| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
Relying on chain's hooknum to know whether the chain is a base one or
not is bogus: having 0 as hooknum is a valid number. Thus setting the
right flag and handling it is the way to go, as parser does already.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch allows you to specify the type of the base chain, eg.
add table mangle
add chain mangle OUTPUT { type route hook NF_INET_LOCAL_OUT 0; }
The chain type determines the semantics of the chain, we currently
have three types:
* filter, used for plain packet filtering.
* nat, it only sees the first packet of the flow.
* route, which is the equivalent of the iptables mangle table, that
triggers a re-route if there is any change in some of the packet header
fields, eg. IP TOS/DSCP, or the packet metainformation, eg. mark.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
In (5075879 datatype: validate port number in inet_service_type_parse),
conversion to network byte order was missing.
Reported-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Personally, I like seeing ports and IPs numerically, but prefer protocols
to be shown by name. As such, add a third --numeric level which will
show protocols by number, splitting them out from ports.
-n/--numeric When specified once, show network addresses numerically.
When specified twice, also show Internet services,
user IDs and group IDs numerically.
When specified thrice, also show protocols numerically.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Required since (netfilter: nft_log: group and qthreshold are 2^16)
kernel change.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
nftables does not currently allow specifying protocols by number. Below
patch adds this capability.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
At present, nft accepts out of range port values such as in this example:
nft add rule ip filter input tcp dport 123456 accept
Attached patch adds checks for both integer overflow and 16 bit overflow,
and avoids getaddrinfo call in the (common) case of digit input. Example
above now produces this output:
<cmdline>:1:36-41: Error: Service out of range
add rule ip filter input tcp dport 123456 accept
^^^^^^
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
This patch adds ICMPv6 support to nftables. It is now possible to
write rules such as:
nft add rule ip6 filter input icmpv6 type nd-router-advert accept
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Eric Leblond reported that this command:
nft add rule ip6 filter input position 4 meta protocol icmpv6 accept
crashes nft. The problem is that 'icmpv6' is wrong there, as
meta protocol is expecting an ethernet protocol, that can be
expressed as an hexadecimal.
Now this command displays the following error:
<cmdline>:1:52-57: Error: This is not a valid Ethernet protocol
add rule ip6 filter input position 4 meta protocol icmpv6 accept
^^^^^^
This closes bugzilla #834:
https://bugzilla.netfilter.org/show_bug.cgi?id=834
Reported-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support to insert and to add rule using a rule
handle as reference. The rule handle syntax has an new optional
position field which take a handle as argument.
Two examples:
nft add rule filter output position 5 ip daddr 1.2.3.1 drop
nft insert rule filter output position 5 ip daddr 1.2.3.1 drop
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Adapt it to the semantic fix that has been applied to libnftables,
nft_*_list_add now inserts nodes, instead of appending them.
Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nft list table filter returns garbage here for IP and IPv6 addresses if
no name resolution is available. The output looks good if `-n' is used
in that case.
The problem is that getnameinfo() returns:
EAI_AGAIN -3 /* Temporary failure in name resolution. */
Without working name resolution. To fix this, force a fall back to
numeric resolution in that case.
While at it, fix also possible resolution of services in case of
that /etc/services is missing in the system.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
eg. nft add rule filter output ip daddr 192.168.1.0/24 counter
so far, this operation was only possible using sets.
nft add rule filter output ip daddr \{ 192.168.1.0/24 \} counter
While at it, move all binop postprocess code to a new function that
contains this transformation and the existing bitmask to constant
(as used by eg. ct state new,established).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch migrates nft to use the libnftables library, that is used
by the iptables over nftables compat utility as well. Most of the
conversion was pretty straight forward. Some small significant changes
happened in the handling of set element and immediate data abstraction
that libnl provides. libnftables is a bit more granular since it splits
the struct nfnl_nft_data into three attributes: verdict, chain and plain
data (used in maps).
I have added a new file src/mnl.c that contains the low level netlink
communication that now resides in nftables source tree instead of
the library. This should help to implement the batching support using
libmnl in follow up patches.
I also spent some significant amount of time running my tests to make
sure that we don't increase the number of bugs that we already have
(I plan to provide a list of those that I have detected and diagnosed,
so anyone else can help us to fix them).
As a side effect, this change should also prepare the ground for
JSON and XML support anytime soon.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Provide replacements for rtnl_tc_handle2str and rtnl_tc_str2handle,
it removes the dependency with libnl-route.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Instead of having a cache of ifindex based on libnl. Those functions
basically use rtnetlink as well to perform the translation.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This patch fixes these two commands:
nft add rule ip test test ip saddr 1.1.1.1-2.2.2.2
nft add rule ip test test ip saddr < 1.1.1.1
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
It was not possible to restore a ruleset countaining counter. The
packets and bytes fields were not known from the parser but they
were in the output of the list command.
This patch fixes the issue by restoring correctly the counters if
they are present in the command.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
It was not possible to restore a ruleset because of missing
hook information. This patch adds hooknum output to list
operation.
[ Mangled this patch to use a string array mapping hook numbers
and name --pablo ]
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Eric Leblond reports a crash with the following invalid command:
nft add rule global filter ip daddr . tcp dport { 192.168.0.1 . 22\; 192.168.0.3 . 89 } drop
Note that the semicolon is incorrect in that concatenation,
it should be a comma.
The backtrace shows:
(gdb) bt
#0 0x00007ffff6f39295 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff6f3c438 in __GI_abort () at abort.c:90
#2 0x00007ffff6f7486b in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff7070d28 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:199
#3 0x00007ffff6f7eac6 in malloc_printerr (action=3, str=0x7ffff706ccca "free(): invalid pointer", ptr=<optimized out>) at malloc.c:4902
#4 0x00007ffff6f7f843 in _int_free (av=<optimized out>, p=0x428530, have_lock=0) at malloc.c:3758
#5 0x000000000041aae8 in xfree (ptr=0x428540 <invalid_type>) at src/utils.c:29
#6 0x000000000040bc43 in concat_type_destroy (dtype=0x428540 <invalid_type>) at src/datatype.c:690
#7 0x000000000040cebf in concat_expr_destroy (expr=0x643b90) at src/expression.c:571
[...]
It's trying to release 'invalid_type', which was not dynamically
allocated. Note that before the evaluation step, the invalid type
is attached to the expressions.
Since nftables allocates a dynamic datatype for concatenations in
case that needs to be released in the exit path. All datatypes
except this, are allocated in the BSS. Since we have no way to
differenciate between these two, add a flag so we can recognize
dynamically allocated datatypes.
While at it, rename dtype->type from enum to explicit uint32_t, as
it is used to store the concatenation type mask as well.
Reported-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
The terminal was not correctly resetted when CTRL+d was pressed.
The result was that reset has to be called from shell after exit.
|
| |
|
|
|
|
|
|
|
| |
"nft list table" command was not displaying the elements of named
set. This was thus not possible to restore a ruleset by using the
listing output. This patch modifies the code to display the elements
of set in all cases.
|
|
|
|
|
|
|
|
|
|
|
| |
Knowing the rule handle is necessary to be able to delete a single
rule. It was not displayed till now in the output and it was thus
impossible to remove a single rule.
This patch modify the listing output to add a comment containing
the handle when the -a/--handle flag is provided.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
This patch adds missing code to get basic interactive mode
operative via `nft -i', including parsing, evaluation,
command execution via netlink and error reporting.
Autocomplete is not yet implemented.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Make error messages point to the entire subexpression.
Before:
filter output ip daddr . tcp dport . tcp dport { 192.168.0.1 . ssh . ssh . ssh}
~~~~~~~~~~~~~~~~~~~~~~~~~~^^^
After:
filter output ip daddr . tcp dport . tcp dport { 192.168.0.1 . ssh . ssh . ssh}
~~~~~~~~~~~~~~~~~~~~~~~~^^^^^
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
# nft -nn filter output ip daddr . tcp dport . tcp dport { 192.168.0.1 . ssh }
<cmdline>:1:50-66: Error: datatype mismatch, expected concatenation of (IPv4 address, internet network service, internet network service), expression has type concatenation of (IPv4 address, internet network service)
filter output ip daddr . tcp dport . tcp dport { 192.168.0.1 . ssh }
^^^^^^^^^^^^^^^^^
# nft -nn filter output ip daddr . tcp dport . tcp dport { 192.168.0.1 . ssh . ssh . ssh}
<cmdline>:1:76-78: Error: unexpected concat component, expecting concatenation of (IPv4 address, internet network service, internet network service)
filter output ip daddr . tcp dport . tcp dport { 192.168.0.1 . ssh . ssh . ssh}
~~~~~~~~~~~~~~~~~~~~~~~~~~^^^
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
| |
You can use the user/group name or alternatively the uid/gid.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
You can use the symbols ip, ip6, arp and vlan, or alternatively
the ethertype protocol number.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Now it displays:
nft -f wrong_file
internal:0:0-0: Error: Could not open file "wrong_file": No such file or directory
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
| |
Improve error reporting by always using a location in netlink operations.
Signed-off-by: Patrick McHardy<kaber@trash.net>
|
|
|
|
|
|
|
| |
The bison parser returns 0 in case of success and it returns 1 in
case of error.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before this patch:
nft list chain filter xxx
table filter {
}
After this patch:
nft list chain filter xxx
internal:0:0-0: Error: Could not find chain `xxx' in table `filter: Object not found
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use netlink_list_chains instead of netlink_list_chain (note the final `s')
After "nft list table filter" shows:
table filter {
chain input {
}
}
"nft list chain filter input" shows:
table filter {
}
|
|
|
|
|
|
|
|
| |
You can now specify: nft list tables ip
to obtain the list of all existing tables.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Dynamically instantiate a data type to represent all types of a concatenation
and use that for type propagation.
|
|
|
|
|
|
|
|
| |
Add a new type for ethernet addresses. This is needed since for concatenations
we need fixed sized data types, the generic link layer address doesn't have
a fixed length.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
| |
Go down the chain of basetypes until we find a ->parse()/->print() callback
or symbol table. Needed to invoke the generic link layer address parsing
function for the etheraddr_type.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
| |
Not used anymore, kill it.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
| |
Range expression use a single load and two comparisons. Don't reset the
source register in netlink_delinearize when reading it.
Fixes: "Relational expression has no left hand side" for range (x-y)
expressions.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
| |
The callback needs to be set before sending the query since nl_wait_for_ack()
already does message reception.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
| |
The implicit set declaration passes the set's handle to cmd_alloc(), which copies
the pointers to the allocated strings. Later on both the set's handle and the
commands handle are freed, resulting in a use after free.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
| |
When using intervals, the initializers set_flags are set to SET_F_INTERVAL,
however that is not propagated back to the set, so the segtree construction
is not performed.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
| |
mpz_scan1() returns ULONG_MAX when no more bits are found. Due to assignment
to an unsigned int, this value was truncated on 64 bit and the loop never
terminated.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
| |
Fix reversed order during constant splicing.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|