This patch adds the create command, that send the NLM_F_EXCL flag so
nf_tables bails out if the element already exists, eg.
# nft add element x y { 1.1.1.1 }
# nft create element x y { 1.1.1.1 }
<cmdline>:1:1-31: Error: Could not process rule: File exists
create element x y { 1.1.1.1 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This update requires nf_tables kernel patches to honor the NLM_F_EXCL.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add support for the 'create' command, we already support this in other
existing objects, so support this for sets too, eg.
# nft add set x y { type ipv4_addr\; }
# nft create set x y { type ipv4_addr\; }
<cmdline>:1:1-35: Error: Could not process rule: File exists
create set x y { type ipv4_addr; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# nft add set x y { type ipv4_addr\; }
#
This command sets the NLM_F_EXCL netlink flag, so if the object already
exists, nf_tables returns -EEXIST.
This is changing the existing behaviour of 'nft add set' which was
setting this flag, this is inconsistent with regards to the way other
objects behave.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch separates the rule identification from the rule localization,
so the logic moves from the evaluator to the parser. This allows to
revert the patch "evaluate: improve rule managment checks"
(4176c7d30c2ff1b3f52468fc9c08b8df83f979a8) and saves a lot of code.
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
We should keep existing syntax unchanged, and this was emphasized
in the commit 850f0a56b6ad ("src: add 'to' for snat and dnat")'s
commit log: "Existing syntax is still preserved, but the listing
shows the one including 'to'."
This problem was found by running shell test:
# ./run-tests.sh
[ ... ]
W: [FAILED] ./testcases/maps/anonymous_snat_map_0
I: [OK] ./testcases/maps/map_with_flags_0
W: [FAILED] ./testcases/maps/named_snat_map_0
[ ... ]
Fixes: 850f0a56b6ad ("src: add 'to' for snat and dnat") Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds the missing bits to scan and parse the meta priority
handle as expressed by tc classid major:minor syntax.
The :minor syntax is not support for two reason: major is always >= 1
and this clashes with port syntax in nat.
Here below, several example on how to match the packet priority field:
nft add rule filter forward meta priority abcd:0
nft add rule filter forward meta priority abcd:1234
and to set it, you have to:
nft add rule filter forward meta priority set abcd:1234
The priority expression in flex looks ahead to restrict the pattern to
avoid problems with mappings:
{classid}/[ \t\n:\-},]
So the following doesn't break:
... vmap { 25:accept }
^^^^^
The lookahead expression requires a slight change to extend the input
string in one byte.
This patch is conservative as you always have to explicity indicate
major and minor numbers even if zero.
We could consider supporting this shortcut in the future:
abcd:
However, with regards to this:
:abcd
We don't need to support it since major number is assumed to be >= 1.
However, if we ever decide to support this, we'll have problems since
this clashes with our port representation in redirect and mangle.
So let's keep this simple and start with this approach.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
scanner: allow strings starting by underscores and dots
POSIX.1-2008 (which is simultaneously IEEE Std 1003.1-2008) says:
"The set of characters from which portable filenames are constructed.
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 . _ -"
On top of that it says:
"The <hyphen> character should not be used as the first character of a
portable user name."
This allows a bit more things that NAME_REGEX though, but this still
looks fine to me.
For more info, see:
http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_431
http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_278
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
scanner: don't fall back on current directory if include is not found
This resolves an ambiguity if the same file name is used both under
sysconfdir and the current working directory. You can use dot slash
./ to explicitly refer to files in the current working directory.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1040 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
evaluate: add support to set IPv6 non-byte header fields
'ip6 ecn set 1' will generate a zero-sized write operation.
Just like when matching on bit-sized header fields we need to
round up to a byte-sized quantity and add a mask to retain those
bits outside of the header bits that we want to change.
binop_adjust takes an expression whose LHS is expected to be
the binop expression that we use to adjust a payload expression
based on a mask (to match sub-byte headers like iphdr->version).
A followup patch has to pass the binop directly, so add
add a helper for it.
Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
ct: use nftables sysconf location for connlabel configuration
Instead of using /etc/xtables use the nftables syconfdir.
Also update error message to tell which label failed translation
and which config file was used for this:
nft add filter input ct label foo
<cmdline>:1:27-29: Error: /etc/nftables/connlabel.conf: could not parse conntrack label "foo"
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
A translation of the extension is shown if this is available. In other
case, match or target definition is preceded by a hash. For example,
classify target has not translation:
$ sudo nft list chain mangle POSTROUTING
table ip mangle {
chain POSTROUTING {
type filter hook postrouting priority -150; policy accept;
ip protocol tcp tcp dport 80 counter packets 0 bytes 0 # CLASSIFY set 20:10
^^^
}
}
If the whole ruleset is translatable, the users can (re)load it using
"nft -f" and get nft native support for all their rules.
This patch is joint work by the authors listed below.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Nicholas Vinson [Sat, 2 Jul 2016 18:34:20 +0000 (11:34 -0700)]
nft: configure.ac: Replace magic dblatex dep.
Add a configure switch to enable and disable PDF document generation.
This switch is to replace the current method of automatically detecting
dblatex and building the PDF documentation when present.
Signed-off-by: Nicholas Vinson <nvinson234@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Liping Zhang [Sat, 11 Jun 2016 05:05:14 +0000 (13:05 +0800)]
tests: shell: make testcases which using tcp/udp port more rubost
In my mechain, port 12345 is mapped to italk in /etc/services:
italk 12345/tcp # Italk Chat System
So when we add nft rule with udp port "12345", nft list ruleset
will displayed it as "italk", that cause the result is not same
with expected, then testcase fail.
Add "-nn" option when dump the rulesets from the kernel, make
testcases which using tcp/udp port more rubost.
payload: don't update protocol context if we can't find a description
Since commit 20b1131c07acd2fc ("payload: fix stacked headers protocol context tracking")
we deref null pointer if we can't find a description for the desired
protocol, so "ip protocol 254" crashes while testing protocols 6 or 17
(tcp, udp) works.
"The user data area available is 256 bytes (NFT_USERDATA_MAXLEN). We plan
to allow storing other useful information such as datatypes in set
elements, so make sure there is room for this."
Example:
> nft add table t
> nft add chain t c
> nft add rule t c ip saddr 1.1.1.1 counter comment "abc...xyz" # len > 128
<cmdline>:1:47-N: Error: Comment too long. 128 characters maximum allowed
add rule t c ip saddr 1.1.1.1 counter comment abc...xyz
^^^^^^^^^
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Liping Zhang [Sun, 29 May 2016 11:25:37 +0000 (19:25 +0800)]
parser: fix crash if we add a chain with an error chain type
If we add a chain and specify the nonexistent chain type, chain_type_name_lookup
will return a NULL pointer, and meet the assert condition in xstrdup.
Fix crash like this:
Liping Zhang [Sun, 29 May 2016 10:08:09 +0000 (18:08 +0800)]
meta: fix a format error display when we set priority to root or none
Also delete the redundant '\n'.
This fixes:
# nft add rule filter test meta priority set root
# nft list chain filter test
table ip filter {
chain test {
meta priority set root
none
ffff:ffff
}
}
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
set_elem: Use libnftnl/udata to store set element comment
The set element comment is stored in nftnl_set_elem->user.data using
libnftnl/udata infrastructure. This allows store multiple variable length
user data into set element.
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netlink_linearize: do not duplicate user data when linearizing user data
Otherwise, we memory leak this area since nftnl_rule_set_data() now
makes a copy of the user data which receives. This is happening since
libnftnl's ("rule: Fix segfault due to invalid free of rule user data"),
it is not necessary make a copy before call it.
Note: Carlos originally posted this patch under the name of ("nftables:
Fix memory leak linearizing user data").
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
include: constify nlexpr field in location structure
The location shouldn't ever alter the expression.
And this fixes this compilation warning:
netlink_delinearize.c: In function ‘netlink_parse_expr’:
netlink_delinearize.c:1008:10: warning: assignment discards ‘const’ qualifier from pointer target type
loc.nle = nle;
^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
When playing around with this in your initial patchset I found very
confusing that it may not look obvious to users that they can only use
one single statement.
Note that this limit rate applies globally, so this patch resolves this
ambiguity.
This may cause us problems in the future too if we extend this to
support more than one single statement per flowtable entry (Not
telling we need this now, but if someone comes up with a useful
usecase, we should be capable of extending this).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Patrick McHardy [Wed, 27 Apr 2016 11:29:50 +0000 (12:29 +0100)]
src: add flow statement
The flow statement allows to instantiate per flow statements for user
defined flows. This can so far be used for per flow accounting or limiting,
similar to what the iptables hashlimit provides. Flows can be aged using
the timeout option.
Patrick McHardy [Wed, 27 Apr 2016 11:29:49 +0000 (12:29 +0100)]
stmt: support generating stateful statements outside of rule context
The flow statement contains a stateful per flow statement, which is not
directly part of the rule. Allow generating these statements without adding
them to the rule and mark the supported statements using a new flag
STMT_F_STATEFUL.
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Patrick McHardy [Wed, 27 Apr 2016 11:29:45 +0000 (12:29 +0100)]
set: allow non-constant implicit set declarations
Currently all implicitly declared sets are marked as constant. The flow
statement needs to implicitly declare non-constant sets, so instead of
unconditionally marking the set as constant, only do so if the declaring
expression is itself a constant set.
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Arturo Borrero [Wed, 11 May 2016 11:30:02 +0000 (13:30 +0200)]
evaluate: check for NULL datatype in rhs in lookup expr
If we are evaluating an EXPR_SET_REF, check if right->dtype is not NULL.
We can hit SEGFAULT if for whatever reason the referenced object does not
exist.
Using this testfile (note the invalid set syntax):
% cat test.nft
flush ruleset
add table t
add chain t c
add set t s {type ipv4_addr\;}
add rule t c ip saddr @s
Without this patch:
% nft -f test.nft
Segmentation fault
With this patch:
% nft -f test.nft
t.nft:4:28-28: Error: syntax error, unexpected junk, expecting newline or semicolon
add set t s {type ipv4_addr\;}
^
t.nft:4:13-29: Error: set definition does not specify key data type
add set t s {type ipv4_addr\;}
^^^^^^^^^^^^^^^^^
t.nft:5:23-24: Error: the referenced set does not exist
add rule t c ip saddr @s
~~~~~~~~ ^^
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
evaluate: handle payload matching split in two bytes
When the bits are split between two bytes and the payload field is
smaller than one byte, we need to extend the expression length on both
sides (payload and constant) of the relational expression.
The existing trimming from the delinerization step handles the listing
for us, so no changes on that front.
This patch allows us to match the IPv6 DSCP field which falls into the
case that is described above.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
projects / thirdparty / nftables.git / log
