summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Warn for tables with compat expressions in rulesHEADmasterPhil Sutter11 days3-3/+16
| | | | | | | | | | | | | | | | | | While being able to "look inside" compat expressions using nft is a nice feature, it is also (yet another) pitfall for unaware users, deceiving them into assuming interchangeability (or at least compatibility) between iptables-nft and nft. In reality, which involves 'nft list ruleset | nft -f -', any correctly translated compat expressions will turn into native nftables ones not understood by (the version of) iptables-nft which created them in the first place. Other compat expressions will vanish, potentially compromising the firewall ruleset. Emit a warning (as comment) to give users a chance to stop and reconsider before shooting their own foot. Signed-off-by: Phil Sutter <phil@nwl.cc>
* monitor: missing cache and set handle initializationPablo Neira Ayuso2022-11-112-0/+8
| | | | | | | | | | | | | | | | | This leads to a crash when adding stateful expressions to sets: netlink.c:928:38: runtime error: member access within null pointer of type 'struct nft_ctx' AddressSanitizer:DEADLYSIGNAL ================================================================= ==13781==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000d0 (pc 0x7fc96fc2b6b2 bp 0x7ffc0e26b080 sp 0x7ffc0e26b020 T0) ==13781==The signal is caused by a READ memory access. ==13781==Hint: address points to the zero page. #0 0x7fc96fc2b6b2 in table_cache_find /home/pablo/devel/scm/git-netfilter/nftables/src/cache.c:456 #1 0x7fc96fd244d4 in netlink_parse_set_expr /home/pablo/devel/scm/git-netfilter/nftables/src/netlink_delinearize.c:1857 #2 0x7fc96fcf1b4d in netlink_delinearize_set /home/pablo/devel/scm/git-netfilter/nftables/src/netlink.c:928 #3 0x7fc96fd41966 in netlink_events_cache_addset /home/pablo/devel/scm/git-netfilter/nftables/src/monitor.c:649 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: no reset support for limitPablo Neira Ayuso2022-11-091-1/+1
| | | | | | | Remove reset command, this not supported for ratelimit. Fixes: eff2d606d20d ("doc: document a few reset commands supported by the parser") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: document a few reset commands supported by the parserPablo Neira Ayuso2022-11-091-2/+10
| | | | | | | | | | | | | The following are missing in the manpage: *reset counters* ['family'] *reset quotas* ['family'] *reset counters* ['family'] *table* 'table' *reset quotas* ['family'] *table* 'table' While at it, expand type to the supported stateful objects. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: handle prefix and range when merging into set + concatenationPablo Neira Ayuso2022-11-053-1/+5
| | | | | | | | | | | | | | | | The following ruleset fails to be merged using set + concatenation: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept hitting the following assertion: nft: optimize.c:585: __merge_concat_stmts: Assertion `0' failed. Abort This patch also updates tests/shell. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* payload: do not kill dependency for proto_unknownPablo Neira Ayuso2022-10-314-2/+45
| | | | | | | | | | | | | Unsupported meta match on layer 4 protocol sets on protocol context to proto_unknown, handle anything coming after it as a raw expression in payload_expr_expand(). Moreover, payload_dependency_kill() skips dependency removal if protocol is unknown, so raw payload expression leaves meta layer 4 protocol remains in place. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1641 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: complete payload expression in payload statementPablo Neira Ayuso2022-10-311-3/+4
| | | | | | | | | | | | | | Call payload_expr_complete() to complete payload expression in payload statement, otherwise expr->payload.desc is set to proto_unknown. Call stmt_payload_binop_postprocess() introduced by 50ca788ca4d0 ("netlink: decode payload statment") if payload_expr_complete() fails to provide a protocol description (eg. ip dscp). Follow up patch does not allow to remove redundant payload dependency if proto_unknown is used to deal with the raw payload expression case. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: deletion from interval concatenationPablo Neira Ayuso2022-10-182-0/+25
| | | | | | | | Deleting item from concatenated set stops working at least in 5.15.64. Add test to cover this use case. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1638 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: do not transfer binary operation to non-anonymous setsPablo Neira Ayuso2022-10-123-0/+40
| | | | | | | | | | | | | | | | Michael Braun says: This results for nft list ruleset in nft: netlink_delinearize.c:1945: binop_adjust_one: Assertion `value->len >= binop->right->len' failed. This is due to binop_adjust_one setting value->len to left->len, which is shorther than right->len. Additionally, it does not seem correct to alter set elements from parsing a rule, so remove that part all together. Reported-by: Michael Braun <michael-dev@fami-braun.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: do not display handle for implicit chainPablo Neira Ayuso2022-10-071-0/+6
| | | | | | | | | Implicit chains do not allow for incremental updates, do not display rule handle since kernel refuses to update an implicit chain which is already bound. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1615 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: display too many levels of nesting errorPablo Neira Ayuso2022-10-072-4/+24
| | | | | | | | | | | | | Instead of hitting this assertion: nft: parser_bison.y:70: open_scope: Assertion `state->scope < array_size(state->scopes) - 1' failed. Aborted this is easier to trigger with implicit chains where one level of nesting from the existing chain scope is supported. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1615 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: datatype memleak after binop transferPablo Neira Ayuso2022-10-061-1/+0
| | | | | | | | | | | | | | The following ruleset: ip version vmap { 4 : jump t3, 6 : jump t4 } results in a memleak. expr_evaluate_shift() overrides the datatype which results in a datatype memleak after the binop transfer that triggers a left-shift of the constant (in the map). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: bogus datatype assertion in binary operation evaluationPablo Neira Ayuso2022-10-063-1/+14
| | | | | | | | | | Use datatype_equal(), otherwise dynamically allocated datatype fails to fulfill the datatype pointer check, triggering the assertion: nft: evaluate.c:1249: expr_evaluate_binop: Assertion `expr_basetype(left) == expr_basetype(right)' failed. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1636 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* monitor: Sanitize startup race conditionPhil Sutter2022-09-303-1/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | During startup, 'nft monitor' first fetches the current ruleset and then keeps this cache up to date based on received events. This is racey, as any ruleset changes in between the initial fetch and the socket opening are not recognized. This script demonstrates the problem: | #!/bin/bash | | while true; do | nft flush ruleset | iptables-nft -A FORWARD | done & | maniploop=$! | | trap "kill $maniploop; kill \$!; wait" EXIT | | while true; do | nft monitor rules >/dev/null & | sleep 0.2 | kill $! | done If the table add event is missed, the rule add event callback fails to deserialize the rule and calls abort(). Avoid the inconvenient program exit by returning NULL from netlink_delinearize_rule() instead of aborting and make callers check the return value. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: py: add vlan test case for ip/inet familyFlorian Westphal2022-09-295-0/+94
| | | | | | | | | | | | | | | | | | | before fixup, this failed with: line 4: 'add rule ip test-ip4 input vlan id 1': '[ payload load 2b @ link header + 12 => reg 1 ]' mismatches '[ payload load 2b @ link header + 0 => reg 1 ]' ... because the auto-dependency did not add the preceeding ethernet header, so vlan was using the wrong offset. Note than vlan id match in inet input families will only work if header removal was disabled, i.e. ... add link vethin1 name vethin1.3 type vlan id 3 reorder_hdr off otherwise, kernel will strip the vlan tag and interface appears as a normal ethernet interface. Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: add ethernet header size offset for implicit vlan dependencyFlorian Westphal2022-09-291-1/+19
| | | | | | | | | | 'vlan id 1' must also add a ethernet header dep, else nft fetches the payload from header offset 0 instead of 14. Reported-by: Yi Chen <yiche@redhat.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: mention vlan matching in ip/ip6/inet familiesFlorian Westphal2022-09-281-0/+8
| | | | | | | It only works if vlan_reorder is turned off to disable the vlan tag removal. Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: allow implicit ether -> vlan depFlorian Westphal2022-09-281-0/+1
| | | | | | | | | | nft add rule inet filter input vlan id 2 Error: conflicting protocols specified: ether vs. vlan Refresh the current dependency after superseding the dummy dependency to make this work. Signed-off-by: Florian Westphal <fw@strlen.de>
* doc, src: make some spelling and grammatical improvementsJeremy Sowden2022-09-226-16/+16
| | | | | | | | | | | | | Fix a couple of spelling mistakes: 'expresion' -> 'expression' and correct some non-native usages: 'allows to' -> 'allows one to' Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* segtree: fix decomposition of unclosed intervals containing address prefixesJeremy Sowden2022-09-213-16/+50
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The code which decomposes unclosed intervals doesn't check for prefixes. This leads to incorrect output for sets which contain these. For example, # nft -f - <<END table ip t { chain c { ip saddr 192.0.0.0/2 drop ip saddr 10.0.0.0/8 drop ip saddr { 192.0.0.0/2, 10.0.0.0/8 } drop } } table ip6 t { chain c { ip6 saddr ff00::/8 drop ip6 saddr fe80::/10 drop ip6 saddr { ff00::/8, fe80::/10 } drop } } END # nft list table ip6 t table ip6 t { chain c { ip6 saddr ff00::/8 drop ip6 saddr fe80::/10 drop ip6 saddr { fe80::/10, ff00::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff } drop } } # nft list table ip t table ip t { chain c { ip saddr 192.0.0.0/2 drop ip saddr 10.0.0.0/8 drop ip saddr { 10.0.0.0/8, 192.0.0.0-255.255.255.255 } drop } } Instead of treating the final unclosed interval as a special case, reuse the code which correctly handles closed intervals. Add a shell test-case. Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1018156 Fixes: 86b965bdab8d ("segtree: fix decomposition of unclosed intervals") Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* segtree: refactor decomposition of closed intervalsJeremy Sowden2022-09-211-33/+38
| | | | | | | | | | | Move the code in `interval_map_decompose` which adds a new closed interval to the set into a separate function. In addition to the moving of the code, there is one other change: `compound_expr_add` is called once, after the main conditional, instead of being called in each branch. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: un-break rule insert with intervalsFlorian Westphal2022-09-203-0/+6
| | | | | | | | | 'rule inet dscpclassify dscp_match meta l4proto { udp } th dport { 3478 } th sport { 3478-3497, 16384-16387 } goto ct_set_ef' works with 'nft add', but not 'nft insert', the latter yields: "BUG: unhandled op 4". Fixes: 81e36530fcac ("src: replace interval segment tree overlap and automerge") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: add nft_ctx_add_var() and nft_ctx_clear_vars() docsFernando Fernandez Mancera2022-09-161-0/+11
| | | | | | | | Add missing documentation for nft_ctx_add_var() and nft_ctx_clear_vars() functions. Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* py: support variables management and fix formattingFernando Fernandez Mancera2022-09-161-13/+30
| | | | | | | | | | | | | Add nft_ctx_add_var() and nft_ctx_clear_vars() support through add_var() and clear_vars(). Also, fix some functions documentation and drop unnecesary comments. In addition, modify get_dry_run() to return the previous value set. This is needed to be consistent with the rest of the python API. Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1591 Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* py: extend python API to support libnftables APIPeter Collinson2022-09-161-0/+82
| | | | | | | | | | | Allows py/nftables.py to support full mapping to the libnftables API. The changes allow python code to talk in text to the kernel rather than just using json. The Python API can now also use dry run to test changes. Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1591 Signed-off-by: Peter Collinson <pc@hillside.co.uk> Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: add stateful object comment supportFernando Fernandez Mancera2022-09-164-0/+24
| | | | | | | | | | | | | | | | | | | | | | When listing a stateful object with JSON support, the comment was ignored. Output example: { "counter": { "family": "inet", "name": "mycounter", "table": "t", "handle": 1, "comment": "my comment in counter", "packets": 0, "bytes": 0 } } Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1611 Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: add secmark object reference supportFernando Fernandez Mancera2022-09-163-0/+45
| | | | | | | | | The secmark object reference requires a json parser function and it was missing. In addition, extends the shell testcases. Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1630 Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: resync nf_tables.h cache copyPablo Neira Ayuso2022-09-161-1/+27
| | | | | | Get this header in sync with nf-next as of 6.0-rc. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: fix empty statement list output in sets and mapsFernando Fernandez Mancera2022-09-051-29/+32
| | | | | | | | | | | | JSON output of sets and map should not include the statements list if is empty. The statement output should be stateless also. In addition, removes duplicated code. Fixes: 07958ec53830 ("json: add set statement list support") Fixes: e66f3187d891 ("json: add table map statement support") Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: fix json schema version verificationFernando Fernandez Mancera2022-09-035-7/+28
| | | | | | | | | | nft should ignore malformed or missing entries of `json_schema_version` but check the value when it is integer. Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1490 Fixes: 49e0f1dc6e52 ("JSON: Add metainfo object to all output") Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: add table map statement supportFernando Fernandez Mancera2022-09-034-29/+61
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When listing a map with statements with JSON support, the statement list were ignored. Output example: { "map": { "family": "ip", "name": "m", "table": "t", "type": "ipv4_addr", "handle": 1, "map": "mark", "stmt": [ { "counter": { "packets": 0, "bytes": 0 } } ] } } Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1588 Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: check address family in set collapseDerek Hageman2022-09-013-1/+33
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 498a5f0c219d added collapsing of set operations in different commands. However, the logic is currently too relaxed. It is valid to have a table and set with identical names on different address families. For example: table ip a { set x { type inet_service; } } table ip6 a { set x { type inet_service; } } add element ip a x { 1 } add element ip a x { 2 } add element ip6 a x { 2 } The above currently results in nothing being added to the ip6 family table due to being collapsed into the ip table add. Prior to 498a5f0c219d the set add would work. The fix is simply to check the family in addition to the table and set names before allowing a collapse. [ Add testcase to tests/shell --pablo ] Fixes: 498a5f0c219d ("rule: collapse set element commands") Signed-off-by: Derek Hageman <hageman@inthat.cloud> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: add set statement list supportFernando Fernandez Mancera2022-09-014-2/+67
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When listing a set with statements with JSON support, the statements were ignored. Output example: { "set": { "op": "add", "elem": { "payload": { "protocol": "ip", "field": "saddr" } }, "stmt": [ { "limit": { "rate": 10, "burst": 5, "per": "second" } }, { "counter": { "packets": 0, "bytes": 0 } } ], "set": "@my_ssh_meter" } } Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1495 Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: missing userdata in netlink payloadPablo Neira Ayuso2022-08-311-3/+3
| | | | | | | | Since libnftnl's 212479ad2c92 ("rule, set_elem: fix printing of user data"), userdata is missing in netlink payload printing via --debug. Update tests/py/ip6/srh.t.payload to silence warning. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow burst 0 for byte ratelimit and use it as defaultPablo Neira Ayuso2022-08-317-41/+44
| | | | | | | | | | | | | | | | | Packet-based limit burst is set to 5, as in iptables. However, byte-based limit burst adds to the rate to calculate the bucket size, and this is also sets this to 5 (... bytes in this case). Update it to use zero byte burst by default instead. This patch also updates manpage to describe how the burst value influences the kernel module's token bucket in each of the two modes. This documentation update is based on original text by Phil Sutter. Adjust tests/py to silence warnings due to mismatching byte burst. Fixes: 285baccfea46 ("src: disallow burst 0 in ratelimits") Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: update EXPR_MAX and add missing commentsFlorian Westphal2022-08-301-1/+6
| | | | | | | | | | | | | | | WHen flagcmp and catchall expressions got added the EXPR_MAX definition wasn't changed. Should have no impact in practice however, this value is only checked to prevent crash when old nft release is used to list a ruleset generated by a newer nft release and a unknown 'typeof' expression. v2: Pablo suggested to add EXPR_MAX into enum so its easier to spot. Adding __EXPR_MAX + define EXPR_MAX (__EXPR_MAX - 1) causes '__EXPR_MAX not handled in switch' warnings, hence the 'EXPR_MAX =' solution. Signed-off-by: Florian Westphal <fw@strlen.de>
* erec: Dump locations' expressions only if setPhil Sutter2022-08-301-0/+2
| | | | | | | | | | | | Calling netlink_dump_expr() with a NULL pointer leads to segfault within libnftnl. Internal ("fake") locations such as 'netlink_location' don't have an expression assigned so expect this and skip the call. Simple reproducer (list ruleset with netlink debugging as non-root): | $ nft -d netlink list ruleset Reported-by: Fran├žois Rigault <frigo@amadeus.com> Signed-off-by: Phil Sutter <phil@nwl.cc>
* doc: nft.8: Add missing '-T' in synopsisPhil Sutter2022-08-301-1/+1
| | | | | | | | Originally a typo in fixed commit: It added 't' in lower case, but meanwhile '-t' was added as well. Fixes: f8f32deda31df ("meta: Introduce new conditions 'time', 'day' and 'hour'") Signed-off-by: Phil Sutter <phil@nwl.cc>
* optimize: expand implicit set element when merging into concatenationPablo Neira Ayuso2022-08-303-10/+81
| | | | | | | | | | | | | | | | | | | | | | | | Generalize the existing code to deal with implicit sets. When merging a ruleset like the following: udp dport 128 iifname "foo" #1 udp dport { 67, 123 } iifname "bar" #2 into a concatenation of statements, the following expansion need to be done for rule #2: 67 . "bar" 123 . "bar" The expansion logic consists of cloning the existing concatenation being built and then append each element in the implicit set. A list of ongoing concatenations being built is maintained, so further expansions are also supported. Extend test to cover for this use-case. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1628 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Don't parse string as verdict in mapXiao Liang2022-08-193-13/+23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In verdict map, string values are accidentally treated as verdicts. For example: table t { map foo { type ipv4_addr : verdict elements = { 192.168.0.1 : bar } } chain output { type filter hook output priority mangle; ip daddr vmap @foo } } Though "bar" is not a valid verdict (should be "jump bar" or something), the string is taken as the element value. Then NFTA_DATA_VALUE is sent to the kernel instead of NFTA_DATA_VERDICT. This would be rejected by recent kernels. On older ones (e.g. v5.4.x) that don't validate the type, a warning can be seen when the rule is hit, because of the corrupted verdict value: [5120263.467627] WARNING: CPU: 12 PID: 303303 at net/netfilter/nf_tables_core.c:229 nft_do_chain+0x394/0x500 [nf_tables] Indeed, we don't parse verdicts during evaluation, but only chain names, which is of type string rather than verdict. For example, "jump $var" is a verdict while "$var" is a string. Fixes: c64457cff967 ("src: Allow goto and jump to a variable") Signed-off-by: Xiao Liang <shaw.leon@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* optimize: check for mergeable rulesPablo Neira Ayuso2022-08-113-1/+55
| | | | | | Rules that are equal need to have at least one mergeable statement. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: merging concatenation is unsupportedPablo Neira Ayuso2022-08-113-0/+6
| | | | | | | | | | | Existing concatenation cannot be merge at this stage, skip them otherwise this assertion is hit: nft: optimize.c:434: rule_build_stmt_matrix_stmts: Assertion `k >= 0' failed Extend existing test to cover this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: check for a tainted kernelFlorian Westphal2022-08-111-0/+16
| | | | | | | If a test case results in a kernel taint (WARN splat for example), make sure the test script indicates this. Signed-off-by: Florian Westphal <fw@strlen.de>
* concat with dynamically sized fields like vlan idMichael Braun2022-08-112-0/+18
| | | | | | | | | | | | | | This enables commands like nft set bridge t s4 '{typeof vlan id . ip daddr; elements = { 3567 . 1.2.3.4 }; }' Which would previously fail with Error: can not use variable sized data types (integer) in concat expressions Signed-off-by: Michael Braun <michael-dev@fami-braun.de> Signed-off-by: Florian Westphal <fw@strlen.de>
* build: Bump version to 1.0.5v1.0.5Pablo Neira Ayuso2022-08-091-3/+3
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: disable arp family for queue statementPablo Neira Ayuso2022-08-091-1/+0
| | | | | | | | | | | | | | Kernel commit: commit 47f4f510ad586032b85c89a0773fbb011d412425 Author: Florian Westphal <fw@strlen.de> Date: Tue Jul 26 19:49:00 2022 +0200 netfilter: nft_queue: only allow supported familes and hooks restricts supported families, excluding arp. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: don't use non-POSIX formats in strptime()Jo-Philipp Wich2022-08-091-4/+4
| | | | | | | | | | | | | The current strptime() invocations in meta.c use the `%F` format which is not specified by POSIX and thus unimplemented by some libc flavors such as musl libc. Replace all occurrences of `%F` with an equivalent `%Y-%m-%d` format in order to be able to properly parse user supplied dates in such environments. Signed-off-by: Jo-Philipp Wich <jo@mein.io> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow anon set concatenation with ether and vlanFlorian Westphal2022-08-056-5/+91
| | | | | | | | | | | | | | | | | | | | | | | vlan id uses integer type (which has a length of 0). Using it was possible, but listing would assert: python: mergesort.c:24: concat_expr_msort_value: Assertion `ilen > 0' failed. There are two reasons for this. First reason is that the udata/typeof information lacks the 'vlan id' part, because internally this is 'payload . binop(payload AND mask)'. binop lacks an udata store. It makes little sense to store it, 'typeof' keyword expects normal match syntax. So, when storing udata, store the left hand side of the binary operation, i.e. the load of the 2-byte key. With that resolved, delinerization could work, but concat_elem_expr() would splice 12 bits off the elements value, but it should be 16 (on a byte boundary). Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: search stacked header list for matching payload depFlorian Westphal2022-08-055-6/+110
| | | | | | | | | | | | | | "ether saddr 0:1:2:3:4:6 vlan id 2" works, but reverse fails: "vlan id 2 ether saddr 0:1:2:3:4:6" will give Error: conflicting protocols specified: vlan vs. ether After "proto: track full stack of seen l2 protocols, not just cumulative offset", we have a list of all l2 headers, so search those to see if we had this proto base in the past before rejecting this. Reported-by: Eric Garver <eric@garver.life> Signed-off-by: Florian Westphal <fw@strlen.de>
* netlink_delinearize: also postprocess OP_AND in set element contextFlorian Westphal2022-08-053-1/+19
| | | | | | | | | | | | | Pablo reports: add rule netdev nt y update @macset { vlan id timeout 5s } listing still shows the raw expression: update @macset { @ll,112,16 & 0xfff timeout 5s } so also cover the 'set element' case. Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>