Shivani Bhardwaj [Thu, 28 Jan 2016 19:35:37 +0000 (01:05 +0530)]
src: netlink_linearize: Fix bug for redirect target
Before this patch,
$ sudo nft --debug=netlink add rule ip nat post ip protocol tcp redirect to 100-200
ip nat post
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ immediate reg 1 0x00006400 ]
[ immediate reg 2 0x0000c800 ]
[ redir proto_min reg 1 proto_max reg 5 ]
<cmdline>:1:1-56: Error: Could not process rule: Invalid argument
add rule ip nat post ip protocol tcp redirect to 100-200
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
After this patch,
$ sudo nft --debug=netlink add rule ip nat post ip protocol tcp redirect to 100-200
ip nat post
[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ immediate reg 1 0x00006400 ]
[ immediate reg 2 0x0000c800 ]
[ redir proto_min reg 1 proto_max reg 2 ]
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch contains the missing chunk to add support for the netdev
family. Part of the support slipped through in the original patch to
add the dup statement for IPv4 and IPv6.
Florian Westphal [Sun, 24 Jan 2016 12:01:04 +0000 (13:01 +0100)]
netlink: move binop postprocess to extra function
Just move the payload trim part to a separate function.
Next patch will add a second call site to deal with map ops
that use a lookup based on a binop result.
Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
So far it was only possible to match packet under a rate limit, this
patch allows you to explicitly indicate if you want to match packets
that goes over or until the rate limit, eg.
... limit rate over 3/second counter log prefix "OVERLIMIT: " drop
... limit rate over 3 mbytes/second counter log prefix "OVERLIMIT: " drop
... ct state invalid limit rate until 1/second counter log prefix "INVALID: "
Florian Westphal [Sat, 12 Dec 2015 00:10:04 +0000 (01:10 +0100)]
ct: add packet/byte counter support
packets and bytes need special treatment -- we want to be able to get
packet/byte counter in either direction, but also express
'fetch in *BOTH* directions', i.e.
ct packets original + ct packets reply > 1000
This either requires a '+' expression, a new 'both' direction, or
keys where direction is optional, i.e.
ct packets > 12345 ; original + reply
ct original packets > 12345 ; original
Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
tests/py: don't test log statement from protocol match
I think this unit tests should be self-contained at some level. The
shell/ directory should be used to catch regressions at ruleset level,
ie. these kind of combinations.
Another motivation is that I want that netdev/ingress gets tested
(coming in a follow up patch), and we don't support log there yet, so I
would need to skip this test for that case.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Use rhs_expr and list_rhs_expr as possible occurrences of
initializer_expr since we may only find constant expressions on the
right hand side of the assignment.
Fixes: 2a5d44d8b3c (parser: get rid of multiton_expr from lhs relational expression) Reported-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Tested-by: Florian Westphal <fw@strlen.de> Tested-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Now the chains should be included before tables. Also, lines defining
tables have a new third part (delimited by semicolon) where the chains
needed by the table are declared. If table needs to include more than
one chain, those must be separated by commas:
- Adjust lines to 80 columns style
- Add two lines of separation between functions
- Remove redundant parentheses and semicolons
- Apply other minor style fixes
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netlink: don't handle lhs zero-length expression as concat type
expr->len 0 can appear for some data types whose size can be different
based on some external state, e.g. the conntrack src/dst addresses.
The nft type is 'invalid/0-length' in the template definition, the
size is set (on linearization) based on the network base family,
i.e. the type is changed to ip or ipv6 address at a later stage.
For delinarization, skip zero-length expression as concat type
and give expr_postprocess a chance to fix the types.
Without this change the previous patch will result in nft consuming all
available memory when trying to display e.g. a 'ct saddr' rule.
A few keys in the ct expression are directional, i.e.
we need to tell kernel if it should fetch REPLY or ORIGINAL direction.
Split ct_keys into ct_keys & ct_keys_dir, the latter are those keys
that the kernel rejects unless also given a direction.
During postprocessing we also need to invoke ct_expr_update_type,
problem is that e.g. ct saddr can be any family (ip, ipv6) so we need
to update the expected data type based on the network base.
parser: restore bitwise operations from the rhs of relational expressions
Reintroduce bitwise operation on constants that was removed in ("parser:
restrict relational rhs expression recursion") since we support this
since the beginning.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This rule catches occurrences from the constant rhs, rename it for
readability reasons.
Note that this rule is still used from the set lhs definition that is
always constant (as it represents the key to look up for the
corresponding element).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parser: get rid of multiton_expr from lhs relational expression
The multiton_expr rule matches range, prefix and wildcard expressions
which don't make sense from the non-constant lhs. This rule is there to
handle the nat statement case, whose expression may be composed of
address and port ranges (hence range expressions).
To resolve this, this patch adds the stmt_expr rule to handle the
possible occurrences of map, multiton and primary expressions from
statements.
This results in more rules but it narrows down what we can find from
expressions that are part of action statements.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The relational expression allows recursion from both sides, this doesn't
allow us to know what hand side the input is coming from. This patch
adds a new expr_rhs rule that specifies what can be found on the
constant side of the relational.
Besides making it easier to understand what is actually supported, this
allows us to use reserve words both as constant and statements. This is
used by the following patch to allow to use redirect as constant from
the icmp payload match.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Arturo Borrero [Fri, 11 Dec 2015 10:10:19 +0000 (11:10 +0100)]
tests/: add shell test-suite
This new test-suite is intended to perform tests of higher level than
the other reggresion test-suite.
It can run arbitrary executables which can perform any test apart of testing
the nft syntax or netlink code (which is what the regression tests does).
To run the test suite (as root):
% cd tests/shell
% ./run-tests.sh
Test files are executables files with the pattern <<name_N>>, where N is the
expected return code of the executable. Since they are located with `find',
test-files can be spreaded in any sub-directories.
You can turn on a verbose execution by calling:
% ./run-tests.sh -v
Before each call to the test-files, `nft flush ruleset' will be called.
Also, test-files will receive the environment variable $NFT which contains the
path to the nftables binary being tested.
You can pass an arbitrary $NFT value as well:
% NFT=../../src/nft ./run-tests.sh
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netlink_delinearize: add previous statement to rule_pp_ctx
564b0e7c13f9 ("netlink_delinearize: postprocess expression before range
merge") crashes nft when the previous statement is removed via
payload_dependency_kill() as this pointer is not valid anymore.
Move the pointer to the previous statement to rule_pp_ctx and invalidate
it when required.
Reported-by: "Pablo M. Bermudo Garay" <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Reported-by: "Pablo M. Bermudo Garay" <pablombg@gmail.com>
Update bitfield definitions to match according to the way they are
expressed in RFC and IEEE specifications.
This required a bit of update for c3f0501 ("src: netlink_linearize:
handle sub-byte lengths").
>From the linearize step, to calculate the shift based on the bitfield
offset, we need to obtain the length of the word in bytes:
len = round_up(expr->len, BITS_PER_BYTE);
Then, we substract the offset bits and the bitfield length.
shift = len - (offset + expr->len);
From the delinearize, payload_expr_trim() needs to obtain the real
offset through:
off = round_up(mask->len, BITS_PER_BYTE) - mask_len;
For vlan id (offset 12), this gets the position of the last bit set in
the mask (ie. 12), then we substract the length we fetch in bytes (16),
so we obtain the real bitfield offset (4).
Then, we add that to the original payload offset that was expressed in
bytes:
payload_offset += off;
Note that payload_expr_trim() now also adjusts the payload expression to
its real length and offset so we don't need to propagate the mask
expression.
Reported-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The tests script suffers a crash when a rule test line is malformed
(e.g. if expected result is missing). This commit fixes these crashes
and now the line is skipped and a warning is printed.
While at it, fix a malformed test line too.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
In the test files, some lines defining tables was commented out with a
minus "-" sign, also used to mark broken rules. This commit replaces
these signs with actual comments "#" and removes the code that handled
the situation.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
During tests execution, some *.payload.got files may be generated. To
avoid annoyances, this commit adds the pattern to .gitignore. Also, the
file "dup.t.payload.got", that was presumably included by mistake, has
been deleted.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
We have to clone the payload expression before attaching it to the lhs
of the relational expression, this payload expression is located at the
lhs of the binary operation that is released thereafter.
Fixes: 39f15c2 ("nft: support listing expressions that use non-byte header fields") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
tests: regression: allow to run tests from anywhere
Since 357d8cf "tests: use the src/nft binary instead of $PATH one", the
tests script needs to be executed from nftables repository root. Now
the script can be run from any location and also checks the binary
existence.
To run a single test file, the path must be relative from the directory
where you launch the script.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
Python interpreter doesn't like mixed indentation. So in order to
prevent future problems, this commit replace some tabs found in the
script with space indentation.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
We need to reallocate the constant expression with the right expression
length when evaluating the string. Otherwise the linearization step
generates a wrong comparison on big endian. We cannot do this any
earlier since we don't know the maximum string length for this datatype
at the parsing stage.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Contrary to iptables, we use the asterisk character '*' as wildcard.
# nft --debug=netlink add rule test test iifname eth\*
ip test test
[ meta load iifname => reg 1 ]
[ cmp eq reg 1 0x00687465 ]
Note that this generates an optimized comparison without bitwise.
In case you want to match a device that contains an asterisk, you have
to escape the asterisk, ie.
# nft add rule test test iifname eth\\*
The wildcard string handling occurs from the evaluation step, where we
convert from:
relational
/ \
/ \
meta value
oifname eth*
to:
relational
/ \
/ \
meta prefix
ofiname
As Patrick suggested, this not actually a wildcard but a prefix since it
only applies to the string when placed at the end.
More comments:
* This relaxes the left->size > right->size from netlink_parse_cmp()
for strings since the optimization that this patch applies may now
result in bogus errors.
* This patch can be later on extended to apply a similar optimization to
payload expressions when:
expr->len % BITS_PER_BYTE == 0
For meta and ct, the kernel checks for the exact length of the attributes
(it expects integer 32 bits) so we can't do it unless we relax that.
* Wildcard strings are not supported from sets and maps yet. Error
reporting is not very good at this stage since expr_evaluate_prefix()
doesn't have enough context (ctx->set is NULL, the set object is
currently created later after evaluating the lhs and rhs of the
relational). I'll be following up on this later.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
evaluate: check if table and chain exists when adding rules
Assuming a table 'test' that contains a chain 'test':
# nft add rule test1 test2 counter
<cmdline>:1:1-28: Error: Could not process rule: Table 'test1' does not exist
add rule test1 test2 counter
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# nft add rule test test2 counter
<cmdline>:1:1-27: Error: Could not process rule: Chain 'test2' does not exist
add rule test test2 counter
^^^^^^^^^^^^^^^^^^^^^^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
rule: `list sets' only displays declaration, not definition
# nft list sets
table ip nat {
set libssh {
type ipv4_addr
}
}
table inet filter {
set set0 {
type inet_service
flags constant
}
set set1 {
type inet_service
flags constant
}
set set2 {
type icmpv6_type
flags constant
}
}
So in case you want to inspect the definition, you have to use `list set'
and the specific set that you want to inspect:
# nft list set inet filter set0
table inet filter {
set set0 {
type inet_service
flags constant
elements = { 2200, ssh}
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Several fixes:
* handles are printed last
* simplify space games (an extra space was being printed)
* comments are shown with `nft monitor' as well (missing before this patch)
Before this patch:
% nft list ruleset -a
[...]
chain test {
iifname eth0 # handle 1 comment "test"
}
[...]
% nft list ruleset
[...]
chain test {
iifname eth0 comment "test"
^^
}
[...]
% nft monitor &
% nft add rule test test iifname eth0 comment "test"
add rule test test iifname eth0
After this patch:
% nft list ruleset -a
chain test {
iifname eth0 comment "test" # handle 1
^
}
% nft monitor -a &
% nft add rule test test iifname eth0 comment "test"
add rule test test iifname eth0 comment "test" # handle 1
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netlink: cmp: shift rhs constant if lhs offset doesn't start on byte boundary
if we have payload(someoffset) == 42, then shift 42 in case someoffset
doesn't start on a byte boundary.
We already insert a mask instruction to only load those bits into
the register that we were interested in, but the cmp will fail without
also adjusting rhs accordingly.
Needs additional patch in reverse direction to undo the shift again
when dumping ruleset.
payload: disable payload merge if offsets are not on byte boundary.
... because it doesn't work, we attempt to merge it into wrong
place, we would have to merge the second value at a specific location.
F.e. vlan hdr 4094 gives us
0xfe0f
Merging in the CFI should yield 0xfe1f, but the constant merging
doesn't know how to achive that; at the moment 'vlan id 4094'
and 'vlan id 4094 vlan cfi 1' give same result -- 0xfe0f.
For now just turn off the optimization step unless everything is
byte divisible (the common case).
nft: allow stacking vlan header on top of ethernet
currently 'vlan id 42' or even 'vlan type ip' doesn't work since
we expect ethernet header but get vlan.
So if we want to add another protocol header to the same base, we
attempt to figure out if the new header can fit on top of the existing
one (i.e. proto_find_num gives a protocol number when asking to find
link between the two).
We also annotate protocol description for eth and vlan with the full
header size and track the offset from the current base.
Otherwise, 'vlan type ip' fetches the protocol field from mac header
offset 0, which is some mac address.
Instead, we must consider full size of ethernet header.
Pablo reported test failures because the order of returned set entries
is not deterministic.
This sorts set elements before comparision.
Patrick suggested to move ordering into libnftnl (since we could f.e.
also get duplicate entries due to how netlink dumps work), but thats a bit
more work. Hence this quick workaround.
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
projects / thirdparty / nftables.git / log
