| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
We can delete some of the payload files now as ip/ip6/inet produce
same implicit meta l4proto dep.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
after ip6 nexthdr also switch ip to meta l4proto instead of ip protocol.
While its needed for ipv6 (due to extension headers) this isn't needed
for ip but it has the advantage that
tcp dport 22
produces same expressions for ip/ip6/inet families.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
After previous commit nft generates meta l4proto for ipv6 dependencies
instead of checking the (first) nexthdr value.
This fixes up all tests cases accordingly except one which fails with
ip6/reject.t: ... 12: 'ip6 nexthdr 6 reject with tcp reset' mismatches 'meta l4proto 6 reject with tcp reset'
This will be fixed by removing the implicit dependency in a followup patch.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
After some discussion with Pablo we agreed to treat icmp/icmpv6 specially.
in the case of a rule like 'tcp dport 22' the inet, bridge and netdev
families only care about the lower layer protocol.
In the icmpv6 case however we'd like to also enforce an ipv6 protocol check
(and ipv4 check in icmp case).
This extends payload_gen_special_dependency() to consider this.
With this patch:
add rule $pf filter input meta l4proto icmpv6
add rule $pf filter input meta l4proto icmpv6 icmpv6 type echo-request
add rule $pf filter input icmpv6 type echo-request
will work in all tables and all families.
For inet/bridge/netdev, an ipv6 protocol dependency is added; this will
not match ipv4 packets with ip->protocol == icmpv6, EXCEPT in the case
of the ip family.
Its still possible to match icmpv6-in-ipv4 in inet/bridge/netdev with an
explicit dependency:
add rule inet f i ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type ...
Implicit dependencies won't get removed at the moment, so
bridge ... icmp type echo-request
will be shown as
ether type ip meta l4proto 1 icmp type echo-request
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
when using rule like
ip6 filter input tcp dport 22
nft generates:
[ payload load 1b @ network header + 6 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 2b @ transport header + 2 => reg 1 ]
[ cmp eq reg 1 0x00001600 ]
which is: ip6 filter input ip6 nexthdr tcp dport 22
IOW, such a rule won't match if e.g. a fragment header is in place.
This changes ip6_proto to use 'meta l4proto' which is the protocol header
found by exthdr walk.
A side effect is that for bridge we get a shorter dependency chain as it
no longer needs to prepend 'ether proto ipv6' for old 'ip6 nexthdr' dep.
Only problem:
ip6 nexthdr tcp tcp dport 22
will now inject a (useless) meta l4 dependency as ip6 nexthdr is no
longer flagged as EXPR_F_PROTOCOL, to avoid this add a small helper
that skips the unneded meta dependency in that case.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
nft add rule ip6 f i meta l4proto ipv6-icmp icmpv6 type nd-router-advert
<cmdline>:1:50-60: Error: conflicting protocols specified: unknown vs. icmpv6
add icmpv6 to nexthdr list so base gets updated correctly.
Reported-by: Thomas Woerner <twoerner@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
will be re-used in folloup patch for icmp/icmpv6 depenency
handling.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
... to avoid resetting e.g. the ssh session to the vm that runs
nft-test.py.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
We can remove a l4 dependency in ip/ipv6 families.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
at first I thought this was a bug but this in fact seems the right
thing, add a comment/example why adding dependency as first statement makes
sense.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the dumping operation is interrupted, we will restart the
cache_init(), but unfortunatly, we forget to delete the old cache.
So in extreme case, we will leak a huge amount of memory.
Running the following commands can simulate the extreme case:
# nft add table t
# nft add set t s {type inet_service \;}
# for i in $(seq 65000); do
nft add element t s {$i}
done &
# while : ; do
time nft list ruleset -nn
done
After a while, oom killer will be triggered:
[ 2808.243537] Out of memory: Kill process 16975 (nft) score 649 or
sacrifice child
[ 2808.255372] Killed process 16975 (nft) total-vm:1955348kB,
anon-rss:1952120kB, file-rss:0kB, shmem-rss:0kB
[ 2858.353729] nft invoked oom-killer: gfp_mask=0x14201ca(GFP_HIGHUSER_
MOVABLE|__GFP_COLD), nodemask=(null), order=0,
oom_score_adj=0
[ 2858.374521] nft cpuset=/ mems_allowed=0
...
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Print elements per line instead of all in a single line.
The elements which can be 'short' are printed 5 per line,
and others, like IPv4 addresses are printed 2 per line.
Example:
% nft list ruleset -nnn
table ip t {
set s {
type inet_service
elements = { 1, 2, 3, 4, 10,
432, 433, 434, 435, 436,
437, 438, 439, 440, 441,
442, 443, 444, 445, 446,
447, 448, 449, 450, 12345 }
}
map m {
type inet_service . iface_index : verdict
elements = { 123 . "lo" : accept,
1234 . "lo" : accept,
12345 . "lo" : accept,
12346 . "lo" : accept,
12347 . "lo" : accept }
}
set s3 {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2,
3.3.3.3 }
}
}
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
check
'ip protocol ne 6' is not a dependency for nexthdr protocol, and must
not be stored as such.
Fixes: 0b858391781ba308 ("src: annotate follow up dependency just after killing another")
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
add a test case for previous commit.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nft currently translates
ip protocol tcp meta mark set 1 tcp dport 22
to
mark set 0x00000001 tcp dport 22
This is wrong, the latter form is same as
mark set 0x00000001 ip protocol tcp tcp dport 22
and thats not correct (original rule sets mark for tcp packets only).
We need to clear the dependency stack whenever we see a statement other
than stmt_expr, as these will have side effects (counter, payload
mangling, logging and the like).
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
currently nft can lists sets:
nft list sets
but unlike e.g. 'quotas' or 'counters' we didn't support restricting it to
a table. Now its possible to restrict set definition listing to one table:
nft list sets table inet filter
Reported-by: Thomas Woerner <twoerner@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This adds documentation about masquerade and redirect statements, points
out that for any NAT statement both prerouting and postrouting chains
are required and adds a bunch of examples to the section's end.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch adds a test to test refcounting from element to chain and
objects.
Reported-by: Andreas Schultz <aschultz@tpip.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Typing the "nft add rule x y ct mark set jhash ip saddr mod 2" will
not generate a random seed, instead, the seed will always be zero.
So if seed option is empty, we shoulde not set the NFTA_HASH_SEED
attribute, then a random seed will be generated in the kernel.
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
datatype.c:182:13: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 2 has type ‘uint64_t {aka long long unsigned int}’ [-Wformat=] printf("%lu", val);
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
if kernel is older it won't understand the EXTHDR_OP attribute, i.e.
the rule gets accepted as a check for ipv6 exthdr.
On dump nft is then presented with a invalid ipv6 exthdr.
So we need to get rid of the assert and output an "invalid" message on
list. Longterm we need a proper vm description or kernel-side check
to reject such messages in first place.
After patch, test suite yields erros of type
ip6/tcpopt.t: WARNING: 'src/nft add rule --debug=netlink ip6 test-ip6 \
input tcp option sack right 1': 'tcp option sack right 1' mismatches
'ip6 nexthdr 6 unknown-exthdr unknown 0x1 [invalid type]'
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
There are several typos there that may confuse users, fix them.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The tests warned about a problem with the seed listing.
/tests/py# ./nft-test.py ip/hash.t
ip/hash.t: WARNING: line: 4: 'src/nft add rule --debug=netlink \
ip test-ip4 pre ct mark set jhash ip saddr . ip daddr mod 2 \
seed 0xdeadbeef': 'ct mark set jhash ip saddr . ip daddr mod 2 \
seed 0xdeadbeef' mismatches 'ct mark set jhash ip saddr . ip \
daddr mod 2'
ip/hash.t: WARNING: line: 6: 'src/nft add rule --debug=netlink \
ip test-ip4 pre ct mark set jhash ip saddr . ip daddr mod 2 seed \
0xdeadbeef offset 100': 'ct mark set jhash ip saddr . ip daddr \
mod 2 seed 0xdeadbeef offset 100' mismatches 'ct mark set jhash \
ip saddr . ip daddr mod 2 offset 100'
ip/hash.t: 6 unit tests, 0 error, 2 warning
The expression type is now treated as an unsigned int in the
hash_expr_print() function.
Fixes 3a86406 ("src: hash: support of symmetric hash")
Signed-off-by: Laura Garcia Liebana <laura.garcia@zevenet.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
This tests the selectiveness of flush command on structures that use the
generic set infrastructure (sets, maps and flow tables).
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The internal set infrastructure is used for sets, maps and flow tables.
The flush command requires the set type but currently it works for all
of them. E.g. if there is a set named 's' in a table 't' the following
command shouldn't be valid but still executes:
$ nft flush flow table t s
This patch makes the flush command selective so 'flush flow table' only
works in flow tables and so on.
Fixes: 6d37dae ("parser_bison: Allow flushing maps")
Fixes: 2daa0ee ("parser_bison: Allow flushing flow tables")
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Not having a space between the last element in a set and the closing
curly brace looks ugly, so add it here.
This also adjusts all shell testcases as they match whitespace in nft
output and therefore fail otherwise.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If rule set applying failed, this would leave a stray netns in place.
Interestingly, this situation led to other, seemingly unrelated
testcases to fail with spurious errors, e.g. sets/0015rulesetflush_0:
| $ ./run-tests.sh testcases/sets/0015rulesetflush_0
| I: using nft binary ../../src/nft
|
| W: [FAILED] testcases/sets/0015rulesetflush_0: expected 0 but got 1
| /tmp/tmp.BY7cuUYL8f:5:1-2: Error: Could not process rule: Operation not supported
| table inet filter {
| ^^
| /tmp/tmp.BY7cuUYL8f:9:1-2: Error: Could not process rule: No such file or directory
| add element inet filter blacklist_v4 {
| ^^
| /tmp/tmp.BY7cuUYL8f:5:1-2: Error: Could not process rule: Operation not supported
| table inet filter {
| ^^
| /tmp/tmp.BY7cuUYL8f:9:1-2: Error: Could not process rule: No such file or directory
| add element inet filter blacklist_v4 {
| ^^
|
| I: results: [OK] 0 [FAILED] 1 [TOTAL] 1
|
| $ ip netns list
| 1_0003many_0
| $ ip netns del 1_0003many_0
|
| $ ./run-tests.sh testcases/sets/0015rulesetflush_0
| I: using nft binary ../../src/nft
|
| I: [OK] testcases/sets/0015rulesetflush_0
|
| I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This makes sure nesting of anonymous sets works regardless of whether
defines are used or not. As a side-effect, it also checks that overlap
checking when IP address prefixes are used, works.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When merging a nested set into the parent one, we are actually replacing
one item with the items of the nested set. Therefore we have to remove
the replaced item from size.
The respective bug isn't as easy to trigger, since the size field seems
to be relevant only when set elements are ranges which are checked for
overlaps. Here's an example of how to trigger it:
| add rule ip saddr { { 1.1.1.0/24, 3.3.3.0/24 }, 2.2.2.0/24 }
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Recursive use of sets is handled in parts by parser_bison.y, which
has a rule for inline unnamed sets in set_list_member_expr, e.g. like
this:
| add rule ip saddr { { 1.1.1.0, 2.2.2.0 }, 3.3.3.0 }
Yet there is another way to have an unnamed set inline, which is via
define:
| define myset = {
| 1.1.1.0,
| 2.2.2.0,
| }
| add rule ip saddr { $myset, 3.3.3.0 }
This didn't work because the inline set comes in as EXPR_SET_ELEM with
EXPR_SET as key. This patch handles that case by replacing the former by
a copy of the latter, so the following set list merging can take place.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
The add / delete operations weren't documented yet. They fit better
in the sets and maps blocks since these operations are used to directly
modify their content.
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch enables the command flush on maps, which removes all
entries in it:
$ nft flush map filter map1
Command above flushes map 'map1' in table 'filter'.
The documentation was updated accordingly.
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch enables the command flush on flow tables, which removes all
entries in it:
$ nft flush flow table filter ft-https
Command above flushes flow table 'ft-https' in table 'filter'.
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This adds a description of the icmp and icmpv6 expressions (to match
various ICMP header fields) as well as the icmp and icmpv6 type types
(yay) which are used for ICMP(v6) type field.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds support for matching on inverse ND messages as defined by
RFC3122 (not implemented in Linux) and MLDv2 as defined by RFC3810.
Note that ICMPV6_MLD2_REPORT macro is defined in linux/icmpv6.h but
including that header leads to conflicts with symbols defined in
netinet/icmp6.h.
In addition to the above, "mld-listener-done" is introduced as an alias
for "mld-listener-reduction".
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
It should not be possible to add a ip6 restricted helper to ip family.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
needs minor tweak to nft-test.py so we don't zap the ';' withhin the {}.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
this implements
nft list ct helpers table filter
table ip filter {
ct helper ftp-standard {
..
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
... to make adding CMD_OBJ_CT_HELPER support easier.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds initial support for defining conntrack helper objects
which can then be assigned to connections using the objref infrastructure:
table ip filter {
ct helper ftp-standard {
type "ftp" protocol tcp
}
chain y {
tcp dport 21 ct helper set "ftp-standard"
}
}
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Fixes: 0d7fdb10b10c7a6c ("doc: payload and conntrack statement")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
useful for the 'ct zone set' statement, it has to be done before
the conntrack lookup but preferrably after the defragmention hook.
In iptables, the functionality resides in the CT target which is
restricted to the raw table. This provides the skeleton for nft.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Just a test to cover the bitmap backend implementation.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Debug output from libnftnl has changed to include 'present' keyword if
NFT_EXTHDR_F_PRESENT flag is set in expression.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows to check whether a FIB entry exists for a given packet by
comparing the expression with a boolean keyword like so:
| fib daddr oif exists
The implementation requires introduction of a generic expression flag
EXPR_F_BOOLEAN which allows relational expression to signal it's LHS
that a boolean comparison is being done (indicated by boolean type on
RHS). In contrast to exthdr existence checks, fib expression can't know
this in beforehand because the LHS syntax is absolutely identical to a
non-boolean comparison.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
