Commit log. Each entry: commit message title (author, date, files changed, lines removed/added), followed by the commit message body.
* datatypes: rename some types for more consistency (Patrick McHardy, 2014-04-14, 3 files, -11/+11)
    Add some more consistency by using _addr for all address types, _proto for all protocol types and iface_ for all interface types.
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* doc: documentation update (Patrick McHardy, 2014-04-14, 1 file, -637/+1833)
    Signed-off-by: Patrick McHardy
* build: fix documentation build (Patrick McHardy, 2014-04-14, 3 files, -7/+20)
    Handle the docbook2x-man mess that is called differently on different distributions. Also switch to dblatex since db2pdf is unable to handle XML on Fedora (and probably other distributions).
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink: fix length value of concat data (Patrick McHardy, 2014-04-14, 1 file, -1/+1)
    The length is measured in bytes, not bits.
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* gmputil: use MSF/LSF in import/export functions dependent on host byte order (Patrick McHardy, 2014-04-12, 2 files, -2/+14)
    For data of byteorder BYTEORDER_HOST_ENDIAN we need to set the word order dependent on the host byte order.
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* expression: fix constant expression allocation on big endian (Arturo Borrero Gonzalez, 2014-04-12, 3 files, -2/+17)
    When allocating a constant expression, a pointer to the data is passed to the allocation function. When the variable used to store the data is larger than the size of the data type, this fails on big endian since the most significant bytes (being zero) come first.
    Add a helper function to calculate the proper address for the cases where this is needed. This currently affects symbolic tables for values < u64 and payload dependency generation for protocol values < u32.
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* Merge branch 'master' of git.netfilter.org:nftables (Patrick McHardy, 2014-04-11, 1 file, -2/+0)
* build: drop AC_FUNC_MALLOC/REALLOC (Florian Westphal, 2014-04-10, 1 file, -2/+0)
    Two issues with these:
    1. They compile & run a test program, which won't work when cross-compiling
    2. When libnftnl has just been installed and is not (yet) in linker path, the test fails since loader won't find libnftnl. In that case configure will succeed without obvious errors, but config.h re-defines malloc/realloc with rpl_ prefix, which then results in a linker error ("undefined reference to `rpl_realloc'") on 'make'.
    These macros are only useful to check that malloc(0) returns non-NULL and that realloc(NULL, ...) works. For nftables the former is irrelevant and the latter a safe assumption, so let's just remove them.
    Signed-off-by: Florian Westphal <fw@strlen.de>
* parser: fix ether keyword clash (Patrick McHardy, 2014-04-11, 1 file, -0/+7)
    Due to the renaming of the "eth" keyword to "ether", parsing of arphrd type "ether" fails. Fix similar to TCP, UDP etc by allocating a constant arphrd expression for the ether keyword without a following key.
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* utils: fix -Wcast-align warnings on sparc (Patrick McHardy, 2014-04-09, 1 file, -1/+1)
    The cast to char * in the container_of() macro causes warnings for all list iteration helpers on sparc:
        warning: cast increases required alignment of target type [-Wcast-align]
    Fix by using a void * for address calculations.
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* rule: fix crash in set listing (Ana Rey, 2014-04-08, 1 file, -1/+1)
    It fixes an invalid read that is shown by valgrind.
        ==3962== Invalid read of size 4
        ==3962==    at 0x407040: do_command (rule.c:692)
        ==3962==    by 0x40588C: nft_run (main.c:183)
        ==3962==    by 0x405469: main (main.c:334)
        ==3962==  Address 0x10 is not stack'd, malloc'd or (recently) free'd
    Signed-off-by: Ana Rey <anarey@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: do not suppress OP_EQ when RHS is bitmask type (Florian Westphal, 2014-04-04, 1 file, -2/+10)
    bitmask types default to flagcmp now, thus do not suppress OP_EQ. Else,
        rule filter output tcp flags syn
        rule filter output tcp flags == syn
    are both displayed as 'flags syn'.
    Signed-off-by: Florian Westphal <fw@strlen.de>
* nftables: Fix list of sets by family (Ana Rey, 2014-03-28, 2 files, -3/+7)
    Fix the result of command line 'nft list sets FAMILY'. It shows the following error message:
        "Error: syntax error, unexpected end of file, expecting string"
    Now it is possible to show this information correctly:
        $ sudo nft -nna list sets ip
        set set_test {
            type ipv4_address
            elements = { 192.168.3.45, 192.168.3.43, 192.168.3.42, 192.168.3.4}
        }
        set set_test2 {
            type ipv4_address
            elements = { 192.168.3.43, 192.168.3.42, 192.168.3.4}
        }
        set set0 {
            type ipv4_address
            flags constant
            elements = { 127.0.0.12, 12.11.11.11}
        }
    Signed-off-by: Ana Rey <anarey@gmail.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* ct: add support for setting ct mark (Arturo Borrero, 2014-03-13, 6 files, -3/+112)
    This patch adds the possibility to set ct keys using nft. Currently, the connection mark is supported.
    This functionality enables creating rules performing the same action as iptables -j CONNMARK --save-mark. For example:
        table ip filter {
            chain postrouting {
                type filter hook postrouting priority 0;
                ip protocol icmp ip daddr 8.8.8.8 ct mark set meta mark
            }
        }
    My patch is based on the original http://patchwork.ozlabs.org/patch/307677/ by Kristian Evensen <kristian.evensen@gmail.com>. I simply did a rebase and some testing.
    To test, I added rules like these:
        counter meta mark set 1 counter
        counter ct mark set mark counter
        counter ct mark 1 counter
    The last matching worked as expected, which means the second rule is also working as expected.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Acked-by: Kristian Evensen <kristian.evensen@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix expr_binary_error()-related compilation warnings (Arturo Borrero, 2014-03-12, 1 file, -38/+44)
    The commit e7b43ec0 [expr: make expr_binary_error() usable outside of evaluation] seems to have changed the expr_binary_error() interface. Since then, several compilation warnings appear.
    The expr_binary_error() function and expr_error() macro both expect `struct list_head *', so I simply changed callers to send `ctx->msgs'.
        [...]
        src/evaluate.c: In function ‘byteorder_conversion’:
        src/evaluate.c:166:3: warning: passing argument 1 of ‘expr_binary_error’ from incompatible pointer type [enabled by default]
        In file included from src/evaluate.c:21:0:
        include/expression.h:275:12: note: expected ‘struct list_head *’ but argument is of type ‘struct eval_ctx *’
        src/evaluate.c: In function ‘expr_evaluate_symbol’:
        src/evaluate.c:204:4: warning: passing argument 1 of ‘expr_binary_error’ from incompatible pointer type [enabled by default]
        In file included from src/evaluate.c:21:0:
        include/expression.h:275:12: note: expected ‘struct list_head *’ but argument is of type ‘struct eval_ctx *’
        [...]
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: don't leak file ptr on error (Florian Westphal, 2014-03-09, 1 file, -1/+1)
    Signed-off-by: Florian Westphal <fw@strlen.de>
* segtree: sort set elements before decomposition (Patrick McHardy, 2014-03-07, 1 file, -6/+22)
    The decomposition phase currently depends on the kernel returning elements in sorted order. This is a fragile assumption, change the code to sort the elements itself.
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* set: properly account set size when merging recursive set definitions (Patrick McHardy, 2014-03-07, 1 file, -0/+1)
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* parser: add grammatical distinction for verdict maps (Patrick McHardy, 2014-03-07, 1 file, -13/+39)
    Currently the parser accepts verdicts in regular maps and non-verdicts in verdict maps and we have to check matching types during evaluation.
    Add grammar rules for verdict maps and separate them from regular maps. This has a couple of advantages:
    - We recognize verdict maps completely in the parser and any attempt to mix verdicts and other expressions will result in a syntax error. So far this hasn't actually been checked.
    - Using verdicts in non-verdict mappings will also result in a syntax error instead of a datatype mismatch.
    - There's a grammatical distinction between dictionaries and verdict maps, which are actually statements. This is needed as preparation for a following patch to turn verdicts into pure statements, which in turn is needed to reinstate support for using the queue verdict in maps, which was broken by the introduction of the queue statement.
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink: use set location for IO errors (Patrick McHardy, 2014-03-07, 1 file, -1/+1)
    We currently crash when reporting a permission denied error for set additions. This is due to using the wrong location, fix by passing in the set location.
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* set: abort on interval conflicts (Patrick McHardy, 2014-03-07, 3 files, -9/+19)
    We currently print a debug message (with debugging) and continue. Output a proper error message and abort.
    While at it, make sure we only report a conflict if there actually is one. This is not the case for similar actions, IOW in case of sets, never; in case of maps, only if the mapping differs.
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* expr: add comparison function for singleton expressions (Patrick McHardy, 2014-03-07, 6 files, -0/+64)
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* expr: make expr_binary_error() usable outside of evaluation (Patrick McHardy, 2014-03-07, 3 files, -9/+9)
    Turn the eval_ctx argument into a list_head to queue the error to.
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: add support for rule human-readable comments (Pablo Neira Ayuso, 2014-02-27, 6 files, -4/+40)
    This patch adds support for human-readable comments:
        nft add rule filter input accept comment \"accept all traffic\"
    Note that comments *always* come at the end of the rule.
    This uses the new data area that allows you to attach information to the rule via netlink.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: fix chain attribute parsing (Arturo Borrero, 2014-02-27, 1 file, -1/+1)
    The handle's table was being set to the chain name instead of the chain table attribute.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: connlabel matching support (Florian Westphal, 2014-02-18, 5 files, -0/+79)
    Takes advantage of the fact that the current maximum label storage area is 128 bits, i.e. the dynamically allocated extension area in the kernel will always fit into a nft register.
    Currently this re-uses rt_symbol_table_init() to read connlabel.conf. This works since the format is pretty much the same.
    Signed-off-by: Florian Westphal <fw@strlen.de>
* netlink: delete unused variable (Arturo Borrero, 2014-02-18, 1 file, -3/+0)
    The table object that is allocated is unused.
    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: direction should be integer, not bitmask (Florian Westphal, 2014-02-18, 1 file, -1/+1)
    should always generate cmp op (it's enum 0, 1 in kernel).
    Note: 'original,reply' will no longer work after this patch.
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: meta: fix wrong type in attributes (Florian Westphal, 2014-02-17, 1 file, -2/+2)
    We segfault on 'list filter' when meta expr is used as _u8 returns invalid register 0.
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: fix prefix expression handling (Patrick McHardy, 2014-02-17, 3 files, -58/+32)
    The prefix expression handling is full of bugs:
    - netlink_gen_data() is used to construct the prefix mask from the full prefix expression. This is both conceptually wrong, the prefix expression is *not* data, and buggy, it only assumes network masks and thus only handles big endian types.
    - Prefix expression reconstruction doesn't check whether the mask is a valid prefix and reconstructs crap otherwise. It doesn't reconstruct prefixes for anything but network addresses. On top of that it's needlessly complicated, using the mpz values directly it's a simple matter of finding the sequence of 1's that extend up to the full width.
    - Unnecessary cloning of expressions where a simple refcount increase would suffice.
    Rewrite that code properly.
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink_delinearize: convert *all* bitmask values into individual bit values (Patrick McHardy, 2014-02-17, 3 files, -19/+99)
    We're currently only converting bitmask types as direct argument to a relational expression in the form of a flagcmp (expr & mask neq 0) back into a list of bit values. This means expressions like:
        tcp flags & (syn | ack) == syn | ack
    won't be shown symbolically.
    Convert *all* bitmask values back to a sequence of inclusive or expressions of the individual bits. In case of a flagcmp, this sequence is further converted to a list (tcp flags syn,ack).
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* binop: take care of operator precedence when printing binop arguments (Patrick McHardy, 2014-02-17, 2 files, -2/+30)
    When the argument of a binop is a binop itself, we may need to add parens if the precedence of the argument is lower than the binop.
    Before:
        tcp flags & syn | ack == syn | ack
        tcp flags & syn | ack != syn | ack
    After:
        tcp flags & (syn | ack) == syn | ack
        tcp flags & (syn | ack) != syn | ack
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* evaluate: use flagcmp for single RHS bitmask expression (Patrick McHardy, 2014-02-17, 1 file, -1/+5)
    Always use flagcmp for RHS bitmask expressions, independent of whether only one or an entire list of bitmask expressions is specified. This makes sure that f.i. "tcp flags ack" will match any combinations of ACK instead of ACK and only ACK.
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* Merge branch 'next-3.14' of git.netfilter.org:nftables into next-3.14 (Patrick McHardy, 2014-02-17, 0 files, -0/+0)
* src: proto: fixed a rreply symbol (Ana Rey, 2014-02-17, 0 files, -0/+0)
    There is a bug with rreply symbol. The rreply and reply symbol were the same.
    There is a reproduction of this bug here:
        $ sudo nft add rule arp art-t filter arp operation reply
        $ sudo nft list table arp art-t
        table arp art-t {
            chain filter {
                type filter hook input priority 0;
                arp operation 512
            }
        }
        $ sudo nft add rule arp art-t filter arp operation rreply
        $ sudo nft list table arp art-t
        table arp art-t {
            chain filter {
                type filter hook input priority 0;
                arp operation 512 <=====
                arp operation 512 <=====
            }
        }
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: proto: fixed a rreply symbol (Ana Rey, 2014-02-17, 1 file, -1/+1)
    Same commit message as the previous entry.
* meta: remove line break when printing priority (Pablo Neira Ayuso, 2014-02-17, 1 file, -3/+3)
    The line break is added after printing the rule.
* netlink_linearize: fix flagcmp op (Patrick McHardy, 2014-02-16, 1 file, -4/+3)
    Florian reports that flag comparisons generate incorrect instructions:
        $ nft --debug=netlink add rule filter output ct labels foo
        ip filter output 0 0
          [ ct load labels => reg 1 ]
          [ bitwise reg 1 = (reg=1 & 0x00000001 0x00000000 0x00000000 0x00000000 ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ]
          [ cmp neq reg 1 0x00000001 0x00000000 0x00000000 0x00000000 ]
    The "cmp neq" should compare to zero. This was broken by commit aae836a7 (src: use libnftables) by using expr->right instead of zero. Slightly rearrange the code as well to prevent similar problems in the future.
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* eval: use list_splice_tail() properly (Patrick McHardy, 2014-02-06, 1 file, -2/+9)
    We need a real list_head to splice both the command and potential new commands added during evaluation.
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* netlink: add netlink specific location (Patrick McHardy, 2014-02-05, 3 files, -12/+19)
    Add a netlink_location and use it for error messages instead of internal_location.
        internal:0:0-0: Error: Could not add set: Operation not permitted
    =>
        netlink: Error: Could not add set: Operation not permitted
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* cmd: initialize cmd list and use list_splice_tail() for adding to command list (Patrick McHardy, 2014-02-05, 2 files, -2/+3)
    With incremental evaluation we're first evaluating the command before adding it to the global command list, so the command's list_head is uninitialized during evaluation. We need to initialize it to handle the case that an implicit set declaration will prepend a command to the list.
    Also list_splice_tail() needs to be used instead of list_add_tail() to add the entire list of commands.
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* files: add inet filter table definition (Patrick McHardy, 2014-02-05, 1 file, -0/+7)
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* parser: prohibit redefinitions of symbols and verify existence on use (Patrick McHardy, 2014-02-04, 4 files, -3/+38)
    This patch fixes some incorrect behaviour of symbolic variables:
    - prohibit redefining an existing symbol
    - verify existence of a symbolic variable during parsing instead of evaluation
    The second point makes sure we don't allow recursive definitions (var = $var), which lead to a crash due to stack exhaustion.
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* tests: add two tests for error reporting (Patrick McHardy, 2014-02-04, 2 files, -0/+27)
    Mixed syntactical and non-syntactical errors in individual commands and blocks.
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* parser: evaluate commands immediately after parsing (Patrick McHardy, 2014-02-04, 5 files, -22/+16)
    We currently do parsing and evaluation in two separate stages. This means that if any error occurs during parsing, we won't evaluate the syntactically correct commands and detect possible evaluation errors in them.
    In order to improve error reporting, change this to evaluate every command as soon as it is fully parsed. With this in place, the ruleset can be fully validated and all errors reported in one step:
        tests/error.1:6:23-23: Error: syntax error, unexpected newline
        filter input tcp dport
                              ^
        tests/error.1:7:24-26: Error: datatype mismatch, expected internet network service, expression has type Internet protocol
        filter input tcp dport tcp
                     ~~~~~~~~~ ^^^
        tests/error.1:8:24-32: Error: Right hand side of relational expression (==) must be constant
        filter input tcp dport tcp dport
                     ~~~~~~~~~~^^^^^^^^^
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* parser: recover from errors in any block (Patrick McHardy, 2014-02-04, 4 files, -2/+10)
    Move error recovery to the common_block definition to handle errors in any block. Queue those errors and abort parsing once a threshold is reached.
    With this in place, we can continue parsing when errors occur and show all of them to the user at once.
        tests/error.1:3:8-8: Error: syntax error, unexpected '{', expecting string
        filter {
               ^
        tests/error.1:4:13-13: Error: syntax error, unexpected newline
        filter input
                    ^
        tests/error.1:5:17-17: Error: syntax error, unexpected newline
        filter input tcp
                        ^
        tests/error.1:6:23-23: Error: syntax error, unexpected newline
        filter input tcp dport
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* parser: close scope when encountering an error in a table or chain block (Patrick McHardy, 2014-02-04, 1 file, -2/+4)
    Close the scopes when destroying a table_block/chain_block. Also add assertions to open_scope()/close_scope() to catch memory corruption early.
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* erec: skip includes with INDESC_INTERNAL (Patrick McHardy, 2014-02-04, 1 file, -1/+3)
    Don't display "In file included from internal:0:0-0:" for errors occurring in a parsed file.
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* scanner: update last_line in struct location (Patrick McHardy, 2014-02-04, 1 file, -0/+1)
    Currently always has the value 0.
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* scanner: don't update location's line_offset for newlines (Patrick McHardy, 2014-02-04, 1 file, -1/+0)
    When reset_pos() is invoked, YY_USER_ACTION() has already advanced the line offset to the next line. This causes errors for unexpected newlines to incorrectly show the following line when reading from files.
    Signed-off-by: Patrick McHardy <kaber@trash.net>