| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Introduction of the ERROR symbol is an ugly hack. There's no reason
to special case large integer values, the NUM token only exists for
small values that are needed immediately, everything else is passed
as EXPR_SYMBOL to evaluation anyways.
Additionally the error reporting is different from what we'd usually
report, the token is easy to confuse with the bison internal error
token and it even has a name, messing up bison internal diagnostics.
Simply return values to large to be handled by strtoull as STRING.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
| |
Add a helper function to dump netlink register numbers in preparation
of concat support.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
| |
Add a helper function to parse netlink register numbers in preparation
of concat support.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
| |
The netlink parsing code is full of long function calls spawning multiple
lines and in some cases parses netlink attributes multiple times.
Use local variables for the registers and other data required to
reconstruct the expressions and statements and reorder the code in
some cases to move related processing next to each other.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
| |
These are really badly chosen names, use parse_expr and parse_stmt instead.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
| |
Improve readability by using local variables for netlink attributes,
ordering variables more logically, don't arbitrarily initialize
some variables in the definition section and in the body and generally
make similar functions look similar.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
| |
Remove style discrepancies between different netlink I/O functions:
- we don't use brackets for single line statements
- most functions don't have a newline between error reporting and exit
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
| |
We include an empty line between variable definitions and code.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
| |
Waste less space and return the results of the batch/compat
functions directly.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
| |
Fix two memory leaks in netlink event monitor. Also fix a leak related
to all sets, the ->init expression is not freed.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
| |
netlink_delinearize is prepared to deal with malformed expressions from
the kernel that it doesn't understand. However since expressions are now
cloned unconditionally by netlink_get_register(), we crash before such
errors can be detected for invalid inputs.
Fix by only cloning non-NULL expressions.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a helper function to evaluate expressions used as arguments for
statements and report datatype mismatches.
Fixes acceptance of mismatching expressions like:
$ nft filter output meta mark set ip daddr
<cmdline>:1:29-36: Error: datatype mismatch: expected packet mark. expression has type IPv4 address
filter output meta mark set ip daddr
~~~~~~~~~~~~~~^^^^^^^^
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
| |
The redir and masq evaluation functions include some useless context
updates and checks.
Refactor the NAT code to have a single instance of address and transport
evaluation functions for simplicity and unified error reporting.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Modify pr_debug() to use printf so we get debugging traces for
proto-ctx when --with-mini-gmp is enabled.
Add pr_gmp_debug(), this is disabled with --with-mini-gmp since it
relies on the gmp_printf(), which is not available in the mini-gmp
implementation.
Suggested by Patrick.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CC mini-gmp.o
mini-gmp.c: In function ‘mpn_get_str_bits’:
mini-gmp.c:1176:17: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
mini-gmp.c: In function ‘mpz_and’:
mini-gmp.c:3650:8: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
mini-gmp.c: In function ‘mpz_ior’:
mini-gmp.c:3723:8: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
mini-gmp.c: In function ‘mpz_xor’:
mini-gmp.c:3792:8: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
mini-gmp.c: In function ‘mpz_set_str’:
mini-gmp.c:4167:17: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
This allows to disable linking the >400 KB big libgmp and replace it
with the builtin mini-gmp which only increases size by ~30KB.
Enabling this selectively decreases debugging verbosity (pr_debug).
Signed-off-by: Steven Barth <cyrus@openwrt.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Use stdio's vasprintf instead of gmp_vasprintf which is not part
of the mini-gmp function subset. Furthermore convert the only
gmp-specific user and allow the compiler to verify format-strings.
Signed-off-by: Steven Barth <cyrus@openwrt.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This simplifies the integer parsing logic and restricts it to
functions being part of the mini-gmp subset.
Signed-off-by: Steven Barth <cyrus@openwrt.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
A token name of VERSION results in a macro being defined
with the same name. This prevents inclusion of config.h
in commonly used headers.
Signed-off-by: Steven Barth <cyrus@openwrt.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When nft -f is used, ctx->cmd points to the table object, which
contains the corresponding chain, set and rule lists. The reject
statement evaluator relies on ctx->cmd->rule to add the payload
dependencies, which is doesn't point to the rule in that case.
This patch adds the rule context to the eval_ctx structure to update
the rule list of statements when generating dependencies, as the reject
statement needs.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=993
Reported-by: Ting-Wei Lan <lantw44@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Instead of segfaulting due to out of bound access access to protocol
context array ctx->protocol[base].location from proto_ctx_update().
# nft add rule filter input ah nexthdr tcp
nft: payload.c:88: payload_expr_pctx_update: Assertion `left->payload.base + 1 <= (__PROTO_BASE_MAX - 1)' failed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Support specification of concat types in set declarations:
add set filter test {
type ipv4_addr . inet_service
}
Netlink delinearization is changed to reconstruct the type from the id.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
| |
The kernel only stored the id so we need to be able to reconstruct
the datatype from the id only.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The id of concat datatypes is composed of the ids of the individual
datatypes. Add a define for the number of bits for each datatype id
and a mask.
The number of bits is chosen as 6, allowing for 63 datatypes, or twice
as much as we currently have. This allows for concatenations of 5
types using 32 bits.
The value is statically chosen instead of basing it on the current
numbers of datatypes since we don't want the maximum concatenation
size to vary between versions, also new versions are supposed to be
able to propery parse a ruleset generated by an older version.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
| |
Using the size is confusing since it usually holds the size of
the data. Add a new "subtypes" member, which holds the number
of datatypes the concat type is made of.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
| |
The name of a concat type is the names of the individual types concatenated
using a '.'.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nft add rule filter input iifname { "lo", "eth0" } counter
Now the listing shows:
iifname { "lo", "eth0"}
instead of:
iifname { "", ""}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Fix fallout from the automake conversion. Display after configuration
if it is enabled or not.
Reported-by: Steven Barth <cyrus@openwrt.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Small syntax update suggested by Patrick.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
| |
Free allocated memory for ->desc.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
| |
Don't use arbitrary amounts of spaces. The remaining table is
properly aligned, fix the new types.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
| |
Use proper english for full randomization option.
Signed-off-by: Patrick McHardy
|
|
|
|
|
|
| |
Just setting the .sym_tbl correctly is all we need.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
# nft list sets
Segmentation fault
# nft list sets
<cmdline>:1:1-9: Error: Could not receive sets from kernel: Protocol error
list sets
^^^^^^^^^
Fix same bug in `nft list tables'.
Don't cleanup the table object for these commands since it is NULL.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
We have to switch the byteorder of the element in
netlink_delinearize_setelem() for non-range values only.
This fixes the listing of:
nft add rule filter input ct mark { 0x10-0x20 } counter
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
integer_type
nft list table filter
...
cpu { 50331648, 33554432, 0, 16777216} counter packets 8 bytes 344
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rules with header fields that rely on the generic integer datatype
from sets are not matching, eg.
nft add rule filter input udp length { 9 } counter
This set member is an integer represented in host byte order, which
obviously doesn't match the header field (in network byte order).
Since the integer datatype has no specific byteorder, we have to rely
on the expression byteorder instead when configuring the context,
before we evaluate the list of set members.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Use constant_data_ptr() to point to the right memory position on
big endian when exporting data that is stored in a larger variable.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Tested-by: Christophe Leroy <christophe.leroy@c-s.fr>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The name of datatypes can be used in set definition so they should
follow the same logic (and maybe not contain space to avoid problem
with parsing).
This patch adds an underscore to the name of the icmp* code
datatype.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a new ERROR symbol to handle scanning of too large values.
<cmdline>:1:36-99: Error: bad value '0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
add rule ip test-ip4 input ct mark 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
instead of:
BUG: nft: scanner.l:470: nft_lex: Assertion `0' failed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Set missing field on meta expression clone.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we add this rule:
nft add rule filter input meta length 33-55
the listing shows:
meta length >= 33 meta length <= 754974720
The two meta statements share the same left-hand side, thus, only the
first one is converted from network byte order to host byte order.
Update netlink_get_register() to return a clone so each left-hand side
has its own left-hand side.
Moreover, release the existing register before overriding it with fresh
expressions in netlink_set_register().
Thefore, if you manipulate a register from any of the existing parse
functions, you have to re-set it again to place fresh modified clone.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Current code is causing a failure in adding a set containing
a really long list of elements. The failure occurs as soon as
the line is longer than flex read buffer.
When a line is longer than scanner buffer size, the code in YY_INPUT
forces a rewind to the beginning of the string because it does not
find a end of line. The result is that the string is never parsed.
This patch updates the code by rewinding till we found a space.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Otherwise parsing with basetypes doesn't work. Now nft displays
an error when the symbolic constant is not correct:
<cmdline>:1:29-31: Error: Could not parse conntrack state
add rule test test ct state xxx accept
^^^
Use .sym_tbl instead and default on the symbol_constant_parse()
function from the ethertype and pkttype, this simplifies the code and
(more importantly) it avoids a breakage after the change in
integer_type_parse().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following example:
# nft add rule filter input ct state 8 accept
Segmentation fault
leads to a crash because we have the following datatype relation:
ct_state -> bitmask -> integer
The bitmask, which is an intermediate basetype, has no parse()
function, this leads to a crash in symbolic_constant_parse().
Patrick suggested to walk down the chain until we find a parser
function.
Reported-by: leroy christophe <christophe.leroy@c-s.fr>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we use tcp reset with a network protocol that tcp is not supported,
we display an error. This error use the reject.expr location which is NULL,
therefore we have a crash. This patch replaces it using the reject statement
to display the error like:
Rule:
nft add bridge filter input ether type vlan reject with tcp reset
Output:
<cmdline>:1:46-51: Error: cannot reject this ether type
add rule bridge filter input ether type vlan reject with tcp reset
~~~~~~~~~~~~~~~ ^^^^^^
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
The missing \ at the end of the line causes LIBMNL_CFLAGS and LIBNFTNL_CFLAGS
to be ignored. This causes build failure if the libmnl or libnftnl headers are
not in a path that's already searched by the C compiler.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
For example:
nft add map filter my_vmap { type ipv4_addr : verdict\; }
nft add element filter my_vmap { 1.0.0.0 : drop}
nft add rule filter input ip saddr vmap @my_vmap
Reported-by: Bjørnar Ness <bjornar.ness@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|