summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* concat: provide proper dtype when parsing typeof udataFlorian Westphal2020-04-013-5/+21
| | | | | | | | | | | | | | | | Pablo reports following list bug: table ip foo { map whitelist { typeof ip saddr . ip daddr : meta mark elements = { 0x0 [invalid type] . 0x0 [invalid type] : 0x00000001, 0x0 [invalid type] . 0x0 [invalid type] : 0x00000002 } } } Problem is that concat provided 'invalid' dtype. Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* build: Bump version to v0.9.4v0.9.4Pablo Neira Ayuso2020-04-011-3/+3
| | | | | | | | | Update release name based on Jazz series, Jo Jones Trio's "Jive at Five": https://www.youtube.com/watch?v=phFyIKf2h4s&list=PL_i-72Hx6rt7eQ6D_lxoKEUx5Gk7SRfX3&index=13&t=0s Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: Show the handles of unknown rules in "nft monitor trace"Luis Ressel2020-04-011-15/+27
| | | | | | | | | | | | When "nft monitor trace" doesn't know a rule (because it was only added to the ruleset after nft was invoked), that rule is silently omitted in the trace output, which can come as a surprise when debugging issues. Instead, we can at least show the information we got via netlink, i.e. the family, table and chain name, rule handle and verdict. Signed-off-by: Luis Ressel <aranea@aixah.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: swap json and gmp fields in nft -VPablo Neira Ayuso2020-04-011-1/+1
| | | | | | | | | | | | | | | | | | | | | # ./configure --with-xtable --with-json ... # make ... # make install ... # nft -V nftables v0.9.3 (Topsy) cli: readline json: no minigmp: yes libxtables: yes json: and minigmp: are accidentally swapped. I introduced this bug while mangling Jeremy's original patch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: simplify error in chain type and hookPablo Neira Ayuso2020-03-311-3/+3
| | | | | | | | | | | Remove extra string after error, location is sufficient. # nft -f x /tmp/x:3:8-11: Error: unknown chain type type nput hook input device eth0 priority 0 ^^^^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: check for device in non-netdev chainsPablo Neira Ayuso2020-03-311-0/+3
| | | | | | | | | # nft -f /tmp/x /tmp/x:3:26-36: Error: This chain type cannot be bound to device type filter hook input device eth0 priority 0 ^^^^^^^^^^^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: improve error reporting in netdev ingress chainPablo Neira Ayuso2020-03-311-2/+9
| | | | | | | | | | | | | | # nft -f /tmp/x.nft /tmp/x.nft:3:20-24: Error: The netdev family does not support this hook type filter hook input device eth0 priority 0 ^^^^^ # nft -f /tmp/x.nft /tmp/x.nft:3:3-49: Error: Missing `device' in this chain definition type filter hook ingress device eth0 priority 0 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: store location of basechain definitionPablo Neira Ayuso2020-03-312-7/+11
| | | | | | | Wrap basechain definition field around structure, add field later. This is useful for error reporting. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: add hook_specPablo Neira Ayuso2020-03-318-34/+40
| | | | | | Store location of chain hook definition. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: display error if set statement is missingPablo Neira Ayuso2020-03-271-7/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | # cat /tmp/x table x { set y { type ipv4_addr elements = { 1.1.1.1 counter packets 1 bytes 67, } } } # nft -f /tmp/x /tmp/x:5:12-18: Error: missing counter statement in set definition 1.1.1.1 counter packets 1 bytes 67, ^^^^^^^^^^^^^^^^^^^^^^^^^^ Instead, this should be: table x { set y { type ipv4_addr counter <------- elements = { 1.1.1.1 counter packets 1 bytes 67, } } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for flowtable counterPablo Neira Ayuso2020-03-265-0/+14
| | | | | | | | | | | | | | | | | | Allow users to enable flow counters via control plane toggle, e.g. table ip x { flowtable y { hook ingress priority 0; counter; } chain z { type filter hook ingress priority filter; flow add @z } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: resync nf_tables.h cache copyPablo Neira Ayuso2020-03-261-0/+25
| | | | | | Fetch recent updates to the kernel header. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: Introduce test for insertion of overlapping and ↵Stefano Brivio2020-03-261-0/+66
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | non-overlapping ranges Insertion of overlapping ranges should return success only if the new elements are identical to existing ones, or, for concatenated ranges, if the new element is less specific (in all its fields) than any existing one. Note that, in case the range is identical to an existing one, insertion won't actually be performed, but no error will be returned either on 'add element'. This was inspired by a failing case reported by Phil Sutter (where concatenated overlapping ranges would fail insertion silently) and is fixed by kernel series with subject: nftables: Consistently report partial and entire set overlaps With that series, these tests now pass also if the call to set_overlap() on insertion is skipped. Partial or entire overlapping was already detected by the kernel for concatenated ranges (nft_set_pipapo) from the beginning, and that series makes the nft_set_rbtree implementation consistent in terms of detection and reporting. Without that, overlap checks are performed by nft but not guaranteed by the kernel. However, we can't just drop set_overlap() now, as we need to preserve compatibility with older kernels. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: update nat expressions payload to include proto flagsPablo Neira Ayuso2020-03-208-29/+29
| | | | | | | Update tests according to 6c84577b0d23 ("evaluate: add range specified flag setting (missing NF_NAT_RANGE_PROTO_SPECIFIED)") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for counter in set definitionPablo Neira Ayuso2020-03-206-0/+37
| | | | | | | | | | | | | | | | | | | | | This patch allows you to turn on counter for each element in the set. table ip x { set y { typeof ip saddr counter elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 } } chain z { type filter hook output priority filter; policy accept; ip daddr @y } } This example shows how to turn on counters globally in the set 'y'. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: add range specified flag setting (missing ↵Pablo Neira Ayuso2020-03-191-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | NF_NAT_RANGE_PROTO_SPECIFIED) Sergey reports: With nf_tables it is not possible to use port range for masquerading. Masquerade statement has option "to [:port-port]" which give no effect to translation behavior. But it must change source port of packet to one from ":port-port" range. My network: +-----------------------------+ | ROUTER | | | | Masquerade| | 10.0.0.1 1.1.1.1 | | +------+ +------+ | | | eth1 | | eth2 | | +-+--^---+-----------+---^--+-+ | | | | +----v------+ +------v----+ | | | | | 10.0.0.2 | | 1.1.1.2 | | | | | |PC1 | |PC2 | +-----------+ +-----------+ For testing i used rule like this: rule ip nat POSTROUTING oifname eth2 masquerade to :666 Run netcat for 1.1.1.2 667(UDP) and get dump from PC2: 15:22:25.591567 a8:f9:4b:aa:08:44 > a8:f9:4b:ac:e7:8f, ethertype IPv4 (0x0800), length 60: 1.1.1.1.34466 > 1.1.1.2.667: UDP, length 1 Address translation works fine, but source port are not belongs to specified range. I see in similar source code (i.e. nft_redir.c, nft_nat.c) that there is setting NF_NAT_RANGE_PROTO_SPECIFIED flag. After adding this, repeat test for kernel with this patch, and get dump: 16:16:22.324710 a8:f9:4b:aa:08:44 > a8:f9:4b:ac:e7:8f, ethertype IPv4 (0x0800), length 60: 1.1.1.1.666 > 1.1.1.2.667: UDP, length 1 Now it is works fine. Reported-by: Sergey Marinkevich <s@marinkevich.ru> Tested-by: Sergey Marinkevich <s@marinkevich.ru> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for restoring element countersPablo Neira Ayuso2020-03-184-2/+40
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch allows you to restore counters in dynamic sets: table ip test { set test { type ipv4_addr size 65535 flags dynamic,timeout timeout 30d gc-interval 1d elements = { 192.168.10.13 expires 19d23h52m27s576ms counter packets 51 bytes 17265 } } chain output { type filter hook output priority 0; update @test { ip saddr } } } You can also add counters to elements from the control place, ie. table ip test { set test { type ipv4_addr size 65535 elements = { 192.168.2.1 counter packets 75 bytes 19043 } } chain output { type filter hook output priority filter; policy accept; ip daddr @test } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: remove unused parameter from netlink_gen_stmt_stateful()Pablo Neira Ayuso2020-03-181-23/+13
| | | | | | Remove context from netlink_gen_stmt_stateful(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Move tcpopt.t to any/ directoryPhil Sutter2020-03-1013-1528/+649
| | | | | | | Merge tcpopt.t files in ip, ip6 and inet into a common one, they were just marignally different. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests/py: Add tests involving concatenated rangesPhil Sutter2020-03-105-0/+77
| | | | | | | | | | | | | | | Very basic testing, just a set definition, a rule which references it and another one with an anonymous set. Sadly this is already enough to expose some pending issues: * Payload dependency killing ignores the concatenated IP header expressions on LHS, so rule output is asymmetric. * Anonymous sets don't accept concatenated ranges yet, so the second rule is manually disabled for now. Signed-off-by: Phil Sutter <phil@nwl.cc>
* parser_json: Support ranges in concat expressionsPhil Sutter2020-03-101-22/+29
| | | | | | | | | | Duplicate commit 8ac2f3b2fca38's changes to bison parser into JSON parser by introducing a new context flag signalling we're parsing concatenated expressions. Fixes: 8ac2f3b2fca38 ("src: Add support for concatenated set ranges") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Eric Garver <eric@garver.life>
* tests/py: Fix JSON output for changed timezonePhil Sutter2020-03-101-1/+1
| | | | | | | | When setting a fixed timezone, JSON expected output for one (known) asymmetric rule was left out by accident. Fixes: 7e326d697ecf4 ("tests/py: Set a fixed timezone in nft-test.py") Signed-off-by: Phil Sutter <phil@nwl.cc>
* main: use one data-structure to initialize getopt_long(3) arguments and help.Jeremy Sowden2020-03-101-113/+138
| | | | | | | | By generating the getopt_long(3) optstring and options, and the help from one source, we reduce the chance that they may get out of sync. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: interpolate default include path into help format-string.Jeremy Sowden2020-03-101-2/+2
| | | | | | | | The default include path is a string literal defined as a preprocessor macro by autoconf. We can just interpolate it. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: include '--reversedns' in help.Jeremy Sowden2020-03-101-1/+1
| | | | | | | The long option for '-N' was omitted from the help. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: include '-d' in help.Jeremy Sowden2020-03-101-20/+20
| | | | | | | The short option for '--debug' was omitted from the help. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: fix rshift statement expression.Jeremy Sowden2020-03-091-1/+1
| | | | | | | | | The RHS of RSHIFT statement expressions should be primary_stmt_expr, not primary_rhs_expr. Fixes: dccab4f646b4 ("parser_bison: consolidate stmt_expr rule") Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: remove duplicates from option string.Jeremy Sowden2020-03-051-1/+1
| | | | | | | | The string of options passed to getopt_long(3) contains duplicates. Update it to match the opt_vals enum which immediately precedes it. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* main: add more information to `nft -V`.Jeremy Sowden2020-03-052-1/+54
| | | | | | | | | | | | | | | | | In addition to the package-version and release-name, output the CLI implementation (if any) and whether mini-gmp was used, e.g.: $ ./src/nft -V nftables v0.9.3 (Topsy) cli: linenoise json: yes minigmp: no libxtables: yes [pablo@netfilter.org: add json and libxtables, use -V ] Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix leaks.Jeremy Sowden2020-03-042-0/+3
| | | | | | | Some bitmask variables are not cleared. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* netlink_delinearize: set shift RHS byte-order.Jeremy Sowden2020-03-041-0/+1
| | | | | | | The RHS operand for bitwise shift is in HBO. Set this explicitly. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: no need to swap byte-order for values of fewer than 16 bits.Jeremy Sowden2020-03-042-5/+1
| | | | | | | | | Endianness is not meaningful for objects smaller than 2 bytes and the byte-order conversions are no-ops in the kernel, so just update the expression as if it were constant. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: convert the byte-order of payload statement arguments.Jeremy Sowden2020-03-041-0/+5
| | | | | | | | | | | Since shift operations require host byte-order, we need to be able to convert the result of the shift back to network byte-order, in a rule like: nft add rule ip t c tcp dport set tcp dport lshift 1 Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: don't evaluate payloads twice.Jeremy Sowden2020-03-042-0/+6
| | | | | | | | | Payload munging means that evaluation of payload expressions may not be idempotent. Add a flag to prevent them from being evaluated more than once. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: simplify calculation of payload size.Jeremy Sowden2020-03-041-2/+2
| | | | | | | Use div_round_up and one statement. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: add separate variables for lshift and xor binops.Jeremy Sowden2020-03-041-17/+17
| | | | | | | | stmt_evaluate_payload has distinct variables for some, but not all, the binop expressions it creates. Add variables for the rest. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: support for offload chain flagPablo Neira Ayuso2020-03-035-0/+17
| | | | | | | | | | | | | | | | | | | | This patch extends the basechain definition to allow users to specify the offload flag. This flag enables hardware offload if your drivers supports it. # cat file.nft table netdev x { chain y { type filter hook ingress device eth0 priority 10; flags offload; } } # nft -f file.nft Note: You have to enable offload via ethtool: # ethtool -K eth0 hw-tc-offload on Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: update nat_addr_port with typeof+concat mapsFlorian Westphal2020-02-262-0/+80
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* expressions: concat: add typeof supportFlorian Westphal2020-02-261-0/+136
| | | | | | | | | | | | | | | | | | | | | Previous patches allow to pass concatenations as the mapped-to data type. This doesn't work with typeof() because the concat expression has no support to store the typeof data in the kernel, leading to: map t2 { typeof numgen inc mod 2 : ip daddr . tcp dport being shown as type 0 : ipv4_addr . inet_service ... which can't be parsed back by nft. This allows the concat expression to store the sub-expressions in set of nested attributes. Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: stmt_evaluate_nat_map() only if stmt->nat.ipportmap == truePablo Neira Ayuso2020-02-251-17/+11
| | | | | | | stmt_evaluate_nat_map() is only called when the parser sets on stmt->nat.ipportmap. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: adjust tests to new nat concatenation syntaxPablo Neira Ayuso2020-02-242-16/+16
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: nat concatenation support with anonymous mapsPablo Neira Ayuso2020-02-245-3/+32
| | | | | | | | | This patch extends the parser to define the mapping datatypes, eg. ... dnat ip addr . port to ip saddr map { 1.1.1.1 : 2.2.2.2 . 30 } ... dnat ip addr . port to ip saddr map @y Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: nat: add and use maps with both address and serviceFlorian Westphal2020-02-242-0/+160
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow nat maps containing both ip(6) address and portFlorian Westphal2020-02-244-1/+123
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | nft will now be able to handle map destinations { type ipv4_addr . inet_service : ipv4_addr . inet_service } chain f { dnat to ip daddr . tcp dport map @destinations } Something like this won't work though: meta l4proto tcp dnat ip6 to numgen inc mod 4 map { 0 : dead::f001 . 8080, .. as we lack the type info to properly dissect "dead::f001" as an ipv6 address. For the named map case, this info is available in the map definition, but for the anon case we'd need to resort to guesswork. Support is added by peeking into the map definition when evaluating a nat statement with a map. Right now, when a map is provided as address, we will only check that the mapped-to data type matches the expected size (of an ipv4 or ipv6 address). After this patch, if the mapped-to type is a concatenation, it will take a peek at the individual concat expressions. If its a combination of address and service, nft will translate this so that the kernel nat expression looks at the returned register that would store the inet_service part of the octet soup returned from the lookup expression. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: add two new helpersFlorian Westphal2020-02-241-29/+32
| | | | | | | | | | | In order to support 'dnat to ip saddr map @foo', where @foo returns both an address and a inet_service, we will need to peek into the map and process the concatenations sub-expressions. Add two helpers for this, will be used in followup patches. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: handle concatenations on set elements mappingsFlorian Westphal2020-02-241-0/+7
| | | | | | | | | | We can already handle concatenated keys, this extends concat coverage to the data type as well, i.e. this can be dissected: type ipv4_addr : ipv4_addr . inet_service Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: process concat expressions when used as mapped-to exprFlorian Westphal2020-02-241-0/+4
| | | | | | | | | Needed to avoid triggering the 'dtype->size == 0' tests. Evaluation will build a new concatenated type that holds the size of the aggregate. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add initial nat map testFlorian Westphal2020-02-242-0/+96
| | | | | | | | | | | Will be extended to cover upcoming 'dnat to ip saddr . tcp dport map { \ 1.2.3.4 . 80 : 5.6.7.8 : 8080, 2.2.3.4 . 80 : 7.6.7.8 : 1234, ... Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expression: use common code for expr_ops/expr_ops_by_typeFlorian Westphal2020-02-232-20/+16
| | | | | | | Useless duplication. Also, this avoids bloating expr_ops_by_type() when it needs to cope with more expressions. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: avoid spurious failure when running in host namespaceFlorian Westphal2020-02-222-2/+2
| | | | | | | | | | Dump validation may fail: - tcp dport { 22, 23 } counter packets 0 bytes 0 + tcp dport { 22, 23 } counter packets 9 bytes 3400 ... which is normal on host namespace. Signed-off-by: Florian Westphal <fw@strlen.de>