summaryrefslogtreecommitdiffstats
path: root/tests/shell/testcases
Commit message (Collapse)AuthorAgeFilesLines
* optimize: ignore existing nat mappingHEADmasterPablo Neira Ayuso51 min.2-0/+2
| | | | | | | | | | | | | | | | User might be already using a nat mapping in their ruleset, use the unsupported statement when collecting statements in this case. # nft -c -o -f ruleset.nft nft: optimize.c:443: rule_build_stmt_matrix_stmts: Assertion `k >= 0' failed. Aborted The -o/--optimize feature only cares about linear rulesets at this stage, but do not hit assert() in this case. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1656 Fixes: 0a6dbfce6dc3 ("optimize: merge nat rules with same selectors into map") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: expand standalone chain that contains rulesPablo Neira Ayuso52 min.2-0/+29
| | | | | | | | | | | | | | | | Otherwise rules that this chain contains are ignored when expressed using the following syntax: chain inet filter input2 { type filter hook input priority filter; policy accept; ip saddr 1.2.3.4 tcp dport { 22, 443, 123 } drop } When expanding the chain, remove the rule so the new CMD_OBJ_CHAIN case does not expand it again. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1655 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: select merge criteria based on candidates rulesPablo Neira Ayuso19 hours2-0/+8
| | | | | | | | | | | | | Select the merge criteria based on the statements that are used in the candidate rules, instead of using the list of statements in the given chain. Update tests to include a rule with a verdict, which triggers the bug described in the bugzilla ticket. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1657 Fixes: 0a6dbfce6dc3 ("optimize: merge nat rules with same selectors into map") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support to command "destroy"Fernando F. Mancera25 hours4-0/+23
| | | | | | | | | | | | | | | | | | | | | | | | | "destroy" command performs a deletion as "delete" command but does not fail if the object does not exist. As there is no NLM_F_* flag for ignoring such error, it needs to be ignored directly on error handling. Example of use: # nft list ruleset table ip filter { chain output { } } # nft destroy table ip missingtable # echo $? 0 # nft list ruleset table ip filter { chain output { } } Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: fix incorrect expansion into concatenation with verdict mapPablo Neira Ayuso5 days2-0/+8
| | | | | | | | | | | | | | | | | | # nft -c -o -f ruleset.nft Merging: ruleset.nft:3:3-53: meta pkttype broadcast udp dport { 67, 547 } accept ruleset.nft:4:17-58: meta pkttype multicast udp dport 1900 drop into: meta pkttype . udp dport vmap { broadcast . { 67, 547 } : accept, multicast . 1900 : drop } ruleset.nft:3:38-39: Error: invalid data type, expected concatenation of (packet type, internet network service) meta pkttype broadcast udp dport { 67, 547 } accept ^^ Similar to 187c6d01d357 ("optimize: expand implicit set element when merging into concatenation") but for verdict maps. Reported-by: Simon G. Trajkovski <neur0armitage@proton.me> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: set eval ctx for add/update statements with integer constantsFlorian Westphal12 days4-0/+35
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Eric reports that nft asserts when using integer basetype constants with 'typeof' sets. Example: table netdev t { set s { typeof ether saddr . vlan id flags dynamic,timeout } chain c { } } loads fine. But adding a rule with add/update statement fails: nft 'add rule netdev t c set update ether saddr . 0 @s' nft: netlink_linearize.c:867: netlink_gen_expr: Assertion `dreg < ctx->reg_low' failed. When the 'ether saddr . 0' concat expression is processed, there is no set definition available anymore to deduce the required size of the integer constant. nft eval step then derives the required length using the data types. '0' has integer basetype, so the deduced length is 0. The assertion triggers because serialization step finds that it needs one more register. 2 are needed to store the ethernet address, another register is needed for the vlan id. Update eval step to make the expression context store the set key information when processing the preceeding set reference, then let stmt_evaluate_set() preserve the existing context instead of zeroing it again via stmt_evaluate_arg(). This makes concat expression evaluation compute the total size needed based on the sets key definition. Reported-by: Eric Garver <eric@garver.life> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: extend runtime set element automerge to cover partial deletionsPablo Neira Ayuso14 days1-1/+50
| | | | | | | | | | | | | | Perform partial deletions of an existing interval and check that the set remains in consistent state. Before the follow kernel fixes: netfilter: nft_set_rbtree: skip elements in transaction from garbage collection netfilter: nft_set_rbtree: Switch to node list walk for overlap detection without these patches, this test fails with bogus overlap reports. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Implement 'reset rule' and 'reset rules' commandsPhil Sutter2023-01-182-0/+199
| | | | | | | | Reset rule counters and quotas in kernel, i.e. without having to reload them. Requires respective kernel patch to support NFT_MSG_GETRULE_RESET message type. Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: shell: add vxlan set testsPablo Neira Ayuso2023-01-022-0/+43
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct: use inet_service_type for proto-src and proto-dstPablo Neira Ayuso2022-12-222-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | Instead of using the invalid type. Problem was uncovered by this ruleset: table ip foo { map pinned { typeof ip daddr . ct original proto-dst : ip daddr . tcp dport size 65535 flags dynamic,timeout timeout 6m } chain pr { meta l4proto tcp update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport } } } resulting in the following misleading error: map-broken.nft:10:51-82: Error: datatype mismatch: expected concatenation of (IPv4 address), expression has type concatenation of (IPv4 address, internet network service) meta l4proto tcp update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport } ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: fix shift exponent underflow in concatenation evaluationPablo Neira Ayuso2022-12-222-3/+3
| | | | | | | | | | | | | | There is an underflow of the index that iterates over the concatenation: ../include/datatype.h:292:15: runtime error: shift exponent 4294967290 is too large for 32-bit type 'unsigned int' set the datatype to invalid which is fine to evaluate a concatenation in a set/map statement. Update b8e1940aa190 ("tests: add a test case for map update from packet path with concat") so it does not need a workaround to work. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: treat invalid octal strings as stringsJeremy Sowden2022-12-221-0/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The action associated with the `{numberstring}` pattern, passes `yytext` to `strtoull` with base 0: errno = 0; yylval->val = strtoull(yytext, NULL, 0); if (errno != 0) { yylval->string = xstrdup(yytext); return STRING; } return NUM; If `yytext` begins with '0', it will be parsed as octal. However, this has unexpected consequences if the token contains non-octal characters. `09` will be parsed as 0; `0308` will be parsed as 24, because `strtoull` and its siblings stop parsing as soon as they reach a character in the input which is not valid for the base. Replace the `{numberstring}` match with separate `{hexstring}` and `{decstring}` matches. For `{decstring}` set the base to 8 if the leading character is '0', and handle an incompletely parsed token in the same way as one that causes `strtoull` to set `errno`. Thus, instead of: $ sudo nft -f - <<<' table x { chain y { ip saddr 0308 continue comment "parsed as 0.0.0.24/32" } } ' $ sudo nft list chain x y table ip x { chain y { ip saddr 0.0.0.24 continue comment "parsed as 0.0.0.24/32" } } We get: $ sudo ./src/nft -f - <<<' > table x { > chain y { > ip saddr 0308 continue comment "error" > } > } > ' /dev/stdin:4:14-17: Error: Could not resolve hostname: Name or service not known ip saddr 0308 continue comment "error" ^^^^ Add a test-case. Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932880 Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1363 Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add a test case for map update from packet path with concatFlorian Westphal2022-12-122-0/+30
| | | | | | | add a second test case for map updates, this time with both a timeout and a data element that consists of a concatenation. Signed-off-by: Florian Westphal <fw@strlen.de>
* scanner: match full comment line in case of tiePablo Neira Ayuso2022-12-121-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | add element ip filter public_services { # comment 1 tcp . 80 : jump log_accept, # comment 2 tcp . 443 : jump log_accept, } still fails with the error message: # nft -f filter_sets.ip In file included from filter_sets.ip:63:1-42: filter_sets.ip:4:12-12: Error: syntax error, unexpected newline, expecting comma or '}' # comment 2 ^ flex honors the first rule found in case of tie, place comment_line before comment rule. Fixes: 931737a17198 ("scanner: munch full comment lines") Reported-by: Jozsef Kadlecsik <kadlec@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: swap byteorder of value component in concatenation of intervalsPablo Neira Ayuso2022-12-082-0/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | Commit 1017d323cafa ("src: support for selectors with different byteorder with interval concatenations") was incomplete. Switch byteorder of singleton values in a set that contains concatenation of intervals. This singleton value is actually represented as a range in the kernel. After this patch, if the set represents a concatenation of intervals: - EXPR_F_INTERVAL denotes the lhs of the interval. - EXPR_F_INTERVAL_END denotes the rhs of the interval (this flag was already used in this way before this patch). If none of these flags are set on, then the set contains concatenations of singleton values (no interval flag is set on), in such case, no byteorder swap is required. Update tests/shell and tests/py to cover the use-case breakage reported by Eric. Fixes: 1017d323cafa ("src: support for selectors with different byteorder with interval concatenations") Reported-by: Eric Garver <eric@garver.life> Tested-by: Eric Garver <eric@garver.life> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: munch full comment linesPablo Neira Ayuso2022-12-072-0/+54
| | | | | | | | | | | Munch lines full comment lines, regular expression matches lines that start by space or tab, then # follows, finally anything including one single line break. Call reset_pos() to ensure error reporting location is not puzzled. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1196 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for selectors with different byteorder with interval concatenationsPablo Neira Ayuso2022-11-302-0/+32
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Assuming the following interval set with concatenation: set test { typeof ip saddr . meta mark flags interval } then, the following rule: ip saddr . meta mark @test requires bytecode that swaps the byteorder for the meta mark selector in case the set contains intervals and concatenations. inet x y [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] [ payload load 4b @ network header + 12 => reg 1 ] [ meta load mark => reg 9 ] [ byteorder reg 9 = hton(reg 9, 4, 4) ] <----- this is required ! [ lookup reg 1 set test dreg 0 ] This patch updates byteorder_conversion() to add the unary expression that introduces the byteorder expression. Moreover, store the meta mark range component of the element tuple in the set in big endian as it is required for the range comparisons. Undo the byteorder swap in the netlink delinearize path to listing the meta mark values accordingly. Update tests/py to validate that byteorder expression is emitted in the bytecode. Update tests/shell to validate insertion and listing of a named map declaration. A similar commit 806ab081dc9a ("netlink: swap byteorder for host-endian concat data") already exists in the tree to handle this for strings with prefix (e.g. eth*). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: handle prefix and range when merging into set + concatenationPablo Neira Ayuso2022-11-052-1/+3
| | | | | | | | | | | | | | | | The following ruleset fails to be merged using set + concatenation: meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.3.0/24 accept meta iifname eth1 ip saddr 1.1.1.2 ip daddr 2.2.4.0-2.2.4.10 accept hitting the following assertion: nft: optimize.c:585: __merge_concat_stmts: Assertion `0' failed. Abort This patch also updates tests/shell. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: deletion from interval concatenationPablo Neira Ayuso2022-10-182-0/+25
| | | | | | | | Deleting item from concatenated set stops working at least in 5.15.64. Add test to cover this use case. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1638 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: do not transfer binary operation to non-anonymous setsPablo Neira Ayuso2022-10-122-0/+37
| | | | | | | | | | | | | | | | Michael Braun says: This results for nft list ruleset in nft: netlink_delinearize.c:1945: binop_adjust_one: Assertion `value->len >= binop->right->len' failed. This is due to binop_adjust_one setting value->len to left->len, which is shorther than right->len. Additionally, it does not seem correct to alter set elements from parsing a rule, so remove that part all together. Reported-by: Michael Braun <michael-dev@fami-braun.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: bogus datatype assertion in binary operation evaluationPablo Neira Ayuso2022-10-062-0/+13
| | | | | | | | | | Use datatype_equal(), otherwise dynamically allocated datatype fails to fulfill the datatype pointer check, triggering the assertion: nft: evaluate.c:1249: expr_evaluate_binop: Assertion `expr_basetype(left) == expr_basetype(right)' failed. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1636 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: fix decomposition of unclosed intervals containing address prefixesJeremy Sowden2022-09-212-0/+42
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The code which decomposes unclosed intervals doesn't check for prefixes. This leads to incorrect output for sets which contain these. For example, # nft -f - <<END table ip t { chain c { ip saddr 192.0.0.0/2 drop ip saddr 10.0.0.0/8 drop ip saddr { 192.0.0.0/2, 10.0.0.0/8 } drop } } table ip6 t { chain c { ip6 saddr ff00::/8 drop ip6 saddr fe80::/10 drop ip6 saddr { ff00::/8, fe80::/10 } drop } } END # nft list table ip6 t table ip6 t { chain c { ip6 saddr ff00::/8 drop ip6 saddr fe80::/10 drop ip6 saddr { fe80::/10, ff00::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff } drop } } # nft list table ip t table ip t { chain c { ip saddr 192.0.0.0/2 drop ip saddr 10.0.0.0/8 drop ip saddr { 10.0.0.0/8, 192.0.0.0-255.255.255.255 } drop } } Instead of treating the final unclosed interval as a special case, reuse the code which correctly handles closed intervals. Add a shell test-case. Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1018156 Fixes: 86b965bdab8d ("segtree: fix decomposition of unclosed intervals") Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: un-break rule insert with intervalsFlorian Westphal2022-09-202-0/+5
| | | | | | | | | 'rule inet dscpclassify dscp_match meta l4proto { udp } th dport { 3478 } th sport { 3478-3497, 16384-16387 } goto ct_set_ef' works with 'nft add', but not 'nft insert', the latter yields: "BUG: unhandled op 4". Fixes: 81e36530fcac ("src: replace interval segment tree overlap and automerge") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: add stateful object comment supportFernando Fernandez Mancera2022-09-162-0/+15
| | | | | | | | | | | | | | | | | | | | | | When listing a stateful object with JSON support, the comment was ignored. Output example: { "counter": { "family": "inet", "name": "mycounter", "table": "t", "handle": 1, "comment": "my comment in counter", "packets": 0, "bytes": 0 } } Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1611 Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: add secmark object reference supportFernando Fernandez Mancera2022-09-162-0/+27
| | | | | | | | | The secmark object reference requires a json parser function and it was missing. In addition, extends the shell testcases. Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1630 Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: fix json schema version verificationFernando Fernandez Mancera2022-09-034-0/+20
| | | | | | | | | | nft should ignore malformed or missing entries of `json_schema_version` but check the value when it is integer. Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1490 Fixes: 49e0f1dc6e52 ("JSON: Add metainfo object to all output") Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: add table map statement supportFernando Fernandez Mancera2022-09-032-0/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When listing a map with statements with JSON support, the statement list were ignored. Output example: { "map": { "family": "ip", "name": "m", "table": "t", "type": "ipv4_addr", "handle": 1, "map": "mark", "stmt": [ { "counter": { "packets": 0, "bytes": 0 } } ] } } Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1588 Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: check address family in set collapseDerek Hageman2022-09-012-0/+31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 498a5f0c219d added collapsing of set operations in different commands. However, the logic is currently too relaxed. It is valid to have a table and set with identical names on different address families. For example: table ip a { set x { type inet_service; } } table ip6 a { set x { type inet_service; } } add element ip a x { 1 } add element ip a x { 2 } add element ip6 a x { 2 } The above currently results in nothing being added to the ip6 family table due to being collapsed into the ip table add. Prior to 498a5f0c219d the set add would work. The fix is simply to check the family in addition to the table and set names before allowing a collapse. [ Add testcase to tests/shell --pablo ] Fixes: 498a5f0c219d ("rule: collapse set element commands") Signed-off-by: Derek Hageman <hageman@inthat.cloud> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: add set statement list supportFernando Fernandez Mancera2022-09-012-0/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When listing a set with statements with JSON support, the statements were ignored. Output example: { "set": { "op": "add", "elem": { "payload": { "protocol": "ip", "field": "saddr" } }, "stmt": [ { "limit": { "rate": 10, "burst": 5, "per": "second" } }, { "counter": { "packets": 0, "bytes": 0 } } ], "set": "@my_ssh_meter" } } Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1495 Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: expand implicit set element when merging into concatenationPablo Neira Ayuso2022-08-302-0/+31
| | | | | | | | | | | | | | | | | | | | | | | | Generalize the existing code to deal with implicit sets. When merging a ruleset like the following: udp dport 128 iifname "foo" #1 udp dport { 67, 123 } iifname "bar" #2 into a concatenation of statements, the following expansion need to be done for rule #2: 67 . "bar" 123 . "bar" The expansion logic consists of cloning the existing concatenation being built and then append each element in the implicit set. A list of ongoing concatenations being built is maintained, so further expansions are also supported. Extend test to cover for this use-case. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1628 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Don't parse string as verdict in mapXiao Liang2022-08-191-0/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In verdict map, string values are accidentally treated as verdicts. For example: table t { map foo { type ipv4_addr : verdict elements = { 192.168.0.1 : bar } } chain output { type filter hook output priority mangle; ip daddr vmap @foo } } Though "bar" is not a valid verdict (should be "jump bar" or something), the string is taken as the element value. Then NFTA_DATA_VALUE is sent to the kernel instead of NFTA_DATA_VERDICT. This would be rejected by recent kernels. On older ones (e.g. v5.4.x) that don't validate the type, a warning can be seen when the rule is hit, because of the corrupted verdict value: [5120263.467627] WARNING: CPU: 12 PID: 303303 at net/netfilter/nf_tables_core.c:229 nft_do_chain+0x394/0x500 [nf_tables] Indeed, we don't parse verdicts during evaluation, but only chain names, which is of type string rather than verdict. For example, "jump $var" is a verdict while "$var" is a string. Fixes: c64457cff967 ("src: Allow goto and jump to a variable") Signed-off-by: Xiao Liang <shaw.leon@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* optimize: check for mergeable rulesPablo Neira Ayuso2022-08-112-0/+28
| | | | | | Rules that are equal need to have at least one mergeable statement. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: merging concatenation is unsupportedPablo Neira Ayuso2022-08-112-0/+2
| | | | | | | | | | | Existing concatenation cannot be merge at this stage, skip them otherwise this assertion is hit: nft: optimize.c:434: rule_build_stmt_matrix_stmts: Assertion `k >= 0' failed Extend existing test to cover this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* concat with dynamically sized fields like vlan idMichael Braun2022-08-112-0/+18
| | | | | | | | | | | | | | This enables commands like nft set bridge t s4 '{typeof vlan id . ip daddr; elements = { 3567 . 1.2.3.4 }; }' Which would previously fail with Error: can not use variable sized data types (integer) in concat expressions Signed-off-by: Michael Braun <michael-dev@fami-braun.de> Signed-off-by: Florian Westphal <fw@strlen.de>
* netlink_delinearize: also postprocess OP_AND in set element contextFlorian Westphal2022-08-051-0/+14
| | | | | | | | | | | | | Pablo reports: add rule netdev nt y update @macset { vlan id timeout 5s } listing still shows the raw expression: update @macset { @ll,112,16 & 0xfff timeout 5s } so also cover the 'set element' case. Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add a test case for ether and vlan listingFlorian Westphal2022-08-052-0/+20
| | | | | | | | | | before this patch series, test fails dump validation: - update @macset { ether saddr . vlan id timeout 5s } counter packets 0 bytes 0 - ether saddr . vlan id @macset + update @macset { @ll,48,48 . @ll,112,16 & 0xfff timeout 5s } counter packets 0 bytes 0 + @ll,48,48 . @ll,112,16 & 0xfff @macset Signed-off-by: Florian Westphal <fw@strlen.de>
* parser_json: fix device parsing in netdev familyPablo Neira Ayuso2022-08-021-0/+19
| | | | | | | | json_unpack() function is not designed to take a pre-allocated buffer. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1612 Fixes: 3fdc7541fba0 ("src: add multidevice support for netdev chain") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: crash when uncollapsing command with unexisting table or setPablo Neira Ayuso2022-07-071-0/+12
| | | | | | | | If ruleset update refers to an unexisting table or set, then cmd->elem.set is NULL. Fixes: 498a5f0c219d ("rule: collapse set element commands") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: report missing interval flag when using prefix/range in concatenationPablo Neira Ayuso2022-07-071-0/+16
| | | | | | | | If set declaration is missing the interval flag, and user specifies an element with either prefix or range, then bail out. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1592 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: allow prefix in ip6 scopeFlorian Westphal2022-07-072-0/+12
| | | | | | | | | | | 'ip6 prefix' is valid syntax, so make sure scanner recognizes it also in ip6 context. Also add test case. Fixes: a67fce7ffe7e ("scanner: nat: Move to own scope") Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1619 Signed-off-by: Florian Westphal <fw@strlen.de>
* segtree: fix map listing with interface wildcardPablo Neira Ayuso2022-06-271-0/+11
| | | | | | | | | | | | | | | | | | | | | # nft -f - <<'EOF' table inet filter { chain INPUT { iifname vmap { "eth0" : jump input_lan, "wg*" : jump input_vpn } } chain input_lan {} chain input_vpn {} } EOF # nft list ruleset nft: segtree.c:578: interval_map_decompose: Assertion `low->len / 8 > 0' failed. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1617 Fixes: 5e393ea1fc0a ("segtree: add string "range" reversal support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: fix segfault when adding elements to invalid setPeter Tirsek2022-06-271-0/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Adding elements to a set or map with an invalid definition causes nft to segfault. The following nftables.conf triggers the crash: flush ruleset create table inet filter set inet filter foo {} add element inet filter foo { foobar } Simply parsing and checking the config will trigger it: $ nft -c -f nftables.conf.crash Segmentation fault The error in the set/map definition is correctly caught and queued, but because the set is invalid and does not contain a key type, adding to it causes a NULL pointer dereference of set->key within setelem_evaluate(). I don't think it's necessary to queue another error since the underlying problem is correctly detected and reported when parsing the definition of the set. Simply checking the validity of set->key before using it seems to fix it, causing the error in the definition of the set to be reported properly. The element type error isn't caught, but that seems reasonable since the key type is invalid or unknown anyway: $ ./nft -c -f ~/nftables.conf.crash /home/pti/nftables.conf.crash:3:21-21: Error: set definition does not specify key set inet filter foo {} ^ [ Add tests to cover this case --pablo ] Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1597 Signed-off-by: Peter Tirsek <peter@tirsek.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* intervals: check for EXPR_F_REMOVE in case of element mismatchPablo Neira Ayuso2022-06-231-2/+18
| | | | | | | | If auto-merge is disable and element to be deleted finds no exact matching, then bail out. Fixes: 3e8d934e4f72 ("intervals: support to partial deletion with automerge") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* intervals: fix crash when trying to remove element in empty setPablo Neira Ayuso2022-06-231-0/+14
| | | | | | | The set deletion routine expects an initialized set, otherwise it crashes. Fixes: 3e8d934e4f72 ("intervals: support to partial deletion with automerge") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: release top level scopePablo Neira Ayuso2022-06-231-0/+15
| | | | | | | | | | Otherwise bogus variable redefinition are reported via -o/--optimize: redefinition.conf:5:8-21: Error: redefinition of symbol 'interface_inet' define interface_inet = enp5s0 ^^^^^^^^^^^^^^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: assume verdict is same when rules have no verdictPablo Neira Ayuso2022-06-232-0/+17
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: only merge OP_IMPLICIT and OP_EQ relationalPablo Neira Ayuso2022-06-232-0/+18
| | | | | | Add test to cover this case. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: run -c -o on rulesetPablo Neira Ayuso2022-06-231-0/+168
| | | | | | Just run -o/--optimize on a ruleset. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: add unsupported statementPablo Neira Ayuso2022-06-232-0/+21
| | | | | | | | | | | | | | | | Do not try to merge rules with unsupported statements. This patch adds a dummy unsupported statement which is included in the statement collection and the rule vs statement matrix. When looking for possible rule mergers, rules using unsupported statements are discarded, otherwise bogus rule mergers might occur. Note that __stmt_type_eq() already returns false for unsupported statements. Add a test using meta mark statement, which is not yet supported. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: fix reject statementPablo Neira Ayuso2022-06-232-0/+22
| | | | | | | | Add missing code to the statement collection routine. Compare reject expressions when available. Add tests/shell. Fixes: fb298877ece2 ("src: add ruleset optimization infrastructure") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>