nftables commit log (subject, author, date, files changed, lines removed/added)
* tests: shell: add a new testcase for ruleset loading bug
  Arturo Borrero Gonzalez, 2016-11-09; 1 file, -0/+27

    There seems to be a bug that prevents loading a ruleset twice in a row if the ruleset contains sets with intervals. This seems related to the nft cache.

    By the time of this commit, the bug is not fixed yet.

    Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: introduce the cache testcases directory
  Arturo Borrero Gonzalez, 2016-11-09; 1 file, -0/+0

    This directory is for testcases related to the nft cache.

    Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: delete useless stderr output in testcase
  Arturo Borrero Gonzalez, 2016-11-09; 1 file, -1/+1

    This stderr output is expected.

    Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xt: update Arturo Borrero Gonzalez email address
  Arturo Borrero Gonzalez, 2016-11-09; 1 file, -1/+1

    Update email address to a new one in the copyright notice.

    Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_linearize: skip set element expression in flow table key
  Pablo Neira Ayuso, 2016-10-31; 3 files, -3/+25

    Anders reports that:

    # nft add rule ip6 filter postrouting \
        flow table acct_out \{ meta iif . ip6 saddr timeout 600s counter \}

    while the opposite doesn't work:

    # nft add rule ip6 filter postrouting \
        flow table acct_out \{ ip6 saddr . meta iif timeout 600s counter \}

    netlink_gen_flow_stmt() relies on the flow table key, that is expressed as a set element. Use the set element key instead to skip the set element wrap, otherwise get_register() aborts execution:

    nft: netlink_linearize.c:650: netlink_gen_expr: Assertion `dreg < ctx->reg_low' failed.

    Reported-by: Anders K. Pedersen <akp@cohaesio.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: fix synopsis for ct expression
  Anders K. Pedersen, 2016-10-31; 1 file, -10/+15

    The nft man page command synopsis for the ct expression is currently:

    ct {state | direction | status | mark | expiration | helper | label | bytes | packets} {original | reply | {l3proto | protocol | saddr | daddr | proto-src | proto-dst | bytes | packets}}

    which is not correct for the arguments that should be prefixed with "original" or "reply". Change this to

    ct {state | direction | status | mark | expiration | helper | label | l3proto | protocol | bytes | packets}
    ct {original | reply} {l3proto | protocol | saddr | daddr | proto-src | proto-dst | bytes | packets}

    Signed-off-by: Anders K. Pedersen <akp@cohaesio.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: Allow concatenation of rt nexthop etc.
  Anders K. Pedersen, 2016-10-31; 1 file, -7/+7

    Concatenations of rt nexthop or ct {original | reply} {saddr | daddr} fail due to

    # nft add rule ip filter postrouting flow table acct \{ ip saddr . rt nexthop counter \}
    <cmdline>:1:61-70: Error: can not use variable sized data types (invalid) in concat expressions
    add rule ip filter postrouting flow table acct { ip saddr . rt nexthop counter }
                                                   ~~~~~~~~~~~^^^^^^^^^^

    Fix this by reordering the check for variable size data types in expr_evaluate_concat() to happen after expr_evaluate() has been called (via list_member_evaluate()) for the sub expression. This allows expr_evaluate_[cr]t() to call [cr]t_expr_update_type() and set the data type before the check.

    Signed-off-by: Anders K. Pedersen <akp@cohaesio.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: add missing payload test for numgen offset
  Pablo Neira Ayuso, 2016-10-31; 1 file, -0/+5

    The new cover test for:

    ct mark set numgen inc mod 2 offset 100

    was lacking the payload file chunk.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* log: rename the log level "warning" to "warn"
  Liping Zhang, 2016-10-31; 1 file, -1/+1

    This is to keep compatibility. The original keyword in grammar is "warn" instead of "warning".

    Fixes: 0423caa91ad2 ("src: don't need keyword for log level")
    Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: fix "ct l3proto/protocol" syntax broken
  Liping Zhang, 2016-10-30; 1 file, -1/+3

    "l3proto" and "protocol" are still keywords in our grammar, they are not STRING, so if the user inputs the following rule, nft will complain that there is a syntax error:

    # nft add t c ct l3proto ipv4
    <cmdline>:1:12-18: Error: syntax error, unexpected l3proto, expecting string or mark or packets or bytes
    add t c ct l3proto ipv4
               ^^^^^^^

    Fixes: c992153402c7 ("ct: allow resolving ct keys at run time")
    Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
    Signed-off-by: Florian Westphal <fw@strlen.de>
* Correct description of -n/--numeric option
  Jon Jensen, 2016-10-29; 2 files, -10/+7

    "When used twice" was used twice in the manpage. :)

    And as Florian Westphal pointed out, it was also incorrect for the -nn case.

    Update the manpage and built-in help in main.c to match actual behavior.

    Signed-off-by: Jon Jensen <jon@endpoint.com>
    Signed-off-by: Florian Westphal <fw@strlen.de>
* Replace tests/files/expr-rt with Python based tests, and replace ether type
  Anders K. Pedersen, 2016-10-29; 11 files, -26/+61

    with meta nfproto, which generates a bit fewer instructions.

    Signed-off-by: Anders K. Pedersen <akp@cohaesio.com>
    Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add fib expression
  Florian Westphal, 2016-10-28; 14 files, -0/+395

    This adds the 'fib' expression which can be used to obtain the output interface from the route table based on either source or destination address of a packet.

    This can be used to e.g. add reverse path filtering:

    # drop if not coming from the same interface packet
    # arrived on
    # nft add rule x prerouting fib saddr . iif oif eq 0 drop

    # accept only if from eth0
    # nft add rule x prerouting fib saddr . iif oif eq "eth0" accept

    # accept if from any valid interface
    # nft add rule x prerouting fib saddr oif accept

    Querying of address type is also supported. This can be used to e.g. only accept packets to addresses configured in the same interface:

    # fib daddr . iif type local

    It's also possible to use mark and verdict map, e.g.:

    # nft add rule x prerouting meta mark set 0xdead fib daddr . mark type vmap { blackhole : drop, prohibit : drop, unicast : accept }

    Signed-off-by: Florian Westphal <fw@strlen.de>
* rt: introduce routing expression
  Anders K. Pedersen, 2016-10-28; 13 files, -1/+401

    Introduce rt expression for routing related data with support for nexthop (i.e. the directly connected IP address that an outgoing packet is sent to), which can be used either for matching or accounting, e.g.

    # nft add rule filter postrouting \
        ip daddr 192.168.1.0/24 rt nexthop != 192.168.0.1 drop

    This will drop any traffic to 192.168.1.0/24 that is not routed via 192.168.0.1.

    # nft add rule filter postrouting \
        flow table acct { rt nexthop timeout 600s counter }
    # nft add rule ip6 filter postrouting \
        flow table acct { rt nexthop timeout 600s counter }

    These rules count outgoing traffic per nexthop. Note that the timeout releases an entry if no traffic is seen for this nexthop within 10 minutes.

    # nft add rule inet filter postrouting \
        ether type ip \
        flow table acct { rt nexthop timeout 600s counter }
    # nft add rule inet filter postrouting \
        ether type ip6 \
        flow table acct { rt nexthop timeout 600s counter }

    Same as above, but via the inet family, where the ether type must be specified explicitly.

    "rt classid" is also implemented identically to "meta rtclassid", since it is more logical to have this match in the routing expression going forward.

    Signed-off-by: Anders K. Pedersen <akp@cohaesio.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: allow resolving meta keys at run time
  Florian Westphal, 2016-10-27; 4 files, -7/+66

    Use the meta template to translate the textual token to the enum value.

    This allows removing two keywords from the scanner and also means we do not need to introduce new keywords when more meta keys get added.

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: allow resolving ct keys at run time
  Florian Westphal, 2016-10-27; 5 files, -15/+69

    ... and remove those keywords we no longer need.

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: provide snprintf helper macro
  Florian Westphal, 2016-10-27; 1 file, -0/+10

    Lifted from libnftnl, except that we will abort on snprintf errors.

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: add offset keyword and parser rule
  Pablo Neira Ayuso, 2016-10-27; 2 files, -1/+7

    This is required by the numgen and jhash expressions.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: fix linearize numgen type
  Laura Garcia Liebana, 2016-10-27; 1 file, -1/+1

    Avoid treating the numgen type attribute as a register.

    Fixes: 345236211715 ("src: add hash expression")
    Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add offset attribute for numgen expression
  Laura Garcia Liebana, 2016-10-27; 8 files, -7/+20

    Add support to add an offset to the numgen generated value.

    Example:

    ct mark set numgen inc mod 2 offset 100

    This will generate marks with a series like 100, 101, 100, ...

    Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: fix pkttype name and add 'other' symbol
  Florian Westphal, 2016-10-27; 3 files, -5/+7

    'unicast' doesn't check for unicast packets; it checks for PACKET_HOST, i.e. a packet coming in for this host.

    A unicast address to some other machine (e.g. because nic is in promisc mode) will have PACKET_OTHER.

    At best this is misleading, so this patch changes it to 'host'. The unicast entry is retained for compat purpose.

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: don't need keyword for log level
  Pablo Neira Ayuso, 2016-10-21; 2 files, -16/+24

    We can handle log levels without keywords in our grammar, use string instead.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: update kernel modules to clean
  Arturo Borrero Gonzalez, 2016-10-21; 1 file, -2/+4

    Let's keep the kernel_cleanup() function updated with latest kernel changes:

    * added nft_quota, nft_queue, nft_numgen, nft_range
    * rename nft_hash to nft_set_hash
    * keep nft_hash as well
    * rename nft_rbtree to nft_set_rbtree

    The idea is to run each test in a clean environment.

    Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: allow to use variable to add/create/delete elements
  Pablo Neira Ayuso, 2016-10-21; 2 files, -3/+25

    Using variable definitions from element command doesn't work, eg.

    -test.nft-
    define whitelist_v4 = { 1.1.1.1 }
    table inet filter {
        set whitelist_v4 {
            type ipv4_addr;
        }
    }
    add element inet filter whitelist_v4 $whitelist_v4
    -EOF-

    # nft -f test.nft
    test.nft:7:38-38: Error: syntax error, unexpected '$', expecting '{'
    add element inet filter whitelist_v4 $whitelist_v4
                                         ^

    Fix this by using set_block_expr rule for every element command.

    This patch also comes with a new regression test.

    Reported-by: Leon Merten Lohse <leon@green-side.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: fix monitor trace crash with netdev family
  Florian Westphal, 2016-10-21; 1 file, -2/+5

    nft monitor trace crashes on first packet with:

    table netdev filter {
        chain foobar {
            type filter hook ingress device eth0 priority 0;
            udp sport 53 meta nftrace set 1
        }
    }

    We did not handle netdev family and thus generated bogus payload statements without data types.

    Netfilter Bugzilla: http://bugzilla.netfilter.org/show_bug.cgi?id=1092
    Signed-off-by: Florian Westphal <fw@strlen.de>
* src: support ct l3proto/protocol without direction syntax
  Liping Zhang, 2016-10-17; 3 files, -8/+10

    Actually, ct l3proto and ct protocol are unrelated to direction, so it's unnecessary that we must specify dir if we want to use them.

    Now add support that we can match ct l3proto/protocol without direction:

    # nft add rule filter input ct l3proto ipv4
    # nft add rule filter output ct protocol 17

    Note: existing syntax is still preserved, so "ct reply l3proto ipv6" is still fine.

    Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use new range expression for != [a,b] intervals
  Pablo Neira Ayuso, 2016-10-17; 58 files, -421/+293

    Use new range expression in the kernel to fix wrong bytecode generation.

    This patch also adjusts tests so we don't hit problems there.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: permit numeric interface type
  Florian Westphal, 2016-10-17; 1 file, -2/+13

    If we can't translate an interface index back to a name we just print the number.

    This change allows using a number instead of an interface index to make this symmetric.

    If we can't find an interface with the given name check if it's a numeric string and then use it instead.

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: fix numgen case failed due to changes in libnftnl
  Liping Zhang, 2016-09-23; 1 file, -3/+3

    In nftnl_expr_ng_snprintf_default, format "(%u)" was changed to "mod %u", so numgen test case failed:

    ...
    '[ numgen reg 1 = inc(2) ]' mismatches '[ numgen reg 1 = inc mod 2 ]'
    ...
    ip/numgen.t: 3 unit tests, 3 error, 0 warning

    Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: add more test cases for queue expr
  Liping Zhang, 2016-09-23; 2 files, -6/+17

    It's necessary to cover more test cases, for example, large queue range 1-65535, error queue number 65536.

    Also add a space before trailing square brackets, this is updated to keep consistent with other expr.

    Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix compile error due to _UNTIL renamed to _MODULUS in libnftnl
  Liping Zhang, 2016-09-12; 3 files, -4/+4

    In the latest libnftnl, NFTNL_EXPR_NG_UNTIL was renamed to NFTNL_EXPR_NG_MODULUS, so compile error happened:

    netlink_linearize.c: In function ‘netlink_gen_numgen’:
    netlink_linearize.c:184:26: error: ‘NFTNL_EXPR_NG_UNTIL’ undeclared (first use in this function)

    Also update NFTA_NG_UNTIL to NFTA_NG_MODULUS.

    Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: replace "eth0" with "lo" in dup expr tests
  Liping Zhang, 2016-09-12; 4 files, -12/+12

    This patch follows up on Manuel's commit a8871ba6daa0 ("tests: py: any: Make tests more generic by using other interfaces").

    The ifindex of "eth0" is not always 1, furthermore, "eth0" may not exist on some systems. So replacing it with "lo" will make tests more robust.

    In other test cases, "eth0" is used by iifname or oifname, so there's no need to convert it to "lo". Even if "eth0" does not exist, test will never fail.

    Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
    Signed-off-by: Florian Westphal <fw@strlen.de>
* payload: remove byteorder conversion
  Florian Westphal, 2016-09-09; 1 file, -2/+0

    This is what made ether addresses get formatted correctly with plain payload expression (ether saddr 00:11 ...) when listing rules.

    Not needed anymore since etheraddr_type is now BIG_ENDIAN.

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: catch ordering issue w. ether set
  Florian Westphal, 2016-09-09; 2 files, -3/+3

    Before previous commit, ether set (payload statement) was reversed on output:

    ether daddr set 00:03:2d:2b:74:ec

    would be shown as 'ec:74:2b:2d:03:00'.

    With ff:ff:ff ... such a bug doesn't appear so use something where it will show up.

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: ll: use big endian byte ordering
  Florian Westphal, 2016-09-09; 2 files, -5/+6

    ether daddr set 00:03:2d:2b:74:ec

    is listed as:

    ether daddr set ec:74:2b:2d:03:00

    (it was fine without 'set' keyword).

    Reason is that ether address was listed as being HOST endian.

    The payload expression (unlike statement) path contains a few conversion call sites for this, i.e.:

    if (tmp->byteorder == BYTEORDER_HOST_ENDIAN)
        mpz_switch_byteorder(tmp->value, tmp->len / BITS_PER_BYTE);

    ... it might make sense to remove those in a followup patch.

    Reported-by: Laura Garcia Liebana <nevola@gmail.com>
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: payload and conntrack statement
  Florian Westphal, 2016-09-09; 1 file, -1/+81

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: update meta expression
  Florian Westphal, 2016-09-09; 1 file, -0/+6

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: nft: document log, reject, counter, meta, limit, nat and queue statements
  Pablo Neira Ayuso, 2016-09-08; 1 file, -3/+457

    This patch adds the missing documentation for the aforementioned statements.

    This is based on original work from Shivani Bhardwaj.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: nft: add my copyright statement to the manpage
  Pablo Neira Ayuso, 2016-09-08; 1 file, -4/+17

    Update the manpage to include my copyright statement and credit me as author of this software.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: Avoid potential null pointer deref
  Pablo Neira Ayuso, 2016-09-07; 1 file, -0/+13

    Phil Sutter says:

    As netlink_get_register() may return NULL, we must not pass the returned data unchecked to expr_set_type() as that will dereference it. Since the parser has failed at that point anyway, by returning early we can skip the useless statement allocation that follows in netlink_parse_ct_stmt().

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Acked-by: Phil Sutter <phil@nwl.cc>
* tests: py: any: Remove duplicate tests
  Manuel Johannes Messner, 2016-09-06; 2 files, -15/+0

    This commit removes some duplicated tests.

    Signed-off-by: Manuel Johannes Messner <manuel.johannes.messner@hs-furtwangen.de>
    Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: py: any: Make tests more generic by using other interfaces
  Manuel Johannes Messner, 2016-09-06; 2 files, -71/+71

    Some tests use hard coded interface names and interface indexes. This commit removes these cases by exchanging "eth0" with "dummy0" and "lo" (depending on the test) in all ifname tests and by using "lo" instead of "eth0" in all interface index tests (because we can assume "lo" ifindex is 1).

    Signed-off-by: Manuel Johannes Messner <manuel.johannes.messner@hs-furtwangen.de>
    Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: py: nft-tests.py: Add function for loading and removing kernel modules
  Manuel Johannes Messner, 2016-09-06; 1 file, -0/+32

    Some tests use the dummy kernel module. This commit adds a function to automatically load that module and remove it afterwards.

    Signed-off-by: Manuel Johannes Messner <manuel.johannes.messner@hs-furtwangen.de>
    Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: display expression, statement and command name on debug
  Pablo Neira Ayuso, 2016-09-05; 1 file, -3/+31

    Extend debugging knob for evaluation to display the command, the expression and statement names.

    # nft --debug=eval add rule x y ip saddr 1.1.1.1 counter
    <cmdline>:1:1-37: Evaluate add
    add rule x y ip saddr 1.1.1.1 counter
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

    <cmdline>:1:14-29: Evaluate expression
    add rule x y ip saddr 1.1.1.1 counter
                 ^^^^^^^^^^^^^^^^
    ip saddr $1.1.1.1

    <cmdline>:1:14-29: Evaluate relational
    add rule x y ip saddr 1.1.1.1 counter
                 ^^^^^^^^^^^^^^^^
    ip saddr $1.1.1.1

    <cmdline>:1:14-21: Evaluate payload
    add rule x y ip saddr 1.1.1.1 counter
                 ^^^^^^^^
    ip saddr

    <cmdline>:1:23-29: Evaluate symbol
    add rule x y ip saddr 1.1.1.1 counter
                          ^^^^^^^

    <cmdline>:1:23-29: Evaluate value
    add rule x y ip saddr 1.1.1.1 counter
                          ^^^^^^^
    1.1.1.1

    <cmdline>:1:31-37: Evaluate counter
    add rule x y ip saddr 1.1.1.1 counter
                                  ^^^^^^^
    counter packets 0 bytes 0

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: Avoid undefined behaviour in concat_subtype_id()
  Phil Sutter, 2016-09-05; 1 file, -1/+4

    For the left side of a concat expression, dtype is NULL and therefore off is 0. In that case the code expects to get a datatype of TYPE_INVALID, but this is fragile as the output of concat_subtype_id() is undefined for n > 32 / TYPE_BITS.

    To fix this, call datatype_lookup() directly passing the expected TYPE_INVALID as argument if off is 0.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: reject: Have a generic fix for missing network context
  Phil Sutter, 2016-09-05; 1 file, -3/+1

    Commit 17b495957b29e ("evaluate: reject: fix crash if we have transport protocol conflict from inet") took care of a crash when using inet or bridge families, but since then netdev family has been added which also does not implicitly define the network context. Therefore the crash can be reproduced again using the following example:

    nft add rule netdev filter e1000-ingress \
        meta l4proto udp reject with tcp reset

    In order to fix this in a more generic way, have stmt_evaluate_reset() fall back to the generic proto_inet_service irrespective of the actual proto context.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: Fix datalen checks in expr_evaluate_string()
  Phil Sutter, 2016-09-05; 1 file, -1/+2

    I have been told that the flex scanner won't return empty strings, so strlen(data) should always be greater than 0. To avoid a hard to debug issue though, add an assert() to make sure this is always the case before risking an unsigned variable underrun.

    A real issue though is the check for 'datalen - 1 >= 0', which will never fail due to datalen being unsigned. Fix this by incrementing both sides by one, hence checking 'datalen >= 1'.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: fix memory leak in tc classid parser
  Liping Zhang, 2016-08-30; 1 file, -1/+2

    We forgot to free the str which was allocated by xstrdup, so a memory leak will happen.

    Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: adapt netlink bytecode output of numgen and hash
  Pablo Neira Ayuso, 2016-08-30; 2 files, -5/+5

    Adapt them to the revisited output string now in libnftnl.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: allow variable references in set elements definition
  Pablo Neira Ayuso, 2016-08-29; 2 files, -4/+31

    Andreas reports that he cannot use variables in set definitions:

    define s-ext-2-int = 10.10.10.10 . 25, 10.10.10.10 . 143

    set s-ext-2-int {
        type ipv4_addr . inet_service
        elements = { $s-ext-2-int }
    }

    This syntax is not correct though, since the curly braces should be placed in the variable definition itself, so we have context to handle this variable as a list of set elements. The correct syntax that works after this patch is:

    define s-ext-2-int = { 10.10.10.10 . 25, 10.10.10.10 . 143 }

    table inet forward {
        set s-ext-2-int {
            type ipv4_addr . inet_service
            elements = $s-ext-2-int
        }
    }

    Reported-by: Andreas Hainke <andreas.hainke@foteviken.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>