summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--.gitignore9
-rw-r--r--doc/nft.txt40
-rw-r--r--doc/primary-expression.txt7
-rw-r--r--include/Makefile.am1
-rw-r--r--include/cmd.h7
-rw-r--r--include/expression.h4
-rw-r--r--include/linux/netfilter/nf_tables.h47
-rw-r--r--include/list.h11
-rw-r--r--include/mnl.h27
-rw-r--r--include/netlink.h20
-rw-r--r--include/nftables.h5
-rw-r--r--include/parser.h2
-rw-r--r--include/rule.h20
-rw-r--r--include/statement.h1
-rw-r--r--src/Makefile.am1
-rw-r--r--src/cmd.c159
-rw-r--r--src/datatype.c33
-rw-r--r--src/evaluate.c181
-rw-r--r--src/expression.c171
-rw-r--r--src/json.c19
-rw-r--r--src/libnftables.c6
-rw-r--r--src/mnl.c326
-rw-r--r--src/monitor.c3
-rw-r--r--src/netlink.c127
-rw-r--r--src/netlink_delinearize.c131
-rw-r--r--src/netlink_linearize.c83
-rw-r--r--src/parser_bison.y71
-rw-r--r--src/rule.c25
-rw-r--r--src/scanner.l74
-rw-r--r--src/segtree.c117
-rw-r--r--src/statement.c3
-rwxr-xr-xtests/json_echo/run-test.py25
-rwxr-xr-xtests/monitor/run-tests.sh4
-rw-r--r--tests/py/any/ct.t1
-rw-r--r--tests/py/any/ct.t.json51
-rw-r--r--tests/py/any/ct.t.payload21
-rw-r--r--tests/py/inet/meta.t1
-rw-r--r--tests/py/inet/meta.t.json22
-rw-r--r--tests/py/inet/meta.t.payload6
-rw-r--r--tests/py/ip/meta.t.json35
-rw-r--r--tests/py/ip6/meta.t.json35
-rwxr-xr-xtests/py/nft-test.py22
-rwxr-xr-xtests/shell/testcases/chains/0040mark_shift_011
-rwxr-xr-xtests/shell/testcases/chains/0040mark_shift_111
-rw-r--r--tests/shell/testcases/chains/dumps/0040mark_shift_0.nft6
-rw-r--r--tests/shell/testcases/chains/dumps/0040mark_shift_1.nft6
-rwxr-xr-xtests/shell/testcases/include/0017glob_more_than_maxdepth_139
-rwxr-xr-xtests/shell/testcases/include/0018include_error_034
-rwxr-xr-xtests/shell/testcases/include/0019include_error_063
-rw-r--r--tests/shell/testcases/maps/dumps/nat_addr_port.nft129
-rw-r--r--tests/shell/testcases/maps/dumps/typeof_maps_update_0.nft21
-rwxr-xr-xtests/shell/testcases/maps/nat_addr_port207
-rwxr-xr-xtests/shell/testcases/maps/typeof_maps_update_028
-rwxr-xr-xtests/shell/testcases/sets/0025anonymous_set_02
-rwxr-xr-xtests/shell/testcases/sets/0034get_element_02
-rwxr-xr-xtests/shell/testcases/sets/0043concatenated_ranges_0180
-rw-r--r--tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft2
57 files changed, 2345 insertions, 350 deletions
diff --git a/.gitignore b/.gitignore
index 2cb1e2af..6b37b123 100644
--- a/.gitignore
+++ b/.gitignore
@@ -19,3 +19,12 @@ libtool
# Debian package build temporary files
build-stamp
+
+# Tag files for Vim and Emacs.
+TAGS
+tags
+
+# Emacs back-up files.
+*~
+\#*\#
+.\#*
diff --git a/doc/nft.txt b/doc/nft.txt
index 45350253..ba0c8c0b 100644
--- a/doc/nft.txt
+++ b/doc/nft.txt
@@ -507,8 +507,6 @@ be tuned with the flags that can be specified at set creation time.
*delete*:: Delete the specified set.
*list*:: Display the elements in the specified set.
*flush*:: Remove all elements from the specified set.
-*add element*:: Comma-separated list of elements to add into the specified set.
-*delete element*:: Comma-separated list of elements to delete from the specified set.
.Set specifications
[options="header"]
@@ -550,7 +548,6 @@ MAPS
*add map* ['family'] 'table' 'map' *{ type* 'type' | *typeof* 'expression' [*flags* 'flags' *;*] [*elements = {* 'element'[*,* ...] *} ;*] [*size* 'size' *;*] [*policy* 'policy' *;*] *}*
{*delete* | *list* | *flush*} *map* ['family'] 'table' 'map'
*list maps* ['family']
-{*add* | *delete*} *element* ['family'] 'table' 'map' *{ elements = {* 'element'[*,* ...] *} ; }*
Maps store data based on some specific key used as input. They are uniquely identified by a user-defined name and attached to tables.
@@ -587,6 +584,43 @@ string: performance [default], memory
|=================
+ELEMENTS
+--------
+[verse]
+____
+{*add* | *create* | *delete* | *get* } *element* ['family'] 'table' 'set' *{* 'ELEMENT'[*,* ...] *}*
+
+'ELEMENT' := 'key_expression' 'OPTIONS' [*:* 'value_expression']
+'OPTIONS' := [*timeout* 'TIMESPEC'] [*expires* 'TIMESPEC'] [*comment* 'string']
+'TIMESPEC' := ['num'*d*]['num'*h*]['num'*m*]['num'[*s*]]
+____
+Element-related commands allow to change contents of named sets and maps.
+'key_expression' is typically a value matching the set type.
+'value_expression' is not allowed in sets but mandatory when adding to maps, where it
+matches the data part in it's type definition. When deleting from maps, it may
+be specified but is optional as 'key_expression' uniquely identifies the
+element.
+
+*create* command is similar to *add* with the exception that none of the
+listed elements may already exist.
+
+*get* command is useful to check if an element is contained in a set which may
+be non-trivial in very large and/or interval sets. In the latter case, the
+containing interval is returned instead of just the element itself.
+
+.Element options
+[options="header"]
+|=================
+|Option | Description
+|timeout |
+timeout value for sets/maps with flag *timeout*
+|expires |
+the time until given element expires, useful for ruleset replication only
+|comment |
+per element comment field
+|=================
+
+
FLOWTABLES
-----------
[verse]
diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index 94eccc20..b5488790 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -36,6 +36,13 @@ add such a rule, it will stop matching if the interface gets renamed and it
will match again in case interface gets deleted and later a new interface
with the same name is created.
+Like with iptables, wildcard matching on interface name prefixes is available for
+*iifname* and *oifname* matches by appending an asterisk (*) character. Note
+however that unlike iptables, nftables does not accept interface names
+consisting of the wildcard character only - users are supposed to just skip
+those always matching expressions. In order to match on literal asterisk
+character, one may escape it using backslash (\).
+
.Meta expression types
[options="header"]
|==================
diff --git a/include/Makefile.am b/include/Makefile.am
index 04a4a619..42f24f35 100644
--- a/include/Makefile.am
+++ b/include/Makefile.am
@@ -3,6 +3,7 @@ SUBDIRS = linux \
noinst_HEADERS = cli.h \
cache.h \
+ cmd.h \
datatype.h \
expression.h \
fib.h \
diff --git a/include/cmd.h b/include/cmd.h
new file mode 100644
index 00000000..27fa6087
--- /dev/null
+++ b/include/cmd.h
@@ -0,0 +1,7 @@
+#ifndef _NFT_CMD_H_
+#define _NFT_CMD_H_
+
+void nft_cmd_error(struct netlink_ctx *ctx, struct cmd *cmd,
+ struct mnl_err *err);
+
+#endif
diff --git a/include/expression.h b/include/expression.h
index b3e79c49..62fbbbb5 100644
--- a/include/expression.h
+++ b/include/expression.h
@@ -72,6 +72,7 @@ enum expr_types {
EXPR_FIB,
EXPR_XFRM,
};
+#define EXPR_MAX EXPR_XFRM
enum ops {
OP_INVALID,
@@ -261,6 +262,8 @@ struct expr {
struct list_head expressions;
unsigned int size;
uint32_t set_flags;
+ uint8_t field_len[NFT_REG32_COUNT];
+ uint8_t field_count;
};
struct {
/* EXPR_SET_REF */
@@ -463,6 +466,7 @@ extern int set_to_intervals(struct list_head *msgs, struct set *set,
struct expr *init, bool add,
unsigned int debug_mask, bool merge,
struct output_ctx *octx);
+extern void concat_range_aggregate(struct expr *set);
extern void interval_map_decompose(struct expr *set);
extern struct expr *get_set_intervals(const struct set *set,
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index c556ccd3..065218a2 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -48,6 +48,7 @@ enum nft_registers {
#define NFT_REG_SIZE 16
#define NFT_REG32_SIZE 4
+#define NFT_REG32_COUNT (NFT_REG32_15 - NFT_REG32_00 + 1)
/**
* enum nft_verdicts - nf_tables internal verdicts
@@ -144,12 +145,14 @@ enum nft_list_attributes {
* @NFTA_HOOK_HOOKNUM: netfilter hook number (NLA_U32)
* @NFTA_HOOK_PRIORITY: netfilter hook priority (NLA_U32)
* @NFTA_HOOK_DEV: netdevice name (NLA_STRING)
+ * @NFTA_HOOK_DEVS: list of netdevices (NLA_NESTED)
*/
enum nft_hook_attributes {
NFTA_HOOK_UNSPEC,
NFTA_HOOK_HOOKNUM,
NFTA_HOOK_PRIORITY,
NFTA_HOOK_DEV,
+ NFTA_HOOK_DEVS,
__NFTA_HOOK_MAX
};
#define NFTA_HOOK_MAX (__NFTA_HOOK_MAX - 1)
@@ -299,15 +302,29 @@ enum nft_set_policies {
* enum nft_set_desc_attributes - set element description
*
* @NFTA_SET_DESC_SIZE: number of elements in set (NLA_U32)
+ * @NFTA_SET_DESC_CONCAT: description of field concatenation (NLA_NESTED)
*/
enum nft_set_desc_attributes {
NFTA_SET_DESC_UNSPEC,
NFTA_SET_DESC_SIZE,
+ NFTA_SET_DESC_CONCAT,
__NFTA_SET_DESC_MAX
};
#define NFTA_SET_DESC_MAX (__NFTA_SET_DESC_MAX - 1)
/**
+ * enum nft_set_field_attributes - attributes of concatenated fields
+ *
+ * @NFTA_SET_FIELD_LEN: length of single field, in bits (NLA_U32)
+ */
+enum nft_set_field_attributes {
+ NFTA_SET_FIELD_UNSPEC,
+ NFTA_SET_FIELD_LEN,
+ __NFTA_SET_FIELD_MAX
+};
+#define NFTA_SET_FIELD_MAX (__NFTA_SET_FIELD_MAX - 1)
+
+/**
* enum nft_set_attributes - nf_tables set netlink attributes
*
* @NFTA_SET_TABLE: table name (NLA_STRING)
@@ -368,6 +385,7 @@ enum nft_set_elem_flags {
* @NFTA_SET_ELEM_USERDATA: user data (NLA_BINARY)
* @NFTA_SET_ELEM_EXPR: expression (NLA_NESTED: nft_expr_attributes)
* @NFTA_SET_ELEM_OBJREF: stateful object reference (NLA_STRING)
+ * @NFTA_SET_ELEM_KEY_END: closing key value (NLA_NESTED: nft_data)
*/
enum nft_set_elem_attributes {
NFTA_SET_ELEM_UNSPEC,
@@ -380,6 +398,7 @@ enum nft_set_elem_attributes {
NFTA_SET_ELEM_EXPR,
NFTA_SET_ELEM_PAD,
NFTA_SET_ELEM_OBJREF,
+ NFTA_SET_ELEM_KEY_END,
__NFTA_SET_ELEM_MAX
};
#define NFTA_SET_ELEM_MAX (__NFTA_SET_ELEM_MAX - 1)
@@ -483,6 +502,20 @@ enum nft_immediate_attributes {
#define NFTA_IMMEDIATE_MAX (__NFTA_IMMEDIATE_MAX - 1)
/**
+ * enum nft_bitwise_ops - nf_tables bitwise operations
+ *
+ * @NFT_BITWISE_BOOL: mask-and-xor operation used to implement NOT, AND, OR and
+ * XOR boolean operations
+ * @NFT_BITWISE_LSHIFT: left-shift operation
+ * @NFT_BITWISE_RSHIFT: right-shift operation
+ */
+enum nft_bitwise_ops {
+ NFT_BITWISE_BOOL,
+ NFT_BITWISE_LSHIFT,
+ NFT_BITWISE_RSHIFT,
+};
+
+/**
* enum nft_bitwise_attributes - nf_tables bitwise expression netlink attributes
*
* @NFTA_BITWISE_SREG: source register (NLA_U32: nft_registers)
@@ -490,16 +523,20 @@ enum nft_immediate_attributes {
* @NFTA_BITWISE_LEN: length of operands (NLA_U32)
* @NFTA_BITWISE_MASK: mask value (NLA_NESTED: nft_data_attributes)
* @NFTA_BITWISE_XOR: xor value (NLA_NESTED: nft_data_attributes)
+ * @NFTA_BITWISE_OP: type of operation (NLA_U32: nft_bitwise_ops)
+ * @NFTA_BITWISE_DATA: argument for non-boolean operations
+ * (NLA_NESTED: nft_data_attributes)
*
- * The bitwise expression performs the following operation:
+ * The bitwise expression supports boolean and shift operations. It implements
+ * the boolean operations by performing the following operation:
*
* dreg = (sreg & mask) ^ xor
*
- * which allow to express all bitwise operations:
+ * with these mask and xor values:
*
* mask xor
* NOT: 1 1
- * OR: 0 x
+ * OR: ~x x
* XOR: 1 x
* AND: x 0
*/
@@ -510,6 +547,8 @@ enum nft_bitwise_attributes {
NFTA_BITWISE_LEN,
NFTA_BITWISE_MASK,
NFTA_BITWISE_XOR,
+ NFTA_BITWISE_OP,
+ NFTA_BITWISE_DATA,
__NFTA_BITWISE_MAX
};
#define NFTA_BITWISE_MAX (__NFTA_BITWISE_MAX - 1)
@@ -1520,6 +1559,7 @@ enum nft_object_attributes {
* @NFTA_FLOWTABLE_HOOK: netfilter hook configuration(NLA_U32)
* @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32)
* @NFTA_FLOWTABLE_HANDLE: object handle (NLA_U64)
+ * @NFTA_FLOWTABLE_FLAGS: flags (NLA_U32)
*/
enum nft_flowtable_attributes {
NFTA_FLOWTABLE_UNSPEC,
@@ -1529,6 +1569,7 @@ enum nft_flowtable_attributes {
NFTA_FLOWTABLE_USE,
NFTA_FLOWTABLE_HANDLE,
NFTA_FLOWTABLE_PAD,
+ NFTA_FLOWTABLE_FLAGS,
__NFTA_FLOWTABLE_MAX
};
#define NFTA_FLOWTABLE_MAX (__NFTA_FLOWTABLE_MAX - 1)
diff --git a/include/list.h b/include/list.h
index 75d29212..9c4da817 100644
--- a/include/list.h
+++ b/include/list.h
@@ -33,6 +33,17 @@ static inline void init_list_head(struct list_head *list)
list->prev = list;
}
+/**
+ * list_is_first -- tests whether @list is the first entry in list @head
+ * @list: the entry to test
+ * @head: the head of the list
+ */
+static inline int list_is_first(const struct list_head *list,
+ const struct list_head *head)
+{
+ return list->prev == head;
+}
+
/*
* Insert a new entry between two known consecutive entries.
*
diff --git a/include/mnl.h b/include/mnl.h
index eeba7379..74b1b56f 100644
--- a/include/mnl.h
+++ b/include/mnl.h
@@ -16,6 +16,7 @@ struct mnl_err {
struct list_head head;
int err;
uint32_t seqnum;
+ uint32_t offset;
};
void mnl_err_list_free(struct mnl_err *err);
@@ -28,33 +29,33 @@ void mnl_batch_end(struct nftnl_batch *batch, uint32_t seqnum);
int mnl_batch_talk(struct netlink_ctx *ctx, struct list_head *err_list,
uint32_t num_cmds);
-int mnl_nft_rule_add(struct netlink_ctx *ctx, const struct cmd *cmd,
+int mnl_nft_rule_add(struct netlink_ctx *ctx, struct cmd *cmd,
unsigned int flags);
-int mnl_nft_rule_del(struct netlink_ctx *ctx, const struct cmd *cmd);
-int mnl_nft_rule_replace(struct netlink_ctx *ctx, const struct cmd *cmd);
+int mnl_nft_rule_del(struct netlink_ctx *ctx, struct cmd *cmd);
+int mnl_nft_rule_replace(struct netlink_ctx *ctx, struct cmd *cmd);
struct nftnl_rule_list *mnl_nft_rule_dump(struct netlink_ctx *ctx,
int family);
-int mnl_nft_chain_add(struct netlink_ctx *ctx, const struct cmd *cmd,
+int mnl_nft_chain_add(struct netlink_ctx *ctx, struct cmd *cmd,
unsigned int flags);
-int mnl_nft_chain_del(struct netlink_ctx *ctx, const struct cmd *cmd);
+int mnl_nft_chain_del(struct netlink_ctx *ctx, struct cmd *cmd);
int mnl_nft_chain_rename(struct netlink_ctx *ctx, const struct cmd *cmd,
const struct chain *chain);
struct nftnl_chain_list *mnl_nft_chain_dump(struct netlink_ctx *ctx,
int family);
-int mnl_nft_table_add(struct netlink_ctx *ctx, const struct cmd *cmd,
+int mnl_nft_table_add(struct netlink_ctx *ctx, struct cmd *cmd,
unsigned int flags);
-int mnl_nft_table_del(struct netlink_ctx *ctx, const struct cmd *cmd);
+int mnl_nft_table_del(struct netlink_ctx *ctx, struct cmd *cmd);
struct nftnl_table_list *mnl_nft_table_dump(struct netlink_ctx *ctx,
int family);
-int mnl_nft_set_add(struct netlink_ctx *ctx, const struct cmd *cmd,
+int mnl_nft_set_add(struct netlink_ctx *ctx, struct cmd *cmd,
unsigned int flags);
-int mnl_nft_set_del(struct netlink_ctx *ctx, const struct cmd *cmd);
+int mnl_nft_set_del(struct netlink_ctx *ctx, struct cmd *cmd);
struct nftnl_set_list *mnl_nft_set_dump(struct netlink_ctx *ctx, int family,
const char *table);
@@ -71,16 +72,16 @@ struct nftnl_obj_list *mnl_nft_obj_dump(struct netlink_ctx *ctx, int family,
const char *table,
const char *name, uint32_t type,
bool dump, bool reset);
-int mnl_nft_obj_add(struct netlink_ctx *ctx, const struct cmd *cmd,
+int mnl_nft_obj_add(struct netlink_ctx *ctx, struct cmd *cmd,
unsigned int flags);
-int mnl_nft_obj_del(struct netlink_ctx *ctx, const struct cmd *cmd, int type);
+int mnl_nft_obj_del(struct netlink_ctx *ctx, struct cmd *cmd, int type);
struct nftnl_flowtable_list *
mnl_nft_flowtable_dump(struct netlink_ctx *ctx, int family, const char *table);
-int mnl_nft_flowtable_add(struct netlink_ctx *ctx, const struct cmd *cmd,
+int mnl_nft_flowtable_add(struct netlink_ctx *ctx, struct cmd *cmd,
unsigned int flags);
-int mnl_nft_flowtable_del(struct netlink_ctx *ctx, const struct cmd *cmd);
+int mnl_nft_flowtable_del(struct netlink_ctx *ctx, struct cmd *cmd);
int mnl_nft_event_listener(struct mnl_socket *nf_sock, unsigned int debug_mask,
struct output_ctx *octx,
diff --git a/include/netlink.h b/include/netlink.h
index d02533ec..c2eb8949 100644
--- a/include/netlink.h
+++ b/include/netlink.h
@@ -16,6 +16,22 @@
#define MAX_REGS (1 + NFT_REG32_15 - NFT_REG32_00)
+#ifndef NETLINK_EXT_ACK
+#define NETLINK_EXT_ACK 11
+
+enum nlmsgerr_attrs {
+ NLMSGERR_ATTR_UNUSED,
+ NLMSGERR_ATTR_MSG,
+ NLMSGERR_ATTR_OFFS,
+ NLMSGERR_ATTR_COOKIE,
+
+ __NLMSGERR_ATTR_MAX,
+ NLMSGERR_ATTR_MAX = __NLMSGERR_ATTR_MAX - 1
+};
+#define NLM_F_CAPPED 0x100 /* request was capped */
+#define NLM_F_ACK_TLVS 0x200 /* extended ACK TVLs were included */
+#endif
+
struct netlink_parse_ctx {
struct list_head *msgs;
struct table *table;
@@ -176,6 +192,10 @@ struct netlink_mon_handler {
extern int netlink_monitor(struct netlink_mon_handler *monhandler,
struct mnl_socket *nf_sock);
+struct netlink_cb_data {
+ struct netlink_ctx *nl_ctx;
+ struct list_head *err_list;
+};
int netlink_echo_callback(const struct nlmsghdr *nlh, void *data);
struct ruleset_parse {
diff --git a/include/nftables.h b/include/nftables.h
index 90d33196..3556728d 100644
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -122,7 +122,6 @@ struct nft_ctx {
void *scanner;
struct scope *top_scope;
void *json_root;
- FILE *f[MAX_INCLUDE_DEPTH];
};
enum nftables_exit_codes {
@@ -176,6 +175,8 @@ enum input_descriptor_types {
* struct input_descriptor
*
* @location: location, used for include statements
+ * @f: file descriptor
+ * @depth: include depth of the descriptor
* @type: input descriptor type
* @name: name describing the input
* @union: buffer or file descriptor, depending on type
@@ -186,6 +187,8 @@ enum input_descriptor_types {
*/
struct input_descriptor {
struct list_head list;
+ FILE *f;
+ unsigned int depth;
struct location location;
enum input_descriptor_types type;
const char *name;
diff --git a/include/parser.h b/include/parser.h
index 949284d9..636d1c88 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -15,8 +15,6 @@
struct parser_state {
struct input_descriptor *indesc;
- struct input_descriptor *indescs[MAX_INCLUDE_DEPTH];
- unsigned int indesc_idx;
struct list_head indesc_list;
struct list_head *msgs;
diff --git a/include/rule.h b/include/rule.h
index d5b31765..ced63f3e 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -289,7 +289,9 @@ extern struct rule *rule_lookup_by_index(const struct chain *chain,
* @rg_cache: cached range element (left)
* @policy: set mechanism policy
* @automerge: merge adjacents and overlapping elements, if possible
- * @desc: set mechanism desc
+ * @desc.size: count of set elements
+ * @desc.field_len: length of single concatenated fields, bytes
+ * @desc.field_count: count of concatenated fields
*/
struct set {
struct list_head list;
@@ -310,6 +312,8 @@ struct set {
bool key_typeof_valid;
struct {
uint32_t size;
+ uint8_t field_len[NFT_REG32_COUNT];
+ uint8_t field_count;
} desc;
};
@@ -368,6 +372,11 @@ static inline bool set_is_interval(uint32_t set_flags)
return set_flags & NFT_SET_INTERVAL;
}
+static inline bool set_is_non_concat_range(struct set *s)
+{
+ return (s->flags & NFT_SET_INTERVAL) && s->desc.field_count <= 1;
+}
+
#include <statement.h>
struct counter {
@@ -626,6 +635,8 @@ struct monitor {
struct monitor *monitor_alloc(uint32_t format, uint32_t type, const char *event);
void monitor_free(struct monitor *m);
+#define NFT_NLATTR_LOC_MAX 8
+
/**
* struct cmd - command statement
*
@@ -657,6 +668,11 @@ struct cmd {
struct markup *markup;
struct obj *object;
};
+ struct {
+ uint16_t offset;
+ struct location *location;
+ } attr[NFT_NLATTR_LOC_MAX];
+ int num_attrs;
const void *arg;
};
@@ -669,6 +685,8 @@ extern struct cmd *cmd_alloc_obj_ct(enum cmd_ops op, int type,
const struct location *loc, struct obj *obj);
extern void cmd_free(struct cmd *cmd);
+void cmd_add_loc(struct cmd *cmd, uint16_t offset, struct location *loc);
+
#include <payload.h>
#include <expression.h>
diff --git a/include/statement.h b/include/statement.h
index 585908de..8fb459ca 100644
--- a/include/statement.h
+++ b/include/statement.h
@@ -125,6 +125,7 @@ struct nat_stmt {
struct expr *proto;
uint32_t flags;
uint8_t family;
+ bool ipportmap;
};
extern struct stmt *nat_stmt_alloc(const struct location *loc,
diff --git a/src/Makefile.am b/src/Makefile.am
index 740c21f2..9142ab44 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -32,6 +32,7 @@ libnftables_la_SOURCES = \
rule.c \
statement.c \
cache.c \
+ cmd.c \
datatype.c \
expression.c \
evaluate.c \
diff --git a/src/cmd.c b/src/cmd.c
new file mode 100644
index 00000000..c8ea4492
--- /dev/null
+++ b/src/cmd.c
@@ -0,0 +1,159 @@
+#include <erec.h>
+#include <mnl.h>
+#include <cmd.h>
+#include <parser.h>
+#include <utils.h>
+#include <iface.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <string.h>
+
+static int nft_cmd_enoent_table(struct netlink_ctx *ctx, const struct cmd *cmd,
+ struct location *loc)
+{
+ struct table *table;
+
+ table = table_lookup_fuzzy(&cmd->handle, &ctx->nft->cache);
+ if (!table)
+ return 0;
+
+ netlink_io_error(ctx, loc, "%s; did you mean table ‘%s’ in family %s?",
+ strerror(ENOENT), table->handle.table.name,
+ family2str(table->handle.family));
+ return 1;
+}
+
+static int nft_cmd_enoent_chain(struct netlink_ctx *ctx, const struct cmd *cmd,
+ struct location *loc)
+{
+ const struct table *table;
+ struct chain *chain;
+
+ chain = chain_lookup_fuzzy(&cmd->handle, &ctx->nft->cache, &table);
+ if (!chain)
+ return 0;
+
+ netlink_io_error(ctx, loc, "%s; did you mean table ‘%s’ in family %s?",
+ strerror(ENOENT), chain->handle.chain.name,
+ family2str(table->handle.family),
+ table->handle.table.name);
+ return 1;
+}
+
+static int nft_cmd_enoent_set(struct netlink_ctx *ctx, const struct cmd *cmd,
+ struct location *loc)
+{
+ const struct table *table;
+ struct set *set;
+
+ set = set_lookup_fuzzy(cmd->handle.set.name, &ctx->nft->cache, &table);
+ if (!set)
+ return 0;
+
+ netlink_io_error(ctx, loc, "%s; did you mean %s ‘%s’ in table %s ‘%s’?",
+ strerror(ENOENT),
+ set_is_map(set->flags) ? "map" : "set",
+ set->handle.set.name,
+ family2str(set->handle.family),
+ table->handle.table.name);
+ return 1;
+}
+
+static int nft_cmd_enoent_obj(struct netlink_ctx *ctx, const struct cmd *cmd,
+ struct location *loc)
+{
+ const struct table *table;
+ struct obj *obj;
+
+ obj = obj_lookup_fuzzy(cmd->handle.obj.name, &ctx->nft->cache, &table);
+ if (!obj)
+ return 0;
+
+ netlink_io_error(ctx, loc, "%s; did you mean obj ‘%s’ in table %s ‘%s’?",
+ strerror(ENOENT), obj->handle.obj.name,
+ family2str(obj->handle.family),
+ table->handle.table.name);
+ return 1;
+}
+
+static int nft_cmd_enoent_flowtable(struct netlink_ctx *ctx,
+ const struct cmd *cmd, struct location *loc)
+{
+ const struct table *table;
+ struct flowtable *ft;
+
+ ft = flowtable_lookup_fuzzy(cmd->handle.flowtable.name,
+ &ctx->nft->cache, &table);
+ if (!ft)
+ return 0;
+
+ netlink_io_error(ctx, loc, "%s; did you mean flowtable ‘%s’ in table %s ‘%s’?",
+ strerror(ENOENT), ft->handle.flowtable.name,
+ family2str(ft->handle.family),
+ table->handle.table.name);
+ return 1;
+}
+
+static void nft_cmd_enoent(struct netlink_ctx *ctx, const struct cmd *cmd,
+ struct location *loc, int err)
+{
+ int ret = 0;
+
+ switch (cmd->obj) {
+ case CMD_OBJ_TABLE:
+ ret = nft_cmd_enoent_table(ctx, cmd, loc);
+ break;
+ case CMD_OBJ_CHAIN:
+ ret = nft_cmd_enoent_chain(ctx, cmd, loc);
+ break;
+ case CMD_OBJ_SET:
+ ret = nft_cmd_enoent_set(ctx, cmd, loc);
+ break;
+ case CMD_OBJ_COUNTER:
+ case CMD_OBJ_QUOTA:
+ case CMD_OBJ_CT_HELPER:
+ case CMD_OBJ_CT_TIMEOUT:
+ case CMD_OBJ_LIMIT:
+ case CMD_OBJ_SECMARK:
+ case CMD_OBJ_CT_EXPECT:
+ case CMD_OBJ_SYNPROXY:
+ ret = nft_cmd_enoent_obj(ctx, cmd, loc);
+ break;
+ case CMD_OBJ_FLOWTABLE:
+ ret = nft_cmd_enoent_flowtable(ctx, cmd, loc);
+ break;
+ default:
+ break;
+ }
+
+ if (ret)
+ return;
+
+ netlink_io_error(ctx, loc, "Could not process rule: %s", strerror(err));
+}
+
+void nft_cmd_error(struct netlink_ctx *ctx, struct cmd *cmd,
+ struct mnl_err *err)
+{
+ struct location *loc = NULL;
+ int i;
+
+ for (i = 0; i < cmd->num_attrs; i++) {
+ if (!cmd->attr[i].offset)
+ break;
+ if (cmd->attr[i].offset == err->offset)
+ loc = cmd->attr[i].location;
+ }
+
+ if (loc) {
+ if (err->err == ENOENT) {
+ nft_cmd_enoent(ctx, cmd, loc, err->err);
+ return;
+ }
+ } else {
+ loc = &cmd->location;
+ }
+
+ netlink_io_error(ctx, loc, "Could not process rule: %s",
+ strerror(err->err));
+}
diff --git a/src/datatype.c b/src/datatype.c
index 189e1b48..095598d9 100644
--- a/src/datatype.c
+++ b/src/datatype.c
@@ -657,34 +657,13 @@ const struct datatype inet_protocol_type = {
static void inet_service_print(const struct expr *expr, struct output_ctx *octx)
{
- struct sockaddr_in sin = { .sin_family = AF_INET };
- char buf[NI_MAXSERV];
- uint16_t port;
- int err;
-
- sin.sin_port = mpz_get_be16(expr->value);
- err = getnameinfo((struct sockaddr *)&sin, sizeof(sin), NULL, 0,
- buf, sizeof(buf), 0);
- if (err != 0) {
- nft_print(octx, "%u", ntohs(sin.sin_port));
- return;
- }
- port = atoi(buf);
- /* We got a TCP service name string, display it... */
- if (htons(port) != sin.sin_port) {
- nft_print(octx, "\"%s\"", buf);
- return;
- }
+ uint16_t port = mpz_get_be16(expr->value);
+ const struct servent *s = getservbyport(port, NULL);
- /* ...otherwise, this might be a UDP service name. */
- err = getnameinfo((struct sockaddr *)&sin, sizeof(sin), NULL, 0,
- buf, sizeof(buf), NI_DGRAM);
- if (err != 0) {
- /* No service name, display numeric value. */
- nft_print(octx, "%u", ntohs(sin.sin_port));
- return;
- }
- nft_print(octx, "\"%s\"", buf);
+ if (s == NULL)
+ nft_print(octx, "%hu", ntohs(port));
+ else
+ nft_print(octx, "\"%s\"", s->s_name);
}
void inet_service_type_print(const struct expr *expr, struct output_ctx *octx)
diff --git a/src/evaluate.c b/src/evaluate.c
index e7881543..b38ac931 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -136,6 +136,11 @@ static int byteorder_conversion(struct eval_ctx *ctx, struct expr **expr,
if ((*expr)->byteorder == byteorder)
return 0;
+
+ /* Conversion for EXPR_CONCAT is handled for single composing ranges */
+ if ((*expr)->etype == EXPR_CONCAT)
+ return 0;
+
if (expr_basetype(*expr)->type != TYPE_INTEGER)
return expr_error(ctx->msgs, *expr,
"Byteorder mismatch: expected %s, got %s",
@@ -450,7 +455,7 @@ static uint8_t expr_offset_shift(const struct expr *expr, unsigned int offset,
static void expr_evaluate_bits(struct eval_ctx *ctx, struct expr **exprp)
{
- struct expr *expr = *exprp, *and, *mask, *lshift, *off;
+ struct expr *expr = *exprp, *and, *mask, *rshift, *off;
unsigned masklen, len = expr->len, extra_len = 0;
uint8_t shift;
mpz_t bitmask;
@@ -487,15 +492,15 @@ static void expr_evaluate_bits(struct eval_ctx *ctx, struct expr **exprp)
if (shift) {
off = constant_expr_alloc(&expr->location,
expr_basetype(expr),
- BYTEORDER_BIG_ENDIAN,
+ BYTEORDER_HOST_ENDIAN,
sizeof(shift), &shift);
- lshift = binop_expr_alloc(&expr->location, OP_RSHIFT, and, off);
- lshift->dtype = expr->dtype;
- lshift->byteorder = expr->byteorder;
- lshift->len = masklen;
+ rshift = binop_expr_alloc(&expr->location, OP_RSHIFT, and, off);
+ rshift->dtype = expr->dtype;
+ rshift->byteorder = expr->byteorder;
+ rshift->len = masklen;
- *exprp = lshift;
+ *exprp = rshift;
} else
*exprp = and;
@@ -1217,6 +1222,8 @@ static int expr_evaluate_concat(struct eval_ctx *ctx, struct expr **expr,
struct expr *i, *next;
list_for_each_entry_safe(i, next, &(*expr)->expressions, list) {
+ unsigned dsize_bytes;
+
if (expr_is_constant(*expr) && dtype && off == 0)
return expr_binary_error(ctx->msgs, i, *expr,
"unexpected concat component, "
@@ -1241,6 +1248,9 @@ static int expr_evaluate_concat(struct eval_ctx *ctx, struct expr **expr,
i->dtype->name);
ntype = concat_subtype_add(ntype, i->dtype->type);
+
+ dsize_bytes = div_round_up(i->dtype->size, BITS_PER_BYTE);
+ (*expr)->field_len[(*expr)->field_count++] = dsize_bytes;
}
(*expr)->flags |= flags;
@@ -2092,14 +2102,10 @@ static int stmt_prefix_conversion(struct eval_ctx *ctx, struct expr **expr,
return 0;
}
-static int stmt_evaluate_arg(struct eval_ctx *ctx, struct stmt *stmt,
- const struct datatype *dtype, unsigned int len,
- enum byteorder byteorder, struct expr **expr)
+static int __stmt_evaluate_arg(struct eval_ctx *ctx, struct stmt *stmt,
+ const struct datatype *dtype, unsigned int len,
+ enum byteorder byteorder, struct expr **expr)
{
- __expr_set_context(&ctx->ectx, dtype, byteorder, len, 0);
- if (expr_evaluate(ctx, expr) < 0)
- return -1;
-
if ((*expr)->etype == EXPR_PAYLOAD &&
(*expr)->dtype->type == TYPE_INTEGER &&
((*expr)->dtype->type != datatype_basetype(dtype)->type ||
@@ -2137,6 +2143,17 @@ static int stmt_evaluate_arg(struct eval_ctx *ctx, struct stmt *stmt,
return 0;
}
+static int stmt_evaluate_arg(struct eval_ctx *ctx, struct stmt *stmt,
+ const struct datatype *dtype, unsigned int len,
+ enum byteorder byteorder, struct expr **expr)
+{
+ __expr_set_context(&ctx->ectx, dtype, byteorder, len, 0);
+ if (expr_evaluate(ctx, expr) < 0)
+ return -1;
+
+ return __stmt_evaluate_arg(ctx, stmt, dtype, len, byteorder, expr);
+}
+
static int stmt_evaluate_verdict(struct eval_ctx *ctx, struct stmt *stmt)
{
if (stmt_evaluate_arg(ctx, stmt, &verdict_type, 0, 0, &stmt->expr) < 0)
@@ -2340,14 +2357,13 @@ static int stmt_evaluate_meta(struct eval_ctx *ctx, struct stmt *stmt)
static int stmt_evaluate_ct(struct eval_ctx *ctx, struct stmt *stmt)
{
if (stmt_evaluate_arg(ctx, stmt,
- stmt->ct.tmpl->dtype,
- stmt->ct.tmpl->len,
- stmt->ct.tmpl->byteorder,
- &stmt->ct.expr) < 0)
+ stmt->ct.tmpl->dtype,
+ stmt->ct.tmpl->len,
+ stmt->ct.tmpl->byteorder,
+ &stmt->ct.expr) < 0)
return -1;
- if (stmt->ct.key == NFT_CT_SECMARK &&
- expr_is_constant(stmt->ct.expr))
+ if (stmt->ct.key == NFT_CT_SECMARK && expr_is_constant(stmt->ct.expr))
return stmt_error(ctx, stmt,
"ct secmark must not be set to constant value");
@@ -2753,22 +2769,28 @@ static int nat_evaluate_family(struct eval_ctx *ctx, struct stmt *stmt)
}
}
+static const struct datatype *get_addr_dtype(uint8_t family)
+{
+ switch (family) {
+ case NFPROTO_IPV4:
+ return &ipaddr_type;
+ case NFPROTO_IPV6:
+ return &ip6addr_type;
+ }
+
+ return &invalid_type;
+}
+
static int evaluate_addr(struct eval_ctx *ctx, struct stmt *stmt,
struct expr **expr)
{
struct proto_ctx *pctx = &ctx->pctx;
const struct datatype *dtype;
- unsigned int len;
- if (pctx->family == NFPROTO_IPV4) {
- dtype = &ipaddr_type;
- len = 4 * BITS_PER_BYTE;
- } else {
- dtype = &ip6addr_type;
- len = 16 * BITS_PER_BYTE;
- }
+ dtype = get_addr_dtype(pctx->family);
- return stmt_evaluate_arg(ctx, stmt, dtype, len, BYTEORDER_BIG_ENDIAN,
+ return stmt_evaluate_arg(ctx, stmt, dtype, dtype->size,
+ BYTEORDER_BIG_ENDIAN,
expr);
}
@@ -2798,9 +2820,10 @@ static int stmt_evaluate_l3proto(struct eval_ctx *ctx,
(nproto == &proto_ip6 && family != NFPROTO_IPV6))
return stmt_binary_error(ctx, stmt,
&ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR],
- "conflicting protocols specified: %s vs. %s. You must specify ip or ip6 family in tproxy statement",
+ "conflicting protocols specified: %s vs. %s. You must specify ip or ip6 family in %s statement",
ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR].desc->name,
- family2str(stmt->tproxy.family));
+ family2str(family),
+ stmt->ops->name);
return 0;
}
@@ -2809,25 +2832,15 @@ static int stmt_evaluate_addr(struct eval_ctx *ctx, struct stmt *stmt,
struct expr **addr)
{
const struct datatype *dtype;
- unsigned int len;
int err;
if (ctx->pctx.family == NFPROTO_INET) {
- switch (family) {
- case NFPROTO_IPV4:
- dtype = &ipaddr_type;
- len = 4 * BITS_PER_BYTE;
- break;
- case NFPROTO_IPV6:
- dtype = &ip6addr_type;
- len = 16 * BITS_PER_BYTE;
- break;
- default:
+ dtype = get_addr_dtype(family);
+ if (dtype->size == 0)
return stmt_error(ctx, stmt,
"ip or ip6 must be specified with address for inet tables.");
- }
- err = stmt_evaluate_arg(ctx, stmt, dtype, len,
+ err = stmt_evaluate_arg(ctx, stmt, dtype, dtype->size,
BYTEORDER_BIG_ENDIAN, addr);
} else {
err = evaluate_addr(ctx, stmt, addr);
@@ -2836,6 +2849,64 @@ static int stmt_evaluate_addr(struct eval_ctx *ctx, struct stmt *stmt,
return err;
}
+static int stmt_evaluate_nat_map(struct eval_ctx *ctx, struct stmt *stmt)
+{
+ struct expr *one, *two, *data, *tmp;
+ const struct datatype *dtype;
+ int addr_type, err;
+
+ switch (stmt->nat.family) {
+ case NFPROTO_IPV4:
+ addr_type = TYPE_IPADDR;
+ break;
+ case NFPROTO_IPV6:
+ addr_type = TYPE_IP6ADDR;
+ break;
+ default:
+ return -1;
+ }
+ dtype = concat_type_alloc((addr_type << TYPE_BITS) | TYPE_INET_SERVICE);
+
+ expr_set_context(&ctx->ectx, dtype, dtype->size);
+ if (expr_evaluate(ctx, &stmt->nat.addr))
+ return -1;
+
+ data = stmt->nat.addr->mappings->set->data;
+ datatype_set(data, dtype);
+
+ if (expr_ops(data)->type != EXPR_CONCAT)
+ return __stmt_evaluate_arg(ctx, stmt, dtype, dtype->size,
+ BYTEORDER_BIG_ENDIAN,
+ &stmt->nat.addr);
+
+ one = list_first_entry(&data->expressions, struct expr, list);
+ two = list_entry(one->list.next, struct expr, list);
+
+ if (one == two || !list_is_last(&two->list, &data->expressions))
+ return __stmt_evaluate_arg(ctx, stmt, dtype, dtype->size,
+ BYTEORDER_BIG_ENDIAN,
+ &stmt->nat.addr);
+
+ dtype = get_addr_dtype(stmt->nat.family);
+ tmp = one;
+ err = __stmt_evaluate_arg(ctx, stmt, dtype, dtype->size,
+ BYTEORDER_BIG_ENDIAN,
+ &tmp);
+ if (err < 0)
+ return err;
+ if (tmp != one)
+ BUG("Internal error: Unexpected alteration of l3 expression");
+
+ tmp = two;
+ err = nat_evaluate_transport(ctx, stmt, &tmp);
+ if (err < 0)
+ return err;
+ if (tmp != two)
+ BUG("Internal error: Unexpected alteration of l4 expression");
+
+ return err;
+}
+
static int stmt_evaluate_nat(struct eval_ctx *ctx, struct stmt *stmt)
{
int err;
@@ -2849,6 +2920,15 @@ static int stmt_evaluate_nat(struct eval_ctx *ctx, struct stmt *stmt)
if (err < 0)
return err;
+ if (stmt->nat.ipportmap) {
+ err = stmt_evaluate_nat_map(ctx, stmt);
+ if (err < 0)
+ return err;
+
+ stmt->flags |= STMT_F_TERMINAL;
+ return 0;
+ }
+
err = stmt_evaluate_addr(ctx, stmt, stmt->nat.family,
&stmt->nat.addr);
if (err < 0)
@@ -3346,15 +3426,22 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set)
return set_key_data_error(ctx, set,
set->key->dtype, type);
}
- if (set->flags & NFT_SET_INTERVAL &&
- set->key->etype == EXPR_CONCAT)
- return set_error(ctx, set, "concatenated types not supported in interval sets");
+
+ if (set->flags & NFT_SET_INTERVAL && set->key->etype == EXPR_CONCAT) {
+ memcpy(&set->desc.field_len, &set->key->field_len,
+ sizeof(set->desc.field_len));
+ set->desc.field_count = set->key->field_count;
+ }
if (set_is_datamap(set->flags)) {
if (set->data == NULL)
return set_error(ctx, set, "map definition does not "
"specify mapping data type");
+ if (set->data->etype == EXPR_CONCAT &&
+ expr_evaluate_concat(ctx, &set->data, false) < 0)
+ return -1;
+
if (set->data->len == 0 && set->data->dtype->type != TYPE_VERDICT)
return set_key_data_error(ctx, set,
set->data->dtype, type);
diff --git a/src/expression.c b/src/expression.c
index cb11cda4..863cf86e 100644
--- a/src/expression.c
+++ b/src/expression.c
@@ -829,6 +829,140 @@ static void concat_expr_print(const struct expr *expr, struct output_ctx *octx)
compound_expr_print(expr, " . ", octx);
}
+#define NFTNL_UDATA_SET_KEY_CONCAT_NEST 0
+#define NFTNL_UDATA_SET_KEY_CONCAT_NEST_MAX NFT_REG32_SIZE
+
+#define NFTNL_UDATA_SET_KEY_CONCAT_SUB_TYPE 0
+#define NFTNL_UDATA_SET_KEY_CONCAT_SUB_DATA 1
+#define NFTNL_UDATA_SET_KEY_CONCAT_SUB_MAX 2
+
+static int concat_expr_build_udata(struct nftnl_udata_buf *udbuf,
+ const struct expr *concat_expr)
+{
+ struct nftnl_udata *nest;
+ unsigned int i = 0;
+ struct expr *expr;
+
+ list_for_each_entry(expr, &concat_expr->expressions, list) {
+ struct nftnl_udata *nest_expr;
+ int err;
+
+ if (!expr_ops(expr)->build_udata || i >= NFT_REG32_SIZE)
+ return -1;
+
+ nest = nftnl_udata_nest_start(udbuf, NFTNL_UDATA_SET_KEY_CONCAT_NEST + i);
+ nftnl_udata_put_u32(udbuf, NFTNL_UDATA_SET_KEY_CONCAT_SUB_TYPE, expr->etype);
+ nest_expr = nftnl_udata_nest_start(udbuf, NFTNL_UDATA_SET_KEY_CONCAT_SUB_DATA);
+ err = expr_ops(expr)->build_udata(udbuf, expr);
+ if (err < 0)
+ return err;
+ nftnl_udata_nest_end(udbuf, nest_expr);
+ nftnl_udata_nest_end(udbuf, nest);
+ i++;
+ }
+
+ return 0;
+}
+
+static int concat_parse_udata_nest(const struct nftnl_udata *attr, void *data)
+{
+ const struct nftnl_udata **ud = data;
+ uint8_t type = nftnl_udata_type(attr);
+ uint8_t len = nftnl_udata_len(attr);
+
+ if (type >= NFTNL_UDATA_SET_KEY_CONCAT_NEST_MAX)
+ return -1;
+
+ if (len <= sizeof(uint32_t))
+ return -1;
+
+ ud[type] = attr;
+ return 0;
+}
+
+static int concat_parse_udata_nested(const struct nftnl_udata *attr, void *data)
+{
+ const struct nftnl_udata **ud = data;
+ uint8_t type = nftnl_udata_type(attr);
+ uint8_t len = nftnl_udata_len(attr);
+
+ switch (type) {
+ case NFTNL_UDATA_SET_KEY_CONCAT_SUB_TYPE:
+ if (len != sizeof(uint32_t))
+ return -1;
+ break;
+ case NFTNL_UDATA_SET_KEY_CONCAT_SUB_DATA:
+ if (len <= sizeof(uint32_t))
+ return -1;
+ break;
+ default:
+ return 0;
+ }
+
+ ud[type] = attr;
+ return 0;
+}
+
+static struct expr *concat_expr_parse_udata(const struct nftnl_udata *attr)
+{
+ const struct nftnl_udata *ud[NFTNL_UDATA_SET_KEY_CONCAT_NEST_MAX] = {};
+ struct expr *concat_expr;
+ struct datatype *dtype;
+ unsigned int i;
+ int err;
+
+ err = nftnl_udata_parse(nftnl_udata_get(attr), nftnl_udata_len(attr),
+ concat_parse_udata_nest, ud);
+ if (err < 0)
+ return NULL;
+
+ concat_expr = concat_expr_alloc(&internal_location);
+ if (!concat_expr)
+ return NULL;
+
+ dtype = xzalloc(sizeof(*dtype));
+
+ for (i = 0; i < array_size(ud); i++) {
+ const struct nftnl_udata *nest_ud[NFTNL_UDATA_SET_KEY_CONCAT_SUB_MAX];
+ const struct nftnl_udata *nested, *subdata;
+ const struct expr_ops *ops;
+ struct expr *expr;
+ uint32_t etype;
+
+ if (ud[NFTNL_UDATA_SET_KEY_CONCAT_NEST + i] == NULL)
+ break;
+
+ nested = ud[NFTNL_UDATA_SET_KEY_CONCAT_NEST + i];
+ err = nftnl_udata_parse(nftnl_udata_get(nested), nftnl_udata_len(nested),
+ concat_parse_udata_nested, nest_ud);
+ if (err < 0)
+ goto err_free;
+
+ etype = nftnl_udata_get_u32(nest_ud[NFTNL_UDATA_SET_KEY_CONCAT_SUB_TYPE]);
+ ops = expr_ops_by_type(etype);
+ if (!ops || !ops->parse_udata)
+ goto err_free;
+
+ subdata = nest_ud[NFTNL_UDATA_SET_KEY_CONCAT_SUB_DATA];
+ expr = ops->parse_udata(subdata);
+ if (!expr)
+ goto err_free;
+
+ dtype->subtypes++;
+ compound_expr_add(concat_expr, expr);
+ dtype->size += round_up(expr->len, BITS_PER_BYTE * sizeof(uint32_t));
+ }
+
+ concat_expr->dtype = dtype;
+ concat_expr->len = dtype->size;
+
+ return concat_expr;
+
+err_free:
+ expr_free(concat_expr);
+ return NULL;
+}
+
static const struct expr_ops concat_expr_ops = {
.type = EXPR_CONCAT,
.name = "concat",
@@ -836,6 +970,8 @@ static const struct expr_ops concat_expr_ops = {
.json = concat_expr_json,
.clone = compound_expr_clone,
.destroy = concat_expr_destroy,
+ .build_udata = concat_expr_build_udata,
+ .parse_udata = concat_expr_parse_udata,
};
struct expr *concat_expr_alloc(const struct location *loc)
@@ -1185,9 +1321,9 @@ void range_expr_value_high(mpz_t rop, const struct expr *expr)
}
}
-const struct expr_ops *expr_ops(const struct expr *e)
+static const struct expr_ops *__expr_ops_by_type(enum expr_types etype)
{
- switch (e->etype) {
+ switch (etype) {
case EXPR_INVALID:
BUG("Invalid expression ops requested");
break;
@@ -1220,26 +1356,21 @@ const struct expr_ops *expr_ops(const struct expr *e)
case EXPR_XFRM: return &xfrm_expr_ops;
}
- BUG("Unknown expression type %d\n", e->etype);
+ BUG("Unknown expression type %d\n", etype);
}
-const struct expr_ops *expr_ops_by_type(enum expr_types etype)
+const struct expr_ops *expr_ops(const struct expr *e)
{
- switch (etype) {
- case EXPR_PAYLOAD: return &payload_expr_ops;
- case EXPR_EXTHDR: return &exthdr_expr_ops;
- case EXPR_META: return &meta_expr_ops;
- case EXPR_SOCKET: return &socket_expr_ops;
- case EXPR_OSF: return &osf_expr_ops;
- case EXPR_CT: return &ct_expr_ops;
- case EXPR_NUMGEN: return &numgen_expr_ops;
- case EXPR_HASH: return &hash_expr_ops;
- case EXPR_RT: return &rt_expr_ops;
- case EXPR_FIB: return &fib_expr_ops;
- case EXPR_XFRM: return &xfrm_expr_ops;
- default:
- break;
- }
+ return __expr_ops_by_type(e->etype);
+}
- BUG("Unknown expression type %d\n", etype);
+const struct expr_ops *expr_ops_by_type(uint32_t value)
+{
+ /* value might come from unreliable source, such as "udata"
+ * annotation of set keys. Avoid BUG() assertion.
+ */
+ if (value == EXPR_INVALID || value > EXPR_MAX)
+ return NULL;
+
+ return __expr_ops_by_type(value);
}
diff --git a/src/json.c b/src/json.c
index 1906e7db..86028959 100644
--- a/src/json.c
+++ b/src/json.c
@@ -1021,23 +1021,14 @@ json_t *inet_protocol_type_json(const struct expr *expr,
json_t *inet_service_type_json(const struct expr *expr, struct output_ctx *octx)
{
- struct sockaddr_in sin = {
- .sin_family = AF_INET,
- .sin_port = mpz_get_be16(expr->value),
- };
- char buf[NI_MAXSERV];
+ uint16_t port = mpz_get_be16(expr->value);
+ const struct servent *s = NULL;
if (!nft_output_service(octx) ||
- getnameinfo((struct sockaddr *)&sin, sizeof(sin),
- NULL, 0, buf, sizeof(buf), 0))
- return json_integer(ntohs(sin.sin_port));
-
- if (htons(atoi(buf)) == sin.sin_port ||
- getnameinfo((struct sockaddr *)&sin, sizeof(sin),
- NULL, 0, buf, sizeof(buf), NI_DGRAM))
- return json_integer(ntohs(sin.sin_port));
+ (s = getservbyport(port, NULL)) == NULL)
+ return json_integer(ntohs(port));
- return json_string(buf);
+ return json_string(s->s_name);
}
json_t *mark_type_json(const struct expr *expr, struct output_ctx *octx)
diff --git a/src/libnftables.c b/src/libnftables.c
index cd2fcf2f..32da0a29 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -12,7 +12,7 @@
#include <parser.h>
#include <utils.h>
#include <iface.h>
-
+#include <cmd.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
@@ -68,9 +68,7 @@ static int nft_netlink(struct nft_ctx *nft,
list_for_each_entry(cmd, cmds, list) {
if (err->seqnum == cmd->seqnum ||
err->seqnum == batch_seqnum) {
- netlink_io_error(&ctx, &cmd->location,
- "Could not process rule: %s",
- strerror(err->err));
+ nft_cmd_error(&ctx, cmd, err);
errno = err->err;
if (err->seqnum == cmd->seqnum) {
mnl_err_list_free(err);
diff --git a/src/mnl.c b/src/mnl.c
index d5bdff29..bca5add0 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -26,6 +26,7 @@
#include <mnl.h>
#include <string.h>
+#include <net/if.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <fcntl.h>
@@ -37,6 +38,7 @@
struct mnl_socket *nft_mnl_socket_open(void)
{
struct mnl_socket *nf_sock;
+ int one = 1;
nf_sock = mnl_socket_open(NETLINK_NETFILTER);
if (!nf_sock)
@@ -45,6 +47,8 @@ struct mnl_socket *nft_mnl_socket_open(void)
if (fcntl(mnl_socket_get_fd(nf_sock), F_SETFL, O_NONBLOCK))
netlink_init_error();
+ mnl_socket_setsockopt(nf_sock, NETLINK_EXT_ACK, &one, sizeof(one));
+
return nf_sock;
}
@@ -204,11 +208,13 @@ void mnl_batch_reset(struct nftnl_batch *batch)
}
static void mnl_err_list_node_add(struct list_head *err_list, int error,
- int seqnum)
+ int seqnum, uint32_t offset,
+ const char *errmsg)
{
struct mnl_err *err = xmalloc(sizeof(struct mnl_err));
err->seqnum = seqnum;
+ err->offset = offset;
err->err = error;
list_add_tail(&err->head, err_list);
}
@@ -305,6 +311,61 @@ static ssize_t mnl_nft_socket_sendmsg(struct netlink_ctx *ctx,
return sendmsg(mnl_socket_get_fd(ctx->nft->nf_sock), msg, 0);
}
+static int err_attr_cb(const struct nlattr *attr, void *data)
+{
+ const struct nlattr **tb = data;
+ uint16_t type;
+
+ if (mnl_attr_type_valid(attr, NLMSGERR_ATTR_MAX) < 0)
+ return MNL_CB_ERROR;
+
+ type = mnl_attr_get_type(attr);
+ switch (type) {
+ case NLMSGERR_ATTR_OFFS:
+ if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
+ return MNL_CB_ERROR;
+ break;
+ }
+
+ tb[type] = attr;
+ return MNL_CB_OK;
+}
+
+static int mnl_batch_extack_cb(const struct nlmsghdr *nlh, void *data)
+{
+ struct netlink_cb_data *cb_data = data;
+ struct nlattr *tb[NLMSGERR_ATTR_MAX + 1] = {};
+ const struct nlmsgerr *err = mnl_nlmsg_get_payload(nlh);
+ unsigned int hlen = sizeof(*err);
+ const char *msg = NULL;
+ uint32_t off = 0;
+ int errval;
+
+ if (nlh->nlmsg_len < mnl_nlmsg_size(sizeof(struct nlmsgerr)))
+ return MNL_CB_ERROR;
+
+ if (err->error < 0)
+ errval = -err->error;
+ else
+ errval = err->error;
+
+ if (errval == 0)
+ return MNL_CB_STOP;
+
+ if (!(nlh->nlmsg_flags & NLM_F_CAPPED))
+ hlen += mnl_nlmsg_get_payload_len(&err->msg);
+
+ if (mnl_attr_parse(nlh, hlen, err_attr_cb, tb) != MNL_CB_OK)
+ return MNL_CB_ERROR;
+
+ if (tb[NLMSGERR_ATTR_OFFS])
+ off = mnl_attr_get_u32(tb[NLMSGERR_ATTR_OFFS]);
+
+ mnl_err_list_node_add(cb_data->err_list, errval,
+ nlh->nlmsg_seq, off, msg);
+ return MNL_CB_ERROR;
+}
+
#define NFT_MNL_ECHO_RCVBUFF_DEFAULT (MNL_SOCKET_BUFFER_SIZE * 1024)
int mnl_batch_talk(struct netlink_ctx *ctx, struct list_head *err_list,
@@ -326,6 +387,13 @@ int mnl_batch_talk(struct netlink_ctx *ctx, struct list_head *err_list,
unsigned int rcvbufsiz;
size_t batch_size;
fd_set readfds;
+ static mnl_cb_t cb_ctl_array[NLMSG_MIN_TYPE] = {
+ [NLMSG_ERROR] = mnl_batch_extack_cb,
+ };
+ struct netlink_cb_data cb_data = {
+ .err_list = err_list,
+ .nl_ctx = ctx,
+ };
mnl_set_sndbuffer(ctx->nft->nf_sock, ctx->batch);
@@ -361,18 +429,15 @@ int mnl_batch_talk(struct netlink_ctx *ctx, struct list_head *err_list,
if (ret == -1)
return -1;
- ret = mnl_cb_run(rcv_buf, ret, 0, portid, &netlink_echo_callback, ctx);
/* Continue on error, make sure we get all acknowledgments */
- if (ret == -1) {
- struct nlmsghdr *nlh = (struct nlmsghdr *)rcv_buf;
-
- mnl_err_list_node_add(err_list, errno, nlh->nlmsg_seq);
- }
+ ret = mnl_cb_run2(rcv_buf, ret, 0, portid,
+ netlink_echo_callback, &cb_data,
+ cb_ctl_array, MNL_ARRAY_SIZE(cb_ctl_array));
}
return 0;
}
-int mnl_nft_rule_add(struct netlink_ctx *ctx, const struct cmd *cmd,
+int mnl_nft_rule_add(struct netlink_ctx *ctx, struct cmd *cmd,
unsigned int flags)
{
struct rule *rule = cmd->rule;
@@ -385,8 +450,6 @@ int mnl_nft_rule_add(struct netlink_ctx *ctx, const struct cmd *cmd,
memory_allocation_error();
nftnl_rule_set_u32(nlr, NFTNL_RULE_FAMILY, h->family);
- nftnl_rule_set_str(nlr, NFTNL_RULE_TABLE, h->table.name);
- nftnl_rule_set_str(nlr, NFTNL_RULE_CHAIN, h->chain.name);
if (h->position.id)
nftnl_rule_set_u64(nlr, NFTNL_RULE_POSITION, h->position.id);
if (h->rule_id)
@@ -399,6 +462,12 @@ int mnl_nft_rule_add(struct netlink_ctx *ctx, const struct cmd *cmd,
NFT_MSG_NEWRULE,
cmd->handle.family,
NLM_F_CREATE | flags, ctx->seqnum);
+
+ cmd_add_loc(cmd, nlh->nlmsg_len, &h->table.location);
+ mnl_attr_put_strz(nlh, NFTA_RULE_TABLE, h->table.name);
+ cmd_add_loc(cmd, nlh->nlmsg_len, &h->chain.location);
+ mnl_attr_put_strz(nlh, NFTA_RULE_CHAIN, h->chain.name);
+
nftnl_rule_nlmsg_build_payload(nlh, nlr);
nftnl_rule_free(nlr);
@@ -407,7 +476,7 @@ int mnl_nft_rule_add(struct netlink_ctx *ctx, const struct cmd *cmd,
return 0;
}
-int mnl_nft_rule_replace(struct netlink_ctx *ctx, const struct cmd *cmd)
+int mnl_nft_rule_replace(struct netlink_ctx *ctx, struct cmd *cmd)
{
struct rule *rule = cmd->rule;
struct handle *h = &rule->handle;
@@ -423,15 +492,20 @@ int mnl_nft_rule_replace(struct netlink_ctx *ctx, const struct cmd *cmd)
memory_allocation_error();
nftnl_rule_set_u32(nlr, NFTNL_RULE_FAMILY, h->family);
- nftnl_rule_set_str(nlr, NFTNL_RULE_TABLE, h->table.name);
- nftnl_rule_set_str(nlr, NFTNL_RULE_CHAIN, h->chain.name);
- nftnl_rule_set_u64(nlr, NFTNL_RULE_HANDLE, h->handle.id);
netlink_linearize_rule(ctx, nlr, rule);
nlh = nftnl_nlmsg_build_hdr(nftnl_batch_buffer(ctx->batch),
NFT_MSG_NEWRULE,
cmd->handle.family,
NLM_F_REPLACE | flags, ctx->seqnum);
+
+ cmd_add_loc(cmd, nlh->nlmsg_len, &h->table.location);
+ mnl_attr_put_strz(nlh, NFTA_RULE_TABLE, h->table.name);
+ cmd_add_loc(cmd, nlh->nlmsg_len, &h->chain.location);
+ mnl_attr_put_strz(nlh, NFTA_RULE_CHAIN, h->chain.name);
+ cmd_add_loc(cmd, nlh->nlmsg_len, &h->handle.location);
+ mnl_attr_put_u64(nlh, NFTA_RULE_HANDLE, htobe64(h->handle.id));
+
nftnl_rule_nlmsg_build_payload(nlh, nlr);
nftnl_rule_free(nlr);
@@ -440,9 +514,9 @@ int mnl_nft_rule_replace(struct netlink_ctx *ctx, const struct cmd *cmd)
return 0;
}
-int mnl_nft_rule_del(struct netlink_ctx *ctx, const struct cmd *cmd)
+int mnl_nft_rule_del(struct netlink_ctx *ctx, struct cmd *cmd)
{
- const struct handle *h = &cmd->handle;
+ struct handle *h = &cmd->handle;
struct nftnl_rule *nlr;
struct nlmsghdr *nlh;
@@ -451,16 +525,23 @@ int mnl_nft_rule_del(struct netlink_ctx *ctx, const struct cmd *cmd)
memory_allocation_error();
nftnl_rule_set_u32(nlr, NFTNL_RULE_FAMILY, h->family);
- nftnl_rule_set_str(nlr, NFTNL_RULE_TABLE, h->table.name);
- if (h->chain.name)
- nftnl_rule_set_str(nlr, NFTNL_RULE_CHAIN, h->chain.name);
- if (h->handle.id)
- nftnl_rule_set_u64(nlr, NFTNL_RULE_HANDLE, h->handle.id);
nlh = nftnl_nlmsg_build_hdr(nftnl_batch_buffer(ctx->batch),
NFT_MSG_DELRULE,
nftnl_rule_get_u32(nlr, NFTNL_RULE_FAMILY),
0, ctx->seqnum);
+
+ cmd_add_loc(cmd, nlh->nlmsg_len, &h->table.location);
+ mnl_attr_put_strz(nlh, NFTA_RULE_TABLE, h->table.name);
+ if (h->chain.name) {
+ cmd_add_loc(cmd, nlh->nlmsg_len, &h->chain.location);
+ mnl_attr_put_strz(nlh, NFTA_RULE_CHAIN, h->chain.name);
+ }
+ if (h->handle.id) {
+ cmd_add_loc(cmd, nlh->nlmsg_len, &h->handle.location);
+ mnl_attr_put_u64(nlh, NFTA_RULE_HANDLE, htobe64(h->handle.id));
+ }
+
nftnl_rule_nlmsg_build_payload(nlh, nlr);
nftnl_rule_free(nlr);
@@ -524,12 +605,14 @@ err:
/*
* Chain
*/
-int mnl_nft_chain_add(struct netlink_ctx *ctx, const struct cmd *cmd,
+int mnl_nft_chain_add(struct netlink_ctx *ctx, struct cmd *cmd,
unsigned int flags)
{
int priority, policy, i = 0;
struct nftnl_chain *nlc;
+ unsigned int ifname_len;
const char **dev_array;
+ char ifname[IFNAMSIZ];
struct nlmsghdr *nlh;
struct expr *expr;
int dev_array_len;
@@ -539,8 +622,6 @@ int mnl_nft_chain_add(struct netlink_ctx *ctx, const struct cmd *cmd,
memory_allocation_error();
nftnl_chain_set_u32(nlc, NFTNL_CHAIN_FAMILY, cmd->handle.family);
- nftnl_chain_set_str(nlc, NFTNL_CHAIN_TABLE, cmd->handle.table.name);
- nftnl_chain_set_str(nlc, NFTNL_CHAIN_NAME, cmd->handle.chain.name);
if (cmd->chain) {
if (cmd->chain->flags & CHAIN_F_BASECHAIN) {
@@ -553,16 +634,16 @@ int mnl_nft_chain_add(struct netlink_ctx *ctx, const struct cmd *cmd,
nftnl_chain_set_str(nlc, NFTNL_CHAIN_TYPE,
cmd->chain->type);
}
- if (cmd->chain->policy) {
- mpz_export_data(&policy, cmd->chain->policy->value,
- BYTEORDER_HOST_ENDIAN, sizeof(int));
- nftnl_chain_set_u32(nlc, NFTNL_CHAIN_POLICY, policy);
- }
if (cmd->chain->dev_expr) {
dev_array = xmalloc(sizeof(char *) * 8);
dev_array_len = 8;
list_for_each_entry(expr, &cmd->chain->dev_expr->expressions, list) {
- dev_array[i++] = expr->identifier;
+ ifname_len = div_round_up(expr->len, BITS_PER_BYTE);
+ memset(ifname, 0, sizeof(ifname));
+ mpz_export_data(ifname, expr->value,
+ BYTEORDER_HOST_ENDIAN,
+ ifname_len);
+ dev_array[i++] = xstrdup(ifname);
if (i == dev_array_len) {
dev_array_len *= 2;
dev_array = xrealloc(dev_array,
@@ -577,6 +658,10 @@ int mnl_nft_chain_add(struct netlink_ctx *ctx, const struct cmd *cmd,
nftnl_chain_set_data(nlc, NFTNL_CHAIN_DEVICES, dev_array,
sizeof(char *) * dev_array_len);
+ i = 0;
+ while (dev_array[i] != NULL)
+ xfree(dev_array[i++]);
+
xfree(dev_array);
}
}
@@ -586,6 +671,19 @@ int mnl_nft_chain_add(struct netlink_ctx *ctx, const struct cmd *cmd,
NFT_MSG_NEWCHAIN,
cmd->handle.family,
NLM_F_CREATE | flags, ctx->seqnum);
+
+ cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.table.location);
+ mnl_attr_put_strz(nlh, NFTA_CHAIN_TABLE, cmd->handle.table.name);
+ cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.chain.location);
+ mnl_attr_put_strz(nlh, NFTA_CHAIN_NAME, cmd->handle.chain.name);
+
+ if (cmd->chain && cmd->chain->policy) {
+ mpz_export_data(&policy, cmd->chain->policy->value,
+ BYTEORDER_HOST_ENDIAN, sizeof(int));
+ cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->chain->policy->location);
+ mnl_attr_put_u32(nlh, NFTA_CHAIN_POLICY, htonl(policy));
+ }
+
nftnl_chain_nlmsg_build_payload(nlh, nlc);
nftnl_chain_free(nlc);
@@ -624,7 +722,7 @@ int mnl_nft_chain_rename(struct netlink_ctx *ctx, const struct cmd *cmd,
return 0;
}
-int mnl_nft_chain_del(struct netlink_ctx *ctx, const struct cmd *cmd)
+int mnl_nft_chain_del(struct netlink_ctx *ctx, struct cmd *cmd)
{
struct nftnl_chain *nlc;
struct nlmsghdr *nlh;
@@ -634,18 +732,23 @@ int mnl_nft_chain_del(struct netlink_ctx *ctx, const struct cmd *cmd)
memory_allocation_error();
nftnl_chain_set_u32(nlc, NFTNL_CHAIN_FAMILY, cmd->handle.family);
- nftnl_chain_set_str(nlc, NFTNL_CHAIN_TABLE, cmd->handle.table.name);
- if (cmd->handle.chain.name)
- nftnl_chain_set_str(nlc, NFTNL_CHAIN_NAME,
- cmd->handle.chain.name);
- else if (cmd->handle.handle.id)
- nftnl_chain_set_u64(nlc, NFTNL_CHAIN_HANDLE,
- cmd->handle.handle.id);
nlh = nftnl_nlmsg_build_hdr(nftnl_batch_buffer(ctx->batch),
NFT_MSG_DELCHAIN,
cmd->handle.family,
0, ctx->seqnum);
+
+ cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.table.location);
+ mnl_attr_put_strz(nlh, NFTA_CHAIN_TABLE, cmd->handle.table.name);
+ if (cmd->handle.chain.name) {
+ cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.chain.location);
+ mnl_attr_put_strz(nlh, NFTA_CHAIN_NAME, cmd->handle.chain.name);
+ } else if (cmd->handle.handle.id) {
+ cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.handle.location);
+ mnl_attr_put_u64(nlh, NFTA_CHAIN_HANDLE,
+ htobe64(cmd->handle.handle.id));
+ }
+
nftnl_chain_nlmsg_build_payload(nlh, nlc);
nftnl_chain_free(nlc);
@@ -705,7 +808,7 @@ err:
/*
* Table
*/
-int mnl_nft_table_add(struct netlink_ctx *ctx, const struct cmd *cmd,
+int mnl_nft_table_add(struct netlink_ctx *ctx, struct cmd *cmd,
unsigned int flags)
{
struct nftnl_table *nlt;
@@ -716,7 +819,6 @@ int mnl_nft_table_add(struct netlink_ctx *ctx, const struct cmd *cmd,
memory_allocation_error();
nftnl_table_set_u32(nlt, NFTNL_TABLE_FAMILY, cmd->handle.family);
- nftnl_table_set_str(nlt, NFTNL_TABLE_NAME, cmd->handle.table.name);
if (cmd->table)
nftnl_table_set_u32(nlt, NFTNL_TABLE_FLAGS, cmd->table->flags);
else
@@ -726,6 +828,9 @@ int mnl_nft_table_add(struct netlink_ctx *ctx, const struct cmd *cmd,
NFT_MSG_NEWTABLE,
cmd->handle.family,
flags, ctx->seqnum);
+
+ cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.table.location);
+ mnl_attr_put_strz(nlh, NFTA_TABLE_NAME, cmd->handle.table.name);
nftnl_table_nlmsg_build_payload(nlh, nlt);
nftnl_table_free(nlt);
@@ -734,7 +839,7 @@ int mnl_nft_table_add(struct netlink_ctx *ctx, const struct cmd *cmd,
return 0;
}
-int mnl_nft_table_del(struct netlink_ctx *ctx, const struct cmd *cmd)
+int mnl_nft_table_del(struct netlink_ctx *ctx, struct cmd *cmd)
{
struct nftnl_table *nlt;
struct nlmsghdr *nlh;
@@ -744,17 +849,20 @@ int mnl_nft_table_del(struct netlink_ctx *ctx, const struct cmd *cmd)
memory_allocation_error();
nftnl_table_set_u32(nlt, NFTNL_TABLE_FAMILY, cmd->handle.family);
- if (cmd->handle.table.name)
- nftnl_table_set_str(nlt, NFTNL_TABLE_NAME,
- cmd->handle.table.name);
- else if (cmd->handle.handle.id)
- nftnl_table_set_u64(nlt, NFTNL_TABLE_HANDLE,
- cmd->handle.handle.id);
nlh = nftnl_nlmsg_build_hdr(nftnl_batch_buffer(ctx->batch),
NFT_MSG_DELTABLE,
cmd->handle.family,
0, ctx->seqnum);
+
+ if (cmd->handle.table.name) {
+ cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.table.location);
+ mnl_attr_put_strz(nlh, NFTA_TABLE_NAME, cmd->handle.table.name);
+ } else if (cmd->handle.handle.id) {
+ cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.handle.location);
+ mnl_attr_put_u64(nlh, NFTA_TABLE_NAME,
+ htobe64(cmd->handle.handle.id));
+ }
nftnl_table_nlmsg_build_payload(nlh, nlt);
nftnl_table_free(nlt);
@@ -834,10 +942,10 @@ static void set_key_expression(struct netlink_ctx *ctx,
/*
* Set
*/
-int mnl_nft_set_add(struct netlink_ctx *ctx, const struct cmd *cmd,
+int mnl_nft_set_add(struct netlink_ctx *ctx, struct cmd *cmd,
unsigned int flags)
{
- const struct handle *h = &cmd->handle;
+ struct handle *h = &cmd->handle;
struct nftnl_udata_buf *udbuf;
struct set *set = cmd->set;
struct nftnl_set *nls;
@@ -848,8 +956,6 @@ int mnl_nft_set_add(struct netlink_ctx *ctx, const struct cmd *cmd,
memory_allocation_error();
nftnl_set_set_u32(nls, NFTNL_SET_FAMILY, h->family);
- nftnl_set_set_str(nls, NFTNL_SET_TABLE, h->table.name);
- nftnl_set_set_str(nls, NFTNL_SET_NAME, h->set.name);
nftnl_set_set_u32(nls, NFTNL_SET_ID, h->set_id);
nftnl_set_set_u32(nls, NFTNL_SET_FLAGS, set->flags);
@@ -905,6 +1011,13 @@ int mnl_nft_set_add(struct netlink_ctx *ctx, const struct cmd *cmd,
if (set->data)
set_key_expression(ctx, set->data, set->flags, udbuf, NFTNL_UDATA_SET_DATA_TYPEOF);
+ if (set->desc.field_len[0]) {
+ nftnl_set_set_data(nls, NFTNL_SET_DESC_CONCAT,
+ set->desc.field_len,
+ set->desc.field_count *
+ sizeof(set->desc.field_len[0]));
+ }
+
nftnl_set_set_data(nls, NFTNL_SET_USERDATA, nftnl_udata_buf_data(udbuf),
nftnl_udata_buf_len(udbuf));
nftnl_udata_buf_free(udbuf);
@@ -915,6 +1028,12 @@ int mnl_nft_set_add(struct netlink_ctx *ctx, const struct cmd *cmd,
NFT_MSG_NEWSET,
h->family,
NLM_F_CREATE | flags, ctx->seqnum);
+
+ cmd_add_loc(cmd, nlh->nlmsg_len, &h->table.location);
+ mnl_attr_put_strz(nlh, NFTA_SET_TABLE, h->table.name);
+ cmd_add_loc(cmd, nlh->nlmsg_len, &h->set.location);
+ mnl_attr_put_strz(nlh, NFTA_SET_NAME, h->set.name);
+
nftnl_set_nlmsg_build_payload(nlh, nls);
nftnl_set_free(nls);
@@ -923,7 +1042,7 @@ int mnl_nft_set_add(struct netlink_ctx *ctx, const struct cmd *cmd,
return 0;
}
-int mnl_nft_set_del(struct netlink_ctx *ctx, const struct cmd *cmd)
+int mnl_nft_set_del(struct netlink_ctx *ctx, struct cmd *cmd)
{
const struct handle *h = &cmd->handle;
struct nftnl_set *nls;
@@ -934,16 +1053,23 @@ int mnl_nft_set_del(struct netlink_ctx *ctx, const struct cmd *cmd)
memory_allocation_error();
nftnl_set_set_u32(nls, NFTNL_SET_FAMILY, h->family);
- nftnl_set_set_str(nls, NFTNL_SET_TABLE, h->table.name);
- if (h->set.name)
- nftnl_set_set_str(nls, NFTNL_SET_NAME, h->set.name);
- else if (h->handle.id)
- nftnl_set_set_u64(nls, NFTNL_SET_HANDLE, h->handle.id);
nlh = nftnl_nlmsg_build_hdr(nftnl_batch_buffer(ctx->batch),
NFT_MSG_DELSET,
h->family,
0, ctx->seqnum);
+
+ cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.table.location);
+ mnl_attr_put_strz(nlh, NFTA_SET_TABLE, cmd->handle.table.name);
+ if (h->set.name) {
+ cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.set.location);
+ mnl_attr_put_strz(nlh, NFTA_SET_NAME, cmd->handle.set.name);
+ } else if (h->handle.id) {
+ cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.handle.location);
+ mnl_attr_put_u64(nlh, NFTA_SET_HANDLE,
+ htobe64(cmd->handle.handle.id));
+ }
+
nftnl_set_nlmsg_build_payload(nlh, nls);
nftnl_set_free(nls);
@@ -1009,7 +1135,7 @@ err:
return NULL;
}
-int mnl_nft_obj_add(struct netlink_ctx *ctx, const struct cmd *cmd,
+int mnl_nft_obj_add(struct netlink_ctx *ctx, struct cmd *cmd,
unsigned int flags)
{
struct obj *obj = cmd->object;
@@ -1021,8 +1147,6 @@ int mnl_nft_obj_add(struct netlink_ctx *ctx, const struct cmd *cmd,
memory_allocation_error();
nftnl_obj_set_u32(nlo, NFTNL_OBJ_FAMILY, cmd->handle.family);
- nftnl_obj_set_str(nlo, NFTNL_OBJ_TABLE, cmd->handle.table.name);
- nftnl_obj_set_str(nlo, NFTNL_OBJ_NAME, cmd->handle.obj.name);
nftnl_obj_set_u32(nlo, NFTNL_OBJ_TYPE, obj->type);
switch (obj->type) {
@@ -1100,6 +1224,12 @@ int mnl_nft_obj_add(struct netlink_ctx *ctx, const struct cmd *cmd,
nlh = nftnl_nlmsg_build_hdr(nftnl_batch_buffer(ctx->batch),
NFT_MSG_NEWOBJ, cmd->handle.family,
NLM_F_CREATE | flags, ctx->seqnum);
+
+ cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.table.location);
+ mnl_attr_put_strz(nlh, NFTA_OBJ_TABLE, cmd->handle.table.name);
+ cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.obj.location);
+ mnl_attr_put_strz(nlh, NFTA_OBJ_NAME, cmd->handle.obj.name);
+
nftnl_obj_nlmsg_build_payload(nlh, nlo);
nftnl_obj_free(nlo);
@@ -1108,7 +1238,7 @@ int mnl_nft_obj_add(struct netlink_ctx *ctx, const struct cmd *cmd,
return 0;
}
-int mnl_nft_obj_del(struct netlink_ctx *ctx, const struct cmd *cmd, int type)
+int mnl_nft_obj_del(struct netlink_ctx *ctx, struct cmd *cmd, int type)
{
struct nftnl_obj *nlo;
struct nlmsghdr *nlh;
@@ -1118,16 +1248,24 @@ int mnl_nft_obj_del(struct netlink_ctx *ctx, const struct cmd *cmd, int type)
memory_allocation_error();
nftnl_obj_set_u32(nlo, NFTNL_OBJ_FAMILY, cmd->handle.family);
- nftnl_obj_set_str(nlo, NFTNL_OBJ_TABLE, cmd->handle.table.name);
nftnl_obj_set_u32(nlo, NFTNL_OBJ_TYPE, type);
- if (cmd->handle.obj.name)
- nftnl_obj_set_str(nlo, NFTNL_OBJ_NAME, cmd->handle.obj.name);
- else if (cmd->handle.handle.id)
- nftnl_obj_set_u64(nlo, NFTNL_OBJ_HANDLE, cmd->handle.handle.id);
nlh = nftnl_nlmsg_build_hdr(nftnl_batch_buffer(ctx->batch),
NFT_MSG_DELOBJ, cmd->handle.family,
0, ctx->seqnum);
+
+ cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.table.location);
+ mnl_attr_put_strz(nlh, NFTA_OBJ_TABLE, cmd->handle.table.name);
+
+ if (cmd->handle.obj.name) {
+ cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.obj.location);
+ mnl_attr_put_strz(nlh, NFTA_OBJ_NAME, cmd->handle.obj.name);
+ } else if (cmd->handle.handle.id) {
+ cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.handle.location);
+ mnl_attr_put_u64(nlh, NFTA_OBJ_HANDLE,
+ htobe64(cmd->handle.handle.id));
+ }
+
nftnl_obj_nlmsg_build_payload(nlh, nlo);
nftnl_obj_free(nlo);
@@ -1435,11 +1573,13 @@ err:
return NULL;
}
-int mnl_nft_flowtable_add(struct netlink_ctx *ctx, const struct cmd *cmd,
+int mnl_nft_flowtable_add(struct netlink_ctx *ctx, struct cmd *cmd,
unsigned int flags)
{
struct nftnl_flowtable *flo;
+ unsigned int ifname_len;
const char **dev_array;
+ char ifname[IFNAMSIZ];
struct nlmsghdr *nlh;
int i = 0, len = 1;
struct expr *expr;
@@ -1451,10 +1591,6 @@ int mnl_nft_flowtable_add(struct netlink_ctx *ctx, const struct cmd *cmd,
nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_FAMILY,
cmd->handle.family);
- nftnl_flowtable_set_str(flo, NFTNL_FLOWTABLE_TABLE,
- cmd->handle.table.name);
- nftnl_flowtable_set_str(flo, NFTNL_FLOWTABLE_NAME,
- cmd->handle.flowtable.name);
nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_HOOKNUM,
cmd->flowtable->hooknum);
mpz_export_data(&priority, cmd->flowtable->priority.expr->value,
@@ -1464,13 +1600,24 @@ int mnl_nft_flowtable_add(struct netlink_ctx *ctx, const struct cmd *cmd,
list_for_each_entry(expr, &cmd->flowtable->dev_expr->expressions, list)
len++;
- dev_array = calloc(len, sizeof(char *));
- list_for_each_entry(expr, &cmd->flowtable->dev_expr->expressions, list)
- dev_array[i++] = expr->identifier;
+ dev_array = xmalloc(sizeof(char *) * len);
+
+ list_for_each_entry(expr, &cmd->flowtable->dev_expr->expressions, list) {
+ ifname_len = div_round_up(expr->len, BITS_PER_BYTE);
+ memset(ifname, 0, sizeof(ifname));
+ mpz_export_data(ifname, expr->value, BYTEORDER_HOST_ENDIAN,
+ ifname_len);
+ dev_array[i++] = xstrdup(ifname);
+ }
dev_array[i] = NULL;
nftnl_flowtable_set_data(flo, NFTNL_FLOWTABLE_DEVICES,
dev_array, sizeof(char *) * len);
+
+ i = 0;
+ while (dev_array[i] != NULL)
+ xfree(dev_array[i++]);
+
free(dev_array);
netlink_dump_flowtable(flo, ctx);
@@ -1478,6 +1625,12 @@ int mnl_nft_flowtable_add(struct netlink_ctx *ctx, const struct cmd *cmd,
nlh = nftnl_nlmsg_build_hdr(nftnl_batch_buffer(ctx->batch),
NFT_MSG_NEWFLOWTABLE, cmd->handle.family,
NLM_F_CREATE | flags, ctx->seqnum);
+
+ cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.table.location);
+ mnl_attr_put_strz(nlh, NFTA_FLOWTABLE_TABLE, cmd->handle.table.name);
+ cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.flowtable.location);
+ mnl_attr_put_strz(nlh, NFTA_FLOWTABLE_NAME, cmd->handle.flowtable.name);
+
nftnl_flowtable_nlmsg_build_payload(nlh, flo);
nftnl_flowtable_free(flo);
@@ -1486,7 +1639,7 @@ int mnl_nft_flowtable_add(struct netlink_ctx *ctx, const struct cmd *cmd,
return 0;
}
-int mnl_nft_flowtable_del(struct netlink_ctx *ctx, const struct cmd *cmd)
+int mnl_nft_flowtable_del(struct netlink_ctx *ctx, struct cmd *cmd)
{
struct nftnl_flowtable *flo;
struct nlmsghdr *nlh;
@@ -1497,18 +1650,25 @@ int mnl_nft_flowtable_del(struct netlink_ctx *ctx, const struct cmd *cmd)
nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_FAMILY,
cmd->handle.family);
- nftnl_flowtable_set_str(flo, NFTNL_FLOWTABLE_TABLE,
- cmd->handle.table.name);
- if (cmd->handle.flowtable.name)
- nftnl_flowtable_set_str(flo, NFTNL_FLOWTABLE_NAME,
- cmd->handle.flowtable.name);
- else if (cmd->handle.handle.id)
- nftnl_flowtable_set_u64(flo, NFTNL_FLOWTABLE_HANDLE,
- cmd->handle.handle.id);
nlh = nftnl_nlmsg_build_hdr(nftnl_batch_buffer(ctx->batch),
NFT_MSG_DELFLOWTABLE, cmd->handle.family,
0, ctx->seqnum);
+
+ cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.table.location);
+ mnl_attr_put_strz(nlh, NFTA_FLOWTABLE_TABLE, cmd->handle.table.name);
+
+ if (cmd->handle.flowtable.name) {
+ cmd_add_loc(cmd, nlh->nlmsg_len,
+ &cmd->handle.flowtable.location);
+ mnl_attr_put_strz(nlh, NFTA_FLOWTABLE_NAME,
+ cmd->handle.flowtable.name);
+ } else if (cmd->handle.handle.id) {
+ cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.handle.location);
+ mnl_attr_put_u64(nlh, NFTA_FLOWTABLE_HANDLE,
+ htobe64(cmd->handle.handle.id));
+ }
+
nftnl_flowtable_nlmsg_build_payload(nlh, flo);
nftnl_flowtable_free(flo);
diff --git a/src/monitor.c b/src/monitor.c
index 142cc929..bb269c02 100644
--- a/src/monitor.c
+++ b/src/monitor.c
@@ -906,7 +906,8 @@ static int netlink_events_cb(const struct nlmsghdr *nlh, void *data)
int netlink_echo_callback(const struct nlmsghdr *nlh, void *data)
{
- struct netlink_ctx *ctx = data;
+ struct netlink_cb_data *nl_cb_data = data;
+ struct netlink_ctx *ctx = nl_cb_data->nl_ctx;
struct netlink_mon_handler echo_monh = {
.format = NFTNL_OUTPUT_DEFAULT,
.ctx = ctx,
diff --git a/src/netlink.c b/src/netlink.c
index a9ccebaf..0c6b8c58 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -100,10 +100,11 @@ struct nftnl_expr *alloc_nft_expr(const char *name)
static struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *set,
const struct expr *expr)
{
- const struct expr *elem, *key, *data;
+ const struct expr *elem, *data;
struct nftnl_set_elem *nlse;
struct nft_data_linearize nld;
struct nftnl_udata_buf *udbuf = NULL;
+ struct expr *key;
nlse = nftnl_set_elem_alloc();
if (nlse == NULL)
@@ -121,6 +122,16 @@ static struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *set,
netlink_gen_data(key, &nld);
nftnl_set_elem_set(nlse, NFTNL_SET_ELEM_KEY, &nld.value, nld.len);
+
+ if (set->set_flags & NFT_SET_INTERVAL && expr->key->field_count > 1) {
+ key->flags |= EXPR_F_INTERVAL_END;
+ netlink_gen_data(key, &nld);
+ key->flags &= ~EXPR_F_INTERVAL_END;
+
+ nftnl_set_elem_set(nlse, NFTNL_SET_ELEM_KEY_END, &nld.value,
+ nld.len);
+ }
+
if (elem->timeout)
nftnl_set_elem_set_u64(nlse, NFTNL_SET_ELEM_TIMEOUT,
elem->timeout);
@@ -158,6 +169,9 @@ static struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *set,
nftnl_set_elem_set(nlse, NFTNL_SET_ELEM_CHAIN,
nld.chain, strlen(nld.chain));
break;
+ case EXPR_CONCAT:
+ assert(nld.len > 0);
+ /* fallthrough */
case EXPR_VALUE:
nftnl_set_elem_set(nlse, NFTNL_SET_ELEM_DATA,
nld.value, nld.len);
@@ -188,28 +202,58 @@ void netlink_gen_raw_data(const mpz_t value, enum byteorder byteorder,
data->len = len;
}
+static int netlink_export_pad(unsigned char *data, const mpz_t v,
+ const struct expr *i)
+{
+ mpz_export_data(data, v, i->byteorder,
+ div_round_up(i->len, BITS_PER_BYTE));
+
+ return netlink_padded_len(i->len) / BITS_PER_BYTE;
+}
+
+static int netlink_gen_concat_data_expr(int end, const struct expr *i,
+ unsigned char *data)
+{
+ switch (i->etype) {
+ case EXPR_RANGE:
+ i = end ? i->right : i->left;
+ break;
+ case EXPR_PREFIX:
+ if (end) {
+ int count;
+ mpz_t v;
+
+ mpz_init_bitmask(v, i->len - i->prefix_len);
+ mpz_add(v, i->prefix->value, v);
+ count = netlink_export_pad(data, v, i);
+ mpz_clear(v);
+ return count;
+ }
+ return netlink_export_pad(data, i->prefix->value, i);
+ case EXPR_VALUE:
+ break;
+ default:
+ BUG("invalid expression type '%s' in set", expr_ops(i)->name);
+ }
+
+ return netlink_export_pad(data, i->value, i);
+}
+
static void netlink_gen_concat_data(const struct expr *expr,
struct nft_data_linearize *nld)
{
+ unsigned int len = expr->len / BITS_PER_BYTE, offset = 0;
+ int end = expr->flags & EXPR_F_INTERVAL_END;
+ unsigned char data[len];
const struct expr *i;
- unsigned int len, offset;
-
- len = expr->len / BITS_PER_BYTE;
- if (1) {
- unsigned char data[len];
-
- memset(data, 0, sizeof(data));
- offset = 0;
- list_for_each_entry(i, &expr->expressions, list) {
- assert(i->etype == EXPR_VALUE);
- mpz_export_data(data + offset, i->value, i->byteorder,
- div_round_up(i->len, BITS_PER_BYTE));
- offset += netlink_padded_len(i->len) / BITS_PER_BYTE;
- }
- memcpy(nld->value, data, len);
- nld->len = len;
- }
+ memset(data, 0, len);
+
+ list_for_each_entry(i, &expr->expressions, list)
+ offset += netlink_gen_concat_data_expr(end, i, data + offset);
+
+ memcpy(nld->value, data, len);
+ nld->len = len;
}
static void netlink_gen_constant_data(const struct expr *expr,
@@ -773,6 +817,17 @@ struct set *netlink_delinearize_set(struct netlink_ctx *ctx,
if (nftnl_set_is_set(nls, NFTNL_SET_DESC_SIZE))
set->desc.size = nftnl_set_get_u32(nls, NFTNL_SET_DESC_SIZE);
+ if (nftnl_set_is_set(nls, NFTNL_SET_DESC_CONCAT)) {
+ uint32_t len = NFT_REG32_COUNT;
+ const uint8_t *data;
+
+ data = nftnl_set_get_data(nls, NFTNL_SET_DESC_CONCAT, &len);
+ if (data) {
+ memcpy(set->desc.field_len, data, len);
+ set->desc.field_count = len;
+ }
+ }
+
return set;
}
@@ -902,6 +957,7 @@ int netlink_delinearize_setelem(struct nftnl_set_elem *nlse,
if (nftnl_set_elem_is_set(nlse, NFTNL_SET_ELEM_FLAGS))
flags = nftnl_set_elem_get_u32(nlse, NFTNL_SET_ELEM_FLAGS);
+key_end:
key = netlink_alloc_value(&netlink_location, &nld);
datatype_set(key, set->key->dtype);
key->byteorder = set->key->byteorder;
@@ -952,6 +1008,10 @@ int netlink_delinearize_setelem(struct nftnl_set_elem *nlse,
NFT_REG_VERDICT : NFT_REG_1);
datatype_set(data, set->data->dtype);
data->byteorder = set->data->byteorder;
+
+ if (set->data->dtype->subtypes)
+ data = netlink_parse_concat_elem(set->data->dtype, data);
+
if (data->byteorder == BYTEORDER_HOST_ENDIAN)
mpz_switch_byteorder(data->value, data->len / BITS_PER_BYTE);
@@ -973,6 +1033,15 @@ int netlink_delinearize_setelem(struct nftnl_set_elem *nlse,
}
out:
compound_expr_add(set->init, expr);
+
+ if (!(flags & NFT_SET_ELEM_INTERVAL_END) &&
+ nftnl_set_elem_is_set(nlse, NFTNL_SET_ELEM_KEY_END)) {
+ flags |= NFT_SET_ELEM_INTERVAL_END;
+ nld.value = nftnl_set_elem_get(nlse, NFTNL_SET_ELEM_KEY_END,
+ &nld.len);
+ goto key_end;
+ }
+
return 0;
}
@@ -1011,15 +1080,16 @@ int netlink_list_setelems(struct netlink_ctx *ctx, const struct handle *h,
set->init = set_expr_alloc(&internal_location, set);
nftnl_set_elem_foreach(nls, list_setelem_cb, ctx);
- if (!(set->flags & NFT_SET_INTERVAL))
+ if (set->flags & NFT_SET_INTERVAL && set->desc.field_count > 1)
+ concat_range_aggregate(set->init);
+ else if (set->flags & NFT_SET_INTERVAL)
+ interval_map_decompose(set->init);
+ else
list_expr_sort(&ctx->set->init->expressions);
nftnl_set_free(nls);
ctx->set = NULL;
- if (set->flags & NFT_SET_INTERVAL)
- interval_map_decompose(set->init);
-
return 0;
}
@@ -1028,6 +1098,7 @@ int netlink_get_setelem(struct netlink_ctx *ctx, const struct handle *h,
struct set *set, struct expr *init)
{
struct nftnl_set *nls, *nls_out = NULL;
+ int err = 0;
nls = nftnl_set_alloc();
if (nls == NULL)
@@ -1051,18 +1122,18 @@ int netlink_get_setelem(struct netlink_ctx *ctx, const struct handle *h,
set->init = set_expr_alloc(loc, set);
nftnl_set_elem_foreach(nls_out, list_setelem_cb, ctx);
- if (!(set->flags & NFT_SET_INTERVAL))
+ if (set->flags & NFT_SET_INTERVAL && set->desc.field_count > 1)
+ concat_range_aggregate(set->init);
+ else if (set->flags & NFT_SET_INTERVAL)
+ err = get_set_decompose(table, set);
+ else
list_expr_sort(&ctx->set->init->expressions);
nftnl_set_free(nls);
nftnl_set_free(nls_out);
ctx->set = NULL;
- if (set->flags & NFT_SET_INTERVAL &&
- get_set_decompose(table, set) < 0)
- return -1;
-
- return 0;
+ return err;
}
void netlink_dump_obj(struct nftnl_obj *nln, struct netlink_ctx *ctx)
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 88dbd5a8..0058e2cf 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -171,7 +171,7 @@ static void netlink_parse_immediate(struct netlink_parse_ctx *ctx,
struct expr *expr;
if (nftnl_expr_is_set(nle, NFTNL_EXPR_IMM_VERDICT)) {
- nld.verdict = nftnl_expr_get_u32(nle, NFTNL_EXPR_IMM_VERDICT);
+ nld.verdict = nftnl_expr_get_u32(nle, NFTNL_EXPR_IMM_VERDICT);
if (nftnl_expr_is_set(nle, NFTNL_EXPR_IMM_CHAIN)) {
nld.chain = nftnl_expr_get(nle, NFTNL_EXPR_IMM_CHAIN,
&nld.len);
@@ -363,22 +363,17 @@ static void netlink_parse_lookup(struct netlink_parse_ctx *ctx,
ctx->stmt = expr_stmt_alloc(loc, expr);
}
-static void netlink_parse_bitwise(struct netlink_parse_ctx *ctx,
- const struct location *loc,
- const struct nftnl_expr *nle)
+static struct expr *netlink_parse_bitwise_bool(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle,
+ enum nft_registers sreg,
+ struct expr *left)
+
{
struct nft_data_delinearize nld;
- enum nft_registers sreg, dreg;
- struct expr *expr, *left, *mask, *xor, *or;
+ struct expr *expr, *mask, *xor, *or;
mpz_t m, x, o;
- sreg = netlink_parse_register(nle, NFTNL_EXPR_BITWISE_SREG);
- left = netlink_get_register(ctx, loc, sreg);
- if (left == NULL)
- return netlink_error(ctx, loc,
- "Bitwise expression has no left "
- "hand side");
-
expr = left;
nld.value = nftnl_expr_get(nle, NFTNL_EXPR_BITWISE_MASK, &nld.len);
@@ -430,6 +425,62 @@ static void netlink_parse_bitwise(struct netlink_parse_ctx *ctx,
mpz_clear(x);
mpz_clear(o);
+ return expr;
+}
+
+static struct expr *netlink_parse_bitwise_shift(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle,
+ enum ops op,
+ enum nft_registers sreg,
+ struct expr *left)
+{
+ struct nft_data_delinearize nld;
+ struct expr *expr, *right;
+
+ nld.value = nftnl_expr_get(nle, NFTNL_EXPR_BITWISE_DATA, &nld.len);
+ right = netlink_alloc_value(loc, &nld);
+
+ expr = binop_expr_alloc(loc, op, left, right);
+ expr->len = left->len;
+
+ return expr;
+}
+
+static void netlink_parse_bitwise(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ enum nft_registers sreg, dreg;
+ struct expr *expr, *left;
+ enum nft_bitwise_ops op;
+
+ sreg = netlink_parse_register(nle, NFTNL_EXPR_BITWISE_SREG);
+ left = netlink_get_register(ctx, loc, sreg);
+ if (left == NULL)
+ return netlink_error(ctx, loc,
+ "Bitwise expression has no left "
+ "hand side");
+
+ op = nftnl_expr_get_u32(nle, NFTNL_EXPR_BITWISE_OP);
+
+ switch (op) {
+ case NFT_BITWISE_BOOL:
+ expr = netlink_parse_bitwise_bool(ctx, loc, nle, sreg,
+ left);
+ break;
+ case NFT_BITWISE_LSHIFT:
+ expr = netlink_parse_bitwise_shift(ctx, loc, nle, OP_LSHIFT,
+ sreg, left);
+ break;
+ case NFT_BITWISE_RSHIFT:
+ expr = netlink_parse_bitwise_shift(ctx, loc, nle, OP_RSHIFT,
+ sreg, left);
+ break;
+ default:
+ BUG("invalid bitwise operation %u\n", op);
+ }
+
dreg = netlink_parse_register(nle, NFTNL_EXPR_BITWISE_DREG);
netlink_set_register(ctx, dreg, expr);
}
@@ -927,6 +978,35 @@ static void netlink_parse_reject(struct netlink_parse_ctx *ctx,
ctx->stmt = stmt;
}
+static bool is_nat_proto_map(const struct expr *addr, uint8_t family)
+{
+ const struct expr *mappings, *data;
+ const struct set *set;
+
+ if (!addr ||
+ expr_ops(addr)->type != EXPR_MAP)
+ return false;
+
+ mappings = addr->right;
+ if (expr_ops(mappings)->type != EXPR_SET_REF)
+ return false;
+
+ set = mappings->set;
+ data = set->data;
+
+ /* if we're dealing with an address:inet_service map,
+ * the length will be bit_sizeof(addr) + 32 (one register).
+ */
+ switch (family) {
+ case NFPROTO_IPV4:
+ return data->len == 32 + 32;
+ case NFPROTO_IPV6:
+ return data->len == 128 + 32;
+ }
+
+ return false;
+}
+
static void netlink_parse_nat(struct netlink_parse_ctx *ctx,
const struct location *loc,
const struct nftnl_expr *nle)
@@ -947,6 +1027,7 @@ static void netlink_parse_nat(struct netlink_parse_ctx *ctx,
if (nftnl_expr_is_set(nle, NFTNL_EXPR_NAT_FLAGS))
stmt->nat.flags = nftnl_expr_get_u32(nle, NFTNL_EXPR_NAT_FLAGS);
+ addr = NULL;
reg1 = netlink_parse_register(nle, NFTNL_EXPR_NAT_REG_ADDR_MIN);
if (reg1) {
addr = netlink_get_register(ctx, loc, reg1);
@@ -983,6 +1064,13 @@ static void netlink_parse_nat(struct netlink_parse_ctx *ctx,
stmt->nat.addr = addr;
}
+ if (is_nat_proto_map(addr, family)) {
+ stmt->nat.family = family;
+ stmt->nat.ipportmap = true;
+ ctx->stmt = stmt;
+ return;
+ }
+
reg1 = netlink_parse_register(nle, NFTNL_EXPR_NAT_REG_PROTO_MIN);
if (reg1) {
proto = netlink_get_register(ctx, loc, reg1);
@@ -1373,6 +1461,7 @@ static void netlink_parse_dynset(struct netlink_parse_ctx *ctx,
}
if (expr_data != NULL) {
+ expr_set_type(expr_data, set->data->dtype, set->data->byteorder);
stmt = map_stmt_alloc(loc);
stmt->map.set = set_ref_expr_alloc(loc, set);
stmt->map.key = expr;
@@ -2056,8 +2145,6 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp)
{
struct expr *expr = *exprp, *i;
- //pr_debug("%s len %u\n", expr->ops->name, expr->len);
-
switch (expr->etype) {
case EXPR_MAP:
switch (expr->map->etype) {
@@ -2102,8 +2189,16 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp)
break;
case EXPR_BINOP:
expr_postprocess(ctx, &expr->left);
- expr_set_type(expr->right, expr->left->dtype,
- expr->left->byteorder);
+ switch (expr->op) {
+ case OP_LSHIFT:
+ case OP_RSHIFT:
+ expr_set_type(expr->right, &integer_type,
+ BYTEORDER_HOST_ENDIAN);
+ break;
+ default:
+ expr_set_type(expr->right, expr->left->dtype,
+ expr->left->byteorder);
+ }
expr_postprocess(ctx, &expr->right);
expr_set_type(expr, expr->left->dtype,
@@ -2361,7 +2456,7 @@ static void stmt_payload_binop_pp(struct rule_pp_ctx *ctx, struct expr *binop)
* the original payload expression because it has an odd size or
* a non-byte divisible offset/length.
*
- * Of that was the case, the 'value' expression is not a value but
+ * If that was the case, the 'value' expression is not a value but
* a binop expression with a munged payload expression on the left
* and a mask to clear the real payload offset/length.
*
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index cb1b7fe1..de461775 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -545,10 +545,37 @@ static void combine_binop(mpz_t mask, mpz_t xor, const mpz_t m, const mpz_t x)
mpz_and(mask, mask, m);
}
-static void netlink_gen_binop(struct netlink_linearize_ctx *ctx,
+static void netlink_gen_shift(struct netlink_linearize_ctx *ctx,
const struct expr *expr,
enum nft_registers dreg)
{
+ enum nft_bitwise_ops op = expr->op == OP_LSHIFT ?
+ NFT_BITWISE_LSHIFT : NFT_BITWISE_RSHIFT;
+ unsigned int len = div_round_up(expr->len, BITS_PER_BYTE);
+ struct nft_data_linearize nld;
+ struct nftnl_expr *nle;
+
+ netlink_gen_expr(ctx, expr->left, dreg);
+
+ nle = alloc_nft_expr("bitwise");
+ netlink_put_register(nle, NFTNL_EXPR_BITWISE_SREG, dreg);
+ netlink_put_register(nle, NFTNL_EXPR_BITWISE_DREG, dreg);
+ nftnl_expr_set_u32(nle, NFTNL_EXPR_BITWISE_OP, op);
+ nftnl_expr_set_u32(nle, NFTNL_EXPR_BITWISE_LEN, len);
+
+ netlink_gen_raw_data(expr->right->value, expr->right->byteorder,
+ sizeof(uint32_t), &nld);
+
+ nftnl_expr_set(nle, NFTNL_EXPR_BITWISE_DATA, nld.value,
+ nld.len);
+
+ nftnl_rule_add_expr(ctx->nlr, nle);
+}
+
+static void netlink_gen_bitwise(struct netlink_linearize_ctx *ctx,
+ const struct expr *expr,
+ enum nft_registers dreg)
+{
struct nftnl_expr *nle;
struct nft_data_linearize nld;
struct expr *left, *i;
@@ -562,8 +589,9 @@ static void netlink_gen_binop(struct netlink_linearize_ctx *ctx,
mpz_init(val);
mpz_init(tmp);
- binops[n++] = left = (void *)expr;
- while (left->etype == EXPR_BINOP && left->left != NULL)
+ binops[n++] = left = (struct expr *) expr;
+ while (left->etype == EXPR_BINOP && left->left != NULL &&
+ (left->op == OP_AND || left->op == OP_OR || left->op == OP_XOR))
binops[n++] = left = left->left;
n--;
@@ -598,6 +626,7 @@ static void netlink_gen_binop(struct netlink_linearize_ctx *ctx,
nle = alloc_nft_expr("bitwise");
netlink_put_register(nle, NFTNL_EXPR_BITWISE_SREG, dreg);
netlink_put_register(nle, NFTNL_EXPR_BITWISE_DREG, dreg);
+ nftnl_expr_set_u32(nle, NFTNL_EXPR_BITWISE_OP, NFT_BITWISE_BOOL);
nftnl_expr_set_u32(nle, NFTNL_EXPR_BITWISE_LEN, len);
netlink_gen_raw_data(mask, expr->byteorder, len, &nld);
@@ -613,6 +642,21 @@ static void netlink_gen_binop(struct netlink_linearize_ctx *ctx,
nftnl_rule_add_expr(ctx->nlr, nle);
}
+static void netlink_gen_binop(struct netlink_linearize_ctx *ctx,
+ const struct expr *expr,
+ enum nft_registers dreg)
+{
+ switch(expr->op) {
+ case OP_LSHIFT:
+ case OP_RSHIFT:
+ netlink_gen_shift(ctx, expr, dreg);
+ break;
+ default:
+ netlink_gen_bitwise(ctx, expr, dreg);
+ break;
+ }
+}
+
static enum nft_byteorder_ops netlink_gen_unary_op(enum ops op)
{
switch (op) {
@@ -1008,14 +1052,25 @@ static void netlink_gen_reject_stmt(struct netlink_linearize_ctx *ctx,
nftnl_rule_add_expr(ctx->nlr, nle);
}
+static unsigned int nat_addrlen(uint8_t family)
+{
+ switch (family) {
+ case NFPROTO_IPV4: return 32;
+ case NFPROTO_IPV6: return 128;
+ }
+
+ BUG("invalid nat family %u\n", family);
+ return 0;
+}
+
static void netlink_gen_nat_stmt(struct netlink_linearize_ctx *ctx,
const struct stmt *stmt)
{
struct nftnl_expr *nle;
enum nft_registers amin_reg, amax_reg;
enum nft_registers pmin_reg, pmax_reg;
+ uint8_t family = 0;
int registers = 0;
- int family;
int nftnl_flag_attr;
int nftnl_reg_pmin, nftnl_reg_pmax;
@@ -1074,6 +1129,24 @@ static void netlink_gen_nat_stmt(struct netlink_linearize_ctx *ctx,
amin_reg);
}
+ if (stmt->nat.ipportmap) {
+ /* nat_stmt evaluation step doesn't allow
+ * stmt->nat.ipportmap && stmt->nat.proto.
+ */
+ assert(stmt->nat.proto == NULL);
+
+ pmin_reg = amin_reg;
+
+ /* if ipportmap is set, the mapped type is a
+ * concatenation of 'addr . inet_service'.
+ * The map lookup will then return the
+ * concatenated value, so we need to skip
+ * the address and use the register that
+ * will hold the inet_service part.
+ */
+ pmin_reg += netlink_register_space(nat_addrlen(family));
+ netlink_put_register(nle, nftnl_reg_pmin, pmin_reg);
+ }
}
if (stmt->nat.proto) {
@@ -1243,7 +1316,7 @@ static void netlink_gen_queue_stmt(struct netlink_linearize_ctx *ctx,
}
static void netlink_gen_ct_stmt(struct netlink_linearize_ctx *ctx,
- const struct stmt *stmt)
+ const struct stmt *stmt)
{
struct nftnl_expr *nle;
enum nft_registers sreg;
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 799f7a30..4c27fcc6 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -373,6 +373,7 @@ int nft_lex(void *, void *, void *);
%token FLAGS "flags"
%token CPI "cpi"
+%token PORT "port"
%token UDP "udp"
%token SPORT "sport"
%token DPORT "dport"
@@ -1909,9 +1910,9 @@ flowtable_list_expr : flowtable_expr_member
flowtable_expr_member : STRING
{
- $$ = symbol_expr_alloc(&@$, SYMBOL_VALUE,
- current_scope(state),
- $1);
+ $$ = constant_expr_alloc(&@$, &string_type,
+ BYTEORDER_HOST_ENDIAN,
+ strlen($1) * BITS_PER_BYTE, $1);
xfree($1);
}
;
@@ -2141,6 +2142,7 @@ dev_spec : DEVICE string
expr = constant_expr_alloc(&@$, &string_type,
BYTEORDER_HOST_ENDIAN,
strlen($2) * BITS_PER_BYTE, $2);
+ xfree($2);
$$ = compound_expr_alloc(&@$, EXPR_LIST);
compound_expr_add($$, expr);
@@ -2160,7 +2162,8 @@ policy_spec : POLICY policy_expr
expr_free($2);
YYERROR;
}
- $<chain>0->policy = $2;
+ $<chain>0->policy = $2;
+ $<chain>0->policy->location = @$;
}
;
@@ -2231,7 +2234,7 @@ tableid_spec : family_spec HANDLE NUM
memset(&$$, 0, sizeof($$));
$$.family = $1;
$$.handle.id = $3;
- $$.handle.location = @$;
+ $$.handle.location = @3;
}
;
@@ -2246,7 +2249,7 @@ chain_spec : table_spec identifier
chainid_spec : table_spec HANDLE NUM
{
$$ = $1;
- $$.handle.location = @$;
+ $$.handle.location = @3;
$$.handle.id = $3;
}
;
@@ -2270,7 +2273,7 @@ set_spec : table_spec identifier
setid_spec : table_spec HANDLE NUM
{
$$ = $1;
- $$.handle.location = @$;
+ $$.handle.location = @3;
$$.handle.id = $3;
}
;
@@ -2294,7 +2297,7 @@ flowtable_spec : table_spec identifier
flowtableid_spec : table_spec HANDLE NUM
{
$$ = $1;
- $$.handle.location = @$;
+ $$.handle.location = @3;
$$.handle.id = $3;
}
;
@@ -2318,7 +2321,7 @@ obj_spec : table_spec identifier
objid_spec : table_spec HANDLE NUM
{
$$ = $1;
- $$.handle.location = @$;
+ $$.handle.location = @3;
$$.handle.id = $3;
}
;
@@ -2334,7 +2337,7 @@ obj_identifier : identifier
handle_spec : HANDLE NUM
{
memset(&$$, 0, sizeof($$));
- $$.handle.location = @$;
+ $$.handle.location = @2;
$$.handle.id = $2;
}
;
@@ -2992,18 +2995,19 @@ synproxy_sack : /* empty */ { $$ = 0; }
}
;
-primary_stmt_expr : symbol_expr { $$ = $1; }
- | integer_expr { $$ = $1; }
- | boolean_expr { $$ = $1; }
- | meta_expr { $$ = $1; }
- | rt_expr { $$ = $1; }
- | ct_expr { $$ = $1; }
- | numgen_expr { $$ = $1; }
- | hash_expr { $$ = $1; }
- | payload_expr { $$ = $1; }
- | keyword_expr { $$ = $1; }
- | socket_expr { $$ = $1; }
- | osf_expr { $$ = $1; }
+primary_stmt_expr : symbol_expr { $$ = $1; }
+ | integer_expr { $$ = $1; }
+ | boolean_expr { $$ = $1; }
+ | meta_expr { $$ = $1; }
+ | rt_expr { $$ = $1; }
+ | ct_expr { $$ = $1; }
+ | numgen_expr { $$ = $1; }
+ | hash_expr { $$ = $1; }
+ | payload_expr { $$ = $1; }
+ | keyword_expr { $$ = $1; }
+ | socket_expr { $$ = $1; }
+ | osf_expr { $$ = $1; }
+ | '(' basic_stmt_expr ')' { $$ = $2; }
;
shift_stmt_expr : primary_stmt_expr
@@ -3138,6 +3142,12 @@ nat_stmt_args : stmt_expr
{
$<stmt>0->nat.flags = $2;
}
+ | nf_key_proto ADDR DOT PORT TO stmt_expr
+ {
+ $<stmt>0->nat.family = $1;
+ $<stmt>0->nat.addr = $6;
+ $<stmt>0->nat.ipportmap = true;
+ }
;
masq_stmt : masq_stmt_alloc masq_stmt_args
@@ -3592,7 +3602,6 @@ range_rhs_expr : basic_rhs_expr DASH basic_rhs_expr
multiton_rhs_expr : prefix_rhs_expr
| range_rhs_expr
- | wildcard_expr
;
map_expr : concat_expr MAP rhs_expr
@@ -3686,7 +3695,7 @@ set_elem_option : TIMEOUT time_spec
;
set_lhs_expr : concat_rhs_expr
- | multiton_rhs_expr
+ | wildcard_expr
;
set_rhs_expr : concat_rhs_expr
@@ -3939,7 +3948,7 @@ list_rhs_expr : basic_rhs_expr COMMA basic_rhs_expr
;
rhs_expr : concat_rhs_expr { $$ = $1; }
- | multiton_rhs_expr { $$ = $1; }
+ | wildcard_expr { $$ = $1; }
| set_expr { $$ = $1; }
| set_ref_symbol_expr { $$ = $1; }
;
@@ -3980,7 +3989,17 @@ basic_rhs_expr : inclusive_or_rhs_expr
;
concat_rhs_expr : basic_rhs_expr
- | concat_rhs_expr DOT basic_rhs_expr
+ | multiton_rhs_expr
+ | concat_rhs_expr DOT multiton_rhs_expr
+ {
+ struct location rhs[] = {
+ [1] = @2,
+ [2] = @3,
+ };
+
+ $$ = handle_concat_expr(&@$, $$, $1, $3, rhs);
+ }
+ | concat_rhs_expr DOT basic_rhs_expr
{
struct location rhs[] = {
[1] = @2,
diff --git a/src/rule.c b/src/rule.c
index 883b0707..9e58ee66 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -337,7 +337,7 @@ struct set *set_clone(const struct set *set)
new_set->objtype = set->objtype;
new_set->policy = set->policy;
new_set->automerge = set->automerge;
- new_set->desc.size = set->desc.size;
+ new_set->desc = set->desc;
return new_set;
}
@@ -1377,6 +1377,14 @@ struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj,
return cmd;
}
+void cmd_add_loc(struct cmd *cmd, uint16_t offset, struct location *loc)
+{
+ assert(cmd->num_attrs < NFT_NLATTR_LOC_MAX);
+ cmd->attr[cmd->num_attrs].offset = offset;
+ cmd->attr[cmd->num_attrs].location = loc;
+ cmd->num_attrs++;
+}
+
void nft_cmd_expand(struct cmd *cmd)
{
struct list_head new_cmds;
@@ -1540,7 +1548,8 @@ static int __do_add_setelems(struct netlink_ctx *ctx, struct set *set,
return -1;
if (set->init != NULL &&
- set->flags & NFT_SET_INTERVAL) {
+ set->flags & NFT_SET_INTERVAL &&
+ set->desc.field_count <= 1) {
interval_map_decompose(expr);
list_splice_tail_init(&expr->expressions, &set->init->expressions);
set->init->size += expr->size;
@@ -1561,7 +1570,7 @@ static int do_add_setelems(struct netlink_ctx *ctx, struct cmd *cmd,
table = table_lookup(h, &ctx->nft->cache);
set = set_lookup(table, h->set.name);
- if (set->flags & NFT_SET_INTERVAL &&
+ if (set_is_non_concat_range(set) &&
set_to_intervals(ctx->msgs, set, init, true,
ctx->nft->debug_mask, set->automerge,
&ctx->nft->output) < 0)
@@ -1570,13 +1579,13 @@ static int do_add_setelems(struct netlink_ctx *ctx, struct cmd *cmd,
return __do_add_setelems(ctx, set, init, flags);
}
-static int do_add_set(struct netlink_ctx *ctx, const struct cmd *cmd,
+static int do_add_set(struct netlink_ctx *ctx, struct cmd *cmd,
uint32_t flags)
{
struct set *set = cmd->set;
if (set->init != NULL) {
- if (set->flags & NFT_SET_INTERVAL &&
+ if (set_is_non_concat_range(set) &&
set_to_intervals(ctx->msgs, set, set->init, true,
ctx->nft->debug_mask, set->automerge,
&ctx->nft->output) < 0)
@@ -1662,7 +1671,7 @@ static int do_delete_setelems(struct netlink_ctx *ctx, struct cmd *cmd)
table = table_lookup(h, &ctx->nft->cache);
set = set_lookup(table, h->set.name);
- if (set->flags & NFT_SET_INTERVAL &&
+ if (set_is_non_concat_range(set) &&
set_to_intervals(ctx->msgs, set, expr, false,
ctx->nft->debug_mask, set->automerge,
&ctx->nft->output) < 0)
@@ -2516,7 +2525,7 @@ static int do_get_setelems(struct netlink_ctx *ctx, struct cmd *cmd,
set = set_lookup(table, cmd->handle.set.name);
/* Create a list of elements based of what we got from command line. */
- if (set->flags & NFT_SET_INTERVAL)
+ if (set_is_non_concat_range(set))
init = get_set_intervals(set, cmd->expr);
else
init = cmd->expr;
@@ -2529,7 +2538,7 @@ static int do_get_setelems(struct netlink_ctx *ctx, struct cmd *cmd,
if (err >= 0)
__do_list_set(ctx, cmd, table, new_set);
- if (set->flags & NFT_SET_INTERVAL)
+ if (set_is_non_concat_range(set))
expr_free(init);
set_free(new_set);
diff --git a/src/scanner.l b/src/scanner.l
index 99ee8355..45699c85 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -120,7 +120,7 @@ numberstring ({decstring}|{hexstring})
letter [a-zA-Z]
string ({letter}|[_.])({letter}|{digit}|[/\-_\.])*
quotedstring \"[^"]*\"
-asteriskstring ({string}\*|{string}\\\*)
+asteriskstring ({string}\*|{string}\\\*|\\\*|{string}\\\*{string})
comment #.*$
slash \/
@@ -471,6 +471,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"udplite" { return UDPLITE; }
"sport" { return SPORT; }
"dport" { return DPORT; }
+"port" { return PORT; }
"tcp" { return TCP; }
"ackseq" { return ACKSEQ; }
@@ -668,18 +669,22 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
static void scanner_push_indesc(struct parser_state *state,
struct input_descriptor *indesc)
{
- state->indescs[state->indesc_idx] = indesc;
- state->indesc = state->indescs[state->indesc_idx++];
+ if (!state->indesc)
+ list_add_tail(&indesc->list, &state->indesc_list);
+ else
+ list_add(&indesc->list, &state->indesc->list);
+
+ state->indesc = indesc;
}
static void scanner_pop_indesc(struct parser_state *state)
{
- state->indesc_idx--;
-
- if (state->indesc_idx > 0)
- state->indesc = state->indescs[state->indesc_idx - 1];
- else
+ if (!list_is_first(&state->indesc->list, &state->indesc_list)) {
+ state->indesc = list_entry(state->indesc->list.prev,
+ struct input_descriptor, list);
+ } else {
state->indesc = NULL;
+ }
}
static void scanner_pop_buffer(yyscan_t scanner)
@@ -691,13 +696,15 @@ static void scanner_pop_buffer(yyscan_t scanner)
}
static void scanner_push_file(struct nft_ctx *nft, void *scanner,
- const char *filename, const struct location *loc)
+ FILE *f, const char *filename,
+ const struct location *loc,
+ const struct input_descriptor *parent_indesc)
{
struct parser_state *state = yyget_extra(scanner);
struct input_descriptor *indesc;
YY_BUFFER_STATE b;
- b = yy_create_buffer(nft->f[state->indesc_idx], YY_BUF_SIZE, scanner);
+ b = yy_create_buffer(f, YY_BUF_SIZE, scanner);
yypush_buffer_state(b, scanner);
indesc = xzalloc(sizeof(struct input_descriptor));
@@ -706,20 +713,26 @@ static void scanner_push_file(struct nft_ctx *nft, void *scanner,
indesc->location = *loc;
indesc->type = INDESC_FILE;
indesc->name = xstrdup(filename);
+ indesc->f = f;
+ if (!parent_indesc) {
+ indesc->depth = 1;
+ } else {
+ indesc->depth = parent_indesc->depth + 1;
+ }
init_pos(indesc);
scanner_push_indesc(state, indesc);
- list_add_tail(&indesc->list, &state->indesc_list);
}
static int include_file(struct nft_ctx *nft, void *scanner,
- const char *filename, const struct location *loc)
+ const char *filename, const struct location *loc,
+ const struct input_descriptor *parent_indesc)
{
struct parser_state *state = yyget_extra(scanner);
struct error_record *erec;
FILE *f;
- if (state->indesc_idx == MAX_INCLUDE_DEPTH) {
+ if (parent_indesc && parent_indesc->depth == MAX_INCLUDE_DEPTH) {
erec = error(loc, "Include nested too deeply, max %u levels",
MAX_INCLUDE_DEPTH);
goto err;
@@ -731,8 +744,7 @@ static int include_file(struct nft_ctx *nft, void *scanner,
filename, strerror(errno));
goto err;
}
- nft->f[state->indesc_idx] = f;
- scanner_push_file(nft, scanner, filename, loc);
+ scanner_push_file(nft, scanner, f, filename, loc, parent_indesc);
return 0;
err:
erec_queue(erec, state->msgs);
@@ -743,6 +755,7 @@ static int include_glob(struct nft_ctx *nft, void *scanner, const char *pattern,
const struct location *loc)
{
struct parser_state *state = yyget_extra(scanner);
+ struct input_descriptor *indesc = state->indesc;
struct error_record *erec = NULL;
bool wildcard = false;
glob_t glob_data;
@@ -803,7 +816,7 @@ static int include_glob(struct nft_ctx *nft, void *scanner, const char *pattern,
if (len == 0 || path[len - 1] == '/')
continue;
- ret = include_file(nft, scanner, path, loc);
+ ret = include_file(nft, scanner, path, loc, indesc);
if (ret != 0)
goto err;
}
@@ -840,7 +853,7 @@ err:
int scanner_read_file(struct nft_ctx *nft, const char *filename,
const struct location *loc)
{
- return include_file(nft, nft->scanner, filename, loc);
+ return include_file(nft, nft->scanner, filename, loc, NULL);
}
static bool search_in_include_path(const char *filename)
@@ -906,16 +919,14 @@ void scanner_push_buffer(void *scanner, const struct input_descriptor *indesc,
const char *buffer)
{
struct parser_state *state = yyget_extra(scanner);
+ struct input_descriptor *new_indesc;
YY_BUFFER_STATE b;
- state->indesc = xzalloc(sizeof(struct input_descriptor));
- state->indescs[state->indesc_idx] = state->indesc;
- state->indesc_idx++;
-
- memcpy(state->indesc, indesc, sizeof(*state->indesc));
- state->indesc->data = buffer;
- state->indesc->name = NULL;
- list_add_tail(&state->indesc->list, &state->indesc_list);
+ new_indesc = xzalloc(sizeof(struct input_descriptor));
+ memcpy(new_indesc, indesc, sizeof(*new_indesc));
+ new_indesc->data = buffer;
+ new_indesc->name = NULL;
+ scanner_push_indesc(state, new_indesc);
b = yy_scan_string(buffer, scanner);
assert(b != NULL);
@@ -944,6 +955,10 @@ static void input_descriptor_list_destroy(struct parser_state *state)
struct input_descriptor *indesc, *next;
list_for_each_entry_safe(indesc, next, &state->indesc_list, list) {
+ if (indesc->f) {
+ fclose(indesc->f);
+ indesc->f = NULL;
+ }
list_del(&indesc->list);
input_descriptor_destroy(indesc);
}
@@ -953,15 +968,6 @@ void scanner_destroy(struct nft_ctx *nft)
{
struct parser_state *state = yyget_extra(nft->scanner);
- do {
- yypop_buffer_state(nft->scanner);
-
- if (nft->f[state->indesc_idx]) {
- fclose(nft->f[state->indesc_idx]);
- nft->f[state->indesc_idx] = NULL;
- }
- } while (state->indesc_idx--);
-
input_descriptor_list_destroy(state);
yylex_destroy(nft->scanner);
}
diff --git a/src/segtree.c b/src/segtree.c
index e8e32412..8d79332d 100644
--- a/src/segtree.c
+++ b/src/segtree.c
@@ -650,6 +650,11 @@ struct expr *get_set_intervals(const struct set *set, const struct expr *init)
set_elem_add(set, new_init, i->key->value,
i->flags, i->byteorder);
break;
+ case EXPR_CONCAT:
+ compound_expr_add(new_init, expr_clone(i));
+ i->flags |= EXPR_F_INTERVAL_END;
+ compound_expr_add(new_init, expr_clone(i));
+ break;
default:
range_expr_value_low(low, i);
set_elem_add(set, new_init, low, 0, i->byteorder);
@@ -821,6 +826,9 @@ static int expr_value_cmp(const void *p1, const void *p2)
struct expr *e2 = *(void * const *)p2;
int ret;
+ if (expr_value(e1)->etype == EXPR_CONCAT)
+ return -1;
+
ret = mpz_cmp(expr_value(e1)->value, expr_value(e2)->value);
if (ret == 0) {
if (e1->flags & EXPR_F_INTERVAL_END)
@@ -832,6 +840,115 @@ static int expr_value_cmp(const void *p1, const void *p2)
return ret;
}
+/* Given start and end elements of a range, check if it can be represented as
+ * a single netmask, and if so, how long, by returning zero or a positive value.
+ */
+static int range_mask_len(const mpz_t start, const mpz_t end, unsigned int len)
+{
+ mpz_t tmp_start, tmp_end;
+ int ret;
+
+ mpz_init_set_ui(tmp_start, mpz_get_ui(start));
+ mpz_init_set_ui(tmp_end, mpz_get_ui(end));
+
+ while (mpz_cmp(tmp_start, tmp_end) <= 0 &&
+ !mpz_tstbit(tmp_start, 0) && mpz_tstbit(tmp_end, 0) &&
+ len--) {
+ mpz_fdiv_q_2exp(tmp_start, tmp_start, 1);
+ mpz_fdiv_q_2exp(tmp_end, tmp_end, 1);
+ }
+
+ ret = !mpz_cmp(tmp_start, tmp_end) ? (int)len : -1;
+
+ mpz_clear(tmp_start);
+ mpz_clear(tmp_end);
+
+ return ret;
+}
+
+/* Given a set with two elements (start and end), transform them into a
+ * concatenation of ranges. That is, from a list of start expressions and a list
+ * of end expressions, form a list of start - end expressions.
+ */
+void concat_range_aggregate(struct expr *set)
+{
+ struct expr *i, *start = NULL, *end, *r1, *r2, *next, *r1_next, *tmp;
+ struct list_head *r2_next;
+ int prefix_len, free_r1;
+ mpz_t range, p;
+
+ list_for_each_entry_safe(i, next, &set->expressions, list) {
+ if (!start) {
+ start = i;
+ continue;
+ }
+ end = i;
+
+ /* Walk over r1 (start expression) and r2 (end) in parallel,
+ * form ranges between corresponding r1 and r2 expressions,
+ * store them by replacing r2 expressions, and free r1
+ * expressions.
+ */
+ r2 = list_first_entry(&expr_value(end)->expressions,
+ struct expr, list);
+ list_for_each_entry_safe(r1, r1_next,
+ &expr_value(start)->expressions,
+ list) {
+ mpz_init(range);
+ mpz_init(p);
+
+ r2_next = r2->list.next;
+ free_r1 = 0;
+
+ if (!mpz_cmp(r1->value, r2->value)) {
+ free_r1 = 1;
+ goto next;
+ }
+
+ mpz_sub(range, r2->value, r1->value);
+ mpz_sub_ui(range, range, 1);
+ mpz_and(p, r1->value, range);
+
+ /* Check if we are forced, or if it's anyway preferable,
+ * to express the range as two points instead of a
+ * netmask.
+ */
+ prefix_len = range_mask_len(r1->value, r2->value,
+ r1->len);
+ if (prefix_len < 0 ||
+ !(r1->dtype->flags & DTYPE_F_PREFIX)) {
+ tmp = range_expr_alloc(&r1->location, r1,
+ r2);
+
+ list_replace(&r2->list, &tmp->list);
+ r2_next = tmp->list.next;
+ } else {
+ tmp = prefix_expr_alloc(&r1->location, r1,
+ prefix_len);
+ tmp->len = r2->len;
+
+ list_replace(&r2->list, &tmp->list);
+ r2_next = tmp->list.next;
+ expr_free(r2);
+ }
+
+next:
+ mpz_clear(p);
+ mpz_clear(range);
+
+ r2 = list_entry(r2_next, typeof(*r2), list);
+ compound_expr_remove(start, r1);
+
+ if (free_r1)
+ expr_free(r1);
+ }
+
+ compound_expr_remove(set, start);
+ expr_free(start);
+ start = NULL;
+ }
+}
+
void interval_map_decompose(struct expr *set)
{
struct expr **elements, **ranges;
diff --git a/src/statement.c b/src/statement.c
index be35bcef..182edac8 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -607,6 +607,9 @@ static void nat_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
break;
}
+ if (stmt->nat.ipportmap)
+ nft_print(octx, " addr . port");
+
nft_print(octx, " to");
}
diff --git a/tests/json_echo/run-test.py b/tests/json_echo/run-test.py
index a636d5f2..36a377ac 100755
--- a/tests/json_echo/run-test.py
+++ b/tests/json_echo/run-test.py
@@ -4,6 +4,7 @@ from __future__ import print_function
import sys
import os
import json
+import argparse
TESTS_PATH = os.path.dirname(os.path.abspath(__file__))
sys.path.insert(0, os.path.join(TESTS_PATH, '../../py/'))
@@ -13,12 +14,26 @@ from nftables import Nftables
# Change working directory to repository root
os.chdir(TESTS_PATH + "/../..")
-if not os.path.exists('src/.libs/libnftables.so'):
- print("The nftables library does not exist. "
- "You need to build the project.")
+parser = argparse.ArgumentParser(description='Run JSON echo tests')
+parser.add_argument('-H', '--host', action='store_true',
+ help='Run tests against installed libnftables.so.1')
+parser.add_argument('-l', '--library', default=None,
+ help='Path to libntables.so, overrides --host')
+args = parser.parse_args()
+
+check_lib_path = True
+if args.library is None:
+ if args.host:
+ args.library = 'libnftables.so.1'
+ check_lib_path = False
+ else:
+ args.library = 'src/.libs/libnftables.so.1'
+
+if check_lib_path and not os.path.exists(args.library):
+ print("Library not found at '%s'." % args.library)
sys.exit(1)
-nftables = Nftables(sofile = 'src/.libs/libnftables.so')
+nftables = Nftables(sofile = args.library)
nftables.set_echo_output(True)
# various commands to work with
@@ -119,7 +134,7 @@ def get_handle(output, search):
else:
data = item
- k = search.keys()[0]
+ k = list(search.keys())[0]
if not k in data:
continue
diff --git a/tests/monitor/run-tests.sh b/tests/monitor/run-tests.sh
index efacdaaa..ffb833a7 100755
--- a/tests/monitor/run-tests.sh
+++ b/tests/monitor/run-tests.sh
@@ -119,6 +119,10 @@ while [ -n "$1" ]; do
test_json=true
shift
;;
+ -H|--host)
+ nft=nft
+ shift
+ ;;
testcases/*.t)
testcases+=" $1"
shift
diff --git a/tests/py/any/ct.t b/tests/py/any/ct.t
index ebc08644..f65d2759 100644
--- a/tests/py/any/ct.t
+++ b/tests/py/any/ct.t
@@ -57,6 +57,7 @@ ct mark set 0x11333 and 0x11;ok;ct mark set 0x00000011
ct mark set 0x12 or 0x11;ok;ct mark set 0x00000013
ct mark set 0x11;ok;ct mark set 0x00000011
ct mark set mark;ok;ct mark set meta mark
+ct mark set (meta mark | 0x10) << 8;ok;ct mark set (meta mark | 0x00000010) << 8
ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 };ok;ct mark set meta mark map { 0x00000003 : 0x0000001e, 0x00000002 : 0x00000014, 0x00000001 : 0x0000000a}
ct mark set {0x11333, 0x11};fail
diff --git a/tests/py/any/ct.t.json b/tests/py/any/ct.t.json
index 7c16f9df..59ac27c3 100644
--- a/tests/py/any/ct.t.json
+++ b/tests/py/any/ct.t.json
@@ -499,6 +499,29 @@
}
]
+# ct mark set ct mark or 0x00000001
+[
+ {
+ "mangle": {
+ "key": {
+ "ct": {
+ "key": "mark"
+ }
+ },
+ "value": {
+ "|": [
+ {
+ "ct": {
+ "key": "mark"
+ }
+ },
+ 1
+ ]
+ }
+ }
+ }
+]
+
# ct mark 0x00000032
[
{
@@ -701,6 +724,34 @@
}
]
+# ct mark set (meta mark | 0x10) << 8
+[
+ {
+ "mangle": {
+ "key": {
+ "ct": {
+ "key": "mark"
+ }
+ },
+ "value": {
+ "<<": [
+ {
+ "|": [
+ {
+ "meta": {
+ "key": "mark"
+ }
+ },
+ 16
+ ]
+ },
+ 8
+ ]
+ }
+ }
+ }
+]
+
# ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 }
[
{
diff --git a/tests/py/any/ct.t.payload b/tests/py/any/ct.t.payload
index bdc6a70e..66159125 100644
--- a/tests/py/any/ct.t.payload
+++ b/tests/py/any/ct.t.payload
@@ -329,6 +329,27 @@ ip test-ip4 output
[ meta load mark => reg 1 ]
[ ct set mark with reg 1 ]
+# ct mark set (meta mark | 0x10) << 8
+ip test-ip4 output
+ [ meta load mark => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0xffffffef ) ^ 0x00000010 ]
+ [ bitwise reg 1 = ( reg 1 << 0x00000008 ) ]
+ [ ct set mark with reg 1 ]
+
+# ct mark set (meta mark | 0x10) << 8
+ip6 test-ip6 output
+ [ meta load mark => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0xffffffef ) ^ 0x00000010 ]
+ [ bitwise reg 1 = ( reg 1 << 0x00000008 ) ]
+ [ ct set mark with reg 1 ]
+
+# ct mark set (meta mark | 0x10) << 8
+inet test-inet output
+ [ meta load mark => reg 1 ]
+ [ bitwise reg 1 = (reg=1 & 0xffffffef ) ^ 0x00000010 ]
+ [ bitwise reg 1 = ( reg 1 << 0x00000008 ) ]
+ [ ct set mark with reg 1 ]
+
# ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 }
__map%d test-ip4 b
__map%d test-ip4 0
diff --git a/tests/py/inet/meta.t b/tests/py/inet/meta.t
index df32332f..3638898b 100644
--- a/tests/py/inet/meta.t
+++ b/tests/py/inet/meta.t
@@ -16,3 +16,4 @@ meta ipsec exists;ok
meta secpath missing;ok;meta ipsec missing
meta ibrname "br0";fail
meta obrname "br0";fail
+meta mark set ct mark >> 8;ok
diff --git a/tests/py/inet/meta.t.json b/tests/py/inet/meta.t.json
index 5501f0be..5c0e7d2e 100644
--- a/tests/py/inet/meta.t.json
+++ b/tests/py/inet/meta.t.json
@@ -213,3 +213,25 @@
}
]
+# meta mark set ct mark >> 8
+[
+ {
+ "mangle": {
+ "key": {
+ "meta": {
+ "key": "mark"
+ }
+ },
+ "value": {
+ ">>": [
+ {
+ "ct": {
+ "key": "mark"
+ }
+ },
+ 8
+ ]
+ }
+ }
+ }
+]
diff --git a/tests/py/inet/meta.t.payload b/tests/py/inet/meta.t.payload
index d7ff7e2d..6ccf6d24 100644
--- a/tests/py/inet/meta.t.payload
+++ b/tests/py/inet/meta.t.payload
@@ -73,3 +73,9 @@ inet test-inet input
inet test-inet input
[ meta load secpath => reg 1 ]
[ cmp eq reg 1 0x00000000 ]
+
+# meta mark set ct mark >> 8
+inet test-inet input
+ [ ct load mark => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 >> 0x00000008 ) ]
+ [ meta set mark with reg 1 ]
diff --git a/tests/py/ip/meta.t.json b/tests/py/ip/meta.t.json
index f873aa88..f83864f6 100644
--- a/tests/py/ip/meta.t.json
+++ b/tests/py/ip/meta.t.json
@@ -105,3 +105,38 @@
}
]
+# meta sdif "lo" accept
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "sdif"
+ }
+ },
+ "op": "==",
+ "right": "lo"
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# meta sdifname != "vrf1" accept
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "sdifname"
+ }
+ },
+ "op": "!=",
+ "right": "vrf1"
+ }
+ },
+ {
+ "accept": null
+ }
+]
diff --git a/tests/py/ip6/meta.t.json b/tests/py/ip6/meta.t.json
index 29cf9fd2..e72350f3 100644
--- a/tests/py/ip6/meta.t.json
+++ b/tests/py/ip6/meta.t.json
@@ -105,3 +105,38 @@
}
]
+# meta sdif "lo" accept
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "sdif"
+ }
+ },
+ "op": "==",
+ "right": "lo"
+ }
+ },
+ {
+ "accept": null
+ }
+]
+
+# meta sdifname != "vrf1" accept
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "sdifname"
+ }
+ },
+ "op": "!=",
+ "right": "vrf1"
+ }
+ },
+ {
+ "accept": null
+ }
+]
diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py
index 6edca3c6..01ee6c98 100755
--- a/tests/py/nft-test.py
+++ b/tests/py/nft-test.py
@@ -1357,10 +1357,16 @@ def main():
dest='force_all_family',
help='keep testing all families on error')
+ parser.add_argument('-H', '--host', action='store_true',
+ help='run tests against installed libnftables.so.1')
+
parser.add_argument('-j', '--enable-json', action='store_true',
dest='enable_json',
help='test JSON functionality as well')
+ parser.add_argument('-l', '--library', default=None,
+ help='path to libntables.so.1, overrides --host')
+
parser.add_argument('-s', '--schema', action='store_true',
dest='enable_schema',
help='verify json input/output against schema')
@@ -1388,9 +1394,17 @@ def main():
# Change working directory to repository root
os.chdir(TESTS_PATH + "/../..")
- if not os.path.exists('src/.libs/libnftables.so'):
- print("The nftables library does not exist. "
- "You need to build the project.")
+ check_lib_path = True
+ if args.library is None:
+ if args.host:
+ args.library = 'libnftables.so.1'
+ check_lib_path = False
+ else:
+ args.library = 'src/.libs/libnftables.so.1'
+
+ if check_lib_path and not os.path.exists(args.library):
+ print("The nftables library at '%s' does not exist. "
+ "You need to build the project." % args.library)
return
if args.enable_schema and not args.enable_json:
@@ -1398,7 +1412,7 @@ def main():
return
global nftables
- nftables = Nftables(sofile = 'src/.libs/libnftables.so')
+ nftables = Nftables(sofile = args.library)
test_files = files_ok = run_total = 0
tests = passed = warnings = errors = 0
diff --git a/tests/shell/testcases/chains/0040mark_shift_0 b/tests/shell/testcases/chains/0040mark_shift_0
new file mode 100755
index 00000000..55447f0b
--- /dev/null
+++ b/tests/shell/testcases/chains/0040mark_shift_0
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -e
+
+RULESET="
+ add table t
+ add chain t c { type filter hook output priority mangle; }
+ add rule t c oif lo ct mark set (meta mark | 0x10) << 8
+"
+
+$NFT --debug=eval -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/chains/0040mark_shift_1 b/tests/shell/testcases/chains/0040mark_shift_1
new file mode 100755
index 00000000..b609f5ef
--- /dev/null
+++ b/tests/shell/testcases/chains/0040mark_shift_1
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -e
+
+RULESET="
+ add table t
+ add chain t c { type filter hook input priority mangle; }
+ add rule t c iif lo ct mark & 0xff 0x10 meta mark set ct mark >> 8
+"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/chains/dumps/0040mark_shift_0.nft b/tests/shell/testcases/chains/dumps/0040mark_shift_0.nft
new file mode 100644
index 00000000..52d59d2c
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0040mark_shift_0.nft
@@ -0,0 +1,6 @@
+table ip t {
+ chain c {
+ type filter hook output priority mangle; policy accept;
+ oif "lo" ct mark set (meta mark | 0x00000010) << 8
+ }
+}
diff --git a/tests/shell/testcases/chains/dumps/0040mark_shift_1.nft b/tests/shell/testcases/chains/dumps/0040mark_shift_1.nft
new file mode 100644
index 00000000..56ec8dc7
--- /dev/null
+++ b/tests/shell/testcases/chains/dumps/0040mark_shift_1.nft
@@ -0,0 +1,6 @@
+table ip t {
+ chain c {
+ type filter hook input priority mangle; policy accept;
+ iif "lo" ct mark & 0x000000ff == 0x00000010 meta mark set ct mark >> 8
+ }
+}
diff --git a/tests/shell/testcases/include/0017glob_more_than_maxdepth_1 b/tests/shell/testcases/include/0017glob_more_than_maxdepth_1
new file mode 100755
index 00000000..6499bcc8
--- /dev/null
+++ b/tests/shell/testcases/include/0017glob_more_than_maxdepth_1
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+set -e
+
+tmpfile=$(mktemp)
+if [ ! -w $tmpfile ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+fi
+
+tmpdir1=$(mktemp -d)
+if [ ! -d $tmpdir1 ] ; then
+ echo "Failed to create tmp directory" >&2
+ exit 0
+fi
+
+tmpfiles=""
+for i in `seq -w 1 32`; do
+ tmpfile2=$(mktemp -p $tmpdir1)
+ if [ ! -w $tmpfile2 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 0
+ fi
+ tmpfiles="$tmpfiles $tmpfile2"
+done
+
+trap "rm -rf $tmpfile $tmpfiles && rmdir $tmpdir1" EXIT # cleanup if aborted
+
+RULESET=" \
+include \"$tmpdir1/*\"
+"
+
+echo "$RULESET" > $tmpfile
+
+$NFT -f $tmpfile
+if [ $? -ne 0 ] ; then
+ echo "E: unable to load good ruleset" >&2
+ exit 1
+fi
diff --git a/tests/shell/testcases/include/0018include_error_0 b/tests/shell/testcases/include/0018include_error_0
new file mode 100755
index 00000000..ae2dba3c
--- /dev/null
+++ b/tests/shell/testcases/include/0018include_error_0
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+tmpfile1=$(mktemp)
+if [ ! -w $tmpfile1 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 1
+fi
+
+touch $tmpfile1
+
+RULESET="include \"$tmpfile1\"
+)
+"
+
+tmpfile2=$(mktemp)
+if [ ! -w $tmpfile2 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 1
+fi
+
+tmpfile3=$(mktemp)
+if [ ! -w $tmpfile3 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 1
+fi
+
+echo "/dev/stdin:2:1-1: Error: syntax error, unexpected ')'
+)
+^" > $tmpfile3
+
+$NFT -I/tmp/ -f - <<< "$RULESET" 2> $tmpfile2
+$DIFF -u $tmpfile2 $tmpfile3
+
+rm $tmpfile1 $tmpfile2 $tmpfile3
diff --git a/tests/shell/testcases/include/0019include_error_0 b/tests/shell/testcases/include/0019include_error_0
new file mode 100755
index 00000000..4b84a578
--- /dev/null
+++ b/tests/shell/testcases/include/0019include_error_0
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+tmpfile1=$(mktemp)
+if [ ! -w $tmpfile1 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 1
+fi
+
+tmpfile2=$(mktemp)
+if [ ! -w $tmpfile2 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 1
+fi
+
+echo "(" >> $tmpfile2
+
+tmpdir=$(mktemp -d)
+
+echo "include \"$tmpfile2\"
+include \"$tmpdir/*.nft\"
+x" > $tmpfile1
+
+echo "=" > $tmpdir/1.nft
+echo ")" > $tmpdir/2.nft
+echo "-" > $tmpdir/3.nft
+
+tmpfile3=$(mktemp)
+if [ ! -w $tmpfile3 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 1
+fi
+
+echo "In file included from $tmpfile1:1:1-30:
+$tmpfile2:1:1-1: Error: syntax error, unexpected '('
+(
+^
+In file included from $tmpfile1:2:1-36:
+$tmpdir/1.nft:1:1-1: Error: syntax error, unexpected '='
+=
+^
+In file included from $tmpfile1:2:1-36:
+$tmpdir/2.nft:1:1-1: Error: syntax error, unexpected ')'
+)
+^
+In file included from $tmpfile1:2:1-36:
+$tmpdir/3.nft:1:1-1: Error: syntax error, unexpected -
+-
+^
+$tmpfile1:3:2-2: Error: syntax error, unexpected newline, expecting string
+x
+ ^" > $tmpfile3
+
+tmpfile4=$(mktemp)
+if [ ! -w $tmpfile4 ] ; then
+ echo "Failed to create tmp file" >&2
+ exit 1
+fi
+
+$NFT -I/tmp/ -f $tmpfile1 2> $tmpfile4
+$DIFF -u $tmpfile3 $tmpfile4
+
+rm $tmpfile1 $tmpfile2 $tmpfile3 $tmpfile4
+rm -r $tmpdir
diff --git a/tests/shell/testcases/maps/dumps/nat_addr_port.nft b/tests/shell/testcases/maps/dumps/nat_addr_port.nft
new file mode 100644
index 00000000..89c3bd14
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/nat_addr_port.nft
@@ -0,0 +1,129 @@
+table ip ipfoo {
+ map t1 {
+ typeof numgen inc mod 2 : ip daddr
+ }
+
+ map t2 {
+ typeof numgen inc mod 2 : ip daddr . tcp dport
+ }
+
+ map x {
+ type ipv4_addr : ipv4_addr
+ }
+
+ map y {
+ type ipv4_addr : ipv4_addr . inet_service
+ elements = { 192.168.7.2 : 10.1.1.1 . 4242 }
+ }
+
+ map z {
+ type ipv4_addr . inet_service : ipv4_addr . inet_service
+ elements = { 192.168.7.2 . 42 : 10.1.1.1 . 4242 }
+ }
+
+ chain c {
+ type nat hook prerouting priority dstnat; policy accept;
+ iifname != "foobar" accept
+ dnat to ip daddr map @x
+ ip saddr 10.1.1.1 dnat to 10.2.3.4
+ ip saddr 10.1.1.2 tcp dport 42 dnat to 10.2.3.4:4242
+ meta l4proto tcp dnat ip addr . port to ip saddr map @y
+ dnat ip addr . port to ip saddr . tcp dport map @z
+ dnat to numgen inc mod 2 map @t1
+ meta l4proto tcp dnat ip addr . port to numgen inc mod 2 map @t2
+ }
+}
+table ip6 ip6foo {
+ map t1 {
+ typeof numgen inc mod 2 : ip6 daddr
+ }
+
+ map t2 {
+ typeof numgen inc mod 2 : ip6 daddr . tcp dport
+ }
+
+ map x {
+ type ipv6_addr : ipv6_addr
+ }
+
+ map y {
+ type ipv6_addr : ipv6_addr . inet_service
+ }
+
+ map z {
+ type ipv6_addr . inet_service : ipv6_addr . inet_service
+ }
+
+ chain c {
+ type nat hook prerouting priority dstnat; policy accept;
+ iifname != "foobar" accept
+ dnat to ip6 daddr map @x
+ ip6 saddr dead::1 dnat to feed::1
+ ip6 saddr dead::2 tcp dport 42 dnat to [c0::1a]:4242
+ meta l4proto tcp dnat ip6 addr . port to ip6 saddr map @y
+ dnat ip6 addr . port to ip6 saddr . tcp dport map @z
+ dnat to numgen inc mod 2 map @t1
+ meta l4proto tcp dnat ip6 addr . port to numgen inc mod 2 map @t2
+ }
+}
+table inet inetfoo {
+ map t1v4 {
+ typeof numgen inc mod 2 : ip daddr
+ }
+
+ map t2v4 {
+ typeof numgen inc mod 2 : ip daddr . tcp dport
+ }
+
+ map t1v6 {
+ typeof numgen inc mod 2 : ip6 daddr
+ }
+
+ map t2v6 {
+ typeof numgen inc mod 2 : ip6 daddr . tcp dport
+ }
+
+ map x4 {
+ type ipv4_addr : ipv4_addr
+ }
+
+ map y4 {
+ type ipv4_addr : ipv4_addr . inet_service
+ }
+
+ map z4 {
+ type ipv4_addr . inet_service : ipv4_addr . inet_service
+ elements = { 192.168.7.2 . 42 : 10.1.1.1 . 4242 }
+ }
+
+ map x6 {
+ type ipv6_addr : ipv6_addr
+ }
+
+ map y6 {
+ type ipv6_addr : ipv6_addr . inet_service
+ }
+
+ map z6 {
+ type ipv6_addr . inet_service : ipv6_addr . inet_service
+ }
+
+ chain c {
+ type nat hook prerouting priority dstnat; policy accept;
+ iifname != "foobar" accept
+ dnat ip to ip daddr map @x4
+ ip saddr 10.1.1.1 dnat ip to 10.2.3.4
+ ip saddr 10.1.1.2 tcp dport 42 dnat ip to 10.2.3.4:4242
+ meta l4proto tcp meta nfproto ipv4 dnat ip addr . port to ip saddr map @y4
+ meta nfproto ipv4 dnat ip addr . port to ip saddr . tcp dport map @z4
+ dnat ip to numgen inc mod 2 map @t1v4
+ meta l4proto tcp dnat ip addr . port to numgen inc mod 2 map @t2v4
+ dnat ip6 to ip6 daddr map @x6
+ ip6 saddr dead::1 dnat ip6 to feed::1
+ ip6 saddr dead::2 tcp dport 42 dnat ip6 to [c0::1a]:4242
+ meta l4proto tcp meta nfproto ipv6 dnat ip6 addr . port to ip6 saddr map @y6
+ meta nfproto ipv6 dnat ip6 addr . port to ip6 saddr . tcp dport map @z6
+ dnat ip6 to numgen inc mod 2 map @t1v6
+ meta l4proto tcp dnat ip6 addr . port to numgen inc mod 2 map @t2v6
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_update_0.nft b/tests/shell/testcases/maps/dumps/typeof_maps_update_0.nft
new file mode 100644
index 00000000..698219cb
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/typeof_maps_update_0.nft
@@ -0,0 +1,21 @@
+table ip kube-nfproxy-v4 {
+ map sticky-set-svc-M53CN2XYVUHRQ7UB {
+ type ipv4_addr : mark
+ size 65535
+ timeout 6m
+ }
+
+ map sticky-set-svc-153CN2XYVUHRQ7UB {
+ typeof ip daddr : meta mark
+ size 65535
+ timeout 1m
+ }
+
+ chain k8s-nfproxy-sep-TMVEFT7EX55F4T62 {
+ update @sticky-set-svc-M53CN2XYVUHRQ7UB { ip saddr : 0x00000002 }
+ }
+
+ chain k8s-nfproxy-sep-GMVEFT7EX55F4T62 {
+ update @sticky-set-svc-153CN2XYVUHRQ7UB { ip saddr : 0x00000003 }
+ }
+}
diff --git a/tests/shell/testcases/maps/nat_addr_port b/tests/shell/testcases/maps/nat_addr_port
new file mode 100755
index 00000000..2804d48c
--- /dev/null
+++ b/tests/shell/testcases/maps/nat_addr_port
@@ -0,0 +1,207 @@
+#!/bin/bash
+
+# skeleton
+$NFT -f /dev/stdin <<EOF || exit 1
+table ip ipfoo {
+ map t1 {
+ typeof numgen inc mod 2 : ip daddr;
+ }
+
+ map t2 {
+ typeof numgen inc mod 2 : ip daddr . tcp dport
+ }
+
+ map x {
+ type ipv4_addr : ipv4_addr
+ }
+ map y {
+ type ipv4_addr : ipv4_addr . inet_service
+ elements = { 192.168.7.2 : 10.1.1.1 . 4242 }
+ }
+ map z {
+ type ipv4_addr . inet_service : ipv4_addr . inet_service
+ elements = { 192.168.7.2 . 42 : 10.1.1.1 . 4242 }
+ }
+
+ chain c {
+ type nat hook prerouting priority dstnat; policy accept;
+ meta iifname != "foobar" accept
+ dnat to ip daddr map @x
+ ip saddr 10.1.1.1 dnat to 10.2.3.4
+ ip saddr 10.1.1.2 tcp dport 42 dnat to 10.2.3.4:4242
+ meta l4proto tcp dnat ip addr . port to ip saddr map @y
+ meta l4proto tcp dnat ip addr . port to ip saddr . tcp dport map @z
+ dnat ip to numgen inc mod 2 map @t1
+ meta l4proto tcp dnat ip addr . port to numgen inc mod 2 map @t2
+ }
+}
+EOF
+
+# should fail: rule has no test for l4 protocol
+$NFT add rule 'ip ipfoo c ip saddr 10.1.1.2 dnat to 10.2.3.4:4242' && exit 1
+
+# should fail: rule has no test for l4 protocol, but map has inet_service
+$NFT add rule 'ip ipfoo c dnat to ip daddr map @y' && exit 1
+
+# skeleton 6
+$NFT -f /dev/stdin <<EOF || exit 1
+table ip6 ip6foo {
+ map t1 {
+ typeof numgen inc mod 2 : ip6 daddr;
+ }
+
+ map t2 {
+ typeof numgen inc mod 2 : ip6 daddr . tcp dport
+ }
+
+ map x {
+ type ipv6_addr : ipv6_addr
+ }
+ map y {
+ type ipv6_addr : ipv6_addr . inet_service
+ }
+ map z {
+ type ipv6_addr . inet_service : ipv6_addr . inet_service
+ }
+
+ chain c {
+ type nat hook prerouting priority dstnat; policy accept;
+ meta iifname != "foobar" accept
+ dnat to ip6 daddr map @x
+ ip6 saddr dead::1 dnat to feed::1
+ ip6 saddr dead::2 tcp dport 42 dnat to [c0::1a]:4242
+ meta l4proto tcp dnat ip6 addr . port to ip6 saddr map @y
+ meta l4proto tcp dnat ip6 addr . port to ip6 saddr . tcp dport map @z
+ dnat ip6 to numgen inc mod 2 map @t1
+ meta l4proto tcp dnat ip6 addr . port to numgen inc mod 2 map @t2
+ }
+}
+EOF
+
+# should fail: rule has no test for l4 protocol
+$NFT add rule 'ip6 ip6foo c ip6 saddr f0:0b::a3 dnat to [1c::3]:42' && exit 1
+
+# should fail: rule has no test for l4 protocol, but map has inet_service
+$NFT add rule 'ip6 ip6foo c dnat to ip daddr map @y' && exit 1
+
+# skeleton inet
+$NFT -f /dev/stdin <<EOF || exit 1
+table inet inetfoo {
+ map t1v4 {
+ typeof numgen inc mod 2 : ip daddr
+ }
+
+ map t2v4 {
+ typeof numgen inc mod 2 : ip daddr . tcp dport;
+ }
+
+ map t1v6 {
+ typeof numgen inc mod 2 : ip6 daddr;
+ }
+
+ map t2v6 {
+ typeof numgen inc mod 2 : ip6 daddr . tcp dport
+ }
+
+ map x4 {
+ type ipv4_addr : ipv4_addr
+ }
+ map y4 {
+ type ipv4_addr : ipv4_addr . inet_service
+ }
+ map z4 {
+ type ipv4_addr . inet_service : ipv4_addr . inet_service
+ elements = { 192.168.7.2 . 42 : 10.1.1.1 . 4242 }
+ }
+ map x6 {
+ type ipv6_addr : ipv6_addr
+ }
+ map y6 {
+ type ipv6_addr : ipv6_addr . inet_service
+ }
+ map z6 {
+ type ipv6_addr . inet_service : ipv6_addr . inet_service
+ }
+
+ chain c {
+ type nat hook prerouting priority dstnat; policy accept;
+ meta iifname != "foobar" accept
+ dnat ip to ip daddr map @x4
+ ip saddr 10.1.1.1 dnat to 10.2.3.4
+ ip saddr 10.1.1.2 tcp dport 42 dnat to 10.2.3.4:4242
+ meta l4proto tcp dnat ip addr . port to ip saddr map @y4
+ meta l4proto tcp dnat ip addr . port to ip saddr . tcp dport map @z4
+ dnat ip to numgen inc mod 2 map @t1v4
+ meta l4proto tcp dnat ip addr . port to numgen inc mod 2 map @t2v4
+ dnat ip6 to ip6 daddr map @x6
+ ip6 saddr dead::1 dnat to feed::1
+ ip6 saddr dead::2 tcp dport 42 dnat to [c0::1a]:4242
+ meta l4proto tcp dnat ip6 addr . port to ip6 saddr map @y6
+ meta l4proto tcp dnat ip6 addr . port to ip6 saddr . tcp dport map @z6
+ dnat ip6 to numgen inc mod 2 map @t1v6
+ meta l4proto tcp dnat ip6 addr . port to numgen inc mod 2 map @t2v6
+ }
+}
+EOF
+
+# should fail: map has wrong family: 4->6
+$NFT add rule 'inet inetfoo c dnat to ip daddr map @x6' && exit 1
+
+# should fail: map has wrong family: 6->4
+$NFT add rule 'inet inetfoo c dnat to ip6 daddr map @x4' && exit 1
+
+# should fail: rule has no test for l4 protocol
+$NFT add rule 'inet inetfoo c ip6 saddr f0:0b::a3 dnat to [1c::3]:42' && exit 1
+
+# should fail: rule has no test for l4 protocol, but map has inet_service
+$NFT add rule 'inet inetfoo c dnat to ip daddr map @y4' && exit 1
+
+# should fail: rule has test for l4 protocol, but map has wrong family: 4->6
+$NFT add rule 'inet inetfoo c meta l4proto tcp dnat to ip daddr map @y6' && exit 1
+
+# should fail: rule has test for l4 protocol, but map has wrong family: 6->4
+$NFT add rule 'inet inetfoo c meta l4proto tcp dnat to ip6 daddr map @y4' && exit 1
+
+# fail: inet_service, but expect ipv4_addr
+$NFT -f /dev/stdin <<EOF && exit 1
+table inet inetfoo {
+ map a {
+ type ipv4_addr : inet_service
+ }
+
+ chain c {
+ type nat hook prerouting priority dstnat; policy accept;
+ meta l4proto tcp dnat ip to ip saddr map @a
+ }
+}
+EOF
+
+# fail: maps to inet_service . inet_service, not addr . service
+$NFT -f /dev/stdin <<EOF && exit 1
+table inet inetfoo {
+ map b {
+ type ipv4_addr : inet_service . inet_service
+ }
+
+ chain c {
+ type nat hook prerouting priority dstnat; policy accept;
+ meta l4proto tcp dnat ip to ip saddr map @a
+ }
+}
+EOF
+
+# fail: only accept exactly two sub-expressions: 'addr . service'
+$NFT -f /dev/stdin <<EOF && exit 1
+table inet inetfoo {
+ map b {
+ type ipv4_addr : inet_addr . inet_service . inet_service
+ }
+
+ chain c {
+ type nat hook prerouting priority dstnat; policy accept;
+ meta l4proto tcp dnat ip to ip saddr map @a
+ }
+}
+EOF
+
+exit 0
diff --git a/tests/shell/testcases/maps/typeof_maps_update_0 b/tests/shell/testcases/maps/typeof_maps_update_0
new file mode 100755
index 00000000..c233b13f
--- /dev/null
+++ b/tests/shell/testcases/maps/typeof_maps_update_0
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# check update statement doesn't print "invalid dtype" on the data element.
+
+EXPECTED="table ip kube-nfproxy-v4 {
+ map sticky-set-svc-M53CN2XYVUHRQ7UB {
+ type ipv4_addr : mark
+ size 65535
+ timeout 6m
+ }
+
+ map sticky-set-svc-153CN2XYVUHRQ7UB {
+ typeof ip daddr : meta mark
+ size 65535
+ timeout 1m
+ }
+
+ chain k8s-nfproxy-sep-TMVEFT7EX55F4T62 {
+ update @sticky-set-svc-M53CN2XYVUHRQ7UB { ip saddr : 0x2 }
+ }
+ chain k8s-nfproxy-sep-GMVEFT7EX55F4T62 {
+ update @sticky-set-svc-153CN2XYVUHRQ7UB { ip saddr : 0x3 }
+ }
+}"
+
+set -e
+$NFT -f - <<< $EXPECTED
+
diff --git a/tests/shell/testcases/sets/0025anonymous_set_0 b/tests/shell/testcases/sets/0025anonymous_set_0
index 93a7c022..74777d8e 100755
--- a/tests/shell/testcases/sets/0025anonymous_set_0
+++ b/tests/shell/testcases/sets/0025anonymous_set_0
@@ -14,4 +14,4 @@ $NFT add rule t c ip daddr { \
}
#set : tcp ports
-$NFT add rule t c tcp dport { 22, 23 } counter
+$NFT add rule t c meta oifname \"doesntexist\" tcp dport { 22, 23 } counter
diff --git a/tests/shell/testcases/sets/0034get_element_0 b/tests/shell/testcases/sets/0034get_element_0
index c7e7298a..e23dbda0 100755
--- a/tests/shell/testcases/sets/0034get_element_0
+++ b/tests/shell/testcases/sets/0034get_element_0
@@ -3,7 +3,7 @@
RC=0
check() { # (elems, expected)
- out=$($NFT get element ip t s "{ $1 }" 2>/dev/null)
+ out=$($NFT get element ip t s "{ $1 }")
out=$(grep "elements =" <<< "$out")
out="${out#* \{ }"
out="${out% \}}"
diff --git a/tests/shell/testcases/sets/0043concatenated_ranges_0 b/tests/shell/testcases/sets/0043concatenated_ranges_0
new file mode 100755
index 00000000..a783dacc
--- /dev/null
+++ b/tests/shell/testcases/sets/0043concatenated_ranges_0
@@ -0,0 +1,180 @@
+#!/bin/sh -e
+#
+# 0043concatenated_ranges_0 - Add, get, list, timeout for concatenated ranges
+#
+# Cycle over supported data types, forming concatenations of three fields, for
+# all possible permutations, and:
+# - add entries to set
+# - list them
+# - check that they can't be added again
+# - get entries by specifying a value matching ranges for all fields
+# - delete them
+# - add them with 1s timeout
+# - check that they can't be added again right away
+# - check that they are not listed after 1s, just once, for the first entry
+# - delete them
+# - make sure they can't be deleted again
+
+if [ "$(ps -o comm= $PPID)" = "run-tests.sh" ]; then
+ # Skip some permutations on a full test suite run to keep it quick
+ TYPES="ipv4_addr ipv6_addr ether_addr inet_service"
+else
+ TYPES="ipv4_addr ipv6_addr ether_addr inet_proto inet_service mark"
+fi
+
+RULESPEC_ipv4_addr="ip saddr"
+ELEMS_ipv4_addr="192.0.2.1 198.51.100.0/25 203.0.113.0-203.0.113.129"
+ADD_ipv4_addr="192.0.2.252/31"
+GET_ipv4_addr="198.51.100.127 198.51.100.0/25"
+
+RULESPEC_ipv6_addr="ip6 daddr"
+ELEMS_ipv6_addr="2001:db8:c0c:c0de::1-2001:db8:cacc::a 2001:db8::1 2001:db8:dada:da::/64"
+ADD_ipv6_addr="2001:db8::d1ca:d1ca"
+GET_ipv6_addr="2001:db8::1 2001:db8::1"
+
+RULESPEC_ether_addr="ether saddr"
+ELEMS_ether_addr="00:0a:c1:d1:f1:ed-00:0a:c1:dd:ec:af 00:0b:0c:ca:cc:10-c1:a0:c1:cc:10:00 f0:ca:cc:1a:b0:1a"
+ADD_ether_addr="00:be:1d:ed:ab:e1"
+GET_ether_addr="ac:c1:ac:c0:ce:c0 00:0b:0c:ca:cc:10-c1:a0:c1:cc:10:00"
+
+RULESPEC_inet_proto="meta l4proto"
+ELEMS_inet_proto="tcp udp icmp"
+ADD_inet_proto="sctp"
+GET_inet_proto="udp udp"
+
+RULESPEC_inet_service="tcp dport"
+ELEMS_inet_service="22-23 1024-32768 31337"
+ADD_inet_service="32769-65535"
+GET_inet_service="32768 1024-32768"
+
+RULESPEC_mark="mark"
+ELEMS_mark="0x00000064-0x000000c8 0x0000006f 0x0000fffd-0x0000ffff"
+ADD_mark="0x0000002a"
+GET_mark="0x0000006f 0x0000006f"
+
+tmp="$(mktemp)"
+trap "rm -f ${tmp}" EXIT
+
+render() {
+ eval "echo \"$(cat ${1})\""
+}
+
+cat <<'EOF' > "${tmp}"
+flush ruleset
+
+table inet filter {
+ set test {
+ type ${ta} . ${tb} . ${tc}
+ flags interval,timeout
+ elements = { ${a1} . ${b1} . ${c1} ,
+ ${a2} . ${b2} . ${c2} ,
+ ${a3} . ${b3} . ${c3} }
+ }
+
+ chain output {
+ type filter hook output priority 0; policy accept;
+ ${sa} . ${sb} . ${sc} @test counter
+ }
+}
+EOF
+
+timeout_tested=0
+for ta in ${TYPES}; do
+ eval a=\$ELEMS_${ta}
+ a1=${a%% *}; a2=$(expr "$a" : ".* \(.*\) .*"); a3=${a##* }
+ eval sa=\$RULESPEC_${ta}
+
+ for tb in ${TYPES}; do
+ [ "${tb}" = "${ta}" ] && continue
+ if [ "${tb}" = "ipv6_addr" ]; then
+ [ "${ta}" = "ipv4_addr" ] && continue
+ elif [ "${tb}" = "ipv4_addr" ]; then
+ [ "${ta}" = "ipv6_addr" ] && continue
+ fi
+
+ eval b=\$ELEMS_${tb}
+ b1=${b%% *}; b2=$(expr "$b" : ".* \(.*\) .*"); b3=${b##* }
+ eval sb=\$RULESPEC_${tb}
+
+ for tc in ${TYPES}; do
+ [ "${tc}" = "${ta}" ] && continue
+ [ "${tc}" = "${tb}" ] && continue
+ if [ "${tc}" = "ipv6_addr" ]; then
+ [ "${ta}" = "ipv4_addr" ] && continue
+ [ "${tb}" = "ipv4_addr" ] && continue
+ elif [ "${tc}" = "ipv4_addr" ]; then
+ [ "${ta}" = "ipv6_addr" ] && continue
+ [ "${tb}" = "ipv6_addr" ] && continue
+ fi
+
+ echo "TYPE: ${ta} ${tb} ${tc}"
+
+ eval c=\$ELEMS_${tc}
+ c1=${c%% *}; c2=$(expr "$c" : ".* \(.*\) .*"); c3=${c##* }
+ eval sc=\$RULESPEC_${tc}
+
+ render ${tmp} | ${NFT} -f -
+
+ [ $(${NFT} list set inet filter test | \
+ grep -c -e "${a1} . ${b1} . ${c1}" \
+ -e "${a2} . ${b2} . ${c2}" \
+ -e "${a3} . ${b3} . ${c3}") -eq 3 ]
+
+ ! ${NFT} "add element inet filter test \
+ { ${a1} . ${b1} . ${c1} };
+ add element inet filter test \
+ { ${a2} . ${b2} . ${c2} };
+ add element inet filter test \
+ { ${a3} . ${b3} . ${c3} }" 2>/dev/null
+
+ ${NFT} delete element inet filter test \
+ "{ ${a1} . ${b1} . ${c1} }"
+ ! ${NFT} delete element inet filter test \
+ "{ ${a1} . ${b1} . ${c1} }" 2>/dev/null
+
+ eval add_a=\$ADD_${ta}
+ eval add_b=\$ADD_${tb}
+ eval add_c=\$ADD_${tc}
+ ${NFT} add element inet filter test \
+ "{ ${add_a} . ${add_b} . ${add_c} timeout 1s}"
+ [ $(${NFT} list set inet filter test | \
+ grep -c "${add_a} . ${add_b} . ${add_c}") -eq 1 ]
+ ! ${NFT} add element inet filter test \
+ "{ ${add_a} . ${add_b} . ${add_c} timeout 1s}" \
+ 2>/dev/null
+
+ eval get_a=\$GET_${ta}
+ eval get_b=\$GET_${tb}
+ eval get_c=\$GET_${tc}
+ exp_a=${get_a##* }; get_a=${get_a%% *}
+ exp_b=${get_b##* }; get_b=${get_b%% *}
+ exp_c=${get_c##* }; get_c=${get_c%% *}
+ [ $(${NFT} get element inet filter test \
+ "{ ${get_a} . ${get_b} . ${get_c} }" | \
+ grep -c "${exp_a} . ${exp_b} . ${exp_c}") -eq 1 ]
+
+ ${NFT} "delete element inet filter test \
+ { ${a2} . ${b2} . ${c2} };
+ delete element inet filter test \
+ { ${a3} . ${b3} . ${c3} }"
+ ! ${NFT} "delete element inet filter test \
+ { ${a2} . ${b2} . ${c2} };
+ delete element inet filter test \
+ { ${a3} . ${b3} . ${c3} }" 2>/dev/null
+
+ if [ ${timeout_tested} -eq 1 ]; then
+ ${NFT} delete element inet filter test \
+ "{ ${add_a} . ${add_b} . ${add_c} }"
+ ! ${NFT} delete element inet filter test \
+ "{ ${add_a} . ${add_b} . ${add_c} }" \
+ 2>/dev/null
+ continue
+ fi
+
+ sleep 1
+ [ $(${NFT} list set inet filter test | \
+ grep -c "${add_a} . ${add_b} . ${add_c}") -eq 0 ]
+ timeout_tested=1
+ done
+ done
+done
diff --git a/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft b/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft
index 6204b00c..59636994 100644
--- a/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft
+++ b/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft
@@ -2,6 +2,6 @@ table ip t {
chain c {
type filter hook output priority filter; policy accept;
ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 }
- tcp dport { 22, 23 } counter packets 0 bytes 0
+ oifname "doesntexist" tcp dport { 22, 23 } counter packets 0 bytes 0
}
}