The evaluation step already updates the cache for each command in this
batch. There is no need to update the cache again from the echo path,
otherwise the cache is populated twice with the same object.
Fixes: b99c4d072d99 ("Implement --echo option") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Currently, the expiration of every element in a set or map
is a read-only parameter generated at kernel side.
This change will permit to set a certain expiration date
per element that will be required, for example, during
stateful replication among several nodes.
This patch will enable the _expires_ input parameter in
the parser and propagate NFTNL_SET_ELEM_EXPIRATION in
order to send the configured value.
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Tue, 18 Jun 2019 18:43:59 +0000 (20:43 +0200)]
src: prefer meta protocol as bridge l3 dependency
On families other than 'ip', the rule
ip protocol icmp
needs a dependency on the ip protocol so we do not treat e.g. an ipv6
header as ip.
Bridge currently uses eth_hdr.type for this, but that will cause the
rule above to not match in case the ip packet is within a VLAN tagged
frame -- ether.type will appear as ETH_P_8021Q.
Due to vlan tag stripping, skb->protocol will be ETH_P_IP -- so prefer
to use this instead.
Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Tue, 18 Jun 2019 18:43:58 +0000 (20:43 +0200)]
src: statement: disable reject statement type omission for bridge
add rule bridge test-bridge input reject with icmp type port-unreachable
... will be printed as 'reject', which is fine on ip family, but not on
bridge -- 'with icmp type' adds an ipv4 dependency, but simple reject
does not (it will use icmpx to also reject ipv6 packets with an icmpv6 error).
Add a toggle to supress short-hand versions in this case.
Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
evaluate: do not allow to list/flush anonymous sets via list command
Don't allow this:
# nft list set x __set0
table ip x {
set __set0 {
type ipv4_addr
flags constant
elements = { 1.1.1.1 }
}
}
Constant sets never change and they are attached to a rule (anonymous
flag is set on), do not list their content through this command. Do not
allow flush operation either.
After this patch:
# nft list set x __set0
Error: No such file or directory
list set x __set0
^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
evaluate: allow get/list/flush dynamic sets and maps via list command
Before:
# nft list set ip filter untracked_unknown
Error: No such file or directory; did you mean set ‘untracked_unknown’ in table ip ‘filter’?
list set ip filter untracked_unknown
^^^^^^^^^^^^^^^^^
After:
# nft list set ip filter untracked_unknown
table ip filter {
set untracked_unknown {
type ipv4_addr . inet_service . ipv4_addr . inet_service . inet_proto
size 100000
flags dynamic,timeout
}
}
Add a testcase for this too.
Reported-by: Václav Zindulka <vaclav.zindulka@tlapnet.cz> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The score approach based on command type is confusing.
This patch introduces cache level flags, each flag specifies what kind
of object type is needed. These flags are set on/off depending on the
list of commands coming in this batch.
cache_is_complete() now checks if the cache contains the objects that
are needed through these new flags.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Mon, 17 Jun 2019 09:55:42 +0000 (11:55 +0200)]
datatype: fix print of raw numerical symbol values
The two rules:
arp operation 1-2 accept
arp operation 256-512 accept
are both shown as 256-512:
chain in_public {
arp operation 256-512 accept
arp operation 256-512 accept
meta mark "1"
tcp flags 2,4
}
This is because range expression enforces numeric output,
yet nft_print doesn't respect byte order.
Behave as if we had no symbol in the first place and call
the base type print function instead.
This means we now respect format specifier as well:
chain in_public {
arp operation 1-2 accept
arp operation 256-512 accept
meta mark 0x00000001
tcp flags 0x2,0x4
}
Without fix, added test case will fail:
'add rule arp test-arp input arp operation 1-2': 'arp operation 1-2' mismatches 'arp operation 256-512'
v2: in case of -n, also elide quotation marks, just as if we would not
have found a symbolic name.
Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
cache: do not populate the cache in case of flush ruleset command
__CMD_FLUSH_RULESET is a dummy definition that used to skip the netlink
dump to populate the cache. This patch is a workaround until we have a
better infrastructure to track the state of the cache objects.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Similar to bbe139fdf5a5 ("evaluate: use-after-free in implicit set").
==12727== Invalid read of size 4
==12727== at 0x72DB515: expr_free (expression.c:86)
==12727== by 0x72D3092: set_free (rule.c:367)
==12727== by 0x72DB555: expr_destroy (expression.c:79)
==12727== by 0x72DB555: expr_free (expression.c:95)
==12727== by 0x72D7A35: meter_stmt_destroy (statement.c:137)
==12727== by 0x72D7A07: stmt_free (statement.c:50)
==12727== by 0x72D7AD7: stmt_list_free (statement.c:60)
==12727== by 0x72D32EF: rule_free (rule.c:610)
==12727== by 0x72D3834: chain_free (rule.c:827)
==12727== by 0x72D45D4: table_free (rule.c:1184)
==12727== by 0x72D46A7: __cache_flush (rule.c:293)
==12727== by 0x72D472C: cache_release (rule.c:313)
==12727== by 0x72D4A79: cache_update (rule.c:264)
==12727== Address 0x64f14c8 is 56 bytes inside a block of size 128 free'd
==12727== at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==12727== by 0x72D7A2C: meter_stmt_destroy (statement.c:136)
==12727== by 0x72D7A07: stmt_free (statement.c:50)
==12727== by 0x72D7AD7: stmt_list_free (statement.c:60)
==12727== by 0x72D32EF: rule_free (rule.c:610)
==12727== by 0x72D3834: chain_free (rule.c:827)
==12727== by 0x72D45D4: table_free (rule.c:1184)
==12727== by 0x72D46A7: __cache_flush (rule.c:293)
==12727== by 0x72D472C: cache_release (rule.c:313)
==12727== by 0x72D4A79: cache_update (rule.c:264)
==12727== by 0x72F82CE: nft_evaluate (libnftables.c:388)
==12727== by 0x72F8A8B: nft_run_cmd_from_buffer (libnftables.c:428)
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 12 Jun 2019 17:27:37 +0000 (19:27 +0200)]
monitor: Accept -j flag
Make 'nft -j monitor' equal to 'nft monitor json' and change
documentation to use only the first variant since that is more intuitive
and also consistent with other commands.
While being at it, drop references to XML from monitor section - it was
never supported.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
There are two datatypes are using runtime datatype allocation:
* Concatenations.
* Integer, that require byteorder adjustment.
From the evaluation / postprocess step, transformations are common,
hence expressions may end up fetching (infering) datatypes from an
existing one.
This patch adds a reference counter to release the dynamic datatype
object when it is shared.
The API includes the following helper functions:
* datatype_set(expr, datatype), to assign a datatype to an expression.
This helper already deals with reference counting for dynamic
datatypes. This also drops the reference counter of any previous
datatype (to deal with the datatype replacement case).
* datatype_get(datatype) bumps the reference counter. This function also
deals with nul-pointers, that occurs when the datatype is unset.
* datatype_free() drops the reference counter, and it also releases the
datatype if there are not more clients of it.
Rule of thumb is: The reference counter of any newly allocated datatype
is set to zero.
This patch also updates every spot to use datatype_set() for non-dynamic
datatypes, for consistency. In this case, the helper just makes an
simple assignment.
Note that expr_alloc() has been updated to call datatype_get() on the
datatype that is assigned to this new expression. Moreover, expr_free()
calls datatype_free().
This fixes valgrind reports like this one:
==28352== 1,350 (440 direct, 910 indirect) bytes in 5 blocks are definitely lost in loss recor 3 of 3
==28352== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==28352== by 0x4E79558: xmalloc (utils.c:36)
==28352== by 0x4E7963D: xzalloc (utils.c:65)
==28352== by 0x4E6029B: dtype_alloc (datatype.c:1073)
==28352== by 0x4E6029B: concat_type_alloc (datatype.c:1127)
==28352== by 0x4E6D3B3: netlink_delinearize_set (netlink.c:578)
==28352== by 0x4E6D68E: list_set_cb (netlink.c:648)
==28352== by 0x5D74023: nftnl_set_list_foreach (set.c:780)
==28352== by 0x4E6D6F3: netlink_list_sets (netlink.c:669)
==28352== by 0x4E5A7A3: cache_init_objects (rule.c:159)
==28352== by 0x4E5A7A3: cache_init (rule.c:216)
==28352== by 0x4E5A7A3: cache_update (rule.c:266)
==28352== by 0x4E7E0EE: nft_evaluate (libnftables.c:388)
==28352== by 0x4E7EADD: nft_run_cmd_from_filename (libnftables.c:479)
==28352== by 0x109A53: main (main.c:310)
This patch also removes the DTYPE_F_CLONE flag which is broken and not
needed anymore since proper reference counting is in place.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parser_bison: free chain name after creating constant expression
==2330== 2 bytes in 1 blocks are definitely lost in loss record 1 of 1
==2330== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==2330== by 0x583D3B9: strdup (strdup.c:42)
==2330== by 0x4E7966D: xstrdup (utils.c:75)
==2330== by 0x4E9C283: nft_lex (scanner.l:626)
==2330== by 0x4E8E3C2: nft_parse (parser_bison.c:5297)
==2330== by 0x4E7EAB2: nft_parse_bison_filename (libnftables.c:374)
==2330== by 0x4E7EAB2: nft_run_cmd_from_filename (libnftables.c:475)
==2330== by 0x109A53: main (main.c:310)
Fixes: f1e8a129ee42 ("src: Introduce chain_expr in jump and goto statements") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netlink_delinearize: release expression before calling netlink_parse_concat_expr()
netlink_get_register() clones the expression in the register. Release
this expression before calling netlink_parse_concat_expr() to
deconstruct the concatenation.
==15069== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==15069== by 0x4E79508: xmalloc (utils.c:36)
==15069== by 0x4E795ED: xzalloc (utils.c:65)
==15069== by 0x4E6029B: dtype_alloc (datatype.c:1073)
==15069== by 0x4E6029B: concat_type_alloc (datatype.c:1127)
==15069== by 0x4E6D3B3: netlink_delinearize_set (netlink.c:578)
==15069== by 0x4E6D68E: list_set_cb (netlink.c:648)
==15069== by 0x5F34023: nftnl_set_list_foreach (set.c:780)
==15069== by 0x4E6D6F3: netlink_list_sets (netlink.c:669)
==15069== by 0x4E5A7A3: cache_init_objects (rule.c:159)
==15069== by 0x4E5A7A3: cache_init (rule.c:216)
==15069== by 0x4E5A7A3: cache_update (rule.c:266)
==15069== by 0x4E7E09E: nft_evaluate (libnftables.c:388)
==15069== by 0x4E7E85B: nft_run_cmd_from_buffer (libnftables.c:428)
Reported-by: Václav Zindulka <vaclav.zindulka@tlapnet.cz> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netlink_delinearize: release expressions in context registers
netlink_release_registers() needs to go a bit further to release the
expressions in the register array. This should be safe since
netlink_get_register() clones expressions in the context registers.
Reported-by: Václav Zindulka <vaclav.zindulka@tlapnet.cz> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
expression: use expr_clone() from verdict_expr_clone()
Chains are now expressions, do not assume a constant value is used.
==26302== Process terminating with default action of signal 11 (SIGSEGV)
==26302== Access not within mapped region at address 0x50
==26302== at 0x67D7EE7: __gmpz_init_set (in /usr/lib/x86_64-linux-gnu/libgmp.so.10.3.2)
==26302== by 0x4E61224: expr_clone (expression.c:65)
==26302== by 0x4E7898B: interval_map_decompose (segtree.c:943)
==26302== by 0x4E6DDA0: netlink_list_setelems (netlink.c:882)
==26302== by 0x4E5A806: cache_init_objects (rule.c:166)
==26302== by 0x4E5A806: cache_init (rule.c:216)
==26302== by 0x4E5A806: cache_update (rule.c:266)
==26302== by 0x4E7E0EE: nft_evaluate (libnftables.c:388)
==26302== by 0x4E7E8AB: nft_run_cmd_from_buffer (libnftables.c:428)
Fixes: f1e8a129ee42 ("src: Introduce chain_expr in jump and goto statements") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Use strlen(), otherwise mpz_import_data() reads too much beyond the real
chain string. Valgrind reports the following error:
==2759== Invalid read of size 1
==2759== at 0x67D68D6: __gmpz_import (in /usr/lib/x86_64-linux-gnu/libgmp.so.10.3.2)
==2759== by 0x4E79467: mpz_import_data (gmputil.c:133)
==2759== by 0x4E60A12: constant_expr_alloc (expression.c:375)
==2759== by 0x4E8ED65: nft_parse (parser_bison.y:3825)
==2759== by 0x4E7E850: nft_parse_bison_buffer (libnftables.c:357)
==2759== by 0x4E7E850: nft_run_cmd_from_buffer (libnftables.c:424)
==2759== by 0x1095D4: main (in /tmp/a.out)
==2759== Address 0x6ee1b4a is 0 bytes after a block of size 10 alloc'd
==2759== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==2759== by 0x59FD3B9: strdup (strdup.c:42)
==2759== by 0x4E7963D: xstrdup (utils.c:75)
==2759== by 0x4E9C233: nft_lex (scanner.l:626)
==2759== by 0x4E8E382: nft_parse (parser_bison.c:5297)
==2759== by 0x4E7E850: nft_parse_bison_buffer (libnftables.c:357)
==2759== by 0x4E7E850: nft_run_cmd_from_buffer (libnftables.c:424)
Fixes: f1e8a129ee42 ("src: Introduce chain_expr in jump and goto statements") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Fri, 7 Jun 2019 17:25:26 +0000 (19:25 +0200)]
tests/shell: Fix warning from awk call
Syntax passed to awk in that one testcase caused a warning, fix the
syntax.
Fixes: e0a9aad024809 ("tests: shell: fix tests for deletion via handle attribute") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Fri, 7 Jun 2019 17:25:25 +0000 (19:25 +0200)]
tests/py: Add missing arp.t JSON equivalents
Fixes: 4b0f2a712b579 ("src: support for arp sender and target ethernet and IPv4 addresses") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Fri, 7 Jun 2019 17:25:24 +0000 (19:25 +0200)]
tests/py: Fix JSON equivalents
Recent patch removing single element set use missed to adjust JSON
equivalents accordingly.
Fixes: 27f6a4c68b4fd ("tests: replace single element sets") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Fri, 7 Jun 2019 17:21:21 +0000 (19:21 +0200)]
src: Support intra-transaction rule references
A rule may be added before or after another one using index keyword. To
support for the other rule being added within the same batch, one has to
make use of NFTNL_RULE_ID and NFTNL_RULE_POSITION_ID attributes. This
patch does just that among a few more crucial things:
* If cache is complete enough to contain rules, update cache when
evaluating rule commands so later index references resolve correctly.
* Reduce rule_translate_index() to its core code which is the actual
linking of rules and consequently rename the function. The removed
bits are pulled into the calling rule_evaluate() to reduce code
duplication in between cache updates with and without rule reference.
* Pass the current command op to rule_evaluate() as indicator whether to
insert before or after a referenced rule or at beginning or end of
chain in cache. Exploit this from chain_evaluate() to avoid adding
the chain's rules a second time.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Fri, 7 Jun 2019 17:21:17 +0000 (19:21 +0200)]
cache: Fix evaluation for rules with index reference
After parsing input, rule location data (index or handle) is contained
in cmd->handle, not yet in cmd->rule->handle.
Fixes: 7df42800cf89e ("src: single cache_update() call to build cache before evaluation") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
# cat example.nft
table inet test {
chain test {
ip daddr { 2.2.2.2, 4.4.4.4} counter accept
}
}
# valgrind nft -f example.nft
valgrind reports:
==2272== Invalid read of size 4
==2272== at 0x4E612A5: expr_free (expression.c:86)
==2272== by 0x4E58EA2: set_free (rule.c:367)
==2272== by 0x4E612DA: expr_destroy (expression.c:79)
==2272== by 0x4E612DA: expr_free (expression.c:93)
==2272== by 0x4E612DA: expr_destroy (expression.c:79)
==2272== by 0x4E612DA: expr_free (expression.c:93)
==2272== by 0x4E5D7E7: stmt_free (statement.c:50)
==2272== by 0x4E5D8B7: stmt_list_free (statement.c:60)
==2272== by 0x4E590FF: rule_free (rule.c:610)
==2272== by 0x4E5C094: cmd_free (rule.c:1420)
==2272== by 0x4E7E7EF: nft_run_cmd_from_filename (libnftables.c:490)
==2272== by 0x109A53: main (main.c:310)
==2272== Address 0x65d94c8 is 56 bytes inside a block of size 128 free'd
==2272== at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==2272== by 0x4E6143C: mapping_expr_destroy (expression.c:966)
==2272== by 0x4E612DA: expr_destroy (expression.c:79)
==2272== by 0x4E612DA: expr_free (expression.c:93)
==2272== by 0x4E5D7E7: stmt_free (statement.c:50)
==2272== by 0x4E5D8B7: stmt_list_free (statement.c:60)
==2272== by 0x4E590FF: rule_free (rule.c:610)
==2272== by 0x4E5C094: cmd_free (rule.c:1420)
==2272== by 0x4E7E7EF: nft_run_cmd_from_filename (libnftables.c:490)
==2272== by 0x109A53: main (main.c:310)
==2272== Block was alloc'd at
==2272== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==2272== by 0x4E79248: xmalloc (utils.c:36)
==2272== by 0x4E7932D: xzalloc (utils.c:65)
==2272== by 0x4E60690: expr_alloc (expression.c:45)
==2272== by 0x4E68B1D: payload_expr_alloc (payload.c:159)
==2272== by 0x4E91013: nft_parse (parser_bison.y:4242)
==2272== by 0x4E7E722: nft_parse_bison_filename (libnftables.c:374)
==2272== by 0x4E7E722: nft_run_cmd_from_filename (libnftables.c:471)
==2272== by 0x109A53: main (main.c:310)
Fixes: cc7b37d18a68 ("src: Interpret OP_NEQ against a set as OP_LOOKUP") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Update mnl_genid_get() to return 32-bit long generation ID. Add
nft_genid_u16() which allows us to catch ruleset updates from the
netlink dump path via 16-bit long nfnetlink resource ID field.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 4 Jun 2019 17:31:51 +0000 (19:31 +0200)]
libnftables: Drop cache in error case
If a transaction is rejected by the kernel (for instance due to a
semantic error), cache contents are potentially invalid. Release the
cache in that case to avoid the inconsistency.
The problem is easy to reproduce in an interactive session:
| nft> list ruleset
| table ip t {
| chain c {
| }
| }
| nft> flush ruleset; add rule ip t c accept
| Error: No such file or directory
| flush ruleset; add rule ip t c accept
| ^
| nft> list ruleset
| nft>
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 4 Jun 2019 17:31:49 +0000 (19:31 +0200)]
src: Fix cache_flush() in cache_needs_more() logic
Commit 34a20645d54fa enabled cache updates depending on command causing
it. As a side-effect, this disabled measures in cache_flush() preventing
a later cache update. Re-establish this by setting cache->cmd in
addition to cache->genid after dropping cache entries.
While being at it, set cache->cmd in cache_release() as well. This
shouldn't be necessary since zeroing cache->genid should suffice for
cache_update(), but better be consistent (and future-proof) here.
Fixes: eeda228c2d17 ("src: update cache if cmd is more specific") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: single cache_update() call to build cache before evaluation
This patch allows us to make one single cache_update() call. Thus, there
is not need to rebuild an incomplete cache from the middle of the batch
processing.
Note that nft_run_cmd_from_filename() does not need a full netlink dump
to build the cache anymore, this should speed nft -f with incremental
updates and very large rulesets.
cache_evaluate() calculates the netlink dump to populate the cache that
this batch needs.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: Display parser and evaluate errors in one shot
This patch restores 61236968b7a1 ("parser: evaluate commands immediately
after parsing") following a different approach.
In this patch, the evaluation phase is done if the parsing phase fails,
hence the user gets parsing and evaluation errors in one shot, which is
the purpose of 61236968b7a1.
Note that evaluation errors are now shown after parser errors, the example
available in 61236968b7a1 displays with this patch the following error:
# nft -f /tmp/bad.nft
/tmp/bad.nft:3:32-32: Error: syntax error, unexpected newline
add rule filter input tcp dport
^
/tmp/bad.nft:5:37-41: Error: syntax error, unexpected dport, expecting end of file or newline or semicolon
add rule filter input tcp dport tcp dport
^^^^^
/tmp/bad.nft:4:33-35: Error: datatype mismatch, expected internet network service, expression has type Internet protocol
add rule filter input tcp dport tcp
~~~~~~~~~ ^^^
So evaluation pointing to line 4 happens after line error reporting
generated by the parser that points to line 3, while 61236968b7a1 was
showing errors per line in order. As a future work, we can sort the
error reporting list to restore exactly the same behaviour.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Since 61236968b7a1 ("parser: evaluate commands immediately after
parsing"), evaluation is invoked from the parsing phase in order to
improve error reporting.
However, this approach is problematic from the cache perspective since
we don't know if a full or partial netlink dump from the kernel is
needed. If the number of objects in the kernel is significant, the
netlink dump operation to build the cache may significantly slow down
commands.
This patch moves the evaluation phase after the parsing phase as a
preparation update to allow for a better strategy to build the cache.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch introduces the input descriptor list, that stores the
existing input descriptor objects. These objects are now dynamically
allocated and release from scanner_destroy() path.
Follow up patches that decouple the parsing and the evaluation phases
require this for error reporting as described by b14572f72aac ("erec:
Fix input descriptors for included files"), this patch partially reverts
such partial.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Mon, 27 May 2019 11:36:41 +0000 (13:36 +0200)]
py: Implement JSON validation in nftables module
Using jsonschema it is possible to validate any JSON input to make sure
it formally conforms with libnftables JSON API requirements.
Implement a simple validator class for use within a new Nftables class
method 'json_validate' and ship a minimal schema definition along with
the package.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Fri, 31 May 2019 14:17:43 +0000 (16:17 +0200)]
mnl: Simplify mnl_batch_talk()
By mimicking mnl_nft_event_listener() code, mnl_batch_talk() may be
simplified quite a bit:
* Turn the conditional loop into an unconditional one.
* Call select() at loop start, which merges the two call sites.
* Check readfds content after select() returned instead of in loop
condition - if fd is not set, break to return error state stored in
'err' variable.
* Old code checked that select() return code is > 0, but that was
redundant: if FD_ISSET() returns true, select return code was 1.
* Move 'nlh' helper variable definition into error handling block, it is
not used outside of it.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Fri, 31 May 2019 14:17:42 +0000 (16:17 +0200)]
mnl: Initialize fd_set before select(), not after
Calling FD_SET() in between return of select() and call to FD_ISSET()
effectively renders the whole thing useless: FD_ISSET() will always
return true no matter what select() actually did.
Fixes: a72315d2bad47 ("src: add rule batching support") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Set a receiver buffer size based on the number of commands and the
average message size, this is useful for the --echo option in order to
avoid ENOBUFS errors.
On the kernel side, each skbuff consumes truesize from the socket queue
(although it uses NLMSG_GOODSIZE to allocate it), which is approximately
four times the estimated size per message that we get in turn for each
echo message to ensure enough receiver buffer space.
We could also explore increasing the buffer and retry if
mnl_nft_socket_sendmsg() hits ENOBUFS if we ever hit this problem again.
Reported-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Mon, 27 May 2019 11:37:00 +0000 (13:37 +0200)]
parser_json: Fix and simplify verdict expression parsing
Parsing of the "target" property was flawed in two ways:
* The value was extracted twice. Drop the first unconditional one.
* Expression allocation required since commit f1e8a129ee428 was broken,
The expression was allocated only if the property was not present.
Fixes: f1e8a129ee428 ("src: Introduce chain_expr in jump and goto statements") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch introduces the use of nft input files variables in 'jump' and 'goto'
statements, e.g.
define dest = ber
add table ip foo
add chain ip foo bar {type filter hook input priority 0;}
add chain ip foo ber
add rule ip foo ber counter
add rule ip foo bar jump $dest
table ip foo {
chain bar {
type filter hook input priority filter; policy accept;
jump ber
}
chain ber {
counter packets 71 bytes 6664
}
}
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Eric Garver [Wed, 22 May 2019 19:44:04 +0000 (21:44 +0200)]
src: update cache if cmd is more specific
If we've done a partial fetch of the cache and the genid is the same the
cache update will be skipped without fetching the needed items. This
change flushes the cache if the new request is more specific than the
current cache - forcing a cache update which includes the needed items.
Introduces a simple scoring system which reflects how
cache_init_objects() looks at the current command to decide if it is
finished already or not. Then use that in cache_needs_more(): If current
command's score is higher than old command's, cache needs an update.
Fixes: 816d8c7659c1 ("Support 'add/insert rule index <IDX>'") Signed-off-by: Eric Garver <eric@garver.life> Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Fri, 17 May 2019 10:46:31 +0000 (12:46 +0200)]
tests: py: remove single-value-anon-set test cases
future change will rewrite all single-element anon sets to a cmp op.
Retain a few test cases to later check that the rewrite is correct, but
remove all others.
src: use definitions in include/linux/netfilter/nf_tables.h
Use NFT_LOGLEVEL_* definitions in UAPI.
Make an internal definition of NFT_OSF_F_VERSION, this was originally
defined in the UAPI header in the initial patch version, however, this
is not available anymore.
Phil Sutter [Thu, 9 May 2019 11:35:45 +0000 (13:35 +0200)]
tests/py: Fix JSON expected output for icmpv6 code values
Reverse translation is happening for values which are known, even if
they are part of a range. In contrast to standard output, this is OK
because in JSON lower and upper bounds are properties and there is no
ambiguity if names contain a dash.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 9 May 2019 11:35:44 +0000 (13:35 +0200)]
tests/py: Fix JSON expected output after expr merge change
Looks like original patch missed this one.
Fixes: 88ba0c92754d8 ("tests: fix up expected payloads after expr merge change") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 9 May 2019 11:35:41 +0000 (13:35 +0200)]
json: Fix tproxy support regarding latest changes
Family may be specified also if no address is given at the same time,
make parser/printer tolerant to that. Also fix for missing/incorrect
JSON equivalents in tests/py.
While being at it, fix two issues in non-JSON tests:
* Ruleset is printed in numeric mode, so use 'l4proto 6' instead of
'l4proto tcp' in rules to avoid having to specify expected output for
that unrelated bit.
* In ip and ip6 family tables, family parameter is not deserialized on
output.
Fixes: 3edb96200690b ("parser_bison: missing tproxy syntax with port only for inet family") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 9 May 2019 11:35:39 +0000 (13:35 +0200)]
netlink: Fix printing of zero-length prefixes
When delinearizing, an all-zero mask didn't qualify as prefix. Therefore
a statement:
| ip daddr 0.0.0.0/0
would be printed as:
| ip daddr & 0.0.0.0 == 0.0.0.0
To fix this, expr_mask_is_prefix() must return true if the initial 1-bit
search fails (the given value must be zero in this case). Additionally,
a shortcut is needed in conversion algorithm of expr_mask_to_prefix()
to not turn the zero prefix into a 1 by accident.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 9 May 2019 11:35:37 +0000 (13:35 +0200)]
json: Support nat in inet family
Add the missing bits to JSON parser, printer, man page and testsuite.
Fixes: fbe27464dee45 ("src: add nat support for the inet family") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 7 May 2019 13:23:50 +0000 (15:23 +0200)]
doc: Review man page synopses
Fix use of font typefaces:
- *bold* for terminals
- 'italic' for non-terminals
- plain for meta-characters
Apart from that:
* Variable definitions require an equals sign
* 'auto-merge' option in set spec does not take a parameter
* List header fields in payload expressions instead of unexplained
placeholder
* Introduce non-terminals in some places to avoid repetitions or clarify
syntax
* Fix syntax for ip6 header expresssion example
* Reorganize ct expression synopsis into four parts:
1) direction not allowed
2) direction optional
3) direction mandatory
4) direction and family mandatory
* Add missing 'version' keyword to osf expression
* Clarify verdict statements example topic
* Add synopses for payload and exthdr statements
* Fix typo: differv -> diffserv
* Reorganize reject statement synopsis to point out which code type
is required for which type arg
* Counter statement requires either one of 'packets' or 'bytes' args or
both, none is an invalid variant
* Limit statement accepts a unit in burst, too
* Improve language in limit statement description a bit
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
Phil Sutter [Tue, 7 May 2019 13:21:45 +0000 (15:21 +0200)]
py: Fix gitignore of lib/ directory
Pattern is not a PCRE one but merely a shell glob. Hence 'lib.*' matches
only 'lib.' prefix, not also 'lib'.
Fixes: bf9653667a39e ("python: installation of binding via make install") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
projects / thirdparty / nftables.git / log
