We don't need to check asciidoc output with xmllint because the generated XML
is generated by a tool, not by a human. Moreover, xmllint can cause
problems because it will try to download the DTD and that is problematic in
build systems with no network access.
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Wed, 14 Aug 2019 11:45:19 +0000 (13:45 +0200)]
src: json: fix constant parsing on bigendian
json restore is broken on big-endian because we errounously
passed uint8_t with 64 bit size indicator.
On bigendian, this causes all values to get shifted by 56 bit,
this will then cause the eval step to bail because all values
are outside of the 8bit 0-255 protocol range.
Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Tue, 13 Aug 2019 20:12:46 +0000 (22:12 +0200)]
src: mnl: retry when we hit -ENOBUFS
tests/shell/testcases/transactions/0049huge_0
still fails with ENOBUFS error after endian fix done in
previous patch. Its enough to increase the scale factor (4)
on s390x, but rather than continue with these "guess the proper
size" game, just increase the buffer size and retry up to 3 times.
This makes above test work on s390x.
So, implement what Pablo suggested in the earlier commit:
We could also explore increasing the buffer and retry if
mnl_nft_socket_sendmsg() hits ENOBUFS if we ever hit this problem again.
v2: call setsockopt unconditionally, then increase on error.
Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Tue, 13 Aug 2019 20:12:45 +0000 (22:12 +0200)]
src: parser: fix parsing of chain priority and policy on bigendian
tests/shell/testcases/flowtable/0001flowtable_0
tests/shell/testcases/nft-f/0008split_tables_0
fail the 'dump compare' on s390x.
The priority (10) turns to 0, and accept turned to drop.
Problem is that '$1' is a 64bit value -- then we pass the address
and import 'int' -- we then get the upper all zero bits.
Add a 32bit interger type and use that.
v2: add uint32_t type to union, v1 used temporary value instead.
Fixes: 627c451b2351 ("src: allow variables in the chain priority specification") Fixes: dba4a9b4b5fe ("src: allow variable in chain policy") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Tue, 13 Aug 2019 18:44:08 +0000 (20:44 +0200)]
src: mnl: fix setting rcvbuffer size
Kernel expects socklen_t (int).
Using size_t causes kernel to read upper 0-bits.
This caused tests/shell/testcases/transactions/0049huge_0
to fail on s390x -- it uses 'echo' mode and will quickly
overrun the tiny buffer size set due to this bug.
M. Braun [Sun, 11 Aug 2019 10:16:03 +0000 (12:16 +0200)]
tests: add json test for vlan rule fix
This fixes
ERROR: did not find JSON equivalent for rule 'ether type vlan ip
protocol 1 accept'
when running
./nft-test.py -j bridge/vlan.t
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Michael Braun <michael-dev@fami-braun.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
add table ip foo
add chain ip foo bar { type filter hook input priority $prio; }
add chain ip foo ber { type filter hook input priority $prionum; }
add chain ip foo bor { type filter hook input priority $prioffset; }
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Store symbol tables in context object instead. Use the nft_ctx object to
store the dynamic symbol table. Pass it on to the parse_ctx object so
this can be accessed from the parse routines. This dynamic symbol table
is also accesible from the output_ctx object for print routines.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This object stores the dynamic symbol tables that are loaded from files.
Pass this object to datatype parse functions, although this new
parameter is not used yet, this is just a preparation patch.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
After the new cache system, nft raises a table error flushing a chain in
a transaction.
# nft "flush chain ip nftlb filter-newfarm ; \
add rule ip nftlb filter-newfarm update \
@persist-newfarm { ip saddr : ct mark } ; \
flush chain ip nftlb nat-newfarm"
Error: No such file or directory
flush chain ip nftlb filter-newfarm ; add rule ip nftlb (...)
^^^^^
This patch sets the cache flag properly to save this case.
Fixes: 01e5c6f0ed031 ("src: add cache level flags") Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 23 Jul 2019 12:30:39 +0000 (14:30 +0200)]
src: Call bison with -Wno-yacc to silence warnings
Bison-3.3 significantly increased warnings for POSIX incompatibilities,
it now complains about missing support for %name-prefix, %define,
%destructor and string literals. The latter applies to parameter of
%name-prefix and all relevant %token statements.
Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Replace the last two as suggested but leave the first one in place as
that causes compilation errors in scanner.l - flex seems not to pick up
the changed internal symbol names.
Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
cache: add NFT_CACHE_UPDATE and NFT_CACHE_FLUSHED flags
NFT_CACHE_FLUSHED tells cache_update() to skip the netlink dump to
populate the cache, since the existing ruleset is going to flushed by
this batch.
NFT_CACHE_UPDATE tells rule_evaluate() to perform incremental updates to
the cache based on the existing batch, this is required by the rule
commands that use the index and the position selectors.
This patch removes cache_flush() which is not required anymore. This
cache removal is coming too late, in the evaluation phase, after the
initial cache_update() invocation.
Be careful with NFT_CACHE_UPDATE, this flag needs to be left in place if
NFT_CACHE_FLUSHED is set on.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Fedora 30 uses very recent gcc (version 9.1.1 20190503 (Red Hat 9.1.1-1)),
osf produces following warnings:
-Wformat-truncation warning have been introduced in the version 7.1 of gcc.
Also, remove a unneeded address check of "tmp + 1" in nf_osf_strchr().
nfnl_osf.c: In function ‘nfnl_osf_load_fingerprints’:
nfnl_osf.c:292:39: warning: ‘%s’ directive output may be truncated writing
up to 1023 bytes into a region of size 128 [-Wformat-truncation=]
292 | cnt = snprintf(obuf, sizeof(obuf), "%s,", pbeg);
| ^~
nfnl_osf.c:292:9: note: ‘snprintf’ output between 2 and 1025 bytes into a
destination of size 128
292 | cnt = snprintf(obuf, sizeof(obuf), "%s,", pbeg);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
nfnl_osf.c:302:46: warning: ‘%s’ directive output may be truncated writing
up to 1023 bytes into a region of size 32 [-Wformat-truncation=]
302 | cnt = snprintf(f.genre, sizeof(f.genre), "%s", pbeg);
| ^~
nfnl_osf.c:302:10: note: ‘snprintf’ output between 1 and 1024 bytes into a
destination of size 32
302 | cnt = snprintf(f.genre, sizeof(f.genre), "%s", pbeg);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
nfnl_osf.c:309:49: warning: ‘%s’ directive output may be truncated writing
up to 1023 bytes into a region of size 32 [-Wformat-truncation=]
309 | cnt = snprintf(f.version, sizeof(f.version), "%s", pbeg);
| ^~
nfnl_osf.c:309:9: note: ‘snprintf’ output between 1 and 1024 bytes into a
destination of size 32
309 | cnt = snprintf(f.version, sizeof(f.version), "%s", pbeg);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
nfnl_osf.c:317:47: warning: ‘%s’ directive output may be truncated writing
up to 1023 bytes into a region of size 32 [-Wformat-truncation=]
317 | snprintf(f.subtype, sizeof(f.subtype), "%s", pbeg);
| ^~
nfnl_osf.c:317:7: note: ‘snprintf’ output between 1 and 1024 bytes into a
destination of size 32
317 | snprintf(f.subtype, sizeof(f.subtype), "%s", pbeg);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This assertion is correct -- we can't linearize a prefix because
kernel doesn't know what that is.
For LHS prefixes, they get converted to a binary 'and' such as
'10.0.0.0 & 255.255.255.240'. For RHS, we can do something similar
and convert them into a range.
snat to 10.0.0.0/28 will be converted into:
iifname "ens3" snat to 10.0.0.0-10.0.0.15
statement.c:930:11: error: ‘synproxy_stmt_json’ undeclared here (not in a function); did you mean ‘tproxy_stmt_json’?
.json = synproxy_stmt_json,
^~~~~~~~~~~~~~~~~~
tproxy_stmt_json
Fixes: 1188a69604c3 ("src: introduce SYNPROXY matching") Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Forgot to add a json test case for the recently added ct ip addr in map case.
Fix up rawpayload.t for json, it needs to expect new "th dport" when
listing.
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
evaluate: missing basic evaluation of expectations
Basic ct expectation object evaluation. This fixes tests/py errors.
Error reporting is very sparse at this stage. I'm intentionally leaving
this as future work to store location objects for each field, so user
gets better indication on what is missing when configuring expectations.
# nft create table testD
# nft create chain testD test6
Error: No such file or directory
create chain testD test6
^^^^^
Handle 'create' command just like 'add' and 'insert'. Check for object
types to dump the tables for more fine grain listing, instead of dumping
the whole ruleset.
Fixes: 7df42800cf89 ("src: single cache_update() call to build cache before evaluation") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This is noticeable when displaying mispelling errors, however, there are
also few spots not checking for the object map flag.
Before:
# nft flush set inet filter countermxx
Error: No such file or directory; did you mean set ‘countermap’ in table inet ‘filter’?
flush set inet filter countermxx
^^^^^^^^^^
After:
# nft flush set inet filter countermxx
Error: No such file or directory; did you mean map ‘countermap’ in table inet ‘filter’?
flush set inet filter countermxx
^^^^^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
proto: add pseudo th protocol to match d/sport in generic way
Problem: Its not possible to easily match both udp and tcp in a single
rule.
... input ip protocol { tcp,udp } dport 53
will not work, as bison expects "tcp dport" or "sctp dport", or any
other transport protocol name.
Its possible to match the sport and dport via raw payload expressions,
e.g.:
... input ip protocol { tcp,udp } @th,16,16 53
but its not very readable.
Furthermore, its not possible to use this for set definitions:
table inet filter {
set myset {
type ipv4_addr . inet_proto . inet_service
}
chain forward {
type filter hook forward priority filter; policy accept;
ip daddr . ip protocol . @th,0,16 @myset
}
}
# nft -f test
test:7:26-35: Error: can not use variable sized data types (integer) in concat expressions
During the netfilter workshop Pablo suggested to add an alias to do raw
sport/dport matching more readable, and make it use the inet_service
type automatically.
So, this change makes @th,0,16 work for the set definition case by
setting the data type to inet_service.
A new "th s|dport" syntax is provided as readable alternative:
ip protocol { tcp, udp } th dport 53
As "th" is an alias for the raw expression, no dependency is
generated -- its the users responsibility to add a suitable test to
select the l4 header types that should be matched.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/ct: provide fixed data lengh sizes for ip/ip6 keys
nft can load but not list this:
table inet filter {
chain input {
ct original ip daddr {1.2.3.4} accept
}
}
Problem is that the ct template length is 0, so we believe the right hand
side is a concatenation because left->len < set->key->len is true.
nft then calls abort() during concatenation parsing.
Fixes: 226a0e072d5c ("exthdr: add support for matching IPv4 options") Reported-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add capability to have rules matching IPv4 options. This is developed
mainly to support dropping of IP packets with loose and/or strict source
route route options.
Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
On error, the kernel already sends to userspace an acknowledgement for
the table and chain deletion case.
In case of NLM_F_DUMP, the NLM_F_ACK is not required as the kernel
always sends a NLMSG_DONE at the end of the dumping, even if the list of
objects is empty.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Mon, 24 Jun 2019 15:12:38 +0000 (17:12 +0200)]
files: Move netdev-ingress.nft to /etc/nftables as well
Commit 13535a3b40b62 ("files: restore base table skeletons") moved
config skeletons back from examples/ to /etc/nftables/ directory, but
ignored the fact that commit 6c9230e79339c ("nftables: rearrange files
and examples") added a new file 'netdev-ingress.nft' which is referenced
from 'all-in-one.nft' as well.
Fixes: 13535a3b40b62 ("files: restore base table skeletons") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Export public symbols (the library API functions) instead of all symbols in
the library.
This patch introduces the required macros to manage the visibility attributes
(mostly copied from libnftnl.git) and also marks each symbol as exported when
they need to be public. Also, introduce a .map file for proper symbol
versioning.
Previous to this patch, libnftables public symbols were:
libnftables: reallocate definition of nft_print() and nft_gmp_print()
They are not part of the libnftables library API, they are not public symbols,
so it doesn't not make sense to have them there. Move the two functions to a
different source file so libnftables.c only has the API functions.
In the current setup, nft (the frontend object) is using the xzalloc() function
from libnftables, which does not makes sense, as this is typically an internal
helper function.
In order to don't use this public libnftables symbol (a later patch just
removes it), let's use calloc() directly in the nft frontend.
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The evaluation step already updates the cache for each command in this
batch. There is no need to update the cache again from the echo path,
otherwise the cache is populated twice with the same object.
Fixes: b99c4d072d99 ("Implement --echo option") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Currently, the expiration of every element in a set or map
is a read-only parameter generated at kernel side.
This change will permit to set a certain expiration date
per element that will be required, for example, during
stateful replication among several nodes.
This patch will enable the _expires_ input parameter in
the parser and propagate NFTNL_SET_ELEM_EXPIRATION in
order to send the configured value.
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Tue, 18 Jun 2019 18:43:59 +0000 (20:43 +0200)]
src: prefer meta protocol as bridge l3 dependency
On families other than 'ip', the rule
ip protocol icmp
needs a dependency on the ip protocol so we do not treat e.g. an ipv6
header as ip.
Bridge currently uses eth_hdr.type for this, but that will cause the
rule above to not match in case the ip packet is within a VLAN tagged
frame -- ether.type will appear as ETH_P_8021Q.
Due to vlan tag stripping, skb->protocol will be ETH_P_IP -- so prefer
to use this instead.
Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Tue, 18 Jun 2019 18:43:58 +0000 (20:43 +0200)]
src: statement: disable reject statement type omission for bridge
add rule bridge test-bridge input reject with icmp type port-unreachable
... will be printed as 'reject', which is fine on ip family, but not on
bridge -- 'with icmp type' adds an ipv4 dependency, but simple reject
does not (it will use icmpx to also reject ipv6 packets with an icmpv6 error).
Add a toggle to supress short-hand versions in this case.
Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
evaluate: do not allow to list/flush anonymous sets via list command
Don't allow this:
# nft list set x __set0
table ip x {
set __set0 {
type ipv4_addr
flags constant
elements = { 1.1.1.1 }
}
}
Constant sets never change and they are attached to a rule (anonymous
flag is set on), do not list their content through this command. Do not
allow flush operation either.
After this patch:
# nft list set x __set0
Error: No such file or directory
list set x __set0
^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
evaluate: allow get/list/flush dynamic sets and maps via list command
Before:
# nft list set ip filter untracked_unknown
Error: No such file or directory; did you mean set ‘untracked_unknown’ in table ip ‘filter’?
list set ip filter untracked_unknown
^^^^^^^^^^^^^^^^^
After:
# nft list set ip filter untracked_unknown
table ip filter {
set untracked_unknown {
type ipv4_addr . inet_service . ipv4_addr . inet_service . inet_proto
size 100000
flags dynamic,timeout
}
}
Add a testcase for this too.
Reported-by: Václav Zindulka <vaclav.zindulka@tlapnet.cz> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The score approach based on command type is confusing.
This patch introduces cache level flags, each flag specifies what kind
of object type is needed. These flags are set on/off depending on the
list of commands coming in this batch.
cache_is_complete() now checks if the cache contains the objects that
are needed through these new flags.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Mon, 17 Jun 2019 09:55:42 +0000 (11:55 +0200)]
datatype: fix print of raw numerical symbol values
The two rules:
arp operation 1-2 accept
arp operation 256-512 accept
are both shown as 256-512:
chain in_public {
arp operation 256-512 accept
arp operation 256-512 accept
meta mark "1"
tcp flags 2,4
}
This is because range expression enforces numeric output,
yet nft_print doesn't respect byte order.
Behave as if we had no symbol in the first place and call
the base type print function instead.
This means we now respect format specifier as well:
chain in_public {
arp operation 1-2 accept
arp operation 256-512 accept
meta mark 0x00000001
tcp flags 0x2,0x4
}
Without fix, added test case will fail:
'add rule arp test-arp input arp operation 1-2': 'arp operation 1-2' mismatches 'arp operation 256-512'
v2: in case of -n, also elide quotation marks, just as if we would not
have found a symbolic name.
Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
cache: do not populate the cache in case of flush ruleset command
__CMD_FLUSH_RULESET is a dummy definition that used to skip the netlink
dump to populate the cache. This patch is a workaround until we have a
better infrastructure to track the state of the cache objects.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Similar to bbe139fdf5a5 ("evaluate: use-after-free in implicit set").
==12727== Invalid read of size 4
==12727== at 0x72DB515: expr_free (expression.c:86)
==12727== by 0x72D3092: set_free (rule.c:367)
==12727== by 0x72DB555: expr_destroy (expression.c:79)
==12727== by 0x72DB555: expr_free (expression.c:95)
==12727== by 0x72D7A35: meter_stmt_destroy (statement.c:137)
==12727== by 0x72D7A07: stmt_free (statement.c:50)
==12727== by 0x72D7AD7: stmt_list_free (statement.c:60)
==12727== by 0x72D32EF: rule_free (rule.c:610)
==12727== by 0x72D3834: chain_free (rule.c:827)
==12727== by 0x72D45D4: table_free (rule.c:1184)
==12727== by 0x72D46A7: __cache_flush (rule.c:293)
==12727== by 0x72D472C: cache_release (rule.c:313)
==12727== by 0x72D4A79: cache_update (rule.c:264)
==12727== Address 0x64f14c8 is 56 bytes inside a block of size 128 free'd
==12727== at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==12727== by 0x72D7A2C: meter_stmt_destroy (statement.c:136)
==12727== by 0x72D7A07: stmt_free (statement.c:50)
==12727== by 0x72D7AD7: stmt_list_free (statement.c:60)
==12727== by 0x72D32EF: rule_free (rule.c:610)
==12727== by 0x72D3834: chain_free (rule.c:827)
==12727== by 0x72D45D4: table_free (rule.c:1184)
==12727== by 0x72D46A7: __cache_flush (rule.c:293)
==12727== by 0x72D472C: cache_release (rule.c:313)
==12727== by 0x72D4A79: cache_update (rule.c:264)
==12727== by 0x72F82CE: nft_evaluate (libnftables.c:388)
==12727== by 0x72F8A8B: nft_run_cmd_from_buffer (libnftables.c:428)
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 12 Jun 2019 17:27:37 +0000 (19:27 +0200)]
monitor: Accept -j flag
Make 'nft -j monitor' equal to 'nft monitor json' and change
documentation to use only the first variant since that is more intuitive
and also consistent with other commands.
While being at it, drop references to XML from monitor section - it was
never supported.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
projects / thirdparty / nftables.git / log
