| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The scanner rejects IPv4-Mapped IPv6 addresses, eg.
# cat test
#!/usr/sbin/nft -f
flush ruleset
table inet global {
set blackhole_ipv6 {
type ipv6_addr
flags interval
elements = { ::ffff:0.0.0.0/96 }
}
}
# nft -f test
test:8:30-38: Error: syntax error, unexpected string, expecting comma or '}'
elements = { ::ffff:0.0.0.0/96 }
^^^^^^^^^^
According to RFC4291, Sect. 2.5.5.2. IPv4-Mapped IPv6 Address:
| 80 bits | 16 | 32 bits |
+--------------------------------------+--------------------------+
|0000..............................0000|FFFF| IPv4 address |
+--------------------------------------+----+---------------------+
Update scanner bits to parse this.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1188
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before this patch the following fails:
# nft add rule ip6 filter x \
set add ip6 saddr . ip6 daddr @test
nft: netlink_linearize.c:648: netlink_gen_expr: Assertion `dreg < ctx->reg_low' failed.
Aborted
This is was previously fixed for flow statements in fbea4a6f4449
("netlink_linearize: skip set element expression in flow table key"), and
this patch implements the same change for set statements by using the set
element key in netlink_gen_set_stmt().
nft-test.py is updated to support set types with concatenated data types
in order to support testing of this.
Signed-off-by: Anders K. Pedersen <akp@cohaesio.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When introducing output_fp, debug output in src/evaluate.c was not
adjusted and therefore broke.
This patch restores eval debug output by applying the following changes:
- Change erec_print() and erec_print_list() to take a struct output_ctx
pointer as first argument and use output_fp field as destination to
print to.
- Drop octx_debug_dummy variable and instead use octx pointer from
struct eval_ctx for debug output.
- Add missing calls to erec_destroy() in eval debug output which should
eliminate another mem leak.
Fixes: 2535ba7006f22 ("src: get rid of printf")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Allow to use limit objects from dictionaries.
Fixes: c0697eabe832 ("src: add stateful object support for limit")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Wrong arithmetics with pointer.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1178
Fixes: 0d9d04c31481 ("src: make netlink sequence number non-static")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
the rt expression currently always sets NFT_RT_NEXTHOP4 and then
uses the network base to determine if its really supposed to be
NEXTHOP6.
For inet, this will fail because the network base is not known,
so this currently enforces need for "meta nfproto" to dermine the
type.
Allow following syntax instead:
rt ip nexthop
rt ip6 nexthop
There is no need for a dependency anymore, as rt expression
checks the hook protocol, ie. NEXTHOP4 will break if the hook pf
is not NFPROTO_IPV4.
Cc: Anders K. Pedersen <akp@cohaesio.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
this prints "original saddr|daddr $NFPROTO" to make output
symmetric with the syntax that we now prefer on input side.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
From postprocess point of view meta and ct are logically the same,
except that their storage area overlaps (union type), so if we
extract the relevant fields we can move all of it into a single
helper and support dependency store/kill for both expressions.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nft has enough context to determine if a dependeny is needed.
add rule ip filter ct original ip6 saddr
allows nft to generate an error due to conflicting bases (ip vs ip6).
add rule inet filter ct original ip6 saddr
allows nft to inject an ipv6 dependency expression.
add rule inet filter ct original saddr
will print an error and will suggest to add ip/ip6 keyword.
Delinerize and print support will be added in followup patches.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
ct keys can match on network and tranasport header protocol
elements, such as port numbers or ip addresses.
Store this base type so a followup commit can store and kill
dependencies, e.g. if bsae is network header we might be able
to kill an earlier expression because the dependency is implicit.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
current syntax is:
ct original saddr $address
problem is that in inet, bridge etc. we lack context to
figure out if this should fetch ipv6 or ipv4 from the conntrack
structure.
$address might not exist, rhs could e.g. be a set reference.
One way to do this is to have users manually specifiy the dependeny:
ct l3proto ipv4 ct original saddr $address
Thats ugly, and, moreover, only needed for table families
other than ip or ipv6.
Pablo suggested to instead specify ip saddr, ip6 saddr:
ct original ip saddr $address
and let nft handle the dependency injection.
This adds the required parts to the scanner and the grammar, next
commit adds code to eval step to make use of this.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
This was helpful when testing nft_print() implementation, but breaks
'nft --help' output. Also, with this in place typical printf-debugging
would have to use stderr at all times which is confusing at least.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This adds a missing call to fflush() to nft_gmp_print() just like in
nft_print(). This is strictly not necessary since usually
nft_gmp_print() is followed by a call to nft_print() but better not rely
upon this assumption.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch introduces nft_print()/nft_gmp_print() functions which have
to be used instead of printf to output information that were previously
send to stdout. These functions print to a FILE pointer defined in
struct output_ctx. It is set by calling:
| old_fp = nft_ctx_set_output(ctx, new_fp);
Having an application-defined FILE pointer is actually quite flexible:
Using fmemopen() or even fopencookie(), an application gains full
control over what is printed and where it should go to.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Instead of having two nearly identical printf() calls for netdev and
other chains, print the common parts separately and include the device
bit only for netdev chains.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
It was a bit odd that erec_print() outputs to a given FILE pointer but
then calls netlink_dump_expr() which just prints to stdout. Fix this by
passing the given FILE pointer along so output is guaranteed to go to
the same destination.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This eliminates the need for that temporary buffer.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
'ct event set label' and 'ct event set new or label' work, but
'ct event set new, label' did not:
nft add rule filter input ct event set new,label
Error: syntax error, unexpected label
This changes the definition to also contain keyword symbol expressions.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change all places that expect ct helper tokens (ct helper configuration)
to CT HELPER. ct_obj_kind is removed.
When we add ct timeout support, we will add a new ct_timeout_block,
plus extra rules. We won't extend ct_block, it prevents the parser
from detecting bogus syntax that only makes sense for ct helper but
not for something else for instance.
ct_block should be renamed to ct_helper_block, will be done in
followup patch.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
since commit b0c2606ed02fed828ab7c34227e355f5542bc925
("parser_bison: use keywords in ct expression") we no longer
abuse string for this, so there are no users of these helpers
anymore.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Doing so retains legth information in case of unqualified data types,
e.g. we now have 'meta iifname' expression instead of an (unqualified)
string type.
This allows to eventually use iifnames as set keys without adding yet
another special data type for them.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
currently set definitions store a datatype rather than
an expression.
In order to support use of unqualified data types (string in particular),
this prepares implicit set definition helper to expect an expression instead
of plain data type. This also has the advantage that we can use EXPR_CONCAT
to retain the original expressions when key concatentation is used, e.g.
'meta iifname . tcp dport'. The netlink serialization code can use
this info to store individual key lengths independently of data types.
Would also allow later on to store the original names of the
expressions, e.g. "ip daddr", in the kernel to support a future
typeof keyword, e.g. 'type typeof(ip daddr)' instead of 'type ipv4_addr'.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
The helper keyword clashes with the string rule, make sure we still
accept ct helper object types from the parser.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Using string give us more chances to hit shift/reduce conflicts when
extending this grammar, more specifically, from the stmt_expr rule, so
add keywords for this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Extend stmt_expr and use it from all of our statement rules. Add more
rules to describe what we take from statement expressions, instead of
reusing rhs_expr which is allowing way more things that we actually need
here. This is causing us problems when extending the grammar.
After this patch, you will hit this:
parser_bison.y: warning: 2 shift/reduce conflicts [-Wconflicts-sr]
However, this is fixed by the follow up patches:
parser_bison: allow helper keyword in ct object kind
parser_bison: use keywords in ct expression
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The field 'debug_mask' of struct netlink_mon_handler was left
uninitialized in do_command_monitor() so it contained garbage from the
stack. Fix this by initializing it with the debug_mask value from struct
netlink_ctx.
While being at it, change the code to make use of C99-style initializer,
which will also avoid things like this in future.
Fixes: be441e1ffdc24 ("src: add debugging mask to context structure")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
If scanner_read_file() failed, the function would return an
uninitialized value.
Fixes: 3db28321b64a6 ("src: add nft_run_cmd_*() functions")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This flag is not legal there, it only makes sense for addition requests.
This patch has no impact at all in any of the nf_tables kernel versions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
By adding flags to nft_ctx_new, we will have a minimum capabilities
of changing the way the nft_ctx is created.
For now, this patch uses a simple value that allow the user to specify
that he will handle netlink by himself.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch adds support for a new type of stateful object: limit.
Creation, deletion and listing operations are supported.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Add these two new functions to set up netlink sockets in the global
context structure.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Just merge this code to netlink_open_sock().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
The idea is to provide a simplistic API for non-netlink wise people.
Add a field in struct nft_ctx to store the socket.
The advanced API that we're planning will just simply leave this unset,
since netlink IO will be exposed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
expr_rt might write data in host byte order, so make sure to
convert if needed.
This makes 'tcp option maxseg size rt mtu' actually work, right now such rules
are no-ops because nft_exthdr never increases the mss.
While at it, extend the example to not bother testing non-syn packets.
Reported-by: Matteo Croce <technoboy85@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The common paradigm here is that all parser rules converting string
tokens into symbols must free the string token if it's not used anymore.
This is unrelated to the %destructor directive, since that will apply
only if the parser discards the token, which is not the case then.
While being at it, simplify error handling in parser rule for listing
conntrack helpers (error() won't return NULL) and drop the unused extra
parameter passed to error() in level_type rule.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
So we don't forget all these caches should be placed into struct
nft_ctx.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Release existing caches from nft_ctx_free(). Still, the iface cache
should be good to place it in the nft_ctx structure.
Joint work with Pablo Neira.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Add new function to read nftables command from a file and buffer, that
we can expose as library.
Joint work with Pablo Neira.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
These new functions allows us to allocate and release the context
structure. This is going to be useful for libnftables.
Joint work with Pablo Neira.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If one of the command is failing we should return an error.
Pablo says: "This is not a real issue since nft_netlink() returns an
error in case the list of errors is not empty. But we can indeed
simplify things by removing that explicit assignment in nft_netlink() so
mnl_batch_talk() consistently reports when if an error has happened.
Signee-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
In case of failing command evaluation, commands need to be freed as
their memory becomes orphaned afterwards.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
| |
This combines the calls to yylex_init() and yyset_extra().
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
The function takes the scanner as argument, not the state. This wasn't a
real issue since scanner is a void pointer, which means it's only casted
around without need. So this fix is a rather cosmetic one.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When including a file, it is opened by fopen() and therefore needs to be
closed after scanning has finished using fclose(), otherwise valgrind
will report a memleak.
This patch changes struct input_descriptor to track the opened FILE
pointer instead of the file descriptor so the pointer is available for
closing in scanner_destroy().
While at it, change erec_print() to work on the open FILE pointer so it
doesn't have to call fileno() in beforehand. And as a little bonus, use
C99 initializer of the buffer to get rid of the call to memset().
Note that it is necessary to call erec_print_list() prior to destroying
the scanner, otherwise it will start manipulating an already freed FILE
pointer (and therefore crash the program).
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
| |
Debug mask check was done against wrong flag, causing protocol context
debug output being printed when only --debug=netlink was given.
Fixes: be441e1ffdc24 ("src: add debugging mask to context structure")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Initialize structure stmt with stmt_alloc in netlink_parse_target and
netlink_parse_match functions. This patch fixes the gcc warning:
‘stmt’ may be used uninitialized in this function.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Separator was misspelled as "seperator" in a symbol name.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
So this toggle is not global anymore. Update name that fits better with
the semantics of this variable.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
