| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
Add new examples folder, other `make distcheck' fails.
Fixes: caf2a6ad2d22 ("examples: add libnftables example program")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Still requires libnftnl 1.2.1
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
It's not used outside of rt_hdr_expr, so move it out of INIT scope.
Fixes: 8861db1b771a6 ("scanner: rt: move to own scope")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
| |
'hour' and 'day' are allowed as unqualified meta expressions, so leave
them alone.
Fixes: eae2525685252 ("scanner: limit: move to own scope")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
| |
This was missed when introducing SCANSTATE_CMD_LIST, no other command
operates on "maps".
Fixes: 6a24ffb04642e ("scanner: add list cmd parser scope")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
| |
This wasn't covered at all.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
| |
Release removed interval expressions before get_set_interval_find()
fails. The memleak can be triggered through:
testcases/sets/0034get_element_0
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
alloc_nftnl_setelem() needs to check for EXPR_CONCAT before accessing
field_count.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Add an example to load a ruleset file expressed in JSON.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Create an example folder to add example source code files to show how to
use libnftables. Add first example program using the buffer API.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Normal input parser allows flowtables without 'devices' token, which
makes the json export part elide 'dev' entirely, this then breaks on
re-import:
$ nft -j -f json.dump
/tmp/json_1:1:14-14: Error: Object item not found: dev
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
Failed with: BUG: invalid expresion type symbol
Fixes: 78bbe7f7a55be489 ("mnl: do not use expr->identifier to fetch device name")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
| |
flow statement has no export, its shown as:
".. }, "flow add @ft" ] } }"
With this patch:
".. }, {"flow": {"op": "add", "flowtable": "@ft"}}]}}"
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
| |
If interface netlink dump is interrupted, then retry.
Before this patch, the netlink socket is reopened to drop stale dump
messages, instead empty the netlink queue and retry.
Reviewed-by: Eugene Crosser <crosser@average.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Merging raw expressions results in a valid concatenation which throws:
Error: can not use variable sized data types (integer) in concat expressions
Disable merging raw expressions until this is supported by skipping raw
expressions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Extend the existing checks to cover the payload base and offset.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Merge two consecutive verdict maps with the same lookup key.
For instance, merge the following:
table inet x {
chain filter_in_tcp {
tcp dport vmap {
80 : accept,
81 : accept,
443 : accept,
931 : accept,
5001 : accept,
5201 : accept,
}
tcp dport vmap {
6800-6999 : accept,
33434-33499 : accept,
}
}
}
into:
table inet x {
chain filter_in_tcp {
tcp dport vmap {
80 : accept,
81 : accept,
443 : accept,
931 : accept,
5001 : accept,
5201 : accept,
6800-6999 : accept,
33434-33499 : accept,
}
}
}
This patch updates statement comparison routine to inspect the verdict
expression type to detect possible merger.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Add helper function to compare expression to allow for reuse.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Library functions should not use exit(), application that uses the
library may contain error handling path, that cannot be executed if
library functions calls exit(). For truly fatal errors, using abort() is
more acceptable than exit().
Signed-off-by: Eugene Crosser <crosser@average.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Update parser to allow for maps with synproxy.
Fixes: f44ab88b1088 ("src: add synproxy stateful object support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Now that we keep track of more payload dependencies, more redundant
payloads are eliminated. Remove these from the shell test-cases.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
Now that we keep track of more payload dependencies, more redundant
payloads are eliminated. Remove these from the Python test-cases.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
Change the payload-dependency context to store a dependency for every
protocol layer. This allows us to eliminate more redundant protocol
expressions.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, with only one base and dependency stored this is superfluous,
but it will become more useful when the next commit adds support for
storing a payload for every base.
Remove redundant `ctx->pbase` check.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Correct the statement used to load the protocol in the bridge payload
of one of the ip tests.
A previous commit was supposed, in part, to do this, but the update got
lost.
Fixes: 4b8e51ea5fc8 ("tests: py: fix inet/ip.t payloads")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
cache.c:504:22: warning: ‘chain’ may be used uninitialized in this function [-Wmaybe-uninitialized]
cache.c:504:22: warning: ‘table’ may be used uninitialized in this function [-Wmaybe-uninitialized]
erec.c:128:16: warning: ‘line’ may be used uninitialized in this function [-Wmaybe-uninitialized]
optimize.c:524:9: warning: ‘line’ may be used uninitialized in this function [-Wmaybe-uninitialized]
Fixes: 8ad4056e9182 ("erec: expose print_location() and line_location()")
Fixes: afbd102211dc ("src: do not use the nft_cache_filter object from mnl.c")
Fixes: fb298877ece2 ("src: add ruleset optimization infrastructure")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
Instead of realloc(), so process stops execution in case memory
allocation fails.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
If the user is requesting a chain listing, e.g. nft list chain x y
and a rule refers to an anonymous chain that cannot be found in the cache,
then fetch such anonymous chain and its ruleset.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1577
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Add a helper function to dump the rules and add them to the
corresponding chain.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
The 'ret' variable is already set to a negative value to report an
error, do not set it again to a negative value.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Pass the table and chain strings to mnl_nft_rule_dump() instead.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Transform:
ip saddr 1.1.1.1 ip daddr 2.2.2.2 accept
ip saddr 2.2.2.2 ip daddr 3.3.3.3 drop
into:
ip saddr . ip daddr vmap { 1.1.1.1 . 2.2.2.2 : accept, 2.2.2.2 . 3.3.3.3 : drop }
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Transform:
ct state invalid drop
ct state established,related accept
into:
ct state vmap { established : accept, related : accept, invalid : drop }
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch extends the ruleset optimization infrastructure to collapse
several rules with the same selectors into a concatenation.
Transform:
meta iifname eth1 ip saddr 1.1.1.1 ip daddr 2.2.2.3 accept
meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.2.5 accept
meta iifname eth2 ip saddr 1.1.1.3 ip daddr 2.2.2.6 accept
into:
meta iifname . ip saddr . ip daddr { eth1 . 1.1.1.1 . 2.2.2.6, eth1 . 1.1.1.2 . 2.2.2.5 , eth1 . 1.1.1.3 . 2.2.2.6 } accept
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a new -o/--optimize option to enable ruleset
optimization.
You can combine this option with the dry run mode (--check) to review
the proposed ruleset updates without actually loading the ruleset, e.g.
# nft -c -o -f ruleset.test
Merging:
ruleset.nft:16:3-37: ip daddr 192.168.0.1 counter accept
ruleset.nft:17:3-37: ip daddr 192.168.0.2 counter accept
ruleset.nft:18:3-37: ip daddr 192.168.0.3 counter accept
into:
ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 } counter packets 0 bytes 0 accept
This infrastructure collects the common statements that are used in
rules, then it builds a matrix of rules vs. statements. Then, it looks
for common statements in consecutive rules which allows to merge rules.
This ruleset optimization always performs an implicit dry run to
validate that the original ruleset is correct. Then, on a second pass,
it performs the ruleset optimization and add the rules into the kernel
(unless --check has been specified by the user).
From libnftables perspective, there is a new API to enable
this feature:
uint32_t nft_ctx_get_optimize(struct nft_ctx *ctx);
void nft_ctx_set_optimize(struct nft_ctx *ctx, uint32_t flags);
This patch adds support for the first optimization: Collapse a linear
list of rules matching on a single selector into a set as exposed in the
example above.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This is used in --debug=eval mode to annotate symbols that have not yet
been evaluated, remove it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Reading from stdin requires to store the ruleset in a buffer so error
reporting works accordingly, eg.
# cat ruleset.nft | nft -f -
/dev/stdin:3:13-13: Error: unknown identifier 'x'
ip saddr $x
^
The error reporting infrastructure performs a fseek() on the file
descriptor which does not work in this case since the data from the
descriptor has been already consumed.
This patch adds a new stdin input descriptor to perform this special
handling which consists on re-routing this request through the buffer
functions.
Fixes: 935f82e7dd49 ("Support 'nft -f -' to read from stdin")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Add a few helper functions to reuse code in the new rule optimization
infrastructure.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are several places where we check whether `ctx->pdctx.pbase`
equal to `PROTO_BASE_INVALID` and don't bother trying to free the
dependency if so. However, these checks are redundant.
In `payload_match_expand` and `trace_gen_stmts`, we skip a call to
`payload_dependency_kill`, but that calls `payload_dependency_exists` to check a
dependency exists before doing anything else.
In `ct_meta_common_postprocess`, we skip an open-coded equivalent to
`payload_dependency_kill` which performs some different checks, but the
first is the same: a call to `payload_dependency_exists`.
Therefore, we can drop the redundant checks and simplify the flow-
control in the functions.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
Re-arrange some switch-cases and conditionals to reduce levels of
indentation.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
Instead of subtracting a boolean from the protocol base for stacked
payloads, just decrement the base variable itself.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
Correct spelling in comment.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Contrary to the comment and expected output, nft does _not_ eliminate
the redundant `ip protocol` expression from the second test. Dependency
elimination requires a higher level expression. `ip saddr` cannot lead
to the elimination of `ip protocol` since they are both L3 expressions.
`tcp dport` cannot because although `ip saddr` and `ip protocol` both
imply that the L3 protocol is `ip`, only protocol matches are stored as
dependencies, so the redundancy is not apparent, and in fact,
`payload_may_dependency_kill` explicitly checks for the combination of
inet, bridge or netdev family, L4 expression and L3 ipv4 or ipv6
dependency and returns false.
Correct the expected output and comment.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
| |
In one of the bridge payloads, the wrong command is given to load the
protocol.
[ fw@strlen.de: remove the duplicated netdev payload ]
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
The netdev payload for one of the inet/sets.t tests was cut-and-pasted
from the inet payload without being properly updated.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When passing no upper size limit, the dynset expression forces
an internal 64k upperlimit.
In some cases, this can result in 'nft -f' to restore the ruleset.
Avoid this by always setting the EVAL flag on a set definition when
we encounter packet-path update attempt in the batch.
Reported-by: Yi Chen <yiche@redhat.com>
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Devices with interface names starting with a digit can not be configured
in flowtables. Trying to do so throws the following error:
Error: syntax error, unexpected number, expecting comma or '}'
devices = { eth0, 6in4-wan6 };
This is however a perfectly valid interface name. Solve the issue by
allowing the use of quoted strings.
Suggested-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
automake recommends shipping the output of bison and lex in distribution
tar-balls and runs bison and lex during `make dist` (this has the
advantage that end-users don't need to have bison or lex installed to
compile the software). Accordingly, automake also recommends removing
these files with `make maintainer-clean` and generates rules to do so.
Therefore, remove scanner.c and parser_bison.c from `CLEANFILES`.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Move the check for NULL protocol description away from the loop to avoid
too long line.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|