summaryrefslogtreecommitdiffstats
path: root/src/parser_bison.y
Commit message (Collapse)AuthorAgeFilesLines
* mnl: do not use expr->identifier to fetch device nameHEADmasterPablo Neira Ayuso13 hours1-3/+3
| | | | | | | | | This string might not be nul-terminated, resulting in spurious errors when adding netdev chains. Fixes: 3fdc7541fba0 ("src: add multidevice support for netdev chain") Fixes: 92911b362e90 ("src: add support to add flowtables") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: memleak in device parserPablo Neira Ayuso13 hours1-0/+1
| | | | | | | | | | | | | | ==1135425== 9 bytes in 1 blocks are definitely lost in loss record 1 of 1 ==1135425== at 0x483577F: malloc (vg_replace_malloc.c:309) ==1135425== by 0x4BE846A: strdup (strdup.c:42) ==1135425== by 0x48A5EDD: xstrdup (utils.c:75) ==1135425== by 0x48C9A20: nft_lex (scanner.l:640) ==1135425== by 0x48BC1A4: nft_parse (parser_bison.c:5682) ==1135425== by 0x48AC336: nft_parse_bison_buffer (libnftables.c:375) ==1135425== by 0x48AC336: nft_run_cmd_from_buffer (libnftables.c:443) ==1135425== by 0x10A707: main (main.c:384) Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: improve error reporting when setting policy on non-base chainPablo Neira Ayuso17 hours1-1/+2
| | | | | | | | | | | When trying to set a policy to non-base chain: # nft add chain x y { policy accept\; } Error: Could not process rule: Operation not supported add chain x y { policy accept; } ^^^^^^^^^^^^^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: incorrect handle locationPablo Neira Ayuso2 days1-6/+6
| | | | | | | Handle location is not correct, this leads to misleading error reporting. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: add parenthesized statement expressions.Jeremy Sowden13 days1-12/+13
| | | | | | | | | Primary and primary RHS expressions support parenthesized basic and basic RHS expressions. However, primary statement expressions do not support parenthesized basic statement expressions. Add them. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Add support for concatenated set rangesStefano Brivio13 days1-4/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | After exporting field lengths via NFTNL_SET_DESC_CONCAT attributes, we now need to adjust parsing of user input and generation of netlink key data to complete support for concatenation of set ranges. Instead of using separate elements for start and end of a range, denoting the end element by the NFT_SET_ELEM_INTERVAL_END flag, as it's currently done for ranges without concatenation, we'll use the new attribute NFTNL_SET_ELEM_KEY_END as suggested by Pablo. It behaves in the same way as NFTNL_SET_ELEM_KEY, but it indicates that the included key represents the upper bound of a range. For example, "packets with an IPv4 address between 192.0.2.0 and 192.0.2.42, with destination port between 22 and 25", needs to be expressed as a single element with two keys: NFTA_SET_ELEM_KEY: 192.0.2.0 . 22 NFTA_SET_ELEM_KEY_END: 192.0.2.42 . 25 To achieve this, we need to: - adjust the lexer rules to allow multiton expressions as elements of a concatenation. As wildcards are not allowed (semantics would be ambiguous), exclude wildcards expressions from the set of possible multiton expressions, and allow them directly where needed. Concatenations now admit prefixes and ranges - generate, for each element in a range concatenation, a second key attribute, that includes the upper bound for the range - also expand prefixes and non-ranged values in the concatenation to ranges: given a set with interval and concatenation support, the kernel has no way to tell which elements are ranged, so they all need to be. For example, 192.0.2.0 . 192.0.2.9 : 1024 is sent as: NFTA_SET_ELEM_KEY: 192.0.2.0 . 1024 NFTA_SET_ELEM_KEY_END: 192.0.2.9 . 1024 - aggregate ranges when elements received by the kernel represent concatenated ranges, see concat_range_aggregate() - perform a few minor adjustments where interval expressions are already handled: we have intervals in these sets, but the set specification isn't just an interval, so we can't just aggregate and deaggregate interval ranges linearly v4: No changes v3: - rework to use a separate key for closing element of range instead of a separate element with EXPR_F_INTERVAL_END set (Pablo Neira Ayuso) v2: - reworked netlink_gen_concat_data(), moved loop body to a new function, netlink_gen_concat_data_expr() (Phil Sutter) - dropped repeated pattern in bison file, replaced by a new helper, compound_expr_alloc_or_add() (Phil Sutter) - added set_is_nonconcat_range() helper (Phil Sutter) - in expr_evaluate_set(), we need to set NFT_SET_SUBKEY also on empty sets where the set in the context already has the flag - dropped additional 'end' parameter from netlink_gen_data(), temporarily set EXPR_F_INTERVAL_END on expressions and use that from netlink_gen_concat_data() to figure out we need to add the 'end' element (Phil Sutter) - replace range_mask_len() by a simplified version, as we don't need to actually store the composing masks of a range (Phil Sutter) Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add "typeof" build/parse/print supportFlorian Westphal2019-12-171-0/+7
| | | | | | | | | | | | | | | | | | | | This patch adds two new expression operations to build and to parse the userdata area that describe the set key and data typeof definitions. For maps, the grammar enforces either "type data_type : data_type" or or "typeof expression : expression". Check both key and data for valid user typeof info first. If they check out, flag set->key_typeof_valid as true and use it for printing the key info. This patch comes with initial support for using payload expressions with the 'typeof' keyword, followup patches will add support for other expressions as well. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* parser: add typeof keyword for declarationsPablo Neira Ayuso2019-12-171-2/+37
| | | | | | | | | | | | | | | | | | Add a typeof keyword to automatically use the correct type in set and map declarations. table filter { set blacklist { typeof ip saddr } chain input { ip saddr @blacklist counter drop } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: store expr, not dtype to track data in setsFlorian Westphal2019-12-161-2/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This will be needed once we add support for the 'typeof' keyword to handle maps that could e.g. store 'ct helper' "type" values. Instead of: set foo { type ipv4_addr . mark; this would allow set foo { typeof(ip saddr) . typeof(ct mark); (exact syntax TBD). This would be needed to allow sets that store variable-sized data types (string, integer and the like) that can't be used at at the moment. Adding special data types for everything is problematic due to the large amount of different types needed. For anonymous sets, e.g. "string" can be used because the needed size can be inferred from the statement, e.g. 'osf name { "Windows", "Linux }', but in case of named sets that won't work because 'type string' lacks the context needed to derive the size information. With 'typeof(osf name)' the context is there, but at the moment it won't help because the expression is discarded instantly and only the data type is retained. Signed-off-by: Florian Westphal <fw@strlen.de>
* parser: add a helper for concat expression handlingFlorian Westphal2019-12-161-56/+43
| | | | | | Cull the repeated copy&paste snippets and add/use a helper for this. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add ability to set/get secmarks to/from connectionChristian Göttsche2019-11-251-3/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Labeling established and related packets requires the secmark to be stored in the connection. Add the ability to store and retrieve secmarks like: ... chain input { ... # label new incoming packets ct state new meta secmark set tcp dport map @secmapping_in # add label to connection ct state new ct secmark set meta secmark # set label for est/rel packets from connection ct state established,related meta secmark set ct secmark ... } ... chain output { ... # label new outgoing packets ct state new meta secmark set tcp dport map @secmapping_out # add label to connection ct state new ct secmark set meta secmark # set label for est/rel packets from connection ct state established,related meta secmark set ct secmark ... } ... This patch also disallow constant value on the right hand side. # nft add rule x y meta secmark 12 Error: Cannot be used with right hand side constant value add rule x y meta secmark 12 ~~~~~~~~~~~~ ^^ # nft add rule x y ct secmark 12 Error: Cannot be used with right hand side constant value add rule x y ct secmark 12 ~~~~~~~~~~ ^^ # nft add rule x y ct secmark set 12 Error: ct secmark must not be set to constant value add rule x y ct secmark set 12 ^^^^^^^^^^^^^^^^^ This patch improves 3bc84e5c1fdd ("src: add support for setting secmark"). Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: Avoid set references in odd placesPhil Sutter2019-11-181-14/+17
| | | | | | | | | | | | | | | | | | With set references being recognized by symbol_expr and that being part of primary_expr as well as primary_rhs_expr, they could basically occur anywhere while in fact they are allowed only in quite a few spots. Untangle things a bit by introducing set_ref_expr and adding that only in places where it is needed to pass testsuites. Make sure users can define variables as set references, eg. define xyz = @setref And allow to use them from set expressions and statements too. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: Store top_scope in struct nft_ctxPhil Sutter2019-11-071-3/+3
| | | | | | | | | | | | | | | | Allow for interactive sessions to make use of defines. Since parser is initialized for each line, top scope defines didn't persist although they are actually useful for stuff like: | # nft -i | define goodports = { 22, 23, 80, 443 } | add rule inet t c tcp dport $goodports accept | add rule inet t c tcp sport $goodports accept While being at it, introduce scope_alloc() and scope_free(). Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: flowtable: add support for delete command by handleEric Jallot2019-11-061-3/+14
| | | | | | | Also, display handle when listing with '-a'. Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: flowtable: add support for named flowtable listingEric Jallot2019-10-311-3/+9
| | | | | | | | | | | | | | | | | | | | This patch allows you to dump a named flowtable. # nft list flowtable inet t f table inet t { flowtable f { hook ingress priority filter + 10 devices = { eth0, eth1 } } } Also: libnftables-json.adoc: fix missing quotes. Fixes: db0697ce7f60 ("src: support for flowtable listing") Fixes: 872f373dc50f ("doc: Add JSON schema documentation") Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add multidevice support for netdev chainPablo Neira Ayuso2019-10-301-6/+20
| | | | | | | | | | | | | | This patch allows you to specify multiple netdevices to be bound to the netdev basechain, eg. # nft add chain netdev x y { \ type filter hook ingress devices = { eth0, eth1 } priority 0\; } json codebase has been updated to support for one single device with the existing representation, no support for multidevice is included in this patch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* flowtable: fix memleak in exit pathEric Jallot2019-10-181-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add missing loop in table_free(). Free all objects in flowtable_free() and add conditions in case of error recovery in the parser (See commit 4be0a3f922a29). Also, fix memleak in the parser. This fixes the following memleak: # valgrind --leak-check=full nft add flowtable inet raw f '{ hook ingress priority filter; devices = { eth0 }; }' ==15414== Memcheck, a memory error detector ==15414== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==15414== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info ==15414== Command: nft add flowtable inet raw f {\ hook\ ingress\ priority\ filter;\ devices\ =\ {\ eth0\ };\ } ==15414== ==15414== ==15414== HEAP SUMMARY: ==15414== in use at exit: 266 bytes in 4 blocks ==15414== total heap usage: 55 allocs, 51 frees, 208,105 bytes allocated ==15414== ==15414== 5 bytes in 1 blocks are definitely lost in loss record 2 of 4 ==15414== at 0x4C29EA3: malloc (vg_replace_malloc.c:309) ==15414== by 0x5C64AA9: strdup (strdup.c:42) ==15414== by 0x4E705ED: xstrdup (utils.c:75) ==15414== by 0x4E93F01: nft_lex (scanner.l:648) ==15414== by 0x4E85C1C: nft_parse (parser_bison.c:5577) ==15414== by 0x4E75A07: nft_parse_bison_buffer (libnftables.c:375) ==15414== by 0x4E75A07: nft_run_cmd_from_buffer (libnftables.c:443) ==15414== by 0x40170F: main (main.c:326) ==15414== ==15414== 261 (128 direct, 133 indirect) bytes in 1 blocks are definitely lost in loss record 4 of 4 ==15414== at 0x4C29EA3: malloc (vg_replace_malloc.c:309) ==15414== by 0x4E705AD: xmalloc (utils.c:36) ==15414== by 0x4E705AD: xzalloc (utils.c:65) ==15414== by 0x4E560B6: expr_alloc (expression.c:45) ==15414== by 0x4E56288: symbol_expr_alloc (expression.c:286) ==15414== by 0x4E8A601: nft_parse (parser_bison.y:1842) ==15414== by 0x4E75A07: nft_parse_bison_buffer (libnftables.c:375) ==15414== by 0x4E75A07: nft_run_cmd_from_buffer (libnftables.c:443) ==15414== by 0x40170F: main (main.c:326) Fixes: 92911b362e906 ("src: add support to add flowtables") Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: define flowtable device compound as a listPablo Neira Ayuso2019-10-181-1/+1
| | | | | | | | This fixes a memleak when releasing the compound expression via expr_free(). Fixes: 92911b362e90 ("src: add support to add flowtables") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* obj: fix memleak in parser_bison.yEric Jallot2019-10-091-56/+27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Each object (secmark, synproxy, quota, limit, counter) is dynamically allocated by the parser and not freed at exit. However, there is no need to use dynamic allocation here because struct obj already provides the required storage. Update the grammar to ensure that obj_alloc() is called before config occurs. This fixes the following memleak (secmark as example): # valgrind --leak-check=full nft add secmark inet raw ssh \"system_u:object_r:ssh_server_packet_t:s0\" ==14643== Memcheck, a memory error detector ==14643== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==14643== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info ==14643== Command: nft add secmark inet raw ssh "system_u:object_r:ssh_server_packet_t:s0" ==14643== ==14643== ==14643== HEAP SUMMARY: ==14643== in use at exit: 256 bytes in 1 blocks ==14643== total heap usage: 41 allocs, 40 frees, 207,809 bytes allocated ==14643== ==14643== 256 bytes in 1 blocks are definitely lost in loss record 1 of 1 ==14643== at 0x4C29EA3: malloc (vg_replace_malloc.c:309) ==14643== by 0x4E72074: xmalloc (utils.c:36) ==14643== by 0x4E72074: xzalloc (utils.c:65) ==14643== by 0x4E89A31: nft_parse (parser_bison.y:3706) ==14643== by 0x4E778E7: nft_parse_bison_buffer (libnftables.c:375) ==14643== by 0x4E778E7: nft_run_cmd_from_buffer (libnftables.c:443) ==14643== by 0x40170F: main (main.c:326) Fixes: f44ab88b1088e ("src: add synproxy stateful object support") Fixes: 3bc84e5c1fdd1 ("src: add support for setting secmark") Fixes: c0697eabe832d ("src: add stateful object support for limit") Fixes: 4d38878b39be4 ("src: add/create/delete stateful objects") Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: Fix 'exists' keyword on Big EndianPhil Sutter2019-09-141-2/+3
| | | | | | | | | | | | | | | | | | Size value passed to constant_expr_alloc() must correspond with actual data size, otherwise wrong portion of data will be taken later when serializing into netlink message. Booleans require really just a bit, but make type of boolean_keys be uint8_t (introducing new 'val8' name for it) and pass the data length using sizeof() to avoid any magic numbers. While being at it, fix len value in parser_json.c as well although it worked before due to the value being rounded up to the next multiple of 8. Fixes: 9fd9baba43c8e ("Introduce boolean datatype and boolean expression") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
* src: add synproxy stateful object supportFernando Fernandez Mancera2019-09-131-3/+121
| | | | | | | | | | | | | | | | | | | | | | | | | | Add support for "synproxy" stateful object. For example (for TCP port 80 and using maps with saddr): table ip foo { synproxy https-synproxy { mss 1460 wscale 7 timestamp sack-perm } synproxy other-synproxy { mss 1460 wscale 5 } chain bar { tcp dport 80 synproxy name "https-synproxy" synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" } } } Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: Introduce new conditions 'time', 'day' and 'hour'Ander Juaristi2019-09-061-0/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | These keywords introduce new checks for a timestamp, an absolute date (which is converted to a timestamp), an hour in the day (which is converted to the number of seconds since midnight) and a day of week. When converting an ISO date (eg. 2019-06-06 17:00) to a timestamp, we need to substract it the GMT difference in seconds, that is, the value of the 'tm_gmtoff' field in the tm structure. This is because the kernel doesn't know about time zones. And hence the kernel manages different timestamps than those that are advertised in userspace when running, for instance, date +%s. The same conversion needs to be done when converting hours (e.g 17:00) to seconds since midnight as well. The result needs to be computed modulo 86400 in case GMT offset (difference in seconds from UTC) is negative. We also introduce a new command line option (-t, --seconds) to show the actual timestamps when printing the values, rather than the ISO dates, or the hour. Some usage examples: time < "2019-06-06 17:00" drop; time < "2019-06-06 17:20:20" drop; time < 12341234 drop; day "Saturday" drop; day 6 drop; hour >= 17:00 drop; hour >= "17:00:01" drop; hour >= 63000 drop; We need to convert an ISO date to a timestamp without taking into account the time zone offset, since comparison will be done in kernel space and there is no time zone information there. Overwriting TZ is portable, but will cause problems when parsing a ruleset that has 'time' and 'hour' rules. Parsing an 'hour' type must not do time zone conversion, but that will be automatically done if TZ has been overwritten to UTC. Hence, we use timegm() to parse the 'time' type, even though it's not portable. Overwriting TZ seems to be a much worse solution. Finally, be aware that timestamps are converted to nanoseconds when transferring to the kernel (as comparison is done with nanosecond precision), and back to seconds when retrieving them for printing. We swap left and right values in a range to properly handle cross-day hour ranges (e.g. 23:15-03:22). Signed-off-by: Ander Juaristi <a@juaristi.eus> Reviewed-by: Florian Westphal <fw@strlen.de>
* netfilter: support for element deletionAnder Juaristi2019-08-291-0/+1
| | | | | | | | | | | | | | | | | | | | | | | This patch implements element deletion from ruleset. Example: table ip set-test { set testset { type ipv4_addr; flags timeout; } chain outputchain { policy accept; type filter hook output priority filter; delete @testset { ip saddr } } } Signed-off-by: Ander Juaristi <a@juaristi.eus> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: parser: fix parsing of chain priority and policy on bigendianFlorian Westphal2019-08-141-2/+4
| | | | | | | | | | | | | | | | | | | tests/shell/testcases/flowtable/0001flowtable_0 tests/shell/testcases/nft-f/0008split_tables_0 fail the 'dump compare' on s390x. The priority (10) turns to 0, and accept turned to drop. Problem is that '$1' is a 64bit value -- then we pass the address and import 'int' -- we then get the upper all zero bits. Add a 32bit interger type and use that. v2: add uint32_t type to union, v1 used temporary value instead. Fixes: 627c451b2351 ("src: allow variables in the chain priority specification") Fixes: dba4a9b4b5fe ("src: allow variable in chain policy") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow variable in chain policyFernando Fernandez Mancera2019-08-081-4/+19
| | | | | | | | | | | | This patch allows you to use variables in chain policy definition, e.g. define default_policy = "accept" add table ip foo add chain ip foo bar {type filter hook input priority filter; policy $default_policy} Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow variables in the chain priority specificationFernando Fernandez Mancera2019-08-081-6/+34
| | | | | | | | | | | | | | | | | This patch allows you to use variables in chain priority definitions, e.g. define prio = filter define prionum = 10 define prioffset = "filter - 150" add table ip foo add chain ip foo bar { type filter hook input priority $prio; } add chain ip foo ber { type filter hook input priority $prionum; } add chain ip foo bor { type filter hook input priority $prioffset; } Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: Fix for deprecated statementsPhil Sutter2019-07-301-2/+2
| | | | | | | | | | | | | | | | | | | | | Bison-3.3 started to warn about: /home/n0-1/git/nftables/src/parser_bison.y:117.1-19: warning: deprecated directive, use ‘%define api.prefix {nft_}’ [-Wdeprecated] 117 | %name-prefix "nft_" | ^~~~~~~~~~~~~~~~~~~ /home/n0-1/git/nftables/src/parser_bison.y:119.1-12: warning: deprecated directive, use ‘%define api.pure’ [-Wdeprecated] 119 | %pure-parser | ^~~~~~~~~~~~ /home/n0-1/git/nftables/src/parser_bison.y:124.1-14: warning: deprecated directive, use ‘%define parse.error verbose’ [-Wdeprecated] 124 | %error-verbose | ^~~~~~~~~~~~~~ Replace the last two as suggested but leave the first one in place as that causes compilation errors in scanner.l - flex seems not to pick up the changed internal symbol names. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: introduce SYNPROXY matchingFernando Fernandez Mancera2019-07-171-0/+47
| | | | | | | | | | | | | | | | | | | | Add support for "synproxy" statement. For example (for TCP port 8888): table ip x { chain y { type filter hook prerouting priority raw; policy accept; tcp dport 8888 tcp flags syn notrack } chain z { type filter hook input priority filter; policy accept; tcp dport 8888 ct state invalid,untracked synproxy mss 1460 wscale 7 timestamp sack-perm ct state invalid drop } } Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add ct expectations supportStéphane Veyret2019-07-161-1/+61
| | | | | | | This modification allow to directly add/list/delete expectations. Signed-off-by: Stéphane Veyret <sveyret@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* proto: add pseudo th protocol to match d/sport in generic wayFlorian Westphal2019-07-151-0/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Problem: Its not possible to easily match both udp and tcp in a single rule. ... input ip protocol { tcp,udp } dport 53 will not work, as bison expects "tcp dport" or "sctp dport", or any other transport protocol name. Its possible to match the sport and dport via raw payload expressions, e.g.: ... input ip protocol { tcp,udp } @th,16,16 53 but its not very readable. Furthermore, its not possible to use this for set definitions: table inet filter { set myset { type ipv4_addr . inet_proto . inet_service } chain forward { type filter hook forward priority filter; policy accept; ip daddr . ip protocol . @th,0,16 @myset } } # nft -f test test:7:26-35: Error: can not use variable sized data types (integer) in concat expressions During the netfilter workshop Pablo suggested to add an alias to do raw sport/dport matching more readable, and make it use the inet_service type automatically. So, this change makes @th,0,16 work for the set definition case by setting the data type to inet_service. A new "th s|dport" syntax is provided as readable alternative: ip protocol { tcp, udp } th dport 53 As "th" is an alias for the raw expression, no dependency is generated -- its the users responsibility to add a suitable test to select the l4 header types that should be matched. Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: add support for matching IPv4 optionsStephen Suryaputra2019-07-041-0/+31
| | | | | | | | | Add capability to have rules matching IPv4 options. This is developed mainly to support dropping of IP packets with loose and/or strict source route route options. Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: do not enforce semicolon from ct helper blockPablo Neira Ayuso2019-07-011-1/+1
| | | | | | | Use the statement separator rule, since newline is also valid. Fixes: c7c94802679c ("src: add ct timeout support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: enable set expiration date for set elementsLaura Garcia Liebana2019-06-281-0/+5
| | | | | | | | | | | | | | | | Currently, the expiration of every element in a set or map is a read-only parameter generated at kernel side. This change will permit to set a certain expiration date per element that will be required, for example, during stateful replication among several nodes. This patch will enable the _expires_ input parameter in the parser and propagate NFTNL_SET_ELEM_EXPIRATION in order to send the configured value. Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: support for NFT_CT_{SRC,DST}_{IP,IP6}Pablo Neira Ayuso2019-06-211-6/+8
| | | | | | | | | | | | | | | | | These keys are available since kernel >= 4.17. You can still use NFT_CT_{SRC,DST}, however, you need to specify 'meta protocol' in first place to provide layer 3 context. Note that NFT_CT_{SRC,DST} are broken with set, maps and concatenations. This patch is implicitly fixing these cases. If your kernel is < 4.17, you can still use address matching via explicit meta nfproto: meta nfproto ipv4 ct original saddr 1.2.3.4 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add reference counter for dynamic datatypesPablo Neira Ayuso2019-06-131-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There are two datatypes are using runtime datatype allocation: * Concatenations. * Integer, that require byteorder adjustment. From the evaluation / postprocess step, transformations are common, hence expressions may end up fetching (infering) datatypes from an existing one. This patch adds a reference counter to release the dynamic datatype object when it is shared. The API includes the following helper functions: * datatype_set(expr, datatype), to assign a datatype to an expression. This helper already deals with reference counting for dynamic datatypes. This also drops the reference counter of any previous datatype (to deal with the datatype replacement case). * datatype_get(datatype) bumps the reference counter. This function also deals with nul-pointers, that occurs when the datatype is unset. * datatype_free() drops the reference counter, and it also releases the datatype if there are not more clients of it. Rule of thumb is: The reference counter of any newly allocated datatype is set to zero. This patch also updates every spot to use datatype_set() for non-dynamic datatypes, for consistency. In this case, the helper just makes an simple assignment. Note that expr_alloc() has been updated to call datatype_get() on the datatype that is assigned to this new expression. Moreover, expr_free() calls datatype_free(). This fixes valgrind reports like this one: ==28352== 1,350 (440 direct, 910 indirect) bytes in 5 blocks are definitely lost in loss recor 3 of 3 ==28352== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299) ==28352== by 0x4E79558: xmalloc (utils.c:36) ==28352== by 0x4E7963D: xzalloc (utils.c:65) ==28352== by 0x4E6029B: dtype_alloc (datatype.c:1073) ==28352== by 0x4E6029B: concat_type_alloc (datatype.c:1127) ==28352== by 0x4E6D3B3: netlink_delinearize_set (netlink.c:578) ==28352== by 0x4E6D68E: list_set_cb (netlink.c:648) ==28352== by 0x5D74023: nftnl_set_list_foreach (set.c:780) ==28352== by 0x4E6D6F3: netlink_list_sets (netlink.c:669) ==28352== by 0x4E5A7A3: cache_init_objects (rule.c:159) ==28352== by 0x4E5A7A3: cache_init (rule.c:216) ==28352== by 0x4E5A7A3: cache_update (rule.c:266) ==28352== by 0x4E7E0EE: nft_evaluate (libnftables.c:388) ==28352== by 0x4E7EADD: nft_run_cmd_from_filename (libnftables.c:479) ==28352== by 0x109A53: main (main.c:310) This patch also removes the DTYPE_F_CLONE flag which is broken and not needed anymore since proper reference counting is in place. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: free chain name after creating constant expressionPablo Neira Ayuso2019-06-101-0/+1
| | | | | | | | | | | | | | | ==2330== 2 bytes in 1 blocks are definitely lost in loss record 1 of 1 ==2330== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299) ==2330== by 0x583D3B9: strdup (strdup.c:42) ==2330== by 0x4E7966D: xstrdup (utils.c:75) ==2330== by 0x4E9C283: nft_lex (scanner.l:626) ==2330== by 0x4E8E3C2: nft_parse (parser_bison.c:5297) ==2330== by 0x4E7EAB2: nft_parse_bison_filename (libnftables.c:374) ==2330== by 0x4E7EAB2: nft_run_cmd_from_filename (libnftables.c:475) ==2330== by 0x109A53: main (main.c:310) Fixes: f1e8a129ee42 ("src: Introduce chain_expr in jump and goto statements") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: invalid read when importing chain namePablo Neira Ayuso2019-06-101-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | Use strlen(), otherwise mpz_import_data() reads too much beyond the real chain string. Valgrind reports the following error: ==2759== Invalid read of size 1 ==2759== at 0x67D68D6: __gmpz_import (in /usr/lib/x86_64-linux-gnu/libgmp.so.10.3.2) ==2759== by 0x4E79467: mpz_import_data (gmputil.c:133) ==2759== by 0x4E60A12: constant_expr_alloc (expression.c:375) ==2759== by 0x4E8ED65: nft_parse (parser_bison.y:3825) ==2759== by 0x4E7E850: nft_parse_bison_buffer (libnftables.c:357) ==2759== by 0x4E7E850: nft_run_cmd_from_buffer (libnftables.c:424) ==2759== by 0x1095D4: main (in /tmp/a.out) ==2759== Address 0x6ee1b4a is 0 bytes after a block of size 10 alloc'd ==2759== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299) ==2759== by 0x59FD3B9: strdup (strdup.c:42) ==2759== by 0x4E7963D: xstrdup (utils.c:75) ==2759== by 0x4E9C233: nft_lex (scanner.l:626) ==2759== by 0x4E8E382: nft_parse (parser_bison.c:5297) ==2759== by 0x4E7E850: nft_parse_bison_buffer (libnftables.c:357) ==2759== by 0x4E7E850: nft_run_cmd_from_buffer (libnftables.c:424) Fixes: f1e8a129ee42 ("src: Introduce chain_expr in jump and goto statements") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: perform evaluation after parsingPablo Neira Ayuso2019-06-051-25/+2
| | | | | | | | | | | | | | | | | Since 61236968b7a1 ("parser: evaluate commands immediately after parsing"), evaluation is invoked from the parsing phase in order to improve error reporting. However, this approach is problematic from the cache perspective since we don't know if a full or partial netlink dump from the kernel is needed. If the number of objects in the kernel is significant, the netlink dump operation to build the cache may significantly slow down commands. This patch moves the evaluation phase after the parsing phase as a preparation update to allow for a better strategy to build the cache. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: dynamic input_descriptor allocationPablo Neira Ayuso2019-06-051-0/+1
| | | | | | | | | | | | | This patch introduces the input descriptor list, that stores the existing input descriptor objects. These objects are now dynamically allocated and release from scanner_destroy() path. Follow up patches that decouple the parsing and the evaluation phases require this for error reporting as described by b14572f72aac ("erec: Fix input descriptors for included files"), this patch partially reverts such partial. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Allow goto and jump to a variableFernando Fernandez Mancera2019-05-241-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | This patch introduces the use of nft input files variables in 'jump' and 'goto' statements, e.g. define dest = ber add table ip foo add chain ip foo bar {type filter hook input priority 0;} add chain ip foo ber add rule ip foo ber counter add rule ip foo bar jump $dest table ip foo { chain bar { type filter hook input priority filter; policy accept; jump ber } chain ber { counter packets 71 bytes 6664 } } Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Introduce chain_expr in jump and goto statementsFernando Fernandez Mancera2019-05-241-4/+13
| | | | | | | | | Introduce expressions as a chain in jump and goto statements. This is going to be used to support variables as a chain in the following patches. Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for arp sender and target ethernet and IPv4 addressesPablo Neira Ayuso2019-05-241-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | # nft add table arp x # nft add chain arp x y { type filter hook input priority 0\; } # nft add rule arp x y arp saddr ip 192.168.2.1 counter Testing this: # ip neigh flush dev eth0 # ping 8.8.8.8 # nft list ruleset table arp x { chain y { type filter hook input priority filter; policy accept; arp saddr ip 192.168.2.1 counter packets 1 bytes 46 } } You can also specify hardware sender address, eg. # nft add rule arp x y arp saddr ether aa:bb:cc:aa:bb:cc drop counter Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use definitions in include/linux/netfilter/nf_tables.hPablo Neira Ayuso2019-05-121-15/+16
| | | | | | | | | | | | | | | Use NFT_LOGLEVEL_* definitions in UAPI. Make an internal definition of NFT_OSF_F_VERSION, this was originally defined in the UAPI header in the initial patch version, however, this is not available anymore. Add a bison rule to deal with the timeout case. Otherwise, compilation breaks. Fixes: d3869cae9d62 ("include: refresh nf_tables.h cached copy") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use UDATA defines from libnftnlPhil Sutter2019-05-031-2/+4
| | | | | | | | | | | | | Userdata attribute names have been added to libnftnl, use them instead of the local copy. While being at it, rename udata_get_comment() in netlink_delinearize.c and the callback it uses since the function is specific to rules. Also integrate the existence check for NFTNL_RULE_USERDATA into it along with the call to nftnl_rule_get_data(). Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add nat support for the inet familyFlorian Westphal2019-04-091-0/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | consider a simple ip6 nat table: table ip6 nat { chain output { type nat hook output priority 0; policy accept; dnat to dead:2::99 } Now consider same ruleset, but using 'table inet nat': nft now lacks context to determine address family to parse 'to $address'. This adds code to make the following work: table inet nat { [ .. ] # detect af from network protocol context: ip6 daddr dead::2::1 dnat to dead:2::99 # use new dnat ip6 keyword: dnat ip6 to dead:2::99 } On list side, the keyword is only shown in the inet family, else the short version (dnat to ...) is used as the family is redundant when the table already mandates the ip protocol version supported. Address mismatches such as table ip6 { .. dnat ip to 1.2.3.4 are detected/handled during the evaluation phase. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* osf: add version fingerprint supportFernando Fernandez Mancera2019-04-081-2/+6
| | | | | | | | | | | | | | | Add support for version fingerprint in "osf" expression. Example: table ip foo { chain bar { type filter hook input priority filter; policy accept; osf ttl skip name "Linux" osf ttl skip version "Linux:4.20" } } Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: type_identifier string memleakPablo Neira Ayuso2019-04-051-1/+1
| | | | | | | | | | | | | ==6297== 24 bytes in 3 blocks are definitely lost in loss record 2 of 13 ==6297== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299) ==6297== by 0x56193B9: strdup (strdup.c:42) ==6297== by 0x4E758BD: xstrdup (utils.c:75) ==6297== by 0x4E7F9D3: nft_parse (parser_bison.y:1895) ==6297== by 0x4E7AAE1: nft_parse_bison_filename (libnftables.c:370) ==6297== by 0x4E7AAE1: nft_run_cmd_from_filename (libnftables.c:438) ==6297== by 0x109A33: main (main.c:310) Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: missing tproxy syntax with port only for inet familyPablo Neira Ayuso2019-04-041-0/+6
| | | | | | | | | | | | | | | | | # nft add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy ip to :2000 Error: syntax error, unexpected colon add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy ip to :2000 ^ Syntax with no protocol for tproxy complains with: # nft add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy to :2000 Error: Conflicting network layer protocols. add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy to :2000 ^^^^^^^^^^^^^^^ Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1310 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use 'flow add' syntaxPablo Neira Ayuso2019-03-201-0/+4
| | | | | | As discussed during NFWS 2018. Old syntax is stilled allowed. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser_bison: no need for statement separator for ct object commandsPablo Neira Ayuso2019-03-141-4/+4
| | | | | | | | | | | | | Otherwise, this forces user to place a double semi-colon to skip a parser error in a multi-line commands: # nft add "ct helper ip filter test { type \"ftp\" protocol tcp; };add rule filter test ct helper set \"ftp\"" Error: syntax error, unexpected add, expecting end of file or newline or semicolon add ct helper ip filter test { type "ftp" protocol tcp; };add rule filter test ct helper set "ftp" ^^^ Reported-by: Laura Garcia <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>