summaryrefslogtreecommitdiffstats
path: root/src/evaluate.c
Commit message (Collapse)AuthorAgeFilesLines
* evaluate: set evaluation context for set elementsFlorian Westphal13 days1-2/+9
| | | | | | | | | | | | | This resolves same issue as previous patch when such expression is used as a set key: set z { typeof ct zone - elements = { 1, 512, 768, 1024, 1280, 1536 } + elements = { 1, 2, 3, 4, 5, 6 } } Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: pick data element byte order, not dtype oneFlorian Westphal13 days1-1/+1
| | | | | | | | | | | | | Some expressions have integer base type, not a specific one, e.g. 'ct zone'. In that case nft used the wrong byte order. Without this, nft adds elements = { "eth0" : 256, "eth1" : 512, "veth4" : 256 } instead of 1, 2, 3. This is not a 'display bug', the added elements have wrong byte order. Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: incorrect usage of stmt_binary_error() in rejectPablo Neira Ayuso2021-02-091-3/+2
| | | | | | | Don't pass ctx->pctx.protocol[PROTO_BASE_LL_HDR] to stmt_binary_error(), it's not useful for the error reporting as location is not available. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add negation match on singleton bitmask valuePablo Neira Ayuso2021-02-051-0/+8
| | | | | | | | | | | | | | | | | This patch provides a shortcut for: ct status and dnat == 0 which allows to check for the packet whose dnat bit is unset: # nft add rule x y ct status ! dnat counter This operation is only available for expression with a bitmask basetype, eg. # nft describe ct status ct expression, datatype ct_status (conntrack status) (basetype bitmask, integer), 32 bits Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: do not crash if dynamic set has no statementsFlorian Westphal2021-02-051-4/+6
| | | | | | | | list_first_entry() returns garbage when the list is empty. There is no need to run the following loop if we have no statements, so just return 0. Signed-off-by: Florian Westphal <fw@strlen.de>
* reject: Fix for missing dependencies in netdev familyPhil Sutter2021-01-271-1/+2
| | | | | | | | | | | | | | | Like with bridge family, rejecting with either icmp or icmpv6 must create a dependency match on meta protocol. Upon delinearization, treat netdev reject identical to bridge as well so no family info is lost. This makes reject statement in netdev family fully symmetric so fix the tests in tests/py/netdev/reject.t, adjust the related payload dumps and add JSON equivalents which were missing altogether. Fixes: 0c42a1f2a0cc5 ("evaluate: add netdev support for reject default") Fixes: a51a0bec1f698 ("tests: py: add netdev folder and reject.t icmp cases") Cc: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Phil Sutter <phil@nwl.cc>
* src: evaluate: reset context maxlen value before prio evaluationFlorian Westphal2021-01-261-2/+2
| | | | | | | | | | unshare -n tests/shell/run-tests.sh tests/shell/testcases/nft-f/0024priority_0 W: [FAILED] tests/shell/testcases/nft-f/0024priority_0: got 1 /dev/stdin:8:47-49: Error: Value 100 exceeds valid range 0-15 type filter hook postrouting priority 100 Reported-by: Andreas Schultz <andreas.schultz@travelping.com Signed-off-by: Florian Westphal <fw@strlen.de>
* exthdr: remove tcp dependency for tcp option matchingFlorian Westphal2021-01-261-3/+1
| | | | | | Kernel won't search for tcp options in non-tcp packets. Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: disallow ct original {s,d}ddr from concatenationsPablo Neira Ayuso2021-01-251-0/+17
| | | | | | | | | | | | | | | | Extend 8b043938e77b ("evaluate: disallow ct original {s,d}ddr from maps") to cover concatenations too. Error: specify either ip or ip6 for address matching add rule x y meta mark set ct original saddr . meta mark map { 1.1.1.1 . 20 : 30 } ^^^^^^^^^^^^^^^^^ The old syntax for ct original saddr without either ip or ip6 results in unknown key size, which breaks the listing. The old syntax is only allowed in simple rules for backward compatibility. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1489 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: disallow ct original {s,d}ddr from mapsPablo Neira Ayuso2021-01-151-0/+6
| | | | | | | | | test.nft:6:55-71: Error: specify either ip or ip6 for address matching add rule ip mangle manout ct direction reply mark set ct original daddr map { $ext1_ip : 0x11, $ext2_ip : 0x12 } ^^^^^^^^^^^^^^^^^ Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1489 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: set on flags to request multi-statement supportPablo Neira Ayuso2021-01-041-0/+8
| | | | | | | Old kernel reject requests for element with multiple statements because userspace sets on the flags for multi-statements. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add set element multi-statement supportPablo Neira Ayuso2020-12-181-14/+43
| | | | | | | | Extend the set element infrastructure to support for several statements. This patch places the statements right after the key when printing it. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for multi-statement in dynamic sets and mapsPablo Neira Ayuso2020-12-171-10/+14
| | | | | | | | This patch allows for two statements for dynamic set updates, e.g. nft rule x y add @y { ip daddr limit rate 1/second counter } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add auto-dependencies for ipv6 icmp6Florian Westphal2020-12-091-1/+1
| | | | | | Extend the earlier commit to also cover icmpv6. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add auto-dependencies for ipv4 icmpFlorian Westphal2020-12-091-1/+19
| | | | | | | | | | | | | | The ICMP header has field values that are only exist for certain types. Mark the icmp proto 'type' field as a nextheader field and add a new th description to store the icmp type dependency. This can later be re-used for other protocol dependend definitions such as mptcp options -- which are all share the same tcp option number and have a special 4 bit marker inside the mptcp option space that tells how the remaining option looks like. Signed-off-by: Florian Westphal <fw@strlen.de>
* tcpopt: split tcpopt_hdr_fields into per-option enumFlorian Westphal2020-11-091-10/+6
| | | | | | | | | | | | | | | | | | Currently we're limited to ten template fields in exthdr_desc struct. Using a single enum for all tpc option fields thus won't work indefinitely (TCPOPTHDR_FIELD_TSECR is 9) when new option templates get added. Fortunately we can just use one enum per tcp option to avoid this. As a side effect this also allows to simplify the sack offset calculations. Rather than computing that on-the-fly, just add extra fields to the SACK template. expr->exthdr.offset now holds the 'raw' value, filled in from the option template. This would ease implementation of 'raw option matching' using offset and length to load from the option. Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: add netdev support for reject defaultJose M. Guisado Gomez2020-11-021-0/+1
| | | | | | | | | | Enables not specifying any icmp type and code when using reject inside netdev. This patch completely enables using reject for the netdev family. Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: ingress inet supportPablo Neira Ayuso2020-10-131-2/+6
| | | | | | | | | | | | | | | | | | Add support for inet ingress chains. table inet filter { chain ingress { type filter hook ingress device "veth0" priority filter; policy accept; } chain input { type filter hook input priority filter; policy accept; } chain forward { type filter hook forward priority filter; policy accept; } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: Reject quoted strings containing only wildcardPhil Sutter2020-10-061-2/+5
| | | | | | | | | | | | | | | | | | | | | Fix for an assertion fail when trying to match against an all-wildcard interface name: | % nft add rule t c iifname '"*"' | nft: expression.c:402: constant_expr_alloc: Assertion `(((len) + (8) - 1) / (8)) > 0' failed. | zsh: abort nft add rule t c iifname '"*"' Fix this by detecting the string in expr_evaluate_string() and returning an error message: | % nft add rule t c iifname '"*"' | Error: All-wildcard strings are not supported | add rule t c iifname "*" | ^^^ While being at it, drop the 'datalen >= 1' clause from the following conditional as together with the added check for 'datalen == 0', all possible other values have been caught already.
* src: context tracking for multiple transport protocolsPablo Neira Ayuso2020-09-151-2/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch extends the protocol context infrastructure to track multiple transport protocols when they are specified from sets. This removes errors like: "transport protocol mapping is only valid after transport protocol match" when invoking: # nft add rule x z meta l4proto { tcp, udp } dnat to 1.1.1.1:80 This patch also catches conflicts like: # nft add rule x z ip protocol { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80 Error: conflicting protocols specified: udp vs. tcp add rule x z ip protocol { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80 ^^^^^^^^^ and: # nft add rule x z meta l4proto { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80 Error: conflicting protocols specified: udp vs. tcp add rule x z meta l4proto { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80 ^^^^^^^^^ Note that: - the singleton protocol context tracker is left in place until the existing users are updated to use this new multiprotocol tracker. Moving forward, it would be good to consolidate things around this new multiprotocol context tracker infrastructure. - link and network layers are not updated to use this infrastructure yet. The code that deals with vlan conflicts relies on forcing protocol context updates to the singleton protocol base. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: remove one indent level in __expr_evaluate_payload()Pablo Neira Ayuso2020-09-141-25/+24
| | | | | | | If there is protocol context for this base, just return from function to remove one level of indentation. This patch is cleanup. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* socket: add support for "wildcard" keyBalazs Scheidler2020-08-291-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | iptables had a "-m socket --transparent" which didn't match sockets that are bound to all addresses (e.g. 0.0.0.0 for ipv4, and ::0 for ipv6). It was possible to override this behavior by using --nowildcard, in which case it did match zero bound sockets as well. The issue is that nftables never included the wildcard check, so in effect it behaved like "iptables -m socket --transparent --nowildcard" with no means to exclude wildcarded listeners. This is a problem as a user-space process that binds to 0.0.0.0:<port> that enables IP_TRANSPARENT would effectively intercept traffic going in _any_ direction on the specific port, whereas in most cases, transparent proxies would only need this for one specific address. The solution is to add "socket wildcard" key to the nft_socket module, which makes it possible to match on the wildcardness of a socket from one's ruleset. This is how to use it: table inet haproxy { chain prerouting { type filter hook prerouting priority -150; policy accept; socket transparent 1 socket wildcard 0 mark set 0x00000001 } } This patch effectively depends on its counterpart in the kernel. Signed-off-by: Balazs Scheidler <bazsi77@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add chain hashtable cachePablo Neira Ayuso2020-08-261-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | This significantly improves ruleset listing time with large rulesets (~50k rules) with _lots_ of non-base chains. # time nft list ruleset &> /dev/null Before this patch: real 0m11,172s user 0m6,810s sys 0m4,220s After this patch: real 0m4,747s user 0m0,802s sys 0m3,912s This patch also removes list_bindings from netlink_ctx since there is no need to keep a temporary list of chains anymore. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: disregard ct address matching without familyPablo Neira Ayuso2020-07-311-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | The following rule: # nft add rule ip x y ct original daddr @servers breaks with: # nft list ruleset nft: netlink_delinearize.c:124: netlink_parse_concat_expr: Assertion `consumed > 0' failed. Aborted Bail out if this syntax is used, instead users should rely on: # nft add rule ip x y ct original ip daddr @servers ~~ which uses NFT_CT_{SRC,DST}_{IP,IP6} in the bytecode generation. This issue is described in 7f742d0a9071 ("ct: support for NFT_CT_{SRC,DST}_{IP,IP6}"). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: UAF in hook priority expressionPablo Neira Ayuso2020-07-291-1/+1
| | | | | | | | Release priority expression right before assigning the constant expression that results from the evaluation. Fixes: 627c451b2351 ("src: allow variables in the chain priority specification") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: memleak in invalid default policy definitionPablo Neira Ayuso2020-07-291-1/+3
| | | | | | | Release the clone expression from the exit path. Fixes: 5173151863d3 ("evaluate: replace variable expression by the value expression") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: remove table from cache on delete tablePablo Neira Ayuso2020-07-291-0/+15
| | | | | | | | | | | | | | | | | | | | | The following ruleset crashes nft if loaded twice, via nft -ef: add table inet filter delete table inet filter table inet filter { chain input { type filter hook input priority filter; policy drop; iifname { "eth0" } counter accept } } If the table contains anonymous sets, such as __set0, then delete + add table might result in nft reusing the existing stale __set0 in the cache. The problem is that nft gets confused and it reuses the existing stale __set0 instead of the new anonymous set __set0 with the same name. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove cache lookups after the evaluation phasePablo Neira Ayuso2020-07-291-5/+8
| | | | | | | | | | | | This patch adds a new field to the cmd structure for elements to store a reference to the set. This saves an extra lookup in the netlink bytecode generation step. This patch also allows to incrementally update during the evaluation phase according to the command actions, which is required by the follow up ("evaluate: remove table from cache on delete table") bugfix patch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: flush set cache from the evaluation phasePablo Neira Ayuso2020-07-291-0/+15
| | | | | | | | This patch reworks 40ef308e19b6 ("rule: flush set cache before flush command"). This patch flushes the set cache earlier, from the command evaluation step. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: bail out with concatenations and singleton valuesPablo Neira Ayuso2020-07-241-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | The rule: # nft add rule x y iifname . oifname p . q is equivalent to: # nft add rule x y iifname p oifname q Bail out with: Error: Use concatenations with sets and maps, not singleton values add rule x y iifname . oifname p . q ^^^^^^^^^^^^^^^^^ ~~~~~ instead of: BUG: invalid expression type concat nft: evaluate.c:1916: expr_evaluate_relational: Assertion `0' failed. Aborted Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: replace variable expression by the value expressionPablo Neira Ayuso2020-07-221-1/+4
| | | | | | | | The variable expression provides the binding between the variable dereference and the value expression. Replace the variable expression by the real value expression after the evaluation. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: permit get element on mapsFlorian Westphal2020-07-221-12/+0
| | | | | | | | | | | | | | | | | | | | | | Its possible to add an element to a map, but you can't read it back: before: nft add element inet filter test "{ 18.51.100.17 . ad:c1:ac:c0:ce:c0 . 3761 : 0x42 }" nft get element inet filter test "{ 18.51.100.17 . ad:c1:ac:c0:ce:c0 . 3761 : 0x42 }" Error: No such file or directory; did you mean map ‘test’ in table inet ‘filter’? get element inet filter test { 18.51.100.17 . ad:c1:ac:c0:ce:c0 . 3761 : 0x42 } ^^^^ after: nft get element inet filter test "{ 18.51.100.17 . ad:c1:ac:c0:ce:c0 . 3761 : 0x42 }" table inet filter { map test { type ipv4_addr . ether_addr . inet_service : mark flags interval,timeout elements = { 18.51.100.17 . ad:c1:ac:c0:ce:c0 . 3761 : 0x00000042 } } } Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: use evaluate_expr_variable() for chain policy evaluationPablo Neira Ayuso2020-07-211-20/+3
| | | | | | evaluate_policy() is very similar to evaluate_expr_variable(), replace it. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow to use variables in flowtable and chain devicesPablo Neira Ayuso2020-07-211-0/+69
| | | | | | | | | | | | | | | This patch adds support for using variables for devices in the chain and flowtable definitions, eg. define if_main = lo table netdev filter1 { chain Main_Ingress1 { type filter hook ingress device $if_main priority -500; policy accept; } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: UAF in stmt_evaluate_log_prefix()Pablo Neira Ayuso2020-07-151-5/+4
| | | | | | | | Release existing list expression including variables after creating the prefix string. Fixes: 96c909ef46f0 ("src: allow for variables in the log prefix string") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for implicit chain bindingsPablo Neira Ayuso2020-07-151-1/+60
| | | | | | | | | | | | | | | | | | | | | | | | | | | This patch allows you to group rules in a subchain, e.g. table inet x { chain y { type filter hook input priority 0; tcp dport 22 jump { ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept ip6 saddr ::1/128 accept; } } } This also supports for the `goto' chain verdict. This patch adds a new chain binding list to avoid a chain list lookup from the delinearize path for the usual chains. This can be simplified later on with a single hashtable per table for all chains. From the shell, you have to use the explicit separator ';', in bash you have to escape this: # nft add rule inet x y tcp dport 80 jump { ip saddr 127.0.0.1 accept\; ip6 saddr ::1 accept \; } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow for variables in the log prefix stringPablo Neira Ayuso2020-07-081-1/+48
| | | | | | | | | | | | | | | | | | | For example: define test = "state" define foo = "match" table x { chain y { ct state invalid log prefix "invalid $test $foo:" } } This patch scans for variables in the log prefix string. The log prefix expression is a list of constant and variable expression that are converted into a constant expression from the evaluation phase. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Allow for empty set variable definitionPablo Neira Ayuso2020-07-041-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Allow for empty set definition in variables if they are merged to non-empty set definition: define BASE_ALLOWED_INCOMING_TCP_PORTS = {22, 80, 443} define EXTRA_ALLOWED_INCOMING_TCP_PORTS = {} table inet filter { chain input { type filter hook input priority 0; policy drop; tcp dport {$BASE_ALLOWED_INCOMING_TCP_PORTS, $EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept } } However, disallow this: define EXTRA_ALLOWED_INCOMING_TCP_PORTS = {} table inet filter { chain input { type filter hook input priority 0; policy drop; tcp dport {$EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept } } # nft -f x.nft /tmp/x.nft:6:18-52: Error: Set is empty tcp dport {$EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: remove superfluous check in set_evaluate()Pablo Neira Ayuso2020-06-071-5/+0
| | | | | | If set_is_objmap() is true, then set->data is always NULL. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: missing datatype definition in implicit_set_declaration()Pablo Neira Ayuso2020-06-071-10/+12
| | | | | | | | | | | | | | | | | | | | | | set->data from implicit_set_declaration(), otherwise, set_evaluation() bails out with: # nft -f /etc/nftables/inet-filter.nft /etc/nftables/inet-filter.nft:8:32-54: Error: map definition does not specify mapping data type tcp dport vmap { 22 : jump ssh_input } ^^^^^^^^^^^^^^^^^^^^^^^ /etc/nftables/inet-filter.nft:13:26-52: Error: map definition does not specify mapping data type iif vmap { "eth0" : jump wan_input } ^^^^^^^^^^^^^^^^^^^^^^^^^^^ Add a test to cover this case. Fixes: 7aa08d45031e ("evaluate: Perform set evaluation on implicitly declared (anonymous) sets") Closes: https://bugzilla.kernel.org/show_bug.cgi?id=208093 Reviewed-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add devices to an existing flowtablePablo Neira Ayuso2020-06-021-11/+10
| | | | | | | | This patch allows you to add new devices to an existing flowtables. # nft add flowtable x y { devices = { eth0 } \; } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: Perform set evaluation on implicitly declared (anonymous) setsStefano Brivio2020-05-281-10/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If a set is implicitly declared, set_evaluate() is not called as a result of cmd_evaluate_add(), because we're adding in fact something else (e.g. a rule). Expression-wise, evaluation still happens as the implicit set expression is eventually found in the tree and handled by expr_evaluate_set(), but context-wise evaluation (set_evaluate()) is skipped, and this might be relevant instead. This is visible in the reported case of an anonymous set including concatenated ranges: # nft add rule t c ip saddr . tcp dport { 192.0.2.1 . 20-30 } accept BUG: invalid range expression type concat nft: expression.c:1160: range_expr_value_low: Assertion `0' failed. Aborted because we reach do_add_set() without properly evaluated flags and set description, and eventually end up in expr_to_intervals(), which can't handle that expression. Explicitly call set_evaluate() as we add anonymous sets into the context, and instruct the same function to: - skip expression-wise set evaluation if the set is anonymous, as that happens later anyway as part of the general tree evaluation - skip the insertion in the set cache, as it makes no sense to have sets that shouldn't be referenced there For object maps, the allocation of the expression for set->data is already handled by set_evaluate(), so we can now drop that from stmt_evaluate_objref_map(). v2: - skip insertion of set in cache (Pablo Neira Ayuso) - drop double allocation of expression (and leak of the first one) for object maps (Pablo Neira Ayuso) Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Reported-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: enable reject with 802.1qMichael Braun2020-05-281-1/+1
| | | | | | | | | | | | This enables the use nft bridge reject with bridge vlan filtering. It depends on a kernel patch to make the kernel preserve the vlan id in nft bridge reject generation. [ pablo: update tests/py ] Signed-off-by: Michael Braun <michael-dev@fami-braun.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename CMD_OBJ_SETELEM to CMD_OBJ_ELEMENTSPablo Neira Ayuso2020-05-141-3/+3
| | | | | | | | The CMD_OBJ_ELEMENTS provides an expression that contains the list of set elements. This leaves room to introduce CMD_OBJ_SETELEMS in a follow up patch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mnl: fix error rule reporting with missing table/chain and anonymous setsPablo Neira Ayuso2020-05-141-0/+1
| | | | | | | | | | | | | | | | | handle_merge() skips handle location initialization because set name != NULL. Program received signal SIGSEGV, Segmentation fault. 0x00007ffff7f64f1e in erec_print (octx=0x55555555d2c0, erec=0x55555555fcf0, debug_mask=0) at erec.c:95 95 switch (indesc->type) { (gdb) bt buf=0x55555555db20 "add rule inet traffic-filter input tcp dport { 22, 80, 443 } accept") at libnftables.c:459 (gdb) p indesc $1 = (const struct input_descriptor *) 0x0 Closes: http://bugzilla.opensuse.org/show_bug.cgi?id=1171321 Fixes: 086ec6f30c96 ("mnl: extended error support for create command") Reported-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: fix memleak in stmt_evaluate_reject_icmp()Pablo Neira Ayuso2020-05-061-0/+2
| | | | | | | | | | | | | | | | | | ==26297==ERROR: LeakSanitizer: detected memory leaks c Direct leak of 512 byte(s) in 4 object(s) allocated from: #0 0x7f46f8167330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330) #1 0x7f46f7b3cf1c in xmalloc /home/pablo/devel/scm/git-netfilter/nftables/src/utils.c:36 #2 0x7f46f7b3d075 in xzalloc /home/pablo/devel/scm/git-netfilter/nftables/src/utils.c:65 #3 0x7f46f7a85760 in expr_alloc /home/pablo/devel/scm/git-netfilter/nftables/src/expression.c:45 #4 0x7f46f7a8915d in constant_expr_alloc /home/pablo/devel/scm/git-netfilter/nftables/src/expression.c:388 #5 0x7f46f7a7bad4 in symbolic_constant_parse /home/pablo/devel/scm/git-netfilter/nftables/src/datatype.c:173 #6 0x7f46f7a7af5f in symbol_parse /home/pablo/devel/scm/git-netfilter/nftables/src/datatype.c:132 #7 0x7f46f7abf2bd in stmt_evaluate_reject_icmp /home/pablo/devel/scm/git-netfilter/nftables./src/evaluate.c:2739 [...] SUMMARY: AddressSanitizer: 544 byte(s) leaked in 8 allocation(s). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: ct_timeout: release policy string and state listPablo Neira Ayuso2020-05-051-0/+1
| | | | | | | | | | | | | | | | | | | ================================================================= ==19037==ERROR: LeakSanitizer: detected memory leaks Direct leak of 18 byte(s) in 2 object(s) allocated from: #0 0x7ff6ee6f9810 in strdup (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a810) #1 0x7ff6ee22666d in xstrdup /home/pablo/devel/scm/git-netfilter/nftables/src/utils.c:75 #2 0x7ff6ee28cce9 in nft_parse /home/pablo/devel/scm/git-netfilter/nftables/src/parser_bison.c:5792 #3 0x4b903f302c8010a (<unknown module>) Direct leak of 16 byte(s) in 1 object(s) allocated from: #0 0x7ff6ee7a8330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330) #1 0x7ff6ee226578 in xmalloc /home/pablo/devel/scm/git-netfilter/nftables/src/utils.c:36 SUMMARY: AddressSanitizer: 34 byte(s) leaked in 3 allocation(s). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add rule_stmt_insert_at() and use itPablo Neira Ayuso2020-05-051-4/+5
| | | | | | | | | | | | | | | | | | | | | | | | This helper function adds a statement at a given position and it updates the rule statement counter. This patch fixes this: flush table bridge test-bridge add rule bridge test-bridge input vlan id 1 ip saddr 10.0.0.1 rule.c:2870:5: runtime error: index 2 out of bounds for type 'stmt *[*]' ================================================================= ==1043==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffdd69c1350 at pc 0x7f1036f53330 bp 0x7ffdd69c1300 sp 0x7ffdd69c12f8 WRITE of size 8 at 0x7ffdd69c1350 thread T0 #0 0x7f1036f5332f in payload_try_merge /home/mbr/nftables/src/rule.c:2870 #1 0x7f1036f534b7 in rule_postprocess /home/mbr/nftables/src/rule.c:2885 #2 0x7f1036fb2785 in rule_evaluate /home/mbr/nftables/src/evaluate.c:3744 #3 0x7f1036fb627b in cmd_evaluate_add /home/mbr/nftables/src/evaluate.c:3982 #4 0x7f1036fbb9e9 in cmd_evaluate /home/mbr/nftables/src/evaluate.c:4462 #5 0x7f10370652d2 in nft_evaluate /home/mbr/nftables/src/libnftables.c:414 #6 0x7f1037065ba1 in nft_run_cmd_from_buffer /home/mbr/nftables/src/libnftables.c:447 Reported-by: Michael Braun <michael-dev@fami-braun.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: incorrect byteorder with typeof and integer_datatypePablo Neira Ayuso2020-04-291-1/+2
| | | | | | | | | | | | | | | | | | | | table bridge t { set s3 { typeof meta ibrpvid elements = { 2, 3, 103 } } } # nft --debug=netlink -f test.nft s3 t 0 s3 t 0 element 00000100 : 0 [end] element 00000200 : 0 [end] element 00000300 : 0 [end] ^^^^^^^^ The integer_type uses BYTEORDER_INVALID byteorder (which is implicitly handled as BYTEORDER_BIG_ENDIAN). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: fix crash when handling concatenation without mapPablo Neira Ayuso2020-04-281-0/+3
| | | | | | | | Fix a crash when map is not specified, e.g. nft add rule x y snat ip addr . port to 1.1.1.1 . 22 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>