Patrick McHardy [Thu, 16 Jan 2014 16:54:18 +0000 (16:54 +0000)]
parser: use symbolic expressions for parsing keywords as protocol values
For "meta protocol" and the "meta nfproto" expressions, we need to be
able to parse "ip", "ip6", "vlan" and "arp" as protocol values.
Since the interpretation depends on the LHS of the relaltional expression,
we need to use symbolic expressions instead of constants to defer parsing
to the evaluation phase.
Patrick McHardy [Thu, 16 Jan 2014 17:11:12 +0000 (17:11 +0000)]
segtree: fix decomposition of unclosed intervals
If intervals are directly adjacent or extend to the right end of the dimension,
they are not closed by a EXPR_F_INTERVAL_END entry. This leads to multiple
errors when decomposing the intervals:
- the last unclosed interval is not shown at all.
- if a range is unclosed and the set is a map, the starting point of the
next interval is set to the data, not the key, leading to nonsensical
output.
- if a prefix is unclosed, the interval is assumed to be a prefix as well
and the same starting point is kept. This makes sense for cases like
192.168.0.0/24, 192.168.0.0/16, but leads to hard to understand
results if the next interval is not representable as a prefix.
Fix this by doing two things:
- add an EXPR_F_INTERVAL_END element for each unclosed interval during
preprocessing.
- process the final unclosed interval extending to the right end of the
dimension, if present.
Patrick McHardy [Thu, 16 Jan 2014 17:11:12 +0000 (17:11 +0000)]
segtree: only use prefix expressions for ranges for selected datatypes
It is uncommon to represent f.i. port number ranges as prefix expressions.
Introduce a datatype DTYPE_F_PREFIX flag to indicate that the preferred
representation of a range is a prefix and use it for segtree decomposition
to decide whether to use a range or prefix expression.
The ipaddr, ip6addr, mark and realm datatypes are changed to include the
DTYPE_F_PREFIX flag.
This fixes completely unreadable output in cases where the ranges are
representable as prefixes, f.i. in case of port number:
Currently, nft displays the debugging information if it's compiled with
--enable-debug (which seems a good idea) and when intervals are used
in maps. Add a new option to enable debugging to segtree, so we only
get this information when explicitly requested.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
scanner: rename address selector from 'eth' to 'ether'
eth may easily occur when using ifname masks. This could be also
fixed by interpreting 'eth' as a simple string in the parser but
I think this selector also looks more similar to what we use in
tcpdump.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Many systems (for example Debian) don't recognice `#!nft -f' as a
valid interpreter.
A short way to handle this is to provide the full path to the interpreter
in the shebang.
That is what this patch does: update the shebang's path during installation.
For example, if you are installing under /usr/local, the shebang becomes:
#!/usr/local/sbin/nft -f
If using --prefix=/, then:
#!/sbin/nft -f
NOTE: If the shebang in source files are changed in a future, this sed script
should be updated as well.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
Kevin Fenzi [Mon, 13 Jan 2014 06:36:45 +0000 (06:36 +0000)]
nftables: drop hard coded install using root user owner and group
Packaging systems build as a non priv user, so can't install as root. Users
installing from source can 'sudo make install' or run 'make install' as root
Signed-off-by: Kevin Fenzi <kevin@scrye.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
So the problem is not related to datatypes at all and generic type
checking works perfectly fine:
<cmdline>:1:52-57: Error: datatype mismatch, expected Ethernet protocol, expression has type Internet protocol
add rule ip6 filter input position 4 meta protocol icmpv6 accept
~~~~~~~~~~~~~ ^^^^^^
Patrick McHardy [Fri, 10 Jan 2014 09:28:37 +0000 (09:28 +0000)]
nftables: shorten "could not process rule in batch" message
Remove the "in batch" part, it makes most messages exceed a single line, the
user doesn't care about this and we process even single rules in "batches".
Patrick McHardy [Thu, 9 Jan 2014 21:59:29 +0000 (21:59 +0000)]
netlink_delinearize: fix compiler warning
src/netlink_delinearize.c: In function ‘meta_match_postprocess’:
src/netlink_delinearize.c:660:3: warning: passing argument 1 of ‘expr->left->ops->pctx_update’ from incompatible pointer type [enabled by default]
src/netlink_delinearize.c:660:3: note: expected ‘struct proto_ctx *’ but argument is of type ‘struct rule_pp_ctx *’
Patrick McHardy [Thu, 9 Jan 2014 18:54:02 +0000 (18:54 +0000)]
nftables: fix supression of "permission denied" errors
Introduction of batch support broke displaying of EPERM since those are
generated by the kernel before batch processing starts and thus have the
sequence number of the NFNL_MSG_BATCH_BEGIN message instead of the
command messages. Also only a single error message is generated for the
entire batch.
This patch fixes this by noting the batch sequence number and displaying
the error for all commands since this is what would happen if the
permission check was inside batch processing as every other check.
Patrick McHardy [Wed, 8 Jan 2014 13:02:16 +0000 (13:02 +0000)]
meta: add l4proto support
Add support for the meta l4proto type. This is used in the inet table to
match on the transport layer protocol without requiring the network layer
protocol to be known, allowing to use transport header matches that apply
to both IPv4 and IPv6.
Patrick McHardy [Wed, 8 Jan 2014 13:02:16 +0000 (13:02 +0000)]
meta: add nfproto support
Add support for the meta nfproto type, which refers to the AF from the
netfilter hook ops. This is needed to get the actual family of a packet
in the dummy NFPROTO_INET family.
Patrick McHardy [Wed, 8 Jan 2014 13:02:16 +0000 (13:02 +0000)]
proto: add support for meta templates
The following two patches will add two new meta expression types that are
used as dependencies in the inet table. To reuse the existing dependency
generation code, add a slightly hackish way to specify meta expressions
as payload dependencies.
Patrick McHardy [Wed, 8 Jan 2014 13:02:16 +0000 (13:02 +0000)]
nftables: add support for the "inet" family
Add support for the mixed IPv4/IPv6 "inet" family. This mainly consist
of adding the "inet" <-> NFPROTO_INET mapping in the parser and netlink
support functions.
Additionally add the definitions for the inet filter table.
Patrick McHardy [Wed, 8 Jan 2014 13:02:16 +0000 (13:02 +0000)]
ct expr: protocol context updates and dynamic typing
Include the protocols defined through relational ct expressions in the
protocol context and use the protocol context to dynamically determine
the types of network and transport layer ct expression types.
Patrick McHardy [Wed, 8 Jan 2014 13:02:15 +0000 (13:02 +0000)]
nftables: generic procotol contexts
Currently the context of higher layer protocols is specific to payload
expressions with some special cases for meta IIFTYPE expressions. This
approach has a few shortcomings, concretely there are more expression
types which define upper layer protocols like the ct expression and two
upcoming new types for the meta expression.
Replace the payload context by a generic protocol context to deal with
this. This patch just splits off the requires parts from the payload
expression without any functional changes, the following patches will
add further functionality for other expressions.
Arturo Borrero added kernel support to set meta keys in
http://patchwork.ozlabs.org/patch/305281/ and the corresponding
library support in http://patchwork.ozlabs.org/patch/305283/.
This patch enhances nft to use this new kernel feature. The
following example shows how to set the packet mark.
% nft add rule ip filter input meta mark set 22
% nft list table filter
table ip filter {
chain input {
type filter hook input priority 0;
meta mark set 0x00000016
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netlink: fix dictionary feature with data mappings
This patch fixes dictionary feature, that allows you to conditionally
set packet fields based on a given selector, eg.
add rule ip filter input meta dnat set tcp dport map { 22 => 1.1.1.1, 23 => 2.2.2.2 }
This means that traffic flowing to tcp port 22 is dnatted to address
1.1.1.1 and tcp port 23 is dnatted to address 2.2.2.2.
This feature was partially broken by aae836a ("src: use libnftables")
although it also needs the kernel fix ("netfilter: nf_tables: fix wrong
datatype in nft_validate_data_load()").
This patch also fixes endianness issues when displaying the mark
via `list table' related to list_setelem_cb() since the byteorder
was left unset for the data part of a set element.
meta mark set tcp dport map { telnet => 0x02000000, ssh => 0x01000000}
^ ^
Note the wrong endianness in the example above.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
mnl: don't set NLM_F_ACK flag in mnl_nft_rule_batch_[add|del]
If the NLM_F_ACK flag is unset, the kernel still explicitly reports
errors. Thus, we can save the handling of many explicit (useless) ack
messages that indicate success.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
nft is currently retrieving the list of rule from the kernel, then
deleting each rule one by one. This is slow and not safe. Fix it
by sending a deletion command in a batch without specifying the
chain.
This change requires the kernel fix entitled:
netfilter: nf_tables: fix missing rules flushing per table
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Oester [Sat, 30 Nov 2013 20:41:21 +0000 (12:41 -0800)]
parser: add 'delete map' syntax
Creating a map is done via "add map". However, to delete a map requires using
"delete set", which is confusing. Add the appropriate synonym to parser.
The downside to this is that one can now delete a set with "delete map", but
this seems a minor issue. It could of course be fixed by adding a new
CMD_OBJ_MAP.
This closes netfilter bugzilla #879.
Reported-by: Bjørnar Ness <bjornar.ness@gmail.com> Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Oester [Sat, 30 Nov 2013 20:15:52 +0000 (12:15 -0800)]
rule: missing set cleanup in do_command_list
When listing a table in interactive mode, the set list is not cleaned up. Thus
the number of displayed sets grows with each successive listing. Attached
patch adds the necessary list cleanup to do_command_list.
Reported-by: Bjørnar Ness <bjornar.ness@gmail.com> Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
nft is currently rejecting unknown UID/GID if they don't exist in the
system, relax this as Bjørnar Ness considers this is a valid scenario.
Now this only reports an error if you pass an unknown user (expressed as
string or if the UID/GID goes above 32 bits).
Reported-by: Bjørnar Ness <bjornar.ness@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
add rule filter output meta skuid vmap { 1000 => accept }
list table filter
meta skuid map { 3892510720 => accept}
^--------^
this is 1000 in network byte order
Reported-by: Bjørnar Ness <bjornar.ness@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
With this patch, nft asks the kernel for deleting all rules in a chain.
This replaces the current behaviour that requires to dump all the rules,
then iterate over that list to delete one by one, which is prone to races
and slowier.
After this patch, the following two commands are equivalent:
Eric Leblond [Sun, 17 Nov 2013 23:54:45 +0000 (00:54 +0100)]
verdict: fix delinearize in case of jump
The name of the chain was not handled in case of a jump or a goto.
This patch adds parsing of the chain.
Reported-by: Alex Chapman <ajchapman88@hotmail.co.uk> Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Eric Leblond [Sun, 17 Nov 2013 23:54:44 +0000 (00:54 +0100)]
jump: fix logic in netlink linearize
Logic in the test was inverted. The result was the jump string
not to be set.
Reported-by: Alex Chapman <ajchapman88@hotmail.co.uk> Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Oester [Sat, 5 Oct 2013 16:44:56 +0000 (09:44 -0700)]
src: operational limit match
The nft limit match currently does not work at all. Below patches to nftables,
libnftables, and kernel address the issue. A few notes on the implementation:
- Removed support for nano/micro/milli second limits. These seem pointless,
given we are using jiffies in the limit match, not a hpet. And who really
needs to limit items down to sub-second level??
- 'depth' member is removed as unnecessary. All we need in the kernel is the
rate and the unit.
- 'stamp' member becomes the time we need to next refresh the token bucket,
instead of being updated on every packet which goes through the match.
This closes netfilter bugzilla #827, reported by Eric Leblond.
Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Eric Leblond [Wed, 2 Oct 2013 23:08:08 +0000 (01:08 +0200)]
netlink: fix nft flush operation
nft_netlink function is already calling mnl_batch_end and
mnl_batch_begin so it is not necessary to do it in the
netlink_flush_rules function. Doing this result in a invalid
netlink message which is discarded by the kernel.
Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Eric Leblond [Wed, 2 Oct 2013 23:08:07 +0000 (01:08 +0200)]
netlink: only flush asked table/chain
The flush operation was not limiting the flush to the table or
chain specified on command line. The result was that all the rules
for a given family are flush independantly of the flush command.
Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Tomasz Bursztyka [Mon, 30 Sep 2013 09:22:42 +0000 (12:22 +0300)]
include: cache a copy of nfnetlink.h
If nft is compiled without nftables Linux kernel headers installed, we
hit a compilation error:
src/mnl.c: In function ‘mnl_batch_put’:
src/mnl.c:117:16: error: ‘NFNL_SUBSYS_NFTABLES’ undeclared (first use in
this function)
src/mnl.c:117:16: note: each undeclared identifier is reported only once
for each function it appears in
src/mnl.c: In function ‘mnl_batch_begin’:
src/mnl.c:125:16: error: ‘NFNL_MSG_BATCH_BEGIN’ undeclared (first use in
this function)
src/mnl.c: In function ‘mnl_batch_end’:
src/mnl.c:130:16: error: ‘NFNL_MSG_BATCH_END’ undeclared (first use in
this function)
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch allows nft to put all rule update messages into one
single batch that is sent to the kernel if `-f' option is used.
In order to provide fine grain error reporting, I decided to
to correlate the netlink message sequence number with the
correspoding command sequence number, which is the same. Thus,
nft can identify what rules trigger problems inside a batch
and report them accordingly.
Moreover, to avoid playing buffer size games at batch building
stage, ie. guess what is the final size of the batch for this
ruleset update will be, this patch collects batch pages that
are converted to iovec to ensure linearization when the batch
is sent to the kernel. This reduces the amount of unnecessary
memory usage that is allocated for the batch.
This patch uses the libmnl nlmsg batching infrastructure and it
requires the kernel patch entitled (netfilter: nfnetlink: add batch
support and use it from nf_tables).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
doesn't work on x86. Problem is that nft declares these as
BYTEORDER_INVALID, but when converting the string mpz_import_data
treats INVALID like BIG_ENDIAN.
src: Better error reporting if chain type is invalid
This patch verifies at command line parsing that given chain type
is valid. Possibilities are: filter, nat, and route.
nft add chain test test { type cheese hook input priority 0 };
<cmdline>:1:28-33: Error: unknown chain type cheese
add chain test test { type cheese hook input priority 0 };
^^^^^^
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: Wrap netfilter hooks around human readable strings
This allows to use unique, human readable, hook names for the command
line and let the user being unaware of the complex netfilter's hook
names and there difference depending on the netfilter family.
So:
add chain foo bar { type route hook NF_INET_LOCAL_IN 0; }
becomes:
add chain foo bar { type route hook input 0; }
It also fixes then the difference in hook values between families.
I.e. ARP family has different values for input, forward and output
compared to IPv4, IPv6 or bridge.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
projects / thirdparty / nftables.git / log
