Add tests for tunnel statement and object support. Shell and python
tests both cover standard nft output and json.
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch extends the tunnel metadata object to define geneve tunnel
specific configurations:

    table netdev x {
        tunnel y {
            id 10
            ip saddr 192.168.2.10
            ip daddr 192.168.2.11
            sport 10
            dport 20
            ttl 10
            geneve {
                class 0x1010 opt-type 0x1 data "0x12345678"
                class 0x1020 opt-type 0x2 data "0x87654321"
                class 0x2020 opt-type 0x3 data "0x87654321abcdeffe"
            }
        }
    }

Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch extends the tunnel metadata object to define vxlan tunnel
specific configurations:

    table netdev x {
        tunnel y {
            id 10
            ip saddr 192.168.2.10
            ip daddr 192.168.2.11
            sport 10
            dport 20
            ttl 10
            vxlan {
                gbp 200
            }
        }
    }

Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch allows you to attach tunnel metadata through the tunnel
statement.

The following example shows how to redirect traffic to the erspan0
tunnel device, which will take the tunnel configuration that is
specified by the ruleset:

    table netdev x {
        tunnel y {
            id 10
            ip saddr 192.168.2.10
            ip daddr 192.168.2.11
            sport 10
            dport 20
            ttl 10
            erspan {
                version 1
                index 2
            }
        }
        chain x {
            type filter hook ingress device veth0 priority 0;
            ip daddr 10.141.10.123 tunnel name y fwd to erspan0
        }
    }

This patch also allows matching on tunnel metadata via the tunnel expression.

Joint work with Fernando.

Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch extends the tunnel metadata object to define erspan tunnel
specific configurations:

    table netdev x {
        tunnel y {
            id 10
            ip saddr 192.168.2.10
            ip daddr 192.168.2.11
            sport 10
            dport 20
            ttl 10
            erspan {
                version 1
                index 2
            }
        }
    }

Joint work with Fernando.

Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds tunnel template support, which allows attaching a
metadata template that provides the configuration for the tunnel driver.

Example of generic tunnel configuration:

    table netdev x {
        tunnel y {
            id 10
            ip saddr 192.168.2.10
            ip daddr 192.168.2.11
            sport 10
            dport 20
            ttl 10
        }
    }

This still requires the tunnel statement to attach this metadata
template; this comes in a follow-up patch.

Joint work with Fernando.

Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Same behaviour as in the original patch:
--with-unitdir auto-detects the systemd unit path.
--with-unitdir=PATH uses the PATH
no --with-unitdir means this does not install the systemd unit file.
INSTALL file description looks fine for what this does after this
patch.
While at this, extend tests/build/ to cover for this new option.
Fixes: c4b17cf830510 ("tools: add a systemd unit for static rulesets")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Make sure the files in tools/ are added to the tarball and that the
created nftables.service file is removed upon 'make clean'.
Fixes: c4b17cf830510 ("tools: add a systemd unit for static rulesets")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
A user reports that:

    nft -f ruleset.nft

fails with:

    netlink: Error: Could not process rule: No buffer space available

This was triggered by:

    table ip6 fule {
        set domestic_ip6 {
            type ipv6_addr
            flags dynamic,interval
            elements = $domestic_ip6
        }
        chain prerouting {
            type filter hook prerouting priority 0;
            ip6 daddr @domestic_ip6 counter
        }
    }

where $domestic_ip6 contains a large number of IPv6 addresses.

This set declaration is not supported currently, because dynamic sets
with intervals are not supported, so every IPv6 address that is added
triggers an error, overrunning the userspace socket buffer with lots of
NLMSG_ERROR messages (or an NLMSG_ERROR message too big to fit into the
socket buffer).

In the particular context of batch processing, ENOBUFS is just an
indication that too many errors have occurred. The kernel cannot store
any more NLMSG_ERROR messages into the userspace socket buffer.
However, there are still NLMSG_ERROR messages in the socket buffer to be
processed that can provide a hint on what is going on.

Instead of breaking on ENOBUFS in batches, continue error processing.

After this patch, the ruleset above displays:

    ruleset.nft:2367:7-18: Error: Could not process rule: Operation not supported
    set domestic_ip6 {
        ^^^^^^^^^^^^
    ruleset.nft:2367:7-18: Error: Could not process rule: No such file or directory
    set domestic_ip6 {
        ^^^^^^^^^^^^

Fixes: a72315d2bad4 ("src: add rule batching support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The allocated 'list_expr' may leak.
Fixes: cfd768615235b ("src: add conntrack information to trace monitor mode")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Missed to adjust the expected JSON output in this test suite, too.
Fixes: 5e492307c2c93 ("json: Do not reduce single-item arrays on output")
Signed-off-by: Phil Sutter <phil@nwl.cc>
See ip_route_input_slow() in net/ipv4/route.c in the Linux
kernel sources.
Signed-off-by: Łukasz Stelmach <l.stelmach@samsung.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
gcc 14.3.0 reports this:

    src/mnl.c: In function 'mnl_nft_chain_add':
    src/mnl.c:916:25: warning: 'nest' may be used uninitialized [-Wmaybe-uninitialized]
    916 | mnl_attr_nest_end(nlh, nest);

I guess it's because the compiler can't know that the conditions cannot change
in-between and assumes nest_end() can be called without nest_start().

Fixes: 01277922fede ("src: ensure chain policy evaluation when specified")
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add a testcase to cover for merging two rules into verdict map, added by
345d9260f7fe ("optimize: merge several selectors with different verdict into verdict map").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Extend tests/shell coverage to exercise merging nested sets, provided
by fixes such as:
a6b75b837f5e ("evaluate: set: Allow for set elems to be sets")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
JSON output for the fib expression changed:

    - "result": "check"
    + "result": "oif"

This breaks third party JSON parsers, revert this change for relational
expressions only via workaround until there are clear rules on how to
proceed with JSON schema updates.

As for set and map statements, keep this new "check" result type since
it is not possible to peek on rhs in such case to guess if the
NFT_FIB_F_PRESENT flag needs to be set on.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1806
Fixes: f4b646032acf ("fib: allow to check if route exists in maps")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
There is a customer request (bugreport) for wanting to trivially load a ruleset
from a well-known location on boot, forwarded to me by M. Gerstner. A systemd
service unit is hereby added to provide that functionality. This is based on
various distributions attempting to do the same, for example:

    https://src.fedoraproject.org/rpms/nftables/tree/rawhide
    https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/nftables/nftables.initd
    https://gitlab.archlinux.org/archlinux/packaging/packages/nftables

Acked-by: Eric Garver <eric@garver.life>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
chain_stmt_destroy is called from bison destructor, but it turns out
this function won't free the associated chain.

There is no memory leak when bison can parse the input because the chain
statement evaluation step queues the embedded anon chain via cmd_alloc.
Then, a later cmd_free() releases the chain and the embedded statements.

In case of a parser error, the evaluation step is never reached and the
chain object leaks, e.g. in

    foo bar jump { return }

Bison calls the right destructor but the anon chain and all
statements/expressions in it are not released:

    HEAP SUMMARY:
    in use at exit: 1,136 bytes in 4 blocks
    total heap usage: 98 allocs, 94 frees, 840,255 bytes allocated
    1,136 (568 direct, 568 indirect) bytes in 1 blocks are definitely lost in loss record 4 of 4
    at: calloc (vg_replace_malloc.c:1675)
    by: xzalloc (in libnftables.so.1.1.0)
    by: chain_alloc (in libnftables.so.1.1.0)
    by: nft_parse (in libnftables.so.1.1.0)
    by: __nft_run_cmd_from_filename (in libnftables.so.1.1.0)
    by: nft_run_cmd_from_filename (in libnftables.so.1.1.0)

To resolve this, make chain_stmt_destroy also release the embedded
chain. This in turn requires chain refcount increases whenever a chain
is associated with a chain statement, else we get double-free of the
chain.

Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Set on CHAIN_F_BASECHAIN when policy is specified in chain, otherwise
chain priority is not evaluated.

Toggling this flag requires three adjustments to work though:

1) chain_evaluate() needs to skip evaluation of hook name and priority if
   not specified to allow for updating the default chain policy, e.g.

       chain ip x y { policy accept; }

2) update netlink bytecode generation for chain to skip NFTA_CHAIN_HOOK
   so update path is exercised in the kernel.

3) error reporting needs to check if basechain priority and type is
   set on, otherwise skip further hints.

Fixes: acdfae9c3126 ("src: allow to specify the default policy for base chains")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Uncovered by the compound_expr_remove() replacement by type safe function
coming after this patch.
Add expression to the concatenation which is reachable via expr_value().
This bug is subtle, I could not spot any reproducible buggy behaviour
when using the wrong type when running the existing tests.
Fixes: 8ac2f3b2fca3 ("src: Add support for concatenated set ranges")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This is a partial revert of commit a740f2036ad0d ("json: Introduce
json_add_array_new()"), keeping the function but eliminating its primary
task which is to replace arrays of size 1 by their only item. While
support for this on input is convenient for users, it means extra casing
in JSON output parsers to cover for it. The minor reduction in output
size does not justify that.
Fixes: a740f2036ad0d ("json: Introduce json_add_array_new()")
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1806
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
There was a duplicate test, also stored JSON equivalents should match
input as much as possible. The expected deviation in output (just like
with standard syntax) is stored in the .json.output file instead.
Fixes: 2e86f45d0260a ("icmpv6: Allow matching target address in NS/NA, redirect and MLD")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
This payload actually belongs to ip/dnat.t.payload, fixed commit added
it to the wrong file.
Fixes: 8f3048954d40d ("evaluate: postpone transport protocol match check after nat expression evaluation")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Looks like these were added by accident, fixed commit did not add these
test cases.
Fixes: 8221d86e616bd ("tests: py: add test-cases for ct and packet mark payload expressions")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
The test syntax was changed, but the respective JSON equivalent remained
in place.
Fixes: 9b169bfc650eb ("src: remove STMT_NAT_F_INTERVAL flags and interval keyword")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Each was present multiple times, introduced probably by copying from a
respective .got file.
Fixes: 77def2d43466e ("netlink_delinearize: support for bitfield payload statement with binary operation")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
The test was duplicate since day 1. The duplicate JSON equivalent was
added later (semi-automated), remove it as well.
Fixes: df81baa4c2bef ("tests: py: add vxlan tests")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
The test was changed but JSON equivalents not updated. Commit
c0b685951fabb ("json: fix parse of flagcmp expression") then added an
equivalent matching the changed test, so just drop the old one.
Fixes: c3d57114f119b ("parser_bison: add shortcut syntax for matching flags without binary operations")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
The test was duplicate since day 1. The duplicate JSON equivalent was
added later (semi-automated), remove it as well.
Fixes: 39a68d9ffd25c ("tests: py: add gretap tests")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
The test was duplicate since day 1. The duplicate JSON equivalent was
added later (semi-automated), remove it as well.
Fixes: c04ef8d104ec6 ("tests: py: add gre tests")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
The test was duplicate since day 1. The duplicate JSON equivalent was
added later (semi-automated), remove it as well.
Fixes: 2b9143bc7ab81 ("tests: py: add geneve tests")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
There never was a test corresponding to this payload.
Fixes: 857904bdfaf7a ("tests: py: extend raw payload match tests")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Fixed commit left stale JSON equivalents and payload records in place,
drop them.
Fixes: ec1ea13314fa5 ("tests: remove redundant test cases")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
The expected invalid meta hour argument of 24:00 is tested already.
Fixes: a6717ae094db2 ("evaluate: Fix for 'meta hour' ranges spanning date boundaries")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
One to validate parsing, and one to test that packets match the
expected mapping.

Omits json file because of:

    internal:0:0-0: Error: Expression type payload not allowed in context (RHS, STMT).

i.e. there is more work to be done on json side to support this.

Signed-off-by: Florian Westphal <fw@strlen.de>
Now that we support non-constant RHS side in binary operations,
reject XOR with non-constant key: we cannot transfer the expression.
Fixes: 54bfc38c522b ("src: allow binop expressions with variable right-hand operands")
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
At the time the comment was written the patch wasn't yet upstream
so replace this with the right id and title.
Signed-off-by: Florian Westphal <fw@strlen.de>
Catch the error condition in callers to avoid crashes.
Fixes: c156232a530b3 ("src: add comment support when adding tables")
Signed-off-by: Phil Sutter <phil@nwl.cc>
These fail for kernels with 'CONFIG_NFT_EXTHDR_DCCP is not set', remove
the tests in anticipation of a future removal from both kernel and
nftables.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
The test would spuriously fail on RHEL9 due to the penultimate socat
call exiting 0 despite the connection being expected to fail. Florian
writes:
| It's the socat version in rhel9. With plain reject (icmp error):
|
| read(0, "AAA\n", 8192) = 4
| recvfrom(3, 0x7ffd59cf1ab0, 519, MSG_DONTWAIT, NULL, NULL) = -1
| EAGAIN (Resource temporarily unavailable)
| [..]
| write(5, "AAA\n", 4) = 4
| recvfrom(3, 0x7ffd59cf1f90, 519, MSG_DONTWAIT, NULL, NULL) = -1
| EAGAIN (Resource temporarily unavailable)
| [..]
| read(0, "", 8192) = 0
| recvfrom(3, 0x7ffd59cf1ab0, 519, MSG_DONTWAIT, NULL, NULL) = -1
| EAGAIN (Resource temporarily unavailable)
| shutdown(5, SHUT_WR) = 0
| shutdown(5, SHUT_RDWR) = 0
| recvfrom(3, 0x7ffd59cf2260, 519, MSG_DONTWAIT, NULL, NULL) = -1
| EAGAIN (Resource temporarily unavailable)
| exit_group(0)
|
| ---> indicates success, even though it did not receive any data.
[...]
| Replacing "reject" with a "reject with tcp reset" gives:
| read(0, "AAA\n", 8192) = 4
| recvfrom(3, 0x7ffcffd04220, 519, MSG_DONTWAIT, NULL, NULL) = -1
| EAGAIN (Resource temporarily unavailable)
| [..]
| write(5, "AAA\n", 4) = -1 ECONNREFUSED (Connection refused)
| recvfrom(3, 0x7ffcffd04700, 519, MSG_DONTWAIT, NULL, NULL) = -1
| EAGAIN (Resource temporarily unavailable)
| [..] = 10212
| write(2, "2025/08/06 08:34:29 socat[10212]"..., 832025/08/06
| 08:34:29 socat[10212] E write(5, 0x55a4f0652000, 4): Connection
| refused
| ) = 83
| shutdown(5, SHUT_RDWR) = -1 ENOTCONN (Transport
| endpoint is not connected)
| exit_group(1) = ?
|
| -> so failure is detected and the script passes.
While this is likely a bug in socat, working around it is simple so
let's tackle it on this side, too.
Note: The second chunk is sufficient to resolve the issue, probably
because the initial ruleset's rate limiter does not trigger during TCP
handshake. Adjust it anyway to keep things consistent.
Suggested-by: Florian Westphal <fw@strlen.de>
Fixes: 9352fa7fb0a31 ("test: shell: Add rate_limit test case for 'limit statement'.")
Cc: Yi Chen <yiche@redhat.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
so `make distcheck` works fine.
Fixes: 8e03d59b5aa4 ("src: split monitor trace code into new trace.c")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Synopsis insinuates an IP address argument is mandatory in snat/dnat
statements although specifying ports alone is perfectly fine. Adjust it
accordingly and add a paragraph briefly describing the behaviour.
While at it, update the redirect statement description with more
relevant examples, the current one is wrong: To *only* alter the
destination port, dnat statement must be used, not redirect.
Fixes: 6908a677ba04c ("nft.8: Enhance NAT documentation")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Introduction of EXPR_RANGE_SYMBOL type inadvertently disabled sanitizing
of meta hour ranges where the lower boundary has a higher value than the
upper boundary. This may happen outside of user control due to the fact
that given ranges are converted to UTC which is the kernel's native
timezone.
Perform the conditional match and op inversion with the new RHS
expression type as well after expanding it so values are comparable.
Since this replaces the whole range expression, make it replace the
relational's RHS entirely.
While at it extend testsuites to cover these corner-cases.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1805
Fixes: 347039f64509e ("src: add symbol range expression to further compact intervals")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Apply the bison parser changes in commit 347039f64509e ("src: add symbol
range expression to further compact intervals") to JSON parser as well.
Fixes: 347039f64509e ("src: add symbol range expression to further compact intervals")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Annotate and combine the 'etype' and 'symtype' checks done in bison
parser for readability and because JSON parser will start doing the same
in a follow-up patch.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
When the hook location is invalid we error out but we do leak both
the priority expression and the flowtable name. Example:

    valgrind --leak-check=full nft -f flowtable-parser-err-memleak
    [..] Error: unknown chain hook
    hook enoent priority filter + 10
         ^^^^^^
    [..]
    2 bytes in 1 blocks are definitely lost in loss record 1 of 3
    at: malloc (vg_replace_malloc.c:446)
    by: strdup (in libc.so.6)
    by: xstrdup (in libnftables.so.1.1.0)
    by: nft_lex (in libnftables.so.1.1.0)
    by: nft_parse (in libnftables.so.1.1.0)
    by: __nft_run_cmd_from_filename (in libnftables.so.1.1.0)
    by: nft_run_cmd_from_filename (in libnftables.so.1.1.0)

First two reports are due to the priority expression: this needs to call
expr_free(). Third report is due to the flowtable name, the destructor
was missing so add one.

After fix:

    All heap blocks were freed -- no leaks are possible

Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Before:

    nft: src/mnl.c:744: nft_dev_add: Assertion `ifname_len > 0' failed.

After:

    internal:0:0-0: Error: empty interface name

Bison checks this upfront, do same in json.

Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>