| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
Iterate over the ctx->list which is where the table objects are after
calling netlink_list_tables().
Fixes: e4d21958c835 ("rule: add do_list_tables()")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Florian Westphal says:
09565a4b1ed4863d44c4509a93c50f44efd12771 ("netlink_delinearize: consolidate
range printing") causes nft to segfault on 32bit machine when printing l4proto
ranges.
The problem is that meta_expr_pctx_update() assumes that right is a value, but
after this change it can also be a range.
Thus, expr->value contents are undefined (its union). On x86_64 this is also
broken but by virtue of struct layout and pointer sizes, value->_mp_size will
almost always be 0 so mpz_get_uint8() returns 0.
But on x86-32 _mp_size will be huge value (contains expr->right pointer of
range), so we crash in libgmp.
Pablo says:
We shouldn't call pctx_update(), before the transformation we had
there a expr->op == { OP_GT, OP_GTE, OP_LT, OP_LTE }. So we never
entered that path as the assert in payload_expr_pctx_update()
indicates.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Tested-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
# nft add chain filter input { type filter hook inputt priority 0\; }
<cmdline>:1:43-48: Error: unknown chain hook inputt
add chain filter input { type filter hook inputt priority 0; }
^^^^^^
Before:
# echo $?
0
After:
# echo $?
1
Note that nft_parse() returns 1 on parsing errors and 0 + state->errs on
evaluation problems, so return -1 as other functions do here to pass up the
error to the main routine.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Instead of xfree().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Wrap code to list existing tables in a function.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Set human readable hookname chain->hookstr field from delinearize.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
# nft list tables
table ip nat
instead of:
# nft list tables
table nat
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
nft -i --debug=all
nft> add rule ip filter foo mark 42
dies with sigfpe; seems mpz doesn't like len 0:
#1 0x0805f2ee in mpz_export_data (data=0xbfeda588, op=0x9d9fb08, byteorder=BYTEORDER_HOST_ENDIAN, len=0) at gmputil.c:115
After patch this prints 0x0000002a.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
As pointed out by Patrick McHardy the order in the inet switch
in payload_gen_dependency was not consistent.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
# nft --debug=netlink add rule bridge filter input tcp dport 22
bridge filter input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 2b @ transport header + 2 => reg 1 ]
[ cmp eq reg 1 0x00001600 ]
Reported-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
In case we are reading the rules from a file we need to reset the
file descriptor to the original position when calling erec_print.
This was not the case in previous code and was leading to valid
file to be seen as invalid when treated in debug mode.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
A static array was used to read data and to write information in
it without checking the limit of the array. The result was a buffer
overflow when the line was longer than 1024.
This patch now uses a allocated buffer to avoid the problem.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
h.table stores a pointer to a nftnl table object that is gone just after
assignment. Release this object once its content is not referenced anymore.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Update the grammar to accept a MARK token as datatype.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1012
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| | |
Reconstruct the concat expressions in set data by splicing off the
subtype values based on the keytype of the set.
Signed-off-by: Patrick McHardy
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When the RHS length differs from the LHS length (which is only the
first expression), both expressions are assumed to be concat expressions.
The LHS concat expression is reconstructed from the available register
values, advancing by the number of registers required by the subexpressions'
register space, until the RHS length has been reached.
The RHS concat expression is reconstructed by splitting the data value
into multiple subexpressions based on the LHS concat expressions types.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Introduce a helper function to translate register numbers from the kernel
from the compat values to the NFT_REG32 values.
Internally we use the register numbers 0-16:
* 0 is the verdict register in both old and new addressing modes.
* 1-16 are the 32 bit data registers
The NFT_REG32_00 values are mapped to 1-16, the NFT_REG_1-NFT_REG_4
values are each use up 4 registers starting at 1 (1, 5, 9, 13).
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| |
| | |
Pad all but the last sub-expressions of a concat expressions.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| |
| |
| | |
Use the real length for reserving/releasing registers when generating
concat expressions.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Prepare netlink_linearize for 32 bit register usage:
Switch to use 16 data registers of 32 bit each. A helper function takes
care of mapping the registers to the NFT_REG32 values and, if the
register refers to the beginning of an 128 bit area, the old NFT_REG_1-4
values for compatibility.
New register reservation and release helper function take the size into
account and reserve the required amount of registers.
The reservation and release functions will so far still always allocate
128 bit. If no other expression in a rule uses a 32 bit register directly,
these will be mapped to the old register values, meaning everything
continues to work with old kernel versions.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| |
| | |
Prepare for taking the expression size into account.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Since we need to calculate the length of the entire concat type, we can
not support variable sized types where the length can't be determined
by the type.
This only affects base types since all higher types include a length.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |\ |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
I think flags should be displayed in hexadecimal and should be handled as a
bitmask.
inet/comp.t: WARNING: line: 15: 'nft add rule ip test-ip4 input comp flags 0x00': 'comp flags 0x00' mismatches 'comp flags 0'
inet/comp.t: WARNING: line: 16: 'nft add rule ip test-ip4 input comp flags != 0x23': 'comp flags != 0x23' mismatches 'comp flags != 35'
inet/comp.t: WARNING: line: 17: 'nft add rule ip test-ip4 input comp flags 0x33-0x45': 'comp flags 0x33-0x45' mismatches 'comp flags 51-69'
inet/comp.t: WARNING: line: 18: 'nft add rule ip test-ip4 input comp flags != 0x33-0x45': 'comp flags != 0x33-0x45' mismatches 'comp flags != 51-69'
inet/comp.t: WARNING: line: 19: 'nft add rule ip test-ip4 input comp flags {0x33, 0x55, 0x67, 0x88}': 'comp flags {0x33, 0x55, 0x67, 0x88}' mismatches 'comp flags { 103, 85, 51, 136}'
inet/comp.t: WARNING: line: 21: 'nft add rule ip test-ip4 input comp flags { 0x33-0x55}': 'comp flags { 0x33-0x55}' mismatches 'comp flags { 51-85}'
rfc3173 says that this is unused for future use though.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Instead of a plain integer.
This updates integer_type_print() to look up some basefmt in the change of
datatype, the first we find will be used to format the output.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
before:
table ip filter {
chain test {
cpu { 67108864, 50331648, 33554432}
}
}
after:
table ip filter {
chain test {
cpu { 4, 3, 2 }
}
}
Related to 525323352904 ("expr: add set_elem_expr as container for set element
attributes").
We'll have to revisit this once we have support to use integer datatypes from
set declarations, see: http://patchwork.ozlabs.org/patch/480068/
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |\ \ \
| |_|/
|/| | |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This patch adds a routine to the postprocess stage to check if the previous
expression statement and the current actually represent a range, so we can
provide a more compact listing, eg.
# nft -nn list table test
table ip test {
chain test {
tcp dport 22
tcp dport 22-23
tcp dport != 22-23
ct mark != 0x00000016-0x00000017
ct mark 0x00000016-0x00000017
mark 0x00000016-0x00000017
mark != 0x00000016-0x00000017
}
}
To do so, the context state stores a pointer to the current statement. This
pointer needs to be invalidated in case the current statement is replaced.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
This function encapsulates the payload expansion logic. This change in required
by the follow up patch to consolidate range printing.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
This patch is required by the range postprocess routine that comes in follow up
patches.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |/
| |
| |
| |
| |
| | |
Instead of a copy of the context variable.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The set statement is used to dynamically add or update elements in a set.
Syntax:
# nft filter input set add tcp dport @myset
# nft filter input set add ip saddr timeout 10s @myset
# nft filter input set update ip saddr timeout 10s @myset
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Syntax:
# nft add element filter test { 192.168.0.1 comment "some host" }
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Support specifying per element timeout values and displaying the expiration
time.
If an element should not use the default timeout value of the set, an
element specific value can be specified as follows:
# nft add element filter test { 192.168.0.1, 192.168.0.2 timeout 10m}
For listing of elements that use the default timeout value, just the
expiration time is shown, otherwise the element specific timeout value
is also displayed:
set test {
type ipv4_addr
timeout 1h
elements = { 192.168.0.2 timeout 10m expires 9m59s, 192.168.0.1 expires 59m59s}
}
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Timeout support can be enabled in one of two ways:
1. Using a default timeout value:
set test {
type ipv4_addr;
timeout 1h;
}
2. Using the timeout flag without a default:
set test {
type ipv4_addr;
flags timeout;
}
Optionally a garbage collection interval can be specified using
gc-interval <interval>;
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add a new expression type "set_elem_expr" that is used as container for
the key in order to attach different attributes, such as timeout values,
to the key.
The expression hierarchy is as follows:
Sets:
elem
|
key
Maps:
mapping
/ \
elem data
|
key
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Set keys are currently defined as a regular expr for pure sets and
map_lhs_expr for maps. map_lhs_expr is what can actually be used for
a single member, namely a concat_expr or a multiton_expr. The reason
why pure sets use expr for the key is to allow recursive set specifications,
which doesn't make sense for maps since every element needs a mapping.
However, the rule is too wide and also allows map expressions as a key,
which obviously doesn't make sense.
Rearrange the rules so we have:
set_lhs_expr: concat or multiton
set_rhs_expr: concat or verdict
and special case the recursive set specifications, as they deserve.
Besides making it a lot easier to understand what is actually supported,
this will be used by the following patch to support timeouts and comments
for keys in a uniform way.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| | |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| |
| |
| | |
Seperate relative time parsing and printing from the time_type to make
it usable for set and set element time related parameters.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Don't require hours to be in range 0-23 and minutes/seconds in range 0-59.
The time_type is used for relative times where it is entirely reasonable
to specify 180s instead of 3m.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| |
| | |
Properly detect time strings in the lexer without quotation marks.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
The FIXME was related to exclusion of string types from cmp length checks.
Since with fixed sized helper names the last case where this could happen
is gone, remove the FIXME and perform length checks on strings as well.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
The current kernel restricts ct helper names to 16 bytes length. Specify
this limit in the ct expression table to catch oversized strings in userspace.
Since older versions of nft didn't support larger values, this does not
negatively affect interaction with old kernel versions.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| |
| |
| | |
The LHS expression is generated twice and the register not properly released.
Fix by calling netlink_gen_range() before generating the LHS.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |/
|
|
|
|
|
|
| |
Each batch page has a size of 320 Kbytes, and the limit has been set to 256
KBytes, so the overrun area is 64 KBytes long to accomodate the largest netlink
message (sets).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nftables used to have a cache to speed up interface name <-> index lookup,
restore it using libmnl.
This reduces netlink traffic since if_nametoindex() and if_indextoname() open,
send a request, receive the list of interface and close a netlink socket for
each call. I think this is also good for consistency since nft -f will operate
with the same index number when reloading the ruleset.
The cache is populated by when nft_if_nametoindex() and nft_if_indextoname()
are used for first time. Then, it it released in the output path. In the
interactive mode, it is invalidated after each command.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Based on the existing netlink_open_error(), but indicate file and line
where the error happens. This will help us to diagnose what is going
wrong when users can back to us to report problems.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Due to change f3ff9e9 ("rule: delete extra space in rule indentation") in
function rule_print(), a missing space happens in monitor.
before this patch:
% nft monitor
add rule ip test-table test-chainip protocol tcp
after this patch:
% nft monitor
add rule ip test-table test-chain ip protocol tcp
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
