git.ipfire.org Git - thirdparty/nftables.git/log
src: bail out when exporting ruleset with unsupported output
Pablo Neira Ayuso [Thu, 15 Feb 2018 16:22:16 +0000 (17:22 +0100)] 
src: bail out when exporting ruleset with unsupported output

Display error message and propagate error to shell when running command
with unsupported output:

 # nft export ruleset json
 Error: this output type is not supported
 export ruleset json
 ^^^^^^^^^^^^^^^^^^^^
 # echo $?
 1

When displaying the output in json using the low-level VM
representation, it shows:

 # nft export ruleset vm json
 ... low-level VM json output
 # echo $?
 0

While at it, do the same with obsoleted XML output.

Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1224
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
payload: don't decode past last valid template
Florian Westphal [Thu, 15 Feb 2018 14:26:31 +0000 (15:26 +0100)] 
payload: don't decode past last valid template

When trying to decode payload header fields, be sure to bail out
when having exhausted all available templates.

Otherwise, we allocate invalid payload expressions (no datatype,
header length of 0) and then crash when trying to print them.

Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1226
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: Spelling fixes
Ville Skyttä [Wed, 7 Feb 2018 09:34:31 +0000 (11:34 +0200)] 
src: Spelling fixes

Signed-off-by: Ville Skyttä <ville.skytta@iki.fi>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netlink_delinearize: add meta_may_dependency_kill()
Pablo Neira Ayuso [Wed, 14 Feb 2018 15:27:10 +0000 (16:27 +0100)] 
netlink_delinearize: add meta_may_dependency_kill()

Do not exercise dependency removal for protocol key network payload
expressions in bridge, netdev and inet families from meta expressions,
more specifically:

* inet: nfproto and ether type.
* netdev and bridge: meta protocol and ether type.

need to be left in place.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
payload: add payload_may_dependency_kill()
Pablo Neira Ayuso [Wed, 14 Feb 2018 15:27:01 +0000 (16:27 +0100)] 
payload: add payload_may_dependency_kill()

Payload protocol key expressions at network base are meaningful in the
netdev, bridge and inet families, do not exercise the redundant
dependency removal in those cases since it breaks rule semantics.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: get rid of __payload_dependency_kill()
Pablo Neira Ayuso [Wed, 14 Feb 2018 15:26:57 +0000 (16:26 +0100)] 
src: get rid of __payload_dependency_kill()

Use payload_dependency_release() instead.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: add payload_dependency_exists()
Pablo Neira Ayuso [Wed, 14 Feb 2018 15:26:50 +0000 (16:26 +0100)] 
src: add payload_dependency_exists()

This helper function tells us if there is already a protocol key payload
expression, ie. those with EXPR_F_PROTOCOL flag set on, that we might
want to remove since we can infer from another expression in the upper
protocol base, eg.

ip protocol tcp tcp dport 22

'ip protocol tcp' can be removed in the ip family since it is redundant,
but not in the netdev, bridge and inet families, where we cannot make
assumptions on the layer 3 protocol.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
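The three entries above (meta_may_dependency_kill(), payload_may_dependency_kill() and payload_dependency_exists()) describe one decision: a protocol-key match that a higher-layer match already implies may be dropped from the listing in the ip family, but not in inet, bridge or netdev, where the rule would lose its layer-3 selection. The model below is an added illustration written for this log page; it is not nftables source, and its expression records, base numbering and decision order are assumptions chosen to reproduce the behaviour the messages describe.

```python
"""Model of nft's family-aware redundant-dependency removal (illustration only)."""
from dataclasses import dataclass

# Protocol bases, ordered the way nft orders them: link < network < transport.
LL_HDR, NETWORK_HDR, TRANSPORT_HDR = 0, 1, 2

# Families whose base chains only ever see one layer-3 protocol.
L3_FIXED_FAMILIES = {"ip", "ip6"}


@dataclass(frozen=True)
class Expr:
    text: str              # rule text, e.g. 'ip protocol tcp'
    kind: str              # 'payload' or 'meta'
    base: int              # protocol base of the header this expression reads
    is_protocol_key: bool  # EXPR_F_PROTOCOL: selects the protocol of the next base


def may_dependency_kill(family: str, dep: Expr, upper: Expr) -> bool:
    """True if 'dep' is redundant given 'upper' in this family.

    'upper' implies 'dep' only when it sits exactly one base above it: a
    transport match implies the network protocol key, a network match
    implies the link-layer protocol key.
    """
    if not dep.is_protocol_key or upper.base != dep.base + 1:
        return False
    if family in L3_FIXED_FAMILIES:
        return True
    # inet/bridge/netdev: a network-base payload protocol key such as
    # 'ip protocol tcp' also pins the layer-3 protocol, which the transport
    # match above it cannot express, so it must stay.
    if dep.kind == "payload" and dep.base == NETWORK_HDR:
        return False
    # Likewise keep meta nfproto / meta protocol / ether type when the
    # expression above them is such a kept network protocol key.
    if dep.base == LL_HDR and upper.kind == "payload" and upper.is_protocol_key:
        return False
    return True


def simplify(family: str, exprs: list) -> list:
    """Drop every expression that a later, higher-base expression implies."""
    kept = []
    for i, dep in enumerate(exprs):
        upper = next((e for e in exprs[i + 1:] if e.base > dep.base), None)
        if upper is not None and may_dependency_kill(family, dep, upper):
            continue
        kept.append(dep)
    return kept


def listing(family: str, exprs: list) -> str:
    """Render the rule the way a listing would show it after simplification."""
    return " ".join(e.text for e in simplify(family, exprs))


# Constructed expressions standing in for what delinearization builds.
IP_PROTO_TCP = Expr("ip protocol tcp", "payload", NETWORK_HDR, True)
TCP_DPORT_22 = Expr("tcp dport 22", "payload", TRANSPORT_HDR, False)
META_NFPROTO_IPV4 = Expr("meta nfproto ipv4", "meta", LL_HDR, True)
META_L4PROTO_TCP = Expr("meta l4proto tcp", "meta", NETWORK_HDR, True)
IP_DADDR = Expr("ip daddr 1.2.3.4", "payload", NETWORK_HDR, False)

if __name__ == "__main__":
    for fam in ("ip", "inet", "bridge"):
        print(fam.ljust(6), "->", listing(fam, [IP_PROTO_TCP, TCP_DPORT_22]))
```

Running it shows 'ip protocol tcp tcp dport 22' collapsing to 'tcp dport 22' in the ip family and surviving unchanged in inet and bridge, while a meta nfproto dependency in inet is still dropped when the upper match is a plain 'ip daddr'.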
payload: add payload_dependency_release() helper function
Pablo Neira Ayuso [Wed, 14 Feb 2018 15:26:46 +0000 (16:26 +0100)] 
payload: add payload_dependency_release() helper function

Wrap code that releases existing dependencies that we have just
annotated in the context structure.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: pass family to payload_dependency_kill()
Pablo Neira Ayuso [Wed, 14 Feb 2018 15:26:31 +0000 (16:26 +0100)] 
src: pass family to payload_dependency_kill()

This context information is very relevant when deciding if a redundant
dependency needs to be removed or not, specifically for the inet, bridge
and netdev families. This new parameter is used by follow up patch
entitled ("payload: add payload_may_dependency_kill()").

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
evaluate: Enable automerge feature for anonymous sets
Phil Sutter [Tue, 6 Feb 2018 18:18:47 +0000 (19:18 +0100)] 
evaluate: Enable automerge feature for anonymous sets

Automatic merging of adjacent/overlapping ranges upon insertion has
clear benefits performance- and readability-wise. The drawbacks which
led to disabling it by default don't apply to anonymous sets since they
are read-only anyway, so enable this feature for them again.

Cc: Jeff Kletsky <netfilter@allycomm.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
configure: Make missing docbook2man an error if man build requested
Ville Skyttä [Wed, 7 Feb 2018 09:40:00 +0000 (11:40 +0200)] 
configure: Make missing docbook2man an error if man build requested

Previously, if man page build was enabled but no suitable docbook2man or
the like tool was found, the build failed at a later stage with an
undescriptive error message. Fail early and explicitly at configure
stage instead.

Signed-off-by: Ville Skyttä <ville.skytta@iki.fi>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
tests: add test case for sets updated from packet path
Florian Westphal [Tue, 13 Feb 2018 14:28:00 +0000 (15:28 +0100)] 
tests: add test case for sets updated from packet path

Currently the kernel may pick a set implementation that doesn't provide
an ->update() function. This causes an error when the user attempts to
add the nftables rule that is supposed to add entries to the set.

Signed-off-by: Florian Westphal <fw@strlen.de>
tests: enable sets test case 27
Florian Westphal [Tue, 13 Feb 2018 14:27:13 +0000 (15:27 +0100)] 
tests: enable sets test case 27

needs +x, else run-tests.sh won't run it.

Signed-off-by: Florian Westphal <fw@strlen.de>
src: fix build with older glibc
Baruch Siach [Fri, 9 Feb 2018 12:49:50 +0000 (14:49 +0200)] 
src: fix build with older glibc

glibc before 2.19 missed the definition of IPPROTO_MH. This leads to
build failure:

parser_bison.y: In function 'nft_parse':
parser_bison.y:3793:21: error: 'IPPROTO_MH' undeclared (first use in this function)
    | MH { $$ = IPPROTO_MH; }
                     ^

Since we have a local definition of IPPROTO_MH in headers.h use that to
fix the build.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
build: Bump version to v0.8.2 (tag: v0.8.2)
Pablo Neira Ayuso [Fri, 2 Feb 2018 15:58:55 +0000 (16:58 +0100)] 
build: Bump version to v0.8.2

This release includes incremental fixes since last release plus meta
secpath support. libnftnl 1.0.9 is still OK as dependency, actually it
just prints meta secpath as unknown with --debug=netlink but I don't
think that is worth a libnftnl library release.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netlink_delinearize: add assertion to prevent infinite loop
Pablo Neira Ayuso [Fri, 2 Feb 2018 12:26:55 +0000 (13:26 +0100)] 
netlink_delinearize: add assertion to prevent infinite loop

The following configuration:

 table inet filter {
chain input {
ct original ip daddr {1.2.3.4} accept
}
 }

is triggering an infinite loop.

This problem also exists with concatenations and ct ip {s,d}addr. Until
we have a solution for this, let's just prevent infinite loops.

Now we hit this:

 # nft list ruleset
 nft: netlink_delinearize.c:124: netlink_parse_concat_expr: Assertion `consumed > 0' failed.
 Abort

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
doc: dup and fwd statements
Florian Westphal [Fri, 26 Jan 2018 13:27:12 +0000 (14:27 +0100)] 
doc: dup and fwd statements

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
tests/shell: Add back named_interval_automerging_0
Phil Sutter [Sat, 20 Jan 2018 13:21:01 +0000 (14:21 +0100)] 
tests/shell: Add back named_interval_automerging_0

Change the test to expect no automerging since it was disabled recently.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
tests: shell: fetch rule handle with '-a' option and then delete rule
Harsha Sharma [Tue, 23 Jan 2018 23:46:01 +0000 (05:16 +0530)] 
tests: shell: fetch rule handle with '-a' option and then delete rule

Fetch rule handle and then delete rule via that rule handle.

Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
tests: build: Add enable man page option.
Varsha Rao [Thu, 25 Jan 2018 15:18:52 +0000 (20:48 +0530)] 
tests: build: Add enable man page option.

Add test for man page compile option.

Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
configure: Remove macro AC_CHECK_FUNCS
Varsha Rao [Thu, 25 Jan 2018 15:18:53 +0000 (20:48 +0530)] 
configure: Remove macro AC_CHECK_FUNCS

Functions memmove, strchr, strerror and strdup are defined in string.h
header file. Also, strtoull is defined in stdlib.h header file. These
header files are checked by AC_CHECK_HEADERS macro. AC_CHECK_FUNCS macro
is not required, so remove it.

Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
update gitignore
Pablo M. Bermudo Garay [Wed, 24 Jan 2018 10:09:43 +0000 (11:09 +0100)] 
update gitignore

Add new internal libraries generated since [1] to the .gitignore file.

[1]: 0b3ccd27e12d ("build: Restore per object CFLAGS")

Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: add 'auto-merge' option to sets
Pablo Neira Ayuso [Mon, 22 Jan 2018 10:17:10 +0000 (11:17 +0100)] 
src: add 'auto-merge' option to sets

After discussions with Karel here:

https://bugzilla.netfilter.org/show_bug.cgi?id=1184

And later on with Phil Sutter, we decided to disable the automatic merge
feature in sets with intervals. This feature is problematic because it
introduces an inconsistency between what we add and what we later on
get. This is going to get worse with the upcoming timeout support for
intervals. Therefore, we turned off this by default.

However, Jeff Kletsky and folks like this feature, so let's restore this
behaviour on demand with this new 'auto-merge' statement, that you can
place on the set definition, eg.

 # nft list ruleset
 table ip x {
...
        set y {
                type ipv4_addr
                flags interval
                auto-merge
        }
 }
 # nft add element x z { 1.1.1.1-2.2.2.2, 1.1.1.2 }

Regarding implementation details: Given this feature only makes sense
from userspace, let's store this in the set user data area, so nft knows
it has to do automatic merge of adjacent/overlapping elements as per
user request.

 # nft add set x z { type ipv4_addr\; auto-merge\; }
 Error: auto-merge only works with interval sets
 add set x z { type ipv4_addr; auto-merge; }
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1216
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Revert ("src: Remove xt_stmt_() functions").
Pablo Neira Ayuso [Sat, 20 Jan 2018 12:38:55 +0000 (13:38 +0100)] 
Revert ("src: Remove xt_stmt_() functions").

Revert commit bce55916b51ec1a4c23322781e3b0c698ecc9561, we need this
code in place to properly make translation when iptables-compat loads
rules.

Reported-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
doc/nft.xml: mention nftables earlier
Arturo Borrero Gonzalez [Fri, 19 Jan 2018 12:17:47 +0000 (13:17 +0100)] 
doc/nft.xml: mention nftables earlier

Mention nftables earlier in the documentation, so users have more context on what
we are talking about.

This is Debian bug #887718, which contains:

<<<
Currently one must read down 100 lines before it is even mentioned.
You might want to make the connection between "nft" and "nftables" as
early as the NAME or DESCRIPTION.
>>>

Requested-by: Dan Jacobson <jidanni@jidanni.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
tests: build: Add README.
Varsha Rao [Wed, 17 Jan 2018 18:58:33 +0000 (00:28 +0530)] 
tests: build: Add README.

Add readme for compile options test script.

Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
configure: Allow to disable man page building
Phil Sutter [Tue, 16 Jan 2018 16:38:07 +0000 (17:38 +0100)] 
configure: Allow to disable man page building

Apparently there are distributions which come with incompatible docbook
implementations. On those, forced man page creation if the required
binaries are found leads to build failure.

Allow them to conveniently disable man page output instead of having to
pass undocumented variables to configure.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
configure: Fix help text regarding --enable-debug
Phil Sutter [Tue, 16 Jan 2018 16:38:06 +0000 (17:38 +0100)] 
configure: Fix help text regarding --enable-debug

Debugging symbols are enabled by default, so list '--disable-debug' in
help output rather than '--enable-debug'. This way it is also consistent
with the parameter's description.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
build: Eliminate forgotten traces of libnftables exporting
Phil Sutter [Tue, 16 Jan 2018 16:19:57 +0000 (17:19 +0100)] 
build: Eliminate forgotten traces of libnftables exporting

This removes libnftables pkg-config file along with the few lines of
code to adjust and install it.

Fixes: d572d59788143 ("Make libnftables a local static library")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
configure: Remove AC_HEADER_STDBOOL, AC_C_ and AC_TYPE_ macros
Varsha Rao [Fri, 19 Jan 2018 03:00:17 +0000 (08:30 +0530)] 
configure: Remove AC_HEADER_STDBOOL, AC_C_ and AC_TYPE_ macros

The following macros check if particular C types in specific header files
exist; these header files define them and are already included in the
source code. So, remove them.

AC_HEADER_STDBOOL - stdbool.h
AC_TYPE_INT and AC_TYPE_UINT - stdint.h or inttypes.h
AC_TYPE_OFF_T and AC_TYPE_UID_T - sys/types.h
AC_TYPE_SIZE_T - stddef.h, string.h, stdlib.h or stdio.h

Remove AC_C_CONST and AC_C_INLINE as gcc supports inline and const
keywords.

Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
tests: shell: Add tests for low level json import
Shyam Saini [Tue, 5 Dec 2017 14:07:35 +0000 (19:37 +0530)] 
tests: shell: Add tests for low level json import

Test "nft import vm json".

Basically it loads same set of rules by "nft -f" and "nft import vm json"
and prints differences (if any) in the ruleset listed by "nft list
ruleset" in each case.

For Example:
$ ./run-tests.sh testcases/import/vm_json_import_0

Signed-off-by: Shyam Saini <mayhs11saini@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: Add import command for low level json
Shyam Saini [Tue, 5 Dec 2017 14:07:34 +0000 (19:37 +0530)] 
src: Add import command for low level json

This new operation allows importing a low level virtual machine ruleset in
json to make incremental changes using the parse functions of libnftnl.

A basic way to test this new functionality is:

 $ cat file.json | nft import vm json

where the file.json is a ruleset exported in low level json format.

To export json rules in low level virtual machine format
we need to specify "vm" token before json. See below
        $ nft export vm json

and
        $ nft export/import json

will do no operations.
Same goes with "$nft monitor".

Highly based on work from  Alvaro Neira <alvaroneay@gmail.com>
and Arturo Borrero <arturo@netfilter.org>

Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Shyam Saini <mayhs11saini@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
tests: Add test for compile options.
Varsha Rao [Tue, 16 Jan 2018 02:30:36 +0000 (08:00 +0530)] 
tests: Add test for compile options.

This patch adds a script to test available compile options.

Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
meta: add secpath support
Florian Westphal [Fri, 1 Dec 2017 12:40:21 +0000 (13:40 +0100)] 
meta: add secpath support

This can be used to check if a packet has a secpath attached to it, i.e.
was subject to ipsec processing.  Example:

add rule inet raw prerouting meta secpath exists accept

Signed-off-by: Florian Westphal <fw@strlen.de>
build: Bump version to v0.8.1 (tag: v0.8.1)
Pablo Neira Ayuso [Tue, 9 Jan 2018 15:26:39 +0000 (16:26 +0100)] 
build: Bump version to v0.8.1

A release including incremental fixes since last release. Still it needs
libnftnl 1.0.9 because of nftnl_expr_fprint().

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: Don't merge adjacent/overlapping ranges
Phil Sutter [Wed, 10 Jan 2018 20:32:04 +0000 (21:32 +0100)] 
src: Don't merge adjacent/overlapping ranges

Previously, when adding multiple ranges to a set they were merged if
overlapping or adjacent. This might cause inconvenience though since it
is afterwards not easily possible anymore to remove one of the merged
ranges again while keeping the others in place.

Since it is not possible to have overlapping ranges, this patch adds a
check for newly added ranges to make sure they don't overlap if merging
is turned off.

Note that it is not possible (yet?) to enable range merging using nft
tool.

The testsuite had to be adjusted as well: one test in tests/py was changed
to avoid adding overlapping ranges, and the test in tests/shell which
explicitly tests for this feature was dropped.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
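The entry above, the 'auto-merge' set option earlier in this log, and the change enabling automerge for anonymous sets all turn on one behaviour: whether ranges added to an interval set are coalesced when they overlap or touch. The following is an added example written for this page, not nftables code; it models set elements as inclusive IPv4 integer ranges and reproduces the two behaviours side by side, including the "what we add is not what we get back" effect that motivated turning merging off by default and the overlap rejection the non-merging path needs. The element strings and set contents are constructed.

```python
"""Interval-set insertion with and without auto-merge (illustration only)."""
import ipaddress


def parse_element(text: str) -> tuple:
    """Turn '1.1.1.1-2.2.2.2', '10.0.0.0/8' or '1.1.1.2' into an inclusive (lo, hi)."""
    if "-" in text:
        lo, hi = (int(ipaddress.IPv4Address(p)) for p in text.split("-", 1))
    elif "/" in text:
        net = ipaddress.IPv4Network(text, strict=False)
        lo, hi = int(net.network_address), int(net.broadcast_address)
    else:
        lo = hi = int(ipaddress.IPv4Address(text))
    if lo > hi:
        raise ValueError(f"range {text} is inverted")
    return lo, hi


def fmt(rng: tuple) -> str:
    """Render one range the way nft prints interval elements."""
    lo, hi = rng
    a, b = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
    return str(a) if lo == hi else f"{a}-{b}"


def merge(ranges: list) -> list:
    """Coalesce overlapping and adjacent ranges: the auto-merge behaviour."""
    out = []
    for lo, hi in sorted(ranges):
        if out and lo <= out[-1][1] + 1:      # overlaps or touches the previous one
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out


def add_elements(existing: list, new: list, auto_merge: bool) -> list:
    """Set contents after adding 'new' to 'existing'.

    With auto_merge the result is the coalesced union. Without it, a new
    range that overlaps an existing or another new range is rejected,
    while adjacent ranges stay separate so each can later be deleted alone.
    """
    candidates = list(existing) + list(new)
    if auto_merge:
        return merge(candidates)
    candidates.sort()
    for (lo1, hi1), (lo2, hi2) in zip(candidates, candidates[1:]):
        if lo2 <= hi1:                        # sorted, so this is the only overlap case
            raise ValueError(f"conflicting intervals {fmt((lo1, hi1))} and {fmt((lo2, hi2))}")
    return candidates


def listing(ranges: list) -> str:
    """Render like the 'elements = { ... }' line of a set listing."""
    return "{ " + ", ".join(fmt(r) for r in ranges) + " }"


if __name__ == "__main__":
    added = [parse_element("1.1.1.1-2.2.2.2"), parse_element("1.1.1.2")]
    print("auto-merge:", listing(add_elements([], added, auto_merge=True)))
    halves = add_elements([parse_element("10.0.0.0-10.0.0.9")],
                          [parse_element("10.0.0.10-10.0.0.19")], auto_merge=False)
    print("no merge:  ", listing(halves))
```

With auto-merge the two elements come back as the single range 1.1.1.1-2.2.2.2, so the element 1.1.1.2 the user added can no longer be deleted on its own; without it the two adjacent tens stay separate and an overlapping 10.0.0.5 is refused at insertion time.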
build: Restore per object CFLAGS
Phil Sutter [Wed, 10 Jan 2018 12:43:21 +0000 (13:43 +0100)] 
build: Restore per object CFLAGS

As per the automake manual, create internal libraries for parser and
mini-gmp sources so per-object flags can be set.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
include: refresh nf_tables.h cached copy
Pablo Neira Ayuso [Mon, 8 Jan 2018 21:15:20 +0000 (22:15 +0100)] 
include: refresh nf_tables.h cached copy

Refresh it to fetch what we have in 4.15-rc.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: do not print limit keyword inside object definition
Pablo M. Bermudo Garay [Fri, 22 Dec 2017 17:26:10 +0000 (18:26 +0100)] 
src: do not print limit keyword inside object definition

table ip limits {
    limit foo {
        limit rate 5/second
        ^^^^^
    }
}

This behaviour is inconsistent and breaks the restoration of saved
rule-sets with "nft -f".

Fixes: c0697eabe832 ("src: add stateful object support for limit")
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: fix protocol context update on big-endian systems
Phil Sutter [Sat, 9 Dec 2017 15:52:29 +0000 (16:52 +0100)] 
src: fix protocol context update on big-endian systems

There is an obscure bug on big-endian systems when trying to list a rule
containing the expression 'ct helper tftp' which triggers the assert()
call in mpz_get_type().

Florian identified the cause: ct_expr_pctx_update() is called for the
relational expression which calls mpz_get_uint32() to get RHS value
(assuming it is a protocol number). On big-endian systems, the
misinterpreted value exceeds UINT_MAX.

Expressions' pctx_update() callback should only be called for protocol
matches, so ct_meta_common_postprocess() lacked a check for 'left->flags
& EXPR_F_PROTOCOL' like the one already present in
payload_expr_pctx_update().

In order to fix this in a clean way, this patch introduces a wrapper
relational_expr_pctx_update() to be used instead of directly calling
LHS's pctx_update() callback which unifies the necessary checks (and
adds one more assert):

- assert(expr->ops->type == EXPR_RELATIONAL)
  -> This is new, just to ensure the wrapper is called properly.
- assert(expr->op == OP_EQ)
  -> This was moved from {ct,meta,payload}_expr_pctx_update().
- left->ops->pctx_update != NULL
  -> This was taken from expr_evaluate_relational(), a necessary
     requirement for the introduced wrapper to function at all.
- (left->flags & EXPR_F_PROTOCOL) != 0
  -> The crucial missing check which led to the problem.

Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
netlink_linearize: exthdr op must be u32
Florian Westphal [Mon, 11 Dec 2017 09:06:55 +0000 (10:06 +0100)] 
netlink_linearize: exthdr op must be u32

libnftnl casts this to u32. Broke exthdr expressions on bigendian.

Reported-by: Li Shuang <shuali@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
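The entry above says only that libnftnl casts the exthdr op to u32 and that a narrower store broke big-endian hosts. The snippet below is an added illustration of that class of bug, written for this page; it is not nftables or libnftnl code and does not reproduce their attribute handling. It models the general mechanism: the writer stores a u8 at the lowest address of a 4-byte slot, and the reader loads the whole slot as a u32 in host byte order, which only agrees with the writer when the host is little-endian.

```python
"""Why a u8 store read back through a u32 cast only breaks on big-endian hosts."""


def store_u8_in_u32_slot(value: int) -> bytes:
    """Writer bug: a u8 written at the slot's lowest address, the rest left zeroed."""
    if not 0 <= value <= 0xFF:
        raise ValueError("u8 out of range")
    return bytes([value]) + b"\x00\x00\x00"


def store_u32(value: int, byteorder: str) -> bytes:
    """Writer fixed: the full u32 in the host's byte order."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("u32 out of range")
    return value.to_bytes(4, byteorder)


def load_u32(slot: bytes, byteorder: str) -> int:
    """Reader: a u32 cast of the 4-byte slot in host byte order."""
    if len(slot) != 4:
        raise ValueError("u32 slot must be 4 bytes")
    return int.from_bytes(slot, byteorder)


def round_trip(value: int, byteorder: str, writer_width: int) -> int:
    """What a reader on a host of the given endianness sees for 'value'."""
    if writer_width == 1:
        slot = store_u8_in_u32_slot(value)
    elif writer_width == 4:
        slot = store_u32(value, byteorder)
    else:
        raise ValueError("writer width must be 1 or 4")
    return load_u32(slot, byteorder)


if __name__ == "__main__":
    for host in ("little", "big"):
        print(f"{host:6} host: u8 writer -> {round_trip(1, host, 1):#010x}, "
              f"u32 writer -> {round_trip(1, host, 4):#010x}")
```

On a little-endian host both writers yield 1; on a big-endian host the u8 writer yields 0x01000000, which is why the breakage was only reported there.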
tests/py: trivial: Fix error message
Phil Sutter [Sat, 9 Dec 2017 15:53:10 +0000 (16:53 +0100)] 
tests/py: trivial: Fix error message

The error message for failed chain creation quotes the chain's name but
lacked the closing tick.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
Make libnftables a local static library
Phil Sutter [Thu, 30 Nov 2017 18:36:23 +0000 (19:36 +0100)] 
Make libnftables a local static library

This changes Makefiles so that libnftables is built into a static
library which is not installed. This allows for incompatible changes
while still providing a library to link to for testing purposes.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
doc: nft.8 aim for consistent synopses throughout
Duncan Roe [Sat, 2 Dec 2017 11:04:43 +0000 (22:04 +1100)] 
doc: nft.8 aim for consistent synopses throughout

Single items in braces have the braces removed as per wiki Scripting:
"It is simply overkill to define a set that only stores one single element".
Items that were in braces or square brackets are made consistent, e.g. {family}
expands to a single word ip, inet &c., but (type) in set spec expands to
"type type_name ;".

Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Florian Westphal <fw@strlen.de>
tests/py: add test for empty string match
Harsha Sharma [Tue, 28 Nov 2017 11:25:49 +0000 (16:55 +0530)] 
tests/py: add test for empty string match

This patch adds tests for empty string match which fails with error "Empty
string is not allowed".

Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ct: don't print newline if label bit cannot be mapped
Florian Westphal [Mon, 27 Nov 2017 22:59:45 +0000 (23:59 +0100)] 
ct: don't print newline if label bit cannot be mapped

Signed-off-by: Florian Westphal <fw@strlen.de>
evaluate: print error for null string
Harsha Sharma [Thu, 23 Nov 2017 18:55:14 +0000 (00:25 +0530)] 
evaluate: print error for null string

Print error "Empty string is not allowed", eg.

# nft add rule filter input meta iifname '""'
add rule filter input meta iifname ""
                                           ^^
Error: Empty String is not allowed

Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
doc: nft.8 Syslog level is introduced by "level" not "syslog-level"
Duncan Roe [Sun, 26 Nov 2017 23:30:29 +0000 (10:30 +1100)] 
doc: nft.8 Syslog level is introduced by "level" not "syslog-level"

The log synopsis line correctly documents that keyword "level" introduces
"syslog-level", but the keyword table entry did not.

Discovered on trying to use "syslog-level" in a script.

Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parser_bison: no need for 'name' token for meters
Pablo Neira Ayuso [Fri, 24 Nov 2017 12:33:47 +0000 (13:33 +0100)] 
parser_bison: no need for 'name' token for meters

Rework grammar to skip the 'name' token after 'meter' for named meters.
For consistency with sets and maps in terms of syntax.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parser_bison: dismiss anonymous meters
Pablo Neira Ayuso [Fri, 24 Nov 2017 12:58:57 +0000 (13:58 +0100)] 
parser_bison: dismiss anonymous meters

The former 'flow table' syntax allows flow tables with no name:

 # nft add rule x y flow { ip saddr counter }

However, when listing, it leaks the name that it is autoallocating.

 # nft list ruleset
 table ip x {
        chain y {
                flow table __mt0 { ip saddr counter}
        }
 }

Which is odd since then restoring will use such a name.

Remove anonymous flow table/meters, so everyone needs to specify a name.

There is no way to fix this, given the anonymous flag tells us that the set
behind this meter is bound to a rule, hence released once the rule is
gone; the term "anonymous" was not a good choice as a flag in the first
place. The only possibility is to strcmp for __ft to identify this as a
nameless meter, which is a hack.

Moreover, having no name means you cannot flush the set behind this
meter, which cripples this feature for no reason.

On top of it, the wiki only documents named meters, and we have a record
of users complaining on this behaviour.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Florian Westphal <fw@strlen.de>
src: deprecate "flow table" syntax, replace it by "meter"
Pablo Neira Ayuso [Thu, 23 Nov 2017 14:14:01 +0000 (15:14 +0100)] 
src: deprecate "flow table" syntax, replace it by "meter"

According to bugzilla 1137: "flow tables" should not be syntactically
unique.

"Flow tables are always named, but they don't conform to the way sets,
maps, and dictionaries work in terms of "add" and "delete" and all that.

They are also "flow tables" instead of one word like "flows" or
"throttle" or something.

It seems weird to just have these break the syntactic expectations."

Personally, I never liked the reference to "table" since we have had very
specific semantics in terms of what a "table" is in netfilter for a long
time.

This patch promotes "meter" as the new keyword. The former syntax is
still accepted for a while, just to reduce chances of breaking things.
At some point the former syntax will just be removed.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1137
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
gmputil: turn mpz_printf into mpz_vfprintf to restore --with-mini-gmp
Pablo Neira Ayuso [Wed, 22 Nov 2017 19:21:04 +0000 (20:21 +0100)] 
gmputil: turn mpz_printf into mpz_vfprintf to restore --with-mini-gmp

2535ba7006f2 ("src: get rid of printf") uses gmp_vfprintf() which
doesn't exist in mini-gmp.c, this breaks compilation with --mini-gmp.

This patch implements poor man's gmp_vfprintf that takes one single
argument which is what we need.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
utils: fix one compilation error with --with-mini-gmp
Pablo Neira Ayuso [Wed, 22 Nov 2017 18:59:12 +0000 (19:59 +0100)] 
utils: fix one compilation error with --with-mini-gmp

Restore some code that is needed, until we have a version of gmp_printf
that takes variable arguments.

In file included from ../include/utils.h:12:0,
                 from ../include/nftables.h:6,
                 from ../include/rule.h:5,
                 from segtree.c:15:
segtree.c: In function ‘ei_insert’:
../include/gmputil.h:12:20: error: too many arguments to function ‘mpz_printf’
 #define gmp_printf mpz_printf

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
tests: shell: Prevent lockout in nft-f/0008split_tables_0
Phil Sutter [Tue, 21 Nov 2017 22:13:39 +0000 (23:13 +0100)] 
tests: shell: Prevent lockout in nft-f/0008split_tables_0

Since packets traverse both tables, the accept rule in the first one is
ineffective due to the second table's drop policy. To prevent lockouts
when running the testsuite via SSH connection, set the second chain's
policy to accept as well.

Fixes: 337c7e0de3d9d ("tests: shell: make sure split table definition works via nft -f")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
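The lockout described above follows from how base chains are evaluated: every table with a base chain on a hook sees the packet, a verdict of accept only ends evaluation in that chain, and a drop anywhere is final. The simulator below is an added example written for this page, not nftables code; it models just those rules (no jump/goto/return, no queue, no real packet parsing) and uses constructed addresses and ports to show why the first table's accept rule cannot override the second table's drop policy, and why setting that policy to accept resolves it.

```python
"""Two tables on one hook: accept is per chain, drop is final (illustration only)."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    saddr: str
    dport: int
    proto: str = "tcp"


@dataclass
class BaseChain:
    table: str
    hook: str
    priority: int
    policy: str                                 # 'accept' or 'drop'
    rules: list = field(default_factory=list)   # (match_fn, verdict) pairs


def chain_verdict(chain: BaseChain, pkt: Packet) -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    for match, verdict in chain.rules:
        if match(pkt):
            return verdict
    return chain.policy


def traverse(chains: list, hook: str, pkt: Packet) -> tuple:
    """Run the packet through every base chain at 'hook' in priority order.

    Returns (final verdict, table that decided it or None). Equal priorities
    keep registration order, which sorted() preserves.
    """
    for chain in sorted((c for c in chains if c.hook == hook), key=lambda c: c.priority):
        verdict = chain_verdict(chain, pkt)
        if verdict == "drop":
            return "drop", chain.table
        # 'accept' only ends this chain; the next table still sees the packet.
    return "accept", None


def ssh_from_admin(pkt: Packet) -> bool:
    """Constructed match standing in for the test's accept rule."""
    return pkt.proto == "tcp" and pkt.dport == 22 and pkt.saddr == "192.0.2.10"


def split_tables(second_policy: str) -> list:
    """Two tables hooking 'input', like the split definition the test loads."""
    return [
        BaseChain("t1", "input", 0, "drop", [(ssh_from_admin, "accept")]),
        BaseChain("t2", "input", 0, second_policy),
    ]


if __name__ == "__main__":
    ssh = Packet("192.0.2.10", 22)
    print("second table drop:  ", traverse(split_tables("drop"), "input", ssh))
    print("second table accept:", traverse(split_tables("accept"), "input", ssh))
```

With the second table's policy at drop, the admin's SSH packet is accepted by t1 and then dropped by t2, which is the lockout; with it at accept the packet survives, while traffic that t1 itself drops is still dropped regardless of t2.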
libnftables: Ensure output_fp is never NULL
Phil Sutter [Mon, 20 Nov 2017 15:54:04 +0000 (16:54 +0100)] 
libnftables: Ensure output_fp is never NULL

Initialize output_fp to 'stdout' upon context creation and check output
stream validity in nft_ctx_set_output(). This allows dropping the checks in
nft_{gmp_,}print() and do_command_export(). While doing so for the
latter, simplify it a bit by using nft_print() which takes care of
flushing the output stream.

If applications desire to drop all output, they are supposed to open
/dev/null and assign that.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
doc: nft.8 document use of -f option to start nft scripts
Duncan Roe [Sun, 19 Nov 2017 09:51:50 +0000 (20:51 +1100)] 
doc: nft.8 document use of -f option to start nft scripts

The man page didn't document nft scripts at all before, so putting that with the
-f option seemed as good a place as any. It does work to start scripts
is also updated.

Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Florian Westphal <fw@strlen.de>
tests: shell: Add test for IPv4 Mapped IPv6 address.
Varsha Rao [Sun, 19 Nov 2017 12:34:32 +0000 (18:04 +0530)] 
tests: shell: Add test for IPv4 Mapped IPv6 address.

This patch adds test case for IPv4 Mapped IPv6 address.

Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
tests: shell: Rename 0025named_limit_0 to 0026named_limit_0
Varsha Rao [Sun, 19 Nov 2017 12:34:32 +0000 (18:04 +0530)] 
tests: shell: Rename 0025named_limit_0 to 0026named_limit_0

This renames file 0025named_limit_0 to 0026named_limit_0, there is
already a test whose prefix is 0025.

Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: tests: files: Remove test files.
Varsha Rao [Mon, 13 Nov 2017 17:15:51 +0000 (22:45 +0530)] 
src: tests: files: Remove test files.

This patch removes all the test cases from tests/files. As they are
already present in other test files.

Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
rule: Make 'nft export' respect output_fp
Phil Sutter [Thu, 16 Nov 2017 08:06:28 +0000 (09:06 +0100)] 
rule: Make 'nft export' respect output_fp

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
libnftables: Split code into frontend and library
Phil Sutter [Tue, 14 Nov 2017 20:17:10 +0000 (21:17 +0100)] 
libnftables: Split code into frontend and library

This finally creates the libnftables shared object.

For some reason, this causes two compiler warnings to appear:

| parser_bison.y: In function 'nft_parse':
| parser_bison.y:131:3: warning: implicit declaration of function 'nft_set_debug' [-Wimplicit-function-declaration]
|    nft_set_debug(1, scanner);
|    ^~~~~~~~~~~~~
| parser_bison.c:64:25: warning: implicit declaration of function 'nft_lex' [-Wimplicit-function-declaration]
|  #define yylex           nft_lex
|                          ^
| parser_bison.c:4745:16: note: in expansion of macro 'yylex'
|        yychar = yylex (&yylval, &yylloc, scanner);

So this patch contains a workaround, namely declaring both functions
in src/parser_bison.y. During linking the objects are found, so this is
rather a matter of cosmetics.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago - libnftables: Unexport enum nftables_exit_codes
Phil Sutter [Mon, 13 Nov 2017 14:08:16 +0000 (15:08 +0100)] 
libnftables: Unexport enum nftables_exit_codes

Apart from SUCCESS/FAILURE, these codes were not used by library
functions simply because NOMEM and NONL conditions lead to calling
exit() instead of propagating the error condition back up the call
stack.

Instead, make nft_run_cmd_from_*() return either 0 or -1 on error.
Usually errno will then contain more details about what happened and/or
there are messages in erec.

Calls to exit()/return in main() are adjusted to stay compatible.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago - Eliminate struct mnl_ctx
Phil Sutter [Fri, 10 Nov 2017 23:06:17 +0000 (00:06 +0100)] 
Eliminate struct mnl_ctx

The issue leading to this patch was that debug output in nft_mnl_talk()
bypasses the application-defined output_fp. While investigating, another
problem was discovered: Most of the ad-hoc defined mnl_ctx objects have
their field 'debug_mask' set to zero regardless of what netlink_ctx
contains (this affects non-batch code path only).

The intuitive solution to both of those issues required to extend
function parameters of all the non-batch functions as well as the common
nft_mnl_talk() one. Instead of complicating them even further, this
patch instead makes them accept a pointer to netlink_ctx as first
parameter to gather both the old (nf_sock, seqnum) and the new values
(debug_mask, octx) from.

Since after the above change struct mnl_ctx was not really used anymore,
the remaining places were adjusted as well to allow for removing the
struct altogether.

Note that cache routines needed special treatment: Although parameters
of cache_update() make it a candidate for the same change, it can't be
converted since it is called in evaluation phase sometimes in which
there is no netlink context available (but just eval context instead).
Since netlink_genid_get() needs a netlink context though, the ad-hoc
netlink_ctx definition from cache_init() is moved into cache_update() to
have it available there already.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago - libnftables: Flush iface cache after command execution
Phil Sutter [Thu, 9 Nov 2017 12:24:57 +0000 (13:24 +0100)] 
libnftables: Flush iface cache after command execution

Commit 94a945ffa81b7 ("libnftables: Get rid of explicit cache flushes")
was a bit too optimistic in that it missed the remaining need to flush
interface cache after each command in interactive mode - otherwise,
newly added interfaces won't be recognized.

Although cli.c only calls nft_run_cmd_from_buffer(), flush caches in
nft_run_cmd_from_filename() as well for matters of consistency.

Fixes: 94a945ffa81b7 ("libnftables: Get rid of explicit cache flushes")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago - tests/monitor: Print error "this requires root" and exit
Harsha Sharma [Mon, 6 Nov 2017 15:34:05 +0000 (21:04 +0530)] 
tests/monitor: Print error "this requires root" and exit

If executed without root privileges, print error "this requires root!"
and exit.

Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago - tests: shell: Add test case for map expression.
Varsha Rao [Sun, 29 Oct 2017 20:49:31 +0000 (02:19 +0530)] 
tests: shell: Add test case for map expression.

Add tests for different map expressions.

Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago - parser: allow classid as set key
Arturo Borrero Gonzalez [Sun, 5 Nov 2017 22:28:32 +0000 (23:28 +0100)] 
parser: allow classid as set key

Allow TC classid as set key.

Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Reported-by: Tomas Mudrunka <mudrunka@spoje.net>
Tested-by: Tomas Mudrunka <mudrunka@spoje.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago - tests: nft removes required inet dependency expressions
Florian Westphal [Mon, 23 Oct 2017 22:14:04 +0000 (00:14 +0200)] 
tests: nft removes required inet dependency expressions

+inet/meta.t: line: 10: 'add rule inet t input meta nfproto ipv6 tcp dport 22': 'meta nfproto ipv6 tcp dport 22' mismatches 'tcp dport 22'
+inet/meta.t: line: 11: 'add rule inet t input meta nfproto ipv4 tcp dport 22': 'meta nfproto ipv4 tcp dport 22' mismatches 'tcp dport 22'
+inet/meta.t: line: 13: 'add rule inet t input meta nfproto ipv6 meta l4proto tcp': 'meta nfproto ipv6 meta l4proto 6' mismatches 'meta l4proto 6'
+inet/ip_tcp.t: line: 20: 'src/nft add rule inet test input ether type ip tcp dport 22': 'ether type ip tcp dport 22' mismatches 'tcp dport 22'

All of these are actual errors, i.e. meaning of rule is changed.

Signed-off-by: Florian Westphal <fw@strlen.de>
7 years ago - tests: enable ip/ip.t for bridge protocol, too
Florian Westphal [Fri, 20 Oct 2017 14:17:54 +0000 (16:17 +0200)] 
tests: enable ip/ip.t for bridge protocol, too

This does not add any additional warnings, it just increases
coverage to bridge.

Signed-off-by: Florian Westphal <fw@strlen.de>
7 years ago - tests: nft removes required payload protocol expressions
Florian Westphal [Wed, 22 Mar 2017 23:50:45 +0000 (00:50 +0100)] 
tests: nft removes required payload protocol expressions

This test fails with
'ip protocol tcp tcp dport 22' mismatches 'tcp dport 22'

ip protocol tcp tcp dport 22 is *ONLY* the same as 'tcp dport 22' in the
ip family.

For netdev/inet/bridge, the dependency is required, as it restricts
matching to ipv4.

Signed-off-by: Florian Westphal <fw@strlen.de>
7 years ago - tests: add test case that checks icmp6 in-ipv4
Florian Westphal [Wed, 18 Oct 2017 23:58:47 +0000 (01:58 +0200)] 
tests: add test case that checks icmp6 in-ipv4

nft does not handle this correctly.

This test fails. In:
inet input ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type 1
Out:
meta l4proto 58 icmpv6 type destination-unreachable

which loses the "ipv4" dependency, i.e. listing should show the rule as-is.

Signed-off-by: Florian Westphal <fw@strlen.de>
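The three test commits above (payload protocol dependencies, inet meta dependencies and ICMPv6 carried in IPv4) all turn on the same point: in the inet, bridge and netdev families, a rule written as 'ip protocol tcp tcp dport 22' applies to IPv4 packets only, whereas the 'tcp dport 22' that the faulty listing produced also matches IPv6. The toy evaluator below is an added example and not nftables code. The packets, the expression kinds and the way each rule is broken into kernel-level expressions are constructed for illustration (only the NFPROTO_* numbers follow the kernel's values); it counts how many constructed packets each form of the rule accepts.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of inet-family rule matching (example code, not nftables').
 * A packet records which network header it really carries plus the
 * transport fields; expressions are the pieces nft generates for a rule. */

enum nfproto { NFPROTO_IPV4_ = 2, NFPROTO_IPV6_ = 10 };	/* kernel values */
enum l4 { L4_TCP = 6, L4_UDP = 17, L4_ICMPV6 = 58 };

struct packet {
	enum nfproto nfproto;	/* network header the packet actually has */
	uint8_t l4proto;	/* IPv4 protocol / IPv6 nexthdr field */
	uint16_t dport;		/* transport destination port, 0 if none */
	uint8_t icmp_type;	/* ICMP type, 0 if none */
};

enum expr_kind {
	EXPR_META_NFPROTO,	/* dependency implied by reading the ip header */
	EXPR_META_L4PROTO,	/* dependency implied by reading a tcp/icmp field */
	EXPR_PAYLOAD_NH_PROTO,	/* "ip protocol" field */
	EXPR_PAYLOAD_TH_DPORT,	/* "tcp dport" field */
	EXPR_PAYLOAD_ICMPV6_TYPE,
};

struct expr { enum expr_kind kind; unsigned int value; };

static bool expr_matches(const struct expr *e, const struct packet *p)
{
	switch (e->kind) {
	case EXPR_META_NFPROTO:		return p->nfproto == e->value;
	case EXPR_META_L4PROTO:		return p->l4proto == e->value;
	case EXPR_PAYLOAD_NH_PROTO:	return p->l4proto == e->value;
	case EXPR_PAYLOAD_TH_DPORT:	return p->dport == e->value;
	case EXPR_PAYLOAD_ICMPV6_TYPE:	return p->icmp_type == e->value;
	}
	return false;
}

/* Constructed traffic sample: one packet per case we care about. */
static const struct packet sample[] = {
	{ NFPROTO_IPV4_, L4_TCP,    22, 0 },	/* IPv4 TCP to port 22 */
	{ NFPROTO_IPV6_, L4_TCP,    22, 0 },	/* IPv6 TCP to port 22 */
	{ NFPROTO_IPV4_, L4_UDP,    22, 0 },	/* IPv4 UDP to port 22 */
	{ NFPROTO_IPV6_, L4_ICMPV6,  0, 1 },	/* ICMPv6 dest-unreachable over IPv6 */
	{ NFPROTO_IPV4_, L4_ICMPV6,  0, 1 },	/* ICMPv6 carried directly in IPv4 */
};
#define N_SAMPLE (sizeof(sample) / sizeof(sample[0]))

/* Number of sample packets matched by the rule (all expressions ANDed). */
int rule_match_count(const struct expr *exprs, size_t n)
{
	int hits = 0;
	for (size_t i = 0; i < N_SAMPLE; i++) {
		bool ok = true;
		for (size_t j = 0; j < n && ok; j++)
			ok = expr_matches(&exprs[j], &sample[i]);
		hits += ok;
	}
	return hits;
}

/* inet: "ip protocol tcp tcp dport 22" as written; the ip header read
 * carries an nfproto ipv4 dependency. */
static const struct expr tcp_written[] = {
	{ EXPR_META_NFPROTO, NFPROTO_IPV4_ }, { EXPR_PAYLOAD_NH_PROTO, L4_TCP },
	{ EXPR_META_L4PROTO, L4_TCP },        { EXPR_PAYLOAD_TH_DPORT, 22 },
};
/* What the faulty listing collapsed it to: "tcp dport 22". */
static const struct expr tcp_listed[] = {
	{ EXPR_META_L4PROTO, L4_TCP }, { EXPR_PAYLOAD_TH_DPORT, 22 },
};
/* inet: "ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type 1"
 * versus the listed "meta l4proto 58 icmpv6 type destination-unreachable". */
static const struct expr icmp_written[] = {
	{ EXPR_META_NFPROTO, NFPROTO_IPV4_ }, { EXPR_PAYLOAD_NH_PROTO, L4_ICMPV6 },
	{ EXPR_META_L4PROTO, L4_ICMPV6 },     { EXPR_PAYLOAD_ICMPV6_TYPE, 1 },
};
static const struct expr icmp_listed[] = {
	{ EXPR_META_L4PROTO, L4_ICMPV6 }, { EXPR_PAYLOAD_ICMPV6_TYPE, 1 },
};

#define COUNT(r) rule_match_count(r, sizeof(r) / sizeof(r[0]))
int tcp_written_hits(void)  { return COUNT(tcp_written); }
int tcp_listed_hits(void)   { return COUNT(tcp_listed); }
int icmp_written_hits(void) { return COUNT(icmp_written); }
int icmp_listed_hits(void)  { return COUNT(icmp_listed); }

int main(void)
{
	printf("ip protocol tcp tcp dport 22        : %d packet(s)\n", tcp_written_hits());
	printf("tcp dport 22 (as mis-listed)        : %d packet(s)\n", tcp_listed_hits());
	printf("ip protocol ipv6-icmp ... type 1    : %d packet(s)\n", icmp_written_hits());
	printf("meta l4proto 58 icmpv6 type 1       : %d packet(s)\n", icmp_listed_hits());
	return 0;
}
```

The written forms match one packet each, the mis-listed forms match two: the IPv6 packet slips in. That is why the tests treat the shortened output as a real error rather than cosmetics, and why a listing that is saved and fed back with nft -f must preserve the dependency, otherwise the reloaded rule is wider than the one the operator wrote.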
7 years ago - tests: icmpX: fix expected output
Florian Westphal [Thu, 26 Oct 2017 12:26:41 +0000 (14:26 +0200)] 
tests: icmpX: fix expected output

both of these rules succeed, but they should fail instead.
nft removes the 'ip6 nexthdr' clause, but this is not correct: it is an
explicit test for the ipv6 nexthdr value.

Implicit dependencies use meta l4proto to skip extension headers
(if any), ipv6 nexthdr does not.

Signed-off-by: Florian Westphal <fw@strlen.de>
7 years ago - tests: fix harmless typo in table name
Florian Westphal [Mon, 23 Oct 2017 08:47:58 +0000 (10:47 +0200)] 
tests: fix harmless typo in table name

table name should be 'test-ip', not inet.

Signed-off-by: Florian Westphal <fw@strlen.de>
7 years ago - libnftables: Get rid of explicit cache flushes
Phil Sutter [Wed, 25 Oct 2017 11:40:29 +0000 (13:40 +0200)] 
libnftables: Get rid of explicit cache flushes

In the past, CLI as a potentially long running process had to make sure
it kept its cache up to date with the kernel's rule set. A simple test case
is this:

| shell a | shell b
| | # nft -i
| # nft add table ip t |
| | nft> list ruleset
| | table ip t {
| | }
| # nft flush ruleset |
| | nft> list ruleset
| | nft>

In order to make sure interactive CLI wouldn't incorrectly list the
table again in the second 'list' command, it immediately flushed its
cache after every command execution.

This patch eliminates the need for that by making cache updates depend
on kernel's generation ID: A cache update stores the current rule set's
ID in struct nft_cache, consecutive calls to cache_update() compare that
stored value to the current generation ID received from kernel - if the
stored value is zero (i.e. no previous cache update did happen) or if it
doesn't match the kernel's value (i.e. cache is outdated) the cache is
flushed and fully initialized again.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
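A minimal model of the generation-ID check described above, as an added example that is not libnftables code. struct fake_kernel stands in for the kernel's ruleset and its generation counter, and the cache_update() here is a simplified stand-in for the real routine; all names are assumptions for this example. It replays the two-shell scenario from the commit message and shows that the cache is rebuilt only when the stored ID is zero or no longer matches.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Example code, not libnftables': a model of cache invalidation keyed on
 * the kernel's ruleset generation ID. */

struct fake_kernel {
	uint32_t genid;		/* bumped on every committed ruleset change */
	unsigned int ntables;
};

struct nft_cache {
	uint32_t genid;		/* 0 means "never populated" */
	unsigned int ntables;	/* cached view of the ruleset */
	unsigned int rebuilds;	/* how often the cache was flushed and refilled */
};

/* Commit a change. The counter skips 0 so the cache can use 0 as "empty". */
void kernel_commit(struct fake_kernel *k, int table_delta)
{
	k->ntables += table_delta;
	if (++k->genid == 0)
		k->genid = 1;
}

/* Returns true when the cache had to be flushed and rebuilt. */
bool cache_update(struct nft_cache *c, const struct fake_kernel *k)
{
	if (c->genid != 0 && c->genid == k->genid)
		return false;		/* still in sync with the kernel */
	c->ntables = k->ntables;	/* flush + full re-initialisation */
	c->genid = k->genid;
	c->rebuilds++;
	return true;
}

/* Replay the scenario from the commit message: shell a adds a table,
 * shell b lists, shell b lists again, shell a flushes, shell b lists. */
static struct nft_cache replay_two_shells(void)
{
	struct fake_kernel k = { .genid = 1, .ntables = 0 };
	struct nft_cache cli = { 0 };

	kernel_commit(&k, +1);		/* shell a: nft add table ip t */
	cache_update(&cli, &k);		/* shell b: list ruleset -> one table */
	cache_update(&cli, &k);		/* shell b: list again, nothing changed */
	kernel_commit(&k, -1);		/* shell a: nft flush ruleset */
	cache_update(&cli, &k);		/* shell b: list ruleset -> must be empty */
	return cli;
}

/* Tables shell b sees on its final listing (0 if the cache was refreshed). */
unsigned int scenario_tables_seen(void) { return replay_two_shells().ntables; }

/* Rebuilds performed: one initial fill plus one after the flush. */
unsigned int scenario_rebuilds(void) { return replay_two_shells().rebuilds; }

int main(void)
{
	printf("final listing: %u table(s), cache rebuilt %u time(s)\n",
	       scenario_tables_seen(), scenario_rebuilds());
	return 0;
}
```

The second listing reuses the cache because the ID is unchanged, which is the saving over flushing after every command. The check and the subsequent dump are still two separate netlink exchanges, so a commit can land between them; the kernel marks a dump that raced with a generation change with NLM_F_DUMP_INTR, and a consumer of this scheme has to check for that flag and retry rather than trust the partial dump.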
7 years ago - doc: nft.8 simplify initial SYNOPSIS line
Duncan Roe [Fri, 20 Oct 2017 11:29:15 +0000 (22:29 +1100)] 
doc: nft.8 simplify initial SYNOPSIS line

In the style of tcpdump.8: where options have short and long forms, only show
short form in synopsis but mention long form in description.
Re-order option descriptions to match order in synopsis (move -N to just after -n).

Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago - src: add nft_ prefix to everything exposed through include/nftables/nftables.h
Pablo Neira Ayuso [Tue, 24 Oct 2017 13:20:04 +0000 (15:20 +0200)] 
src: add nft_ prefix to everything exposed through include/nftables/nftables.h

Prepend the nft_ prefix before these are exposed, to reduce the chances we hit
symbol namespace pollution problems when mixing libnftables with other
existing libraries.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago - libnftables: Introduce getters and setters for everything
Phil Sutter [Mon, 23 Oct 2017 15:33:19 +0000 (17:33 +0200)] 
libnftables: Introduce getters and setters for everything

This introduces getter/setter pairs for all parts in struct nft_ctx (and
contained structs) which should be configurable.

Most of them are simple ones, just allowing to get/set a given field:

* nft_ctx_{get,set}_dry_run() -> ctx->check
* nft_ctx_output_{get,set}_numeric() -> ctx->output.numeric
* nft_ctx_output_{get,set}_stateless() -> ctx->output.stateless
* nft_ctx_output_{get,set}_ip2name() -> ctx->output.ip2name
* nft_ctx_output_{get,set}_debug() -> ctx->debug_mask
* nft_ctx_output_{get,set}_handle() -> ctx->output.handle
* nft_ctx_output_{get,set}_echo() -> ctx->output.echo

A more complicated case is include paths handling: In order to keep the
API simple, remove INCLUDE_PATHS_MAX restraint and dynamically allocate
nft_ctx field include_paths instead. So there is:

* nft_ctx_add_include_path() -> add an include path to the list
* nft_ctx_clear_include_paths() -> flush the list of include paths

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago - cli: Use nft_run_cmd_from_buffer()
Phil Sutter [Mon, 23 Oct 2017 15:33:18 +0000 (17:33 +0200)] 
cli: Use nft_run_cmd_from_buffer()

Make CLI code adhere to intended libnftables API by not open coding what
nft_run_cmd_from_buffer() does. This way, nft_run() has no users outside
of src/libnftables.c anymore and therefore can become static.

Since nft_run_cmd_from_buffer() takes care of scanner initialization and
libmnl socket passed to cli_init() is present as nft_ctx field as well,
signature of cli_init() can be reduced to just take nft_ctx pointer as
single argument.

Note that this change introduces two (possibly unwanted) side-effects:

* Input descriptor passed to scanner_push_buffer() is changed from the
  CLI-specific one to the one used by nft_run_cmd_from_buffer().

In practice though, this doesn't make a difference: input descriptor
types INDESC_CLI and INDESC_BUFFER are treated equally by erec_print().
Also, scanner_push_buffer() NULLs input descriptor name, so that is not
used at all in latter code.

* Error messages are printed to stderr instead of cli_nft->output.

This could be fixed by introducing an 'error_output' field in nft_ctx
for nft_run_cmd_from_buffer() to use when printing error messages.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago - libnftables: Introduce nft_ctx_flush_cache()
Phil Sutter [Mon, 23 Oct 2017 15:33:17 +0000 (17:33 +0200)] 
libnftables: Introduce nft_ctx_flush_cache()

This allows an application to explicitly flush caches associated with a
given nft context, as seen in cli_complete().

Note that this is a bit inconsistent in that it releases the global
interface cache, but nft_ctx_free() does the same so at least it's not a
regression.

Note that there is no need for explicit cache update routine since cache
is populated during command execution depending on whether it is needed
or not.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago - libnftables: Move library stuff out of main.c
Phil Sutter [Mon, 23 Oct 2017 15:33:16 +0000 (17:33 +0200)] 
libnftables: Move library stuff out of main.c

This creates src/libnftables.c and include/nftables/nftables.h which
will become the central elements of libnftables.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago - main: Fix for wrong argument passed to cache_release in nft_ctx_free
Phil Sutter [Thu, 19 Oct 2017 08:18:41 +0000 (10:18 +0200)] 
main: Fix for wrong argument passed to cache_release in nft_ctx_free

nft_ctx_free() should not refer to the global 'nft' variable, this will
break as soon as the function is moved away from main.c. In order to use
the cache reference from passed argument, the latter must not be const.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago - rule: fix netlink debug flag when listing table/rules
Florian Westphal [Wed, 18 Oct 2017 23:03:20 +0000 (01:03 +0200)] 
rule: fix netlink debug flag when listing table/rules

nft --debug=netlink list table ...
has no effect anymore.

Callers pass in debug_mask & DEBUG_NETLINK, which gets converted
to 0/1 because the arg is a boolean.

Later on this bool is converted back to an integer, but that
won't have the desired result.

Fixes: be441e1ffdc24 ("src: add debugging mask to context structure")
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
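The narrowing described in that commit, reproduced as an added example that is not nftables code. The flag values are made up (the real DEBUG_* constants live in nftables' headers); the point is the pattern: a bit mask is handed to a bool parameter, collapses to 0 or 1, and is then widened back to an integer that no longer contains the flag bit.

```c
#include <stdbool.h>
#include <stdio.h>

/* Example code, not nftables': assumed flag values for illustration. */
enum debug_flags {
	DEBUG_SCANNER = 0x1,
	DEBUG_PARSER  = 0x2,
	DEBUG_NETLINK = 0x4,	/* any value other than 1 exposes the bug */
};

/* The listing path as it was: the parameter is a bool, so a caller's
 * "debug_mask & DEBUG_NETLINK" arrives as 0 or 1. Widening that 1 back to
 * an integer does not give DEBUG_NETLINK, so the bit test never fires.
 * Returns 1 if a netlink dump would be emitted, 0 otherwise. */
static int list_table_buggy(bool debug)
{
	unsigned int debug_mask = debug;	/* 0 or 1: the mask bit is lost */
	return (debug_mask & DEBUG_NETLINK) != 0;
}

/* The fix: keep the mask as an integer all the way down and test the bit
 * where the dump actually happens. */
static int list_table_fixed(unsigned int debug_mask)
{
	return (debug_mask & DEBUG_NETLINK) != 0;
}

/* Call sites as a caller like "nft --debug=netlink list table" reaches them. */
int netlink_dump_emitted_buggy(unsigned int debug_mask)
{
	return list_table_buggy(debug_mask & DEBUG_NETLINK);
}

int netlink_dump_emitted_fixed(unsigned int debug_mask)
{
	return list_table_fixed(debug_mask);
}

int main(void)
{
	unsigned int mask = DEBUG_NETLINK | DEBUG_PARSER;	/* --debug=netlink,parser */

	printf("buggy path emits dump: %d\n", netlink_dump_emitted_buggy(mask));
	printf("fixed path emits dump: %d\n", netlink_dump_emitted_fixed(mask));
	return 0;
}
```

The bug is silent: the code compiles cleanly and would even appear to work if DEBUG_NETLINK happened to have the value 1. When a function must take a boolean, test the bit at the call site and never convert the result back into a mask; when it must take a mask, keep the parameter an integer type.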
7 years ago - netlink: Use nftnl_expr_fprintf() in netlink_dump_expr()
Phil Sutter [Wed, 4 Oct 2017 21:41:11 +0000 (23:41 +0200)] 
netlink: Use nftnl_expr_fprintf() in netlink_dump_expr()

This gets rid of the temporary buffer.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago - netlink: fix element addition to map with stateful object
Pablo Neira Ayuso [Tue, 17 Oct 2017 10:25:00 +0000 (12:25 +0200)] 
netlink: fix element addition to map with stateful object

Expressions with the EXPR_F_INTERVAL_END flag set have no right hand side,
so they store no stateful object. Skip them so we don't crash on this.

 # nft add map x testmap { type inet_service: counter\; flags interval\;}
 # nft add counter x testcounter
 # nft add element x testmap { 0-100 : "testcounter" }
 Segmentation fault

This patch also fixes the listing codepath.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1190
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
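An added example, not nftables code, of the data layout behind that crash: an interval map element such as "0-100 : testcounter" is expanded into a start element that carries the object reference and an end marker (key = last + 1, interval-end flag set) that has no right-hand side at all, so any pass that assumes every element carries an object name dereferences NULL on the marker. The struct and function names are assumptions for this example; the skip on the interval-end flag is the check the fix adds.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example code, not nftables': model of interval map elements. */
struct map_elem {
	uint32_t key;
	bool interval_end;	/* plays the role of EXPR_F_INTERVAL_END */
	const char *objref;	/* stateful object name; NULL on end markers */
};

#define MAX_ELEMS 16
struct interval_map { struct map_elem e[MAX_ELEMS]; size_t n; };

/* Add [first, last] -> objref. Intervals must be added in ascending,
 * non-overlapping order. Returns 0 on success, -1 on error. */
int map_add_interval(struct interval_map *m, uint32_t first, uint32_t last,
		     const char *objref)
{
	if (!objref || first > last || m->n + 2 > MAX_ELEMS)
		return -1;
	/* Reject overlap, and anything after an open-ended interval. */
	if (m->n && (m->e[m->n - 1].key > first || !m->e[m->n - 1].interval_end))
		return -1;
	m->e[m->n++] = (struct map_elem){ first, false, objref };
	/* An interval reaching the end of the key space needs no end marker. */
	if (last != UINT32_MAX)
		m->e[m->n++] = (struct map_elem){ last + 1, true, NULL };
	return 0;
}

/* Resolve key -> object name, or NULL when key falls in a gap: take the
 * element with the largest key <= lookup key; an end marker there means the
 * previous interval has already ended. */
const char *map_lookup(const struct interval_map *m, uint32_t key)
{
	const struct map_elem *best = NULL;
	for (size_t i = 0; i < m->n; i++)
		if (m->e[i].key <= key && (!best || m->e[i].key > best->key))
			best = &m->e[i];
	return (best && !best->interval_end) ? best->objref : NULL;
}

/* Bytes of object names that would be serialised towards the kernel. The
 * interval_end test is the fix: without it the marker's NULL objref goes
 * into strlen() and the program segfaults, as in the bug report. */
size_t map_objref_bytes(const struct interval_map *m)
{
	size_t total = 0;
	for (size_t i = 0; i < m->n; i++) {
		if (m->e[i].interval_end)
			continue;	/* no right-hand side: nothing to reference */
		total += strlen(m->e[i].objref);
	}
	return total;
}

/* The map from the bug report plus a second interval; built once. */
const struct interval_map *example_map(void)
{
	static struct interval_map m;
	static bool built;
	if (!built) {
		map_add_interval(&m, 0, 100, "testcounter");
		map_add_interval(&m, 1024, 65535, "highports");
		built = true;
	}
	return &m;
}

/* An interval reaching UINT32_MAX is stored as a single start element. */
size_t open_ended_elem_count(void)
{
	struct interval_map m = { .n = 0 };
	map_add_interval(&m, 1u << 16, UINT32_MAX, "rest");
	return m.n;
}

int main(void)
{
	const struct interval_map *m = example_map();
	for (size_t i = 0; i < m->n; i++)
		printf("key %5u end=%d obj=%s\n", (unsigned)m->e[i].key,
		       m->e[i].interval_end, m->e[i].objref ? m->e[i].objref : "(none)");
	printf("lookup 50 -> %s, 101 -> %s, objref bytes %zu\n",
	       map_lookup(m, 50), map_lookup(m, 101) ? map_lookup(m, 101) : "(miss)",
	       map_objref_bytes(m));
	return 0;
}
```

Two elements are emitted for "0-100", but only one of them has data, which is also why the listing path needed the same guard: anything that walks the element list and reads the right-hand side has to treat end markers as data-less.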
7 years ago - doc: nft.8 change "Native Address Translation" to "Network Address Translation"
Duncan Roe [Thu, 12 Oct 2017 07:24:11 +0000 (18:24 +1100)] 
doc: nft.8 change "Native Address Translation" to "Network Address Translation"

A Google search for "Native Address Translation" found 1 entry
(http://encyclopedia2.thefreedictionary.com/Native+address+translation) which
redirects to .../Network+address+translation. All other matches are to entries
about "Network Address Translation".

Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago - tests: files: Remove tests for verdict maps.
Varsha Rao [Wed, 11 Oct 2017 05:01:49 +0000 (10:31 +0530)] 
tests: files: Remove tests for verdict maps.

Remove test cases for verdict maps, as they are already there in the
tests/shell file.

Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago - tests: files: Remove tests for table.
Varsha Rao [Wed, 11 Oct 2017 04:59:03 +0000 (10:29 +0530)] 
tests: files: Remove tests for table.

This patch removes the test case for table, as a test case for it is present
in the tests/shell file.

Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago - tests: files: Remove tests for chain.
Varsha Rao [Wed, 11 Oct 2017 04:56:08 +0000 (10:26 +0530)] 
tests: files: Remove tests for chain.

Test cases for chain are there in the tests/shell file, so remove these
test cases.

Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago - tests: files: Remove test cases for variable definition.
Varsha Rao [Wed, 11 Oct 2017 04:53:53 +0000 (10:23 +0530)] 
tests: files: Remove test cases for variable definition.

New test cases for variable definition are added in the tests/shell file,
so remove these test cases.

Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago - tests: shell: Add tests for variable definition.
Varsha Rao [Wed, 11 Oct 2017 04:51:11 +0000 (10:21 +0530)] 
tests: shell: Add tests for variable definition.

This patch adds test cases for a variable definition and redefinition.

Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago - tests: files: Remove tests for set.
Varsha Rao [Wed, 11 Oct 2017 04:47:51 +0000 (10:17 +0530)] 
tests: files: Remove tests for set.

This patch removes the test case for set, as a new test case is added to
the tests/shell file.

Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago - tests: shell: Add test case for sets.
Varsha Rao [Wed, 11 Oct 2017 04:44:33 +0000 (10:14 +0530)] 
tests: shell: Add test case for sets.

This patch adds test case for anonymous sets.

Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago - tests: shell: Add test case for jump chain.
Varsha Rao [Wed, 11 Oct 2017 04:41:37 +0000 (10:11 +0530)] 
tests: shell: Add test case for jump chain.

This patch adds a test case for checking jump to a non-existing chain.

Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago - tests: files: Remove jump chain tests.
Varsha Rao [Wed, 11 Oct 2017 04:37:47 +0000 (10:07 +0530)] 
tests: files: Remove jump chain tests.

Tests for loop-detect 1, 2 and 3 are already there in the tests/shell file.
A new test for loop-detect.4 has been added to the tests/shell file. So, remove
them.

Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago - tests: shell: add testcases for named limits
Harsha Sharma [Sat, 14 Oct 2017 10:46:03 +0000 (16:16 +0530)] 
tests: shell: add testcases for named limits

Add testcases for creating named limits and referencing them
from rule

Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago - configure: Bump version to v0.8 (tag: v0.8)
Pablo Neira Ayuso [Tue, 10 Oct 2017 19:08:07 +0000 (21:08 +0200)] 
configure: Bump version to v0.8

Update libnftnl dependency up to latest (1.0.8). Dedicate this release
to Joe Btfsplk [1], the world's worst jinx.

[1] https://en.wikipedia.org/wiki/Joe_Btfsplk#/media/File:Joe_Btfsplk_Excerpt.png

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago - doc: nft.8 Document rule replace
Duncan Roe [Mon, 9 Oct 2017 14:58:41 +0000 (01:58 +1100)] 
doc: nft.8 Document rule replace

Insert synopsis and description between those for add|insert and delete

Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago - nftables: make pointers in string arrays constant
Harsha Sharma [Fri, 6 Oct 2017 14:47:54 +0000 (20:17 +0530)] 
nftables: make pointers in string arrays constant

A static const char * array should be a static const char *
const array as per linux-kernel coding style.

Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago - test: shell: update shell/run-tests.sh to refer to relative path of testcase
Harsha Sharma [Fri, 6 Oct 2017 22:47:52 +0000 (04:17 +0530)] 
test: shell: update shell/run-tests.sh to refer to relative path of testcase

Refer to the relative path for tests from any directory if a path for testcases
is specified.

Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
7 years ago - scanner: IPv4-Mapped IPv6 addresses support
Pablo Neira Ayuso [Sun, 8 Oct 2017 23:40:36 +0000 (01:40 +0200)] 
scanner: IPv4-Mapped IPv6 addresses support

The scanner rejects IPv4-Mapped IPv6 addresses, e.g.

 # cat test
 #!/usr/sbin/nft -f
 flush ruleset
 table inet global {
    set blackhole_ipv6 {
        type ipv6_addr
        flags interval
        elements = { ::ffff:0.0.0.0/96 }
    }
 }

 # nft -f test
 test:8:30-38: Error: syntax error, unexpected string, expecting comma or '}'
        elements = { ::ffff:0.0.0.0/96 }
                            ^^^^^^^^^^

According to RFC4291, Sect. 2.5.5.2. IPv4-Mapped IPv6 Address:

   |                80 bits               | 16 |      32 bits        |
   +--------------------------------------+--------------------------+
   |0000..............................0000|FFFF|    IPv4 address     |
   +--------------------------------------+----+---------------------+

Update scanner bits to parse this.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1188
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
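The address form at issue, worked through as an added example that is not the nftables scanner: it parses a set element written either with the dotted-quad tail ("::ffff:1.2.3.4") or the hex tail ("::ffff:102:304"), with an optional /prefix, and checks the RFC 4291 layout (80 zero bits, 16 one bits, 32-bit IPv4 address) on the resulting 128-bit value. It relies on inet_pton(), which accepts both spellings; the struct and function names are assumptions for this example. The two spellings denote the same address, so a parser that accepts one and rejects the other is inconsistent rather than strict.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Example code, not nftables': parse an ipv6_addr set element with an
 * optional prefix length and classify IPv4-mapped addresses (RFC 4291,
 * section 2.5.5.2). */

struct ip6_prefix {
	struct in6_addr addr;
	int len;		/* 0..128; 128 when no /len was given */
};

/* Parse "addr" or "addr/len". Returns 0 on success, -1 on syntax error. */
int ip6_prefix_parse(const char *text, struct ip6_prefix *out)
{
	char buf[INET6_ADDRSTRLEN + 4];	/* room for "/128" */
	char *slash, *end;
	long len = 128;

	if (strlen(text) >= sizeof(buf))
		return -1;
	strcpy(buf, text);

	slash = strchr(buf, '/');
	if (slash) {
		*slash = '\0';
		errno = 0;
		len = strtol(slash + 1, &end, 10);
		if (errno || end == slash + 1 || *end != '\0' || len < 0 || len > 128)
			return -1;
	}
	/* inet_pton() takes both the hex and the dotted-quad tail spelling. */
	if (inet_pton(AF_INET6, buf, &out->addr) != 1)
		return -1;
	out->len = (int)len;
	return 0;
}

/* RFC 4291 layout: 80 zero bits, 16 one bits, then the IPv4 address. */
static bool addr_is_ipv4_mapped(const struct in6_addr *a)
{
	static const uint8_t mapped_prefix[12] = {
		0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff,
	};
	return memcmp(a->s6_addr, mapped_prefix, sizeof(mapped_prefix)) == 0;
}

/* 1 if text is an IPv4-mapped IPv6 address, 0 if not, -1 on parse error. */
int ip6_is_mapped(const char *text)
{
	struct ip6_prefix p;
	if (ip6_prefix_parse(text, &p) < 0)
		return -1;
	return addr_is_ipv4_mapped(&p.addr) ? 1 : 0;
}

/* Embedded IPv4 address in host byte order; 0 if not mapped or invalid. */
uint32_t ip6_mapped_v4(const char *text)
{
	struct ip6_prefix p;
	uint32_t v4;
	if (ip6_prefix_parse(text, &p) < 0 || !addr_is_ipv4_mapped(&p.addr))
		return 0;
	memcpy(&v4, &p.addr.s6_addr[12], sizeof(v4));
	return ntohl(v4);
}

/* Prefix length of a parsed element, or -1 on syntax error. */
int ip6_prefix_len(const char *text)
{
	struct ip6_prefix p;
	return ip6_prefix_parse(text, &p) < 0 ? -1 : p.len;
}

/* 1 if both spellings denote the same address and prefix, 0 otherwise. */
int ip6_text_equal(const char *a, const char *b)
{
	struct ip6_prefix pa, pb;
	if (ip6_prefix_parse(a, &pa) < 0 || ip6_prefix_parse(b, &pb) < 0)
		return 0;
	return pa.len == pb.len && memcmp(&pa.addr, &pb.addr, sizeof(pa.addr)) == 0;
}

int main(void)
{
	const char *inputs[] = {
		"::ffff:0.0.0.0/96",	/* the element the old scanner rejected */
		"::ffff:1.2.3.4",
		"::ffff:102:304",	/* same address, hex spelling */
		"2001:db8::1",
		"::ffff:1.2.3.4/129",	/* bad prefix length */
	};
	for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++)
		printf("%-22s mapped=%2d len=%3d v4=0x%08x\n", inputs[i],
		       ip6_is_mapped(inputs[i]), ip6_prefix_len(inputs[i]),
		       ip6_mapped_v4(inputs[i]));
	return 0;
}
```

ip6_text_equal() is the property the scanner fix restores: whichever way an element is written, it has to land on the same 128-bit value and the same /96 block, otherwise two rulesets that look different on paper would match the same traffic, or the same ruleset would fail to load depending on how an address was spelled.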