exthdr.c:41:31: warning: ā%dā directive output may be truncated writing between 1 and 8 bytes into a region of size 3 [-Wformat-truncation=]
snprintf(buf, sizeof buf, "%d", offset);
^~
This warning is incorrect, as offset is limited by tcp option ranges,
but gcc doesn't know this. Increase buffer to avoid the warning.
Ismo Puustinen [Tue, 27 Jun 2017 12:14:58 +0000 (15:14 +0300)]
scanner: support for wildcards in include statements.
Use glob() to find paths in include statements. The rules are these:
1. If no files can be found in the pattern with wildcards, do not
return an error.
2. Do not match any files beginning with '.'.
3. Do not handle include directories anymore. For example, the
statement:
include "foo/"
would now need to be rewritten:
include "foo/*"
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Shyam Saini [Wed, 21 Jun 2017 08:47:45 +0000 (14:17 +0530)]
tests: py: Fail test forcefully when bug is not fixed
When we have "fail" in the test cases then py test doesn't complain
anything, but the test should complain if the fix is not applied.
Before applying 986dea8a4a9d ("evaluate: avoid reference to multiple src
data in statements which set values"), nft throws following error
message and exits with error code 134.
$ nft add rule x y tcp dport set { 0 , 1 }
BUG: unknown expression type set reference
nft: netlink_linearize.c:696: netlink_gen_expr: Assertion `0' failed.
Aborted
This commit enforces nft-test.py to throw error message when the fix
is not applied.
Signed-off-by: Shyam Saini <mayhs11saini@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Sometimes it can be useful to test if a command is valid without
applying any change to the rule-set. This commit adds a new option
flag (-c | --check) that performs a dry run execution of the commands.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Shyam Saini [Fri, 23 Jun 2017 12:05:56 +0000 (17:35 +0530)]
tests: shell: Test input descriptors for included files
Before b14572f72aac ("erec: Fix input descriptors for included files"),
nft error message was pointing to wrong file. But after this commit it
points to right file.
This patch adds a new test for this commit.
Signed-off-by: Shyam Saini <mayhs11saini@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Shyam Saini [Fri, 23 Jun 2017 12:05:55 +0000 (17:35 +0530)]
tests: shell: Add test for incomplete set add set command
Before c6cd7c22548a ("src: fix crash when inputting an incomplete set
add command") commit, if we run nft with incomplete "add set" command it
caused segmentation fault and exit with error code 139 and further it
didn't throw any error message.
For example:
$ sudo nft add set t s
But after the aforementioned commit it throws syntax error message and
exits with return value 1.
For example:
$ sudo nft add set t s
<cmdline>:1:12-12: Error: syntax error, unexpected newline, expecting '{'
add set t s
^
This commit tests changes made in such commit.
Signed-off-by: Shyam Saini <mayhs11saini@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
evaluate: Better error reporting for bad set references
In case you refer to an unexisting set, bail out with:
# nft add table x
# nft add chain x y
# nft add rule x y ip protocol vmap @reject_to_rule2;
<cmdline>:1:31-46: Error: Set 'reject_to_rule2' does not exist
add rule x y ip protocol vmap @reject_to_rule2
^^^^^^^^^^^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1145 Fixes: a6b75b837f5e ("evaluate: set: Allow for set elems to be sets") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Fri, 16 Jun 2017 19:18:45 +0000 (21:18 +0200)]
evaluate: reject meta nfproto outside of inet family
meta nfproto loads the hook family type of the current rule context
in the kernel, i.e. it will be NFPROTO_IPV6 for ip6 family,
NFPROTO_BRIDGE for bridge and so on.
The only case where this is useful is the inet pseudo family,
where this is useful to determine the real hook family
(NFPROTO_IPV4 or NFPROTO_IPV6).
In all other families 'meta nfproto' is either always true or false.
Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Fri, 16 Jun 2017 19:52:32 +0000 (21:52 +0200)]
tests: restrict ct saddr test to inet family
any/ct.t: ERROR: line 94: src/nft add rule --debug=netlink ip6
test-ip6 output meta nfproto ipv4 ct original saddr 1.2.3.4: This rule should not have failed.
Actually, this failure is "ok; we can't find upper layer protocol
in this case, but even if we'd "fix" this it is still non-sensical,
meta nfproto ipv4, but family is ipv6 --> rule would never match.
First move this to an inet-specific test.
A followup patch will reject meta nfproto for all families except inet.
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Shyam Saini [Fri, 16 Jun 2017 19:35:42 +0000 (01:05 +0530)]
tests: py: Add test for ambiguity while setting the value
This test checks bug identified and fixed in the commit mentioned below
In a statement if there are multiple src data then it would be
totally ambiguous to decide which value to set.
Before the commit was made it returned 134(BUG), but now it returns 1
i.e, an error message.
Following rules tests ambiguity while setting the value:
$ sudo nft add rule ip test-ip4 output ct mark set {0x11333, 0x11}
<cmdline>:1:41-55: Error: you cannot use a set here, unknown value to use
add rule ip test-ip4 output ct mark set {0x11333, 0x11}
~~~~~~~~~~~~^^^^^^^^^^^^^^^
Test: 986dea8 ("evaluate: avoid reference to multiple src data in
statements which set values") Signed-off-by: Shyam Saini <mayhs11saini@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Varsha Rao [Fri, 16 Jun 2017 09:24:06 +0000 (14:54 +0530)]
src: Pass stateless, numeric, ip2name and handle variables as structure members.
libnftables library will be created soon. So declare numeric_output,
stateless_output, ip2name_output and handle_output as members of
structure output_ctx, instead of global variables. Rename these
variables as following,
src: error reporting for nested ruleset representation
If you load a file using the nested ruleset representation, ie. the one
you get via `nft list ruleset', error reporting doesn't help you much to
find the problem.
For example, the following ruleset points to an unexisting chain 'x':
table test {
chain test {
type filter hook ingress priority 0; policy drop;
ip saddr { 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4 } jump x
}
}
Error reporting is very sparse as it says:
# nft -f /home/test/x
/home/test/x:1:1-2: Error: Could not process rule: No such file or directory
table netdev test{
^^
So it's hard to know what is exactly missing.
This patch enhances the existing logic, so nft points to the rule
causing the problem, ie.
# nft -f /home/test/x
/home/test/x:4:17-70: Error: Could not process rule: No such file or directory
ip saddr { 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4 } jump x
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The idea behind this patch is to expand the single table command into a
list of individual commands, one per nested object inside the table.
This expanded list is spliced into the existing list of commands. Thus,
each command gets a sequence number that helps us correlate the error
with the command that triggers it.
This patch also includes reference counting for rules and objects. This
was already in place for table, chain and sets. We need this since now
we hold references to them from both the command and the table object
itself. So the last reference releases the object from memory. Note that
table objects still keep the list of chain, sets, etc. since the
existing cache logic needs this to work.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: display default directory for file inclusion in -h/--help
If no explicit relative or absolute path is enforced by the user, nft
relies on either -I/--includepath or the default include directory that
is set at compile time.
Given most of our users will rely on packaged versions of nft, provide a
way to display the location of this default includepath directory.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
In case of bitmask types (tcp flags, ct eventmask) nft
allows to use comma operator to test multiple values, i.e.
tcp flags syn,ack ct event new,destroy etc.
But currently nft fails to use this when used in a statement, i.e.
... ct eventmask set new,destroy
gives:
syntax error, unexpected comma
This allows makes this work, it is the same as
ct eventmask set new|destroy
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Mon, 29 May 2017 17:25:37 +0000 (19:25 +0200)]
meta: permit meta nfproto ip in ip family
works:
add rule ip filter input ct original saddr 1.2.3.4
(family ctx init initialises network base to proto_ip).
fails to parse 1.2.3.4 address:
add rule ip filter input meta nfproto ipv4 ct original saddr 1.2.3.4
... because meta_expr_pctx_update() won't find a dependency
from "ip" to "ip" and then overwrites the correct base with proto_unknown.
"meta nfproto ip" is useless in the ip family, as it will always match,
i.e. a better (but more compliated) fix would be to remove the statement
during evaluation.
Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Mon, 29 May 2017 17:25:38 +0000 (19:25 +0200)]
ct: fix inet/bridge/netdev family handling for saddr/daddr
"ct orignal saddr" has an invalid data type, as the address can be either ipv4 or ipv6.
For some cases we could infer it from the rhs, but there are cases where we don't have any
information, e.g. when passing ct original saddr to jhash expression.
So do the same thing that we do for "rt nexthop" -- error out and hint to user
they need to specifiy the desired address type with "meta nfproto".
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Varsha Rao [Tue, 6 Jun 2017 06:25:40 +0000 (11:55 +0530)]
src: Remove expire information from list stateless ruleset.
As expires is stateful information. This patch removes expire
information from list stateless ruleset. With nft -s option, the
ruleset will be as following.
table ip firewall {
set host {
type ipv4_addr
flags timeout
elements = { 10.0.0.2 timeout 10m }
}
}
Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Ismo Puustinen [Tue, 6 Jun 2017 11:50:10 +0000 (14:50 +0300)]
tests: test include directories
Add tests for:
* including an empty directory
* including directory with one or two files in it
* testing for required trailing slash in directory name
* testing for detecting non-existent directory
* testing for a broken file in included directory
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Ismo Puustinen [Tue, 6 Jun 2017 11:50:09 +0000 (14:50 +0300)]
scanner: add support for include directories
If a string after "include" keyword points to a directory instead of a
file, consider the directory to contain only nft rule files and try to
load them all. This helps with a use case where services drop their own
firewall configuration files into a directory and nft needs to include
those without knowing the exact file names.
File loading order from the include directory is not specified, so the
files inside an include directory should not depend on each other.
Fixes(Bug 1154 - Allow include statement to operate on directories and/or wildcards).
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: remove global nftnl_batch structure in mnl layer
The underlying mnl layer uses a global nftnl_batch structure. Instead,
pass pointer as parameter to the functions that need this. The netlink
layer stores a reference to this structure in struct netlink_ctx.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
expression: don't trim off unary expression on delinearization
This transformation introduces an unnecessary asymmetry between the
linearization and delinearization steps that prevent rule deletion by
name to work fine.
Moreover, do not print htonl and ntonl from unary expression, this
syntax is not allowed by the parser.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
evaluate: avoid reference to multiple src data in statements which set values
Prevent this assert:
% nft [..] tcp dport set { 0 , 1 }
BUG: unknown expression type set reference
nft: netlink_linearize.c:696: netlink_gen_expr: Assertion `0' failed.
Aborted
We can't use a set here because we will not known which value to use.
With this patch, a proper error message is reported to users:
% nft add rule t c tcp dport set {1, 2, 3, 4, 5}
<cmdline>:1:28-42: Error: you cannot use a set here, unknown value to use
add rule t c tcp dport set {1, 2, 3, 4, 5}
~~~~~~~~~~~~~~^^^^^^^^^^^^^^^
% nft add rule t c tcp dport set @s
<cmdline>:1:28-29: Error: you cannot reference a set here, unknown value to use
add rule t c tcp dport set @s
~~~~~~~~~~~~~~^^
This error is reported to all statements which set values.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Thu, 25 May 2017 07:14:58 +0000 (09:14 +0200)]
Merge branch 'meta_l4_dependency'
Currently nft inserts different types of dependencies for l4 protocols,
depending on the family.
For inet, nft inserts 'meta l4proto' to e.g. check for tcp, for
ip, nft uses 'ip protocol'. Both are fine. The ip6 family however
uses 'ip6 nexthdr', and thats a problem because e.g. tcp dport 22 will
not match packets that use ipv6 extension headers.
The series switches both ipv6 and ipv4 to use meta l4 instead
so ipv6 will always check the last transport header value.
We could ignore ip as only ipv6 uses extension headers.
However, switching ipv4 as well makes things a bit simpler because nft
then creates the same l4 dependency for all families.
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Wed, 22 Mar 2017 15:38:30 +0000 (16:38 +0100)]
tests: fix up meta l4proto change for ip6 family
After previous commit nft generates meta l4proto for ipv6 dependencies
instead of checking the (first) nexthdr value.
This fixes up all tests cases accordingly except one which fails with
ip6/reject.t: ... 12: 'ip6 nexthdr 6 reject with tcp reset' mismatches 'meta l4proto 6 reject with tcp reset'
This will be fixed by removing the implicit dependency in a followup patch.
Florian Westphal [Thu, 18 May 2017 11:30:54 +0000 (13:30 +0200)]
payload: enforce ip/ip6 protocol depending on icmp or icmpv6
After some discussion with Pablo we agreed to treat icmp/icmpv6 specially.
in the case of a rule like 'tcp dport 22' the inet, bridge and netdev
families only care about the lower layer protocol.
In the icmpv6 case however we'd like to also enforce an ipv6 protocol check
(and ipv4 check in icmp case).
This extends payload_gen_special_dependency() to consider this.
With this patch:
add rule $pf filter input meta l4proto icmpv6
add rule $pf filter input meta l4proto icmpv6 icmpv6 type echo-request
add rule $pf filter input icmpv6 type echo-request
will work in all tables and all families.
For inet/bridge/netdev, an ipv6 protocol dependency is added; this will
not match ipv4 packets with ip->protocol == icmpv6, EXCEPT in the case
of the ip family.
Its still possible to match icmpv6-in-ipv4 in inet/bridge/netdev with an
explicit dependency:
add rule inet f i ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type ...
Implicit dependencies won't get removed at the moment, so
bridge ... icmp type echo-request
will be shown as
ether type ip meta l4proto 1 icmp type echo-request
which is: ip6 filter input ip6 nexthdr tcp dport 22
IOW, such a rule won't match if e.g. a fragment header is in place.
This changes ip6_proto to use 'meta l4proto' which is the protocol header
found by exthdr walk.
A side effect is that for bridge we get a shorter dependency chain as it
no longer needs to prepend 'ether proto ipv6' for old 'ip6 nexthdr' dep.
Only problem:
ip6 nexthdr tcp tcp dport 22
will now inject a (useless) meta l4 dependency as ip6 nexthdr is no
longer flagged as EXPR_F_PROTOCOL, to avoid this add a small helper
that skips the unneded meta dependency in that case.
Liping Zhang [Sun, 14 May 2017 07:56:12 +0000 (15:56 +0800)]
src: delete the old cache when dumping is interrupted
When the dumping operation is interrupted, we will restart the
cache_init(), but unfortunatly, we forget to delete the old cache.
So in extreme case, we will leak a huge amount of memory.
Running the following commands can simulate the extreme case:
# nft add table t
# nft add set t s {type inet_service \;}
# for i in $(seq 65000); do
nft add element t s {$i}
done &
# while : ; do
time nft list ruleset -nn
done
After a while, oom killer will be triggered:
[ 2808.243537] Out of memory: Kill process 16975 (nft) score 649 or
sacrifice child
[ 2808.255372] Killed process 16975 (nft) total-vm:1955348kB,
anon-rss:1952120kB, file-rss:0kB, shmem-rss:0kB
[ 2858.353729] nft invoked oom-killer: gfp_mask=0x14201ca(GFP_HIGHUSER_
MOVABLE|__GFP_COLD), nodemask=(null), order=0,
oom_score_adj=0
[ 2858.374521] nft cpuset=/ mems_allowed=0
...
Signed-off-by: Liping Zhang <zlpnobody@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Print elements per line instead of all in a single line.
The elements which can be 'short' are printed 5 per line,
and others, like IPv4 addresses are printed 2 per line.
Example:
% nft list ruleset -nnn
table ip t {
set s {
type inet_service
elements = { 1, 2, 3, 4, 10,
432, 433, 434, 435, 436,
437, 438, 439, 440, 441,
442, 443, 444, 445, 446,
447, 448, 449, 450, 12345 }
}
netlink_delink_delinearize: don't store dependency unless relop checks is eq check
'ip protocol ne 6' is not a dependency for nexthdr protocol, and must
not be stored as such.
Fixes: 0b858391781ba308 ("src: annotate follow up dependency just after killing another") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
nft currently translates
ip protocol tcp meta mark set 1 tcp dport 22
to
mark set 0x00000001 tcp dport 22
This is wrong, the latter form is same as
mark set 0x00000001 ip protocol tcp tcp dport 22
and thats not correct (original rule sets mark for tcp packets only).
We need to clear the dependency stack whenever we see a statement other
than stmt_expr, as these will have side effects (counter, payload
mangling, logging and the like).
Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 2 May 2017 17:51:27 +0000 (19:51 +0200)]
nft.8: Enhance NAT documentation
This adds documentation about masquerade and redirect statements, points
out that for any NAT statement both prerouting and postrouting chains
are required and adds a bunch of examples to the section's end.
Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
datatype.c:182:13: warning: format ā%luā expects argument of type ālong unsigned intā, but argument 2 has type āuint64_t {aka long long unsigned int}ā [-Wformat=] printf("%lu", val);
Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
if kernel is older it won't understand the EXTHDR_OP attribute, i.e.
the rule gets accepted as a check for ipv6 exthdr.
On dump nft is then presented with a invalid ipv6 exthdr.
So we need to get rid of the assert and output an "invalid" message on
list. Longterm we need a proper vm description or kernel-side check
to reject such messages in first place.
After patch, test suite yields erros of type
ip6/tcpopt.t: WARNING: 'src/nft add rule --debug=netlink ip6 test-ip6 \
input tcp option sack right 1': 'tcp option sack right 1' mismatches
'ip6 nexthdr 6 unknown-exthdr unknown 0x1 [invalid type]'
Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
The tests warned about a problem with the seed listing.
/tests/py# ./nft-test.py ip/hash.t
ip/hash.t: WARNING: line: 4: 'src/nft add rule --debug=netlink \
ip test-ip4 pre ct mark set jhash ip saddr . ip daddr mod 2 \
seed 0xdeadbeef': 'ct mark set jhash ip saddr . ip daddr mod 2 \
seed 0xdeadbeef' mismatches 'ct mark set jhash ip saddr . ip \
daddr mod 2'
ip/hash.t: WARNING: line: 6: 'src/nft add rule --debug=netlink \
ip test-ip4 pre ct mark set jhash ip saddr . ip daddr mod 2 seed \
0xdeadbeef offset 100': 'ct mark set jhash ip saddr . ip daddr \
mod 2 seed 0xdeadbeef offset 100' mismatches 'ct mark set jhash \
ip saddr . ip daddr mod 2 offset 100'
ip/hash.t: 6 unit tests, 0 error, 2 warning
The expression type is now treated as an unsigned int in the
hash_expr_print() function.
Fixes 3a86406 ("src: hash: support of symmetric hash") Signed-off-by: Laura Garcia Liebana <laura.garcia@zevenet.com> Signed-off-by: Florian Westphal <fw@strlen.de>
Elise Lennion [Fri, 24 Mar 2017 15:30:41 +0000 (12:30 -0300)]
src: Make flush command selective of the set structure type
The internal set infrastructure is used for sets, maps and flow tables.
The flush command requires the set type but currently it works for all
of them. E.g. if there is a set named 's' in a table 't' the following
command shouldn't be valid but still executes:
$ nft flush flow table t s
This patch makes the flush command selective so 'flush flow table' only
works in flow tables and so on.
Phil Sutter [Wed, 22 Mar 2017 00:26:34 +0000 (01:26 +0100)]
tests: Add test cases for nested anonymous sets
This makes sure nesting of anonymous sets works regardless of whether
defines are used or not. As a side-effect, it also checks that overlap
checking when IP address prefixes are used, works.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Mon, 20 Mar 2017 16:38:56 +0000 (17:38 +0100)]
evaluate: set: Fix nested set merge size adjustment
When merging a nested set into the parent one, we are actually replacing
one item with the items of the nested set. Therefore we have to remove
the replaced item from size.
The respective bug isn't as easy to trigger, since the size field seems
to be relevant only when set elements are ranges which are checked for
overlaps. Here's an example of how to trigger it:
This didn't work because the inline set comes in as EXPR_SET_ELEM with
EXPR_SET as key. This patch handles that case by replacing the former by
a copy of the latter, so the following set list merging can take place.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Elise Lennion [Fri, 17 Mar 2017 15:04:48 +0000 (12:04 -0300)]
doc: Document add / delete element operations of sets and maps
The add / delete operations weren't documented yet. They fit better
in the sets and maps blocks since these operations are used to directly
modify their content.
Signed-off-by: Elise Lennion <elise.lennion@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 16 Mar 2017 12:43:21 +0000 (13:43 +0100)]
doc: Describe ICMP(v6) expression and types
This adds a description of the icmp and icmpv6 expressions (to match
various ICMP header fields) as well as the icmp and icmpv6 type types
(yay) which are used for ICMP(v6) type field.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Sat, 11 Mar 2017 13:31:39 +0000 (14:31 +0100)]
fib: Support existence check
This allows to check whether a FIB entry exists for a given packet by
comparing the expression with a boolean keyword like so:
| fib daddr oif exists
The implementation requires introduction of a generic expression flag
EXPR_F_BOOLEAN which allows relational expression to signal it's LHS
that a boolean comparison is being done (indicated by boolean type on
RHS). In contrast to exthdr existence checks, fib expression can't know
this in beforehand because the LHS syntax is absolutely identical to a
non-boolean comparison.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Liping Zhang [Sat, 11 Mar 2017 04:20:11 +0000 (12:20 +0800)]
src: fix crash when inputting an incomplete set add command
After inputting the following nft command, set->keytype is not initialized
but we try to destroy it, so NULL pointer dereference will happen:
# nft add set t s
Segmentation fault (core dumped)
#0 dtype_free (dtype=0x0) at datatype.c:1049
#1 set_datatype_destroy (dtype=0x0) at datatype.c:1051
#2 0x0000000000407f1a in set_free (set=0x838790) at rule.c:213
#3 0x000000000042ff70 in nft_parse (scanner=scanner@entry=0x8386a0,
state=state@entry=0x7ffc313ea670) at parser_bison.c:9355
#4 0x000000000040727d in nft_run (scanner=scanner@entry=0x8386a0,
state=state@entry=0x7ffc313ea670, msgs=msgs@entry=0x7ffc313ea660)
at main.c:237
#5 0x0000000000406e4a in main (argc=<optimized out>, argv=<optimized
out>) at main.c:376
Fixes: b9b6092304ae ("evaluate: store byteorder for set keys") Signed-off-by: Liping Zhang <zlpnobody@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Fri, 10 Mar 2017 17:13:50 +0000 (18:13 +0100)]
exthdr: Add support for exthdr specific flags
This allows to have custom flags in exthdr expression, which is
necessary for upcoming existence checks (of both IPv6 extension headers
as well as TCP options).
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch provides symmetric hash support according to source
ip address and port, and destination ip address and port.
The new attribute NFTA_HASH_TYPE has been included to support
different types of hashing functions. Currently supported
NFT_HASH_JENKINS through jhash and NFT_HASH_SYM through symhash.
The main difference between both types are:
- jhash requires an expression with sreg, symhash doesn't.
- symhash supports modulus and offset, but not seed.
Examples:
nft add rule ip nat prerouting ct mark set jhash ip saddr mod 2
nft add rule ip nat prerouting ct mark set symhash mod 2
Signed-off-by: Laura Garcia Liebana <laura.garcia@zevenet.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
projects / thirdparty / nftables.git / log
