Add a test to cover table T1 containing the definition of chain C1, and
table T1' (actually the same definition as T1) that contains a (jump)
reference to chain C1.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Extend existing test to add a ct count expression in the set definition.
This test covers the upstream kernel fix ad9f151e560b ("netfilter:
nf_tables: initialize set before expression setup").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Use set_is_anonymous() to check for the NFT_SET_ANONYMOUS set flag
instead.
Reported-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Otherwise, the assertion to ensure that no collision occurs is hit due to
an uninitialized hashtable memory area:
nft: netlink_delinearize.c:1741: expr_handler_init: Assertion `expr_handle_ht[hash] == NULL' failed.
Fixes: c4058f96c6a5 ("netlink_delinearize: Fix suspicious calloc() call")
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

67d3969a7244 ("evaluate: add set to the cache") re-adds the set into the
cache again.
This bug was hidden behind 5ec5c706d993 ("cache: add hashtable cache for
table") which broke set_evaluate() for anonymous sets.
Phil reported a gcc compilation warning which uncovered this problem.
Reported-by: Phil Sutter <phil@nwl.cc>
Fixes: 67d3969a7244 ("evaluate: add set to the cache")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Fix
ERROR: did not find JSON equivalent for rule 'ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 }'
when running nft-test.py -j
Fixes: bbcc5eda7e58 ("evaluate: restore interval + concatenation in anonymous set")
Signed-off-by: Florian Westphal <fw@strlen.de>

The test case exists twice, once with new dei, once with old 'cfi',
so we need to retain the cfi one in the json file too.
Else we get:
WARNING: line 2: Wrote JSON equivalent for rule vlan id 4094 vlan dei 1
Fixes: d2fba515ff94 ("src: add vlan dei")
Signed-off-by: Florian Westphal <fw@strlen.de>

Using num_attrs as index means it must be at max one less than the
array's size at function start.
Fixes: 27362a5bfa433 ("rule: larger number of error locations")
Signed-off-by: Phil Sutter <phil@nwl.cc>

Parameter passed to sizeof() was wrong. While being at it, replace the
whole call with xmalloc_array() which takes care of error checking.
Fixes: 913979f882d13 ("src: add expression handler hashtable")
Signed-off-by: Phil Sutter <phil@nwl.cc>

If parsing udata fails, 'obj' has to be freed before returning to
caller.
Fixes: 293c9b114faef ("src: add comment support for objects")
Signed-off-by: Phil Sutter <phil@nwl.cc>

If parsing udata fails, 'table' has to be freed before returning to
caller.
Fixes: c156232a530b3 ("src: add comment support when adding tables")
Signed-off-by: Phil Sutter <phil@nwl.cc>

If parsing udata fails, 'chain' has to be freed before returning to
caller.
Fixes: 702ac2b72c0e8 ("src: add comment support for chains")
Signed-off-by: Phil Sutter <phil@nwl.cc>

Duplicate string 'comment' later when the function does not fail
anymore.
Fixes: 0864c2d49ee8a ("src: add comment support for set declarations")
Signed-off-by: Phil Sutter <phil@nwl.cc>

The updated value of 'is_exists' is no longer read at this point.
Fixes: cb21869649208 ("json: tcp: add raw tcp option match support")
Signed-off-by: Phil Sutter <phil@nwl.cc>

It is certainly intentional, so just mark it as such.
Fixes: b4775dec9f80b ("src: ingress inet support")
Signed-off-by: Phil Sutter <phil@nwl.cc>

If 'kind' value is invalid, the function returned without freeing 'expr'
first. Fix this by performing the check before allocation.
Fixes: cb21869649208 ("json: tcp: add raw tcp option match support")
Signed-off-by: Phil Sutter <phil@nwl.cc>

Have to include ctype.h to make it known.
Fixes: e76bb37940181 ("src: allow for variables in the log prefix string")
Signed-off-by: Phil Sutter <phil@nwl.cc>

Perform the table and set lookup only for non-anonymous sets, where the
incremental cache update is required.
The problem fixed by 7aa08d45031e ("evaluate: Perform set evaluation on
implicitly declared (anonymous) sets") resurrected after the cache
rework.
# nft add rule x y tcp sport . tcp dport vmap { ssh . 0-65535 : accept, 0-65535 . ssh : accept }
BUG: invalid range expression type concat
nft: expression.c:1422: range_expr_value_low: Assertion `0' failed.
Abort
Add a test case to make sure this does not happen again.
Fixes: 5ec5c706d993 ("cache: add hashtable cache for table")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

The CFI bit has been repurposed as DEI "Drop Eligible Indicator"
since 802.1Q-2011.
The vlan cfi field is still retained for compatibility.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1516
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Mention various 'nft list' options, such as secmarks, flow tables, and
so on.
Signed-off-by: Florian Westphal <fw@strlen.de>

Example output:
$ nft list hook ip input
family ip hook input {
+0000000000 nft_do_chain_inet [nf_tables] # nft table ip filter chain input
+0000000010 nft_do_chain_inet [nf_tables] # nft table ip firewalld chain filter_INPUT
+0000000100 nf_nat_ipv4_local_in [nf_nat]
+2147483647 ipv4_confirm [nf_conntrack]
}
$ nft list hooks netdev type ingress device lo
family netdev hook ingress device lo {
+0000000000 nft_do_chain_netdev [nf_tables]
}
$ nft list hooks inet
family ip hook prerouting {
-0000000400 ipv4_conntrack_defrag [nf_defrag_ipv4]
-0000000300 iptable_raw_hook [iptable_raw]
-0000000290 nft_do_chain_inet [nf_tables] # nft table ip firewalld chain raw_PREROUTING
-0000000200 ipv4_conntrack_in [nf_conntrack]
-0000000140 nft_do_chain_inet [nf_tables] # nft table ip firewalld chain mangle_PREROUTING
-0000000100 nf_nat_ipv4_pre_routing [nf_nat]
}
...
'nft list hooks' will display everything except the netdev family
via successive dump requests for all family:hook combinations.
Signed-off-by: Florian Westphal <fw@strlen.de>

Followup patch will add new 'hooks' keyword for
nft list hooks
Add a scope for list to avoid exposure of the new keyword in nft
rulesets.
Signed-off-by: Florian Westphal <fw@strlen.de>

Restoring a set of IPv4 prefixes with about 1.1M elements crashes nft as
set_to_segtree() exhausts the stack. Prevent this by allocating the
pointer array on heap and make sure it is freed before returning to
caller.
With this patch in place, restoring said set succeeds with allocation of
about 3GB of memory, according to valgrind.
Signed-off-by: Phil Sutter <phil@nwl.cc>

Unsurprisingly, printing warnings to stdout results in malformed JSON.
Signed-off-by: Kerin Millar <kfm@plushkava.net>
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1511
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Provide an ordered list of devices for (netdev) chain and flowtable.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1525
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

If the fuzzy lookup provides a table, check if it is an inexact
matching; in that case, report that the table does not exist and provide
a misspelling suggestion for the non-existing table.
Initialize table to NULL since the fuzzy lookup might return no table
at all.
This patch fixes misleading error reporting:
# nft delete chain xxx yyy
Error: No such file or directory; did you mean chain ‘B’ in table ip ‘A’?
delete chain xxx yyy
^^^
This refers to table 'xxx' but the suggestion refers to the chain instead.
Therefore, if the fuzzy lookup provides an exact matching table, then do
the fuzzy lookup for the next non-existing object (either chain, set,
...).
Fixes: 3a0e07106f66 ("src: combine extended netlink error reporting with mispelling support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Do not clone the set and zap the elements during the set and map
expansion to the CMD_OBJ_SETELEMS command.
Instead, update the CMD_OBJ_SET command to add the set to the kernel
(without elements) and let CMD_OBJ_SETELEMS add the elements. The
CMD_OBJ_SET command calls set_to_intervals() to update set->init->size
(NFTNL_SET_DESC_SIZE) before adding the set to the kernel. Updating the
set size from do_add_setelems() comes too late, it might result in
spurious ENFILE errors for interval sets.
Moreover, skip CMD_OBJ_SETELEMS if the set definition specifies no
elements.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1500
Fixes: c9eae091983a ("src: add CMD_OBJ_SETELEMS")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Also add a few examples that should not be changed:
- anon set with 2 elements
- anon map with 1 element
- anon set with a concatenation
The latter could be done with cmp but this currently triggers
'Error: Use concatenations with sets and maps, not singleton values'
after removing the anon set.
Signed-off-by: Florian Westphal <fw@strlen.de>

Auto-replace lookups in single-element anon sets with a standard compare.
'add rule foo bar meta iif { "lo" }' gets replaced with
'add rule foo bar meta iif "lo"'.
The former is a set lookup, the latter is a comparison.
Comparisons are faster for the one-element case.
Only prefixes, ranges and values are handled at this time.
Anonymous maps are left alone, same for concatenations.
Concatenations could be handled, but it would require more work:
the concatenation would have to be replaced with a singleton value.
Evaluation step rejects concat RHS on a relational expression.
Signed-off-by: Florian Westphal <fw@strlen.de>

Check for
... 23-42 ...
... { 23-42 } ...
and remove the latter. Followup patch will translate the former to the
latter during evaluation step to avoid the unneeded anon set.
A separate test case will be added that checks for such rewrites.
Signed-off-by: Florian Westphal <fw@strlen.de>

Followup patch will replace the { 1.2.3.4 } with single
cmp, so this will cause an error when the netlink dump gets
compared.
Signed-off-by: Florian Westphal <fw@strlen.de>

set_elem_catchall_expr_json undeclared here (not in a function); did you mean 'set_elem_catchall_expr_ops'?
1344 | .json = set_elem_catchall_expr_json,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~
| set_elem_catchall_expr_ops
https://bugzilla.netfilter.org/show_bug.cgi?id=1542
Fixes: 5c2c6b092860 ("json: catchall element support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

netdev/reject.t throws a couple of WARNINGs. For some reason this file
wasn't updated after the reject statement json output was changed to
keep the icmp type/protocol.
Signed-off-by: Florian Westphal <fw@strlen.de>

This is a singleton ct key, move it to where it belongs.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Instead of:
ct count 2 accept
^^
simply print:
ct count 2 accept
While at it, add incomplete reference 'ct count' to manpage.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Treat '*' as catchall element, not as a symbol.
Also add missing json test cases for wildcard set support.
Signed-off-by: Florian Westphal <fw@strlen.de>

This should say "should have failed" only if the set add operation
was supposed to fail, not when it's supposed to work.
Signed-off-by: Florian Westphal <fw@strlen.de>

The json test case for the flagcmp notation ('tcp flags syn,fin / syn,fin') fails with:
command: {"nftables": [{"add": {"rule": {"family": "ip", "table": "test-ip4", "chain": "input", "expr": [{"match": {"left": {"&": [{"payload": {"field": "flags", "protocol": "tcp"}}, ["fin", "syn"]]}, "op": "==", "right": ["fin", "syn"]}}]}}}]}
internal:0:0-0: Error: List expression only allowed on RHS or in statement expression.
internal:0:0-0: Error: Failed to parse RHS of binop expression.
internal:0:0-0: Error: Invalid LHS of relational.
internal:0:0-0: Error: Parsing expr array at index 0 failed.
internal:0:0-0: Error: Parsing command array at index 0 failed.
Signed-off-by: Florian Westphal <fw@strlen.de>

nft-test.py -j fails with
python: json.c:243: chain_print_json: Assertion `__out' failed.
The member was changed from char * to a struct, pass the name again.
Fixes: 5008798157e2114f ("libnftables: location-based error reporting for chain type")
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit cabe8992b3ee4eb0001a07075b317d966df6bcbd)

Update release name based on the Fearless Fosdick series: Prudence Pimpleton.
Bump dependencies on libnftnl.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Quoting Duncan Roe:
Tiny nit: suggest "by a unique" instead of "by an unique".
"a" reads better to this native en-GB speaker at least.
Signed-off-by: Florian Westphal <fw@strlen.de>

Fix make distcheck.
Fixes: 0e3871cfd9a1 ("exthdr: Implement SCTP Chunk matching")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

# nft describe foo
datatype foo is invalid
Fixes: 21cbab5b6ffe ("expression: extend 'nft describe' to allow listing data types")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

The flags / mask syntax only allows for ==, != and the implicit
operation (which is == in this case).
# nft add rule x y tcp flags ! syn / syn,ack
Error: either == or != is allowed
add rule x y tcp flags ! syn / syn,ack
^^^^^^^^^^^^^^^^^^^^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Use proper priorities to ensure that ct works properly.
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Parsing a range expression, the switch case fell through to prefix
expression case, thereby recursing once more for expr->left. This seems
not to have caused harm, but is certainly not intended.
Fixes: ee4391d0ac1e7 ("nat: transform range to prefix expression when possible")
Signed-off-by: Phil Sutter <phil@nwl.cc>

The fuzzy lookup is exercised from the error path, when no object is
found. Remove branch that checks for exact matching since that should
not ever happen.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Refer to chain, not table.
Error: No such file or directory; did you mean table ‘z’ in family ip?
add chain x y { type filter nat prerouting priority dstnat; }
^
It should say instead:
Error: No such file or directory; did you mean chain ‘z’ in table ip ‘x’?
[ Florian added args check for fmt to the netlink_io_error() prototype. ]
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Store the location of the chain type for better error reporting.
Several users that compile custom kernels reported that error
reporting is misleading when accidentally selecting
CONFIG_NFT_NAT=n.
After this patch, a better hint is provided:
# nft 'add chain x y { type nat hook prerouting priority dstnat; }'
Error: Could not process rule: No such file or directory
add chain x y { type nat hook prerouting priority dstnat; }
^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Briefly describe 'nft monitor trace' command functionality.
Signed-off-by: Phil Sutter <phil@nwl.cc>