summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* doc: osf: add ttl option to man pageFernando Fernandez Mancera2018-10-231-4/+16
| | | | | Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* osf: add ttl option supportFernando Fernandez Mancera2018-10-2312-11/+133
| | | | | | | | | | | | | | Add support for ttl option in "osf" expression. Example: table ip foo { chain bar { type filter hook input priority filter; policy accept; osf ttl skip name "Linux" } } Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: reset mnl_socket field in struct nft_ctx on EINTRPablo Neira Ayuso2018-10-223-5/+4
| | | | | | Otherwise we keep using the old netlink socket if we hit EINTR. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: pass struct nft_ctx through struct netlink_ctxPablo Neira Ayuso2018-10-2210-195/+156
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: pass struct nft_ctx through struct eval_ctxPablo Neira Ayuso2018-10-223-75/+69
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Extend get element testPhil Sutter2018-10-221-0/+7
| | | | | | | | | Despite the recent fixes, the test still fails. While trying to address the remaining issues, I found more potentially problematic inputs so extend the test by those. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: Document ct timeout supportHarsha Sharma2018-10-182-5/+106
| | | | | | | | Add documentation for creating ct timeout objects and assigning timeout policies via rules. Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: bogus bail out with raw expression from dynamic setsPablo Neira Ayuso2018-10-172-1/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | The following ruleset that uses raw expressions: table ip nftlb { map persistency { type inet_service : mark size 65535 timeout 1h elements = { 53 expires 59m55s864ms : 0x00000064, 80 expires 59m58s924ms : 0x00000065, 443 expires 59m56s220ms : 0x00000064 } } chain pre { type filter hook prerouting priority filter; policy accept; ip protocol { tcp, udp } update @persistencia { @th,0,16 : numgen inc mod 2 offset 100 } } } bogusly bails out with: /tmp/test:9:57-64: Error: datatype mismatch: expected internet network service, expression has type integer ip protocol { tcp, udp } update @persistencia { @th,0,16 : numgen inc mod 2 offset 100 } ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Fix the problem by evaluating expression basetype and length in this case. Reported-by: Laura Garcia <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove opts field from struct xt_stmtPablo Neira Ayuso2018-10-173-8/+2
| | | | | | | | This is never used, ie. always NULL. Reported-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Phil Sutter <phil@nwl.cc>
* src: add support for setting secmarkChristian Göttsche2018-10-1510-6/+187
| | | | | | | | | | | | | | | | | | | | | | | | | Add support for new nft object secmark holding security context strings. The following should demonstrate its usage (based on SELinux context): # define a tag containing a context string nft add secmark inet filter sshtag \"system_u:object_r:ssh_server_packet_t:s0\" nft list secmarks # set the secmark nft add rule inet filter input tcp dport 22 meta secmark set sshtag # map usage nft add map inet filter secmapping { type inet_service : secmark \; } nft add element inet filter secmapping { 22 : sshtag } nft list maps nft list map inet filter secmapping nft add rule inet filter input meta secmark set tcp dport map @secmapping [ Original patch based on v0.9.0. Rebase on top on git HEAD. --pablo ] Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: Fix memleak in dup_stmt_json()Phil Sutter2018-10-151-1/+1
| | | | | | | | | The variable 'root' is always assigned to after initialization, so there is no point in initializing it upon declaration. Fixes: e70354f53e9f6 ("libnftables: Implement JSON output support") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_json: Fix for ineffective family value checksPhil Sutter2018-10-151-99/+70
| | | | | | | | | | | | | Since handle->family is unsigned, checking for value < 0 never yields true. Overcome this by changing parse_family() to return an error code and write the parsed family value into a pointer passed as parameter. The above change required a bit more cleanup to avoid passing pointers to signed variables to the function. Also leverage json_parse_family() a bit more to reduce code side. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Fix memleak in nft_parse_bison_filename()Phil Sutter2018-10-151-4/+3
| | | | | | | | | Allocated scanner object leaks when returning to caller. For some odd reason, this was missed by the commit referenced below. Fixes: bd82e03e15df8 ("libnftables: Move scanner object into struct nft_ctx") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Fix memleak in netlink_parse_fwd() error pathPhil Sutter2018-10-151-5/+8
| | | | | | | | Make sure allocated 'stmt' is freed before returning to caller. Fixes: 30d45266bf38b ("expr: extend fwd statement to support address and family") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: monitor: Test JSON output as wellPhil Sutter2018-10-158-11/+117
| | | | | | | | Enhance monitor test suite to test check JSON output as well. Note that for now there is no support for --echo output testing with JSON. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* monitor: Use libnftables JSON outputPhil Sutter2018-10-154-140/+251
| | | | | | | | This switches 'nft monitor' JSON output from using libnftnl's to libnftables' implementation. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* monitor: Fix printing of ct objectsPhil Sutter2018-10-156-25/+63
| | | | | | | | | | | | | | | Monitor output is supposed to be single lined without tabs, but ct object were printed with newlines and tabs hard-coded. Fixing this wasn't too hard given that there is 'stmt_separator' to also include semi-colons where required if newline was removed. A more obvious mistake was position of object type in monitor output: Like with other object types, it has to occur between command and table spec. As a positive side-effect, this aligns ct objects better with others (see obj_type_name_array for instance). Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* monitor: Drop 'update table' and 'update chain' casesPhil Sutter2018-10-151-8/+2
| | | | | | | | | There seems to be no situation where this comes to play. Also, since there is no 'nft update table/chain' command, this is inconsistent with input. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* monitor: Drop fake XML supportPhil Sutter2018-10-151-6/+0
| | | | | | | | Since libnftnl doesn't support XML formatting, pretending to do so in nft monitor is pointless. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: Add ct timeout supportPhil Sutter2018-10-153-1/+117
| | | | | | | Add support for printing and parsing ct timeout objects to JSON API. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: Drop unused symbolic_constant_json() stubPhil Sutter2018-10-151-6/+0
| | | | | | | | | This seems like a left-over from day 1: Said function is static in json.c, so there is no point in providing a stub when compiling with JSON disabled. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Add missing JSON bits for inet/meta.tPhil Sutter2018-10-152-3/+20
| | | | | | | | Those were forgotten when renaming meta secpath to meta ipsec. Fixes: 8f55ed41d0070 ("src: rename meta secpath to meta ipsec") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: set proper error cause on existing elementsPablo Neira Ayuso2018-10-101-0/+2
| | | | | | | | | | | | | | | | | | Adding new elements result in a confusing "Success" error message. # nft add element x y { 0-3 } [...] Error: Could not process rule: Success add element x y { 0-3 } ^^^^^^^^^^^^^^^^^^^^^^^^ after this patch, this reports: Error: Could not process rule: File exists add element x y { 0-3 } ^^^^^^^^^^^^^^^^^^^^^^^^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: incorrect handling of last element in get_set_decompose()Pablo Neira Ayuso2018-10-101-1/+1
| | | | | | | Add range to the list of matching elements. Fixes: 95629758a5ec ("segtree: bogus range via get set element on existing elements") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove netlink_flush_chain()Pablo Neira Ayuso2018-10-103-8/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove netlink_flush_table()Pablo Neira Ayuso2018-10-103-12/+1
| | | | | | | Just a simple wrapper function, replace it by direct call to mnl_nft_rule_del(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mnl: remove alloc_nftnl_set()Pablo Neira Ayuso2018-10-105-210/+209
| | | | | | | We can remove alloc_nftnl_set() and consolidate infrastructure in the src/mnl.c file. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mnl: remove alloc_nftnl_rule()Pablo Neira Ayuso2018-10-105-110/+84
| | | | | | | We can remove alloc_nftnl_rule() and consolidate infrastructure in the src/mnl.c file. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mnl: remove alloc_nftnl_chain()Pablo Neira Ayuso2018-10-045-107/+96
| | | | | | | | The netlink layer sits in between the mnl and the rule layers, remove it. We can remove alloc_nftnl_chain() and consolidate infrastructure in the src/mnl.c file. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mnl: remove alloc_nftnl_table()Pablo Neira Ayuso2018-10-045-85/+52
| | | | | | | | The netlink layer sits in between the mnl and the rule layers, remove it. We can remove alloc_nftnl_table() and consolidate infrastructure in the src/mnl.c file. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: get rid of netlink_genid_get()Pablo Neira Ayuso2018-10-043-8/+3
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: remove markup json parsing codePablo Neira Ayuso2018-10-042-327/+2
| | | | | | | | We have better json support these days, remove libnftnl json support. While at it, remove test file for this too. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: Fix for ECN keyword in LHS of relationalPhil Sutter2018-10-045-9/+54
| | | | | | | | | | | | | | | | | | | | Of all possible TCP flags, 'ecn' is special since it is recognized by lex as a keyword (there is a a field in IPv4 and IPv6 headers with the same name). Therefore it is listed in keyword_expr, but that was sufficient for RHS only. The following statement reproduces the issue: | tcp flags & (syn | ecn) == (syn | ecn) The solution is to limit binop expressions to accept an RHS expression on RHS ("real" LHS expressions don't make much sense there anyway), which then allows keyword_expr to occur there. In order to maintain the recursive behaviour if braces are present, allow primary_rhs_expr to consist of a basic_rhs_expr enclosed in braces. This in turn requires for braced RHS part in relational_expr to be dropped, otherwise bison complains about shift/reduce conflict. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: stop iteration on existing elements in case range is foundPablo Neira Ayuso2018-10-031-4/+6
| | | | | | No need to keep iterating once the range object has been allocated. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: fix memleak in do_get_setelems()Pablo Neira Ayuso2018-10-031-5/+3
| | | | | | Release set and elements in case of error. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: memleak in get_set_decompose()Pablo Neira Ayuso2018-10-031-0/+2
| | | | | | | Release set content on error. Moreover, release input set content in case we finally manage to decompose it. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: disantangle get_set_interval_end()Pablo Neira Ayuso2018-10-031-15/+22
| | | | | | | | | | This function overrides the left pointer. Instead update this function to return the range that we found to enclose the left element. Note that we may not find a closing right element - therefore, it is a standalone element - in that case this function returns NULL. Reported-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: bogus range via get set element on existing elementsPablo Neira Ayuso2018-10-033-5/+50
| | | | | | | | | | | | | | | | | | | | | | | | | | table ip x { set y { type inet_service flags interval elements = { 10, 20-30, 40, 50-60 } } } # nft get element x y { 20-40 } table ip x { set y { type inet_service flags interval elements = { 20-40 } } } 20 and 40 exist in the tree, but they are part of different ranges. This patch adds a new get_set_decompose() function to validate that the left and the right side of the range. Reported-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Test 'get element' commandPhil Sutter2018-10-031-0/+37
| | | | | | | | This command is currently broken when used in sets with ranges. Test various variants against known data and check if output is as expected. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: add missing xfrm.h to Makefile.amFernando Fernandez Mancera2018-09-301-0/+1
| | | | | Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: Improve performance of 0021prio_0Phil Sutter2018-09-261-7/+17
| | | | | | | | | | | | | This test called nft binary 391 times and took about 38s to complete on my testing VM. Improve this by writing all commands into a temporary file for processing in a single nft call. Reduces run-time to about 4s. Interestingly, piping the sub-process's output directly into 'nft -f -' leads to spurious errors (parser complaining about perfectly fine syntax). It seems like handling large input this way is not possible. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: Improve gen_chains() in 0021prio_0Phil Sutter2018-09-261-11/+4
| | | | | | | | | Enhance the function to accept an optional fourth parameter specifying the device name, then use it for netdev family. Also remove dubled empty lines and instead put together what belongs together. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: Drop one-time use variables in 0021prio_0Phil Sutter2018-09-261-30/+15
| | | | | | | | | There is really no point in declaring a variable which is used just once. Also mark function local variables as such to make sure they don't overwrite global ones. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: Fix indenting in 0021prio_0Phil Sutter2018-09-261-34/+33
| | | | | | | | Pointless indenting doesn't increase readability, merely makes the script seem more complicated than it actually is. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* parser_bison: Fix for chain prio name 'out'Phil Sutter2018-09-261-3/+12
| | | | | | | | | | | Since 'out' is defined as a keyword in scanner.l, using it as a chain priority name without quotes is not possible. Fix this by introducing 'extended_prio_name' in bison which may be either a string (as before) or OUT, which is then converted into a string. Fixes: c8a0e8c90e2d1 ("src: Set/print standard chain prios with textual names") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add ipsec (xfrm) expressionMáté Eckl2018-09-2117-11/+674
| | | | | | | | | | | | | | | | This allows matching on ipsec tunnel/beet addresses in xfrm state associated with a packet, ipsec request id and the SPI. Examples: ipsec in ip saddr 192.168.1.0/24 ipsec out ip6 daddr @endpoints ipsec in spi 1-65536 Joint work with Florian Westphal. Cc: Máté Eckl <ecklm94@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: rename meta secpath to meta ipsecFlorian Westphal2018-09-215-7/+11
| | | | | | | for symmetry with 'rt ipsec'. "meta secpath" still works. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rt: add support to check if route will perform ipsec transformationFlorian Westphal2018-09-219-0/+56
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: Re-work RULES:add/insert/replace to read better.Duncan Roe2018-09-211-7/+7
| | | | | | | | | It was tempting to remove "position" from the synopsis, but have left that for another patch. Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au> Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: throw distinct error if map exists but contains no objectsFlorian Westphal2018-09-201-2/+4
| | | | | | | | | | | | | | | | | | | | | nft would throw misleading error in case map exists but doesn't contain expected objects. nft add rule filter in ct helper set tcp dport map @foo Error: Expression is not a map add rule filter in ct helper set tcp dport map @foo ^^^^ nft list table filter table ip filter { map foo { type inet_service : ifname } ... clarify this. Reported-by: Christian Göttsche <cgzones@googlemail.com> Signed-off-by: Florian Westphal <fw@strlen.de>