summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* rule: add chain reference counterPablo Neira Ayuso2015-08-181-0/+9
| | | | | | | When adding declared chains to the cache, we may hold more than one single reference from struct cmd and the cache. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: early allocation of the set IDPablo Neira Ayuso2015-08-182-4/+4
| | | | | | | By when the set is created, so element in the batch use this set ID as reference. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add set declaration to cachePablo Neira Ayuso2015-08-181-0/+9
| | | | | | | This patch adds set objects to the cache if they don't exist in the kernel, so they can be referenced from this batch. This occurs from the evaluation step. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: use cache infrastructure for set objectsPablo Neira Ayuso2015-08-182-86/+79
| | | | | | | | | | | | | | | | This patch populates the cache only once through netlink_list_sets() during evaluation. As a result, there is a single call to netlink_list_sets(). After this change, we can rid of get_set(). This function was fine by the time we had no transaction support, but this doesn't work for set objects that are declared in this batch, so inquiring the kernel doesn't help since they are not yet available. As a result from this update, the monitor code gets simplified quite a lot since it can rely of the set cache. Moreover, we can now validate that the table and set exists from evaluation path. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add table declaration to cachePablo Neira Ayuso2015-08-182-15/+15
| | | | | | | | | | Add declared table objects to the cache, thus we can refer to objects that come in this batch but that are not yet available in the kernel. This happens from the evaluation step. Get rid of code that is doing this from the later do_command_*() stage. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: add reference counter to the table objectPablo Neira Ayuso2015-08-181-0/+10
| | | | | | | We may hold multiple references to table objects in follow up patches when adding object declarations to the cache. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add cmd_evaluate_list()Pablo Neira Ayuso2015-08-181-0/+23
| | | | | | | | | | This function validates that the table that we want to list already exists by looking it up from the cache. This also adds cmd_error() to display an error from the evaluation step, when the objects that the rule indicates do not exist. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add cache infrastructure and use it for table objectsPablo Neira Ayuso2015-08-184-28/+84
| | | | | | | | | | This patch introduces the generic object cache that is populated during the evaluation phase. The first client of this infrastructure are table objects. As a result, there is a single call to netlink_list_tables(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'next-4.2'Pablo Neira Ayuso2015-08-187-3/+71
|\ | | | | | | | | | | | | | | | | | | This branch adds support for the new 'netdev' family. This also resolves a simple conflict with the default chain policy printing. Conflicts: src/rule.c Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * src: add netdev family supportPablo Neira Ayuso2015-06-167-4/+70
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds support for the new 'netdev' table. So far, this table allows you to create filter chains from ingress. The following example shows a very simple base configuration with one table that contains a basechain that is attached to the 'eth0': # nft list table netdev filter table netdev filter { chain eth0-ingress { type filter hook ingress device eth0 priority 0; policy accept; } } You can test that this works by adding a simple rule with counters: # nft add rule netdev filter eth0-ingress counter Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | src: restore nft list tablesPablo Neira Ayuso2015-08-031-1/+1
| | | | | | | | | | | | | | | | Iterate over the ctx->list which is where the table objects are after calling netlink_list_tables(). Fixes: e4d21958c835 ("rule: add do_list_tables()") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | netlink_delinearize: meta l4proto range printing broken on 32bitPablo Neira Ayuso2015-07-171-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Florian Westphal says: 09565a4b1ed4863d44c4509a93c50f44efd12771 ("netlink_delinearize: consolidate range printing") causes nft to segfault on 32bit machine when printing l4proto ranges. The problem is that meta_expr_pctx_update() assumes that right is a value, but after this change it can also be a range. Thus, expr->value contents are undefined (its union). On x86_64 this is also broken but by virtue of struct layout and pointer sizes, value->_mp_size will almost always be 0 so mpz_get_uint8() returns 0. But on x86-32 _mp_size will be huge value (contains expr->right pointer of range), so we crash in libgmp. Pablo says: We shouldn't call pctx_update(), before the transformation we had there a expr->op == { OP_GT, OP_GTE, OP_LT, OP_LTE }. So we never entered that path as the assert in payload_expr_pctx_update() indicates. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Tested-by: Florian Westphal <fw@strlen.de>
* | main: return error to shell on evaluation problemsPablo Neira Ayuso2015-07-141-3/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | # nft add chain filter input { type filter hook inputt priority 0\; } <cmdline>:1:43-48: Error: unknown chain hook inputt add chain filter input { type filter hook inputt priority 0; } ^^^^^^ Before: # echo $? 0 After: # echo $? 1 Note that nft_parse() returns 1 on parsing errors and 0 + state->errs on evaluation problems, so return -1 as other functions do here to pass up the error to the main routine. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | netlink: release table object via table_free() in netlink_get_table()Pablo Neira Ayuso2015-07-141-1/+1
| | | | | | | | | | | | Instead of xfree(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | rule: add do_list_tables()Pablo Neira Ayuso2015-07-141-15/+17
| | | | | | | | | | | | Wrap code to list existing tables in a function. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | src: set chain->hookstr from delinearizationPablo Neira Ayuso2015-07-062-5/+5
| | | | | | | | | | | | Set human readable hookname chain->hookstr field from delinearize. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | rule: missing family when listing of tablesPablo Neira Ayuso2015-07-031-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | # nft list tables table ip nat instead of: # nft list tables table nat Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | datatype: avoid crash in debug mode when printing integersFlorian Westphal2015-06-301-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | nft -i --debug=all nft> add rule ip filter foo mark 42 dies with sigfpe; seems mpz doesn't like len 0: #1 0x0805f2ee in mpz_export_data (data=0xbfeda588, op=0x9d9fb08, byteorder=BYTEORDER_HOST_ENDIAN, len=0) at gmputil.c:115 After patch this prints 0x0000002a. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | payload: reorder case in a switch for consistencyEric Leblond2015-06-301-3/+3
| | | | | | | | | | | | | | | | As pointed out by Patrick McHardy the order in the inet switch in payload_gen_dependency was not consistent. Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | payload: fix transport matching with no network layer info in bridge familyPablo Neira Ayuso2015-06-301-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | # nft --debug=netlink add rule bridge filter input tcp dport 22 bridge filter input [ meta load l4proto => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x00001600 ] Reported-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | erec: fix logic when reading from fileEric Leblond2015-06-301-0/+3
| | | | | | | | | | | | | | | | | | | | | | In case we are reading the rules from a file we need to reset the file descriptor to the original position when calling erec_print. This was not the case in previous code and was leading to valid file to be seen as invalid when treated in debug mode. Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | erec: fix buffer overflowEric Leblond2015-06-301-5/+12
| | | | | | | | | | | | | | | | | | | | | | A static array was used to read data and to write information in it without checking the limit of the array. The result was a buffer overflow when the line was longer than 1024. This patch now uses a allocated buffer to avoid the problem. Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | netlink: fix use-after-free netlink_events_cache_deltable()Pablo Neira Ayuso2015-06-161-2/+3
| | | | | | | | | | | | | | h.table stores a pointer to a nftnl table object that is gone just after assignment. Release this object once its content is not referenced anymore. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | parser_bison: allow to use mark as datatype for maps and setsPablo Neira Ayuso2015-06-161-6/+10
|/ | | | | | | Update the grammar to accept a MARK token as datatype. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1012 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinarize: fix merge conflictPatrick McHardy2015-06-131-1/+1
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* Merge remote-tracking branch 'origin/next-4.1'Patrick McHardy2015-06-135-53/+240
|\
| * netlink: handle concat expressions in set dataPatrick McHardy2015-06-022-1/+33
| | | | | | | | | | | | | | Reconstruct the concat expressions in set data by splicing off the subtype values based on the keytype of the set. Signed-off-by: Patrick McHardy
| * netlink_delinearize: handle relational and lookup concat expressionsPatrick McHardy2015-06-021-9/+104
| | | | | | | | | | | | | | | | | | | | | | | | | | | | When the RHS length differs from the LHS length (which is only the first expression), both expressions are assumed to be concat expressions. The LHS concat expression is reconstructed from the available register values, advancing by the number of registers required by the subexpressions' register space, until the RHS length has been reached. The RHS concat expression is reconstructed by splitting the data value into multiple subexpressions based on the LHS concat expressions types. Signed-off-by: Patrick McHardy <kaber@trash.net>
| * netlink_delinearize: introduce register translation helperPatrick McHardy2015-06-021-4/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Introduce a helper function to translate register numbers from the kernel from the compat values to the NFT_REG32 values. Internally we use the register numbers 0-16: * 0 is the verdict register in both old and new addressing modes. * 1-16 are the 32 bit data registers The NFT_REG32_00 values are mapped to 1-16, the NFT_REG_1-NFT_REG_4 values are each use up 4 registers starting at 1 (1, 5, 9, 13). Signed-off-by: Patrick McHardy <kaber@trash.net>
| * netlink: pad constant concat sub-expressionsPatrick McHardy2015-06-022-9/+8
| | | | | | | | | | | | Pad all but the last sub-expressions of a concat expressions. Signed-off-by: Patrick McHardy <kaber@trash.net>
| * netlink_linearize: generate concat expressionsPatrick McHardy2015-06-021-3/+11
| | | | | | | | | | | | | | Use the real length for reserving/releasing registers when generating concat expressions. Signed-off-by: Patrick McHardy <kaber@trash.net>
| * netlink_linearize: use NFT_REG32 values internallyPatrick McHardy2015-06-021-4/+39
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Prepare netlink_linearize for 32 bit register usage: Switch to use 16 data registers of 32 bit each. A helper function takes care of mapping the registers to the NFT_REG32 values and, if the register refers to the beginning of an 128 bit area, the old NFT_REG_1-4 values for compatibility. New register reservation and release helper function take the size into account and reserve the required amount of registers. The reservation and release functions will so far still always allocate 128 bit. If no other expression in a rule uses a 32 bit register directly, these will be mapped to the old register values, meaning everything continues to work with old kernel versions. Signed-off-by: Patrick McHardy <kaber@trash.net>
| * netlink: pass expression to register allocation/release functionsPatrick McHardy2015-06-021-26/+28
| | | | | | | | | | | | Prepare for taking the expression size into account. Signed-off-by: Patrick McHardy <kaber@trash.net>
| * eval: prohibit variable sized types in concat expressionsPatrick McHardy2015-06-021-0/+7
| | | | | | | | | | | | | | | | | | | | Since we need to calculate the length of the entire concat type, we can not support variable sized types where the length can't be determined by the type. This only affects base types since all higher types include a length. Signed-off-by: Patrick McHardy <kaber@trash.net>
| * Merge remote-tracking branch 'origin/master' into next-4.1Patrick McHardy2015-06-024-97/+43
| |\
* | | proto: use bitmask_type for comp flagsPablo Neira Ayuso2015-06-051-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | I think flags should be displayed in hexadecimal and should be handled as a bitmask. inet/comp.t: WARNING: line: 15: 'nft add rule ip test-ip4 input comp flags 0x00': 'comp flags 0x00' mismatches 'comp flags 0' inet/comp.t: WARNING: line: 16: 'nft add rule ip test-ip4 input comp flags != 0x23': 'comp flags != 0x23' mismatches 'comp flags != 35' inet/comp.t: WARNING: line: 17: 'nft add rule ip test-ip4 input comp flags 0x33-0x45': 'comp flags 0x33-0x45' mismatches 'comp flags 51-69' inet/comp.t: WARNING: line: 18: 'nft add rule ip test-ip4 input comp flags != 0x33-0x45': 'comp flags != 0x33-0x45' mismatches 'comp flags != 51-69' inet/comp.t: WARNING: line: 19: 'nft add rule ip test-ip4 input comp flags {0x33, 0x55, 0x67, 0x88}': 'comp flags {0x33, 0x55, 0x67, 0x88}' mismatches 'comp flags { 103, 85, 51, 136}' inet/comp.t: WARNING: line: 21: 'nft add rule ip test-ip4 input comp flags { 0x33-0x55}': 'comp flags { 0x33-0x55}' mismatches 'comp flags { 51-85}' rfc3173 says that this is unused for future use though. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | | datatype: default to display bitmask in hexadecimalPablo Neira Ayuso2015-06-051-2/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | Instead of a plain integer. This updates integer_type_print() to look up some basefmt in the change of datatype, the first we find will be used to format the output. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | | netlink_delinearize: restore listing of host byteorder set elementsPablo Neira2015-06-051-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | before: table ip filter { chain test { cpu { 67108864, 50331648, 33554432} } } after: table ip filter { chain test { cpu { 4, 3, 2 } } } Related to 525323352904 ("expr: add set_elem_expr as container for set element attributes"). We'll have to revisit this once we have support to use integer datatypes from set declarations, see: http://patchwork.ozlabs.org/patch/480068/ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | | Merge branch 'next-4.1'Pablo Neira Ayuso2015-06-0411-148/+564
|\ \ \ | |_|/ |/| |
| * | netlink_delinearize: consolidate range printingPablo Neira Ayuso2015-06-021-4/+78
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds a routine to the postprocess stage to check if the previous expression statement and the current actually represent a range, so we can provide a more compact listing, eg. # nft -nn list table test table ip test { chain test { tcp dport 22 tcp dport 22-23 tcp dport != 22-23 ct mark != 0x00000016-0x00000017 ct mark 0x00000016-0x00000017 mark 0x00000016-0x00000017 mark != 0x00000016-0x00000017 } } To do so, the context state stores a pointer to the current statement. This pointer needs to be invalidated in case the current statement is replaced. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | netlink_delinearize: add payload_match_expand()Pablo Neira Ayuso2015-06-021-32/+37
| | | | | | | | | | | | | | | | | | | | | This function encapsulates the payload expansion logic. This change in required by the follow up patch to consolidate range printing. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | netlink_delinearize: keep pointer to current statement from rule_pp_ctxPablo Neira Ayuso2015-06-021-34/+37
| | | | | | | | | | | | | | | | | | | | | This patch is required by the range postprocess routine that comes in follow up patches. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | netlink_delinearize: pass ctx pointer to stmt_reject_postprocess()Pablo Neira Ayuso2015-05-301-9/+9
| |/ | | | | | | | | | | Instead of a copy of the context variable. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * nftables: add set statemetPatrick McHardy2015-04-126-1/+139
| | | | | | | | | | | | | | | | | | | | | | | | The set statement is used to dynamically add or update elements in a set. Syntax: # nft filter input set add tcp dport @myset # nft filter input set add ip saddr timeout 10s @myset # nft filter input set update ip saddr timeout 10s @myset Signed-off-by: Patrick McHardy <kaber@trash.net>
| * setelem: add support for attaching comments to set elementsPatrick McHardy2015-04-123-0/+18
| | | | | | | | | | | | | | | | Syntax: # nft add element filter test { 192.168.0.1 comment "some host" } Signed-off-by: Patrick McHardy <kaber@trash.net>
| * setelem: add timeout support for set elementsPatrick McHardy2015-04-123-0/+29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Support specifying per element timeout values and displaying the expiration time. If an element should not use the default timeout value of the set, an element specific value can be specified as follows: # nft add element filter test { 192.168.0.1, 192.168.0.2 timeout 10m} For listing of elements that use the default timeout value, just the expiration time is shown, otherwise the element specific timeout value is also displayed: set test { type ipv4_addr timeout 1h elements = { 192.168.0.2 timeout 10m expires 9m59s, 192.168.0.1 expires 59m59s} } Signed-off-by: Patrick McHardy <kaber@trash.net>
| * set: add timeout support for setsPatrick McHardy2015-04-125-1/+51
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Timeout support can be enabled in one of two ways: 1. Using a default timeout value: set test { type ipv4_addr; timeout 1h; } 2. Using the timeout flag without a default: set test { type ipv4_addr; flags timeout; } Optionally a garbage collection interval can be specified using gc-interval <interval>; Signed-off-by: Patrick McHardy <kaber@trash.net>
| * expr: add set_elem_expr as container for set element attributesPatrick McHardy2015-04-127-30/+101
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add a new expression type "set_elem_expr" that is used as container for the key in order to attach different attributes, such as timeout values, to the key. The expression hierarchy is as follows: Sets: elem | key Maps: mapping / \ elem data | key Signed-off-by: Patrick McHardy <kaber@trash.net>
| * parser: fix inconsistencies in set expression rulesPatrick McHardy2015-04-121-13/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Set keys are currently defined as a regular expr for pure sets and map_lhs_expr for maps. map_lhs_expr is what can actually be used for a single member, namely a concat_expr or a multiton_expr. The reason why pure sets use expr for the key is to allow recursive set specifications, which doesn't make sense for maps since every element needs a mapping. However, the rule is too wide and also allows map expressions as a key, which obviously doesn't make sense. Rearrange the rules so we have: set_lhs_expr: concat or multiton set_rhs_expr: concat or verdict and special case the recursive set specifications, as they deserve. Besides making it a lot easier to understand what is actually supported, this will be used by the following patch to support timeouts and comments for keys in a uniform way. Signed-off-by: Patrick McHardy <kaber@trash.net>
| * parser: add a time_spec rulePatrick McHardy2015-04-121-0/+16
| | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net>