summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* tests: py: Fix for changed concatenated ranges outputPhil Sutter2020-12-153-3/+3
| | | | | | | Payload didn't change but libnftnl was fixed to print the key_end data reg of concat-range elements, too. Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: trace: print packet unconditionallyFlorian Westphal2020-12-121-4/+4
| | | | | | | | | | | The kernel includes the packet dump once for each base hook. This means that in case a table contained no matching rule(s), the packet dump will be included in the base policy dump. Simply move the packet dump request out of the switch statement so the debug output shows current packet even with no matched rule. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: icmp, icmpv6: check we don't add second dependencyFlorian Westphal2020-12-094-0/+23
| | | | | | If dependency is already fulfilled, do not add another one. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: ip: add one test case to cover both id and sequenceFlorian Westphal2020-12-092-0/+14
| | | | | | | | | These are two 2-byte matches, so nft will merge the accesses to a single 4-byte load+compare. Check this is properly demangled. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: icmp, icmpv6: avoid remaining warningsFlorian Westphal2020-12-092-42/+34
| | | | | | | | | In case of id/sequence, both 'reply' and 'request' are valid types. nft currently does not remove dependencies that don't have a fixed rhs constant. Signed-off-by: Florian Westphal <fw@strlen.de>
* payload: auto-remove simple icmp/icmpv6 dependency expressionsFlorian Westphal2020-12-093-4/+53
| | | | | | | | | | | | Instead of: icmpv6 type packet-too-big icmpv6 mtu 1280 display just icmpv6 mtu 1280 The dependency added for id/sequence is still kept, its handled by a anon set instead to cover both the echo 'request' and 'reply' cases. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: fix exepcted payload of icmpv6 expressionsFlorian Westphal2020-12-091-10/+97
| | | | | | nft will now auto-insert a icmpv6 type match. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add auto-dependencies for ipv6 icmp6Florian Westphal2020-12-094-12/+53
| | | | | | Extend the earlier commit to also cover icmpv6. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: fix exepcted payload of icmp expressionsFlorian Westphal2020-12-091-1/+130
| | | | | | after previous change nft will insert explicit icmp type match. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add auto-dependencies for ipv4 icmpFlorian Westphal2020-12-095-11/+182
| | | | | | | | | | | | | | The ICMP header has field values that are only exist for certain types. Mark the icmp proto 'type' field as a nextheader field and add a new th description to store the icmp type dependency. This can later be re-used for other protocol dependend definitions such as mptcp options -- which are all share the same tcp option number and have a special 4 bit marker inside the mptcp option space that tells how the remaining option looks like. Signed-off-by: Florian Westphal <fw@strlen.de>
* proto: reduce size of proto_desc structureFlorian Westphal2020-12-091-7/+7
| | | | | | | This will need an additional field. We can compress state here to avoid further size increase. Signed-off-by: Florian Westphal <fw@strlen.de>
* exthdr: remove unused proto_key member from structFlorian Westphal2020-12-093-6/+0
| | | | | | also, no need for this struct to be in the parser. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: timeouts later than 23 daysPablo Neira Ayuso2020-12-082-0/+29
| | | | | | | Test timeout later than 23 days in set definitions and dynamic set insertions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: double close_scope() call for implicit chainsPablo Neira Ayuso2020-12-081-1/+1
| | | | | | | | Call close_scope() from chain_block_alloc only. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1485 Fixes: c330152b7f77 ("src: support for implicit chain bindings") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: Document 'dccp type' matchPhil Sutter2020-12-082-1/+47
| | | | | | | Add a description of dccp_pkttype and extend DCCP header expression synopsis by the 'type' argument. Signed-off-by: Phil Sutter <phil@nwl.cc>
* monitor: fix formatting of if statementsJose M. Guisado Gomez2020-12-081-6/+6
| | | | | | | Replace some "if(" introduced in cb7e02f4 by "if (" Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* monitor: add assignment check for json_echoJose M. Guisado Gomez2020-12-081-2/+2
| | | | | | | | | | | | | When --echo and --json is specified and native syntax is read, only the last instruction is printed. This happens because the reference to the json_echo is reassigned each time netlink_echo_callback is executed for an instruction to be echoed. Add an assignment check for json_echo to avoid reassigning it. Fixes: cb7e02f44d6a (src: enable json echo output when reading native syntax) Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: report EPERM for non-root usersPablo Neira Ayuso2020-12-042-2/+7
| | | | | | | | | $ /usr/sbin/nft list ruleset Operation not permitted (you must be root) Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1372 Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mnl: reply netlink error message might be larger than MNL_SOCKET_BUFFER_SIZEPablo Neira Ayuso2020-12-042-1/+22
| | | | | | | | | | | | | | | | | Netlink attribute maximum size is 65536 bytes (given nla_len is 16-bits). NFTA_SET_ELEM_LIST_ELEMENTS stores as many set elements as possible that can fit into this netlink attribute. Netlink messages with NLMSG_ERROR type originating from the kernel contain the original netlink message as payload, they might be larger than 65536 bytes. Add NFT_MNL_ACK_MAXSIZE which estimates the maximum Netlink header coming as (error) reply from the kernel. This estimate is based on the maximum netlink message size that nft sends from userspace. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1464 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: allow to restore limit from dynamic setPablo Neira Ayuso2020-12-042-0/+51
| | | | | | | Update parser to allow to restore limit per set element in dynamic set. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1477 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: Fix seqnum_to_json() functionalityPhil Sutter2020-12-041-4/+23
| | | | | | | | | | | | | | | | | | | Introduction of json_cmd_assoc_hash missed that by the time the hash table insert happens, the struct cmd object's 'seqnum' field which is used as key is not initialized yet. This doesn't happen until nft_netlink() prepares the batch object which records the lowest seqnum. Therefore push all json_cmd_assoc objects into a temporary list until the first lookup happens. At this time, all referenced cmd objects have their seqnum set and the list entries can be moved into the hash table for fast lookups. To expose such problems in the future, make json_events_cb() emit an error message if the passed message has a handle but no assoc entry is found for its seqnum. Fixes: 389a0e1edc89a ("json: echo: Speedup seqnum_to_json()") Cc: Derek Dai <daiderek@gmail.com> Signed-off-by: Phil Sutter <phil@nwl.cc>
* src: enable json echo output when reading native syntaxJose M. Guisado Gomez2020-12-025-17/+65
| | | | | | | | | | | | | | | | | | | | This patch fixes a bug in which nft did not print any output when specifying --echo and --json and reading nft native syntax. This patch respects behavior when input is json, in which the output would be the identical input plus the handles. Adds a json_echo member inside struct nft_ctx to build and store the json object containing the json command objects, the object is built using a mock monitor to reuse monitor json code. This json object is only used when we are sure we have not read json from input. [ added json_alloc_echo() to compile without json support --pablo ] Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1446 Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Tested-by: Eric Garver <eric@garver.life> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: echo: Speedup seqnum_to_json()Phil Sutter2020-11-231-10/+18
| | | | | | | | | | | | | | | | | | | | | | | | | Derek Dai reports: "If there are a lot of command in JSON node, seqnum_to_json() will slow down application (eg: firewalld) dramatically since it iterate whole command list every time." He sent a patch implementing a lookup table, but we can do better: Speed this up by introducing a hash table to store the struct json_cmd_assoc objects in, taking their netlink sequence number as key. Quickly tested restoring a ruleset containing about 19k rules: | # time ./before/nft -jeaf large_ruleset.json >/dev/null | 4.85user 0.47system 0:05.48elapsed 97%CPU (0avgtext+0avgdata 69732maxresident)k | 0inputs+0outputs (15major+16937minor)pagefaults 0swaps | # time ./after/nft -jeaf large_ruleset.json >/dev/null | 0.18user 0.44system 0:00.70elapsed 89%CPU (0avgtext+0avgdata 68484maxresident)k | 0inputs+0outputs (15major+16645minor)pagefaults 0swaps Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1479 Reported-by: Derek Dai <daiderek@gmail.com> Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: py: update format of registers in bitwise payloads.Jeremy Sowden2020-11-1624-248/+248
| | | | | | | | | libnftnl has been changed to bring the format of registers in bitwise dumps in line with those in other types of expression. Update the expected output of Python test-cases. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* proto: Fix ARP header field orderingPhil Sutter2020-11-107-2/+113
| | | | | | | | | | | | | | | | | | | | | | | In ARP header, destination ether address sits between source IP and destination IP addresses. Enum arp_hdr_fields had this wrong, which in turn caused wrong ordering of entries in proto_arp->templates. When expanding a combined payload expression, code assumes that template entries are ordered by header offset, therefore the destination ether address match was printed as raw if an earlier field was matched as well: | arp saddr ip 192.168.1.1 arp daddr ether 3e:d1:3f:d6:12:0b was printed as: | arp saddr ip 192.168.1.1 @nh,144,48 69068440080907 Note: Although strictly not necessary, reorder fields in proto_arp->templates as well to match their actual ordering, just to avoid confusion. Fixes: 4b0f2a712b579 ("src: support for arp sender and target ethernet and IPv4 addresses") Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: py: remove duplicate payloads.Jeremy Sowden2020-11-097-575/+0
| | | | | | | | | nft-test.py only needs one payload per rule, but a number of rules have duplicates, typically one per address family, so just keep the last payload for rules listed more than once. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* json: tcp: add raw tcp option match supportFlorian Westphal2020-11-093-26/+82
| | | | | | | | | To similar change as in previous one, this time for the jason (de)serialization. Re-uses the raw payload match syntax, i.e. base,offset,length. Signed-off-by: Florian Westphal <fw@strlen.de>
* tcp: add raw tcp option match supportFlorian Westphal2020-11-096-4/+31
| | | | | | tcp option @42,16,4 (@kind,offset,length). Signed-off-by: Florian Westphal <fw@strlen.de>
* tcpopt: allow to check for presence of any tcp optionFlorian Westphal2020-11-098-57/+65
| | | | | | | | | | | | | nft currently doesn't allow to check for presence of arbitrary tcp options. Only known options where nft provides a template can be tested for. This allows to test for presence of raw protocol values as well. Example: tcp option 42 exists Signed-off-by: Florian Westphal <fw@strlen.de>
* tcpopt: split tcpopt_hdr_fields into per-option enumFlorian Westphal2020-11-099-105/+139
| | | | | | | | | | | | | | | | | | Currently we're limited to ten template fields in exthdr_desc struct. Using a single enum for all tpc option fields thus won't work indefinitely (TCPOPTHDR_FIELD_TSECR is 9) when new option templates get added. Fortunately we can just use one enum per tcp option to avoid this. As a side effect this also allows to simplify the sack offset calculations. Rather than computing that on-the-fly, just add extra fields to the SACK template. expr->exthdr.offset now holds the 'raw' value, filled in from the option template. This would ease implementation of 'raw option matching' using offset and length to load from the option. Signed-off-by: Florian Westphal <fw@strlen.de>
* tcpopt: rename noop to nopFlorian Westphal2020-11-095-21/+7
| | | | | | | 'nop' is the tcp padding "option". "noop" is retained for compatibility on parser side. Signed-off-by: Florian Westphal <fw@strlen.de>
* tcpopts: clean up parser -> tcpopt.c plumbingFlorian Westphal2020-11-096-95/+75
| | | | | | | | | | | | | | | | | tcpopt template mapping is asymmetric: one mapping is to match dumped netlink exthdr expression to the original tcp option template. This struct is indexed by the raw, on-write kind/type number. The other mapping maps parsed options to the tcp option template. Remove the latter. The parser is changed to translate the textual option name, e.g. "maxseg" to the on-wire number. This avoids the second mapping, it will also allow to more easily support raw option matching in a followup patch. Signed-off-by: Florian Westphal <fw@strlen.de>
* parser: merge sack-perm/sack-permitted and maxseg/mssFlorian Westphal2020-11-097-28/+26
| | | | | | | | | | | | | | | | | | | | | | One was added by the tcp option parsing ocde, the other by synproxy. So we have: synproxy ... sack-perm synproxy ... mss and tcp option maxseg tcp option sack-permitted This kills the extra tokens on the scanner/parser side, so sack-perm and sack-permitted can both be used. Likewise, 'synproxy maxseg' and 'tcp option mss size 42' will work too. On the output side, the shorter form is now preferred, i.e. sack-perm and mss. Signed-off-by: Florian Westphal <fw@strlen.de>
* json: fix ip6 dnat test case after range to prefix transformation changeFlorian Westphal2020-11-071-8/+9
| | | | | | | | Tests currently fail with ip6/dnat.t: WARNING: line 8: ... because test still expects a range expression. Fixes: ee4391d0ac1e7 ("nat: transform range to prefix expression when possible") Signed-off-by: Florian Westphal <fw@strlen.de>
* json: add missing nat_type flag and netmap nat flagFlorian Westphal2020-11-053-10/+211
| | | | | | | | | | | | | | | | JSON in/output doesn't know about nat_type and thus cannot save/restore nat mappings involving prefixes or concatenations because the snat statement lacks the prefix/concat/interval type flags. Furthermore, bison parser was extended to support netmap. This is done with an internal 'netmap' flag that is passed to the kernel. We need to dump/restore that as well. Also make sure ip/snat.t passes in json mode. Fixes: 35a6b10c1bc4 ("src: add netmap support") Fixes: 9599d9d25a6b ("src: NAT support for intervals in maps") Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: avoid warning and add missing json test casesFlorian Westphal2020-11-052-2/+57
| | | | | | make dnat.t pass in json mode. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: json: add missing test case outputFlorian Westphal2020-11-055-4/+150
| | | | | | | | | | | | Fix warnings and errors when running nf-test.py -j due to missing json test case updates. This also makes bridge/reject.t pass in json mode. No code changes. Fixes: 8615ed93f6e4c4 ("evaluate: enable reject with 802.1q") Fixes: fae0a0972d7a71 ("tests: py: Enable anonymous set rule with concatenated ranges in inet/sets.t") Fixes: 2a20b5bdbde8a1 ("datatype: add frag-needed (ipv4) to reject options") Signed-off-by: Florian Westphal <fw@strlen.de>
* src: Optimize prefix matches on byte-boundariesPhil Sutter2020-11-049-29/+18
| | | | | | | | | | | | | | | | If a prefix expression's length is on a byte-boundary, it is sufficient to just reduce the length passed to "cmp" expression. No need for explicit bitwise modification of data on LHS. The relevant code is already there, used for string prefix matches. There is one exception though, namely zero-length prefixes: Kernel doesn't accept zero-length "cmp" expressions, so keep them in the old code-path for now. This patch depends upon the previous one to correctly parse odd-sized payload matches but has to extend support for non-payload LHS as well. In practice, this is needed for "ct" expressions as they allow matching against IP address prefixes, too. Signed-off-by: Phil Sutter <phil@nwl.cc>
* src: Support odd-sized payload matchesPhil Sutter2020-11-042-0/+11
| | | | | | | | | | | | When expanding a payload match, don't disregard oversized templates at the right offset. A more flexible user may extract less bytes from the packet if only parts of a field are interesting, e.g. only the prefix of source/destination address. Support that by using the template, but fix the length. Later when creating a relational expression for it, detect the unusually small payload expression length and turn the RHS value into a prefix expression. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: py: add netdev folder and reject.t icmp casesJose M. Guisado Gomez2020-11-023-1/+81
| | | | | | | | | | Add unit tests for the use of reject with icmp inside netdev family. reject.t from inet family couldn't be reused because it was using meta nfproto which is not supported inside netdev. Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: add netdev support for reject defaultJose M. Guisado Gomez2020-11-021-0/+1
| | | | | | | | | | Enables not specifying any icmp type and code when using reject inside netdev. This patch completely enables using reject for the netdev family. Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: correct chain name in example of adding a ruleJeremy Sowden2020-11-011-1/+1
| | | | | | | The example adds a rule to the `output` chain, not the `input` chain. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests/shell: Improve fix in sets/0036add_set_element_expiration_0Phil Sutter2020-10-311-1/+1
| | | | | | | | | | Explicitly eliminate the newgen message from output instead of just the last line to make sure no other output is dropped by accident. This also allows the test to pass in unpatched kernels which do not emit the newgen message despite NLM_F_ECHO if no netlink listeners are present. Fixes: 46b54fdcf266d ("Revert "monitor: do not print generation ID with --echo"") Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: exercise validation with nft -cPablo Neira Ayuso2020-10-311-0/+12
| | | | | | | Using oif in fib from prerouting is not support, make sure -c reports an error. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: Bump version to v0.9.7v0.9.7Pablo Neira Ayuso2020-10-261-3/+3
| | | | | | | | Update release name based on the Fearless Fosdick series: Anyface. Bump dependencies on libnftnl. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Revert "monitor: do not print generation ID with --echo"Pablo Neira Ayuso2020-10-232-2/+2
| | | | | | | | | | | | | Revert 0e258556f7f3 ("monitor: do not print generation ID with --echo"). There is actually a kernel bug which is preventing from displaying this generation ID message. Update the tests/shell to remove the last line of the --echo output which displays the generation ID once the "netfilter: nftables: fix netlink report logic in flowtable and genid" kernel fix is applied. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* monitor: do not print generation ID with --echoPablo Neira Ayuso2020-10-221-1/+1
| | | | | | This fixes testcases/sets/0036add_set_element_expiration_0 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: Fix memleak in set_dtype_json()Phil Sutter2020-10-221-1/+1
| | | | | | | | | Turns out json_string() already dups the input, so the temporary dup passed to it is lost. Fixes: e70354f53e9f6 ("libnftables: Implement JSON output support") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: UAF in interval_map_decompose()Pablo Neira Ayuso2020-10-201-3/+5
| | | | | | | | | | | reported by tests/monitor# bash run-tests.sh ... SUMMARY: AddressSanitizer: heap-use-after-free /home/pablo/devel/scm/git-netfilter/nftables/src/expression.c:1385 in expr_ops Due to incorrect structure layout when calling interval_expr_copy(). Fixes: c1f0476fd590 ("segtree: copy expr data to closing element") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: improve rule error reportingPablo Neira Ayuso2020-10-203-62/+201
| | | | | | | | | | | | | | | | | | | | | Kernel provides information regarding expression since 83d9dcba06c5 ("netfilter: nf_tables: extended netlink error reporting for expressions"). A common mistake is to refer a chain which does not exist, e.g. # nft add rule x y jump test Error: Could not process rule: No such file or directory add rule x y jump test ^^^^ Use the existing netlink extended error reporting infrastructure to provide better error reporting as in the example above. Requires Linux kernel patch 83d9dcba06c5 ("netfilter: nf_tables: extended netlink error reporting for expressions"). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>