| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
| |
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This was surprisingly hard to get right, but this should do the trick.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Not only ./configure, but make sure compilation does not break for each
option.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Just for sanity reasons.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
evaluation step currently prohibits
tproxy ip to 1.2.3.4 in ip family, and
tproxy ip6 to dead::1 in ip6.
This seems an arbitrary limitation, just accept this.
The current restriction would make json output support harder than needed,
as the tproxy expression generated from json path would have to
special-case the table its currently in, rather than just using the
family attribute in the json output.
We obviously still reject the family in case it mismatches
the table family (e.g., can't use ip address in ip6 table).
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Plain user is just fine.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This adds unnecessary complexity to our build infrastructure. People can
just manually generate them in PDF in case they need too. So let's keep
it simple and remove this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Update script with missing new kernel modules.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Since 6dd848339444 ("src: meta: always prefix 'meta' for almost all
tokens"), the unqualified meta are discouraged. Adjust test not to fail.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 3e6ab2b335142 added restraints on reject types for bridge and
inet families but aparently those were too strict: If a rule in e.g.
inet family contained a match which introduced a protocol dependency,
icmpx type rejects were disallowed for no obvious reason.
Allow icmpx type rejects in inet family regardless of protocol
dependency since we either have IPv4 or IPv6 traffic in there and for
both icmpx is fine.
Merge restraints in bridge family with those for TCP reset since it
already does what is needed, namely checking that ether proto is either
IPv4 or IPv6.
Fixes: 3e6ab2b335142 ("evaluate: reject: check in bridge and inet the network context in reject")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the possibility to use textual names to set the chain priority
to standard values so that numeric values do not need to be learnt any more for
basic usage.
Basic arithmetic can also be done with them to ease the addition of
relatively higher/lower priority chains.
Addition and substraction is possible.
Values are also printed with their friendly name within the range of
<basicprio> +- 10.
Also numeric printing is supported in case of -nnn option
(numeric == NFT_NUMERIC_ALL)
The supported name-value pairs and where they are valid is based on how
x_tables use these values when registering their base chains. (See
iptables/nft.c in the iptables repository).
Also see the compatibility matrices extracted from the man page:
Standard priority names, family and hook compatibility matrix
┌─────────┬───────┬────────────────┬─────────────┐
│Name │ Value │ Families │ Hooks │
├─────────┼───────┼────────────────┼─────────────┤
│ │ │ │ │
│raw │ -300 │ ip, ip6, inet │ all │
├─────────┼───────┼────────────────┼─────────────┤
│ │ │ │ │
│mangle │ -150 │ ip, ip6, inet │ all │
├─────────┼───────┼────────────────┼─────────────┤
│ │ │ │ │
│dstnat │ -100 │ ip, ip6, inet │ prerouting │
├─────────┼───────┼────────────────┼─────────────┤
│ │ │ │ │
│filter │ 0 │ ip, ip6, inet, │ all │
│ │ │ arp, netdev │ │
├─────────┼───────┼────────────────┼─────────────┤
│ │ │ │ │
│security │ 50 │ ip, ip6, inet │ all │
├─────────┼───────┼────────────────┼─────────────┤
│ │ │ │ │
│srcnat │ 100 │ ip, ip6, inet │ postrouting │
└─────────┴───────┴────────────────┴─────────────┘
Standard priority names and hook compatibility for the bridge family
┌───────┬───────┬─────────────┐
│ │ │ │
│Name │ Value │ Hooks │
├───────┼───────┼─────────────┤
│ │ │ │
│dstnat │ -300 │ prerouting │
├───────┼───────┼─────────────┤
│ │ │ │
│filter │ -200 │ all │
├───────┼───────┼─────────────┤
│ │ │ │
│out │ 100 │ output │
├───────┼───────┼─────────────┤
│ │ │ │
│srcnat │ 300 │ postrouting │
└───────┴───────┴─────────────┘
This can be also applied for flowtables wher it works as a netdev family
chain.
Example:
nft> add table ip x
nft> add chain ip x y { type filter hook prerouting priority raw; }
nft> add chain ip x z { type filter hook prerouting priority mangle + 1; }
nft> add chain ip x w { type filter hook prerouting priority dstnat - 5; }
nft> add chain ip x r { type filter hook prerouting priority filter + 10; }
nft> add chain ip x t { type filter hook prerouting priority security; }
nft> add chain ip x q { type filter hook postrouting priority srcnat + 11; }
nft> add chain ip x h { type filter hook prerouting priority 15; }
nft>
nft> add flowtable ip x y { hook ingress priority filter + 5 ; devices = {enp0s31f6}; }
nft>
nft> add table arp x
nft> add chain arp x y { type filter hook input priority filter + 5; }
nft>
nft> add table bridge x
nft> add chain bridge x y { type filter hook input priority filter + 9; }
nft> add chain bridge x z { type filter hook prerouting priority dstnat; }
nft> add chain bridge x q { type filter hook postrouting priority srcnat; }
nft> add chain bridge x k { type filter hook output priority out; }
nft>
nft> list ruleset
table ip x {
flowtable y {
hook ingress priority filter + 5
devices = { enp0s31f6 }
}
chain y {
type filter hook prerouting priority raw; policy accept;
}
chain z {
type filter hook prerouting priority mangle + 1; policy accept;
}
chain w {
type filter hook prerouting priority dstnat - 5; policy accept;
}
chain r {
type filter hook prerouting priority filter + 10; policy accept;
}
chain t {
type filter hook prerouting priority security; policy accept;
}
chain q {
type filter hook postrouting priority 111; policy accept;
}
chain h {
type filter hook prerouting priority 15; policy accept;
}
}
table arp x {
chain y {
type filter hook input priority filter + 5; policy accept;
}
}
table bridge x {
chain y {
type filter hook input priority filter + 9; policy accept;
}
chain z {
type filter hook prerouting priority dstnat; policy accept;
}
chain q {
type filter hook postrouting priority srcnat; policy accept;
}
chain k {
type filter hook output priority out; policy accept;
}
}
nft> # Everything should fail after this
nft> add chain ip x h { type filter hook prerouting priority first; }
Error: 'first' is invalid priority in this context.
add chain ip x h { type filter hook prerouting priority first; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
nft> add chain ip x q { type filter hook prerouting priority srcnat + 11; }
Error: 'srcnat' is invalid priority in this context.
add chain ip x q { type filter hook prerouting priority srcnat + 11; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
nft> add chain arp x y { type filter hook input priority raw; }
Error: 'raw' is invalid priority in this context.
add chain arp x y { type filter hook input priority raw; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
nft> add flowtable ip x y { hook ingress priority magle; devices = {enp0s31f6}; }
Error: 'magle' is invalid priority.
add flowtable ip x y { hook ingress priority magle; devices = {enp0s31f6}; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
nft> add chain bridge x r { type filter hook postrouting priority dstnat; }
Error: 'dstnat' is invalid priority in this context.
add chain bridge x r { type filter hook postrouting priority dstnat; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
nft> add chain bridge x t { type filter hook prerouting priority srcnat; }
Error: 'srcnat' is invalid priority in this context.
add chain bridge x t { type filter hook prerouting priority srcnat; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
If there is no basechain, the validation is never exercised.
Too deep nested chains are fine as long as they are not connected to a
basechain.
Update test to add a basechain so we exercise validation.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
So the following rule to set the conntrack mark based on the OS passive
recognition works:
# nft add rule x y ct mark set osf name map { "Windows" : 1, "MacOs" : 2 }
Fixes: 9f28b685b473 ("src: introduce passive OS fingerprint matching")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This can be used like ct mark or meta mark except it cannot be set. doc
and tests are included.
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
got following bug report:
nft add ... ct mark set mark and 0x10
... always sets 0.
What reporter meant to write instead was 'ct mark', not 'mark'.
We can't just remove support for 'mark' and force
'meta mark', but we can start to discourage it by printing meta prefix too.
Later on, we could start to print deprecation warning if needed.
Followup patch can also change
"iifname" etc. to "meta iifname".
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
kernel currently permits chains with same name when a transaction renames
2 chains to the same new name. Add a test case for this.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Original script from Taehee Yoo.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Add tests for listing specific object for a given table name and all
objects of a table.
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
error was:
nft create set inet filter keepalived_ranges4 { type inet_service . ifname \; }
Error: Empty string is not allowed
This was fixed in
6b00b9537e181 ("evaluate: skip evaluation of datatype concatenations").
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Default not to print the service name as we discussed during the NFWS.
# nft list ruleset
table ip x {
chain y {
tcp dport 22
ip saddr 1.1.1.1
}
}
# nft -l list ruleset
table ip x {
chain y {
tcp dport ssh
ip saddr 1.1.1.1
}
}
# nft -ll list ruleset
table ip x {
chain y {
tcp dport 22
ip saddr 1dot1dot1dot1.cloudflare-dns.com
}
}
Then, -ll displays FQDN. just like the (now deprecated) --ip2name (-N)
option.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Shell prompt ends with:
"%", indicates a C shell.
"$", indicates shell that's compatible with the Bash.
"#", indicates shell is running as the system's root.
So, "%" is replaced with "$" or "#".
Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The original intent was to fix a bug: The following rule in inet table:
| meta nfproto ipv4 icmpv6 type echo-reply
Was added correctly but when printing the meta match was falsely
removed. The fix is to deny dependency killing if RHS family of nfproto
match doesn't match RHS family of l4proto match. Adding this to the
already large conditional led to even more unreadable code, therefore
this patch tries to clean that up (and also removes the partial code
duplication.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
| |
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Move import and use explicit parameter in object creation.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
We need to signal the kernel to use a set backend that supports dynamic
updates.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
JSON equivalent of fwd statement was too primitive to support the added
address and family parameters, so make its value an object and accept
the device expression as value of a "dev" property in there. Then add
optional "addr" and "family" properties to it.
While being at it, add a testcase to make sure the extended syntax works
right.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Changing the reference lines is not enough, the actual JSON has to be
adjusted as well. Since after the changes output for ip/flowtable.t is
now symmetric, ip/flowtable.t.json.output can be removed.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This way JSON format is more consistent with the standard one.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
4s5ms gets rounded to 4s8ms with HZ=250, which is a common setting.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
bash 4.3.30 removes newlines in RULESET when "" are omitted, which
then causes nft -f to complain about invalid syntax.
As a result, all test cases that use this here-doc style fail.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pablo reports set test fails with HZ=250, as it lists "324ms" instead
of "321". This is because of rounding errors that occur when converting
from user-side millisecond scale to kernel-internal jiffies one.
use 100ms for now to avoid this error.
Alternatives would be to store use-provided value in kernel or to avoid
the conversions; this would require a change to make timeout independent from
jiffies on kernel side.
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Two reports point to a crash in nft when 'flush' is provided
on existing ruleset. In that case, nft will crash with a null-ptr
dereference.
"evaluate: do not inconditionally update cache from flush command"
causes the commit to fail due to a cache inconsistency, we then trip
over NULL location->indesc. Cause of 2nd bug not known yet, not sure
how to fix cache issue either, so only adding reproducer so this can be
fixed later.
Without erec bug, the (errnoeous) error message would be
Could not process rule: File exists
Reported-by: Oleksandr Natalenko <oleksandr@natalenko.name>
Reported-by: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
| |
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This is implemented via a pseudo log level. The kernel ignores any other
parameter, so reject those at evaluation stage. Audit logging is
therefore simply a matter of:
| log level audit
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
The output differs from input in added size property.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This adds the missing JSON variant for the two rules which are supposed
to work.
Fixes: 2efbdf7b8fcf7 ("tests: py: allow to specify sets with a timeout")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Commit 71624f25f22b1 ("tests: py: add expires tests with different time
bases") removed two testcases and added five other ones, adjust JSON
equivalent and recorded output to those changes.
Fixes: 71624f25f22b1 ("tests: py: add expires tests with different time bases")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* There is no need to prefix element-specific properties with 'elem_',
they can't conflict.
* In json_parse_set_stmt(), searching for above properties is pointless
since that's already done by called function.
* Fix potential NULL-pointer deref in json_parse_set_elem_expr_stmt():
json_parse_flagged_expr() may return NULL.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
First of all, don't print the position property when listing rules. This
was there only because libnftnl JSON output has it too, but since the
preferred way to *add* a rule at some location is via 'handle' keyword,
keeping "position" in output would be non-intuitive. Changing "position"
property name to "handle" instead is also a no-go since that would clash
with the real rule handle.
Secondly, turn all handle output on regardless of octx->handle setting.
For a programmatic API like JSON, this should be fine.
Thirdly, fix rule locations when parsing JSON: Respect "handle" property
for CMD_INSERT and CMD_ADD and ignore "pos" at all (actually even a
typo, should have read "position"). Also support "index" property
recently added to standard syntax.
Finally, adjust nft-test.py for the above changes: There is no
"position" property to drop from rule output, and "handle" property will
always be present.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
