--terse does not apply to anonymous sets, add an NFT_CACHE_TERSE bit
to skip named sets only.
Moreover, prioritize specific listing filter over --terse to avoid a
bogus:
netlink: Error: Unknown set '__set0' in lookup expression
when invoking:
# nft -ta list set inet filter example
Extend existing test to improve coverage.
Fixes: 9628d52e46ac ("cache: disable NFT_CACHE_SETELEM_BIT on --terse listing only")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Requires libnftnl 1.2.1
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Without this, nft monitor will either print garbage or even segfault
when encountering a concat set because we pass expr->value to libgmp
helpers for concat (non-value) expressions.
Also, for concat case, we need to call concat_range_aggregate() helper.
Add a test case for this. Without this patch, it gives:
tests/monitor/run-tests.sh: line 98: 1163 Segmentation fault
(core dumped) $nft -nn -e -f $command_file > $echo_output
Signed-off-by: Florian Westphal <fw@strlen.de>
Add missing "ih" base raw payload and extend tests/py to cover this new
usecase.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Remove new 'ih' token, allow to represent the raw payload base with a
string instead.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The following test shows a warning in the netdev family:
ip/ip_tcp.t: WARNING: line 9: 'add rule netdev test-netdev ingress ip protocol tcp tcp dport 22': 'tcp dport 22' mismatches 'ip protocol 6 tcp dport 22'
'ip protocol tcp' can be removed in the ip family, but not in netdev.
This test is specific to the ip family, remove the netdev lines.
Fixes: 510c4fad7e78 ("src: Support netdev egress hook")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Update json output for 'meta protocol ip6 udp dport 67'.
Fixes: 646c5d02a5db ("rule: remove redundant meta protocol from the evaluation step")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Missing json update for new tests added recently.
Fixes: 50780456a01a ("evaluate: check for missing transport protocol match in nat map with concatenations")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Missing json update for three new tests added recently.
Fixes: 640dc0c8a3da ("tests: py: extend coverage for dnat with classic range representation")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
With an autogenerated ruleset with ~20k chains.
# time nft list ruleset &> /dev/null
real 0m1,712s
user 0m1,258s
sys 0m0,454s
Speed up listing of a specific chain:
# time nft list chain nat MWDG-UGR-234PNG3YBUOTS5QD &> /dev/null
real 0m0,542s
user 0m0,251s
sys 0m0,292s
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Check family when filtering out listing of tables and sets.
Fixes: 3f1d3912c3a6 ("cache: filter out tables that are not requested")
Fixes: 635ee1cad8aa ("cache: filter out sets and maps that are not requested")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Skip set element netlink dump if set is flushed, this speeds up
set flush + add element operation in a batch file for an existing set.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Wrap the table and set fields for list filtering to prepare for the
introduction of element filters.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The docs are too terse and do not have the list of valid timeout states.
While at it, adjust default stream timeout of udp to 120, this is the
current kernel default.
Signed-off-by: Florian Westphal <fw@strlen.de>
Missing update of json test.
Fixes: 6ad2058da66a ("datatype: add xinteger_type alias to print in hexadecimal")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Do not clone the expression when evaluating a set expression; grabbing the
reference counter to reuse the object is sufficient.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Clone the expression that defines the variable value if there are
multiple references to it in the ruleset. This saves heap memory
consumption in case the variable defines a set with a huge number of
elements.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Do not call alloc_setelem_cache() to build the set element list in
nftnl_set. Instead, translate one single set element expression to
nftnl_set_elem object at a time and use this object to build the netlink
header.
Using a huge test set containing a 1.1 million element blocklist, this
patch reduces userspace memory consumption by 40%.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The kernel does not allow for the NFT_SET_ELEM_INTERVAL_END flag and
NFTA_SET_ELEM_DATA. The closing end interval represents a mismatch,
therefore, no verdict can be applied. The existing payload files show
the drop verdict when this is unset (because NF_DROP=0).
This update is required to fix payload warnings in tests/py after
libnftnl's ("set: use NFTNL_SET_ELEM_VERDICT to print verdict").
Fixes: 6671d9d137f6 ("mnl: Set NFTNL_SET_DATA_TYPE before dumping set elements")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds support to match on inner header / payload data:
# nft add rule x y @ih,32,32 0x14000000 counter
you can also mangle payload data:
# nft add rule x y @ih,32,32 set 0x14000000 counter
This update triggers a checksum update at the layer 4 header via
csum_flags. Mangling odd bytes is also aligned to 16 bits.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
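A worked illustration of the raw payload semantics the commit above describes, added here as an example and not nft's or the kernel's own code: how an expression such as `@ih,32,32` selects a bit field of the inner header, how the corresponding `set` writes it back while preserving the surrounding bits, and which 16-bit aligned byte window an odd-byte write is widened to. The header bytes, the helper names and the alignment helper's exact rounding are this example's own assumptions; the layer 4 checksum fixup that the kernel performs is not modelled.

```python
"""Added example: raw payload `@base,offset,length` matching and mangling.
Illustration only, not nft or kernel code; names and bytes are constructed."""
import re
from dataclasses import dataclass

# Bases nft accepts for raw payload expressions: link layer, network
# header, transport header and inner header.
RAW_PAYLOAD_RE = re.compile(r"^@(?P<base>ll|nh|th|ih),(?P<offset>\d+),(?P<length>\d+)$")
MAX_BITS = 128  # assumption for this example: largest field handled


@dataclass(frozen=True)
class RawPayload:
    base: str
    offset: int  # in bits, from the start of the base header
    length: int  # in bits


def parse_raw_payload(expr: str) -> RawPayload:
    """Parse `@base,offset,length` (offset and length in bits)."""
    m = RAW_PAYLOAD_RE.match(expr.strip())
    if m is None:
        raise ValueError(f"not a raw payload expression: {expr!r}")
    offset, length = int(m["offset"]), int(m["length"])
    if length == 0 or length > MAX_BITS:
        raise ValueError(f"unsupported payload length {length} bits")
    return RawPayload(m["base"], offset, length)


def _window(rp: RawPayload) -> tuple[int, int, int]:
    """Byte range covering the field, plus the count of trailing bits in
    that range that belong to whatever follows the field."""
    first = rp.offset // 8
    last = (rp.offset + rp.length + 7) // 8
    trailing = last * 8 - (rp.offset + rp.length)
    return first, last, trailing


def extract(header: bytes, rp: RawPayload) -> int:
    """Read the field as a big-endian (network order) integer."""
    first, last, trailing = _window(rp)
    if last > len(header):
        raise ValueError("header too short for this payload expression")
    window = int.from_bytes(header[first:last], "big")
    return (window >> trailing) & ((1 << rp.length) - 1)


def matches(header: bytes, expr: str, value: int) -> bool:
    """`@ih,32,32 0x14000000` style match: equality on the selected bits."""
    return extract(header, parse_raw_payload(expr)) == value


def mangle(header: bytes, rp: RawPayload, value: int) -> bytes:
    """`@ih,32,32 set 0x14000000` style write; bits outside the field keep
    their value. Checksum fixup is the kernel's job and is not shown."""
    if value < 0 or value >> rp.length:
        raise ValueError(f"value does not fit in {rp.length} bits")
    first, last, trailing = _window(rp)
    if last > len(header):
        raise ValueError("header too short for this payload expression")
    mask = ((1 << rp.length) - 1) << trailing
    window = int.from_bytes(header[first:last], "big")
    window = (window & ~mask) | (value << trailing)
    return header[:first] + window.to_bytes(last - first, "big") + header[last:]


def aligned_span(rp: RawPayload) -> tuple[int, int]:
    """Byte window widened to 16-bit alignment (start rounded down, end
    rounded up to an even byte). This example's reading of "odd bytes are
    aligned to 16 bits"; the kernel's exact rule is not reproduced here."""
    first, last, _ = _window(rp)
    return first & ~1, last + (last & 1)


def fmt_hex(value: int) -> str:
    """Print the way the hexadecimal integer alias does: 0x14000000."""
    return format(value, "#x")


# Constructed inner-header bytes: bits 32..63 hold 0x14000000.
IH = bytes.fromhex("00010203" "14000000" "aabb")

if __name__ == "__main__":
    rp = parse_raw_payload("@ih,32,32")
    print(fmt_hex(extract(IH, rp)), matches(IH, "@ih,32,32", 0x14000000))
    print(mangle(IH, rp, 0xDEADBEEF).hex(), aligned_span(parse_raw_payload("@ih,8,8")))
```

The `extract` and `mangle` helpers deliberately work on bit offsets rather than bytes, so a field such as `@th,4,8` (the low nibble of byte 0 and the high nibble of byte 1) is handled the same way as a byte aligned one; `aligned_span` shows why a one-byte write still touches a two-byte window.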
The variable has to undergo word splitting, otherwise the shell tries
to find the variable value as an executable, which breaks in cases that
7c8a44b25c22 ("tests: shell: Allow wrappers to be passed as nft command")
intends to support.
Mention this in the shell tests README.
Fixes: d8ccad2a2b73 ("tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set")")
Signed-off-by: Štěpán Němec <snemec@redhat.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Since commit 4d26b6dd3c4c, test file name suffix no longer reflects
expected exit code in all cases.
Move the sentence "Since they are located with `find', test files can
be put in any subdirectory." to a separate paragraph.
Fixes: 4d26b6dd3c4c ("tests: shell: change all test scripts to return 0")
Signed-off-by: Štěpán Němec <snemec@redhat.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Since commit 7c8a44b25c22, $NFT can contain an arbitrary command,
e.g. 'valgrind nft'.
Fixes: 7c8a44b25c22 ("tests: shell: Allow wrappers to be passed as nft command")
Signed-off-by: Štěpán Němec <snemec@redhat.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Grammar, wording, formatting fixes (no substantial change of meaning).
Signed-off-by: Štěpán Němec <snemec@redhat.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Add an alias of the integer type to print raw payload expressions in
hexadecimal.
Update tests/py.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
evaluation
Fix bogus error report when using transport protocol as map key.
Fixes: 50780456a01a ("evaluate: check for missing transport protocol match in nat map with concatenations")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The documentation describes the syntax of limit statements thus:
limit rate [over] packet_number / TIME_UNIT [burst packet_number packets]
limit rate [over] byte_number BYTE_UNIT / TIME_UNIT [burst byte_number BYTE_UNIT]
TIME_UNIT := second | minute | hour | day
BYTE_UNIT := bytes | kbytes | mbytes
From this one might infer that a limit may be specified by any of the
following:
limit rate 1048576/second
limit rate 1048576 mbytes/second
limit rate 1048576 / second
limit rate 1048576 mbytes / second
However, the last does not currently parse:
$ sudo /usr/sbin/nft add filter input limit rate 1048576 mbytes / second
Error: wrong rate format
add filter input limit rate 1048576 mbytes / second
^^^^^^^^^^^^^^^^^^^^^^^^^
Extend the `limit_rate_bytes` parser rule to support it, and add some
new Python test-cases.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
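A parser for the `limit rate` syntax quoted in the commit above, added here as an example and not nft's bison grammar: it accepts all four spacing variants the documentation implies, including `N BYTE_UNIT / TIME_UNIT`, normalises the rate to packets or bytes per second, and rejects a burst whose unit does not agree with the rate. The unit multipliers (kbytes = 1024, mbytes = 1024 * 1024) and the `Limit` record are this example's assumptions.

```python
"""Added example: parser for `limit rate [over] N [BYTE_UNIT] / TIME_UNIT
[burst N packets|BYTE_UNIT]`. Illustration only, not nft's own grammar."""
import re
from dataclasses import dataclass
from typing import Optional

TIME_UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
# Assumption for this example: binary multipliers.
BYTE_UNITS = {"bytes": 1, "kbytes": 1024, "mbytes": 1024 * 1024}

LIMIT_RE = re.compile(
    r"""^limit\s+rate\s+
        (?:(?P<over>over)\s+)?
        (?P<number>\d+)\s*
        (?:(?P<byte_unit>bytes|kbytes|mbytes)\s*)?
        /\s*(?P<time_unit>second|minute|hour|day)
        (?:\s+burst\s+(?P<burst>\d+)\s*(?P<burst_unit>packets|bytes|kbytes|mbytes))?
        \s*$""",
    re.VERBOSE,
)


@dataclass(frozen=True)
class Limit:
    over: bool
    number: int            # packets, or bytes after applying BYTE_UNIT
    unit: str              # "packets" or "bytes"
    per_seconds: int       # length of TIME_UNIT in seconds
    burst: Optional[int]   # same unit as `number`, None if absent

    @property
    def per_second(self) -> float:
        """Normalised rate in packets or bytes per second."""
        return self.number / self.per_seconds


def parse_limit(text: str) -> Limit:
    """Parse one limit statement; raise ValueError on a malformed rate."""
    m = LIMIT_RE.match(text.strip())
    if m is None:
        raise ValueError(f"wrong rate format: {text!r}")
    number = int(m["number"])
    if m["byte_unit"] is not None:
        number *= BYTE_UNITS[m["byte_unit"]]
        unit = "bytes"
    else:
        unit = "packets"
    burst = None
    if m["burst"] is not None:
        burst_unit = m["burst_unit"]
        # A packet rate takes a packet burst, a byte rate a byte burst.
        if unit == "packets" and burst_unit != "packets":
            raise ValueError("packet rate needs a burst in packets")
        if unit == "bytes" and burst_unit == "packets":
            raise ValueError("byte rate needs a burst in bytes")
        scale = 1 if burst_unit == "packets" else BYTE_UNITS[burst_unit]
        burst = int(m["burst"]) * scale
    return Limit(m["over"] is not None, number, unit, TIME_UNITS[m["time_unit"]], burst)


# The four forms the commit message lists.
FORMS = [
    "limit rate 1048576/second",
    "limit rate 1048576 mbytes/second",
    "limit rate 1048576 / second",
    "limit rate 1048576 mbytes / second",
]

if __name__ == "__main__":
    for form in FORMS:
        print(form, "->", parse_limit(form))
```

The regular expression mirrors the documented grammar one token at a time, with `\s*` around the `/` and after the byte unit, which is exactly the spacing the fourth form needs and which the older `limit_rate_bytes` rule did not accept.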
Factor the `N / time-unit` and `N byte-unit / time-unit` expressions
from limit expressions out into separate `limit_rate_pkts` and
`limit_rate_bytes` rules respectively.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Refactor the `N byte-unit` expression out of the `limit_bytes_burst`
rule into a separate `limit_bytes` rule.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
POSIX [1] does not specify the behavior of `exit' with arguments
outside the 0-255 range, but what generally (bash, dash, zsh, OpenBSD
ksh, busybox) seems to happen is the shell exiting with status & 255
[2], which results in zero exit for certain non-zero arguments.
[1] https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#exit
[2] https://git.savannah.gnu.org/cgit/bash.git/tree/builtins/common.c#n579
Fixes: 0c6592420586 ("tests: fix return codes")
Signed-off-by: Štěpán Němec <snemec@redhat.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Previous fix for HZ=100 was not sufficient, a kernel with HZ=250 rounds
the 10ms to 8ms it seems. Do as Lukas suggests and accept the occasional
input/output asymmetry instead of continuing the hide'n'seek game.
Fixes: c9c5b5f621c37 ("tests: shell: Fix bogus testsuite failure with 100Hz")
Suggested-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add userspace support for the netdev egress hook which is queued up for
v5.16-rc1, complete with documentation and tests. Usage is identical to
the ingress hook.
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The fwd and dup statements are specific to netdev hooks, so move their
tests to the appropriate subdirectory.
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Compare listing with and without --terse for:
nft list ruleset
nft list set x y
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Instead of NFT_CACHE_SETELEM which also disables set dump.
Fixes: 6bcd0d576a60 ("cache: unset NFT_CACHE_SETELEM with --terse listing")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This change ensures that, when listing rulesets with the terse flag, the
terse flag is maintained.
Fixes: 6bcd0d576a60 ("cache: unset NFT_CACHE_SETELEM with --terse listing")
Signed-off-by: Chris Arges <carges@cloudflare.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Check for a table mismatch, in case the same set name is used in different
tables.
Fixes: 635ee1cad8aa ("cache: filter out sets and maps that are not requested")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Fetch table, set and set elements only for set listing commands, e.g.
nft list set inet filter ipv4_bogons.
Fixes: 635ee1cad8aa ("cache: filter out sets and maps that are not requested")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This flag forces a refresh of the cache on list commands. Several
object types are missing this flag; this fixes nft --interactive
mode.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
readline support only compiles for libreadline5; set libedit as the default
library.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
interval set")
Test inspired by [1] with both the set and stack size reduced by the
same power of 2, to preserve the (pre-baecd1cf2685) segfault on one
hand, and make the test successfully complete (post-baecd1cf2685) in a
few seconds even on weaker hardware on the other.
(The reason I stopped at 128kB stack size is that with 64kB I was
getting segfaults even with baecd1cf2685 applied.)
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1908127
Signed-off-by: Štěpán Němec <snemec@redhat.com>
Helped-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Apparently some people think it's a good idea to make nft setuid so
unprivileged users can change settings.
"nft -f /etc/shadow" is just one example of why this is a bad idea.
Disable this. Do not print anything, fd cannot be trusted.
This change intentionally doesn't affect libnftables, on the off-chance
that somebody creates an suid program and knows what they're doing.
Signed-off-by: Florian Westphal <fw@strlen.de>
This is the nft equivalent of the syzbot report that led to
kernel commit 68a3765c659f8
("netfilter: nf_tables: skip netdev events generated on netns removal").
Signed-off-by: Florian Westphal <fw@strlen.de>
When outputting set definitions, merge three consecutive
`if (!list_empty(&set->stmt_list))` conditionals.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Before outputting counters in set definitions the
`NFT_CTX_OUTPUT_STATELESS` flag was set to suppress output of the
counter state and unconditionally cleared afterwards, regardless of
whether it had been originally set. Record the original set of flags
and restore it.
Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994273
Fixes: 6d80e0f15492 ("src: support for counter in set definition")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
When `-s` is passed, no state is output for named quotas and counter and
quota rules, but fake zero state is output for named counters. Remove
the output of named counters to match the remaining stateful objects.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
- Add missing comma between array elements.
- Fix chain 'name' property.
- Match 'op' property is mandatory.
Fixes: 2e56f533b36a ("doc: Improve example in libnftables-json(5)")
Fixes: 90d4ee087171 ("JSON: Make match op mandatory, introduce 'in' operator")
Signed-off-by: Štěpán Němec <snemec@redhat.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
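The third point in the commit above, that the `op` property of a JSON `match` statement is mandatory, is the kind of mistake that is easy to make by hand and cheap to catch before handing a ruleset to libnftables. The linter below is an added example, not libnftables code: it walks a `{"nftables": [...]}` document and reports match statements lacking `op`, `left` or `right`, or using an operator outside the documented set. The sample ruleset, its table and chain names, and the `lint_matches` helper are constructed for this example.

```python
"""Added example: lint libnftables JSON for malformed `match` statements.
Illustration only, not libnftables code; the sample input is constructed."""
import json
from typing import Any, Iterator

# Operators documented for the JSON `match` statement.
MATCH_OPS = {"==", "!=", "<", ">", "<=", ">=", "in"}


def iter_rules(ruleset: dict[str, Any]) -> Iterator[dict[str, Any]]:
    """Yield every `rule` object in a `{"nftables": [...]}` document."""
    for item in ruleset.get("nftables", []):
        if isinstance(item, dict) and "rule" in item:
            yield item["rule"]


def lint_matches(ruleset: dict[str, Any]) -> list[str]:
    """Return one message per defect found in match statements."""
    problems = []
    for rule in iter_rules(ruleset):
        where = f"{rule.get('family')} {rule.get('table')} {rule.get('chain')}"
        for idx, stmt in enumerate(rule.get("expr", [])):
            match = stmt.get("match") if isinstance(stmt, dict) else None
            if match is None:
                continue
            if "op" not in match:
                problems.append(f"{where}: expr[{idx}] match lacks mandatory 'op'")
            elif match["op"] not in MATCH_OPS:
                problems.append(f"{where}: expr[{idx}] unknown op {match['op']!r}")
            for side in ("left", "right"):
                if side not in match:
                    problems.append(f"{where}: expr[{idx}] match lacks {side!r}")
    return problems


# Constructed input: the first rule omits `op`, the second uses `in`.
SAMPLE = json.loads("""
{"nftables": [
  {"table": {"family": "inet", "name": "filter"}},
  {"chain": {"family": "inet", "table": "filter", "name": "input",
             "type": "filter", "hook": "input", "prio": 0, "policy": "accept"}},
  {"rule": {"family": "inet", "table": "filter", "chain": "input", "expr": [
      {"match": {"left": {"payload": {"protocol": "tcp", "field": "dport"}},
                 "right": 22}},
      {"accept": null}]}},
  {"rule": {"family": "inet", "table": "filter", "chain": "input", "expr": [
      {"match": {"op": "in", "left": {"ct": {"key": "state"}},
                 "right": ["established", "related"]}},
      {"accept": null}]}}
]}
""")

if __name__ == "__main__":
    for line in lint_matches(SAMPLE):
        print(line)
```

Run against the sample, the linter flags only the first rule's match; the second rule passes because `in` is among the documented operators. Feeding the output of `nft -j list ruleset` through `json.load` gives a document of the same shape, so the same function works on a live ruleset export.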
Skip populating the set element cache in this case to speed up listing.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Do not fetch set content for list commands that specify a
set name.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Do not fetch table content for list commands that specify a
table name, e.g.
# nft list table filter
This speeds up listing of a given table by not populating the
cache with tables that are not needed.
- Full ruleset (huge with ~100k lines).
# sudo nft list ruleset &> /dev/null
real 0m3,049s
user 0m2,080s
sys 0m0,968s
- Listing per table is now faster:
# nft list table nat &> /dev/null
real 0m1,969s
user 0m1,412s
sys 0m0,556s
# nft list table filter &> /dev/null
real 0m0,697s
user 0m0,478s
sys 0m0,220s
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1326
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>