| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Userdata attribute names have been added to libnftnl, use them instead
of the local copy.
While being at it, rename udata_get_comment() in netlink_delinearize.c
and the callback it uses since the function is specific to rules. Also
integrate the existence check for NFTNL_RULE_USERDATA into it along with
the call to nftnl_rule_get_data().
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Pass the location via the handle so the error leg in
rule_translate_index() can reference it. Applies to invalid references
to tables, chains, and indexes.
Fixes: 586ad210368b ("libnftables: Implement JSON parser")
Signed-off-by: Eric Garver <eric@garver.life>
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
We need to increment the index by one just as the CLI does.
Fixes: 586ad210368b7 ("libnftables: Implement JSON parser")
Signed-off-by: Eric Garver <eric@garver.life>
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Upcoming dscp codepoint for background traffic of low precendence
such as bulk data transfers with low priority in time, non time-critical
backups, larger software updates, web search engines while gathering
information from web servers and so on.
Signed-off-by: Loganaden Velvindron <logan@cyberstorm.mu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
As per the man page, if the user does not specify the l3proto it should
be derived from the table family.
Fixes: 586ad210368b ("libnftables: Implement JSON parser")
Signed-off-by: Eric Garver <eric@garver.life>
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
'nft monitor' dies with:
*** Error in `/sbin/nft': double free or corruption (fasttop): 0x000055f8ba57b750 ***
... when the iptables-nft test suite is running in parallel, because
xfree(stmt->xt.name) gets called twice.
Fixes: 4ac11b890fe870 ("src: missing destroy function in statement definitions")
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Wrong callback in json_parse_cmd_list() for "maps" key.
Fixes: 586ad210368b7 ("libnftables: Implement JSON parser")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Parser expects an object in policy property and json_is_object() returns
true if given parameter is an object. The check was inverse by accident.
Fixes: c82a26ebf7e9f ("json: Add ct timeout support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
When creating a map, users may either map dtype:dtype or dtype:object.
In the second case, only counter, quota, limit and secmark is allowed by
bison, but JSON parser wasn't as strict, allowing ct helper as well.
Remove that to avoid undefined behaviour.
Fixes: 586ad210368b7 ("libnftables: Implement JSON parser")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A segmentation fault is produced when applying an input JSON file
like the following:
{"nftables": [
{ "add":
{"map":
{"family": "ip",
"name": "persistencia",
"table": "nftlb",
"type": "ipv4_addr",
"map": "mark",
"size": 65535,
"flags": ["timeout"],
"timeout": 44
}
}
}
]}
The captured error is:
Program received signal SIGSEGV, Segmentation fault.
#1 0x00007ffff7f734f9 in string_to_nft_object (str=0x55555555f410
"mark") at parser_json.c:2513
2513 if (!strcmp(str, obj_tbl[i]))
The obj_tbl array is allocated with the maximum element index even
if lower indexes are not populated, so it produces null pointer
items.
This patch ensures that the maximum number of possible indexes
but also the element is not comparing a null pointer.
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Do not inconditionally hold reference to start interval.
The handling depends on what kind of range expression we need to build,
either no range at all, a prefix or a plain range. Depending on the
case, we need to partially clone what we need from the expression to
avoid use-after-free.
This fixes valgrind reports that look like this, when listing rulesets:
==30018== 2,057,984 (1,028,992 direct, 1,028,992 indirect) bytes in 8,039 blocks are definitely lost in loss record 76 of 83
==30018== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==30018== by 0x4E75978: xmalloc (utils.c:36)
==30018== by 0x4E75A5D: xzalloc (utils.c:65)
==30018== by 0x4E5CEC0: expr_alloc (expression.c:45)
==30018== by 0x4E5D610: mapping_expr_alloc (expression.c:985)
==30018== by 0x4E6A068: netlink_delinearize_setelem (netlink.c:810)
==30018== by 0x5B51320: nftnl_set_elem_foreach (set_elem.c:673)
==30018== by 0x4E6A2D5: netlink_list_setelems (netlink.c:864)
==30018== by 0x4E56C76: cache_init_objects (rule.c:166)
==30018== by 0x4E56C76: cache_init (rule.c:216)
==30018== by 0x4E56C76: cache_update (rule.c:243)
==30018== by 0x4E64530: cmd_evaluate_list (evaluate.c:3503)
==30018== by 0x4E64530: cmd_evaluate (evaluate.c:3880)
==30018== by 0x4E7D12F: nft_parse (parser_bison.y:798)
==30018== by 0x4E7AB56: nft_parse_bison_buffer (libnftables.c:349)
==30018== by 0x4E7AB56: nft_run_cmd_from_buffer (libnftables.c:394)
Reported-by: Václav Zindulka <vaclav.zindulka@tlapnet.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Fix memleak in set element and hash expressions destroy path.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
consider a simple ip6 nat table:
table ip6 nat { chain output {
type nat hook output priority 0; policy accept;
dnat to dead:2::99
}
Now consider same ruleset, but using 'table inet nat':
nft now lacks context to determine address family to parse 'to $address'.
This adds code to make the following work:
table inet nat { [ .. ]
# detect af from network protocol context:
ip6 daddr dead::2::1 dnat to dead:2::99
# use new dnat ip6 keyword:
dnat ip6 to dead:2::99
}
On list side, the keyword is only shown in the inet family, else the
short version (dnat to ...) is used as the family is redundant when the
table already mandates the ip protocol version supported.
Address mismatches such as
table ip6 { ..
dnat ip to 1.2.3.4
are detected/handled during the evaluation phase.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for version fingerprint in "osf" expression. Example:
table ip foo {
chain bar {
type filter hook input priority filter; policy accept;
osf ttl skip name "Linux"
osf ttl skip version "Linux:4.20"
}
}
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
==6297== 24 bytes in 3 blocks are definitely lost in loss record 2 of 13
==6297== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==6297== by 0x56193B9: strdup (strdup.c:42)
==6297== by 0x4E758BD: xstrdup (utils.c:75)
==6297== by 0x4E7F9D3: nft_parse (parser_bison.y:1895)
==6297== by 0x4E7AAE1: nft_parse_bison_filename (libnftables.c:370)
==6297== by 0x4E7AAE1: nft_run_cmd_from_filename (libnftables.c:438)
==6297== by 0x109A33: main (main.c:310)
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
# nft add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy to :2000
Error: conflicting protocols specified: ip vs. unknown. You must specify ip or ip6 family in tproxy statement
add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy to :2000
~~~~~~~~ ^^^^^^^^^^^^^^^
instead of:
# nft add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy to :2000
Error: Conflicting network layer protocols.
add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy to :2000
^^^^^^^^^^^^^^^
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1310
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
# nft add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy ip to :2000
Error: syntax error, unexpected colon
add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy ip to :2000
^
Syntax with no protocol for tproxy complains with:
# nft add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy to :2000
Error: Conflicting network layer protocols.
add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy to :2000
^^^^^^^^^^^^^^^
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1310
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of guessing which object to update with retrieved handle,
introduce a list containing struct cmd <-> json_t associations. Upon
batch commit, allocated cmd objects are assigned a unique netlink
sequence number. Monitor events contain that number as well, so they may
be associated to the cmd object which triggered them. Using
json_cmd_assoc list the event may in turn be associated to the input's
JSON object which should receive the handle value.
This also fixes incorrect behaviour if JSON input contained "insert"
commands.
Fixes: bb32d8db9a125 ("JSON: Add support for echo option")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Set may be empty, content might be yet unknown, we cannot do any
transfer in this case.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1327
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
As discussed during NFWS 2018. Old syntax is stilled allowed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
File that contains the ruleset is never closed, track open files through
the nft_ctx object and close them accordingly.
Reported-by: Václav Zindulka <vaclav.zindulka@tlapnet.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Otherwise, this forces user to place a double semi-colon to skip a
parser error in a multi-line commands:
# nft add "ct helper ip filter test { type \"ftp\" protocol tcp; };add rule filter test ct helper set \"ftp\""
Error: syntax error, unexpected add, expecting end of file or newline or semicolon
add ct helper ip filter test { type "ftp" protocol tcp; };add rule filter test ct helper set "ftp"
^^^
Reported-by: Laura Garcia <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When trying to list a map content, if set is used, nft reports:
# nft list set filter group_7933
Error: No such file or directory; did you mean set ‘group_7933’ in table ip ‘filter’?
list set filter group_7933
^^^^^^^^^^
Which is confusing in case user wants to list an existing map:
# nft list map filter group_7933
table ip filter {
map group_7933 {
type ipv4_addr : classid
flags interval
elements = { 10.4.22.0/24 : 1:c7cb }
}
}
Instead, give a hint to user that probably wants to list a map, not a set:
# nft list set filter group_7933
Error: No such file or directory; did you mean map ‘group_7933’ in table ip ‘filter’?
list set filter group_7933
^^^^^^^^^^
Fixes: 285bb67a11ad ("src: introduce simple hints on incorrect set")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
# cat test.nft
add set x y { type ipv4_addr; }
add element x y { 10.0.24.0/24 }
# nft -f test.nft
# nft delete element x y { 10.0.24.0/24 }
bogusly returns -ENOENT. The non-matching segment (0.0.0.0 with end-flag
set on) is not added to the set in the example above.
This patch also adds a test to cover this case.
Fixes: 4935a0d561b5 ("segtree: special handling for the first non-matching segment")
Reported-by: Václav Zindulka <vaclav.zindulka@tlapnet.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Breaks custom-defined configuration in library mode, ie. user may want
to store output in a file, instead of stderr.
Fixes: 35f6cd327c2e ("src: Pass stateless, numeric, ip2name and handle variables as structure members.")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
We must set output_fp to sensible filep, else crash.
Reported-by: Václav Zindulka <vaclav.zindulka@tlapnet.cz>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
Priority value was parsed but not assigned to allocated chain object.
Fixes: 586ad210368b7 ("libnftables: Implement JSON parser")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When extracting netlink message data for populating JSON objects with
handles, allocated nftnl objects were not freed. Though since freeing
these objects also frees retrieved string attributes, copy them using
strdupa() which takes care of memory deallocation upon function return.
This is ideal since these strings are used only to find the right JSON
object to insert the handle into.
Fixes: bb32d8db9a125 ("JSON: Add support for echo option")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Use xstrdup() instead of plain strdup() for consistency (and implicit
ENOMEM checking).
Fixes: 586ad210368b7 ("libnftables: Implement JSON parser")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Since verdict expression frees the chain name, pass a newly allocated
string to it. Otherwise double free happens because json_decref() frees
the string property value as well.
Fixes: d1057a5feb5fd ("JSON: Simplify verdict statement parsing")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Commands may contain data printed by an error record, so make sure
cmd_free() is not called before erec_print_list() has returned.
Fixes: 778de37d82e7b ("libnftables: Keep cmds list outside of parser_state")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Fixes: e3f195777ee54 ("src: expr: remove expr_ops from struct expr")
Reported-by: Mikhail Morfikov <mmorfikov@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
size of struct expr changes from 144 to 128 bytes on x86_64.
This doesn't look like much, but large rulesets can have tens of thousands
of expressions (each set element is represented by an expression).
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
Temporary kludge to remove all the expr->ops->type == ... patterns.
Followup patch will remove expr->ops, and make expr_ops() lookup
the correct expr_ops struct instead to reduce struct expr size.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
This helper will eventually lookup the correct expr_ops
struct, so we can get rid of the expr->ops pointer.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
expr->ops is going away, so export payload cmp and use it directly.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Currently callers use expr->ops->name, but follouwp patch will remove the
ops pointer from struct expr. So add this helper and use it everywhere.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This can be used to match the kind type of iif or oif
interface of the packet. Example:
add rule inet raw prerouting meta iifkind "vrf" accept
Signed-off-by: wenxu <wenxu@ucloud.cn>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
nlt is reallocated, leaking first allocation and also removing
the table name/handle that was set on nlt object.
Add a test case for this as well, the batch is supposed to fail
when trying to delete a non-existant table, rather than wiping
all tables in the same address family.
Fixes: 12c362e2214a0 ("mnl: remove alloc_nftnl_table()")
Reported-by: Mikhail Morfikov <mmorfikov@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nf_tables can handle payload exprs for sizes <= sizeof(u32) via a direct
operation from the eval loop, rather than a a call to the payload
expression. Two loads for four byte quantities are thus faster than a
single load for an 8 byte load.
ip saddr 1.2.3.4 ip daddr 2.3.4.5
is faster with this applied, even though it involves two payload and two
two compare expressions, just because all can be handled from the main
loop without any calls to expression ops.
Keep merging for linklayer and when at least one of the expressions
already exceeded the 4 byte "limit" anyway.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Should use accept/use quotes, else you can't use this with a device name
that is shared with a key word, e.g. 'device vm'.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
'nft list quotas' would not print anything at all anymore.
Fixes: 88456a7ef01172 ("rule: list only the table containing object")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The previous change is bonkers, it fixes build when libxtables isn't
even installed, but broke build when --with-xtables is provided to configure.
Reason is that the include guard comes too early, so xtables.h is never
included, causing build to fail because no libxtables function prototypes
and definitions are available.
Fixes: 9e84f3f083bb ("xt: fix build when libxtables is not installed")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Update parser to display this error message:
# nft export json
Error: JSON export is no longer supported, use 'nft -j list ruleset' instead
export json
^^^^^^^^^^^^
Just like:
# nft export vm json
Error: JSON export is no longer supported, use 'nft -j list ruleset' instead
export vm json
^^^^^^^^^^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since libnftnl recently dropped JSON output support, this form of JSON
export is not available anymore. Point at 'nft -j list ruleset' command
for a replacement in error message.
Since 'export' command is not useable anymore, remove it from
documentation. Instead point out that 'list ruleset' command serves well
for dumping and later restoring.
To not cause pointless inconvenience for users wishing to store their
ruleset in JSON format, make JSON parser fallback to CMD_ADD if no
recognized command property was found. This allows to feed the output of
'nft -j list ruleset' into 'nft -f' without any modification.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If libxtables is not even installed, build fails due to to missing
include file.
ifdef LIBXTABLES guard fixes the first error, but results in two
followup failures:
1. missing IFNAMSIZ definition
2. dereference of unknown struct.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
