| Commit message (Collapse) | Author | Age | Files | Lines |
| |
This is not itself a conflict, so move this check out of this function.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
So we enter resolve_protocol_conflict() only when we really have a
conflict that we want to try to resolve.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This is a cleanup to untangle this logic a bit.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Instead of bool, expr_error() returns -1 if we fail to create
dependencies. We need to propagate this error value.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Before this patch,
$ sudo nft --debug=netlink add rule ip nat post ip protocol tcp redirect to 100-200
ip nat post
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ immediate reg 1 0x00006400 ]
[ immediate reg 2 0x0000c800 ]
[ redir proto_min reg 1 proto_max reg 5 ]
<cmdline>:1:1-56: Error: Could not process rule: Invalid argument
add rule ip nat post ip protocol tcp redirect to 100-200
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
After this patch,
$ sudo nft --debug=netlink add rule ip nat post ip protocol tcp redirect to 100-200
ip nat post
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ immediate reg 1 0x00006400 ]
[ immediate reg 2 0x0000c800 ]
[ redir proto_min reg 1 proto_max reg 2 ]
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch adds support for the forward statement, only available in the
netdev family.
# nft add table netdev filter
# nft add chain netdev filter ingress { type filter hook ingress device eth0 priority 0\; }
# nft add rule netdev filter ingress fwd to dummy0
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch contains the missing chunk to add support for the netdev
family. Part of the support slipped through in the original patch to
add the dup statement for IPv4 and IPv6.
# nft add table netdev filter
# nft add chain netdev filter ingress { type filter hook ingress device eth0 priority 0\; }
# nft add rule netdev filter ingress dup to dummy0
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Add tests for the icmpv6 packet types policy-fail and reject-route to be
used with REJECT target.
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Add the missing symbols and correct the macros corresponding to the
existing symbols.
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Check for OP_EQ before removing a dependency, else we may zap the wrong one,
changing the meaning of the rule.
Listing without patch:
ip protocol udp udp dport ssh
ip protocol udp udp dport ssh
counter packets 1 bytes 308 ip protocol udp udp dport ssh
With patch:
ip protocol != tcp udp dport ssh
ip protocol != udp udp dport ssh
ip protocol != tcp counter packets 1 bytes 308 udp dport ssh
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
old nft list:
mark set unknown unknown & 0xfff [invalid type] map { 3 : 0x00000017, 1 : 0x0000002a}
new:
mark set vlan id map { 3 : 0x00000017, 1 : 0x0000002a}
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
One normal map lookup, one with an explicit binop.
The latter is supposed to also work with the followup patch applied.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Just move the payload trim part to a separate function.
Next patch will add a second call site to deal with map ops
that use a lookup based on a binop result.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
So far it was only possible to match packets under a rate limit; this
patch allows you to explicitly indicate whether you want to match packets
that go over or until the rate limit, e.g.
... limit rate over 3/second counter log prefix "OVERLIMIT: " drop
... limit rate over 3 mbytes/second counter log prefix "OVERLIMIT: " drop
... ct state invalid limit rate until 1/second counter log prefix "INVALID: "
When listing rate limit until, this shows:
... ct state invalid limit rate 1/second counter log prefix "INVALID: "
thus, the existing syntax is still valid (i.e. it defaults to rate limit until).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
We have tests for these in ip/ct.t.
(We cannot use ipv4 addresses e.g. in ipv6 family).
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
nft generated two 4-byte swaps for conntrack byte/packet counters,
which are 64bit host-endian values:
byteorder reg 1 = hton(reg 1, 4, 8) ]
This makes the kernel perform two htonl() calls, but we need
a cpu_to_be64 conversion instead (reg 1, 8, 8).
Without this a rule like 'ct original packets > 10'
matched when counter was between 1 and 10.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
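As an added illustration (not part of this commit or of the nftables sources): the effect of the wrong byteorder conversion, modelled in Python. The kernel's cmp expression compares the register bytes against the rule's constant byte-wise (memcmp style), so the register must hold a big-endian 64-bit value; two independent 32-bit htonl() swaps on a little-endian host instead move the low word into the high half of the register. The function names and the counter values are mine; the register/constant layout follows the commit message above.

```python
import struct


def hton_words(value: int, word_size: int, total: int) -> bytes:
    """Model of the nft 'byteorder ... hton(reg, word_size, total)' operation
    on a little-endian host: the register is split into word_size-byte words
    and each word is individually converted from host (LE) to network (BE)."""
    host = value.to_bytes(total, "little")          # register as laid out in memory
    words = [host[i:i + word_size] for i in range(0, total, word_size)]
    return b"".join(w[::-1] for w in words)         # one htonl()/htons() per word


def buggy_encode(counter: int) -> bytes:
    # what nft emitted before the fix: hton(reg 1, 4, 8) -> two htonl() calls
    return hton_words(counter, 4, 8)


def fixed_encode(counter: int) -> bytes:
    # what nft emits after the fix: hton(reg 1, 8, 8) -> one cpu_to_be64()
    return hton_words(counter, 8, 8)


def cmp_gt(reg: bytes, const: bytes) -> bool:
    """The kernel evaluates the 'gt' comparison byte-wise, which equals an
    integer comparison only when both operands are big-endian. Python
    compares bytes lexicographically, i.e. like memcmp()."""
    return reg > const


def rule_matches(counter: int, threshold: int, encode) -> bool:
    """'ct original packets > threshold' with the given register encoding;
    the rhs constant is always emitted as a big-endian 64-bit value."""
    const = threshold.to_bytes(8, "big")
    return cmp_gt(encode(counter), const)


def mismatching_counters(threshold: int, upto: int) -> list[int]:
    """Counter values in [0, upto] for which the buggy encoding gives a
    different verdict than the fixed one."""
    return [c for c in range(upto + 1)
            if rule_matches(c, threshold, buggy_encode)
            != rule_matches(c, threshold, fixed_encode)]


if __name__ == "__main__":
    # constructed sample: counter 5 against 'ct original packets > 10'
    print("buggy:", buggy_encode(5).hex(), "fixed:", fixed_encode(5).hex())
    print("counters wrongly matched by the old encoding:", mismatching_counters(10, 20))
    # the old encoding also under-matches: 2^32 becomes be64(1), which is not > 10
    print("2^32 > 10 with buggy encoding:", rule_matches(1 << 32, 10, buggy_encode))
```

Counter 5 encodes as 00 00 00 05 00 00 00 00 under the old two-word swap, which reads as 5·2^32 when interpreted as big-endian, so every counter from 1 to 10 exceeds the constant 10; the corrected single 8-byte swap yields 00 00 00 00 00 00 00 05 and the comparison behaves as an integer comparison.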
| |
packets and bytes need special treatment -- we want to be able to get
packet/byte counter in either direction, but also express
'fetch in *BOTH* directions', i.e.
ct packets original + ct packets reply > 1000
This either requires a '+' expression, a new 'both' direction, or
keys where direction is optional, i.e.
ct packets > 12345 ; original + reply
ct original packets > 12345 ; original
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
old: ct saddr original 1.2.3.4
new: ct original saddr 1.2.3.4
The advantage is that this allows adding ct keys where direction is optional
without creating ambiguities in the parser.
So we can have
ct packets gt 42
ct original packets gt 42
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This patch enables tests for the new netdev family and its ingress
chain.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
The existing test was checking for the ip family three times, fix it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
I think these unit tests should be self-contained at some level. The
shell/ directory should be used to catch regressions at ruleset level,
ie. these kinds of combinations.
Another motivation is that I want netdev/ingress to get tested
(coming in a follow up patch), and we don't support log there yet, so I
would need to skip this test for that case.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Use rhs_expr and list_rhs_expr as possible occurrences of
initializer_expr since we may only find constant expressions on the
right hand side of the assignment.
Fixes: 2a5d44d8b3c (parser: get rid of multiton_expr from lhs relational expression)
Reported-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Tested-by: Florian Westphal <fw@strlen.de>
Tested-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
| |
The test files have been adapted to the syntax defined in the previous
commit "tests/py: modify supported test file syntax"
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Until now, the syntax to represent tables and chains in test files was:
*ip;test-ip4
*ip6;test-ip6
*inet;test-inet
:input;type filter hook input priority 0
Where lines starting with * are tables and lines starting with : are
chains.
This commit changes the test script to deal with the new syntax:
:input;type filter hook input priority 0
*ip;test-ip4;input
*ip6;test-ip6;input
*inet;test-inet;input
Now the chains should be included before tables. Also, lines defining
tables have a new third part (delimited by semicolon) where the chains
needed by the table are declared. If a table needs to include more than
one chain, those must be separated by commas:
:input;type filter hook input priority 0
:forward;type filter hook forward priority 0
:output;type filter hook output priority 0
*arp;test-arp;input,forward,output
This new syntax allows including in the same test file chains not
supported by all families of tables tested.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
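As an added example (not the nft-test.py code from this commit): a small Python parser for the header syntax described above. Chain lines start with `:` and carry `name;definition`; table lines start with `*` and carry `family;name;chain,chain,...`. It enforces the two rules the commit states, that chains are declared before the tables that use them and that every listed chain exists, and it rejects the old two-field table syntax. The `ruleset_commands` helper, the class names and the `*inet;test-inet;input` sample line are mine; the remaining sample lines are the commit's own.

```python
from dataclasses import dataclass, field


@dataclass
class Chain:
    name: str
    definition: str          # e.g. "type filter hook input priority 0"


@dataclass
class Table:
    family: str
    name: str
    chains: list[str] = field(default_factory=list)


class HeaderError(ValueError):
    """Raised for a malformed or out-of-order header line."""


def parse_header(lines):
    """Parse the ':chain' and '*table' header lines of a tests/py file.
    Parsing stops at the first line that is neither (assumed to be where the
    rules under test begin; their format is out of scope for this example)."""
    chains: dict[str, Chain] = {}
    tables: list[Table] = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(":"):
            name, _, definition = line[1:].partition(";")
            if not name or not definition:
                raise HeaderError(f"line {lineno}: chain line needs 'name;definition'")
            if name in chains:
                raise HeaderError(f"line {lineno}: duplicate chain {name!r}")
            chains[name] = Chain(name, definition)
        elif line.startswith("*"):
            parts = line[1:].split(";")
            if len(parts) != 3:      # old syntax had only 'family;name'
                raise HeaderError(f"line {lineno}: table line needs 'family;name;chains'")
            family, name, chain_list = parts
            wanted = [c for c in chain_list.split(",") if c]
            if not wanted:
                raise HeaderError(f"line {lineno}: table {name!r} lists no chains")
            missing = [c for c in wanted if c not in chains]
            if missing:
                raise HeaderError(f"line {lineno}: table {name!r} uses undeclared "
                                  f"chain(s) {missing}; chains must come first")
            tables.append(Table(family, name, wanted))
        else:
            break
    return chains, tables


def ruleset_commands(chains, tables):
    """nft commands a runner would issue to create each table and its chains
    (hypothetical helper, see lead-in)."""
    cmds = []
    for t in tables:
        cmds.append(f"add table {t.family} {t.name}")
        for c in t.chains:
            cmds.append(f"add chain {t.family} {t.name} {c} {{ {chains[c].definition}; }}")
    return cmds


# constructed sample header: the commit's own lines plus one inet table
SAMPLE = """\
:input;type filter hook input priority 0
:forward;type filter hook forward priority 0
:output;type filter hook output priority 0
*arp;test-arp;input,forward,output
*inet;test-inet;input
"""

if __name__ == "__main__":
    chains, tables = parse_header(SAMPLE.splitlines())
    for cmd in ruleset_commands(chains, tables):
        print(cmd)
```

A file still written in the old order (table first, chains after) fails with a `HeaderError` naming the undeclared chain, which makes the migration the commit describes mechanically checkable.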
| |
Now these concepts are represented by objects instead of lists or sparse
parameters.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
The script made messy use of globals; these were sometimes accessed
directly and passed as parameters in other cases.
Since the script is not expected to have to deal with threads, the
globals are now always accessed directly for the sake of simplicity.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
- Adjust lines to 80 columns style
- Add two lines of separation between functions
- Remove redundant parentheses and semicolons
- Apply other minor style fixes
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Only that. The script had a lot of unused variables.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Don't list anonymous sets when listing all sets.
For example, using this ruleset:
==== 8< ====
table inet test {
set set1 {
type ipv4_addr
}
chain test {
tcp dport { 80 } accept
}
}
==== 8< ====
Before this patch:
% nft list sets
table inet test {
set set0 {
type inet_service
flags constant
}
set set1 {
type ipv4_addr
}
}
After this patch:
% nft list sets
table inet test {
set set1 {
type ipv4_addr
}
}
Fixes: 8f297010 ("rule: `list sets' only displays declaration, not definition")
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Cannot check e.g. saddr for 192.168.0.1 for 'any' protocol; nft
needs to expect arguments of a specific address type.
So e.g. when using 'inet' we need to add a rule that makes the expected
family explicit, e.g. 'meta nfproto ipv4'.
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
ct l3proto original == ipv6
<cmdline>:1:56-59: Error: Can't parse symbolic invalid expressions
It's just the nf protocol number -- no dependencies. Just set the right type.
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
During delinearization we attempt to remove masks, for instance
ip saddr $x/32. (mask matches the entire size).
However, in some special cases the lhs size is unknown (0), this
happens f.e. with
'ct saddr original 1.2.3.4/24' which had its '/24' chopped off.
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
expr->len 0 can appear for some data types whose size can be different
based on some external state, e.g. the conntrack src/dst addresses.
The nft type is 'invalid/0-length' in the template definition, the
size is set (on linearization) based on the network base family,
i.e. the type is changed to ip or ipv6 address at a later stage.
For delinearization, skip zero-length expression as concat type
and give expr_postprocess a chance to fix the types.
Without this change the previous patch will result in nft consuming all
available memory when trying to display e.g. a 'ct saddr' rule.
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
A few keys in the ct expression are directional, i.e.
we need to tell kernel if it should fetch REPLY or ORIGINAL direction.
Split ct_keys into ct_keys & ct_keys_dir, the latter are those keys
that the kernel rejects unless also given a direction.
During postprocessing we also need to invoke ct_expr_update_type,
the problem is that e.g. ct saddr can be any family (ip, ipv6) so we need
to update the expected data type based on the network base.
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Reintroduce bitwise operation on constants that was removed in ("parser:
restrict relational rhs expression recursion") since we support this
since the beginning.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This rule catches occurrences from the constant rhs, rename it for
readability reasons.
Note that this rule is still used from the set lhs definition that is
always constant (as it represents the key to look up for the
corresponding element).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
The multiton_expr rule matches range, prefix and wildcard expressions
which don't make sense from the non-constant lhs. This rule is there to
handle the nat statement case, whose expression may be composed of
address and port ranges (hence range expressions).
To resolve this, this patch adds the stmt_expr rule to handle the
possible occurrences of map, multiton and primary expressions from
statements.
This results in more rules but it narrows down what we can find from
expressions that are part of action statements.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
So we can use the 'redirect' reserved word as constant from the rhs
expression. Thus, we can use it as icmp type.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
The relational expression allows recursion from both sides, which doesn't
allow us to know which hand side the input is coming from. This patch
adds a new expr_rhs rule that specifies what can be found on the
constant side of the relational.
Besides making it easier to understand what is actually supported, this
allows us to use reserved words both as constants and statements. This is
used by the following patch to allow using redirect as constant from
the icmp payload match.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This relies on NFT_META_PROTOCOL instead of ethernet protocol type
header field to prepare support for non-ethernet protocols in the
future.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Here are some tests for optional things like rule handles and comments.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This testcase for sets catches a cache bug.
At the time of this commit this test is failing, so the test suite shows:
% sudo ./run-tests.sh
I: using nft binary /usr/local/sbin/nft
I: [OK] ./testcases/maps/anonymous_snat_map_0
I: [OK] ./testcases/maps/named_snat_map_0
W: [FAILED] ./testcases/sets/cache_handling_0
I: [OK] ./testcases/optionals/comments_0
I: [OK] ./testcases/optionals/comments_handles_monitor_0
I: [OK] ./testcases/optionals/handles_1
I: [OK] ./testcases/optionals/handles_0
I: [OK] ./testcases/optionals/comments_handles_0
I: results: [OK] 7 [FAILED] 1 [TOTAL] 8
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Let's add some test cases for maps.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This new test-suite is intended to perform tests of a higher level than
the other regression test-suite.
It can run arbitrary executables which can perform any test apart from testing
the nft syntax or netlink code (which is what the regression tests do).
To run the test suite (as root):
% cd tests/shell
% ./run-tests.sh
Test files are executable files with the pattern <<name_N>>, where N is the
expected return code of the executable. Since they are located with `find',
test-files can be spread in any sub-directories.
You can turn on a verbose execution by calling:
% ./run-tests.sh -v
Before each call to the test-files, `nft flush ruleset' will be called.
Also, test-files will receive the environment variable $NFT which contains the
path to the nftables binary being tested.
You can pass an arbitrary $NFT value as well:
% NFT=../../src/nft ./run-tests.sh
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
564b0e7c13f9 ("netlink_delinearize: postprocess expression before range
merge") crashes nft when the previous statement is removed via
payload_dependency_kill() as this pointer is not valid anymore.
Move the pointer to the previous statement to rule_pp_ctx and invalidate
it when required.
Reported-by: "Pablo M. Bermudo Garay" <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>