file or directory; did you mean chain ‘B’ in table ip ‘A’?
delete chain xxx yyy
^^^
This refers to table 'xxx' but the suggestion refers to the chain instead.
Therefore, if the fuzzy lookup provides an exact matching table, then do
the fuzzy lookup for the next non-existing object (either chain, set,
...).
Fixes: 3a0e07106f66 ("src: combine extended netlink error reporting with mispelling support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Do not clone the set and zap the elements during the set and map
expansion to the CMD_OBJ_SETELEMS command.
Instead, update the CMD_OBJ_SET command to add the set to the kernel
(without elements) and let CMD_OBJ_SETELEMS add the elements. The
CMD_OBJ_SET command calls set_to_intervals() to update set->init->size
(NFTNL_SET_DESC_SIZE) before adding the set to the kernel. Updating the
set size from do_add_setelems() comes too late, it might result in
spurious ENFILE errors for interval sets.
Moreover, skip CMD_OBJ_SETELEMS if the set definition specifies no
elements.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1500
Fixes: c9eae091983a ("src: add CMD_OBJ_SETELEMS")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Also add a few examples that should not be changed:
- anon set with 2 elements
- anon map with 1 element
- anon set with a concatenation
The latter could be done with cmp but this currently triggers
'Error: Use concatenations with sets and maps, not singleton values'
after removing the anon set.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
