Phil Sutter [Thu, 10 Aug 2017 17:29:18 +0000 (19:29 +0200)]
nft.8: Add note about supported hooks for bridge family
It is the only address family which lacks a table describing supported
hooks. Since that would be identical to the one for ip/ip6/inet
families, just point there.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 10 Aug 2017 17:29:17 +0000 (19:29 +0200)]
nft.8: Review reject statement description
- Describe 'type' argument datatypes in DATA TYPES section, then remove
value list from reject statement description and refer to that section
instead.
- Fix synopsis: 'with ...' is optional.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 10 Aug 2017 17:29:15 +0000 (19:29 +0200)]
nft.8: Document operations on ruleset
People new to nftables and yet unaware of 'list ruleset' and 'flush
ruleset' commands have a hard time. Therefore put description of those
prominently at the top, even before explaining operations on tables and
chains.
Since 'export ruleset' is closely related, document it here as well and
remove it's sparse description from ADDITIONAL COMMANDS section.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 9 Aug 2017 11:16:42 +0000 (13:16 +0200)]
Implement --echo option
When used with add, insert or replace commands, nft tool will print
event notifications just like 'nft monitor' does for the same commands.
Apart from seeing what a given command will turn out in the rule set,
this allows to reliably retrieve a new rule's assigned handle (if used
together with --handle option).
Here are some examples of how it works:
| # nft --echo --handle add table ip t
| add table ip t
|
| # nft --echo --handle add chain ip t c \
| '{ type filter hook forward priority 0; }'
| add chain ip t c { type filter hook forward priority 0; policy accept; }
|
| # nft --echo --handle add rule ip t c tcp dport '{22, 80}' accept
| add rule ip t c tcp dport { ssh, http } accept # handle 2
|
| # nft --echo --handle add set ip t ipset '{ type ipv4_addr; \
| elements = { 192.168.0.1, 192.168.0.2 }; }'
| add set ip t ipset { type ipv4_addr; }
| add element ip t ipset { 192.168.0.1 }
| add element ip t ipset { 192.168.0.2 }
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The forward chain isn't supported anymore (on kernel side it only worked
if bridge netfilter 'call-arptables' sysctl is on), so this test now fails
with nf-next kernel.
In nftables one can filter/test arp packets in bridge family directly.
Varsha Rao [Wed, 2 Aug 2017 11:43:08 +0000 (12:43 +0100)]
src: netlink: Subscribe nft monitor and nft monitor trace to respective groups.
Subscribe nft monitor to both NFNLGRP_NFTABLES and NFNLGRP_NFTRACE.
nft monitor trace subscribes only to NFNLGRP_NFTRACE. Other event
reporting options to only NFNLGRP_NFTABLES.
Joint work with Pablo Neira.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Fri, 28 Jul 2017 11:55:45 +0000 (13:55 +0200)]
mnl: Consolidate mnl_batch_talk() parameters
The single caller of this function passes struct netlink_ctx fields as
the first two parameters. This can be simplified by passing the context
object itself and having mnl_batch_talk() access it's fields instead.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 25 Jul 2017 18:39:42 +0000 (20:39 +0200)]
monitor: Fix printing of set declarations
The optional attributes 'flags', 'gc-interval' and 'timeout' have to be
delimited by stmt_separator (either newline or semicolon), not 'nl'
which is set to whitespace by set_print_plain().
In order to restore readability, change stmt_separator to include a
single whitespace after the semicolon.
Here's monitor output for the following command:
| # nft add set ip t testset { type inet_service; \
| timeout 60s; gc-interval 120s; }
Before this patch:
| add set ip t testset { type inet_service;timeout 1m gc-interval 2m }
With this patch applied:
| add set ip t testset { type inet_service; timeout 1m; gc-interval 2m; }
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 25 Jul 2017 14:56:24 +0000 (16:56 +0200)]
tests/monitor: Ignore newgen messages in output
Predicting the new ID value is not feasible and neither is implementing
support for regular expressions when matching monitor output, so simply
ignore them.
Also use diff option '-w' instead of '-Z' to ignore all whitespace, not
just at EOL.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 19 Jul 2017 14:32:57 +0000 (16:32 +0200)]
monitor: Print NEWGEN events
Now that they contain process information, they're actually interesting.
For backwards compatibility, print process information only if it was
present in the message.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
monitor: Fix printing of range elements in named sets
If you add set elements to interval sets, the output is wrong.
Fix this by caching first element of the range (first event),
then wait for the second element of the range (second event) to
print them both at the same time.
We also avoid printing the first null element required in the RB tree.
Before this patch:
% nft add element t s {10-20, 30-40}
add element ip t s { 0 }
add element ip t s { 10 }
add element ip t s { ftp }
add element ip t s { 30 }
add element ip t s { 41 }
After this patch:
% nft add element t s {10-20, 30-40}
add element ip t s { 10-20 }
add element ip t s { 30-40 }
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 19 Jul 2017 13:05:27 +0000 (15:05 +0200)]
segtree: Introduce flag for half-open range elements
This flag is required by userspace only, so can live within userdata.
It's sole purpose is for 'nft monitor' to detect half-open ranges (which
are comprised of a single element only).
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Remove variable nf_mon_sock of type structure mnl_socket to avoid
duplicity. Instead variable nf_sock of the same type is passed as
argument to netlink_monitor(). Also remove netlink_open_mon_sock()
function definition, which is no longer required.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 12 Jul 2017 12:14:16 +0000 (14:14 +0200)]
src: Allow passing the parent set to set_expr_alloc()
Usually one wants to at least initialize set_flags from the parent, so
make allocation of a set's set expression more convenient.
The idea to do this came when fixing an issue with output formatting of
larger anonymous sets in nft monitor: Since
netlink_events_cache_addset() didn't initialize set_flags,
calculate_delim() didn't detect it's an anonymous set and therefore
added newlines to the output.
Reported-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Fixes: a9dc3ceabc10f ("expression: print sets and maps in pretty format") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Eric Leblond [Mon, 10 Jul 2017 22:32:55 +0000 (00:32 +0200)]
cli: fix heap buffer overflow
This patch fixes an invalid read when an empty command was sent.
Found via nft running ASAN and entering an empty command:
nft>
=================================================================
==19540==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000008c6f at pc 0x55e3b561704d bp 0x7fffe9a33ac0 sp 0x7fffe9a33ab8
READ of size 1 at 0x602000008c6f thread T0
#0 0x55e3b561704c in cli_append_multiline /home/eric/git/netfilter/nftables/src/cli.c:65
#1 0x55e3b561725b in cli_complete /home/eric/git/netfilter/nftables/src/cli.c:109
#2 0x7f6e0c2ccac2 in rl_callback_read_char (/lib/x86_64-linux-gnu/libreadline.so.7+0x2fac2)
#3 0x55e3b5617ba6 in cli_init /home/eric/git/netfilter/nftables/src/cli.c:199
#4 0x55e3b5573b75 in main /home/eric/git/netfilter/nftables/src/main.c:381
#5 0x7f6e0bc9b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#6 0x55e3b55725a9 in _start (/usr/local/sbin/nft+0x445a9)
Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Eric Leblond [Mon, 10 Jul 2017 22:32:53 +0000 (00:32 +0200)]
evaluate: fix build with clang
Building with a recent clang was failing due to the following error:
src/evaluate.c|450 col 45| error: initializer element is not constant
|| static const unsigned int max_tcpoptlen = 15 * 4 * BITS_PER_BYTE - tcphdrlen;
|| ^~
Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Eric Leblond [Mon, 10 Jul 2017 22:32:51 +0000 (00:32 +0200)]
parser: fix bison warnings
We had the following warnings
parser_bison.y:1089:10: warning: variable 'cmd' is used uninitialized whenever 'if' condition is false [-Wsometimes-uninitialized]
if (erec != NULL) {
^~~~~~~~~~~~
parser_bison.y:1095:39: note: uninitialized use occurs here
(yyval.cmd) = cmd_alloc(CMD_LIST, cmd, &(yyvsp[0].handle), &(yyloc), NULL);
^~~
parser_bison.y:1089:6: note: remove the 'if' if its condition is always true
if (erec != NULL) {
^~~~~~~~~~~~~~~~~~
parser_bison.y:1080:12: note: initialize the variable 'cmd' to silence this warning
int cmd;
^
= 0
Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Direct leak of 13 byte(s) in 1 object(s) allocated from:
#0 0x45cca0 in __interceptor_strdup (/usr/local/sbin/nft+0x45cca0)
#1 0x593cb1 in xstrdup /home/eric/git/netfilter/nftables/src/utils.c:75:8
#2 0x5bccb2 in nft_lex /home/eric/git/netfilter/nftables/src/scanner.l:566:22
#3 0x5cb363 in nft_parse /home/eric/git/netfilter/nftables/src/parser_bison.c:4366:16
#4 0x505a37 in nft_run /home/eric/git/netfilter/nftables/src/main.c:246:8
#5 0x50771f in main /home/eric/git/netfilter/nftables/src/main.c:392:6
#6 0x7ff7befdb2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: 13 byte(s) leaked in 1 allocation(s). Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Eric Leblond [Mon, 10 Jul 2017 22:32:49 +0000 (00:32 +0200)]
src: fix memory leak when listing rules
When listing rules we were calling strdup on the table name
but variable was just used locally.
Found via `nft list ruleset` run with ASAN:
Direct leak of 4 byte(s) in 1 object(s) allocated from:
#0 0x45cca0 in __interceptor_strdup (/usr/local/sbin/nft+0x45cca0)
#1 0x593c71 in xstrdup /home/eric/git/netfilter/nftables/src/utils.c:75:8
#2 0x513b34 in do_list_ruleset /home/eric/git/netfilter/nftables/src/rule.c:1388:23
#3 0x50e178 in do_command_list /home/eric/git/netfilter/nftables/src/rule.c:1500:10
#4 0x50d3ea in do_command /home/eric/git/netfilter/nftables/src/rule.c:1696:10
#5 0x5061ae in nft_netlink /home/eric/git/netfilter/nftables/src/main.c:207:9
#6 0x505b87 in nft_run /home/eric/git/netfilter/nftables/src/main.c:255:8
#7 0x50771f in main /home/eric/git/netfilter/nftables/src/main.c:392:6
#8 0x7fa1f326d2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add nft_init and nft_exit functions, which calls _init and _exit
functions in main.c file. Remove __init and __exit macro definitions as
libnftables library will be created soon. Rename realm_table_init() and
realm_table_exit() functions to avoid ambiguity as
realm_table_rt_init(), realm_table_meta_init, realm_table_rt_exit() and
realm_table_meta_exit() in rt.c and meta.c files.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This socket should not be global, it is also hidden in many layers of
code. Expose it as function parameters to decouple the netlink socket
handling logic from the command parsing, evaluation and bytecode
generation.
Joint work with Varsha Rao.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
exthdr.c:41:31: warning: ‘%d’ directive output may be truncated writing between 1 and 8 bytes into a region of size 3 [-Wformat-truncation=]
snprintf(buf, sizeof buf, "%d", offset);
^~
This warning is incorrect, as offset is limited by tcp option ranges,
but gcc doesn't know this. Increase buffer to avoid the warning.
Ismo Puustinen [Tue, 27 Jun 2017 12:14:58 +0000 (15:14 +0300)]
scanner: support for wildcards in include statements.
Use glob() to find paths in include statements. The rules are these:
1. If no files can be found in the pattern with wildcards, do not
return an error.
2. Do not match any files beginning with '.'.
3. Do not handle include directories anymore. For example, the
statement:
include "foo/"
would now need to be rewritten:
include "foo/*"
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Shyam Saini [Wed, 21 Jun 2017 08:47:45 +0000 (14:17 +0530)]
tests: py: Fail test forcefully when bug is not fixed
When we have "fail" in the test cases then py test doesn't complain
anything, but the test should complain if the fix is not applied.
Before applying 986dea8a4a9d ("evaluate: avoid reference to multiple src
data in statements which set values"), nft throws following error
message and exits with error code 134.
$ nft add rule x y tcp dport set { 0 , 1 }
BUG: unknown expression type set reference
nft: netlink_linearize.c:696: netlink_gen_expr: Assertion `0' failed.
Aborted
This commit enforces nft-test.py to throw error message when the fix
is not applied.
Signed-off-by: Shyam Saini <mayhs11saini@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Sometimes it can be useful to test if a command is valid without
applying any change to the rule-set. This commit adds a new option
flag (-c | --check) that performs a dry run execution of the commands.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Shyam Saini [Fri, 23 Jun 2017 12:05:56 +0000 (17:35 +0530)]
tests: shell: Test input descriptors for included files
Before b14572f72aac ("erec: Fix input descriptors for included files"),
nft error message was pointing to wrong file. But after this commit it
points to right file.
This patch adds a new test for this commit.
Signed-off-by: Shyam Saini <mayhs11saini@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Shyam Saini [Fri, 23 Jun 2017 12:05:55 +0000 (17:35 +0530)]
tests: shell: Add test for incomplete set add set command
Before c6cd7c22548a ("src: fix crash when inputting an incomplete set
add command") commit, if we run nft with incomplete "add set" command it
caused segmentation fault and exit with error code 139 and further it
didn't throw any error message.
For example:
$ sudo nft add set t s
But after the aforementioned commit it throws syntax error message and
exits with return value 1.
For example:
$ sudo nft add set t s
<cmdline>:1:12-12: Error: syntax error, unexpected newline, expecting '{'
add set t s
^
This commit tests changes made in such commit.
Signed-off-by: Shyam Saini <mayhs11saini@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
evaluate: Better error reporting for bad set references
In case you refer to an unexisting set, bail out with:
# nft add table x
# nft add chain x y
# nft add rule x y ip protocol vmap @reject_to_rule2;
<cmdline>:1:31-46: Error: Set 'reject_to_rule2' does not exist
add rule x y ip protocol vmap @reject_to_rule2
^^^^^^^^^^^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1145 Fixes: a6b75b837f5e ("evaluate: set: Allow for set elems to be sets") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Fri, 16 Jun 2017 19:18:45 +0000 (21:18 +0200)]
evaluate: reject meta nfproto outside of inet family
meta nfproto loads the hook family type of the current rule context
in the kernel, i.e. it will be NFPROTO_IPV6 for ip6 family,
NFPROTO_BRIDGE for bridge and so on.
The only case where this is useful is the inet pseudo family,
where this is useful to determine the real hook family
(NFPROTO_IPV4 or NFPROTO_IPV6).
In all other families 'meta nfproto' is either always true or false.
Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Fri, 16 Jun 2017 19:52:32 +0000 (21:52 +0200)]
tests: restrict ct saddr test to inet family
any/ct.t: ERROR: line 94: src/nft add rule --debug=netlink ip6
test-ip6 output meta nfproto ipv4 ct original saddr 1.2.3.4: This rule should not have failed.
Actually, this failure is "ok; we can't find upper layer protocol
in this case, but even if we'd "fix" this it is still non-sensical,
meta nfproto ipv4, but family is ipv6 --> rule would never match.
First move this to an inet-specific test.
A followup patch will reject meta nfproto for all families except inet.
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Shyam Saini [Fri, 16 Jun 2017 19:35:42 +0000 (01:05 +0530)]
tests: py: Add test for ambiguity while setting the value
This test checks bug identified and fixed in the commit mentioned below
In a statement if there are multiple src data then it would be
totally ambiguous to decide which value to set.
Before the commit was made it returned 134(BUG), but now it returns 1
i.e, an error message.
Following rules tests ambiguity while setting the value:
$ sudo nft add rule ip test-ip4 output ct mark set {0x11333, 0x11}
<cmdline>:1:41-55: Error: you cannot use a set here, unknown value to use
add rule ip test-ip4 output ct mark set {0x11333, 0x11}
~~~~~~~~~~~~^^^^^^^^^^^^^^^
Test: 986dea8 ("evaluate: avoid reference to multiple src data in
statements which set values") Signed-off-by: Shyam Saini <mayhs11saini@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Varsha Rao [Fri, 16 Jun 2017 09:24:06 +0000 (14:54 +0530)]
src: Pass stateless, numeric, ip2name and handle variables as structure members.
libnftables library will be created soon. So declare numeric_output,
stateless_output, ip2name_output and handle_output as members of
structure output_ctx, instead of global variables. Rename these
variables as following,
src: error reporting for nested ruleset representation
If you load a file using the nested ruleset representation, ie. the one
you get via `nft list ruleset', error reporting doesn't help you much to
find the problem.
For example, the following ruleset points to an unexisting chain 'x':
table test {
chain test {
type filter hook ingress priority 0; policy drop;
ip saddr { 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4 } jump x
}
}
Error reporting is very sparse as it says:
# nft -f /home/test/x
/home/test/x:1:1-2: Error: Could not process rule: No such file or directory
table netdev test{
^^
So it's hard to know what is exactly missing.
This patch enhances the existing logic, so nft points to the rule
causing the problem, ie.
# nft -f /home/test/x
/home/test/x:4:17-70: Error: Could not process rule: No such file or directory
ip saddr { 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4 } jump x
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The idea behind this patch is to expand the single table command into a
list of individual commands, one per nested object inside the table.
This expanded list is spliced into the existing list of commands. Thus,
each command gets a sequence number that helps us correlate the error
with the command that triggers it.
This patch also includes reference counting for rules and objects. This
was already in place for table, chain and sets. We need this since now
we hold references to them from both the command and the table object
itself. So the last reference releases the object from memory. Note that
table objects still keep the list of chain, sets, etc. since the
existing cache logic needs this to work.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: display default directory for file inclusion in -h/--help
If no explicit relative or absolute path is enforced by the user, nft
relies on either -I/--includepath or the default include directory that
is set at compile time.
Given most of our users will rely on packaged versions of nft, provide a
way to display the location of this default includepath directory.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
In case of bitmask types (tcp flags, ct eventmask) nft
allows to use comma operator to test multiple values, i.e.
tcp flags syn,ack ct event new,destroy etc.
But currently nft fails to use this when used in a statement, i.e.
... ct eventmask set new,destroy
gives:
syntax error, unexpected comma
This allows makes this work, it is the same as
ct eventmask set new|destroy
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Mon, 29 May 2017 17:25:37 +0000 (19:25 +0200)]
meta: permit meta nfproto ip in ip family
works:
add rule ip filter input ct original saddr 1.2.3.4
(family ctx init initialises network base to proto_ip).
fails to parse 1.2.3.4 address:
add rule ip filter input meta nfproto ipv4 ct original saddr 1.2.3.4
... because meta_expr_pctx_update() won't find a dependency
from "ip" to "ip" and then overwrites the correct base with proto_unknown.
"meta nfproto ip" is useless in the ip family, as it will always match,
i.e. a better (but more compliated) fix would be to remove the statement
during evaluation.
Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Mon, 29 May 2017 17:25:38 +0000 (19:25 +0200)]
ct: fix inet/bridge/netdev family handling for saddr/daddr
"ct orignal saddr" has an invalid data type, as the address can be either ipv4 or ipv6.
For some cases we could infer it from the rhs, but there are cases where we don't have any
information, e.g. when passing ct original saddr to jhash expression.
So do the same thing that we do for "rt nexthop" -- error out and hint to user
they need to specifiy the desired address type with "meta nfproto".
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Varsha Rao [Tue, 6 Jun 2017 06:25:40 +0000 (11:55 +0530)]
src: Remove expire information from list stateless ruleset.
As expires is stateful information. This patch removes expire
information from list stateless ruleset. With nft -s option, the
ruleset will be as following.
table ip firewall {
set host {
type ipv4_addr
flags timeout
elements = { 10.0.0.2 timeout 10m }
}
}
Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Ismo Puustinen [Tue, 6 Jun 2017 11:50:10 +0000 (14:50 +0300)]
tests: test include directories
Add tests for:
* including an empty directory
* including directory with one or two files in it
* testing for required trailing slash in directory name
* testing for detecting non-existent directory
* testing for a broken file in included directory
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Ismo Puustinen [Tue, 6 Jun 2017 11:50:09 +0000 (14:50 +0300)]
scanner: add support for include directories
If a string after "include" keyword points to a directory instead of a
file, consider the directory to contain only nft rule files and try to
load them all. This helps with a use case where services drop their own
firewall configuration files into a directory and nft needs to include
those without knowing the exact file names.
File loading order from the include directory is not specified, so the
files inside an include directory should not depend on each other.
Fixes(Bug 1154 - Allow include statement to operate on directories and/or wildcards).
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: remove global nftnl_batch structure in mnl layer
The underlying mnl layer uses a global nftnl_batch structure. Instead,
pass pointer as parameter to the functions that need this. The netlink
layer stores a reference to this structure in struct netlink_ctx.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
expression: don't trim off unary expression on delinearization
This transformation introduces an unnecessary asymmetry between the
linearization and delinearization steps that prevent rule deletion by
name to work fine.
Moreover, do not print htonl and ntonl from unary expression, this
syntax is not allowed by the parser.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
evaluate: avoid reference to multiple src data in statements which set values
Prevent this assert:
% nft [..] tcp dport set { 0 , 1 }
BUG: unknown expression type set reference
nft: netlink_linearize.c:696: netlink_gen_expr: Assertion `0' failed.
Aborted
We can't use a set here because we will not known which value to use.
With this patch, a proper error message is reported to users:
% nft add rule t c tcp dport set {1, 2, 3, 4, 5}
<cmdline>:1:28-42: Error: you cannot use a set here, unknown value to use
add rule t c tcp dport set {1, 2, 3, 4, 5}
~~~~~~~~~~~~~~^^^^^^^^^^^^^^^
% nft add rule t c tcp dport set @s
<cmdline>:1:28-29: Error: you cannot reference a set here, unknown value to use
add rule t c tcp dport set @s
~~~~~~~~~~~~~~^^
This error is reported to all statements which set values.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Thu, 25 May 2017 07:14:58 +0000 (09:14 +0200)]
Merge branch 'meta_l4_dependency'
Currently nft inserts different types of dependencies for l4 protocols,
depending on the family.
For inet, nft inserts 'meta l4proto' to e.g. check for tcp, for
ip, nft uses 'ip protocol'. Both are fine. The ip6 family however
uses 'ip6 nexthdr', and thats a problem because e.g. tcp dport 22 will
not match packets that use ipv6 extension headers.
The series switches both ipv6 and ipv4 to use meta l4 instead
so ipv6 will always check the last transport header value.
We could ignore ip as only ipv6 uses extension headers.
However, switching ipv4 as well makes things a bit simpler because nft
then creates the same l4 dependency for all families.
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Wed, 22 Mar 2017 15:38:30 +0000 (16:38 +0100)]
tests: fix up meta l4proto change for ip6 family
After previous commit nft generates meta l4proto for ipv6 dependencies
instead of checking the (first) nexthdr value.
This fixes up all tests cases accordingly except one which fails with
ip6/reject.t: ... 12: 'ip6 nexthdr 6 reject with tcp reset' mismatches 'meta l4proto 6 reject with tcp reset'
This will be fixed by removing the implicit dependency in a followup patch.
Florian Westphal [Thu, 18 May 2017 11:30:54 +0000 (13:30 +0200)]
payload: enforce ip/ip6 protocol depending on icmp or icmpv6
After some discussion with Pablo we agreed to treat icmp/icmpv6 specially.
in the case of a rule like 'tcp dport 22' the inet, bridge and netdev
families only care about the lower layer protocol.
In the icmpv6 case however we'd like to also enforce an ipv6 protocol check
(and ipv4 check in icmp case).
This extends payload_gen_special_dependency() to consider this.
With this patch:
add rule $pf filter input meta l4proto icmpv6
add rule $pf filter input meta l4proto icmpv6 icmpv6 type echo-request
add rule $pf filter input icmpv6 type echo-request
will work in all tables and all families.
For inet/bridge/netdev, an ipv6 protocol dependency is added; this will
not match ipv4 packets with ip->protocol == icmpv6, EXCEPT in the case
of the ip family.
Its still possible to match icmpv6-in-ipv4 in inet/bridge/netdev with an
explicit dependency:
add rule inet f i ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type ...
Implicit dependencies won't get removed at the moment, so
bridge ... icmp type echo-request
will be shown as
ether type ip meta l4proto 1 icmp type echo-request
which is: ip6 filter input ip6 nexthdr tcp dport 22
IOW, such a rule won't match if e.g. a fragment header is in place.
This changes ip6_proto to use 'meta l4proto' which is the protocol header
found by exthdr walk.
A side effect is that for bridge we get a shorter dependency chain as it
no longer needs to prepend 'ether proto ipv6' for old 'ip6 nexthdr' dep.
Only problem:
ip6 nexthdr tcp tcp dport 22
will now inject a (useless) meta l4 dependency as ip6 nexthdr is no
longer flagged as EXPR_F_PROTOCOL, to avoid this add a small helper
that skips the unneded meta dependency in that case.
Liping Zhang [Sun, 14 May 2017 07:56:12 +0000 (15:56 +0800)]
src: delete the old cache when dumping is interrupted
When the dumping operation is interrupted, we will restart the
cache_init(), but unfortunatly, we forget to delete the old cache.
So in extreme case, we will leak a huge amount of memory.
Running the following commands can simulate the extreme case:
# nft add table t
# nft add set t s {type inet_service \;}
# for i in $(seq 65000); do
nft add element t s {$i}
done &
# while : ; do
time nft list ruleset -nn
done
After a while, oom killer will be triggered:
[ 2808.243537] Out of memory: Kill process 16975 (nft) score 649 or
sacrifice child
[ 2808.255372] Killed process 16975 (nft) total-vm:1955348kB,
anon-rss:1952120kB, file-rss:0kB, shmem-rss:0kB
[ 2858.353729] nft invoked oom-killer: gfp_mask=0x14201ca(GFP_HIGHUSER_
MOVABLE|__GFP_COLD), nodemask=(null), order=0,
oom_score_adj=0
[ 2858.374521] nft cpuset=/ mems_allowed=0
...
Signed-off-by: Liping Zhang <zlpnobody@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Print elements per line instead of all in a single line.
The elements which can be 'short' are printed 5 per line,
and others, like IPv4 addresses are printed 2 per line.
Example:
% nft list ruleset -nnn
table ip t {
set s {
type inet_service
elements = { 1, 2, 3, 4, 10,
432, 433, 434, 435, 436,
437, 438, 439, 440, 441,
442, 443, 444, 445, 446,
447, 448, 449, 450, 12345 }
}
netlink_delink_delinearize: don't store dependency unless relop checks is eq check
'ip protocol ne 6' is not a dependency for nexthdr protocol, and must
not be stored as such.
Fixes: 0b858391781ba308 ("src: annotate follow up dependency just after killing another") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
nft currently translates
ip protocol tcp meta mark set 1 tcp dport 22
to
mark set 0x00000001 tcp dport 22
This is wrong, the latter form is same as
mark set 0x00000001 ip protocol tcp tcp dport 22
and thats not correct (original rule sets mark for tcp packets only).
We need to clear the dependency stack whenever we see a statement other
than stmt_expr, as these will have side effects (counter, payload
mangling, logging and the like).
Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 2 May 2017 17:51:27 +0000 (19:51 +0200)]
nft.8: Enhance NAT documentation
This adds documentation about masquerade and redirect statements, points
out that for any NAT statement both prerouting and postrouting chains
are required and adds a bunch of examples to the section's end.
Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Arturo Borrero Gonzalez <arturo@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
projects / thirdparty / nftables.git / log
