commit 9fa3fbed73a36111e308c9856514a032f5444564 upstream.
If there is no priority.expr set, assume hook.num is bogus, too.
While this is fixing JSON output, it's hard to tell what commit this is
actually fixing: Before commit 627c451b23513 ("src: allow variables in
the chain priority specification"), there was no way to detect
flowtables missing hook specs (e.g. when printing flowtable delete
monitor event).
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
commit 73a8adfc2432ec8337288cc90e7c9f4509139846 upstream.
These were entirely ignored before, add the necessary code analogous to
e.g. objects.
Signed-off-by: Phil Sutter <phil@nwl.cc>
commit d3339f9e35ee4dddf290fcc3e9cc63dac8cb836a upstream.
We can't recover from errors here, but we can abort with a more
precise reason than 'segmentation fault', or stack corruptions
that get caught way later, or not at all.
expr->value is going to be read, we can't cope with other expression
types here.
We will copy to stack buffer of IFNAMSIZ size, abort if we would
overflow.
Check there is a NUL byte present too.
This is a preemptive patch, I've seen one crash in this area but
no reproducer yet.
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
commit 89b60bc18ca76e45b1682d8c56a0d01fffedebad upstream.
expr_evaluate_set() turns sets with a singleton element into a value,
nft_dev_add() expects a list of expressions, so it crashes.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1676
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
commit 99b56d4ee1442ccfa0aadde3cb3ecee74a4de815 upstream.
This patch extends existing flowtable support to improve error
reporting:
# nft add flowtable inet x y '{ devices = { x } ; }'
Error: Could not process rule: No such file or directory
add flowtable inet x y { devices = { x } ; }
^
# nft delete flowtable inet x y '{ devices = { x } ; }'
Error: Could not process rule: No such file or directory
delete flowtable inet x y { devices = { x } ; }
^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
commit 610089f273c968c983d965f3cac42e4d9784cde8 upstream.
If netlink_delinearize_obj() fails, it will print an error message. Skip
this object and keep going.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
commit 31732dea34a2a4c484df13c4003728eca396e573 upstream.
Print an error message and try to deserialize the remaining elements
instead of calling BUG().
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
commit 6296f09b8b8ecb6d46cfcd90fd955a39bd86c6c9 upstream.
Prepare for calling netlink_io_error() which needs the context pointer.
Trade this in for the cache pointer since no caller uses a special one.
No functional change intended.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
commit 9f2a11aa15422333d1812501dd4f294348d6e0d5 upstream.
Netlink parser tries to keep going despite errors. Faced with an
incompatible ruleset, this is much more user-friendly than exiting the
program upon the first obstacle. This patch fixes three more spots to
support this.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
commit 690f19eadde5cb607ec3d8d471c86d558c7229bd upstream.
Print an error message and discard the object instead of returning it to
the caller. At least when trying to print it, we would hit an assert()
in obj_type_name() anyway.
Fixes: 4756d92e517ae ("src: listing of stateful objects")
Signed-off-by: Phil Sutter <phil@nwl.cc>
commit 89645d04106d45d5e23b6d5206777dad1fb3e6bf upstream.
Since netlink_parse_set_expr() may return NULL, the following deref must
be guarded.
Fixes: e6d1d0d611958 ("src: add set element multi-statement support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
commit 1b3c33a7931967fb7afe4efdf68deb7781786489 upstream.
No point in repeating 'to map' here.
Fixes: 19d73ccdd39fa ("doc: add nat examples")
Signed-off-by: Phil Sutter <phil@nwl.cc>
commit 19d73ccdd39fae49b44330097ecd2bc507e63d1b upstream.
nftables nat is much more capable than what the existing
documentation describes.
In particular, nftables can fully emulate iptables
NETMAP target and can perform n:m address mapping.
Add a new example section extracted from commit log
messages when those features got added.
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
commit be737a1986bfee0ddea4bee7863dca0123a2bcbc upstream.
Whenever a new version adds udata support to an expression, then old
versions of nft will crash when trying to list such a ruleset generated
by a more recent version of nftables.
Fix this by falling back to 'type' format.
Fixes: 6e48df5329ea ('src: add "typeof" build/parse/print support')
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
commit 3d0ce3c19d319a5aae806b617905cfa1ee7f87f4 upstream.
Make fewer assumptions about the underlying integer type of the enum.
Instead, be clear about where we have an untrusted uint32_t from netlink
and an enum. Rename expr_ops_by_type() to expr_ops_by_type_u32() to make
this clearer. Later we might make the enum as packed, when this starts
to matter more.
Also, only the code path expr_ops() wants strict validation and assert
against valid enum values. Move the assertion out of
__expr_ops_by_type(). Then expr_ops_by_type_u32() does not need to
duplicate the handling of EXPR_INVALID. We still need to duplicate the
check against EXPR_MAX, to ensure that the uint32_t value can be cast to
an enum value.
[ Remove cast on EXPR_MAX. --pablo ]
Signed-off-by: Thomas Haller <thaller@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
commit f7d932bff5c9550905659dd4a5df23ca46f84935 upstream.
No idea how this happened, remove it.
Reported-by: Sunny73Cr <Sunny73Cr@protonmail.com>
Fixes: 058246016188 ("src: allow to map key to nfqueue number")
Signed-off-by: Florian Westphal <fw@strlen.de>
commit 7f60519e356833ca007b138c00b9f5de09f21b56 upstream.
If we have an incomplete rule like "ct original saddr" in inet
family, this function generates an error because it can't determine the required protocol
dependency, hinting at missing ip/ip6 keyword.
We should not go on in this case to avoid a redundant followup error:
nft add rule inet f c ct original saddr 1.2.3.4
Error: cannot determine ip protocol version, use "ip saddr" or "ip6 saddr" instead
add rule inet f c ct original saddr 1.2.3.4
^^^^^^^^^^^^^^^^^
Error: Could not parse symbolic invalid expression
add rule inet f c ct original saddr 1.2.3.4
After this change only the first error is shown.
Fixes: 2b29ea5f3c3e ("src: ct: add eval part to inject dependencies for ct saddr/daddr")
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
commit cc7a7d025a60dced5f5e894aa1688014c9deef3d upstream.
Propagate error to caller so it bails out on malformed set statements.
Fixes: 07958ec53830 ("json: add set statement list support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
commit 85b5b051f0e64f106cee078fc6d66d0872770e79 upstream.
Upfront reject of non stateful statements in set elements.
Fixes: 07958ec53830 ("json: add set statement list support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
commit 9cce81701a033c4ff5e804fbf7a1149acb9e115a upstream.
When parsing a verdict map json where element jumps to chain represented
as empty string.
internal:0:0-0: Error: Parsing list expression item at index 0 failed.
internal:0:0-0: Error: Invalid set elem at index 0.
internal:0:0-0: Error: Invalid set elem expression.
internal:0:0-0: Error: Parsing command array at index 2 failed.
Fixes: 586ad210368b ("libnftables: Implement JSON parser")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
commit 40b0708ca6dee4829a9b6e1c2f4677ff2c206b43 upstream.
"-j list synproxys" triggers a BUG().
Rewrite this so that all enum values are handled so the compiler can alert
us to a missing value in case there are more commands in the future.
While at it, implement a few low-hanging fruits as well.
Not-yet-supported cases are simply ignored.
v2: return EOPNOTSUPP for unsupported commands (Pablo Neira Ayuso)
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
commit a8ff324dc64fd76f7d218d3d94c5885250951258 upstream.
Just like "ct timeout", "ct expectation" is in need of the same fix,
we get segfault on "nft list ct expectation table t", if table t exists.
This is the exact same pattern as resolved for "ct timeout" in commit
1d2e22fc0521 ("ct timeout: fix 'list object x' vs. 'list objects in table' confusion").
Signed-off-by: Florian Westphal <fw@strlen.de>
commit 1d2e22fc0521bcf73ee1f891c291dc1bde47a6bb upstream.
<empty ruleset>
$ nft list ct timeout table t
Error: No such file or directory
list ct timeout table t
^
This is expected to list all 'ct timeout' objects.
The failure is correct, the table 't' does not exist.
But now let's add one:
$ nft add table t
$ nft list ct timeout table t
Segmentation fault (core dumped)
... and that's not expected, nothing should be shown
and nft should exit normally.
Because of missing TIMEOUTS command enum, the backend thinks
it should do an object lookup, but as frontend asked for
'list of objects' rather than 'show this object',
handle.obj.name is NULL, which then results in this crash.
Update the command enums so that backend knows what the
frontend asked for.
Signed-off-by: Florian Westphal <fw@strlen.de>
commit 2200a105d4befc15b0cfa6cc24282e493888dc82 upstream.
Identical bug and thus same fix as
853d3a2d3cbd ("rule: return error if table does not exist"),
but this time for json.
Signed-off-by: Florian Westphal <fw@strlen.de>
commit de447e248cce3ca3fd7040c386ac798c35721415 upstream.
The payload statement evaluation pretends that it can handle any
expression for bitfields, but the existing evaluation code only knows
how to handle value expression.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
commit 6d9297f278290888e7e26762ee72ed6afa22a97e upstream.
Instead of allocating a lshift expression and relying on the binary
operation transfer propagate this to the mask value, lshift the mask
value immediately.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
backport commit c4c740117f6fbf39dd67dd87635ea8b497718ad7 upstream.
To remove the following WARNING when running JSON tests:
WARNING: Recorded JSON output matches input for: meter acct_out size 4096 { meta iif . ip6 saddr timeout 600s counter }
WARNING: Recorded JSON output matches input for: meter acct_out size 12345 { ip6 saddr . meta iif timeout 600s counter }
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This reverts commit 4725f4887da84b1b6bbfd0c138bc48a707301fa1.
This 1.0.6.y branch does not contain the follow upstream commits:
38f99ee84fe6 ("json: Print single synproxy flags as non-array")
dbe5c44f2b89 ("json: Print single fib flag as non-array")
Therefore, such commit above is not required.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
commit c2ee1d5978bf6ea10e3b1a74125da5b5e8468f26 upstream.
Blamed commits change output format but did not adjust existing tests:
inet/fib.t: WARNING: line 16: '{"nftables": ..
Fixes: 38f99ee84fe6 ("json: Print single synproxy flags as non-array")
Fixes: dbe5c44f2b89 ("json: Print single fib flag as non-array")
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Phil Sutter <phil@nwl.cc>
commit 7b3ee497040ff8efb131c566e1c6b466e16f45cc upstream.
We can't remove 'meta nfproto' dependencies for all cases.
It's removed for ip/ip6 families, this works fine.
But for others, e.g. inet, removal is not as simple.
For example
meta nfproto ipv4 ct protocol tcp
is listed as 'ct protocol tcp', even when this is used in the inet
table.
Meta L4PROTO removal checks were correct, but refactor this
into a helper function to split meta/ct checks from the common
calling function.
Ct check was lacking, we need to examine ct keys more closely
to figure out if they need to retain the network protocol dependency
or not. Elide for NFT_CT_SRC/DST and its variants, as those imply
the network protocol to use, all others must keep it as-is.
Also extend test coverage for this.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1783
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
commit c0843dec745433ac36aafb5726c580449e522d1d upstream.
proto_th carries no information about the proto number, we need to
preserve the L4 protocol expression unless we can be sure that
For example, if "meta l4proto 91 @th,0,16 0" is simplified to
"th sport 0", the information of protocol number is lost.
Based on initial patch from Xiao Liang.
Signed-off-by: Xiao Liang <shaw.leon@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
commit b7a11c691d459d06a801a28ae9a52bc564584a1a upstream.
Revert commit d1a7b9e19fe65 ("tests: py: update netdev reject test
file"), the stored JSON equivalents were correct in that they matched
the standard syntax input.
In fact, we missed a .json.output file recording the expected deviation
in JSON output.
Fixes: d1a7b9e19fe65 ("tests: py: update netdev reject test file")
Fixes: 7ca3368cd7575 ("reject: Unify inet, netdev and bridge delinearization")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
commit 857904bdfaf7aa624d974ed6533fd4d4cd39babd upstream.
Add more test cases to exercise binop elimination for raw
payload matches.
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
commit c1c0c54e237c880adaa8172b93d7450e6c617cfc upstream.
When running a test for which no corresponding *.payload file exists,
the *.payload.got file name was incorrectly constructed due to
'payload_path' variable not being set.
Fixes: 2cfab7a3e10fc ("tests/py: Write dissenting payload into the right file")
Signed-off-by: Phil Sutter <phil@nwl.cc>
commit 036a1eb3304995e4e000c552b9dfd33b1073ddb6 upstream.
Preceding commit switched udp to use the in-kernel csum parser, so tests
warn:
WARNING: line 7: 'add rule ip test-ip4 input iif "lo" udp checksum set 0':
'[ payload write reg 1 => 2b @ transport header + 6 csum_type 1 csum_off 6 csum_flags 0x0 ]' mismatches
'[ payload write reg 1 => 2b @ transport header + 6 csum_type 0 csum_off 0 csum_flags 0x1 ]'
Fixes: f89abfb4068d ("proto: use NFT_PAYLOAD_L4CSUM_PSEUDOHDR flag to mangle UDP checksum")
Signed-off-by: Florian Westphal <fw@strlen.de>
commit f13fd62ef1e2755ed5eef11adbe0e8a479528f72 upstream.
8abe71f862e6 ("tests: py: Warn if recorded JSON output matches the input")
adds a warning on duplicated JSON outputs.
Remove them when running tests with -j:
WARNING: Recorded JSON output matches input for: icmp code { 2, 4, 54, 33, 56}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
commit 1702bfd70b39fe955d5e2c4b93f7dc07acb79027 upstream.
Update json update and leftover payload update to complete
5fecd2a6ef61 ("src: disentangle ICMP code types").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
commit 07c9733a4b4ab5b6f6fb94f305d323528a058823 upstream.
These match the input already, no need to track them.
Signed-off-by: Phil Sutter <phil@nwl.cc>
commit 8abe71f862e6248517365bec4bac31d85141cf69 upstream.
Actively support spring-cleaning by nagging callers.
Signed-off-by: Phil Sutter <phil@nwl.cc>
commit 0c17b910b3e19c4eacf5567f90b6545ed1fd8aac upstream.
Make sure they match the standard syntax input as much as possible.
For some reason inet/tcp.t.json was using plain arrays in place of
binary OR expressions in many cases. These arrays are interpreted as
list expressions, which seems to be semantically identical but the goal
here is to present an accurate equivalent to the rule in standard
syntax.
Signed-off-by: Phil Sutter <phil@nwl.cc>
commit 04fc306359a49bc9f314ae82520218f5dfebfef1 upstream.
Add a test case that would fail without the preceding fix.
[ NB. Preceding fix is f35a0d78fe870737fa39d859bd2e3ac25bf1b12e ]
Signed-off-by: Florian Westphal <fw@strlen.de>
commit f58e72a2f5aa134653e7ee8b5432b23eb0674c3c upstream.
Fixes: bridge/vlan.t: WARNING: line 56: ...
Fixes: 8b9ae77598b4 ("tests: never merge across non-expression statements redux 2")
Signed-off-by: Florian Westphal <fw@strlen.de>
commit 1ee84db0360db0da336d5b1ee92807d29fcfbbe1 upstream.
These tests will fail once the kernel checks for overflow
in the internal token bucket counter, so drop them.
Signed-off-by: Florian Westphal <fw@strlen.de>
commit 5fec559727ffd2c6c8958748beab782096385758 upstream.
Fix this warning due to missing coverage:
tests/py/any/meta.t.json.got: WARNING: line 2: Wrote JSON equivalent for rule meta mark set vlan id map { 1 : 0x00000001, 4095 : 0x00004095 }
ERROR: did not find JSON equivalent for rule 'meta mark set vlan id map @map1
Fixes: 8d3de823b622 ("evaluate: reset statement length context before evaluating statement")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
commit 94fd162ea4d25fe6b0b4d58dcb7ff66dc55f3247 upstream.
Add missing json output.
Fixes: 99ab1b8feb16 ("rule: never merge across non-expression statements")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
commit 998c09a2cb011735cbe96c8182ef34e32603b4fc upstream.
This bytecode output file contains many duplicated entries, remove them.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
commit 3e22505e470966635facc0395541ec80c587c063 upstream.
Cover matching on DF and MF bits and fragments.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
commit 50bebfaf9d558d539f06c0710781a49e8b58f25f upstream.
Mostly identify the various files that (may) appear or exist already and
how to deal with them.
Signed-off-by: Phil Sutter <phil@nwl.cc>
commit 646acfaceb1f550c982c31ba6e60996b0bb012d7 upstream.
The following syntax:
type filter hook ingress priority 0; devices = { d0 };
is not parsed in 1.0.6.y.
And remove device deletion, this is only available since 1.0.8 in:
commit a66b5ad9540dd64c7c67006201b8b3ccf8e4316b
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed Apr 19 11:50:01 2023 +0200
src: allow for updating devices on existing netdev chain
skip netdev_chain_dormant_autoremove for new kernels.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Revert commit 156b5936b3b7a0b1ee590a02874beaba5235f758 upstream.
It fails for unknown reason to me.