summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* tests: shell: cover add and create set commandPablo Neira Ayuso2016-08-251-0/+15
| | | | | | | This patch validates that creation of an already existing element bails out with EEXIST. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: create element commandPablo Neira Ayuso2016-08-254-14/+20
| | | | | | | | | | | | | | | This patch adds the create command, that send the NLM_F_EXCL flag so nf_tables bails out if the element already exists, eg. # nft add element x y { 1.1.1.1 } # nft create element x y { 1.1.1.1 } <cmdline>:1:1-31: Error: Could not process rule: File exists create element x y { 1.1.1.1 } ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ This update requires nf_tables kernel patches to honor the NLM_F_EXCL. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: cover add and create set commandPablo Neira Ayuso2016-08-241-0/+14
| | | | | | | This patch validates that creation of an already existing set bails out with EEXIST. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add create set commandPablo Neira Ayuso2016-08-244-12/+29
| | | | | | | | | | | | | | | | | | | | | | Add support for the 'create' command, we already support this in other existing objects, so support this for sets too, eg. # nft add set x y { type ipv4_addr\; } # nft create set x y { type ipv4_addr\; } <cmdline>:1:1-35: Error: Could not process rule: File exists create set x y { type ipv4_addr; } ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ # nft add set x y { type ipv4_addr\; } # This command sets the NLM_F_EXCL netlink flag, so if the object already exists, nf_tables returns -EEXIST. This is changing the existing behaviour of 'nft add set' which was setting this flag, this is inconsistent with regards to the way other objects behave. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: explicit indication on export rulesetPablo Neira Ayuso2016-08-231-1/+7
| | | | | | | | | | | | | | | This patch modifies the grammar to explicitly indicate what you want to export, eg. # nft export ruleset json This leaves room to extend this later on to support other object types, such as integrating conntrack into nft. This also leaves the syntax in consistent state wrt. other existing objects. The existing syntax is still preserved. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Simplify parser rule_spec treeCarlos Falgueras García2016-08-232-89/+22
| | | | | | | | | | This patch separates the rule identification from the rule localization, so the logic moves from the evaluator to the parser. This allows to revert the patch "evaluate: improve rule managment checks" (4176c7d30c2ff1b3f52468fc9c08b8df83f979a8) and saves a lot of code. Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: display bit number instead of raw valueFlorian Westphal2016-08-223-1/+16
| | | | | | | | | | ... and add test cases for ct label. Currently this dumped 'label 0x2', now 'label 1' would be shown. This makes add/list behave the same. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: allow numeric conntrack labelsFlorian Westphal2016-08-221-8/+22
| | | | | | | | | | | | | | | When dumping labels in rule list we try to print a symbolic name. If we don't find one, we print the bit number instead. This changes nft to also allow use of the number instead of a name when adding ct label rules so that such dumps can also be restored again. This is similar to other cases, e.g. skuid root vs skuid 0 which are both valid. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: add testcase for reject exprLiping Zhang2016-08-221-0/+9
| | | | | | | | | | | Reject expr is only valid in input/forward/output chain, and if user can add reject expr in prerouting chain, kernel panic will happen. So add a simple test case to cover this situation. Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: keep snat/dnat existing syntax unchangedLiping Zhang2016-08-221-1/+14
| | | | | | | | | | | | | | | | | | | We should keep existing syntax unchanged, and this was emphasized in the commit 850f0a56b6ad ("src: add 'to' for snat and dnat")'s commit log: "Existing syntax is still preserved, but the listing shows the one including 'to'." This problem was found by running shell test: # ./run-tests.sh [ ... ] W: [FAILED] ./testcases/maps/anonymous_snat_map_0 I: [OK] ./testcases/maps/map_with_flags_0 W: [FAILED] ./testcases/maps/named_snat_map_0 [ ... ] Fixes: 850f0a56b6ad ("src: add 'to' for snat and dnat") Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: redirect to :port for consistency with nat/masq statementPablo Neira Ayuso2016-08-185-38/+47
| | | | | | | Use the colon port syntax for consistency with other statements. Existing syntax is still preserved but the output displays the colon. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: meta priority support using tc classidPablo Neira Ayuso2016-08-188-22/+132
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the missing bits to scan and parse the meta priority handle as expressed by tc classid major:minor syntax. The :minor syntax is not support for two reason: major is always >= 1 and this clashes with port syntax in nat. Here below, several example on how to match the packet priority field: nft add rule filter forward meta priority abcd:0 nft add rule filter forward meta priority abcd:1234 and to set it, you have to: nft add rule filter forward meta priority set abcd:1234 The priority expression in flex looks ahead to restrict the pattern to avoid problems with mappings: {classid}/[ \t\n:\-},] So the following doesn't break: ... vmap { 25:accept } ^^^^^ The lookahead expression requires a slight change to extend the input string in one byte. This patch is conservative as you always have to explicity indicate major and minor numbers even if zero. We could consider supporting this shortcut in the future: abcd: However, with regards to this: :abcd We don't need to support it since major number is assumed to be >= 1. However, if we ever decide to support this, we'll have problems since this clashes with our port representation in redirect and mangle. So let's keep this simple and start with this approach. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: simplify classid printing using %x instead of %04xPablo Neira Ayuso2016-08-181-8/+1
| | | | | | | | | No need to print this in iptables CLASSIFY target format, eg. 0004:1230, this is innecessarily large. And always print major and minor numbers. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename datatype name from tc_handle to classidPablo Neira Ayuso2016-08-182-5/+5
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: remove range expressionPablo Neira Ayuso2016-08-181-1/+0
| | | | | | This expression is not used anywhere in this scanner code. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: allow strings starting by underscores and dotsPablo Neira Ayuso2016-08-181-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | POSIX.1-2008 (which is simultaneously IEEE Std 1003.1-2008) says: "The set of characters from which portable filenames are constructed. A B C D E F G H I J K L M N O P Q R S T U V W X Y Z a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9 . _ -" On top of that it says: "The <hyphen> character should not be used as the first character of a portable user name." This allows a bit more things that NAME_REGEX though, but this still looks fine to me. For more info, see: http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_431 http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_278 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: missing token string in QUOTED_ASTERISK and ASTERISK_STRINGPablo Neira Ayuso2016-08-181-2/+2
| | | | | | | | <cmdline>:1:24-24: Error: syntax error, unexpected newline, expecting string or QUOTED_STRING or ASTERISK_STRING add rule x y log prefix ^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for RFC2732 IPv6 address format with bracketsPablo Neira Ayuso2016-08-186-10/+46
| | | | | | | | | | | | | | The statement: dnat to 2001:838:35f:1:::80 is very confusing as it is not so easy to identify where address ends and the port starts. This even harder to read with ranges. So this patch adds squared brackets as RFC2732 to enclose the IPv6 address. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add 'to' for snat and dnatPablo Neira Ayuso2016-08-1810-40/+40
| | | | | | | | | | | This is extra syntaxtic sugar to get this consistent with other statements such as redirect, masquerade, dup and fwd that indicates where to go. Existing syntax is still preserved, but the listing shows the one including 'to'. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: quote user-defined strings when used from rule selectorsPablo Neira Ayuso2016-08-1827-157/+161
| | | | | | | | | | | | | | | | | | | | | | | | | | | | The following selectors display strings using quotes: * meta iifname * meta oifname * meta ibriport * meta obriport However, the following do not: * meta oif * meta iif * meta skuid * meta skgid * meta iifgroup * meta oifgroup * meta rtclassid * ct label Given they refer to user-defined values, neither keywords nor internal built-in known values, let's quote the output of this. This patch modifies symbolic_constant_print() so we can signal this to indicate if the string needs to be quoted. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: release ct_label table on exitPablo Neira Ayuso2016-08-171-0/+5
| | | | | | | Just like we do with other symbol tables. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Florian Westphal <fw@strlen.de>
* ct: add missing slash to connlabel pathPablo Neira Ayuso2016-08-171-1/+1
| | | | | | | | | | | | If I configure nftables via: ./configure --prefix=/usr the connlabel path breaks due to missing slash, so append this after DEFAULT_INCLUDE_PATH. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Florian Westphal <fw@strlen.de>
* tests: tests to include filesPablo Neira Ayuso2016-08-104-0/+107
| | | | | | | | | | | | Four tests to cover file inclusion using: 1) Absolute path. 2) Relative path. 3) Default include directory path. And one more test to cover endless file inclusion loop. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: don't break line on include error messagePablo Neira Ayuso2016-08-101-1/+1
| | | | | | | For consistency with other error messages in this codebase, don't add a line break. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: don't fall back on current directory if include is not foundPablo Neira Ayuso2016-08-101-7/+6
| | | | | | | | | This resolves an ambiguity if the same file name is used both under sysconfdir and the current working directory. You can use dot slash ./ to explicitly refer to files in the current working directory. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1040 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: honor absolute and relative paths via include filePablo Neira Ayuso2016-08-101-7/+17
| | | | | | | | If the path refers to an absolute or relative path, do not check for the default include paths, eg. /etc/nftables/. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1040 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: ip payload set support for ecn and dscpFlorian Westphal2016-08-014-0/+123
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* netlink: make checksum fixup work with odd-sized header fieldsFlorian Westphal2016-08-011-4/+35
| | | | | | | | | | | | | | | | | | | | | The kernel checksum functions want even-sized lengths except for the last block at the end of the data. This means that nft --debug=netlink add rule filter output ip ecn set 1 must generate a two byte read and a two byte write: [ payload load 2b @ network header + 0 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x0000fcff ) ^ 0x00000100 ] [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 ] Otherwise, while a one-byte write is enough, the kernel will generate invalid checksums (unless checksum is offloaded). Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: ip6 dscp, flowlabel and ecn test casesFlorian Westphal2016-08-013-0/+140
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* netlink: decode payload statmentFlorian Westphal2016-08-011-5/+178
| | | | | | | | This allows nft to display payload set operations if the header isn't byte aligned or has non-byte divisible sizes. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: add support to set IPv6 non-byte header fieldsFlorian Westphal2016-08-011-4/+76
| | | | | | | | | | | | | | | | | | | | | | | | | | 'ip6 ecn set 1' will generate a zero-sized write operation. Just like when matching on bit-sized header fields we need to round up to a byte-sized quantity and add a mask to retain those bits outside of the header bits that we want to change. Example: ip6 ecn set ce [ payload load 1b @ network header + 1 => reg 1 ] [ bitwise reg 1 = (reg=1 & 0x000000cf ) ^ 0x00000030 ] [ payload write reg 1 => 1b @ network header + 1 csum_type 0 csum_off 0 ] 1. Load the full byte containing the ecn bits 2. Mask out everything *BUT* the ecn bits 3. Set the CE mark This patch only works if the protocol doesn't need a checksum fixup. Will address this in a followup patch. This also doesn't yet include the needed reverse translation. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: add small helper to check if payload expr needs binop adjustmentFlorian Westphal2016-08-011-2/+7
| | | | | | | | | | | kernel can only deal with byte-sized and byte-aligned payload expressions. If the payload expression doesn't fit this requirement userspace has to add explicit binop masks to remove the unwanted part(s). Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* payload: print base and raw values for unknown payloadsFlorian Westphal2016-08-012-1/+14
| | | | | | | | | | | | | | | | | We currently print 'unknown' rather than the raw offset values for unrecognized header values. If its unknown, prefer to print payload @nh,0,16 set payload @nh,0,16 rather than 'unknown'. Also add a helper to check if payload expression has a description assigned to it. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: add __binop_adjust helperFlorian Westphal2016-08-011-4/+9
| | | | | | | | | | | | binop_adjust takes an expression whose LHS is expected to be the binop expression that we use to adjust a payload expression based on a mask (to match sub-byte headers like iphdr->version). A followup patch has to pass the binop directly, so add add a helper for it. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: keep map flag around when flags are specifiedPablo Neira Ayuso2016-07-272-1/+22
| | | | | | | | | | | | | | | | | | | | | | | | If you add a map with timeouts, eg. # nft add table x # nft add map x y { type ipv4_addr : ipv4_addr\; flags timeout\; } The listing shows a set instead of a map: # nft list ruleset table ip x { set y { type ipv4_addr flags timeout } } This patch fixes the parser to keep the map flag around when timeout flag (or any other flags) are specified. This patch also comes with a regression test. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xt: use struct xt_xlate_{mt,tg}_paramsPablo Neira Ayuso2016-07-251-5/+15
| | | | | | | Adapt this code to the new interface that introduces struct xt_xlate_{mt,tg}_params. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add ether payload set testFlorian Westphal2016-07-223-0/+11
| | | | | | ... and fix missing line in ip6 test. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add basic payload testsFlorian Westphal2016-07-2112-0/+180
| | | | | | | | | | payload set operations should work at least for byte-sized quantities >= 2 byte. Before adding support for odd-sized writes (ecn, dscp, ip6 flowlabel ...) add a bunch of tests to cover current state. Signed-off-by: Florian Westphal <fw@strlen.de>
* ct: use nftables sysconf location for connlabel configurationFlorian Westphal2016-07-211-2/+5
| | | | | | | | | | | | Instead of using /etc/xtables use the nftables syconfdir. Also update error message to tell which label failed translation and which config file was used for this: nft add filter input ct label foo <cmdline>:1:27-29: Error: /etc/nftables/connlabel.conf: could not parse conntrack label "foo" Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* meta: add tests for meta randomFlorian Westphal2016-07-192-0/+12
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* meta: add random supportFlorian Westphal2016-07-192-0/+5
| | | | | | | | | | | | | "meta random" fills a register with a 32bit pseudo-random number. For instance one can now use meta random <= 2147483647 ... to match every 2nd packet on average. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: make sure split table definition works via nft -fPablo Neira Ayuso2016-07-131-0/+50
| | | | | | Add test to cover split table definition in one single file. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: fix typo in symbol redefinition error reportingPablo Neira Ayuso2016-07-131-1/+1
| | | | | | "redefinition" instead of "redfinition". Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add xt compat supportPablo Neira Ayuso2016-07-139-1/+511
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | At compilation time, you have to pass this option. # ./configure --with-xtables And libxtables needs to be installed in your system. This patch allows to list a ruleset containing xt extensions loaded through iptables-compat-restore tool. Example: $ iptables-save > ruleset $ cat ruleset *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -p tcp -m multiport --dports 80,81 -j REJECT COMMIT $ sudo iptables-compat-restore ruleset $ sudo nft list rulseset table ip filter { chain INPUT { type filter hook input priority 0; policy accept; ip protocol tcp tcp dport { 80,81} counter packets 0 bytes 0 reject } chain FORWARD { type filter hook forward priority 0; policy drop; } chain OUTPUT { type filter hook output priority 0; policy accept; } } A translation of the extension is shown if this is available. In other case, match or target definition is preceded by a hash. For example, classify target has not translation: $ sudo nft list chain mangle POSTROUTING table ip mangle { chain POSTROUTING { type filter hook postrouting priority -150; policy accept; ip protocol tcp tcp dport 80 counter packets 0 bytes 0 # CLASSIFY set 20:10 ^^^ } } If the whole ruleset is translatable, the users can (re)load it using "nft -f" and get nft native support for all their rules. This patch is joint work by the authors listed below. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: expose delinearize/linearize structures and stmt_error()Pablo Neira2016-07-135-36/+43
| | | | | | | Needed by the follow up xt compatibility layer patch. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: cache ip_tables.h, ip6_tables.h, arp_tables.h and ebtables.hPablo Neira Ayuso2016-07-1310-1/+976
| | | | | | | | | The xt over nft support that comes in follow up patches need this, and update the corresponding Makefile.am. Based on patch from Arturo Borrero Gonzalez. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_linearize: skip NFTNL_EXPR_DYNSET_TIMEOUT attribute if timeout is unsetPablo Neira Ayuso2016-07-121-2/+3
| | | | | | | Otherwise kernel bails out with EINVAL in case that the sets got no timeout flag. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: restore parsing of dynamic set element updatesPablo Neira Ayuso2016-07-121-1/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add a new set_elem_expr_stmt production to handle dynamic set element updates from rules. Quickly tested this here through: # nft add table filter # nft add chain filter input { type filter hook input priority 0\; } # nft add set filter myset { type inet_service\; flags timeout\; } # nft add rule filter input set add tcp sport timeout 60s @myset # nft list ruleset table ip filter { set myset { type inet_service flags timeout elements = { http expires 9s} } chain input { type filter hook input priority 0; policy accept; set add tcp dport timeout 1m @myset } } Fixes: a3e60492a684 ("parser: restrict relational rhs expression recursion") Reported-by: Anders K. Pedersen <akp@akp.dk> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: time_type should send milliseconds to userspacePablo Neira Ayuso2016-07-093-10/+12
| | | | | | | Kernel expects milliseconds, so fix this datatype to use milliseconds instead of seconds. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: configure.ac: Replace magic dblatex dep.Nicholas Vinson2016-07-031-6/+13
| | | | | | | | | Add a configure switch to enable and disable PDF document generation. This switch is to replace the current method of automatically detecting dblatex and building the PDF documentation when present. Signed-off-by: Nicholas Vinson <nvinson234@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>