| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
Fixes: bridge/vlan.t: WARNING: line 56: ...
Fixes: 8b9ae77598b4 ("tests: never merge across non-expression statements redux 2")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
Turns out I also love to forget about nft-test.py -j.
Fixes: 99ab1b8feb16 ("rule: never merge across non-expression statements")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The existing logic can merge across non-expression statements,
if there is only one payload expression.
Example:
ether saddr 00:11:22:33:44:55 counter ether type 8021q
is turned into
counter ether saddr 00:11:22:33:44:55 ether type 8021q
which isn't the same thing.
Fix this up and add test cases for adjacent vlan and ip header
fields. 'Counter' serves as a non-merge fence.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
Can be used in bridge prerouting hook to divert a packet
to the ip stack for routing.
This is a replacement for "ebtables -t broute" functionality.
Link: https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230224095251.11249-1-sriram.yagnaraman@est.tech/
Signed-off-by: Sriram Yagnaraman <sriram.yagnaraman@est.tech>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
vlan id uses integer type (which has a length of 0).
Using it was possible, but listing would assert:
python: mergesort.c:24: concat_expr_msort_value: Assertion `ilen > 0' failed.
There are two reasons for this.
First reason is that the udata/typeof information lacks the 'vlan id'
part, because internally this is 'payload . binop(payload AND mask)'.
binop lacks an udata store. It makes little sense to store it,
'typeof' keyword expects normal match syntax.
So, when storing udata, store the left hand side of the binary
operation, i.e. the load of the 2-byte key.
With that resolved, delinerization could work, but concat_elem_expr()
would splice 12 bits off the elements value, but it should be 16 (on
a byte boundary).
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
"ether saddr 0:1:2:3:4:6 vlan id 2" works, but reverse fails:
"vlan id 2 ether saddr 0:1:2:3:4:6" will give
Error: conflicting protocols specified: vlan vs. ether
After "proto: track full stack of seen l2 protocols, not just cumulative offset",
we have a list of all l2 headers, so search those to see if we had this
proto base in the past before rejecting this.
Reported-by: Eric Garver <eric@garver.life>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
Add userspace support for the netdev egress hook which is queued up for
v5.16-rc1, complete with documentation and tests. Usage is identical to
the ingress hook.
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pablo says:
user reports that this is broken:
nft --debug=netlink add rule bridge filter forward vlan id 100 vlan id set 200
[..]
[ payload load 2b @ link header + 14 => reg 1 ]
[..]
[ payload load 2b @ link header + 28 => reg 1 ]
[ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x0000c800 ]
[ payload write reg 1 => 2b @ link header + 14 csum_type 0 csum_off 0 csum_flags 0x0 ]
offset says 28, it is assuming q-in-q, in this case it is mangling the
existing header.
The problem here is that 'vlan id set 200' needs a read-modify-write
cycle because 'vlan id set' has to preserve bits located in the same byte area
as the vlan id.
The first 'payload load' at offset 14 is generated via 'vlan id 100',
this part is ok.
The second 'payload load' at offset 28 is the bogus one.
Its added as a dependency, but then adjusted because nft evaluation
considers this identical to 'vlan id 1 vlan id '2, where nft assumes
q-in-q.
To fix this, skip offset adjustments for raw expressions and mark the
dependency-generated payload instruction as such.
This is fine because raw payload operations assume that user specifies
base/offset/length manually.
Also add a test case for this.
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
meta protocol is meaningful in bridge, netdev and inet families, do
not remove this.
Fixes: 056aaa3e6dc6 ("netlink_delinearize: Refactor meta_may_dependency_kill()")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The kernel already assumes that that ICMP type to reject a packet is
destination-unreachable, hence the user specifies the *ICMP code*.
Simplify the syntax to:
... reject with icmp port-unreachable
this removes the 'type' keyword before the ICMP code to reject the
packet with.
IIRC, the original intention is to leave room for future extensions that
allow to specify both the ICMP type and the ICMP code, this is however
not possible with the current inconsistent syntax.
Update manpages which also refer to ICMP type.
Adjust tests/py to the new syntax.
Fixes: 5fdd0b6a0600 ("nft: complete reject support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
The test case exists twice, once with new dei, once with old 'cfi',
so we need to retain the cfi one in the json file too.
Else we get:
WARNING: line 2: Wrote JSON equivalent for rule vlan id 4094 vlan dei 1
Fixes: d2fba515ff94 ("src: add vlan dei")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
the CFI bit has been repurposed as DEI "Drop Eligible Indicator"
since 802.1Q-2011.
The vlan cfi field is still retained for compatibility.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1516
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Previous patches added "8021ad" mnemonic for IEEE 802.1AD frame type.
This adds the 8021q shorthand for the existing 'vlan' frame type.
nft will continue to recognize 'ether type vlan', but listing
will now print 8021q.
Adjust all test cases accordingly.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
Check nft doesn't remove the explicit '8021ad' type check and that
the expected dependency chains are generated.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
No need to reduce output size, also this way output is more predictable.
While being at it, drop some pointless chunks from
tests/py/bridge/reject.t.json.output.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
| |
libnftnl has been changed to bring the format of registers in bitwise
dumps in line with those in other types of expression. Update the
expected output of Python test-cases.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Fix warnings and errors when running nf-test.py -j due to missing json test case updates.
This also makes bridge/reject.t pass in json mode.
No code changes.
Fixes: 8615ed93f6e4c4 ("evaluate: enable reject with 802.1q")
Fixes: fae0a0972d7a71 ("tests: py: Enable anonymous set rule with concatenated ranges in inet/sets.t")
Fixes: 2a20b5bdbde8a1 ("datatype: add frag-needed (ipv4) to reject options")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This enables the use nft bridge reject with bridge vlan filtering.
It depends on a kernel patch to make the kernel preserve the
vlan id in nft bridge reject generation.
[ pablo: update tests/py ]
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Despite being explicitly mentioned as available, prerouting and
postrouting hooks are not used, filter-pre and filter-post chains
are both built to hook on input.
Fixes: 25851df85e85 ("tests: regression: revisit chain tests")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This allows you to match the bridge pvid and vlan protocol, for
instance:
nft add rule bridge firewall zones meta ibrvproto vlan
nft add rule bridge firewall zones meta ibrpvid 100
Signed-off-by: wenxu <wenxu@ucloud.cn>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes
ERROR: did not find JSON equivalent for rule 'ether type vlan ip
protocol 1 accept'
when running
./nft-test.py -j bridge/vlan.t
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Given the following bridge rules:
1. ip protocol icmp accept
2. ether type vlan vlan type ip ip protocol icmp accept
The are currently both dumped by "nft list ruleset" as
1. ip protocol icmp accept
2. ip protocol icmp accept
Though, the netlink code actually is different
bridge filter FORWARD 4
[ payload load 2b @ link header + 12 => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
[ immediate reg 0 accept ]
bridge filter FORWARD 5 4
[ payload load 2b @ link header + 12 => reg 1 ]
[ cmp eq reg 1 0x00000081 ]
[ payload load 2b @ link header + 16 => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
[ immediate reg 0 accept ]
What happens here is that:
1. vlan type ip kills ether type vlan
2. ip protocol icmp kills vlan type ip
Fix this by avoiding the removal of all vlan statements
in the given example.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
On families other than 'ip', the rule
ip protocol icmp
needs a dependency on the ip protocol so we do not treat e.g. an ipv6
header as ip.
Bridge currently uses eth_hdr.type for this, but that will cause the
rule above to not match in case the ip packet is within a VLAN tagged
frame -- ether.type will appear as ETH_P_8021Q.
Due to vlan tag stripping, skb->protocol will be ETH_P_IP -- so prefer
to use this instead.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
bridge family
add rule bridge test-bridge input reject with icmp type ...
is shown as
ether type ip reject type ...
i.e., the dependency is not removed.
Allow dependency removal -- this adds a problem where some icmp types
will be shortened to 'reject', losing the icmp ipv4 dependency.
Next patch resolves this problem by disabling short-hand abbreviations
for bridge reject statements.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This special operator is required for cases where missing operator does
not lead to same results as equal operator, i.e. with bitmasks on RHS.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Instead of the generic "left" and "right", use "key" and "value".
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
For raw payloads, property "name" is not needed, it's clearly identified
by base/offset/len properties.
In non-raw payload expressions, rename property "name" to "protocol" as
suggested during NFWS.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Lessons learned from fwd statement: We must not assume a given
statement/expression may not receive further properties in the future.
Therefore make meta value an object with a property "key" instead of
just a string containing the key name.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 3e6ab2b335142 added restraints on reject types for bridge and
inet families but aparently those were too strict: If a rule in e.g.
inet family contained a match which introduced a protocol dependency,
icmpx type rejects were disallowed for no obvious reason.
Allow icmpx type rejects in inet family regardless of protocol
dependency since we either have IPv4 or IPv6 traffic in there and for
both icmpx is fine.
Merge restraints in bridge family with those for TCP reset since it
already does what is needed, namely checking that ether proto is either
IPv4 or IPv6.
Fixes: 3e6ab2b335142 ("evaluate: reject: check in bridge and inet the network context in reject")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
got following bug report:
nft add ... ct mark set mark and 0x10
... always sets 0.
What reporter meant to write instead was 'ct mark', not 'mark'.
We can't just remove support for 'mark' and force
'meta mark', but we can start to discourage it by printing meta prefix too.
Later on, we could start to print deprecation warning if needed.
Followup patch can also change
"iifname" etc. to "meta iifname".
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This extends nft-test.py by optional JSON testing capabilities,
activated via '-j'/'--enable-json' parameter).
JSON testing happens for all rules which are supposed to work: After a
rule has been added and the existing tests (payload, ruleset listing
output) have been performed, basically the same test is done again using
a recorded JSON equivalent and (if necessary) a recorded listing output.
The code tries to ease new test case creation overhead by
auto-generating JSON equivalent input via listing the (non-JSON) rule in
JSON format. Also, differing netlink debug and listing output are stored
in *.got files to assist in analyzing/fixing failing test cases.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
The first expression in that rule is not eliminated in evaluation phase,
so there is no reason why it should be while delinearizing.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Legacy tool name is 'brctl' and so the 'br' prefix is already known. If
we use ibrname and obrname it looks consistent with iifname and oifname.
So let's this instead of ibridgename and obridgename since Florian likes
this too.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For bridge, iifname is the port name, whereas 'ibrport' is the
logical name of the bridge ("br0") the port ("iifname") is enslaved to.
So, 'ibrport' is a misnomer.
libnftl calls these 'bri_iifname' and 'bri_oifname', which is good
but using 'briiifname' in nft is rather ugly, so use 'ibridgename'
and 'obridgename' instead.
Old names are still recognized, listing shows the new names.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
both of these rules succeed, but they should fail instead.
nft removes the ip6 nexthdr' clause, but this is not correct, it is an
explicit test for the ipv6 nexthdr value.
Implicit dependencies use meta l4proto to skip extension headers
(if any), ipv6 nexthdr does not.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
after previous change nft now culls the dependency chain:
'icmpv6 type echo-request' is shown as-is, and not
'meta nfproto ipv6 meta l4proto 58 icmpv6 type echo-request' anymore.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This test checks bug identified and fixed in the commit mentioned below
In a statement if there are multiple src data then it would be
totally ambiguous to decide which value to set.
Before the commit was made it returned 134(BUG), but now it returns 1
i.e, an error message.
Following rules tests ambiguity while setting the value:
$ sudo nft add rule ip test-ip4 output ct mark set {0x11333, 0x11}
<cmdline>:1:41-55: Error: you cannot use a set here, unknown value to use
add rule ip test-ip4 output ct mark set {0x11333, 0x11}
~~~~~~~~~~~~^^^^^^^^^^^^^^^
Test: 986dea8 ("evaluate: avoid reference to multiple src data in
statements which set values")
Signed-off-by: Shyam Saini <mayhs11saini@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
We can delete some of the payload files now as ip/ip6/inet produce
same implicit meta l4proto dep.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
After previous commit nft generates meta l4proto for ipv6 dependencies
instead of checking the (first) nexthdr value.
This fixes up all tests cases accordingly except one which fails with
ip6/reject.t: ... 12: 'ip6 nexthdr 6 reject with tcp reset' mismatches 'meta l4proto 6 reject with tcp reset'
This will be fixed by removing the implicit dependency in a followup patch.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
... to avoid resetting e.g. the ssh session to the vm that runs
nft-test.py.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the inet, bridge and netdev families, we can add rules like these:
% nft add rule inet t c ip protocol icmp icmp type echo-request
% nft add rule inet t c ip6 nexthdr icmpv6 icmpv6 type echo-request
However, when we print the ruleset:
% nft list ruleset
table inet t {
chain c {
icmpv6 type echo-request
icmp type echo-request
}
}
These rules we obtain can't be added again:
% nft add rule inet t c icmp type echo-request
<cmdline>:1:19-27: Error: conflicting protocols specified: inet-service vs. icmp
add rule inet t c icmp type echo-request
^^^^^^^^^
% nft add rule inet t c icmpv6 type echo-request
<cmdline>:1:19-29: Error: conflicting protocols specified: inet-service vs. icmpv6
add rule inet t c icmpv6 type echo-request
^^^^^^^^^^^
Since I wouldn't expect an IP packet carrying ICMPv6, or IPv6 packet
carrying ICMP, if the link layer is inet, the network layer protocol context
can be safely update to 'ip' or 'ip6'.
Moreover, nft currently generates a 'meta nfproto ipvX' depedency when
using icmp or icmp6 in the inet family, and similar in netdev and bridge
families.
While at it, a bit of code factorization is introduced.
Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1073
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Include new consumed field for quota, and check for csum_flags in payload.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before previous commit, ether set (payload statement) was reversed on
output:
ether daddr set 00:03:2d:2b:74:ec
would be shown as 'ec:74:2b:2d:03:00'.
With ff:ff:ff ... such bug doesn't appear so use something
where it will show up.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
... and fix missing line in ip6 test.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
Original patch posted in the mailing list from Patrick, I have refreshed
this so it applies on top of current HEAD.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
... else rule like vlan pcp 1-3 won't work and will be displayed
as 0-0 (reverse direction already works since range is represented
as two lte/gte compare expressions).
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This generates the same code as bridge does, but it includes this check
in first place.
[ meta load iiftype => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
The test files have been adapted to the syntax defined in the previous
commit "tests/py: modify supported test file syntax"
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
Rearrange the directory to obtain a better organization of files and
tests-suites.
We end with a tree like this:
tests
|
.--- py
.--- shell
.--- files
This was suggested by Pablo.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
