summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* segtree: Fix expr_value_cmp()Phil Sutter2017-07-171-4/+6
| | | | | | | | | Instead of returning the result of mpz_cmp(), this function returned 1 unless both elements were equal and the first one had EXPR_F_INTERVAL_END set. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* monitor: add debug messagesArturo Borrero Gonzalez2017-07-172-0/+46
| | | | | | | | | | Add some debug messages in the monitor/trace code paths to ease development and debugging in case of errors. After this patch, running 'nft monitor --debug=mnl,netlink' is more verbose. Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* cli: fix heap buffer overflowEric Leblond2017-07-171-0/+4
| | | | | | | | | | | | | | | | | | | | | | This patch fixes an invalid read when an empty command was sent. Found via nft running ASAN and entering an empty command: nft> ================================================================= ==19540==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000008c6f at pc 0x55e3b561704d bp 0x7fffe9a33ac0 sp 0x7fffe9a33ab8 READ of size 1 at 0x602000008c6f thread T0 #0 0x55e3b561704c in cli_append_multiline /home/eric/git/netfilter/nftables/src/cli.c:65 #1 0x55e3b561725b in cli_complete /home/eric/git/netfilter/nftables/src/cli.c:109 #2 0x7f6e0c2ccac2 in rl_callback_read_char (/lib/x86_64-linux-gnu/libreadline.so.7+0x2fac2) #3 0x55e3b5617ba6 in cli_init /home/eric/git/netfilter/nftables/src/cli.c:199 #4 0x55e3b5573b75 in main /home/eric/git/netfilter/nftables/src/main.c:381 #5 0x7f6e0bc9b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0) #6 0x55e3b55725a9 in _start (/usr/local/sbin/nft+0x445a9) Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: free filename when destroying scannerEric Leblond2017-07-172-2/+14
| | | | | | | | To be able to do so we duplicate the name in the indesc if it is set. Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: fix build with clangEric Leblond2017-07-171-2/+1
| | | | | | | | | | | Building with a recent clang was failing due to the following error: src/evaluate.c|450 col 45| error: initializer element is not constant || static const unsigned int max_tcpoptlen = 15 * 4 * BITS_PER_BYTE - tcphdrlen; || ^~ Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: error if needed at EOFEric Leblond2017-07-171-0/+2
| | | | | Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: fix bison warningsEric Leblond2017-07-171-1/+2
| | | | | | | | | | | | | | | | | | | | | We had the following warnings parser_bison.y:1089:10: warning: variable 'cmd' is used uninitialized whenever 'if' condition is false [-Wsometimes-uninitialized] if (erec != NULL) { ^~~~~~~~~~~~ parser_bison.y:1095:39: note: uninitialized use occurs here (yyval.cmd) = cmd_alloc(CMD_LIST, cmd, &(yyvsp[0].handle), &(yyloc), NULL); ^~~ parser_bison.y:1089:6: note: remove the 'if' if its condition is always true if (erec != NULL) { ^~~~~~~~~~~~~~~~~~ parser_bison.y:1080:12: note: initialize the variable 'cmd' to silence this warning int cmd; ^ = 0 Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: fix memory leak in set creationEric Leblond2017-07-171-0/+2
| | | | | | | | | | | | | | | | | | | | sudo ASAN_SYMBOLIZER_PATH=/usr/lib/llvm-3.9/bin/llvm-symbolizer nft add set inet filter blacklisddddddddddddddddddddt {type inet_service \;} ================================================================= ==25152==ERROR: LeakSanitizer: detected memory leaks Direct leak of 13 byte(s) in 1 object(s) allocated from: #0 0x45cca0 in __interceptor_strdup (/usr/local/sbin/nft+0x45cca0) #1 0x593cb1 in xstrdup /home/eric/git/netfilter/nftables/src/utils.c:75:8 #2 0x5bccb2 in nft_lex /home/eric/git/netfilter/nftables/src/scanner.l:566:22 #3 0x5cb363 in nft_parse /home/eric/git/netfilter/nftables/src/parser_bison.c:4366:16 #4 0x505a37 in nft_run /home/eric/git/netfilter/nftables/src/main.c:246:8 #5 0x50771f in main /home/eric/git/netfilter/nftables/src/main.c:392:6 #6 0x7ff7befdb2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0) SUMMARY: AddressSanitizer: 13 byte(s) leaked in 1 allocation(s). Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix memory leak when listing rulesEric Leblond2017-07-171-1/+3
| | | | | | | | | | | | | | | | | | | | | When listing rules we were calling strdup on the table name but variable was just used locally. Found via `nft list ruleset` run with ASAN: Direct leak of 4 byte(s) in 1 object(s) allocated from: #0 0x45cca0 in __interceptor_strdup (/usr/local/sbin/nft+0x45cca0) #1 0x593c71 in xstrdup /home/eric/git/netfilter/nftables/src/utils.c:75:8 #2 0x513b34 in do_list_ruleset /home/eric/git/netfilter/nftables/src/rule.c:1388:23 #3 0x50e178 in do_command_list /home/eric/git/netfilter/nftables/src/rule.c:1500:10 #4 0x50d3ea in do_command /home/eric/git/netfilter/nftables/src/rule.c:1696:10 #5 0x5061ae in nft_netlink /home/eric/git/netfilter/nftables/src/main.c:207:9 #6 0x505b87 in nft_run /home/eric/git/netfilter/nftables/src/main.c:255:8 #7 0x50771f in main /home/eric/git/netfilter/nftables/src/main.c:392:6 #8 0x7fa1f326d2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0) Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Remove __init and __exit macro definitions.Varsha Rao2017-07-177-12/+36
| | | | | | | | | | | | Add nft_init and nft_exit functions, which calls _init and _exit functions in main.c file. Remove __init and __exit macro definitions as libnftables library will be created soon. Rename realm_table_init() and realm_table_exit() functions to avoid ambiguity as realm_table_rt_init(), realm_table_meta_init, realm_table_rt_exit() and realm_table_meta_exit() in rt.c and meta.c files. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: Pass nf_sock where needed as parameterPablo Neira Ayuso2017-07-176-59/+75
| | | | | | | | | | | | This socket should not be global, it is also hidden in many layers of code. Expose it as function parameters to decouple the netlink socket handling logic from the command parsing, evaluation and bytecode generation. Joint work with Varsha Rao. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rename struct ct to ct_helperFlorian Westphal2017-07-163-16/+16
| | | | | | | Its misleading, this structure holds members for ct_helper object infrastructure, rename it. Signed-off-by: Florian Westphal <fw@strlen.de>
* parser: compact list of rhs keyword expressionsFlorian Westphal2017-07-161-56/+16
| | | | | | | | | | Condenses the copy/pastry via a define to avoid repeating this when the list gets extended. Based on earlier patch from Pablo. Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* exhtdr: pacify compiler warningFlorian Westphal2017-07-131-1/+1
| | | | | | | | | | | | gcc 7.1.1 complains: exthdr.c:41:31: warning: ā€˜%dā€™ directive output may be truncated writing between 1 and 8 bytes into a region of size 3 [-Wformat-truncation=] snprintf(buf, sizeof buf, "%d", offset); ^~ This warning is incorrect, as offset is limited by tcp option ranges, but gcc doesn't know this. Increase buffer to avoid the warning. Signed-off-by: Florian Westphal <fw@strlen.de>
* tcpopt: make tcptopt structs staticFlorian Westphal2017-07-131-8/+8
| | | | | | | not used outside of tcpopt.c, so unexport from header file and make them static. Signed-off-by: Florian Westphal <fw@strlen.de>
* include: Remove datatype_register().Varsha Rao2017-06-307-90/+37
| | | | | | | | Remove datatype_register() function and its calling __init functions. Add arguments of datatype_register() function to datatype array. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: support for wildcards in include statements.Ismo Puustinen2017-06-271-119/+107
| | | | | | | | | | | | | | | | Use glob() to find paths in include statements. The rules are these: 1. If no files can be found in the pattern with wildcards, do not return an error. 2. Do not match any files beginning with '.'. 3. Do not handle include directories anymore. For example, the statement: include "foo/" would now need to be rewritten: include "foo/*" Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add --check option flagPablo M. Bermudo Garay2017-06-261-2/+12
| | | | | | | | | Sometimes it can be useful to test if a command is valid without applying any change to the rule-set. This commit adds a new option flag (-c | --check) that performs a dry run execution of the commands. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add new generic context structure nft_ctxPablo M. Bermudo Garay2017-06-262-17/+17
| | | | | | | | | | | | | The new structure nft_ctx is meant to be used as a generic container of context information. This is a preparatory patch. So at the moment the struct just carry output_ctx on his path through main.c and cli.c. Based on original idea from Eric Leblond. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: Better error reporting for bad set referencesPablo Neira Ayuso2017-06-191-2/+3
| | | | | | | | | | | | | In case you refer to an unexisting set, bail out with: # nft add table x # nft add chain x y # nft add rule x y ip protocol vmap @reject_to_rule2; <cmdline>:1:31-46: Error: Set 'reject_to_rule2' does not exist add rule x y ip protocol vmap @reject_to_rule2 ^^^^^^^^^^^^^^^^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: merge nested set flagsPablo Neira Ayuso2017-06-191-0/+1
| | | | | | | | | | | | | | | | | | | | | | | A set may contain a nested set element definition, merge the nested set flags so we don't hit: BUG: invalid data expression type range nft: netlink.c:400: netlink_gen_data: Assertion `0' failed. Aborted With the following example ruleset: define dnat_ports = { 1234-1567 } define port_allow = { 53, # dns $dnat_ports, # dnat } add rule x y tcp dport $port_allow accept Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1145 Fixes: a6b75b837f5e ("evaluate: set: Allow for set elems to be sets") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: reject meta nfproto outside of inet familyFlorian Westphal2017-06-181-1/+14
| | | | | | | | | | | | | | | meta nfproto loads the hook family type of the current rule context in the kernel, i.e. it will be NFPROTO_IPV6 for ip6 family, NFPROTO_BRIDGE for bridge and so on. The only case where this is useful is the inet pseudo family, where this is useful to determine the real hook family (NFPROTO_IPV4 or NFPROTO_IPV6). In all other families 'meta nfproto' is either always true or false. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Pass stateless, numeric, ip2name and handle variables as structure members.Varsha Rao2017-06-1818-211/+237
| | | | | | | | | | | | | | | | | libnftables library will be created soon. So declare numeric_output, stateless_output, ip2name_output and handle_output as members of structure output_ctx, instead of global variables. Rename these variables as following, numeric_output -> numeric stateless_output -> stateless ip2name_output -> ip2name handle_output -> handle Also add struct output_ctx *octx as member of struct netlink_ctx. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: error reporting for nested ruleset representationPablo Neira Ayuso2017-06-162-52/+100
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If you load a file using the nested ruleset representation, ie. the one you get via `nft list ruleset', error reporting doesn't help you much to find the problem. For example, the following ruleset points to an unexisting chain 'x': table test { chain test { type filter hook ingress priority 0; policy drop; ip saddr { 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4 } jump x } } Error reporting is very sparse as it says: # nft -f /home/test/x /home/test/x:1:1-2: Error: Could not process rule: No such file or directory table netdev test{ ^^ So it's hard to know what is exactly missing. This patch enhances the existing logic, so nft points to the rule causing the problem, ie. # nft -f /home/test/x /home/test/x:4:17-70: Error: Could not process rule: No such file or directory ip saddr { 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4 } jump x ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The idea behind this patch is to expand the single table command into a list of individual commands, one per nested object inside the table. This expanded list is spliced into the existing list of commands. Thus, each command gets a sequence number that helps us correlate the error with the command that triggers it. This patch also includes reference counting for rules and objects. This was already in place for table, chain and sets. We need this since now we hold references to them from both the command and the table object itself. So the last reference releases the object from memory. Note that table objects still keep the list of chain, sets, etc. since the existing cache logic needs this to work. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename ct eventmask to eventFlorian Westphal2017-06-071-1/+1
| | | | | | | | ct status isn't named 'statusmask' either. Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: prefer ct event set foo,bar over 'set foo|bar'Florian Westphal2017-06-071-1/+6
| | | | | | | | Translates binop representation to a list-based one, so nft prints "ct event destroy,new" instead of 'ct event destroy|new'. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: display default directory for file inclusion in -h/--helpPablo Neira Ayuso2017-06-071-2/+2
| | | | | | | | | | | If no explicit relative or absolute path is enforced by the user, nft relies on either -I/--includepath or the default include directory that is set at compile time. Given most of our users will rely on packaged versions of nft, provide a way to display the location of this default includepath directory. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: add files in include dirs in alphabetical order.Ismo Puustinen2017-06-071-27/+70
| | | | | | | | | | | | | | | | | | This means that if you have a directory structure like this /foo /foo/02_rules.nft /foo/01_rules.nft where *.nft files in directory /foo are nft scripts, then an include statement in another nft script like this include "/foo/" guarantees that "01_rules.nft" is loaded before "02_rules.nft". Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: allow ct eventmask set new,relatedFlorian Westphal2017-06-071-3/+24
| | | | | | | | | | | | | | | | | | In case of bitmask types (tcp flags, ct eventmask) nft allows to use comma operator to test multiple values, i.e. tcp flags syn,ack ct event new,destroy etc. But currently nft fails to use this when used in a statement, i.e. ... ct eventmask set new,destroy gives: syntax error, unexpected comma This allows makes this work, it is the same as ct eventmask set new|destroy Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: permit meta nfproto ip in ip familyFlorian Westphal2017-06-061-2/+9
| | | | | | | | | | | | | | | | | | | works: add rule ip filter input ct original saddr 1.2.3.4 (family ctx init initialises network base to proto_ip). fails to parse 1.2.3.4 address: add rule ip filter input meta nfproto ipv4 ct original saddr 1.2.3.4 ... because meta_expr_pctx_update() won't find a dependency from "ip" to "ip" and then overwrites the correct base with proto_unknown. "meta nfproto ip" is useless in the ip family, as it will always match, i.e. a better (but more compliated) fix would be to remove the statement during evaluation. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: fix inet/bridge/netdev family handling for saddr/daddrFlorian Westphal2017-06-061-7/+20
| | | | | | | | | | | | | "ct orignal saddr" has an invalid data type, as the address can be either ipv4 or ipv6. For some cases we could infer it from the rhs, but there are cases where we don't have any information, e.g. when passing ct original saddr to jhash expression. So do the same thing that we do for "rt nexthop" -- error out and hint to user they need to specifiy the desired address type with "meta nfproto". Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Remove expire information from list stateless ruleset.Varsha Rao2017-06-061-1/+1
| | | | | | | | | | | | | | | | | As expires is stateful information. This patch removes expire information from list stateless ruleset. With nft -s option, the ruleset will be as following. table ip firewall { set host { type ipv4_addr flags timeout elements = { 10.0.0.2 timeout 10m } } } Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: add support for include directoriesIsmo Puustinen2017-06-061-23/+109
| | | | | | | | | | | | | | | | If a string after "include" keyword points to a directory instead of a file, consider the directory to contain only nft rule files and try to load them all. This helps with a use case where services drop their own firewall configuration files into a directory and nft needs to include those without knowing the exact file names. File loading order from the include directory is not specified, so the files inside an include directory should not depend on each other. Fixes(Bug 1154 - Allow include statement to operate on directories and/or wildcards). Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove global nftnl_batch structure in mnl layerPablo Neira Ayuso2017-05-293-83/+95
| | | | | | | | The underlying mnl layer uses a global nftnl_batch structure. Instead, pass pointer as parameter to the functions that need this. The netlink layer stores a reference to this structure in struct netlink_ctx. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expression: don't trim off unary expression on delinearizationPablo Neira Ayuso2017-05-292-7/+1
| | | | | | | | | | | This transformation introduces an unnecessary asymmetry between the linearization and delinearization steps that prevent rule deletion by name to work fine. Moreover, do not print htonl and ntonl from unary expression, this syntax is not allowed by the parser. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: avoid reference to multiple src data in statements which set valuesArturo Borrero Gonzalez2017-05-291-0/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Prevent this assert: % nft [..] tcp dport set { 0 , 1 } BUG: unknown expression type set reference nft: netlink_linearize.c:696: netlink_gen_expr: Assertion `0' failed. Aborted We can't use a set here because we will not known which value to use. With this patch, a proper error message is reported to users: % nft add rule t c tcp dport set {1, 2, 3, 4, 5} <cmdline>:1:28-42: Error: you cannot use a set here, unknown value to use add rule t c tcp dport set {1, 2, 3, 4, 5} ~~~~~~~~~~~~~~^^^^^^^^^^^^^^^ % nft add rule t c tcp dport set @s <cmdline>:1:28-29: Error: you cannot reference a set here, unknown value to use add rule t c tcp dport set @s ~~~~~~~~~~~~~~^^ This error is reported to all statements which set values. Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: add size description for constant setsPablo Neira Ayuso2017-05-261-0/+2
| | | | | | | | The kernel side can make better decisions with this information when selecting the right backend, so add this information to the set netlink message. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: reset element size counter before adding intervals to setPablo Neira Ayuso2017-05-261-0/+2
| | | | | | | Otherwise we get double the real size in terms of set elements during the interval expansion to individual elements. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: adjust set expression size accordingly with intervalsPablo Neira Ayuso2017-05-261-6/+11
| | | | | | | For implicit sets, we have to call set_to_intervals() before we add the set so we have the net size in elements. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: ip: switch implicit dependencies to meta l4proto tooFlorian Westphal2017-05-192-7/+13
| | | | | | | | | | | | | after ip6 nexthdr also switch ip to meta l4proto instead of ip protocol. While its needed for ipv6 (due to extension headers) this isn't needed for ip but it has the advantage that tcp dport 22 produces same expressions for ip/ip6/inet families. Signed-off-by: Florian Westphal <fw@strlen.de>
* payload: enforce ip/ip6 protocol depending on icmp or icmpv6Florian Westphal2017-05-191-4/+23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | After some discussion with Pablo we agreed to treat icmp/icmpv6 specially. in the case of a rule like 'tcp dport 22' the inet, bridge and netdev families only care about the lower layer protocol. In the icmpv6 case however we'd like to also enforce an ipv6 protocol check (and ipv4 check in icmp case). This extends payload_gen_special_dependency() to consider this. With this patch: add rule $pf filter input meta l4proto icmpv6 add rule $pf filter input meta l4proto icmpv6 icmpv6 type echo-request add rule $pf filter input icmpv6 type echo-request will work in all tables and all families. For inet/bridge/netdev, an ipv6 protocol dependency is added; this will not match ipv4 packets with ip->protocol == icmpv6, EXCEPT in the case of the ip family. Its still possible to match icmpv6-in-ipv4 in inet/bridge/netdev with an explicit dependency: add rule inet f i ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type ... Implicit dependencies won't get removed at the moment, so bridge ... icmp type echo-request will be shown as ether type ip meta l4proto 1 icmp type echo-request Signed-off-by: Florian Westphal <fw@strlen.de>
* src: ipv6: switch implicit dependencies to meta l4protoFlorian Westphal2017-05-192-2/+19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | when using rule like ip6 filter input tcp dport 22 nft generates: [ payload load 1b @ network header + 6 => reg 1 ] [ cmp eq reg 1 0x00000006 ] [ payload load 2b @ transport header + 2 => reg 1 ] [ cmp eq reg 1 0x00001600 ] which is: ip6 filter input ip6 nexthdr tcp dport 22 IOW, such a rule won't match if e.g. a fragment header is in place. This changes ip6_proto to use 'meta l4proto' which is the protocol header found by exthdr walk. A side effect is that for bridge we get a shorter dependency chain as it no longer needs to prepend 'ether proto ipv6' for old 'ip6 nexthdr' dep. Only problem: ip6 nexthdr tcp tcp dport 22 will now inject a (useless) meta l4 dependency as ip6 nexthdr is no longer flagged as EXPR_F_PROTOCOL, to avoid this add a small helper that skips the unneded meta dependency in that case. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: allow update of net base w. meta l4proto icmpv6Florian Westphal2017-05-191-0/+1
| | | | | | | | | | nft add rule ip6 f i meta l4proto ipv6-icmp icmpv6 type nd-router-advert <cmdline>:1:50-60: Error: conflicting protocols specified: unknown vs. icmpv6 add icmpv6 to nexthdr list so base gets updated correctly. Reported-by: Thomas Woerner <twoerner@redhat.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* payload: split ll proto dependency into helperFlorian Westphal2017-05-181-11/+18
| | | | | | | will be re-used in folloup patch for icmp/icmpv6 depenency handling. Signed-off-by: Florian Westphal <fw@strlen.de>
* netlink_delinearize: reject: remove dependency for tcp-resetsFlorian Westphal2017-05-181-0/+6
| | | | | | We can remove a l4 dependency in ip/ipv6 families. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add a comment wrt. reject dependency insertionFlorian Westphal2017-05-181-0/+8
| | | | | | | | at first I thought this was a bug but this in fact seems the right thing, add a comment/example why adding dependency as first statement makes sense. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: delete the old cache when dumping is interruptedLiping Zhang2017-05-171-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When the dumping operation is interrupted, we will restart the cache_init(), but unfortunatly, we forget to delete the old cache. So in extreme case, we will leak a huge amount of memory. Running the following commands can simulate the extreme case: # nft add table t # nft add set t s {type inet_service \;} # for i in $(seq 65000); do nft add element t s {$i} done & # while : ; do time nft list ruleset -nn done After a while, oom killer will be triggered: [ 2808.243537] Out of memory: Kill process 16975 (nft) score 649 or sacrifice child [ 2808.255372] Killed process 16975 (nft) total-vm:1955348kB, anon-rss:1952120kB, file-rss:0kB, shmem-rss:0kB [ 2858.353729] nft invoked oom-killer: gfp_mask=0x14201ca(GFP_HIGHUSER_ MOVABLE|__GFP_COLD), nodemask=(null), order=0, oom_score_adj=0 [ 2858.374521] nft cpuset=/ mems_allowed=0 ... Signed-off-by: Liping Zhang <zlpnobody@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expression: print sets and maps in pretty formatArturo Borrero Gonzalez2017-05-152-1/+59
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Print elements per line instead of all in a single line. The elements which can be 'short' are printed 5 per line, and others, like IPv4 addresses are printed 2 per line. Example: % nft list ruleset -nnn table ip t { set s { type inet_service elements = { 1, 2, 3, 4, 10, 432, 433, 434, 435, 436, 437, 438, 439, 440, 441, 442, 443, 444, 445, 446, 447, 448, 449, 450, 12345 } } map m { type inet_service . iface_index : verdict elements = { 123 . "lo" : accept, 1234 . "lo" : accept, 12345 . "lo" : accept, 12346 . "lo" : accept, 12347 . "lo" : accept } } set s3 { type ipv4_addr elements = { 1.1.1.1, 2.2.2.2, 3.3.3.3 } } } Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delink_delinearize: don't store dependency unless relop checks is eq ā†µFlorian Westphal2017-05-151-1/+1
| | | | | | | | | | | check 'ip protocol ne 6' is not a dependency for nexthdr protocol, and must not be stored as such. Fixes: 0b858391781ba308 ("src: annotate follow up dependency just after killing another") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: don't kill dependencies accross statementsFlorian Westphal2017-05-082-1/+32
| | | | | | | | | | | | | | | | | | | | nft currently translates ip protocol tcp meta mark set 1 tcp dport 22 to mark set 0x00000001 tcp dport 22 This is wrong, the latter form is same as mark set 0x00000001 ip protocol tcp tcp dport 22 and thats not correct (original rule sets mark for tcp packets only). We need to clear the dependency stack whenever we see a statement other than stmt_expr, as these will have side effects (counter, payload mangling, logging and the like). Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>