Patrick McHardy [Sat, 11 Apr 2015 13:56:16 +0000 (14:56 +0100)]
datatype: less strict time parsing
Don't require hours to be in range 0-23 and minutes/seconds in range 0-59.
The time_type is used for relative times where it is entirely reasonable
to specify 180s instead of 3m.
nftables used to have a cache to speed up interface name <-> index lookup,
restore it using libmnl.
This reduces netlink traffic since if_nametoindex() and if_indextoname() open,
send a request, receive the list of interface and close a netlink socket for
each call. I think this is also good for consistency since nft -f will operate
with the same index number when reloading the ruleset.
The cache is populated by when nft_if_nametoindex() and nft_if_indextoname()
are used for first time. Then, it it released in the output path. In the
interactive mode, it is invalidated after each command.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Based on the existing netlink_open_error(), but indicate file and line
where the error happens. This will help us to diagnose what is going
wrong when users can back to us to report problems.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Patrick McHardy [Tue, 24 Mar 2015 14:20:22 +0000 (14:20 +0000)]
netlink_delinarize: fix payload dependency killing of link layer dependencies
payload_dependency_kill() does not properly handle dependencies for link
layer expressions. Since those dependencies are logically defined on an
even lower layer (device layer), we don't have a payload base for them,
meaning they will use PROTO_BASE_INVALID, which is skipped.
So instead of storing the payload base on which the dependency is defined,
we store the base of the layer for which the dependency applies, meaning
dependencies defined by the device layer will properly work.
This fixes killing the dependency of ether saddr, instead of
The nf_tables kernel API provides a way to disable a table using the
dormant flag. This patch adds the missing code to expose this feature
through nft.
Basically, if you want to disable a table and all its chains from seen
any traffic, you have to type:
nft add table filter { flags dormant\; }
to re-enable the table, you have to:
nft add table filter
this clears the flags.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The objects need to be loaded in the following order:
#1 tables
#2 chains
#3 sets
#4 rules
We have to make sure that chains are in place by when we add rules with
jumps/gotos. Similarly, we have to make sure that the sets are in place
by when rules reference them.
Without this patch, you may hit ENOENT errors depending on your ruleset
configuration.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Patrick McHardy [Mon, 12 Jan 2015 12:09:17 +0000 (12:09 +0000)]
evaluate: check that map expressions' datatype matches mappings
Catch type errors in map expressions using named maps:
# nft add map filter test { type ipv4_addr : inet_service; }
# nft filter output mark set tcp dport map @test
<cmdline>:1:38-42: Error: datatype mismatch, map expects IPv4 address, mapping expression has type internet network service
filter output mark set tcp dport map @test
~~~~~~~~~ ^^^^^
Patrick McHardy [Mon, 12 Jan 2015 11:13:44 +0000 (11:13 +0000)]
evaluate: properly set datatype of map expression
The datatype of the map expression is the datatype of the mappings.
# nft add map filter test { type ipv4_addr : inet_service; }
# nft filter output mark set ip daddr map @test
Before:
<cmdline>:1:24-41: Error: datatype mismatch: expected packet mark, expression has type IPv4 address
filter output mark set ip daddr map @test
~~~~~~~~~^^^^^^^^^^^^^^^^^^
After:
<cmdline>:1:24-41: Error: datatype mismatch: expected packet mark, expression has type internet network service
filter output mark set ip daddr map @test
~~~~~~~~~^^^^^^^^^^^^^^^^^^
netlink_delinearize: clone on netlink_get_register(), release previous on _set()
When using a non-verdict mapping, the set ref expression is assigned to the
destination register. The next get_register() will attempt to clone it and
crash because of the missing ->clone() callback.
# nft filter input meta mark set ip daddr map { 192.168.0.1 : 123 }
# nft list table filter
Segmentation fault (core dumped)
Patrick McHardy [Mon, 12 Jan 2015 09:51:05 +0000 (09:51 +0000)]
set: remove unused set_clone() function
The set_clone() function was added by the event monitor patchset and is
unused. It is also broken since it simply initializes the list head to
the list of the original set, so remove it.
Patrick McHardy [Sun, 11 Jan 2015 23:59:10 +0000 (23:59 +0000)]
parser: properly fix handling of large integer values
Introduction of the ERROR symbol is an ugly hack. There's no reason
to special case large integer values, the NUM token only exists for
small values that are needed immediately, everything else is passed
as EXPR_SYMBOL to evaluation anyways.
Additionally the error reporting is different from what we'd usually
report, the token is easy to confuse with the bison internal error
token and it even has a name, messing up bison internal diagnostics.
Simply return values to large to be handled by strtoull as STRING.
Patrick McHardy [Mon, 22 Dec 2014 16:45:48 +0000 (17:45 +0100)]
netlink_delinearize: cleanup hard to read code
The netlink parsing code is full of long function calls spawning multiple
lines and in some cases parses netlink attributes multiple times.
Use local variables for the registers and other data required to
reconstruct the expressions and statements and reorder the code in
some cases to move related processing next to each other.
Patrick McHardy [Mon, 22 Dec 2014 16:45:48 +0000 (17:45 +0100)]
netlink: readability fixes
Improve readability by using local variables for netlink attributes,
ordering variables more logically, don't arbitrarily initialize
some variables in the definition section and in the body and generally
make similar functions look similar.
Patrick McHardy [Fri, 26 Dec 2014 13:55:41 +0000 (14:55 +0100)]
netlink_delinearize: fix error handling for invalid registers
netlink_delinearize is prepared to deal with malformed expressions from
the kernel that it doesn't understand. However since expressions are now
cloned unconditionally by netlink_get_register(), we crash before such
errors can be detected for invalid inputs.
Patrick McHardy [Sat, 10 Jan 2015 09:23:00 +0000 (09:23 +0000)]
evaluate: add missing datatype compat checks for statement arguments
Add a helper function to evaluate expressions used as arguments for
statements and report datatype mismatches.
Fixes acceptance of mismatching expressions like:
$ nft filter output meta mark set ip daddr
<cmdline>:1:29-36: Error: datatype mismatch: expected packet mark. expression has type IPv4 address
filter output meta mark set ip daddr
~~~~~~~~~~~~~~^^^^^^^^
build: use -Wno-sign-compare to avoid compilation warning in mini-gmp.c
CC mini-gmp.o
mini-gmp.c: In function ‘mpn_get_str_bits’:
mini-gmp.c:1176:17: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
mini-gmp.c: In function ‘mpz_and’:
mini-gmp.c:3650:8: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
mini-gmp.c: In function ‘mpz_ior’:
mini-gmp.c:3723:8: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
mini-gmp.c: In function ‘mpz_xor’:
mini-gmp.c:3792:8: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
mini-gmp.c: In function ‘mpz_set_str’:
mini-gmp.c:4167:17: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Steven Barth [Tue, 6 Jan 2015 22:40:24 +0000 (23:40 +0100)]
erec: use stdio vasprintf instead of gmp_vasprintf
Use stdio's vasprintf instead of gmp_vasprintf which is not part
of the mini-gmp function subset. Furthermore convert the only
gmp-specific user and allow the compiler to verify format-strings.
Signed-off-by: Steven Barth <cyrus@openwrt.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
evaluate: reject: fix dependency generation from nft -f
When nft -f is used, ctx->cmd points to the table object, which
contains the corresponding chain, set and rule lists. The reject
statement evaluator relies on ctx->cmd->rule to add the payload
dependencies, which is doesn't point to the rule in that case.
This patch adds the rule context to the eval_ctx structure to update
the rule list of statements when generating dependencies, as the reject
statement needs.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=993 Reported-by: Ting-Wei Lan <lantw44@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Patrick McHardy [Sat, 13 Dec 2014 07:50:35 +0000 (07:50 +0000)]
datatype: add define for maximum number of bits and mask of datatype id
The id of concat datatypes is composed of the ids of the individual
datatypes. Add a define for the number of bits for each datatype id
and a mask.
The number of bits is chosen as 6, allowing for 63 datatypes, or twice
as much as we currently have. This allows for concatenations of 5
types using 32 bits.
The value is statically chosen instead of basing it on the current
numbers of datatypes since we don't want the maximum concatenation
size to vary between versions, also new versions are supposed to be
able to propery parse a ruleset generated by an older version.
Patrick McHardy [Sat, 13 Dec 2014 07:50:34 +0000 (07:50 +0000)]
datatype: add new subtypes field to account number of concat data types
Using the size is confusing since it usually holds the size of
the data. Add a new "subtypes" member, which holds the number
of datatypes the concat type is made of.
This set member is an integer represented in host byte order, which
obviously doesn't match the header field (in network byte order).
Since the integer datatype has no specific byteorder, we have to rely
on the expression byteorder instead when configuring the context,
before we evaluate the list of set members.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add a new ERROR symbol to handle scanning of too large values.
<cmdline>:1:36-99: Error: bad value '0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
add rule ip test-ip4 input ct mark 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
instead of:
ct mark >= 0x00000032 ct mark <= 0x00000045
^^^^^^^^^^
instead of ct mark <= 0x45000000
^^^^^^^^^^
Remove the custom output so this displays a warning. nft should
(at some point) merge the two statements into one single to express
the range from the netlink_delinearize step.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Eric Leblond [Sat, 29 Nov 2014 16:24:38 +0000 (17:24 +0100)]
scanner: fix reading of really long line
Current code is causing a failure in adding a set containing
a really long list of elements. The failure occurs as soon as
the line is longer than flex read buffer.
When a line is longer than scanner buffer size, the code in YY_INPUT
forces a rewind to the beginning of the string because it does not
find a end of line. The result is that the string is never parsed.
This patch updates the code by rewinding till we found a space.
Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
datatype: relax datatype check in integer_type_parse()
Otherwise parsing with basetypes doesn't work. Now nft displays
an error when the symbolic constant is not correct:
<cmdline>:1:29-31: Error: Could not parse conntrack state
add rule test test ct state xxx accept
^^^
Use .sym_tbl instead and default on the symbol_constant_parse()
function from the ethertype and pkttype, this simplifies the code and
(more importantly) it avoids a breakage after the change in
integer_type_parse().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Alvaro Neira [Wed, 26 Nov 2014 11:07:51 +0000 (12:07 +0100)]
evaluate: reject: fix crash on NULL location with bridge and tcp reset
If we use tcp reset with a network protocol that tcp is not supported,
we display an error. This error use the reject.expr location which is NULL,
therefore we have a crash. This patch replaces it using the reject statement
to display the error like:
Rule:
nft add bridge filter input ether type vlan reject with tcp reset
Output:
<cmdline>:1:46-51: Error: cannot reject this ether type
add rule bridge filter input ether type vlan reject with tcp reset
~~~~~~~~~~~~~~~ ^^^^^^
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
David Kozub [Tue, 25 Nov 2014 17:51:43 +0000 (18:51 +0100)]
build: add missing \ in src/Makefile.am (AM_CPPFLAGS)
The missing \ at the end of the line causes LIBMNL_CFLAGS and LIBNFTNL_CFLAGS
to be ignored. This causes build failure if the libmnl or libnftnl headers are
not in a path that's already searched by the C compiler.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
any/meta.t: ERROR: line 168: nft add rule ip test-ip4 input meta iifgroup {11,33}: This rule should not have failed.
any/meta.t: ERROR: line 178: nft add rule ip test-ip4 input meta oifgroup {11,33}: This rule should not have failed.
ip/masquerade.t: ERROR: line 23: nft add rule ip4 test-ip4 output tcp dport {1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} masquerade: This rule should not have failed.
ip6/masquerade.t: ERROR: line 23: nft add rule ip6 test-ip6 output tcp dport {1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} masquerade: This rule should not have failed.
This needs a space before the list of elements in the set, otherwise
bash here misinterprets the set.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
projects / thirdparty / nftables.git / log
