| Commit message | Author | Age | Files | Lines |
We currently do parsing and evaluation in two separate stages. This means
that if any error occurs during parsing, we won't evaluate the syntactically
correct commands and detect possible evaluation errors in them.
In order to improve error reporting, change this to evaluate every command
as soon as it is fully parsed.
With this in place, the ruleset can be fully validated and all errors
reported in one step:
tests/error.1:6:23-23: Error: syntax error, unexpected newline
filter input tcp dport
                      ^
tests/error.1:7:24-26: Error: datatype mismatch, expected internet network service, expression has type Internet protocol
filter input tcp dport tcp
             ~~~~~~~~~ ^^^
tests/error.1:8:24-32: Error: Right hand side of relational expression (==) must be constant
filter input tcp dport tcp dport
             ~~~~~~~~~~^^^^^^^^^
Signed-off-by: Patrick McHardy <kaber@trash.net>
Move error recovery to the common_block definition to handle errors
in any block. Queue those errors and abort parsing once a threshold
is reached.
With this in place, we can continue parsing when errors occur and
show all of them to the user at once.
tests/error.1:3:8-8: Error: syntax error, unexpected '{', expecting string
filter {
       ^
tests/error.1:4:13-13: Error: syntax error, unexpected newline
filter input
            ^
tests/error.1:5:17-17: Error: syntax error, unexpected newline
filter input tcp
                ^
tests/error.1:6:23-23: Error: syntax error, unexpected newline
filter input tcp dport
Signed-off-by: Patrick McHardy <kaber@trash.net>
Close the scopes when destroying a table_block/chain_block. Also add
assertions to open_scope()/close_scope() to catch memory corruption
early.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Don't display "In file included from internal:0:0-0:" for errors occurring
in a parsed file.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Currently always has the value 0.
Signed-off-by: Patrick McHardy <kaber@trash.net>
When reset_pos() is invoked, YY_USER_ACTION() has already advanced the
line offset to the next line. This causes errors for unexpected newlines
to incorrectly show the following line when reading from files.
Signed-off-by: Patrick McHardy <kaber@trash.net>
The symbol for the relational op is shown in the error message. Since
OP_IMPLICIT doesn't have a symbol, (null) is shown. Fix by determining
the implicit op before checking for constants.
Error: Right hand side of relational expression ((null)) must be constant
=>
Error: Right hand side of relational expression (==) must be constant
Signed-off-by: Patrick McHardy <kaber@trash.net>
This patch fixes the inclusion of the last rule that didn't fit
into a batch page.
When using sets this has manifested with the -EBUSY error when deleting
the table (it was still containing unused sets after the flush).
The following command line works fine here:
nft -f test ; nft flush table filter ; nft delete chain filter output; nft delete table filter
Tested using this kernel patch: http://patchwork.ozlabs.org/patch/314143/
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This reverts commit 2f61f093c3149465f2a68764b25c817adbe87fcd.
Crap, accidentally committed this.
This patch adds the following operation:
:~# nft export <xml|json>
The XML/JSON output is provided raw by libnftnl, thus without format.
In case of XML, you can give format with the `xmllint' tool from libxml2-tools:
:~# nft list ruleset xml | xmllint --format -
In case of JSON, you can use `json_pp' from the perl standard package:
:~# nft list ruleset json | json_pp
A format field is added in struct cmd, and it will be reused in the import
operation.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Patrick McHardy <kaber@trash.net>
We currently always use NLM_F_EXCL for add, which makes adding existing
chains or tables fail. There's usually no reason why you would care about
this, so change "add" to not use NLM_F_EXCL and add a new "create" command
in case you do care.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Adapt the current code to use the new library name libnftnl.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add missing NLM_F_CREATE flag when creating new chains to trigger
module autoloading in the kernel.
Reported-by: Ana Rey Botello <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch allows specifying a string to indicate the time, eg.
nft add rule filter output ct expiration \"1d2h3m4s\" counter
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Conflicts:
include/nftables.h
src/main.c
If a set contains elements, the output is not parsable since the
elements = { ... } is not understood by the parser. Fix this and
also add support for creating constant sets (which only makes sense
when using an initializer).
Signed-off-by: Patrick McHardy <kaber@trash.net>
This patch fixes two problems:
- the output of "nft list table ..." is not parsable if sets are included
because the parser can't parse the flags.
- set flags can't be specified during set creation.
To fix this, the set output is changed to:
- not print each flag on a single line
- prefix the flags with "flags "
- only show the interval flag since all others are for internal use only
The parser is changed to parse the flags specified in a set declaration.
This allows parsing empty sets. The following patch will take care of
parsing sets that are already populated.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Replace => by : to make it easier for most shell users. As
> implies a redirection, let's avoid possible confusion that
may result if you forget to escape it.
This works fine if you don't forget to add space between the
key and the value. If you forget to add the space, depending
on the case, the scanner may recognize it correctly or process
it as a string.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This allows you to dump the netlink message that is send via
libmnl.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
For "meta protocol" and the "meta nfproto" expressions, we need to be
able to parse "ip", "ip6", "vlan" and "arp" as protocol values.
Since the interpretation depends on the LHS of the relational expression,
we need to use symbolic expressions instead of constants to defer parsing
to the evaluation phase.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Conflicts:
src/payload.c
If intervals are directly adjacent or extend to the right end of the dimension,
they are not closed by an EXPR_F_INTERVAL_END entry. This leads to multiple
errors when decomposing the intervals:
- the last unclosed interval is not shown at all.
- if a range is unclosed and the set is a map, the starting point of the
next interval is set to the data, not the key, leading to nonsensical
output.
- if a prefix is unclosed, the interval is assumed to be a prefix as well
and the same starting point is kept. This makes sense for cases like
192.168.0.0/24, 192.168.0.0/16, but leads to hard to understand
results if the next interval is not representable as a prefix.
Fix this by doing two things:
- add an EXPR_F_INTERVAL_END element for each unclosed interval during
preprocessing.
- process the final unclosed interval extending to the right end of the
dimension, if present.
Signed-off-by: Patrick McHardy <kaber@trash.net>
It is uncommon to represent f.i. port number ranges as prefix expressions.
Introduce a datatype DTYPE_F_PREFIX flag to indicate that the preferred
representation of a range is a prefix and use it for segtree decomposition
to decide whether to use a range or prefix expression.
The ipaddr, ip6addr, mark and realm datatypes are changed to include the
DTYPE_F_PREFIX flag.
This fixes completely unreadable output in cases where the ranges are
representable as prefixes, f.i. in case of port number:
{ 0/6 => jump chain1, 0/5 => jump chain2, 0/4 => continue}
becomes:
{ 0-1023 => jump chain1, 1024-2047 => jump chain2, 2048-4095 => continue}
Signed-off-by: Patrick McHardy <kaber@trash.net>
Commit 0bd59cf4da (parser: fix parsing of ethernet protocol types) broke
compilation:
src/parser.y:26:22: fatal error: if_ether.h: No such file or directory
Should be netinet/if_ether.h.
Signed-off-by: Patrick McHardy <kaber@trash.net>
% nft list table filter
table ip filter {
...
chain output {
...
ip saddr map { 1.1.1.1 => accept}
}
}
It displays 'map' instead of 'vmap'. Fix it by checking the mapping
type in map_expr_print().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Use ip6 instead of ipv6.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
nft add rule ip filter output meta protocol xyz counter
^^^
This fix is similar to 4097ad7 ("meta: fix crash when parsing
unresolvable mark values").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This allows us to use the protocol type keyword, eg.
nft add rule ip filter output meta protocol ip6 counter
^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Conflicts:
include/nftables.h
src/main.c
This patch changes the output of relational expressions to not suppress
the '==' when the LHS is a binop, f.i.
... meta mark & 0x00000003 0x00000001
becomes
... meta mark & 0x00000003 == 0x00000001
Signed-off-by: Patrick McHardy <kaber@trash.net>
Suggested-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Currently, nft displays the debugging information if it's compiled with
--enable-debug (which seems a good idea) and when intervals are used
in maps. Add a new option to enable debugging to segtree, so we only
get this information when explicitly requested.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Conflicts:
src/payload.c
It's "ether" now since we've changed the keyword.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Conflicts:
src/meta.c
src/parser.y
Signed-off-by: Patrick McHardy <kaber@trash.net>
Don't require the meta keyword for mark, iif, oif, iifname, oifname,
skuid, skgid, nftrace, rtclassid and secmark.
The protocol and length types still need the meta keyword to avoid
grammar conflicts.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Conflicts:
src/parser.y
The secctx should be used instead of the secmark. Remove for now.
Signed-off-by: Patrick McHardy <kaber@trash.net>
These symbols need to be escaped in bash and if you use them without
escaping them, it can lead to confusion. This patch adds nominal
aliases, eg.
nft add rule filter output meta mark and 0x3 eq 0x1
as an alternative to:
nft add rule filter output meta mark \& 0x3 == 0x1
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
There is a problem with the following ipv6 address combination:
nft add rule ip6 t_ip61 filter-input ip6 saddr ::1234:1234:1234:1234:1234:1234:1234
1234::1234:1234:1234:1234:1234:1234
1234:1234::1234:1234:1234:1234:1234
1234:1234:1234::1234:1234:1234:1234
1234:1234:1234:1234::1234:1234:1234
1234:1234:1234:1234:1234::1234:1234
::1234:1234:1234:1234:1234:1234
1234::1234:1234:1234:1234:1234
1234:1234::1234:1234:1234:1234
1234:1234:1234::1234:1234:1234
1234:1234:1234:1234::1234:1234
::1234:1234:1234:1234:1234
1234::1234:1234:1234:1234
1234:1234::1234:1234:1234
1234:1234:1234::1234:1234
::1234:1234:1234:1234
1234::1234:1234:1234
1234:1234::1234:1234
::1234:1234:1234
1234::1234:1234
The problem was in the scanner (src/scanner.l). Several brackets were missed
and the result was an incorrect interpretation.
Fix it by adding some brackets in a regular expression in src/scanner.l
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
eth may easily occur when using ifname masks. This could also be
fixed by interpreting 'eth' as a simple string in the parser but
I think this selector also looks more similar to what we use in
tcpdump.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Don't require the meta keyword for mark, iif, oif, iifname, oifname,
skuid, skgid, nftrace, rtclassid and secmark.
The protocol and length types still need the meta keyword to avoid
grammar conflicts.
Signed-off-by: Patrick McHardy <kaber@trash.net>
The secctx should be used instead of the secmark. Remove for now.
Signed-off-by: Patrick McHardy <kaber@trash.net>
This reverts commit 5e8f8a1807917f92e568437598670b0026462c1c.
I missed that this introduces shift-reduce conflicts. Revert for now.
Consistently use "map" to express mappings.
Signed-off-by: Patrick McHardy <kaber@trash.net>