summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* rule: replace three conditionals with oneHEADmasterJeremy Sowden6 days1-5/+3
| | | | | | | | When outputting set definitions, merge three consecutive `if (!list_empty(&set->stmt_list))` conditionals. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: fix stateless output after listing sets containing countersJeremy Sowden6 days1-1/+3
| | | | | | | | | | | | | Before outputting counters in set definitions the `NFT_CTX_OUTPUT_STATELESS` flag was set to suppress output of the counter state and unconditionally cleared afterwards, regardless of whether it had been originally set. Record the original set of flags and restore it. Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994273 Fixes: 6d80e0f15492 ("src: support for counter in set definition") Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: remove fake stateless output of named countersJeremy Sowden6 days1-7/+6
| | | | | | | | | When `-s` is passed, no state is output for named quotas and counter and quota rules, but fake zero state is output for named counters. Remove the output of named counters to match the remaining stateful objects. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: libnftables-json: make the example valid libnftables JSON inputŠtěpán Němec6 days1-2/+3
| | | | | | | | | | | - Add missing comma between array elements. - Fix chain 'name' property. - Match 'op' property is mandatory. Fixes: 2e56f533b36a ("doc: Improve example in libnftables-json(5)") Fixes: 90d4ee087171 ("JSON: Make match op mandatory, introduce 'in' operator") Signed-off-by: Štěpán Němec <snemec@redhat.com> Signed-off-by: Phil Sutter <phil@nwl.cc>
* cache: unset NFT_CACHE_SETELEM with --terse listingPablo Neira Ayuso2021-10-021-3/+12
| | | | | | Skip populating the set element cache in this case to speed up listing. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache: filter out sets and maps that are not requestedPablo Neira Ayuso2021-09-302-2/+20
| | | | | | | Do not fetch set content for list commands that specify a set name. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache: filter out tables that are not requestedPablo Neira Ayuso2021-09-304-15/+43
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Do not fetch table content for list commands that specify a table name, e.g. # nft list table filter This speeds up listing of a given table by not populating the cache with tables that are not needed. - Full ruleset (huge with ~100k lines). # sudo nft list ruleset &> /dev/null real 0m3,049s user 0m2,080s sys 0m0,968s - Listing per table is now faster: # nft list table nat &> /dev/null real 0m1,969s user 0m1,412s sys 0m0,556s # nft list table filter &> /dev/null real 0m0,697s user 0m0,478s sys 0m0,220s Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1326 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache: finer grain cache population for list commandsPablo Neira Ayuso2021-09-291-2/+23
| | | | | | Skip full cache population for list commands to speed up listing. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache: set on cache flags for nested notationPablo Neira Ayuso2021-09-292-0/+35
| | | | | | | | | Set on the cache flags for the nested notation too, this is fixing nft -f with two files, one that contains the set declaration and another that adds a rule that refers to such set. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1474 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: check for missing transport protocol match in nat map with ↵Pablo Neira Ayuso2021-09-293-3/+37
| | | | | | | | | | | | | | | | concatenations Restore this error with NAT maps: # nft add rule 'ip ipfoo c dnat to ip daddr map @y' Error: transport protocol mapping is only valid after transport protocol match add rule ip ipfoo c dnat to ip daddr map @y ~~~~ ^^^^^^^^^^^^^^^ Allow for transport protocol match in the map too, which is implicitly pulling in a transport protocol dependency. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: check for concatenation in set data datatypePablo Neira Ayuso2021-09-293-1/+20
| | | | | | | | | | | | | When adding this rule with an existing map: add rule nat x y meta l4proto { tcp, udp } dnat ip to ip daddr . th dport map @fwdtoip_th reports a bogus: Error: datatype mismatch: expected IPv4 address, expression has type concatenation of (IPv4 address, internet network service) Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* monitor: honor NLM_F_EXCL netlink flagPablo Neira Ayuso2021-09-291-1/+7
| | | | | | This allow to report for the create command. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: monitor: update insert and replace commandsPablo Neira Ayuso2021-09-291-2/+2
| | | | | | | | | Adjust test after these two kernel fixes: ("netfilter: nf_tables: reverse order in rule replacement expansion") ("netfilter: nf_tables: add position handle in event notification") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* monitor: honor NLM_F_APPEND flag for rulesPablo Neira Ayuso2021-09-291-14/+26
| | | | | | Print 'add' or 'insert' according to this netlink flag. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* monitor: display rule position handlePablo Neira Ayuso2021-09-291-1/+4
| | | | | | This allow to locate the incremental update in the ruleset. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: dynset: set compound expr dtype based on set key definitionFlorian Westphal2021-09-293-1/+73
| | | | | | | | | | | | | | | | | "nft add rule ... add @t { ip saddr . 22 ..." will be listed as 'ip saddr . 0x16 [ invalid type]". This is a display bug, the compound expression created during netlink deserialization lacks correct datatypes for the value expression. Avoid this by setting the individual expressions' datatype. The set key has the needed information, so walk over the types and set them in the dynset statment. Also add a test case. Reported-by: Paulo Ricardo Bruck <paulobruck1@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* payload: don't adjust offsets of autogenerated dependency expressionsFlorian Westphal2021-09-296-1/+58
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Pablo says: user reports that this is broken: nft --debug=netlink add rule bridge filter forward vlan id 100 vlan id set 200 [..] [ payload load 2b @ link header + 14 => reg 1 ] [..] [ payload load 2b @ link header + 28 => reg 1 ] [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x0000c800 ] [ payload write reg 1 => 2b @ link header + 14 csum_type 0 csum_off 0 csum_flags 0x0 ] offset says 28, it is assuming q-in-q, in this case it is mangling the existing header. The problem here is that 'vlan id set 200' needs a read-modify-write cycle because 'vlan id set' has to preserve bits located in the same byte area as the vlan id. The first 'payload load' at offset 14 is generated via 'vlan id 100', this part is ok. The second 'payload load' at offset 28 is the bogus one. Its added as a dependency, but then adjusted because nft evaluation considers this identical to 'vlan id 1 vlan id '2, where nft assumes q-in-q. To fix this, skip offset adjustments for raw expressions and mark the dependency-generated payload instruction as such. This is fine because raw payload operations assume that user specifies base/offset/length manually. Also add a test case for this. Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* netlink: reset temporary set element stmt list after list splicePablo Neira Ayuso2021-09-163-1/+28
| | | | | | | | Reset temporary stmt list to deal with the key_end case which might result in a jump backward to handle the rhs of the interval. Reported-by: Martin Zatloukal <slezi2@pvfree.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: fix synopsis of named counter, quota and ct {helper,timeout,expect}Pablo Neira Ayuso2021-09-162-9/+61
| | | | | | Synopsis is not complete. Add examples for counters and quotas. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: update ct expirationPablo Neira Ayuso2021-09-151-3/+3
| | | | | | | | Since 309785674b25 ("datatype: time_print() ignores -T"), time_type honors -T option. Given tests/py run in numeric format, this patch fixes a warning since the ct expiration is now expressed in seconds. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: revert hashtable for expression handlersPablo Neira Ayuso2021-09-153-35/+10
| | | | | | | | | | | | | | | | | | | | | Partially revert 913979f882d1 ("src: add expression handler hashtable") which is causing a crash with two instances of the nftables handler. $ sudo python [sudo] password for echerkashin: Python 3.9.7 (default, Sep 3 2021, 06:18:44) [GCC 11.2.0] on linux Type "help", "copyright", "credits" or "license" for more information. >>> from nftables import Nftables >>> n1=Nftables() >>> n2=Nftables() >>> <Ctrl-D> double free or corruption (top) Aborted Reported-by: Eugene Crosser <crosser@average.org> Suggested-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: nfnetlink_log allows one single process through unicastPablo Neira Ayuso2021-09-091-5/+5
| | | | | | | nfnetlink_log uses netlink unicast to send logs to one single process in userspace. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: rework range_expr_to_prefix()Pablo Neira Ayuso2021-09-094-30/+148
| | | | | | | | | Consolidate prefix calculation in range_expr_is_prefix(). Add tests/py for 9208fb30dc49 ("src: Check range bounds before converting to prefix"). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: skip -T for hour and date formatPablo Neira Ayuso2021-09-091-24/+9
| | | | | | | | | | | | | | | | If -T is used: - meta hour displays the hours in seconds based on your timezone. - meta time displays the UNIX time since 1970 in nanoseconds. Better, skip -T for these two datatypes and use the formatted output instead, ie. - meta hour "00:00:20" - meta time "1970-01-01 01:00:01" Fixes: f8f32deda31d ("meta: Introduce new conditions 'time', 'day' and 'hour'") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Check range bounds before converting to prefixXiao Liang2021-09-061-6/+9
| | | | | | | | | | The lower bound must be the first value of the prefix to be coverted. For example, range "10.0.0.15-10.0.0.240" can not be converted to "10.0.0.15/24". Validate it by checking if the lower bound value has enough trailing zeros. Signed-off-by: Xiao Liang <shaw.leon@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: refer to ulogd manpagePablo Neira Ayuso2021-09-061-2/+3
| | | | | | Refer to the ulogd daemon in the log statement section. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: libnflog handles `log group`, not libnfqDuncan Roe2021-09-061-1/+1
| | | | | Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: Missing NFT_CTX_OUTPUT_NUMERIC_SYMBOL in libnftables documentationPablo Neira Ayuso2021-09-061-0/+1
| | | | | | | | Add NFT_CTX_OUTPUT_NUMERIC_SYMBOL to libnftables.adoc to keep it in sync with the nftables/libnftables.h header. Fixes: 685a06447ee4 ("doc: libnftables.adoc misc cleanups") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: add NFT_CTX_OUTPUT_NUMERIC_TIME to NFT_CTX_OUTPUT_NUMERIC_ALLPablo Neira Ayuso2021-09-061-1/+2
| | | | | | | Therefore, -n honors numeric time in seconds. Fixes: f8f32deda31d ("meta: Introduce new conditions 'time', 'day' and 'hour'") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: time_print() ignores -TPablo Neira Ayuso2021-09-061-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | Honor NFT_CTX_OUTPUT_NUMERIC_TIME. # nft list ruleset table ip x { set y { type ipv4_addr flags timeout elements = { 1.1.1.1 timeout 5m expires 1m49s40ms } } } # sudo nft -T list ruleset table ip x { set y { type ipv4_addr flags timeout elements = { 1.1.1.1 timeout 300s expires 108s } } } Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1561 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: remove redundant meta protocol from the evaluation stepPablo Neira Ayuso2021-09-035-29/+56
| | | | | | | | | | | | | 567ea4774e13 ("netlink_delinearize: incorrect meta protocol dependency kill") does not document two cases that are handled in this patch: - 'meta protocol ip' is removed if used in the ip family. - 'meta protocol ip6' is removed if used in the ip6 family. This patch removes this redundancy earlier, from the evaluation step before netlink bytecode generation. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: incorrect meta protocol dependency kill againPablo Neira Ayuso2021-09-033-45/+151
| | | | | | | | | | | | | This patch adds __meta_dependency_may_kill() to consolidate inspection of the meta protocol, nfproto and ether type expression to validate dependency removal on listings. Phil reports that 567ea4774e13 includes an update on the ip and ip6 families that is not described in the patch, moreover, it flips the default verdict from true to false. Fixes: 567ea4774e13 ("netlink_delinearize: incorrect meta protocol dependency kill") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_json: Fix error reporting for invalid syntaxPhil Sutter2021-09-011-10/+8
| | | | | | | | | | | | | | | Errors emitted by the JSON parser caused BUG() in erec_print() due to input descriptor values being bogus. Due to lack of 'include' support, JSON parser uses a single input descriptor only and it lived inside the json_ctx object on stack of nft_parse_json_*() functions. By the time errors are printed though, that scope is not valid anymore. Move the static input descriptor object to avoid this. Fixes: 586ad210368b7 ("libnftables: Implement JSON parser") Signed-off-by: Phil Sutter <phil@nwl.cc>
* netlink_delinearize: incorrect meta protocol dependency killPablo Neira Ayuso2021-08-2613-3/+272
| | | | | | | | meta protocol is meaningful in bridge, netdev and inet families, do not remove this. Fixes: 056aaa3e6dc6 ("netlink_delinearize: Refactor meta_may_dependency_kill()") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache: provide a empty list for flowtables and objects when request failsPablo Neira Ayuso2021-08-261-16/+20
| | | | | | | | | Old kernels do not support for dumping the flowtable and object lists, provide an empty list instead to unbreak the cache initialization. Fixes: 560963c4d41e ("cache: add hashtable cache for flowtable") Fixes: 45a84088ecbd ("cache: add hashtable cache for object") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache: skip set element netlink dump for add/delete element commandPablo Neira Ayuso2021-08-262-2/+15
| | | | | | | | Add NFT_CACHE_SETELEM_MAYBE to dump the set elements conditionally, only in case that the set interval flag is set on. Reported-by: Cristian Constantin <const.crist@googlemail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: monitor: Continue on errorPhil Sutter2021-08-241-10/+23
| | | | | | Just make sure return code reflects the overall result. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: monitor: Print errors to stderrPhil Sutter2021-08-241-10/+17
| | | | | | | While being at it, introduce die() to error and exit. But don't use it everywhere to prepare for continuing on errors. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: json_echo: Print errors to stderrPhil Sutter2021-08-241-7/+7
| | | | | | | | | | | | | | Apart from the obvious, this fixes exit_dump() which tried to dump the wrong variable ('out' instead of 'obj') and missed that json.dumps() doesn't print but just returns a string. Make it call exit_err() to share some code, which changes the prefix from 'FAIL' to 'Error' as a side-effect. While being at it, fix for a syntax warning with newer Python in unrelated code. Fixes: bb32d8db9a125 ("JSON: Add support for echo option") Signed-off-by: Phil Sutter <phil@nwl.cc>
* src: Optimize prefix match only if is big-endianXiao Liang2021-08-234-1/+29
| | | | | | | | | | | A prefix of integer type is big-endian in nature. Prefix match can be optimized to truncated 'cmp' only if it is big-endian. [ Add one tests/py for this use-case --pablo ] Fixes: 25338cdb6c77 ("src: Optimize prefix matches on byte-boundaries") Signed-off-by: Xiao Liang <shaw.leon@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: add nft-f/0022variables_0 dump filePablo Neira Ayuso2021-08-202-5/+14
| | | | | | Dump file was missing. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: queue: consolidate queue statement syntaxPablo Neira Ayuso2021-08-207-24/+132
| | | | | | | | | | | | Print queue statement using the 'queue ... to' syntax to consolidate the syntax around Florian's proposal introduced in 6cf0f2c17bfb ("src: queue: allow use of arbitrary queue expressions"). Retain backward compatibility, 'queue num' syntax is still allowed. Update and add new tests. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: permit symbolic define for 'queue num' againFlorian Westphal2021-08-203-0/+13
| | | | | | | | | | | | | | | WHen I simplified the parser to restrict 'queue num' I forgot that instead of range and immediate value its also allowed to pass in a variable expression, e.g. define myq = 0 add rule ... 'queue num $myq bypass' Allow those as well and add a test case for this. Fixes: 767f0af82a389 ("parser: restrict queue num expressiveness") Reported-by: Amish <anon.amish@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* build: Bump version to v1.0.0v1.0.0Pablo Neira Ayuso2021-08-172-3/+3
| | | | | | | Update libversion since new API has been added in 9edaa6a51eab ("src: add --define key=value"). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: skip flags / mask notation for singleton bitmask againPablo Neira Ayuso2021-08-154-1/+31
| | | | | | | != operation should also be covered too. Fixes: 347a4aa16e64 ("netlink_delinearize: skip flags / mask notation for singleton bitmask") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: expand variable containing set into multiple mappingsPablo Neira Ayuso2021-08-123-0/+46
| | | | | | | | | | | | | | | | | | | | | | # cat x.nft define interfaces = { eth0, eth1 } table ip x { chain y { type filter hook input priority 0; policy accept; iifname vmap { lo : accept, $interfaces : drop } } } # nft -f x.nft # nft list ruleset table ip x { chain y { type filter hook input priority 0; policy accept; iifname vmap { "lo" : accept, "eth0" : drop, "eth1" : drop } } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: Make netns spawning more robustPhil Sutter2021-08-111-6/+34
| | | | | | | On systems without unshare Python module, try to call unshare binary with oneself as parameters. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tcpopt: bogus assertion on undefined optionsPablo Neira Ayuso2021-08-114-1/+25
| | | | | | | | | | # nft add rule x y tcp option 6 exists # nft list ruleset nft: tcpopt.c:208: tcpopt_init_raw: Assertion `expr->exthdr.desc != NULL' failed. Aborted Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1557 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* mnl: revisit hook listingPablo Neira Ayuso2021-08-065-120/+261
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Update this command to display the hook datapath for a packet depending on its family. This patch also includes: - Group of existing hooks based on the hook location. - Order hooks by priority, from INT_MIN to INT_MAX. - Do not add sign to priority zero. - Refresh include/linux/netfilter/nfnetlink_hook.h cache copy. - Use NFNLA_CHAIN_* attributes to print the chain family, table and name. If NFNLA_CHAIN_* attributes are not available, display the hookfn name. - Update syntax: remove optional hook parameter, promote the 'device' argument. The following example shows the hook datapath for IPv4 packets coming in from netdevice 'eth0': # nft list hooks ip device eth0 family ip { hook ingress { +0000000010 chain netdev x y [nf_tables] +0000000300 chain inet m w [nf_tables] } hook input { -0000000100 chain ip a b [nf_tables] +0000000300 chain inet m z [nf_tables] } hook forward { -0000000225 selinux_ipv4_forward 0000000000 chain ip a c [nf_tables] } hook output { -0000000225 selinux_ipv4_output } hook postrouting { +0000000225 selinux_ipv4_postroute } } Note that the listing above includes the existing netdev and inet hooks/chains which *might* interfer in the travel of an incoming IPv4 packet. This allows users to debug the pipeline, basically, to understand in what order the hooks/chains are evaluated for the IPv4 packets. If the netdevice is not specified, then the ingress hooks are not shown. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: py: check more flag match transformations to compact syntaxPablo Neira Ayuso2021-07-283-0/+193
| | | | | | Add a few more tests to extend coverage. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>