src: interpret the event type from the evaluation step
Postpone the event type interpretation to the evaluation step.
This patch also fixes the combination of event and object types,
which was broken. The export code needed to be adjusted too.
The new and destroy are not tokens that can be recognized by
the scanner anymore, so this also implicitly restores 'ct state'.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
With this patch, this function finds the symbol inside the table. If the symbol
doesn't exist we use the basetype to parse it and create the constant
expression. Otherwise, return an error message.
This a refactorization to reuse this code in a follow up patch.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Patrick McHardy [Wed, 24 Sep 2014 11:49:05 +0000 (13:49 +0200)]
queue: clean up queue statement
- Rename keyword tokens to their actual keyword
- Change the grammar to follow the standard schema for statements and arguments
- Use actual expression for the queue numbers to support using normal range
expressions, symbolic expression and so on.
- restore comma seperation of flag keywords
The result is that its possible to use standard ranges, prefix expressions,
symbolic expressions etc for the queue number. We get checks for overflow,
negative ranges and so on automatically.
The comma seperation of flags is more similar to what we have for other
flag values. It is still possible to use spaces, however this could be
removed since we never had a release supporting that.
mnl: consistency checks across several netlink dumps
Obtain the generation ID before dumping the object lists. Then,
check for generation ID updates when dumping the several lists that
this needs. In case of interference, nft has to remove the stale
objects and retry from scratch.
This is complementary to the NLM_F_DUMP_INTR flag which is local
to one single netlink dump.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Ana Rey [Thu, 18 Sep 2014 10:39:15 +0000 (12:39 +0200)]
tests: Add automated regression testing
Here, the automated regression testing for nftables and some test
files.
This script checks that the rule input and output of nft matches.
More details here below.
A) What is this testing?
This script tests two different paths:
* The rule input from the command-line. This checks the different steps
from the command line to the kernel. This includes the parsing,
evaluation and netlink generation steps.
* The output listing that is obtained from the kernel. This checks the
different steps from the kernel to the command line: The netlink
message parsing, postprocess and textify steps to display the rule
listing.
As a final step, this script compares that the rule that is added can
be listed by nft.
B) What options are available?
The script offers the following options:
* Execute test files:
./nft-test.py # Run all test files
./nft-test.py path/file.t # Run this test file
If there is a problem, it shows the differences between the rule that
is added and the rule that is listed by nft.
In case you hit an error, the script doesn't keep testing for more
families. Unless you specify the --force-family option.
* Execute broken tests:
./nft-test.sh -e
This runs tests for rules that need a fix: This mode runs the lines that
that start with a "-" symbol.
* Debugging:
./nft-test.sh -d
This shows all the commands that the script executes, so you can watch
its internal behaviour.
* Keep testing all families on error.
./nft-test.sh -f
Don't stop testing for more families in case of error.
C) What is the structure of the test file?
A test file contains a set of rules that are added in the system.
Here, an example of a test file:
*ip;test-ipv4 # line 1
*ip6;test-ipv6 # line 2
*inet;test-inet # line 3
!set1 ipv4_addr;ok # line 7
?set1 192.168.3.8 192.168.3.9;ok # line 8
# This is a commented-line. # line 9
Line 1 defines a table. The name of the table is 'test-ip' and the
family is ip. Lines 2 and 3 defines more tables for different families
so the rules in this test file are also tested there.
Line 4 defines the chain. The name of this chain is "input". The type is
"filter", the hook is "input" and the priority is 0.
Line 5 defines the rule, the ";" character is used as separator of several
parts:
* Part 1: "ah hdrlength != 11-23" is the rule to check.
* Part 2: "ok" is the result expected with the execute of this rule.
* Part 3: "ah hdrlength < 11 ah hdrlength > 23". This is the expected
output. You can leave this empty if the output is the same as the
input.
Line 6 is a marked line. This means that this rule is tested if
'-e' is passed as argument to nft-test.py.
Line 7 adds a new set. The name of this set is "set1" and the type
of this set is "ipv4_add".
Line 8 adds two elements into the 'set1' set: "192.168.3.8" and
"192.168.3.9". A whitespace separates the elements of the set.
Line 9 uses the "#" symbol that means that this line is commented out.
D) The test folders
The test files are divided in several directories: ip, ip6, inet, arp,
bridge and any.
* "ip" folder contains the test files that are executed in ip and inet
table.
* "ip" folder contains the test files that are executed in ip6 and inet
table.
* "inet" folder contains the test files that are executed in the ip, ip6
and inet table.
* "arp" folder contains the test files that are executed in the arp
table.
* "bridge" folder: Here are the test files are executed in bridge
tables.
* "any" folder: Here are the test files are executed in ip, ip6, inet,
arp and bridge tables.
E) Meaning of messages:
* A warning message means the rule input and output of nft mismatches.
* An error message means the nft-tool shows an error when we add it or
the listing is broken after the rule is added.
Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Some of the existing payload fields rely on BYTEORDER_INVALID. Therefore, if we
try to convert it in evaluation step, we hit this bug.
This patch allows to add a specific byteorder to the struct proto_hdr_template. If
we create a expression with a invalid byteorder, we will use the byteorder
added to the proto_hdr_template structure.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
This patch adds the `flush ruleset' operation to nft.
The syntax is:
% nft flush ruleset [family]
To flush all the ruleset (all families):
% nft flush ruleset
To flush the ruleset of a given family:
% nft flush ruleset ip
% nft flush ruleset inet
This flush is a shortcut operation which deletes all rules, sets, tables
and chains.
It's possible since the modifications in the kernel to the NFT_MSG_DELTABLE
API call.
Users can benefit of this operation when doing an atomic replacement of the
entire ruleset, loading a file like this:
Ana Rey [Tue, 2 Sep 2014 18:37:17 +0000 (20:37 +0200)]
src: Add devgroup support in meta expresion
This adds device group support in meta expresion.
The new attributes of meta are "iffgroup" and "oifgroup"
- iffgroup: Match device group of incoming device.
- oifgroup: Match device group of outcoming device.
Example of use:
nft add rule ip test input meta iifgroup 2 counter
nft add rule ip test output meta oifgroup 2 counter
The kernel and libnftnl support were added in these commits:
netfilter: nf_tables: add devgroup support in meta expresion
src: meta: Add devgroup support to meta expresion
Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Ana Rey [Tue, 5 Aug 2014 18:33:39 +0000 (20:33 +0200)]
src: Add support for pkttype in meta expresion
If you want to match the pkttype field of the skbuff, you have to
use the following syntax:
nft add rule ip filter input meta pkttype PACKET_TYPE
where PACKET_TYPE can be: unicast, broadcast and multicast.
Joint work with Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: don't return error in netlink_linearize_rule()
This function converts the rule from the list of statements to the
netlink message format. The only two possible errors that can make
this function to fail are memory exhaustion and malformed statements
which inmediately stop the execution of nft.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Patrick McHardy [Mon, 18 Aug 2014 23:21:59 +0000 (00:21 +0100)]
datatype: take endianess into account in symbolic_constant_print()
symbolic_constant_print() uses mpz_cmp_ui() to find the matching symbol.
Since GMP internally treats all values as being in host byte, this
doesn't work when the constant value is non-host byteorder, such as
the ethernet protocol type.
Export the expression's value in its original byteorder for comparison
to fix this.
Patrick McHardy [Mon, 18 Aug 2014 23:21:59 +0000 (00:21 +0100)]
payload: take endianess into account when updating the payload context
payload_expr_pctx_update() uses the numeric protocol value in host byte
order to find the upper layer protocol. This obviously doesn't work for
protocol expressions in other byte orders, such as the ethernet protocol
on little endian.
Export the protocol value in the correct byte order and use that value
to look up the upper layer protocol.
Yanchuan Nian [Mon, 11 Aug 2014 02:24:24 +0000 (10:24 +0800)]
Fix memory leak in nft get operation
Some memories are forgotten to release on the error path in get operation.
Just release them. Also, in netlink_get_chain, it's better to return
immediately when a error is detected.
Signed-off-by: Yanchuan Nian <ycnian@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
You can also specify the snaplen and qthreshold for the nfnetlink_log.
But you cannot mix level and group at the same time, they are mutually
exclusive.
Default values for both snaplen and qthreshold are 0 (just like in
iptables).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
mnl: fix crashes when using sets with many elements
nft crashes when adding many elements into a set for two reasons:
1) The overflow of the nla_len field for the NFTA_SET_ELEM_LIST_ELEMENTS
attribute.
2) Out-of-bound memory writes to the reserved area for the netlink
message, which is solved by the patch entitled ("mnl: introduce
NFT_NLMSG_MAXSIZE").
This patch adds the corresponding nla_len overflow check for
NFTA_SET_ELEM_LIST_ELEMENTS and it splits the elements in several
netlink messages. This should be enough when set updates are handled
by the transaction infrastructure.
With this patch, nft should be now capable of adding an unlimited
number of elements to a given set.
Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=898 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The NFT_NLMSG_MAXSIZE constant defines the maximum nf_tables netlink
message. Currently, the largest is the set element message, which
contains the NFTA_SET_ELEM_LIST_ELEMENTS attribute. This attribute is
a nest that describes the set elements. Given that the netlink attribute
length (nla_len) is 16 bits, the largest message is a bit larger than
64 KBytes. Thus, the proposed value of NFT_NLMSG_MAXSIZE is set to
(1 << 16) + getpagesize().
This new constant is used to calculate the length of:
1) the batch page length, when the batching mode is used.
2) the buffer that stores the netlink message in the send (when no
batching is used) and receive paths.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
# nft add rule ip test input ip hdrlength 3
<cmdline>:1:1-37: Error: Could not process rule: Invalid argument
add rule ip test input ip hdrlength 3
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# echo $?
0
After:
# nft add rule ip test input ip hdrlength 3
<cmdline>:1:1-37: Error: Could not process rule: Invalid argument
add rule ip test input ip hdrlength 3
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# echo $?
1
Reported-by: Ana Rey Botello <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: rework batching logic to fix possible use of uninitialized pages
This patch reworks the batching logic in several aspects:
1) New batch pages are now always added into the batch page list in
first place. Then, in the send path, if the last batch page is
empty, it is removed from the batch list.
2) nft_batch_page_add() is only called if the current batch page is
full. Therefore, it is guaranteed to find a valid netlink message
in the batch page when moving the tail that didn't fit into a new
batch page.
3) The batch paging is initialized and released from the nft_netlink()
path.
4) No more global struct mnl_nlmsg_batch *batch that points to the
current batch page. Instead, it is retrieved from the tail of the
batch list, which indicates the current batch page.
This patch fixes a crash due to access of uninitialized memory area in
due to calling batch_page_add() with an empty batch in the send path,
and the memleak of the batch page contents. Reported in:
mnl: check for NLM_F_DUMP_INTR when dumping object lists
This flag allows to detect that an update has ocurred while dumping
any of the object lists. In case of interference, nft cancels the
netlink socket to skip processing the remaining stale entries and
it retries to obtain fresh list of objects.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch reverts Alvaro's 34040b1 ("reject: add ICMP code parameter
for indicating the type of error") and 11b2bb2 ("reject: Use protocol
context for indicating the reject type").
These patches are flawed by two things:
1) IPv6 support is broken, only ICMP codes are considered.
2) If you don't specify any transport context, the utility exits without
adding the rule, eg. nft add rule ip filter input reject.
The kernel is also flawed when it comes to the inet table. Let's revert
this until we can provide decent reject reason support.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
reject: add ICMP code parameter for indicating the type of error
This patch allows to indicate the ICMP code field in case that we
use to reject. Before, we have always sent network unreachable error
as ICMP code, now we can explicitly indicate the ICMP code that
we want to use. Examples:
reject: Use protocol context for indicating the reject type
This patch uses the protocol context to initialize the reject type
considering if the transport protocol is tcp, udp, etc. Before this
patch, this was left unset.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch allows to use a new syntax more compact and break
the current syntax. This new syntax is more similar than the nftables
syntax that we use usually. We can use range like we have used in
other case in nftables. Here, we have some examples:
Before, If we want to declare a queue, we have used a syntax like this:
nft add rule test input queue num 1 total 3 options bypass,fanout
If we want to use the queue number 1 and the two next (total 3),
we use a range in the new syntax, for example:
nft add rule test input queue num 1-3 bypass fanout
Also if we want to use only one queue, the new rules are like:
nft add rule test input queue num 1 # queue 1
or
nft add rule test input queue # queue 0
And if we want to add a specific flags we only need to put
what flags we want to use:
nft add rule test input queue bypass
we don't need to use options and the comma for indicating the
flags.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
cli: fix nft -i command crashes when try to input multi line command
When try to input multiline command in "nft -i", it crashes.
Issue is, function cli_append_multiline() return null in case of
multiline command. But in the calling function cli_complete(),
cli_exit is getting called, which in turn calls
rl_callback_handler_remove() and the handler is getting removed.
netlink: fix crash if kernel doesn't support nfnetlink / nf_tables
When trying to close a descriptor which failed to be opened.
==6231== Process terminating with default action of signal 11 (SIGSEGV)
==6231== Access not within mapped region at address 0x0
==6231== at 0x5503E21: mnl_socket_close (socket.c:248)
==6231== by 0x40517F: netlink_close_sock (netlink.c:68)
==6231== by 0x400EFEE: _dl_fini (dl-fini.c:253)
==6231== by 0x5740AA0: __run_exit_handlers (exit.c:77)
==6231== by 0x5740B24: exit (exit.c:99)
==6231== by 0x40F16F: netlink_open_error (netlink.c:105)
==6231== by 0x405642: netlink_open_sock (netlink.c:54)
==6231== by 0x424E6C: __libc_csu_init (in /usr/sbin/nft)
==6231== by 0x5728924: (below main) (libc-start.c:219)
==6231== If you believe this happened as a result of a stack
==6231== overflow in your program's main thread (unlikely but
==6231== possible), you can try to increase the size of the
==6231== main thread stack using the --main-stacksize= flag.
==6231== The main thread stack size used in this run was 8388608.
Closes: http://bugzilla.netfilter.org/show_bug.cgi?id=881 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netlink: don't add table/chain/set to ctx->list in the event path
The delinearize functions for tables, chains and sets add these objects
to the ctx->list. In the chain case, this is not required. Regarding
tables and sets, those are added to the cache.
This patch implicitly fixes an use chain object after free that result
in random crashes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netlink_delinearize: fix double free in relational_binop_postprocess()
free(expr->right) and free(value) point to the same object, so one
single free() is enough.
This manifests in valgrind with:
==4020== Invalid read of size 4
==4020== at 0x40A429: expr_free (expression.c:65)
==4020== by 0x414032: expr_postprocess (netlink_delinearize.c:747)
==4020== by 0x414C33: netlink_delinearize_rule (netlink_delinearize.c:883)
==4020== by 0x411305: netlink_events_cb (netlink.c:1692)
==4020== by 0x55040AD: mnl_cb_run (callback.c:77)
==4020== by 0x4171E4: nft_mnl_recv (mnl.c:45)
==4020== by 0x407B44: do_command (rule.c:895)
==4020== by 0x405C6C: nft_run (main.c:183)
==4020== by 0x405849: main (main.c:334)
==4020== Address 0x5d126f8 is 56 bytes inside a block of size 120 free'd
==4020== at 0x4C2AF5C: free (vg_replace_malloc.c:446)
==4020== by 0x41402A: expr_postprocess (netlink_delinearize.c:746)
==4020== by 0x414C33: netlink_delinearize_rule (netlink_delinearize.c:883)
==4020== by 0x411305: netlink_events_cb (netlink.c:1692)
==4020== by 0x55040AD: mnl_cb_run (callback.c:77)
==4020== by 0x4171E4: nft_mnl_recv (mnl.c:45)
==4020== by 0x407B44: do_command (rule.c:895)
==4020== by 0x405C6C: nft_run (main.c:183)
==4020== by 0x405849: main (main.c:334)
==4020==
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch moves the netlink set messages to the batch that contains
the rules. This helps to speed up rule-set restoration time by
changing the operational. To achieve this, an internal set ID which
is unique to the batch is allocated as suggested by Patrick.
To retain backward compatibility, nft initially guesses if the
kernel supports set in batches. Otherwise, it falls back to the
previous (slowier) operational.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Patrick McHardy [Mon, 14 Apr 2014 06:18:47 +0000 (08:18 +0200)]
build: fix documentation build
Handle the docbook2x-man mess that is called differently on different distributions.
Also switch to dblatex since db2pdf is unable to handle XML on Fedora (and probably
other distributions).
expression: fix constant expression allocation on big endian
When allocating a constant expression, a pointer to the data is passed
to the allocation function. When the variable used to store the data
is larger than the size of the data type, this fails on big endian since
the most significant bytes (being zero) come first.
Add a helper function to calculate the proper address for the cases
where this is needed.
This currently affects symbolic tables for values < u64 and payload
dependency generation for protocol values < u32.
projects / thirdparty / nftables.git / log
