| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for inet ingress chains.
table inet filter {
chain ingress {
type filter hook ingress device "veth0" priority filter; policy accept;
}
chain input {
type filter hook input priority filter; policy accept;
}
chain forward {
type filter hook forward priority filter; policy accept;
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Fixes: 3926a3369bb5 ("mergesort: unbreak listing with binops")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Fixes: 741a06ac15d2 ("mergesort: find base value expression type via recursion")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Fixes: dcec7d57559a ("ct: Add support for the 'id' key")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch enables the user to specify a comment when adding a chain.
Relies on kernel space supporting userdata for chains.
> nft add table ip filter
> nft add chain ip filter input { comment "test"\; type filter hook input priority 0\; policy accept\; }
> list ruleset
table ip filter {
chain input {
comment "test"
type filter hook input priority filter; policy accept;
}
}
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
--terse with --json is ignored, fix this. This patch also includes a test.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1388
Signed-off-by: Gopal Yadav <gopunop@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch extends the protocol context infrastructure to track multiple
transport protocols when they are specified from sets.
This removes errors like:
"transport protocol mapping is only valid after transport protocol match"
when invoking:
# nft add rule x z meta l4proto { tcp, udp } dnat to 1.1.1.1:80
This patch also catches conflicts like:
# nft add rule x z ip protocol { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80
Error: conflicting protocols specified: udp vs. tcp
add rule x z ip protocol { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80
^^^^^^^^^
and:
# nft add rule x z meta l4proto { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80
Error: conflicting protocols specified: udp vs. tcp
add rule x z meta l4proto { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80
^^^^^^^^^
Note that:
- the singleton protocol context tracker is left in place until the
existing users are updated to use this new multiprotocol tracker.
Moving forward, it would be good to consolidate things around this new
multiprotocol context tracker infrastructure.
- link and network layers are not updated to use this infrastructure
yet. The code that deals with vlan conflicts relies on forcing
protocol context updates to the singleton protocol base.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
If nft crashes or hits an assertion, the last command run shows in the
/tmp/nftables-test.log file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before this patch grammar supported specifying multiple comments, and
only the last value would be assigned.
This patch adds a function to test if an attribute is already assigned
and, if so, calls erec_queue with this attribute location.
Use this function in order to check for duplication (or more) of comments
for actions that support it.
> nft add table inet filter { flags "dormant"\; comment "test"\; comment "another"\;}
Error: You can only specify this once. This statement is duplicated.
add table inet filter { flags dormant; comment test; comment another;}
^^^^^^^^^^^^^^^^
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Enables specifying an optional comment when declaring named objects. The
comment is to be specified inside the object's block ({} block)
Relies on libnftnl exporting nftnl_obj_get_data and kernel space support
to store the comments.
For consistency, this patch makes the comment be printed first when
listing objects.
Adds a testcase importing all commented named objects except for secmark,
although it's supported.
Example: Adding a quota with a comment
> add table inet filter
> nft add quota inet filter q { over 1200 bytes \; comment "test_comment"\; }
> list ruleset
table inet filter {
quota q {
comment "test_comment"
over 1200 bytes
}
}
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Sets that store flags might contain a mixture of values and binary
operations. Find the base value type via recursion to compare the
expressions.
Make sure concatenations are listed in a deterministic way via
concat_expr_msort_value() which builds a mpz value with the tuple.
Adjust a few tests after this update since listing differs after this
update.
Fixes: 14ee0a979b62 ("src: sort set elements in netlink_get_setelems()")
Fixes: 3926a3369bb5 ("mergesort: unbreak listing with binops")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds userdata building logic if a comment is specified when creating a
new table. Adds netlink userdata parsing callback function.
Relies on kernel supporting userdata for nft_table.
Example:
> nft add table ip x { comment "test"\; }
> nft list ruleset
table ip x {
comment "test"
}
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ticket https://bugzilla.netfilter.org/show_bug.cgi?id=1449 showed
an issue with rbtree overlap detection coming from the fact that,
after tree rotations performed as part of tree rebalancing, caused
by deletions, end elements are not necessarily descendants of their
corresponding start elements.
Add single-sized elements, delete every second one of them, and
re-add them (they will always be full overlaps) in order to check
overlap detection after tree rotations.
Port indices used in the sets are pseudo-random numbers generated
with Marsaglia's Xorshift algorithm with triplet (5, 3, 1), chosen
for k-distribution over 16-bit periods, which gives a good
statistical randomness and forces 201 rebalancing operations out of
250 deletions with the chosen seed (1).
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
tcp flags == {syn, syn|ack}
tcp flags & (fin|syn|rst|psh|ack|urg) == {ack, psh|ack, fin, fin|psh|ack}
results in:
BUG: Unknown expression binop
nft: mergesort.c:47: expr_msort_cmp: Assertion `0' failed.
Aborted (core dumped)
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Extend and slightly rework tests/shell to cover this case too.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Allow users to add a comment when declaring a named set.
Adds set output handling the comment in both nftables and json
format.
$ nft add table ip x
$ nft add set ip x s {type ipv4_addr\; comment "some_addrs"\; elements = {1.1.1.1, 1.2.3.4}}
$ nft list ruleset
table ip x {
set s {
type ipv4_addr;
comment "some_addrs"
elements = { 1.1.1.1, 1.2.3.4 }
}
}
$ nft --json list ruleset
{
"nftables": [
{
"metainfo": {
"json_schema_version": 1,
"release_name": "Capital Idea #2",
"version": "0.9.6"
}
},
{
"table": {
"family": "ip",
"handle": 4857,
"name": "x"
}
},
{
"set": {
"comment": "some_addrs",
"elem": [
"1.1.1.1",
"1.2.3.4"
],
"family": "ip",
"handle": 1,
"name": "s",
"table": "x",
"type": "ipv4_addr"
}
}
]
}
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Mike Dillinger reported issues with insertion of entries into sets
supporting intervals that were denied because of false conflicts with
elements that were already expired. Partial failures would occur to,
leading to the generation of new intervals the user didn't specify,
as only the opening or the closing elements wouldn't be inserted.
The reproducer provided by Mike looks like this:
#!/bin/bash
nft list set ip filter blacklist4-ip-1m
for ((i=1;i<=10;i++)); do
nft add element filter blacklist4-ip-1m {$i.$i.$i.$i}
sleep 1
done
nft list set ip filter blacklist4-ip-1m
which, run in a loop at different intervals, show the different kind
of failures.
Extend the existing test case for overlapping and non-overlapping
intervals to systematically cover sets with a configured timeout.
As reported by Pablo, the test would fail if we keep a one-second
timeout if it runs on a "slow" kernel (e.g. with KASan), using the
libtool wrapper in src/nft as $NFT, because we can't issue 218
commands within one second. To avoid that, introduce an adaptive
timeout based on how many times we can list a single entry with a
fixed one-second timeout.
On a single 2.9GHz AMD Epyc 7351 thread:
test run nft commands/s timeout
- src/nft libtool wrapper, KASan: 68.4s 10 32s
- nft binary, KASan: 5.1s 168 2s
- src/nft libtool wrapper, w/o KASan: 18.3s 37 8s
- nft binary, w/o KASan: 2.4s 719 1s
While at it, fix expectation for insertion of '15-20 . 50-60' (it's
expected to succeed, given the list), and the reason why I didn't
notice: a simple command preceded by ! won't actually result in
the shell exiting, even if it fails. Add some clearer failure reports
too.
v2:
- adjust set timeouts to nft commands/s
- fix checks on expected outcome of insertions and reports
Reported-by: Mike Dillinger <miked@softtalker.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The test won't stop if we simply precede commands expected to fail
by !. POSIX.1-2017 says:
-e
When this option is on, if a simple command fails for any of
the reasons listed in Consequences of Shell Errors or returns
an exit status value >0, and is not part of the compound list
following a while, until or if keyword, and is not a part of
an AND or OR list, and is not a pipeline preceded by the "!"
reserved word, then the shell will immediately exit.
...but I didn't care about the last part.
Replace those '! nft ...' commands by 'nft ... && exit 1' to actually
detect failures.
As a result, I didn't notice that now, correctly, inserting elements
into a set that contains the same exact element doesn't actually
fail, because nft doesn't pass NLM_F_EXCL on a simple 'add'. Drop
re-insertions from the checks we perform here, overlapping elements
are already covered by other tests.
Fixes: 618393c6b3f2 ("tests: Introduce test for set with concatenated ranges")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following ruleset crashes nft if loaded twice, via nft -ef:
add table inet filter
delete table inet filter
table inet filter {
chain input {
type filter hook input priority filter; policy drop;
iifname { "eth0" } counter accept
}
}
If the table contains anonymous sets, such as __set0, then delete + add
table might result in nft reusing the existing stale __set0 in the cache.
The problem is that nft gets confused and it reuses the existing stale
__set0 instead of the new anonymous set __set0 with the same name.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
| |
Extend test to cover for negative value in chain priority definition.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Flush the set cache before adding the flush command to the netlink batch.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
It reports a failure with the following kernel patch:
commit f53b9b0bdc59c0823679f2e3214e0d538f5951b9
Author: Laura Garcia Liebana <nevola@gmail.com>
Date: Sun May 31 22:26:23 2020 +0200
netfilter: introduce support for reject at prerouting stage
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support for using variables for devices in the chain and
flowtable definitions, eg.
define if_main = lo
table netdev filter1 {
chain Main_Ingress1 {
type filter hook ingress device $if_main priority -500; policy accept;
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Update permissions in this test script.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This is a test case for the kernel bug fixed by:
netfilter: nf_tables: fix nat hook table deletion
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch allows you to group rules in a subchain, e.g.
table inet x {
chain y {
type filter hook input priority 0;
tcp dport 22 jump {
ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept
ip6 saddr ::1/128 accept;
}
}
}
This also supports for the `goto' chain verdict.
This patch adds a new chain binding list to avoid a chain list lookup from the
delinearize path for the usual chains. This can be simplified later on with a
single hashtable per table for all chains.
From the shell, you have to use the explicit separator ';', in bash you
have to escape this:
# nft add rule inet x y tcp dport 80 jump { ip saddr 127.0.0.1 accept\; ip6 saddr ::1 accept \; }
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For example:
define test = "state"
define foo = "match"
table x {
chain y {
ct state invalid log prefix "invalid $test $foo:"
}
}
This patch scans for variables in the log prefix string. The log prefix
expression is a list of constant and variable expression that are
converted into a constant expression from the evaluation phase.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Otherwise, interval sets do not display element statement such as
counters.
Fixes: 6d80e0f15492 ("src: support for counter in set definition")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Allow for empty set definition in variables if they are merged to
non-empty set definition:
define BASE_ALLOWED_INCOMING_TCP_PORTS = {22, 80, 443}
define EXTRA_ALLOWED_INCOMING_TCP_PORTS = {}
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
tcp dport {$BASE_ALLOWED_INCOMING_TCP_PORTS, $EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept
}
}
However, disallow this:
define EXTRA_ALLOWED_INCOMING_TCP_PORTS = {}
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
tcp dport {$EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept
}
}
# nft -f x.nft
/tmp/x.nft:6:18-52: Error: Set is empty
tcp dport {$EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The current check on $NFT only allows to directly pass an executable,
so I've been commenting it out locally for a while to run tests with
valgrind.
Instead of using the -x test, run nft without arguments and check the
exit status. POSIX.1-2017, Shell and Utilities volume, par. 2.8.2
("Exit Status for Commands") states:
If a command is not found, the exit status shall be 127. If the
command name is found, but it is not an executable utility, the
exit status shall be 126. Applications that invoke utilities
without using the shell should use these exit status values to
report similar errors.
While this script isn't POSIX-compliant, it requires bash, and any
modern version of bash complies with those exit status requirements.
Also valgrind complies with this.
We need to quote the NFT variable passed to execute the commands in
the main loop and adjust error and informational messages, too.
This way, for example, export NFT="valgrind nft" can be issued to
run tests with valgrind.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It might be convenient to run tests from a development branch that
resides on another host, and if we break connectivity on the test
host as tests are executed, we can't run them this way.
If kernel implementation (CONFIG_NET_NS), unshare(1), or Python
bindings for unshare() are not available, warn and continue.
Suggested-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Missing .nft extension in dump file.
Fixes: 54eb1e16cc47 ("evaluate: missing datatype definition in implicit_set_declaration()")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
netlink_parse_set_expr() creates a dummy rule object to reuse the
existing netlink parser. Release the rule object to fix a memleak.
Zap the statement list to avoid a use-after-free since the statement
needs to remain in place after releasing the rule.
==21601==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 2016 byte(s) in 4 object(s) allocated from:
#0 0x7f7824b26330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
#1 0x7f78245fcebd in xmalloc /home/pablo/devel/scm/git-netfilter/nftables/src/utils.c:36
#2 0x7f78245fd016 in xzalloc /home/pablo/devel/scm/git-netfilter/nftables/src/utils.c:65
#3 0x7f782456f0b5 in rule_alloc /home/pablo/devel/scm/git-netfilter/nftables/src/rule.c:623
Add a test to check for set counters.
SUMMARY: AddressSanitizer: 2016 byte(s) leaked in 4 allocation(s).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
set->data from implicit_set_declaration(), otherwise, set_evaluation()
bails out with:
# nft -f /etc/nftables/inet-filter.nft
/etc/nftables/inet-filter.nft:8:32-54: Error: map definition does not specify
mapping data type
tcp dport vmap { 22 : jump ssh_input }
^^^^^^^^^^^^^^^^^^^^^^^
/etc/nftables/inet-filter.nft:13:26-52: Error: map definition does not specify
mapping data type
iif vmap { "eth0" : jump wan_input }
^^^^^^^^^^^^^^^^^^^^^^^^^^^
Add a test to cover this case.
Fixes: 7aa08d45031e ("evaluate: Perform set evaluation on implicitly declared (anonymous) sets")
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=208093
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The listing shows no devices:
# nft list ruleset
table ip x {
flowtable y {
hook ingress priority filter
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 64b9aa3803dd ("tests/py: Add tests involving concatenated
ranges") introduced a rule, commented out, adding an anonymous set
including concatenated ranges. Now that they are properly handled,
we can enable it.
Note that this introduces a new warning. In the output below, '\'
marks newlines I introduced to keep lines short:
inet/sets.t: WARNING: line 24: \
'add rule inet test-inet input ip daddr . tcp dport \
{ 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept': \
'ip daddr . tcp dport \
{ 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept' \
mismatches 'meta nfproto ipv4 ip daddr . tcp dport \
{ 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443} accept'
which is similar to the existing warning, also introduced by
commit 64b9aa3803dd:
inet/sets.t: WARNING: line 23: \
'add rule inet test-inet input \
ip saddr . ip daddr . tcp dport @set3 accept': \
'ip saddr . ip daddr . tcp dport @set3 accept' mismatches \
'meta nfproto ipv4 ip saddr . ip daddr . tcp dport @set3 accept'
This is mentioned in the commit message for 64b9aa3803dd itself:
* Payload dependency killing ignores the concatenated IP header
expressions on LHS, so rule output is asymmetric.
which means that for family inet, 'meta nfproto ipv4' is added to
the output of the rule, on top of what was passed as input, but not
for families bridge and netdev.
For this reason, it's not possible in this case to specify a single
expected output, differing from the input, and, also,
'meta nfproto ipv4' can only be passed as input for family inet as
it's not relevant for the other families.
As an alternative, we could split the rules from this test into
tests for the corresponding families, as this test case itself
is under the 'inet' directory, but I consider this beyond the scope
of this patchset.
v2: Enable rule in py/inet/sets.t instead of adding a new test in
shell/sets (Phil Sutter)
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This enables the use nft bridge reject with bridge vlan filtering.
It depends on a kernel patch to make the kernel preserve the
vlan id in nft bridge reject generation.
[ pablo: update tests/py ]
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This enables to send icmp frag-needed messages using reject target.
I have a bridge with connects an gretap tunnel with some ethernet lan.
On the gretap device I use ignore-df to avoid packets being lost without
icmp reject to the sender of the bridged packet.
Still I want to avoid packet fragmentation with the gretap packets.
So I though about adding an nftables rule like this:
nft insert rule bridge filter FORWARD \
ip protocol tcp \
ip length > 1400 \
ip frag-off & 0x4000 != 0 \
reject with icmp type frag-needed
This would reject all tcp packets with ip dont-fragment bit set that are
bigger than some threshold (here 1400 bytes). The sender would then receive
ICMP unreachable - fragmentation needed and reduce its packet size (as
defined with PMTU).
[ pablo: update tests/py ]
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Despite being explicitly mentioned as available, prerouting and
postrouting hooks are not used, filter-pre and filter-post chains
are both built to hook on input.
Fixes: 25851df85e85 ("tests: regression: revisit chain tests")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Code wasn't aware of prefix elements in interval sets. With previous
changes in place, they merely need to be accepted in
get_set_interval_find() - value comparison and expression duplication is
identical to ranges.
Extend sets/0034get_element_0 test to cover prefixes as well. While
being at it, also cover concatenated ranges.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of using an (possibly outdated) system nft to generate dumps,
use the newly build tool.
This fixes the dump output being corrupted if the system tool does
not support parsing new features.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
The 'id' key allows for matching on the id of the conntrack entry.
v2: Remove ct_id_type
Signed-off-by: Brett Mastbergen <brett.mastbergen@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch transform a range of IP addresses to prefix when listing the
ruleset.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
table bridge t {
set s3 {
typeof meta ibrpvid
elements = { 2, 3, 103 }
}
}
# nft --debug=netlink -f test.nft
s3 t 0
s3 t 0
element 00000100 : 0 [end] element 00000200 : 0 [end] element 00000300 : 0 [end]
^^^^^^^^
The integer_type uses BYTEORDER_INVALID byteorder (which is implicitly
handled as BYTEORDER_BIG_ENDIAN).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Service names printing are not default these days, using service names
with ranges is misleading.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|