expression: initialize list of expression to silence gcc compile warning
The helper function to translate flagcmp expression to binop expression
results in the following compile warning.
src/expression.c: In function 'list_expr_to_binop':
src/expression.c:1286:16: warning: 'last' may be used uninitialized [-Wmaybe-uninitialized]
1286 | return last;
While at it, add assert() to validate the premises where this function
can be called.
Fixes: 4d5990c92c83 ("src: transform flag match expression to binop expression from parser")
Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Mon, 31 Mar 2025 12:27:47 +0000 (14:27 +0200)]
json: fix error propagation when parsing binop lhs/rhs
Malformed input returns NULL when decoding left/right side of binop.
This causes a NULL dereference in expr_evaluate_binop; left/right must
point to a valid expression.
Fix this in the parser, else we would have to sprinkle NULL checks all over
the evaluation code.
After fix, loading the bogon yields:
internal:0:0-0: Error: Malformed object (too many properties): '{}'.
internal:0:0-0: Error: could not decode binop rhs, '<<'.
internal:0:0-0: Error: Invalid mangle statement value
internal:0:0-0: Error: Parsing expr array at index 1 failed.
internal:0:0-0: Error: Parsing command array at index 3 failed.
Fixes: 0ac39384fd9e ("json: Accept more than two operands in binary expressions")
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Sun, 23 Mar 2025 21:46:18 +0000 (22:46 +0100)]
tests: shell: Fix owner/0002-persist on aarch64
Not sure if arch-specific, but for some reason src/nft wrapper script
would call src/.libs/lt-nft and thus the owner appeared as 'lt-nft'
instead of the expected 'nft'. Cover for that by extracting the expected
program name from /proc.
Fixes: b5205165bd708 ("tests: shell: Extend table persist flag test a bit")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
("src: transform flag match expression to binop expression from parser")
remove it.
This completes the revert of c3d57114f119 ("parser_bison: add shortcut
syntax for matching flags without binary operations"), except the parser
chunk for backwards compatibility.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Check if right hand side of relational is a bitmask, ie.

            relational
             /      \
          ...        or
                    /  \
                value   or
                       /  \
                   value  value

then, if left hand side is a binop expression, compare left and right
hand sides (not only left hand of this binop expression) to check for
redundant matches in consecutive rules, ie.

           relational
            /      \
          and      ...
         /   \
    payload  value

Before this patch, only payload in the binop expression was compared.
This allows to compact several rules matching tcp flags in a set/map, eg.
expression: add __EXPR_MAX and use it to define EXPR_MAX
EXPR_MAX was never updated to the newest expression; add __EXPR_MAX and
use it to define EXPR_MAX.
Add case to expr_ops(), otherwise gcc complains with a warning that the
__EXPR_MAX case is not handled.
Fixes: 347039f64509 ("src: add symbol range expression to further compact intervals")
Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
After this fix, the following errors will be shown:
Error: unqualified type invalid specified in map definition. Try "typeof expression" instead of "type datatype".
map m {
^
map m {
^
Error: map has no mapping data
Fixes: 343a51702656 ("src: store expr, not dtype to track data in sets")
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Thu, 20 Mar 2025 08:34:45 +0000 (09:34 +0100)]
expression: tolerate named set protocol dependency
Included test will fail with:
/dev/stdin:8:38-52: Error: Transparent proxy support requires transport protocol match
meta l4proto @protos tproxy to :1088
                     ^^^^^^^^^^^^^^^
Tolerate a set reference too. Because the set can be empty (or there
can be removals later), add a fake 0-rhs value.
This will make pctx_update assign proto_unknown as the transport protocol
in use. That's enough to avoid the 'requires transport protocol' error.
v2: restrict it to meta lhs for now (Pablo Neira Ayuso)
Florian Westphal [Sun, 16 Mar 2025 13:10:26 +0000 (14:10 +0100)]
netlink_delinerize: add more restrictions on meta nfproto removal
We can't remove 'meta nfproto' dependencies for all cases.
It's removed for ip/ip6 families, this works fine.
But for others, e.g. inet, removal is not as simple.
For example
meta nfproto ipv4 ct protocol tcp
is listed as 'ct protocol tcp', even when this is used in the inet
table.
Meta L4PROTO removal checks were correct, but refactor this
into a helper function to split meta/ct checks from the common
calling function.
Ct check was lacking, we need to examine ct keys more closely
to figure out if they need to retain the network protocol dependency
or not. Elide for NFT_CT_SRC/DST and its variants, as those imply
the network protocol to use, all others must keep it as-is.
Florian Westphal [Fri, 14 Mar 2025 06:50:54 +0000 (07:50 +0100)]
netlink: fix stack buffer overrun when emitting ranged expressions
Included bogon input generates following Sanitizer splat:
AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7...
WRITE of size 2 at 0x7fffffffcbe4 thread T0
#0 0x0000003a68b8 in __asan_memset (src/nft+0x3a68b8) (BuildId: 3678ff51a5405c77e3e0492b9a985910efee73b8)
#1 0x0000004eb603 in __mpz_export_data src/gmputil.c:108:2
#2 0x0000004eb603 in netlink_export_pad src/netlink.c:256:2
#3 0x0000004eb603 in netlink_gen_range src/netlink.c:471:2
#4 0x0000004ea250 in __netlink_gen_data src/netlink.c:523:10
#5 0x0000004e8ee3 in alloc_nftnl_setelem src/netlink.c:205:3
#6 0x0000004d4541 in mnl_nft_setelem_batch src/mnl.c:1816:11
Problem is that the range end is emitted to the buffer at the *padded*
location (rounded up to next register size), but buffer sizing is
based on the expression length, not the padded length.
Also extend the test script: Capture stderr and if we see
AddressSanitizer warning, make it fail.
Same bug as the one fixed in 600b84631410 ("netlink: fix stack buffer overflow with sub-reg sized prefixes"),
just in a different function.
Apply same fix: no dynamic array + add a range check.
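The sizing mistake this commit describes, as an added example that is not nftables code: each endpoint of a range is written at a register-padded offset, so a caller must reserve the padded length for both endpoints, and the write helper refuses to copy into a buffer that is too small instead of running past it. The 32-bit register size, the function names and the sample range bytes are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Assumption for this example: one register holds 32 bits, so every
 * endpoint occupies a slot rounded up to a multiple of 4 bytes. */
#define REG_BYTES 4

/* Padded slot size for an endpoint of 'len' bytes (3 -> 4, 5 -> 8). */
static size_t reg_padded_len(size_t len)
{
	return (len + REG_BYTES - 1) / REG_BYTES * REG_BYTES;
}

/* Bytes a caller must reserve for a range of two endpoints. Reserving
 * 2 * len instead is the bug described above: the end value lands at the
 * padded offset, so the zeroing of the padding runs past the buffer. */
static size_t range_buf_size(size_t len)
{
	return 2 * reg_padded_len(len);
}

/* Write low/high endpoints into buf, each at its padded slot, padding
 * zeroed. Returns bytes written, or 0 if buf cannot hold the padded range
 * (the range check that turns a silent overrun into a refused write). */
static size_t export_range(uint8_t *buf, size_t bufsize,
			   const uint8_t *lo, const uint8_t *hi, size_t len)
{
	size_t slot = reg_padded_len(len);

	if (len == 0 || bufsize < 2 * slot)
		return 0;
	memset(buf, 0, 2 * slot);
	memcpy(buf, lo, len);
	memcpy(buf + slot, hi, len);	/* end goes at the padded offset */
	return 2 * slot;
}

/* 1 if sizing the buffer by the expression length would overrun. */
static int expr_len_sizing_overruns(size_t len)
{
	return 2 * len < range_buf_size(len);
}

/* Self-check with a constructed 3-byte range 0x010203-0x0a0b0c: the high
 * endpoint must start at byte 4, with bytes 3 and 7 zero padding. */
static int export_range_places_end_at_slot(void)
{
	const uint8_t lo[3] = { 0x01, 0x02, 0x03 };
	const uint8_t hi[3] = { 0x0a, 0x0b, 0x0c };
	uint8_t buf[16];

	if (export_range(buf, sizeof(buf), lo, hi, sizeof(lo)) != 8)
		return 0;
	return buf[0] == 0x01 && buf[3] == 0x00 &&
	       buf[4] == 0x0a && buf[6] == 0x0c && buf[7] == 0x00;
}

int main(void)
{
	const uint8_t lo[3] = { 0x01, 0x02, 0x03 };
	const uint8_t hi[3] = { 0x0a, 0x0b, 0x0c };
	uint8_t buf[16];

	printf("3-byte range needs %zu bytes padded, %zu by expression length\n",
	       range_buf_size(3), (size_t)6);
	printf("export into a 6-byte buffer: %s\n",
	       export_range(buf, 6, lo, hi, 3) ? "ok" : "refused");
	printf("export into a 16-byte buffer: %zu bytes written\n",
	       export_range(buf, sizeof(buf), lo, hi, 3));
	return 0;
}
```

The refusal in export_range is the defensive half of the fix: even with callers sizing correctly, a helper that writes at padded offsets should verify the padded total against the buffer it was handed.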
Florian Westphal [Tue, 11 Mar 2025 13:07:03 +0000 (14:07 +0100)]
evaluate: fix expression data corruption
Sometimes nftables will segfault when doing error-unwind of the included
afl-generated bogon.
The problem is the unconditional write access to expr->set_flags in
expr_evaluate_map():
mappings->set_flags |= NFT_SET_MAP;
... but mappings can point to EXPR_VARIABLE (legal), where this will flip
a bit in unused, but allocated memory (i.e., has no effect).
In case of the bogon, mapping is EXPR_RANGE_SYMBOL, and the store can flip
a bit in identifier_range[1], this causes crash when the pointer is freed.
We can't use expr->set_flags unconditionally, so rework this to pass
set_flags as argument and place all read and write accesses in places where
we've made sure we are dealing with EXPR_SET.
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
netlink_linearize: reduce register waste with non-constant binop expressions
Register use is not good with bitwise operations that involve three or
more selectors, eg.
mark set ip dscp and 0x3 or ct mark or meta mark
[ payload load 1b @ network header + 1 => reg 1 ]
[ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
[ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
[ bitwise reg 1 = ( reg 1 & 0x00000003 ) ^ 0x00000000 ]
[ ct load mark => reg 2 ]
[ bitwise reg 1 = ( reg 1 | reg 2 ) ]
[ meta load mark => reg 3 ] <--- this could use register 2 instead!
[ bitwise reg 1 = ( reg 1 | reg 3 ) ]
[ meta set mark with reg 1 ]
register 3 is used to store meta mark, however, register 2 can already be
used since register 1 already stores the partial result of the
bitwise operation for this expression.
Florian Westphal [Mon, 10 Mar 2025 07:29:37 +0000 (08:29 +0100)]
evaluate: don't crash if range has same start and end interval
In this case, evaluation step replaces the range expression with a
single value and we'd crash as range->left/right contain garbage
values.
Simply replace the input expression with the evaluation result.
Also add a test case modeled on the afl reproducer.
Fixes: fe6cc0ad29cd ("evaluate: consolidate evaluation of symbol range expression")
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
segtree: incomplete output in get element command with maps
get element command displays an incomplete range.
Using this simple test ruleset:
table ip x {
	map y {
		typeof ip saddr : meta mark
		counter
		flags interval,timeout
		elements = { 1.1.1.1-1.1.1.10 timeout 10m : 20, 2.2.2.2-2.2.2.5 timeout 10m : 30}
	}
}
then, invoking the get element command:
# nft get element x y { 1.1.1.2 }
results in, before (incomplete output):
table ip x {
	map y {
		type ipv4_addr : mark
		flags interval,timeout
		elements = { 1.1.1.1 counter packets 0 bytes 0 timeout 10m expires 1m24s160ms : 0x00000014 }
	}
}
Note that it displays 1.1.1.1, instead of 1.1.1.1-1.1.1.10.
After this fix:
table ip x {
	map y {
		type ipv4_addr : mark
		flags interval,timeout
		elements = { 1.1.1.1-1.1.1.10 counter packets 0 bytes 0 timeout 10m expires 1m24s160ms : 0x00000014 }
	}
}
Fixes: a43cc8d53096 ("src: support for get element command")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: fix reset element support for interval set type
Running the reset command on an interval (rbtree) set yields:
nft reset element inet filter rbtreeset {1.2.3.4}
BUG: unhandled op 8
This is easy to fix: CMD_RESET doesn't add or remove, so it should be
treated like CMD_GET.
Unfortunately, this still doesn't work properly:
nft get element inet filter rbset {1.2.3.4}
returns:
... elements = { 1.2.3.4 }
but it's expected that "get" and "reset" also return stateful objects
associated with the element. This works for other set types, but for
rbtree, the list of statements gets lost during segtree processing.
After fix, get/reset returns:
elements = { 1.2.3.4 counter packets 10 ...
netlink_delinearize: support for bitfield payload statement with binary operation
Add a new function to deal with payload statement delinearization with
binop expression.
Infer the payload offset from the mask, then walk the template list to
determine if estimated offset falls within a matching header field. If
so, then validate that this is not a raw expression but an actual
bitfield matching. Finally, trim the payload expression length
accordingly and adjust the payload offset.
Instead of:
@nh,8,5 set 0x0
it displays:
ip dscp and 0x1
Update tests/py to cover for this enhancement.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
evaluate: support for bitfield payload statement with binary operation
Update bitfield payload statement support to allow for bitwise
and/or/xor updates. Adjust payload expression to fetch 16-bits for
mangling while leaving unmodified bits intact.
# nft --debug=netlink add rule x y ip dscp set ip dscp or 0x1
ip x y
[ payload load 2b @ network header + 0 => reg 1 ]
[ bitwise reg 1 = ( reg 1 & 0x0000fbff ) ^ 0x00000400 ]
[ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ]
Skip expr_evaluate_bits() transformation since these are only useful
for payload matching and set lookups.
Listing still shows a raw expression:
# nft list ruleset
...
@nh,8,5 set 0x0
The follow up patch completes it:
("netlink_delinearize: support for bitfield payload statement with binary operation")
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1698
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
evaluate: reject unsupported expressions in payload statement for bitfields
The payload statement evaluation pretends that it can handle any
expression for bitfields, but the existing evaluation code only knows
how to handle value expressions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
evaluate: simplify payload statement evaluation for bitfields
Instead of allocating a lshift expression and relying on the binary
operation transfer to propagate this to the mask value, lshift the mask
value immediately.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
evaluate: release existing datatype when evaluating unary expression
Use __datatype_set() to release the existing datatype before assigning
the new one, otherwise ASAN reports the following memleak:
Direct leak of 104 byte(s) in 1 object(s) allocated from:
#0 0x7fbc8a2b89cf in __interceptor_malloc ../../../../src/libsa
#1 0x7fbc898c96c2 in xmalloc src/utils.c:31
#2 0x7fbc8971a182 in datatype_clone src/datatype.c:1406
#3 0x7fbc89737c35 in expr_evaluate_unary src/evaluate.c:1366
#4 0x7fbc89758ae9 in expr_evaluate src/evaluate.c:3057
#5 0x7fbc89726bd9 in byteorder_conversion src/evaluate.c:243
#6 0x7fbc89739ff0 in expr_evaluate_bitwise src/evaluate.c:1491
#7 0x7fbc8973b4f8 in expr_evaluate_binop src/evaluate.c:1600
#8 0x7fbc89758b01 in expr_evaluate src/evaluate.c:3059
#9 0x7fbc8975ae0e in stmt_evaluate_arg src/evaluate.c:3198
#10 0x7fbc8975c51d in stmt_evaluate_payload src/evaluate.c:330
Fixes: faa6908fad60 ("evaluate: clone unary expression datatype to deal with dynamic datatype")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This uses the wrong length. This must re-use the length of the datatype,
not the string length.
The added test cases will fail without the fix due to erroneous
overlap detection, which in itself is due to incorrect sorting of
the elements.
Example error:
netlink: Error: interval overlaps with an existing one
add element inet testifsets simple_wild { "2-1" } failed.
table inet testifsets {
... elements = { "1-1", "abcdef*", "othername", "ppp0" }
... but clearly "2-1" doesn't overlap with any existing members.
The false detection is because of the "abcdef*" wildcard getting sorted
at the beginning of the list which is because it's erroneously initialised
as a 64bit number instead of 128 bits (16 bytes / IFNAMSIZ).
Florian Westphal [Thu, 27 Feb 2025 14:52:10 +0000 (15:52 +0100)]
expression: expr_build_udata_recurse should recurse
If we see EXPR_BINOP, recurse: ->left can be another EXPR_BINOP.
This is irrelevant for 'typeof' named sets, but for anonymous sets, the
key is derived from the concat expression that builds the lookup key for
the anonymous set.
Florian Westphal [Thu, 27 Feb 2025 14:52:09 +0000 (15:52 +0100)]
netlink_delinearize: also consider exthdr type when trimming binops
This allows trimming the binop for exthdrs, this will make nft render
(tcp option mptcp unknown & 240) >> 4 . ip saddr @s1
as
tcp option mptcp subtype . ip saddr @s1
Also extend the typeof set tests with a set concatenating a
sub-byte-sized exthdr expression with a payload one.
The additional call to expr_postprocess() is needed, without this,
typeof_sets_0.nft fails because
frag frag-off @s4 accept
is shown as
meta nfproto ipv6 frag frag-off @s4 accept
Previously, EXPR_EXTHDR would cause payload_binop_postprocess()
to return false which will then make the caller invoke
expr_postprocess(), but after handling EXPR_EXTHDR this doesn't happen
anymore.
Florian Westphal [Thu, 27 Feb 2025 14:52:07 +0000 (15:52 +0100)]
tcpopt: add symbol table for mptcp suboptions
nft can be used to match on specific multipath tcp subtypes:
tcp option mptcp subtype 0
However, depending on which subtype to match, users need to look up the
type/value to use in rfc8684. Add support for mnemonics and
"nft describe tcp option mptcp subtype" to get the subtype list.
Because the number of unique 'enum datatypes' is limited by ABI constraints
this adds a new mptcp suboption type as integer alias.
After this patch, nft supports all of the following:
add element t s { mp-capable }
add rule t c tcp option mptcp subtype mp-capable
add rule t c tcp option mptcp subtype { mp-capable, mp-fail }
For the 3rd case, listing will break because unlike for named sets, nft
lacks the type information needed to pretty-print the integer values,
i.e. nft will print the 3rd rule as 'subtype { 0, 6 }'.
This is resolved in a followup patch.
Other problematic constructs are:
set s1 {
typeof tcp option mptcp subtype . ip saddr
elements = { mp-fail . 1.2.3.4 }
}
Followed by:
tcp option mptcp subtype . ip saddr @s1
nft will print this as:
(tcp option mptcp unknown & 240) >> 4 . ip saddr @s1
All of these issues are not related to this patch, however, they also occur
with other bit-sized extheader fields.
Add a test that replaces one base chain and check that no
filtered packets make it through, i.e. that the 'old chain'
doesn't disappear before new one is active.
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Tue, 25 Feb 2025 20:13:33 +0000 (21:13 +0100)]
payload: return early if dependency is not a payload expression
if (dep->left->payload.base != PROTO_BASE_TRANSPORT_HDR)
is legal only after checking that ->left points to an
EXPR_PAYLOAD expression. The dependency store can also contain
EXPR_META, in this case we access a bogus part of the union.
The payload_may_dependency_kill_icmp helper can't handle a META
dep either, so return early.
Fixes: 533565244d88 ("payload: check icmp dependency before removing previous icmp expression")
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: add symbol range expression to further compact intervals
Update parser to use a new symbol range expression with smaller memory
footprint than range expression + two symbol expressions.
The evaluation step translates this into EXPR_RANGE_VALUE for interval
sets.
Note that maps or concatenations still use the less compact range
expressions representation, those require more work to use this new
symbol range expression. The parser also uses the classic range
expression if variables are used.
Testing with 100k intervals, worst case scenario: no prefix or
singleton elements. This shows a reduction from 49.58 Mbytes to
35.47 Mbytes (-29.56% memory footprint for this case).
This is follow up work to previous commits:
91dc281a82ea ("src: rework singleton interval transformation to reduce memory consumption")
c9ee9032b0ee ("src: add EXPR_RANGE_VALUE expression and use it")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Moreover, unlike "list sets", "list maps" only supported "list maps" and
"list maps inet", without the ability to only list maps of a given table.
Compact this to unify the syntax so it becomes possible to omit the "table"
keyword for either reset or list mode.
flowtables, secmarks and synproxys keywords are updated too. "flow table"
and "meters" are NOT changed since both of these are deprecated in favor
of standard nft sets.
exthdr: incomplete type 2 routing header definition
Add missing type 2 routing header definition.
Listing is not correct because these IPv6 extension headers are still
lacking context to properly delinearize the listing, but at least this
does not crash anymore.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Thu, 30 Jan 2025 17:47:13 +0000 (18:47 +0100)]
src: add and use payload_expr_trim_force
Previous commit fixed erroneous handling of raw expressions when RHS sets
a zero value.
Input: @ih,58,6 set 0 @ih,86,6 set 0 @ih,170,22 set 0
Output: @ih,48,16 set @ih,48,16 & 0xffc0 @ih,80,16 set @ih,80,16 & 0xfc0f @ih,160,32 set @ih,160,32 & 0xffc00000
After this patch, this will instead display:
@ih,58,6 set 0x0 @ih,86,6 set 0x0 @ih,170,22 set 0x0
payload_expr_trim_force() only works when the payload has no known
protocol (template) attached, i.e. will be printed as raw payload syntax.
It performs sanity checks on @mask and then adjusts the payload expression
length and offset according to the mask.
Also add this check in __binop_postprocess() so we can also discard masks
when matching, e.g.
binop_postprocess now returns if it performed an action or not; if this
returns true then arguments might have been freed so callers must no longer
refer to any of the expressions attached to the binop.
Next patch adds test cases for this.
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
@ih,58,6 set 0 <- Zero 6 bits, starting with bit 58
Changes to inner header mandate a checksum update, which only works for
even byte counts (except for last byte in the payload).
Thus, we load 2b at offset 6. (16bits, offset 48).
Because we want to zero 6 bits, we need a mask that retains 10 bits and
clears 6: b1111111111000000 (first 8 bit retains 48-57, last 6 bit clear
58-63). The '0xc0ff' is not correct, but that's because debug output comes
from libnftnl which prints values in host byte order, the value will be
interpreted as big endian on kernel side, so this will do the right thing.
Next, same problem:
@ih,86,6 set 0 <- Zero 6 bits, starting with bit 86.
nft needs to round down to even-sized byte offset, 10, then retain first
6 bits (80 + 6 == 86), then clear 6 bits (86-91), then keep 4 more as-is
(92-95).
So a mask of 0xfc0f (in big endian) would be correct (b1111110000001111).
Last expression, @ih,170,22 set 0, asks to clear 22 bits starting with bit
170, nft correctly rounds this down to a 32 bit read at offset 160.
Required mask keeps first 10 bits, then clears 22
(b11111111110000000000000000000000). Required mask would be 0xffc00000,
which corresponds to the wrong-endian-printed value in line 8 above.
Now that we convinced ourselves that the input side is correct, fix up
netlink delinearize to undo the mask alterations if we can't find a
template to print a human-readable payload expression.
With this patch, we get this output:
@ih,48,16 set @ih,48,16 & 0xffc0 @ih,80,16 set @ih,80,16 & 0xfc0f @ih,160,32 set @ih,160,32 & 0xffc00000
... which isn't ideal. We should fixup the payload expression to display
the same output as the input, i.e. adjust payload->len and offset as per
mask and discard the mask instead.
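The mask derivation walked through above, generalised into code as an added example that is not nftables code: given a raw bitfield statement's bit offset and length, round the start down to an even byte boundary, widen the read to 16 or 32 bits (an even byte count, as the checksum update needs), and build the "retain" mask with zeros only over the requested field. It also renders the delinearized "@ih,48,16 set @ih,48,16 & 0xffc0" form and shows how the same mask reads in host byte order on a little-endian machine, which is the 0xc0ff seen in the libnftnl debug output. The struct, the function names, the "16- or 32-bit window" rule and the rejection of fields that would need a wider window are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Load window and mask derived for one raw bitfield statement.
 * Assumed layout for this example, not nft's internal struct. */
struct bitfield_window {
	unsigned int load_off;	/* window start in bits, multiple of 16 */
	unsigned int load_len;	/* bits read and written back: 16 or 32 */
	uint32_t mask;		/* big-endian view: 1 = keep, 0 = bit to clear */
};

/* Round the field start down to a 16-bit boundary, read 16 or 32 bits,
 * and keep every bit of the window except the requested field.
 * Returns -1 for a zero-length field or one that would not fit a
 * 32-bit window (assumption: wider windows are not modelled here). */
static int bitfield_window_for(unsigned int off, unsigned int len,
			       struct bitfield_window *w)
{
	unsigned int start = off & ~15u;	/* 58 -> 48, 86 -> 80, 170 -> 160 */
	unsigned int span, shift;
	uint32_t field, full;

	if (len == 0 || len > 32)
		return -1;
	span = (off - start) + len;	/* bits from window start to field end */
	if (span > 32)
		return -1;

	w->load_off = start;
	w->load_len = span <= 16 ? 16 : 32;
	/* field bits are counted from the window's most significant bit */
	shift = w->load_len - (off - start) - len;
	field = (len == 32 ? 0xffffffffu : ((1u << len) - 1)) << shift;
	full = w->load_len == 32 ? 0xffffffffu : 0xffffu;
	w->mask = full & ~field;
	return 0;
}

/* Mask only, 0 when the field is rejected; convenient for checks. */
static uint32_t mask_for(unsigned int off, unsigned int len)
{
	struct bitfield_window w;

	return bitfield_window_for(off, len, &w) < 0 ? 0 : w.mask;
}

/* How the big-endian mask reads back as a host-order integer on a
 * little-endian host (0xffc0 -> 0xc0ff), i.e. the libnftnl debug view. */
static uint32_t mask_host_view(uint32_t mask, unsigned int load_len)
{
	if (load_len == 16)
		return ((mask & 0xff) << 8) | ((mask >> 8) & 0xff);
	return ((mask & 0xff) << 24) | ((mask & 0xff00) << 8) |
	       ((mask >> 8) & 0xff00) | (mask >> 24);
}

/* Render the "@base,off,len set @base,off,len & mask" listing form. */
static int format_raw_stmt(char *out, size_t outsz, const char *base,
			   const struct bitfield_window *w)
{
	return snprintf(out, outsz, "@%s,%u,%u set @%s,%u,%u & 0x%0*x",
			base, w->load_off, w->load_len, base, w->load_off,
			w->load_len, (int)(w->load_len / 4), (unsigned int)w->mask);
}

/* 1 if the statement for (off, len) in the inner header renders as expected. */
static int raw_stmt_matches(unsigned int off, unsigned int len,
			    const char *expected)
{
	struct bitfield_window w;
	char buf[64];

	if (bitfield_window_for(off, len, &w) < 0)
		return 0;
	format_raw_stmt(buf, sizeof(buf), "ih", &w);
	return strcmp(buf, expected) == 0;
}

int main(void)
{
	/* the three constructed inputs from the derivation above */
	const unsigned int fields[3][2] = { { 58, 6 }, { 86, 6 }, { 170, 22 } };
	struct bitfield_window w;
	char buf[64];

	for (int i = 0; i < 3; i++) {
		bitfield_window_for(fields[i][0], fields[i][1], &w);
		format_raw_stmt(buf, sizeof(buf), "ih", &w);
		printf("@ih,%u,%u set 0  ->  %s  (host view 0x%x)\n",
		       fields[i][0], fields[i][1], buf,
		       mask_host_view(w.mask, w.load_len));
	}
	return 0;
}
```

Reading the output next to the commit's "Output:" line shows why the delinearizer needs the inverse step: the mask alone still describes the field exactly (window start plus the position of its zero run), so payload length and offset can be recovered from it and the mask discarded.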
Florian Westphal [Wed, 22 Jan 2025 09:18:04 +0000 (10:18 +0100)]
evaluate: allow to re-use existing metered set
Blamed commit translates old meter syntax (which used to allocate an
anonymous set) to dynamic sets.
A side effect of this is that re-adding a meter rule after the chain was
flushed results in an error; unlike anonymous sets, named sets are not
impacted by the flush.
Refine this: if a set of the same name exists and is compatible, then
re-use it instead of returning an error.
Also pick up the reproducer kindly provided by the reporter and place it
in the shell test directory.
Fixes: b8f8ddfff733 ("evaluate: translate meter into dynamic set")
Reported-by: Yi Chen <yiche@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
src: rework singleton interval transformation to reduce memory consumption
set_to_intervals() expands range expressions into a list of singleton
elements before building the netlink message that is sent to userspace.
This is because the kernel expects this list of singleton elements where
EXPR_F_INTERVAL_END denotes a closing interval. This expansion
significantly increases memory consumption in userspace.
This patch updates the logic to transform the range expression up to two
temporary singleton element expressions through setelem_to_interval().
Then, these two elements are used to allocate the nftnl_set_elem objects
through alloc_nftnl_setelem_interval() to build the netlink message,
finally all these temporary objects are released. For anonymous sets,
when adjacent ranges are found, the end element is not added to the set
to pack the set representation as in the original set_to_intervals()
routine.
After this update, set_to_intervals() only deals with adding the
non-matching all zero element to the interval set when it is not there
as the kernel expects.
In combination with the new EXPR_RANGE_VALUE expression, this shrinks
runtime userspace memory consumption from 70.50 Mbytes to 43.38 Mbytes
for a 100k intervals set sample.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
mnl: do not send set size when set is constant set
When turning element range into the interval representation based on
singleton elements for the rbtree tree set backend, userspace adjusts
the size to the internal kernel implementation.
For constant sets, this is leaking an internal kernel implementation
detail that is fixed by kernel patch ("netfilter: nf_tables: fix set
size with rbtree backend"). For non-constant sets, set size is just
broken.
This patch is required by the follow up patch ("src: rework singleton
interval transformation to reduce memory consumption").
On top of this, constant sets cannot be updated once they are bound, so set
size is not useful in this case. Remove this implicit set size for
constant sets.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
set element with range takes 4 instances of struct expr:
EXPR_SET_ELEM -> EXPR_RANGE -> (2) EXPR_VALUE
where EXPR_RANGE represents two references to struct expr with constant
value.
This new EXPR_RANGE_VALUE trims it down to two expressions:
EXPR_SET_ELEM -> EXPR_RANGE_VALUE
with two direct low and high values that represent the range:
struct {
	mpz_t low;
	mpz_t high;
};
These two new direct values in struct expr do not modify its size.
setelem_expr_to_range() translates EXPR_RANGE to EXPR_RANGE_VALUE; this
conversion happens at a later stage.
constant_range_expr_print() translates this structure to constant values
to reuse the existing datatype_print() which relies on singleton values.
The automerge routine has been updated to use EXPR_RANGE_VALUE.
This requires a follow up patch to rework the conversion from range
expression to singleton element to provide a noticeable memory
consumption reduction.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This is a test case for nft_socket cgroupv2 matching, including
support for matching inside a cgroupv2 mount space added in kernel
commit 7f3287db6543 ("netfilter: nft_socket: make cgroupsv2 matching work with namespaces").
Test is thus run twice, once in the initial namespace and once with
a changed cgroupv2 root.
In case we can't create a cgroup or the 2nd half (unshared re-run)
fails, indicate SKIP.