summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* payload: add payload_is_stacked()Patrick McHardy2016-04-242-23/+25
| | | | | | | Add payload_is_stacked() to determine whether a protocol expression match defines a stacked protocol on the same layer. Signed-off-by: Patrick McHardy <kaber@trash.net>
* payload: move payload depedency tracking to payload.cPatrick McHardy2016-04-242-50/+64
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* payload: fix stacked headers protocol context trackingPatrick McHardy2016-04-244-43/+26
| | | | | | | | | | | | | | | The code contains multiple scattered around fragments to fiddle with the protocol contexts to work around the fact that stacked headers update the context for the incorrect layer. Fix this by updating the correct layer in payload_expr_pctx_update() and also take care of offset adjustments there and only there. Remove all manual protocol context fiddling and change protocol context debugging to also print the offset for stacked headers. All previously successful testcases pass. Signed-off-by: Patrick McHardy <kaber@trash.net>
* payload: only merge if adjacent and combined size fits into a registerFlorian Westphal2016-04-192-8/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | add rule ip6 filter input ip6 saddr ::1/128 ip6 daddr ::1/128 fails, we ask to compare a 32byte immediate which is not supported: [ payload load 32b @ network header + 8 => reg 1 ] [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x01000000 0x00000000 0x00000000 0x00000000 0x02000000 ] We would need to use two cmps in this case, i.e.: [ payload load 32b @ network header + 8 => reg 1 ] [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x01000000 ] [ cmp eq reg 2 0x00000000 0x00000000 0x00000000 0x02000000 ] Seems however that this requires a bit more changes to how nft handles register allocations, we'd also need to undo the constant merge. Lets disable merging for now so that we generate [ payload load 16b @ network header + 8 => reg 1 ] [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x01000000 ] [ payload load 16b @ network header + 24 => reg 1 ] [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x02000000 ] ... if merge would bring us over the 128 bit register size. Closes: http://bugzilla.netfilter.org/show_bug.cgi?id=1032 Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: Use libnftnl user data TLV infrastructureCarlos Falgueras García2016-04-142-5/+56
| | | | | | | | | Now it is possible to store multiple variable length user data into rule. Modify the parser in order to fill the nftnl_udata with the comment, and the print function for extract these commentary and print it to user. Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: evaluate: Show error for fanout without balanceShivani Bhardwaj2016-04-132-0/+6
| | | | | | | | | | | | | | | | | | | | The idea of fanout option is to improve the performance by indexing CPU ID to map packets to the queues. This is used for load balancing. Fanout option is not required when there is a single queue specified. According to iptables, queue balance should be specified in order to use fanout. Following that, throw an error in nftables if the range of queues for load balancing is not specified with the fanout option. After this patch, $ sudo nft add rule ip filter forward counter queue num 0 fanout <cmdline>:1:46-46: Error: fanout requires a range to be specified add rule ip filter forward counter queue num 0 fanout ^^^^^ Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: improve rule management checksArturo Borrero2016-04-131-1/+67
| | | | | | | | | | | Improve checks (and error reporting) for basic rule management operations. This includes a fix for netfilter bug #965. Netfilter bug: http://bugzilla.netfilter.org/show_bug.cgi?id=965 Reported-by: Jesper Sander Lindgren <sander.contrib@gmail.com> Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: store parser location for handle and position specifiersPablo Neira Ayuso2016-03-304-17/+26
| | | | | | | | | Store the parser location structure for handle and position IDs so we can use this information from the evaluation step, to provide better error reporting. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
* rule: don't print trailing statement whitespaceArturo Borrero2016-03-291-3/+4
| | | | | | | | | | | | | | | | | | | | | | | | | This trailing whitespace is annoying when working with the textual output of nft. Before: table t { chain c { ct state new ^ } } After: table t { chain c { ct state new } } Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: release parsed type and hook name stringsPablo Neira Ayuso2016-03-151-0/+4
| | | | | | | | | | | | | | | | The scanner allocates memory for this, so release them given that we don't attach them to any object. ==6277== 42 bytes in 6 blocks are definitely lost in loss record 2 of 4 ==6277== at 0x4C28C20: malloc (vg_replace_malloc.c:296) ==6277== by 0x57AC9D9: strdup (strdup.c:42) ==6277== by 0x41B82D: xstrdup (utils.c:64) ==6277== by 0x41F510: nft_lex (scanner.l:511) ==6277== by 0x427FD1: nft_parse (parser_bison.c:3690) ==6277== by 0x4063AC: nft_run (main.c:231) ==6277== by 0x40600C: main (main.c:361) Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: duplicate string returned by chain_type_name_lookup()Pablo Neira Ayuso2016-03-151-1/+1
| | | | | | | | | This chain type string is released via chain_free() since b7cb6915a88f, so duplicate it so we don't try to release statically allocated memory. Fixes: b7cb6915a88f ("rule: Remove memory leak") Reported-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: simplify hook_spec rulePablo Neira Ayuso2016-03-151-51/+15
| | | | | | | Consolidate this rule by introducing the dev_spec and prio_spec, we save 50 LOC with this patch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: Remove memory leakPiyush Pangtey2016-03-151-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Added matching xfree calls in chain_free(), for the chain members 'type' and 'dev'. It can be reproduced by : nft add chain x y { type filter hook input priority 0; } Then: $ sudo valgrind --leak-check=full nft list tables ==2899== HEAP SUMMARY: ==2899== in use at exit: 327 bytes in 10 blocks ==2899== total heap usage: 145 allocs, 135 frees, 211,462 bytes allocated ==2899== ==2899== 63 bytes in 9 blocks are definitely lost in loss record 1 of 2 ==2899== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==2899== by 0x57A3839: strdup (strdup.c:42) ==2899== by 0x41C05D: xstrdup (utils.c:64) ==2899== by 0x411E9B: netlink_delinearize_chain.isra.3 (netlink.c:717) ==2899== by 0x411F70: list_chain_cb (netlink.c:748) ==2899== by 0x504A943: nft_chain_list_foreach (chain.c:1015) ==2899== by 0x4145AE: netlink_list_chains (netlink.c:771) ==2899== by 0x40793F: cache_init_objects (rule.c:90) ==2899== by 0x40793F: cache_init (rule.c:130) ==2899== by 0x40793F: cache_update (rule.c:147) ==2899== by 0x40FB59: cmd_evaluate (evaluate.c:2475) ==2899== by 0x429A1C: nft_parse (parser_bison.y:655) ==2899== by 0x40651C: nft_run (main.c:231) ==2899== by 0x40618C: main (main.c:357) ==2899== ==2899== LEAK SUMMARY: ==2899== definitely lost: 63 bytes in 9 blocks ==2899== indirectly lost: 0 bytes in 0 blocks ==2899== possibly lost: 0 bytes in 0 blocks ==2899== still reachable: 264 bytes in 1 blocks ==2899== suppressed: 0 bytes in 0 blocks ==2899== Reachable blocks (those to which a pointer was found) are not shown. ==2899== To see them, rerun with: --leak-check=full --show-leak-kinds=all ==2899== ==2899== For counts of detected and suppressed errors, rerun with: -v ==2899== Use --track-origins=yes to see where uninitialised values come from ==2899== ERROR SUMMARY: 4 errors from 2 contexts (suppressed: 0 from 0) Signed-off-by: Piyush Pangtey <gokuvsvegita@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: use table_lookup_global() from expr_evaluate_symbol()Pablo Neira Ayuso2016-03-141-15/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | If there's already a table 'test' defined in the kernel and you load another table 'test' via `nft -f', table_lookup() returns the table that already exists in the kernel, so if you look up for objects that are defined in the file, nft bails out with 'Set does not exist'. Use table_lookup_global() function returns the existing table that is defined in the file and that it is set as context via ctx->handle->table. This is not a complete fix, we should splice the existing kernel objects into the userspace declaration. We just need some way to identify what objects are already in the kernel so we don't send them again (otherwise we will hit EEXIST errors). I'll follow up with this full fix asap. Anyway, this patch fixes this shell test: I: [OK] ./testcases/sets/cache_handling_0 So at least by now we have all shell test returning OK. I'll add more tests to catch the case I describe above once it is fixed too. Cc: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: revisit cache population logicPablo Neira Ayuso2016-03-142-16/+49
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We get a partial cache (tables, chains and sets) when: * We see a set reference from a rule, since this set object may be already defined in kernelspace and we need to fetch the datatype for evaluation. * We add/delete a set element, we need this to evaluate if the element datatype is correct. * We rename a chain, since we need to know the chain handle. * We add a chain/set. This isn't needed for simple command line invocations. However, since the existing codepath is also exercised from `nft -f' context, we need to know if the object exists in the kernel. Thus, if this a newly declared object (not yet in the kernel) we add it to the cache, otherwise, we will not find follow up references to this object in our cache. We get a full cache when: * We list the ruleset. We can provide finer grain listing though, via partial cache, later. * We monitor updates, since this displays incremental updates based on the existing objects. * We export the ruleset, since this dumps all of the existing objects. * We push updates via `nft -f'. We need to know what objects are already in the kernel for incremental updates. Otherwise, cache_update() hits a bogus 'set doesn't exist' error message for just declared set in this batch. To avoid this problem, we need a way to differentiate between what objects in the lists that are already defined in the kernel and what are just declared in this batch (hint: the location structure information is set for just declared objects). We don't get a cache at all when: * We flush the ruleset, this is important in case of delinearize bugs, so you don't need to reboot or manually flush the ruleset via libnftnl examples/nft-table-flush. * We delete any object, except for set elements (as we describe above). * We add a rule, so you can generate via --debug=netlink the expression without requiring a table and chain in place. * We describe a expression. This patch also includes some intentional adjustments to the shell tests to we don't get bogus errors due to changes in the list printing. BTW, this patch also includes a revert for 97493717e738 ("evaluate: check if table and chain exists when adding rules") since that check is not possible anymore with this logic. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinarize: shift constant for ranges tooFlorian Westphal2016-03-101-0/+2
| | | | | | | | | ... else rule like vlan pcp 1-3 won't work and will be displayed as 0-0 (reverse direction already works since range is represented as two lte/gte compare expressions). Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: fix bogus offset w exthdr expressionsFlorian Westphal2016-03-101-1/+6
| | | | | | | Need to fetch the offset from the exthdr template. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* proto: Add router advertisement and solicitation icmp typesLaura Garcia Liebana2016-03-101-0/+2
| | | | | | | | | | | Enable support for router-advertisement and router-solicitation icmp types in nft. Example: $ sudo nft add rule ip filter input icmp type router-advertisement counter accept $ sudo nft add rule ip filter input icmp type router-solicitation counter accept Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: allow 'snat' and 'dnat' keywords from the right-hand sidePablo Neira Ayuso2016-03-091-0/+12
| | | | | | | | | | Parse 'snat' and 'dnat' reserved keywords from the right-hand side as symbols. Thus, we can use them as values from ct status. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=950 Reported-by: Ana Rey <anarey@gmail.com> Reported-by: Karol Babioch <karol@babioch.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Modified punctuation used in nft's show_helpPiyush Pangtey2016-03-091-7/+7
| | | | | | | Replaced '/' between shortopt and longopt with ',' , as used by other utilities. Signed-off-by: Piyush Pangtey <gokuvsvegita@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: remove 'reset' as reserve keywordPablo Neira Ayuso2016-03-072-4/+8
| | | | | | | | | The 'reset' keyword can be used as dccp type, so don't qualify it as reserve keyword to avoid a conflict with this. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1055 Reported-by: Shivani Bhardwaj <shivanib134@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: simplify ("rule: delete extra space in sets printing")Pablo Neira Ayuso2016-03-041-4/+1
| | | | | | | | | This simplifies bd23f7628570 ("rule: delete extra space in sets printing") by passing the whitespace from set_print_plain() called from the monitoring path. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
* rule: delete extra space in sets printingArturo Borrero2016-03-031-1/+4
| | | | | | | | | | | | | | | | The extra space is printed when sets are printed in tabulated format. table inet test { set test { ^ type ipv4_addr } } However, the space is still required in printing in plain format (ie, monitor). Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Add support for masquerade port selectionShivani Bhardwaj2016-03-035-8/+85
| | | | | | | | | Provide full support for masquerading by allowing port range selection, eg. # nft add rule nat postrouting ip protocol tcp masquerade to :1024-10024 Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: handle extension header templates with odd sizesFlorian Westphal2016-03-022-4/+39
| | | | | | | | | | | | | | | | | | This enables nft to display frag frag-off 33 ... by considering a mask during binop postprocess in case the initial template lookup done when the exthdr expression was created did not yield a match. In the above example, kernel netlink data specifies 16bits, but the frag field is only 13bits wide. We use the implicit binop mask to re-do the template lookup with corrected offset and size information. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: prepare binop_postprocess for exthdr demuxFlorian Westphal2016-03-021-8/+7
| | | | | | | | | | | | | | | binop_postprocess takes care of removing masks if we're dealing with payload expressions that have non-byte divisible sizes or offsets. Same can happen when matching some extension header fields, i.e. this also needs to handle exthdr expression, not just payload. So rename payload to left and move test for left type to binop_postprocess. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: store offset for later useFlorian Westphal2016-03-021-0/+2
| | | | | | | | Its possible that we cannot find the template without also considering an implicit mask. For this we need to store the offset. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: remove implicit dependenciesFlorian Westphal2016-03-021-3/+10
| | | | | | | | exthdr expression requires a dependency on ipv6; we can thus remove an ipv6 protocol test if its present. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: generate dependencies for inet/bridge/netdev familyFlorian Westphal2016-03-022-3/+29
| | | | | | | Should treat this as if user would have asked to match ipv6 header field. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* payload: move payload_gen_dependency generic part to helperFlorian Westphal2016-03-021-28/+38
| | | | | | | | | | | | | | | We should treat exthdr just as if user asked for e.g. ip6 saddr and inject the needed dependency statement. payload_gen_dependency cannot be used since the *expr needs to be a payload expression, but the actual dependency generation doesn't depend on a particular expression type. In order to reuse this part for future exthdr dependency injection move it to a helper. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: add and use netlink_gen_exthdr_maskFlorian Westphal2016-03-021-3/+24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | rule ip6 filter input frag frag-off 33 before patch: [ exthdr load 1b @ 44 + 2 => reg 1 ] [ cmp eq reg 1 0x00002100 ] We truncated 13bit field to 1 byte. after patch: [ exthdr load 2b @ 44 + 2 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x0000f8ff ) ^ 0x00000000 ] [ cmp eq reg 1 0x00000801 ] - ask for 2 bytes - mask out the 3 lower bits - shift the value by 3 so equality test will pass for 33 This causes test failures, will be fixed up in a later patch (the test suite expects the old, broken input). It also misses the reverse translation to remove the binop, find the right template and undo the shift of the value. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: split generic part of netlink_gen_payload_mask into helperFlorian Westphal2016-03-021-12/+23
| | | | | | | | | | | netlink_gen_payload_mask assumes expr is a payload expression, but most of this function would work fine with exthdr too. So split the gernic part into a helper, followup patch will add netlink_gen_exthdr_mask. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: enforce ip6 proto with exthdr expressionFlorian Westphal2016-03-021-1/+17
| | | | | | | | | | | | | | Don't allow use of exthdr with e.g. ip family. Move frag.t to ip6 directory and don't use it with ipv4 anymore. This change causes major test failures for all exthdr users since they now fail with inet/bridge/netdev families. Will be resolved in a later patch -- we need to add an ipv6 dependency for them. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: reject set references in set elementsFlorian Westphal2016-03-021-0/+5
| | | | | | | | | | | | | | | | | | | | | given table filter { set local { type iface_index elements = { lo } } chain input { type filter hook input priority 0; iif { @lan, } accept; } } nft BUG()s. I don't see how we could support sets-in-set; add a sanity check and error out instead. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: fix error checks in tc handle parserFlorian Westphal2016-02-171-3/+3
| | | | | | | | 'meta priority foobar' did not return an error -- instead we used min/max values with undefined content. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* proto: use parameter-problem for icmpv6 typePablo Neira Ayuso2016-02-011-1/+1
| | | | | | | To keep it consistent with icmpv4 naming. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=911 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: prune implicit binop before payload_match_postprocess()Pablo Neira Ayuso2016-02-011-3/+2
| | | | | | | | | | | | payload_match_postprocess() expects a relational with payload of his lhs and value on the rhs. Moreover, payload_match_expand() releases the previous expression so valgrind reports an use-after-free when pruning the implicit binop. Fix this by calling payload_match_postprocess() in first place. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: annotate follow up dependency just after killing anotherPablo Neira Ayuso2016-01-311-18/+27
| | | | | | | | The inet and netdev families generate two implicit dependencies to check for the interface type, so we have to check just after killing an implicit dependency if there is another that we should annotate to kill it as well. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* proto: proto_dev_type() returns interface type for base protocols tooPablo Neira Ayuso2016-01-311-2/+10
| | | | | | | | | | | | | | | The device protocol definition provides a mapping between the interface type, ie. ARPHDR_*, and the overlying protocol base definition, eg. proto_eth. This patch updates proto_dev_type() so it also returns a mapping for these overlying ethernet protocol definitions, ie. ip, ip6, vlan, ip, arp. This patch required to resolve problems with automatic dependency generation for vlan in the netdev and inet families. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: generate ether type payload after meta iiftypePablo Neira Ayuso2016-01-311-7/+10
| | | | | | | | | | | | | | | Once the meta iiftype is generated, we shouldn't return from resolve_protocol_conflict() since we also need to generate the ether type payload implicit match after it. This gets rid of the manual proto-ctx update from meta_iiftype_gen_dependency() that we don't need since stmt_evaluate() already handles this for us. Moreover, skip error reporting once we verify that the protocol conflict has been resolved. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: wrap protocol context debunk into functionPablo Neira Ayuso2016-01-311-6/+19
| | | | | | | | ether type vlan sets the network layer protocol context to vlan. This function debunks the existing link layer protocol context by setting it to vlan. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: assert on invalid base in resolve_protocol_conflict()Pablo Neira Ayuso2016-01-311-11/+11
| | | | | | | We already have similar code in the tree, we shouldn't see bases over transport yet. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: only try to replace dummy protocol from link-layer contextPablo Neira Ayuso2016-01-311-11/+14
| | | | | | | | | | | | | Add proto_is_dummy() that returns true for netdev and inet family, the only two using a dummy link-layer protocol base definition. Rename supersede_dep() to meta_iiftype_gen_dependency() since this is generating the implicit meta iiftype check for netdev and inet. This patch also gets rid of the have->length check. The tests pass fine without this so I suspect this is superfluos. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: don't adjust offset from resolve_protocol_conflict()Pablo Neira Ayuso2016-01-311-5/+8
| | | | | | This is not itself a conflict, move this check out of this function. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: check if we have to resolve a conflict in first placePablo Neira Ayuso2016-01-311-11/+14
| | | | | | | So we enter resolve_protocol_conflict() only when we really have a conflict that we want to try to resolve. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: move inet/netdev protocol context supersede logic to supersede_dep()Pablo Neira Ayuso2016-01-311-23/+25
| | | | | | This is a cleanup to untangle this logic a bit. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: resolve_protocol_conflict() should return intPablo Neira Ayuso2016-01-311-12/+14
| | | | | | | Instead of bool, expr_error() returns -1 if we fail to create dependencies. We need to propagate this error value. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: netlink_linearize: Fix bug for redirect targetShivani Bhardwaj2016-01-311-6/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | Before this patch, $ sudo nft --debug=netlink add rule ip nat post ip protocol tcp redirect to 100-200 ip nat post [ payload load 1b @ network header + 9 => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ immediate reg 1 0x00006400 ] [ immediate reg 2 0x0000c800 ] [ redir proto_min reg 1 proto_max reg 5 ] <cmdline>:1:1-56: Error: Could not process rule: Invalid argument add rule ip nat post ip protocol tcp redirect to 100-200 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ After this patch, $ sudo nft --debug=netlink add rule ip nat post ip protocol tcp redirect to 100-200 ip nat post [ payload load 1b @ network header + 9 => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ immediate reg 1 0x00006400 ] [ immediate reg 2 0x0000c800 ] [ redir proto_min reg 1 proto_max reg 2 ] Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add fwd statement for netdevPablo Neira Ayuso2016-01-316-1/+106
| | | | | | | | | | | This patch add support for the forward statement, only available at the netdev family. # nft add table netdev filter # nft add chain netdev filter ingress { type filter hook ingress device eth0 priority 0\; } # nft add rule netdev filter ingress fwd to dummy0 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add dup statement for netdevPablo Neira Ayuso2016-01-311-0/+15
| | | | | | | | | | | | This patch contains the missing chunk to add support for the netdev family. Part of the support slipped through in the original patch to add the dup statement for IPv4 and IPv6. # nft add table netdev filter # nft add chain netdev filter ingress { type filter hook ingress device eth0 priority 0\; } # nft add rule netdev filter ingress dup to dummy0 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>