summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* include: nf_tables: correct bitwise header comment.HEADmasterJeremy Sowden43 hours1-3/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | The comment documenting how bitwise expressions work includes a table which summarizes the mask and xor arguments combined to express the supported boolean operations. However, the row for OR: mask xor 0 x is incorrect. dreg = (sreg & 0) ^ x is not equivalent to: dreg = sreg | x What the code actually does is: dreg = (sreg & ~x) ^ x Update the documentation to match. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: update list of rmmod modulesPablo Neira Ayuso43 hours1-2/+2
| | | | | | | * Missing nft_fib_inet. * nft_chain_nat_ipv4 and nft_chain_nat_ipv6 became nft_chain_nat. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: set lookup and set updatePablo Neira Ayuso43 hours1-0/+21
| | | | | | A simple test to cover set lookup and update in one rule. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: Avoid potential NULL-pointer deref in netlink_gen_payload_stmt()Phil Sutter2 days1-1/+1
| | | | | | | | | | With payload_needs_l4csum_update_pseudohdr() unconditionally dereferencing passed 'desc' parameter and a previous check for it to be non-NULL, make sure to call the function only if input is sane. Fixes: 68de70f2b3fc6 ("netlink_linearize: fix IPv6 layer 4 checksum mangling") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: Fix leaks in netlink_parse_cmp()Phil Sutter2 days1-6/+13
| | | | | | | | | | | | This fixes several problems at once: * Err path would leak expr 'right' in two places and 'left' in one. * Concat case would leak 'right' by overwriting the pointer. Introduce a temporary variable to hold the new pointer. Fixes: 6377380bc265f ("netlink_delinearize: handle relational and lookup concat expressions") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: Fix leak in unterminated string deserializerPhil Sutter2 days1-2/+4
| | | | | | | | | Allocated 'mask' expression is not freed before returning to caller, although it is used temporarily only. Fixes: b851ba4731d9f ("src: add interface wildcard matching") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: better error notice when interval flag is not set onPablo Neira Ayuso8 days1-5/+2
| | | | | | | | | | | | | Users get confused with the existing error notice, let's try a different one: # nft add element x y { 1.1.1.0/24 } Error: You must add 'flags interval' to your set declaration if you want to add prefix elements add element x y { 1.1.1.0/24 } ^^^^^^^^^^ Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1380 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Phil Sutter <phil@nwl.cc>
* cache: Fix for doubled output after reset commandPhil Sutter8 days3-3/+16
| | | | | | | | | | | | | | | Reset command causes a dump of the objects to reset and adds those to cache. Yet it ignored if the object in question was already there and up to now CMD_RESET was flagged as NFT_CACHE_FULL. Tackle this from two angles: First, reduce cache requirements of reset command to the necessary bits which is table cache. This alone would suffice if there wasn't interactive mode (and other libnftables users): A cache containing the objects to reset might be in place already, so add dumped objects to cache only if they don't exist already. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Search diff tool once and for allPhil Sutter8 days33-75/+46
| | | | | | | | | | | | | | | Instead of calling 'which diff' over and over again, just detect the tool's presence in run-tests.sh and pass $DIFF to each testcase just like with nft binary. Fall back to using 'true' command to avoid the need for any conditional calling in test cases. While being at it, unify potential diff calls so that a string comparison in shell happens irrespective of diff presence. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xfrm: spi is big-endianFlorian Westphal10 days2-2/+1
| | | | | | | the kernel stores spi in a __be32, so fix up the byteorder annotation. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* monitor: Fix output for ranges in anonymous setsPhil Sutter11 days3-1/+11
| | | | | | | | | | | | | | | | | | Previous fix for named interval sets was simply wrong: Instead of limiting decomposing to anonymous interval sets, it effectively disabled it entirely. Since code needs to check for both interval and anonymous bits separately, introduce set_is_interval() helper to keep the code readable. Also extend test case to assert ranges in anonymous sets are correctly printed by echo or monitor modes. Without this fix, range boundaries are printed as individual set elements. Fixes: 5d57fa3e99bb9 ("monitor: Do not decompose non-anonymous sets") Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: monitor: Support running individual test casesPhil Sutter2020-01-101-2/+7
| | | | | | | | Recognize testcase paths on command line and limit testing on those only. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* monitor: Fix for use after free when printing map elementsPhil Sutter2020-01-101-1/+2
| | | | | | | | | When populating the dummy set, 'data' field must be cloned just like 'key' field. Fixes: 343a51702656a ("src: store expr, not dtype to track data in sets") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* monitor: Do not decompose non-anonymous setsPhil Sutter2020-01-102-1/+21
| | | | | | | | | They have been decomposed already, trying to do that again causes a segfault. This is a similar fix as in commit 8ecb885589591 ("src: restore --echo with anonymous sets"). Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: restore --debugPablo Neira Ayuso2020-01-091-2/+4
| | | | | | | Broken since options are mandatory before commands. Fixes: fb9cea50e8b3 ("main: enforce options before commands") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: fix expr_set_context call for shift binops.Jeremy Sowden2020-01-081-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | expr_evaluate_binop calls expr_set_context for shift expressions to set the context data-type to `integer`. This clobbers the byte-order of the context, resulting in unexpected conversions to NBO. For example: $ sudo nft flush ruleset $ sudo nft add table t $ sudo nft add chain t c '{ type filter hook output priority mangle; }' $ sudo nft add rule t c oif lo tcp dport ssh ct mark set '0x10 | 0xe' $ sudo nft add rule t c oif lo tcp dport ssh ct mark set '0xf << 1' $ sudo nft list table t table ip t { chain c { type filter hook output priority mangle; policy accept; oif "lo" tcp dport 22 ct mark set 0x0000001e oif "lo" tcp dport 22 ct mark set 0x1e000000 } } Replace it with a call to __expr_set_context and set the byteorder to that of the left operand since this is the value being shifted. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: delete flowtable after flushing chainPablo Neira Ayuso2020-01-051-0/+10
| | | | | | | This patch adds a test to cover delete flowtable after chain flush including two rule references to the flowtable. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: incorrect error reporting after file inclusionPablo Neira Ayuso2020-01-051-3/+19
| | | | | | | | | | | scanner_pop_buffer() incorrectly sets the current input descriptor. The state->indesc_idx field actually stores the number of input descriptors in the stack, decrement it and then update the current input descriptor accordingly. Fixes: 60e917fa7cb5 ("src: dynamic input_descriptor allocation") Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1383 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: add slave device matchingFlorian Westphal2020-01-037-0/+45
| | | | | | | | Adds "meta sdif" and "meta sdifname". Both only work in input/forward hook of ipv4/ipv6/inet family. Cc: Martin Willi <martin@strongswan.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: Fix typo in IGMP sectionBenjamin Poirier2019-12-301-1/+1
| | | | | Signed-off-by: Benjamin Poirier <benjamin.poirier@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: enforce options before commandsPablo Neira Ayuso2019-12-1811-12/+64
| | | | | | | | | | | | | | | | | This patch turns on POSIXLY_CORRECT on the getopt parser to enforce options before commands. Users get a hint in such a case: # nft list ruleset -a Error: syntax error, options must be specified before commands nft list ruleset -a ^ ~~ This patch recovers 9fc71bc6b602 ("main: Fix for misleading error with negative chain priority"). Tests have been updated. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: mention 'typeof' as alternative to 'type' keywordFlorian Westphal2019-12-171-3/+9
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: print a hint about 'typeof' syntax on 0 keylenFlorian Westphal2019-12-171-5/+18
| | | | | | | | | | If user says 'type integer; ...' in a set definition, don't just throw an error -- provide a hint that the typeof keyword can be used to provide the needed size information. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add typeof test casesFlorian Westphal2019-12-174-0/+91
| | | | | | | | Add sets using unspecific string/integer types, one with osf name, other with vlan id. Neither type can be used directly, as they lack the type size information. Signed-off-by: Florian Westphal <fw@strlen.de>
* mnl: round up the map data size tooFlorian Westphal2019-12-171-1/+1
| | | | | | | | | | Same as key: if the size isn't divisible by BITS_PER_BYTE, we need to round up, not down. Without this, you can't store vlan ids in a map, as they are truncated to 8 bit. Signed-off-by: Florian Westphal <fw@strlen.de>
* xfrm: add parse and build userdata interfacePablo Neira Ayuso2019-12-172-0/+62
| | | | | | | Add support for meta userdata area. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* fib: add parse and build userdata interfacePablo Neira Ayuso2019-12-172-2/+59
| | | | | | | Add support for meta userdata area. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* rt: add parse and build userdata interfacePablo Neira Ayuso2019-12-172-0/+52
| | | | | | | Add support for meta userdata area. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* hash: add parse and build userdata interfacePablo Neira Ayuso2019-12-172-0/+73
| | | | | | | Add support for meta userdata area. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* numgen: add parse and build userdata interfacePablo Neira Ayuso2019-12-172-0/+63
| | | | | | | Add support for meta userdata area. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* ct: add parse and build userdata interfacePablo Neira Ayuso2019-12-172-0/+57
| | | | | | | Add support for meta userdata area. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* osf: add parse and build userdata interfacePablo Neira Ayuso2019-12-172-0/+14
| | | | | | | Add support for meta userdata area. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* socket: add parse and build userdata interfacePablo Neira Ayuso2019-12-172-0/+52
| | | | | | | Add support for meta userdata area. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* exthdr: add parse and build userdata interfacePablo Neira Ayuso2019-12-172-0/+75
| | | | | | | Add support for meta userdata area. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* exthdr: add exthdr_desc_id enum and use itPablo Neira Ayuso2019-12-172-0/+43
| | | | | | | This allows to identify the exthdr protocol from the userdata area. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* meta: add parse and build userdata interfacePablo Neira Ayuso2019-12-172-2/+53
| | | | | | | Add support for meta userdata area. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add "typeof" build/parse/print supportFlorian Westphal2019-12-177-20/+262
| | | | | | | | | | | | | | | | | | | | This patch adds two new expression operations to build and to parse the userdata area that describe the set key and data typeof definitions. For maps, the grammar enforces either "type data_type : data_type" or or "typeof expression : expression". Check both key and data for valid user typeof info first. If they check out, flag set->key_typeof_valid as true and use it for printing the key info. This patch comes with initial support for using payload expressions with the 'typeof' keyword, followup patches will add support for other expressions as well. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* parser: add typeof keyword for declarationsPablo Neira Ayuso2019-12-172-2/+38
| | | | | | | | | | | | | | | | | | Add a typeof keyword to automatically use the correct type in set and map declarations. table filter { set blacklist { typeof ip saddr } chain input { ip saddr @blacklist counter drop } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* expr: add expr_ops_by_type()Pablo Neira Ayuso2019-12-162-0/+13
| | | | | | | Fetch expression operation from the expression type. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* proto: add proto_desc_id enumerationPablo Neira Ayuso2019-12-162-0/+73
| | | | | | | This allows to uniquely identify the protocol description. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: store expr, not dtype to track data in setsFlorian Westphal2019-12-1614-63/+81
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This will be needed once we add support for the 'typeof' keyword to handle maps that could e.g. store 'ct helper' "type" values. Instead of: set foo { type ipv4_addr . mark; this would allow set foo { typeof(ip saddr) . typeof(ct mark); (exact syntax TBD). This would be needed to allow sets that store variable-sized data types (string, integer and the like) that can't be used at at the moment. Adding special data types for everything is problematic due to the large amount of different types needed. For anonymous sets, e.g. "string" can be used because the needed size can be inferred from the statement, e.g. 'osf name { "Windows", "Linux }', but in case of named sets that won't work because 'type string' lacks the context needed to derive the size information. With 'typeof(osf name)' the context is there, but at the moment it won't help because the expression is discarded instantly and only the data type is retained. Signed-off-by: Florian Westphal <fw@strlen.de>
* parser: add a helper for concat expression handlingFlorian Westphal2019-12-161-56/+43
| | | | | | Cull the repeated copy&paste snippets and add/use a helper for this. Signed-off-by: Florian Westphal <fw@strlen.de>
* py: load the SONAME-versioned shared objectArturo Borrero Gonzalez2019-12-101-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | Instruct the python module to load the SONAME versioned shared object. Normal end-user systems may only have available libnftables.so.1.0.0 and not libnftables.so which is usually only present in developer systems. In Debian systems, for example: % dpkg -L libnftables1 | grep so.1 /usr/lib/x86_64-linux-gnu/libnftables.so.1.0.0 /usr/lib/x86_64-linux-gnu/libnftables.so.1 % dpkg -L libnftables-dev | grep so /usr/lib/x86_64-linux-gnu/libnftables.so The "1" is not a magic number, is the SONAME of libnftables in the current version, as stated in Make_global.am. Reported-by: Michael Biebl <biebl@debian.org> Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: don't remove nul-root element from interval setPablo Neira Ayuso2019-12-095-10/+33
| | | | | | | | | | | | | Check from the delinearize set element path if the nul-root element already exists in the interval set. Hence, the element insertion path skips the implicit nul-root interval insertion. Under some circunstances, nft bogusly fails to delete the last element of the interval set and to create an element in an existing empty internal set. This patch includes a test that reproduces the issue. Fixes: 4935a0d561b5 ("segtree: special handling for the first non-matching segment") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: Remove repeated paragraph and fix typonl67202019-12-091-7/+1
| | | | | | | [ Florian: Expand "ininterface" to "incoming interface" ] Signed-off-by: nl6720 <nl6720@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: Clarify conditions under which a reject verdict is permissibleDuncan Roe2019-12-061-2/+3
| | | | | | | | | A phrase like "input chain" is a throwback to xtables documentation. In nft, chains are containers for rules. They do have a type, but what's important here is which hook each uses. Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au> Signed-off-by: Florian Westphal <fw@strlen.de>
* build: nftables 0.9.3 depends on libnftnl 1.1.5Pablo Neira Ayuso2019-12-051-1/+1
| | | | | | | | nftables 0.9.3 requires libnftnl 1.1.5, otherwise compilation breaks: https://bugs.gentoo.org/701976. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Phil Sutter <phil@nwl.cc>
* include: add nf_tables_compat.h to tarballsPablo Neira Ayuso2019-12-031-0/+1
| | | | | | Add it to Makefile.am so make distcheck adds this header to tarballs. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: Bump version to v0.9.3v0.9.3Pablo Neira Ayuso2019-12-021-2/+2
| | | | | | | | Update release name based on Jazz series, Count Basie's "Topsy": https://www.youtube.com/watch?v=Up78NJHESKE Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: off-by-one write in netdev chain device arrayPablo Neira Ayuso2019-12-021-2/+2
| | | | | | | | | | | | | | | | | | ==728473== Invalid write of size 8 ==728473== at 0x48960F2: netlink_delinearize_chain (netlink.c:422) ==728473== by 0x4896252: list_chain_cb (netlink.c:459) ==728473== by 0x4896252: list_chain_cb (netlink.c:441) ==728473== by 0x4F2C654: nftnl_chain_list_foreach (chain.c:1011) ==728473== by 0x489629F: netlink_list_chains (netlink.c:478) ==728473== by 0x4882303: cache_init_objects (rule.c:177) ==728473== by 0x4882303: cache_init (rule.c:222) ==728473== by 0x4882303: cache_update (rule.c:272) ==728473== by 0x48A7DCE: nft_evaluate (libnftables.c:408) ==728473== by 0x48A86D9: nft_run_cmd_from_buffer (libnftables.c:449) ==728473== by 0x10A5D6: main (main.c:338) Fixes: 3fdc7541fba0 ("src: add multidevice support for netdev chain") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>