summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* parser_json: fix crash on insert rule to bad referencesEric Garver2019-09-101-1/+5
| | | | | | | | | | Pass the location via the handle so the error leg in erec_print_list() can reference it. Applies to invalid references to tables, chains, and indexes. Fixes: 586ad210368b ("libnftables: Implement JSON parser") Signed-off-by: Eric Garver <eric@garver.life> Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: add huge transaction from firewalldEric Garver2019-09-101-0/+10
| | | | | | | This is borrowed from one of firewalld's test cases. Signed-off-by: Eric Garver <eric@garver.life> Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: add huge JSON transactionEric Garver2019-09-101-0/+16
| | | | | | | | Expand the test case to also check for returned rule handles in the JSON output. Signed-off-by: Eric Garver <eric@garver.life> Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: verify huge transaction returns expected number of rulesEric Garver2019-09-101-2/+3
| | | | | | | | Verify that we get the expected number of rules with --echo (i.e. the reply wasn't truncated). Signed-off-by: Eric Garver <eric@garver.life> Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: use-after-free from abort pathPablo Neira Ayuso2019-09-081-0/+19
| | | | | | | Rule that fails to be added while holding a bound set triggers user-after-free from the abort path. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: flag fwd and queue statements as terminalFlorian Westphal2019-09-071-0/+2
| | | | | | | | | | | | | | | | | | Both queue and fwd statement end evaluation of a rule: in ... fwd to "eth0" accept ... queue accept "accept" is redundant and never evaluated in the kernel. Add the missing "TERMINAL" flag so the evaluation step will catch any trailing expressions: nft add rule filter input queue counter Error: Statement after terminal statement has no effect Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: evaluate: catch invalid 'meta day' values in eval stepFlorian Westphal2019-09-062-4/+17
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add meta time test casesAnder Juaristi2019-09-064-0/+559
| | | | | Signed-off-by: Ander Juaristi <a@juaristi.eus> Signed-off-by: Florian Westphal <fw@strlen.de>
* meta: Introduce new conditions 'time', 'day' and 'hour'Ander Juaristi2019-09-0613-4/+390
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | These keywords introduce new checks for a timestamp, an absolute date (which is converted to a timestamp), an hour in the day (which is converted to the number of seconds since midnight) and a day of week. When converting an ISO date (eg. 2019-06-06 17:00) to a timestamp, we need to substract it the GMT difference in seconds, that is, the value of the 'tm_gmtoff' field in the tm structure. This is because the kernel doesn't know about time zones. And hence the kernel manages different timestamps than those that are advertised in userspace when running, for instance, date +%s. The same conversion needs to be done when converting hours (e.g 17:00) to seconds since midnight as well. The result needs to be computed modulo 86400 in case GMT offset (difference in seconds from UTC) is negative. We also introduce a new command line option (-t, --seconds) to show the actual timestamps when printing the values, rather than the ISO dates, or the hour. Some usage examples: time < "2019-06-06 17:00" drop; time < "2019-06-06 17:20:20" drop; time < 12341234 drop; day "Saturday" drop; day 6 drop; hour >= 17:00 drop; hour >= "17:00:01" drop; hour >= 63000 drop; We need to convert an ISO date to a timestamp without taking into account the time zone offset, since comparison will be done in kernel space and there is no time zone information there. Overwriting TZ is portable, but will cause problems when parsing a ruleset that has 'time' and 'hour' rules. Parsing an 'hour' type must not do time zone conversion, but that will be automatically done if TZ has been overwritten to UTC. Hence, we use timegm() to parse the 'time' type, even though it's not portable. Overwriting TZ seems to be a much worse solution. Finally, be aware that timestamps are converted to nanoseconds when transferring to the kernel (as comparison is done with nanosecond precision), and back to seconds when retrieving them for printing. We swap left and right values in a range to properly handle cross-day hour ranges (e.g. 23:15-03:22). Signed-off-by: Ander Juaristi <a@juaristi.eus> Reviewed-by: Florian Westphal <fw@strlen.de>
* evaluate: New internal helper __expr_evaluate_rangeAnder Juaristi2019-09-061-4/+16
| | | | | | | | | | | | | This is used by the followup patch to evaluate a range without emitting an error when the left value is larger than the right one. This is done to handle time-matching such as 23:00-01:00 -- expr_evaluate_range() will reject this, but we want to be able to evaluate and then handle this as a request to match from 23:00 to 1am. Signed-off-by: Ander Juaristi <a@juaristi.eus> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: check that rule add with index works with echoEric Garver2019-09-062-0/+21
| | | | | Signed-off-by: Eric Garver <eric@garver.life> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache: fix --echo with index/positionEric Garver2019-09-061-4/+2
| | | | | | | | | Always call evaluate_cache_add() so it can set special flags - in this case NFT_CACHE_UPDATE. Fixes: 01e5c6f0ed03 ("src: add cache level flags") Signed-off-by: Eric Garver <eric@garver.life> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: add ibrpvid and ibrvproto supportwenxu2019-08-304-0/+43
| | | | | | | | | | | This allows you to match the bridge pvid and vlan protocol, for instance: nft add rule bridge firewall zones meta ibrvproto vlan nft add rule bridge firewall zones meta ibrpvid 100 Signed-off-by: wenxu <wenxu@ucloud.cn> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: json: add support for element deletionFlorian Westphal2019-08-296-0/+49
| | | | | | | | also add a test case. Fixes: a87f2a2227be2 ("netfilter: support for element deletion") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Phil Sutter <phil@nwl.cc>
* netfilter: support for element deletionAnder Juaristi2019-08-293-0/+3
| | | | | | | | | | | | | | | | | | | | | | | This patch implements element deletion from ruleset. Example: table ip set-test { set testset { type ipv4_addr; flags timeout; } chain outputchain { policy accept; type filter hook output priority filter; delete @testset { ip saddr } } } Signed-off-by: Ander Juaristi <a@juaristi.eus> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: secmark: fix brace indentation and missing quotes in selctx outputEric Jallot2019-08-201-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Before patch: # nft list secmarks | tee rules.nft table inet t { secmark s { system_u:object_r:ssh_server_packet_t:s0 } } # nft flush ruleset # nft -f rules.nft rules.nft:3:11-11: Error: syntax error, unexpected colon system_u:object_r:ssh_server_packet_t:s0 Colon is not allowed in strings and breaks nft -f. So move to quoted string in selctx output. After patch: # nft list secmarks | tee rules.nft table inet t { secmark s { "system_u:object_r:ssh_server_packet_t:s0" } } # nft flush ruleset # nft -f rules.nft Fixes: 3bc84e5c ("src: add support for setting secmark") Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* build: Bump version to v0.9.2v0.9.2Pablo Neira Ayuso2019-08-192-3/+4
| | | | | | | | | Update dependency on libnftnl. Missing nf_synproxy.h in Makefile.am too. Update release name based Jazz series, Fats Waller performing "Scram": https://www.youtube.com/watch?v=c9-noJc9ifI Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: libnftnl: run single-initcalls only onceFlorian Westphal2019-08-191-5/+9
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: make sure i is definedFlorian Westphal2019-08-161-0/+1
| | | | | | | | | | | The test script can die in case there are severe problems, such as rlen being 0 -- in that case i is undefined and script evaluation is aborted. Found during nft development, no existing test case shows this problem. Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: don't check asciidoc output with xmllintArturo Borrero Gonzalez2019-08-151-1/+1
| | | | | | | | | | We don't need to check asciidoc output with xmllint because the generated XML is generated by a tool, not by a human. Moreover, xmllint can cause problems because it will try to download the DTD and that is problematic in build systems with no network access. Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: json: fix constant parsing on bigendianFlorian Westphal2019-08-141-1/+1
| | | | | | | | | | | | json restore is broken on big-endian because we errounously passed uint8_t with 64 bit size indicator. On bigendian, this causes all values to get shifted by 56 bit, this will then cause the eval step to bail because all values are outside of the 8bit 0-255 protocol range. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: json: support json restore for "th" pseudoheaderFlorian Westphal2019-08-141-4/+9
| | | | | | | | | Json output could not be restored back by nft because it did not recognize the new "th" pseudoheader. Fixes: a43a696443a150f44 ("proto: add pseudo th protocol to match d/sport in generic way") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* gmputil: assert length is non-zeroPablo Neira Ayuso2019-08-143-16/+37
| | | | | | | | | | | | | Importing, exporting and byteswapping zero length data should not happen. Use macro definition so we know from where the assertion is triggered in the code for easier diagnosing in the future. When importing datatype.h from gmputil.h, it seems gcc complains on missing declarations in json.h. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: mnl: retry when we hit -ENOBUFSFlorian Westphal2019-08-141-2/+10
| | | | | | | | | | | | | | | | | | | | tests/shell/testcases/transactions/0049huge_0 still fails with ENOBUFS error after endian fix done in previous patch. Its enough to increase the scale factor (4) on s390x, but rather than continue with these "guess the proper size" game, just increase the buffer size and retry up to 3 times. This makes above test work on s390x. So, implement what Pablo suggested in the earlier commit: We could also explore increasing the buffer and retry if mnl_nft_socket_sendmsg() hits ENOBUFS if we ever hit this problem again. v2: call setsockopt unconditionally, then increase on error. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: parser: fix parsing of chain priority and policy on bigendianFlorian Westphal2019-08-141-2/+4
| | | | | | | | | | | | | | | | | | | tests/shell/testcases/flowtable/0001flowtable_0 tests/shell/testcases/nft-f/0008split_tables_0 fail the 'dump compare' on s390x. The priority (10) turns to 0, and accept turned to drop. Problem is that '$1' is a 64bit value -- then we pass the address and import 'int' -- we then get the upper all zero bits. Add a 32bit interger type and use that. v2: add uint32_t type to union, v1 used temporary value instead. Fixes: 627c451b2351 ("src: allow variables in the chain priority specification") Fixes: dba4a9b4b5fe ("src: allow variable in chain policy") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix jumps on bigendian archesFlorian Westphal2019-08-142-12/+31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | table bla { chain foo { } chain bar { jump foo } } } Fails to restore on big-endian platforms: jump.nft:5:2-9: Error: Could not process rule: No such file or directory jump foo nft passes a 0-length name to the kernel. This is because when we export the value (the string), we provide the size of the destination buffer. In earlier versions, the parser allocated the name with the same fixed size and all was fine. After the fix, the export places the name in the wrong location in the destination buffer. This makes tests/shell/testcases/chains/0001jumps_0 work on s390x. v2: convert one error check to a BUG(), it should not happen unless kernel abi is broken. Fixes: 142350f154c78 ("src: invalid read when importing chain name") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: mnl: fix setting rcvbuffer sizeFlorian Westphal2019-08-131-1/+1
| | | | | | | | | | | | | Kernel expects socklen_t (int). Using size_t causes kernel to read upper 0-bits. This caused tests/shell/testcases/transactions/0049huge_0 to fail on s390x -- it uses 'echo' mode and will quickly overrun the tiny buffer size set due to this bug. Fixes: 89c82c261bb5 ("mnl: estimate receiver buffer size") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add json test for vlan rule fixM. Braun2019-08-122-0/+62
| | | | | | | | | | | | | | | This fixes ERROR: did not find JSON equivalent for rule 'ether type vlan ip protocol 1 accept' when running ./nft-test.py -j bridge/vlan.t Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Michael Braun <michael-dev@fami-braun.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: refresh nf_tables.h cached copyPablo Neira Ayuso2019-08-092-6/+17
| | | | | | | | | Refresh it to fetch what we have in 5.3-rc1. Remove NFT_OSF_F_VERSION definition, this is already available in include/linux/netfilter/nf_tables.h Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: move chain priority and policy to chain folderPablo Neira Ayuso2019-08-098-0/+0
| | | | | | Move new chain tests for variable priority and policy to chain folder. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow variable in chain policyFernando Fernandez Mancera2019-08-0816-18/+194
| | | | | | | | | | | | This patch allows you to use variables in chain policy definition, e.g. define default_policy = "accept" add table ip foo add chain ip foo bar {type filter hook input priority filter; policy $default_policy} Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow variables in the chain priority specificationFernando Fernandez Mancera2019-08-0816-46/+250
| | | | | | | | | | | | | | | | | This patch allows you to use variables in chain priority definitions, e.g. define prio = filter define prionum = 10 define prioffset = "filter - 150" add table ip foo add chain ip foo bar { type filter hook input priority $prio; } add chain ip foo ber { type filter hook input priority $prionum; } add chain ip foo bor { type filter hook input priority $prioffset; } Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove global symbol_tablePablo Neira Ayuso2019-08-0810-79/+56
| | | | | | | | | Store symbol tables in context object instead. Use the nft_ctx object to store the dynamic symbol table. Pass it on to the parse_ctx object so this can be accessed from the parse routines. This dynamic symbol table is also accesible from the output_ctx object for print routines. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add parse_ctx objectPablo Neira Ayuso2019-08-087-31/+68
| | | | | | | | This object stores the dynamic symbol tables that are loaded from files. Pass this object to datatype parse functions, although this new parameter is not used yet, this is just a preparation patch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache: incorrect flush flag for table/chainLaura Garcia Liebana2019-07-313-1/+32
| | | | | | | | | | | | | | | | | | | After the new cache system, nft raises a table error flushing a chain in a transaction. # nft "flush chain ip nftlb filter-newfarm ; \ add rule ip nftlb filter-newfarm update \ @persist-newfarm { ip saddr : ct mark } ; \ flush chain ip nftlb nat-newfarm" Error: No such file or directory flush chain ip nftlb filter-newfarm ; add rule ip nftlb (...) ^^^^^ This patch sets the cache flag properly to save this case. Fixes: 01e5c6f0ed031 ("src: add cache level flags") Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Fix dumping vlan rulesM. Braun2019-07-314-0/+36
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Given the following bridge rules: 1. ip protocol icmp accept 2. ether type vlan vlan type ip ip protocol icmp accept The are currently both dumped by "nft list ruleset" as 1. ip protocol icmp accept 2. ip protocol icmp accept Though, the netlink code actually is different bridge filter FORWARD 4 [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 9 => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ immediate reg 0 accept ] bridge filter FORWARD 5 4 [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 16 => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 9 => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ immediate reg 0 accept ] What happens here is that: 1. vlan type ip kills ether type vlan 2. ip protocol icmp kills vlan type ip Fix this by avoiding the removal of all vlan statements in the given example. Signed-off-by: Michael Braun <michael-dev@fami-braun.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Call bison with -Wno-yacc to silence warningsPhil Sutter2019-07-301-1/+1
| | | | | | | | | | Bison-3.3 significantly increased warnings for POSIX incompatibilities, it now complains about missing support for %name-prefix, %define, %destructor and string literals. The latter applies to parameter of %name-prefix and all relevant %token statements. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: Fix for deprecated statementsPhil Sutter2019-07-301-2/+2
| | | | | | | | | | | | | | | | | | | | | Bison-3.3 started to warn about: /home/n0-1/git/nftables/src/parser_bison.y:117.1-19: warning: deprecated directive, use ‘%define api.prefix {nft_}’ [-Wdeprecated] 117 | %name-prefix "nft_" | ^~~~~~~~~~~~~~~~~~~ /home/n0-1/git/nftables/src/parser_bison.y:119.1-12: warning: deprecated directive, use ‘%define api.pure’ [-Wdeprecated] 119 | %pure-parser | ^~~~~~~~~~~~ /home/n0-1/git/nftables/src/parser_bison.y:124.1-14: warning: deprecated directive, use ‘%define parse.error verbose’ [-Wdeprecated] 124 | %error-verbose | ^~~~~~~~~~~~~~ Replace the last two as suggested but leave the first one in place as that causes compilation errors in scanner.l - flex seems not to pick up the changed internal symbol names. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: don't rely on fseek for input stream repositioningFlorian Westphal2019-07-301-15/+20
| | | | | | | | | | It doesn't work when reading from a pipe, leading to parser errors in case of 'cat foo | nft -f -', whereas 'nft -f < foo' works fine. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1354 Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: fib: explain example in more detailFlorian Westphal2019-07-251-0/+6
| | | | | | | | | As noted by Felix Dreissig, fib documentation is quite terse, so explain the 'saddr . iif' example with a few more words. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1220 Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Sync comments with current expr definitionBrett Mastbergen2019-07-231-2/+2
| | | | | | | ops has been removed, and etype has been added Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: check for table re-definition usecaseFlorian Westphal2019-07-231-0/+15
| | | | | | | | | | | | | | | | | | | | Make sure nft behaves like 0.9.0 -- the ruleset flush ruleset table inet filter { } table inet filter { chain test { counter } } loads again without crashing/generating an error message. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1351 Fixes: e5382c0d08e3c ("src: Support intra-transaction rule references") Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache: add NFT_CACHE_UPDATE and NFT_CACHE_FLUSHED flagsPablo Neira Ayuso2019-07-235-25/+25
| | | | | | | | | | | | | | | | | | | NFT_CACHE_FLUSHED tells cache_update() to skip the netlink dump to populate the cache, since the existing ruleset is going to flushed by this batch. NFT_CACHE_UPDATE tells rule_evaluate() to perform incremental updates to the cache based on the existing batch, this is required by the rule commands that use the index and the position selectors. This patch removes cache_flush() which is not required anymore. This cache removal is coming too late, in the evaluation phase, after the initial cache_update() invocation. Be careful with NFT_CACHE_UPDATE, this flag needs to be left in place if NFT_CACHE_FLUSHED is set on. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: removed duplicate member initializer.Jeremy Sowden2019-07-221-1/+0
| | | | | | | | | | Initialization of a netlink_ctx included two initializers for .nft. Removed one of them. Fixes: 2dc07bcd7eaa ("src: pass struct nft_ctx through struct netlink_ctx") Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: get rid of repeated initialization of netlink_ctxJeremy Sowden2019-07-221-13/+10
| | | | | | | | | | | | Most members in the context don't change, so there is no need to memset it and reassign them on every iteration. Moved that code out of the loop. Fixes: a72315d2bad4 ("src: add rule batching support") Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: osf: fix snprintf -Wformat-truncation warningFernando Fernandez Mancera2019-07-221-9/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fedora 30 uses very recent gcc (version 9.1.1 20190503 (Red Hat 9.1.1-1)), osf produces following warnings: -Wformat-truncation warning have been introduced in the version 7.1 of gcc. Also, remove a unneeded address check of "tmp + 1" in nf_osf_strchr(). nfnl_osf.c: In function ‘nfnl_osf_load_fingerprints’: nfnl_osf.c:292:39: warning: ‘%s’ directive output may be truncated writing up to 1023 bytes into a region of size 128 [-Wformat-truncation=] 292 | cnt = snprintf(obuf, sizeof(obuf), "%s,", pbeg); | ^~ nfnl_osf.c:292:9: note: ‘snprintf’ output between 2 and 1025 bytes into a destination of size 128 292 | cnt = snprintf(obuf, sizeof(obuf), "%s,", pbeg); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ nfnl_osf.c:302:46: warning: ‘%s’ directive output may be truncated writing up to 1023 bytes into a region of size 32 [-Wformat-truncation=] 302 | cnt = snprintf(f.genre, sizeof(f.genre), "%s", pbeg); | ^~ nfnl_osf.c:302:10: note: ‘snprintf’ output between 1 and 1024 bytes into a destination of size 32 302 | cnt = snprintf(f.genre, sizeof(f.genre), "%s", pbeg); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ nfnl_osf.c:309:49: warning: ‘%s’ directive output may be truncated writing up to 1023 bytes into a region of size 32 [-Wformat-truncation=] 309 | cnt = snprintf(f.version, sizeof(f.version), "%s", pbeg); | ^~ nfnl_osf.c:309:9: note: ‘snprintf’ output between 1 and 1024 bytes into a destination of size 32 309 | cnt = snprintf(f.version, sizeof(f.version), "%s", pbeg); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ nfnl_osf.c:317:47: warning: ‘%s’ directive output may be truncated writing up to 1023 bytes into a region of size 32 [-Wformat-truncation=] 317 | snprintf(f.subtype, sizeof(f.subtype), "%s", pbeg); | ^~ nfnl_osf.c:317:7: note: ‘snprintf’ output between 1 and 1024 bytes into a destination of size 32 317 | snprintf(f.subtype, sizeof(f.subtype), "%s", pbeg); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Reported-by: Florian Westphal <fw@strlen.de> Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: missing location for chain nested in table definitionPablo Neira Ayuso2019-07-221-0/+1
| | | | | | error reporting may crash because location is unset. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: evaluate: support prefix expression in statementsFlorian Westphal2019-07-224-0/+89
| | | | | | | | | | | | | | | | | | | | | | | | Currently nft dumps core when it encounters a prefix expression as part of a statement, e.g. iifname ens3 snat to 10.0.0.0/28 yields: BUG: unknown expression type prefix nft: netlink_linearize.c:688: netlink_gen_expr: Assertion `0' failed. This assertion is correct -- we can't linearize a prefix because kernel doesn't know what that is. For LHS prefixes, they get converted to a binary 'and' such as '10.0.0.0 & 255.255.255.240'. For RHS, we can do something similar and convert them into a range. snat to 10.0.0.0/28 will be converted into: iifname "ens3" snat to 10.0.0.0-10.0.0.15 Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1187 Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: fib: explain example in more detailFlorian Westphal2019-07-221-0/+6
| | | | | | | | As noted by Felix Dreissig, fib documentation is quite terse, so explain the 'saddr . iif' example with a few more words. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1220 Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: bogus error when refering to existing non-base chainPablo Neira Ayuso2019-07-181-6/+3
| | | | | | | | add rule ip testNEW test6 jump test8 ^^^^^ Error: invalid verdict chain expression value Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>