| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Byteorder is not correct as it is expressed in network byteorder. This
uncovered when storing set byteorder in NFTA_USER_DATA.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Update shell/run-tests.sh to remove this new module too.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Manuel Messner <mm@skelett.io>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
the change causes non-ipv6 addresses to not be printed at all in case
a nfproto was given.
Also add a test case to catch this.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1117
Fixes: 5ab0e10fc6e2c22363a ("src: support for RFC2732 IPv6 address format with brackets")
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
These test for adding counters and quotas, to tables of different
families, and for referencing the objects in rules.
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows to write pytests using the new stateful objects.
To add an object use the symbol '%', followed by the name, type and
specifications (currently used in quota):
%cnt1 type counter;ok # Adds the counter cnt1 to all tables
%qt1 type quota over 25 mbytes;ok # Adds the quota qt1 to all tables
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the inet, bridge and netdev families, we can add rules like these:
% nft add rule inet t c ip protocol icmp icmp type echo-request
% nft add rule inet t c ip6 nexthdr icmpv6 icmpv6 type echo-request
However, when we print the ruleset:
% nft list ruleset
table inet t {
chain c {
icmpv6 type echo-request
icmp type echo-request
}
}
These rules we obtain can't be added again:
% nft add rule inet t c icmp type echo-request
<cmdline>:1:19-27: Error: conflicting protocols specified: inet-service vs. icmp
add rule inet t c icmp type echo-request
^^^^^^^^^
% nft add rule inet t c icmpv6 type echo-request
<cmdline>:1:19-29: Error: conflicting protocols specified: inet-service vs. icmpv6
add rule inet t c icmpv6 type echo-request
^^^^^^^^^^^
Since I wouldn't expect an IP packet carrying ICMPv6, or IPv6 packet
carrying ICMP, if the link layer is inet, the network layer protocol context
can be safely update to 'ip' or 'ip6'.
Moreover, nft currently generates a 'meta nfproto ipvX' depedency when
using icmp or icmp6 in the inet family, and similar in netdev and bridge
families.
While at it, a bit of code factorization is introduced.
Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1073
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Add two tests to make sure that set size checks work fine:
1) Check if set size is indeed working, this is a simple one.
2) Check if set size is correct after ENFILE error, there is bug that
adds a new spare slot everytime we hit this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This tests for a bug where elements can't be added after flushing a
full set with the flag NFTNL_SET_DESC_SIZE set.
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This tests for a bug where a repeated element is added and the set
elements counter is incorrectly increased.
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
To don't trigger false errors because of unrelated traffic on the
tested machine.
Tests, which have rules with counter and 'ok' result, are updated to
avoid new Warnings.
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Similar to connbytes extension in iptables, now you can use it to match
average bytes per packet a connection has transferred so far.
For example, match avgpkt in "BOTH" diretion:
# nft add rule x y ct avgpkt \> 100
Match avgpkt in reply direction:
# nft add rule x y ct reply avgpkt \< 900
Or match avgpkt in original direction:
# nft add rule x y ct original avgpkt \> 200
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Test adding elements to simple and interval maps.
Based on original work from Richard Mörbitz and Pablo Neira.
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This tests covers 530a82a72d15 ("evaluate: Update cache on flush
ruleset"). Make sure loading twice including an upfront ruleset flush
leaves us with an empty cache.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Include new consumed field for quota, and check for csum_flags in payload.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following command:
# nft --debug=mnl add rule x y flow table xyz { ip saddr timeout 30s counter }
breaks with EINVAL. The following netlink message is causing the
problem:
...
---------------- ------------------
| 0000000044 | | message length |
| 02572 | R--- | | type | flags |
| 0000000004 | | sequence number|
| 0000000000 | | port ID |
---------------- ------------------
| 02 00 00 00 | | extra header |
|00008|--|00002| |len |flags| type|
| 78 79 7a 00 | | data | x y z
|00008|--|00004| |len |flags| type|
| 00 00 00 01 | | data |
|00006|--|00001| |len |flags| type|
| 78 00 00 00 | | data | x
---------------- ------------------
...
This is incorrect since this describes no elements at all, so it is
useless. Add upfront check before iterating over the list of set
elements so the netlink message is not placed in the batch.
This patch also adds a set so flow tables are minimally covered.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
"dalegaard@gmail.com" reports that when inserting an element into a
verdict map, kernel crash will happen. Now add this test case so we
can avoid future regressions fail.
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Acked-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This should test the fix in commit 7222680eb328b ("parser_bison: Allow
parens on RHS of relational_expr").
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This testcase add some defines in a nft -f run and then uses
them in different spots (which are not covered in previous testcases).
* defines used to define another one
* different datatypes (numbers, strings, bits, ranges)
* usage in sets, maps, contatenatios
* single rules with single statements, multiple statements
* reuse define in same rule
Perhaps this isn't testing many different code path, but I find this
interesting to have given it will probably be one of the most common
use cases of nftables.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Use many defines in a single nft -f run.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Many testcases were masked because of bug #888. This series of patches unmasks
them
Signed-off-by: Anatole Denis <anatole@rezel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
see: 5afa5a164ff1c066af1ec56d875b91562882bd50
When a malformed set is added, it was added before erroring out, causing a
segfault further down when used. This tests for this case, ensuring that
nftables doesn't segfault but errors correctly
Signed-off-by: Anatole Denis <anatole@rezel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Now NF_LOG_XXX is exposed to the userspace, we can set it explicitly.
Like iptables LOG target, we can log TCP sequence numbers, TCP options,
IP options, UID owning local socket and decode MAC header. Note the
log flags are mutually exclusive with group.
Some examples are listed below:
# nft add rule t c log flags tcp sequence,options
# nft add rule t c log flags ip options
# nft add rule t c log flags skuid
# nft add rule t c log flags ether
# nft add rule t c log flags all
# nft add rule t c log flags all group 1
<cmdline>:1:14-16: Error: flags and group are mutually exclusive
add rule t c log flags all group 1
^^^
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
This testcase adds and deletes many elements in a set.
We add and delete 65.536 elements in two different nft -f runs.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This testcase adds and deletes many elements in a set.
We add and delete 65.536 elements in a same batch of netlink messages,
(single nft -f run).
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This testcase adds many elements in a set.
We add 65.356 elements.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Using, for example:
% sudo ./run-tests.sh testcase/mytest_0
Will result in an execution of this single testcase rather than
the complete suite.
This is useful while working with a concrete testcase.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
kernel modules"
Its not needed at the moment, all tests that need a network interface
(meta iif/oif) use the lo interface.
For iifname/oifname the network device doesn't have to exist.
We can revisit this in case we need it in the future.
(seems commit causes issues on kernels built without dummy module).
Reported-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Manuel Messner <mm@skelett.io>
|
| |
|
|
|
|
|
| |
This patch adds the notrack statement, to skip connection tracking for
certain packets.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Use range expression to negate ranges.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Remove null and zero flags from tests, to reduce the noise when running
tests.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This patch adds a several testcases for comments in set elements.
This includes the netfilter bug #1090 about comments in set interval elements.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Add support to add an offset to the hash generator, eg.
ct mark set hash ip saddr mod 10 offset 100
This will generate marks with series between 100-109.
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The hash expression requires a seed attribute to call the jhash
operation, eg.
# nft add rule x y meta mark set jhash ip saddr . ip daddr mod 2 \
seed 0xdeadbeef
With this patch the seed attribute is optional and it's generated by a
random function from userspace, eg.
# nft add rule x y meta mark set jhash ip saddr . ip daddr mod 2
The kernel will take care of generate a random seed.
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
There seems to be a bug that prevent loading a ruleset twice in a row
if the ruleset contains sets with intervals. This seems related to the
nft cache.
By the time of this commit, the bug is not fixed yet.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This directory is for testcases related to the nft cache.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This stderr output is expected.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Anders reports that:
# nft add rule ip6 filter postrouting \
flow table acct_out \{ meta iif . ip6 saddr timeout 600s counter \}
while the opposite doesn't work:
# nft add rule ip6 filter postrouting \
flow table acct_out \{ ip6 saddr . meta iif timeout 600s counter \}
netlink_gen_flow_stmt() relies on the flow table key, that is expressed
as a set element. Use the set element key instead to skip the set
element wrap, otherwise get_register() abort execution:
nft: netlink_linearize.c:650: netlink_gen_expr: Assertion `dreg < ctx->reg_low' failed.
Reported-by: Anders K. Pedersen <akp@cohaesio.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
The new cover test for:
ct mark set numgen inc mod 2 offset 100
was lacking the payload file chunk.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
with meta nfproto, which generates a bit fewer instructions.
Signed-off-by: Anders K. Pedersen <akp@cohaesio.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds the 'fib' expression which can be used to
obtain the output interface from the route table based on either
source or destination address of a packet.
This can be used to e.g. add reverse path filtering:
# drop if not coming from the same interface packet
# arrived on
# nft add rule x prerouting fib saddr . iif oif eq 0 drop
# accept only if from eth0
# nft add rule x prerouting fib saddr . iif oif eq "eth0" accept
# accept if from any valid interface
# nft add rule x prerouting fib saddr oif accept
Querying of address type is also supported. This can be used
to e.g. only accept packets to addresses configured in the same
interface:
# fib daddr . iif type local
Its also possible to use mark and verdict map, e.g.:
# nft add rule x prerouting meta mark set 0xdead fib daddr . mark type vmap {
blackhole : drop,
prohibit : drop,
unicast : accept
}
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Introduce rt expression for routing related data with support for nexthop
(i.e. the directly connected IP address that an outgoing packet is sent
to), which can be used either for matching or accounting, eg.
# nft add rule filter postrouting \
ip daddr 192.168.1.0/24 rt nexthop != 192.168.0.1 drop
This will drop any traffic to 192.168.1.0/24 that is not routed via
192.168.0.1.
# nft add rule filter postrouting \
flow table acct { rt nexthop timeout 600s counter }
# nft add rule ip6 filter postrouting \
flow table acct { rt nexthop timeout 600s counter }
These rules count outgoing traffic per nexthop. Note that the timeout
releases an entry if no traffic is seen for this nexthop within 10 minutes.
# nft add rule inet filter postrouting \
ether type ip \
flow table acct { rt nexthop timeout 600s counter }
# nft add rule inet filter postrouting \
ether type ip6 \
flow table acct { rt nexthop timeout 600s counter }
Same as above, but via the inet family, where the ether type must be
specified explicitly.
"rt classid" is also implemented identical to "meta rtclassid", since it
is more logical to have this match in the routing expression going forward.
Signed-off-by: Anders K. Pedersen <akp@cohaesio.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
... and remove those keywords we no longer need.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Add support to add an offset to the numgen generated value.
Example:
ct mark set numgen inc mod 2 offset 100
This will generate marks with serie like 100, 101, 100, ...
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
'unicast' doesn't check for unicast packets; it checks for PACKET_HOST,
i.e. a packet coming in for this host.
A unicast address to some other machine (e.g. because nic is
in promisc mode) will have PACKET_OTHER.
So at best this is misleading, so this patch changes it
to 'host'. The unicast entry is retained for compat purpose.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Let's keep the kernel_cleanup() function updated with latest
kernel changes:
* added nft_quota, nft_queue, nft_numgen, nft_range
* rename nft_hash to nft_set_hash
* keep nft_hash as well
* rename nft_rbtree to nft_set_rbtree
The idea is to run each test in a clean evironment.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Using variable definitions from element command doesn't work, eg.
-test.nft-
define whitelist_v4 = { 1.1.1.1 }
table inet filter {
set whitelist_v4 { type ipv4_addr; }
}
add element inet filter whitelist_v4 $whitelist_v4
-EOF-
# nft -f test.nft
test.nft:7:38-38: Error: syntax error, unexpected '$', expecting '{'
add element inet filter whitelist_v4 $whitelist_v4
^
Fix this by using set_block_expr rule for every element command.
This patch also comes with a new regression test.
Reported-by: Leon Merten Lohse <leon@green-side.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Acctually, ct l3proto and ct protocol are unrelated to direction, so
it's unnecessary that we must specify dir if we want to use them.
Now add support that we can match ct l3proto/protocol without direction:
# nft add rule filter input ct l3proto ipv4
# nft add rule filter output ct protocol 17
Note: existing syntax is still preserved, so "ct reply l3proto ipv6"
is still fine.
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Use new range expression in the kernel to fix wrong bytecode generation.
This patch also adjust tests so we don't hit problems there.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
