summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* doc, src: make some spelling and grammatical improvementsHEADmasterJeremy Sowden3 days6-16/+16
| | | | | | | | | | | | | Fix a couple of spelling mistakes: 'expresion' -> 'expression' and correct some non-native usages: 'allows to' -> 'allows one to' Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* segtree: fix decomposition of unclosed intervals containing address prefixesJeremy Sowden4 days3-16/+50
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The code which decomposes unclosed intervals doesn't check for prefixes. This leads to incorrect output for sets which contain these. For example, # nft -f - <<END table ip t { chain c { ip saddr 192.0.0.0/2 drop ip saddr 10.0.0.0/8 drop ip saddr { 192.0.0.0/2, 10.0.0.0/8 } drop } } table ip6 t { chain c { ip6 saddr ff00::/8 drop ip6 saddr fe80::/10 drop ip6 saddr { ff00::/8, fe80::/10 } drop } } END # nft list table ip6 t table ip6 t { chain c { ip6 saddr ff00::/8 drop ip6 saddr fe80::/10 drop ip6 saddr { fe80::/10, ff00::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff } drop } } # nft list table ip t table ip t { chain c { ip saddr 192.0.0.0/2 drop ip saddr 10.0.0.0/8 drop ip saddr { 10.0.0.0/8, 192.0.0.0-255.255.255.255 } drop } } Instead of treating the final unclosed interval as a special case, reuse the code which correctly handles closed intervals. Add a shell test-case. Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1018156 Fixes: 86b965bdab8d ("segtree: fix decomposition of unclosed intervals") Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* segtree: refactor decomposition of closed intervalsJeremy Sowden4 days1-33/+38
| | | | | | | | | | | Move the code in `interval_map_decompose` which adds a new closed interval to the set into a separate function. In addition to the moving of the code, there is one other change: `compound_expr_add` is called once, after the main conditional, instead of being called in each branch. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: un-break rule insert with intervalsFlorian Westphal5 days3-0/+6
| | | | | | | | | 'rule inet dscpclassify dscp_match meta l4proto { udp } th dport { 3478 } th sport { 3478-3497, 16384-16387 } goto ct_set_ef' works with 'nft add', but not 'nft insert', the latter yields: "BUG: unhandled op 4". Fixes: 81e36530fcac ("src: replace interval segment tree overlap and automerge") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: add nft_ctx_add_var() and nft_ctx_clear_vars() docsFernando Fernandez Mancera9 days1-0/+11
| | | | | | | | Add missing documentation for nft_ctx_add_var() and nft_ctx_clear_vars() functions. Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* py: support variables management and fix formattingFernando Fernandez Mancera9 days1-13/+30
| | | | | | | | | | | | | Add nft_ctx_add_var() and nft_ctx_clear_vars() support through add_var() and clear_vars(). Also, fix some functions documentation and drop unnecesary comments. In addition, modify get_dry_run() to return the previous value set. This is needed to be consistent with the rest of the python API. Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1591 Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* py: extend python API to support libnftables APIPeter Collinson9 days1-0/+82
| | | | | | | | | | | Allows py/nftables.py to support full mapping to the libnftables API. The changes allow python code to talk in text to the kernel rather than just using json. The Python API can now also use dry run to test changes. Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1591 Signed-off-by: Peter Collinson <pc@hillside.co.uk> Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: add stateful object comment supportFernando Fernandez Mancera9 days4-0/+24
| | | | | | | | | | | | | | | | | | | | | | When listing a stateful object with JSON support, the comment was ignored. Output example: { "counter": { "family": "inet", "name": "mycounter", "table": "t", "handle": 1, "comment": "my comment in counter", "packets": 0, "bytes": 0 } } Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1611 Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: add secmark object reference supportFernando Fernandez Mancera9 days3-0/+45
| | | | | | | | | The secmark object reference requires a json parser function and it was missing. In addition, extends the shell testcases. Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1630 Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: resync nf_tables.h cache copyPablo Neira Ayuso9 days1-1/+27
| | | | | | Get this header in sync with nf-next as of 6.0-rc. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: fix empty statement list output in sets and mapsFernando Fernandez Mancera2022-09-051-29/+32
| | | | | | | | | | | | JSON output of sets and map should not include the statements list if is empty. The statement output should be stateless also. In addition, removes duplicated code. Fixes: 07958ec53830 ("json: add set statement list support") Fixes: e66f3187d891 ("json: add table map statement support") Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: fix json schema version verificationFernando Fernandez Mancera2022-09-035-7/+28
| | | | | | | | | | nft should ignore malformed or missing entries of `json_schema_version` but check the value when it is integer. Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1490 Fixes: 49e0f1dc6e52 ("JSON: Add metainfo object to all output") Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: add table map statement supportFernando Fernandez Mancera2022-09-034-29/+61
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When listing a map with statements with JSON support, the statement list were ignored. Output example: { "map": { "family": "ip", "name": "m", "table": "t", "type": "ipv4_addr", "handle": 1, "map": "mark", "stmt": [ { "counter": { "packets": 0, "bytes": 0 } } ] } } Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1588 Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: check address family in set collapseDerek Hageman2022-09-013-1/+33
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 498a5f0c219d added collapsing of set operations in different commands. However, the logic is currently too relaxed. It is valid to have a table and set with identical names on different address families. For example: table ip a { set x { type inet_service; } } table ip6 a { set x { type inet_service; } } add element ip a x { 1 } add element ip a x { 2 } add element ip6 a x { 2 } The above currently results in nothing being added to the ip6 family table due to being collapsed into the ip table add. Prior to 498a5f0c219d the set add would work. The fix is simply to check the family in addition to the table and set names before allowing a collapse. [ Add testcase to tests/shell --pablo ] Fixes: 498a5f0c219d ("rule: collapse set element commands") Signed-off-by: Derek Hageman <hageman@inthat.cloud> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: add set statement list supportFernando Fernandez Mancera2022-09-014-2/+67
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When listing a set with statements with JSON support, the statements were ignored. Output example: { "set": { "op": "add", "elem": { "payload": { "protocol": "ip", "field": "saddr" } }, "stmt": [ { "limit": { "rate": 10, "burst": 5, "per": "second" } }, { "counter": { "packets": 0, "bytes": 0 } } ], "set": "@my_ssh_meter" } } Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1495 Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: missing userdata in netlink payloadPablo Neira Ayuso2022-08-311-3/+3
| | | | | | | | Since libnftnl's 212479ad2c92 ("rule, set_elem: fix printing of user data"), userdata is missing in netlink payload printing via --debug. Update tests/py/ip6/srh.t.payload to silence warning. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow burst 0 for byte ratelimit and use it as defaultPablo Neira Ayuso2022-08-317-41/+44
| | | | | | | | | | | | | | | | | Packet-based limit burst is set to 5, as in iptables. However, byte-based limit burst adds to the rate to calculate the bucket size, and this is also sets this to 5 (... bytes in this case). Update it to use zero byte burst by default instead. This patch also updates manpage to describe how the burst value influences the kernel module's token bucket in each of the two modes. This documentation update is based on original text by Phil Sutter. Adjust tests/py to silence warnings due to mismatching byte burst. Fixes: 285baccfea46 ("src: disallow burst 0 in ratelimits") Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: update EXPR_MAX and add missing commentsFlorian Westphal2022-08-301-1/+6
| | | | | | | | | | | | | | | WHen flagcmp and catchall expressions got added the EXPR_MAX definition wasn't changed. Should have no impact in practice however, this value is only checked to prevent crash when old nft release is used to list a ruleset generated by a newer nft release and a unknown 'typeof' expression. v2: Pablo suggested to add EXPR_MAX into enum so its easier to spot. Adding __EXPR_MAX + define EXPR_MAX (__EXPR_MAX - 1) causes '__EXPR_MAX not handled in switch' warnings, hence the 'EXPR_MAX =' solution. Signed-off-by: Florian Westphal <fw@strlen.de>
* erec: Dump locations' expressions only if setPhil Sutter2022-08-301-0/+2
| | | | | | | | | | | | Calling netlink_dump_expr() with a NULL pointer leads to segfault within libnftnl. Internal ("fake") locations such as 'netlink_location' don't have an expression assigned so expect this and skip the call. Simple reproducer (list ruleset with netlink debugging as non-root): | $ nft -d netlink list ruleset Reported-by: Fran├žois Rigault <frigo@amadeus.com> Signed-off-by: Phil Sutter <phil@nwl.cc>
* doc: nft.8: Add missing '-T' in synopsisPhil Sutter2022-08-301-1/+1
| | | | | | | | Originally a typo in fixed commit: It added 't' in lower case, but meanwhile '-t' was added as well. Fixes: f8f32deda31df ("meta: Introduce new conditions 'time', 'day' and 'hour'") Signed-off-by: Phil Sutter <phil@nwl.cc>
* optimize: expand implicit set element when merging into concatenationPablo Neira Ayuso2022-08-303-10/+81
| | | | | | | | | | | | | | | | | | | | | | | | Generalize the existing code to deal with implicit sets. When merging a ruleset like the following: udp dport 128 iifname "foo" #1 udp dport { 67, 123 } iifname "bar" #2 into a concatenation of statements, the following expansion need to be done for rule #2: 67 . "bar" 123 . "bar" The expansion logic consists of cloning the existing concatenation being built and then append each element in the implicit set. A list of ongoing concatenations being built is maintained, so further expansions are also supported. Extend test to cover for this use-case. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1628 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Don't parse string as verdict in mapXiao Liang2022-08-193-13/+23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In verdict map, string values are accidentally treated as verdicts. For example: table t { map foo { type ipv4_addr : verdict elements = { 192.168.0.1 : bar } } chain output { type filter hook output priority mangle; ip daddr vmap @foo } } Though "bar" is not a valid verdict (should be "jump bar" or something), the string is taken as the element value. Then NFTA_DATA_VALUE is sent to the kernel instead of NFTA_DATA_VERDICT. This would be rejected by recent kernels. On older ones (e.g. v5.4.x) that don't validate the type, a warning can be seen when the rule is hit, because of the corrupted verdict value: [5120263.467627] WARNING: CPU: 12 PID: 303303 at net/netfilter/nf_tables_core.c:229 nft_do_chain+0x394/0x500 [nf_tables] Indeed, we don't parse verdicts during evaluation, but only chain names, which is of type string rather than verdict. For example, "jump $var" is a verdict while "$var" is a string. Fixes: c64457cff967 ("src: Allow goto and jump to a variable") Signed-off-by: Xiao Liang <shaw.leon@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* optimize: check for mergeable rulesPablo Neira Ayuso2022-08-113-1/+55
| | | | | | Rules that are equal need to have at least one mergeable statement. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: merging concatenation is unsupportedPablo Neira Ayuso2022-08-113-0/+6
| | | | | | | | | | | Existing concatenation cannot be merge at this stage, skip them otherwise this assertion is hit: nft: optimize.c:434: rule_build_stmt_matrix_stmts: Assertion `k >= 0' failed Extend existing test to cover this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: check for a tainted kernelFlorian Westphal2022-08-111-0/+16
| | | | | | | If a test case results in a kernel taint (WARN splat for example), make sure the test script indicates this. Signed-off-by: Florian Westphal <fw@strlen.de>
* concat with dynamically sized fields like vlan idMichael Braun2022-08-112-0/+18
| | | | | | | | | | | | | | This enables commands like nft set bridge t s4 '{typeof vlan id . ip daddr; elements = { 3567 . 1.2.3.4 }; }' Which would previously fail with Error: can not use variable sized data types (integer) in concat expressions Signed-off-by: Michael Braun <michael-dev@fami-braun.de> Signed-off-by: Florian Westphal <fw@strlen.de>
* build: Bump version to 1.0.5v1.0.5Pablo Neira Ayuso2022-08-091-3/+3
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: disable arp family for queue statementPablo Neira Ayuso2022-08-091-1/+0
| | | | | | | | | | | | | | Kernel commit: commit 47f4f510ad586032b85c89a0773fbb011d412425 Author: Florian Westphal <fw@strlen.de> Date: Tue Jul 26 19:49:00 2022 +0200 netfilter: nft_queue: only allow supported familes and hooks restricts supported families, excluding arp. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: don't use non-POSIX formats in strptime()Jo-Philipp Wich2022-08-091-4/+4
| | | | | | | | | | | | | The current strptime() invocations in meta.c use the `%F` format which is not specified by POSIX and thus unimplemented by some libc flavors such as musl libc. Replace all occurrences of `%F` with an equivalent `%Y-%m-%d` format in order to be able to properly parse user supplied dates in such environments. Signed-off-by: Jo-Philipp Wich <jo@mein.io> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow anon set concatenation with ether and vlanFlorian Westphal2022-08-056-5/+91
| | | | | | | | | | | | | | | | | | | | | | | vlan id uses integer type (which has a length of 0). Using it was possible, but listing would assert: python: mergesort.c:24: concat_expr_msort_value: Assertion `ilen > 0' failed. There are two reasons for this. First reason is that the udata/typeof information lacks the 'vlan id' part, because internally this is 'payload . binop(payload AND mask)'. binop lacks an udata store. It makes little sense to store it, 'typeof' keyword expects normal match syntax. So, when storing udata, store the left hand side of the binary operation, i.e. the load of the 2-byte key. With that resolved, delinerization could work, but concat_elem_expr() would splice 12 bits off the elements value, but it should be 16 (on a byte boundary). Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: search stacked header list for matching payload depFlorian Westphal2022-08-055-6/+110
| | | | | | | | | | | | | | "ether saddr 0:1:2:3:4:6 vlan id 2" works, but reverse fails: "vlan id 2 ether saddr 0:1:2:3:4:6" will give Error: conflicting protocols specified: vlan vs. ether After "proto: track full stack of seen l2 protocols, not just cumulative offset", we have a list of all l2 headers, so search those to see if we had this proto base in the past before rejecting this. Reported-by: Eric Garver <eric@garver.life> Signed-off-by: Florian Westphal <fw@strlen.de>
* netlink_delinearize: also postprocess OP_AND in set element contextFlorian Westphal2022-08-053-1/+19
| | | | | | | | | | | | | Pablo reports: add rule netdev nt y update @macset { vlan id timeout 5s } listing still shows the raw expression: update @macset { @ll,112,16 & 0xfff timeout 5s } so also cover the 'set element' case. Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add a test case for ether and vlan listingFlorian Westphal2022-08-052-0/+20
| | | | | | | | | | before this patch series, test fails dump validation: - update @macset { ether saddr . vlan id timeout 5s } counter packets 0 bytes 0 - ether saddr . vlan id @macset + update @macset { @ll,48,48 . @ll,112,16 & 0xfff timeout 5s } counter packets 0 bytes 0 + @ll,48,48 . @ll,112,16 & 0xfff @macset Signed-off-by: Florian Westphal <fw@strlen.de>
* debug: dump the l2 protocol stackFlorian Westphal2022-08-051-0/+6
| | | | | | | Previously we used to print the cumulative size of the headers, update this to print the tracked l2 stack. Signed-off-by: Florian Westphal <fw@strlen.de>
* proto: track full stack of seen l2 protocols, not just cumulative offsetFlorian Westphal2022-08-055-21/+71
| | | | | | | | | | | | | | | | | | | | | | | | | | For input, a cumulative size counter of all pushed l2 headers is enough, because we have the full expression tree available to us. For delinearization we need to track all seen l2 headers, else we lose information that we might need at a later time. Consider: rule netdev nt nc set update ether saddr . vlan id during delinearization, the vlan proto_desc replaces the ethernet one, and by the time we try to split the concatenation apart we will search the ether saddr offset vs. the templates for proto_vlan. This replaces the offset with an array that stores the protocol descriptions seen. Then, if the payload offset is larger than our description, search the l2 stack and adjust the offset until we're within the expected offset boundary. Reported-by: Eric Garver <eric@garver.life> Signed-off-by: Florian Westphal <fw@strlen.de>
* netlink_delinearize: postprocess binary ands in concatenationsFlorian Westphal2022-08-052-5/+46
| | | | | | | | | | | | | | | | | | | | | | Input: update ether saddr . vlan id timeout 5s @macset ether saddr . vlan id @macset Before this patch, gets rendered as: update @macset { @ll,48,48 . @ll,112,16 & 0xfff timeout 5s } @ll,48,48 . @ll,112,16 & 0xfff @macset After this, listing will show: update @macset { @ll,48,48 . vlan id timeout 5s } @ll,48,48 . vlan id @macset The @ll, ... is due to vlan description replacing the ethernet one, so payload decode fails to take the concatenation apart (the ethernet header payload info is matched vs. vlan template). This will be adjusted by a followup patch. Signed-off-by: Florian Westphal <fw@strlen.de>
* netlink_delinearize: allow postprocessing on concatenated elementsFlorian Westphal2022-08-051-1/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently there is no case where the individual expressions inside a mapped concatenation need to be munged. However, to support proper delinearization for an input like 'rule netdev nt nc set update ether saddr . vlan id timeout 5s @macset' we need to allow this. Right now, this gets listed as: update @macset { @ll,48,48 . @ll,112,16 & 0xfff timeout 5s } because the ethernet protocol is replaced by vlan beforehand, so we fail to map @ll,48,48 to a vlan protocol. Likewise, we can't map the vlan info either because we cannot cope with the 'and' operation properly, nor is it removed. Prepare for this by deleting and re-adding so that we do not corrupt the linked list. After this, the list can be safely changed and a followup patch can start to delete/reallocate expressions. Signed-off-by: Florian Westphal <fw@strlen.de>
* parser_json: fix device parsing in netdev familyPablo Neira Ayuso2022-08-022-2/+20
| | | | | | | | json_unpack() function is not designed to take a pre-allocated buffer. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1612 Fixes: 3fdc7541fba0 ("src: add multidevice support for netdev chain") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: proto: support DF, LE PHB, VA for DSCPOleksandr Natalenko2022-08-011-0/+3
| | | | | | | | | | | | | | | | | | Add a couple of aliases for well-known DSCP values. As per RFC 4594, add "df" as an alias of "cs0" with 0x00 value. As per RFC 5865, add "va" for VOICE-ADMIT with 0x2c value. As per RFC 8622, add "lephb" for Lower-Effort Per-Hop Behavior with 0x01 value. tc-cake(8) in diffserv8 mode would benefit from having "lephb" defined since it corresponds to "Tin 0". https://www.iana.org/assignments/dscp-registry/dscp-registry.xhtml Signed-off-by: Oleksandr Natalenko <oleksandr@natalenko.name> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: Document limitations of ipsec expression with xfrm_interfacePhil Sutter2022-07-281-0/+4
| | | | | | | | Point at a possible solution to match IPsec info of locally generated traffic routed to an xfrm-type interface. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* cache: report an error message if cache initialization failsPablo Neira Ayuso2022-07-201-0/+4
| | | | | | | cache initialization failure (which should not ever happen) is not reported to the user. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache: validate handle string lengthPablo Neira Ayuso2022-07-201-0/+106
| | | | | | | | | | Maximum supported string length for handle is NFT_NAME_MAXLEN, report an error if user is exceeding this limit. By validating from the cache evaluation phase, input is validated for the native and json parsers. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache: prepare nft_cache_evaluate() to return errorPablo Neira Ayuso2022-07-183-6/+12
| | | | | | | Move flags as parameter reference and add list of error messages to prepare for sanity checks. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: crash when uncollapsing command with unexisting table or setPablo Neira Ayuso2022-07-072-1/+15
| | | | | | | | If ruleset update refers to an unexisting table or set, then cmd->elem.set is NULL. Fixes: 498a5f0c219d ("rule: collapse set element commands") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache: release pending rules when chain binding lookup failsPablo Neira Ayuso2022-07-071-1/+10
| | | | | | | | | | If the implicit chain is not in the cache, release pending rules in ctx->list and report EINTR to let the cache core retry to populate a consistent cache. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1402 Fixes: c330152b7f77 ("src: support for implicit chain bindings") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: report missing interval flag when using prefix/range in concatenationPablo Neira Ayuso2022-07-072-5/+36
| | | | | | | | If set declaration is missing the interval flag, and user specifies an element with either prefix or range, then bail out. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1592 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: allow prefix in ip6 scopeFlorian Westphal2022-07-073-1/+13
| | | | | | | | | | | 'ip6 prefix' is valid syntax, so make sure scanner recognizes it also in ip6 context. Also add test case. Fixes: a67fce7ffe7e ("scanner: nat: Move to own scope") Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1619 Signed-off-by: Florian Westphal <fw@strlen.de>
* segtree: fix map listing with interface wildcardPablo Neira Ayuso2022-06-272-1/+12
| | | | | | | | | | | | | | | | | | | | | # nft -f - <<'EOF' table inet filter { chain INPUT { iifname vmap { "eth0" : jump input_lan, "wg*" : jump input_vpn } } chain input_lan {} chain input_vpn {} } EOF # nft list ruleset nft: segtree.c:578: interval_map_decompose: Assertion `low->len / 8 > 0' failed. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1617 Fixes: 5e393ea1fc0a ("segtree: add string "range" reversal support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: don't pop active flex scanner scopeFlorian Westphal2022-06-272-0/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently we can pop a flex scope that is still active, i.e. the scanner_pop_start_cond() for the scope has not been done. Example: counter ipsec out ip daddr 192.168.1.2 counter name "ipsec_out" Here, parser fails because 'daddr' is parsed as STRING, not as DADDR token. Bug is as follows: COUNTER changes scope to COUNTER. (COUNTER). Next, IPSEC scope gets pushed, stack is: COUNTER, IPSEC. Then, the 'COUNTER' scope close happens. Because active scope has changed, we cannot pop (we would pop the 'ipsec' scope in flex). The pop operation gets delayed accordingly. Next, IP gets pushed, stack is: COUNTER, IPSEC, IP, plus the information that one scope closure/pop was delayed. Then, the IP scope is closed. Because a pop operation was delayed, we pop again, which brings us back to COUNTER state. This is bogus: The pop operation CANNOT be done yet, because the ipsec scope is still open, but the existing code lacks the information to detect this. After popping the IP scope, we must remain in IPSEC scope until bison parser calls scanner_pop_start_cond(, IPSEC). This adds a counter per flex scope so that we can detect this case. In above case, after the IP scope gets closed, the "new" (previous) scope (IPSEC) will be treated as active and its close is attempted again on the next call to scanner_pop_start_cond(). After this patch, transition in above rule is: push counter (COUNTER) push IPSEC (COUNTER, IPSEC) pop COUNTER (delayed: COUNTER, IPSEC, pending-pop for COUNTER), push IP (COUNTER, IPSEC, IP, pending-pop for COUNTER) pop IP (COUNTER, IPSEC, pending-pop for COUNTER) parse DADDR (we're in IPSEC scope, its valid token) pop IPSEC (pops all remaining scopes). We could also resurrect the commit: "scanner: flags: move to own scope", the test case passes with the new scope closure logic. Fixes: bff106c5b277 ("scanner: add support for scope nesting") Signed-off-by: Florian Westphal <fw@strlen.de>
* parser: add missing synproxy scope closureFlorian Westphal2022-06-271-1/+1
| | | | | Fixes: 232f2c3287fc ("scanner: synproxy: Move to own scope") Signed-off-by: Florian Westphal <fw@strlen.de>