summaryrefslogtreecommitdiffstats
path: root/src/datatype.c
Commit message (Collapse)AuthorAgeFilesLines
* datatype: Fix size of time_typePhil Sutter2021-11-301-2/+4
| | | | | | | | | Used by 'ct expiration', time_type is supposed to be 32bits. Passing a 64bits variable to constant_expr_alloc() causes the value to be always zero on Big Endian. Fixes: 0974fa84f162a ("datatype: seperate time parsing/printing from time_type") Signed-off-by: Phil Sutter <phil@nwl.cc>
* datatype: add xinteger_type alias to print in hexadecimalPablo Neira Ayuso2021-11-031-0/+16
| | | | | | | | | Add an alias of the integer type to print raw payload expressions in hexadecimal. Update tests/py. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: time_print() ignores -TPablo Neira Ayuso2021-09-061-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | Honor NFT_CTX_OUTPUT_NUMERIC_TIME. # nft list ruleset table ip x { set y { type ipv4_addr flags timeout elements = { 1.1.1.1 timeout 5m expires 1m49s40ms } } } # sudo nft -T list ruleset table ip x { set y { type ipv4_addr flags timeout elements = { 1.1.1.1 timeout 300s expires 108s } } } Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1561 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: skip cgroupv2 rootfs in listingPablo Neira Ayuso2021-05-181-1/+2
| | | | | | | | | | | | | | | | cgroupv2 path is expressed from the /sys/fs/cgroup folder, update listing to skip it. # nft add rule x y socket cgroupv2 level 1 "user.slice" counter # nft list ruleset table ip x { chain y { type filter hook input priority filter; policy accept; socket cgroupv2 level 1 "user.slice" counter } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use PRIu64 formatPablo Neira Ayuso2021-05-181-1/+1
| | | | | | | | | | | | | | | | | | Fix the following compilation warnings on x86_32. datatype.c: In function ‘cgroupv2_type_print’: datatype.c:1387:22: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘uint64_t’ {aka ‘long long unsigned int’} [-Wformat=] nft_print(octx, "%lu", id); ~~^ ~~ %llu meta.c: In function ‘date_type_print’: meta.c:411:21: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘uint64_t’ {aka ‘long long unsigned int’} [-Wformat=] nft_print(octx, "%lu", tstamp); ~~^ ~~~~~~ %llu Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add cgroupsv2 supportPablo Neira Ayuso2021-05-031-0/+91
| | | | | | Add support for matching on the cgroups version 2. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add datatype->describe()Pablo Neira Ayuso2021-03-251-0/+15
| | | | | | | | | | | | As an alternative to print the datatype values when no symbol table is available. Use it to print protocols available via getprotobynumber() which actually refers to /etc/protocols. Not very efficient, getprotobynumber() causes a series of open()/close() calls on /etc/protocols, but this is called from a non-critical path. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1503 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: convert chain name from gmp value to stringPablo Neira Ayuso2020-07-151-8/+13
| | | | | | | Add expr_chain_export() helper function to convert the chain name that is stored in a gmp value variable to string. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: add frag-needed (ipv4) to reject optionsMichael Braun2020-05-281-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | This enables to send icmp frag-needed messages using reject target. I have a bridge with connects an gretap tunnel with some ethernet lan. On the gretap device I use ignore-df to avoid packets being lost without icmp reject to the sender of the bridged packet. Still I want to avoid packet fragmentation with the gretap packets. So I though about adding an nftables rule like this: nft insert rule bridge filter FORWARD \ ip protocol tcp \ ip length > 1400 \ ip frag-off & 0x4000 != 0 \ reject with icmp type frag-needed This would reject all tcp packets with ip dont-fragment bit set that are bigger than some threshold (here 1400 bytes). The sender would then receive ICMP unreachable - fragmentation needed and reduce its packet size (as defined with PMTU). [ pablo: update tests/py ] Signed-off-by: Michael Braun <michael-dev@fami-braun.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: fix double-free resulting in use-after-free in datatype_freeMichael Braun2020-05-011-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | nft list table bridge t table bridge t { set s4 { typeof ip saddr . ip daddr elements = { 1.0.0.1 . 2.0.0.2 } } } ================================================================= ==24334==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000000a8 at pc 0x7fe0e67df0ad bp 0x7ffff83e88c0 sp 0x7ffff83e88b8 READ of size 4 at 0x6080000000a8 thread T0 #0 0x7fe0e67df0ac in datatype_free nftables/src/datatype.c:1110 #1 0x7fe0e67e2092 in expr_free nftables/src/expression.c:89 #2 0x7fe0e67a855e in set_free nftables/src/rule.c:359 #3 0x7fe0e67b2f3e in table_free nftables/src/rule.c:1263 #4 0x7fe0e67a70ce in __cache_flush nftables/src/rule.c:299 #5 0x7fe0e67a71c7 in cache_release nftables/src/rule.c:305 #6 0x7fe0e68dbfa9 in nft_ctx_free nftables/src/libnftables.c:292 #7 0x55f00fbe0051 in main nftables/src/main.c:469 #8 0x7fe0e553309a in __libc_start_main ../csu/libc-start.c:308 #9 0x55f00fbdd429 in _start (nftables/src/.libs/nft+0x9429) 0x6080000000a8 is located 8 bytes inside of 96-byte region [0x6080000000a0,0x608000000100) freed by thread T0 here: #0 0x7fe0e6e70fb0 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8fb0) #1 0x7fe0e68b8122 in xfree nftables/src/utils.c:29 #2 0x7fe0e67df2e5 in datatype_free nftables/src/datatype.c:1117 #3 0x7fe0e67e2092 in expr_free nftables/src/expression.c:89 #4 0x7fe0e67a83fe in set_free nftables/src/rule.c:356 #5 0x7fe0e67b2f3e in table_free nftables/src/rule.c:1263 #6 0x7fe0e67a70ce in __cache_flush nftables/src/rule.c:299 #7 0x7fe0e67a71c7 in cache_release nftables/src/rule.c:305 #8 0x7fe0e68dbfa9 in nft_ctx_free nftables/src/libnftables.c:292 #9 0x55f00fbe0051 in main nftables/src/main.c:469 #10 0x7fe0e553309a in __libc_start_main ../csu/libc-start.c:308 previously allocated by thread T0 here: #0 0x7fe0e6e71330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330) #1 0x7fe0e68b813d in xmalloc nftables/src/utils.c:36 #2 0x7fe0e68b8296 in xzalloc nftables/src/utils.c:65 #3 0x7fe0e67de7d5 in dtype_alloc nftables/src/datatype.c:1065 #4 0x7fe0e67df862 in concat_type_alloc nftables/src/datatype.c:1146 #5 0x7fe0e67ea852 in concat_expr_parse_udata nftables/src/expression.c:954 #6 0x7fe0e685dc94 in set_make_key nftables/src/netlink.c:718 #7 0x7fe0e685e177 in netlink_delinearize_set nftables/src/netlink.c:770 #8 0x7fe0e685f667 in list_set_cb nftables/src/netlink.c:895 #9 0x7fe0e4f95a03 in nftnl_set_list_foreach src/set.c:904 SUMMARY: AddressSanitizer: heap-use-after-free nftables/src/datatype.c:1110 in datatype_free Shadow bytes around the buggy address: 0x0c107fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c107fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c107fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c107fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c107fff8000: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd =>0x0c107fff8010: fa fa fa fa fd[fd]fd fd fd fd fd fd fd fd fd fd 0x0c107fff8020: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd 0x0c107fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==24334==ABORTING Signed-off-by: Michael Braun <michael-dev@fami-braun.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: compute mnemonic port name much easierJan Engelhardt2020-02-071-27/+6
| | | | | Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: store expr, not dtype to track data in setsFlorian Westphal2019-12-161-5/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This will be needed once we add support for the 'typeof' keyword to handle maps that could e.g. store 'ct helper' "type" values. Instead of: set foo { type ipv4_addr . mark; this would allow set foo { typeof(ip saddr) . typeof(ct mark); (exact syntax TBD). This would be needed to allow sets that store variable-sized data types (string, integer and the like) that can't be used at at the moment. Adding special data types for everything is problematic due to the large amount of different types needed. For anonymous sets, e.g. "string" can be used because the needed size can be inferred from the statement, e.g. 'osf name { "Windows", "Linux }', but in case of named sets that won't work because 'type string' lacks the context needed to derive the size information. With 'typeof(osf name)' the context is there, but at the moment it won't help because the expression is discarded instantly and only the data type is retained. Signed-off-by: Florian Westphal <fw@strlen.de>
* datatype: display description for header field < 8 bitsPablo Neira Ayuso2019-10-101-1/+1
| | | | | | | | | | | | # nft describe ip dscp payload expression, datatype dscp (Differentiated Services Code Point) (basetype integer), 6 bits pre-defined symbolic constants (in hexadecimal): nft: datatype.c:209: switch_byteorder: Assertion `len > 0' failed. Aborted Fixes: c89a0801d077 ("datatype: Display pre-defined inet_service values in host byte order") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: Introduce new conditions 'time', 'day' and 'hour'Ander Juaristi2019-09-061-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | These keywords introduce new checks for a timestamp, an absolute date (which is converted to a timestamp), an hour in the day (which is converted to the number of seconds since midnight) and a day of week. When converting an ISO date (eg. 2019-06-06 17:00) to a timestamp, we need to substract it the GMT difference in seconds, that is, the value of the 'tm_gmtoff' field in the tm structure. This is because the kernel doesn't know about time zones. And hence the kernel manages different timestamps than those that are advertised in userspace when running, for instance, date +%s. The same conversion needs to be done when converting hours (e.g 17:00) to seconds since midnight as well. The result needs to be computed modulo 86400 in case GMT offset (difference in seconds from UTC) is negative. We also introduce a new command line option (-t, --seconds) to show the actual timestamps when printing the values, rather than the ISO dates, or the hour. Some usage examples: time < "2019-06-06 17:00" drop; time < "2019-06-06 17:20:20" drop; time < 12341234 drop; day "Saturday" drop; day 6 drop; hour >= 17:00 drop; hour >= "17:00:01" drop; hour >= 63000 drop; We need to convert an ISO date to a timestamp without taking into account the time zone offset, since comparison will be done in kernel space and there is no time zone information there. Overwriting TZ is portable, but will cause problems when parsing a ruleset that has 'time' and 'hour' rules. Parsing an 'hour' type must not do time zone conversion, but that will be automatically done if TZ has been overwritten to UTC. Hence, we use timegm() to parse the 'time' type, even though it's not portable. Overwriting TZ seems to be a much worse solution. Finally, be aware that timestamps are converted to nanoseconds when transferring to the kernel (as comparison is done with nanosecond precision), and back to seconds when retrieving them for printing. We swap left and right values in a range to properly handle cross-day hour ranges (e.g. 23:15-03:22). Signed-off-by: Ander Juaristi <a@juaristi.eus> Reviewed-by: Florian Westphal <fw@strlen.de>
* src: fix jumps on bigendian archesFlorian Westphal2019-08-141-9/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | table bla { chain foo { } chain bar { jump foo } } } Fails to restore on big-endian platforms: jump.nft:5:2-9: Error: Could not process rule: No such file or directory jump foo nft passes a 0-length name to the kernel. This is because when we export the value (the string), we provide the size of the destination buffer. In earlier versions, the parser allocated the name with the same fixed size and all was fine. After the fix, the export places the name in the wrong location in the destination buffer. This makes tests/shell/testcases/chains/0001jumps_0 work on s390x. v2: convert one error check to a BUG(), it should not happen unless kernel abi is broken. Fixes: 142350f154c78 ("src: invalid read when importing chain name") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow variable in chain policyFernando Fernandez Mancera2019-08-081-0/+30
| | | | | | | | | | | | This patch allows you to use variables in chain policy definition, e.g. define default_policy = "accept" add table ip foo add chain ip foo bar {type filter hook input priority filter; policy $default_policy} Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow variables in the chain priority specificationFernando Fernandez Mancera2019-08-081-0/+36
| | | | | | | | | | | | | | | | | This patch allows you to use variables in chain priority definitions, e.g. define prio = filter define prionum = 10 define prioffset = "filter - 150" add table ip foo add chain ip foo bar { type filter hook input priority $prio; } add chain ip foo ber { type filter hook input priority $prionum; } add chain ip foo bor { type filter hook input priority $prioffset; } Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove global symbol_tablePablo Neira Ayuso2019-08-081-9/+7
| | | | | | | | | Store symbol tables in context object instead. Use the nft_ctx object to store the dynamic symbol table. Pass it on to the parse_ctx object so this can be accessed from the parse routines. This dynamic symbol table is also accesible from the output_ctx object for print routines. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add parse_ctx objectPablo Neira Ayuso2019-08-081-17/+29
| | | | | | | | This object stores the dynamic symbol tables that are loaded from files. Pass this object to datatype parse functions, although this new parameter is not used yet, this is just a preparation patch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: fix print of raw numerical symbol valuesFlorian Westphal2019-06-171-11/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The two rules: arp operation 1-2 accept arp operation 256-512 accept are both shown as 256-512: chain in_public { arp operation 256-512 accept arp operation 256-512 accept meta mark "1" tcp flags 2,4 } This is because range expression enforces numeric output, yet nft_print doesn't respect byte order. Behave as if we had no symbol in the first place and call the base type print function instead. This means we now respect format specifier as well: chain in_public { arp operation 1-2 accept arp operation 256-512 accept meta mark 0x00000001 tcp flags 0x2,0x4 } Without fix, added test case will fail: 'add rule arp test-arp input arp operation 1-2': 'arp operation 1-2' mismatches 'arp operation 256-512' v2: in case of -n, also elide quotation marks, just as if we would not have found a symbolic name. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: double datatype_free() with dynamic integer datatypesPablo Neira Ayuso2019-06-141-5/+0
| | | | | | datatype_set() already deals with this case, remove this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: dtype_clone() should clone flags tooPablo Neira Ayuso2019-06-131-1/+1
| | | | | | Clone original flags too. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add reference counter for dynamic datatypesPablo Neira Ayuso2019-06-131-10/+36
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There are two datatypes are using runtime datatype allocation: * Concatenations. * Integer, that require byteorder adjustment. From the evaluation / postprocess step, transformations are common, hence expressions may end up fetching (infering) datatypes from an existing one. This patch adds a reference counter to release the dynamic datatype object when it is shared. The API includes the following helper functions: * datatype_set(expr, datatype), to assign a datatype to an expression. This helper already deals with reference counting for dynamic datatypes. This also drops the reference counter of any previous datatype (to deal with the datatype replacement case). * datatype_get(datatype) bumps the reference counter. This function also deals with nul-pointers, that occurs when the datatype is unset. * datatype_free() drops the reference counter, and it also releases the datatype if there are not more clients of it. Rule of thumb is: The reference counter of any newly allocated datatype is set to zero. This patch also updates every spot to use datatype_set() for non-dynamic datatypes, for consistency. In this case, the helper just makes an simple assignment. Note that expr_alloc() has been updated to call datatype_get() on the datatype that is assigned to this new expression. Moreover, expr_free() calls datatype_free(). This fixes valgrind reports like this one: ==28352== 1,350 (440 direct, 910 indirect) bytes in 5 blocks are definitely lost in loss recor 3 of 3 ==28352== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299) ==28352== by 0x4E79558: xmalloc (utils.c:36) ==28352== by 0x4E7963D: xzalloc (utils.c:65) ==28352== by 0x4E6029B: dtype_alloc (datatype.c:1073) ==28352== by 0x4E6029B: concat_type_alloc (datatype.c:1127) ==28352== by 0x4E6D3B3: netlink_delinearize_set (netlink.c:578) ==28352== by 0x4E6D68E: list_set_cb (netlink.c:648) ==28352== by 0x5D74023: nftnl_set_list_foreach (set.c:780) ==28352== by 0x4E6D6F3: netlink_list_sets (netlink.c:669) ==28352== by 0x4E5A7A3: cache_init_objects (rule.c:159) ==28352== by 0x4E5A7A3: cache_init (rule.c:216) ==28352== by 0x4E5A7A3: cache_update (rule.c:266) ==28352== by 0x4E7E0EE: nft_evaluate (libnftables.c:388) ==28352== by 0x4E7EADD: nft_run_cmd_from_filename (libnftables.c:479) ==28352== by 0x109A53: main (main.c:310) This patch also removes the DTYPE_F_CLONE flag which is broken and not needed anymore since proper reference counting is in place. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Allow goto and jump to a variableFernando Fernandez Mancera2019-05-241-0/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | This patch introduces the use of nft input files variables in 'jump' and 'goto' statements, e.g. define dest = ber add table ip foo add chain ip foo bar {type filter hook input priority 0;} add chain ip foo ber add rule ip foo ber counter add rule ip foo bar jump $dest table ip foo { chain bar { type filter hook input priority filter; policy accept; jump ber } chain ber { counter packets 71 bytes 6664 } } Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Introduce chain_expr in jump and goto statementsFernando Fernandez Mancera2019-05-241-2/+20
| | | | | | | | | Introduce expressions as a chain in jump and goto statements. This is going to be used to support variables as a chain in the following patches. Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: expr: add expression etypeFlorian Westphal2019-02-081-1/+1
| | | | | | | | Temporary kludge to remove all the expr->ops->type == ... patterns. Followup patch will remove expr->ops, and make expr_ops() lookup the correct expr_ops struct instead to reduce struct expr size. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add igmp supportPablo Neira Ayuso2019-01-091-0/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: get rid of nft_ctx_output_{get,set}_numeric()Pablo Neira Ayuso2018-10-301-1/+1
| | | | | | | | | | | | | | | | | | | | | | | This patch adds NFT_CTX_OUTPUT_NUMERIC_SYMBOL, which replaces the last client of the numeric level approach. This patch updates `-n' option semantics to display all output numerically. Note that monitor code was still using the -n option to skip printing the process name, this patch updates that path too to print it inconditionally to simplify things. Given the numeric levels have no more clients after this patch, remove that code. Update several tests/shell not to use -nn. This patch adds NFT_CTX_OUTPUT_NUMERIC_ALL which enables all flags to provide a fully numerical output. Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add NFT_CTX_OUTPUT_NUMERIC_PROTOPablo Neira Ayuso2018-10-291-1/+1
| | | | | | | | | | | We keep printing layer 4 protocols as literals since we do not use /etc/protocols. This new flag allows us to print it as a number. libnftables internally uses this to print layer 4 protocol as numbers when part of a range. Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Revert --literal, add -S/--servicePablo Neira Ayuso2018-10-291-3/+3
| | | | | | | | | | | | | | | | | | | | | | This is a partial revert of b0f6a45b25dd1 ("src: add --literal option") which was added during the development cycle before 0.9.1 is released. After looking at patch: https://patchwork.ozlabs.org/patch/969864/ that allows to print priority, uid, gid and protocols as numerics, I decided to revisit this to provide individual options to turn on literal printing. What I'm proposing is to provide a good default for everyone, and provide options to turn on literal/numeric printing. This patch adds nft_ctx_output_{set,get}_flags() and define two flags to enable reverse DNS lookups and to print ports as service names. This patch introduces -S/--services, to print service names as per /etc/services. Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Fix literal check for inet_service typePhil Sutter2018-09-101-1/+1
| | | | | | | | | | | | Since literal option is supposed to be a level, matching for equality is not correct here since the level may be higher than NFT_LITERAL_PORT. This fixes for ports being printed numerically if '-l' option was given twice. Fixes: b0f6a45b25dd1 ("src: add --literal option") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: honor /etc/servicesPablo Neira Ayuso2018-08-241-14/+42
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This partial patch reverts: ccc5da470e76 ("datatype: Replace getnameinfo() by internal lookup table") f0f99006d34b ("datatype: Replace getaddrinfo() by internal lookup table") so /etc/services is used to interpret service names, eg. # nft add rule x y tcp dport \"ssh\" Then, listing looks like: # nft list ruleset -l table x { chain y { ... tcp dport "ssh" } } Major changes with regards to the original approach are: 1) Services are displayed in text via `-l' option. 2) Services are user-defined, just like mappings in /etc/iproute2/* files and connlabel.conf, so they are displayed enclosed in quotes. Note that original service name code was broken since it parses both udp and tcp service names but it only displays tcp services names as literal. This is because NI_DGRAM is missing. This patch makes nft falls back on udp services if no literal was found in the initial tcp service name query. Proper way to handle would be to add infrastructure to store protocol context information in struct output_ctx. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add --literal optionPablo Neira Ayuso2018-07-071-5/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Default not to print the service name as we discussed during the NFWS. # nft list ruleset table ip x { chain y { tcp dport 22 ip saddr 1.1.1.1 } } # nft -l list ruleset table ip x { chain y { tcp dport ssh ip saddr 1.1.1.1 } } # nft -ll list ruleset table ip x { chain y { tcp dport 22 ip saddr 1dot1dot1dot1.cloudflare-dns.com } } Then, -ll displays FQDN. just like the (now deprecated) --ip2name (-N) option. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: add stolen verdictFlorian Westphal2018-06-121-1/+5
| | | | | | | | | | | | | | | using fwd statement causes crash when using nft trace: trace id ddbbaae2 netdev vpn ingress_out packet: iif "enp2s0" ether saddr 78:54:00:29:bb:aa ether daddr 52:54:00:01:53:9f ip saddr 85.14.236.41 ip daddr 17.25.63.98 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 49036 ip length 84 icmp type echo-reply icmp code 0 icmp id 16947 icmp sequence 4 trace id ddbbaae2 netdev vpn ingress_out rule ip saddr 85.14.236.41 nftrace set 1 (verdict continue) trace id ddbbaae2 netdev vpn ingress_out rule ip saddr 85.14.236.41 ether saddr set aa:bb:00:18:cc:dd ether daddr set 00:00:5e:00:00:11 fwd to "enp1s0" BUG: invalid verdict value 2 nft: datatype.c:282: verdict_type_print: Assertion `0' failed. ADd stolen verdict (2) and remove the BUG statement. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1261 Signed-off-by: Florian Westphal <fw@strlen.de>
* libnftables: Implement JSON output supportPhil Sutter2018-05-111-0/+8
| | | | | | | | | | | | Although technically there already is support for JSON output via 'nft export json' command, it is hardly useable since it exports all the gory details of nftables VM. Also, libnftables has no control over what is exported since the content comes directly from libnftnl. Instead, implement JSON format support for regular 'nft list' commands. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Make some arrays globally accessiblePhil Sutter2018-05-111-1/+2
| | | | | | | | | | | | | | | This removes static flag and adds declarations in headers for the following arrays: * ct_templates from src/ct.c * mark_tbl from src/datatype.c * meta_templates and devgroup_tbl from src/meta.c * table_flags_name from src/rule.c * set_stmt_op_names from src/statement.c * tcpopthdr_protocols from src/tcpopt.c Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support timeouts in millisecondsFlorian Westphal2018-05-091-14/+34
| | | | | | | | | | currently the frontend uses seconds everywhere and multiplies/divides by 1000. Pass milliseconds around instead and extend the scanner to accept 'ms' in timestrings. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: datatype: prefer sscanf, avoid strncpyFlorian Westphal2018-03-031-11/+10
| | | | | | similar to previous patch, but replace strncpy+atoi by sscanf. Signed-off-by: Florian Westphal <fw@strlen.de>
* meta: introduce datatype ifname_typeArturo Borrero Gonzalez2018-02-251-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | This new datatype is a string subtype. It will allow us to build named maps/sets using meta keys like 'iifname', 'oifname', 'ibriport' or 'obriport'. Example: table inet t { set s { type ifname elements = { "eth0", "eth1" } } chain c { iifname @s accept oifname @s accept } } Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add nft_ prefix to everything exposed through include/nftables/nftables.hPablo Neira Ayuso2017-10-241-3/+3
| | | | | | | | Prepend nft_ prefix before these are exposed, reduce chances we hit symbol namespace pollution problems when mixing libnftables with other existing libraries. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: get rid of printfPhil Sutter2017-09-291-29/+31
| | | | | | | | | | | | | | | | | This patch introduces nft_print()/nft_gmp_print() functions which have to be used instead of printf to output information that were previously send to stdout. These functions print to a FILE pointer defined in struct output_ctx. It is set by calling: | old_fp = nft_ctx_set_output(ctx, new_fp); Having an application-defined FILE pointer is actually quite flexible: Using fmemopen() or even fopencookie(), an application gains full control over what is printed and where it should go to. Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Remove __init and __exit macro definitions.Varsha Rao2017-07-171-2/+2
| | | | | | | | | | | | Add nft_init and nft_exit functions, which calls _init and _exit functions in main.c file. Remove __init and __exit macro definitions as libnftables library will be created soon. Rename realm_table_init() and realm_table_exit() functions to avoid ambiguity as realm_table_rt_init(), realm_table_meta_init, realm_table_rt_exit() and realm_table_meta_exit() in rt.c and meta.c files. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: Remove datatype_register().Varsha Rao2017-06-301-5/+20
| | | | | | | | Remove datatype_register() function and its calling __init functions. Add arguments of datatype_register() function to datatype array. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Pass stateless, numeric, ip2name and handle variables as structure members.Varsha Rao2017-06-181-25/+28
| | | | | | | | | | | | | | | | | libnftables library will be created soon. So declare numeric_output, stateless_output, ip2name_output and handle_output as members of structure output_ctx, instead of global variables. Rename these variables as following, numeric_output -> numeric stateless_output -> stateless ip2name_output -> ip2name handle_output -> handle Also add struct output_ctx *octx as member of struct netlink_ctx. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix build warning on i686Florian Westphal2017-04-081-1/+1
| | | | | | | datatype.c:182:13: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 2 has type ‘uint64_t {aka long long unsigned int}’ [-Wformat=] printf("%lu", val); Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix crash when inputting an incomplete set add commandLiping Zhang2017-03-131-1/+1
| | | | | | | | | | | | | | | | | | | | | After inputting the following nft command, set->keytype is not initialized but we try to destroy it, so NULL pointer dereference will happen: # nft add set t s Segmentation fault (core dumped) #0 dtype_free (dtype=0x0) at datatype.c:1049 #1 set_datatype_destroy (dtype=0x0) at datatype.c:1051 #2 0x0000000000407f1a in set_free (set=0x838790) at rule.c:213 #3 0x000000000042ff70 in nft_parse (scanner=scanner@entry=0x8386a0, state=state@entry=0x7ffc313ea670) at parser_bison.c:9355 #4 0x000000000040727d in nft_run (scanner=scanner@entry=0x8386a0, state=state@entry=0x7ffc313ea670, msgs=msgs@entry=0x7ffc313ea660) at main.c:237 #5 0x0000000000406e4a in main (argc=<optimized out>, argv=<optimized out>) at main.c:376 Fixes: b9b6092304ae ("evaluate: store byteorder for set keys") Signed-off-by: Liping Zhang <zlpnobody@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Introduce boolean datatype and boolean expressionPhil Sutter2017-03-101-0/+19
| | | | | Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename set_keytype_alloc() to set_datatype_alloc()Pablo Neira Ayuso2017-02-281-3/+3
| | | | | | | This function can be used either side of the map, so rename it to something generic. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* datatype: add DTYPE_F_CLONE flagPablo Neira Ayuso2017-02-251-2/+3
| | | | | | | | | | | | | | This flag allows us to identify datatypes that are instances from original datatypes. This fixes a possible double free when attaching a concatenation datatype to set->keytype while being also referenced from concatenation expressions. ip6/flowtable.t: ERROR: line 5: src/nft add rule --debug=netlink ip6 test-ip6 input flow table acct_out { meta iif . ip6 saddr timeout 600s counter }: This rule should not have failed. *** Error in `src/nft': double free or corruption (fasttop): 0x000000000117ce70 *** Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: store byteorder for set keysPablo Neira Ayuso2017-02-251-5/+43
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Selectors that rely on the integer type and expect host endian byteorder don't work properly. We need to keep the byteorder around based on the left hand size expression that provides the context, so store the byteorder when evaluating the map. Before this patch. # nft --debug=netlink add rule x y meta mark set meta cpu map { 0 : 1, 1 : 2 } __map%d x b __map%d x 0 element 00000000 : 00000001 0 [end] element 01000000 : 00000002 0 [end] ^^^^^^^^ This is expressed in network byteorder, because the invalid byteorder defaults on this. After this patch: # nft --debug=netlink add rule x y meta mark set meta cpu map { 0 : 1, 1 : 2 } __map%d x b __map%d x 0 element 00000000 : 00000001 0 [end] element 00000001 : 00000002 0 [end] ^^^^^^^^ This is in host byteorder, as the key selector in the map mandates. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>