| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
test.nft:6:55-71: Error: specify either ip or ip6 for address matching
add rule ip mangle manout ct direction reply mark set ct original daddr map { $ext1_ip : 0x11, $ext2_ip : 0x12 }
^^^^^^^^^^^^^^^^^
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1489
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Extend c1f0476fd590 ("segtree: copy expr data to closing element") to
use interval_expr_copy() from the linearization path.
Reported-by: Mike Dillinger <miked@softtalker.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
9420423900a2 ("cli: add libedit support") updated HAVE_LIBREADLINE to
HAVE_READLINE by mistake.
Fixes: 9420423900a2 ("cli: add libedit support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of the alternate interface [1].
I spent a bit of time debugging an issue with libedit support
9420423900a2 ("cli: add libedit support") that broke tests/shell.
This is the reproducer:
# nft -i << EOF
list ruleset
EOF
which makes rl_callback_read_char() loop forever on read() as shown by
strace. The rl_line_buffer variable does not accumulate the typed
characters as it should when redirecting the standard input for some
reason.
Given our interactive interface is fairly simple at this stage, switch
to use the readline() interface instead of rl_callback_read_char().
[1] https://docs.freebsd.org/info/readline/readline.info.Alternate_Interface.html
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Extend cli to support for libedit readline shim code:
./configure --with-cli=editline
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Old kernel reject requests for element with multiple statements because
userspace sets on the flags for multi-statements.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ratelimiter in nftables is similar to the one in iptables, and
iptables disallows a zero burst.
Update the byte rate limiter not to print burst 5 (default value).
Update tests/py payloads to print burst 5 instead of zero when the
burst is unspecified.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Extend the set element infrastructure to support for several statements.
This patch places the statements right after the key when printing it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch allows for two statements for dynamic set updates, e.g.
nft rule x y add @y { ip daddr limit rate 1/second counter }
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
unshare -n tests/json_echo/run-test.py
[..]
Adding chain c
free(): double free detected in tcache 2
Aborted (core dumped)
The element must be deleted from the hlist prior to freeing it.
Fixes: 389a0e1edc89a ("json: echo: Speedup seqnum_to_json()")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
| |
The kernel includes the packet dump once for each base hook.
This means that in case a table contained no matching rule(s),
the packet dump will be included in the base policy dump.
Simply move the packet dump request out of the switch statement
so the debug output shows current packet even with no matched rule.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of:
icmpv6 type packet-too-big icmpv6 mtu 1280
display just
icmpv6 mtu 1280
The dependency added for id/sequence is still kept, its handled
by a anon set instead to cover both the echo 'request' and 'reply' cases.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
| |
Extend the earlier commit to also cover icmpv6.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ICMP header has field values that are only exist
for certain types.
Mark the icmp proto 'type' field as a nextheader field
and add a new th description to store the icmp type
dependency. This can later be re-used for other protocol
dependend definitions such as mptcp options -- which are all share the
same tcp option number and have a special 4 bit marker inside the
mptcp option space that tells how the remaining option looks like.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
| |
also, no need for this struct to be in the parser.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
Call close_scope() from chain_block_alloc only.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1485
Fixes: c330152b7f77 ("src: support for implicit chain bindings")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Replace some "if(" introduced in cb7e02f4 by "if ("
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When --echo and --json is specified and native syntax is read, only the
last instruction is printed. This happens because the reference to the
json_echo is reassigned each time netlink_echo_callback is executed for
an instruction to be echoed.
Add an assignment check for json_echo to avoid reassigning it.
Fixes: cb7e02f44d6a (src: enable json echo output when reading native syntax)
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
$ /usr/sbin/nft list ruleset
Operation not permitted (you must be root)
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1372
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Netlink attribute maximum size is 65536 bytes (given nla_len is
16-bits). NFTA_SET_ELEM_LIST_ELEMENTS stores as many set elements as
possible that can fit into this netlink attribute.
Netlink messages with NLMSG_ERROR type originating from the kernel
contain the original netlink message as payload, they might be larger
than 65536 bytes.
Add NFT_MNL_ACK_MAXSIZE which estimates the maximum Netlink header
coming as (error) reply from the kernel. This estimate is based on the
maximum netlink message size that nft sends from userspace.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1464
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Update parser to allow to restore limit per set element in dynamic set.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1477
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Introduction of json_cmd_assoc_hash missed that by the time the hash
table insert happens, the struct cmd object's 'seqnum' field which is
used as key is not initialized yet. This doesn't happen until
nft_netlink() prepares the batch object which records the lowest seqnum.
Therefore push all json_cmd_assoc objects into a temporary list until
the first lookup happens. At this time, all referenced cmd objects have
their seqnum set and the list entries can be moved into the hash table
for fast lookups.
To expose such problems in the future, make json_events_cb() emit an
error message if the passed message has a handle but no assoc entry is
found for its seqnum.
Fixes: 389a0e1edc89a ("json: echo: Speedup seqnum_to_json()")
Cc: Derek Dai <daiderek@gmail.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes a bug in which nft did not print any output when
specifying --echo and --json and reading nft native syntax.
This patch respects behavior when input is json, in which the output
would be the identical input plus the handles.
Adds a json_echo member inside struct nft_ctx to build and store the json object
containing the json command objects, the object is built using a mock
monitor to reuse monitor json code. This json object is only used when
we are sure we have not read json from input.
[ added json_alloc_echo() to compile without json support --pablo ]
Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1446
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Tested-by: Eric Garver <eric@garver.life>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Derek Dai reports:
"If there are a lot of command in JSON node, seqnum_to_json() will slow
down application (eg: firewalld) dramatically since it iterate whole
command list every time."
He sent a patch implementing a lookup table, but we can do better: Speed
this up by introducing a hash table to store the struct json_cmd_assoc
objects in, taking their netlink sequence number as key.
Quickly tested restoring a ruleset containing about 19k rules:
| # time ./before/nft -jeaf large_ruleset.json >/dev/null
| 4.85user 0.47system 0:05.48elapsed 97%CPU (0avgtext+0avgdata 69732maxresident)k
| 0inputs+0outputs (15major+16937minor)pagefaults 0swaps
| # time ./after/nft -jeaf large_ruleset.json >/dev/null
| 0.18user 0.44system 0:00.70elapsed 89%CPU (0avgtext+0avgdata 68484maxresident)k
| 0inputs+0outputs (15major+16645minor)pagefaults 0swaps
Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1479
Reported-by: Derek Dai <daiderek@gmail.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In ARP header, destination ether address sits between source IP and
destination IP addresses. Enum arp_hdr_fields had this wrong, which
in turn caused wrong ordering of entries in proto_arp->templates. When
expanding a combined payload expression, code assumes that template
entries are ordered by header offset, therefore the destination ether
address match was printed as raw if an earlier field was matched as
well:
| arp saddr ip 192.168.1.1 arp daddr ether 3e:d1:3f:d6:12:0b
was printed as:
| arp saddr ip 192.168.1.1 @nh,144,48 69068440080907
Note: Although strictly not necessary, reorder fields in
proto_arp->templates as well to match their actual ordering, just to
avoid confusion.
Fixes: 4b0f2a712b579 ("src: support for arp sender and target ethernet and IPv4 addresses")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
| |
To similar change as in previous one, this time for the
jason (de)serialization.
Re-uses the raw payload match syntax, i.e. base,offset,length.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
| |
tcp option @42,16,4 (@kind,offset,length).
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nft currently doesn't allow to check for presence of arbitrary tcp options.
Only known options where nft provides a template can be tested for.
This allows to test for presence of raw protocol values as well.
Example:
tcp option 42 exists
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently we're limited to ten template fields in exthdr_desc struct.
Using a single enum for all tpc option fields thus won't work
indefinitely (TCPOPTHDR_FIELD_TSECR is 9) when new option templates get
added.
Fortunately we can just use one enum per tcp option to avoid this.
As a side effect this also allows to simplify the sack offset
calculations. Rather than computing that on-the-fly, just add extra
fields to the SACK template.
expr->exthdr.offset now holds the 'raw' value, filled in from the option
template. This would ease implementation of 'raw option matching'
using offset and length to load from the option.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
'nop' is the tcp padding "option". "noop" is retained for compatibility
on parser side.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
tcpopt template mapping is asymmetric:
one mapping is to match dumped netlink exthdr expression to the original
tcp option template.
This struct is indexed by the raw, on-write kind/type number.
The other mapping maps parsed options to the tcp option template.
Remove the latter. The parser is changed to translate the textual
option name, e.g. "maxseg" to the on-wire number.
This avoids the second mapping, it will also allow to more easily
support raw option matching in a followup patch.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
One was added by the tcp option parsing ocde, the other by synproxy.
So we have:
synproxy ... sack-perm
synproxy ... mss
and
tcp option maxseg
tcp option sack-permitted
This kills the extra tokens on the scanner/parser side,
so sack-perm and sack-permitted can both be used.
Likewise, 'synproxy maxseg' and 'tcp option mss size 42' will work too.
On the output side, the shorter form is now preferred, i.e. sack-perm
and mss.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
JSON in/output doesn't know about nat_type and thus cannot save/restore
nat mappings involving prefixes or concatenations because the snat
statement lacks the prefix/concat/interval type flags.
Furthermore, bison parser was extended to support netmap.
This is done with an internal 'netmap' flag that is passed to the
kernel. We need to dump/restore that as well.
Also make sure ip/snat.t passes in json mode.
Fixes: 35a6b10c1bc4 ("src: add netmap support")
Fixes: 9599d9d25a6b ("src: NAT support for intervals in maps")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a prefix expression's length is on a byte-boundary, it is sufficient
to just reduce the length passed to "cmp" expression. No need for
explicit bitwise modification of data on LHS. The relevant code is
already there, used for string prefix matches. There is one exception
though, namely zero-length prefixes: Kernel doesn't accept zero-length
"cmp" expressions, so keep them in the old code-path for now.
This patch depends upon the previous one to correctly parse odd-sized
payload matches but has to extend support for non-payload LHS as well.
In practice, this is needed for "ct" expressions as they allow matching
against IP address prefixes, too.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
| |
When expanding a payload match, don't disregard oversized templates at
the right offset. A more flexible user may extract less bytes from the
packet if only parts of a field are interesting, e.g. only the prefix of
source/destination address. Support that by using the template, but fix
the length. Later when creating a relational expression for it, detect
the unusually small payload expression length and turn the RHS value
into a prefix expression.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
| |
Enables not specifying any icmp type and code when using reject inside
netdev.
This patch completely enables using reject for the netdev family.
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Revert 0e258556f7f3 ("monitor: do not print generation ID with --echo").
There is actually a kernel bug which is preventing from displaying
this generation ID message.
Update the tests/shell to remove the last line of the --echo output
which displays the generation ID once the "netfilter: nftables: fix netlink
report logic in flowtable and genid" kernel fix is applied.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This fixes testcases/sets/0036add_set_element_expiration_0
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Turns out json_string() already dups the input, so the temporary dup
passed to it is lost.
Fixes: e70354f53e9f6 ("libnftables: Implement JSON output support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
reported by tests/monitor# bash run-tests.sh
...
SUMMARY: AddressSanitizer: heap-use-after-free /home/pablo/devel/scm/git-netfilter/nftables/src/expression.c:1385 in expr_ops
Due to incorrect structure layout when calling interval_expr_copy().
Fixes: c1f0476fd590 ("segtree: copy expr data to closing element")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Kernel provides information regarding expression since
83d9dcba06c5 ("netfilter: nf_tables: extended netlink error reporting for
expressions").
A common mistake is to refer a chain which does not exist, e.g.
# nft add rule x y jump test
Error: Could not process rule: No such file or directory
add rule x y jump test
^^^^
Use the existing netlink extended error reporting infrastructure to
provide better error reporting as in the example above.
Requires Linux kernel patch 83d9dcba06c5 ("netfilter: nf_tables:
extended netlink error reporting for expressions").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Constify pointer to location object to compile check for unintentional
updates.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Statically store up to 32 locations per command, if the number of
locations is larger than 32, then skip rather than hit assertion.
Revisit this later to dynamically store location per command using a
hashtable.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When last expr has no closing element we did not propagate
expr properties such as comment or expire date to the newly
allocated set elem.
Before:
nft create table t
nft 'add set t s { type ipv4_addr; flags interval; timeout 60s; }'
nft add element t s { 224.0.0.0/3 }
nft list set t s | grep -o 'elements.*'
elements = { 224.0.0.0-255.255.255.255 }
nft flush set t s
nft add element t s { 224.0.0.0/4, 240.0.0.0/4 }
nft list set t s | grep -o 'elements.*'
elements = { 224.0.0.0/4 expires 55s152ms, 240.0.0.0-255.255.255.255 }
nft delete set t s
nft 'add set t s { type ipv4_addr; flags interval; auto-merge; timeout 60s; }'
nft add element t s { 224.0.0.0/4, 240.0.0.0/4 }
nft list set t s | grep -o 'elements.*'
elements = { 224.0.0.0-255.255.255.255 }
After:
elements = { 224.0.0.0-255.255.255.255 expires 58s515ms }
elements = { 224.0.0.0/4 expires 54s622ms, 240.0.0.0-255.255.255.255 expires 54s622ms }
elements = { 224.0.0.0-255.255.255.255 expires 57s92ms }
Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1454
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
| |
Stateless SCTP header mangling doesn't work reliably.
This tells the kernel to update the checksum field using
the sctp crc32 algorithm.
Note that this needs additional kernel support to work.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for inet ingress chains.
table inet filter {
chain ingress {
type filter hook ingress device "veth0" priority filter; policy accept;
}
chain input {
type filter hook input priority filter; policy accept;
}
chain forward {
type filter hook forward priority filter; policy accept;
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Element counters reside in 'stmt' field as counter statement. Append
them to 'elem' object as additional 'counter' property, generated by
counter_stmt_json().
Signed-off-by: Gopal Yadav <gopunop@gmail.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix for an assertion fail when trying to match against an all-wildcard
interface name:
| % nft add rule t c iifname '"*"'
| nft: expression.c:402: constant_expr_alloc: Assertion `(((len) + (8) - 1) / (8)) > 0' failed.
| zsh: abort nft add rule t c iifname '"*"'
Fix this by detecting the string in expr_evaluate_string() and returning
an error message:
| % nft add rule t c iifname '"*"'
| Error: All-wildcard strings are not supported
| add rule t c iifname "*"
| ^^^
While being at it, drop the 'datalen >= 1' clause from the following
conditional as together with the added check for 'datalen == 0', all
possible other values have been caught already.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch enables the user to specify a comment when adding a chain.
Relies on kernel space supporting userdata for chains.
> nft add table ip filter
> nft add chain ip filter input { comment "test"\; type filter hook input priority 0\; policy accept\; }
> list ruleset
table ip filter {
chain input {
comment "test"
type filter hook input priority filter; policy accept;
}
}
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
--terse with --json is ignored, fix this. This patch also includes a test.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1388
Signed-off-by: Gopal Yadav <gopunop@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|