summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Revert "monitor: do not print generation ID with --echo"HEADmasterPablo Neira Ayuso21 hours2-2/+2
| | | | | | | | | | | | | Revert 0e258556f7f3 ("monitor: do not print generation ID with --echo"). There is actually a kernel bug which is preventing from displaying this generation ID message. Update the tests/shell to remove the last line of the --echo output which displays the generation ID once the "netfilter: nftables: fix netlink report logic in flowtable and genid" kernel fix is applied. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* monitor: do not print generation ID with --echoPablo Neira Ayuso40 hours1-1/+1
| | | | | | This fixes testcases/sets/0036add_set_element_expiration_0 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: Fix memleak in set_dtype_json()Phil Sutter40 hours1-1/+1
| | | | | | | | | Turns out json_string() already dups the input, so the temporary dup passed to it is lost. Fixes: e70354f53e9f6 ("libnftables: Implement JSON output support") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: UAF in interval_map_decompose()Pablo Neira Ayuso4 days1-3/+5
| | | | | | | | | | | reported by tests/monitor# bash run-tests.sh ... SUMMARY: AddressSanitizer: heap-use-after-free /home/pablo/devel/scm/git-netfilter/nftables/src/expression.c:1385 in expr_ops Due to incorrect structure layout when calling interval_expr_copy(). Fixes: c1f0476fd590 ("segtree: copy expr data to closing element") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: improve rule error reportingPablo Neira Ayuso4 days3-62/+201
| | | | | | | | | | | | | | | | | | | | | Kernel provides information regarding expression since 83d9dcba06c5 ("netfilter: nf_tables: extended netlink error reporting for expressions"). A common mistake is to refer a chain which does not exist, e.g. # nft add rule x y jump test Error: Could not process rule: No such file or directory add rule x y jump test ^^^^ Use the existing netlink extended error reporting infrastructure to provide better error reporting as in the example above. Requires Linux kernel patch 83d9dcba06c5 ("netfilter: nf_tables: extended netlink error reporting for expressions"). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: constify location parameter in cmd_add_loc()Pablo Neira Ayuso4 days3-12/+13
| | | | | | | Constify pointer to location object to compile check for unintentional updates. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: larger number of error locationsPablo Neira Ayuso5 days2-2/+4
| | | | | | | | | | Statically store up to 32 locations per command, if the number of locations is larger than 32, then skip rather than hit assertion. Revisit this later to dynamically store location per command using a hashtable. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: nft.8: describe inet ingress hookPablo Neira Ayuso8 days1-4/+17
| | | | | | Available since Linux kernel >= 5.10. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: copy expr data to closing elementFlorian Westphal9 days1-40/+19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When last expr has no closing element we did not propagate expr properties such as comment or expire date to the newly allocated set elem. Before: nft create table t nft 'add set t s { type ipv4_addr; flags interval; timeout 60s; }' nft add element t s { 224.0.0.0/3 } nft list set t s | grep -o 'elements.*' elements = { 224.0.0.0-255.255.255.255 } nft flush set t s nft add element t s { 224.0.0.0/4, 240.0.0.0/4 } nft list set t s | grep -o 'elements.*' elements = { 224.0.0.0/4 expires 55s152ms, 240.0.0.0-255.255.255.255 } nft delete set t s nft 'add set t s { type ipv4_addr; flags interval; auto-merge; timeout 60s; }' nft add element t s { 224.0.0.0/4, 240.0.0.0/4 } nft list set t s | grep -o 'elements.*' elements = { 224.0.0.0-255.255.255.255 } After: elements = { 224.0.0.0-255.255.255.255 expires 58s515ms } elements = { 224.0.0.0/4 expires 54s622ms, 240.0.0.0-255.255.255.255 expires 54s622ms } elements = { 224.0.0.0-255.255.255.255 expires 57s92ms } Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1454 Signed-off-by: Florian Westphal <fw@strlen.de>
* proto: add sctp crc32 checksum fixupFlorian Westphal9 days4-1/+12
| | | | | | | | | | Stateless SCTP header mangling doesn't work reliably. This tells the kernel to update the checksum field using the sctp crc32 algorithm. Note that this needs additional kernel support to work. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: ingress inet supportPablo Neira Ayuso11 days5-2/+38
| | | | | | | | | | | | | | | | | | Add support for inet ingress chains. table inet filter { chain ingress { type filter hook ingress device "veth0" priority filter; policy accept; } chain input { type filter hook input priority filter; policy accept; } chain forward { type filter hook forward priority filter; policy accept; } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: add missing test JSON output for TCP flag tests.Jeremy Sowden12 days2-0/+186
| | | | | | Fixes: 3926a3369bb5 ("mergesort: unbreak listing with binops") Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: correct order of set elements in test JSON output.Jeremy Sowden12 days1-10/+10
| | | | | | Fixes: 741a06ac15d2 ("mergesort: find base value expression type via recursion") Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: add missing JSON output for ct test.Jeremy Sowden12 days1-0/+15
| | | | | | Fixes: dcec7d57559a ("ct: Add support for the 'id' key") Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Solves Bug 1462 - `nft -j list set` does not show countersGopal Yadav2020-10-081-1/+7
| | | | | | | | | Element counters reside in 'stmt' field as counter statement. Append them to 'elem' object as additional 'counter' property, generated by counter_stmt_json(). Signed-off-by: Gopal Yadav <gopunop@gmail.com> Signed-off-by: Phil Sutter <phil@nwl.cc>
* evaluate: Reject quoted strings containing only wildcardPhil Sutter2020-10-061-2/+5
| | | | | | | | | | | | | | | | | | | | | Fix for an assertion fail when trying to match against an all-wildcard interface name: | % nft add rule t c iifname '"*"' | nft: expression.c:402: constant_expr_alloc: Assertion `(((len) + (8) - 1) / (8)) > 0' failed. | zsh: abort nft add rule t c iifname '"*"' Fix this by detecting the string in expr_evaluate_string() and returning an error message: | % nft add rule t c iifname '"*"' | Error: All-wildcard strings are not supported | add rule t c iifname "*" | ^^^ While being at it, drop the 'datalen >= 1' clause from the following conditional as together with the added check for 'datalen == 0', all possible other values have been caught already.
* nft: migrate man page examples with `meter` directive to setsDevin Bayer2020-10-012-15/+26
| | | | | | | this updates the two examples in the man page that use the obsolete `meter` to use sets. I also fixed a bit of formatting for the conntrack expressions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add comment support for chainsJose M. Guisado Gomez2020-09-307-0/+72
| | | | | | | | | | | | | | | | | | | | This patch enables the user to specify a comment when adding a chain. Relies on kernel space supporting userdata for chains. > nft add table ip filter > nft add chain ip filter input { comment "test"\; type filter hook input priority 0\; policy accept\; } > list ruleset table ip filter { chain input { comment "test" type filter hook input priority filter; policy accept; } } Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: Combining --terse with --json has no effectGopal Yadav2020-09-222-1/+13
| | | | | | | | --terse with --json is ignored, fix this. This patch also includes a test. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1388 Signed-off-by: Gopal Yadav <gopunop@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: context tracking for multiple transport protocolsPablo Neira Ayuso2020-09-1510-18/+142
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch extends the protocol context infrastructure to track multiple transport protocols when they are specified from sets. This removes errors like: "transport protocol mapping is only valid after transport protocol match" when invoking: # nft add rule x z meta l4proto { tcp, udp } dnat to 1.1.1.1:80 This patch also catches conflicts like: # nft add rule x z ip protocol { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80 Error: conflicting protocols specified: udp vs. tcp add rule x z ip protocol { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80 ^^^^^^^^^ and: # nft add rule x z meta l4proto { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80 Error: conflicting protocols specified: udp vs. tcp add rule x z meta l4proto { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80 ^^^^^^^^^ Note that: - the singleton protocol context tracker is left in place until the existing users are updated to use this new multiprotocol tracker. Moving forward, it would be good to consolidate things around this new multiprotocol context tracker infrastructure. - link and network layers are not updated to use this infrastructure yet. The code that deals with vlan conflicts relies on forcing protocol context updates to the singleton protocol base. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: remove one indent level in __expr_evaluate_payload()Pablo Neira Ayuso2020-09-141-25/+24
| | | | | | | If there is protocol context for this base, just return from function to remove one level of indentation. This patch is cleanup. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: flush log file output before running each commandPablo Neira Ayuso2020-09-141-0/+2
| | | | | | | If nft crashes or hits an assertion, the last command run shows in the /tmp/nftables-test.log file. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: avoid repeated command list traversal on errorsJindrich Makovicka2020-09-141-2/+14
| | | | | | | | | Because the command seqnums are monotonic, repeated traversals of the cmds list from the beginning are not necessary as long as the error seqnums are also monotonic. Signed-off-by: Jindrich Makovicka <makovick@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mnl: larger receive socket buffer for netlink errorsPablo Neira Ayuso2020-09-141-16/+5
| | | | | | | | Assume each error in the batch will result in a 1k notification for the non-echo flag set on case as described in 860671662d3f ("mnl: fix --echo buffer size again"). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: fail when specifying multiple commentsJose M. Guisado Gomez2020-09-142-0/+160
| | | | | | | | | | | | | | | | | | | | Before this patch grammar supported specifying multiple comments, and only the last value would be assigned. This patch adds a function to test if an attribute is already assigned and, if so, calls erec_queue with this attribute location. Use this function in order to check for duplication (or more) of comments for actions that support it. > nft add table inet filter { flags "dormant"\; comment "test"\; comment "another"\;} Error: You can only specify this once. This statement is duplicated. add table inet filter { flags dormant; comment test; comment another;} ^^^^^^^^^^^^^^^^ Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add comment support for objectsJose M. Guisado Gomez2020-09-087-0/+204
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Enables specifying an optional comment when declaring named objects. The comment is to be specified inside the object's block ({} block) Relies on libnftnl exporting nftnl_obj_get_data and kernel space support to store the comments. For consistency, this patch makes the comment be printed first when listing objects. Adds a testcase importing all commented named objects except for secmark, although it's supported. Example: Adding a quota with a comment > add table inet filter > nft add quota inet filter q { over 1200 bytes \; comment "test_comment"\; } > list ruleset table inet filter { quota q { comment "test_comment" over 1200 bytes } } Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mergesort: find base value expression type via recursionPablo Neira Ayuso2020-09-045-30/+82
| | | | | | | | | | | | | | | | Sets that store flags might contain a mixture of values and binary operations. Find the base value type via recursion to compare the expressions. Make sure concatenations are listed in a deterministic way via concat_expr_msort_value() which builds a mpz value with the tuple. Adjust a few tests after this update since listing differs after this update. Fixes: 14ee0a979b62 ("src: sort set elements in netlink_get_setelems()") Fixes: 3926a3369bb5 ("mergesort: unbreak listing with binops") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: allow tests/monitor to use a custom nft executableBalazs Scheidler2020-08-291-1/+1
| | | | | Signed-off-by: Balazs Scheidler <bazsi77@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: added "socket wildcard" testcasesBalazs Scheidler2020-08-293-0/+62
| | | | | Signed-off-by: Balazs Scheidler <bazsi77@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: added documentation on "socket wildcard"Balazs Scheidler2020-08-291-3/+8
| | | | | Signed-off-by: Balazs Scheidler <bazsi77@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src/scanner.l: fix whitespace issue for the TRANSPARENT keywordBalazs Scheidler2020-08-291-1/+1
| | | | | Signed-off-by: Balazs Scheidler <bazsi77@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* socket: add support for "wildcard" keyBalazs Scheidler2020-08-296-1/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | iptables had a "-m socket --transparent" which didn't match sockets that are bound to all addresses (e.g. 0.0.0.0 for ipv4, and ::0 for ipv6). It was possible to override this behavior by using --nowildcard, in which case it did match zero bound sockets as well. The issue is that nftables never included the wildcard check, so in effect it behaved like "iptables -m socket --transparent --nowildcard" with no means to exclude wildcarded listeners. This is a problem as a user-space process that binds to 0.0.0.0:<port> that enables IP_TRANSPARENT would effectively intercept traffic going in _any_ direction on the specific port, whereas in most cases, transparent proxies would only need this for one specific address. The solution is to add "socket wildcard" key to the nft_socket module, which makes it possible to match on the wildcardness of a socket from one's ruleset. This is how to use it: table inet haproxy { chain prerouting { type filter hook prerouting priority -150; policy accept; socket transparent 1 socket wildcard 0 mark set 0x00000001 } } This patch effectively depends on its counterpart in the kernel. Signed-off-by: Balazs Scheidler <bazsi77@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add comment support when adding tablesJose M. Guisado Gomez2020-08-287-2/+65
| | | | | | | | | | | | | | | | | | | Adds userdata building logic if a comment is specified when creating a new table. Adds netlink userdata parsing callback function. Relies on kernel supporting userdata for nft_table. Example: > nft add table ip x { comment "test"\; } > nft list ruleset table ip x { comment "test" } Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add chain hashtable cachePablo Neira Ayuso2020-08-267-64/+133
| | | | | | | | | | | | | | | | | | | | | | | | This significantly improves ruleset listing time with large rulesets (~50k rules) with _lots_ of non-base chains. # time nft list ruleset &> /dev/null Before this patch: real 0m11,172s user 0m6,810s sys 0m4,220s After this patch: real 0m4,747s user 0m0,802s sys 0m3,912s This patch also removes list_bindings from netlink_ctx since there is no need to keep a temporary list of chains anymore. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add expression handler hashtablePablo Neira Ayuso2020-08-265-10/+52
| | | | | | | netlink_parsers is actually small, but update this code to use a hashtable instead since more expressions may come in the future. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: sets: Check rbtree overlap detection after tree rotationsStefano Brivio2020-08-261-0/+36
| | | | | | | | | | | | | | | | | | | | | Ticket https://bugzilla.netfilter.org/show_bug.cgi?id=1449 showed an issue with rbtree overlap detection coming from the fact that, after tree rotations performed as part of tree rebalancing, caused by deletions, end elements are not necessarily descendants of their corresponding start elements. Add single-sized elements, delete every second one of them, and re-add them (they will always be full overlaps) in order to check overlap detection after tree rotations. Port indices used in the sets are pseudo-random numbers generated with Marsaglia's Xorshift algorithm with triplet (5, 3, 1), chosen for k-distribution over 16-bit periods, which gives a good statistical randomness and forces 201 rebalancing operations out of 250 deletions with the chosen seed (1). Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nftables: dump raw element info from libnftnl when netlink debugging is onFlorian Westphal2020-08-201-2/+38
| | | | | | | | | | | | | | | | Example: nft --debug=netlink list ruleset inet firewall @knock_candidates_ipv4 element 0100007f 00007b00 : 0 [end] element 0200007f 0000f1ff : 0 [end] element 0100007f 00007a00 : 0 [end] inet firewall @__set0 element 00000100 : 0 [end] element 00000200 : 0 [end] inet firewall knock-input 3 [ meta load l4proto => reg 1 ] ... Signed-off-by: Florian Westphal <fw@strlen.de>
* mergesort: unbreak listing with binopsPablo Neira Ayuso2020-08-203-0/+25
| | | | | | | | | | | | | tcp flags == {syn, syn|ack} tcp flags & (fin|syn|rst|psh|ack|urg) == {ack, psh|ack, fin, fin|psh|ack} results in: BUG: Unknown expression binop nft: mergesort.c:47: expr_msort_cmp: Assertion `0' failed. Aborted (core dumped) Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add comment support for map tooPablo Neira Ayuso2020-08-173-5/+14
| | | | | | Extend and slightly rework tests/shell to cover this case too. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add comment support for set declarationsJose M. Guisado Gomez2020-08-128-1/+52
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Allow users to add a comment when declaring a named set. Adds set output handling the comment in both nftables and json format. $ nft add table ip x $ nft add set ip x s {type ipv4_addr\; comment "some_addrs"\; elements = {1.1.1.1, 1.2.3.4}} $ nft list ruleset table ip x { set s { type ipv4_addr; comment "some_addrs" elements = { 1.1.1.1, 1.2.3.4 } } } $ nft --json list ruleset { "nftables": [ { "metainfo": { "json_schema_version": 1, "release_name": "Capital Idea #2", "version": "0.9.6" } }, { "table": { "family": "ip", "handle": 4857, "name": "x" } }, { "set": { "comment": "some_addrs", "elem": [ "1.1.1.1", "1.2.3.4" ], "family": "ip", "handle": 1, "name": "s", "table": "x", "type": "ipv4_addr" } } ] } Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: cache gets out of sync in interactive modePablo Neira Ayuso2020-08-063-1/+10
| | | | | | | | | | | Since 94a945ffa81b ("libnftables: Get rid of explicit cache flushes"), the cache logic checks for the generation number to refresh the cache. This breaks interactive mode when listing stateful objects though. This patch adds a new flag to force a cache refresh when the user requests a ruleset listing. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: memleaks in interval_map_decompose()Pablo Neira Ayuso2020-08-051-3/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | mpz_init_bitmask() overrides the existing memory area: ==19179== 8 bytes in 1 blocks are definitely lost in loss record 1 of 1 ==19179== at 0x483577F: malloc (vg_replace_malloc.c:299) ==19179== by 0x489C718: xmalloc (utils.c:36) ==19179== by 0x4B825C5: __gmpz_init2 (in /usr/lib/x86_64-linux-g nu/libgmp.so.10.3.2) f ==19179== by 0x4880239: constant_expr_alloc (expression.c:400) ==19179== by 0x489B8A1: interval_map_decompose (segtree.c:1098) ==19179== by 0x489017D: netlink_list_setelems (netlink.c:1220) ==19179== by 0x48779AC: cache_init_objects (rule.c:170) 5 ==19179== by 0x48779AC: cache_init (rule.c:228) ==19179== by 0x48779AC: cache_update (rule.c:279) ==19179== by 0x48A21AE: nft_evaluate (libnftables.c:406) left-hand side of the interval is leaked when building the range: ==25835== 368 (128 direct, 240 indirect) bytes in 1 blocks are definitely lost in loss record 5 of 5 ==25835== at 0x483577F: malloc (vg_replace_malloc.c:299) ==25835== by 0x489B628: xmalloc (utils.c:36) ==25835== by 0x489B6F8: xzalloc (utils.c:65) ==25835== by 0x487E176: expr_alloc (expression.c:45) ==25835== by 0x487F960: mapping_expr_alloc (expression.c:1149) ==25835== by 0x488EC84: netlink_delinearize_setelem (netlink.c:1166) ==25835== by 0x4DC6928: nftnl_set_elem_foreach (set_elem.c:725) ==25835== by 0x488F0D5: netlink_list_setelems (netlink.c:1215) ==25835== by 0x487695C: cache_init_objects (rule.c:170) ==25835== by 0x487695C: cache_init (rule.c:228) ==25835== by 0x487695C: cache_update (rule.c:279) ==25835== by 0x48A10BE: nft_evaluate (libnftables.c:406) ==25835== by 0x48A19B6: nft_run_cmd_from_buffer (libnftables.c:451) ==25835== by 0x10A8E1: main (main.c:487) Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: 0044interval_overlap_0: Repeat insertion tests with timeoutStefano Brivio2020-08-041-19/+117
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Mike Dillinger reported issues with insertion of entries into sets supporting intervals that were denied because of false conflicts with elements that were already expired. Partial failures would occur to, leading to the generation of new intervals the user didn't specify, as only the opening or the closing elements wouldn't be inserted. The reproducer provided by Mike looks like this: #!/bin/bash nft list set ip filter blacklist4-ip-1m for ((i=1;i<=10;i++)); do nft add element filter blacklist4-ip-1m {$i.$i.$i.$i} sleep 1 done nft list set ip filter blacklist4-ip-1m which, run in a loop at different intervals, show the different kind of failures. Extend the existing test case for overlapping and non-overlapping intervals to systematically cover sets with a configured timeout. As reported by Pablo, the test would fail if we keep a one-second timeout if it runs on a "slow" kernel (e.g. with KASan), using the libtool wrapper in src/nft as $NFT, because we can't issue 218 commands within one second. To avoid that, introduce an adaptive timeout based on how many times we can list a single entry with a fixed one-second timeout. On a single 2.9GHz AMD Epyc 7351 thread: test run nft commands/s timeout - src/nft libtool wrapper, KASan: 68.4s 10 32s - nft binary, KASan: 5.1s 168 2s - src/nft libtool wrapper, w/o KASan: 18.3s 37 8s - nft binary, w/o KASan: 2.4s 719 1s While at it, fix expectation for insertion of '15-20 . 50-60' (it's expected to succeed, given the list), and the reason why I didn't notice: a simple command preceded by ! won't actually result in the shell exiting, even if it fails. Add some clearer failure reports too. v2: - adjust set timeouts to nft commands/s - fix checks on expected outcome of insertions and reports Reported-by: Mike Dillinger <miked@softtalker.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: 0043concatenated_ranges_0: Fix checks for add/delete failuresStefano Brivio2020-08-041-18/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | The test won't stop if we simply precede commands expected to fail by !. POSIX.1-2017 says: -e When this option is on, if a simple command fails for any of the reasons listed in Consequences of Shell Errors or returns an exit status value >0, and is not part of the compound list following a while, until or if keyword, and is not a part of an AND or OR list, and is not a pipeline preceded by the "!" reserved word, then the shell will immediately exit. ...but I didn't care about the last part. Replace those '! nft ...' commands by 'nft ... && exit 1' to actually detect failures. As a result, I didn't notice that now, correctly, inserting elements into a set that contains the same exact element doesn't actually fail, because nft doesn't pass NLM_F_EXCL on a simple 'add'. Drop re-insertions from the checks we perform here, overlapping elements are already covered by other tests. Fixes: 618393c6b3f2 ("tests: Introduce test for set with concatenated ranges") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix obj list output when reset commandJose M. Guisado Gomez2020-08-031-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch enables json output when doing a reset command. Previously do_list_obj was called at the end of do_command_reset to list the named object affected by the reset, this function is for nft output only. Listing affected objects using do_command_list ensures output flags will be honored. Eg: For a ruleset like table inet x { counter user123 { packets 12 bytes 1433 } counter user321 { packets 0 bytes 0 } quota user123 { over 2000 bytes } quota user124 { over 2000 bytes } set y { type ipv4_addr } ... } { "nftables": [ { "metainfo": { "json_schema_version": 1, "release_name": "Capital Idea #2", "version": "0.9.6" } }, { "counter": { "bytes": 0, "family": "inet", "handle": 3, "name": "user321", "packets": 0, "table": "x" } }, { "counter": { "bytes": 1433, "family": "inet", "handle": 2, "name": "user123", "packets": 12, "table": "x" } } ] } Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1336 Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: disregard ct address matching without familyPablo Neira Ayuso2020-07-311-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | The following rule: # nft add rule ip x y ct original daddr @servers breaks with: # nft list ruleset nft: netlink_delinearize.c:124: netlink_parse_concat_expr: Assertion `consumed > 0' failed. Aborted Bail out if this syntax is used, instead users should rely on: # nft add rule ip x y ct original ip daddr @servers ~~ which uses NFT_CT_{SRC,DST}_{IP,IP6} in the bytecode generation. This issue is described in 7f742d0a9071 ("ct: support for NFT_CT_{SRC,DST}_{IP,IP6}"). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: transform binary operation to prefix only with valuesPablo Neira Ayuso2020-07-291-1/+1
| | | | | | | | | | | | | | | The following rule: nft add rule inet filter input ip6 saddr and ffff:ffff:ffff:ffff:: @allowable counter when listing the ruleset becomes: ip6 saddr @allowable/64 counter packets 3 bytes 212 This transformation is unparseable, allow prefix transformation only for values. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: UAF in hook priority expressionPablo Neira Ayuso2020-07-291-1/+1
| | | | | | | | Release priority expression right before assigning the constant expression that results from the evaluation. Fixes: 627c451b2351 ("src: allow variables in the chain priority specification") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: memleak in invalid default policy definitionPablo Neira Ayuso2020-07-291-1/+3
| | | | | | | Release the clone expression from the exit path. Fixes: 5173151863d3 ("evaluate: replace variable expression by the value expression") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: memleak symbol redefinitionPablo Neira Ayuso2020-07-291-0/+1
| | | | | | Missing expr_free() from the error path. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>