summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* main: remove duplicate output flag assignment.Jeremy Sowden2019-10-231-1/+0
| | | | | | | | | `NFT_CTX_OUTPUT_NUMERIC_TIME` is implicit in `NFT_CTX_OUTPUT_NUMERIC_ALL`: there are is no need explicitly to OR it into output_flags when `--numeric` is passed. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: add missing `OPT_NUMERIC_PROTO` long option.Jeremy Sowden2019-10-231-0/+4
| | | | | | | | The `options` array is missing an entry for `OPT_NUMERIC_PROTO`. Add a new option, `--numeric-protocol`, consistent with the documentation. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Revert "main: Fix for misleading error with negative chain priority"Phil Sutter2019-10-231-1/+1
| | | | | | | | | | | This reverts commit 9fc71bc6b602c8706d1214e0100bcd7638c257e3. Given that this change breaks typical commands like 'nft list ruleset -a' while on the other hand escaping of semicolons and (depending on shell) curly braces is still required, decision was made to not go with this solution. Signed-off-by: Phil Sutter <phil@nwl.cc>
* src: add --terse to suppress output of set elements.Jeremy Sowden2019-10-222-2/+12
| | | | | | | | | | | | Listing an entire ruleset or a table with `nft list` prints the elements of all set definitions within the ruleset or table. Seeing the full set contents is not often necessary especially when requesting to see someone's ruleset for help and support purposes. Add a new option '-t, --terse' options to suppress the output of set contents. Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1374 Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use `-T` as the short option for `--numeric-time`.Jeremy Sowden2019-10-221-3/+3
| | | | | | | | | A new `--terse` option will be introduced in a later patch. Change the short option used for `--numeric-time` from `-t` to `-T` in order to leave `-t` free. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: Fix for misleading error with negative chain priorityPhil Sutter2019-10-211-1/+1
| | | | | | | | | | | | | | | | | getopt_long() would try to parse the negative priority as an option and return -1 as it is not known: | # nft add chain x y { type filter hook input priority -30\; } | nft: invalid option -- '3' Fix this by prefixing optstring with a plus character. This instructs getopt_long() to not collate arguments but just stop after the first non-option, leaving the rest for manual handling. In fact, this is just what nft desires: mixing options with nft syntax leads to confusive command lines anyway. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tproxy: Add missing error checking when parsing from netlinkPhil Sutter2019-10-211-0/+4
| | | | | | | | | | netlink_get_register() may return NULL and every other caller checks that. Assuming this situation is not expected, just jump to 'err' label without queueing an explicit error message. Fixes: 2be1d52644cf7 ("src: Add tproxy support") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_json: Fix checking of parse_policy() return codePhil Sutter2019-10-211-1/+1
| | | | | | | | | The function was changed to return an expression or NULL but error checking wasn't adjusted while doing so. Fixes: dba4a9b4b5fe2 ("src: allow variable in chain policy") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: restore --echo with anonymous setsPablo Neira Ayuso2019-10-182-20/+12
| | | | | | | | | | | | If --echo is passed, then the cache already contains the commands that have been sent to the kernel. However, anonymous sets are an exception since the cache needs to be updated in this case. Remove the old cache logic from the monitor code that has been replaced by 01e5c6f0ed03 ("src: add cache level flags"). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Phil Sutter <phil@nwl.cc>
* flowtable: fix memleak in exit pathEric Jallot2019-10-182-0/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add missing loop in table_free(). Free all objects in flowtable_free() and add conditions in case of error recovery in the parser (See commit 4be0a3f922a29). Also, fix memleak in the parser. This fixes the following memleak: # valgrind --leak-check=full nft add flowtable inet raw f '{ hook ingress priority filter; devices = { eth0 }; }' ==15414== Memcheck, a memory error detector ==15414== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==15414== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info ==15414== Command: nft add flowtable inet raw f {\ hook\ ingress\ priority\ filter;\ devices\ =\ {\ eth0\ };\ } ==15414== ==15414== ==15414== HEAP SUMMARY: ==15414== in use at exit: 266 bytes in 4 blocks ==15414== total heap usage: 55 allocs, 51 frees, 208,105 bytes allocated ==15414== ==15414== 5 bytes in 1 blocks are definitely lost in loss record 2 of 4 ==15414== at 0x4C29EA3: malloc (vg_replace_malloc.c:309) ==15414== by 0x5C64AA9: strdup (strdup.c:42) ==15414== by 0x4E705ED: xstrdup (utils.c:75) ==15414== by 0x4E93F01: nft_lex (scanner.l:648) ==15414== by 0x4E85C1C: nft_parse (parser_bison.c:5577) ==15414== by 0x4E75A07: nft_parse_bison_buffer (libnftables.c:375) ==15414== by 0x4E75A07: nft_run_cmd_from_buffer (libnftables.c:443) ==15414== by 0x40170F: main (main.c:326) ==15414== ==15414== 261 (128 direct, 133 indirect) bytes in 1 blocks are definitely lost in loss record 4 of 4 ==15414== at 0x4C29EA3: malloc (vg_replace_malloc.c:309) ==15414== by 0x4E705AD: xmalloc (utils.c:36) ==15414== by 0x4E705AD: xzalloc (utils.c:65) ==15414== by 0x4E560B6: expr_alloc (expression.c:45) ==15414== by 0x4E56288: symbol_expr_alloc (expression.c:286) ==15414== by 0x4E8A601: nft_parse (parser_bison.y:1842) ==15414== by 0x4E75A07: nft_parse_bison_buffer (libnftables.c:375) ==15414== by 0x4E75A07: nft_run_cmd_from_buffer (libnftables.c:443) ==15414== by 0x40170F: main (main.c:326) Fixes: 92911b362e906 ("src: add support to add flowtables") Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: define flowtable device compound as a listPablo Neira Ayuso2019-10-182-2/+2
| | | | | | | | This fixes a memleak when releasing the compound expression via expr_free(). Fixes: 92911b362e90 ("src: add support to add flowtables") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: Fix for single line ct timeout printingPhil Sutter2019-10-171-1/+1
| | | | | | | | | | | Commit 43ae7a48ae3de ("rule: do not print semicolon in ct timeout") removed an extra semicolon at end of line, but thereby broke single line output. The correct fix is to use opts->stmt_separator which holds either newline or semicolon chars depending on output mode. Fixes: 43ae7a48ae3de ("rule: do not print semicolon in ct timeout") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* monitor: Add missing newline to error messagePhil Sutter2019-10-171-1/+1
| | | | | | | | | These shouldn't happen in practice and printing to stderr is not the right thing either, but fix this anyway. Fixes: f9563c0feb24d ("src: add events reporting") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* mnl: Don't use nftnl_set_set()Phil Sutter2019-10-151-1/+1
| | | | | | | | | The function is unsafe to use as it effectively bypasses data length checks. Instead use nftnl_set_set_str() which at least asserts a const char pointer is passed. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cli: add linenoise CLI implementation.Jeremy Sowden2019-10-151-9/+55
| | | | | | | | By default, continue to use libreadline, but if `--with-cli=linenoise` is passed to configure, build the linenoise implementation instead. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expression: extend 'nft describe' to allow listing data typesFlorian Westphal2019-10-141-9/+25
| | | | | | | | | | | | | | | | | nft describe ct_status before: symbol expression, datatype invalid (invalid), 0 bits after: datatype ct_status (conntrack status) (basetype bitmask, integer), 32 bits pre-defined symbolic constants (in hexadecimal): expected 0x00000001 seen-reply 0x00000002 [..] Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: display description for header field < 8 bitsPablo Neira Ayuso2019-10-101-1/+1
| | | | | | | | | | | | # nft describe ip dscp payload expression, datatype dscp (Differentiated Services Code Point) (basetype integer), 6 bits pre-defined symbolic constants (in hexadecimal): nft: datatype.c:209: switch_byteorder: Assertion `len > 0' failed. Aborted Fixes: c89a0801d077 ("datatype: Display pre-defined inet_service values in host byte order") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: always close interval in non-anonymous setsPablo Neira Ayuso2019-10-091-1/+2
| | | | | | | Skip this optimization for non-anonymous sets, otherwise, element deletion breaks. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* obj: fix memleak in parser_bison.yEric Jallot2019-10-091-56/+27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Each object (secmark, synproxy, quota, limit, counter) is dynamically allocated by the parser and not freed at exit. However, there is no need to use dynamic allocation here because struct obj already provides the required storage. Update the grammar to ensure that obj_alloc() is called before config occurs. This fixes the following memleak (secmark as example): # valgrind --leak-check=full nft add secmark inet raw ssh \"system_u:object_r:ssh_server_packet_t:s0\" ==14643== Memcheck, a memory error detector ==14643== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==14643== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info ==14643== Command: nft add secmark inet raw ssh "system_u:object_r:ssh_server_packet_t:s0" ==14643== ==14643== ==14643== HEAP SUMMARY: ==14643== in use at exit: 256 bytes in 1 blocks ==14643== total heap usage: 41 allocs, 40 frees, 207,809 bytes allocated ==14643== ==14643== 256 bytes in 1 blocks are definitely lost in loss record 1 of 1 ==14643== at 0x4C29EA3: malloc (vg_replace_malloc.c:309) ==14643== by 0x4E72074: xmalloc (utils.c:36) ==14643== by 0x4E72074: xzalloc (utils.c:65) ==14643== by 0x4E89A31: nft_parse (parser_bison.y:3706) ==14643== by 0x4E778E7: nft_parse_bison_buffer (libnftables.c:375) ==14643== by 0x4E778E7: nft_run_cmd_from_buffer (libnftables.c:443) ==14643== by 0x40170F: main (main.c:326) Fixes: f44ab88b1088e ("src: add synproxy stateful object support") Fixes: 3bc84e5c1fdd1 ("src: add support for setting secmark") Fixes: c0697eabe832d ("src: add stateful object support for limit") Fixes: 4d38878b39be4 ("src: add/create/delete stateful objects") Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: obj: fix memleak in handle_free()Eric Jallot2019-09-301-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Using limit object as example: # valgrind --leak-check=full nft list ruleset ==9937== Memcheck, a memory error detector ==9937== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==9937== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info ==9937== Command: nft list ruleset ==9937== table inet raw { limit lim1 { rate 1/second } } ==9937== ==9937== HEAP SUMMARY: ==9937== in use at exit: 5 bytes in 1 blocks ==9937== total heap usage: 50 allocs, 49 frees, 212,065 bytes allocated ==9937== ==9937== 5 bytes in 1 blocks are definitely lost in loss record 1 of 1 ==9937== at 0x4C29EA3: malloc (vg_replace_malloc.c:309) ==9937== by 0x5C65AA9: strdup (strdup.c:42) ==9937== by 0x4E720A3: xstrdup (utils.c:75) ==9937== by 0x4E660FF: netlink_delinearize_obj (netlink.c:972) ==9937== by 0x4E6641C: list_obj_cb (netlink.c:1064) ==9937== by 0x50E8993: nftnl_obj_list_foreach (object.c:494) ==9937== by 0x4E664EA: netlink_list_objs (netlink.c:1085) ==9937== by 0x4E4FE82: cache_init_objects (rule.c:188) ==9937== by 0x4E4FE82: cache_init (rule.c:221) ==9937== by 0x4E4FE82: cache_update (rule.c:271) ==9937== by 0x4E7716E: nft_evaluate (libnftables.c:406) ==9937== by 0x4E778F7: nft_run_cmd_from_buffer (libnftables.c:447) ==9937== by 0x40170F: main (main.c:326) Fixes: 4756d92e517ae ("src: listing of stateful objects") Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: memleak when list of commands is emptyPablo Neira Ayuso2019-09-271-1/+1
| | | | | | | | | | | | | ==9946== 200,807 (40 direct, 200,767 indirect) bytes in 1 blocks are definitely lost in loss record 4 of 4 ==9946== at 0x4837B65: calloc (vg_replace_malloc.c:762) ==9946== by 0x4F28216: nftnl_batch_alloc (batch.c:66) ==9946== by 0x48A33E8: mnl_batch_init (mnl.c:164) ==9946== by 0x48A736F: nft_netlink.isra.0 (libnftables.c:29) ==9946== by 0x48A7D03: nft_run_cmd_from_filename (libnftables.c:508) ==9946== by 0x10A621: main (main.c:328) Fixes: fc6d0f8b0cb1 ("libnftables: get rid of repeated initialization of netlink_ctx") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mnl: do not cache sender buffer sizePablo Neira Ayuso2019-09-221-6/+6
| | | | | | | | | | | SO_SNDBUF never fails, this socket option just provides a hint to the kernel. SO_SNDBUFFORCE sets the buffer size to zero if the value goes over INT_MAX. Userspace is caching the buffer hint that sends to the kernel, so it might leave userspace out of sync if the kernel ignores the hint. Do not make assumptions, fetch the sender buffer size from the kernel via getsockopt(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: meter: avoid double-space in list ruleset outputFlorian Westphal2019-09-201-1/+1
| | | | | | | | | | changes meter f size 1024 { ip saddr limit rate 10/second} accept to meter f size 1024 { ip saddr limit rate 10/second } accept Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: parser_json: fix crash while restoring secmark objectEric Jallot2019-09-161-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Before patch: # nft -j list ruleset | tee rules.json | jq '.' { "nftables": [ { "metainfo": { "version": "0.9.2", "release_name": "Scram", "json_schema_version": 1 } }, { "table": { "family": "inet", "name": "t", "handle": 11 } }, { "secmark": { "family": "inet", "name": "s", "table": "t", "handle": 1, "context": "system_u:object_r:ssh_server_packet_t:s0" } } ] } # nft flush ruleset # nft -j -f rules.json Segmentation fault Use "&tmp" instead of "tmp" in json_unpack() while translating "context" keyword. After patch: # nft -j -f rules.json # nft list ruleset table inet t { secmark s { "system_u:object_r:ssh_server_packet_t:s0" } } Fixes: 3bc84e5c1fdd1 ("src: add support for setting secmark") Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* nftables: don't crash in 'list ruleset' if policy is not setSergei Trofimovich2019-09-161-5/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Minimal reproducer: ``` $ cat nft.ruleset # filters table inet filter { chain prerouting { type filter hook prerouting priority -50 } } # dump new state list ruleset $ nft -c -f ./nft.ruleset table inet filter { chain prerouting { Segmentation fault (core dumped) ``` The crash happens in `chain_print_declaration()`: ``` if (chain->flags & CHAIN_F_BASECHAIN) { mpz_export_data(&policy, chain->policy->value, BYTEORDER_HOST_ENDIAN, sizeof(int)); ``` Here `chain->policy` is `NULL` (as textual rule does not mention it). The change is not to print the policy if it's not set (similar to `chain_evaluate()` handling). CC: Florian Westphal <fw@strlen.de> CC: Pablo Neira Ayuso <pablo@netfilter.org> CC: netfilter-devel@vger.kernel.org Bug: https://bugzilla.netfilter.org/show_bug.cgi?id=1365 Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org> Acked-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* parser_bison: Fix 'exists' keyword on Big EndianPhil Sutter2019-09-142-3/+5
| | | | | | | | | | | | | | | | | | Size value passed to constant_expr_alloc() must correspond with actual data size, otherwise wrong portion of data will be taken later when serializing into netlink message. Booleans require really just a bit, but make type of boolean_keys be uint8_t (introducing new 'val8' name for it) and pass the data length using sizeof() to avoid any magic numbers. While being at it, fix len value in parser_json.c as well although it worked before due to the value being rounded up to the next multiple of 8. Fixes: 9fd9baba43c8e ("Introduce boolean datatype and boolean expression") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* json: fix type mismatch on "ct expect" json exportingFernando Fernandez Mancera2019-09-131-1/+1
| | | | | | | | | | The size field in ct_expect struct should be parsed as json integer and not as a string. Also, l3proto field is parsed as string and not as an integer. That was causing a segmentation fault when exporting "ct expect" objects as json. Fixes: 1dd08fcfa07a ("src: add ct expectations support") Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add synproxy stateful object supportFernando Fernandez Mancera2019-09-139-7/+256
| | | | | | | | | | | | | | | | | | | | | | | | | | Add support for "synproxy" stateful object. For example (for TCP port 80 and using maps with saddr): table ip foo { synproxy https-synproxy { mss 1460 wscale 7 timestamp sack-perm } synproxy other-synproxy { mss 1460 wscale 5 } chain bar { tcp dport 80 synproxy name "https-synproxy" synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" } } } Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: use-after-free in exit pathPablo Neira Ayuso2019-09-111-1/+1
| | | | | | | | | | | | | | | | | | | | | | | ==29699== Invalid read of size 8 ==29699== at 0x507E140: ct_label_table_exit (ct.c:239) ==29699== by 0x5091877: nft_exit (libnftables.c:97) ==29699== by 0x5091877: nft_ctx_free (libnftables.c:297) [...] ==29699== Address 0xb251008 is 136 bytes inside a block of size 352 free'd ==29699== at 0x4C2CDDB: free (vg_replace_malloc.c:530) ==29699== by 0x509186F: nft_ctx_free (libnftables.c:296) [...] ==29699== Block was alloc'd at ==29699== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711) ==29699== by 0x508C51D: xmalloc (utils.c:36) ==29699== by 0x508C51D: xzalloc (utils.c:65) ==29699== by 0x50916BE: nft_ctx_new (libnftables.c:151) [...] Release symbol tables before context object. Fixes: 45cb29a2ada4 ("src: remove global symbol_table") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: fix wrong conversion to "list" in ct markFernando Fernandez Mancera2019-09-101-1/+2
| | | | | | | | | | | We only prefer "list" representation in "ct event". For any other type of "ct" use the "or" representation so nft prints "ct mark set ct mark | 0x00000001" instead of "ct mark set ct mark,0x00000001". Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1364 Fixes: cb8f81ac3079 ("netlink_delinearize: prefer ct event set foo,bar over 'set foo|bar'") Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mnl: fix --echo buffer size againPablo Neira Ayuso2019-09-101-12/+14
| | | | | | | | | | | | | | | | If restart is triggered with --echo, it causes rules to be duplicated which is not correct. Remove restart logic. 1. If user passes --echo, use a default 4mb buffer. 2. assume each element in the batch will result in a 1k notification. This passes tests both in x86_64 and s390. Joint work with Florian Westphal. Fixes: 877baf9538f6 ("src: mnl: retry when we hit -ENOBUFS") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_json: fix crash on insert rule to bad referencesEric Garver2019-09-101-1/+5
| | | | | | | | | | Pass the location via the handle so the error leg in erec_print_list() can reference it. Applies to invalid references to tables, chains, and indexes. Fixes: 586ad210368b ("libnftables: Implement JSON parser") Signed-off-by: Eric Garver <eric@garver.life> Signed-off-by: Phil Sutter <phil@nwl.cc>
* evaluate: flag fwd and queue statements as terminalFlorian Westphal2019-09-071-0/+2
| | | | | | | | | | | | | | | | | | Both queue and fwd statement end evaluation of a rule: in ... fwd to "eth0" accept ... queue accept "accept" is redundant and never evaluated in the kernel. Add the missing "TERMINAL" flag so the evaluation step will catch any trailing expressions: nft add rule filter input queue counter Error: Statement after terminal statement has no effect Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: evaluate: catch invalid 'meta day' values in eval stepFlorian Westphal2019-09-061-4/+13
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* meta: Introduce new conditions 'time', 'day' and 'hour'Ander Juaristi2019-09-066-1/+339
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | These keywords introduce new checks for a timestamp, an absolute date (which is converted to a timestamp), an hour in the day (which is converted to the number of seconds since midnight) and a day of week. When converting an ISO date (eg. 2019-06-06 17:00) to a timestamp, we need to substract it the GMT difference in seconds, that is, the value of the 'tm_gmtoff' field in the tm structure. This is because the kernel doesn't know about time zones. And hence the kernel manages different timestamps than those that are advertised in userspace when running, for instance, date +%s. The same conversion needs to be done when converting hours (e.g 17:00) to seconds since midnight as well. The result needs to be computed modulo 86400 in case GMT offset (difference in seconds from UTC) is negative. We also introduce a new command line option (-t, --seconds) to show the actual timestamps when printing the values, rather than the ISO dates, or the hour. Some usage examples: time < "2019-06-06 17:00" drop; time < "2019-06-06 17:20:20" drop; time < 12341234 drop; day "Saturday" drop; day 6 drop; hour >= 17:00 drop; hour >= "17:00:01" drop; hour >= 63000 drop; We need to convert an ISO date to a timestamp without taking into account the time zone offset, since comparison will be done in kernel space and there is no time zone information there. Overwriting TZ is portable, but will cause problems when parsing a ruleset that has 'time' and 'hour' rules. Parsing an 'hour' type must not do time zone conversion, but that will be automatically done if TZ has been overwritten to UTC. Hence, we use timegm() to parse the 'time' type, even though it's not portable. Overwriting TZ seems to be a much worse solution. Finally, be aware that timestamps are converted to nanoseconds when transferring to the kernel (as comparison is done with nanosecond precision), and back to seconds when retrieving them for printing. We swap left and right values in a range to properly handle cross-day hour ranges (e.g. 23:15-03:22). Signed-off-by: Ander Juaristi <a@juaristi.eus> Reviewed-by: Florian Westphal <fw@strlen.de>
* evaluate: New internal helper __expr_evaluate_rangeAnder Juaristi2019-09-061-4/+16
| | | | | | | | | | | | | This is used by the followup patch to evaluate a range without emitting an error when the left value is larger than the right one. This is done to handle time-matching such as 23:00-01:00 -- expr_evaluate_range() will reject this, but we want to be able to evaluate and then handle this as a request to match from 23:00 to 1am. Signed-off-by: Ander Juaristi <a@juaristi.eus> Signed-off-by: Florian Westphal <fw@strlen.de>
* cache: fix --echo with index/positionEric Garver2019-09-061-4/+2
| | | | | | | | | Always call evaluate_cache_add() so it can set special flags - in this case NFT_CACHE_UPDATE. Fixes: 01e5c6f0ed03 ("src: add cache level flags") Signed-off-by: Eric Garver <eric@garver.life> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: add ibrpvid and ibrvproto supportwenxu2019-08-301-0/+6
| | | | | | | | | | | This allows you to match the bridge pvid and vlan protocol, for instance: nft add rule bridge firewall zones meta ibrvproto vlan nft add rule bridge firewall zones meta ibrpvid 100 Signed-off-by: wenxu <wenxu@ucloud.cn> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: json: add support for element deletionFlorian Westphal2019-08-291-0/+2
| | | | | | | | also add a test case. Fixes: a87f2a2227be2 ("netfilter: support for element deletion") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Phil Sutter <phil@nwl.cc>
* netfilter: support for element deletionAnder Juaristi2019-08-292-0/+2
| | | | | | | | | | | | | | | | | | | | | | | This patch implements element deletion from ruleset. Example: table ip set-test { set testset { type ipv4_addr; flags timeout; } chain outputchain { policy accept; type filter hook output priority filter; delete @testset { ip saddr } } } Signed-off-by: Ander Juaristi <a@juaristi.eus> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: secmark: fix brace indentation and missing quotes in selctx outputEric Jallot2019-08-201-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Before patch: # nft list secmarks | tee rules.nft table inet t { secmark s { system_u:object_r:ssh_server_packet_t:s0 } } # nft flush ruleset # nft -f rules.nft rules.nft:3:11-11: Error: syntax error, unexpected colon system_u:object_r:ssh_server_packet_t:s0 Colon is not allowed in strings and breaks nft -f. So move to quoted string in selctx output. After patch: # nft list secmarks | tee rules.nft table inet t { secmark s { "system_u:object_r:ssh_server_packet_t:s0" } } # nft flush ruleset # nft -f rules.nft Fixes: 3bc84e5c ("src: add support for setting secmark") Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: libnftnl: run single-initcalls only onceFlorian Westphal2019-08-191-5/+9
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* src: json: fix constant parsing on bigendianFlorian Westphal2019-08-141-1/+1
| | | | | | | | | | | | json restore is broken on big-endian because we errounously passed uint8_t with 64 bit size indicator. On bigendian, this causes all values to get shifted by 56 bit, this will then cause the eval step to bail because all values are outside of the 8bit 0-255 protocol range. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: json: support json restore for "th" pseudoheaderFlorian Westphal2019-08-141-4/+9
| | | | | | | | | Json output could not be restored back by nft because it did not recognize the new "th" pseudoheader. Fixes: a43a696443a150f44 ("proto: add pseudo th protocol to match d/sport in generic way") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* gmputil: assert length is non-zeroPablo Neira Ayuso2019-08-141-9/+7
| | | | | | | | | | | | | Importing, exporting and byteswapping zero length data should not happen. Use macro definition so we know from where the assertion is triggered in the code for easier diagnosing in the future. When importing datatype.h from gmputil.h, it seems gcc complains on missing declarations in json.h. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: mnl: retry when we hit -ENOBUFSFlorian Westphal2019-08-141-2/+10
| | | | | | | | | | | | | | | | | | | | tests/shell/testcases/transactions/0049huge_0 still fails with ENOBUFS error after endian fix done in previous patch. Its enough to increase the scale factor (4) on s390x, but rather than continue with these "guess the proper size" game, just increase the buffer size and retry up to 3 times. This makes above test work on s390x. So, implement what Pablo suggested in the earlier commit: We could also explore increasing the buffer and retry if mnl_nft_socket_sendmsg() hits ENOBUFS if we ever hit this problem again. v2: call setsockopt unconditionally, then increase on error. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: parser: fix parsing of chain priority and policy on bigendianFlorian Westphal2019-08-141-2/+4
| | | | | | | | | | | | | | | | | | | tests/shell/testcases/flowtable/0001flowtable_0 tests/shell/testcases/nft-f/0008split_tables_0 fail the 'dump compare' on s390x. The priority (10) turns to 0, and accept turned to drop. Problem is that '$1' is a 64bit value -- then we pass the address and import 'int' -- we then get the upper all zero bits. Add a 32bit interger type and use that. v2: add uint32_t type to union, v1 used temporary value instead. Fixes: 627c451b2351 ("src: allow variables in the chain priority specification") Fixes: dba4a9b4b5fe ("src: allow variable in chain policy") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix jumps on bigendian archesFlorian Westphal2019-08-142-12/+31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | table bla { chain foo { } chain bar { jump foo } } } Fails to restore on big-endian platforms: jump.nft:5:2-9: Error: Could not process rule: No such file or directory jump foo nft passes a 0-length name to the kernel. This is because when we export the value (the string), we provide the size of the destination buffer. In earlier versions, the parser allocated the name with the same fixed size and all was fine. After the fix, the export places the name in the wrong location in the destination buffer. This makes tests/shell/testcases/chains/0001jumps_0 work on s390x. v2: convert one error check to a BUG(), it should not happen unless kernel abi is broken. Fixes: 142350f154c78 ("src: invalid read when importing chain name") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: mnl: fix setting rcvbuffer sizeFlorian Westphal2019-08-131-1/+1
| | | | | | | | | | | | | Kernel expects socklen_t (int). Using size_t causes kernel to read upper 0-bits. This caused tests/shell/testcases/transactions/0049huge_0 to fail on s390x -- it uses 'echo' mode and will quickly overrun the tiny buffer size set due to this bug. Fixes: 89c82c261bb5 ("mnl: estimate receiver buffer size") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow variable in chain policyFernando Fernandez Mancera2019-08-088-17/+112
| | | | | | | | | | | | This patch allows you to use variables in chain policy definition, e.g. define default_policy = "accept" add table ip foo add chain ip foo bar {type filter hook input priority filter; policy $default_policy} Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>