git.ipfire.org Git - thirdparty/nftables.git/log
6 years ago | evaluate: double datatype_free() with dynamic integer datatypes
Pablo Neira Ayuso [Fri, 14 Jun 2019 09:55:08 +0000 (11:55 +0200)] 
evaluate: double datatype_free() with dynamic integer datatypes

datatype_set() already deals with this case, remove this.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | evaluate: update byteorder only for implicit maps
Pablo Neira Ayuso [Fri, 14 Jun 2019 09:50:42 +0000 (11:50 +0200)] 
evaluate: update byteorder only for implicit maps

The byteorder adjustment for the integer datatype is only required by
implicit maps.

Fixes: b9b6092304ae ("evaluate: store byteorder for set keys")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | evaluate: use-after-free in meter
Pablo Neira Ayuso [Thu, 13 Jun 2019 15:03:35 +0000 (17:03 +0200)] 
evaluate: use-after-free in meter

Similar to bbe139fdf5a5 ("evaluate: use-after-free in implicit set").

==12727== Invalid read of size 4
==12727==    at 0x72DB515: expr_free (expression.c:86)
==12727==    by 0x72D3092: set_free (rule.c:367)
==12727==    by 0x72DB555: expr_destroy (expression.c:79)
==12727==    by 0x72DB555: expr_free (expression.c:95)
==12727==    by 0x72D7A35: meter_stmt_destroy (statement.c:137)
==12727==    by 0x72D7A07: stmt_free (statement.c:50)
==12727==    by 0x72D7AD7: stmt_list_free (statement.c:60)
==12727==    by 0x72D32EF: rule_free (rule.c:610)
==12727==    by 0x72D3834: chain_free (rule.c:827)
==12727==    by 0x72D45D4: table_free (rule.c:1184)
==12727==    by 0x72D46A7: __cache_flush (rule.c:293)
==12727==    by 0x72D472C: cache_release (rule.c:313)
==12727==    by 0x72D4A79: cache_update (rule.c:264)
==12727==  Address 0x64f14c8 is 56 bytes inside a block of size 128 free'd
==12727==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==12727==    by 0x72D7A2C: meter_stmt_destroy (statement.c:136)
==12727==    by 0x72D7A07: stmt_free (statement.c:50)
==12727==    by 0x72D7AD7: stmt_list_free (statement.c:60)
==12727==    by 0x72D32EF: rule_free (rule.c:610)
==12727==    by 0x72D3834: chain_free (rule.c:827)
==12727==    by 0x72D45D4: table_free (rule.c:1184)
==12727==    by 0x72D46A7: __cache_flush (rule.c:293)
==12727==    by 0x72D472C: cache_release (rule.c:313)
==12727==    by 0x72D4A79: cache_update (rule.c:264)
==12727==    by 0x72F82CE: nft_evaluate (libnftables.c:388)
==12727==    by 0x72F8A8B: nft_run_cmd_from_buffer (libnftables.c:428)

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | monitor: Accept -j flag
Phil Sutter [Wed, 12 Jun 2019 17:27:37 +0000 (19:27 +0200)] 
monitor: Accept -j flag

Make 'nft -j monitor' equal to 'nft monitor json' and change
documentation to use only the first variant since that is more intuitive
and also consistent with other commands.

While being at it, drop references to XML from monitor section - it was
never supported.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | netlink_delinearize: use-after-free in expr_postprocess_string()
Pablo Neira Ayuso [Thu, 13 Jun 2019 09:26:36 +0000 (11:26 +0200)] 
netlink_delinearize: use-after-free in expr_postprocess_string()

escaped_string_wildcard_expr_alloc() may reallocate the expression.
valgrind reports errors like this one:

==29945== Invalid write of size 4
==29945==    at 0x72EE944: __expr_postprocess_string (netlink_delinearize.c:2006)
==29945==    by 0x72EE944: expr_postprocess_string (netlink_delinearize.c:2016)
==29945==    by 0x72EE944: expr_postprocess (netlink_delinearize.c:2120)
==29945==    by 0x72EE5A7: expr_postprocess (netlink_delinearize.c:2094)
==29945==    by 0x72EF23B: stmt_expr_postprocess (netlink_delinearize.c:2289)
==29945==    by 0x72EF23B: rule_parse_postprocess (netlink_delinearize.c:2510)
==29945==    by 0x72EF23B: netlink_delinearize_rule (netlink_delinearize.c:2650)
==29945==    by 0x72E6F63: list_rule_cb (netlink.c:330)
==29945==    by 0x7770BD3: nftnl_rule_list_foreach (rule.c:810)
==29945==    by 0x72E739E: netlink_list_rules (netlink.c:349)
==29945==    by 0x72E739E: netlink_list_table (netlink.c:490)
==29945==    by 0x72D4A89: cache_init_objects (rule.c:194)
==29945==    by 0x72D4A89: cache_init (rule.c:216)
==29945==    by 0x72D4A89: cache_update (rule.c:266)
==29945==    by 0x72F829E: nft_evaluate (libnftables.c:388)
==29945==    by 0x72F8A5B: nft_run_cmd_from_buffer (libnftables.c:428)

Remove expr->len, not needed and it triggers use-after-free errors.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | datatype: dtype_clone() should clone flags too
Pablo Neira Ayuso [Wed, 12 Jun 2019 11:58:22 +0000 (13:58 +0200)] 
datatype: dtype_clone() should clone flags too

Clone original flags too.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | src: add reference counter for dynamic datatypes
Pablo Neira Ayuso [Tue, 11 Jun 2019 15:16:50 +0000 (17:16 +0200)] 
src: add reference counter for dynamic datatypes

There are two datatypes that use runtime datatype allocation:

* Concatenations.
* Integer, which requires byteorder adjustment.

From the evaluation / postprocess step, transformations are common,
hence expressions may end up fetching (inferring) datatypes from an
existing one.

This patch adds a reference counter to release the dynamic datatype
object when it is shared.

The API includes the following helper functions:

* datatype_set(expr, datatype), to assign a datatype to an expression.
  This helper already deals with reference counting for dynamic
  datatypes. This also drops the reference counter of any previous
  datatype (to deal with the datatype replacement case).

* datatype_get(datatype) bumps the reference counter. This function also
  deals with null pointers, which occur when the datatype is unset.

* datatype_free() drops the reference counter, and it also releases the
  datatype if there are no more clients of it.

Rule of thumb is: The reference counter of any newly allocated datatype
is set to zero.

This patch also updates every spot to use datatype_set() for non-dynamic
datatypes, for consistency. In this case, the helper just makes a
simple assignment.

Note that expr_alloc() has been updated to call datatype_get() on the
datatype that is assigned to this new expression. Moreover, expr_free()
calls datatype_free().

This fixes valgrind reports like this one:

==28352== 1,350 (440 direct, 910 indirect) bytes in 5 blocks are definitely lost in loss record 3 of 3
==28352==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==28352==    by 0x4E79558: xmalloc (utils.c:36)
==28352==    by 0x4E7963D: xzalloc (utils.c:65)
==28352==    by 0x4E6029B: dtype_alloc (datatype.c:1073)
==28352==    by 0x4E6029B: concat_type_alloc (datatype.c:1127)
==28352==    by 0x4E6D3B3: netlink_delinearize_set (netlink.c:578)
==28352==    by 0x4E6D68E: list_set_cb (netlink.c:648)
==28352==    by 0x5D74023: nftnl_set_list_foreach (set.c:780)
==28352==    by 0x4E6D6F3: netlink_list_sets (netlink.c:669)
==28352==    by 0x4E5A7A3: cache_init_objects (rule.c:159)
==28352==    by 0x4E5A7A3: cache_init (rule.c:216)
==28352==    by 0x4E5A7A3: cache_update (rule.c:266)
==28352==    by 0x4E7E0EE: nft_evaluate (libnftables.c:388)
==28352==    by 0x4E7EADD: nft_run_cmd_from_filename (libnftables.c:479)
==28352==    by 0x109A53: main (main.c:310)

This patch also removes the DTYPE_F_CLONE flag which is broken and not
needed anymore since proper reference counting is in place.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
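The commit above describes the reference-counting contract (new datatypes start at zero, datatype_get() bumps, datatype_free() drops and releases at zero, datatype_set() also drops the previous datatype, expr_alloc()/expr_free() pair get and free). The following is an added, self-contained C model of that contract written for this page; it is not nftables' own code. The struct layouts, the DTYPE_F_ALLOC flag value, the live_dynamic counter and the two demo scenarios are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DTYPE_F_ALLOC (1 << 0)      /* datatype was allocated at runtime (assumed flag) */

struct datatype {
	unsigned int flags;
	int refcnt;                 /* only meaningful when DTYPE_F_ALLOC is set */
	const char *name;
};

struct expr {
	const struct datatype *dtype;
};

/* Built-in datatype: never released, reference counting is a no-op on it. */
static const struct datatype integer_type = { .flags = 0, .name = "integer" };

/* Runtime-allocated datatypes currently alive (demo-only bookkeeping). */
static int live_dynamic;

static struct datatype *dtype_alloc(const char *name)
{
	struct datatype *dtype = calloc(1, sizeof(*dtype));
	if (!dtype) abort();
	dtype->flags = DTYPE_F_ALLOC;
	dtype->refcnt = 0;          /* rule of thumb: a new datatype starts at zero */
	dtype->name = strdup(name);
	live_dynamic++;
	return dtype;
}

static const struct datatype *datatype_get(const struct datatype *ptr)
{
	struct datatype *dtype = (struct datatype *)ptr;
	if (!dtype)
		return NULL;        /* datatype unset */
	if (!(dtype->flags & DTYPE_F_ALLOC))
		return dtype;       /* built-in: nothing to count */
	dtype->refcnt++;
	return dtype;
}

static void datatype_free(const struct datatype *ptr)
{
	struct datatype *dtype = (struct datatype *)ptr;
	if (!dtype || !(dtype->flags & DTYPE_F_ALLOC))
		return;
	if (--dtype->refcnt > 0)
		return;             /* still referenced by another expression */
	free((char *)dtype->name);
	free(dtype);
	live_dynamic--;
}

/* Assign a datatype to an expression, dropping whatever it held before. */
static void datatype_set(struct expr *expr, const struct datatype *dtype)
{
	datatype_free(expr->dtype);
	expr->dtype = datatype_get(dtype);
}

static struct expr *expr_alloc(const struct datatype *dtype)
{
	struct expr *expr = calloc(1, sizeof(*expr));
	if (!expr) abort();
	expr->dtype = datatype_get(dtype);   /* takes a reference */
	return expr;
}

static void expr_free(struct expr *expr)
{
	if (!expr)
		return;
	datatype_free(expr->dtype);          /* drops it again */
	free(expr);
}

/* Scenario: one concatenation datatype shared by two expressions, then one
 * expression is retyped to a built-in type. Returns live dynamic datatypes
 * at the end, which must be 0: the concat is released exactly once. */
int demo_shared_dynamic_datatype(void)
{
	struct datatype *concat = dtype_alloc("ipv4_addr . inet_service");
	struct expr *key = expr_alloc(concat);    /* refcnt 1 */
	struct expr *elem = expr_alloc(concat);   /* refcnt 2 */

	datatype_set(key, &integer_type);         /* refcnt 1, concat survives */
	expr_free(key);                           /* built-in: nothing released */
	expr_free(elem);                          /* refcnt 0: concat released */
	return live_dynamic;
}

/* Scenario: a datatype allocated but never assigned. Because it starts at
 * zero, a single datatype_free() is enough to release it. */
int demo_unassigned_dynamic_datatype(void)
{
	struct datatype *tmp = dtype_alloc("unused");
	datatype_free(tmp);
	return live_dynamic;
}

int main(void)
{
	printf("shared: live=%d\n", demo_shared_dynamic_datatype());
	printf("unassigned: live=%d\n", demo_unassigned_dynamic_datatype());
	return 0;
}
```

Both scenarios end with no live dynamic datatype; the point of the model is that every get is matched by exactly one free, so a datatype_set() that already drops the previous datatype must not be preceded by a manual datatype_free() (the double-free fixed in the first commit on this page).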
6 years ago | parser_bison: free chain name after creating constant expression
Pablo Neira Ayuso [Mon, 10 Jun 2019 17:23:40 +0000 (19:23 +0200)] 
parser_bison: free chain name after creating constant expression

==2330== 2 bytes in 1 blocks are definitely lost in loss record 1 of 1
==2330==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==2330==    by 0x583D3B9: strdup (strdup.c:42)
==2330==    by 0x4E7966D: xstrdup (utils.c:75)
==2330==    by 0x4E9C283: nft_lex (scanner.l:626)
==2330==    by 0x4E8E3C2: nft_parse (parser_bison.c:5297)
==2330==    by 0x4E7EAB2: nft_parse_bison_filename (libnftables.c:374)
==2330==    by 0x4E7EAB2: nft_run_cmd_from_filename (libnftables.c:475)
==2330==    by 0x109A53: main (main.c:310)

Fixes: f1e8a129ee42 ("src: Introduce chain_expr in jump and goto statements")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | netlink_delinearize: release expression before calling netlink_parse_concat_expr()
Pablo Neira Ayuso [Mon, 10 Jun 2019 15:26:41 +0000 (17:26 +0200)] 
netlink_delinearize: release expression before calling netlink_parse_concat_expr()

netlink_get_register() clones the expression in the register. Release
this expression before calling netlink_parse_concat_expr() to
deconstruct the concatenation.

==15069==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==15069==    by 0x4E79508: xmalloc (utils.c:36)
==15069==    by 0x4E795ED: xzalloc (utils.c:65)
==15069==    by 0x4E6029B: dtype_alloc (datatype.c:1073)
==15069==    by 0x4E6029B: concat_type_alloc (datatype.c:1127)
==15069==    by 0x4E6D3B3: netlink_delinearize_set (netlink.c:578)
==15069==    by 0x4E6D68E: list_set_cb (netlink.c:648)
==15069==    by 0x5F34023: nftnl_set_list_foreach (set.c:780)
==15069==    by 0x4E6D6F3: netlink_list_sets (netlink.c:669)
==15069==    by 0x4E5A7A3: cache_init_objects (rule.c:159)
==15069==    by 0x4E5A7A3: cache_init (rule.c:216)
==15069==    by 0x4E5A7A3: cache_update (rule.c:266)
==15069==    by 0x4E7E09E: nft_evaluate (libnftables.c:388)
==15069==    by 0x4E7E85B: nft_run_cmd_from_buffer (libnftables.c:428)

Reported-by: Václav Zindulka <vaclav.zindulka@tlapnet.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | netlink_delinearize: release expressions in context registers
Pablo Neira Ayuso [Mon, 10 Jun 2019 15:19:49 +0000 (17:19 +0200)] 
netlink_delinearize: release expressions in context registers

netlink_release_registers() needs to go a bit further to release the
expressions in the register array. This should be safe since
netlink_get_register() clones expressions in the context registers.

Reported-by: Václav Zindulka <vaclav.zindulka@tlapnet.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | expression: use expr_clone() from verdict_expr_clone()
Pablo Neira Ayuso [Mon, 10 Jun 2019 11:51:20 +0000 (13:51 +0200)] 
expression: use expr_clone() from verdict_expr_clone()

Chains are now expressions, do not assume a constant value is used.

==26302== Process terminating with default action of signal 11 (SIGSEGV)
==26302==  Access not within mapped region at address 0x50
==26302==    at 0x67D7EE7: __gmpz_init_set (in /usr/lib/x86_64-linux-gnu/libgmp.so.10.3.2)
==26302==    by 0x4E61224: expr_clone (expression.c:65)
==26302==    by 0x4E7898B: interval_map_decompose (segtree.c:943)
==26302==    by 0x4E6DDA0: netlink_list_setelems (netlink.c:882)
==26302==    by 0x4E5A806: cache_init_objects (rule.c:166)
==26302==    by 0x4E5A806: cache_init (rule.c:216)
==26302==    by 0x4E5A806: cache_update (rule.c:266)
==26302==    by 0x4E7E0EE: nft_evaluate (libnftables.c:388)
==26302==    by 0x4E7E8AB: nft_run_cmd_from_buffer (libnftables.c:428)

Fixes: f1e8a129ee42 ("src: Introduce chain_expr in jump and goto statements")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | src: invalid read when importing chain name (trace and json)
Pablo Neira Ayuso [Mon, 10 Jun 2019 11:32:47 +0000 (13:32 +0200)] 
src: invalid read when importing chain name (trace and json)

Update trace and json too.

Fixes: 142350f154c7 ("src: invalid read when importing chain name")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | src: invalid read when importing chain name
Pablo Neira Ayuso [Mon, 10 Jun 2019 11:12:20 +0000 (13:12 +0200)] 
src: invalid read when importing chain name

Use strlen(), otherwise mpz_import_data() reads too much beyond the real
chain string. Valgrind reports the following error:

==2759== Invalid read of size 1
==2759==    at 0x67D68D6: __gmpz_import (in /usr/lib/x86_64-linux-gnu/libgmp.so.10.3.2)
==2759==    by 0x4E79467: mpz_import_data (gmputil.c:133)
==2759==    by 0x4E60A12: constant_expr_alloc (expression.c:375)
==2759==    by 0x4E8ED65: nft_parse (parser_bison.y:3825)
==2759==    by 0x4E7E850: nft_parse_bison_buffer (libnftables.c:357)
==2759==    by 0x4E7E850: nft_run_cmd_from_buffer (libnftables.c:424)
==2759==    by 0x1095D4: main (in /tmp/a.out)
==2759==  Address 0x6ee1b4a is 0 bytes after a block of size 10 alloc'd
==2759==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==2759==    by 0x59FD3B9: strdup (strdup.c:42)
==2759==    by 0x4E7963D: xstrdup (utils.c:75)
==2759==    by 0x4E9C233: nft_lex (scanner.l:626)
==2759==    by 0x4E8E382: nft_parse (parser_bison.c:5297)
==2759==    by 0x4E7E850: nft_parse_bison_buffer (libnftables.c:357)
==2759==    by 0x4E7E850: nft_run_cmd_from_buffer (libnftables.c:424)

Fixes: f1e8a129ee42 ("src: Introduce chain_expr in jump and goto statements")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | tests/shell: Print unified diffs in dump errors
Phil Sutter [Fri, 7 Jun 2019 17:25:27 +0000 (19:25 +0200)] 
tests/shell: Print unified diffs in dump errors

Non-unified format is useful only if the expected output is printed as
well, which is not the case.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | tests/shell: Fix warning from awk call
Phil Sutter [Fri, 7 Jun 2019 17:25:26 +0000 (19:25 +0200)] 
tests/shell: Fix warning from awk call

Syntax passed to awk in that one testcase caused a warning, fix the
syntax.

Fixes: e0a9aad024809 ("tests: shell: fix tests for deletion via handle attribute")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | tests/py: Add missing arp.t JSON equivalents
Phil Sutter [Fri, 7 Jun 2019 17:25:25 +0000 (19:25 +0200)] 
tests/py: Add missing arp.t JSON equivalents

Fixes: 4b0f2a712b579 ("src: support for arp sender and target ethernet and IPv4 addresses")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | tests/py: Fix JSON equivalents
Phil Sutter [Fri, 7 Jun 2019 17:25:24 +0000 (19:25 +0200)] 
tests/py: Fix JSON equivalents

Recent patch removing single element set use failed to adjust JSON
equivalents accordingly.

Fixes: 27f6a4c68b4fd ("tests: replace single element sets")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | src: Support intra-transaction rule references
Phil Sutter [Fri, 7 Jun 2019 17:21:21 +0000 (19:21 +0200)] 
src: Support intra-transaction rule references

A rule may be added before or after another one using index keyword. To
support the other rule being added within the same batch, one has to
make use of NFTNL_RULE_ID and NFTNL_RULE_POSITION_ID attributes. This
patch does just that among a few more crucial things:

* If cache is complete enough to contain rules, update cache when
  evaluating rule commands so later index references resolve correctly.

* Reduce rule_translate_index() to its core code which is the actual
  linking of rules and consequently rename the function. The removed
  bits are pulled into the calling rule_evaluate() to reduce code
  duplication in between cache updates with and without rule reference.

* Pass the current command op to rule_evaluate() as indicator whether to
  insert before or after a referenced rule or at beginning or end of
  chain in cache. Exploit this from chain_evaluate() to avoid adding
  the chain's rules a second time.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | src: Make cache_is_complete() public
Phil Sutter [Fri, 7 Jun 2019 17:21:20 +0000 (19:21 +0200)] 
src: Make cache_is_complete() public

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | rule: Introduce rule_lookup_by_index()
Phil Sutter [Fri, 7 Jun 2019 17:21:19 +0000 (19:21 +0200)] 
rule: Introduce rule_lookup_by_index()

In contrast to rule_lookup(), this function returns a chain's rule at a
given index instead of by handle.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | tests/json_echo: Drop needless workaround
Phil Sutter [Fri, 7 Jun 2019 17:21:18 +0000 (19:21 +0200)] 
tests/json_echo: Drop needless workaround

With cache issues now resolved, there is no need for the multi add test
workaround anymore.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | cache: Fix evaluation for rules with index reference
Phil Sutter [Fri, 7 Jun 2019 17:21:17 +0000 (19:21 +0200)] 
cache: Fix evaluation for rules with index reference

After parsing input, rule location data (index or handle) is contained
in cmd->handle, not yet in cmd->rule->handle.

Fixes: 7df42800cf89e ("src: single cache_update() call to build cache before evaluation")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | libnftables: check for errors after evaluations
Pablo Neira Ayuso [Fri, 7 Jun 2019 12:20:48 +0000 (14:20 +0200)] 
libnftables: check for errors after evaluations

Check for state->nerrs after evaluation to restore error reporting when
evaluation fails.

Fixes: df2f746fb4cf ("libnftables: keep evaluating until parser_max_errors")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | mnl: bogus error when running monitor mode
Pablo Neira Ayuso [Wed, 5 Jun 2019 17:34:51 +0000 (19:34 +0200)] 
mnl: bogus error when running monitor mode

Fix bogus error message:

 # nft monitor
 Cannot set up netlink socket buffer size to 16777216 bytes, falling back to 16777216 bytes

Fixes: bcf60fb819bf ("mnl: add mnl_set_rcvbuffer() and use it")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | libnftables: keep evaluating until parser_max_errors
Pablo Neira Ayuso [Fri, 7 Jun 2019 11:37:22 +0000 (13:37 +0200)] 
libnftables: keep evaluating until parser_max_errors

Bail out after parser_max_errors has been reached, e.g.

 # nft -f /tmp/errors.nft
 /tmp/errors.nft:1:23-23: Error: syntax error, unexpected newline
 filter input tcp dport
                       ^
 /tmp/errors.nft:2:24-26: Error: datatype mismatch, expected internet network service, expression has type Internet protocol
 filter input tcp dport tcp
              ~~~~~~~~~ ^^^
 /tmp/errors.nft:3:24-26: Error: datatype mismatch, expected internet network service, expression has type Internet protocol
 filter input tcp sport udp
              ~~~~~~~~~ ^^^

Fixes: f211921e25e6 ("src: perform evaluation after parsing")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | evaluate: use-after-free in implicit set
Pablo Neira Ayuso [Fri, 7 Jun 2019 10:37:00 +0000 (12:37 +0200)] 
evaluate: use-after-free in implicit set

 # cat example.nft
 table inet test {
        chain test {
                ip daddr { 2.2.2.2, 4.4.4.4} counter accept
        }
 }
 # valgrind nft -f example.nft

valgrind reports:

==2272== Invalid read of size 4
==2272==    at 0x4E612A5: expr_free (expression.c:86)
==2272==    by 0x4E58EA2: set_free (rule.c:367)
==2272==    by 0x4E612DA: expr_destroy (expression.c:79)
==2272==    by 0x4E612DA: expr_free (expression.c:93)
==2272==    by 0x4E612DA: expr_destroy (expression.c:79)
==2272==    by 0x4E612DA: expr_free (expression.c:93)
==2272==    by 0x4E5D7E7: stmt_free (statement.c:50)
==2272==    by 0x4E5D8B7: stmt_list_free (statement.c:60)
==2272==    by 0x4E590FF: rule_free (rule.c:610)
==2272==    by 0x4E5C094: cmd_free (rule.c:1420)
==2272==    by 0x4E7E7EF: nft_run_cmd_from_filename (libnftables.c:490)
==2272==    by 0x109A53: main (main.c:310)
==2272==  Address 0x65d94c8 is 56 bytes inside a block of size 128 free'd
==2272==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==2272==    by 0x4E6143C: mapping_expr_destroy (expression.c:966)
==2272==    by 0x4E612DA: expr_destroy (expression.c:79)
==2272==    by 0x4E612DA: expr_free (expression.c:93)
==2272==    by 0x4E5D7E7: stmt_free (statement.c:50)
==2272==    by 0x4E5D8B7: stmt_list_free (statement.c:60)
==2272==    by 0x4E590FF: rule_free (rule.c:610)
==2272==    by 0x4E5C094: cmd_free (rule.c:1420)
==2272==    by 0x4E7E7EF: nft_run_cmd_from_filename (libnftables.c:490)
==2272==    by 0x109A53: main (main.c:310)
==2272==  Block was alloc'd at
==2272==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==2272==    by 0x4E79248: xmalloc (utils.c:36)
==2272==    by 0x4E7932D: xzalloc (utils.c:65)
==2272==    by 0x4E60690: expr_alloc (expression.c:45)
==2272==    by 0x4E68B1D: payload_expr_alloc (payload.c:159)
==2272==    by 0x4E91013: nft_parse (parser_bison.y:4242)
==2272==    by 0x4E7E722: nft_parse_bison_filename (libnftables.c:374)
==2272==    by 0x4E7E722: nft_run_cmd_from_filename (libnftables.c:471)
==2272==    by 0x109A53: main (main.c:310)

Fixes: cc7b37d18a68 ("src: Interpret OP_NEQ against a set as OP_LOOKUP")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | rule: ensure cache consistency
Pablo Neira Ayuso [Thu, 6 Jun 2019 12:09:45 +0000 (14:09 +0200)] 
rule: ensure cache consistency

Check for generation ID after the cache is populated. In case of
interference, release the inconsistent cache and retry.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | src: generation ID is 32-bit long
Pablo Neira Ayuso [Fri, 7 Jun 2019 09:06:56 +0000 (11:06 +0200)] 
src: generation ID is 32-bit long

Update mnl_genid_get() to return 32-bit long generation ID. Add
nft_genid_u16() which allows us to catch ruleset updates from the
netlink dump path via 16-bit long nfnetlink resource ID field.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | libnftables: Drop cache in error case
Phil Sutter [Tue, 4 Jun 2019 17:31:51 +0000 (19:31 +0200)] 
libnftables: Drop cache in error case

If a transaction is rejected by the kernel (for instance due to a
semantic error), cache contents are potentially invalid. Release the
cache in that case to avoid the inconsistency.

The problem is easy to reproduce in an interactive session:

| nft> list ruleset
| table ip t {
|  chain c {
|  }
| }
| nft> flush ruleset; add rule ip t c accept
| Error: No such file or directory
| flush ruleset; add rule ip t c accept
|                            ^
| nft> list ruleset
| nft>

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | src: Fix cache_flush() in cache_needs_more() logic
Phil Sutter [Tue, 4 Jun 2019 17:31:49 +0000 (19:31 +0200)] 
src: Fix cache_flush() in cache_needs_more() logic

Commit 34a20645d54fa enabled cache updates depending on command causing
it. As a side-effect, this disabled measures in cache_flush() preventing
a later cache update. Re-establish this by setting cache->cmd in
addition to cache->genid after dropping cache entries.

While being at it, set cache->cmd in cache_release() as well. This
shouldn't be necessary since zeroing cache->genid should suffice for
cache_update(), but better be consistent (and future-proof) here.

Fixes: eeda228c2d17 ("src: update cache if cmd is more specific")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | src: single cache_update() call to build cache before evaluation
Pablo Neira Ayuso [Tue, 4 Jun 2019 10:02:18 +0000 (12:02 +0200)] 
src: single cache_update() call to build cache before evaluation

This patch allows us to make one single cache_update() call. Thus, there
is no need to rebuild an incomplete cache from the middle of the batch
processing.

Note that nft_run_cmd_from_filename() does not need a full netlink dump
to build the cache anymore, this should speed up nft -f with incremental
updates and very large rulesets.

cache_evaluate() calculates the netlink dump to populate the cache that
this batch needs.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | src: Display parser and evaluate errors in one shot
Pablo Neira Ayuso [Tue, 4 Jun 2019 09:03:06 +0000 (11:03 +0200)] 
src: Display parser and evaluate errors in one shot

This patch restores 61236968b7a1 ("parser: evaluate commands immediately
after parsing") following a different approach.

In this patch, the evaluation phase is done if the parsing phase fails,
hence the user gets parsing and evaluation errors in one shot, which is
the purpose of 61236968b7a1.

Note that evaluation errors are now shown after parser errors, the example
available in 61236968b7a1 displays with this patch the following error:

 # nft -f /tmp/bad.nft
 /tmp/bad.nft:3:32-32: Error: syntax error, unexpected newline
 add rule filter input tcp dport
                                ^
 /tmp/bad.nft:5:37-41: Error: syntax error, unexpected dport, expecting end of file or newline or semicolon
 add rule filter input tcp dport tcp dport
                                     ^^^^^
 /tmp/bad.nft:4:33-35: Error: datatype mismatch, expected internet network service, expression has type Internet protocol
 add rule filter input tcp dport tcp
                       ~~~~~~~~~ ^^^

So evaluation pointing to line 4 happens after line error reporting
generated by the parser that points to line 3, while 61236968b7a1 was
showing errors per line in order. As a future work, we can sort the
error reporting list to restore exactly the same behaviour.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | src: perform evaluation after parsing
Pablo Neira Ayuso [Wed, 5 Jun 2019 15:07:42 +0000 (17:07 +0200)] 
src: perform evaluation after parsing

Since 61236968b7a1 ("parser: evaluate commands immediately after
parsing"), evaluation is invoked from the parsing phase in order to
improve error reporting.

However, this approach is problematic from the cache perspective since
we don't know if a full or partial netlink dump from the kernel is
needed. If the number of objects in the kernel is significant, the
netlink dump operation to build the cache may significantly slow down
commands.

This patch moves the evaluation phase after the parsing phase as a
preparation update to allow for a better strategy to build the cache.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | src: dynamic input_descriptor allocation
Pablo Neira Ayuso [Wed, 5 Jun 2019 09:56:11 +0000 (11:56 +0200)] 
src: dynamic input_descriptor allocation

This patch introduces the input descriptor list, that stores the
existing input descriptor objects. These objects are now dynamically
allocated and released from the scanner_destroy() path.

Follow up patches that decouple the parsing and the evaluation phases
require this for error reporting as described by b14572f72aac ("erec:
Fix input descriptors for included files"), this patch partially reverts
that patch.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | tests/py: Support JSON validation
Phil Sutter [Mon, 27 May 2019 11:36:42 +0000 (13:36 +0200)] 
tests/py: Support JSON validation

Introduce a new flag -s/--schema to nft-test.py which enables validation
of any JSON input and output against our schema.

Make use of traceback module to get more details if validation fails.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | py: Implement JSON validation in nftables module
Phil Sutter [Mon, 27 May 2019 11:36:41 +0000 (13:36 +0200)] 
py: Implement JSON validation in nftables module

Using jsonschema it is possible to validate any JSON input to make sure
it formally conforms with libnftables JSON API requirements.

Implement a simple validator class for use within a new Nftables class
method 'json_validate' and ship a minimal schema definition along with
the package.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | mnl: Simplify mnl_batch_talk()
Phil Sutter [Fri, 31 May 2019 14:17:43 +0000 (16:17 +0200)] 
mnl: Simplify mnl_batch_talk()

By mimicking mnl_nft_event_listener() code, mnl_batch_talk() may be
simplified quite a bit:

* Turn the conditional loop into an unconditional one.
* Call select() at loop start, which merges the two call sites.
* Check readfds content after select() returned instead of in loop
  condition - if fd is not set, break to return error state stored in
  'err' variable.
* Old code checked that select() return code is > 0, but that was
  redundant: if FD_ISSET() returns true, select return code was 1.
* Move 'nlh' helper variable definition into error handling block, it is
  not used outside of it.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | mnl: Initialize fd_set before select(), not after
Phil Sutter [Fri, 31 May 2019 14:17:42 +0000 (16:17 +0200)] 
mnl: Initialize fd_set before select(), not after

Calling FD_SET() in between return of select() and call to FD_ISSET()
effectively renders the whole thing useless: FD_ISSET() will always
return true no matter what select() actually did.

Fixes: a72315d2bad47 ("src: add rule batching support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
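The fd_set ordering bug fixed in the commit above, and the loop shape from the "Simplify mnl_batch_talk()" commit, as an added C example written for this page (not nftables' code). A pipe with nothing written to it stands in for a quiet netlink socket, so a correct readiness check must report "not ready"; registering the descriptor with FD_SET() only after select() has returned makes FD_ISSET() report "ready" regardless. The zero timeout, the pipe and all function names are assumptions made for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <unistd.h>
#include <sys/select.h>

/* Returns 1 if fd is reported readable, 0 if not, -1 on error.
 * set_after_select != 0 reproduces the bug: FD_SET() runs after select(),
 * overwriting the answer select() left in readfds. */
static int check_readable(int fd, int set_after_select)
{
	fd_set readfds;
	struct timeval tv = { .tv_sec = 0, .tv_usec = 0 };   /* poll, never block */
	int ret;

	FD_ZERO(&readfds);
	if (!set_after_select)
		FD_SET(fd, &readfds);        /* correct: declare interest first */

	ret = select(fd + 1, &readfds, NULL, NULL, &tv);
	if (ret < 0)
		return -1;

	if (set_after_select)
		FD_SET(fd, &readfds);        /* bug: select()'s result is discarded */

	return FD_ISSET(fd, &readfds) ? 1 : 0;
}

static int with_pipe(int set_after_select, int prefill)
{
	int fds[2], ret;

	if (pipe(fds) < 0)
		return -1;
	if (prefill && write(fds[1], "x", 1) != 1) {
		close(fds[0]); close(fds[1]);
		return -1;
	}
	ret = check_readable(fds[0], set_after_select);
	close(fds[0]); close(fds[1]);
	return ret;
}

/* Empty pipe, buggy order: claims data is waiting although there is none. */
int buggy_order_reports_ready(void) { return with_pipe(1, 0); }

/* Empty pipe, fixed order: correctly reports nothing to read. */
int fixed_order_reports_ready(void) { return with_pipe(0, 0); }

/* One byte written, fixed order: correctly reports data. */
int fixed_order_sees_data(void) { return with_pipe(0, 1); }

/* Loop shape from the mnl_batch_talk() cleanup: select() at the top of an
 * unconditional loop, break as soon as the fd is not set. Returns the number
 * of bytes drained from a pipe that was prefilled with "batch". */
int drain_until_quiet(void)
{
	int fds[2], total = 0;
	char buf[8];

	if (pipe(fds) < 0)
		return -1;
	if (write(fds[1], "batch", 5) != 5) {
		close(fds[0]); close(fds[1]);
		return -1;
	}
	for (;;) {
		fd_set readfds;
		struct timeval tv = { .tv_sec = 0, .tv_usec = 0 };
		ssize_t n;

		FD_ZERO(&readfds);
		FD_SET(fds[0], &readfds);   /* before select(), every iteration */
		if (select(fds[0] + 1, &readfds, NULL, NULL, &tv) < 0) {
			total = -1;
			break;
		}
		if (!FD_ISSET(fds[0], &readfds))
			break;              /* nothing more queued: leave the loop */
		n = read(fds[0], buf, sizeof(buf));
		if (n <= 0)
			break;
		total += (int)n;
	}
	close(fds[0]); close(fds[1]);
	return total;
}

int main(void)
{
	printf("buggy order, empty pipe: %d\n", buggy_order_reports_ready());
	printf("fixed order, empty pipe: %d\n", fixed_order_reports_ready());
	printf("fixed order, 1 byte:     %d\n", fixed_order_sees_data());
	printf("drained bytes:           %d\n", drain_until_quiet());
	return 0;
}
```

Note that the fd_set has to be rebuilt on every iteration, because select() modifies it in place; that is why the FD_ZERO/FD_SET pair sits inside the loop rather than before it.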
6 years ago | tests/shell: Test large transaction with echo output
Phil Sutter [Wed, 29 May 2019 13:13:46 +0000 (15:13 +0200)] 
tests/shell: Test large transaction with echo output

This reliably triggered ENOBUFS condition in mnl_batch_talk(). With the
past changes, it passes even after increasing the number of rules to
300k.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | erec: remove double \n on error when internal_netlink is used
Pablo Neira Ayuso [Thu, 30 May 2019 10:49:30 +0000 (12:49 +0200)] 
erec: remove double \n on error when internal_netlink is used

Remove the double linebreak when printing internal errors.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | mnl: mnl_batch_talk() returns -1 on internal netlink errors
Pablo Neira Ayuso [Wed, 29 May 2019 18:40:39 +0000 (20:40 +0200)] 
mnl: mnl_batch_talk() returns -1 on internal netlink errors

Display an error in case internal netlink plumbing hits problems.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | mnl: estimate receiver buffer size
Pablo Neira Ayuso [Wed, 29 May 2019 18:23:23 +0000 (20:23 +0200)] 
mnl: estimate receiver buffer size

Set a receiver buffer size based on the number of commands and the
average message size, this is useful for the --echo option in order to
avoid ENOBUFS errors.

On the kernel side, each skbuff consumes truesize from the socket queue
(although it uses NLMSG_GOODSIZE to allocate it), which is approximately
four times the estimated size per message that we get in turn for each
echo message to ensure enough receiver buffer space.

We could also explore increasing the buffer and retry if
mnl_nft_socket_sendmsg() hits ENOBUFS if we ever hit this problem again.

Reported-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | mnl: add mnl_nft_batch_to_msg()
Pablo Neira Ayuso [Thu, 30 May 2019 10:21:28 +0000 (12:21 +0200)] 
mnl: add mnl_nft_batch_to_msg()

This function transforms the batch into a msghdr object.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | mnl: call mnl_set_sndbuffer() from mnl_batch_talk()
Pablo Neira Ayuso [Wed, 29 May 2019 16:24:12 +0000 (18:24 +0200)] 
mnl: call mnl_set_sndbuffer() from mnl_batch_talk()

Instead of mnl_nft_socket_sendmsg(), just a cleanup.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago | mnl: mnl_set_rcvbuffer() skips buffer size update if it is too small
Pablo Neira Ayuso [Thu, 30 May 2019 10:52:49 +0000 (12:52 +0200)] 
mnl: mnl_set_rcvbuffer() skips buffer size update if it is too small

Check the existing buffer size; if it is larger than the new buffer
size, skip the update.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
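As an added example (not nftables' own code), the receiver buffer policy the two mnl commits above describe: size the buffer from the command count and average message size with the four-times factor the commit text gives, and leave SO_RCVBUF alone when the socket already has a larger buffer. The function names, the factor constant and the use of an AF_UNIX socketpair as a stand-in for the netlink socket are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption taken from the commit text: the kernel charges roughly four
 * times the estimated per-message size against the socket queue for each
 * echo reply, so the estimate is scaled by this factor. */
#define ECHO_TRUESIZE_FACTOR 4

/* Estimate the receive buffer needed to hold num_cmds echo replies. */
size_t estimate_rcvbuffer(unsigned num_cmds, size_t avg_msg_size)
{
	return (size_t)num_cmds * avg_msg_size * ECHO_TRUESIZE_FACTOR;
}

/* Current SO_RCVBUF of fd, or -1 on error. */
int get_rcvbuffer(int fd)
{
	int cur = 0;
	socklen_t len = sizeof(cur);

	if (getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &cur, &len) < 0)
		return -1;
	return cur;
}

/* Raise SO_RCVBUF to wanted bytes unless the socket already has at least
 * that much. Returns 1 if updated, 0 if skipped, -1 on error.
 * Linux doubles the value it stores and caps it at net.core.rmem_max, so a
 * later get_rcvbuffer() may report a different number than wanted. */
int set_rcvbuffer(int fd, size_t wanted)
{
	int cur = get_rcvbuffer(fd);
	int val;

	if (cur < 0)
		return -1;
	if ((size_t)cur >= wanted)
		return 0;	/* existing buffer is already large enough: skip */
	val = (int)wanted;
	if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &val, sizeof(val)) < 0)
		return -1;
	return 1;
}

/* Exercise the policy on a constructed AF_UNIX socketpair (stand-in for the
 * netlink socket). Returns 0 when both decisions come out as expected: a
 * request below the current size is skipped, a larger one is applied. */
int run_rcvbuffer_demo(void)
{
	int sv[2], cur, small_rc, large_rc, rc = -1;

	if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
		return -1;
	cur = get_rcvbuffer(sv[0]);
	if (cur < 0)
		goto out;
	small_rc = set_rcvbuffer(sv[0], (size_t)cur / 2);	/* expect skip */
	large_rc = set_rcvbuffer(sv[0], (size_t)cur + 65536);	/* expect update */
	printf("initial rcvbuf %d, small request rc=%d, large request rc=%d, now %d\n",
	       cur, small_rc, large_rc, get_rcvbuffer(sv[0]));
	rc = (small_rc == 0 && large_rc == 1) ? 0 : 1;
out:
	close(sv[0]);
	close(sv[1]);
	return rc;
}

int main(void)
{
	printf("estimate for 100 commands of 1 KiB: %zu bytes\n",
	       estimate_rcvbuffer(100, 1024));
	return run_rcvbuffer_demo();
}
```

The skip check is what keeps a small batch from shrinking a buffer that an earlier, larger batch already grew; the estimate itself is only a heuristic, and the commit notes that retrying with a larger buffer on ENOBUFS remains an option if it proves insufficient.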
6 years ago: mnl: add mnl_set_rcvbuffer() and use it
Pablo Neira Ayuso [Wed, 29 May 2019 15:27:04 +0000 (17:27 +0200)] 
mnl: add mnl_set_rcvbuffer() and use it

This new function allows us to set the netlink receiver buffer.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: tests: replace single element sets
Pablo Neira Ayuso [Fri, 24 May 2019 19:12:56 +0000 (21:12 +0200)] 
tests: replace single element sets

Add at least two elements to sets.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: tests: json_echo: convert to py3
Shekhar Sharma [Tue, 28 May 2019 00:36:53 +0000 (06:06 +0530)] 
tests: json_echo: convert to py3

This patch converts the run-test.py file to run on both python3 and python2.

Signed-off-by: Shekhar Sharma <shekhar250198@gmail.com>
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: parser_json: Fix and simplify verdict expression parsing
Phil Sutter [Mon, 27 May 2019 11:37:00 +0000 (13:37 +0200)] 
parser_json: Fix and simplify verdict expression parsing

Parsing of the "target" property was flawed in two ways:

* The value was extracted twice. Drop the first unconditional one.
* Expression allocation required since commit f1e8a129ee428 was broken:
  the expression was allocated only if the property was not present.

Fixes: f1e8a129ee428 ("src: Introduce chain_expr in jump and goto statements")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: src: add cache_is_complete() and cache_is_updated()
Pablo Neira Ayuso [Fri, 24 May 2019 18:46:18 +0000 (20:46 +0200)] 
src: add cache_is_complete() and cache_is_updated()

Just a few functions to help clarify cache update logic.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Phil Sutter <phil@nwl.cc>
6 years ago: src: Allow goto and jump to a variable
Fernando Fernandez Mancera [Fri, 24 May 2019 13:06:50 +0000 (15:06 +0200)] 
src: Allow goto and jump to a variable

This patch introduces the use of nft input files variables in 'jump' and 'goto'
statements, e.g.

define dest = ber

add table ip foo
add chain ip foo bar {type filter hook input priority 0;}
add chain ip foo ber
add rule ip foo ber counter
add rule ip foo bar jump $dest

table ip foo {
        chain bar {
                type filter hook input priority filter; policy accept;
                jump ber
        }

        chain ber {
                counter packets 71 bytes 6664
        }
}

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: src: Introduce chain_expr in jump and goto statements
Fernando Fernandez Mancera [Fri, 24 May 2019 13:06:47 +0000 (15:06 +0200)] 
src: Introduce chain_expr in jump and goto statements

Introduce expressions as a chain in jump and goto statements.
This is going to be used to support variables as a chain in the
following patches.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: src: support for arp sender and target ethernet and IPv4 addresses
Pablo Neira Ayuso [Wed, 22 May 2019 20:06:16 +0000 (22:06 +0200)] 
src: support for arp sender and target ethernet and IPv4 addresses

 # nft add table arp x
 # nft add chain arp x y { type filter hook input priority 0\; }
 # nft add rule arp x y arp saddr ip 192.168.2.1 counter

Testing this:

 # ip neigh flush dev eth0
 # ping 8.8.8.8
 # nft list ruleset
 table arp x {
        chain y {
                type filter hook input priority filter; policy accept;
                arp saddr ip 192.168.2.1 counter packets 1 bytes 46
        }
 }

You can also specify hardware sender address, eg.

 # nft add rule arp x y arp saddr ether aa:bb:cc:aa:bb:cc drop counter

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: src: update cache if cmd is more specific
Eric Garver [Wed, 22 May 2019 19:44:04 +0000 (21:44 +0200)] 
src: update cache if cmd is more specific

If we've done a partial fetch of the cache and the genid is the same the
cache update will be skipped without fetching the needed items. This
change flushes the cache if the new request is more specific than the
current cache - forcing a cache update which includes the needed items.

Introduces a simple scoring system which reflects how
cache_init_objects() looks at the current command to decide if it is
finished already or not. Then use that in cache_needs_more(): If current
command's score is higher than old command's, cache needs an update.

Fixes: 816d8c7659c1 ("Support 'add/insert rule index <IDX>'")
Signed-off-by: Eric Garver <eric@garver.life>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: Revert "tests: shell: avoid single-value anon sets"
Pablo Neira Ayuso [Fri, 24 May 2019 18:55:27 +0000 (20:55 +0200)] 
Revert "tests: shell: avoid single-value anon sets"

This reverts commit b7459b0c854fc7a0d6cd86151b81035a8edf8e63.

6 years ago: Revert "tests: py: remove single-value-anon-set test cases"
Pablo Neira Ayuso [Fri, 24 May 2019 18:54:37 +0000 (20:54 +0200)] 
Revert "tests: py: remove single-value-anon-set test cases"

This reverts commit d03bcb669c0c645190df9bd166f53380bcac7862.

6 years ago: tests: py: remove single-value-anon-set test cases
Florian Westphal [Fri, 17 May 2019 10:46:31 +0000 (12:46 +0200)] 
tests: py: remove single-value-anon-set test cases

Future change will rewrite all single-element anon sets to a cmp op.
Retain a few test cases to later check that the rewrite is correct, but
remove all others.

Signed-off-by: Florian Westphal <fw@strlen.de>
6 years ago: tests: shell: avoid single-value anon sets
Florian Westphal [Fri, 17 May 2019 11:57:23 +0000 (13:57 +0200)] 
tests: shell: avoid single-value anon sets

Future change is going to auto-change them to simple compare
ops rather than lookup in set with only one element.

Signed-off-by: Florian Westphal <fw@strlen.de>
6 years ago: include: refresh nf_tables.h cached copy
Pablo Neira Ayuso [Sun, 12 May 2019 19:08:25 +0000 (21:08 +0200)] 
include: refresh nf_tables.h cached copy

Fetch fix for NFT_LOGLEVEL_MAX.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: src: use definitions in include/linux/netfilter/nf_tables.h
Pablo Neira Ayuso [Sun, 12 May 2019 18:52:43 +0000 (20:52 +0200)] 
src: use definitions in include/linux/netfilter/nf_tables.h

Use NFT_LOGLEVEL_* definitions in UAPI.

Make an internal definition of NFT_OSF_F_VERSION, this was originally
defined in the UAPI header in the initial patch version, however, this
is not available anymore.

Add a bison rule to deal with the timeout case.

Otherwise, compilation breaks.

Fixes: d3869cae9d62 ("include: refresh nf_tables.h cached copy")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: py: fix missing decode/encode of strings
Eric Garver [Fri, 10 May 2019 12:29:47 +0000 (08:29 -0400)] 
py: fix missing decode/encode of strings

When calling ffi functions, if the string is unicode we need to convert
to utf-8. Then convert back for any output we receive.

Fixes: 586ad210368b7 ("libnftables: Implement JSON parser")
Signed-off-by: Eric Garver <eric@garver.life>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: include: refresh nf_tables.h cached copy
Pablo Neira Ayuso [Sun, 12 May 2019 17:54:41 +0000 (19:54 +0200)] 
include: refresh nf_tables.h cached copy

Refresh it to fetch what we have in 5.2-rc.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: Revert "proto: support for draft-ietf-tsvwg-le-phb-10.txt"
Pablo Neira Ayuso [Thu, 9 May 2019 15:07:07 +0000 (17:07 +0200)] 
Revert "proto: support for draft-ietf-tsvwg-le-phb-10.txt"

This reverts commit 55715486efba424e97361c81d8d47e854f45a5a6.

This breaks tests/py.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: tests/py: Fix JSON expected output for icmpv6 code values
Phil Sutter [Thu, 9 May 2019 11:35:45 +0000 (13:35 +0200)] 
tests/py: Fix JSON expected output for icmpv6 code values

Reverse translation is happening for values which are known, even if
they are part of a range. In contrast to standard output, this is OK
because in JSON lower and upper bounds are properties and there is no
ambiguity if names contain a dash.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: tests/py: Fix JSON expected output after expr merge change
Phil Sutter [Thu, 9 May 2019 11:35:44 +0000 (13:35 +0200)] 
tests/py: Fix JSON expected output after expr merge change

Looks like original patch missed this one.

Fixes: 88ba0c92754d8 ("tests: fix up expected payloads after expr merge change")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: parser_json: Fix ct timeout object support
Phil Sutter [Thu, 9 May 2019 11:35:42 +0000 (13:35 +0200)] 
parser_json: Fix ct timeout object support

Seems like it wasn't possible to add or list ct timeout objects.

Fixes: c82a26ebf7e9f ("json: Add ct timeout support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: json: Fix tproxy support regarding latest changes
Phil Sutter [Thu, 9 May 2019 11:35:41 +0000 (13:35 +0200)] 
json: Fix tproxy support regarding latest changes

Family may be specified also if no address is given at the same time;
make parser/printer tolerant of that. Also fix for missing/incorrect
JSON equivalents in tests/py.

While being at it, fix two issues in non-JSON tests:

* Ruleset is printed in numeric mode, so use 'l4proto 6' instead of
  'l4proto tcp' in rules to avoid having to specify expected output for
  that unrelated bit.

* In ip and ip6 family tables, family parameter is not deserialized on
  output.

Fixes: 3edb96200690b ("parser_bison: missing tproxy syntax with port only for inet family")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: tests/py: Fix JSON equivalents of osf tests
Phil Sutter [Thu, 9 May 2019 11:35:40 +0000 (13:35 +0200)] 
tests/py: Fix JSON equivalents of osf tests

Fixes: 12adf747a3f62 ("tests: py: add osf tests with versions")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: netlink: Fix printing of zero-length prefixes
Phil Sutter [Thu, 9 May 2019 11:35:39 +0000 (13:35 +0200)] 
netlink: Fix printing of zero-length prefixes

When delinearizing, an all-zero mask didn't qualify as prefix. Therefore
a statement:

| ip daddr 0.0.0.0/0

would be printed as:

| ip daddr & 0.0.0.0 == 0.0.0.0

To fix this, expr_mask_is_prefix() must return true if the initial 1-bit
search fails (the given value must be zero in this case). Additionally,
a shortcut is needed in conversion algorithm of expr_mask_to_prefix()
to not turn the zero prefix into a 1 by accident.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
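As an added example, not nftables' own code, the classification this commit describes in 32-bit form: a helper that decides whether a mask is a prefix, the pre-fix variant that treats a failed 1-bit search as "not a prefix", the zero shortcut in the prefix-length conversion, and a renderer that produces the two outputs quoted above. The function names, the uint32_t representation and the render helper are assumptions; the real expr_mask_is_prefix() and expr_mask_to_prefix() operate on nftables' bignum values and their internals are not reproduced here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Position of the lowest set bit, 1-based; 0 means no bit is set. */
static unsigned lowest_set_bit(uint32_t v)
{
	for (unsigned i = 0; i < 32; i++)
		if (v & (1u << i))
			return i + 1;
	return 0;
}

/* A prefix mask is a run of one bits at the top with zeros below, i.e.
 * every bit from the lowest set bit upward is one. */
static bool ones_from(uint32_t mask, unsigned first)
{
	return mask == (0xffffffffu << (first - 1));
}

/* Pre-fix behaviour (illustrative): a failed 1-bit search is treated as
 * "not a prefix", so 0.0.0.0, which is /0, falls through to the
 * masked-compare form when printed. */
bool mask_is_prefix_old(uint32_t mask)
{
	unsigned first = lowest_set_bit(mask);

	if (first == 0)
		return false;
	return ones_from(mask, first);
}

/* Fixed behaviour: the search can only fail for a zero mask, and a zero
 * mask is the valid zero-length prefix. */
bool mask_is_prefix(uint32_t mask)
{
	unsigned first = lowest_set_bit(mask);

	if (first == 0)
		return true;
	return ones_from(mask, first);
}

/* Prefix length of a prefix mask. The zero shortcut keeps the bit
 * arithmetic from being applied to a mask that has no set bit at all. */
unsigned mask_to_prefix(uint32_t mask)
{
	if (mask == 0)
		return 0;
	return 32 - (lowest_set_bit(mask) - 1);
}

static void ip4_str(uint32_t a, char *buf, size_t n)
{
	snprintf(buf, n, "%u.%u.%u.%u", (unsigned)(a >> 24),
		 (unsigned)((a >> 16) & 0xff), (unsigned)((a >> 8) & 0xff),
		 (unsigned)(a & 0xff));
}

/* Render the match the way the two outputs in the commit message look:
 * "ip daddr A/LEN" for a prefix mask, "ip daddr & MASK == A" otherwise.
 * Returns a static buffer; fixed selects the corrected classifier. */
const char *render_daddr_match(uint32_t addr, uint32_t mask, bool fixed)
{
	static char out[64];
	char a[16], m[16];
	bool is_prefix = fixed ? mask_is_prefix(mask) : mask_is_prefix_old(mask);

	ip4_str(addr, a, sizeof(a));
	if (is_prefix) {
		snprintf(out, sizeof(out), "ip daddr %s/%u", a, mask_to_prefix(mask));
	} else {
		ip4_str(mask, m, sizeof(m));
		snprintf(out, sizeof(out), "ip daddr & %s == %s", m, a);
	}
	return out;
}

int main(void)
{
	printf("old: %s\n", render_daddr_match(0, 0, false));
	printf("new: %s\n", render_daddr_match(0, 0, true));
	printf("new: %s\n", render_daddr_match(0xc0a80000u, 0xffff0000u, true));
	return 0;
}
```

Both variants agree on every non-zero mask; the only input that separates them is the all-zero mask, which is why the bug stayed unnoticed until a 0.0.0.0/0 rule was listed.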
6 years ago: parser_json: Fix igmp support
Phil Sutter [Thu, 9 May 2019 11:35:38 +0000 (13:35 +0200)] 
parser_json: Fix igmp support

Parser didn't know about that protocol, also testsuite bits were
missing.

Fixes: bad27ca386276 ("src: add igmp support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: json: Support nat in inet family
Phil Sutter [Thu, 9 May 2019 11:35:37 +0000 (13:35 +0200)] 
json: Support nat in inet family

Add the missing bits to JSON parser, printer, man page and testsuite.

Fixes: fbe27464dee45 ("src: add nat support for the inet family")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: doc: Review man page synopses
Phil Sutter [Tue, 7 May 2019 13:23:50 +0000 (15:23 +0200)] 
doc: Review man page synopses

Fix use of font typefaces:

- *bold* for terminals
- 'italic' for non-terminals
- plain for meta-characters

Apart from that:

* Variable definitions require an equals sign
* 'auto-merge' option in set spec does not take a parameter
* List header fields in payload expressions instead of unexplained
  placeholder
* Introduce non-terminals in some places to avoid repetitions or clarify
  syntax
* Fix syntax for ip6 header expression example
* Reorganize ct expression synopsis into four parts:
  1) direction not allowed
  2) direction optional
  3) direction mandatory
  4) direction and family mandatory
* Add missing 'version' keyword to osf expression
* Clarify verdict statements example topic
* Add synopses for payload and exthdr statements
* Fix typo: differv -> diffserv
* Reorganize reject statement synopsis to point out which code type
  is required for which type arg
* Counter statement requires either one of 'packets' or 'bytes' args or
  both, none is an invalid variant
* Limit statement accepts a unit in burst, too
* Improve language in limit statement description a bit

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
6 years ago: py: Fix gitignore of lib/ directory
Phil Sutter [Tue, 7 May 2019 13:21:45 +0000 (15:21 +0200)] 
py: Fix gitignore of lib/ directory

Pattern is not a PCRE one but merely a shell glob. Hence 'lib.*' matches
only 'lib.' prefix, not also 'lib'.

Fixes: bf9653667a39e ("python: installation of binding via make install")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
6 years ago: gmputil: Add missing header for va_list
Rosen Penev [Fri, 3 May 2019 18:49:11 +0000 (11:49 -0700)] 
gmputil: Add missing header for va_list

Otherwise it errors with unknown type name when using uClibc.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: src: use UDATA defines from libnftnl
Phil Sutter [Thu, 25 Apr 2019 12:56:54 +0000 (14:56 +0200)] 
src: use UDATA defines from libnftnl

Userdata attribute names have been added to libnftnl, use them instead
of the local copy.

While being at it, rename udata_get_comment() in netlink_delinearize.c
and the callback it uses since the function is specific to rules. Also
integrate the existence check for NFTNL_RULE_USERDATA into it along with
the call to nftnl_rule_get_data().

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: parser_json: fix crash on add rule to bad references
Eric Garver [Wed, 1 May 2019 16:34:45 +0000 (12:34 -0400)] 
parser_json: fix crash on add rule to bad references

Pass the location via the handle so the error leg in
rule_translate_index() can reference it. Applies to invalid references
to tables, chains, and indexes.

Fixes: 586ad210368b ("libnftables: Implement JSON parser")
Signed-off-by: Eric Garver <eric@garver.life>
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: parser_json: fix off by one index on rule add/replace
Eric Garver [Wed, 1 May 2019 16:25:37 +0000 (12:25 -0400)] 
parser_json: fix off by one index on rule add/replace

We need to increment the index by one just as the CLI does.

Fixes: 586ad210368b7 ("libnftables: Implement JSON parser")
Signed-off-by: Eric Garver <eric@garver.life>
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: proto: support for draft-ietf-tsvwg-le-phb-10.txt
Loganaden Velvindron [Wed, 1 May 2019 13:23:15 +0000 (17:23 +0400)] 
proto: support for draft-ietf-tsvwg-le-phb-10.txt

Upcoming dscp codepoint for background traffic of low precedence
such as bulk data transfers with low priority in time, non time-critical
backups, larger software updates, web search engines while gathering
information from web servers and so on.

Signed-off-by: Loganaden Velvindron <logan@cyberstorm.mu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: parser_json: default to unspecified l3proto for ct helper/timeout
Eric Garver [Thu, 2 May 2019 16:20:57 +0000 (12:20 -0400)] 
parser_json: default to unspecified l3proto for ct helper/timeout

As per the man page, if the user does not specify the l3proto it should
be derived from the table family.

Fixes: 586ad210368b ("libnftables: Implement JSON parser")
Signed-off-by: Eric Garver <eric@garver.life>
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: src: fix double free on xt stmt destruction
Florian Westphal [Tue, 23 Apr 2019 11:18:05 +0000 (13:18 +0200)] 
src: fix double free on xt stmt destruction

'nft monitor' dies with:
*** Error in `/sbin/nft': double free or corruption (fasttop): 0x000055f8ba57b750 ***

... when the iptables-nft test suite is running in parallel, because
xfree(stmt->xt.name) gets called twice.

Fixes: 4ac11b890fe870 ("src: missing destroy function in statement definitions")
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: parser_json: Fix parser for list maps command
Phil Sutter [Thu, 25 Apr 2019 12:59:43 +0000 (14:59 +0200)] 
parser_json: Fix parser for list maps command

Wrong callback in json_parse_cmd_list() for "maps" key.

Fixes: 586ad210368b7 ("libnftables: Implement JSON parser")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: parser_json: Fix typo in ct timeout policy parser
Phil Sutter [Thu, 25 Apr 2019 12:59:42 +0000 (14:59 +0200)] 
parser_json: Fix typo in ct timeout policy parser

Parser expects an object in policy property and json_is_object() returns
true if given parameter is an object. The check was inverse by accident.

Fixes: c82a26ebf7e9f ("json: Add ct timeout support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: tests/py: Fix error messages in chain_delete()
Phil Sutter [Thu, 25 Apr 2019 12:59:41 +0000 (14:59 +0200)] 
tests/py: Fix error messages in chain_delete()

Adding a string and a chain object is an illegal operation in Python.
Instead concatenate with cmd string since that contains all required
information already.

Fixes: 820fd08b5f1d4 ("tests/py: Review print statements in nft-test.py")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: tests: monitor: Adjust to changed events ordering
Phil Sutter [Thu, 25 Apr 2019 12:59:40 +0000 (14:59 +0200)] 
tests: monitor: Adjust to changed events ordering

When replacing a rule, kernel nowadays seems to report rule add event
before rule delete one. Since both events belong to the same
transaction, this is harmless per definition and merely needs adjustment
in expected output.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: parser_json: Disallow ct helper as type to map to
Phil Sutter [Thu, 11 Apr 2019 10:38:51 +0000 (12:38 +0200)] 
parser_json: Disallow ct helper as type to map to

When creating a map, users may either map dtype:dtype or dtype:object.
In the second case, only counter, quota, limit and secmark are allowed by
bison, but JSON parser wasn't as strict, allowing ct helper as well.
Remove that to avoid undefined behaviour.

Fixes: 586ad210368b7 ("libnftables: Implement JSON parser")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: parser_json: fix segfault in translating string to nft object
Laura Garcia Liebana [Thu, 11 Apr 2019 08:59:40 +0000 (10:59 +0200)] 
parser_json: fix segfault in translating string to nft object

A segmentation fault is produced when applying an input JSON file
like the following:

{"nftables": [
{ "add":
{"map":
{"family": "ip",
"name": "persistencia",
"table": "nftlb",
"type": "ipv4_addr",
"map": "mark",
"size": 65535,
"flags": ["timeout"],
"timeout": 44
}
}
}
]}

The captured error is:

 Program received signal SIGSEGV, Segmentation fault.
 #1  0x00007ffff7f734f9 in string_to_nft_object (str=0x55555555f410
  "mark") at parser_json.c:2513
 2513 if (!strcmp(str, obj_tbl[i]))

The obj_tbl array is allocated with the maximum element index even
if lower indexes are not populated, so it produces null pointer
items.

This patch ensures that the maximum number of possible indexes is
respected, but also that the element being compared is not a null pointer.

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
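As an added example, not nftables' own code, the shape of the defect this commit fixes: an object-type enum whose values leave gaps, a name table sized by the largest value, and a lookup loop that must skip the resulting NULL slots before calling strcmp(). The enum values, names and function names below are constructed for the example and do not reproduce nftables' real definitions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed numbering: the gap at 5 and 6 leaves NULL slots in obj_tbl,
 * just as the real table has unpopulated indexes below its maximum. */
enum obj_type {
	OBJ_INVALID = 0,
	OBJ_COUNTER = 1,
	OBJ_QUOTA = 2,
	OBJ_CT_HELPER = 3,
	OBJ_LIMIT = 4,
	/* 5 and 6 unassigned in this example */
	OBJ_SECMARK = 7,
	OBJ_TYPE_MAX = OBJ_SECMARK,
};

static const char *const obj_tbl[OBJ_TYPE_MAX + 1] = {
	[OBJ_COUNTER]	= "counter",
	[OBJ_QUOTA]	= "quota",
	[OBJ_CT_HELPER]	= "ct helper",
	[OBJ_LIMIT]	= "limit",
	[OBJ_SECMARK]	= "secmark",
};

/* Map an object name to its type. Walking up to OBJ_TYPE_MAX is right, but
 * every slot must be checked for NULL before strcmp(): the reported crash was
 * strcmp(str, obj_tbl[i]) reaching an unpopulated index. "mark" is a datatype
 * rather than an object, so it walks the whole table and must come back as
 * OBJ_INVALID instead of faulting. */
int string_to_obj_type(const char *str)
{
	int i;

	if (str == NULL)
		return OBJ_INVALID;
	for (i = 0; i <= OBJ_TYPE_MAX; i++) {
		if (obj_tbl[i] == NULL)
			continue;
		if (strcmp(str, obj_tbl[i]) == 0)
			return i;
	}
	return OBJ_INVALID;
}

/* Reverse direction with the same bounds and NULL discipline. */
const char *obj_type_to_string(int type)
{
	if (type < 0 || type > OBJ_TYPE_MAX || obj_tbl[type] == NULL)
		return NULL;
	return obj_tbl[type];
}

/* Count the unpopulated slots: a cheap startup self-check that makes a
 * sparse table known to be sparse rather than discovered by a crash. */
int obj_tbl_gap_count(void)
{
	int i, gaps = 0;

	for (i = 0; i <= OBJ_TYPE_MAX; i++)
		if (obj_tbl[i] == NULL)
			gaps++;
	return gaps;
}

int main(void)
{
	const char *names[] = { "counter", "mark", "secmark" };
	size_t i;

	printf("%d empty slots in obj_tbl\n", obj_tbl_gap_count());
	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
		printf("%-8s -> %d\n", names[i], string_to_obj_type(names[i]));
	return 0;
}
```

The same hazard applies to any table indexed by an enum with holes: bounding the loop by the maximum value is only safe when each slot is also checked for NULL, or when the table is populated for every index.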
6 years ago: segtree: fix memleak in interval_map_decompose()
Pablo Neira Ayuso [Tue, 9 Apr 2019 22:37:04 +0000 (00:37 +0200)] 
segtree: fix memleak in interval_map_decompose()

Do not unconditionally hold reference to start interval.

The handling depends on what kind of range expression we need to build,
either no range at all, a prefix or a plain range. Depending on the
case, we need to partially clone what we need from the expression to
avoid use-after-free.

This fixes valgrind reports that look like this, when listing rulesets:

==30018== 2,057,984 (1,028,992 direct, 1,028,992 indirect) bytes in 8,039 blocks are definitely lost in loss record 76 of 83
==30018==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==30018==    by 0x4E75978: xmalloc (utils.c:36)
==30018==    by 0x4E75A5D: xzalloc (utils.c:65)
==30018==    by 0x4E5CEC0: expr_alloc (expression.c:45)
==30018==    by 0x4E5D610: mapping_expr_alloc (expression.c:985)
==30018==    by 0x4E6A068: netlink_delinearize_setelem (netlink.c:810)
==30018==    by 0x5B51320: nftnl_set_elem_foreach (set_elem.c:673)
==30018==    by 0x4E6A2D5: netlink_list_setelems (netlink.c:864)
==30018==    by 0x4E56C76: cache_init_objects (rule.c:166)
==30018==    by 0x4E56C76: cache_init (rule.c:216)
==30018==    by 0x4E56C76: cache_update (rule.c:243)
==30018==    by 0x4E64530: cmd_evaluate_list (evaluate.c:3503)
==30018==    by 0x4E64530: cmd_evaluate (evaluate.c:3880)
==30018==    by 0x4E7D12F: nft_parse (parser_bison.y:798)
==30018==    by 0x4E7AB56: nft_parse_bison_buffer (libnftables.c:349)
==30018==    by 0x4E7AB56: nft_run_cmd_from_buffer (libnftables.c:394)

Reported-by: Václav Zindulka <vaclav.zindulka@tlapnet.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: src: memleak in expressions
Pablo Neira Ayuso [Tue, 9 Apr 2019 20:58:27 +0000 (22:58 +0200)] 
src: memleak in expressions

Fix memleak in set element and hash expressions destroy path.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: src: add nat support for the inet family
Florian Westphal [Fri, 1 Feb 2019 23:36:51 +0000 (00:36 +0100)] 
src: add nat support for the inet family

Consider a simple ip6 nat table:

table ip6 nat { chain output {
  type nat hook output priority 0; policy accept;
  dnat to dead:2::99
}

Now consider same ruleset, but using 'table inet nat':
nft now lacks context to determine address family to parse 'to $address'.

This adds code to make the following work:

table inet nat { [ .. ]
  # detect af from network protocol context:
  ip6 daddr dead::2::1 dnat to dead:2::99

  # use new dnat ip6 keyword:
  dnat ip6 to dead:2::99
  }

On list side, the keyword is only shown in the inet family, else the
short version (dnat to ...) is used as the family is redundant when the
table already mandates the ip protocol version supported.

Address mismatches such as

table ip6 { ..
dnat ip to 1.2.3.4

are detected/handled during the evaluation phase.

Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: files: pf.os: merge the signatures split by version
Fernando Fernandez Mancera [Wed, 27 Mar 2019 10:38:01 +0000 (11:38 +0100)] 
files: pf.os: merge the signatures split by version

In order to be able to identify the OS version we need to merge the signatures
split by version. eg.

65535:64:1:60:M*,N,W1,N,N,T: FreeBSD:4.7-4.11::FreeBSD 4.7-5.2
65535:64:1:60:M*,N,W1,N,N,T: FreeBSD:5.0-5.2::FreeBSD 4.7-5.2

65535:64:1:60:M*,N,W1,N,N,T: FreeBSD:4.7-5.2::FreeBSD 4.7-5.2

Fingerprints need to be unique to make this fit into the set/map
infrastructure for exact matches. Having multiple fingerprints with the
same signature is a problem, since it forces users to add multiple
rules.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: files: osf: update pf.os with newer OS fingerprints
Fernando Fernandez Mancera [Wed, 27 Mar 2019 10:38:00 +0000 (11:38 +0100)] 
files: osf: update pf.os with newer OS fingerprints

After noticing that some fingerprints are outdated, we have updated the most
common of them.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: doc: add osf version option to man page
Fernando Fernandez Mancera [Wed, 27 Mar 2019 10:37:59 +0000 (11:37 +0100)] 
doc: add osf version option to man page

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: tests: py: add osf tests with versions
Fernando Fernandez Mancera [Wed, 27 Mar 2019 10:37:58 +0000 (11:37 +0100)] 
tests: py: add osf tests with versions

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: json: osf: add version json support
Fernando Fernandez Mancera [Wed, 27 Mar 2019 10:37:57 +0000 (11:37 +0100)] 
json: osf: add version json support

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: osf: add version fingerprint support
Fernando Fernandez Mancera [Wed, 27 Mar 2019 10:37:56 +0000 (11:37 +0100)] 
osf: add version fingerprint support

Add support for version fingerprint in "osf" expression. Example:

table ip foo {
        chain bar {
                type filter hook input priority filter; policy accept;
                osf ttl skip name "Linux"
                osf ttl skip version "Linux:4.20"
        }
}

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: doc: update nft list plural form parameters
Fernando Fernandez Mancera [Fri, 5 Apr 2019 15:36:55 +0000 (17:36 +0200)] 
doc: update nft list plural form parameters

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: src: missing destroy function in statement definitions
Pablo Neira Ayuso [Fri, 5 Apr 2019 13:35:36 +0000 (15:35 +0200)] 
src: missing destroy function in statement definitions

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: parser_bison: type_identifier string memleak
Pablo Neira Ayuso [Fri, 5 Apr 2019 12:09:56 +0000 (14:09 +0200)] 
parser_bison: type_identifier string memleak

==6297== 24 bytes in 3 blocks are definitely lost in loss record 2 of 13
==6297==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==6297==    by 0x56193B9: strdup (strdup.c:42)
==6297==    by 0x4E758BD: xstrdup (utils.c:75)
==6297==    by 0x4E7F9D3: nft_parse (parser_bison.y:1895)
==6297==    by 0x4E7AAE1: nft_parse_bison_filename (libnftables.c:370)
==6297==    by 0x4E7AAE1: nft_run_cmd_from_filename (libnftables.c:438)
==6297==    by 0x109A33: main (main.c:310)

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: ct: use nft_print() instead of printf()
Pablo Neira Ayuso [Fri, 5 Apr 2019 13:36:48 +0000 (15:36 +0200)] 
ct: use nft_print() instead of printf()

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
6 years ago: evaluate: improve error reporting in tproxy with inet family
Pablo Neira Ayuso [Thu, 4 Apr 2019 11:23:04 +0000 (13:23 +0200)] 
evaluate: improve error reporting in tproxy with inet family

 # nft add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy to :2000
 Error: conflicting protocols specified: ip vs. unknown. You must specify ip or ip6 family in tproxy statement
 add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy to :2000
                             ~~~~~~~~                            ^^^^^^^^^^^^^^^

instead of:

 # nft add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy to :2000
 Error: Conflicting network layer protocols.
 add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy to :2000
                                                                 ^^^^^^^^^^^^^^^

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1310
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>