summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* tests/py: Use libnftables instead of calling nft binaryPhil Sutter2018-04-1119-120/+339
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds a simple nftables Python class in py/nftables.py which gives access to libnftables API via ctypes module. nft-test.py is extended to make use of the above class instead of calling nft binary. Since command line formatting had to be touched anyway, this patch also streamlines things a bit by introducing __str__ methods to classes Table and Chain and making extensive use of format strings instead of onerously adding all string parts together. Since the called commands don't see a shell anymore, all shell meta character escaping done in testcases is removed. The visible effects of this change are: * Four new warnings in ip/flowtable.t due to changing objref IDs (will be addressed later in a patch to libnftnl). * Reported command line in warning and error messages changed slightly for obvious reasons. * Reduction of a full test run's runtime by a factor of four. Status diff after running with 'time': < 83 test files, 77 files passed, 1724 unit tests, 0 error, 33 warning < 87.23user 696.13system 15:11.82elapsed 85%CPU (0avgtext+0avgdata 9604maxresident)k < 8inputs+36800outputs (0major+35171235minor)pagefaults 0swaps > 83 test files, 77 files passed, 1724 unit tests, 4 error, 33 warning > 6.80user 30.18system 3:45.86elapsed 16%CPU (0avgtext+0avgdata 14064maxresident)k > 0inputs+35808outputs (0major+2874minor)pagefaults 0swaps Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Simplify cookie integrationPhil Sutter2018-04-112-66/+44
| | | | | | | | | This increases the size of struct output_ctx quite a bit, but allows to simplify internal functions dealing with the cookies mainly because output_fp becomes accessible from struct cookie. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Support buffering output and errorPhil Sutter2018-04-113-0/+153
| | | | | | | | | | | When integrating libnftables into Python code using ctypes module, having to use a FILE pointer for output becomes a show-stopper. Therefore make Python hackers' lives (a little) less painful by providing convenience functions to setup buffering output and error streams using fopencookie() and retrieving the buffers. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Introduce nft_ctx_set_error()Phil Sutter2018-04-114-4/+17
| | | | | | | | Analogous to nft_ctx_set_output(), this allows to set a custom file pointer for writing error messages to. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Fix for input without trailing newlinePhil Sutter2018-04-113-5/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Input parser implementation requires a newline at end of input, otherwise the last pattern may not be recognized correctly. If input comes from a file, the culprit was YY_INPUT macro not expecting the last line not ending with a newline, so the last word wasn't accepted. This is easily fixed by checking for feof(yyin) in there. A simple test case for that is: | echo -en "table ip t {\nchain c {\n}\n}" >/tmp/foo | nft -f /tmp/foo Input from a string buffer is a bit more tricky: The culprit here is that detection of classid pattern is done by checking the character following it which makes it impossible to sit right at end of input and I haven't found an alternative to that. After dropping the manual newline appending when combining argv into a single buffer in main(), a rule like this won't be recognized anymore: | nft add rule ip t c meta priority feed:babe Since a direct call to run_cmd_from_buffer() via libnftables bypasses the sanitizing done in main() entirely, it has to happen in libnftables instead which means creating a newline-terminated duplicate of the input buffer. Note that main() created a buffer one byte longer than needed since it accounts for whitespace at end of each argv but doesn't add it to the buffer for the last one, so buffer length is reduced by two bytes instead of just one although only one less character is printed into it. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: Fix output_fp bypass in ct_print()Phil Sutter2018-04-101-1/+1
| | | | | Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* configure: don't enable xtables when --without-xtables is passedFlorian Westphal2018-04-041-1/+1
| | | | | | | | | | | | | AC_ARG_WITH runs this when EITHER --with-foo or --without-foo is given, so use 'withval'. After this patch: ./configure -> xtables off ./configure --with-xtables -> xtables on ./configure --without-xtables -> xtables off (was on). Reported-by: Alexander Dahl <ada@thorsis.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: use recursive call for SET_REF handlingFlorian Westphal2018-04-031-29/+1
| | | | | | We can now call the helper again, with set->init as new RHS expression. Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: handle EXPR_MAPPINGFlorian Westphal2018-04-031-0/+4
| | | | | | | | Needed by followup patch. EXPR_SET_REF handling is bonkers, it "works" when using { key : value } because ->key and ->left are aliased in struct expr to the same location. Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: split binop xfer to separate functionFlorian Westphal2018-04-031-16/+31
| | | | | | to reuse this in a followup patch. Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: move lhs fixup to a helperFlorian Westphal2018-04-031-19/+28
| | | | | | ... to reuse this in a followup patch. Signed-off-by: Florian Westphal <fw@strlen.de>
* netlink: floating point exception with concatenationsPablo Neira Ayuso2018-04-031-1/+1
| | | | | | | If the length is less than 1 byte, this codepath hits a floating point exception, use div_round_up() as everywhere else in the code. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: propagate binop_transfer() adjustment to set key sizePablo Neira Ayuso2018-04-031-1/+2
| | | | | | | | | The right shift transfer may be result in adjusting the set key size, eg. ip6 dscp results in fetching 6 bits that are splitted between two bytes, hence the set element ends up being 16 bytes long. Reported-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: do not inconditionally update cache from flush commandPablo Neira Ayuso2018-04-011-5/+15
| | | | | | This is only required by sets, maps and meters, skip cache. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use mini-gmp 6.1.2 stable releasePablo Neira Ayuso2018-04-011-66/+52
| | | | | | Instead of a snapshot from the gmp hg repository. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: ip6: fix 'missing payload' errorFlorian Westphal2018-04-011-1/+1
| | | | | | ERROR: line 2: did not find payload information for rule 'iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } masquerade' Signed-off-by: Florian Westphal <fw@strlen.de>
* nft-test: check start of rule with sets tooFlorian Westphal2018-04-011-0/+4
| | | | | | | | | | | | | | | We special case rules with sets ({}) so set members are sorted properly. But we failed to check start of rule: input: meta mark { 1, 2 } bar expect: meta mark { 1, 2 } bar We made sure 'bar' is equal in both input and expected output, but we did not check start (before {). This causes a gazillion of warnings, will fix in followup commit. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: ct, meta: fixes for upcoming nft-test.py fixFlorian Westphal2018-04-013-28/+28
| | | | | | | nft-test.py currently fails to properly compare tests involving a set, after that bug is fixed these lines would fail, so fix this up before. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: mh: fix expected test outputFlorian Westphal2018-04-011-1/+1
| | | | | | | Forgot to include '!=', this doesn't trigger at the moment due to a bug in nft-test.py, so fix this before fixing our test script. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: redirect: fix tests for upcoming nft-test.py fixFlorian Westphal2018-04-017-11/+11
| | | | | | | nft-test.py currently fails to properly compare tests involving a set, after that bug is fixed these lines would fail, so fix this up before. Signed-off-by: Florian Westphal <fw@strlen.de>
* netlink_delinearize: kill dependency before eval of 'redirect' stmtFlorian Westphal2018-04-011-1/+3
| | | | | | | | | | | | | ip protocol 6 redirect to :tcp dport map { 22 : 8000, 80 : 8080} is printed as redirect to :tcp dport map { 22 : 8000, 80 : 8080} but that input yields: Error: transport protocol mapping is only valid after transport protocol match so kill dependencies beforehand so nft won't remove it. Signed-off-by: Florian Westphal <fw@strlen.de>
* statement: print space before "{" in set addFlorian Westphal2018-04-011-1/+1
| | | | | | | | | old: add @set5{ ip6 saddr . ip6 daddr} new: add @set5 { ip6 saddr . ip6 daddr} Signed-off-by: Florian Westphal <fw@strlen.de>
* src: Updates for mini-gmp.{c,h}Harsha Sharma2018-03-312-199/+245
| | | | | | | updates from latest stable release of libgmp to get in sync with them Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Revert "payload: don't remove icmp family dependency in special cases"Florian Westphal2018-03-281-9/+0
| | | | | | | | This reverts commit 126706c23c0458b07d54550dc27561b30f8a43f2. As its now ok to use icmp-in-ip6 family we can remove the dependency. Signed-off-by: Florian Westphal <fw@strlen.de>
* proto: permit icmp-in-ipv6 and icmpv6-in-ipv4Florian Westphal2018-03-285-7/+49
| | | | | | | | | | | | | | | | | Jozsef points out that meta l4proto icmp icmp type destination-unreachable is hard to read. So, lets just add icmp/icmpv6 to ip/ip6 protocol base so users can just go with icmp type destination-unreachable and let nft fill in needed dependency. After this patch, the recent patch to not remove the dependency can be reverted again. Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* payload: don't remove icmp family dependency in special casesFlorian Westphal2018-03-271-0/+9
| | | | | | | | | | | | | | | | | | | | | | | When using nftables to filter icmp-in-ipv6 or icmpv6-in-ipv4 we erronously removed the dependency, i.e. "lis ruleset" shows table ip6 filter { chain output { type filter hook output priority 0; policy accept; icmp type destination-unreachable } } but that won't restore because of ip vs ipv6 conflict. After this patch, this lists as meta l4proto icmp icmp type destination-unreachable instead. We still remove the dependency in "ip" family. Same applies to icmpv6-in-ip. Reported-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: meta: icmp, icmpv6: don't kill required dependenciesFlorian Westphal2018-03-275-8/+48
| | | | | | | | when explicitly filtering icmp-in-ipv6 and icmp6-in-ip don't remove the required l3 protocol dependency, else "nft list ruleset" can't be read via nft -f anymore. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: avoid errouneous assert with map+concatFlorian Westphal2018-03-271-0/+8
| | | | | | | | | | | | | | | | | | Phil reported following assert: add rule ip6 f o mark set ip6 saddr . ip6 daddr . tcp dport \ map { dead::beef . f00::. 22 : 1 } nft: netlink_linearize.c:655: netlink_gen_expr: Assertion `dreg < ctx->reg_low' failed. This happens because "mark set" will allocate one register (the dreg), but netlink_gen_concat_expr will populate a lot more register space if the concat expression strings a lot of expressions together. As the assert is useful pseudo-reserve the register space as per concat->len and undo after generating the expressions. Reported-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: nft.8 more spelling fixesDuncan Roe2018-03-272-27/+244
| | | | | | | | | | | | | | | | | | | | | | | | I ran the following command: ispell -p ./ispell_nft -H nft.xml to create the local dictionary ispell_nft. ispell_nft contains almost every special word in nft.xml. The idea is that anyone can run ispell the same way and only have to accept: - alpha strings in hexadecimal numbers - "FIXME" : that has to be fixed eventually - "differv" : I don't know what that is or whether it's correct You need to use the English (i.e. American) dictionary, and you want the screen to be about 100 chars wide (at least). The patch enforces consistent capitalisation of words, e.g. IPv4 is always that way but ipv4_addr stays as before. The existing dictionary suggested capital Ethernet so that is in there too. Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au> Signed-off-by: Florian Westphal <fw@strlen.de>
* remove todo listFlorian Westphal2018-03-261-25/+0
| | | | | | its outdated. Signed-off-by: Florian Westphal <fw@strlen.de>
* Export libnftables (again)Phil Sutter2018-03-215-3/+21
| | | | | | | | | | | | | | This reverts commits d572d59788143945c2a638f12a5227d9b21ce489 and 9f5e49e147219cd161de8cd80cadf8a444969ef0. Current libnftables API should be stable enough to release it into the public, and after 4aba100e593f ("rule: reset cache iff there is an existing cache") we have a simple way to batch commands through this API. Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/shell: Test flush and nat chain recreate in one goPhil Sutter2018-03-211-0/+17
| | | | | | | | This tests what kernel commit ae6153b50f9bf ("netfilter: nf_tables: permit second nat hook if colliding hook is going away") fixed for. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests/shell: Allow to specify multiple testcasesPhil Sutter2018-03-201-4/+6
| | | | | | | | | | | Extend run-tests.sh a bit so that all remaining arguments after option parsing are treated as filenames to test and complain if one doesn't seem like such. This allows for doing stuff like: | ./run-tests.sh testcases/include/000* Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/shell: Fix sporadic fail of include/0007glob_double_0Phil Sutter2018-03-202-21/+9
| | | | | | | | | | | | Since ruleset listing shows tables sorted by handle (which in turn depends on table creation ordering), using random filenames here guarantees to make the test fail randomly. Since the include files reside in a temporary directory anyway, there is no need to randomize their names so simplify the whole test a bit. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* flowtable: Make parsing a little more robustPhil Sutter2018-03-203-1/+21
| | | | | | | | | | It was surprisingly easy to crash nft with invalid syntax in 'add flowtable' command. Catch at least three possible ways (illustrated in provided test case) by making evaluation phase survive so that bison gets a chance to complain. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/shell: Fix flowtable test casesPhil Sutter2018-03-207-14/+14
| | | | | | | | | | | | | The major problem here was that existence of network interfaces 'eth0' and 'wlan0' was assumed. Overcome this by just using 'lo' instead, which exists even in newly created netns by default. Another minor issue was false naming of 0004delete_after_add0 - the expected return code is supposed to be separated by '_' from the remaining filename. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/shell: Fix dump of chains/0016delete_handle_0Phil Sutter2018-03-201-6/+0
| | | | | | | | | The purpose of this test is to delete some chains by their handle and that is supposed to succeed. So the respective dump should not contain them anymore. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Support 'nft -f -' to read from stdinPhil Sutter2018-03-2059-620/+116
| | | | | | | | | | | | | | | | | | In libnftables, detect if given filename is '-' and treat it as the common way of requesting to read from stdin, then open /dev/stdin instead. (Calling 'nft -f /dev/stdin' worked before as well, but this makes it official.) With this in place and bash's support for here strings, review all tests in tests/shell for needless use of temp files. Note that two categories of test cases were intentionally left unchanged: - Tests creating potentially large rulesets to avoid running into shell parameter length limits. - Tests for 'include' directive for obvious reasons. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: reset cache iff there is an existing cachePablo Neira Ayuso2018-03-191-1/+3
| | | | | | | | | | | | | | If genid is unset, then do not reset existing cache. In the kernel, generation ID is assumed to be always != zero. This patch fixes: nft 'add table x; add chain x y;' that allow us to send several commands in one single batch from the command line. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: nft.8 aim for consistent synopses throughout (again)Duncan Roe2018-03-191-15/+7
| | | | | | | | | Fix a few more items as per commit f9cb9580b924f6320005f429f7d59e52a38aff82 Also insert a missing space I noticed along the way Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au> Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: describe table dormant flagFlorian Westphal2018-03-171-1/+62
| | | | | | | | also mention how to quit interactive mode and provide small table add example. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Combine redir and masq statements into natPhil Sutter2018-03-176-262/+89
| | | | | | | | | | | | | | | | | | | All these statements are very similar, handling them with the same code is obvious. The only thing required here is a custom extension of enum nft_nat_types which is used in nat_stmt to distinguish between snat and dnat already. Though since enum nft_nat_types is part of kernel uAPI, create a local extended version containing the additional fields. Note that nat statement printing got a bit more complicated to get the number of spaces right for every possible combination of attributes. Note also that there wasn't a case for STMT_MASQ in rule_parse_postprocess(), which seems like a bug. Since STMT_MASQ became just a variant of STMT_NAT, postprocessing will take place for it now anyway. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: evaluate: add preliminary binop transfer support for vmapsFlorian Westphal2018-03-171-1/+12
| | | | | | | | | | | | | | | | | | | | | | | | | nftables doesn't support vmap with bit-sized headers, such as flow label or dscp: nft add rule ip filter input ip dscp vmap \{ 4 : accept, 63 : continue \} BUG: invalid binary operation 5 Unlike plain "ip dscp { 4, 63 }", we don't have a relational operation in case of vmap. Binop fixups need to be done when evaluating map statements. This patch is incomplete. 'ip dscp' works, but this won't: nft add rule --debug=netlink ip6 test-ip6 input ip6 dscp vmap { 0x04 : accept, 0x3f : continue } The generated expressions look sane, however there is disagreement on the sets key size vs. the sizes of the individual elements in the set. This is because ip6 dscp spans a byte boundary. Key set size is still set to one byte (dscp type is 6bits). However, binop expansion requirements result in 2 byte loads, i.e. set members will be 2 bytes in size as well. This can hopefully get addressed in an incremental patch. Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: handle binop adjustment recursivelyFlorian Westphal2018-03-171-21/+32
| | | | | | | | | | | | | | | currently this is fine, but a followup commit will add EXPR_SET_ELEM handling. And unlike RANGE we cannot assume the key is a value. Therefore make binop_can_transfer and binop_transfer_one handle right hand recursively if needed. For RANGE, call it again with from/to. For future SET_ELEM, we can then just call the function recursively again with right->key as new RHS. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: segtree: use value expression lengthFlorian Westphal2018-03-171-1/+1
| | | | | | | | | | In case of EXPR_MAPPING, expr->len is 0, we need to use the length of the key instead. Without this we can get assertion failure later on: nft: netlink_delinearize.c:1484: binop_adjust_one: Assertion `value->len >= binop->right->len' failed. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: netlink_delinearize: don't assume element contains a valueFlorian Westphal2018-03-171-1/+1
| | | | | | | | | | | We cannot assume i->key->key is EXPR_VALUE, we could look e.g. at a range, which will trigger an assertion failure in binop_adjust_one(). We should call __binop_adjust recursively again in the EXPR_SET_ELEM case, using key as new input. Fixes: b8b8e7b6ae10 ("evaluate: transfer right shifts to set reference side") Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add test cases for vmap binop transferFlorian Westphal2018-03-178-0/+138
| | | | | | they fail with 'BUG: invalid binary operation 5'. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add srh test casesFlorian Westphal2018-03-172-0/+86
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* src: fix routing header supportFlorian Westphal2018-03-173-25/+46
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We can't use nft_exthdr_op to encode routing header, it breaks ipv6 extension header support. When encountering RT header, userspace did now set a new ipv6 exthdr mode, but old kernel doesn't know about this, so this failed with -EOPNOTSUPP. Revert that part and use NFT_EXTHDR_OP_IPV6. When decoding a routing extension header, try the various route types until we find a match. Note this patch isn't complete: 'srh tag 127' creates following expressions: [ exthdr load 2b @ 43 + 6 => reg 1 ] [ cmp eq reg 1 0x00007f00 ] It should instead insert a dependency test ("rt type 4"): [ exthdr load 1b @ 43 + 2 => reg 1 ] [ cmp eq reg 1 0x00000004 ] [ exthdr load 2b @ 43 + 6 => reg 1 ] [ cmp eq reg 1 0x00007e00 ] nft should then use this to infer the routing header type. While add it, document the srh option. Fixes: 1400288f6d39d ("src: handle rt0 and rt2 properly") Reported-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Ahmed Abdelsalam <amsalam20@gmail.com>
* tests: update to new syntax to add/update set from packet pathPablo Neira Ayuso2018-03-169-11/+11
| | | | | Reported-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>