summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* segtree: memleaks in interval_map_decompose()HEADmasterPablo Neira Ayuso4 days1-3/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | mpz_init_bitmask() overrides the existing memory area: ==19179== 8 bytes in 1 blocks are definitely lost in loss record 1 of 1 ==19179== at 0x483577F: malloc (vg_replace_malloc.c:299) ==19179== by 0x489C718: xmalloc (utils.c:36) ==19179== by 0x4B825C5: __gmpz_init2 (in /usr/lib/x86_64-linux-g nu/libgmp.so.10.3.2) f ==19179== by 0x4880239: constant_expr_alloc (expression.c:400) ==19179== by 0x489B8A1: interval_map_decompose (segtree.c:1098) ==19179== by 0x489017D: netlink_list_setelems (netlink.c:1220) ==19179== by 0x48779AC: cache_init_objects (rule.c:170) 5 ==19179== by 0x48779AC: cache_init (rule.c:228) ==19179== by 0x48779AC: cache_update (rule.c:279) ==19179== by 0x48A21AE: nft_evaluate (libnftables.c:406) left-hand side of the interval is leaked when building the range: ==25835== 368 (128 direct, 240 indirect) bytes in 1 blocks are definitely lost in loss record 5 of 5 ==25835== at 0x483577F: malloc (vg_replace_malloc.c:299) ==25835== by 0x489B628: xmalloc (utils.c:36) ==25835== by 0x489B6F8: xzalloc (utils.c:65) ==25835== by 0x487E176: expr_alloc (expression.c:45) ==25835== by 0x487F960: mapping_expr_alloc (expression.c:1149) ==25835== by 0x488EC84: netlink_delinearize_setelem (netlink.c:1166) ==25835== by 0x4DC6928: nftnl_set_elem_foreach (set_elem.c:725) ==25835== by 0x488F0D5: netlink_list_setelems (netlink.c:1215) ==25835== by 0x487695C: cache_init_objects (rule.c:170) ==25835== by 0x487695C: cache_init (rule.c:228) ==25835== by 0x487695C: cache_update (rule.c:279) ==25835== by 0x48A10BE: nft_evaluate (libnftables.c:406) ==25835== by 0x48A19B6: nft_run_cmd_from_buffer (libnftables.c:451) ==25835== by 0x10A8E1: main (main.c:487) Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: 0044interval_overlap_0: Repeat insertion tests with timeoutStefano Brivio5 days1-19/+117
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Mike Dillinger reported issues with insertion of entries into sets supporting intervals that were denied because of false conflicts with elements that were already expired. Partial failures would occur to, leading to the generation of new intervals the user didn't specify, as only the opening or the closing elements wouldn't be inserted. The reproducer provided by Mike looks like this: #!/bin/bash nft list set ip filter blacklist4-ip-1m for ((i=1;i<=10;i++)); do nft add element filter blacklist4-ip-1m {$i.$i.$i.$i} sleep 1 done nft list set ip filter blacklist4-ip-1m which, run in a loop at different intervals, show the different kind of failures. Extend the existing test case for overlapping and non-overlapping intervals to systematically cover sets with a configured timeout. As reported by Pablo, the test would fail if we keep a one-second timeout if it runs on a "slow" kernel (e.g. with KASan), using the libtool wrapper in src/nft as $NFT, because we can't issue 218 commands within one second. To avoid that, introduce an adaptive timeout based on how many times we can list a single entry with a fixed one-second timeout. On a single 2.9GHz AMD Epyc 7351 thread: test run nft commands/s timeout - src/nft libtool wrapper, KASan: 68.4s 10 32s - nft binary, KASan: 5.1s 168 2s - src/nft libtool wrapper, w/o KASan: 18.3s 37 8s - nft binary, w/o KASan: 2.4s 719 1s While at it, fix expectation for insertion of '15-20 . 50-60' (it's expected to succeed, given the list), and the reason why I didn't notice: a simple command preceded by ! won't actually result in the shell exiting, even if it fails. Add some clearer failure reports too. v2: - adjust set timeouts to nft commands/s - fix checks on expected outcome of insertions and reports Reported-by: Mike Dillinger <miked@softtalker.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: 0043concatenated_ranges_0: Fix checks for add/delete failuresStefano Brivio5 days1-18/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | The test won't stop if we simply precede commands expected to fail by !. POSIX.1-2017 says: -e When this option is on, if a simple command fails for any of the reasons listed in Consequences of Shell Errors or returns an exit status value >0, and is not part of the compound list following a while, until or if keyword, and is not a part of an AND or OR list, and is not a pipeline preceded by the "!" reserved word, then the shell will immediately exit. ...but I didn't care about the last part. Replace those '! nft ...' commands by 'nft ... && exit 1' to actually detect failures. As a result, I didn't notice that now, correctly, inserting elements into a set that contains the same exact element doesn't actually fail, because nft doesn't pass NLM_F_EXCL on a simple 'add'. Drop re-insertions from the checks we perform here, overlapping elements are already covered by other tests. Fixes: 618393c6b3f2 ("tests: Introduce test for set with concatenated ranges") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix obj list output when reset commandJose M. Guisado Gomez6 days1-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch enables json output when doing a reset command. Previously do_list_obj was called at the end of do_command_reset to list the named object affected by the reset, this function is for nft output only. Listing affected objects using do_command_list ensures output flags will be honored. Eg: For a ruleset like table inet x { counter user123 { packets 12 bytes 1433 } counter user321 { packets 0 bytes 0 } quota user123 { over 2000 bytes } quota user124 { over 2000 bytes } set y { type ipv4_addr } ... } { "nftables": [ { "metainfo": { "json_schema_version": 1, "release_name": "Capital Idea #2", "version": "0.9.6" } }, { "counter": { "bytes": 0, "family": "inet", "handle": 3, "name": "user321", "packets": 0, "table": "x" } }, { "counter": { "bytes": 1433, "family": "inet", "handle": 2, "name": "user123", "packets": 12, "table": "x" } } ] } Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1336 Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: disregard ct address matching without familyPablo Neira Ayuso9 days1-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | The following rule: # nft add rule ip x y ct original daddr @servers breaks with: # nft list ruleset nft: netlink_delinearize.c:124: netlink_parse_concat_expr: Assertion `consumed > 0' failed. Aborted Bail out if this syntax is used, instead users should rely on: # nft add rule ip x y ct original ip daddr @servers ~~ which uses NFT_CT_{SRC,DST}_{IP,IP6} in the bytecode generation. This issue is described in 7f742d0a9071 ("ct: support for NFT_CT_{SRC,DST}_{IP,IP6}"). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: transform binary operation to prefix only with valuesPablo Neira Ayuso11 days1-1/+1
| | | | | | | | | | | | | | | The following rule: nft add rule inet filter input ip6 saddr and ffff:ffff:ffff:ffff:: @allowable counter when listing the ruleset becomes: ip6 saddr @allowable/64 counter packets 3 bytes 212 This transformation is unparseable, allow prefix transformation only for values. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: UAF in hook priority expressionPablo Neira Ayuso11 days1-1/+1
| | | | | | | | Release priority expression right before assigning the constant expression that results from the evaluation. Fixes: 627c451b2351 ("src: allow variables in the chain priority specification") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: memleak in invalid default policy definitionPablo Neira Ayuso11 days1-1/+3
| | | | | | | Release the clone expression from the exit path. Fixes: 5173151863d3 ("evaluate: replace variable expression by the value expression") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: memleak symbol redefinitionPablo Neira Ayuso11 days1-0/+1
| | | | | | Missing expr_free() from the error path. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: remove table from cache on delete tablePablo Neira Ayuso11 days3-0/+37
| | | | | | | | | | | | | | | | | | | | | The following ruleset crashes nft if loaded twice, via nft -ef: add table inet filter delete table inet filter table inet filter { chain input { type filter hook input priority filter; policy drop; iifname { "eth0" } counter accept } } If the table contains anonymous sets, such as __set0, then delete + add table might result in nft reusing the existing stale __set0 in the cache. The problem is that nft gets confused and it reuses the existing stale __set0 instead of the new anonymous set __set0 with the same name. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove cache lookups after the evaluation phasePablo Neira Ayuso11 days7-46/+40
| | | | | | | | | | | | This patch adds a new field to the cmd structure for elements to store a reference to the set. This saves an extra lookup in the netlink bytecode generation step. This patch also allows to incrementally update during the evaluation phase according to the command actions, which is required by the follow up ("evaluate: remove table from cache on delete table") bugfix patch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: flush set cache from the evaluation phasePablo Neira Ayuso11 days2-16/+15
| | | | | | | | This patch reworks 40ef308e19b6 ("rule: flush set cache before flush command"). This patch flushes the set cache earlier, from the command evaluation step. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: rearrange help output to group related options togetherArturo Borrero Gonzalez11 days2-91/+139
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It has been reported that nft options are a bit chaotic. With a growing list of options for the nft CLI, we can do better when presenting them to the user who requests help. This patch introduces a textual output grouping for options, in 4 groups: * Options (general) -- common Unix utility options * Options (operative) -- the options that modify the operative behaviour of nft * Options (translation) -- output text modifiers for data translation * Options (parsing) -- output text modifiers for parsing and other operations There is no behavior change in this patch, is mostly a cosmetic change in the hope that users will find the nft tool a bit less confusing to use. After this patch, the help output is: === 8< === % nft --help Usage: nft [ options ] [ cmds... ] Options (general): -h, help Show this help -v, version Show version information -V Show extended version information Options (ruleset input handling): -f, file <filename> Read input from <filename> -i, interactive Read input from interactive CLI -I, includepath <directory> Add <directory> to the paths searched for include files. Defaul[..] -c, check Check commands validity without actually applying the changes. Options (ruleset list formatting): -a, handle Output rule handle. -s, stateless Omit stateful information of ruleset. -t, terse Omit contents of sets. -S, service Translate ports to service names as described in /etc/services. -N, reversedns Translate IP addresses to names. -u, guid Print UID/GID as defined in /etc/passwd and /etc/group. -n, numeric Print fully numerical output. -y, numeric-priority Print chain priority numerically. -p, numeric-protocol Print layer 4 protocols numerically. -T, numeric-time Print time values numerically. Options (command output format): -e, echo Echo what has been added, inserted or replaced. -j, json Format output in JSON -d, debug <level [,level...]> Specify debugging level (scanner, parser, eval, netlink, mnl, p[..] === 8< === While at it, refresh the man page to better reflex this new grouping, and add some missing options. Joint work with Pablo. Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: Expect refcount increment by json_array_extend()Phil Sutter11 days1-2/+4
| | | | | | | | | | | This function is apparently not "joining" two arrays but rather copying all items from the second array to the first, leaving the original reference in place. Therefore it naturally increments refcounts, which means if used to join two arrays caller must explicitly decrement the second array's refcount. Fixes: e70354f53e9f6 ("libnftables: Implement JSON output support") Signed-off-by: Phil Sutter <phil@nwl.cc>
* evaluate: bail out with concatenations and singleton valuesPablo Neira Ayuso2020-07-241-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | The rule: # nft add rule x y iifname . oifname p . q is equivalent to: # nft add rule x y iifname p oifname q Bail out with: Error: Use concatenations with sets and maps, not singleton values add rule x y iifname . oifname p . q ^^^^^^^^^^^^^^^^^ ~~~~~ instead of: BUG: invalid expression type concat nft: evaluate.c:1916: expr_evaluate_relational: Assertion `0' failed. Aborted Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: extend 0043concatenated_ranges_0 to cover maps tooFlorian Westphal2020-07-231-28/+50
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* netlink: fix concat range expansion in map caseFlorian Westphal2020-07-231-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Maps with range + concatenation do not work: Input to nft -f: map map_test_concat_interval { type ipv4_addr . ipv4_addr : mark flags interval elements = { 192.168.0.0/24 . 192.168.0.0/24 : 1, 192.168.0.0/24 . 10.0.0.1 : 2, 192.168.1.0/24 . 10.0.0.1 : 3, 192.168.0.0/24 . 192.168.1.10 : 4, } } nft list: map map_test_concat_interval { type ipv4_addr . ipv4_addr : mark flags interval elements = { 192.168.0.0 . 192.168.0.0-10.0.0.1 : 0x00000002, 192.168.1.0-192.168.0.0 . 10.0.0.1-192.168.1.10 : 0x00000004 } } This is not a display bug, nft sends broken information to kernel. Use the correct key expression to fix this. Fixes: 8ac2f3b2fca3 ("src: Add support for concatenated set ranges") Signed-off-by: Florian Westphal <fw@strlen.de> Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
* src: allow for negative value in variable definitionsPablo Neira Ayuso2020-07-223-1/+32
| | | | | | Extend test to cover for negative value in chain priority definition. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: replace variable expression by the value expressionPablo Neira Ayuso2020-07-221-1/+4
| | | | | | | | The variable expression provides the binding between the variable dereference and the value expression. Replace the variable expression by the real value expression after the evaluation. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: permit get element on mapsFlorian Westphal2020-07-221-12/+0
| | | | | | | | | | | | | | | | | | | | | | Its possible to add an element to a map, but you can't read it back: before: nft add element inet filter test "{ 18.51.100.17 . ad:c1:ac:c0:ce:c0 . 3761 : 0x42 }" nft get element inet filter test "{ 18.51.100.17 . ad:c1:ac:c0:ce:c0 . 3761 : 0x42 }" Error: No such file or directory; did you mean map ‘test’ in table inet ‘filter’? get element inet filter test { 18.51.100.17 . ad:c1:ac:c0:ce:c0 . 3761 : 0x42 } ^^^^ after: nft get element inet filter test "{ 18.51.100.17 . ad:c1:ac:c0:ce:c0 . 3761 : 0x42 }" table inet filter { map test { type ipv4_addr . ether_addr . inet_service : mark flags interval,timeout elements = { 18.51.100.17 . ad:c1:ac:c0:ce:c0 . 3761 : 0x00000042 } } } Signed-off-by: Florian Westphal <fw@strlen.de>
* rule: missing map command expansionPablo Neira Ayuso2020-07-211-0/+1
| | | | | | | Maps also need to be split in two commands for proper error reporting. Fixes: c9eae091983a ("src: add CMD_OBJ_SETELEMS") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: flush set cache before flush commandPablo Neira Ayuso2020-07-213-0/+40
| | | | | | Flush the set cache before adding the flush command to the netlink batch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: remove check for reject from preroutingPablo Neira Ayuso2020-07-211-11/+0
| | | | | | | | | | | | It reports a failure with the following kernel patch: commit f53b9b0bdc59c0823679f2e3214e0d538f5951b9 Author: Laura Garcia Liebana <nevola@gmail.com> Date: Sun May 31 22:26:23 2020 +0200 netfilter: introduce support for reject at prerouting stage Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: use evaluate_expr_variable() for chain policy evaluationPablo Neira Ayuso2020-07-211-20/+3
| | | | | | evaluate_policy() is very similar to evaluate_expr_variable(), replace it. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow to use variables in flowtable and chain devicesPablo Neira Ayuso2020-07-216-0/+180
| | | | | | | | | | | | | | | This patch adds support for using variables for devices in the chain and flowtable definitions, eg. define if_main = lo table netdev filter1 { chain Main_Ingress1 { type filter hook ingress device $if_main priority -500; policy accept; } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: chmod 755 testcases/chains/0030create_0Pablo Neira Ayuso2020-07-211-0/+0
| | | | | | Update permissions in this test script. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: extend existing dormat test case to catch a kernel bugFlorian Westphal2020-07-182-0/+5
| | | | | | | This is a test case for the kernel bug fixed by: netfilter: nf_tables: fix nat hook table deletion Signed-off-by: Florian Westphal <fw@strlen.de>
* monitor: print "dormant" flag in monitor modeFlorian Westphal2020-07-181-0/+4
| | | | | | | This distinction is important: a table with this flag is inert -- all base chains are unregistered and see no traffic. Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: UAF in stmt_evaluate_log_prefix()Pablo Neira Ayuso2020-07-151-5/+4
| | | | | | | | Release existing list expression including variables after creating the prefix string. Fixes: 96c909ef46f0 ("src: allow for variables in the log prefix string") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: memleak in log prefix stringPablo Neira Ayuso2020-07-151-0/+1
| | | | | | | Release the string after creating the constant expression. Fixes: 96c909ef46f0 ("src: allow for variables in the log prefix string") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for implicit chain bindingsPablo Neira Ayuso2020-07-1516-34/+324
| | | | | | | | | | | | | | | | | | | | | | | | | | | This patch allows you to group rules in a subchain, e.g. table inet x { chain y { type filter hook input priority 0; tcp dport 22 jump { ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept ip6 saddr ::1/128 accept; } } } This also supports for the `goto' chain verdict. This patch adds a new chain binding list to avoid a chain list lookup from the delinearize path for the usual chains. This can be simplified later on with a single hashtable per table for all chains. From the shell, you have to use the explicit separator ';', in bash you have to escape this: # nft add rule inet x y tcp dport 80 jump { ip saddr 127.0.0.1 accept\; ip6 saddr ::1 accept \; } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: convert chain name from gmp value to stringPablo Neira Ayuso2020-07-152-8/+15
| | | | | | | Add expr_chain_export() helper function to convert the chain name that is stored in a gmp value variable to string. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow for variables in the log prefix stringPablo Neira Ayuso2020-07-084-5/+187
| | | | | | | | | | | | | | | | | | | For example: define test = "state" define foo = "match" table x { chain y { ct state invalid log prefix "invalid $test $foo:" } } This patch scans for variables in the log prefix string. The log prefix expression is a list of constant and variable expression that are converted into a constant expression from the evaluation phase. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use expression to store the log prefixPablo Neira Ayuso2020-07-0810-12/+48
| | | | | | Intsead of using an array of char. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: zap element statement when decomposing intervalPablo Neira Ayuso2020-07-063-0/+48
| | | | | | | | Otherwise, interval sets do not display element statement such as counters. Fixes: 6d80e0f15492 ("src: support for counter in set definition") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Allow for empty set variable definitionPablo Neira Ayuso2020-07-045-0/+43
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Allow for empty set definition in variables if they are merged to non-empty set definition: define BASE_ALLOWED_INCOMING_TCP_PORTS = {22, 80, 443} define EXTRA_ALLOWED_INCOMING_TCP_PORTS = {} table inet filter { chain input { type filter hook input priority 0; policy drop; tcp dport {$BASE_ALLOWED_INCOMING_TCP_PORTS, $EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept } } However, disallow this: define EXTRA_ALLOWED_INCOMING_TCP_PORTS = {} table inet filter { chain input { type filter hook input priority 0; policy drop; tcp dport {$EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept } } # nft -f x.nft /tmp/x.nft:6:18-52: Error: Set is empty tcp dport {$EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: revisit meta/rt primary expressions and ct statementFlorian Westphal2020-06-252-4/+12
| | | | | | | Clarify meta/rt ipsec examples and document that 'ct helper set' needs to be used *after* conntrack lookup. Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: Document notrack statementPhil Sutter2020-06-221-0/+14
| | | | | | | | Merely a stub, but better to mention it explicitly instead of having it appear in synproxy examples and letting users guess as to what it does. Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Florian Westphal <fw@strlen.de>
* tests: shell: Allow wrappers to be passed as nft commandStefano Brivio2020-06-151-4/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | The current check on $NFT only allows to directly pass an executable, so I've been commenting it out locally for a while to run tests with valgrind. Instead of using the -x test, run nft without arguments and check the exit status. POSIX.1-2017, Shell and Utilities volume, par. 2.8.2 ("Exit Status for Commands") states: If a command is not found, the exit status shall be 127. If the command name is found, but it is not an executable utility, the exit status shall be 126. Applications that invoke utilities without using the shell should use these exit status values to report similar errors. While this script isn't POSIX-compliant, it requires bash, and any modern version of bash complies with those exit status requirements. Also valgrind complies with this. We need to quote the NFT variable passed to execute the commands in the main loop and adjust error and informational messages, too. This way, for example, export NFT="valgrind nft" can be issued to run tests with valgrind. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Run in separate network namespace, don't break connectivityStefano Brivio2020-06-152-0/+15
| | | | | | | | | | | | | It might be convenient to run tests from a development branch that resides on another host, and if we break connectivity on the test host as tests are executed, we can't run them this way. If kernel implementation (CONFIG_NET_NS), unshare(1), or Python bindings for unshare() are not available, warn and continue. Suggested-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: Bump version to v0.9.6v0.9.6Pablo Neira Ayuso2020-06-151-2/+2
| | | | | | | | | | v0.9.5 broke 'vmap' support: https://bugzilla.kernel.org/show_bug.cgi?id=208093 Release new version to fix this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: rename testcases/map/dump/0009vmap_0dump.nftPablo Neira Ayuso2020-06-141-1/+1
| | | | | | | Missing .nft extension in dump file. Fixes: 54eb1e16cc47 ("evaluate: missing datatype definition in implicit_set_declaration()") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: fix build with gcc <= 4.8Fabrice Fontaine2020-06-081-1/+3
| | | | | | | | | | | | | | | Since commit 719e44277f8e89323a87219b4d4bc7abac05b051, build with gcc <= 4.8 fails on: main.c:186:2: error: 'for' loop initial declarations are only allowed in C99 mode for (size_t i = IDX_INTERACTIVE + 1; i < NR_NFT_OPTIONS; ++i) ^ Fixes: - http://autobuild.buildroot.org/results/cf2359b8311fe91f9335c91f2bb4a730c9f4c9dc Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cmd: add misspelling suggestions for rule commandsPablo Neira Ayuso2020-06-081-0/+38
| | | | | | | | | # nft add rule foo ber counter Error: No such file or directory; did you mean chain ‘bar’ in table ip ‘foo’? add rule foo ber counter ^^^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: fix asan runtime error in tc handlePablo Neira Ayuso2020-06-081-1/+1
| | | | | | | | | | ASAN reports: meta.c:92:17: runtime error: left shift of 34661 by 16 places cannot be represented in type 'int' use 32-bit integer as tmp variable. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: fix asan runtime errorPablo Neira Ayuso2020-06-081-2/+2
| | | | | | | | | | ASAN reports: segtree.c:387:30: runtime error: variable length array bound evaluates to non-positive value 0 Update array definition to be the set size plus 1. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: release dummy rule object from netlink_parse_set_expr()Pablo Neira Ayuso2020-06-083-1/+38
| | | | | | | | | | | | | | | | | | | | | netlink_parse_set_expr() creates a dummy rule object to reuse the existing netlink parser. Release the rule object to fix a memleak. Zap the statement list to avoid a use-after-free since the statement needs to remain in place after releasing the rule. ==21601==ERROR: LeakSanitizer: detected memory leaks Direct leak of 2016 byte(s) in 4 object(s) allocated from: #0 0x7f7824b26330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330) #1 0x7f78245fcebd in xmalloc /home/pablo/devel/scm/git-netfilter/nftables/src/utils.c:36 #2 0x7f78245fd016 in xzalloc /home/pablo/devel/scm/git-netfilter/nftables/src/utils.c:65 #3 0x7f782456f0b5 in rule_alloc /home/pablo/devel/scm/git-netfilter/nftables/src/rule.c:623 Add a test to check for set counters. SUMMARY: AddressSanitizer: 2016 byte(s) leaked in 4 allocation(s). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: remove superfluous check in set_evaluate()Pablo Neira Ayuso2020-06-071-5/+0
| | | | | | If set_is_objmap() is true, then set->data is always NULL. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: missing datatype definition in implicit_set_declaration()Pablo Neira Ayuso2020-06-073-10/+44
| | | | | | | | | | | | | | | | | | | | | | set->data from implicit_set_declaration(), otherwise, set_evaluation() bails out with: # nft -f /etc/nftables/inet-filter.nft /etc/nftables/inet-filter.nft:8:32-54: Error: map definition does not specify mapping data type tcp dport vmap { 22 : jump ssh_input } ^^^^^^^^^^^^^^^^^^^^^^^ /etc/nftables/inet-filter.nft:13:26-52: Error: map definition does not specify mapping data type iif vmap { "eth0" : jump wan_input } ^^^^^^^^^^^^^^^^^^^^^^^^^^^ Add a test to cover this case. Fixes: 7aa08d45031e ("evaluate: Perform set evaluation on implicitly declared (anonymous) sets") Closes: https://bugzilla.kernel.org/show_bug.cgi?id=208093 Reviewed-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: Bump version to v0.9.5v0.9.5Pablo Neira Ayuso2020-06-061-4/+4
| | | | | | | | Update release name based on Jazz series, Gene Krupa's "Capital Idea". Bump dependencies on libmnl and libnftnl. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>