summaryrefslogtreecommitdiffstats
path: root/tests/shell
Commit message (Collapse)AuthorAgeFilesLines
* segtree: fix decomposition of unclosed intervals containing address prefixesJeremy Sowden11 days2-0/+42
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The code which decomposes unclosed intervals doesn't check for prefixes. This leads to incorrect output for sets which contain these. For example, # nft -f - <<END table ip t { chain c { ip saddr 192.0.0.0/2 drop ip saddr 10.0.0.0/8 drop ip saddr { 192.0.0.0/2, 10.0.0.0/8 } drop } } table ip6 t { chain c { ip6 saddr ff00::/8 drop ip6 saddr fe80::/10 drop ip6 saddr { ff00::/8, fe80::/10 } drop } } END # nft list table ip6 t table ip6 t { chain c { ip6 saddr ff00::/8 drop ip6 saddr fe80::/10 drop ip6 saddr { fe80::/10, ff00::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff } drop } } # nft list table ip t table ip t { chain c { ip saddr 192.0.0.0/2 drop ip saddr 10.0.0.0/8 drop ip saddr { 10.0.0.0/8, 192.0.0.0-255.255.255.255 } drop } } Instead of treating the final unclosed interval as a special case, reuse the code which correctly handles closed intervals. Add a shell test-case. Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1018156 Fixes: 86b965bdab8d ("segtree: fix decomposition of unclosed intervals") Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* evaluate: un-break rule insert with intervalsFlorian Westphal12 days2-0/+5
| | | | | | | | | 'rule inet dscpclassify dscp_match meta l4proto { udp } th dport { 3478 } th sport { 3478-3497, 16384-16387 } goto ct_set_ef' works with 'nft add', but not 'nft insert', the latter yields: "BUG: unhandled op 4". Fixes: 81e36530fcac ("src: replace interval segment tree overlap and automerge") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: add stateful object comment supportFernando Fernandez Mancera2022-09-162-0/+15
| | | | | | | | | | | | | | | | | | | | | | When listing a stateful object with JSON support, the comment was ignored. Output example: { "counter": { "family": "inet", "name": "mycounter", "table": "t", "handle": 1, "comment": "my comment in counter", "packets": 0, "bytes": 0 } } Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1611 Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: add secmark object reference supportFernando Fernandez Mancera2022-09-162-0/+27
| | | | | | | | | The secmark object reference requires a json parser function and it was missing. In addition, extends the shell testcases. Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1630 Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: fix json schema version verificationFernando Fernandez Mancera2022-09-034-0/+20
| | | | | | | | | | nft should ignore malformed or missing entries of `json_schema_version` but check the value when it is integer. Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1490 Fixes: 49e0f1dc6e52 ("JSON: Add metainfo object to all output") Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: add table map statement supportFernando Fernandez Mancera2022-09-032-0/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When listing a map with statements with JSON support, the statement list were ignored. Output example: { "map": { "family": "ip", "name": "m", "table": "t", "type": "ipv4_addr", "handle": 1, "map": "mark", "stmt": [ { "counter": { "packets": 0, "bytes": 0 } } ] } } Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1588 Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: check address family in set collapseDerek Hageman2022-09-012-0/+31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 498a5f0c219d added collapsing of set operations in different commands. However, the logic is currently too relaxed. It is valid to have a table and set with identical names on different address families. For example: table ip a { set x { type inet_service; } } table ip6 a { set x { type inet_service; } } add element ip a x { 1 } add element ip a x { 2 } add element ip6 a x { 2 } The above currently results in nothing being added to the ip6 family table due to being collapsed into the ip table add. Prior to 498a5f0c219d the set add would work. The fix is simply to check the family in addition to the table and set names before allowing a collapse. [ Add testcase to tests/shell --pablo ] Fixes: 498a5f0c219d ("rule: collapse set element commands") Signed-off-by: Derek Hageman <hageman@inthat.cloud> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* json: add set statement list supportFernando Fernandez Mancera2022-09-012-0/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When listing a set with statements with JSON support, the statements were ignored. Output example: { "set": { "op": "add", "elem": { "payload": { "protocol": "ip", "field": "saddr" } }, "stmt": [ { "limit": { "rate": 10, "burst": 5, "per": "second" } }, { "counter": { "packets": 0, "bytes": 0 } } ], "set": "@my_ssh_meter" } } Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1495 Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: expand implicit set element when merging into concatenationPablo Neira Ayuso2022-08-302-0/+31
| | | | | | | | | | | | | | | | | | | | | | | | Generalize the existing code to deal with implicit sets. When merging a ruleset like the following: udp dport 128 iifname "foo" #1 udp dport { 67, 123 } iifname "bar" #2 into a concatenation of statements, the following expansion need to be done for rule #2: 67 . "bar" 123 . "bar" The expansion logic consists of cloning the existing concatenation being built and then append each element in the implicit set. A list of ongoing concatenations being built is maintained, so further expansions are also supported. Extend test to cover for this use-case. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1628 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Don't parse string as verdict in mapXiao Liang2022-08-191-0/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In verdict map, string values are accidentally treated as verdicts. For example: table t { map foo { type ipv4_addr : verdict elements = { 192.168.0.1 : bar } } chain output { type filter hook output priority mangle; ip daddr vmap @foo } } Though "bar" is not a valid verdict (should be "jump bar" or something), the string is taken as the element value. Then NFTA_DATA_VALUE is sent to the kernel instead of NFTA_DATA_VERDICT. This would be rejected by recent kernels. On older ones (e.g. v5.4.x) that don't validate the type, a warning can be seen when the rule is hit, because of the corrupted verdict value: [5120263.467627] WARNING: CPU: 12 PID: 303303 at net/netfilter/nf_tables_core.c:229 nft_do_chain+0x394/0x500 [nf_tables] Indeed, we don't parse verdicts during evaluation, but only chain names, which is of type string rather than verdict. For example, "jump $var" is a verdict while "$var" is a string. Fixes: c64457cff967 ("src: Allow goto and jump to a variable") Signed-off-by: Xiao Liang <shaw.leon@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* optimize: check for mergeable rulesPablo Neira Ayuso2022-08-112-0/+28
| | | | | | Rules that are equal need to have at least one mergeable statement. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: merging concatenation is unsupportedPablo Neira Ayuso2022-08-112-0/+2
| | | | | | | | | | | Existing concatenation cannot be merge at this stage, skip them otherwise this assertion is hit: nft: optimize.c:434: rule_build_stmt_matrix_stmts: Assertion `k >= 0' failed Extend existing test to cover this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: check for a tainted kernelFlorian Westphal2022-08-111-0/+16
| | | | | | | If a test case results in a kernel taint (WARN splat for example), make sure the test script indicates this. Signed-off-by: Florian Westphal <fw@strlen.de>
* concat with dynamically sized fields like vlan idMichael Braun2022-08-112-0/+18
| | | | | | | | | | | | | | This enables commands like nft set bridge t s4 '{typeof vlan id . ip daddr; elements = { 3567 . 1.2.3.4 }; }' Which would previously fail with Error: can not use variable sized data types (integer) in concat expressions Signed-off-by: Michael Braun <michael-dev@fami-braun.de> Signed-off-by: Florian Westphal <fw@strlen.de>
* netlink_delinearize: also postprocess OP_AND in set element contextFlorian Westphal2022-08-051-0/+14
| | | | | | | | | | | | | Pablo reports: add rule netdev nt y update @macset { vlan id timeout 5s } listing still shows the raw expression: update @macset { @ll,112,16 & 0xfff timeout 5s } so also cover the 'set element' case. Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add a test case for ether and vlan listingFlorian Westphal2022-08-052-0/+20
| | | | | | | | | | before this patch series, test fails dump validation: - update @macset { ether saddr . vlan id timeout 5s } counter packets 0 bytes 0 - ether saddr . vlan id @macset + update @macset { @ll,48,48 . @ll,112,16 & 0xfff timeout 5s } counter packets 0 bytes 0 + @ll,48,48 . @ll,112,16 & 0xfff @macset Signed-off-by: Florian Westphal <fw@strlen.de>
* parser_json: fix device parsing in netdev familyPablo Neira Ayuso2022-08-021-0/+19
| | | | | | | | json_unpack() function is not designed to take a pre-allocated buffer. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1612 Fixes: 3fdc7541fba0 ("src: add multidevice support for netdev chain") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: crash when uncollapsing command with unexisting table or setPablo Neira Ayuso2022-07-071-0/+12
| | | | | | | | If ruleset update refers to an unexisting table or set, then cmd->elem.set is NULL. Fixes: 498a5f0c219d ("rule: collapse set element commands") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: report missing interval flag when using prefix/range in concatenationPablo Neira Ayuso2022-07-071-0/+16
| | | | | | | | If set declaration is missing the interval flag, and user specifies an element with either prefix or range, then bail out. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1592 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* scanner: allow prefix in ip6 scopeFlorian Westphal2022-07-072-0/+12
| | | | | | | | | | | 'ip6 prefix' is valid syntax, so make sure scanner recognizes it also in ip6 context. Also add test case. Fixes: a67fce7ffe7e ("scanner: nat: Move to own scope") Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1619 Signed-off-by: Florian Westphal <fw@strlen.de>
* segtree: fix map listing with interface wildcardPablo Neira Ayuso2022-06-271-0/+11
| | | | | | | | | | | | | | | | | | | | | # nft -f - <<'EOF' table inet filter { chain INPUT { iifname vmap { "eth0" : jump input_lan, "wg*" : jump input_vpn } } chain input_lan {} chain input_vpn {} } EOF # nft list ruleset nft: segtree.c:578: interval_map_decompose: Assertion `low->len / 8 > 0' failed. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1617 Fixes: 5e393ea1fc0a ("segtree: add string "range" reversal support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: fix segfault when adding elements to invalid setPeter Tirsek2022-06-271-0/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Adding elements to a set or map with an invalid definition causes nft to segfault. The following nftables.conf triggers the crash: flush ruleset create table inet filter set inet filter foo {} add element inet filter foo { foobar } Simply parsing and checking the config will trigger it: $ nft -c -f nftables.conf.crash Segmentation fault The error in the set/map definition is correctly caught and queued, but because the set is invalid and does not contain a key type, adding to it causes a NULL pointer dereference of set->key within setelem_evaluate(). I don't think it's necessary to queue another error since the underlying problem is correctly detected and reported when parsing the definition of the set. Simply checking the validity of set->key before using it seems to fix it, causing the error in the definition of the set to be reported properly. The element type error isn't caught, but that seems reasonable since the key type is invalid or unknown anyway: $ ./nft -c -f ~/nftables.conf.crash /home/pti/nftables.conf.crash:3:21-21: Error: set definition does not specify key set inet filter foo {} ^ [ Add tests to cover this case --pablo ] Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1597 Signed-off-by: Peter Tirsek <peter@tirsek.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* intervals: check for EXPR_F_REMOVE in case of element mismatchPablo Neira Ayuso2022-06-231-2/+18
| | | | | | | | If auto-merge is disable and element to be deleted finds no exact matching, then bail out. Fixes: 3e8d934e4f72 ("intervals: support to partial deletion with automerge") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* intervals: fix crash when trying to remove element in empty setPablo Neira Ayuso2022-06-231-0/+14
| | | | | | | The set deletion routine expects an initialized set, otherwise it crashes. Fixes: 3e8d934e4f72 ("intervals: support to partial deletion with automerge") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftables: release top level scopePablo Neira Ayuso2022-06-231-0/+15
| | | | | | | | | | Otherwise bogus variable redefinition are reported via -o/--optimize: redefinition.conf:5:8-21: Error: redefinition of symbol 'interface_inet' define interface_inet = enp5s0 ^^^^^^^^^^^^^^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: assume verdict is same when rules have no verdictPablo Neira Ayuso2022-06-232-0/+17
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: only merge OP_IMPLICIT and OP_EQ relationalPablo Neira Ayuso2022-06-232-0/+18
| | | | | | Add test to cover this case. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: run -c -o on rulesetPablo Neira Ayuso2022-06-231-0/+168
| | | | | | Just run -o/--optimize on a ruleset. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: add unsupported statementPablo Neira Ayuso2022-06-232-0/+21
| | | | | | | | | | | | | | | | Do not try to merge rules with unsupported statements. This patch adds a dummy unsupported statement which is included in the statement collection and the rule vs statement matrix. When looking for possible rule mergers, rules using unsupported statements are discarded, otherwise bogus rule mergers might occur. Note that __stmt_type_eq() already returns false for unsupported statements. Add a test using meta mark statement, which is not yet supported. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: fix reject statementPablo Neira Ayuso2022-06-232-0/+22
| | | | | | | | Add missing code to the statement collection routine. Compare reject expressions when available. Add tests/shell. Fixes: fb298877ece2 ("src: add ruleset optimization infrastructure") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: remove comment after mergingPablo Neira Ayuso2022-06-231-3/+3
| | | | | | | | | Remove rule comment after merging rules, let the user decide if they want to reintroduce the comment in the ruleset file. Update optimizations/merge_stmt test. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: do not merge rules with set reference in rhsPablo Neira Ayuso2022-06-232-0/+57
| | | | | | | Otherwise set reference ends up included in an anonymous set, as an element, which is not supported. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* intervals: do not report exact overlaps for new elementsPablo Neira Ayuso2022-06-191-0/+22
| | | | | | | | | | | | | | | | | | | | Two new elements that represent an exact overlap should not trigger an error. add table t add set t s { type ipv4_addr; flags interval; } add element t s { 1.0.1.0/24 } ... add element t s { 1.0.1.0/24 } result in a bogus error. # nft -f set.nft set.nft:1002:19-28: Error: conflicting intervals specified add element t s { 1.0.1.0/24 } ^^^^^^^^^^ Fixes: 3da9643fb9ff ("intervals: add support to automerge with kernel elements") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: runtime set element automergePablo Neira Ayuso2022-06-131-0/+64
| | | | | | Add a test to cover runtime set element automerge. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Revert "scanner: flags: move to own scope"Florian Westphal2022-06-101-0/+10
| | | | | | | | | | | | | | | | | | | | | | | Excess nesting of scanner scopes is very fragile and error prone: rule `iif != lo ip daddr 127.0.0.1/8 counter limit rate 1/second log flags all prefix "nft_lo4 " drop` fails with `Error: No symbol type information` hinting at `prefix` Problem is that we nest via: counter limit log flags By the time 'prefix' is scanned, state is still stuck in 'counter' due to this nesting. Working around "prefix" isn't enough, any other keyword, e.g. "level" in 'flags all level debug' will be parsed as 'string' too. So, revert this. Fixes: a16697097e2b ("scanner: flags: move to own scope") Reported-by: Christian Göttsche <cgzones@googlemail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: shell: remove leftover modules on cleanupPablo Neira Ayuso2022-06-021-0/+1
| | | | | | After ./run-tests.sh no nf_tables modules are left in place. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: reset ctx->set after set interval evaluationPablo Neira Ayuso2022-06-012-0/+28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Otherwise bogus error reports on set datatype mismatch might occur, such as: Error: datatype mismatch, expected Internet protocol, expression has type IPv4 address meta l4proto { tcp, udp } th dport 443 dnat to 10.0.0.1 ~~~~~~~~~~~~ ^^^^^^^^^^^^ with an unrelated set declaration. table ip test { set set_with_interval { type ipv4_addr flags interval } chain prerouting { type nat hook prerouting priority dstnat; policy accept; meta l4proto { tcp, udp } th dport 443 dnat to 10.0.0.1 } } This bug has been introduced in the evaluation step. Reported-by: Roman Petrov <nwhisper@gmail.com> Fixes: 81e36530fcac ("src: replace interval segment tree overlap and automerge)" Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: shell: sets_with_ifnames release netns on exitPablo Neira Ayuso2022-06-011-0/+1
| | | | | | | Missing ip netns del call from cleanup() Fixes: d6fdb0d8d482 ("sets_with_ifnames: add test case for concatenated range") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: segfault when releasing unsupported statementPablo Neira Ayuso2022-06-012-0/+12
| | | | | | | | | Call xfree() instead since stmt_alloc() does not initialize the statement type fields. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1609 Fixes: ea1f1c9ff608 ("optimize: memleak in statement matrix") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* sets_with_ifnames: add test case for concatenated rangeFlorian Westphal2022-05-092-24/+94
| | | | | | | Refactor existing test case for simple interace name ranges (without concatenations) to also cover "addr . ifname". Signed-off-by: Florian Westphal <fw@strlen.de>
* optimize: merge nat rules with same selectors into mapPablo Neira Ayuso2022-05-032-0/+59
| | | | | | | | | | | | | | | | | | | | | | | Verdict and nat are mutually exclusive, no need to support for this combination. # cat ruleset.nft table ip x { chain y { type nat hook postrouting priority srcnat; policy drop; ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80 ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90 } } # nft -o -c -f ruleset.nft Merging: ruleset.nft:4:3-52: ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80 ruleset.nft:5:3-52: ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90 into: snat to ip saddr . tcp dport map { 1.1.1.1 . 8000 : 4.4.4.4 . 80, 2.2.2.2 . 8001 : 5.5.5.5 . 90 } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: incorrect logic in verdict comparisonPablo Neira Ayuso2022-05-031-1/+1
| | | | | | | | Keep inspecting rule verdicts before assuming they are equal. Update existing test to catch this bug. Fixes: 1542082e259b ("optimize: merge same selector with different verdict into verdict map") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add concat test case with integer base type subkeyFlorian Westphal2022-04-184-0/+30
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* intervals: add support to automerge with kernel elementsPablo Neira Ayuso2022-04-132-0/+37
| | | | | | | | | | | | | | | | | | Extend the interval codebase to support for merging elements in the kernel with userspace element updates. Add a list of elements to be purged to cmd and set objects. These elements representing outdated intervals are deleted before adding the updated ranges. This routine splices the list of userspace and kernel elements, then it mergesorts to identify overlapping and contiguous ranges. This splice operation is undone so the set userspace cache remains consistent. Incrementally update the elements in the cache, this allows to remove dd44081d91ce ("segtree: Fix add and delete of element in same batch"). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* segtree: add support for get element with sets that contain ifnamesFlorian Westphal2022-04-131-1/+20
| | | | | | | | | | | | | | | | nft get element inet filter s { bla, prefixfoo } table inet filter { set s { type ifname flags interval elements = { "prefixfoo*", "bla" } } Also add test cases for this. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add testcases for interface names in setsFlorian Westphal2022-04-132-0/+111
| | | | | | | | | | | | | Add initial test case, sets with names and interfaces, anonymous and named ones. Check match+no-match. netns with ppp1 and ppq veth, send packets via both interfaces. Rule counters should have incremented on the three rules. (that match on set that have "abcdef1" or "abcdef*" strings in them). Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* optimize: Restore optimization for raw payload expressionsPablo Neira Ayuso2022-03-292-0/+63
| | | | | | | | This patch reverts d0f14b5337e7 ("optimize: do not merge raw payload expressions") after adding support for concatenation with variable length TYPE_INTEGER. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow to use integer type header fields via typeof set declarationPablo Neira Ayuso2022-03-292-0/+47
| | | | | | | | | | | | | | | Header fields such as udp length cannot be used in concatenations because it is using the generic integer_type: test.nft:3:10-19: Error: can not use variable sized data types (integer) in concat expressions typeof udp length . @th,32,32 ^^^^^^^^^^~~~~~~~~~~~~ This patch slightly extends ("src: allow to use typeof of raw expressions in set declaration") to set on NFTNL_UDATA_SET_KEY_PAYLOAD_LEN in userdata if TYPE_INTEGER is used. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: allow to use typeof of raw expressions in set declarationPablo Neira Ayuso2022-03-294-0/+60
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Use the dynamic datatype to allocate an instance of TYPE_INTEGER and set length and byteorder. Add missing information to the set userdata area for raw payload expressions which allows to rebuild the set typeof from the listing path. A few examples: - With anonymous sets: nft add rule x y ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e } - With named sets: table x { set y { typeof ip saddr . @ih,32,32 elements = { 1.1.1.1 . 0x14 } } } Incremental updates are also supported, eg. nft add element x y { 3.3.3.3 . 0x28 } expr_evaluate_concat() is used to evaluate both set key definitions and set key values, using two different function might help to simplify this code in the future. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expression: typeof verdict needs verdict datatypePablo Neira Ayuso2022-03-292-0/+6
| | | | | | | | | | | | | | | | | Otherwise listing breaks showing [invalid type] notice. # nft list ruleset table inet x { map y { typeof ip saddr : verdict elements = { 1.1.1.1 : 0x1010101 [invalid type] } } } Update tests to cover this usecase. Fixes: 4ab1e5e60779 ("src: allow use of 'verdict' in typeof definitions") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>