This set member is an integer represented in host byte order, which
obviously doesn't match the header field (in network byte order).
Since the integer datatype has no specific byteorder, we have to rely
on the expression byteorder instead when configuring the context,
before we evaluate the list of set members.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add a new ERROR symbol to handle scanning of too large values.
<cmdline>:1:36-99: Error: bad value '0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
add rule ip test-ip4 input ct mark 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
instead of:
ct mark >= 0x00000032 ct mark <= 0x00000045
^^^^^^^^^^
instead of ct mark <= 0x45000000
^^^^^^^^^^
Remove the custom output so this displays a warning. nft should
(at some point) merge the two statements into a single one to express
the range from the netlink_delinearize step.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Eric Leblond [Sat, 29 Nov 2014 16:24:38 +0000 (17:24 +0100)]
scanner: fix reading of really long line
Current code is causing a failure in adding a set containing
a really long list of elements. The failure occurs as soon as
the line is longer than the flex read buffer.
When a line is longer than the scanner buffer size, the code in YY_INPUT
forces a rewind to the beginning of the string because it does not
find an end of line. The result is that the string is never parsed.
This patch updates the code by rewinding until we find a space.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
datatype: relax datatype check in integer_type_parse()
Otherwise parsing with basetypes doesn't work. Now nft displays
an error when the symbolic constant is not correct:
<cmdline>:1:29-31: Error: Could not parse conntrack state
add rule test test ct state xxx accept
^^^
Use .sym_tbl instead and default on the symbol_constant_parse()
function from the ethertype and pkttype, this simplifies the code and
(more importantly) it avoids a breakage after the change in
integer_type_parse().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Alvaro Neira [Wed, 26 Nov 2014 11:07:51 +0000 (12:07 +0100)]
evaluate: reject: fix crash on NULL location with bridge and tcp reset
If we use tcp reset with a network protocol for which tcp is not supported,
we display an error. This error uses the reject.expr location, which is NULL,
therefore we have a crash. This patch replaces it, using the reject statement
to display the error like:
Rule:
nft add bridge filter input ether type vlan reject with tcp reset
Output:
<cmdline>:1:46-51: Error: cannot reject this ether type
add rule bridge filter input ether type vlan reject with tcp reset
~~~~~~~~~~~~~~~ ^^^^^^
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
David Kozub [Tue, 25 Nov 2014 17:51:43 +0000 (18:51 +0100)]
build: add missing \ in src/Makefile.am (AM_CPPFLAGS)
The missing \ at the end of the line causes LIBMNL_CFLAGS and LIBNFTNL_CFLAGS
to be ignored. This causes build failure if the libmnl or libnftnl headers are
not in a path that's already searched by the C compiler.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
any/meta.t: ERROR: line 168: nft add rule ip test-ip4 input meta iifgroup {11,33}: This rule should not have failed.
any/meta.t: ERROR: line 178: nft add rule ip test-ip4 input meta oifgroup {11,33}: This rule should not have failed.
ip/masquerade.t: ERROR: line 23: nft add rule ip4 test-ip4 output tcp dport {1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} masquerade: This rule should not have failed.
ip6/masquerade.t: ERROR: line 23: nft add rule ip6 test-ip6 output tcp dport {1,2,3,4,5,6,7,8,101,202,303,1001,2002,3003} masquerade: This rule should not have failed.
This needs a space before the list of elements in the set, otherwise
bash here misinterprets the set.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
'nft' documentation is originally contained in the XML file 'doc/nft.xml'.
Processing this file with the proper tools we can obtain a PDF document,
'nft.pdf', and a unix man page, 'nft.8'.
To produce the PDF we need the tool 'dblatex' (current release
pypi.python.org/pypi/dblatex/0.3.5).
To produce the man page we use the tool 'docbook2man'; it is part of the
package 'docbook2X' (docbook2x.sourceforge.net). On some linux
distributions the tool can have slightly different names such as 'docbook2x-man'
or 'db2x_docbook2man', so we search for all three names, use the first
one found and issue the command:
# ${DB2MAN} --xinclude $<
Signed-off-by: Giorgio Dal Molin <giorgio.nicole@arcor.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Ana Rey [Mon, 3 Nov 2014 17:10:51 +0000 (18:10 +0100)]
src: Add cgroup support in meta expression
The new attribute of meta is "cgroup".
Example of use in nft:
# nft add rule ip test output meta cgroup != 0x100001 counter drop
Moreover, this adds tests to the meta.t test file.
The kernel support is added in the commit: ce67417 ("netfilter: nft_meta: add cgroup support")
The libnftnl support is added in the commit: 1d4a480 ("expr: meta: Add cgroup support")
More information about the steps to use cgroup:
https://www.kernel.org/doc/Documentation/cgroups/net_cls.txt
More info about cgroup in iptables:
http://git.kernel.org/cgit/linux/kernel/git/pablo/nftables.git/commit/net/netfilter/xt_cgroup.c?id=82a37132f300ea53bdcd812917af5a6329ec80c3
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Arturo Borrero [Fri, 7 Nov 2014 11:39:35 +0000 (12:39 +0100)]
parser: allow both nat_flags and port specification in redirect
This patch changes the parser to permit both nat_flags and port specification
in the redirect expression.
The resulting syntax is:
% nft add rule nat prerouting redirect [port] [nat_flags]
The port specification requires a bit of context regarding the transport
protocol. Some examples:
% nft add rule nat prerouting tcp dport 22 redirect :23
% nft add rule nat prerouting udp dport 53 redirect :5353
The nat_flags argument is the last argument:
% nft add rule nat prerouting tcp dport 80 redirect :8080 random
The port specification can be a range:
% nft add rule nat prerouting tcp dport 80 redirect :8080-8090 random
While at it, the regression tests files are updated.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Arturo Borrero [Thu, 6 Nov 2014 08:05:28 +0000 (09:05 +0100)]
nft: don't resolve hostnames by default
This patch changes the default behaviour of nft to not translate IP
addresses to hostnames when printing rules if no options are passed.
The options regarding translations after this patch are:
<no -n/-N> show IP addresses numerically (default behaviour)
-n show IP addresses numerically
-nn show Internet services and uid/gid numerically
-nnn show protocols numerically
-N (--reversedns) translate IP addresses to names
The idea is to avoid breaking existing scripts that most likely rely on
'-n' to save the ruleset, so we reduce the impact of this patch and
provide a default behaviour that doesn't generate network traffic when
listing / saving the ruleset.
Joint work with Pablo.
Suggested-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Alvaro Neira [Thu, 23 Oct 2014 17:36:57 +0000 (19:36 +0200)]
evaluate: reject: enhance the error support throwing message with more details
If we add a rule like:
nft add rule bridge filter input ether type ip reject with icmpv6 type no-route
We throw an error like:
<cmdline>:1:44-49: Error: conflicting protocols specified: ip vs ip6
add rule bridge filter input ether type ip reject with icmpv6 type no-route
Now, we are going to show in which part of the rule we have the conflict:
<cmdline>:1:51-75: Error: conflicting protocols specified: ip vs ip6
add rule bridge filter input ether type ip reject with icmpv6 type no-route
~~~~~~~~~~~~~ ^^^^^^^^^^^^^^^^^^^^^^^^^
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
we use icmpx to reject it. But if we have network context, we also use type of
reject. With this patch, we check the network context. If we don't have context,
we still use icmpx. However, if we have rules with network context like:
nft add rule inet meta nfproto ipv4 reject
or
nft add rule bridge ether type ipv6 reject
We are going to use icmp or icmpv6 to reject it taking into account the network
context.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Alvaro Neira [Wed, 22 Oct 2014 13:25:53 +0000 (15:25 +0200)]
evaluate: reject: check in bridge and inet the network context in reject
In inet tables, we have to check the network context in rules that use the
icmp or icmpv6 reason in reject, to be sure that the context is correct.
However, for icmpx and tcp reject, we don't need to check it.
In bridge tables, we have vlan and arp traffic and they are not supported.
For these things, we have to check the network context. For example:
nft add rule bridge test-bridge input \
ether type arp reject with icmp type host-unreachable
or
nft add rule bridge test-bridge input \
ether type vlan reject with tcp reset
In those cases, we have to throw an error. Moreover, we have to accept rules
where the network context is IPv4 or IPv6. For example:
nft add rule -nnn bridge test-bridge input \
ip protocol tcp reject with tcp reset
Moreover, this patch refactors the code that checks the family for bridge and inet
tables.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Alvaro Neira [Wed, 22 Oct 2014 13:25:52 +0000 (15:25 +0200)]
evaluate: reject: accept a reject reason with incorrect network context
nft add rule bridge test-bridge input ether type ip \
reject with icmpv6 type no-route
This rule passes the evaluation step but the network context is incompatible with
the reject reason. In those cases, we have to throw an error like "conflicting
protocols specified: ip vs ip6".
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Steven Barth [Fri, 10 Oct 2014 11:01:41 +0000 (13:01 +0200)]
build: remove unnecessary libintl.h check
configure.ac checks for libintl.h, which is not used and
may cause unnecessary trouble with e.g. embedded toolchains.
The only reference to libintl.h can be found in parser.c
as generated by bison; however, an include does not happen
because parser.h defines YYENABLE_NLS to be 0.
Signed-off-by: Steven Barth <cyrus@openwrt.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netlink: use switch whenever possible in the monitor code
This is more robust than the current 'else' fallback. If we run a
newer kernel with old nft binaries, unknown messages will be
misinterpreted as deletions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: interpret the event type from the evaluation step
Postpone the event type interpretation to the evaluation step.
This patch also fixes the combination of event and object types,
which was broken. The export code needed to be adjusted too.
The new and destroy are not tokens that can be recognized by
the scanner anymore, so this also implicitly restores 'ct state'.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
With this patch, this function finds the symbol inside the table. If the symbol
doesn't exist we use the basetype to parse it and create the constant
expression. Otherwise, return an error message.
This is a refactorization to reuse this code in a follow-up patch.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Patrick McHardy [Wed, 24 Sep 2014 11:49:05 +0000 (13:49 +0200)]
queue: clean up queue statement
- Rename keyword tokens to their actual keyword
- Change the grammar to follow the standard schema for statements and arguments
- Use an actual expression for the queue numbers to support using normal range
expressions, symbolic expressions and so on.
- Restore comma separation of flag keywords
The result is that it's possible to use standard ranges, prefix expressions,
symbolic expressions etc. for the queue number. We get checks for overflow,
negative ranges and so on automatically.
The comma separation of flags is more similar to what we have for other
flag values. It is still possible to use spaces, however this could be
removed since we never had a release supporting that.
mnl: consistency checks across several netlink dumps
Obtain the generation ID before dumping the object lists. Then,
check for generation ID updates when dumping the several lists that
this needs. In case of interference, nft has to remove the stale
objects and retry from scratch.
This is complementary to the NLM_F_DUMP_INTR flag which is local
to one single netlink dump.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Ana Rey [Thu, 18 Sep 2014 10:39:15 +0000 (12:39 +0200)]
tests: Add automated regression testing
Here is the automated regression testing for nftables and some test
files.
This script checks that the rule input and output of nft match.
More details here below.
A) What is this testing?
This script tests two different paths:
* The rule input from the command-line. This checks the different steps
from the command line to the kernel. This includes the parsing,
evaluation and netlink generation steps.
* The output listing that is obtained from the kernel. This checks the
different steps from the kernel to the command line: The netlink
message parsing, postprocess and textify steps to display the rule
listing.
As a final step, this script compares that the rule that is added can
be listed by nft.
B) What options are available?
The script offers the following options:
* Execute test files:
./nft-test.py # Run all test files
./nft-test.py path/file.t # Run this test file
If there is a problem, it shows the differences between the rule that
is added and the rule that is listed by nft.
In case you hit an error, the script doesn't keep testing for more
families, unless you specify the --force-family option.
* Execute broken tests:
./nft-test.sh -e
This runs tests for rules that need a fix: this mode runs the lines
that start with a "-" symbol.
* Debugging:
./nft-test.sh -d
This shows all the commands that the script executes, so you can watch
its internal behaviour.
* Keep testing all families on error.
./nft-test.sh -f
Don't stop testing for more families in case of error.
C) What is the structure of the test file?
A test file contains a set of rules that are added in the system.
Here is an example of a test file:
*ip;test-ipv4 # line 1
*ip6;test-ipv6 # line 2
*inet;test-inet # line 3
!set1 ipv4_addr;ok # line 7
?set1 192.168.3.8 192.168.3.9;ok # line 8
# This is a commented-line. # line 9
Line 1 defines a table. The name of the table is 'test-ip' and the
family is ip. Lines 2 and 3 define more tables for different families
so the rules in this test file are also tested there.
Line 4 defines the chain. The name of this chain is "input". The type is
"filter", the hook is "input" and the priority is 0.
Line 5 defines the rule, the ";" character is used as separator of several
parts:
* Part 1: "ah hdrlength != 11-23" is the rule to check.
* Part 2: "ok" is the result expected from the execution of this rule.
* Part 3: "ah hdrlength < 11 ah hdrlength > 23". This is the expected
output. You can leave this empty if the output is the same as the
input.
Line 6 is a marked line. This means that this rule is tested if
'-e' is passed as argument to nft-test.py.
Line 7 adds a new set. The name of this set is "set1" and the type
of this set is "ipv4_addr".
Line 8 adds two elements into the 'set1' set: "192.168.3.8" and
"192.168.3.9". A whitespace separates the elements of the set.
Line 9 uses the "#" symbol that means that this line is commented out.
D) The test folders
The test files are divided into several directories: ip, ip6, inet, arp,
bridge and any.
* "ip" folder contains the test files that are executed in ip and inet
table.
* "ip6" folder contains the test files that are executed in ip6 and inet
table.
* "inet" folder contains the test files that are executed in the ip, ip6
and inet table.
* "arp" folder contains the test files that are executed in the arp
table.
* "bridge" folder: Here are the test files that are executed in bridge
tables.
* "any" folder: Here are the test files that are executed in ip, ip6, inet,
arp and bridge tables.
E) Meaning of messages:
* A warning message means the rule input and output of nft mismatches.
* An error message means the nft-tool shows an error when we add it or
the listing is broken after the rule is added.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Some of the existing payload fields rely on BYTEORDER_INVALID. Therefore, if we
try to convert it in the evaluation step, we hit this bug.
This patch allows adding a specific byteorder to the struct proto_hdr_template. If
we create an expression with an invalid byteorder, we will use the byteorder
added to the proto_hdr_template structure.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
This patch adds the `flush ruleset' operation to nft.
The syntax is:
% nft flush ruleset [family]
To flush all the ruleset (all families):
% nft flush ruleset
To flush the ruleset of a given family:
% nft flush ruleset ip
% nft flush ruleset inet
This flush is a shortcut operation which deletes all rules, sets, tables
and chains.
It's possible since the modifications in the kernel to the NFT_MSG_DELTABLE
API call.
Users can benefit from this operation when doing an atomic replacement of the
entire ruleset, loading a file like this:
Ana Rey [Tue, 2 Sep 2014 18:37:17 +0000 (20:37 +0200)]
src: Add devgroup support in meta expression
This adds device group support in meta expression.
The new attributes of meta are "iifgroup" and "oifgroup"
- iifgroup: Match device group of incoming device.
- oifgroup: Match device group of outgoing device.
Example of use:
nft add rule ip test input meta iifgroup 2 counter
nft add rule ip test output meta oifgroup 2 counter
The kernel and libnftnl support were added in these commits:
netfilter: nf_tables: add devgroup support in meta expresion
src: meta: Add devgroup support to meta expresion
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Ana Rey [Tue, 5 Aug 2014 18:33:39 +0000 (20:33 +0200)]
src: Add support for pkttype in meta expression
If you want to match the pkttype field of the skbuff, you have to
use the following syntax:
nft add rule ip filter input meta pkttype PACKET_TYPE
where PACKET_TYPE can be: unicast, broadcast and multicast.
Joint work with Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: don't return error in netlink_linearize_rule()
This function converts the rule from the list of statements to the
netlink message format. The only two possible errors that can make
this function fail are memory exhaustion and malformed statements,
which immediately stop the execution of nft.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Patrick McHardy [Mon, 18 Aug 2014 23:21:59 +0000 (00:21 +0100)]
datatype: take endianness into account in symbolic_constant_print()
symbolic_constant_print() uses mpz_cmp_ui() to find the matching symbol.
Since GMP internally treats all values as being in host byte order, this
doesn't work when the constant value is non-host byteorder, such as
the ethernet protocol type.
Export the expression's value in its original byteorder for comparison
to fix this.
Patrick McHardy [Mon, 18 Aug 2014 23:21:59 +0000 (00:21 +0100)]
payload: take endianness into account when updating the payload context
payload_expr_pctx_update() uses the numeric protocol value in host byte
order to find the upper layer protocol. This obviously doesn't work for
protocol expressions in other byte orders, such as the ethernet protocol
on little endian.
Export the protocol value in the correct byte order and use that value
to look up the upper layer protocol.