| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
Skip this optimization for non-anonymous sets, otherwise, element
deletion breaks.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Add double quotes to protect newlines when using <<< redirection.
See also commit b878cb7d83855.
Signed-off-by: Eric Jallot <ejallot@gmail.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
Requires kernel commit acab713177377
("netfilter: nf_tables: allow lookups in dynamic sets"), else the
rule add will fail.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Returns EBUSY on buggy kernels.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
changes
meter f size 1024 { ip saddr limit rate 10/second} accept
to
meter f size 1024 { ip saddr limit rate 10/second } accept
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Minimal reproducer:
```
$ cat nft.ruleset
# filters
table inet filter {
chain prerouting {
type filter hook prerouting priority -50
}
}
# dump new state
list ruleset
$ nft -c -f ./nft.ruleset
table inet filter {
chain prerouting {
Segmentation fault (core dumped)
```
The crash happens in `chain_print_declaration()`:
```
if (chain->flags & CHAIN_F_BASECHAIN) {
mpz_export_data(&policy, chain->policy->value,
BYTEORDER_HOST_ENDIAN, sizeof(int));
```
Here `chain->policy` is `NULL` (as textual rule does not mention it).
The change is not to print the policy if it's not set
(similar to `chain_evaluate()` handling).
CC: Florian Westphal <fw@strlen.de>
CC: Pablo Neira Ayuso <pablo@netfilter.org>
CC: netfilter-devel@vger.kernel.org
Bug: https://bugzilla.netfilter.org/show_bug.cgi?id=1365
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
Acked-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
This is borrowed from one of firewalld's test cases.
Signed-off-by: Eric Garver <eric@garver.life>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
Expand the test case to also check for returned rule handles in the JSON
output.
Signed-off-by: Eric Garver <eric@garver.life>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
Verify that we get the expected number of rules with --echo (i.e. the
reply wasn't truncated).
Signed-off-by: Eric Garver <eric@garver.life>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Rule that fails to be added while holding a bound set triggers
user-after-free from the abort path.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Eric Garver <eric@garver.life>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Move new chain tests for variable priority and policy to chain folder.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This patch allows you to use variables in chain policy definition, e.g.
define default_policy = "accept"
add table ip foo
add chain ip foo bar {type filter hook input priority filter; policy $default_policy}
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch allows you to use variables in chain priority definitions,
e.g.
define prio = filter
define prionum = 10
define prioffset = "filter - 150"
add table ip foo
add chain ip foo bar { type filter hook input priority $prio; }
add chain ip foo ber { type filter hook input priority $prionum; }
add chain ip foo bor { type filter hook input priority $prioffset; }
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
After the new cache system, nft raises a table error flushing a chain in
a transaction.
# nft "flush chain ip nftlb filter-newfarm ; \
add rule ip nftlb filter-newfarm update \
@persist-newfarm { ip saddr : ct mark } ; \
flush chain ip nftlb nat-newfarm"
Error: No such file or directory
flush chain ip nftlb filter-newfarm ; add rule ip nftlb (...)
^^^^^
This patch sets the cache flag properly to save this case.
Fixes: 01e5c6f0ed031 ("src: add cache level flags")
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Make sure nft behaves like 0.9.0 -- the ruleset
flush ruleset
table inet filter {
}
table inet filter {
chain test {
counter
}
}
loads again without crashing/generating an error message.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1351
Fixes: e5382c0d08e3c ("src: Support intra-transaction rule references")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This modification allow to directly add/list/delete expectations.
Signed-off-by: Stéphane Veyret <sveyret@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
# nft create table testD
# nft create chain testD test6
Error: No such file or directory
create chain testD test6
^^^^^
Handle 'create' command just like 'add' and 'insert'. Check for object
types to dump the tables for more fine grain listing, instead of dumping
the whole ruleset.
Fixes: 7df42800cf89 ("src: single cache_update() call to build cache before evaluation")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
NFT_SET_OBJECT tells there is an object map.
# nft list ruleset
table inet filter {
map countermap {
type ipv4_addr : counter
}
}
The following command fails:
# nft flush set inet filter countermap
This patch checks for NFT_SET_OBJECT from new set_is_literal() and
map_is_literal() functions. This patch also adds tests for this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This tests the installed host nft binary, which fails on my test vm.
Using the one from the working tree makes this test pass.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Problem: Its not possible to easily match both udp and tcp in a single
rule.
... input ip protocol { tcp,udp } dport 53
will not work, as bison expects "tcp dport" or "sctp dport", or any
other transport protocol name.
Its possible to match the sport and dport via raw payload expressions,
e.g.:
... input ip protocol { tcp,udp } @th,16,16 53
but its not very readable.
Furthermore, its not possible to use this for set definitions:
table inet filter {
set myset {
type ipv4_addr . inet_proto . inet_service
}
chain forward {
type filter hook forward priority filter; policy accept;
ip daddr . ip protocol . @th,0,16 @myset
}
}
# nft -f test
test:7:26-35: Error: can not use variable sized data types (integer) in concat expressions
During the netfilter workshop Pablo suggested to add an alias to do raw
sport/dport matching more readable, and make it use the inet_service
type automatically.
So, this change makes @th,0,16 work for the set definition case by
setting the data type to inet_service.
A new "th s|dport" syntax is provided as readable alternative:
ip protocol { tcp, udp } th dport 53
As "th" is an alias for the raw expression, no dependency is
generated -- its the users responsibility to add a suitable test to
select the l4 header types that should be matched.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Update tests to invoke the reset command.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
table ip filter {
ct timeout agressive-tcp {
...
policy = { established : 100, close_wait : 4, close : 4 }
^ ^ ^ ^ ^ ^
for consistency with map syntax.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
table ip filter {
ct timeout agressive-tcp {
protocol tcp;
^--- remove this semicolon
Not needed, remove it.
Fixes: c7c94802679c ("src: add ct timeout support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This patch adds a test for 24f33c710e8c ("src: enable set expiration
date for set elements").
This is also implicitly testing for a cache corruption bug that is fixed
by 9b032cd6477b ("monitor: fix double cache update with --echo").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Don't allow this:
# nft list set x __set0
table ip x {
set __set0 {
type ipv4_addr
flags constant
elements = { 1.1.1.1 }
}
}
Constant sets never change and they are attached to a rule (anonymous
flag is set on), do not list their content through this command. Do not
allow flush operation either.
After this patch:
# nft list set x __set0
Error: No such file or directory
list set x __set0
^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before:
# nft list set ip filter untracked_unknown
Error: No such file or directory; did you mean set ‘untracked_unknown’ in table ip ‘filter’?
list set ip filter untracked_unknown
^^^^^^^^^^^^^^^^^
After:
# nft list set ip filter untracked_unknown
table ip filter {
set untracked_unknown {
type ipv4_addr . inet_service . ipv4_addr . inet_service . inet_proto
size 100000
flags dynamic,timeout
}
}
Add a testcase for this too.
Reported-by: Václav Zindulka <vaclav.zindulka@tlapnet.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Do not guess handle for an unexisting rule in the kernel.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Non-unified format is useful only if the expected output is printed as
well, which is not the case.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Syntax passed to awk in that one testcase caused a warning, fix the
syntax.
Fixes: e0a9aad024809 ("tests: shell: fix tests for deletion via handle attribute")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A rule may be added before or after another one using index keyword. To
support for the other rule being added within the same batch, one has to
make use of NFTNL_RULE_ID and NFTNL_RULE_POSITION_ID attributes. This
patch does just that among a few more crucial things:
* If cache is complete enough to contain rules, update cache when
evaluating rule commands so later index references resolve correctly.
* Reduce rule_translate_index() to its core code which is the actual
linking of rules and consequently rename the function. The removed
bits are pulled into the calling rule_evaluate() to reduce code
duplication in between cache updates with and without rule reference.
* Pass the current command op to rule_evaluate() as indicator whether to
insert before or after a referenced rule or at beginning or end of
chain in cache. Exploit this from chain_evaluate() to avoid adding
the chain's rules a second time.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This reliably triggered ENOBUFS condition in mnl_batch_talk(). With the
past changes, it passes even after increasing the number of rules to
300k.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Add at least two elements to sets.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch introduces the use of nft input files variables in 'jump' and 'goto'
statements, e.g.
define dest = ber
add table ip foo
add chain ip foo bar {type filter hook input priority 0;}
add chain ip foo ber
add rule ip foo ber counter
add rule ip foo bar jump $dest
table ip foo {
chain bar {
type filter hook input priority filter; policy accept;
jump ber
}
chain ber {
counter packets 71 bytes 6664
}
}
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we've done a partial fetch of the cache and the genid is the same the
cache update will be skipped without fetching the needed items. This
change flushes the cache if the new request is more specific than the
current cache - forcing a cache update which includes the needed items.
Introduces a simple scoring system which reflects how
cache_init_objects() looks at the current command to decide if it is
finished already or not. Then use that in cache_needs_more(): If current
command's score is higher than old command's, cache needs an update.
Fixes: 816d8c7659c1 ("Support 'add/insert rule index <IDX>'")
Signed-off-by: Eric Garver <eric@garver.life>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
This reverts commit b7459b0c854fc7a0d6cd86151b81035a8edf8e63.
|
| |
|
|
|
|
|
| |
Future change is going to auto-change them to simple compare
ops rather than lookup in set with only one element.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
As discussed during NFWS 2018. Old syntax is stilled allowed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Reported-by: Laura Garcia <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
flush chain ip filter group_7933
Removes all rules, including references to set 'group_7933', however:
delete map ip filter group_7933
results in:
delete.nft:6:1-32: Error: Could not process rule: Device or resource busy
delete map ip filter group_7933
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This triggers kernel crash in 5.0, see
https://bugzilla.netfilter.org/show_bug.cgi?id=1325
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
# cat test.nft
add set x y { type ipv4_addr; }
add element x y { 10.0.24.0/24 }
# nft -f test.nft
# nft delete element x y { 10.0.24.0/24 }
bogusly returns -ENOENT. The non-matching segment (0.0.0.0 with end-flag
set on) is not added to the set in the example above.
This patch also adds a test to cover this case.
Fixes: 4935a0d561b5 ("segtree: special handling for the first non-matching segment")
Reported-by: Václav Zindulka <vaclav.zindulka@tlapnet.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Flush after rule deletion should hit no ENOENT.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
nlt is reallocated, leaking first allocation and also removing
the table name/handle that was set on nlt object.
Add a test case for this as well, the batch is supposed to fail
when trying to delete a non-existant table, rather than wiping
all tables in the same address family.
Fixes: 12c362e2214a0 ("mnl: remove alloc_nftnl_table()")
Reported-by: Mikhail Morfikov <mmorfikov@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nf_tables can handle payload exprs for sizes <= sizeof(u32) via a direct
operation from the eval loop, rather than a a call to the payload
expression. Two loads for four byte quantities are thus faster than a
single load for an 8 byte load.
ip saddr 1.2.3.4 ip daddr 2.3.4.5
is faster with this applied, even though it involves two payload and two
two compare expressions, just because all can be handled from the main
loop without any calls to expression ops.
Keep merging for linklayer and when at least one of the expressions
already exceeded the 4 byte "limit" anyway.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Should use accept/use quotes, else you can't use this with a device name
that is shared with a key word, e.g. 'device vm'.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
test files are located via find + a pattern search that looks for
_[0-9]. Previous change makes all test scripts return 0 when the
test case is supposed to pass, so the foo_$retval name is no longer
needed.
Update script to look for all executeables in the 'testcases' directory.
This makes it necessary to make two dump-files non-executeable.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
The '$' has to be escaped, else it gets replaced with an empty
value by the shell. As 'set -e' is used, that caused the first
nft command to fail.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
