Phil Sutter [Mon, 28 May 2018 16:51:08 +0000 (18:51 +0200)]
tests/py: Add missing JSON equivalent for inet/sets.t
This adds the missing JSON variant for the two rules which are supposed
to work.
Fixes: 2efbdf7b8fcf7 ("tests: py: allow to specify sets with a timeout") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Mon, 28 May 2018 16:51:07 +0000 (18:51 +0200)]
tests/py: Adjust JSON for changes in any/ct.t
Commit 71624f25f22b1 ("tests: py: add expires tests with different time
bases") removed two testcases and added five other ones, adjust JSON
equivalent and recorded output to those changes.
Fixes: 71624f25f22b1 ("tests: py: add expires tests with different time bases") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Mon, 28 May 2018 16:51:06 +0000 (18:51 +0200)]
JSON: Simplify immediate value parsing
Since an explicit "immediate" expression doesn't exist in JSON (the
values are represented as plain JSON string/integer/boolean types),
there is no need for json_parse_immediate_expr() to comply to the common
expression parser parameter format.
Apart from that:
* Drop CTX_F_RHS checks - caller assures sane context already.
* Improve error message a bit for denied JSON types.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Mon, 28 May 2018 16:51:05 +0000 (18:51 +0200)]
JSON: Fix parsing of meter statement key
The key must be a set elem expression, but if a "regular" expression was
provided (which should be commonly accepted in case no set elem specific
properties are required), the resulting object tree crashed libnftables.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Mon, 28 May 2018 16:51:01 +0000 (18:51 +0200)]
JSON: Review set elem expressions
* There is no need to prefix element-specific properties with 'elem_',
they can't conflict.
* In json_parse_set_stmt(), searching for above properties is pointless
since that's already done by called function.
* Fix potential NULL-pointer deref in json_parse_set_elem_expr_stmt():
json_parse_flagged_expr() may return NULL.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Mon, 28 May 2018 16:51:00 +0000 (18:51 +0200)]
JSON: Review meter statement support
Meter name being optional seems to come from old flow statement, so
don't support this. Also add size support as was recently added to
standard syntax.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Mon, 28 May 2018 16:50:59 +0000 (18:50 +0200)]
JSON: Sort out rule position and handles in general
First of all, don't print the position property when listing rules. This
was there only because libnftnl JSON output has it too, but since the
preferred way to *add* a rule at some location is via 'handle' keyword,
keeping "position" in output would be non-intuitive. Changing "position"
property name to "handle" instead is also a no-go since that would clash
with the real rule handle.
Secondly, turn all handle output on regardless of octx->handle setting.
For a programmatic API like JSON, this should be fine.
Thirdly, fix rule locations when parsing JSON: Respect "handle" property
for CMD_INSERT and CMD_ADD and ignore "pos" at all (actually even a
typo, should have read "position"). Also support "index" property
recently added to standard syntax.
Finally, adjust nft-test.py for the above changes: There is no
"position" property to drop from rule output, and "handle" property will
always be present.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Mon, 28 May 2018 16:50:56 +0000 (18:50 +0200)]
objref: Use "ct helper" for NFT_OBJECT_CT_HELPER
Change name of NFT_OBJECT_CT_HELPER in objref_type table to "ct helper"
for consistency. Note that this is not used in regular nft output since
objref_stmt_print() treats this object type separately.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
statement: old kernels are allowing burst zero, don't print it
Don't print limit burst zero which was the default value in old kernels,
this is not allowed in more recent kernels that now operate like
iptables xt_limit which is what users are expecting.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
segtree: incorrect handling of comments and timeouts with mapping
Check if expression is a mapping to do the right handling.
Fixes: 35fedcf540bf ("segtree: missing comments in range and prefix expressions in sets") Fixes: be90e03dd1fa ("segtree: add timeout for range and prefix expressions in sets") Reported-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Sabrina Dubroca [Fri, 25 May 2018 13:23:16 +0000 (15:23 +0200)]
fix printing of "tcp flags syn" and "tcp flags == syn" expressions
Commit 6979625686ec ("relational: Eliminate meta OPs") introduced some
bugs when printing bitmask types.
First, during the post-processing phase of delinearization, the
expression for "tcp flags syn" (PAYLOAD & flag != 0) gets converted to
PAYLOAD == flag, which is not equivalent. This should be
PAYLOAD (IMPL) flag.
Then, during output, the "==" sign from "tcp flags == syn" is dropped,
because the bitmask condition in must_print_eq_op() was removed. Let's
restore it, so that "tcp flags == syn" doesn't get printed as
"tcp flags syn". An extra check for value types is added, so that we
don't start printing "==" for sets such as "tcp flags {syn,ack}"
Finally, add a regression test for this particular case.
segtree: add timeout for range and prefix expressions in sets
# nft add table x
# nft add set x y { type ipv4_addr\; flags timeout,interval\; }
# nft add element x y { 7.4.4.5-8.8.8.8 comment "good guy" timeout 30s}
# nft list ruleset
table ip x {
set y {
type ipv4_addr
flags interval,timeout
elements = { 7.4.4.5-8.8.8.8 timeout 30s expires 27s956ms comment "good guy" }
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Máté Eckl [Thu, 17 May 2018 07:36:59 +0000 (09:36 +0200)]
tests: py: print_msg refactor
The errstr attribute was hard-coded to "ERROR:"
errstr has been moved in the parameter list. As print_msg is only
used from the other print_* this is not an issue, and as there is a
print_error function, I don't think that strerr should default to
"ERROR:".
Also this kind of messages now get written to stderr. This can be
beneficial if someone wants to redirect output to a file.
Máté Eckl [Thu, 17 May 2018 07:36:58 +0000 (09:36 +0200)]
tests: py: updated test file structure descripion in README
The order of the table and chain definitions have changed in test files.
Now the name of the chain has to be specified in the definition of the
table, so their order is reverted.
Phil Sutter [Tue, 15 May 2018 09:37:56 +0000 (11:37 +0200)]
libnftables: Move scanner object into struct nft_ctx
The initial approach of keeping as much of lex/yacc-specific data
local to the relevant parsing routines was flawed in that input
descriptors which parsed commands' location information points at were
freed after parsing (in scanner_destroy()) although they were required
later for error reporting in case a command was rejected by the kernel.
To overcome this, keep the scanner pointer in struct nft_ctx so that it
can be kept in place until kernel communication has finished.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Fri, 11 May 2018 10:33:46 +0000 (12:33 +0200)]
evaluate: Return ENOENT if rule index is too large
Since EINVAL usually indicates errors from kernel, avoid using it here
too. Instead return ENOENT to indicate there's no entry to append or
prepend the rule to.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 8 May 2018 11:08:45 +0000 (13:08 +0200)]
tests/py: Support testing JSON input and output as well
This extends nft-test.py by optional JSON testing capabilities,
activated via '-j'/'--enable-json' parameter).
JSON testing happens for all rules which are supposed to work: After a
rule has been added and the existing tests (payload, ruleset listing
output) have been performed, basically the same test is done again using
a recorded JSON equivalent and (if necessary) a recorded listing output.
The code tries to ease new test case creation overhead by
auto-generating JSON equivalent input via listing the (non-JSON) rule in
JSON format. Also, differing netlink debug and listing output are stored
in *.got files to assist in analyzing/fixing failing test cases.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 8 May 2018 11:08:43 +0000 (13:08 +0200)]
tests/py: Don't read expected payload for each table
When testing rule adding to different table families, expected payload
was read for each tested family again. Instead, read it just once and
just try to read a family-specific payload for each tested family.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 8 May 2018 11:08:38 +0000 (13:08 +0200)]
libnftables: Implement JSON parser
If JSON output setting is active in current context, try parsing any
input as JSON. If the initial loading of the buffer or filename by
libjansson fails, fall back to regular syntax parser.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 8 May 2018 11:08:37 +0000 (13:08 +0200)]
libnftables: Implement JSON output support
Although technically there already is support for JSON output via 'nft
export json' command, it is hardly useable since it exports all the gory
details of nftables VM. Also, libnftables has no control over what is
exported since the content comes directly from libnftnl.
Instead, implement JSON format support for regular 'nft list' commands.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 8 May 2018 11:08:34 +0000 (13:08 +0200)]
libnftables: Make some arrays globally accessible
This removes static flag and adds declarations in headers for the
following arrays:
* ct_templates from src/ct.c
* mark_tbl from src/datatype.c
* meta_templates and devgroup_tbl from src/meta.c
* table_flags_name from src/rule.c
* set_stmt_op_names from src/statement.c
* tcpopthdr_protocols from src/tcpopt.c
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Combine it with 0002insertposition_0 due to the many similarities,
extend it to test 'handle' and 'index' parameters as well and rename the
testcase accordingly.
Also add a new 0002addinsertlocation_1 which tests that wrong argument
to all of the location parameters fails.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 9 May 2018 14:03:42 +0000 (16:03 +0200)]
Support 'add/insert rule index <IDX>'
Allow to specify an absolute rule position in add/insert commands like
with iptables. The translation to rule handle takes place in userspace,
so no kernel support for this is needed. Possible undesired effects are
pointed out in man page to make users aware that this way of specifying
a rule location might not be ideal.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 9 May 2018 14:03:40 +0000 (16:03 +0200)]
Deprecate add/insert rule 'position' argument
Instead, use 'handle' keyword for the same effect since that is more
consistent with respect to replace/delete commands. The old keyword is
still supported for backwards compatibility and also listed in man page
along with a hint that it shouldn't be used anymore.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Sat, 5 May 2018 12:44:53 +0000 (14:44 +0200)]
scanner: Support rfc4291 IPv4-compatible addresses
These are defined in section 2.5.5.1. Although it is stated that they
are deprecated and new implementations are not required to support them,
they occur in ruleset output if an address in the form '::feed:babe' was
given in input. In order to support reinsertion of that rule, we have to
support those deprecated addresses as well.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Sat, 5 May 2018 12:44:26 +0000 (14:44 +0200)]
proto: Fix wrong token in proto_icmp6
'token' value of ICMP6HDR_MTU field must be 'mtu', not 'packet-too-big'.
This went unnoticed because rule delinearization for icmp/icmpv6 payload
expressions is problematic anyway in that different fields point to the
same offset and therefore are indistinguishable. In this case, an
expression like e.g. 'icmpv6 mtu 1500' will be printed later as 'icmpv6
parameter-problem 1500'.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Instruct Make to actually install the header to the system, otherwise
users won't see the header in their system after running 'make install'.
Also, export main libnftables header with a proper name, since we have another
private header called 'nftables.h' (i.e, let's be concrete with the naming).
cache_update() needs to accept the full debug mask instead of a boolean of
NFT_DEBUG_NETLINK, because called functions may wish to check other bits
(NFT_DEBUG_MNL in particular).
Phil Sutter [Tue, 24 Apr 2018 09:44:19 +0000 (11:44 +0200)]
rule: Free flowtable in handle_free()
Fixes: db0697ce7f602 ("src: support for flowtable listing") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: simplify netlink_get_setelems() and rename it to netlink_list_setelems()
This is called from cache population path, remove netlink_io_error()
call since this is not needed. Rename it for consistency with similar
netlink_list_*() NLM_F_DUMP functions. Get rid of location parameter.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This error path is never entered since mnl_nft_*_batch_{add,del,replace}
calls never fail, and if they ever do fail it will be because we are
hitting OOM, in such case we can display a more generic non-netlink
error.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Legacy tool name is 'brctl' and so the 'br' prefix is already known. If
we use ibrname and obrname it looks consistent with iifname and oifname.
So let's this instead of ibridgename and obridgename since Florian likes
this too.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
expression: fix constant expression allocation on big endian with partial bytes
Commit 5259feeb7cda ("expression: fix constant expression allocation on
big endian") improved constant handling on big endian, but didn't handle
the case of partial bytes correctly.
Currently, constant_data_ptr(val, 6) points to the item after val,
instead of the last byte of val.
Thanks to Stefano for providing the correct expression.
Fixes: 5259feeb7cda ("expression: fix constant expression allocation on big endian") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
evaluate: reset eval context when evaluating set definitions
David reported nft chokes on this:
nft -f /tmp/A
/tmp/A:9:22-45: Error: datatype mismatch, expected concatenation of (IPv4 address, internet network service, IPv4 address), expression has type concatenation of (IPv4 address, internet network service)
cat /tmp/A
flush ruleset;
table ip filter {
set setA {
type ipv4_addr . inet_service . ipv4_addr
flags timeout
}
set setB {
type ipv4_addr . inet_service
flags timeout
}
}
Problem is we leak set definition details of setA to setB via eval
context, so reset this.
Also add test case for this.
Reported-by: David Fabian <david.fabian@bosson.cz> Signed-off-by: Florian Westphal <fw@strlen.de>
For bridge, iifname is the port name, whereas 'ibrport' is the
logical name of the bridge ("br0") the port ("iifname") is enslaved to.
So, 'ibrport' is a misnomer.
libnftl calls these 'bri_iifname' and 'bri_oifname', which is good
but using 'briiifname' in nft is rather ugly, so use 'ibridgename'
and 'obridgename' instead.
Old names are still recognized, listing shows the new names.
projects / thirdparty / nftables.git / log
