Florian Westphal [Thu, 26 Oct 2017 12:26:41 +0000 (14:26 +0200)]
tests: icmpX: fix expected output
both of these rules succeed, but they should fail instead.
nft removes the ip6 nexthdr' clause, but this is not correct, it is an
explicit test for the ipv6 nexthdr value.
Implicit dependencies use meta l4proto to skip extension headers
(if any), ipv6 nexthdr does not.
Phil Sutter [Wed, 25 Oct 2017 11:40:29 +0000 (13:40 +0200)]
libnftables: Get rid of explicit cache flushes
In the past, CLI as a potentially long running process had to make sure
it kept it's cache up to date with kernel's rule set. A simple test case
is this:
| shell a | shell b
| | # nft -i
| # nft add table ip t |
| | nft> list ruleset
| | table ip t {
| | }
| # nft flush ruleset |
| | nft> list ruleset
| | nft>
In order to make sure interactive CLI wouldn't incorrectly list the
table again in the second 'list' command, it immediately flushed it's
cache after every command execution.
This patch eliminates the need for that by making cache updates depend
on kernel's generation ID: A cache update stores the current rule set's
ID in struct nft_cache, consecutive calls to cache_update() compare that
stored value to the current generation ID received from kernel - if the
stored value is zero (i.e. no previous cache update did happen) or if it
doesn't match the kernel's value (i.e. cache is outdated) the cache is
flushed and fully initialized again.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Duncan Roe [Fri, 20 Oct 2017 11:29:15 +0000 (22:29 +1100)]
doc: nft.8 simplify initial SYNOPSIS line
In the style of tcpdump.8: where options have short and long forms, only show
short form in synopsis but mention long form in description.
Re-order option descriptions to match order in synopsis (move -N to just after -n).
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: add nft_ prefix to everything exposed through include/nftables/nftables.h
Prepend nft_ prefix before these are exposed, reduce chances we hit
symbol namespace pollution problems when mixing libnftables with other
existing libraries.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
A more complicated case is include paths handling: In order to keep the
API simple, remove INCLUDE_PATHS_MAX restraint and dynamically allocate
nft_ctx field include_paths instead. So there is:
* nft_ctx_add_include_path() -> add an include path to the list
* nft_ctx_clear_include_paths() -> flush the list of include paths
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Mon, 23 Oct 2017 15:33:18 +0000 (17:33 +0200)]
cli: Use nft_run_cmd_from_buffer()
Make CLI code adhere to intended libnftables API by not open coding what
nft_run_cmd_from_buffer() does. This way, nft_run() has no users outside
of src/libnftables.c anymore and therefore can become static.
Since nft_run_cmd_from_buffer() takes care of scanner initialization and
libmnl socket passed to cli_init() is present as nft_ctx field as well,
signature of cli_init() can be reduced to just take nft_ctx pointer as
single argument.
Note that this change introduces two (possibly unwanted) side-effects:
* Input descriptor passed to scanner_push_buffer() is changed from the
CLI-specific one to the one used by nft_run_cmd_from_buffer().
In practice though, this doesn't make a difference: input descriptor
types INDESC_CLI and INDESC_BUFFER are treated equally by erec_print().
Also, scanner_push_buffer() NULLs input descriptor name, so that is not
used at all in latter code.
* Error messages are printed to stderr instead of cli_nft->output.
This could be fixed by introducing an 'error_output' field in nft_ctx
for nft_run_cmd_from_buffer() to use when printing error messages.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Mon, 23 Oct 2017 15:33:17 +0000 (17:33 +0200)]
libnftables: Introduce nft_ctx_flush_cache()
This allows an application to explicitly flush caches associated with a
given nft context, as seen in cli_complete().
Note that this is a bit inconsistent in that it releases the global
interface cache, but nft_ctx_free() does the same so at least it's not a
regression.
Note that there is no need for explicit cache update routine since cache
is populated during command execution depending on whether it is needed
or not.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 19 Oct 2017 08:18:41 +0000 (10:18 +0200)]
main: Fix for wrong argument passed to cache_release in nft_ctx_free
nft_ctx_free() should not refer to the global 'nft' variable, this will
break as soon as the function is moved away from main.c. In order to use
the cache reference from passed argument, the latter must not be const.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Duncan Roe [Thu, 12 Oct 2017 07:24:11 +0000 (18:24 +1100)]
doc: nft.8 change "Native Address Translation" to "Network Address Translation"
A Google search for "Native Address Translation" found 1 entry
(http://encyclopedia2.thefreedictionary.com/Native+address+translation) which
redirects to .../Network+address+translation. All other matches are to entries
about "Network Address Translation".
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Varsha Rao [Wed, 11 Oct 2017 04:37:47 +0000 (10:07 +0530)]
tests: files: Remove jump chain tests.
Tests for loop-detect 1, 2 and 3 are already there in tests/shell file.
New test for loop-detect.4 has been added to tests/shell file. So, remove
them.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The scanner rejects IPv4-Mapped IPv6 addresses, eg.
# cat test
#!/usr/sbin/nft -f
flush ruleset
table inet global {
set blackhole_ipv6 {
type ipv6_addr
flags interval
elements = { ::ffff:0.0.0.0/96 }
}
}
# nft -f test
test:8:30-38: Error: syntax error, unexpected string, expecting comma or '}'
elements = { ::ffff:0.0.0.0/96 }
^^^^^^^^^^
According to RFC4291, Sect. 2.5.5.2. IPv4-Mapped IPv6 Address:
This is was previously fixed for flow statements in fbea4a6f4449
("netlink_linearize: skip set element expression in flow table key"), and
this patch implements the same change for set statements by using the set
element key in netlink_gen_set_stmt().
nft-test.py is updated to support set types with concatenated data types
in order to support testing of this.
Signed-off-by: Anders K. Pedersen <akp@cohaesio.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
i.e. the policy tuple should be inside the braces along with type, hook, device
& priority. Also the device & priority tuples each need to be followed by a
semicolon.
Signed-off-by: Duncan Roe <duncan_roe@optusnet.com.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 4 Oct 2017 13:59:32 +0000 (15:59 +0200)]
evaluate: Fix debug output
When introducing output_fp, debug output in src/evaluate.c was not
adjusted and therefore broke.
This patch restores eval debug output by applying the following changes:
- Change erec_print() and erec_print_list() to take a struct output_ctx
pointer as first argument and use output_fp field as destination to
print to.
- Drop octx_debug_dummy variable and instead use octx pointer from
struct eval_ctx for debug output.
- Add missing calls to erec_destroy() in eval debug output which should
eliminate another mem leak.
Fixes: 2535ba7006f22 ("src: get rid of printf") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1178 Fixes: 0d9d04c31481 ("src: make netlink sequence number non-static") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
after previous change nft now culls the dependency chain:
'icmpv6 type echo-request' is shown as-is, and not
'meta nfproto ipv6 meta l4proto 58 icmpv6 type echo-request' anymore.
From postprocess point of view meta and ct are logically the same,
except that their storage area overlaps (union type), so if we
extract the relevant fields we can move all of it into a single
helper and support dependency store/kill for both expressions.
ct keys can match on network and tranasport header protocol
elements, such as port numbers or ip addresses.
Store this base type so a followup commit can store and kill
dependencies, e.g. if bsae is network header we might be able
to kill an earlier expression because the dependency is implicit.
Phil Sutter [Fri, 29 Sep 2017 11:26:22 +0000 (13:26 +0200)]
main: Drop stdout hack to expose nft_print() implementation issues
This was helpful when testing nft_print() implementation, but breaks
'nft --help' output. Also, with this in place typical printf-debugging
would have to use stderr at all times which is confusing at least.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Fri, 29 Sep 2017 11:26:21 +0000 (13:26 +0200)]
main: Flush output from nft_gmp_print()
This adds a missing call to fflush() to nft_gmp_print() just like in
nft_print(). This is strictly not necessary since usually
nft_gmp_print() is followed by a call to nft_print() but better not rely
upon this assumption.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 28 Sep 2017 15:17:45 +0000 (17:17 +0200)]
src: get rid of printf
This patch introduces nft_print()/nft_gmp_print() functions which have
to be used instead of printf to output information that were previously
send to stdout. These functions print to a FILE pointer defined in
struct output_ctx. It is set by calling:
| old_fp = nft_ctx_set_output(ctx, new_fp);
Having an application-defined FILE pointer is actually quite flexible:
Using fmemopen() or even fopencookie(), an application gains full
control over what is printed and where it should go to.
Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 28 Sep 2017 15:17:44 +0000 (17:17 +0200)]
rule: Refactor chain_print_declaration()
Instead of having two nearly identical printf() calls for netdev and
other chains, print the common parts separately and include the device
bit only for netdev chains.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 28 Sep 2017 15:17:43 +0000 (17:17 +0200)]
erec_print: Pass output FILE pointer to netlink_dump_expr()
It was a bit odd that erec_print() outputs to a given FILE pointer but
then calls netlink_dump_expr() which just prints to stdout. Fix this by
passing the given FILE pointer along so output is guaranteed to go to
the same destination.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Wed, 24 May 2017 18:05:54 +0000 (20:05 +0200)]
src: prepare for future ct timeout policy support
Change all places that expect ct helper tokens (ct helper configuration)
to CT HELPER. ct_obj_kind is removed.
When we add ct timeout support, we will add a new ct_timeout_block,
plus extra rules. We won't extend ct_block, it prevents the parser
from detecting bogus syntax that only makes sense for ct helper but
not for something else for instance.
ct_block should be renamed to ct_helper_block, will be done in
followup patch.
Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
since commit b0c2606ed02fed828ab7c34227e355f5542bc925
("parser_bison: use keywords in ct expression") we no longer
abuse string for this, so there are no users of these helpers
anymore.
src: store expression as set key instead of data type
Doing so retains legth information in case of unqualified data types,
e.g. we now have 'meta iifname' expression instead of an (unqualified)
string type.
This allows to eventually use iifnames as set keys without adding yet
another special data type for them.
Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
evaluate: prepare to store expr key rather than datatype
currently set definitions store a datatype rather than
an expression.
In order to support use of unqualified data types (string in particular),
this prepares implicit set definition helper to expect an expression instead
of plain data type. This also has the advantage that we can use EXPR_CONCAT
to retain the original expressions when key concatentation is used, e.g.
'meta iifname . tcp dport'. The netlink serialization code can use
this info to store individual key lengths independently of data types.
Would also allow later on to store the original names of the
expressions, e.g. "ip daddr", in the kernel to support a future
typeof keyword, e.g. 'type typeof(ip daddr)' instead of 'type ipv4_addr'.
Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Using string give us more chances to hit shift/reduce conflicts when
extending this grammar, more specifically, from the stmt_expr rule, so
add keywords for this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Extend stmt_expr and use it from all of our statement rules. Add more
rules to describe what we take from statement expressions, instead of
reusing rhs_expr which is allowing way more things that we actually need
here. This is causing us problems when extending the grammar.
Phil Sutter [Thu, 21 Sep 2017 18:38:02 +0000 (20:38 +0200)]
monitor: Fix for incorrect debug_mask
The field 'debug_mask' of struct netlink_mon_handler was left
uninitialized in do_command_monitor() so it contained garbage from the
stack. Fix this by initializing it with the debug_mask value from struct
netlink_ctx.
While being at it, change the code to make use of C99-style initializer,
which will also avoid things like this in future.
Fixes: be441e1ffdc24 ("src: add debugging mask to context structure") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Fri, 25 Aug 2017 11:17:32 +0000 (13:17 +0200)]
parser: Fix memleaks for STRING token (and derived ones)
The common paradigm here is that all parser rules converting string
tokens into symbols must free the string token if it's not used anymore.
This is unrelated to the %destructor directive, since that will apply
only if the parser discards the token, which is not the case then.
While being at it, simplify error handling in parser rule for listing
conntrack helpers (error() won't return NULL) and drop the unused extra
parameter passed to error() in level_type rule.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Eric Leblond [Thu, 24 Aug 2017 15:07:37 +0000 (17:07 +0200)]
mnl: fix error handling in mnl_batch_talk
If one of the command is failing we should return an error.
Pablo says: "This is not a real issue since nft_netlink() returns an
error in case the list of errors is not empty. But we can indeed
simplify things by removing that explicit assignment in nft_netlink() so
mnl_batch_talk() consistently reports when if an error has happened.
Signee-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 24 Aug 2017 17:14:11 +0000 (19:14 +0200)]
scanner: Fix for wrong parameter type of scanner_destroy()
The function takes the scanner as argument, not the state. This wasn't a
real issue since scanner is a void pointer, which means it's only casted
around without need. So this fix is a rather cosmetic one.
Phil Sutter [Thu, 24 Aug 2017 17:14:10 +0000 (19:14 +0200)]
scanner: Fix for memleak due to unclosed file pointer
When including a file, it is opened by fopen() and therefore needs to be
closed after scanning has finished using fclose(), otherwise valgrind
will report a memleak.
This patch changes struct input_descriptor to track the opened FILE
pointer instead of the file descriptor so the pointer is available for
closing in scanner_destroy().
While at it, change erec_print() to work on the open FILE pointer so it
doesn't have to call fileno() in beforehand. And as a little bonus, use
C99 initializer of the buffer to get rid of the call to memset().
Note that it is necessary to call erec_print_list() prior to destroying
the scanner, otherwise it will start manipulating an already freed FILE
pointer (and therefore crash the program).
projects / thirdparty / nftables.git / log
