Phil Sutter [Wed, 24 Oct 2018 10:35:03 +0000 (12:35 +0200)]
json: Fix osf ttl support
Having to use numerical values for ttl property in JSON is not
practical as these values are arbitrary and meaningful only in
netfilter. Instead align JSON output/input with standard API, accepting
names for TTL matching strategy.
Also add missing documentation in libnftables-json man page and fix JSON
equivalent in tests/py.
Fixes: 03eafe098d5ee ("osf: add ttl option support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Mon, 22 Oct 2018 13:45:09 +0000 (15:45 +0200)]
tests: shell: Extend get element test
Despite the recent fixes, the test still fails. While trying to address
the remaining issues, I found more potentially problematic inputs so
extend the test by those.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Fri, 12 Oct 2018 15:23:24 +0000 (17:23 +0200)]
parser_json: Fix for ineffective family value checks
Since handle->family is unsigned, checking for value < 0 never yields
true. Overcome this by changing parse_family() to return an error code
and write the parsed family value into a pointer passed as parameter.
The above change required a bit more cleanup to avoid passing pointers
to signed variables to the function. Also leverage json_parse_family() a
bit more to reduce code size.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
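The ineffective check described in this commit, shown as an added illustration rather than nftables code: a hypothetical handle with an unsigned family field, a parser in the old style that signals failure via -1, and the fixed style that returns an error code and writes through an out pointer. The family values are the Linux nfproto numbers for inet, ip and ip6; the function and struct names are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical handle, constructed for this example: the family field is
 * unsigned, as in the commit's description of handle->family. */
struct handle {
	uint32_t family;
};

/* Values as in Linux's nfproto enum (NFPROTO_INET, NFPROTO_IPV4, NFPROTO_IPV6). */
#define FAMILY_INET 1
#define FAMILY_IPV4 2
#define FAMILY_IPV6 10

/* Before the fix: the parser signals failure with -1 in the return value. */
static int parse_family_old(const char *name)
{
	if (!strcmp(name, "inet")) return FAMILY_INET;
	if (!strcmp(name, "ip"))   return FAMILY_IPV4;
	if (!strcmp(name, "ip6"))  return FAMILY_IPV6;
	return -1;
}

/* Storing -1 into the unsigned field yields UINT32_MAX, so the "< 0" check
 * below is always false and unknown family names are silently accepted. */
static int family_accepted_old(const char *name)
{
	struct handle h;

	h.family = parse_family_old(name);
	if (h.family < 0)	/* never true for an unsigned value */
		return 0;
	return 1;
}

/* After the fix: return an error code and write the family through an
 * out pointer of the same (unsigned) type as the destination. */
static int parse_family_new(const char *name, uint32_t *family)
{
	if (!strcmp(name, "inet")) { *family = FAMILY_INET; return 0; }
	if (!strcmp(name, "ip"))   { *family = FAMILY_IPV4; return 0; }
	if (!strcmp(name, "ip6"))  { *family = FAMILY_IPV6; return 0; }
	return -1;
}

static int family_accepted_new(const char *name)
{
	struct handle h;

	if (parse_family_new(name, &h.family) < 0)
		return 0;
	return 1;
}
```

Compilers flag the old comparison as always false (gcc -Wtype-limits), which is a cheap check to enable for any code that validates values stored in unsigned fields.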
Phil Sutter [Fri, 12 Oct 2018 10:54:09 +0000 (12:54 +0200)]
Fix memleak in netlink_parse_fwd() error path
Make sure allocated 'stmt' is freed before returning to caller.
Fixes: 30d45266bf38b ("expr: extend fwd statement to support address and family")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 11 Oct 2018 15:48:59 +0000 (17:48 +0200)]
monitor: Fix printing of ct objects
Monitor output is supposed to be single lined without tabs, but ct
objects were printed with newlines and tabs hard-coded. Fixing this
wasn't too hard given that there is 'stmt_separator' to also include
semi-colons where required if newline was removed.
A more obvious mistake was position of object type in monitor output:
Like with other object types, it has to occur between command and table
spec. As a positive side-effect, this aligns ct objects better with
others (see obj_type_name_array for instance).
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 11 Oct 2018 15:48:54 +0000 (17:48 +0200)]
tests/py: Add missing JSON bits for inet/meta.t
Those were forgotten when renaming meta secpath to meta ipsec.
Fixes: 8f55ed41d0070 ("src: rename meta secpath to meta ipsec")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The netlink layer sits in between the mnl and the rule layers, remove
it. We can remove alloc_nftnl_chain() and consolidate infrastructure in
the src/mnl.c file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The netlink layer sits in between the mnl and the rule layers, remove
it. We can remove alloc_nftnl_table() and consolidate infrastructure in
the src/mnl.c file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Fri, 24 Aug 2018 11:26:57 +0000 (13:26 +0200)]
parser_bison: Fix for ECN keyword in LHS of relational
Of all possible TCP flags, 'ecn' is special since it is recognized by
lex as a keyword (there is a field in IPv4 and IPv6 headers with the
same name). Therefore it is listed in keyword_expr, but that was
sufficient for RHS only. The following statement reproduces the issue:
| tcp flags & (syn | ecn) == (syn | ecn)
The solution is to limit binop expressions to accept an RHS expression
on RHS ("real" LHS expressions don't make much sense there anyway),
which then allows keyword_expr to occur there. In order to maintain the
recursive behaviour if braces are present, allow primary_rhs_expr to
consist of a basic_rhs_expr enclosed in braces. This in turn requires
for braced RHS part in relational_expr to be dropped, otherwise bison
complains about shift/reduce conflict.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This function overrides the left pointer. Instead update this function
to return the range that we found to enclose the left element. Note that
we may not find a closing right element - therefore, it is a standalone
element - in that case this function returns NULL.
Reported-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
segtree: bogus range via get set element on existing elements
table ip x {
set y {
type inet_service
flags interval
elements = { 10, 20-30, 40, 50-60 }
}
}
# nft get element x y { 20-40 }
table ip x {
set y {
type inet_service
flags interval
elements = { 20-40 }
}
}
20 and 40 exist in the tree, but they are part of different ranges.
This patch adds a new get_set_decompose() function to validate that the
left and the right side of the range.
Reported-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
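The bogus-range lookup from this commit, as an added illustration that is not nftables code: a constructed copy of set y ({ 10, 20-30, 40, 50-60 }) as sorted disjoint intervals, a naive lookup that only checks that both endpoints exist somewhere in the set (and so answers "20-40"), and the decompose-style check that requires both ends of the query to fall inside the same element. Function names are constructed for the example.

```c
#include <stddef.h>

struct range {
	unsigned int left, right;
};

/* Constructed interval set mirroring the commit's example:
 *   elements = { 10, 20-30, 40, 50-60 }
 * Single values are stored as [v, v]; elements are sorted and disjoint. */
static const struct range set_y[] = {
	{ 10, 10 }, { 20, 30 }, { 40, 40 }, { 50, 60 },
};
static const size_t set_y_len = sizeof(set_y) / sizeof(set_y[0]);

/* Index of the element containing value v, or -1 if v lies in a gap. */
static int find_element(const struct range *set, size_t n, unsigned int v)
{
	for (size_t i = 0; i < n; i++)
		if (v >= set[i].left && v <= set[i].right)
			return (int)i;
	return -1;
}

/* The behaviour the commit reports: both endpoints are found in the tree,
 * so the query is answered as if "20-40" were an element. Returns 1 or 0. */
static int get_element_naive(const struct range *set, size_t n,
			     unsigned int left, unsigned int right)
{
	return find_element(set, n, left) >= 0 &&
	       find_element(set, n, right) >= 0;
}

/* With the decompose check: the query matches only if both endpoints fall
 * inside the same existing element. Returns that element's index or -1. */
static int get_element_checked(const struct range *set, size_t n,
			       unsigned int left, unsigned int right)
{
	int li, ri;

	if (left > right)
		return -1;
	li = find_element(set, n, left);
	ri = find_element(set, n, right);
	if (li < 0 || li != ri)
		return -1;
	return li;
}
```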
Phil Sutter [Tue, 25 Sep 2018 12:24:16 +0000 (14:24 +0200)]
tests: shell: Improve performance of 0021prio_0
This test called nft binary 391 times and took about 38s to complete on
my testing VM. Improve this by writing all commands into a temporary
file for processing in a single nft call. Reduces run-time to about 4s.
Interestingly, piping the sub-process's output directly into 'nft -f -'
leads to spurious errors (parser complaining about perfectly fine
syntax). It seems like handling large input this way is not possible.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
Phil Sutter [Tue, 25 Sep 2018 12:24:15 +0000 (14:24 +0200)]
tests: shell: Improve gen_chains() in 0021prio_0
Enhance the function to accept an optional fourth parameter specifying
the device name, then use it for netdev family. Also remove doubled empty
lines and instead put together what belongs together.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
Phil Sutter [Tue, 25 Sep 2018 12:24:14 +0000 (14:24 +0200)]
tests: shell: Drop one-time use variables in 0021prio_0
There is really no point in declaring a variable which is used just
once. Also mark function local variables as such to make sure they don't
overwrite global ones.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
Phil Sutter [Tue, 25 Sep 2018 12:24:12 +0000 (14:24 +0200)]
parser_bison: Fix for chain prio name 'out'
Since 'out' is defined as a keyword in scanner.l, using it as a chain
priority name without quotes is not possible. Fix this by introducing
'extended_prio_name' in bison which may be either a string (as before)
or OUT, which is then converted into a string.
Fixes: c8a0e8c90e2d1 ("src: Set/print standard chain prios with textual names")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
evaluate: throw distinct error if map exists but contains no objects
nft would throw misleading error in case map exists but doesn't contain
expected objects.
nft add rule filter in ct helper set tcp dport map @foo
Error: Expression is not a map
add rule filter in ct helper set tcp dport map @foo
^^^^
nft list table filter
table ip filter {
map foo {
type inet_service : ifname
}
...
clarify this.
Reported-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Phil Sutter [Fri, 14 Sep 2018 09:00:23 +0000 (11:00 +0200)]
doc: Review man page building in Makefile.am
Previously, changes to any of the included adoc snippets in nft.txt were
not detected and hence the man page not updated (unless 'make clean' was
called). It seems like the '.txt.8' target only considers foo.txt when
trying to generate foo.8, so get rid of that and introduce a dedicated
target for nft.8.
While doing so, apply a few other minor changes:
* Although nft.8 target has to list all included adoc snippets as a
dependency, it is sufficient to call a2x with the main one (i.e.,
nft.txt) only.
* Keep common a2x parameters in a variable.
* Use ${A2X} everywhere and hide all calls behind ${AM_V_GEN}, not just
the one for nft.8.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Fri, 14 Sep 2018 09:00:14 +0000 (11:00 +0200)]
nft.8: Update meta pkt_type value description
Commit 8a7f6de536408 ("meta: fix pkttype name and add 'other' symbol")
deprecated pkt_type value 'unicast' (for it being misleading) and
introduced 'host' and 'other' but it did not update documentation
accordingly. Fix this by replacing 'unicast' with 'host' in
documentation and adding 'other'.
While being at it, make sure these literal values are recognized as
such: Put them in all lower-case (as required by the parser) and in bold
font (to stand out a bit more).
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 11 Sep 2018 20:14:25 +0000 (22:14 +0200)]
json: Make inet_service_type_json() respect literal level
This brings inet_service_type_json() on par with
inet_service_type_print(). Despite datatype_print()'s ability to use the
'print' callback, a dedicated 'json' callback is required to make port
numbers appear as numbers in JSON output instead of strings. Therefore
go with a bit of code duplication here.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
Phil Sutter [Tue, 11 Sep 2018 20:14:24 +0000 (22:14 +0200)]
json: Fix datatype_json() for literal level
If a datatype doesn't provide a 'json' callback, datatype_json() uses
fmemopen() to grab the output from 'print' callback. When doing so,
reuse the existing output context instead of creating a dedicated one to
make sure all output-related settings are exactly as expected.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
Phil Sutter [Wed, 29 Aug 2018 14:33:38 +0000 (16:33 +0200)]
tests/py: Check differing rule output for sanity
If an added rule's listing differs from the input (either expected or
not), reinsert that output and check payload again to make sure the
asymmetry doesn't lead to (internal) changes in ruleset.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
yields:
Error: can not use variable sized data types (integer) in concat expressions
icmpv6 type . icmpv6 code @in_icmpv6_types
~~~~~~~~~~~~~~^^^^^^^^^^^
Change 'code' type to the icmp/icmpv6 code type.
Needs minor change to test suite as nft will now display
human-readable names instead of numeric codes.
Phil Sutter [Wed, 29 Aug 2018 14:33:39 +0000 (16:33 +0200)]
tests/py: Make nft-test.py a little more robust
When adding a new test, missing payload file causes nft-test.py to choke
due to accessing undeclared variables. Fix this by making sure relevant
variables are declared outside of try-catch blocks.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Harsha Sharma [Mon, 13 Aug 2018 23:06:56 +0000 (01:06 +0200)]
src: add ct timeout support
This patch adds support for adding, listing and deleting ct timeout
objects which can be assigned via rule to assign connection tracking
timeout policies via objref infrastructure.
Note: Original patch has been reworked to use fixed size array for
timeouts and to validate timeout policy from the evaluation phase, once
we have access to the layer 4 protocol number. --pablo
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 29 Aug 2018 14:25:09 +0000 (16:25 +0200)]
parser_json: Fix crash in error reporting
When trying to add a chain to a non-existing table, error reporting
tries to dereference indesc pointer of the table's location. Hence make
sure the latter is initialized correctly.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 29 Aug 2018 14:23:28 +0000 (16:23 +0200)]
JSON: Add metainfo object to all output
Right now this object merely contains the nftables version and release
name as well as a JSON schema version, but it could be extended
arbitrarily. In the future, this will also allow for non-compatible
schema changes should the need for this arise.
Adjust the parser to accept metainfo objects and make it verify
json_schema_version to be less than or equal to the one hard-coded in
the library.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 29 Aug 2018 14:23:23 +0000 (16:23 +0200)]
JSON: Review verdict statement and expression
Change jump and goto verdicts to become extensible by dedicating an
object for the target parameter.
While being at it, drop break and queue verdict expressions since they
don't seem to exist, no idea where I got those from in the first place.
For queue, there is a dedicated expression at least.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 29 Aug 2018 14:23:22 +0000 (16:23 +0200)]
JSON: Make meta statement/expression extensible
Lessons learned from fwd statement: We must not assume a given
statement/expression may not receive further properties in the future.
Therefore make meta value an object with a property "key" instead of
just a string containing the key name.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 29 Aug 2018 14:23:21 +0000 (16:23 +0200)]
doc: Review libnftables-json.adoc
Drop the bits for TABLE from synopsis section - adding the remaining
objects there as well is tedious and tends to become unreadable. Instead
assume that readers will find the objects' descriptions in their
sections.
Also fix JSON syntax in many objects: The properties are enclosed in an
object, of course.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 29 Aug 2018 14:23:20 +0000 (16:23 +0200)]
doc: Improve example in libnftables-json(5)
The introductory example was a bit flawed in that the third command
('list ruleset') wouldn't yield expected results due to all three
commands ending in a single transaction and therefore the changes of the
first two commands were not committed yet at the time ruleset was
listed.
Instead demonstrate adding a chain and a rule to the new table.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Fri, 24 Aug 2018 11:35:37 +0000 (13:35 +0200)]
doc: Document implicit dependency creation for icmp/icmpv6
As suggested at NFWS, the implicit nfproto dependencies generated by
icmp/icmpv6 header field matches should be documented along with how to
achieve matching on unusual packets.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Wed, 29 Aug 2018 09:37:40 +0000 (11:37 +0200)]
src: tproxy: relax family restrictions
Evaluation step currently prohibits
tproxy ip to 1.2.3.4 in ip family, and
tproxy ip6 to dead::1 in ip6.
This seems an arbitrary limitation, just accept this.
The current restriction would make json output support harder than needed,
as the tproxy expression generated from json path would have to
special-case the table it's currently in, rather than just using the
family attribute in the json output.
We obviously still reject the family in case it mismatches
the table family (e.g., can't use ip address in ip6 table).
Phil Sutter [Tue, 28 Aug 2018 20:26:56 +0000 (22:26 +0200)]
json: Fix compile error
Commit 9e45a28ca467f ("src: honor /etc/services") broke compiling with
JSON support enabled: inet_service_type_print() is not suited for
converting inet_service datatype into JSON at all.
In order to avoid having to replicate the port value resolving into
human-readable name in inet_service_type_json(), just return a numeric
value. At least for JSON output, this probably makes most sense either
way since the output is expected to be parsed by scripts which have an
easier time with numbers than names anyway.
Fixes: 9e45a28ca467f ("src: honor /etc/services")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ccc5da470e76 ("datatype: Replace getnameinfo() by internal lookup table")
f0f99006d34b ("datatype: Replace getaddrinfo() by internal lookup table")
so /etc/services is used to interpret service names, eg.
# nft add rule x y tcp dport \"ssh\"
Then, listing looks like:
# nft list ruleset -l
table x {
chain y {
...
tcp dport "ssh"
}
}
Major changes with regards to the original approach are:
1) Services are displayed in text via `-l' option.
2) Services are user-defined, just like mappings in /etc/iproute2/*
files and connlabel.conf, so they are displayed enclosed in quotes.
Note that original service name code was broken since it parses both udp
and tcp service names but it only displays tcp services names as
literal. This is because NI_DGRAM is missing. This patch makes nft fall
back on udp services if no literal was found in the initial tcp service
name query. Proper way to handle would be to add infrastructure to store
protocol context information in struct output_ctx.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Máté Eckl [Thu, 23 Aug 2018 10:51:07 +0000 (12:51 +0200)]
src: Make invalid chain priority error more specific
So far if invalid priority name was specified the error message referred
to the whole chain/flowtable specification:
nft> add chain ip x h { type filter hook prerouting priority first; }
Error: 'first' is invalid priority in this context.
add chain ip x h { type filter hook prerouting priority first; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
With this patch this reference is made specific to the priority
specification:
nft> add chain ip x h { type filter hook prerouting priority first; }
Error: 'first' is invalid priority in this context.
add chain ip x h { type filter hook prerouting priority first; }
^^^^^^^^^^^^^^
`prio_spec` is also reused to keep naming intuitive. The parser section
formerly named `prio_spec` is renamed to `int_num` as it basically
provides the mathematical set of integer numbers.
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>