Harsha Sharma [Mon, 8 Jan 2018 17:57:07 +0000 (23:27 +0530)]
parser_bison: delete table via table handle
This patch allows deletion of table via unique table handles and table
family which can be listed with '-a' option.
For.eg.
nft delete table [<family>] [handle <handle>]
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch allows us to refer to existing flowtables:
# nft add rule x x flow offload @m
Packets matching this rule create an entry in the flow table 'm', hence,
follow up packets that get to the flowtable at ingress bypass the
classic forwarding path.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
# nft add table x
# nft add flowtable x m { hook ingress priority 10\; devices = { eth0, wlan0 }\; }
You have to specify hook and priority. So far, only the ingress hook is
supported. The priority represents where this flowtable is placed in the
ingress hook, which is registered to the devices that the user
specifies.
You can also use the 'create' command instead to bail out in case that
there is an existing flowtable with this name.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: add variable expression and use it to allow redefinitions
Add new variable expression that we can use to attach symbols in
runtime, this allows us to redefine variables via new keyword, eg.
table ip x {
chain y {
define address = { 1.1.1.1, 2.2.2.2 }
ip saddr $address
redefine address = { 3.3.3.3 }
ip saddr $address
}
}
# nft list ruleset
table ip x {
chain y {
ip saddr { 1.1.1.1, 2.2.2.2 }
ip saddr { 3.3.3.3 }
}
}
Note that redefinition just places a new symbol version before the
existing one, so symbol lookups always find the latest version. The
undefine keyword decrements the reference counter and removes the symbol
from the list, so it cannot be used anymore. Still, previous references
to this symbol via variable expression are still valid.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* AC_PREREQ checks for 2.61, which is not supported any contemporary
distribution.
* AC_COPYRIGHT, autoconf documentation states "in addition to the Free
Software Foundation's copyright on the Autoconf macros, parts of your
configure are covered by the copyright-notice.".
This only refers to the autoconf infrastructure: we are doing simple
and standard usage of autoconf infrastructure, we also don't use this
macro in other existing userspace software available at netfilter.org.
The comment above at the beginning of this file shows text that is
available in many configure.ac templates on the Internet.
* AC_CANONICAL_HOST, we don't need the canonical host-system type to
build this software.
* AC_CONFIG_SRCDIR is not used in other userspace software in the tree.
* AC_DEFINE _GNU_SOURCE, define this where it's needed instead.
* AC_DEFINE _STDC_FORMAT_MACROS is not used in this codebase.
* AC_HEADER_STDC checks for ANSI C89 headers, however, we need more than
just this C standard, so this doesn't guarantee anything at all.
* Remove "Checks for libraries" comment, it's obvious.
* AC_HEADER_ASSERT allows us to disable assertions, this is bad because
this is helping us to diagnose bugs and incomplete features.
* AC_CHECK_HEADERS is checking for an arbitrary list of headers,
this still doesn't even guarantee that we can actually do a successful
compilation in a broken system.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
Phil Sutter [Thu, 1 Mar 2018 14:00:32 +0000 (15:00 +0100)]
netlink_delinearize: Fix resource leaks
Most of the cases are basically the same: Error path fails to free the
previously allocated statement or expression. A few cases received
special treatment though:
- In netlink_parse_payload_stmt(), the leak is easily avoided by code
reordering.
- In netlink_parse_exthdr(), there's no point in introducing a goto
label since there is but a single affected error check.
- In netlink_parse_hash() non-error path leaked as well if sreg
contained a concatenated expression.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 1 Mar 2018 14:00:31 +0000 (15:00 +0100)]
netlink: Complain if setting O_NONBLOCK fails
Assuming that code is not aware that reads from netlink socket may
block, treat inability to set O_NONBLOCK flag as fatal initialization
error aborting program execution.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
will call expr_cmp() in case e1->hash.expr is NULL, causing null-pointer
dereference. This is probably a typo, the intention when introducing
this was to avoid the call to expr_cmp() for symmetric hash expressions
which don't use expr->hash.expr. Inverting the existence check should
fix this.
Fixes: 3a86406729782 ("src: hash: support of symmetric hash") Cc: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 1 Mar 2018 14:00:27 +0000 (15:00 +0100)]
cli: Drop pointless check in cli_append_multiline()
The function is called from cli_complete after it has checked for line
to be != NULL. The other part of the conditional, namely multiline being
NULL, is perfectly valid (if the last read line didn't end with
backslash. Hence drop the conditional completely.
Since variable eof is not used anywhere outside of the dropped
conditional, get rid of it completely.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
David Fabian [Mon, 22 Jan 2018 13:02:11 +0000 (14:02 +0100)]
Added undefine/redefine keywords
This is a small patch to nft which adds two new keywords - undefine and
redefine. undefine simply undefines a variable from the current scope.
redefine allows one to change a variable definition. We have a firewall
written in bash (using iptables) that is organized by customer VLANs.
Each VLAN has its own set of bash variables holding things like uplink
iface names, gateway IPs, etc. We want to rewrite the firewall to
nftables but are stuck on the fact that nft variables cannot be
overridden in the same scope. We have each VLAN configuration in a
separate file containing pre/post-routing, input, output and forward
rules,and we include those files to a master firewall configuration. One
solution is to rename all the variables with some VLAN specific
(pre/su)ffix. But that is cumbersome.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Sun, 25 Feb 2018 18:46:04 +0000 (19:46 +0100)]
src: make raw payloads work
make syntax consistent between print and parse.
No dependency handling -- once you use raw expression, you need
to make sure the raw expression only sees the packets that you'd
want it to see.
based on an earlier patch from Laurent Fasnacht <l@libres.ch>.
Laurents patch added a different syntax:
@<protocol>,<base>,<data type>,<offset>,<length>
data_type is useful to make nftables not err when
asking for "@payload,32,32 192.168.0.1", this patch still requires
manual convsersion to an integer type (hex or decimal notation).
data_type should probably be added later by adding an explicit
cast expression, independent of the raw payload syntax.
Concatenate all family/hook examples into a single one by means of includes.
Put all example files under examples/. Use the '.nft' prefix and mark
them as executable files. Use a static shebang declaration, since these
are examples meant for final systems and users.
While at it, refresh also the sets_and_maps.nft example file and also
add the 'netdev-ingress.nft' example file.
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Sat, 24 Feb 2018 11:28:30 +0000 (12:28 +0100)]
tests: meta.t: fix test case for anonymous set automerge
commit fb16c8b7f795e0d
("evaluate: Enable automerge feature for anonymous sets") re-enabled
merging of adjacent ranges, so 33-55, 56-88 turns into 33-88.
Do not exercise dependency removal for protocol key network payload
expressions in bridge, netdev and inet families from meta expressions,
more specifically:
* inet: nfproto and ether type.
* netdev and bridge: meta protocol and ether type.
need to be left in place.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Payload protocol key expressions at network base are meaningful in the
netdev, bridge and inet families, do not exercise the redundant
dependency removal in those cases since it breaks rule semantics.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This helper function tells us if there is already a protocol key payload
expression, ie. those with EXPR_F_PROTOCOL flag set on, that we might
want to remove since we can infer from another expression in the upper
protocol base, eg.
ip protocol tcp tcp dport 22
'ip protocol tcp' can be removed in the ip family since it is redundant,
but not in the netdev, bridge and inet families, where we cannot make
assumptions on the layer 3 protocol.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This context information is very relevant when deciding if a redundant
dependency needs to be removed or not, specifically for the inet, bridge
and netdev families. This new parameter is used by follow up patch
entitled ("payload: add payload_may_dependency_kill()").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 6 Feb 2018 18:18:47 +0000 (19:18 +0100)]
evaluate: Enable automerge feature for anonymous sets
Automatic merging of adjacent/overlapping ranges upon insertion has
clear benefits performance- and readability-wise. The drawbacks which
led to disabling it by default don't apply to anonymous sets since they
are read-only anyway, so enable this feature for them again.
Cc: Jeff Kletsky <netfilter@allycomm.com> Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Ville Skyttä [Wed, 7 Feb 2018 09:40:00 +0000 (11:40 +0200)]
configure: Make missing docbook2man an error if man build requested
Previously, if man page build was enabled but no suitable docbook2man or
the like tool was found, build failed at a later stage with
undescriptive error message. Fail early and explicitly at configure
stage instead.
Signed-off-by: Ville Skyttä <ville.skytta@iki.fi> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Tue, 13 Feb 2018 14:28:00 +0000 (15:28 +0100)]
tests: add test case for sets updated from packet path
currently kernel may pick a set implementation that doesn't provide
a ->update() function. This causes an error when user attempts to
add the nftables rule that is supposed to add entries to the set.
Baruch Siach [Fri, 9 Feb 2018 12:49:50 +0000 (14:49 +0200)]
src: fix build with older glibc
glibc before 2.19 missed the definition of IPPROTO_MH. This leads to
build failure:
parser_bison.y: In function 'nft_parse':
parser_bison.y:3793:21: error: 'IPPROTO_MH' undeclared (first use in this function)
| MH { $$ = IPPROTO_MH; }
^
Since we have a local definition of IPPROTO_MH in headers.h use that to
fix the build.
Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This release includes incremental fixes since last release plus meta
secpath support. libnftnl 1.0.9 is still OK as dependency, actually it
just prints meta secpath as unknown with --debug=netlink but I don't
think that is worth a libnftnl library release.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Varsha Rao [Thu, 25 Jan 2018 15:18:53 +0000 (20:48 +0530)]
configure: Remove macro AC_CHECK_FUNCS
Functions memmove, strchr, strerror and strdup are defined in string.h
header file. Also, strtoull is defined in stdlib.h header file. These
header files are checked by AC_CHECK_HEADERS macro. AC_CHECK_FUNCS macro
is not required, so remove it.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
And later on with Phil Sutter, we decided to disable the automatic merge
feature in sets with intervals. This feature is problematic because it
introduces an inconsistency between what we add and what we later on
get. This is going to get worse with the upcoming timeout support for
intervals. Therefore, we turned off this by default.
However, Jeff Kletsky and folks like this feature, so let's restore this
behaviour on demand with this new 'auto-merge' statement, that you can
place on the set definition, eg.
# nft list ruleset
table ip x {
...
set y {
type ipv4_addr
flags interval
auto-merge
}
}
# nft add element x z { 1.1.1.1-2.2.2.2, 1.1.1.2 }
Regarding implementation details: Given this feature only makes sense
from userspace, let's store this in the set user data area, so nft knows
it has to do automatic merge of adjacent/overlapping elements as per
user request.
# nft add set x z { type ipv4_addr\; auto-merge\; }
Error: auto-merge only works with interval sets
add set x z { type ipv4_addr; auto-merge; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1216 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Mention nftables earlier in the documentation, so users have more context on what
we are talking about.
This is Debian bug #887718, which contains:
<<<
Currently one must read down 100 lines before it is even mentioned.
You might want to make the connection between "nft" and "nftables" as
early as the NAME or DESCRIPTION.
>>>
Requested-by: Dan Jacobson <jidanni@jidanni.org> Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 16 Jan 2018 16:38:07 +0000 (17:38 +0100)]
configure: Allow to disable man page building
Aparently there are distributions which come with incompatible docbook
implementations. On those, forced man page creating if required binaries
are found leads to build failure.
Allow them to conveniently disable man page output instead of having to
pass undocumented variables to configure.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 16 Jan 2018 16:38:06 +0000 (17:38 +0100)]
configure: Fix help text regarding --enable-debug
Debugging symbols are enabled by default, so list '--disable-debug' in
help output rather than '--enable-debug'. This way it is also consistent
with the parameter's description.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 16 Jan 2018 16:19:57 +0000 (17:19 +0100)]
build: Eliminate forgotten traces of libnftables exporting
This removes libnftables pkg-config file along with the few lines of
code to adjust and install it.
Fixes: d572d59788143 ("Make libnftables a local static library") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Varsha Rao [Fri, 19 Jan 2018 03:00:17 +0000 (08:30 +0530)]
configure: Remove AC_HEADER_STDBOOL, AC_C_ and AC_TYPE_ macros
The following macros check if particular C types in specific header file
exists, these header files defines them and are already included in the
source code. So, remove them.
AC_HEADER_STDBOOL - stdbool.h
AC_TYPE_INT and AC_TYPE_UINT - stdint.h or inttypes.h
AC_TYPE_OFF_T and AC_TYPE_UID_T - sys/types.h
AC_TYPE_SIZE_T - stddef.h, string.h, stdlib.h or stdio.h
Remove AC_C_CONST and AC_C_INLINE as gcc supports inline and const
keywords.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Shyam Saini [Tue, 5 Dec 2017 14:07:35 +0000 (19:37 +0530)]
tests: shell: Add tests for low level json import
Test "nft import vm json".
Basically it loads same set of rules by "nft -f" and "nft import vm json"
and prints differences (if any) in the ruleset listed by "nft list
ruleset" in each case.
For Example:
$ ./run-tests.sh testcases/import/vm_json_import_0
Signed-off-by: Shyam Saini <mayhs11saini@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 10 Jan 2018 20:32:04 +0000 (21:32 +0100)]
src: Don't merge adjacent/overlapping ranges
Previously, when adding multiple ranges to a set they were merged if
overlapping or adjacent. This might cause inconvenience though since it
is afterwards not easily possible anymore to remove one of the merged
ranges again while keeping the others in place.
Since it is not possible to have overlapping ranges, this patch adds a
check for newly added ranges to make sure they don't overlap if merging
is turned off.
Note that it is not possible (yet?) to enable range merging using nft
tool.
Testsuite had to be adjusted as well: One test in tests/py changed avoid
adding overlapping ranges and the test in tests/shell which explicitly
tests for this feature dropped.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This behaviour is inconsistent and breaks the restoration of saved
rule-sets with "nft -f".
Fixes: c0697eabe832 ("src: add stateful object support for limit") Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Sat, 9 Dec 2017 15:52:29 +0000 (16:52 +0100)]
src: fix protocol context update on big-endian systems
There is an obscure bug on big-endian systems when trying to list a rule
containing the expression 'ct helper tftp' which triggers the assert()
call in mpz_get_type().
Florian identified the cause: ct_expr_pctx_update() is called for the
relational expression which calls mpz_get_uint32() to get RHS value
(assuming it is a protocol number). On big-endian systems, the
misinterpreted value exceeds UINT_MAX.
Expressions' pctx_update() callback should only be called for protocol
matches, so ct_meta_common_postprocess() lacked a check for 'left->flags
& EXPR_F_PROTOCOL' like the one already present in
payload_expr_pctx_update().
In order to fix this in a clean way, this patch introduces a wrapper
relational_expr_pctx_update() to be used instead of directly calling
LHS's pctx_update() callback which unifies the necessary checks (and
adds one more assert):
- assert(expr->ops->type == EXPR_RELATIONAL)
-> This is new, just to ensure the wrapper is called properly.
- assert(expr->op == OP_EQ)
-> This was moved from {ct,meta,payload}_expr_pctx_update().
- left->ops->pctx_update != NULL
-> This was taken from expr_evaluate_relational(), a necessary
requirement for the introduced wrapper to function at all.
- (left->flags & EXPR_F_PROTOCOL) != 0
-> The crucial missing check which led to the problem.
Phil Sutter [Thu, 30 Nov 2017 18:36:23 +0000 (19:36 +0100)]
Make libnftables a local static library
This changes Makefiles so that libnftables is built into a static
library which is not installed. This allows for incompatible changes
while still providing a library to link to for testing purposes.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
projects / thirdparty / nftables.git / log
