Commit log (each entry: commit message, author, age, files changed, lines removed/added)
...
* meta: fix a format error display when we set priority to root or none
  Liping Zhang, 2016-05-30, 1 file changed, -2/+4

  Also delete the redundant '\n'. This fixes:

    # nft add rule filter test meta priority set root
    # nft list chain filter test
    table ip filter {
            chain test {
                    meta priority set root none ffff:ffff
            }
    }

  Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: fix endianness in priority
  Liping Zhang, 2016-05-30, 1 file changed, -1/+1

  For example, after we add a rule to set priority 1:2, it will be displayed in network byte order as 0200:0100, which is wrong:

    # nft add rule filter test meta priority set 1:2
    # nft list chain filter test
    table ip filter {
            chain test {
                    meta priority set 0200:0100
            }
    }

  Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: Use libnftnl/udata to store set element comment
  Carlos Falgueras García, 2016-05-30, 1 file changed, -4/+46

  The set element comment is stored in nftnl_set_elem->user.data using the libnftnl/udata infrastructure. This allows storing multiple variable-length user data items in a set element.

  Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinerize: don't use meta_match_postprocess for ct pp
  Florian Westphal, 2016-05-25, 1 file changed, -7/+29

  meta_match_postprocess uses meta.base, which is only accessible if the left expression has EXPR_META type, so we can't use it to handle ct postprocessing.

  To reduce copy-pastry, factor the common part into ct_meta_common_postprocess(), then call that from both meta and ct postprocessing.

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_linearize: do not duplicate user data when linearizing user data
  Carlos Falgueras García, 2016-05-25, 1 file changed, -8/+3

  Otherwise, we leak this memory area, since nftnl_rule_set_data() now makes a copy of the user data it receives. This has been happening since libnftnl's ("rule: Fix segfault due to invalid free of rule user data"); it is not necessary to make a copy before calling it.

  Note: Carlos originally posted this patch under the name of ("nftables: Fix memory leak linearizing user data").

  Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: add support for display flow tables content
  Pablo M. Bermudo Garay, 2016-05-20, 4 files changed, -0/+18

  This commit adds a new command that displays the definition of a single flow table:

  If no family is specified, ip is assumed.

  Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: add 'list flow tables' support
  Pablo M. Bermudo Garay, 2016-05-20, 4 files changed, -2/+20

  This commit adds a new command that lists flow tables:

    # nft list flow tables [family]

  Only the declaration is displayed. If no family is specified, all flow tables of all families are listed.

  Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: fix crash if we add an error format rule
  Liping Zhang, 2016-05-14, 1 file changed, -1/+1

  If we add such an nft rule:

    nft add rule filter input ip protocol icmp tcp dport 0

  we will always meet the assert condition:

    nft: evaluate.c:536: resolve_protocol_conflict: Assertion `base < (__PROTO_BASE_MAX - 1)' failed.
    Aborted (core dumped)

  Signed-off-by: Florian Westphal <fw@strlen.de>
* tests/py: add tests for frag more-fragments and frag reserved2
  Pablo Neira Ayuso, 2016-05-13, 3 files changed, -21/+44

  While at it, get rid of bug comments on ip6/frag.t, since they are not valid anymore.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: constify nlexpr field in location structure
  Pablo Neira Ayuso, 2016-05-13, 1 file changed, -1/+1

  The location shouldn't ever alter the expression. And this fixes this compilation warning:

    netlink_delinearize.c: In function ‘netlink_parse_expr’:
    netlink_delinearize.c:1008:10: warning: assignment discards ‘const’ qualifier from pointer target type
      loc.nle = nle;
              ^

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: update flow table syntax
  Pablo Neira Ayuso, 2016-05-13, 2 files changed, -6/+8

  Before we release the next nft version, update the syntax to wrap the flow table definition between brackets, eg.

    # nft add rule filter input tcp dport 22 ct state new \
          flow table ssh { ip saddr limit rate 10/second }

    # nft add rule filter input \
          flow table acct { iif . ip saddr timeout 60s counter }

  When playing around with this in your initial patchset I found it very confusing that it may not look obvious to users that they can only use one single statement. For example:

    # nft add rule filter input \
          flow table acct iif . ip saddr timeout 60s counter limit rate 10/second
                                                             ~~~~~~~~~~~~~~~~~~~~

  Note that this limit rate applies globally, so this patch resolves this ambiguity.

  This may cause us problems in the future too if we extend this to support more than one single statement per flowtable entry (Not telling we need this now, but if someone comes up with a useful usecase, we should be capable of extending this).

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add flow statement
  Patrick McHardy, 2016-05-13, 12 files changed, -12/+245

  The flow statement allows instantiating per flow statements for user defined flows. This can so far be used for per flow accounting or limiting, similar to what the iptables hashlimit provides. Flows can be aged using the timeout option.

  Examples:

    # nft filter input flow ip saddr . tcp dport limit rate 10/second
    # nft filter input flow table acct iif . ip saddr timeout 60s counter

  Signed-off-by: Patrick McHardy <kaber@trash.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* stmt: support generating stateful statements outside of rule context
  Patrick McHardy, 2016-05-13, 3 files changed, -32/+61

  The flow statement contains a stateful per flow statement, which is not directly part of the rule. Allow generating these statements without adding them to the rule and mark the supported statements using a new flag STMT_F_STATEFUL.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: support parsing statements not contained within a rule
  Patrick McHardy, 2016-05-13, 2 files changed, -29/+43

  Return the parsed statement instead of adding it to the rule in order to parse statements contained in the flow statement.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: update for changed set name in payload
  Pablo Neira Ayuso, 2016-05-13, 76 files changed, -1917/+1917

  Original patch posted on the mailing list by Patrick; I have refreshed it so it applies on top of the current HEAD.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: explicitly supply name to implicit set declarations
  Patrick McHardy, 2016-05-13, 1 file changed, -3/+6

  Support explicitly naming implicitly declared sets. Also change the template names for literal sets and maps to use identifiers that can not clash with user supplied identifiers.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: allow non-constant implicit set declarations
  Patrick McHardy, 2016-05-13, 1 file changed, -1/+3

  Currently all implicitly declared sets are marked as constant. The flow statement needs to implicitly declare non-constant sets, so instead of unconditionally marking the set as constant, only do so if the declaring expression is itself a constant set.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: declare interval_map_decompose() from header file
  Pablo Neira Ayuso, 2016-05-13, 3 files changed, -4/+1

  Instead of having several extern function declarations.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: several function constifications
  Pablo Neira Ayuso, 2016-05-13, 2 files changed, -16/+16

  Constify:

    * netlink_dump*()
    * netlink_delinearize_*()
    * netlink_add_rule_list()

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/shell/run-tests.sh: print hint about testcase being executed
  Arturo Borrero, 2016-05-13, 1 file changed, -0/+4

  Print a line with the name of the testcase being executed, and then delete it with the result. There are tests which may take a long time and it's good to know what the testsuite is doing.

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/shell/run-tests.sh: execute tests in sorted order
  Arturo Borrero, 2016-05-13, 1 file changed, -1/+6

  Let's sort test files before iterating over them. Put the find string in a separate function so it's more readable.

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/shell: add testcase to catch segfault if invalid syntax was used
  Arturo Borrero, 2016-05-13, 1 file changed, -0/+21

  This helps to catch 5afa5a1 ("evaluate: check for NULL datatype in rhs in lookup expr").

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/shell: add testcase for 'nft -f' load with actions
  Arturo Borrero, 2016-05-13, 1 file changed, -0/+68

  Let's test loading a ruleset with actions.

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: check for NULL datatype in rhs in lookup expr
  Arturo Borrero, 2016-05-13, 1 file changed, -9/+25

  If we are evaluating an EXPR_SET_REF, check that right->dtype is not NULL. We can hit a SEGFAULT if, for whatever reason, the referenced object does not exist.

  Using this testfile (note the invalid set syntax):

    % cat test.nft
    flush ruleset
    add table t
    add chain t c
    add set t s {type ipv4_addr\;}
    add rule t c ip saddr @s

  Without this patch:

    % nft -f test.nft
    Segmentation fault

  With this patch:

    % nft -f test.nft
    t.nft:4:28-28: Error: syntax error, unexpected junk, expecting newline or semicolon
    add set t s {type ipv4_addr\;}
                               ^
    t.nft:4:13-29: Error: set definition does not specify key data type
    add set t s {type ipv4_addr\;}
                ^^^^^^^^^^^^^^^^^
    t.nft:5:23-24: Error: the referenced set does not exist
    add rule t c ip saddr @s
                 ~~~~~~~~ ^^

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: fix payload of dccp type in set elements
  Pablo Neira Ayuso, 2016-05-11, 4 files changed, -4/+4

  This value needs to be left-shifted by one bit to be correct.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: fix fragment-offset field
  Pablo Neira Ayuso, 2016-05-11, 2 files changed, -4/+4

  Set elements were miscalculated. After this patch:

    element 00000801  : 0 [end]
            ^^^^

  Which looks correct according to my calculations:

    >>> print hex(socket.htons(33 << 3))
    0x801
    ^^^^^

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: add missing netdev ip dscp payload tests
  Pablo Neira Ayuso, 2016-05-11, 1 file changed, -0/+43

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add ecn support
  Pablo Neira Ayuso, 2016-05-11, 6 files changed, -3/+51

  This supports both IPv4:

    # nft --debug=netlink add rule ip filter forward ip ecn ce counter
    ip filter forward
      [ payload load 1b @ network header + 1 => reg 1 ]
      [ bitwise reg 1 = (reg=1 & 0x00000003 ) ^ 0x00000000 ]
      [ cmp eq reg 1 0x00000003 ]
      [ counter pkts 0 bytes 0 ]

  For IPv6:

    # nft --debug=netlink add rule ip6 filter forward ip6 ecn ce counter
    ip6 filter forward
      [ payload load 1b @ network header + 1 => reg 1 ]
      [ bitwise reg 1 = (reg=1 & 0x00000030 ) ^ 0x00000000 ]
      [ cmp eq reg 1 0x00000030 ]
      [ counter pkts 0 bytes 0 ]

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add dscp support
  Pablo Neira Ayuso, 2016-05-11, 12 files changed, -17/+225

  This supports both IPv4:

    # nft --debug=netlink add rule filter forward ip dscp cs1 counter
    ip filter forward
      [ payload load 1b @ network header + 1 => reg 1 ]
      [ bitwise reg 1 = (reg=1 & 0x000000fc ) ^ 0x00000000 ]
      [ cmp neq reg 1 0x00000080 ]
      [ counter pkts 0 bytes 0 ]

  And also IPv6, note that in this case we take two bytes from the payload:

    # nft --debug=netlink add rule ip6 filter input ip6 dscp cs4 counter
    ip6 filter input
      [ payload load 2b @ network header + 0 => reg 1 ]
      [ bitwise reg 1 = (reg=1 & 0x0000c00f ) ^ 0x00000000 ]
      [ cmp eq reg 1 0x00000008 ]
      [ counter pkts 0 bytes 0 ]

  This is because the DSCP is split across two bytes: the least significant nibble of the first byte and the two most significant bits of the second byte. The 8 bit traffic class in RFC2460 after the version field is used for DSCP (6 bit) and ECN (2 bit). Support for ECN comes in a follow up patch.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* proto: remove priority field definition from IPv6 header
  Pablo Neira Ayuso, 2016-05-11, 2 files changed, -9/+0

  This is actually part of the traffic class field according to RFC2460.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* proto: update IPv6 flowlabel offset and length according to RFC2460
  Pablo Neira Ayuso, 2016-05-11, 4 files changed, -2/+10

  This is a 20 bit field according to Section 3. IPv6 Header Format.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: handle payload matching split in two bytes
  Pablo Neira Ayuso, 2016-05-11, 1 file changed, -8/+16

  When the bits are split between two bytes and the payload field is smaller than one byte, we need to extend the expression length on both sides (payload and constant) of the relational expression.

  The existing trimming from the delinearization step handles the listing for us, so no changes on that front.

  This patch allows us to match the IPv6 DSCP field, which falls into the case that is described above.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: move payload sub-byte matching to the evaluation step
  Pablo Neira Ayuso, 2016-05-11, 2 files changed, -107/+97

  Generating the bitwise logic to match sub-byte payload fields from the linearize step has several problems:

  1) When the bits are split between two bytes and the payload field is smaller than one byte, we need to extend the expression length on both sides (payload and constant) of the relational expression.

  2) Explicit bitmask operations on sub-byte payload fields need to be merged into the implicit bitmask operation, otherwise we generate two bitwise instructions. This is not resolved by this patch, but we should have a look at this at some point.

  With this approach, we can benefit from the binary operation transfer for shifts to provide a generic way to adjust the constant side of the expression.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: transfer right shifts to set reference side
  Pablo Neira Ayuso, 2016-05-11, 2 files changed, -6/+94

  This provides a generic way to transfer shifts from the left hand side to the right hand range side of a relational expression when performing transformations from the evaluation step.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: transfer right shifts to range side
  Pablo Neira Ayuso, 2016-05-11, 1 file changed, -0/+12

  This provides a generic way to transfer shifts from the left hand side to the right hand range side of a relational expression when performing transformations from the evaluation step.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: transfer right shifts to constant side
  Patrick McHardy, 2016-05-11, 1 file changed, -4/+26

  This provides a generic way to transfer shifts from the left hand side to the right hand constant side of a relational expression when performing transformations from the evaluation step.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* dist: include tests/ directory and files in tarball
  Arturo Borrero, 2016-04-29, 1 file changed, -0/+2

  If we include tests/ in the release tarball, downstream distributors can run the testsuites themselves while developing the packages.

  This way, tests can be run in a more integrated environment and they can discover errors related to the integration with the given distribution itself.

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: allow to run tests with other nft binaries
  Arturo Borrero, 2016-04-27, 1 file changed, -1/+1

  Allow running tests with other nft binaries by reading an 'NFT' environment variable, allowing arbitrary locations for the nft binary. This is what the tests/shell/run-tests.sh script does.

  Among other things, this allows us to properly hook this testsuite from the Debian CI environment (https://ci.debian.net) where we can perform tests for packages 'as installed'.

  Examples:

    # run with default config (ie src/nft)
    % ./nft-test.py

    # run with installed binary (ie /usr/sbin/nft)
    % NFT=/usr/sbin/nft ./nft-test.py

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: add interval tests
  Pablo Neira Ayuso, 2016-04-27, 2 files changed, -0/+23

  Add some initial tests to cover dynamic interval sets.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: explicit indication of set type and flags from test definitions
  Pablo Neira Ayuso, 2016-04-27, 3 files changed, -32/+68

  This patch adds explicit set type in test definitions, as well as flags. This has triggered a rework that starts by introducing a Set class to make this whole code more extensible and maintainable.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: add more interval tests for anonymous sets
  Pablo Neira Ayuso, 2016-04-27, 4 files changed, -0/+40

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: add testcases for named sets with intervals
  Arturo Borrero, 2016-04-27, 5 files changed, -0/+97

  Let's add some testcases for named sets with intervals and ranges.

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: add interval overlap detection for dynamic updates
  Pablo Neira Ayuso, 2016-04-27, 1 file changed, -3/+52

  Make sure the new intervals that we want to add are not overlapping with any of the existing ones.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: rename set expression set_to_segtree()
  Pablo Neira Ayuso, 2016-04-27, 1 file changed, -7/+7

  This function is modified by a follow up patch to take the set object, so rename it to init.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: add expr_to_intervals()
  Pablo Neira Ayuso, 2016-04-27, 1 file changed, -8/+26

  Refactor code to add the new expr_to_intervals(). This function takes the list of set element expressions and converts them to a list of half-closed intervals.

  This is useful for different purposes, such as interval overlap and conflict detection.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: set expr->len for prefix expression from interval_map_decompose()
  Pablo Neira Ayuso, 2016-04-27, 1 file changed, -0/+1

  This field needs to be set for the new interval overlap detection.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: bail out on prefix or range to non-interval set
  Pablo Neira Ayuso, 2016-04-27, 1 file changed, -0/+16

  If you declare a set with no interval flag, you get this bug message:

    # nft add element filter myset { 192.168.1.100/24 }
    BUG: invalid data expression type prefix
    nft: netlink.c:323: netlink_gen_data: Assertion `0' failed.
    Aborted

  After this patch, we provide a clue to the user:

    # nft add element filter myset { 192.168.1.100/24 }
    <cmdline>:1:23-38: Error: Set member cannot be prefix, missing interval flag on declaration
    add element filter myset { 192.168.1.100/24 }
                               ^^^^^^^^^^^^^^^^

    # nft add element filter myset { 192.168.1.100-192.168.1.200 }
    <cmdline>:1:23-49: Error: Set member cannot be range, missing interval flag on declaration
    add element filter myset { 192.168.1.100-192.168.1.200 }
                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: special handling for the first non-matching segment
  Pablo Neira Ayuso, 2016-04-25, 3 files changed, -9/+43

  Add the first non-matching segment if the set is empty or if the set becomes empty after the element removal.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: support for incremental set interval element updates
  Pablo Neira Ayuso, 2016-04-25, 1 file changed, -10/+42

  Introduce __do_add_setelems() and do_delete_setelems() to support incremental set interval element updates.

  From do_add_set(), use netlink_add_setelems() so as not to try to re-add the same elements again.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: explicit initialization via set_to_intervals()
  Pablo Neira Ayuso, 2016-04-25, 3 files changed, -9/+11

  Allow explicit compound expression to initialize the set intervals. Incremental updates to interval sets require this.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>