summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* src: restore --echo with anonymous setsHEADmasterPablo Neira Ayuso3 days3-21/+12
| | | | | | | | | | | | If --echo is passed, then the cache already contains the commands that have been sent to the kernel. However, anonymous sets are an exception since the cache needs to be updated in this case. Remove the old cache logic from the monitor code that has been replaced by 01e5c6f0ed03 ("src: add cache level flags"). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Phil Sutter <phil@nwl.cc>
* flowtable: fix memleak in exit pathEric Jallot3 days2-0/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add missing loop in table_free(). Free all objects in flowtable_free() and add conditions in case of error recovery in the parser (See commit 4be0a3f922a29). Also, fix memleak in the parser. This fixes the following memleak: # valgrind --leak-check=full nft add flowtable inet raw f '{ hook ingress priority filter; devices = { eth0 }; }' ==15414== Memcheck, a memory error detector ==15414== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==15414== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info ==15414== Command: nft add flowtable inet raw f {\ hook\ ingress\ priority\ filter;\ devices\ =\ {\ eth0\ };\ } ==15414== ==15414== ==15414== HEAP SUMMARY: ==15414== in use at exit: 266 bytes in 4 blocks ==15414== total heap usage: 55 allocs, 51 frees, 208,105 bytes allocated ==15414== ==15414== 5 bytes in 1 blocks are definitely lost in loss record 2 of 4 ==15414== at 0x4C29EA3: malloc (vg_replace_malloc.c:309) ==15414== by 0x5C64AA9: strdup (strdup.c:42) ==15414== by 0x4E705ED: xstrdup (utils.c:75) ==15414== by 0x4E93F01: nft_lex (scanner.l:648) ==15414== by 0x4E85C1C: nft_parse (parser_bison.c:5577) ==15414== by 0x4E75A07: nft_parse_bison_buffer (libnftables.c:375) ==15414== by 0x4E75A07: nft_run_cmd_from_buffer (libnftables.c:443) ==15414== by 0x40170F: main (main.c:326) ==15414== ==15414== 261 (128 direct, 133 indirect) bytes in 1 blocks are definitely lost in loss record 4 of 4 ==15414== at 0x4C29EA3: malloc (vg_replace_malloc.c:309) ==15414== by 0x4E705AD: xmalloc (utils.c:36) ==15414== by 0x4E705AD: xzalloc (utils.c:65) ==15414== by 0x4E560B6: expr_alloc (expression.c:45) ==15414== by 0x4E56288: symbol_expr_alloc (expression.c:286) ==15414== by 0x4E8A601: nft_parse (parser_bison.y:1842) ==15414== by 0x4E75A07: nft_parse_bison_buffer (libnftables.c:375) ==15414== by 0x4E75A07: nft_run_cmd_from_buffer (libnftables.c:443) ==15414== by 0x40170F: main (main.c:326) Fixes: 92911b362e906 ("src: add support to add flowtables") Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: define flowtable device compound as a listPablo Neira Ayuso3 days2-2/+2
| | | | | | | | This fixes a memleak when releasing the compound expression via expr_free(). Fixes: 92911b362e90 ("src: add support to add flowtables") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: Fix for single line ct timeout printingPhil Sutter4 days1-1/+1
| | | | | | | | | | | Commit 43ae7a48ae3de ("rule: do not print semicolon in ct timeout") removed an extra semicolon at end of line, but thereby broke single line output. The correct fix is to use opts->stmt_separator which holds either newline or semicolon chars depending on output mode. Fixes: 43ae7a48ae3de ("rule: do not print semicolon in ct timeout") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* tests/monitor: Fix for changed ct timeout formatPhil Sutter4 days1-1/+1
| | | | | | | | | | Commit a9b0c385a1d5e ("rule: print space between policy and timeout") changed spacing in ct timeout objects but missed to adjust related test case. Fixes: a9b0c385a1d5e ("rule: print space between policy and timeout") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* monitor: Add missing newline to error messagePhil Sutter4 days1-1/+1
| | | | | | | | | These shouldn't happen in practice and printing to stderr is not the right thing either, but fix this anyway. Fixes: f9563c0feb24d ("src: add events reporting") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* mnl: Don't use nftnl_set_set()Phil Sutter6 days1-1/+1
| | | | | | | | | The function is unsafe to use as it effectively bypasses data length checks. Instead use nftnl_set_set_str() which at least asserts a const char pointer is passed. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cli: add linenoise CLI implementation.Jeremy Sowden6 days4-15/+70
| | | | | | | | By default, continue to use libreadline, but if `--with-cli=linenoise` is passed to configure, build the linenoise implementation instead. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expression: extend 'nft describe' to allow listing data typesFlorian Westphal7 days3-10/+41
| | | | | | | | | | | | | | | | | nft describe ct_status before: symbol expression, datatype invalid (invalid), 0 bits after: datatype ct_status (conntrack status) (basetype bitmask, integer), 32 bits pre-defined symbolic constants (in hexadecimal): expected 0x00000001 seen-reply 0x00000002 [..] Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: display description for header field < 8 bitsPablo Neira Ayuso11 days1-1/+1
| | | | | | | | | | | | # nft describe ip dscp payload expression, datatype dscp (Differentiated Services Code Point) (basetype integer), 6 bits pre-defined symbolic constants (in hexadecimal): nft: datatype.c:209: switch_byteorder: Assertion `len > 0' failed. Aborted Fixes: c89a0801d077 ("datatype: Display pre-defined inet_service values in host byte order") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: always close interval in non-anonymous setsPablo Neira Ayuso12 days2-1/+34
| | | | | | | Skip this optimization for non-anonymous sets, otherwise, element deletion breaks. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* obj: fix memleak in parser_bison.yEric Jallot12 days1-56/+27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Each object (secmark, synproxy, quota, limit, counter) is dynamically allocated by the parser and not freed at exit. However, there is no need to use dynamic allocation here because struct obj already provides the required storage. Update the grammar to ensure that obj_alloc() is called before config occurs. This fixes the following memleak (secmark as example): # valgrind --leak-check=full nft add secmark inet raw ssh \"system_u:object_r:ssh_server_packet_t:s0\" ==14643== Memcheck, a memory error detector ==14643== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==14643== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info ==14643== Command: nft add secmark inet raw ssh "system_u:object_r:ssh_server_packet_t:s0" ==14643== ==14643== ==14643== HEAP SUMMARY: ==14643== in use at exit: 256 bytes in 1 blocks ==14643== total heap usage: 41 allocs, 40 frees, 207,809 bytes allocated ==14643== ==14643== 256 bytes in 1 blocks are definitely lost in loss record 1 of 1 ==14643== at 0x4C29EA3: malloc (vg_replace_malloc.c:309) ==14643== by 0x4E72074: xmalloc (utils.c:36) ==14643== by 0x4E72074: xzalloc (utils.c:65) ==14643== by 0x4E89A31: nft_parse (parser_bison.y:3706) ==14643== by 0x4E778E7: nft_parse_bison_buffer (libnftables.c:375) ==14643== by 0x4E778E7: nft_run_cmd_from_buffer (libnftables.c:443) ==14643== by 0x40170F: main (main.c:326) Fixes: f44ab88b1088e ("src: add synproxy stateful object support") Fixes: 3bc84e5c1fdd1 ("src: add support for setting secmark") Fixes: c0697eabe832d ("src: add stateful object support for limit") Fixes: 4d38878b39be4 ("src: add/create/delete stateful objects") Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: fix failed tests due to missing quotesEric Jallot13 days14-19/+18
| | | | | | | | | Add double quotes to protect newlines when using <<< redirection. See also commit b878cb7d83855. Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: check we can use "dynamic" set for lookupsFlorian Westphal14 days1-0/+2
| | | | | | | | Requires kernel commit acab713177377 ("netfilter: nf_tables: allow lookups in dynamic sets"), else the rule add will fail. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: obj: fix memleak in handle_free()Eric Jallot2019-09-301-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Using limit object as example: # valgrind --leak-check=full nft list ruleset ==9937== Memcheck, a memory error detector ==9937== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==9937== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info ==9937== Command: nft list ruleset ==9937== table inet raw { limit lim1 { rate 1/second } } ==9937== ==9937== HEAP SUMMARY: ==9937== in use at exit: 5 bytes in 1 blocks ==9937== total heap usage: 50 allocs, 49 frees, 212,065 bytes allocated ==9937== ==9937== 5 bytes in 1 blocks are definitely lost in loss record 1 of 1 ==9937== at 0x4C29EA3: malloc (vg_replace_malloc.c:309) ==9937== by 0x5C65AA9: strdup (strdup.c:42) ==9937== by 0x4E720A3: xstrdup (utils.c:75) ==9937== by 0x4E660FF: netlink_delinearize_obj (netlink.c:972) ==9937== by 0x4E6641C: list_obj_cb (netlink.c:1064) ==9937== by 0x50E8993: nftnl_obj_list_foreach (object.c:494) ==9937== by 0x4E664EA: netlink_list_objs (netlink.c:1085) ==9937== by 0x4E4FE82: cache_init_objects (rule.c:188) ==9937== by 0x4E4FE82: cache_init (rule.c:221) ==9937== by 0x4E4FE82: cache_update (rule.c:271) ==9937== by 0x4E7716E: nft_evaluate (libnftables.c:406) ==9937== by 0x4E778F7: nft_run_cmd_from_buffer (libnftables.c:447) ==9937== by 0x40170F: main (main.c:326) Fixes: 4756d92e517ae ("src: listing of stateful objects") Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: memleak when list of commands is emptyPablo Neira Ayuso2019-09-271-1/+1
| | | | | | | | | | | | | ==9946== 200,807 (40 direct, 200,767 indirect) bytes in 1 blocks are definitely lost in loss record 4 of 4 ==9946== at 0x4837B65: calloc (vg_replace_malloc.c:762) ==9946== by 0x4F28216: nftnl_batch_alloc (batch.c:66) ==9946== by 0x48A33E8: mnl_batch_init (mnl.c:164) ==9946== by 0x48A736F: nft_netlink.isra.0 (libnftables.c:29) ==9946== by 0x48A7D03: nft_run_cmd_from_filename (libnftables.c:508) ==9946== by 0x10A621: main (main.c:328) Fixes: fc6d0f8b0cb1 ("libnftables: get rid of repeated initialization of netlink_ctx") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: delete flowtable after flush chainPablo Neira Ayuso2019-09-251-0/+9
| | | | | | Returns EBUSY on buggy kernels. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mnl: do not cache sender buffer sizePablo Neira Ayuso2019-09-221-6/+6
| | | | | | | | | | | SO_SNDBUF never fails, this socket option just provides a hint to the kernel. SO_SNDBUFFORCE sets the buffer size to zero if the value goes over INT_MAX. Userspace is caching the buffer hint that sends to the kernel, so it might leave userspace out of sync if the kernel ignores the hint. Do not make assumptions, fetch the sender buffer size from the kernel via getsockopt(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cli: remove unused declaration.Jeremy Sowden2019-09-201-1/+0
| | | | | | | | cli.h includes a forward declaration of struct parser_state which is not needed. Remove it. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* configure: remove unused AC_SUBST macros.Jeremy Sowden2019-09-201-2/+0
| | | | | | | | configure.ac contains a couple of AC_SUBST macros which serve no purpose. Remove them. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: meter: avoid double-space in list ruleset outputFlorian Westphal2019-09-202-2/+2
| | | | | | | | | | changes meter f size 1024 { ip saddr limit rate 10/second} accept to meter f size 1024 { ip saddr limit rate 10/second } accept Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: parser_json: fix crash while restoring secmark objectEric Jallot2019-09-161-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Before patch: # nft -j list ruleset | tee rules.json | jq '.' { "nftables": [ { "metainfo": { "version": "0.9.2", "release_name": "Scram", "json_schema_version": 1 } }, { "table": { "family": "inet", "name": "t", "handle": 11 } }, { "secmark": { "family": "inet", "name": "s", "table": "t", "handle": 1, "context": "system_u:object_r:ssh_server_packet_t:s0" } } ] } # nft flush ruleset # nft -j -f rules.json Segmentation fault Use "&tmp" instead of "tmp" in json_unpack() while translating "context" keyword. After patch: # nft -j -f rules.json # nft list ruleset table inet t { secmark s { "system_u:object_r:ssh_server_packet_t:s0" } } Fixes: 3bc84e5c1fdd1 ("src: add support for setting secmark") Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* nftables: don't crash in 'list ruleset' if policy is not setSergei Trofimovich2019-09-163-5/+29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Minimal reproducer: ``` $ cat nft.ruleset # filters table inet filter { chain prerouting { type filter hook prerouting priority -50 } } # dump new state list ruleset $ nft -c -f ./nft.ruleset table inet filter { chain prerouting { Segmentation fault (core dumped) ``` The crash happens in `chain_print_declaration()`: ``` if (chain->flags & CHAIN_F_BASECHAIN) { mpz_export_data(&policy, chain->policy->value, BYTEORDER_HOST_ENDIAN, sizeof(int)); ``` Here `chain->policy` is `NULL` (as textual rule does not mention it). The change is not to print the policy if it's not set (similar to `chain_evaluate()` handling). CC: Florian Westphal <fw@strlen.de> CC: Pablo Neira Ayuso <pablo@netfilter.org> CC: netfilter-devel@vger.kernel.org Bug: https://bugzilla.netfilter.org/show_bug.cgi?id=1365 Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org> Acked-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* json: tests: fix typo in ct expectation json testFernando Fernandez Mancera2019-09-151-1/+1
| | | | | | | | | The correct form is "ct expectation" not "ct expect". That was causing the tests/py/ip/object.t json test to fail. Fixes: 1dd08fcfa07a ("src: add ct expectations support") Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* parser_bison: Fix 'exists' keyword on Big EndianPhil Sutter2019-09-142-3/+5
| | | | | | | | | | | | | | | | | | Size value passed to constant_expr_alloc() must correspond with actual data size, otherwise wrong portion of data will be taken later when serializing into netlink message. Booleans require really just a bit, but make type of boolean_keys be uint8_t (introducing new 'val8' name for it) and pass the data length using sizeof() to avoid any magic numbers. While being at it, fix len value in parser_json.c as well although it worked before due to the value being rounded up to the next multiple of 8. Fixes: 9fd9baba43c8e ("Introduce boolean datatype and boolean expression") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* json: fix type mismatch on "ct expect" json exportingFernando Fernandez Mancera2019-09-131-1/+1
| | | | | | | | | | The size field in ct_expect struct should be parsed as json integer and not as a string. Also, l3proto field is parsed as string and not as an integer. That was causing a segmentation fault when exporting "ct expect" objects as json. Fixes: 1dd08fcfa07a ("src: add ct expectations support") Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add synproxy stateful object supportFernando Fernandez Mancera2019-09-1314-8/+312
| | | | | | | | | | | | | | | | | | | | | | | | | | Add support for "synproxy" stateful object. For example (for TCP port 80 and using maps with saddr): table ip foo { synproxy https-synproxy { mss 1460 wscale 7 timestamp sack-perm } synproxy other-synproxy { mss 1460 wscale 5 } chain bar { tcp dport 80 synproxy name "https-synproxy" synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" } } } Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: use-after-free in exit pathPablo Neira Ayuso2019-09-111-1/+1
| | | | | | | | | | | | | | | | | | | | | | | ==29699== Invalid read of size 8 ==29699== at 0x507E140: ct_label_table_exit (ct.c:239) ==29699== by 0x5091877: nft_exit (libnftables.c:97) ==29699== by 0x5091877: nft_ctx_free (libnftables.c:297) [...] ==29699== Address 0xb251008 is 136 bytes inside a block of size 352 free'd ==29699== at 0x4C2CDDB: free (vg_replace_malloc.c:530) ==29699== by 0x509186F: nft_ctx_free (libnftables.c:296) [...] ==29699== Block was alloc'd at ==29699== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711) ==29699== by 0x508C51D: xmalloc (utils.c:36) ==29699== by 0x508C51D: xzalloc (utils.c:65) ==29699== by 0x50916BE: nft_ctx_new (libnftables.c:151) [...] Release symbol tables before context object. Fixes: 45cb29a2ada4 ("src: remove global symbol_table") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: fix wrong conversion to "list" in ct markFernando Fernandez Mancera2019-09-103-1/+9
| | | | | | | | | | | We only prefer "list" representation in "ct event". For any other type of "ct" use the "or" representation so nft prints "ct mark set ct mark | 0x00000001" instead of "ct mark set ct mark,0x00000001". Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1364 Fixes: cb8f81ac3079 ("netlink_delinearize: prefer ct event set foo,bar over 'set foo|bar'") Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mnl: fix --echo buffer size againPablo Neira Ayuso2019-09-101-12/+14
| | | | | | | | | | | | | | | | If restart is triggered with --echo, it causes rules to be duplicated which is not correct. Remove restart logic. 1. If user passes --echo, use a default 4mb buffer. 2. assume each element in the batch will result in a 1k notification. This passes tests both in x86_64 and s390. Joint work with Florian Westphal. Fixes: 877baf9538f6 ("src: mnl: retry when we hit -ENOBUFS") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_json: fix crash on insert rule to bad referencesEric Garver2019-09-101-1/+5
| | | | | | | | | | Pass the location via the handle so the error leg in erec_print_list() can reference it. Applies to invalid references to tables, chains, and indexes. Fixes: 586ad210368b ("libnftables: Implement JSON parser") Signed-off-by: Eric Garver <eric@garver.life> Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: add huge transaction from firewalldEric Garver2019-09-101-0/+10
| | | | | | | This is borrowed from one of firewalld's test cases. Signed-off-by: Eric Garver <eric@garver.life> Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: add huge JSON transactionEric Garver2019-09-101-0/+16
| | | | | | | | Expand the test case to also check for returned rule handles in the JSON output. Signed-off-by: Eric Garver <eric@garver.life> Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: verify huge transaction returns expected number of rulesEric Garver2019-09-101-2/+3
| | | | | | | | Verify that we get the expected number of rules with --echo (i.e. the reply wasn't truncated). Signed-off-by: Eric Garver <eric@garver.life> Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: use-after-free from abort pathPablo Neira Ayuso2019-09-081-0/+19
| | | | | | | Rule that fails to be added while holding a bound set triggers user-after-free from the abort path. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: flag fwd and queue statements as terminalFlorian Westphal2019-09-071-0/+2
| | | | | | | | | | | | | | | | | | Both queue and fwd statement end evaluation of a rule: in ... fwd to "eth0" accept ... queue accept "accept" is redundant and never evaluated in the kernel. Add the missing "TERMINAL" flag so the evaluation step will catch any trailing expressions: nft add rule filter input queue counter Error: Statement after terminal statement has no effect Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: evaluate: catch invalid 'meta day' values in eval stepFlorian Westphal2019-09-062-4/+17
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add meta time test casesAnder Juaristi2019-09-064-0/+559
| | | | | Signed-off-by: Ander Juaristi <a@juaristi.eus> Signed-off-by: Florian Westphal <fw@strlen.de>
* meta: Introduce new conditions 'time', 'day' and 'hour'Ander Juaristi2019-09-0613-4/+390
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | These keywords introduce new checks for a timestamp, an absolute date (which is converted to a timestamp), an hour in the day (which is converted to the number of seconds since midnight) and a day of week. When converting an ISO date (eg. 2019-06-06 17:00) to a timestamp, we need to substract it the GMT difference in seconds, that is, the value of the 'tm_gmtoff' field in the tm structure. This is because the kernel doesn't know about time zones. And hence the kernel manages different timestamps than those that are advertised in userspace when running, for instance, date +%s. The same conversion needs to be done when converting hours (e.g 17:00) to seconds since midnight as well. The result needs to be computed modulo 86400 in case GMT offset (difference in seconds from UTC) is negative. We also introduce a new command line option (-t, --seconds) to show the actual timestamps when printing the values, rather than the ISO dates, or the hour. Some usage examples: time < "2019-06-06 17:00" drop; time < "2019-06-06 17:20:20" drop; time < 12341234 drop; day "Saturday" drop; day 6 drop; hour >= 17:00 drop; hour >= "17:00:01" drop; hour >= 63000 drop; We need to convert an ISO date to a timestamp without taking into account the time zone offset, since comparison will be done in kernel space and there is no time zone information there. Overwriting TZ is portable, but will cause problems when parsing a ruleset that has 'time' and 'hour' rules. Parsing an 'hour' type must not do time zone conversion, but that will be automatically done if TZ has been overwritten to UTC. Hence, we use timegm() to parse the 'time' type, even though it's not portable. Overwriting TZ seems to be a much worse solution. Finally, be aware that timestamps are converted to nanoseconds when transferring to the kernel (as comparison is done with nanosecond precision), and back to seconds when retrieving them for printing. We swap left and right values in a range to properly handle cross-day hour ranges (e.g. 23:15-03:22). Signed-off-by: Ander Juaristi <a@juaristi.eus> Reviewed-by: Florian Westphal <fw@strlen.de>
* evaluate: New internal helper __expr_evaluate_rangeAnder Juaristi2019-09-061-4/+16
| | | | | | | | | | | | | This is used by the followup patch to evaluate a range without emitting an error when the left value is larger than the right one. This is done to handle time-matching such as 23:00-01:00 -- expr_evaluate_range() will reject this, but we want to be able to evaluate and then handle this as a request to match from 23:00 to 1am. Signed-off-by: Ander Juaristi <a@juaristi.eus> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: check that rule add with index works with echoEric Garver2019-09-062-0/+21
| | | | | Signed-off-by: Eric Garver <eric@garver.life> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache: fix --echo with index/positionEric Garver2019-09-061-4/+2
| | | | | | | | | Always call evaluate_cache_add() so it can set special flags - in this case NFT_CACHE_UPDATE. Fixes: 01e5c6f0ed03 ("src: add cache level flags") Signed-off-by: Eric Garver <eric@garver.life> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: add ibrpvid and ibrvproto supportwenxu2019-08-304-0/+43
| | | | | | | | | | | This allows you to match the bridge pvid and vlan protocol, for instance: nft add rule bridge firewall zones meta ibrvproto vlan nft add rule bridge firewall zones meta ibrpvid 100 Signed-off-by: wenxu <wenxu@ucloud.cn> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: json: add support for element deletionFlorian Westphal2019-08-296-0/+49
| | | | | | | | also add a test case. Fixes: a87f2a2227be2 ("netfilter: support for element deletion") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Phil Sutter <phil@nwl.cc>
* netfilter: support for element deletionAnder Juaristi2019-08-293-0/+3
| | | | | | | | | | | | | | | | | | | | | | | This patch implements element deletion from ruleset. Example: table ip set-test { set testset { type ipv4_addr; flags timeout; } chain outputchain { policy accept; type filter hook output priority filter; delete @testset { ip saddr } } } Signed-off-by: Ander Juaristi <a@juaristi.eus> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: secmark: fix brace indentation and missing quotes in selctx outputEric Jallot2019-08-201-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Before patch: # nft list secmarks | tee rules.nft table inet t { secmark s { system_u:object_r:ssh_server_packet_t:s0 } } # nft flush ruleset # nft -f rules.nft rules.nft:3:11-11: Error: syntax error, unexpected colon system_u:object_r:ssh_server_packet_t:s0 Colon is not allowed in strings and breaks nft -f. So move to quoted string in selctx output. After patch: # nft list secmarks | tee rules.nft table inet t { secmark s { "system_u:object_r:ssh_server_packet_t:s0" } } # nft flush ruleset # nft -f rules.nft Fixes: 3bc84e5c ("src: add support for setting secmark") Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* build: Bump version to v0.9.2v0.9.2Pablo Neira Ayuso2019-08-192-3/+4
| | | | | | | | | Update dependency on libnftnl. Missing nf_synproxy.h in Makefile.am too. Update release name based Jazz series, Fats Waller performing "Scram": https://www.youtube.com/watch?v=c9-noJc9ifI Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: libnftnl: run single-initcalls only onceFlorian Westphal2019-08-191-5/+9
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: make sure i is definedFlorian Westphal2019-08-161-0/+1
| | | | | | | | | | | The test script can die in case there are severe problems, such as rlen being 0 -- in that case i is undefined and script evaluation is aborted. Found during nft development, no existing test case shows this problem. Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: don't check asciidoc output with xmllintArturo Borrero Gonzalez2019-08-151-1/+1
| | | | | | | | | | We don't need to check asciidoc output with xmllint because the generated XML is generated by a tool, not by a human. Moreover, xmllint can cause problems because it will try to download the DTD and that is problematic in build systems with no network access. Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>