| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
Seperate relative time parsing and printing from the time_type to make
it usable for set and set element time related parameters.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
| |
Don't require hours to be in range 0-23 and minutes/seconds in range 0-59.
The time_type is used for relative times where it is entirely reasonable
to specify 180s instead of 3m.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
| |
Properly detect time strings in the lexer without quotation marks.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
| |
This simplifies the integer parsing logic and restricts it to
functions being part of the mini-gmp subset.
Signed-off-by: Steven Barth <cyrus@openwrt.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
The kernel only stored the id so we need to be able to reconstruct
the datatype from the id only.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The id of concat datatypes is composed of the ids of the individual
datatypes. Add a define for the number of bits for each datatype id
and a mask.
The number of bits is chosen as 6, allowing for 63 datatypes, or twice
as much as we currently have. This allows for concatenations of 5
types using 32 bits.
The value is statically chosen instead of basing it on the current
numbers of datatypes since we don't want the maximum concatenation
size to vary between versions, also new versions are supposed to be
able to propery parse a ruleset generated by an older version.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
| |
Using the size is confusing since it usually holds the size of
the data. Add a new "subtypes" member, which holds the number
of datatypes the concat type is made of.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
| |
The name of a concat type is the names of the individual types concatenated
using a '.'.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
nft add rule filter input iifname { "lo", "eth0" } counter
Now the listing shows:
iifname { "lo", "eth0"}
instead of:
iifname { "", ""}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
| |
Free allocated memory for ->desc.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
| |
Just setting the .sym_tbl correctly is all we need.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
| |
Use constant_data_ptr() to point to the right memory position on
big endian when exporting data that is stored in a larger variable.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Tested-by: Christophe Leroy <christophe.leroy@c-s.fr>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The name of datatypes can be used in set definition so they should
follow the same logic (and maybe not contain space to avoid problem
with parsing).
This patch adds an underscore to the name of the icmp* code
datatype.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Otherwise parsing with basetypes doesn't work. Now nft displays
an error when the symbolic constant is not correct:
<cmdline>:1:29-31: Error: Could not parse conntrack state
add rule test test ct state xxx accept
^^^
Use .sym_tbl instead and default on the symbol_constant_parse()
function from the ethertype and pkttype, this simplifies the code and
(more importantly) it avoids a breakage after the change in
integer_type_parse().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following example:
# nft add rule filter input ct state 8 accept
Segmentation fault
leads to a crash because we have the following datatype relation:
ct_state -> bitmask -> integer
The bitmask, which is an intermediate basetype, has no parse()
function, this leads to a crash in symbolic_constant_parse().
Patrick suggested to walk down the chain until we find a parser
function.
Reported-by: leroy christophe <christophe.leroy@c-s.fr>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch changes the default behaviour of nft to not translate IP
addresses to hostnames when printing rules if no options are passed.
The options regarding translations after this patch are:
<no -n/-N> show IP addresses numerically (default behaviour)
-n show IP addresses numerically
-nn show Internet services and uid/gid numerically
-nnn show protocols numerically
-N (--reversedns) translate IP addresses to names
The idea is to avoid breaking existing scripts that most likely rely on
'-n' to save the ruleset, so we reduce the impact of this patch and
provide a default behaviour that doesn't generate network traffic when
listing / saving the ruleset.
Joint work with Pablo.
Suggested-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch allows to use the reject action in rules. For example:
nft add rule filter input udp dport 22 reject
In this rule, we assume that the reason is network unreachable. Also
we can specify the reason with the option "with" and the reason. For example:
nft add rule filter input tcp dport 22 reject with icmp type host-unreachable
In the bridge tables and inet tables, we can use this action too. For example:
nft add rule inet filter input reject with icmp type host-unreachable
In this rule above, this generates a meta nfproto dependency to match
ipv4 traffic because we use a icmpv4 reason to reject.
If the reason is not specified, we infer it from the context.
Moreover, we have the new icmpx datatype. You can use this datatype for
the bridge and the inet tables to simplify your ruleset. For example:
nft add rule inet filter input reject with icmpx type host-unreachable
We have four icmpx reason and the mapping is:
ICMPX reason | ICMPv6 | ICMPv4
| |
admin-prohibited | admin-prohibited | admin-prohibited
port-unreachable | port-unreachable | port-unreachable
no-route | no-route | net-unreachable
host-unreachable | addr-unreachable | host-unreachable
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
With this patch, this function finds the symbol inside the table. If the symbol
doesn't exist we use the basetype to parse it and create the constant
expression. Otherwise, return an error message.
This a refactorization to reuse this code in a follow up patch.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
The kernel can handle this, nftables should also.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
symbolic_constant_print() uses mpz_cmp_ui() to find the matching symbol.
Since GMP internally treats all values as being in host byte, this
doesn't work when the constant value is non-host byteorder, such as
the ethernet protocol type.
Export the expression's value in its original byteorder for comparison
to fix this.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
| |
Add some more consistency by using _addr for all address types, _proto
for all protocol types and iface_ for all interface types.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When allocating a constant expression, a pointer to the data is passed
to the allocation function. When the variable used to store the data
is larger than the size of the data type, this fails on big endian since
the most significant bytes (being zero) come first.
Add a helper function to calculate the proper address for the cases
where this is needed.
This currently affects symbolic tables for values < u64 and payload
dependency generation for protocol values < u32.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| | |
This patch allows to specify a string to indicate the time, eg.
nft add rule filter output ct expiration \"1d2h3m4s\" counter
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |\|
| |
| |
| |
| |
| |
| | |
Signed-off-by: Patrick McHardy <kaber@trash.net>
Conflicts:
src/payload.c
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
It is uncommon to represent f.i. port number ranges as prefix expressions.
Introduce a datatype DTYPE_F_PREFIX flag to indicate that the preferred
representation of a range is a prefix and use it for segtree decomposition
to decide whether to use a range or prefix expression.
The ipaddr, ip6addr, mark and realm datatypes are changed to include the
DTYPE_F_PREFIX flag.
This fixes completely unreadable output in cases where the ranges are
representable as prefixes, f.i. in case of port number:
{ 0/6 => jump chain1, 0/5 => jump chain2, 0/4 => continue}
becomes:
{ 0-1023 => jump chain1, 1024-2047 => jump chain2, 2048-4095 => continue}
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |\| |
|
| | |
| |
| |
| |
| |
| |
| | |
*res has undefined contents, set to NULL before invoking the parse function
to make sure the test for != NULL doesn't falsely return true.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Revert commit a320531e7:
We have generic type checks that handle this case just fine and indeed
the bugzilla entry mentioned in the reverted patch states:
BUG: invalid input descriptor type 538976288
nft: src/erec.c:100: erec_print: Assertion `0' failed.
Abandon
So the problem is not related to datatypes at all and generic type
checking works perfectly fine:
<cmdline>:1:52-57: Error: datatype mismatch, expected Ethernet protocol, expression has type Internet protocol
add rule ip6 filter input position 4 meta protocol icmpv6 accept
~~~~~~~~~~~~~ ^^^^^^
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |/
|
|
|
|
|
|
| |
Add support for the meta nfproto type, which refers to the AF from the
netfilter hook ops. This is needed to get the actual family of a packet
in the dummy NFPROTO_INET family.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Thomas Berger reported that he is seeing garbage after valid string
values, eg.
fwtest01 ~ # nft -i
nft> table filter
nft> add chain filter input
nft> add rule filter input meta iifname "lo" accept
nft> list table filter
table ip filter {
chain input {
meta iifname "lo�.�" accept
}
...
The buffer that is allocated in the stack does not include room to
nul-terminate the string accordingly. This patch fixes bugzilla
report #872:
https://bugzilla.netfilter.org/show_bug.cgi?id=872
Reported-by: Thomas Berger <loki@lokis-chaos.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
src/nft add rule filter output meta oifname eth0
doesn't work on x86. Problem is that nft declares these as
BYTEORDER_INVALID, but when converting the string mpz_import_data
treats INVALID like BIG_ENDIAN.
[ cmp eq reg 1 0x00000000 0x00000000 0x65000000 0x00306874 ]
as kernel nft_cmp_eval basically boils down to
memcmp(reg, skb->dev->name, sizeof(reg) comparision fails.
with patch:
[ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes string mark parsing. Note that /etc/iproute2/rt_marks may
contain mapping between string and mark values.
This fixes here:
add rule filter output meta mark 0 counter
Assumming that:
cat /etc/iproute2/rt_marks
says:
0 test
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
In (5075879 datatype: validate port number in inet_service_type_parse),
conversion to network byte order was missing.
Reported-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Personally, I like seeing ports and IPs numerically, but prefer protocols
to be shown by name. As such, add a third --numeric level which will
show protocols by number, splitting them out from ports.
-n/--numeric When specified once, show network addresses numerically.
When specified twice, also show Internet services,
user IDs and group IDs numerically.
When specified thrice, also show protocols numerically.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
nftables does not currently allow specifying protocols by number. Below
patch adds this capability.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
At present, nft accepts out of range port values such as in this example:
nft add rule ip filter input tcp dport 123456 accept
Attached patch adds checks for both integer overflow and 16 bit overflow,
and avoids getaddrinfo call in the (common) case of digit input. Example
above now produces this output:
<cmdline>:1:36-41: Error: Service out of range
add rule ip filter input tcp dport 123456 accept
^^^^^^
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Eric Leblond reported that this command:
nft add rule ip6 filter input position 4 meta protocol icmpv6 accept
crashes nft. The problem is that 'icmpv6' is wrong there, as
meta protocol is expecting an ethernet protocol, that can be
expressed as an hexadecimal.
Now this command displays the following error:
<cmdline>:1:52-57: Error: This is not a valid Ethernet protocol
add rule ip6 filter input position 4 meta protocol icmpv6 accept
^^^^^^
This closes bugzilla #834:
https://bugzilla.netfilter.org/show_bug.cgi?id=834
Reported-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nft list table filter returns garbage here for IP and IPv6 addresses if
no name resolution is available. The output looks good if `-n' is used
in that case.
The problem is that getnameinfo() returns:
EAI_AGAIN -3 /* Temporary failure in name resolution. */
Without working name resolution. To fix this, force a fall back to
numeric resolution in that case.
While at it, fix also possible resolution of services in case of
that /etc/services is missing in the system.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Eric Leblond reports a crash with the following invalid command:
nft add rule global filter ip daddr . tcp dport { 192.168.0.1 . 22\; 192.168.0.3 . 89 } drop
Note that the semicolon is incorrect in that concatenation,
it should be a comma.
The backtrace shows:
(gdb) bt
#0 0x00007ffff6f39295 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff6f3c438 in __GI_abort () at abort.c:90
#2 0x00007ffff6f7486b in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff7070d28 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:199
#3 0x00007ffff6f7eac6 in malloc_printerr (action=3, str=0x7ffff706ccca "free(): invalid pointer", ptr=<optimized out>) at malloc.c:4902
#4 0x00007ffff6f7f843 in _int_free (av=<optimized out>, p=0x428530, have_lock=0) at malloc.c:3758
#5 0x000000000041aae8 in xfree (ptr=0x428540 <invalid_type>) at src/utils.c:29
#6 0x000000000040bc43 in concat_type_destroy (dtype=0x428540 <invalid_type>) at src/datatype.c:690
#7 0x000000000040cebf in concat_expr_destroy (expr=0x643b90) at src/expression.c:571
[...]
It's trying to release 'invalid_type', which was not dynamically
allocated. Note that before the evaluation step, the invalid type
is attached to the expressions.
Since nftables allocates a dynamic datatype for concatenations in
case that needs to be released in the exit path. All datatypes
except this, are allocated in the BSS. Since we have no way to
differenciate between these two, add a flag so we can recognize
dynamically allocated datatypes.
While at it, rename dtype->type from enum to explicit uint32_t, as
it is used to store the concatenation type mask as well.
Reported-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
# nft -nn filter output ip daddr . tcp dport . tcp dport { 192.168.0.1 . ssh }
<cmdline>:1:50-66: Error: datatype mismatch, expected concatenation of (IPv4 address, internet network service, internet network service), expression has type concatenation of (IPv4 address, internet network service)
filter output ip daddr . tcp dport . tcp dport { 192.168.0.1 . ssh }
^^^^^^^^^^^^^^^^^
# nft -nn filter output ip daddr . tcp dport . tcp dport { 192.168.0.1 . ssh . ssh . ssh}
<cmdline>:1:76-78: Error: unexpected concat component, expecting concatenation of (IPv4 address, internet network service, internet network service)
filter output ip daddr . tcp dport . tcp dport { 192.168.0.1 . ssh . ssh . ssh}
~~~~~~~~~~~~~~~~~~~~~~~~~~^^^
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
| |
Dynamically instantiate a data type to represent all types of a concatenation
and use that for type propagation.
|
| |
|
|
|
|
|
|
| |
Add a new type for ethernet addresses. This is needed since for concatenations
we need fixed sized data types, the generic link layer address doesn't have
a fixed length.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
| |
Go down the chain of basetypes until we find a ->parse()/->print() callback
or symbol table. Needed to invoke the generic link layer address parsing
function for the etheraddr_type.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
