summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* src: simplify netlink_get_setelems() and rename it to netlink_list_setelems()Pablo Neira Ayuso2018-04-243-13/+9
| | | | | | | | This is called from cache population path, remove netlink_io_error() call since this is not needed. Rename it for consistency with similar netlink_list_*() NLM_F_DUMP functions. Get rid of location parameter. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: remove unused function declarationsPablo Neira Ayuso2018-04-241-4/+0
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: don't pass location to netlink_list_*() functionPablo Neira Ayuso2018-04-243-38/+21
| | | | | | Not needed anymore. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: netlink_list_chains() callers always wants all existing chainsPablo Neira Ayuso2018-04-241-15/+1
| | | | | | | Remove dead code, callers always need this to dump all of the existing chains. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: pass cmd object to netlink function callsPablo Neira Ayuso2018-04-243-163/+129
| | | | | | Simplify function footprint. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: remove dead netlink_io_error() callsPablo Neira Ayuso2018-04-201-58/+4
| | | | | | | | | This error path is never entered since mnl_nft_*_batch_{add,del,replace} calls never fail, and if they ever do fail it will be because we are hitting OOM, in such case we can display a more generic non-netlink error. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mnl: remove non-batch netlink codePablo Neira Ayuso2018-04-202-149/+0
| | | | | | This functions have no clients anymore. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: clear expression context before cmd evaluationFlorian Westphal2018-04-192-0/+11
| | | | | | | | | | | | We also need to clear expr ctx before we eval a command. This is a followup fix to 'evaluate: reset eval context when evaluating set definitions'. The first patch only fixed set evaluation when dealing with a complete table representation rather than individual commands. Reported-by: David Fabian <david.fabian@bosson.cz> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: use ibrname and obrnamePablo Neira Ayuso2018-04-198-18/+18
| | | | | | | | | Legacy tool name is 'brctl' and so the 'br' prefix is already known. If we use ibrname and obrname it looks consistent with iifname and oifname. So let's this instead of ibridgename and obridgename since Florian likes this too. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: missing rules for IBRIDGENAME and OBRIDGENAMEPablo Neira Ayuso2018-04-191-0/+2
| | | | | Fixes: 3baa28f24b3d ("src: rename ibrportname, obrportname") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expression: fix constant expression allocation on big endian with partial bytesSabrina Dubroca2018-04-191-1/+1
| | | | | | | | | | | | | | | | Commit 5259feeb7cda ("expression: fix constant expression allocation on big endian") improved constant handling on big endian, but didn't handle the case of partial bytes correctly. Currently, constant_data_ptr(val, 6) points to the item after val, instead of the last byte of val. Thanks to Stefano for providing the correct expression. Fixes: 5259feeb7cda ("expression: fix constant expression allocation on big endian") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: reset eval context when evaluating set definitionsFlorian Westphal2018-04-183-0/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | David reported nft chokes on this: nft -f /tmp/A /tmp/A:9:22-45: Error: datatype mismatch, expected concatenation of (IPv4 address, internet network service, IPv4 address), expression has type concatenation of (IPv4 address, internet network service) cat /tmp/A flush ruleset; table ip filter { set setA { type ipv4_addr . inet_service . ipv4_addr flags timeout } set setB { type ipv4_addr . inet_service flags timeout } } Problem is we leak set definition details of setA to setB via eval context, so reset this. Also add test case for this. Reported-by: David Fabian <david.fabian@bosson.cz> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: rename ibrportname, obrportnameFlorian Westphal2018-04-178-6/+42
| | | | | | | | | | | | | | | For bridge, iifname is the port name, whereas 'ibrport' is the logical name of the bridge ("br0") the port ("iifname") is enslaved to. So, 'ibrport' is a misnomer. libnftl calls these 'bri_iifname' and 'bri_oifname', which is good but using 'briiifname' in nft is rather ugly, so use 'ibridgename' and 'obridgename' instead. Old names are still recognized, listing shows the new names. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: add helpers tokenFlorian Westphal2018-04-171-0/+1
| | | | | | | | | without it, you get: nft list ct helpers table filter Error: syntax error, unexpected string, expecting helper or helpers Fixes: 14fd3ad720f6e ("src: prepare for future ct timeout policy support") Signed-off-by: Florian Westphal <fw@strlen.de>
* parser_bison: Pass struct nft_ctx to parser_init()Phil Sutter2018-04-143-16/+10
| | | | | | | | | Signature of parser_init() got quite huge, so simply pass the whole context pointer to it - most of the parameters are just taken from there anyway. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Keep cmds list outside of parser_statePhil Sutter2018-04-143-20/+29
| | | | | | | | | | | | | | | Parser basically turns input into a list of commands and error messages. Having the commands list being part of struct parser_state does not make sense from this point of view, also it will have to go away with upcoming JSON support anyway. While being at it, change nft_netlink() to take just the list of commands instead of the whole parser state as parameter, also take care of command freeing in nft_run_cmd_from_* functions (where the list resides as auto-variable) instead of from inside nft_run(). Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: Remove duplicate include of gmputil.hPhil Sutter2018-04-141-1/+0
| | | | | Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Review .gitignore files contentsPhil Sutter2018-04-142-19/+8
| | | | | | | | | | | | | * Move entries belonging to src/ into src/.gitignore. * Drop lines for files inside build-aux/ since that is ignored already. * No need to ignore src/Makefile.in, the entry 'Makefile.in' catches that already. * Remove entry for '.*.d', (recent?) autotools doesn't create any matching files. * Drop entries for non-existent parser.c and parser.h files. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Fix differences printing for rules with setsPhil Sutter2018-04-141-2/+2
| | | | | | | | If a rule contained a set, it would always print the tested rule as differing from the output instead of any given output (if defined). Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: rt.t: Drop needless rule outputPhil Sutter2018-04-141-1/+1
| | | | | | | It is identical to the tested rule, so no point in keeping it. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: Fix for last elem at interval endPhil Sutter2018-04-142-11/+15
| | | | | | | | | | | | | | Unclosed interval check at end of interval_map_decompose() missed to check whether interval start is the last possible element in given set before creating a range expression. This led to the last element incorrectly printed as range from itself to itself. Fix this by comparing the upper boundary against the lower one. In order to keep indenting level low, invert the entry check and jump to the end if it matches. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Review raw payload allocation pointsPhil Sutter2018-04-142-6/+1
| | | | | | | | | | | | In parser_bison.y, call payload_init_raw() instead of assigning all fields manually. Also drop manual initialization of flags field: it is not touched in allocation path, so no need for that. In stmt_evaluate_payload(), setting dtype field is redundant since payload_init_raw() does that already. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: Fix memory leaksPhil Sutter2018-04-141-6/+21
| | | | | | | | | | | | | | | | | | | This fixes memory leaks in three places: * set_overlap(): The allocated intervals have to be freed again before returning to caller. While being at it, reduce indenting level in said function to stay below 80 columns boundary. * range_is_prefix(): * interval_map_decompose(): GMP documentation suggests to call mpz_clear() for all mpz_t type variables once they are not used anymore to free the space they occupy. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: Free table->objs in table_free()Phil Sutter2018-04-141-0/+3
| | | | | | | This fixes a memory leak identified by valgrind. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Fix forgotten bit after introducing error_fpPhil Sutter2018-04-141-3/+0
| | | | | | | | | Like nft_run_cmd_from_buffer, nft_run_cmd_from_filename doesn't need to change output_fp temporarily when printing error records anymore. Fixes: 4176e24e14f07 ("libnftables: Introduce nft_ctx_set_error()") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* erec: Review erec_print()Phil Sutter2018-04-143-42/+44
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A new requirement to erec for the upcoming JSON support is printing records with file input descriptors without open stream. The approach is to treat 'name' field as file name, open it, extract the offending line and close it again. Further changes to libnftables input parsing routines though have shown that the whole concept of file pointer reuse in erec is tedious and not worth keeping: * Closed files are to be supported as well, so there needs to be fallback code for opening the file anyway. * When input descriptor is duplicated from parser state into an error record, the file pointer is copied as well. Therefore care has to be taken to not free the parser state before any error records have been printed. This is the only point where old and duplicated input descriptors are connected. Therefore drop struct input_descriptor's 'fp' field and just always open the file by name. This way also the old stream offset doesn't have to be restored after reading. While being at it, this patch fixes two other (potential) problems: * If the offending line from input contains tabs, add them at the right position in the marker buffer as well to avoid misalignment. * The input file may not be seekable (/dev/stdin for instance), so skip printing of offending line and markers if it couldn't be read properly. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cli: Drop String termination workaroundPhil Sutter2018-04-111-9/+1
| | | | | | | | | | This spot was missed by commit 2b3f18e0cf7a7 ("libnftables: Fix for input without trailing newline") - since line termination is now added in nft_run_cmd_from_buffer(), cli is relieved from doing so. Fixes: 2b3f18e0cf7a7 ("libnftables: Fix for input without trailing newline") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: remove object ID from payload filePablo Neira Ayuso2018-04-111-4/+4
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Allow passing multiple files to nft-test.pyPhil Sutter2018-04-111-5/+6
| | | | | | | | | | This allows to run the testsuite over a subset of test cases, e.g. like so: | ./nft-test.py bridge/*.t Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Review print statements in nft-test.pyPhil Sutter2018-04-111-41/+39
| | | | | | | | | | | | | | | | Make use of format strings as they are easier to read than manual string concatenation. Also use class Table's __str__ method instead of printing the 'name' attribute. This changes the output in that table names are prepended by their family, but the extra information may come in handy when analyzing issues. Since class Chain's __str__ method returns just the 'name' attribute content, it may be used as synonym. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Use libnftables instead of calling nft binaryPhil Sutter2018-04-1119-120/+339
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds a simple nftables Python class in py/nftables.py which gives access to libnftables API via ctypes module. nft-test.py is extended to make use of the above class instead of calling nft binary. Since command line formatting had to be touched anyway, this patch also streamlines things a bit by introducing __str__ methods to classes Table and Chain and making extensive use of format strings instead of onerously adding all string parts together. Since the called commands don't see a shell anymore, all shell meta character escaping done in testcases is removed. The visible effects of this change are: * Four new warnings in ip/flowtable.t due to changing objref IDs (will be addressed later in a patch to libnftnl). * Reported command line in warning and error messages changed slightly for obvious reasons. * Reduction of a full test run's runtime by a factor of four. Status diff after running with 'time': < 83 test files, 77 files passed, 1724 unit tests, 0 error, 33 warning < 87.23user 696.13system 15:11.82elapsed 85%CPU (0avgtext+0avgdata 9604maxresident)k < 8inputs+36800outputs (0major+35171235minor)pagefaults 0swaps > 83 test files, 77 files passed, 1724 unit tests, 4 error, 33 warning > 6.80user 30.18system 3:45.86elapsed 16%CPU (0avgtext+0avgdata 14064maxresident)k > 0inputs+35808outputs (0major+2874minor)pagefaults 0swaps Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Simplify cookie integrationPhil Sutter2018-04-112-66/+44
| | | | | | | | | This increases the size of struct output_ctx quite a bit, but allows to simplify internal functions dealing with the cookies mainly because output_fp becomes accessible from struct cookie. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Support buffering output and errorPhil Sutter2018-04-113-0/+153
| | | | | | | | | | | When integrating libnftables into Python code using ctypes module, having to use a FILE pointer for output becomes a show-stopper. Therefore make Python hackers' lives (a little) less painful by providing convenience functions to setup buffering output and error streams using fopencookie() and retrieving the buffers. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Introduce nft_ctx_set_error()Phil Sutter2018-04-114-4/+17
| | | | | | | | Analogous to nft_ctx_set_output(), this allows to set a custom file pointer for writing error messages to. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Fix for input without trailing newlinePhil Sutter2018-04-113-5/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Input parser implementation requires a newline at end of input, otherwise the last pattern may not be recognized correctly. If input comes from a file, the culprit was YY_INPUT macro not expecting the last line not ending with a newline, so the last word wasn't accepted. This is easily fixed by checking for feof(yyin) in there. A simple test case for that is: | echo -en "table ip t {\nchain c {\n}\n}" >/tmp/foo | nft -f /tmp/foo Input from a string buffer is a bit more tricky: The culprit here is that detection of classid pattern is done by checking the character following it which makes it impossible to sit right at end of input and I haven't found an alternative to that. After dropping the manual newline appending when combining argv into a single buffer in main(), a rule like this won't be recognized anymore: | nft add rule ip t c meta priority feed:babe Since a direct call to run_cmd_from_buffer() via libnftables bypasses the sanitizing done in main() entirely, it has to happen in libnftables instead which means creating a newline-terminated duplicate of the input buffer. Note that main() created a buffer one byte longer than needed since it accounts for whitespace at end of each argv but doesn't add it to the buffer for the last one, so buffer length is reduced by two bytes instead of just one although only one less character is printed into it. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: Fix output_fp bypass in ct_print()Phil Sutter2018-04-101-1/+1
| | | | | Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* configure: don't enable xtables when --without-xtables is passedFlorian Westphal2018-04-041-1/+1
| | | | | | | | | | | | | AC_ARG_WITH runs this when EITHER --with-foo or --without-foo is given, so use 'withval'. After this patch: ./configure -> xtables off ./configure --with-xtables -> xtables on ./configure --without-xtables -> xtables off (was on). Reported-by: Alexander Dahl <ada@thorsis.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: use recursive call for SET_REF handlingFlorian Westphal2018-04-031-29/+1
| | | | | | We can now call the helper again, with set->init as new RHS expression. Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: handle EXPR_MAPPINGFlorian Westphal2018-04-031-0/+4
| | | | | | | | Needed by followup patch. EXPR_SET_REF handling is bonkers, it "works" when using { key : value } because ->key and ->left are aliased in struct expr to the same location. Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: split binop xfer to separate functionFlorian Westphal2018-04-031-16/+31
| | | | | | to reuse this in a followup patch. Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: move lhs fixup to a helperFlorian Westphal2018-04-031-19/+28
| | | | | | ... to reuse this in a followup patch. Signed-off-by: Florian Westphal <fw@strlen.de>
* netlink: floating point exception with concatenationsPablo Neira Ayuso2018-04-031-1/+1
| | | | | | | If the length is less than 1 byte, this codepath hits a floating point exception, use div_round_up() as everywhere else in the code. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: propagate binop_transfer() adjustment to set key sizePablo Neira Ayuso2018-04-031-1/+2
| | | | | | | | | The right shift transfer may be result in adjusting the set key size, eg. ip6 dscp results in fetching 6 bits that are splitted between two bytes, hence the set element ends up being 16 bytes long. Reported-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: do not inconditionally update cache from flush commandPablo Neira Ayuso2018-04-011-5/+15
| | | | | | This is only required by sets, maps and meters, skip cache. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use mini-gmp 6.1.2 stable releasePablo Neira Ayuso2018-04-011-66/+52
| | | | | | Instead of a snapshot from the gmp hg repository. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: ip6: fix 'missing payload' errorFlorian Westphal2018-04-011-1/+1
| | | | | | ERROR: line 2: did not find payload information for rule 'iifname "eth0" ct state established,new tcp dport vmap {22 : drop, 222 : drop } masquerade' Signed-off-by: Florian Westphal <fw@strlen.de>
* nft-test: check start of rule with sets tooFlorian Westphal2018-04-011-0/+4
| | | | | | | | | | | | | | | We special case rules with sets ({}) so set members are sorted properly. But we failed to check start of rule: input: meta mark { 1, 2 } bar expect: meta mark { 1, 2 } bar We made sure 'bar' is equal in both input and expected output, but we did not check start (before {). This causes a gazillion of warnings, will fix in followup commit. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: ct, meta: fixes for upcoming nft-test.py fixFlorian Westphal2018-04-013-28/+28
| | | | | | | nft-test.py currently fails to properly compare tests involving a set, after that bug is fixed these lines would fail, so fix this up before. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: mh: fix expected test outputFlorian Westphal2018-04-011-1/+1
| | | | | | | Forgot to include '!=', this doesn't trigger at the moment due to a bug in nft-test.py, so fix this before fixing our test script. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: redirect: fix tests for upcoming nft-test.py fixFlorian Westphal2018-04-017-11/+11
| | | | | | | nft-test.py currently fails to properly compare tests involving a set, after that bug is fixed these lines would fail, so fix this up before. Signed-off-by: Florian Westphal <fw@strlen.de>