| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
Instead of returning the result of mpz_cmp(), this function returned 1
unless both elements were equal and the first one had
EXPR_F_INTERVAL_END set.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Add some debug messages in the monitor/trace code paths to ease development
and debugging in case of errors.
After this patch, running 'nft monitor --debug=mnl,netlink' is more verbose.
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes an invalid read when an empty command was sent.
Found via nft running ASAN and entering an empty command:
nft>
=================================================================
==19540==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000008c6f at pc 0x55e3b561704d bp 0x7fffe9a33ac0 sp 0x7fffe9a33ab8
READ of size 1 at 0x602000008c6f thread T0
#0 0x55e3b561704c in cli_append_multiline /home/eric/git/netfilter/nftables/src/cli.c:65
#1 0x55e3b561725b in cli_complete /home/eric/git/netfilter/nftables/src/cli.c:109
#2 0x7f6e0c2ccac2 in rl_callback_read_char (/lib/x86_64-linux-gnu/libreadline.so.7+0x2fac2)
#3 0x55e3b5617ba6 in cli_init /home/eric/git/netfilter/nftables/src/cli.c:199
#4 0x55e3b5573b75 in main /home/eric/git/netfilter/nftables/src/main.c:381
#5 0x7f6e0bc9b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#6 0x55e3b55725a9 in _start (/usr/local/sbin/nft+0x445a9)
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
To be able to do so we duplicate the name in the indesc if it is
set.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Building with a recent clang was failing due to the following error:
src/evaluate.c|450 col 45| error: initializer element is not constant
|| static const unsigned int max_tcpoptlen = 15 * 4 * BITS_PER_BYTE - tcphdrlen;
|| ^~
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We had the following warnings
parser_bison.y:1089:10: warning: variable 'cmd' is used uninitialized whenever 'if' condition is false [-Wsometimes-uninitialized]
if (erec != NULL) {
^~~~~~~~~~~~
parser_bison.y:1095:39: note: uninitialized use occurs here
(yyval.cmd) = cmd_alloc(CMD_LIST, cmd, &(yyvsp[0].handle), &(yyloc), NULL);
^~~
parser_bison.y:1089:6: note: remove the 'if' if its condition is always true
if (erec != NULL) {
^~~~~~~~~~~~~~~~~~
parser_bison.y:1080:12: note: initialize the variable 'cmd' to silence this warning
int cmd;
^
= 0
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
sudo ASAN_SYMBOLIZER_PATH=/usr/lib/llvm-3.9/bin/llvm-symbolizer nft add set inet filter blacklisddddddddddddddddddddt {type inet_service \;}
=================================================================
==25152==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 13 byte(s) in 1 object(s) allocated from:
#0 0x45cca0 in __interceptor_strdup (/usr/local/sbin/nft+0x45cca0)
#1 0x593cb1 in xstrdup /home/eric/git/netfilter/nftables/src/utils.c:75:8
#2 0x5bccb2 in nft_lex /home/eric/git/netfilter/nftables/src/scanner.l:566:22
#3 0x5cb363 in nft_parse /home/eric/git/netfilter/nftables/src/parser_bison.c:4366:16
#4 0x505a37 in nft_run /home/eric/git/netfilter/nftables/src/main.c:246:8
#5 0x50771f in main /home/eric/git/netfilter/nftables/src/main.c:392:6
#6 0x7ff7befdb2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: 13 byte(s) leaked in 1 allocation(s).
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When listing rules we were calling strdup on the table name
but variable was just used locally.
Found via `nft list ruleset` run with ASAN:
Direct leak of 4 byte(s) in 1 object(s) allocated from:
#0 0x45cca0 in __interceptor_strdup (/usr/local/sbin/nft+0x45cca0)
#1 0x593c71 in xstrdup /home/eric/git/netfilter/nftables/src/utils.c:75:8
#2 0x513b34 in do_list_ruleset /home/eric/git/netfilter/nftables/src/rule.c:1388:23
#3 0x50e178 in do_command_list /home/eric/git/netfilter/nftables/src/rule.c:1500:10
#4 0x50d3ea in do_command /home/eric/git/netfilter/nftables/src/rule.c:1696:10
#5 0x5061ae in nft_netlink /home/eric/git/netfilter/nftables/src/main.c:207:9
#6 0x505b87 in nft_run /home/eric/git/netfilter/nftables/src/main.c:255:8
#7 0x50771f in main /home/eric/git/netfilter/nftables/src/main.c:392:6
#8 0x7fa1f326d2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Add nft_init and nft_exit functions, which calls _init and _exit
functions in main.c file. Remove __init and __exit macro definitions as
libnftables library will be created soon. Rename realm_table_init() and
realm_table_exit() functions to avoid ambiguity as
realm_table_rt_init(), realm_table_meta_init, realm_table_rt_exit() and
realm_table_meta_exit() in rt.c and meta.c files.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This socket should not be global, it is also hidden in many layers of
code. Expose it as function parameters to decouple the netlink socket
handling logic from the command parsing, evaluation and bytecode
generation.
Joint work with Varsha Rao.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Its misleading, this structure holds members for ct_helper object
infrastructure, rename it.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
Condenses the copy/pastry via a define to avoid repeating this
when the list gets extended.
Based on earlier patch from Pablo.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
gcc 7.1.1 complains:
exthdr.c:41:31: warning: ā%dā directive output may be truncated writing between 1 and 8 bytes into a region of size 3 [-Wformat-truncation=]
snprintf(buf, sizeof buf, "%d", offset);
^~
This warning is incorrect, as offset is limited by tcp option ranges,
but gcc doesn't know this. Increase buffer to avoid the warning.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
not used outside of tcpopt.c, so unexport from header file and
make them static.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
Remove datatype_register() function and its calling __init functions.
Add arguments of datatype_register() function to datatype array.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use glob() to find paths in include statements. The rules are these:
1. If no files can be found in the pattern with wildcards, do not
return an error.
2. Do not match any files beginning with '.'.
3. Do not handle include directories anymore. For example, the
statement:
include "foo/"
would now need to be rewritten:
include "foo/*"
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Sometimes it can be useful to test if a command is valid without
applying any change to the rule-set. This commit adds a new option
flag (-c | --check) that performs a dry run execution of the commands.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The new structure nft_ctx is meant to be used as a generic container of
context information.
This is a preparatory patch. So at the moment the struct just carry
output_ctx on his path through main.c and cli.c.
Based on original idea from Eric Leblond.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
In case you refer to an unexisting set, bail out with:
# nft add table x
# nft add chain x y
# nft add rule x y ip protocol vmap @reject_to_rule2;
<cmdline>:1:31-46: Error: Set 'reject_to_rule2' does not exist
add rule x y ip protocol vmap @reject_to_rule2
^^^^^^^^^^^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A set may contain a nested set element definition, merge the nested set
flags so we don't hit:
BUG: invalid data expression type range
nft: netlink.c:400: netlink_gen_data: Assertion `0' failed.
Aborted
With the following example ruleset:
define dnat_ports = { 1234-1567 }
define port_allow = {
53, # dns
$dnat_ports, # dnat
}
add rule x y tcp dport $port_allow accept
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1145
Fixes: a6b75b837f5e ("evaluate: set: Allow for set elems to be sets")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
meta nfproto loads the hook family type of the current rule context
in the kernel, i.e. it will be NFPROTO_IPV6 for ip6 family,
NFPROTO_BRIDGE for bridge and so on.
The only case where this is useful is the inet pseudo family,
where this is useful to determine the real hook family
(NFPROTO_IPV4 or NFPROTO_IPV6).
In all other families 'meta nfproto' is either always true or false.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
libnftables library will be created soon. So declare numeric_output,
stateless_output, ip2name_output and handle_output as members of
structure output_ctx, instead of global variables. Rename these
variables as following,
numeric_output -> numeric
stateless_output -> stateless
ip2name_output -> ip2name
handle_output -> handle
Also add struct output_ctx *octx as member of struct netlink_ctx.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If you load a file using the nested ruleset representation, ie. the one
you get via `nft list ruleset', error reporting doesn't help you much to
find the problem.
For example, the following ruleset points to an unexisting chain 'x':
table test {
chain test {
type filter hook ingress priority 0; policy drop;
ip saddr { 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4 } jump x
}
}
Error reporting is very sparse as it says:
# nft -f /home/test/x
/home/test/x:1:1-2: Error: Could not process rule: No such file or directory
table netdev test{
^^
So it's hard to know what is exactly missing.
This patch enhances the existing logic, so nft points to the rule
causing the problem, ie.
# nft -f /home/test/x
/home/test/x:4:17-70: Error: Could not process rule: No such file or directory
ip saddr { 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4 } jump x
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The idea behind this patch is to expand the single table command into a
list of individual commands, one per nested object inside the table.
This expanded list is spliced into the existing list of commands. Thus,
each command gets a sequence number that helps us correlate the error
with the command that triggers it.
This patch also includes reference counting for rules and objects. This
was already in place for table, chain and sets. We need this since now
we hold references to them from both the command and the table object
itself. So the last reference releases the object from memory. Note that
table objects still keep the list of chain, sets, etc. since the
existing cache logic needs this to work.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
ct status isn't named 'statusmask' either.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Translates binop representation to a list-based one, so nft prints
"ct event destroy,new" instead of 'ct event destroy|new'.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
If no explicit relative or absolute path is enforced by the user, nft
relies on either -I/--includepath or the default include directory that
is set at compile time.
Given most of our users will rely on packaged versions of nft, provide a
way to display the location of this default includepath directory.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This means that if you have a directory structure like this
/foo
/foo/02_rules.nft
/foo/01_rules.nft
where *.nft files in directory /foo are nft scripts, then an include
statement in another nft script like this
include "/foo/"
guarantees that "01_rules.nft" is loaded before "02_rules.nft".
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In case of bitmask types (tcp flags, ct eventmask) nft
allows to use comma operator to test multiple values, i.e.
tcp flags syn,ack ct event new,destroy etc.
But currently nft fails to use this when used in a statement, i.e.
... ct eventmask set new,destroy
gives:
syntax error, unexpected comma
This allows makes this work, it is the same as
ct eventmask set new|destroy
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
works:
add rule ip filter input ct original saddr 1.2.3.4
(family ctx init initialises network base to proto_ip).
fails to parse 1.2.3.4 address:
add rule ip filter input meta nfproto ipv4 ct original saddr 1.2.3.4
... because meta_expr_pctx_update() won't find a dependency
from "ip" to "ip" and then overwrites the correct base with proto_unknown.
"meta nfproto ip" is useless in the ip family, as it will always match,
i.e. a better (but more compliated) fix would be to remove the statement
during evaluation.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
"ct orignal saddr" has an invalid data type, as the address can be either ipv4 or ipv6.
For some cases we could infer it from the rhs, but there are cases where we don't have any
information, e.g. when passing ct original saddr to jhash expression.
So do the same thing that we do for "rt nexthop" -- error out and hint to user
they need to specifiy the desired address type with "meta nfproto".
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As expires is stateful information. This patch removes expire
information from list stateless ruleset. With nft -s option, the
ruleset will be as following.
table ip firewall {
set host {
type ipv4_addr
flags timeout
elements = { 10.0.0.2 timeout 10m }
}
}
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a string after "include" keyword points to a directory instead of a
file, consider the directory to contain only nft rule files and try to
load them all. This helps with a use case where services drop their own
firewall configuration files into a directory and nft needs to include
those without knowing the exact file names.
File loading order from the include directory is not specified, so the
files inside an include directory should not depend on each other.
Fixes(Bug 1154 - Allow include statement to operate on directories and/or wildcards).
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
The underlying mnl layer uses a global nftnl_batch structure. Instead,
pass pointer as parameter to the functions that need this. The netlink
layer stores a reference to this structure in struct netlink_ctx.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This transformation introduces an unnecessary asymmetry between the
linearization and delinearization steps that prevent rule deletion by
name to work fine.
Moreover, do not print htonl and ntonl from unary expression, this
syntax is not allowed by the parser.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Prevent this assert:
% nft [..] tcp dport set { 0 , 1 }
BUG: unknown expression type set reference
nft: netlink_linearize.c:696: netlink_gen_expr: Assertion `0' failed.
Aborted
We can't use a set here because we will not known which value to use.
With this patch, a proper error message is reported to users:
% nft add rule t c tcp dport set {1, 2, 3, 4, 5}
<cmdline>:1:28-42: Error: you cannot use a set here, unknown value to use
add rule t c tcp dport set {1, 2, 3, 4, 5}
~~~~~~~~~~~~~~^^^^^^^^^^^^^^^
% nft add rule t c tcp dport set @s
<cmdline>:1:28-29: Error: you cannot reference a set here, unknown value to use
add rule t c tcp dport set @s
~~~~~~~~~~~~~~^^
This error is reported to all statements which set values.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
The kernel side can make better decisions with this information when
selecting the right backend, so add this information to the set netlink
message.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Otherwise we get double the real size in terms of set elements during
the interval expansion to individual elements.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
For implicit sets, we have to call set_to_intervals() before we add the
set so we have the net size in elements.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
after ip6 nexthdr also switch ip to meta l4proto instead of ip protocol.
While its needed for ipv6 (due to extension headers) this isn't needed
for ip but it has the advantage that
tcp dport 22
produces same expressions for ip/ip6/inet families.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
After some discussion with Pablo we agreed to treat icmp/icmpv6 specially.
in the case of a rule like 'tcp dport 22' the inet, bridge and netdev
families only care about the lower layer protocol.
In the icmpv6 case however we'd like to also enforce an ipv6 protocol check
(and ipv4 check in icmp case).
This extends payload_gen_special_dependency() to consider this.
With this patch:
add rule $pf filter input meta l4proto icmpv6
add rule $pf filter input meta l4proto icmpv6 icmpv6 type echo-request
add rule $pf filter input icmpv6 type echo-request
will work in all tables and all families.
For inet/bridge/netdev, an ipv6 protocol dependency is added; this will
not match ipv4 packets with ip->protocol == icmpv6, EXCEPT in the case
of the ip family.
Its still possible to match icmpv6-in-ipv4 in inet/bridge/netdev with an
explicit dependency:
add rule inet f i ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type ...
Implicit dependencies won't get removed at the moment, so
bridge ... icmp type echo-request
will be shown as
ether type ip meta l4proto 1 icmp type echo-request
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
when using rule like
ip6 filter input tcp dport 22
nft generates:
[ payload load 1b @ network header + 6 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 2b @ transport header + 2 => reg 1 ]
[ cmp eq reg 1 0x00001600 ]
which is: ip6 filter input ip6 nexthdr tcp dport 22
IOW, such a rule won't match if e.g. a fragment header is in place.
This changes ip6_proto to use 'meta l4proto' which is the protocol header
found by exthdr walk.
A side effect is that for bridge we get a shorter dependency chain as it
no longer needs to prepend 'ether proto ipv6' for old 'ip6 nexthdr' dep.
Only problem:
ip6 nexthdr tcp tcp dport 22
will now inject a (useless) meta l4 dependency as ip6 nexthdr is no
longer flagged as EXPR_F_PROTOCOL, to avoid this add a small helper
that skips the unneded meta dependency in that case.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
nft add rule ip6 f i meta l4proto ipv6-icmp icmpv6 type nd-router-advert
<cmdline>:1:50-60: Error: conflicting protocols specified: unknown vs. icmpv6
add icmpv6 to nexthdr list so base gets updated correctly.
Reported-by: Thomas Woerner <twoerner@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
will be re-used in folloup patch for icmp/icmpv6 depenency
handling.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
We can remove a l4 dependency in ip/ipv6 families.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
at first I thought this was a bug but this in fact seems the right
thing, add a comment/example why adding dependency as first statement makes
sense.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the dumping operation is interrupted, we will restart the
cache_init(), but unfortunatly, we forget to delete the old cache.
So in extreme case, we will leak a huge amount of memory.
Running the following commands can simulate the extreme case:
# nft add table t
# nft add set t s {type inet_service \;}
# for i in $(seq 65000); do
nft add element t s {$i}
done &
# while : ; do
time nft list ruleset -nn
done
After a while, oom killer will be triggered:
[ 2808.243537] Out of memory: Kill process 16975 (nft) score 649 or
sacrifice child
[ 2808.255372] Killed process 16975 (nft) total-vm:1955348kB,
anon-rss:1952120kB, file-rss:0kB, shmem-rss:0kB
[ 2858.353729] nft invoked oom-killer: gfp_mask=0x14201ca(GFP_HIGHUSER_
MOVABLE|__GFP_COLD), nodemask=(null), order=0,
oom_score_adj=0
[ 2858.374521] nft cpuset=/ mems_allowed=0
...
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Print elements per line instead of all in a single line.
The elements which can be 'short' are printed 5 per line,
and others, like IPv4 addresses are printed 2 per line.
Example:
% nft list ruleset -nnn
table ip t {
set s {
type inet_service
elements = { 1, 2, 3, 4, 10,
432, 433, 434, 435, 436,
437, 438, 439, 440, 441,
442, 443, 444, 445, 446,
447, 448, 449, 450, 12345 }
}
map m {
type inet_service . iface_index : verdict
elements = { 123 . "lo" : accept,
1234 . "lo" : accept,
12345 . "lo" : accept,
12346 . "lo" : accept,
12347 . "lo" : accept }
}
set s3 {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2,
3.3.3.3 }
}
}
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
check
'ip protocol ne 6' is not a dependency for nexthdr protocol, and must
not be stored as such.
Fixes: 0b858391781ba308 ("src: annotate follow up dependency just after killing another")
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nft currently translates
ip protocol tcp meta mark set 1 tcp dport 22
to
mark set 0x00000001 tcp dport 22
This is wrong, the latter form is same as
mark set 0x00000001 ip protocol tcp tcp dport 22
and thats not correct (original rule sets mark for tcp packets only).
We need to clear the dependency stack whenever we see a statement other
than stmt_expr, as these will have side effects (counter, payload
mangling, logging and the like).
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
