summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* files: add example secmark configChristian Göttsche2019-11-252-0/+88
| | | | | Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add ability to set/get secmarks to/from connectionChristian Göttsche2019-11-254-5/+37
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Labeling established and related packets requires the secmark to be stored in the connection. Add the ability to store and retrieve secmarks like: ... chain input { ... # label new incoming packets ct state new meta secmark set tcp dport map @secmapping_in # add label to connection ct state new ct secmark set meta secmark # set label for est/rel packets from connection ct state established,related meta secmark set ct secmark ... } ... chain output { ... # label new outgoing packets ct state new meta secmark set tcp dport map @secmapping_out # add label to connection ct state new ct secmark set meta secmark # set label for est/rel packets from connection ct state established,related meta secmark set ct secmark ... } ... This patch also disallow constant value on the right hand side. # nft add rule x y meta secmark 12 Error: Cannot be used with right hand side constant value add rule x y meta secmark 12 ~~~~~~~~~~~~ ^^ # nft add rule x y ct secmark 12 Error: Cannot be used with right hand side constant value add rule x y ct secmark 12 ~~~~~~~~~~ ^^ # nft add rule x y ct secmark set 12 Error: ct secmark must not be set to constant value add rule x y ct secmark set 12 ^^^^^^^^^^^^^^^^^ This patch improves 3bc84e5c1fdd ("src: add support for setting secmark"). Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mnl: Fix -Wimplicit-function-declaration warningsMichal Rostecki2019-11-211-0/+1
| | | | | | | | | | | | | | | | | | | | This change fixes the following warnings: mnl.c: In function ‘mnl_nft_flowtable_add’: mnl.c:1442:14: warning: implicit declaration of function ‘calloc’ [-Wimplicit-function-declaration] dev_array = calloc(len, sizeof(char *)); ^~~~~~ mnl.c:1442:14: warning: incompatible implicit declaration of built-in function ‘calloc’ mnl.c:1442:14: note: include ‘<stdlib.h>’ or provide a declaration of ‘calloc’ mnl.c:1449:2: warning: implicit declaration of function ‘free’ [-Wimplicit-function-declaration] free(dev_array); ^~~~ mnl.c:1449:2: warning: incompatible implicit declaration of built-in function ‘free’ mnl.c:1449:2: note: include ‘<stdlib.h>’ or provide a declaration of ‘free’ Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* statement: make secmark statements idempotentChristian Göttsche2019-11-211-0/+3
| | | | | | | | | | | | | | | | Currently lines like ct state new meta secmark set tcp dport map @secmapping_in becomes ct state new secmark name tcp dport map @secmapping_in which is not correct. Fixes: 3bc84e5c1fdd ("src: add support for setting secmark") Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: Introduce numberstringPhil Sutter2019-11-191-11/+2
| | | | | | | | | This token combines decstring and hexstring. The latter two had identical action blocks (which were not completely trivial), this allows to merge them. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* files: Drop shebangs from config filesPhil Sutter2019-11-1915-33/+2
| | | | | | | | | | | | | | | These are not meant to be executed as is but instead loaded via 'nft -f' - all-in-one.nft even points this out in header comment. While being at it, drop two spelling mistakes found along the way. Consequently remove executable bits - being registered in automake as dist_pkgsysconf_DATA, they're changed to 644 upon installation anyway. Also there is obviously no need for replacement of nft binary path anymore, drop that bit from Makefile.am. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* files: Install sample scripts from files/examplesPhil Sutter2019-11-193-0/+6
| | | | | | | | | Assuming these are still relevant and useful as a source of inspiration, install them into DATAROOTDIR/doc/nftables/examples. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: set reference from variable definitionPablo Neira Ayuso2019-11-181-0/+21
| | | | | | | | Allow to define variable using set reference, eg. define x = @z Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: Avoid set references in odd placesPhil Sutter2019-11-181-14/+17
| | | | | | | | | | | | | | | | | | With set references being recognized by symbol_expr and that being part of primary_expr as well as primary_rhs_expr, they could basically occur anywhere while in fact they are allowed only in quite a few spots. Untangle things a bit by introducing set_ref_expr and adding that only in places where it is needed to pass testsuites. Make sure users can define variables as set references, eg. define xyz = @setref And allow to use them from set expressions and statements too. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add stateful object update operation testFernando Fernandez Mancera2019-11-161-0/+25
| | | | | Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache: Reduce caching for get commandPhil Sutter2019-11-151-0/+17
| | | | | | | | | Introduce a function to distinguish which command object was given and request only the necessary bits to have sets and their elements available for 'get element' command. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: Fix get element for little endian rangesPhil Sutter2019-11-152-5/+50
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes get element command for interval sets with host byte order data type, like e.g. mark. During serializing of the range (or element) to query, data was exported in wrong byteorder and consequently not found in kernel. The mystery part is that code seemed correct: When calling constant_expr_alloc() from set_elem_add(), the set key's byteorder was passed with correct value of BYTEORDER_HOST_ENDIAN. Comparison with delete/add element code paths though turned out that in those use-cases, constant_expr_alloc() is called with BYTEORDER_INVALID: - seg_tree_init() takes byteorder field value of first element in init->expressions (i.e., the elements requested on command line) and assigns that to tree->byteorder - tree->byteorder is passed to constant_expr_alloc() in set_insert_interval() - the elements' byteorder happens to be the default value This patch may not fix the right side, but at least it aligns get with add/delete element codes. Fixes: a43cc8d53096d ("src: support for get element command") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: Check ranges when deleting elementsPhil Sutter2019-11-142-11/+47
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Make sure any intervals to delete actually exist, otherwise reject the command. Without this, it is possible to mess up rbtree contents: | # nft list ruleset | table ip t { | set s { | type ipv4_addr | flags interval | auto-merge | elements = { 192.168.1.0-192.168.1.254, 192.168.1.255 } | } | } | # nft delete element t s '{ 192.168.1.0/24 }' | # nft list ruleset | table ip t { | set s { | type ipv4_addr | flags interval | auto-merge | elements = { 192.168.1.255-255.255.255.255 } | } | } Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: Rewrite hour_type_print()Phil Sutter2019-11-121-30/+19
| | | | | | | | | | | | | | There was no point in this recursively called __hour_type_print_r() at all, it takes only four lines of code to split the number of seconds into hours, minutes and seconds. While being at it, inverse the conditional to reduce indenting for the largest part of the function's body. Also introduce SECONDS_PER_DAY macro to avoid magic numbers. Fixes: f8f32deda31df ("meta: Introduce new conditions 'time', 'day' and 'hour'") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Store top_scope in struct nft_ctxPhil Sutter2019-11-077-7/+50
| | | | | | | | | | | | | | | | Allow for interactive sessions to make use of defines. Since parser is initialized for each line, top scope defines didn't persist although they are actually useful for stuff like: | # nft -i | define goodports = { 22, 23, 80, 443 } | add rule inet t c tcp dport $goodports accept | add rule inet t c tcp sport $goodports accept While being at it, introduce scope_alloc() and scope_free(). Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: Drop incorrect requirement for nft configsPhil Sutter2019-11-061-2/+1
| | | | | | The shebang is not needed in files to be used with --file parameter. Signed-off-by: Phil Sutter <phil@nwl.cc>
* src: add and use `set_is_meter` helperJeremy Sowden2019-11-066-18/+47
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The sets constructed for meters are flagged as anonymous and dynamic. However, in some places there are only checks that they are dynamic, which can lead to normal sets being classified as meters. For example: # nft add table t # nft add set t s { type ipv4_addr; size 256; flags dynamic,timeout; } # nft add chain t c # nft add rule t c tcp dport 80 meter m size 128 { ip saddr limit rate 10/second } # nft list meters table ip t { set s { type ipv4_addr size 256 flags dynamic,timeout } meter m { type ipv4_addr size 128 flags dynamic } } # nft list meter t m table ip t { meter m { type ipv4_addr size 128 flags dynamic } } # nft list meter t s Error: No such file or directory list meter t s ^ Add a new helper `set_is_meter` and use it wherever there are checks for meters. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: flowtable: add support for delete command by handleEric Jallot2019-11-069-12/+69
| | | | | | | Also, display handle when listing with '-a'. Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: fix missing family in plural forms list command.Eric Jallot2019-10-311-6/+7
| | | | | | Fixes: 067ac215e93f ("doc: update nft list plural form parameters") Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: flowtable: add support for named flowtable listingEric Jallot2019-10-3110-19/+157
| | | | | | | | | | | | | | | | | | | | This patch allows you to dump a named flowtable. # nft list flowtable inet t f table inet t { flowtable f { hook ingress priority filter + 10 devices = { eth0, eth1 } } } Also: libnftables-json.adoc: fix missing quotes. Fixes: db0697ce7f60 ("src: support for flowtable listing") Fixes: 872f373dc50f ("doc: Add JSON schema documentation") Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mnl: Replace use of untyped nftnl data settersPhil Sutter2019-10-301-6/+10
| | | | | | | | | Setting strings won't make a difference, but passing data length to *_set_data() functions allows for catching accidental changes on either side. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mnl: remove artifical cap on 8 devices per flowtableSven Auhagen2019-10-301-2/+7
| | | | | | | Currently assuming a maximum of 8 devices, remove this artificial cap. Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add multidevice support for netdev chainPablo Neira Ayuso2019-10-307-27/+109
| | | | | | | | | | | | | | This patch allows you to specify multiple netdevices to be bound to the netdev basechain, eg. # nft add chain netdev x y { \ type filter hook ingress devices = { eth0, eth1 } priority 0\; } json codebase has been updated to support for one single device with the existing representation, no support for multidevice is included in this patch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Fix test script for Python3 tempfilePhil Sutter2019-10-291-4/+4
| | | | | | | | | | | | | When instantiating a temporary file using tempfile's TemporaryFile() constructor, the resulting object's 'name' attribute is of type int. This in turn makes print_msg() puke while trying to concatenate string and int using '+' operator. Fix this by using format strings consequently, thereby cleaning up code a bit. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* py: add missing output flags.Jeremy Sowden2019-10-241-0/+35
| | | | | | | | `terse` and `numeric_time` are missing from the `output_flags` dict. Add them and getters and setters for them. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Phil Sutter <phil@nwl.cc>
* main: remove duplicate output flag assignment.Jeremy Sowden2019-10-231-1/+0
| | | | | | | | | `NFT_CTX_OUTPUT_NUMERIC_TIME` is implicit in `NFT_CTX_OUTPUT_NUMERIC_ALL`: there are is no need explicitly to OR it into output_flags when `--numeric` is passed. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: add missing `OPT_NUMERIC_PROTO` long option.Jeremy Sowden2019-10-231-0/+4
| | | | | | | | The `options` array is missing an entry for `OPT_NUMERIC_PROTO`. Add a new option, `--numeric-protocol`, consistent with the documentation. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: add missing output flag documentation.Jeremy Sowden2019-10-231-0/+6
| | | | | | | | The documentation for NFT_CTX_OUTPUT_FLAG_NUMERIC_TIME and NFT_CTX_OUTPUT_FLAG_NUMERIC_ALL is incomplete. Add the missing bits. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Revert "main: Fix for misleading error with negative chain priority"Phil Sutter2019-10-232-9/+1
| | | | | | | | | | | This reverts commit 9fc71bc6b602c8706d1214e0100bcd7638c257e3. Given that this change breaks typical commands like 'nft list ruleset -a' while on the other hand escaping of semicolons and (depending on shell) curly braces is still required, decision was made to not go with this solution. Signed-off-by: Phil Sutter <phil@nwl.cc>
* src: add --terse to suppress output of set elements.Jeremy Sowden2019-10-226-11/+34
| | | | | | | | | | | | Listing an entire ruleset or a table with `nft list` prints the elements of all set definitions within the ruleset or table. Seeing the full set contents is not often necessary especially when requesting to see someone's ruleset for help and support purposes. Add a new option '-t, --terse' options to suppress the output of set contents. Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1374 Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use `-T` as the short option for `--numeric-time`.Jeremy Sowden2019-10-222-4/+4
| | | | | | | | | A new `--terse` option will be introduced in a later patch. Change the short option used for `--numeric-time` from `-t` to `-T` in order to leave `-t` free. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: Fix for misleading error with negative chain priorityPhil Sutter2019-10-212-1/+9
| | | | | | | | | | | | | | | | | getopt_long() would try to parse the negative priority as an option and return -1 as it is not known: | # nft add chain x y { type filter hook input priority -30\; } | nft: invalid option -- '3' Fix this by prefixing optstring with a plus character. This instructs getopt_long() to not collate arguments but just stop after the first non-option, leaving the rest for manual handling. In fact, this is just what nft desires: mixing options with nft syntax leads to confusive command lines anyway. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tproxy: Add missing error checking when parsing from netlinkPhil Sutter2019-10-211-0/+4
| | | | | | | | | | netlink_get_register() may return NULL and every other caller checks that. Assuming this situation is not expected, just jump to 'err' label without queueing an explicit error message. Fixes: 2be1d52644cf7 ("src: Add tproxy support") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_json: Fix checking of parse_policy() return codePhil Sutter2019-10-211-1/+1
| | | | | | | | | The function was changed to return an expression or NULL but error checking wasn't adjusted while doing so. Fixes: dba4a9b4b5fe2 ("src: allow variable in chain policy") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: restore --echo with anonymous setsPablo Neira Ayuso2019-10-183-21/+12
| | | | | | | | | | | | If --echo is passed, then the cache already contains the commands that have been sent to the kernel. However, anonymous sets are an exception since the cache needs to be updated in this case. Remove the old cache logic from the monitor code that has been replaced by 01e5c6f0ed03 ("src: add cache level flags"). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Phil Sutter <phil@nwl.cc>
* flowtable: fix memleak in exit pathEric Jallot2019-10-182-0/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add missing loop in table_free(). Free all objects in flowtable_free() and add conditions in case of error recovery in the parser (See commit 4be0a3f922a29). Also, fix memleak in the parser. This fixes the following memleak: # valgrind --leak-check=full nft add flowtable inet raw f '{ hook ingress priority filter; devices = { eth0 }; }' ==15414== Memcheck, a memory error detector ==15414== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==15414== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info ==15414== Command: nft add flowtable inet raw f {\ hook\ ingress\ priority\ filter;\ devices\ =\ {\ eth0\ };\ } ==15414== ==15414== ==15414== HEAP SUMMARY: ==15414== in use at exit: 266 bytes in 4 blocks ==15414== total heap usage: 55 allocs, 51 frees, 208,105 bytes allocated ==15414== ==15414== 5 bytes in 1 blocks are definitely lost in loss record 2 of 4 ==15414== at 0x4C29EA3: malloc (vg_replace_malloc.c:309) ==15414== by 0x5C64AA9: strdup (strdup.c:42) ==15414== by 0x4E705ED: xstrdup (utils.c:75) ==15414== by 0x4E93F01: nft_lex (scanner.l:648) ==15414== by 0x4E85C1C: nft_parse (parser_bison.c:5577) ==15414== by 0x4E75A07: nft_parse_bison_buffer (libnftables.c:375) ==15414== by 0x4E75A07: nft_run_cmd_from_buffer (libnftables.c:443) ==15414== by 0x40170F: main (main.c:326) ==15414== ==15414== 261 (128 direct, 133 indirect) bytes in 1 blocks are definitely lost in loss record 4 of 4 ==15414== at 0x4C29EA3: malloc (vg_replace_malloc.c:309) ==15414== by 0x4E705AD: xmalloc (utils.c:36) ==15414== by 0x4E705AD: xzalloc (utils.c:65) ==15414== by 0x4E560B6: expr_alloc (expression.c:45) ==15414== by 0x4E56288: symbol_expr_alloc (expression.c:286) ==15414== by 0x4E8A601: nft_parse (parser_bison.y:1842) ==15414== by 0x4E75A07: nft_parse_bison_buffer (libnftables.c:375) ==15414== by 0x4E75A07: nft_run_cmd_from_buffer (libnftables.c:443) ==15414== by 0x40170F: main (main.c:326) Fixes: 92911b362e906 ("src: add support to add flowtables") Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: define flowtable device compound as a listPablo Neira Ayuso2019-10-182-2/+2
| | | | | | | | This fixes a memleak when releasing the compound expression via expr_free(). Fixes: 92911b362e90 ("src: add support to add flowtables") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: Fix for single line ct timeout printingPhil Sutter2019-10-171-1/+1
| | | | | | | | | | | Commit 43ae7a48ae3de ("rule: do not print semicolon in ct timeout") removed an extra semicolon at end of line, but thereby broke single line output. The correct fix is to use opts->stmt_separator which holds either newline or semicolon chars depending on output mode. Fixes: 43ae7a48ae3de ("rule: do not print semicolon in ct timeout") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* tests/monitor: Fix for changed ct timeout formatPhil Sutter2019-10-171-1/+1
| | | | | | | | | | Commit a9b0c385a1d5e ("rule: print space between policy and timeout") changed spacing in ct timeout objects but missed to adjust related test case. Fixes: a9b0c385a1d5e ("rule: print space between policy and timeout") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* monitor: Add missing newline to error messagePhil Sutter2019-10-171-1/+1
| | | | | | | | | These shouldn't happen in practice and printing to stderr is not the right thing either, but fix this anyway. Fixes: f9563c0feb24d ("src: add events reporting") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* mnl: Don't use nftnl_set_set()Phil Sutter2019-10-151-1/+1
| | | | | | | | | The function is unsafe to use as it effectively bypasses data length checks. Instead use nftnl_set_set_str() which at least asserts a const char pointer is passed. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cli: add linenoise CLI implementation.Jeremy Sowden2019-10-154-15/+70
| | | | | | | | By default, continue to use libreadline, but if `--with-cli=linenoise` is passed to configure, build the linenoise implementation instead. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expression: extend 'nft describe' to allow listing data typesFlorian Westphal2019-10-143-10/+41
| | | | | | | | | | | | | | | | | nft describe ct_status before: symbol expression, datatype invalid (invalid), 0 bits after: datatype ct_status (conntrack status) (basetype bitmask, integer), 32 bits pre-defined symbolic constants (in hexadecimal): expected 0x00000001 seen-reply 0x00000002 [..] Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: display description for header field < 8 bitsPablo Neira Ayuso2019-10-101-1/+1
| | | | | | | | | | | | # nft describe ip dscp payload expression, datatype dscp (Differentiated Services Code Point) (basetype integer), 6 bits pre-defined symbolic constants (in hexadecimal): nft: datatype.c:209: switch_byteorder: Assertion `len > 0' failed. Aborted Fixes: c89a0801d077 ("datatype: Display pre-defined inet_service values in host byte order") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: always close interval in non-anonymous setsPablo Neira Ayuso2019-10-092-1/+34
| | | | | | | Skip this optimization for non-anonymous sets, otherwise, element deletion breaks. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* obj: fix memleak in parser_bison.yEric Jallot2019-10-091-56/+27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Each object (secmark, synproxy, quota, limit, counter) is dynamically allocated by the parser and not freed at exit. However, there is no need to use dynamic allocation here because struct obj already provides the required storage. Update the grammar to ensure that obj_alloc() is called before config occurs. This fixes the following memleak (secmark as example): # valgrind --leak-check=full nft add secmark inet raw ssh \"system_u:object_r:ssh_server_packet_t:s0\" ==14643== Memcheck, a memory error detector ==14643== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==14643== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info ==14643== Command: nft add secmark inet raw ssh "system_u:object_r:ssh_server_packet_t:s0" ==14643== ==14643== ==14643== HEAP SUMMARY: ==14643== in use at exit: 256 bytes in 1 blocks ==14643== total heap usage: 41 allocs, 40 frees, 207,809 bytes allocated ==14643== ==14643== 256 bytes in 1 blocks are definitely lost in loss record 1 of 1 ==14643== at 0x4C29EA3: malloc (vg_replace_malloc.c:309) ==14643== by 0x4E72074: xmalloc (utils.c:36) ==14643== by 0x4E72074: xzalloc (utils.c:65) ==14643== by 0x4E89A31: nft_parse (parser_bison.y:3706) ==14643== by 0x4E778E7: nft_parse_bison_buffer (libnftables.c:375) ==14643== by 0x4E778E7: nft_run_cmd_from_buffer (libnftables.c:443) ==14643== by 0x40170F: main (main.c:326) Fixes: f44ab88b1088e ("src: add synproxy stateful object support") Fixes: 3bc84e5c1fdd1 ("src: add support for setting secmark") Fixes: c0697eabe832d ("src: add stateful object support for limit") Fixes: 4d38878b39be4 ("src: add/create/delete stateful objects") Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: fix failed tests due to missing quotesEric Jallot2019-10-0814-19/+18
| | | | | | | | | Add double quotes to protect newlines when using <<< redirection. See also commit b878cb7d83855. Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: check we can use "dynamic" set for lookupsFlorian Westphal2019-10-071-0/+2
| | | | | | | | Requires kernel commit acab713177377 ("netfilter: nf_tables: allow lookups in dynamic sets"), else the rule add will fail. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: obj: fix memleak in handle_free()Eric Jallot2019-09-301-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Using limit object as example: # valgrind --leak-check=full nft list ruleset ==9937== Memcheck, a memory error detector ==9937== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==9937== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info ==9937== Command: nft list ruleset ==9937== table inet raw { limit lim1 { rate 1/second } } ==9937== ==9937== HEAP SUMMARY: ==9937== in use at exit: 5 bytes in 1 blocks ==9937== total heap usage: 50 allocs, 49 frees, 212,065 bytes allocated ==9937== ==9937== 5 bytes in 1 blocks are definitely lost in loss record 1 of 1 ==9937== at 0x4C29EA3: malloc (vg_replace_malloc.c:309) ==9937== by 0x5C65AA9: strdup (strdup.c:42) ==9937== by 0x4E720A3: xstrdup (utils.c:75) ==9937== by 0x4E660FF: netlink_delinearize_obj (netlink.c:972) ==9937== by 0x4E6641C: list_obj_cb (netlink.c:1064) ==9937== by 0x50E8993: nftnl_obj_list_foreach (object.c:494) ==9937== by 0x4E664EA: netlink_list_objs (netlink.c:1085) ==9937== by 0x4E4FE82: cache_init_objects (rule.c:188) ==9937== by 0x4E4FE82: cache_init (rule.c:221) ==9937== by 0x4E4FE82: cache_update (rule.c:271) ==9937== by 0x4E7716E: nft_evaluate (libnftables.c:406) ==9937== by 0x4E778F7: nft_run_cmd_from_buffer (libnftables.c:447) ==9937== by 0x40170F: main (main.c:326) Fixes: 4756d92e517ae ("src: listing of stateful objects") Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: memleak when list of commands is emptyPablo Neira Ayuso2019-09-271-1/+1
| | | | | | | | | | | | | ==9946== 200,807 (40 direct, 200,767 indirect) bytes in 1 blocks are definitely lost in loss record 4 of 4 ==9946== at 0x4837B65: calloc (vg_replace_malloc.c:762) ==9946== by 0x4F28216: nftnl_batch_alloc (batch.c:66) ==9946== by 0x48A33E8: mnl_batch_init (mnl.c:164) ==9946== by 0x48A736F: nft_netlink.isra.0 (libnftables.c:29) ==9946== by 0x48A7D03: nft_run_cmd_from_filename (libnftables.c:508) ==9946== by 0x10A621: main (main.c:328) Fixes: fc6d0f8b0cb1 ("libnftables: get rid of repeated initialization of netlink_ctx") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>