summaryrefslogtreecommitdiffstats
path: root/src/parser_bison.y
Commit message (Collapse)AuthorAgeFilesLines
* libnftables: location-based error reporting for chain typePablo Neira Ayuso2021-05-201-1/+2
| | | | | | | | | | | | | | | | | Store the location of the chain type for better error reporting. Several users that compile custom kernels reported that error reporting is misleading when accidentally selecting CONFIG_NFT_NAT=n. After this patch, a better hint is provided: # nft 'add chain x y { type nat hook prerouting priority dstnat; }' Error: Could not process rule: No such file or directory add chain x y { type nat hook prerouting priority dstnat; } ^^^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: Implement SCTP Chunk matchingPhil Sutter2021-05-191-2/+146
| | | | | | | | Extend exthdr expression to support scanning through SCTP packet chunks and matching on fixed fields' values. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* scanner: sctp: Move to own scopePhil Sutter2021-05-191-2/+3
| | | | | | | This isolates only "vtag" token for now. Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Florian Westphal <fw@strlen.de>
* parser_bison: add shortcut syntax for matching flags without binary operationsPablo Neira Ayuso2021-05-161-0/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the following shortcut syntax: expression flags / flags instead of: expression and flags == flags For example: tcp flags syn,ack / syn,ack,fin,rst ^^^^^^^ ^^^^^^^^^^^^^^^ value mask instead of: tcp flags and (syn|ack|fin|rst) == syn|ack The second list of comma-separated flags represents the mask which are examined and the first list of comma-separated flags must be set. You can also use the != operator with this syntax: tcp flags != fin,rst / syn,ack,fin,rst This shortcut is based on the prefix notation, but it is also similar to the iptables tcp matching syntax. This patch introduces the flagcmp expression to print the tcp flags in this new notation. The delinearize path transforms the binary expression to this new flagcmp expression whenever possible. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add set element catch-all supportPablo Neira Ayuso2021-05-111-16/+3
| | | | | | | | | | | | | | | | | | | | | | | | | Add a catchall expression (EXPR_SET_ELEM_CATCHALL). Use the asterisk (*) to represent the catch-all set element, e.g. table x { set y { type ipv4_addr counter elements = { 1.2.3.4 counter packets 0 bytes 0, * counter packets 0 bytes 0 } } } Special handling for segtree: zap the catch-all element from the set element list and re-add it after processing. Remove wildcard_expr deadcode in src/parser_bison.y This patch also adds several tests for the tests/py and tests/shell infrastructures. Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: add set_elem_key_expr rulePablo Neira Ayuso2021-05-111-2/+8
| | | | | | | Add a rule to specify the set key expression in preparation for the catch-all element support. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add cgroupsv2 supportPablo Neira Ayuso2021-05-031-1/+6
| | | | | | Add support for matching on the cgroups version 2. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: missing relational operation on flag listPablo Neira Ayuso2021-05-021-0/+4
| | | | | | | | | | | | | | | Complete e6c32b2fa0b8 ("src: add negation match on singleton bitmask value") which was missing comma-separated list of flags. This patch provides a shortcut for: tcp flags and fin,rst == 0 which allows to check for the packet whose fin and rst bits are unset: # nft add rule x y tcp flags not fin,rst counter Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: allow to load stateful ct connlimit elements in setsLaura Garcia Liebana2021-05-021-0/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes a syntax error after loading a nft dump with a set including stateful ct connlimit elements. Having a nft dump as per below: table ip nftlb { set connlimit-set { type ipv4_addr size 65535 flags dynamic elements = { 84.245.120.167 ct count over 20 , 86.111.207.45 ct count over 20 , 173.212.220.26 ct count over 20 , 200.153.13.235 ct count over 20 } } } The syntax error is shown when loading the ruleset. root# nft -f connlimit.nft connlimit.nft:15997:31-32: Error: syntax error, unexpected ct, expecting comma or '}' elements = { 84.245.120.167 ct count over 20 , 86.111.207.45 ct count over 20 , ^^ connlimit.nft:16000:9-22: Error: syntax error, unexpected string 173.212.220.26 ct count over 20 , 200.153.13.235 ct count over 20 } ^^^^^^^^^^^^^^ After applying this patch a kernel panic is raised running nft_rhash_gc() although no packet reaches the set. The following patch [0] should be used as well: 4d8f9065830e5 ("netfilter: nftables: clone set element expression template") Note that the kernel patch will produce the emptying of the connection tracking, so the restore of the conntrack states should be considered. [0]: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/?id=4d8f9065830e526c83199186c5f56a6514f457d2 Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: simplify flowtable offload flag parserPablo Neira Ayuso2021-03-311-7/+4
| | | | | | Remove ft_flags_spec rule. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: fix scope closure of COUNTER tokenFlorian Westphal2021-03-251-3/+3
| | | | | | | | | It is closed after allocation, which is too early: this stopped 'packets' and 'bytes' from getting parsed correctly. Also add a test case for this. Signed-off-by: Florian Westphal <fw@strlen.de>
* nftables: add flags offload to flowtableFrank Wunderlich2021-03-251-0/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | allow flags (currently only offload) in flowtables like it is stated here: https://lwn.net/Articles/804384/ tested on mt7622/Bananapi-R64 table ip filter { flowtable f { hook ingress priority filter + 1 devices = { lan3, lan0, wan } flags offload; } chain forward { type filter hook forward priority filter; policy accept; ip protocol { tcp, udp } flow add @f } } table ip nat { chain post { type nat hook postrouting priority filter; policy accept; oifname "wan" masquerade } } Signed-off-by: Frank Wunderlich <frank-w@public-files.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: add missing scope_close annotation for RT keywordFlorian Westphal2021-03-241-1/+1
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: log: move to own scopeFlorian Westphal2021-03-241-1/+3
| | | | | | | GROUP and PREFIX are used by igmp and nat, so they can't be moved out of INITIAL scope yet. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: counter: move to own scopeFlorian Westphal2021-03-241-15/+16
| | | | | | move bytes/packets away from initial state. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: secmark: move to own scopeFlorian Westphal2021-03-161-9/+10
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: quota: move to own scopeFlorian Westphal2021-03-161-10/+11
| | | | | | ... and move "used" keyword to it. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: limit: move to own scopeFlorian Westphal2021-03-161-12/+13
| | | | | | Moves rate and burst out of INITIAL. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: vlan: move to own scopeFlorian Westphal2021-03-161-2/+3
| | | | | | ID needs to remain exposed as its used by ct, icmp, icmp6 and so on. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: arp: move to own scopeFlorian Westphal2021-03-161-3/+4
| | | | | | allows to move the arp specific tokens out of the INITIAL scope. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: add ether scopeFlorian Westphal2021-03-161-5/+6
| | | | | | | just like previous change: useless as-is, but prepares for removal of saddr/daddr from INITIAL scope. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: add fib scopeFlorian Westphal2021-03-161-1/+2
| | | | | | | | | makes no sense as-is because all keywords need to stay in the INITIAL scope. This can be changed after all saddr/daddr users have been scoped. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: ip6: move to own scopeFlorian Westphal2021-03-161-10/+11
| | | | | | move flowlabel and hoplimit. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: ip: move to own scopeFlorian Westphal2021-03-161-11/+12
| | | | | | Move the ip option names (rr, lsrr, ...) out of INITIAL scope. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: ct: move to own scopeFlorian Westphal2021-03-161-21/+22
| | | | | | | | | | | | This allows moving multiple ct specific keywords out of INITIAL scope. Next few patches follow same pattern: 1. add a scope_close_XXX rule 2. add a SCANSTATE_XXX & make flex switch to it when encountering XXX keyword 3. make bison leave SCANSTATE_XXXX when it has seen the complete expression. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: socket: move to own scopeFlorian Westphal2021-03-111-1/+2
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: rt: move to own scopeFlorian Westphal2021-03-111-3/+4
| | | | | | | | classid and nexthop can be moved out of INIT scope. Rest are still needed because tehy are used by other expressions as well. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: ipsec: move to own scopeFlorian Westphal2021-03-111-4/+5
| | | | | | ... and hide the ipsec specific tokens from the INITITAL scope. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: queue: move to own scopeFlorian Westphal2021-03-111-2/+3
| | | | | | allows to remove 3 queue specific keywords from INITIAL scope. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: introduce start condition stackFlorian Westphal2021-03-111-4/+7
| | | | | | | | | | | | | | | | | | | | Add a small initial chunk of flex start conditionals. This starts with two low-hanging fruits, numgen and j/symhash. NUMGEN and HASH start conditions are entered from flex when the corresponding expression token is encountered. Flex returns to the INIT condition when the bison parser has seen a complete numgen/hash statement. This intentionally uses a stack rather than BEGIN() to eventually support nested states. The scanner_pop_start_cond() function argument is not used yet, but will need to be used later to deal with nesting. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: remove unused tokensFlorian Westphal2021-03-091-6/+0
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* parser: compact ct obj list typesFlorian Westphal2021-03-061-11/+8
| | | | | | Add new ct_cmd_type and avoid copypaste of the ct cmd_list rules. Signed-off-by: Florian Westphal <fw@strlen.de>
* parser: compact map RHS typeFlorian Westphal2021-03-061-29/+9
| | | | | | Similar to previous patch, we can avoid duplication. Signed-off-by: Florian Westphal <fw@strlen.de>
* parser: squash duplicated spec/specid rulesFlorian Westphal2021-03-061-44/+38
| | | | | | | No need to have duplicate CMD rules for spec and specid: add and use a common rule for those cases. Signed-off-by: Florian Westphal <fw@strlen.de>
* table: support for the table owner flagPablo Neira Ayuso2021-03-021-1/+4
| | | | | | | | | | | | | | | | | | | | | | | | Add new flag to allow userspace process to own tables: Tables that have an owner can only be updated/destroyed by the owner. The table is destroyed either if the owner process calls nft_ctx_free() or owner process is terminated (implicit table release). The ruleset listing includes the program name that owns the table: nft> list ruleset table ip x { # progname nft flags owner chain y { type filter hook input priority filter; policy accept; counter packets 1 bytes 309 } } Original code to pretty print the netlink portID to program name has been extracted from the conntrack userspace utility. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: re-enable support for concatentation on map RHSFlorian Westphal2021-02-231-0/+9
| | | | | | | | | "typeof .... : ip saddr . tcp dport" is legal. This makes 'testcases/maps/nat_addr_port' pass again. Fixes: 4ab1e5e6077918 ("src: allow use of 'verdict' in typeof definitions") Signed-off-by: Florian Westphal <fw@strlen.de>
* src: allow use of 'verdict' in typeof definitionsFlorian Westphal2021-02-221-3/+26
| | | | | | | | | | | | | | | 'verdict' cannot be used as part of a map typeof-based key definition, its a datatype and not an expression, e.g.: typeof iifname . ip protocol . th dport : verdic ... will fail. Make the parser convert a 'verdict' symbol to a verdict expression and allow to store its presence as part of the typeof key definition. Reported-by: Frank Myhr <fmyhr@fhmtech.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add negation match on singleton bitmask valuePablo Neira Ayuso2021-02-051-0/+1
| | | | | | | | | | | | | | | | | This patch provides a shortcut for: ct status and dnat == 0 which allows to check for the packet whose dnat bit is unset: # nft add rule x y ct status ! dnat counter This operation is only available for expression with a bitmask basetype, eg. # nft describe ct status ct expression, datatype ct_status (conntrack status) (basetype bitmask, integer), 32 bits Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: disallow burst 0 in ratelimitsPablo Neira Ayuso2020-12-181-2/+23
| | | | | | | | | | | | The ratelimiter in nftables is similar to the one in iptables, and iptables disallows a zero burst. Update the byte rate limiter not to print burst 5 (default value). Update tests/py payloads to print burst 5 instead of zero when the burst is unspecified. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add set element multi-statement supportPablo Neira Ayuso2020-12-181-35/+50
| | | | | | | | Extend the set element infrastructure to support for several statements. This patch places the statements right after the key when printing it. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for multi-statement in dynamic sets and mapsPablo Neira Ayuso2020-12-171-6/+21
| | | | | | | | This patch allows for two statements for dynamic set updates, e.g. nft rule x y add @y { ip daddr limit rate 1/second counter } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: remove unused proto_key member from structFlorian Westphal2020-12-091-1/+0
| | | | | | also, no need for this struct to be in the parser. Signed-off-by: Florian Westphal <fw@strlen.de>
* parser_bison: double close_scope() call for implicit chainsPablo Neira Ayuso2020-12-081-1/+1
| | | | | | | | Call close_scope() from chain_block_alloc only. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1485 Fixes: c330152b7f77 ("src: support for implicit chain bindings") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: allow to restore limit from dynamic setPablo Neira Ayuso2020-12-041-0/+32
| | | | | | | Update parser to allow to restore limit per set element in dynamic set. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1477 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tcp: add raw tcp option match supportFlorian Westphal2020-11-091-0/+5
| | | | | | tcp option @42,16,4 (@kind,offset,length). Signed-off-by: Florian Westphal <fw@strlen.de>
* tcpopt: allow to check for presence of any tcp optionFlorian Westphal2020-11-091-0/+7
| | | | | | | | | | | | | nft currently doesn't allow to check for presence of arbitrary tcp options. Only known options where nft provides a template can be tested for. This allows to test for presence of raw protocol values as well. Example: tcp option 42 exists Signed-off-by: Florian Westphal <fw@strlen.de>
* tcpopt: split tcpopt_hdr_fields into per-option enumFlorian Westphal2020-11-091-9/+9
| | | | | | | | | | | | | | | | | | Currently we're limited to ten template fields in exthdr_desc struct. Using a single enum for all tpc option fields thus won't work indefinitely (TCPOPTHDR_FIELD_TSECR is 9) when new option templates get added. Fortunately we can just use one enum per tcp option to avoid this. As a side effect this also allows to simplify the sack offset calculations. Rather than computing that on-the-fly, just add extra fields to the SACK template. expr->exthdr.offset now holds the 'raw' value, filled in from the option template. This would ease implementation of 'raw option matching' using offset and length to load from the option. Signed-off-by: Florian Westphal <fw@strlen.de>
* tcpopts: clean up parser -> tcpopt.c plumbingFlorian Westphal2020-11-091-13/+13
| | | | | | | | | | | | | | | | | tcpopt template mapping is asymmetric: one mapping is to match dumped netlink exthdr expression to the original tcp option template. This struct is indexed by the raw, on-write kind/type number. The other mapping maps parsed options to the tcp option template. Remove the latter. The parser is changed to translate the textual option name, e.g. "maxseg" to the on-wire number. This avoids the second mapping, it will also allow to more easily support raw option matching in a followup patch. Signed-off-by: Florian Westphal <fw@strlen.de>
* parser: merge sack-perm/sack-permitted and maxseg/mssFlorian Westphal2020-11-091-7/+5
| | | | | | | | | | | | | | | | | | | | | | One was added by the tcp option parsing ocde, the other by synproxy. So we have: synproxy ... sack-perm synproxy ... mss and tcp option maxseg tcp option sack-permitted This kills the extra tokens on the scanner/parser side, so sack-perm and sack-permitted can both be used. Likewise, 'synproxy maxseg' and 'tcp option mss size 42' will work too. On the output side, the shorter form is now preferred, i.e. sack-perm and mss. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add comment support for chainsJose M. Guisado Gomez2020-09-301-0/+8
| | | | | | | | | | | | | | | | | | | | This patch enables the user to specify a comment when adding a chain. Relies on kernel space supporting userdata for chains. > nft add table ip filter > nft add chain ip filter input { comment "test"\; type filter hook input priority 0\; policy accept\; } > list ruleset table ip filter { chain input { comment "test" type filter hook input priority filter; policy accept; } } Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>