| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Perform the table and set lookup only for non-anonymous sets, where the
incremental cache update is required.
The problem fixed by 7aa08d45031e ("evaluate: Perform set evaluation on
implicitly declared (anonymous) sets") resurrected after the cache
rework.
# nft add rule x y tcp sport . tcp dport vmap { ssh . 0-65535 : accept, 0-65535 . ssh : accept }
BUG: invalid range expression type concat
nft: expression.c:1422: range_expr_value_low: Assertion `0' failed.
Abort
Add a test case to make sure this does not happen again.
Fixes: 5ec5c706d993 ("cache: add hashtable cache for table")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
the CFI bit has been repurposed as DEI "Drop Eligible Indicator"
since 802.1Q-2011.
The vlan cfi field is still retained for compatibility.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1516
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Example output:
$ nft list hook ip input
family ip hook input {
+0000000000 nft_do_chain_inet [nf_tables] # nft table ip filter chain input
+0000000010 nft_do_chain_inet [nf_tables] # nft table ip firewalld chain filter_INPUT
+0000000100 nf_nat_ipv4_local_in [nf_nat]
+2147483647 ipv4_confirm [nf_conntrack]
}
$ nft list hooks netdev type ingress device lo
family netdev hook ingress device lo {
+0000000000 nft_do_chain_netdev [nf_tables]
}
$ nft list hooks inet
family ip hook prerouting {
-0000000400 ipv4_conntrack_defrag [nf_defrag_ipv4]
-0000000300 iptable_raw_hook [iptable_raw]
-0000000290 nft_do_chain_inet [nf_tables] # nft table ip firewalld chain raw_PREROUTING
-0000000200 ipv4_conntrack_in [nf_conntrack]
-0000000140 nft_do_chain_inet [nf_tables] # nft table ip firewalld chain mangle_PREROUTING
-0000000100 nf_nat_ipv4_pre_routing [nf_nat]
}
...
'nft list hooks' will display everyting except the netdev family
via successive dump request for all family:hook combinations.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
| |
Followup patch will add new 'hooks' keyword for
nft list hooks
Add a scope for list to avoid exposure of the new keyword in nft
rulesets.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Restoring a set of IPv4 prefixes with about 1.1M elements crashes nft as
set_to_segtree() exhausts the stack. Prevent this by allocating the
pointer array on heap and make sure it is freed before returning to
caller.
With this patch in place, restoring said set succeeds with allocation of
about 3GB of memory, according to valgrind.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
| |
Unsurprisingly, printing warnings to stdout results in malformed JSON.
Signed-off-by: Kerin Millar <kfm@plushkava.net>
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1511
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Provide an ordered list of devices for (netdev) chain and flowtable.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1525
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the fuzzy lookup provides a table, check if it is an inexact
matching, in that case, report that the table does not exist and provide
a mispelling suggestion for the non-existing table.
Initialize table to NULL since the fuzzy lookup might return no table
at all.
This patch fixes misleading error reporting:
# nft delete chain xxx yyy
Error: No such file or directory; did you mean chain ‘B’ in table ip ‘A’?
delete chain xxx yyy
^^^
This refers to table 'xxx' but the suggestion refers to the chain instead.
Therefore, if the fuzzy lookup provides an exact matching table, then do
the fuzzy lookup for the next non-existing object (either chain, set,
...).
Fixes: 3a0e07106f66 ("src: combine extended netlink error reporting with mispelling support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Do not clone the set and zap the elements during the set and map
expansion to the CMD_OBJ_SETELEMS command.
Instead, update the CMD_OBJ_SET command to add the set to the kernel
(without elements) and let CMD_OBJ_SETELEMS add the elements. The
CMD_OBJ_SET command calls set_to_intervals() to update set->init->size
(NFTNL_SET_DESC_SIZE) before adding the set to the kernel. Updating the
set size from do_add_setelems() comes too late, it might result in
spurious ENFILE errors for interval sets.
Moreover, skip CMD_OBJ_SETELEMS if the set definition specifies no
elements.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1500
Fixes: c9eae091983a ("src: add CMD_OBJ_SETELEMS")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Auto-replace lookups in single-element anon sets with a standard compare.
'add rule foo bar meta iif { "lo" }' gets replaced with
'add rule foo bar meta iif "lo"'.
The former is a set lookup, the latter is a comparision.
Comparisions are faster for the one-element case.
Only prefixes, ranges and values are handled at this time.
Anonymous maps are left alone, same for concatenations.
Concatenations could be handled, but it would require more work:
the concatenation would have to be replaced with a singleton value.
Evaluation step rejects concat RHS on a relational expression.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of:
ct count 2 accept
^^
simply print:
ct count 2 accept
While at it, add incomplete reference 'ct count' to manpage.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Treat '*' as catchall element, not as a symbol.
Also add missing json test cases for wildcard set support.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The json test case for the flagcmp notation ('tcp flags syn,fin / syn,fin') fails with:
command: {"nftables": [{"add": {"rule": {"family": "ip", "table": "test-ip4", "chain": "input", "expr": [{"match": {"left": {"&": [{"payload": {"field": "flags", "protocol": "tcp"}}, ["fin", "syn"]]}, "op": "==", "right": ["fin", "syn"]}}]}}}]}
internal:0:0-0: Error: List expression only allowed on RHS or in statement expression.
internal:0:0-0: Error: Failed to parse RHS of binop expression.
internal:0:0-0: Error: Invalid LHS of relational.
internal:0:0-0: Error: Parsing expr array at index 0 failed.
internal:0:0-0: Error: Parsing command array at index 0 failed.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
| |
nft-test.py -j fails with
python: json.c:243: chain_print_json: Assertion `__out' failed.
The member was changed from char * to a struct, pass the name again.
Fixes: 5008798157e2114f ("libnftables: location-based error reporting for chain type")
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit cabe8992b3ee4eb0001a07075b317d966df6bcbd)
|
|
|
|
|
|
|
|
| |
# nft describe foo
datatype foo is invalid
Fixes: 21cbab5b6ffe ("expression: extend 'nft describe' to allow listing data types")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The flags / mask syntax only allows for ==, != and the implicit
operation (which is == in this case).
# nft add rule x y tcp flags ! syn / syn,ack
Error: either == or != is allowed
add rule x y tcp flags ! syn / syn,ack
^^^^^^^^^^^^^^^^^^^^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Parsing a range expression, the switch case fell through to prefix
expression case, thereby recursing once more for expr->left. This seems
not to have caused harm, but is certainly not intended.
Fixes: ee4391d0ac1e7 ("nat: transform range to prefix expression when possible")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
| |
The fuzzy lookup is exercised from the error path, when no object is
found. Remove branch that checks for exact matching since that should
not ever happen.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Refer to chain, not table.
Error: No such file or directory; did you mean table ‘z’ in family ip?
add chain x y { type filter nat prerouting priority dstnat; }
^
It should say instead:
Error: No such file or directory; did you mean chain ‘z’ in table ip ‘x’?
[ Florian added args check for fmt to the netlink_io_error() prototype. ]
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Store the location of the chain type for better error reporting.
Several users that compile custom kernels reported that error
reporting is misleading when accidentally selecting
CONFIG_NFT_NAT=n.
After this patch, a better hint is provided:
# nft 'add chain x y { type nat hook prerouting priority dstnat; }'
Error: Could not process rule: No such file or directory
add chain x y { type nat hook prerouting priority dstnat; }
^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Extend exthdr expression to support scanning through SCTP packet chunks
and matching on fixed fields' values.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
| |
This was just duplicate code apart from the object's name.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
| |
This isolates only "vtag" token for now.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
cgroupv2 path is expressed from the /sys/fs/cgroup folder, update
listing to skip it.
# nft add rule x y socket cgroupv2 level 1 "user.slice" counter
# nft list ruleset
table ip x {
chain y {
type filter hook input priority filter; policy accept;
socket cgroupv2 level 1 "user.slice" counter
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix the following compilation warnings on x86_32.
datatype.c: In function ‘cgroupv2_type_print’:
datatype.c:1387:22: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘uint64_t’ {aka ‘long long unsigned int’} [-Wformat=]
nft_print(octx, "%lu", id);
~~^ ~~
%llu
meta.c: In function ‘date_type_print’:
meta.c:411:21: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘uint64_t’ {aka ‘long long unsigned int’} [-Wformat=]
nft_print(octx, "%lu", tstamp);
~~^ ~~~~~~
%llu
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the following shortcut syntax:
expression flags / flags
instead of:
expression and flags == flags
For example:
tcp flags syn,ack / syn,ack,fin,rst
^^^^^^^ ^^^^^^^^^^^^^^^
value mask
instead of:
tcp flags and (syn|ack|fin|rst) == syn|ack
The second list of comma-separated flags represents the mask which are
examined and the first list of comma-separated flags must be set.
You can also use the != operator with this syntax:
tcp flags != fin,rst / syn,ack,fin,rst
This shortcut is based on the prefix notation, but it is also similar to
the iptables tcp matching syntax.
This patch introduces the flagcmp expression to print the tcp flags in
this new notation. The delinearize path transforms the binary expression
to this new flagcmp expression whenever possible.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
if genid changes during cache_init(), check_genid() sets errno to EINTR to force
a re-init of the cache.
cache_release() may inadvertly change errno by calling free(). Indeed free()
may invoke madvise() that changes errno to ENOSYS on system where kernel is
configured without support for this syscall.
Signed-off-by: Marco Oliverio <marco.oliverio@tanaza.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the right-hand side expression of the binary expression is a set,
then, skip the postprocessing step otherwise the tests/py report the
following warning:
# ./nft-test.py inet/tcp.t
inet/tcp.t: WARNING: line 80: 'add rule ip test-ip4 input tcp flags & (syn|fin) == (syn|fin)': 'tcp flags & (fin | syn) == fin | syn' mismatches 'tcp flags ! fin,syn'
inet/tcp.t: WARNING: line 83: 'add rule ip test-ip4 input tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack }': 'tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack }' mismatches 'tcp flags ! fin,syn,rst,psh,ack,urg'
This listing is not correct.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Cache updates have resurrected the bug described in 5afa5a164ff1
("evaluate: check for NULL datatype in rhs in lookup expr").
This is triggered by testcases/cache/0008_delete_by_handle_0.
Fixes: df48e56e987f ("cache: add hashtable cache for sets")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a catchall expression (EXPR_SET_ELEM_CATCHALL).
Use the asterisk (*) to represent the catch-all set element, e.g.
table x {
set y {
type ipv4_addr
counter
elements = { 1.2.3.4 counter packets 0 bytes 0, * counter packets 0 bytes 0 }
}
}
Special handling for segtree: zap the catch-all element from the set
element list and re-add it after processing.
Remove wildcard_expr deadcode in src/parser_bison.y
This patch also adds several tests for the tests/py and tests/shell
infrastructures.
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Add a rule to specify the set key expression in preparation for the
catch-all element support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As concatenated ranges are fetched from kernel sets and displayed to
the user, range_mask_len() evaluates whether the range is suitable for
display as netmask, and in that case it calculates the mask length by
right-shifting the endpoints until no set bits are left, but in the
existing version the temporary copies of the endpoints are derived by
copying their unsigned int representation, which doesn't suffice for
IPv6 netmask lengths, in general.
PetrB reports that, after inserting a /56 subnet in a concatenated set
element, it's listed as a /64 range. In fact, this happens for any
IPv6 mask shorter than 64 bits.
Fix this issue by simply sourcing the range endpoints provided by the
caller and setting the temporary copies with mpz_init_set(), instead
of fetching the unsigned int representation. The issue only affects
displaying of the masks, setting elements already works as expected.
Reported-by: PetrB <petr.boltik@gmail.com>
Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1520
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
| |
Add support for matching on the cgroups version 2.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Update the cache to remove this object from the evaluation phase.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Update the cache to remove this flowtable from the evaluation phase.
Add flowtable_cache_del() function for this purpose.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Update the cache to remove this set from the evaluation phase.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Update the cache to remove this chain from the evaluation phase. Add
chain_cache_del() function for this purpose.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a hashtable for fast table lookups.
Tables that reside in the cache use the table->cache_hlist and
table->cache_list heads.
Table that are created from command line / ruleset are also added
to the cache.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
If the cache does not contain this object that is defined in this batch,
add it to the cache. This allows for references to this new object in
the same batch.
This patch also adds missing handle_merge() to set the object name,
otherwise object name is NULL and obj_cache_find() crashes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Populate the cache with tables for several policy objects types.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
If the cache does not contain this flowtable that is defined in this
batch, then add it to the cache. This allows for references to this new
flowtable in the same batch.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
If the cache does not contain the set that is defined in this batch, add
it to the cache. This allows for references to this new set in the same
batch.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Update set_cache_del() from the monitor path to remove sets
in the cache.
Fixes: df48e56e987f ("cache: add hashtable cache for sets")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Add flowtable hashtable cache.
Actually I am not expecting that many flowtables to benefit from the
hashtable to be created by streamline this code with tables, chains,
sets and policy objects.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a hashtable for object lookups.
This patch also splits table->objs in two:
- Sets that reside in the cache are stored in the new
tables->cache_obj and tables->cache_obj_ht.
- Set that defined via command line / ruleset file reside in
tables->obj.
Sets in the cache (already in the kernel) are not placed in the
table->objs list.
By keeping separated lists, objs defined via command line / ruleset file
can be added to cache.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch consolidates the object cache infrastructure. Update set and
chains to use it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
- prepend nft_ prefix to nft_cache API and internal functions
- move declarations to cache.h (and remove redundant declarations)
- move struct nft_cache definition to cache.h
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
You can identify chains through the unique handle in deletions, update
this interface to take a string instead of the handle to prepare for
the introduction of 64-bit handle chain lookups.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Deletion by handle, if incorrect, should not exercise the misspell
lookup functions.
Fixes: 3a0e07106f66 ("src: combine extended netlink error reporting with mispelling support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Use NFTA_TABLE_HANDLE instead of NFTA_TABLE_NAME to refer to the
table 64-bit unique handle.
Fixes: 7840b9224d5b ("evaluate: remove table from cache on delete table")
Fixes: f8aec603aa7e ("src: initial extended netlink error reporting")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|