summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* json: Order output like nft_cmd_expand()Phil Sutter2024-03-191-3/+5
| | | | | | | | Print empty chain add commands early in list so following verdict maps and rules referring to them won't cause spurious errors when loading the resulting ruleset dump. Signed-off-by: Phil Sutter <phil@nwl.cc>
* src: remove utf-8 character in printf linesFlorian Westphal2024-03-132-13/+13
| | | | | | replace "‘" (UTF-8, 0xe280 0x98) with "'" (ASCII 0x27). Signed-off-by: Florian Westphal <fw@strlen.de>
* nftables: do mot merge payloads on negationSriram Rajagopalan2024-03-131-1/+0
| | | | | | | | | | | else, a rule like tcp sport != 22 tcp dport != 23 will match even if the destination is 23 as long as sport is != 22. (or vice versa). Signed-off-by: Sriram Rajagopalan <sriramr@arista.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: translate meter into dynamic setPablo Neira Ayuso2024-03-122-10/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 129f9d153279 ("nft: migrate man page examples with `meter` directive to sets") already replaced meters by dynamic sets. This patch removes NFT_SET_ANONYMOUS flag from the implicit set that is instantiated via meter, so the listing shows a dynamic set instead which is the recommended approach these days. Therefore, a batch like this: add table t add chain t c add rule t c tcp dport 80 meter m size 128 { ip saddr timeout 1s limit rate 10/second } gets translated to a dynamic set: table ip t { set m { type ipv4_addr size 128 flags dynamic,timeout } chain c { tcp dport 80 update @m { ip saddr timeout 1s limit rate 10/second burst 5 packets } } } Check for NFT_SET_ANONYMOUS flag is also relaxed for list and flush meter commands: # nft list meter ip t m table ip t { set m { type ipv4_addr size 128 flags dynamic,timeout } } # nft flush meter ip t m As a side effect the legacy 'list meter' and 'flush meter' commands allow to flush a dynamic set to retain backward compatibility. This patch updates testcases/sets/0022type_selective_flush_0 and testcases/sets/0038meter_list_0 as well as the json output which now uses the dynamic set representation. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: allow to define maps that contain ct helpersFlorian Westphal2024-03-051-2/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Its currently not possible to use ct helpers in objref maps. Simply adding "CT HELPER" to "map_block_obj_type" does not work due to a conflict with the "ct helper" ct_expr block. map m { type ipv4_addr : ct helper .. ... declares a map storing ip addresses and conntrack helper names (string type). This does not make sense, there is no way to use the associated value (the names) in any sensible way: ct helper "ftp" - this matches if the packet has a conntrack entry that was accepted via the "ftp" conntrack helper. In nft vm terms, this is translated to: [ ct load helper => reg 1 ] [ cmp eq reg 1 0x00707466 0x00000000 0x00000000 0x00000000 ] Or one can query a set, e.g. 'ct helper { "ftp", "sip" }'. "ftp" and "sip" are the kernel-defined names of these connection tracking helpers. ct helper set "ftp" is something else, however: This is used to assign a *userspace defined helper objrect reference*. Nftables will translate this to: [ objref type 3 name ftp ] .. where "ftp" is a arbitrary user-chosen name. ct helper "ftp" { type "ftp" protocol tcp l3proto ip } IOW, "ct helper" is ambiguous. Without the "set" keyword (first case), it places the kernel-defined name of the active connection tracking helper in the chosen register (or it will cancel rule evaluation if no helper was active). With the set keyword (second case), the expected argument is a user-defined object reference which will then tell the connection tracking engine to monitor all further packets of the new flow with the given helper template. This change makes it so that map m { type ipv4_addr : ct helper .. declares a map storing ct helper object references suitable for 'ct helper set'. The better alternative would be to resolve the ambiguity by adding an additional postfix keyword, for example ct helper name (case one) ct helper object (case two). But this needs a kernel change that adds NFT_CT_HELPER_NAME and NFT_CT_HELPER_OBJECT to enum nft_ct_keys. While a new kernel could handle old nftables binaries that still use NFT_CT_HELPER key, new nftables would need to probe support first. Furthermore, ct helper name set "foo" ... would make no sense, as the kernel-defined helper names are readonly. ct helper object "foo" ... would make no sense, unless we extend the kernel to store the nftables userspace-defined name in a well-known location in the kernel. Userdata area cannot work for this, because the nft conntrack expression in the kernel would need to know how to retrieve this info again. Also, I cannot think of a sensible use case for this. So the only remaining, useful commands are: ct helper name "ftp" ct helper object set "foo" ... which is identical to what we already support, just with extra keyword. So a much simpler solution that does not need any kernel changes is make "ct helper" have different meaning depending on wheter it is placed on the key side, i.e.: "typeof ct helper", "typeof ct helper : $value" versus when its on placed on the data (value) side of maps: "typeof $key : ct helper". Signed-off-by: Florian Westphal <fw@strlen.de>
* parser: allow to define maps that contain timeouts and expectationsFlorian Westphal2024-03-051-3/+11
| | | | | | | | | | | | | | Its currently not possible to use ct timeouts/expectations/helpers in objref maps, bison parser lacks the relevant keywords. This change adds support for timeouts and expectations. Ct helpers are more problematic, this will come in a different change. Support is only added for the "typeof" keyword, otherwise we'd need to add pseudo-datatypes as well, but making "ct expectation" available as "type" as well might be confusing. Signed-off-by: Florian Westphal <fw@strlen.de>
* rule: fix ASAN errors in chain priority to textual namesPablo Neira Ayuso2024-03-051-6/+9
| | | | | | | | | | | | | | | | | | | | | ASAN reports several errors when listing this ruleset: table ip x { chain y { type filter hook input priority -2147483648; policy accept; } } src/rule.c:1002:8: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself src/rule.c:1001:11: runtime error: signed integer overflow: -2147483648 - 50 cannot be represented in type 'int' Use int64_t for the offset to avoid an underflow when calculating closest existing priority definition. Use llabs() because abs() is undefined with INT32_MIN. Fixes: c8a0e8c90e2d ("src: Set/print standard chain prios with textual names") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: allow typeof keywords with objref maps during listingFlorian Westphal2024-03-011-1/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Without this, typeof meta l4proto . ip saddr . tcp sport : limit ... is shown as type inet_proto . ipv4_addr . inet_service : limit The "data" element is a value (the object type number). It doesn't support userinfo data. There is no reason to add it, the value is the object type number that the object-reference map stores. So, if we have an objref map, DO NOT discard the key part, as we do for normal maps. For normal maps, we support either typeof notation, i.e.: typeof meta l4proto . ip saddr . tcp sport : ip saddr or the data type version: type inet_proto . ipv4_addr . inet_service : ipv4_addr ... but not a mix, a hyptothetical typeof meta l4proto . ip saddr . tcp sport : ipv4_addr ... does not work. If nft finds no udata attached to the data element, for normal map case, it has to fall back to the "type" form. But for objref maps this is expected, udata for key but not for data. Hence, for objref case, keep the typeof part if its valid. Signed-off-by: Florian Westphal <fw@strlen.de>
* parser: allow typeof in objref mapsFlorian Westphal2024-03-011-0/+9
| | | | | | | | | | | | | | | | | | Its currently not possible to declare a map that stores object references with the "typeof" keyword, e.g. map m { type ipv4_addr : limit will work, but map m { typeof ip saddr : limit will give a syntax error ("unexpected limit"). Followup pach will add support for listing side too. Signed-off-by: Florian Westphal <fw@strlen.de>
* parser: compact type/typeof set rulesFlorian Westphal2024-03-011-15/+9
| | | | | | | | | | | Set/maps keys can be declared either by 'type' or 'typeof' keyword. Compact this to use a common block for both cases. The datatype_set call is redundant, remove it: at this point $3 == $1->key, so this is a no-op. Signed-off-by: Florian Westphal <fw@strlen.de>
* parser: compact interval typeof rulesFlorian Westphal2024-03-011-20/+14
| | | | | | | | | There are two nearly identical blocks for typeof maps: one with INTERVAL keyword present and one without. Compact this into a single block. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: improve error reporting for destroy command谢致邦 (XIE Zhibang)2024-02-281-0/+6
| | | | | | | | | | | | | | | | Example for older kernels (<6.3): nft destroy table ip missingtable Before: Error: Could not process rule: Invalid argument After: Error: "destroy" command is not supported, perhaps kernel support is missing? Fixes: e1dfd5cc4c46 ("src: add support to command "destroy"") Signed-off-by: 谢致邦 (XIE Zhibang) <Yeking@Red54.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* parser_json: allow 0 offsets againFlorian Westphal2024-02-261-1/+1
| | | | | | | | | | | | | | | | | Its valid in case of tcp option removal: [ { "reset": { "tcp option": { "base": 123, "len": 0, "offset": 0 } This makes nft-test.py -j pass again. Fixes: e08627257ecf ("parser: reject raw payload expressions with 0 length") Signed-off-by: Florian Westphal <fw@strlen.de>
* expression: missing line in describe command with invalid expressionPablo Neira Ayuso2024-02-131-1/+3
| | | | | | | | | | | | | | | | Before: duh@testbed:~# nft describe blah symbol expression, datatype invalid (invalid)duh@testbed:# After: duh@testbed:~# nft describe blah symbol expression, datatype invalid (invalid) duh@testbed:# Fixes: 48aca2de80a7 ("iptopt: fix crash with invalid field/type combo") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: permit use of host-endian constant values in set lookup keysPablo Neira Ayuso2024-02-132-7/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | AFL found following crash: table ip filter { map ipsec_in { typeof ipsec in reqid . iif : verdict flags interval } chain INPUT { type filter hook input priority filter; policy drop; ipsec in reqid . 100 @ipsec_in } } Which yields: nft: evaluate.c:1213: expr_evaluate_unary: Assertion `!expr_is_constant(arg)' failed. All existing test cases with constant values use big endian values, but "iif" expects host endian values. As raw values were not supported before, concat byteorder conversion doesn't handle constants. Fix this: 1. Add constant handling so that the number is converted in-place, without unary expression. 2. Add the inverse handling on delinearization for non-interval set types. When dissecting the concat data soup, watch for integer constants where the datatype indicates host endian integer. Last, extend an existing test case with the afl input to cover in/output. A new test case is added to test linearization, delinearization and matching. Based on original patch from Florian Westphal, patch subject and description wrote by him. Fixes: b422b07ab2f9 ("src: permit use of constant values in set lookup keys") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: move concat and value postprocessing to helpersFlorian Westphal2024-02-131-35/+47
| | | | | | No functional changes intended. Signed-off-by: Florian Westphal <fw@strlen.de>
* cache: Always set NFT_CACHE_TERSE for list cmd with --tersePhil Sutter2024-02-131-7/+3
| | | | | | | | | | | | | | This fixes at least 'nft -t list table ...' and 'nft -t list set ...'. Note how --terse handling for 'list sets/maps' remains in place since setting NFT_CACHE_TERSE does not fully undo NFT_CACHE_SETELEM: setting both enables fetching of anonymous sets which is pointless for that command. Reported-by: anton.khazan@gmail.com Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1735 Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Phil Sutter <phil@nwl.cc>
* netlink_linearize: add assertion to catch for buggy byteorderPablo Neira Ayuso2024-02-091-0/+2
| | | | | | | Add assertion to catch buggy bytecode where unary expression is present with 1-byte selectors, where no byteorder conversion is required. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: skip byteorder conversion for selector smaller than 2 bytesPablo Neira Ayuso2024-02-091-5/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add unary expression to trigger byteorder conversion for host byteorder selectors only if selectors length is larger or equal than 2 bytes. # cat test.nft table ip x { set test { type ipv4_addr . ether_addr . inet_proto flags interval } chain y { ip saddr . ether saddr . meta l4proto @test counter } } # nft -f test.nft ip x y [ meta load iiftype => reg 1 ] [ cmp eq reg 1 0x00000001 ] [ payload load 4b @ network header + 12 => reg 1 ] [ payload load 6b @ link header + 6 => reg 9 ] [ meta load l4proto => reg 11 ] [ byteorder reg 11 = hton(reg 11, 2, 1) ] <--- should not be here [ lookup reg 1 set test ] [ counter pkts 0 bytes 0 ] Fixes: 1017d323cafa ("src: support for selectors with different byteorder with interval concatenations") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cache: Optimize caching for 'list tables' commandPhil Sutter2024-02-071-1/+5
| | | | | | | | | | | | | | No point in fetching anything other than existing tables from kernel: 'list tables' merely prints existing table names, no contents. Also populate filter's family field to reduce overhead when listing tables in one family with many tables in another one. It works without further adjustments because nftnl_nlmsg_build_hdr() will use the value for nfgen_family. Reported-by: anton.khazan@gmail.com Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1735 Signed-off-by: Phil Sutter <phil@nwl.cc>
* evaluate: fix check for unknown in cmd_op_to_name谢致邦 (XIE Zhibang)2024-02-071-1/+1
| | | | | | | | | | | | | | | Example: nft --debug=all destroy table ip missingtable Before: Evaluate unknown After: Evaluate destroy Fixes: e1dfd5cc4c46 ("src: add support to command "destroy"") Signed-off-by: 谢致邦 (XIE Zhibang) <Yeking@Red54.com> Signed-off-by: Phil Sutter <phil@nwl.cc>
* evaluate: don't assert on net/transport header conflictFlorian Westphal2024-02-071-36/+33
| | | | | | | | | | | | | | | | | | | | | | before: nft: evaluate.c:467: conflict_resolution_gen_dependency: Assertion `expr->payload.base == PROTO_BASE_LL_HDR' failed. Aborted (core dumped) conflict_resolution_gen_dependency() can only handle linklayer conflicts, hence the assert. Rename it accordingly. Also rename resolve_protocol_conflict, it doesn't do anything for != PROTO_BASE_LL_HDR and extend the assertion to that function too. Callers now enforce PROTO_BASE_LL_HDR prerequisite. after: Error: conflicting transport layer protocols specified: comp vs. udp ip6 nexthdr comp udp dport 4789 ^^^^^^^^^ Signed-off-by: Florian Westphal <fw@strlen.de>
* datatype: display 0s time datatypePablo Neira Ayuso2024-02-071-5/+19
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: Support sets' auto-merge optionPhil Sutter2024-01-312-0/+3
| | | | | | | | If enabled, list the option as additional attribute with boolean value. Fixes: e70354f53e9f6 ("libnftables: Implement JSON output support") Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1734 Signed-off-by: Phil Sutter <phil@nwl.cc>
* rule: fix sym refcount assertionFlorian Westphal2024-01-151-1/+5
| | | | | | | | | | | | Scope release must happen last. afl provided a reproducer where policy is a define, because scope is released too early we get: nft: src/rule.c:559: scope_release: Assertion `sym->refcnt == 1' failed. ... because chain->policy is EXPR_SYMBOL. Fixes: 627c451b2351 ("src: allow variables in the chain priority specification") Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: error out when store needs more than one 128bit register of align ↵Florian Westphal2024-01-151-0/+5
| | | | | | | | | | | | | | | | | | | | | fixup Else this gives: nft: evaluate.c:2983: stmt_evaluate_payload: Assertion `sizeof(data) * BITS_PER_BYTE >= masklen' failed. For loads, this is already prevented via expr_evaluate_bits() which has: if (masklen > NFT_REG_SIZE * BITS_PER_BYTE) return expr_error(ctx->msgs, expr, "mask length %u exceeds allowed maximum of %u\n", masklen, NFT_REG_SIZE * BITS_PER_BYTE); But for the store path this isn't called. The reproducer asks to store a 128 bit integer at bit offset 1, i.e. 17 bytes would need to be munged, but we can only handle up to 16 bytes (one pseudo-register). Fixes: 78936d50f306 ("evaluate: add support to set IPv6 non-byte header fields") Signed-off-by: Florian Westphal <fw@strlen.de>
* parser: reject raw payload expressions with 0 lengthFlorian Westphal2024-01-122-5/+31
| | | | | | | | Reject this at parser stage. Fix up the json input side too, else reproducer gives: nft: src/netlink.c:243: netlink_gen_raw_data: Assertion `len > 0' failed. Signed-off-by: Florian Westphal <fw@strlen.de>
* payload: only assert if l2 header base has no lengthFlorian Westphal2024-01-121-2/+1
| | | | | | | | | | nftables will assert in some cases because the sanity check is done even for network and transport header bases. However, stacked headers are only supported for the link layer. Move the assertion around and add a test case for this. Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: release mpz type in expr_evaluate_list() error pathPablo Neira Ayuso2024-01-121-3/+9
| | | | | | | | | | | | | | Detected when running: # nft -f tests/shell/testcases/bogons/nft-f/no_integer_basetype_crash ==383222==ERROR: LeakSanitizer: detected memory leaks Direct leak of 8 byte(s) in 1 object(s) allocated from: #0 0x7fe7b54a9e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 #1 0x7fe7b538b9a9 in __gmp_default_allocate (/lib/x86_64-linux-gnu/libgmp.so.10+0xc9a9) Fixes: 3671c4897003 ("evaluate: guard against NULL basetype") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: release key expression in error path of implicit map with unknown ↵Pablo Neira Ayuso2024-01-121-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | datatype Detected when running: # nft -f tests/shell/testcases/bogons/nft-f/mapping_with_invalid_datatype_crash ==382584==ERROR: LeakSanitizer: detected memory leaks Direct leak of 144 byte(s) in 1 object(s) allocated from: #0 0x7fde06ca9e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 #1 0x7fde062924af in xmalloc src/utils.c:31 #2 0x7fde0629266c in xzalloc src/utils.c:70 #3 0x7fde06167299 in expr_alloc src/expression.c:46 #4 0x7fde0616b014 in constant_expr_alloc src/expression.c:420 #5 0x7fde06128e43 in expr_evaluate_map src/evaluate.c:2027 #6 0x7fde06137b06 in expr_evaluate src/evaluate.c:2891 #7 0x7fde06132417 in expr_evaluate_relational src/evaluate.c:2497 #8 0x7fde06137b36 in expr_evaluate src/evaluate.c:2895 #9 0x7fde06137d5f in stmt_evaluate_expr src/evaluate.c:2914 #10 0x7fde061524c8 in stmt_evaluate src/evaluate.c:4646 #11 0x7fde0615c9ee in rule_evaluate src/evaluate.c:5202 #12 0x7fde061600c7 in cmd_evaluate_add src/evaluate.c:5422 Fixes: 70054e6e1c87 ("evaluate: catch implicit map expressions without known datatype") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: bail out if anonymous concat set defines a non concat expressionPablo Neira Ayuso2024-01-121-2/+31
| | | | | | | | | | | | | Iterate over the element list in the anonymous set to validate that all expressions are concatenations, otherwise bail out. ruleset.nft:3:46-53: Error: expression is not a concatenation ip protocol . th dport vmap { tcp / 22 : accept, tcp . 80 : drop} ^^^^^^^^ This is based on a patch from Florian Westphal. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: do not fetch next expression on runaway number of concatenation ↵Pablo Neira Ayuso2024-01-121-2/+2
| | | | | | | | | | | | | | components If this is the last expression, then the runaway flag is set on and evaluation bails in the next iteration, do not fetch next list element which refers to the list head. I found this by code inspection, I could not trigger any crash with this one. Fixes: ae1d54d1343f ("evaluate: do not crash on runaway number of concatenation components") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: skip anonymous set optimization for concatenationsPablo Neira Ayuso2024-01-121-9/+11
| | | | | | | | | Concatenation is only supported with sets. Moreover, stripping of the set leads to broken ruleset listing, therefore, skip this optimization for the concatenations. Fixes: fa17b17ea74a ("evaluate: revisit anonymous set with single element optimization") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: add missing range checks for dup,fwd and payload statementsFlorian Westphal2024-01-111-38/+50
| | | | | | | | | | Else we assert with: BUG: unknown expression type range nft: src/netlink_linearize.c:912: netlink_gen_expr: Assertion `0' failed. While at it, condense meta and exthdr to reuse the same helper. Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: tproxy: move range error checks after arg evaluationFlorian Westphal2024-01-111-6/+6
| | | | | | | | | | Testing for range before evaluation will still crash us later during netlink linearization, prefixes turn into ranges, symbolic expression might hide a range/prefix. So move this after the argument has been evaluated. Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: error out when expression has no datatypeFlorian Westphal2024-01-111-0/+5
| | | | | | | | | | | | | | | | | | add rule ip6 f i rt2 addr . ip6 daddr { dead:: . dead:: } ... will cause a segmentation fault, we assume expr->dtype is always set. rt2 support is incomplete, the template is uninitialised. This could be fixed up, but rt2 (a subset of the deperecated type 0), like all other routing headers, lacks correct dependency tracking. Currently such routing headers are always assumed to be segment routing headers, we would need to add dependency on 'Routing Type' field in the routing header, similar to icmp type/code. Signed-off-by: Florian Westphal <fw@strlen.de>
* datatype: do not assert when value exceeds expected widthFlorian Westphal2024-01-081-2/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Inputs: ip protocol . th dport { tcp / 22, }' or th dport . ip protocol { tcp / 22, }' are not rejected at this time. 'list ruleset' yields: ip protocol & nft: src/gmputil.c:77: mpz_get_uint8: Assertion `cnt <= 1' failed. or th dport & nft: src/gmputil.c:87: mpz_get_be16: Assertion `cnt <= 1' failed. While this should be caught at input too, the print path should be more robust, e.g. when there are direct nfnetlink users. After this patch, the print functions fall back to 'integer_type_print' which can handle large numbers too. Note that the output printed this way cannot be read back by nft; it will dump something like: tcp dport & 18446739675663040512 . ip protocol 0 . 0 but thats better than assert(). v2: same problem exists for service too. Signed-off-by: Florian Westphal <fw@strlen.de>
* datatype: Describe rt symbol tablesPhil Sutter2024-01-024-0/+55
| | | | | | | | | | | | | Implement a symbol_table_print() wrapper for the run-time populated rt_symbol_tables which formats output similar to expr_describe() and includes the data source. Since these tables reside in struct output_ctx there is no implicit connection between data type and therefore providing callbacks for relevant datat types which feed the data into said wrapper is a simpler solution than extending expr_describe() itself. Signed-off-by: Phil Sutter <phil@nwl.cc>
* datatype: Initialize rt_symbol_tables' base fieldPhil Sutter2024-01-021-4/+8
| | | | | | | | | It is unconditionally accessed in symbol_table_print() so make sure it is initialized to either BASE_DECIMAL (arbitrary) for empty or non-existent source files or a proper value depending on entry number format. Signed-off-by: Phil Sutter <phil@nwl.cc>
* datatype: rt_symbol_table_init() to search for iproute2 configsPhil Sutter2024-01-023-6/+36
| | | | | | | | | | | | | | | | | | | There is an ongoing effort among various distributions to tidy up in /etc. The idea is to reduce contents to just what the admin manually inserted to customize the system, anything else shall move out to /usr (or so). The various files in /etc/iproute2 fall in that category as they are seldomly modified. The crux is though that iproute2 project seems not quite sure yet where the files should go. While v6.6.0 installs them into /usr/lib/iproute2, current mast^Wmain branch uses /usr/share/iproute2. Assume this is going to stay as /(usr/)lib does not seem right for such files. Note that rt_symbol_table_init() is not just used for iproute2-maintained configs but also for connlabel.conf - so retain the old behaviour when passed an absolute path. Signed-off-by: Phil Sutter <phil@nwl.cc>
* parser_bison: ensure all timeout policy names are releasedFlorian Westphal2023-12-221-5/+27
| | | | | | | | | | | | | | | | | | | We need to add a custom destructor for this structure, it contains the dynamically allocated names. a:5:55-55: Error: syntax error, unexpected '}', expecting string policy = { estabQisheestablished : 2m3s, cd : 2m3s, } ==562373==ERROR: LeakSanitizer: detected memory leaks Indirect leak of 160 byte(s) in 2 object(s) allocated from: #1 0x5a565b in xmalloc src/utils.c:31:8 #2 0x5a565b in xzalloc src/utils.c:70:8 #3 0x3d9352 in nft_parse_bison_filename src/libnftables.c:520:8 [..] Fixes: c7c94802679c ("src: add ct timeout support") Signed-off-by: Florian Westphal <fw@strlen.de>
* src: do not allow to chain more than 16 binopsFlorian Westphal2023-12-222-4/+42
| | | | | | | | | | | | | | | | | | | | | netlink_linearize.c has never supported more than 16 chained binops. Adding more is possible but overwrites the stack in netlink_gen_bitwise(). Add a recursion counter to catch this at eval stage. Its not enough to just abort once the counter hits NFT_MAX_EXPR_RECURSION. This is because there are valid test cases that exceed this. For example, evaluation of 1 | 2 will merge the constans, so even if there are a dozen recursive eval calls this will not end up with large binop chain post-evaluation. v2: allow more than 16 binops iff the evaluation function did constant-merging. Signed-off-by: Florian Westphal <fw@strlen.de>
* netlink: fix stack overflow due to erroneous roundingFlorian Westphal2023-12-201-3/+8
| | | | | | | Byteorder switch in this function may undersize the conversion buffer by one byte, this needs to use div_round_up(). Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: don't crash if object map does not refer to a valueFlorian Westphal2023-12-201-0/+5
| | | | | | | | | | | Before: BUG: Value export of 512 bytes would overflownft: src/netlink.c:474: netlink_gen_prefix: Assertion `0' failed. After: 66: Error: Object mapping data should be a value, not prefix synproxy name ip saddr map { 192.168.1.0/24 : "v*" } Signed-off-by: Florian Westphal <fw@strlen.de>
* parser_bison: error out on duplicated type/typeof/element keywordsFlorian Westphal2023-12-191-2/+36
| | | | | | | | | | | Otherwise nft will leak the previous definition (expressions). Also remove the nonsensical datatype_set($1->key, $3->dtype); This is a no-op, at this point: $1->key and $3 are identical. Signed-off-by: Florian Westphal <fw@strlen.de>
* intervals: BUG on prefix expressions without valueFlorian Westphal2023-12-191-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Its possible to end up with prefix expressions that have a symbolic expression, e.g.: table t { set s { type inet_service flags interval elements = { 172.16.0.0/16 } } set s { type inet_service flags interval elements = { 0-1024, 8080-8082, 10000-40000 } } } Without this change, nft will crash. We end up in setelem_expr_to_range() with prefix "/16" for the symbolic expression "172.16.0.0". We than pass invalid mpz_t pointer into libgmp. This isn't a real fix, but instead of blindly assuming that the attached expression has a gmp value die with at least some info. Signed-off-by: Florian Westphal <fw@strlen.de>
* tcpopt: don't create exthdr expression without datatypeFlorian Westphal2023-12-191-1/+1
| | | | | | | | | | | | | The reproducer crashes during concat evaluation, as the exthdr expression lacks a datatype. This should never happen, i->dtype must be set. In this case the culprit is tcp option parsing, it will wire up a non-existent template, because the "nop" option has no length field (1 byte only). Signed-off-by: Florian Westphal <fw@strlen.de>
* intervals: set_to_range can be staticFlorian Westphal2023-12-161-1/+3
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: fix stack overflow with huge priority stringFlorian Westphal2023-12-151-1/+1
| | | | | | | | Alternative would be to refactor this and move this into the parsers (bison, json) instead of this hidden re-parsing. Fixes: 627c451b2351 ("src: allow variables in the chain priority specification") Signed-off-by: Florian Westphal <fw@strlen.de>
* netlink: fix stack buffer overflow with sub-reg sized prefixesFlorian Westphal2023-12-151-2/+5
| | | | | | | | | | | | | | | | | | | | | | | The calculation of the dynamic on-stack array is incorrect, the scratch space can be too low which gives stack corruption: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffdb454f064.. #1 0x7fabe92aaac4 in __mpz_export_data src/gmputil.c:108 #2 0x7fabe92d71b1 in netlink_export_pad src/netlink.c:251 #3 0x7fabe92d91d8 in netlink_gen_prefix src/netlink.c:476 div_round_up() cannot be used here, it fails to account for register padding. A 16 bit prefix will need 2 registers (start, end -- 8 bytes in total). Remove the dynamic sizing and add an assertion in case upperlayer ever passes invalid expr sizes down to us. After this fix, the combination is rejected by the kernel because of the maps' wrong data size, before the fix userspace may crash before. Signed-off-by: Florian Westphal <fw@strlen.de>