| Commit message | Author | Age | Files | Lines |

==4060==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 4 byte(s) in 1 object(s) allocated from:
    #0 0x7f637b64a810 in strdup (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a810)
    #1 0x7f637b17766d in xstrdup /home/pablo/devel/scm/git-netfilter/nftables/src/utils.c:75
    #2 0x7f637b1ddce9 in nft_parse /home/pablo/devel/scm/git-netfilter/nftables/src/parser_bison.c:5792
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

==29581==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 1034 byte(s) in 152 object(s) allocated from:
    #0 0x7f7b55f1b810 in strdup (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a810)
    #1 0x7f7b559597e0 in xstrdup /home/pablo/devel/scm/git-netfilter/nftables/src/utils.c:75
    #2 0x7f7b55a494a0 in nft_lex /home/pablo/devel/scm/git-netfilter/nftables/src/scanner.l:641
    #3 0x7f7b559cec25 in nft_parse /home/pablo/devel/scm/git-netfilter/nftables/src/parser_bison.c:5792
    #4 0x7f7b5597e318 in nft_parse_bison_filename /home/pablo/devel/scm/git-netfilter/nftables/src/libnftables.c:392
    #5 0x7f7b5597f864 in nft_run_cmd_from_filename /home/pablo/devel/scm/git-netfilter/nftables/src/libnftables.c:495
    #6 0x562a25bbce71 in main /home/pablo/devel/scm/git-netfilter/nftables/src/main.c:457
    #7 0x7f7b5457509a in __libc_start_main ../csu/libc-start.c:308
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This helper function adds a statement at the end of the rule statement
list and it updates the rule statement counter.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This helper function adds a statement at a given position and it updates
the rule statement counter.
This patch fixes this:
flush table bridge test-bridge
add rule bridge test-bridge input vlan id 1 ip saddr 10.0.0.1
rule.c:2870:5: runtime error: index 2 out of bounds for type 'stmt *[*]'
=================================================================
==1043==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffdd69c1350 at pc 0x7f1036f53330 bp 0x7ffdd69c1300 sp 0x7ffdd69c12f8
WRITE of size 8 at 0x7ffdd69c1350 thread T0
    #0 0x7f1036f5332f in payload_try_merge /home/mbr/nftables/src/rule.c:2870
    #1 0x7f1036f534b7 in rule_postprocess /home/mbr/nftables/src/rule.c:2885
    #2 0x7f1036fb2785 in rule_evaluate /home/mbr/nftables/src/evaluate.c:3744
    #3 0x7f1036fb627b in cmd_evaluate_add /home/mbr/nftables/src/evaluate.c:3982
    #4 0x7f1036fbb9e9 in cmd_evaluate /home/mbr/nftables/src/evaluate.c:4462
    #5 0x7f10370652d2 in nft_evaluate /home/mbr/nftables/src/libnftables.c:414
    #6 0x7f1037065ba1 in nft_run_cmd_from_buffer /home/mbr/nftables/src/libnftables.c:447
Reported-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Code wasn't aware of prefix elements in interval sets. With previous
changes in place, they merely need to be accepted in
get_set_interval_find() - value comparison and expression duplication is
identical to ranges.
Extend sets/0034get_element_0 test to cover prefixes as well. While
being at it, also cover concatenated ranges.
Signed-off-by: Phil Sutter <phil@nwl.cc>

Both functions were very similar already. Under the assumption that they
will always either see a range (or start of) that matches exactly or not
at all, reduce complexity and make get_set_interval_find() accept NULL
(left or) right values. This way it becomes a full replacement for
get_set_interval_end().
Signed-off-by: Phil Sutter <phil@nwl.cc>

Both functions perform interval set lookups with either start and end or
only start values as input. Interestingly, in practice they either see
values which are not contained or which match an existing range exactly.
Make use of the above and just return a clone of the matching entry
instead of creating a new one based on input data.
Signed-off-by: Phil Sutter <phil@nwl.cc>

This probable copy'n'paste bug prevented 'expiration' field from being
populated when turning a range into a prefix in
interval_map_decompose(). Consequently, interval sets with timeout did
print expiry value for ranges (such as 10.0.0.1-10.0.0.5) but not
prefixes (10.0.0.0/8, for instance).
Fixes: bb0e6d8a2851b ("segtree: incorrect handling of comments and timeouts with mapping")
Signed-off-by: Phil Sutter <phil@nwl.cc>

Without this patch, get_optstring returns optstring = +hvVcf:insNSI:d:aejuy.
After this patch, get_optstring returns optstring = +hvVcf:insNSI:d:aejuypTt
This is due to optstring containing up to two chars per option, thus it was too
short.
Fixes: 906facf31d1d ("main: fix ASAN -fsanitize=address error in get_optstring()")
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Instead of using an (possibly outdated) system nft to generate dumps,
use the newly built tool.
This fixes the dump output being corrupted if the system tool does
not support parsing new features.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

nft list table bridge t
table bridge t {
    set s4 {
        typeof ip saddr . ip daddr
        elements = { 1.0.0.1 . 2.0.0.2 }
    }
}
=================================================================
==24334==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000000a8 at pc 0x7fe0e67df0ad bp 0x7ffff83e88c0 sp 0x7ffff83e88b8
READ of size 4 at 0x6080000000a8 thread T0
    #0 0x7fe0e67df0ac in datatype_free nftables/src/datatype.c:1110
    #1 0x7fe0e67e2092 in expr_free nftables/src/expression.c:89
    #2 0x7fe0e67a855e in set_free nftables/src/rule.c:359
    #3 0x7fe0e67b2f3e in table_free nftables/src/rule.c:1263
    #4 0x7fe0e67a70ce in __cache_flush nftables/src/rule.c:299
    #5 0x7fe0e67a71c7 in cache_release nftables/src/rule.c:305
    #6 0x7fe0e68dbfa9 in nft_ctx_free nftables/src/libnftables.c:292
    #7 0x55f00fbe0051 in main nftables/src/main.c:469
    #8 0x7fe0e553309a in __libc_start_main ../csu/libc-start.c:308
    #9 0x55f00fbdd429 in _start (nftables/src/.libs/nft+0x9429)
0x6080000000a8 is located 8 bytes inside of 96-byte region [0x6080000000a0,0x608000000100)
freed by thread T0 here:
    #0 0x7fe0e6e70fb0 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8fb0)
    #1 0x7fe0e68b8122 in xfree nftables/src/utils.c:29
    #2 0x7fe0e67df2e5 in datatype_free nftables/src/datatype.c:1117
    #3 0x7fe0e67e2092 in expr_free nftables/src/expression.c:89
    #4 0x7fe0e67a83fe in set_free nftables/src/rule.c:356
    #5 0x7fe0e67b2f3e in table_free nftables/src/rule.c:1263
    #6 0x7fe0e67a70ce in __cache_flush nftables/src/rule.c:299
    #7 0x7fe0e67a71c7 in cache_release nftables/src/rule.c:305
    #8 0x7fe0e68dbfa9 in nft_ctx_free nftables/src/libnftables.c:292
    #9 0x55f00fbe0051 in main nftables/src/main.c:469
    #10 0x7fe0e553309a in __libc_start_main ../csu/libc-start.c:308
previously allocated by thread T0 here:
    #0 0x7fe0e6e71330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x7fe0e68b813d in xmalloc nftables/src/utils.c:36
    #2 0x7fe0e68b8296 in xzalloc nftables/src/utils.c:65
    #3 0x7fe0e67de7d5 in dtype_alloc nftables/src/datatype.c:1065
    #4 0x7fe0e67df862 in concat_type_alloc nftables/src/datatype.c:1146
    #5 0x7fe0e67ea852 in concat_expr_parse_udata nftables/src/expression.c:954
    #6 0x7fe0e685dc94 in set_make_key nftables/src/netlink.c:718
    #7 0x7fe0e685e177 in netlink_delinearize_set nftables/src/netlink.c:770
    #8 0x7fe0e685f667 in list_set_cb nftables/src/netlink.c:895
    #9 0x7fe0e4f95a03 in nftnl_set_list_foreach src/set.c:904
SUMMARY: AddressSanitizer: heap-use-after-free nftables/src/datatype.c:1110 in datatype_free
==24334==ABORTING
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

../include/utils.h:120:5: runtime error: left shift of 1103101952 by 1 places cannot be represented in type 'int'
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

nft list table bridge t
=================================================================
==28552==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5579c662e816 at pc 0x7fc2803246aa bp 0x7fff495c86f0 sp 0x7fff495c7ea0
WRITE of size 2 at 0x5579c662e816 thread T0
    #0 0x7fc2803246a9 in vsprintf (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x546a9)
    #1 0x7fc2803249f6 in __interceptor_sprintf (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x549f6)
    #2 0x5579c661e7d2 in get_optstring nftables/src/main.c:128
    #3 0x5579c66202af in main nftables/src/main.c:315
    #4 0x7fc27ea7b09a in __libc_start_main ../csu/libc-start.c:308
    #5 0x5579c661e439 in _start (nftables/src/.libs/nft+0x9439)
0x5579c662e816 is located 0 bytes to the right of global variable 'optstring' defined in 'main.c:121:14' (0x5579c662e800) of size 22
0x5579c662e816 is located 42 bytes to the left of global variable 'options' defined in 'main.c:137:23' (0x5579c662e840) of size 672
SUMMARY: AddressSanitizer: global-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x546a9) in vsprintf
==28552==ABORTING
Fixes: 719e44277f8e ("main: use one data-structure to initialize getopt_long(3) arguments and help.")
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

The 'id' key allows for matching on the id of the conntrack entry.
v2: Remove ct_id_type
Signed-off-by: Brett Mastbergen <brett.mastbergen@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

The set->init and expr arguments might actually refer to the same list
of elements. Skip set element cache update introduced by dd44081d91ce
("segtree: Fix add and delete of element in same batch") otherwise
list_splice_tail_init() actually operates with the same list as
arguments. Valgrind reports this problem as a memleak since the result
of this operation was an empty set element list.
Fixes: dd44081d91ce ("segtree: Fix add and delete of element in same batch")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch invokes interval_map_decompose() with named sets:
==3402== 2,352 (128 direct, 2,224 indirect) bytes in 1 blocks are definitely lost in loss record 9 of 9
==3402==    at 0x483577F: malloc (vg_replace_malloc.c:299)
==3402==    by 0x48996A8: xmalloc (utils.c:36)
==3402==    by 0x4899778: xzalloc (utils.c:65)
==3402==    by 0x487CB46: expr_alloc (expression.c:45)
==3402==    by 0x487E2A0: mapping_expr_alloc (expression.c:1140)
==3402==    by 0x4898AA8: interval_map_decompose (segtree.c:1095)
==3402==    by 0x4872BDF: __do_add_setelems (rule.c:1569)
==3402==    by 0x4872BDF: __do_add_setelems (rule.c:1559)
==3402==    by 0x4877936: do_command (rule.c:2710)
==3402==    by 0x489F1CB: nft_netlink.isra.5 (libnftables.c:42)
==3402==    by 0x489FB07: nft_run_cmd_from_filename (libnftables.c:508)
==3402==    by 0x10A9AA: main (main.c:455)
Fixes: dd44081d91ce ("segtree: Fix add and delete of element in same batch")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch transforms a range of IP addresses into a prefix when listing the
ruleset.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

table bridge t {
    set s3 {
        typeof meta ibrpvid
        elements = { 2, 3, 103 }
    }
}
# nft --debug=netlink -f test.nft
s3 t 0
s3 t 0
element 00000100 : 0 [end] element 00000200 : 0 [end] element 00000300 : 0 [end]
        ^^^^^^^^
The integer_type uses BYTEORDER_INVALID byteorder (which is implicitly
handled as BYTEORDER_BIG_ENDIAN).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Service name printing is not the default these days; using service names
with ranges is misleading.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

(null) (null) b size 1
The debugging output displays table and set names as (null). This patch
sets the table and name before displaying the netlink debugging, then
unset them to not break the extended error support.
Fixes: 086ec6f30c96 ("mnl: extended error support for create command")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Fix a crash when map is not specified, e.g.
nft add rule x y snat ip addr . port to 1.1.1.1 . 22
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Replace ipportmap boolean field by flags.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch allows you to specify an interval of IP address in maps.
table ip x {
    chain y {
        type nat hook postrouting priority srcnat; policy accept;
        snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24 }
    }
}
The example above performs SNAT on packets that come from
10.141.11.0/24 using the prefix 192.168.2.0/24, e.g. 10.141.11.4 is
mangled to 192.168.2.4.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch allows you to specify an interval of IP address in maps.
table ip x {
    chain y {
        type nat hook postrouting priority srcnat; policy accept;
        snat ip interval to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 }
    }
}
The example above performs SNAT on packets that come from 10.141.11.4
to an interval of IP addresses from 192.168.2.2 to 192.168.2.4 (both
included).
You can also combine this with dynamic maps:
table ip x {
    map y {
        type ipv4_addr : interval ipv4_addr
        flags interval
        elements = { 10.141.10.0/24 : 192.168.2.2-192.168.2.4 }
    }
    chain y {
        type nat hook postrouting priority srcnat; policy accept;
        snat ip interval to ip saddr map @y
    }
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

The generated files are included in the tarballs already, but
configure.ac was coded to fail if yacc/lex were not found regardless.
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Most projects ship pre-generated man pages in the distribution tarball
so that builders don't need the documentation tools installed, similar
to how bison-generated sources are included.
To do this, we conditionalize the presence check of a2x on whether nft.8
already exists in the source directory, as it would exist if included in
the distribution tarball.
Secondly, we move the 'if BUILD_MAN' conditional to around the man page
generation rules. This ensures that the man pages are unconditionally
installed. Also only add the man pages to CLEANFILES if their generation
is enabled.
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Initialize list of timeout policies from ct_timeout_block.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1403
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Pablo reports that nft, after commit 8ac2f3b2fca3 ("src: Add support
for concatenated set ranges"), crashes with older kernels (< 5.6)
without support for concatenated set ranges: those sets will be sent
to the kernel, which adds them without notion of the fact that
different concatenated fields are actually included, and nft crashes
while trying to list this kind of malformed concatenation.
Use the NFT_SET_CONCAT flag introduced by kernel commit ef516e8625dd
("netfilter: nf_tables: reintroduce the NFT_SET_CONCAT flag") when
sets including concatenated ranges are sent to the kernel, so that
older kernels (with no knowledge of this flag itself) will refuse set
creation.
Note that, in expr_evaluate_set(), we have to check for the presence
of the flag, also on empty sets that might carry it in context data,
and actually set it in the actual set flags.
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Get this header in sync with nf.git as of commit ef516e8625dd.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Segfault on error reporting when intervals overlap.
ip saddr vmap {
    10.0.1.0-10.0.1.255 : accept,
    10.0.1.1-10.0.2.255 : drop
}
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1415
Fixes: 4d6ad0f310d6 ("segtree: check for overlapping elements at insertion")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

The hashing expressions jhash and symhash are missing in the
nft manual.
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Pablo reports following list bug:
table ip foo {
    map whitelist {
        typeof ip saddr . ip daddr : meta mark
        elements = { 0x0 [invalid type] . 0x0 [invalid type] : 0x00000001,
                     0x0 [invalid type] . 0x0 [invalid type] : 0x00000002 }
    }
}
Problem is that concat provided 'invalid' dtype.
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>

Update release name based on Jazz series,
Jo Jones Trio's "Jive at Five":
https://www.youtube.com/watch?v=phFyIKf2h4s&list=PL_i-72Hx6rt7eQ6D_lxoKEUx5Gk7SRfX3&index=13&t=0s
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

When "nft monitor trace" doesn't know a rule (because it was only added
to the ruleset after nft was invoked), that rule is silently omitted in
the trace output, which can come as a surprise when debugging issues.
Instead, we can at least show the information we got via netlink, i.e.
the family, table and chain name, rule handle and verdict.
Signed-off-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

# ./configure --with-xtable --with-json
...
# make
...
# make install
...
# nft -V
nftables v0.9.3 (Topsy)
  cli:		readline
  json:		no
  minigmp:	yes
  libxtables:	yes
json: and minigmp: are accidentally swapped.
I introduced this bug while mangling Jeremy's original patch.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Remove extra string after error, location is sufficient.
# nft -f x
/tmp/x:3:8-11: Error: unknown chain type
    type nput hook input device eth0 priority 0
         ^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

# nft -f /tmp/x
/tmp/x:3:26-36: Error: This chain type cannot be bound to device
    type filter hook input device eth0 priority 0
                           ^^^^^^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

# nft -f /tmp/x.nft
/tmp/x.nft:3:20-24: Error: The netdev family does not support this hook
    type filter hook input device eth0 priority 0
                     ^^^^^
# nft -f /tmp/x.nft
/tmp/x.nft:3:3-49: Error: Missing `device' in this chain definition
    type filter hook ingress device eth0 priority 0
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Wrap basechain definition field around structure, add field later.
This is useful for error reporting.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Store location of chain hook definition.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

# cat /tmp/x
table x {
    set y {
        type ipv4_addr
        elements = {
            1.1.1.1 counter packets 1 bytes 67,
        }
    }
}
# nft -f /tmp/x
/tmp/x:5:12-18: Error: missing counter statement in set definition
            1.1.1.1 counter packets 1 bytes 67,
            ^^^^^^^^^^^^^^^^^^^^^^^^^^
Instead, this should be:
table x {
    set y {
        type ipv4_addr
        counter        <-------
        elements = {
            1.1.1.1 counter packets 1 bytes 67,
        }
    }
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Allow users to enable flow counters via control plane toggle, e.g.
table ip x {
    flowtable y {
        hook ingress priority 0;
        counter;
    }
    chain z {
        type filter hook ingress priority filter;
        flow add @z
    }
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Fetch recent updates to the kernel header.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

non-overlapping ranges
Insertion of overlapping ranges should return success only if the new
elements are identical to existing ones, or, for concatenated ranges,
if the new element is less specific (in all its fields) than any
existing one.
Note that, in case the range is identical to an existing one, insertion
won't actually be performed, but no error will be returned either on
'add element'.
This was inspired by a failing case reported by Phil Sutter (where
concatenated overlapping ranges would fail insertion silently) and is
fixed by kernel series with subject:
nftables: Consistently report partial and entire set overlaps
With that series, these tests now pass also if the call to set_overlap()
on insertion is skipped. Partial or entire overlapping was already
detected by the kernel for concatenated ranges (nft_set_pipapo) from
the beginning, and that series makes the nft_set_rbtree implementation
consistent in terms of detection and reporting. Without that, overlap
checks are performed by nft but not guaranteed by the kernel.
However, we can't just drop set_overlap() now, as we need to preserve
compatibility with older kernels.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Update tests according to 6c84577b0d23 ("evaluate: add range specified
flag setting (missing NF_NAT_RANGE_PROTO_SPECIFIED)")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch allows you to turn on counter for each element in the set.
table ip x {
    set y {
        typeof ip saddr
        counter
        elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 }
    }
    chain z {
        type filter hook output priority filter; policy accept;
        ip daddr @y
    }
}
This example shows how to turn on counters globally in the set 'y'.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

NF_NAT_RANGE_PROTO_SPECIFIED)
Sergey reports:
With nf_tables it is not possible to use a port range for masquerading.
The masquerade statement has the option "to [:port-port]", which has no
effect on translation behavior. But it must change the source port of
the packet to one from the ":port-port" range.
My network:
+-----------------------------+
|           ROUTER            |
|                             |
|                   Masquerade|
|   10.0.0.1         1.1.1.1  |
|   +------+        +------+  |
|   | eth1 |        | eth2 |  |
+-+--^---+-----------+---^--+-+
     |                   |
     |                   |
+----v------+     +------v----+
|           |     |           |
|  10.0.0.2 |     |  1.1.1.2  |
|           |     |           |
|PC1        |     |PC2        |
+-----------+     +-----------+
For testing I used a rule like this:
rule ip nat POSTROUTING oifname eth2 masquerade to :666
Run netcat to 1.1.1.2 667 (UDP) and get a dump from PC2:
15:22:25.591567 a8:f9:4b:aa:08:44 > a8:f9:4b:ac:e7:8f, ethertype IPv4 (0x0800), length 60: 1.1.1.1.34466 > 1.1.1.2.667: UDP, length 1
Address translation works fine, but the source port does not belong to
the specified range.
I see in similar source code (i.e. nft_redir.c, nft_nat.c) that
the NF_NAT_RANGE_PROTO_SPECIFIED flag is set there. After adding this,
I repeated the test for a kernel with this patch, and got this dump:
16:16:22.324710 a8:f9:4b:aa:08:44 > a8:f9:4b:ac:e7:8f, ethertype IPv4 (0x0800), length 60: 1.1.1.1.666 > 1.1.1.2.667: UDP, length 1
Now it works fine.
Reported-by: Sergey Marinkevich <s@marinkevich.ru>
Tested-by: Sergey Marinkevich <s@marinkevich.ru>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
