| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
!= operation should also be covered too.
Fixes: 347a4aa16e64 ("netlink_delinearize: skip flags / mask notation for singleton bitmask")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
# cat x.nft
define interfaces = { eth0, eth1 }
table ip x {
chain y {
type filter hook input priority 0; policy accept;
iifname vmap { lo : accept, $interfaces : drop }
}
}
# nft -f x.nft
# nft list ruleset
table ip x {
chain y {
type filter hook input priority 0; policy accept;
iifname vmap { "lo" : accept, "eth0" : drop, "eth1" : drop }
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
# nft add rule x y tcp option 6 exists
# nft list ruleset
nft: tcpopt.c:208: tcpopt_init_raw: Assertion `expr->exthdr.desc != NULL' failed.
Aborted
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1557
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Update this command to display the hook datapath for a packet depending
on its family.
This patch also includes:
- Group of existing hooks based on the hook location.
- Order hooks by priority, from INT_MIN to INT_MAX.
- Do not add sign to priority zero.
- Refresh include/linux/netfilter/nfnetlink_hook.h cache copy.
- Use NFNLA_CHAIN_* attributes to print the chain family, table and name.
If NFNLA_CHAIN_* attributes are not available, display the hookfn name.
- Update syntax: remove optional hook parameter, promote the 'device'
argument.
The following example shows the hook datapath for IPv4 packets coming in
from netdevice 'eth0':
# nft list hooks ip device eth0
family ip {
hook ingress {
+0000000010 chain netdev x y [nf_tables]
+0000000300 chain inet m w [nf_tables]
}
hook input {
-0000000100 chain ip a b [nf_tables]
+0000000300 chain inet m z [nf_tables]
}
hook forward {
-0000000225 selinux_ipv4_forward
0000000000 chain ip a c [nf_tables]
}
hook output {
-0000000225 selinux_ipv4_output
}
hook postrouting {
+0000000225 selinux_ipv4_postroute
}
}
Note that the listing above includes the existing netdev and inet
hooks/chains which *might* interfer in the travel of an incoming IPv4
packet. This allows users to debug the pipeline, basically, to
understand in what order the hooks/chains are evaluated for the IPv4
packets.
If the netdevice is not specified, then the ingress hooks are not
shown.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Do not transform 'tcp flags & flag == flag' to 'flag / flag'.
The parser does not accept this notation yet.
Fixes: c3d57114f119 ("parser_bison: add shortcut syntax for matching flags without binary operations")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The negation was introduced to provide a simple shortcut. Extend
e6c32b2fa0b8 ("src: add negation match on singleton bitmask value") to
disallow negation with binary operations too.
# nft add rule meh tcp_flags 'tcp flags & (fin | syn | rst | ack) ! syn'
Error: cannot combine negation with binary expression
add rule meh tcp_flags tcp flags & (fin | syn | rst | ack) ! syn
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ~~~
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nft generates incorrect bytecode when combining flag datatype and binary
operations:
# nft --debug=netlink add rule meh tcp_flags 'tcp flags & (fin | syn | rst | ack) syn'
ip
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 1b @ transport header + 13 => reg 1 ]
[ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ]
[ bitwise reg 1 = ( reg 1 & 0x00000002 ) ^ 0x00000000 ]
[ cmp neq reg 1 0x00000000 ]
Note the double bitwise expression. The last two expressions are not
correct either since it should match on the syn flag, ie. 0x2.
After this patch, netlink bytecode generation looks correct:
# nft --debug=netlink add rule meh tcp_flags 'tcp flags & (fin | syn | rst | ack) syn'
ip
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 1b @ transport header + 13 => reg 1 ]
[ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ]
[ cmp eq reg 1 0x00000002 ]
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Missing != when printing the expression.
Fixes: c3d57114f119 ("parser_bison: add shortcut syntax for matching flags without binary operations")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Assuming this map:
map y {
type ipv4_addr : verdict
}
This patch slightly improves error reporting to refer to the missing
'counter' statement in the map declaration.
# nft 'add element x y { 1.2.3.4 counter packets 1 bytes 1 : accept, * counter : drop }'
Error: missing statement in map declaration
add element x y { 1.2.3.4 counter packets 10 bytes 640 : accept, * counter : drop }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The kernel already assumes that that ICMP type to reject a packet is
destination-unreachable, hence the user specifies the *ICMP code*.
Simplify the syntax to:
... reject with icmp port-unreachable
this removes the 'type' keyword before the ICMP code to reject the
packet with.
IIRC, the original intention is to leave room for future extensions that
allow to specify both the ICMP type and the ICMP code, this is however
not possible with the current inconsistent syntax.
Update manpages which also refer to ICMP type.
Adjust tests/py to the new syntax.
Fixes: 5fdd0b6a0600 ("nft: complete reject support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Extend parser to accept a numeric icmp code, instead of bailing out:
# nft add rule inet filter input reject with icmpx type 3
Error: syntax error, unexpected number, expecting string
add rule inet filter input reject with icmpx type 3
^
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1555
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Missing parser extension to support for stateful statements in map.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This function might be useful to recycle the existing nft_ctx to use it
with different external variable definitions.
Moreover, reset ctx->num_vars to zero.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
There a typo that prevents exposing the function as API.
Fixes: 16543a0136c0 ("libnftables: export public symbols only")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
The policy is optional, make sure this timeout list is initialized.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
rule.c:1715:3: runtime error: member access within null pointer of type 'struct timeout_state'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==29500==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f5bfd43c2a4 bp 0x7ffcb82f13b0 sp 0x7ffcb82f1360 T0)
==29500==The signal is caused by a READ memory access.
==29500==Hint: address points to the zero page.
#0 0x7f5bfd43c2a3 in obj_free /home/test/nftables/src/rule.c:1715
#1 0x7f5bfd43875d in cmd_free /home/test/nftables/src/rule.c:1447
#2 0x7f5bfd58e6f2 in nft_run_cmd_from_filename /home/test/nftables/src/libnftables.c:628
#3 0x5645c48762b1 in main /home/test/nftables/src/main.c:512
#4 0x7f5bfc0eb09a in __libc_start_main ../csu/libc-start.c:308
#5 0x5645c4873459 in _start (/home/test/nftables/src/.libs/nft+0x9459)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/test/nftables/src/rule.c:1715 in obj_free
==29500==ABORTING
Fixes: 7a0e26723496 ("rule: memleak of list of timeout policies")
Signed-off-by: Pablo Neira Ayuso <test@netfilter.org>
|
| |
|
|
|
|
|
| |
Add nft_ctx_add_var() to libnftables.map symbol map.
Fixes: 9edaa6a51eab ("src: add --define key=value")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
nft currently reports:
Error: Could not process rule: Protocol error
add rule inet x y meta l4proto tcp dnat to :80
^^^^
default to NFPROTO_INET family, otherwise kernel bails out EPROTO when
trying to load the conntrack helper.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1428
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a new option to define variables from the command line.
# cat test.nft
table netdev x {
chain y {
type filter hook ingress devices = $dev priority 0;
counter accept
}
}
# nft --define dev="{ eth0, eth1 }" -f test.nft
You can only combine it with -f/--filename.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch allows you to combine concatenation and interval in NAT
mappings, e.g.
add rule x y dnat to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2-10.141.10.5 . 8888-8999 }
This generates the following NAT expression:
[ nat dnat ip addr_min reg 1 addr_max reg 10 proto_min reg 9 proto_max reg 11 ]
which expects to obtain the following tuple:
IP address (min), source port (min), IP address (max), source port (max)
to be obtained from the map. This representation simplifies the
delinearize path, since the datatype is specified as:
ipv4_addr . inet_service.
A few more notes on this update:
- alloc_nftnl_setelem() needs a variant netlink_gen_data() to deal with
the representation of the range on the rhs of the mapping. In contrast
to interval concatenation in the key side, where the range is expressed
as two netlink attributes, the data side of the set element mapping
stores the interval concatenation in a contiguos memory area, see
__netlink_gen_concat_expand() for reference.
- add range_expr_postprocess() to postprocess the data mapping range.
If either one single IP address or port is used, then the minimum and
maximum value in the range is the same value, e.g. to avoid listing
80-80, this round simplify the range. This also invokes the range
to prefix conversion routine.
- add concat_elem_expr() helper function to consolidate code to build
the concatenation expression on the rhs element data side.
This patch also adds tests/py and tests/shell.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If the map is anonymous, infer it from the set elements. Otherwise, the
set definition already have an explicit concatenation definition in the
data side of the mapping.
This update simplifies the NAT mapping syntax with concatenations, e.g.
snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 }
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
STMT_NAT_F_INTERVAL is not useful, the keyword interval can be removed
to simplify the syntax, e.g.
snat to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 }
This patch reworks 9599d9d25a6b ("src: NAT support for intervals in
maps").
Do not remove STMT_NAT_F_INTERVAL yet since this flag is needed for
interval concatenations coming in a follow up patch.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Use stmt_free() and expr_free() to release these objects.
Fixes: 671851617c8d ("netlink_delinearize: Fix resource leaks")
Fixes: 3a8640672978 ("src: hash: support of symmetric hash")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
0065_icmp_postprocessing: line 13: Segmentation fault $NFT insert rule ip x foo index 1 accept
Since no listing is done, cache isn't populated and 'nft insert' will trip over
set->init == NULL during postprocessing of the existing 'icmp id 42' expression.
Fixes: 9a5574e2d4e9 ("netlink_delinearize: add missing icmp id/sequence support")
Reported-by: Eric Garver <eric@garver.life>
Reported-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This example ruleset is missing the chain declaration:
add table x
add set x y { typeof ip saddr ; }
add rule x y counter
After this patch, error reporting provides suggestions for the missing
chain:
# nft -f ruleset.nft
ruleset.nft:3:12-12: Error: No such file or directory; did you mean chain ‘INPUT’ in table ip ‘filter’?
add rule x y counter
^
Before this patch, it incorrectly refers to the table:
ruleset.nft:3:10-10: Error: No such file or directory; did you mean table ‘filter’ in family ip?
add rule x y counter
^
This patch invalidates the table that is found via fuzzy lookup if it
exists in the cache.
Fixes: 0276c2fee939 ("cmd: check for table mismatch first in error reporting")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the command refers to an inexisting table, then use the table location.
ruleset.nft:3:12-12: Error: No such file or directory; did you mean table ‘filter’ in family ip?
add rule x x ip saddr @x log prefix "Anti SSH-Bruteforce: " drop
^
before this patch location is not correct:
ruleset.nft:3:12-12: Error: No such file or directory; did you mean table ‘filter’ in family ip?
add rule x x ip saddr @x log prefix "Anti SSH-Bruteforce: " drop
^
Fixes: 0276c2fee939 ("cmd: check for table mismatch first in error reporting")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Missing free() on the timeout state string on object release.
Fixes: 7a0e26723496 ("rule: memleak of list of timeout policies"
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Direct leak of 13 byte(s) in 1 object(s) allocated from:
#0 0x7fb49ad79810 in strdup (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a810)
#1 0x7fb496b8f63a in xstrdup /home/pablo/nftables/src/utils.c:85
#2 0x7fb496c9a79d in nft_lex /home/pablo/nftables/src/scanner.l:740
[...]
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Release dynamically allocated string by lex from the YYERROR path, e.g.
# cat test.nft
table x {
map test {
type ipv4_addr . foo . inet_service : ipv4_addr . inet_service
}
}
# nft -f test.nft
test.nft:3:20-22: Error: unknown datatype foo
type ipv4_addr . foo . inet_service : ipv4_addr . inet_service
^^^
test.nft:6-9: Error: set definition does not specify key
map test {
^^^^
==29692==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 5 byte(s) in 1 object(s) allocated from:
#0 0x7f6c869e8810 in strdup (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a810)
#1 0x7f6c8637f63a in xstrdup /home/test/nftables/src/utils.c:85
#2 0x7f6c8648a4d3 in nft_lex /home/test/nftables/src/scanner.l:740
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
The err->seqnum == batch_seqnum case results in a memleak of mnl_err
objects under some scenarios such as nf_tables kernel support is not
available or user runs the nft executable as non-root.
Fixes: f930cc500318 ("nftables: fix supression of "permission denied" errors")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
expr_evaluate_concat() is overloaded, it deals with two cases:
#1 set key and data definitions, this case uses the special
dynamically created concatenation datatype which is taken
from the context.
#2 set elements, this case iterates over the set key and data
expressions that are components of the concatenation tuple,
to fetch the corresponding datatype.
Add a new function to deal with case #1 specifically.
This patch is implicitly fixing up map that include arbitrary
concatenations. This is failing with a spurious error report such as:
# cat bug.nft
table x {
map test {
type ipv4_addr . inet_proto . inet_service : ipv4_addr . inet_service
}
}
# nft -f bug.nft
bug.nft:3:48-71: Error: datatype mismatch, expected concatenation of (IPv4 address, Internet protocol, internet network service), expression has type concatenation of (IPv4 address, internet network service)
type ipv4_addr . inet_proto . inet_service : ipv4_addr . inet_service
^^^^^^^^^^^^^^^^^^^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This allows to chose a queue number at run time using map statements,
e.g.:
queue flags bypass to ip saddr map { 192.168.7/24 : 0, 192.168.0/24 : 1 }
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
back in 2016 Liping Zhang added support to kernel and libnftnl to
specify a source register containing the queue number to use.
This was never added to nft itself, so allow this.
On linearization side, check if attached expression is a range.
If its not, allocate a new register and set NFTNL_EXPR_QUEUE_SREG_QNUM
attribute after generating the lowlevel expressions for the kernel.
On delinarization we need to check for presence of
NFTNL_EXPR_QUEUE_SREG_QNUM and decode the expression(s) when present.
Also need to do postprocessing for STMT_QUEUE so that the protocol
context is set correctly, without this only raw payload expressions
will be shown (@nh,32,...) instead of 'ip ...'.
Next patch adds test cases.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rename existing rules to _compat to make sure old rules using 'queue'
statement will work.
Next patch adds distinct input format where flags are explicitly
provided:
queue flags name,<nextflag> num 1
Without this, extension of queue expression to handle arbitrary
expression instead of queue number or range results in parser errors.
Example:
queue num jhash ip saddr mod 4 and 1 bypass
will fail because scanner is still in 'ip' state, not 'queue', when
"bypass" is read.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Preparation patch to avoid too much $<stmt>$ references in the parser.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Else we run into trouble once we allow
queue num symhash mod 4 and 1
and so on. Example problem:
queue num jhash ip saddr mod 4 and 1 bypass
This will fail to parse because the scanner is in the wrong state
(ip, not queue), so 'bypass' is parsed as a string.
Currently, while nft will eat the above just fine (minus 'bypass'),
nft rejects this from the evaluation phase with
Error: queue number is not constant
So seems we are lucky and can restrict the supported expressions
to integer and range.
Furthermore, the line looks wrong because this statement:
queue num jhash ip saddr mod 4 and 1 bypass
doesn't specifiy a number, "queue num 4" does, or "queue num 1-2" do.
For arbitrary expr support it seems sensible to enforce stricter
ordering to avoid any problems with the flags, for example:
queue bypass,futurekeyword to jhash ip saddr mod 42
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
It needs to account for the offset too.
Fixes: 9bee0c86f179 ("src: add offset attribute for hash expression")
Fixes: d4f9a8fb9e9a ("src: add offset attribute for numgen expression")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Release list of ct timeout policy when object is freed.
Direct leak of 160 byte(s) in 2 object(s) allocated from:
#0 0x7fc0273ad330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
#1 0x7fc0231377c4 in xmalloc /home/.../devel/nftables/src/utils.c:36
#2 0x7fc023137983 in xzalloc /home/.../devel/nftables/src/utils.c:75
#3 0x7fc0231f64d6 in nft_parse /home/.../devel/nftables/src/parser_bison.y:4448
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Release osf string flag after processing.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
listing a ruleset containing:
ct event set new,related,destroy,label
results in memleak:
Direct leak of 3672 byte(s) in 27 object(s) allocated from:
#0 0x7fa5465c0330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
#1 0x7fa54233772c in xmalloc /home/.../devel/nftables/src/utils.c:36
#2 0x7fa5423378eb in xzalloc /home/.../devel/nftables/src/utils.c:75
#3 0x7fa5422488c6 in expr_alloc /home/.../devel/nftables/src/expression.c:45
#4 0x7fa54224fb91 in binop_expr_alloc /home/.../devel/nftables/src/expression.c:698
#5 0x7fa54224ddf8 in bitmask_expr_to_binops /home/.../devel/nftables/src/expression.c:512
#6 0x7fa5423102ca in expr_postprocess /home/.../devel/nftables/src/netlink_delinearize.c:2448
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Release the array of intervals and the segtree in case of error,
otherwise these structures and objects are never released:
SUMMARY: AddressSanitizer: 2864 byte(s) leaked in 37 allocation(s).
Moreover, improve existing a test coverage of this error path.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Listing a matching wilcard string results in a memleak: ifname "dummy*"
Direct leak of 136 byte(s) in 1 object(s) allocated from:
#0 0x7f27ba52e330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
#1 0x7f27b9e1d434 in xmalloc /home/.../devel/nftables/src/utils.c:36
#2 0x7f27b9e1d5f3 in xzalloc /home/.../devel/nftables/src/utils.c:75
#3 0x7f27b9d2e8c6 in expr_alloc /home/.../devel/nftables/src/expression.c:45
#4 0x7f27b9d326e9 in constant_expr_alloc /home/.../devel/nftables/src/expression.c:419
#5 0x7f27b9db9318 in netlink_alloc_value /home/.../devel/nftables/src/netlink.c:390
#6 0x7f27b9de0433 in netlink_parse_cmp /home/.../devel/nftables/src/netlink_delinearize.c:321
#7 0x7f27b9deb025 in netlink_parse_expr /home/.../devel/nftables/src/netlink_delinearize.c:1764
#8 0x7f27b9deb0de in netlink_parse_rule_expr /home/.../devel/nftables/src/netlink_delinearize.c:1776
#9 0x7f27b860af7b in nftnl_expr_foreach /home/.../devel/libnftnl/src/rule.c:690
Direct leak of 8 byte(s) in 1 object(s) allocated from:
#0 0x7f27ba52e330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
#1 0x7f27b9e1d434 in xmalloc /home/.../devel/nftables/src/utils.c:36
#2 0x7f27b96975c5 in __gmpz_init2 (/usr/lib/x86_64-linux-gnu/libgmp.so.10+0x1c5c5)
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove useless reference count grabbing on constant expression that
results in a memleak.
Direct leak of 136 byte(s) in 1 object(s) allocated from:
#0 0x7f4cd54af330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
#1 0x7f4cd4d9e489 in xmalloc /home/.../devel/nftables/src/utils.c:36
#2 0x7f4cd4d9e648 in xzalloc /home/.../devel/nftables/src/utils.c:75
#3 0x7f4cd4caf8c6 in expr_alloc /home/.../devel/nftables/src/expression.c:45
#4 0x7f4cd4cb36e9 in constant_expr_alloc /home/.../devel/nftables/src/expression.c:419
#5 0x7f4cd4ca714c in integer_type_parse /home/.../devel/nftables/src/datatype.c:397
#6 0x7f4cd4ca4bee in symbolic_constant_parse /home/.../devel/nftables/src/datatype.c:165
#7 0x7f4cd4ca4572 in symbol_parse /home/.../devel/nftables/src/datatype.c:135
#8 0x7f4cd4cc333f in expr_evaluate_symbol /home/.../devel/nftables/src/evaluate.c:251
[...]
Indirect leak of 8 byte(s) in 1 object(s) allocated from:
#0 0x7f4cd54af330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
#1 0x7f4cd4d9e489 in xmalloc /home/.../devel/nftables/src/utils.c:36
#2 0x7f4cd46185c5 in __gmpz_init2 (/usr/lib/x86_64-linux-gnu/libgmp.so.10+0x1c5c5)
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Verdict maps in combination with interval concatenations are broken, e.g.
# nft add rule x y tcp dport . ip saddr vmap { 1025-65535 . 192.168.10.2 : accept }
Retrieve the concatenation field length and count from the map->map
expressions that represents the key of the implicit map.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Set element keys are of EXPR_SET_ELEM expression type, however, mappings
use the EXPR_MAPPING expression to wrap the EXPR_SET_ELEM key
(mapping->left) and the corresponding data (mapping->right).
This patch adds a wrapper function to fetch the EXPR_SET_ELEM expression
from the key in case of mappings and use it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
"icmp type echo-request icmp id 2" and "icmp id 2" are not the same,
the latter gains an implicit dependency on both echo-request and
echo-reply.
Change payload dependency tracking to not store dependency in case
the value type is ICMP(6)_ECHO(REPLY).
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pablo reports following input and output:
in: icmpv6 id 1
out: icmpv6 type { echo-request, echo-reply } icmpv6 parameter-problem 65536/16
Reason is that icmp fields overlap, decoding of the correct name requires
check of the icmpv6 type. This only works for equality tests, for
instance
in: icmpv6 type echo-request icmpv6 id 1
will be listed as "icmpv6 id 1" (which is not correct either, since the
input only matches on echo-request).
with this patch, output of 'icmpv6 id 1' is
icmpv6 type { echo-request, echo-reply } icmpv6 id 1
The second problem, the removal of a single check (request OR reply),
is resolved in the followup patch.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
Use set_is_anonymous() to check for the NFT_SET_ANONYMOUS set flag
instead.
Reported-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Otherwise, assertion to ensure that no colission occur is hit due to
uninitialized hashtable memory area:
nft: netlink_delinearize.c:1741: expr_handler_init: Assertion `expr_handle_ht[hash] == NULL' failed.
Fixes: c4058f96c6a5 ("netlink_delinearize: Fix suspicious calloc() call")
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
