Phil Sutter [Wed, 4 Oct 2017 13:59:32 +0000 (15:59 +0200)]
evaluate: Fix debug output
When introducing output_fp, debug output in src/evaluate.c was not
adjusted and therefore broke.
This patch restores eval debug output by applying the following changes:
- Change erec_print() and erec_print_list() to take a struct output_ctx
pointer as first argument and use output_fp field as destination to
print to.
- Drop octx_debug_dummy variable and instead use octx pointer from
struct eval_ctx for debug output.
- Add missing calls to erec_destroy() in eval debug output which should
eliminate another mem leak.
Fixes: 2535ba7006f22 ("src: get rid of printf") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1178 Fixes: 0d9d04c31481 ("src: make netlink sequence number non-static") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
after previous change nft now culls the dependency chain:
'icmpv6 type echo-request' is shown as-is, and not
'meta nfproto ipv6 meta l4proto 58 icmpv6 type echo-request' anymore.
From postprocess point of view meta and ct are logically the same,
except that their storage area overlaps (union type), so if we
extract the relevant fields we can move all of it into a single
helper and support dependency store/kill for both expressions.
ct keys can match on network and tranasport header protocol
elements, such as port numbers or ip addresses.
Store this base type so a followup commit can store and kill
dependencies, e.g. if bsae is network header we might be able
to kill an earlier expression because the dependency is implicit.
Phil Sutter [Fri, 29 Sep 2017 11:26:22 +0000 (13:26 +0200)]
main: Drop stdout hack to expose nft_print() implementation issues
This was helpful when testing nft_print() implementation, but breaks
'nft --help' output. Also, with this in place typical printf-debugging
would have to use stderr at all times which is confusing at least.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Fri, 29 Sep 2017 11:26:21 +0000 (13:26 +0200)]
main: Flush output from nft_gmp_print()
This adds a missing call to fflush() to nft_gmp_print() just like in
nft_print(). This is strictly not necessary since usually
nft_gmp_print() is followed by a call to nft_print() but better not rely
upon this assumption.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 28 Sep 2017 15:17:45 +0000 (17:17 +0200)]
src: get rid of printf
This patch introduces nft_print()/nft_gmp_print() functions which have
to be used instead of printf to output information that were previously
send to stdout. These functions print to a FILE pointer defined in
struct output_ctx. It is set by calling:
| old_fp = nft_ctx_set_output(ctx, new_fp);
Having an application-defined FILE pointer is actually quite flexible:
Using fmemopen() or even fopencookie(), an application gains full
control over what is printed and where it should go to.
Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 28 Sep 2017 15:17:44 +0000 (17:17 +0200)]
rule: Refactor chain_print_declaration()
Instead of having two nearly identical printf() calls for netdev and
other chains, print the common parts separately and include the device
bit only for netdev chains.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 28 Sep 2017 15:17:43 +0000 (17:17 +0200)]
erec_print: Pass output FILE pointer to netlink_dump_expr()
It was a bit odd that erec_print() outputs to a given FILE pointer but
then calls netlink_dump_expr() which just prints to stdout. Fix this by
passing the given FILE pointer along so output is guaranteed to go to
the same destination.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Wed, 24 May 2017 18:05:54 +0000 (20:05 +0200)]
src: prepare for future ct timeout policy support
Change all places that expect ct helper tokens (ct helper configuration)
to CT HELPER. ct_obj_kind is removed.
When we add ct timeout support, we will add a new ct_timeout_block,
plus extra rules. We won't extend ct_block, it prevents the parser
from detecting bogus syntax that only makes sense for ct helper but
not for something else for instance.
ct_block should be renamed to ct_helper_block, will be done in
followup patch.
Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
since commit b0c2606ed02fed828ab7c34227e355f5542bc925
("parser_bison: use keywords in ct expression") we no longer
abuse string for this, so there are no users of these helpers
anymore.
src: store expression as set key instead of data type
Doing so retains legth information in case of unqualified data types,
e.g. we now have 'meta iifname' expression instead of an (unqualified)
string type.
This allows to eventually use iifnames as set keys without adding yet
another special data type for them.
Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
evaluate: prepare to store expr key rather than datatype
currently set definitions store a datatype rather than
an expression.
In order to support use of unqualified data types (string in particular),
this prepares implicit set definition helper to expect an expression instead
of plain data type. This also has the advantage that we can use EXPR_CONCAT
to retain the original expressions when key concatentation is used, e.g.
'meta iifname . tcp dport'. The netlink serialization code can use
this info to store individual key lengths independently of data types.
Would also allow later on to store the original names of the
expressions, e.g. "ip daddr", in the kernel to support a future
typeof keyword, e.g. 'type typeof(ip daddr)' instead of 'type ipv4_addr'.
Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Using string give us more chances to hit shift/reduce conflicts when
extending this grammar, more specifically, from the stmt_expr rule, so
add keywords for this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Extend stmt_expr and use it from all of our statement rules. Add more
rules to describe what we take from statement expressions, instead of
reusing rhs_expr which is allowing way more things that we actually need
here. This is causing us problems when extending the grammar.
Phil Sutter [Thu, 21 Sep 2017 18:38:02 +0000 (20:38 +0200)]
monitor: Fix for incorrect debug_mask
The field 'debug_mask' of struct netlink_mon_handler was left
uninitialized in do_command_monitor() so it contained garbage from the
stack. Fix this by initializing it with the debug_mask value from struct
netlink_ctx.
While being at it, change the code to make use of C99-style initializer,
which will also avoid things like this in future.
Fixes: be441e1ffdc24 ("src: add debugging mask to context structure") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Fri, 25 Aug 2017 11:17:32 +0000 (13:17 +0200)]
parser: Fix memleaks for STRING token (and derived ones)
The common paradigm here is that all parser rules converting string
tokens into symbols must free the string token if it's not used anymore.
This is unrelated to the %destructor directive, since that will apply
only if the parser discards the token, which is not the case then.
While being at it, simplify error handling in parser rule for listing
conntrack helpers (error() won't return NULL) and drop the unused extra
parameter passed to error() in level_type rule.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Eric Leblond [Thu, 24 Aug 2017 15:07:37 +0000 (17:07 +0200)]
mnl: fix error handling in mnl_batch_talk
If one of the command is failing we should return an error.
Pablo says: "This is not a real issue since nft_netlink() returns an
error in case the list of errors is not empty. But we can indeed
simplify things by removing that explicit assignment in nft_netlink() so
mnl_batch_talk() consistently reports when if an error has happened.
Signee-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 24 Aug 2017 17:14:11 +0000 (19:14 +0200)]
scanner: Fix for wrong parameter type of scanner_destroy()
The function takes the scanner as argument, not the state. This wasn't a
real issue since scanner is a void pointer, which means it's only casted
around without need. So this fix is a rather cosmetic one.
Phil Sutter [Thu, 24 Aug 2017 17:14:10 +0000 (19:14 +0200)]
scanner: Fix for memleak due to unclosed file pointer
When including a file, it is opened by fopen() and therefore needs to be
closed after scanning has finished using fclose(), otherwise valgrind
will report a memleak.
This patch changes struct input_descriptor to track the opened FILE
pointer instead of the file descriptor so the pointer is available for
closing in scanner_destroy().
While at it, change erec_print() to work on the open FILE pointer so it
doesn't have to call fileno() in beforehand. And as a little bonus, use
C99 initializer of the buffer to get rid of the call to memset().
Note that it is necessary to call erec_print_list() prior to destroying
the scanner, otherwise it will start manipulating an already freed FILE
pointer (and therefore crash the program).
Get rid of lots of ifdef DEBUG pollution in the code.
The --debug= option is useful to get feedback from users, so it should
be always there. And we really save nothing from keeping this code away
from the control plane with a compile time option. Just running
tests/shell/ before and after this patch, time shows almost no
difference.
So this patch leaves --enable-debug around to add debugging symbols in
your builds, this is left set on by default.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Varsha Rao [Wed, 16 Aug 2017 14:18:17 +0000 (19:48 +0530)]
src: mnl: Remove unused functions.
Functions mnl_nft_chain_get(), mnl_nft_rule_add(),
mnl_nft_rule_delete(), mnl_nft_set_get(), mnl_nft_table_get(),
set_get_cb(), table_get_cb() and chain_get_cb() are only defined
but not used, so remove them.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Varsha Rao [Wed, 16 Aug 2017 14:18:16 +0000 (19:48 +0530)]
src: netlink: Remove unused functions.
Remove netlink_add_rule_list(), netlink_dump_table(),
netlink_get_chain(), netlink_get_set(), netlink_get_table(),
netlink_list_chain() functions definitions as they are not
called anywhere in source code.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Varsha Rao [Wed, 16 Aug 2017 14:18:13 +0000 (19:48 +0530)]
src: Remove xt_stmt_() functions.
Remove functions xt_stmt_alloc(), xt_stmt_release(), xt_stmt_xlate(),
xt_stmt_print(), xt_stmt_destroy() as they are not used. Similarly,
remove structure xt_stmt_ops.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
While doing so, we did fail to shift the imm value, i.e.
we clear the wrong half of the u16 (protocol) instead of csum.
The correct mask is 0xff00, and $new_value needs to be shifted
so we leave the protocol value (which is next to ttl) alone.
Fixes: f9069cefdf ("netlink: make checksum fixup work with odd-sized header fields") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Place sequence number that is allocated per-command on the struct
netlink_ctx structure. This is allocated from nft_run() to correlate
commands with netlink messages for error reporting. Batch support
probing also shares this sequence numbers with commands.
There is an inpendent cache sequence number though, this routine is
called from a different path, usually from the evaluation phase.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 15 Aug 2017 11:59:12 +0000 (13:59 +0200)]
echo: Fix for added delays in rule updates
The added cache update upon every command dealing with rules was a
bummer. Instead, perform the needed cache update only if echo option was
set.
Initially, I tried to perform the cache update from within
netlink_echo_callback(), but that turned into a mess since the shared
socket between cache_init() and mnl_batch_talk() would receive
unexpected new input. So instead update the cache from do_command_add(),
netlink_replace_rule_batch() and do_comand_insert() so it completes
before mnl_batch_talk() starts listening.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Mon, 14 Aug 2017 23:43:05 +0000 (01:43 +0200)]
tests: Merge monitor and echo test suites
The two test suites were pretty similar already, and since echo output
is supposed to be identical to monitor output apart from delete
commands, they can be merged together with litte effort.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Mon, 14 Aug 2017 23:43:03 +0000 (01:43 +0200)]
netlink: Fix segfault when using --echo flag
Commit 07b45939972eb ("src: introduce struct nft_cache") added cache
pointer to struct netlink_mon_handler and the code assumes it is never
NULL. Therefore initialize it in the dummy version of
netlink_mon_handler in netlink_echo_callback().
Fixes: b99c4d072d996 ("Implement --echo option") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Mon, 14 Aug 2017 23:43:02 +0000 (01:43 +0200)]
mnl: Drop --echo support for non-batch calls
Echo support in nft_mnl_talk() was broken: nft_mnl_talk_cb() passed
cbdata->data as second parameter to netlink_echo_callback() which
expected it to be of type struct netlink_ctx while in fact it was
whatever callers of nft_mnl_talk() passed as callback data (in most
cases a NULL pointer).
I didn't notice this because I didn't test for kernels without support
for transactions. This has been added to nftables in kernel version 3.16
back in 2014. Since then, user space which doesn't support it can't even
add a table anymore. So adding this new feature to the old code path is
really not feasible, therefore drop this broken attempt at supporting
it.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
https works for the wiki, and users should prefer it by default,
whether they are logging in (to protect their credentials) or whether
they're reading data (to protect the integrity of the content).
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 10 Aug 2017 17:29:18 +0000 (19:29 +0200)]
nft.8: Add note about supported hooks for bridge family
It is the only address family which lacks a table describing supported
hooks. Since that would be identical to the one for ip/ip6/inet
families, just point there.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 10 Aug 2017 17:29:17 +0000 (19:29 +0200)]
nft.8: Review reject statement description
- Describe 'type' argument datatypes in DATA TYPES section, then remove
value list from reject statement description and refer to that section
instead.
- Fix synopsis: 'with ...' is optional.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 10 Aug 2017 17:29:15 +0000 (19:29 +0200)]
nft.8: Document operations on ruleset
People new to nftables and yet unaware of 'list ruleset' and 'flush
ruleset' commands have a hard time. Therefore put description of those
prominently at the top, even before explaining operations on tables and
chains.
Since 'export ruleset' is closely related, document it here as well and
remove it's sparse description from ADDITIONAL COMMANDS section.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 9 Aug 2017 11:16:42 +0000 (13:16 +0200)]
Implement --echo option
When used with add, insert or replace commands, nft tool will print
event notifications just like 'nft monitor' does for the same commands.
Apart from seeing what a given command will turn out in the rule set,
this allows to reliably retrieve a new rule's assigned handle (if used
together with --handle option).
Here are some examples of how it works:
| # nft --echo --handle add table ip t
| add table ip t
|
| # nft --echo --handle add chain ip t c \
| '{ type filter hook forward priority 0; }'
| add chain ip t c { type filter hook forward priority 0; policy accept; }
|
| # nft --echo --handle add rule ip t c tcp dport '{22, 80}' accept
| add rule ip t c tcp dport { ssh, http } accept # handle 2
|
| # nft --echo --handle add set ip t ipset '{ type ipv4_addr; \
| elements = { 192.168.0.1, 192.168.0.2 }; }'
| add set ip t ipset { type ipv4_addr; }
| add element ip t ipset { 192.168.0.1 }
| add element ip t ipset { 192.168.0.2 }
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The forward chain isn't supported anymore (on kernel side it only worked
if bridge netfilter 'call-arptables' sysctl is on), so this test now fails
with nf-next kernel.
In nftables one can filter/test arp packets in bridge family directly.
Varsha Rao [Wed, 2 Aug 2017 11:43:08 +0000 (12:43 +0100)]
src: netlink: Subscribe nft monitor and nft monitor trace to respective groups.
Subscribe nft monitor to both NFNLGRP_NFTABLES and NFNLGRP_NFTRACE.
nft monitor trace subscribes only to NFNLGRP_NFTRACE. Other event
reporting options to only NFNLGRP_NFTABLES.
Joint work with Pablo Neira.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Fri, 28 Jul 2017 11:55:45 +0000 (13:55 +0200)]
mnl: Consolidate mnl_batch_talk() parameters
The single caller of this function passes struct netlink_ctx fields as
the first two parameters. This can be simplified by passing the context
object itself and having mnl_batch_talk() access it's fields instead.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
projects / thirdparty / nftables.git / log
