| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
Fixes: 1188a69604c3 ("src: introduce SYNPROXY matching")
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for "synproxy" statement. For example (for TCP port 8888):
table ip x {
chain y {
type filter hook prerouting priority raw; policy accept;
tcp dport 8888 tcp flags syn notrack
}
chain z {
type filter hook input priority filter; policy accept;
tcp dport 8888 ct state invalid,untracked synproxy mss 1460 wscale 7 timestamp sack-perm
ct state invalid drop
}
}
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Forgot to add a json test case for the recently added ct ip addr in map case.
Fix up rawpayload.t for json, it needs to expect new "th dport" when
listing.
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nft can load but not list this:
table inet filter {
chain input {
ct original ip daddr {1.2.3.4} accept
}
}
Problem is that the ct template length is 0, so we believe the right hand
side is a concatenation because left->len < set->key->len is true.
nft then calls abort() during concatenation parsing.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1222
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These keys are available since kernel >= 4.17.
You can still use NFT_CT_{SRC,DST}, however, you need to specify 'meta
protocol' in first place to provide layer 3 context.
Note that NFT_CT_{SRC,DST} are broken with set, maps and concatenations.
This patch is implicitly fixing these cases.
If your kernel is < 4.17, you can still use address matching via
explicit meta nfproto:
meta nfproto ipv4 ct original saddr 1.2.3.4
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
On families other than 'ip', the rule
ip protocol icmp
needs a dependency on the ip protocol so we do not treat e.g. an ipv6
header as ip.
Bridge currently uses eth_hdr.type for this, but that will cause the
rule above to not match in case the ip packet is within a VLAN tagged
frame -- ether.type will appear as ETH_P_8021Q.
Due to vlan tag stripping, skb->protocol will be ETH_P_IP -- so prefer
to use this instead.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
This reverts commit d03bcb669c0c645190df9bd166f53380bcac7862.
|
| |
|
|
|
|
|
|
| |
future change will rewrite all single-element anon sets to a cmp op.
Retain a few test cases to later check that the rewrite is correct, but
remove all others.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
Looks like original patch missed this one.
Fixes: 88ba0c92754d8 ("tests: fix up expected payloads after expr merge change")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Family may be specified also if no address is given at the same time,
make parser/printer tolerant to that. Also fix for missing/incorrect
JSON equivalents in tests/py.
While being at it, fix two issues in non-JSON tests:
* Ruleset is printed in numeric mode, so use 'l4proto 6' instead of
'l4proto tcp' in rules to avoid having to specify expected output for
that unrelated bit.
* In ip and ip6 family tables, family parameter is not deserialized on
output.
Fixes: 3edb96200690b ("parser_bison: missing tproxy syntax with port only for inet family")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Fixes: 12adf747a3f62 ("tests: py: add osf tests with versions")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Add the missing bits to JSON parser, printer, man page and testsuite.
Fixes: fbe27464dee45 ("src: add nat support for the inet family")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
consider a simple ip6 nat table:
table ip6 nat { chain output {
type nat hook output priority 0; policy accept;
dnat to dead:2::99
}
Now consider same ruleset, but using 'table inet nat':
nft now lacks context to determine address family to parse 'to $address'.
This adds code to make the following work:
table inet nat { [ .. ]
# detect af from network protocol context:
ip6 daddr dead::2::1 dnat to dead:2::99
# use new dnat ip6 keyword:
dnat ip6 to dead:2::99
}
On list side, the keyword is only shown in the inet family, else the
short version (dnat to ...) is used as the family is redundant when the
table already mandates the ip protocol version supported.
Address mismatches such as
table ip6 { ..
dnat ip to 1.2.3.4
are detected/handled during the evaluation phase.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
# nft add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy ip to :2000
Error: syntax error, unexpected colon
add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy ip to :2000
^
Syntax with no protocol for tproxy complains with:
# nft add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy to :2000
Error: Conflicting network layer protocols.
add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy to :2000
^^^^^^^^^^^^^^^
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1310
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
nft currently doesn't do payload merging anymore in some cases,
so fix up the expected output.
Fixes: ce2651222911 ("payload: refine payload expr merging")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Having to use numerical values for ttl property in JSON is not
practical as these values are arbitrary and meaningful only in
netfilter. Instead align JSON output/input with standard API, accepting
names for TTL matching strategy.
Also add missing documentation in libnftables-json man page and fix JSON
equivalent in tests/py.
Fixes: 03eafe098d5ee ("osf: add ttl option support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for ttl option in "osf" expression. Example:
table ip foo {
chain bar {
type filter hook input priority filter; policy accept;
osf ttl skip name "Linux"
}
}
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Those were forgotten when renaming meta secpath to meta ipsec.
Fixes: 8f55ed41d0070 ("src: rename meta secpath to meta ipsec")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Of all possible TCP flags, 'ecn' is special since it is recognized by
lex as a keyword (there is a a field in IPv4 and IPv6 headers with the
same name). Therefore it is listed in keyword_expr, but that was
sufficient for RHS only. The following statement reproduces the issue:
| tcp flags & (syn | ecn) == (syn | ecn)
The solution is to limit binop expressions to accept an RHS expression
on RHS ("real" LHS expressions don't make much sense there anyway),
which then allows keyword_expr to occur there. In order to maintain the
recursive behaviour if braces are present, allow primary_rhs_expr to
consist of a basic_rhs_expr enclosed in braces. This in turn requires
for braced RHS part in relational_expr to be dropped, otherwise bison
complains about shift/reduce conflict.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows matching on ipsec tunnel/beet addresses in xfrm state
associated with a packet, ipsec request id and the SPI.
Examples:
ipsec in ip saddr 192.168.1.0/24
ipsec out ip6 daddr @endpoints
ipsec in spi 1-65536
Joint work with Florian Westphal.
Cc: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
for symmetry with 'rt ipsec'. "meta secpath" still works.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
This special operator is required for cases where missing operator does
not lead to same results as equal operator, i.e. with bitmasks on RHS.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Instead of the generic "left" and "right", use "key" and "value".
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Change the rather generic "left" and "right" into "key" and "data" as
suggested at NFWS.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
For raw payloads, property "name" is not needed, it's clearly identified
by base/offset/len properties.
In non-raw payload expressions, rename property "name" to "protocol" as
suggested during NFWS.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Lessons learned from fwd statement: We must not assume a given
statement/expression may not receive further properties in the future.
Therefore make meta value an object with a property "key" instead of
just a string containing the key name.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 3e6ab2b335142 added restraints on reject types for bridge and
inet families but aparently those were too strict: If a rule in e.g.
inet family contained a match which introduced a protocol dependency,
icmpx type rejects were disallowed for no obvious reason.
Allow icmpx type rejects in inet family regardless of protocol
dependency since we either have IPv4 or IPv6 traffic in there and for
both icmpx is fine.
Merge restraints in bridge family with those for TCP reset since it
already does what is needed, namely checking that ether proto is either
IPv4 or IPv6.
Fixes: 3e6ab2b335142 ("evaluate: reject: check in bridge and inet the network context in reject")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
So the following rule to set the conntrack mark based on the OS passive
recognition works:
# nft add rule x y ct mark set osf name map { "Windows" : 1, "MacOs" : 2 }
Fixes: 9f28b685b473 ("src: introduce passive OS fingerprint matching")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This can be used like ct mark or meta mark except it cannot be set. doc
and tests are included.
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
got following bug report:
nft add ... ct mark set mark and 0x10
... always sets 0.
What reporter meant to write instead was 'ct mark', not 'mark'.
We can't just remove support for 'mark' and force
'meta mark', but we can start to discourage it by printing meta prefix too.
Later on, we could start to print deprecation warning if needed.
Followup patch can also change
"iifname" etc. to "meta iifname".
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The original intent was to fix a bug: The following rule in inet table:
| meta nfproto ipv4 icmpv6 type echo-reply
Was added correctly but when printing the meta match was falsely
removed. The fix is to deny dependency killing if RHS family of nfproto
match doesn't match RHS family of l4proto match. Adding this to the
already large conditional led to even more unreadable code, therefore
this patch tries to clean that up (and also removes the partial code
duplication.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
| |
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This way JSON format is more consistent with the standard one.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This adds the missing JSON variant for the two rules which are supposed
to work.
Fixes: 2efbdf7b8fcf7 ("tests: py: allow to specify sets with a timeout")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Sometimes we may hit this because script is too slow to remove the
element with timeout from the set.
inet/sets.t: ERROR: line 18: I cannot delete element dead::beef timeout 1s from the set set2
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 6979625686ec ("relational: Eliminate meta OPs") introduced some
bugs when printing bitmask types.
First, during the post-processing phase of delinearization, the
expression for "tcp flags syn" (PAYLOAD & flag != 0) gets converted to
PAYLOAD == flag, which is not equivalent. This should be
PAYLOAD (IMPL) flag.
Then, during output, the "==" sign from "tcp flags == syn" is dropped,
because the bitmask condition in must_print_eq_op() was removed. Let's
restore it, so that "tcp flags == syn" doesn't get printed as
"tcp flags syn". An extra check for value types is added, so that we
don't start printing "==" for sets such as "tcp flags {syn,ack}"
Finally, add a regression test for this particular case.
Fixes: 6979625686ec ("relational: Eliminate meta OPs")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This extends nft-test.py by optional JSON testing capabilities,
activated via '-j'/'--enable-json' parameter).
JSON testing happens for all rules which are supposed to work: After a
rule has been added and the existing tests (payload, ruleset listing
output) have been performed, basically the same test is done again using
a recorded JSON equivalent and (if necessary) a recorded listing output.
The code tries to ease new test case creation overhead by
auto-generating JSON equivalent input via listing the (non-JSON) rule in
JSON format. Also, differing netlink debug and listing output are stored
in *.got files to assist in analyzing/fixing failing test cases.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Not usable yet, as the set timeout netlink output isn't captured so far,
but it adds groundwork to add this as a follow-up.
Set definition syntax changes a little, if you want to
add multiple elements they now have to be separated by "," just
like in nftables.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
The first expression in that rule is not eliminated in evaluation phase,
so there is no reason why it should be while delinearizing.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
