summaryrefslogtreecommitdiffstats
path: root/tests
Commit message (Collapse)AuthorAgeFilesLines
* scanner: fix out-of-bound memory write in include_file()Eric Jallot2019-12-021-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Before patch: # echo 'include "/tmp/rules.nft"' > /tmp/rules.nft # nft -f /tmp/rules.nft In file included from /tmp/rules.nft:1:1-25: from /tmp/rules.nft:1:1-25: [snip] from /tmp/rules.nft:1:1-25: /tmp/rules.nft:1:1-25: Error: Include nested too deeply, max 16 levels include "/tmp/rules.nft" ^^^^^^^^^^^^^^^^^^^^^^^^^ double free or corruption (out) Aborted (core dumped) valgrind reports: ==8856== Invalid write of size 8 ==8856== at 0x4E8FCAF: include_file (scanner.l:718) ==8856== by 0x4E8FEF6: include_glob (scanner.l:793) ==8856== by 0x4E9985D: scanner_include_file (scanner.l:875) ==8856== by 0x4E89D7A: nft_parse (parser_bison.y:828) ==8856== by 0x4E765E1: nft_parse_bison_filename (libnftables.c:394) ==8856== by 0x4E765E1: nft_run_cmd_from_filename (libnftables.c:497) ==8856== by 0x40172D: main (main.c:340) So perform bounds checking on MAX_INCLUDE_DEPTH before writing. After patch: # nft -f /tmp/rules.nft In file included from /tmp/rules.nft:1:1-25: from /tmp/rules.nft:1:1-25: [snip] from /tmp/rules.nft:1:1-25: /tmp/rules.nft:1:1-25: Error: Include nested too deeply, max 16 levels include "/tmp/rules.nft" ^^^^^^^^^^^^^^^^^^^^^^^^^ # echo $? 1 Also: Update scanner_push_file() function definition accordingly. Fixes: 32325e3c3fab4 ("libnftables: Store top_scope in struct nft_ctx") Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Set a fixed timezone in nft-test.pyPhil Sutter2019-11-293-2/+3
| | | | | | | | | | | | Payload generated for 'meta time' matches depends on host's timezone and DST setting. To produce constant output, set a fixed timezone in nft-test.py. Choose UTC-2 since most payloads are correct then, adjust the remaining two tests. Fixes: 0518ea3f70d8c ("tests: add meta time test cases") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Ander Juaristi <a@juaristi.eus> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: set reference from variable definitionPablo Neira Ayuso2019-11-181-0/+21
| | | | | | | | Allow to define variable using set reference, eg. define x = @z Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add stateful object update operation testFernando Fernandez Mancera2019-11-161-0/+25
| | | | | Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: Fix get element for little endian rangesPhil Sutter2019-11-151-0/+43
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes get element command for interval sets with host byte order data type, like e.g. mark. During serializing of the range (or element) to query, data was exported in wrong byteorder and consequently not found in kernel. The mystery part is that code seemed correct: When calling constant_expr_alloc() from set_elem_add(), the set key's byteorder was passed with correct value of BYTEORDER_HOST_ENDIAN. Comparison with delete/add element code paths though turned out that in those use-cases, constant_expr_alloc() is called with BYTEORDER_INVALID: - seg_tree_init() takes byteorder field value of first element in init->expressions (i.e., the elements requested on command line) and assigns that to tree->byteorder - tree->byteorder is passed to constant_expr_alloc() in set_insert_interval() - the elements' byteorder happens to be the default value This patch may not fix the right side, but at least it aligns get with add/delete element codes. Fixes: a43cc8d53096d ("src: support for get element command") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: Check ranges when deleting elementsPhil Sutter2019-11-141-0/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Make sure any intervals to delete actually exist, otherwise reject the command. Without this, it is possible to mess up rbtree contents: | # nft list ruleset | table ip t { | set s { | type ipv4_addr | flags interval | auto-merge | elements = { 192.168.1.0-192.168.1.254, 192.168.1.255 } | } | } | # nft delete element t s '{ 192.168.1.0/24 }' | # nft list ruleset | table ip t { | set s { | type ipv4_addr | flags interval | auto-merge | elements = { 192.168.1.255-255.255.255.255 } | } | } Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Store top_scope in struct nft_ctxPhil Sutter2019-11-071-0/+22
| | | | | | | | | | | | | | | | Allow for interactive sessions to make use of defines. Since parser is initialized for each line, top scope defines didn't persist although they are actually useful for stuff like: | # nft -i | define goodports = { 22, 23, 80, 443 } | add rule inet t c tcp dport $goodports accept | add rule inet t c tcp sport $goodports accept While being at it, introduce scope_alloc() and scope_free(). Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add and use `set_is_meter` helperJeremy Sowden2019-11-061-0/+29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The sets constructed for meters are flagged as anonymous and dynamic. However, in some places there are only checks that they are dynamic, which can lead to normal sets being classified as meters. For example: # nft add table t # nft add set t s { type ipv4_addr; size 256; flags dynamic,timeout; } # nft add chain t c # nft add rule t c tcp dport 80 meter m size 128 { ip saddr limit rate 10/second } # nft list meters table ip t { set s { type ipv4_addr size 256 flags dynamic,timeout } meter m { type ipv4_addr size 128 flags dynamic } } # nft list meter t m table ip t { meter m { type ipv4_addr size 128 flags dynamic } } # nft list meter t s Error: No such file or directory list meter t s ^ Add a new helper `set_is_meter` and use it wherever there are checks for meters. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: flowtable: add support for delete command by handleEric Jallot2019-11-061-0/+22
| | | | | | | Also, display handle when listing with '-a'. Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: flowtable: add support for named flowtable listingEric Jallot2019-10-311-0/+21
| | | | | | | | | | | | | | | | | | | | This patch allows you to dump a named flowtable. # nft list flowtable inet t f table inet t { flowtable f { hook ingress priority filter + 10 devices = { eth0, eth1 } } } Also: libnftables-json.adoc: fix missing quotes. Fixes: db0697ce7f60 ("src: support for flowtable listing") Fixes: 872f373dc50f ("doc: Add JSON schema documentation") Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Fix test script for Python3 tempfilePhil Sutter2019-10-291-4/+4
| | | | | | | | | | | | | When instantiating a temporary file using tempfile's TemporaryFile() constructor, the resulting object's 'name' attribute is of type int. This in turn makes print_msg() puke while trying to concatenate string and int using '+' operator. Fix this by using format strings consequently, thereby cleaning up code a bit. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Revert "main: Fix for misleading error with negative chain priority"Phil Sutter2019-10-231-8/+0
| | | | | | | | | | | This reverts commit 9fc71bc6b602c8706d1214e0100bcd7638c257e3. Given that this change breaks typical commands like 'nft list ruleset -a' while on the other hand escaping of semicolons and (depending on shell) curly braces is still required, decision was made to not go with this solution. Signed-off-by: Phil Sutter <phil@nwl.cc>
* main: Fix for misleading error with negative chain priorityPhil Sutter2019-10-211-0/+8
| | | | | | | | | | | | | | | | | getopt_long() would try to parse the negative priority as an option and return -1 as it is not known: | # nft add chain x y { type filter hook input priority -30\; } | nft: invalid option -- '3' Fix this by prefixing optstring with a plus character. This instructs getopt_long() to not collate arguments but just stop after the first non-option, leaving the rest for manual handling. In fact, this is just what nft desires: mixing options with nft syntax leads to confusive command lines anyway. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/monitor: Fix for changed ct timeout formatPhil Sutter2019-10-171-1/+1
| | | | | | | | | | Commit a9b0c385a1d5e ("rule: print space between policy and timeout") changed spacing in ct timeout objects but missed to adjust related test case. Fixes: a9b0c385a1d5e ("rule: print space between policy and timeout") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* cli: add linenoise CLI implementation.Jeremy Sowden2019-10-151-2/+2
| | | | | | | | By default, continue to use libreadline, but if `--with-cli=linenoise` is passed to configure, build the linenoise implementation instead. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: always close interval in non-anonymous setsPablo Neira Ayuso2019-10-091-0/+32
| | | | | | | Skip this optimization for non-anonymous sets, otherwise, element deletion breaks. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: fix failed tests due to missing quotesEric Jallot2019-10-0814-19/+18
| | | | | | | | | Add double quotes to protect newlines when using <<< redirection. See also commit b878cb7d83855. Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: check we can use "dynamic" set for lookupsFlorian Westphal2019-10-071-0/+2
| | | | | | | | Requires kernel commit acab713177377 ("netfilter: nf_tables: allow lookups in dynamic sets"), else the rule add will fail. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: delete flowtable after flush chainPablo Neira Ayuso2019-09-251-0/+9
| | | | | | Returns EBUSY on buggy kernels. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: meter: avoid double-space in list ruleset outputFlorian Westphal2019-09-201-1/+1
| | | | | | | | | | changes meter f size 1024 { ip saddr limit rate 10/second} accept to meter f size 1024 { ip saddr limit rate 10/second } accept Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nftables: don't crash in 'list ruleset' if policy is not setSergei Trofimovich2019-09-162-0/+20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Minimal reproducer: ``` $ cat nft.ruleset # filters table inet filter { chain prerouting { type filter hook prerouting priority -50 } } # dump new state list ruleset $ nft -c -f ./nft.ruleset table inet filter { chain prerouting { Segmentation fault (core dumped) ``` The crash happens in `chain_print_declaration()`: ``` if (chain->flags & CHAIN_F_BASECHAIN) { mpz_export_data(&policy, chain->policy->value, BYTEORDER_HOST_ENDIAN, sizeof(int)); ``` Here `chain->policy` is `NULL` (as textual rule does not mention it). The change is not to print the policy if it's not set (similar to `chain_evaluate()` handling). CC: Florian Westphal <fw@strlen.de> CC: Pablo Neira Ayuso <pablo@netfilter.org> CC: netfilter-devel@vger.kernel.org Bug: https://bugzilla.netfilter.org/show_bug.cgi?id=1365 Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org> Acked-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* json: tests: fix typo in ct expectation json testFernando Fernandez Mancera2019-09-151-1/+1
| | | | | | | | | The correct form is "ct expectation" not "ct expect". That was causing the tests/py/ip/object.t json test to fail. Fixes: 1dd08fcfa07a ("src: add ct expectations support") Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add synproxy stateful object supportFernando Fernandez Mancera2019-09-133-0/+43
| | | | | | | | | | | | | | | | | | | | | | | | | | Add support for "synproxy" stateful object. For example (for TCP port 80 and using maps with saddr): table ip foo { synproxy https-synproxy { mss 1460 wscale 7 timestamp sack-perm } synproxy other-synproxy { mss 1460 wscale 5 } chain bar { tcp dport 80 synproxy name "https-synproxy" synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" } } } Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: fix wrong conversion to "list" in ct markFernando Fernandez Mancera2019-09-102-0/+7
| | | | | | | | | | | We only prefer "list" representation in "ct event". For any other type of "ct" use the "or" representation so nft prints "ct mark set ct mark | 0x00000001" instead of "ct mark set ct mark,0x00000001". Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1364 Fixes: cb8f81ac3079 ("netlink_delinearize: prefer ct event set foo,bar over 'set foo|bar'") Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: add huge transaction from firewalldEric Garver2019-09-101-0/+10
| | | | | | | This is borrowed from one of firewalld's test cases. Signed-off-by: Eric Garver <eric@garver.life> Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: add huge JSON transactionEric Garver2019-09-101-0/+16
| | | | | | | | Expand the test case to also check for returned rule handles in the JSON output. Signed-off-by: Eric Garver <eric@garver.life> Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: verify huge transaction returns expected number of rulesEric Garver2019-09-101-2/+3
| | | | | | | | Verify that we get the expected number of rules with --echo (i.e. the reply wasn't truncated). Signed-off-by: Eric Garver <eric@garver.life> Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: use-after-free from abort pathPablo Neira Ayuso2019-09-081-0/+19
| | | | | | | Rule that fails to be added while holding a bound set triggers user-after-free from the abort path. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: evaluate: catch invalid 'meta day' values in eval stepFlorian Westphal2019-09-061-0/+4
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add meta time test casesAnder Juaristi2019-09-064-0/+559
| | | | | Signed-off-by: Ander Juaristi <a@juaristi.eus> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: check that rule add with index works with echoEric Garver2019-09-062-0/+21
| | | | | Signed-off-by: Eric Garver <eric@garver.life> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: add ibrpvid and ibrvproto supportwenxu2019-08-303-0/+37
| | | | | | | | | | | This allows you to match the bridge pvid and vlan protocol, for instance: nft add rule bridge firewall zones meta ibrvproto vlan nft add rule bridge firewall zones meta ibrpvid 100 Signed-off-by: wenxu <wenxu@ucloud.cn> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: json: add support for element deletionFlorian Westphal2019-08-295-0/+47
| | | | | | | | also add a test case. Fixes: a87f2a2227be2 ("netfilter: support for element deletion") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Phil Sutter <phil@nwl.cc>
* tests: make sure i is definedFlorian Westphal2019-08-161-0/+1
| | | | | | | | | | | The test script can die in case there are severe problems, such as rlen being 0 -- in that case i is undefined and script evaluation is aborted. Found during nft development, no existing test case shows this problem. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add json test for vlan rule fixM. Braun2019-08-122-0/+62
| | | | | | | | | | | | | | | This fixes ERROR: did not find JSON equivalent for rule 'ether type vlan ip protocol 1 accept' when running ./nft-test.py -j bridge/vlan.t Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Michael Braun <michael-dev@fami-braun.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: move chain priority and policy to chain folderPablo Neira Ayuso2019-08-098-0/+0
| | | | | | Move new chain tests for variable priority and policy to chain folder. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow variable in chain policyFernando Fernandez Mancera2019-08-086-0/+80
| | | | | | | | | | | | This patch allows you to use variables in chain policy definition, e.g. define default_policy = "accept" add table ip foo add chain ip foo bar {type filter hook input priority filter; policy $default_policy} Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow variables in the chain priority specificationFernando Fernandez Mancera2019-08-086-0/+80
| | | | | | | | | | | | | | | | | This patch allows you to use variables in chain priority definitions, e.g. define prio = filter define prionum = 10 define prioffset = "filter - 150" add table ip foo add chain ip foo bar { type filter hook input priority $prio; } add chain ip foo ber { type filter hook input priority $prionum; } add chain ip foo bor { type filter hook input priority $prioffset; } Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache: incorrect flush flag for table/chainLaura Garcia Liebana2019-07-312-0/+32
| | | | | | | | | | | | | | | | | | | After the new cache system, nft raises a table error flushing a chain in a transaction. # nft "flush chain ip nftlb filter-newfarm ; \ add rule ip nftlb filter-newfarm update \ @persist-newfarm { ip saddr : ct mark } ; \ flush chain ip nftlb nat-newfarm" Error: No such file or directory flush chain ip nftlb filter-newfarm ; add rule ip nftlb (...) ^^^^^ This patch sets the cache flag properly to save this case. Fixes: 01e5c6f0ed031 ("src: add cache level flags") Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Fix dumping vlan rulesM. Braun2019-07-313-0/+24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Given the following bridge rules: 1. ip protocol icmp accept 2. ether type vlan vlan type ip ip protocol icmp accept The are currently both dumped by "nft list ruleset" as 1. ip protocol icmp accept 2. ip protocol icmp accept Though, the netlink code actually is different bridge filter FORWARD 4 [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 9 => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ immediate reg 0 accept ] bridge filter FORWARD 5 4 [ payload load 2b @ link header + 12 => reg 1 ] [ cmp eq reg 1 0x00000081 ] [ payload load 2b @ link header + 16 => reg 1 ] [ cmp eq reg 1 0x00000008 ] [ payload load 1b @ network header + 9 => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ immediate reg 0 accept ] What happens here is that: 1. vlan type ip kills ether type vlan 2. ip protocol icmp kills vlan type ip Fix this by avoiding the removal of all vlan statements in the given example. Signed-off-by: Michael Braun <michael-dev@fami-braun.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: check for table re-definition usecaseFlorian Westphal2019-07-231-0/+15
| | | | | | | | | | | | | | | | | | | | Make sure nft behaves like 0.9.0 -- the ruleset flush ruleset table inet filter { } table inet filter { chain test { counter } } loads again without crashing/generating an error message. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1351 Fixes: e5382c0d08e3c ("src: Support intra-transaction rule references") Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: evaluate: support prefix expression in statementsFlorian Westphal2019-07-223-0/+41
| | | | | | | | | | | | | | | | | | | | | | | | Currently nft dumps core when it encounters a prefix expression as part of a statement, e.g. iifname ens3 snat to 10.0.0.0/28 yields: BUG: unknown expression type prefix nft: netlink_linearize.c:688: netlink_gen_expr: Assertion `0' failed. This assertion is correct -- we can't linearize a prefix because kernel doesn't know what that is. For LHS prefixes, they get converted to a binary 'and' such as '10.0.0.0 & 255.255.255.240'. For RHS, we can do something similar and convert them into a range. snat to 10.0.0.0/28 will be converted into: iifname "ens3" snat to 10.0.0.0-10.0.0.15 Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1187 Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: add missing json outputsFernando Fernandez Mancera2019-07-171-0/+25
| | | | | | Fixes: 1188a69604c3 ("src: introduce SYNPROXY matching") Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: introduce SYNPROXY matchingFernando Fernandez Mancera2019-07-173-0/+156
| | | | | | | | | | | | | | | | | | | | Add support for "synproxy" statement. For example (for TCP port 8888): table ip x { chain y { type filter hook prerouting priority raw; policy accept; tcp dport 8888 tcp flags syn notrack } chain z { type filter hook input priority filter; policy accept; tcp dport 8888 ct state invalid,untracked synproxy mss 1460 wscale 7 timestamp sack-perm ct state invalid drop } } Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: fix up two broken json test casesFlorian Westphal2019-07-172-3/+25
| | | | | | | | | Forgot to add a json test case for the recently added ct ip addr in map case. Fix up rawpayload.t for json, it needs to expect new "th dport" when listing. Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add ct expectations supportStéphane Veyret2019-07-166-1/+51
| | | | | | | This modification allow to directly add/list/delete expectations. Signed-off-by: Stéphane Veyret <sveyret@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache: incorrect flags for create commandsPablo Neira Ayuso2019-07-162-0/+10
| | | | | | | | | | | | | | | # nft create table testD # nft create chain testD test6 Error: No such file or directory create chain testD test6 ^^^^^ Handle 'create' command just like 'add' and 'insert'. Check for object types to dump the tables for more fine grain listing, instead of dumping the whole ruleset. Fixes: 7df42800cf89 ("src: single cache_update() call to build cache before evaluation") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: missing object maps handling in list and flush commandsPablo Neira Ayuso2019-07-163-0/+57
| | | | | | | | | | | | | | | | | | | | NFT_SET_OBJECT tells there is an object map. # nft list ruleset table inet filter { map countermap { type ipv4_addr : counter } } The following command fails: # nft flush set inet filter countermap This patch checks for NFT_SET_OBJECT from new set_is_literal() and map_is_literal() functions. This patch also adds tests for this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: make sure we test nft binary from working tree, not hostFlorian Westphal2019-07-151-2/+0
| | | | | | | This tests the installed host nft binary, which fails on my test vm. Using the one from the working tree makes this test pass. Signed-off-by: Florian Westphal <fw@strlen.de>
* proto: add pseudo th protocol to match d/sport in generic wayFlorian Westphal2019-07-153-1/+23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Problem: Its not possible to easily match both udp and tcp in a single rule. ... input ip protocol { tcp,udp } dport 53 will not work, as bison expects "tcp dport" or "sctp dport", or any other transport protocol name. Its possible to match the sport and dport via raw payload expressions, e.g.: ... input ip protocol { tcp,udp } @th,16,16 53 but its not very readable. Furthermore, its not possible to use this for set definitions: table inet filter { set myset { type ipv4_addr . inet_proto . inet_service } chain forward { type filter hook forward priority filter; policy accept; ip daddr . ip protocol . @th,0,16 @myset } } # nft -f test test:7:26-35: Error: can not use variable sized data types (integer) in concat expressions During the netfilter workshop Pablo suggested to add an alias to do raw sport/dport matching more readable, and make it use the inet_service type automatically. So, this change makes @th,0,16 work for the set definition case by setting the data type to inet_service. A new "th s|dport" syntax is provided as readable alternative: ip protocol { tcp, udp } th dport 53 As "th" is an alias for the raw expression, no dependency is generated -- its the users responsibility to add a suitable test to select the l4 header types that should be matched. Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>