| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before this patch:
table ip x {
chain y {
ip saddr { 1.1.1.1-1.1.1.2, 1.1.1.1 }
}
}
results in:
table ip x {
chain y {
ip saddr { 1.1.1.1 }
}
}
due to incorrect interval merge logic.
If the element 1.1.1.1 is already contained in an existing interval
1.1.1.1-1.1.1.2, release it.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1512
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Extend c1f0476fd590 ("segtree: copy expr data to closing element") to
use interval_expr_copy() from the linearization path.
Reported-by: Mike Dillinger <miked@softtalker.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Extend the set element infrastructure to support for several statements.
This patch places the statements right after the key when printing it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
reported by tests/monitor# bash run-tests.sh
...
SUMMARY: AddressSanitizer: heap-use-after-free /home/pablo/devel/scm/git-netfilter/nftables/src/expression.c:1385 in expr_ops
Due to incorrect structure layout when calling interval_expr_copy().
Fixes: c1f0476fd590 ("segtree: copy expr data to closing element")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When last expr has no closing element we did not propagate
expr properties such as comment or expire date to the newly
allocated set elem.
Before:
nft create table t
nft 'add set t s { type ipv4_addr; flags interval; timeout 60s; }'
nft add element t s { 224.0.0.0/3 }
nft list set t s | grep -o 'elements.*'
elements = { 224.0.0.0-255.255.255.255 }
nft flush set t s
nft add element t s { 224.0.0.0/4, 240.0.0.0/4 }
nft list set t s | grep -o 'elements.*'
elements = { 224.0.0.0/4 expires 55s152ms, 240.0.0.0-255.255.255.255 }
nft delete set t s
nft 'add set t s { type ipv4_addr; flags interval; auto-merge; timeout 60s; }'
nft add element t s { 224.0.0.0/4, 240.0.0.0/4 }
nft list set t s | grep -o 'elements.*'
elements = { 224.0.0.0-255.255.255.255 }
After:
elements = { 224.0.0.0-255.255.255.255 expires 58s515ms }
elements = { 224.0.0.0/4 expires 54s622ms, 240.0.0.0-255.255.255.255 expires 54s622ms }
elements = { 224.0.0.0-255.255.255.255 expires 57s92ms }
Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1454
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
mpz_init_bitmask() overrides the existing memory area:
==19179== 8 bytes in 1 blocks are definitely lost in loss record 1 of 1
==19179== at 0x483577F: malloc (vg_replace_malloc.c:299)
==19179== by 0x489C718: xmalloc (utils.c:36)
==19179== by 0x4B825C5: __gmpz_init2 (in /usr/lib/x86_64-linux-g nu/libgmp.so.10.3.2) f
==19179== by 0x4880239: constant_expr_alloc (expression.c:400)
==19179== by 0x489B8A1: interval_map_decompose (segtree.c:1098)
==19179== by 0x489017D: netlink_list_setelems (netlink.c:1220)
==19179== by 0x48779AC: cache_init_objects (rule.c:170) 5
==19179== by 0x48779AC: cache_init (rule.c:228)
==19179== by 0x48779AC: cache_update (rule.c:279)
==19179== by 0x48A21AE: nft_evaluate (libnftables.c:406)
left-hand side of the interval is leaked when building the range:
==25835== 368 (128 direct, 240 indirect) bytes in 1 blocks are definitely lost in loss record 5 of 5
==25835== at 0x483577F: malloc (vg_replace_malloc.c:299)
==25835== by 0x489B628: xmalloc (utils.c:36)
==25835== by 0x489B6F8: xzalloc (utils.c:65)
==25835== by 0x487E176: expr_alloc (expression.c:45)
==25835== by 0x487F960: mapping_expr_alloc (expression.c:1149)
==25835== by 0x488EC84: netlink_delinearize_setelem (netlink.c:1166)
==25835== by 0x4DC6928: nftnl_set_elem_foreach (set_elem.c:725)
==25835== by 0x488F0D5: netlink_list_setelems (netlink.c:1215)
==25835== by 0x487695C: cache_init_objects (rule.c:170)
==25835== by 0x487695C: cache_init (rule.c:228)
==25835== by 0x487695C: cache_update (rule.c:279)
==25835== by 0x48A10BE: nft_evaluate (libnftables.c:406)
==25835== by 0x48A19B6: nft_run_cmd_from_buffer (libnftables.c:451)
==25835== by 0x10A8E1: main (main.c:487)
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a new field to the cmd structure for elements to store a
reference to the set. This saves an extra lookup in the netlink bytecode
generation step.
This patch also allows to incrementally update during the evaluation
phase according to the command actions, which is required by the follow
up ("evaluate: remove table from cache on delete table") bugfix patch.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Otherwise, interval sets do not display element statement such as
counters.
Fixes: 6d80e0f15492 ("src: support for counter in set definition")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
ASAN reports:
segtree.c:387:30: runtime error: variable length array bound evaluates to non-positive value 0
Update array definition to be the set size plus 1.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
==26693==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 256 byte(s) in 2 object(s) allocated from:
#0 0x7f6ce2189330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
#1 0x7f6ce1b1767a in xmalloc /home/pablo/devel/scm/git-netfilter/nftables/src/utils.c:36
#2 0x7f6ce1b177d3 in xzalloc /home/pablo/devel/scm/git-netfilter/nftables/src/utils.c:65
#3 0x7f6ce1a41760 in expr_alloc /home/pablo/devel/scm/git-netfilter/nftables/src/expression.c:45
#4 0x7f6ce1a4dea7 in set_elem_expr_alloc /home/pablo/devel/scm/git-netfilter/nftables/src/expression.c:1278
#5 0x7f6ce1ac2215 in netlink_delinearize_setelem /home/pablo/devel/scm/git-netfilter/nftables/src/netlink.c:1094
#6 0x7f6ce1ac3c16 in list_setelem_cb /home/pablo/devel/scm/git-netfilter/nftables/src/netlink.c:1172
#7 0x7f6ce0198808 in nftnl_set_elem_foreach /home/pablo/devel/scm/git-netfilter/libnftnl/src/set_elem.c:725
Indirect leak of 256 byte(s) in 2 object(s) allocated from:
#0 0x7f6ce2189330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
#1 0x7f6ce1b1767a in xmalloc /home/pablo/devel/scm/git-netfilter/nftables/src/utils.c:36
#2 0x7f6ce1b177d3 in xzalloc /home/pablo/devel/scm/git-netfilter/nftables/src/utils.c:65
#3 0x7f6ce1a41760 in expr_alloc /home/pablo/devel/scm/git-netfilter/nftables/src/expression.c:45
#4 0x7f6ce1a4515d in constant_expr_alloc /home/pablo/devel/scm/git-netfilter/nftables/src/expression.c:388
#5 0x7f6ce1abaf12 in netlink_alloc_value /home/pablo/devel/scm/git-netfilter/nftables/src/netlink.c:354
#6 0x7f6ce1ac17f5 in netlink_delinearize_setelem /home/pablo/devel/scm/git-netfilter/nftables/src/netlink.c:1080
#7 0x7f6ce1ac3c16 in list_setelem_cb /home/pablo/devel/scm/git-netfilter/nftables/src/netlink.c:1172
#8 0x7f6ce0198808 in nftnl_set_elem_foreach /home/pablo/devel/scm/git-netfilter/libnftnl/src/set_elem.c:725
Indirect leak of 16 byte(s) in 1 object(s) allocated from:
#0 0x7f6ce2189720 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9720)
#1 0x7f6ce1b1778d in xrealloc /home/pablo/devel/scm/git-netfilter/nftables/src/utils.c:55
#2 0x7f6ce1b1756d in gmp_xrealloc /home/pablo/devel/scm/git-netfilter/nftables/src/gmputil.c:202
#3 0x7f6ce1417059 in __gmpz_realloc (/usr/lib/x86_64-linux-gnu/libgmp.so.10+0x23059)
Indirect leak of 8 byte(s) in 1 object(s) allocated from:
#0 0x7f6ce2189330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
#1 0x7f6ce1b1767a in xmalloc /home/pablo/devel/scm/git-netfilter/nftables/src/utils.c:36
#2 0x7f6ce14105c5 in __gmpz_init2 (/usr/lib/x86_64-linux-gnu/libgmp.so.10+0x1c5c5)
SUMMARY: AddressSanitizer: 536 byte(s) leaked in 6 allocation(s).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Code wasn't aware of prefix elements in interval sets. With previous
changes in place, they merely need to be accepted in
get_set_interval_find() - value comparison and expression duplication is
identical to ranges.
Extend sets/0034get_element_0 test to cover prefixes as well. While
being at it, also cover concatenated ranges.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
| |
Both functions were very similar already. Under the assumption that they
will always either see a range (or start of) that matches exactly or not
at all, reduce complexity and make get_set_interval_find() accept NULL
(left or) right values. This way it becomes a full replacement for
get_set_interval_end().
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
| |
Both functions perform interval set lookups with either start and end or
only start values as input. Interestingly, in practice they either see
values which are not contained or which match an existing range exactly.
Make use of the above and just return a clone of the matching entry
instead of creating a new one based on input data.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
| |
This probable copy'n'paste bug prevented 'expiration' field from being
populated when turning a range into a prefix in
interval_map_decompose(). Consequently, interval sets with timeout did
print expiry value for ranges (such as 10.0.0.1-10.0.0.5) but not
prefixes (10.0.0.0/8, for instance).
Fixes: bb0e6d8a2851b ("segtree: incorrect handling of comments and timeouts with mapping")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Segfault on error reporting when intervals overlap.
ip saddr vmap {
10.0.1.0-10.0.1.255 : accept,
10.0.1.1-10.0.2.255 : drop
}
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1415
Fixes: 4d6ad0f310d6 ("segtree: check for overlapping elements at insertion")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
After exporting field lengths via NFTNL_SET_DESC_CONCAT attributes,
we now need to adjust parsing of user input and generation of
netlink key data to complete support for concatenation of set
ranges.
Instead of using separate elements for start and end of a range,
denoting the end element by the NFT_SET_ELEM_INTERVAL_END flag,
as it's currently done for ranges without concatenation, we'll use
the new attribute NFTNL_SET_ELEM_KEY_END as suggested by Pablo. It
behaves in the same way as NFTNL_SET_ELEM_KEY, but it indicates
that the included key represents the upper bound of a range.
For example, "packets with an IPv4 address between 192.0.2.0 and
192.0.2.42, with destination port between 22 and 25", needs to be
expressed as a single element with two keys:
NFTA_SET_ELEM_KEY: 192.0.2.0 . 22
NFTA_SET_ELEM_KEY_END: 192.0.2.42 . 25
To achieve this, we need to:
- adjust the lexer rules to allow multiton expressions as elements
of a concatenation. As wildcards are not allowed (semantics would
be ambiguous), exclude wildcards expressions from the set of
possible multiton expressions, and allow them directly where
needed. Concatenations now admit prefixes and ranges
- generate, for each element in a range concatenation, a second key
attribute, that includes the upper bound for the range
- also expand prefixes and non-ranged values in the concatenation
to ranges: given a set with interval and concatenation support,
the kernel has no way to tell which elements are ranged, so they
all need to be. For example, 192.0.2.0 . 192.0.2.9 : 1024 is
sent as:
NFTA_SET_ELEM_KEY: 192.0.2.0 . 1024
NFTA_SET_ELEM_KEY_END: 192.0.2.9 . 1024
- aggregate ranges when elements received by the kernel represent
concatenated ranges, see concat_range_aggregate()
- perform a few minor adjustments where interval expressions
are already handled: we have intervals in these sets, but
the set specification isn't just an interval, so we can't
just aggregate and deaggregate interval ranges linearly
v4: No changes
v3:
- rework to use a separate key for closing element of range instead of
a separate element with EXPR_F_INTERVAL_END set (Pablo Neira Ayuso)
v2:
- reworked netlink_gen_concat_data(), moved loop body to a new function,
netlink_gen_concat_data_expr() (Phil Sutter)
- dropped repeated pattern in bison file, replaced by a new helper,
compound_expr_alloc_or_add() (Phil Sutter)
- added set_is_nonconcat_range() helper (Phil Sutter)
- in expr_evaluate_set(), we need to set NFT_SET_SUBKEY also on empty
sets where the set in the context already has the flag
- dropped additional 'end' parameter from netlink_gen_data(),
temporarily set EXPR_F_INTERVAL_END on expressions and use that from
netlink_gen_concat_data() to figure out we need to add the 'end'
element (Phil Sutter)
- replace range_mask_len() by a simplified version, as we don't need
to actually store the composing masks of a range (Phil Sutter)
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This will be needed once we add support for the 'typeof' keyword to
handle maps that could e.g. store 'ct helper' "type" values.
Instead of:
set foo {
type ipv4_addr . mark;
this would allow
set foo {
typeof(ip saddr) . typeof(ct mark);
(exact syntax TBD).
This would be needed to allow sets that store variable-sized data types
(string, integer and the like) that can't be used at at the moment.
Adding special data types for everything is problematic due to the
large amount of different types needed.
For anonymous sets, e.g. "string" can be used because the needed size can
be inferred from the statement, e.g. 'osf name { "Windows", "Linux }',
but in case of named sets that won't work because 'type string' lacks the
context needed to derive the size information.
With 'typeof(osf name)' the context is there, but at the moment it won't
help because the expression is discarded instantly and only the data
type is retained.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Check from the delinearize set element path if the nul-root element
already exists in the interval set. Hence, the element insertion path
skips the implicit nul-root interval insertion.
Under some circunstances, nft bogusly fails to delete the last element
of the interval set and to create an element in an existing empty
internal set. This patch includes a test that reproduces the issue.
Fixes: 4935a0d561b5 ("segtree: special handling for the first non-matching segment")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Always close interval in non-anonymous sets unless the auto-merge
feature is set on.
Fixes: a4ec05381261 ("segtree: always close interval in non-anonymous sets")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes get element command for interval sets with host byte order
data type, like e.g. mark. During serializing of the range (or element)
to query, data was exported in wrong byteorder and consequently not
found in kernel.
The mystery part is that code seemed correct: When calling
constant_expr_alloc() from set_elem_add(), the set key's byteorder was
passed with correct value of BYTEORDER_HOST_ENDIAN.
Comparison with delete/add element code paths though turned out that in
those use-cases, constant_expr_alloc() is called with BYTEORDER_INVALID:
- seg_tree_init() takes byteorder field value of first element in
init->expressions (i.e., the elements requested on command line) and
assigns that to tree->byteorder
- tree->byteorder is passed to constant_expr_alloc() in
set_insert_interval()
- the elements' byteorder happens to be the default value
This patch may not fix the right side, but at least it aligns get with
add/delete element codes.
Fixes: a43cc8d53096d ("src: support for get element command")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Make sure any intervals to delete actually exist, otherwise reject the
command. Without this, it is possible to mess up rbtree contents:
| # nft list ruleset
| table ip t {
| set s {
| type ipv4_addr
| flags interval
| auto-merge
| elements = { 192.168.1.0-192.168.1.254, 192.168.1.255 }
| }
| }
| # nft delete element t s '{ 192.168.1.0/24 }'
| # nft list ruleset
| table ip t {
| set s {
| type ipv4_addr
| flags interval
| auto-merge
| elements = { 192.168.1.255-255.255.255.255 }
| }
| }
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Skip this optimization for non-anonymous sets, otherwise, element
deletion breaks.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Userdata attribute names have been added to libnftnl, use them instead
of the local copy.
While being at it, rename udata_get_comment() in netlink_delinearize.c
and the callback it uses since the function is specific to rules. Also
integrate the existence check for NFTNL_RULE_USERDATA into it along with
the call to nftnl_rule_get_data().
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Do not inconditionally hold reference to start interval.
The handling depends on what kind of range expression we need to build,
either no range at all, a prefix or a plain range. Depending on the
case, we need to partially clone what we need from the expression to
avoid use-after-free.
This fixes valgrind reports that look like this, when listing rulesets:
==30018== 2,057,984 (1,028,992 direct, 1,028,992 indirect) bytes in 8,039 blocks are definitely lost in loss record 76 of 83
==30018== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==30018== by 0x4E75978: xmalloc (utils.c:36)
==30018== by 0x4E75A5D: xzalloc (utils.c:65)
==30018== by 0x4E5CEC0: expr_alloc (expression.c:45)
==30018== by 0x4E5D610: mapping_expr_alloc (expression.c:985)
==30018== by 0x4E6A068: netlink_delinearize_setelem (netlink.c:810)
==30018== by 0x5B51320: nftnl_set_elem_foreach (set_elem.c:673)
==30018== by 0x4E6A2D5: netlink_list_setelems (netlink.c:864)
==30018== by 0x4E56C76: cache_init_objects (rule.c:166)
==30018== by 0x4E56C76: cache_init (rule.c:216)
==30018== by 0x4E56C76: cache_update (rule.c:243)
==30018== by 0x4E64530: cmd_evaluate_list (evaluate.c:3503)
==30018== by 0x4E64530: cmd_evaluate (evaluate.c:3880)
==30018== by 0x4E7D12F: nft_parse (parser_bison.y:798)
==30018== by 0x4E7AB56: nft_parse_bison_buffer (libnftables.c:349)
==30018== by 0x4E7AB56: nft_run_cmd_from_buffer (libnftables.c:394)
Reported-by: Václav Zindulka <vaclav.zindulka@tlapnet.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
# cat test.nft
add set x y { type ipv4_addr; }
add element x y { 10.0.24.0/24 }
# nft -f test.nft
# nft delete element x y { 10.0.24.0/24 }
bogusly returns -ENOENT. The non-matching segment (0.0.0.0 with end-flag
set on) is not added to the set in the example above.
This patch also adds a test to cover this case.
Fixes: 4935a0d561b5 ("segtree: special handling for the first non-matching segment")
Reported-by: Václav Zindulka <vaclav.zindulka@tlapnet.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Breaks custom-defined configuration in library mode, ie. user may want
to store output in a file, instead of stderr.
Fixes: 35f6cd327c2e ("src: Pass stateless, numeric, ip2name and handle variables as structure members.")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
We must set output_fp to sensible filep, else crash.
Reported-by: Václav Zindulka <vaclav.zindulka@tlapnet.cz>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
Temporary kludge to remove all the expr->ops->type == ... patterns.
Followup patch will remove expr->ops, and make expr_ops() lookup
the correct expr_ops struct instead to reduce struct expr size.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
Currently callers use expr->ops->name, but follouwp patch will remove the
ops pointer from struct expr. So add this helper and use it everywhere.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adding new elements result in a confusing "Success" error message.
# nft add element x y { 0-3 }
[...]
Error: Could not process rule: Success
add element x y { 0-3 }
^^^^^^^^^^^^^^^^^^^^^^^^
after this patch, this reports:
Error: Could not process rule: File exists
add element x y { 0-3 }
^^^^^^^^^^^^^^^^^^^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Add range to the list of matching elements.
Fixes: 95629758a5ec ("segtree: bogus range via get set element on existing elements")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
No need to keep iterating once the range object has been allocated.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Release set content on error. Moreover, release input set content in
case we finally manage to decompose it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
This function overrides the left pointer. Instead update this function
to return the range that we found to enclose the left element. Note that
we may not find a closing right element - therefore, it is a standalone
element - in that case this function returns NULL.
Reported-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
table ip x {
set y {
type inet_service
flags interval
elements = { 10, 20-30, 40, 50-60 }
}
}
# nft get element x y { 20-40 }
table ip x {
set y {
type inet_service
flags interval
elements = { 20-40 }
}
}
20 and 40 exist in the tree, but they are part of different ranges.
This patch adds a new get_set_decompose() function to validate that the
left and the right side of the range.
Reported-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Check if expression is a mapping to do the right handling.
Fixes: 35fedcf540bf ("segtree: missing comments in range and prefix expressions in sets")
Fixes: be90e03dd1fa ("segtree: add timeout for range and prefix expressions in sets")
Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
# nft add table x
# nft add set x y { type ipv4_addr\; flags timeout,interval\; }
# nft add element x y { 7.4.4.5-8.8.8.8 comment "good guy" timeout 30s}
# nft list ruleset
table ip x {
set y {
type ipv4_addr
flags interval,timeout
elements = { 7.4.4.5-8.8.8.8 timeout 30s expires 27s956ms comment "good guy" }
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
table inet filter {
set spamhaus {
type ipv4_addr
flags interval
elements = { 1.2.3.8/31 comment "evil people", 3.3.3.16-3.3.3.20 comment "more than evil" }
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Store location object in handle to improve error reporting.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Unclosed interval check at end of interval_map_decompose() missed to
check whether interval start is the last possible element in given set
before creating a range expression. This led to the last element
incorrectly printed as range from itself to itself. Fix this by
comparing the upper boundary against the lower one.
In order to keep indenting level low, invert the entry check and jump to
the end if it matches.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes memory leaks in three places:
* set_overlap():
The allocated intervals have to be freed again before returning to
caller. While being at it, reduce indenting level in said function to
stay below 80 columns boundary.
* range_is_prefix():
* interval_map_decompose():
GMP documentation suggests to call mpz_clear() for all mpz_t type
variables once they are not used anymore to free the space they occupy.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
In case of EXPR_MAPPING, expr->len is 0, we need to use
the length of the key instead.
Without this we can get assertion failure later on:
nft: netlink_delinearize.c:1484: binop_adjust_one: Assertion `value->len >= binop->right->len' failed.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
You need a Linux kernel >= 4.15 to use this feature.
This patch allows us to dump the content of an existing set.
# nft list ruleset
table ip x {
set x {
type ipv4_addr
flags interval
elements = { 1.1.1.1-2.2.2.2, 3.3.3.3,
5.5.5.5-6.6.6.6 }
}
}
You check if a single element exists in the set:
# nft get element x x { 1.1.1.5 }
table ip x {
set x {
type ipv4_addr
flags interval
elements = { 1.1.1.1-2.2.2.2 }
}
}
Output means '1.1.1.5' belongs to the '1.1.1.1-2.2.2.2' interval.
You can also check for intervals:
# nft get element x x { 1.1.1.1-2.2.2.2 }
table ip x {
set x {
type ipv4_addr
flags interval
elements = { 1.1.1.1-2.2.2.2 }
}
}
If you try to check for an element that doesn't exist, an error is
displayed.
# nft get element x x { 1.1.1.0 }
Error: Could not receive set elements: No such file or directory
get element x x { 1.1.1.0 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
You can also check for multiple elements in one go:
# nft get element x x { 1.1.1.5, 5.5.5.10 }
table ip x {
set x {
type ipv4_addr
flags interval
elements = { 1.1.1.1-2.2.2.2, 5.5.5.5-6.6.6.6 }
}
}
You can also use this to fetch the existing timeout for specific
elements, in case you have a set with timeouts in place:
# nft get element w z { 2.2.2.2 }
table ip w {
set z {
type ipv4_addr
timeout 30s
elements = { 2.2.2.2 expires 17s }
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This speeds up element overlap checks quite a bit.
Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1228
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, when adding multiple ranges to a set they were merged if
overlapping or adjacent. This might cause inconvenience though since it
is afterwards not easily possible anymore to remove one of the merged
ranges again while keeping the others in place.
Since it is not possible to have overlapping ranges, this patch adds a
check for newly added ranges to make sure they don't overlap if merging
is turned off.
Note that it is not possible (yet?) to enable range merging using nft
tool.
Testsuite had to be adjusted as well: One test in tests/py changed avoid
adding overlapping ranges and the test in tests/shell which explicitly
tests for this feature dropped.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Prepend nft_ prefix before these are exposed, reduce chances we hit
symbol namespace pollution problems when mixing libnftables with other
existing libraries.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Doing so retains legth information in case of unqualified data types,
e.g. we now have 'meta iifname' expression instead of an (unqualified)
string type.
This allows to eventually use iifnames as set keys without adding yet
another special data type for them.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
So this toggle is not global anymore. Update name that fits better with
the semantics of this variable.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Get rid of lots of ifdef DEBUG pollution in the code.
The --debug= option is useful to get feedback from users, so it should
be always there. And we really save nothing from keeping this code away
from the control plane with a compile time option. Just running
tests/shell/ before and after this patch, time shows almost no
difference.
So this patch leaves --enable-debug around to add debugging symbols in
your builds, this is left set on by default.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|