Florian Westphal [Wed, 20 Aug 2025 12:44:43 +0000 (14:44 +0200)]
mnl: silence compiler warning
gcc 14.3.0 reports this:
src/mnl.c: In function 'mnl_nft_chain_add':
src/mnl.c:916:25: warning: 'nest' may be used uninitialized [-Wmaybe-uninitialized]
916 | mnl_attr_nest_end(nlh, nest);
I guess its because compiler can't know that the conditions cannot change
in-between and assumes nest_end() can be called without nest_start().
Fixes: 01277922fede ("src: ensure chain policy evaluation when specified") Signed-off-by: Florian Westphal <fw@strlen.de> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
fib: restore JSON output for relational expressions
JSON output for the fib expression changed:
- "result": "check"
+ "result": "oif"
This breaks third party JSON parsers, revert this change for relational
expressions only via workaround until there are clear rules on how to
proceed with JSON schema updates.
As for set and map statements, keep this new "check" result type since
it is not possible to peek on rhs in such case to guess if the
NFT_FIB_F_PRESENT flag needs to be set on.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1806 Fixes: f4b646032acf ("fib: allow to check if route exists in maps") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Jan Engelhardt [Thu, 17 Apr 2025 14:48:33 +0000 (16:48 +0200)]
tools: add a systemd unit for static rulesets
There is a customer request (bugreport) for wanting to trivially load a ruleset
from a well-known location on boot, forwarded to me by M. Gerstner. A systemd
service unit is hereby added to provide that functionality. This is based on
various distributions attempting to do same, for example,
https://src.fedoraproject.org/rpms/nftables/tree/rawhide
https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/nftables/nftables.initd
https://gitlab.archlinux.org/archlinux/packaging/packages/nftables Acked-by: Eric Garver <eric@garver.life> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
chain_stmt_destroy is called from bison destructor, but it turns out
this function won't free the associated chain.
There is no memory leak when bison can parse the input because the chain
statement evaluation step queues the embedded anon chain via cmd_alloc.
Then, a later cmd_free() releases the chain and the embedded statements.
In case of a parser error, the evaluation step is never reached and the
chain object leaks, e.g. in
foo bar jump { return }
Bison calls the right destructor but the anonon chain and all
statements/expressions in it are not released:
HEAP SUMMARY:
in use at exit: 1,136 bytes in 4 blocks
total heap usage: 98 allocs, 94 frees, 840,255 bytes allocated
1,136 (568 direct, 568 indirect) bytes in 1 blocks are definitely lost in loss record 4 of 4
at: calloc (vg_replace_malloc.c:1675)
by: xzalloc (in libnftables.so.1.1.0)
by: chain_alloc (in libnftables.so.1.1.0)
by: nft_parse (in libnftables.so.1.1.0)
by: __nft_run_cmd_from_filename (in libnftables.so.1.1.0)
by: nft_run_cmd_from_filename (in libnftables.so.1.1.0)
To resolve this, make chain_stmt_destroy also release the embedded
chain. This in turn requires chain refcount increases whenever a chain
is assocated with a chain statement, else we get double-free of the
chain.
Signed-off-by: Florian Westphal <fw@strlen.de> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 12 Aug 2025 15:31:47 +0000 (17:31 +0200)]
json: Do not reduce single-item arrays on output
This is a partial revert of commit a740f2036ad0d ("json: Introduce
json_add_array_new()"), keeping the function but eliminating its primary
task which is to replace arrays of size 1 by their only item. While
support for this on input is convenient for users, it means extra casing
in JSON output parsers to cover for it. The minor reduction in output
size does not justify that.
Fixes: a740f2036ad0d ("json: Introduce json_add_array_new()") Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1806 Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 13 Aug 2025 14:14:08 +0000 (16:14 +0200)]
tests: py: Fix tests added for 'icmpv6 taddr' support
There was a duplicate test, also stored JSON equivalents should match
input as much as possible. The expected deviation in output (just like
with standard syntax) is stored in the .json.output file instead.
Fixes: 2e86f45d0260a ("icmpv6: Allow matching target address in NS/NA, redirect and MLD") Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 13 Aug 2025 14:06:46 +0000 (16:06 +0200)]
tests: py: Drop stale entry from ip/snat.t.payload
This payload actually belongs to ip/dnat.t.payload, fixed commit added
it to the wrong file.
Fixes: 8f3048954d40d ("evaluate: postpone transport protocol match check after nat expression evaluation") Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 13 Aug 2025 13:50:54 +0000 (15:50 +0200)]
tests: py: Drop stale entries from ip6/{ct,meta}.t.json
Looks like these were added by accident, fixed commit did not add these
test cases.
Fixes: 8221d86e616bd ("tests: py: add test-cases for ct and packet mark payload expressions") Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 13 Aug 2025 12:51:39 +0000 (14:51 +0200)]
tests: py: Drop redundant payloads for ip/ip.t
Each was present multiple times, introduced probably by copying from a
respective .got file.
Fixes: 77def2d43466e ("netlink_delinearize: support for bitfield payload statement with binary operation") Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 13 Aug 2025 12:32:11 +0000 (14:32 +0200)]
tests: py: Drop stale entry from inet/tcp.t.json
The test was changed but JSON equivalents not updated. Commit c0b685951fabb ("json: fix parse of flagcmp expression") then added an
equivalent matching the changed test, so just drop the old one.
Fixes: c3d57114f119b ("parser_bison: add shortcut syntax for matching flags without binary operations") Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 13 Aug 2025 12:17:46 +0000 (14:17 +0200)]
tests: py: Drop stale payload from any/rawpayload.t.payload
There never was a test corresponding to this payload.
Fixes: 857904bdfaf7a ("tests: py: extend raw payload match tests") Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 13 Aug 2025 12:12:06 +0000 (14:12 +0200)]
tests: py: Drop duplicate test in any/meta.t
The expected invalid meta hour argument of 24:00 is tested already.
Fixes: a6717ae094db2 ("evaluate: Fix for 'meta hour' ranges spanning date boundaries") Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
While this is likely a bug in socat, working around it is simple so
let's tackle it on this side, too.
Note: The second chunk is sufficient to resolve the issue, probably
because the initial ruleset's rate limiter does not trigger during TCP
handshake. Adjust it anyway to keep things consistent.
Suggested-by: Florian Westphal <fw@strlen.de> Fixes: 9352fa7fb0a31 ("test: shell: Add rate_limit test case for 'limit statement'.") Cc: Yi Chen <yiche@redhat.com> Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Thu, 31 Jul 2025 10:40:11 +0000 (12:40 +0200)]
doc: nft.8: Minor NAT STATEMENTS section review
Synopsis insinuates an IP address argument is mandatory in snat/dnat
statements although specifying ports alone is perfectly fine. Adjust it
accordingly and add a paragraph briefly describing the behaviour.
While at it, update the redirect statement description with more
relevant examples, the current one is wrong: To *only* alter the
destination port, dnat statement must be used, not redirect.
Fixes: 6908a677ba04c ("nft.8: Enhance NAT documentation") Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Fri, 25 Jul 2025 15:28:29 +0000 (17:28 +0200)]
evaluate: Fix for 'meta hour' ranges spanning date boundaries
Introduction of EXPR_RANGE_SYMBOL type inadvertently disabled sanitizing
of meta hour ranges where the lower boundary has a higher value than the
upper boundary. This may happen outside of user control due to the fact
that given ranges are converted to UTC which is the kernel's native
timezone.
Perform the conditional match and op inversion with the new RHS
expression type as well after expanding it so values are comparable.
Since this replaces the whole range expression, make it replace the
relational's RHS entirely.
While at it extend testsuites to cover these corner-cases.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1805 Fixes: 347039f64509e ("src: add symbol range expression to further compact intervals") Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 29 Jul 2025 15:55:17 +0000 (17:55 +0200)]
parser_json: Parse into symbol range expression if possible
Apply the bison parser changes in commit 347039f64509e ("src: add symbol
range expression to further compact intervals") to JSON parser as well.
Fixes: 347039f64509e ("src: add symbol range expression to further compact intervals") Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Annotate and combine the 'etype' and 'symtype' checks done in bison
parser for readability and because JSON parser will start doing the same
in a follow-up patch.
Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
parser_bison: fix memory leak when parsing flowtable hook declaration
When the hook location is invalid we error out but we do leak both
the priority expression and the flowtable name. Example:
valgrind --leak-check=full nft -f flowtable-parser-err-memleak
[..] Error: unknown chain hook
hook enoent priority filter + 10
^^^^^^
[..]
2 bytes in 1 blocks are definitely lost in loss record 1 of 3
at: malloc (vg_replace_malloc.c:446)
by: strdup (in libc.so.6)
by: xstrdup (in libnftables.so.1.1.0)
by: nft_lex (in libnftables.so.1.1.0)
by: nft_parse (in libnftables.so.1.1.0)
by: __nft_run_cmd_from_filename (in libnftables.so.1.1.0)
by: nft_run_cmd_from_filename (in libnftables.so.1.1.0)
First two reports are due to the priority expression: this needs to call
expr_free(). Third report is due to the flowtable name, the destructor
was missing so add one.
After fix:
All heap blocks were freed -- no leaks are possible
Signed-off-by: Florian Westphal <fw@strlen.de> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
evaluate: maps: check element data mapping matches set data definition
This change is similar to 7f4d7fef31bd ("evaluate: check element key vs. set definition")
but this time for data mappings.
The included bogon asserts with:
BUG: invalid data expression type catch-all set element
nft: src/netlink.c:596: __netlink_gen_data: Assertion `0' failed.
after:
internal:0:0-0: Error: Element mapping mismatches map definition, expected packet mark, not 'invalid'
Signed-off-by: Florian Westphal <fw@strlen.de> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
json: BASECHAIN flag no longer implies presence of priority expression
This is a followup to 44ea19364637 ("src: BASECHAIN flag no longer implies presence of priority expression"):
feeding the same bogon file into nft -j we get a very similar crash.
When the json is parsed without returning an error the test
fails. Its supposed to log the name of the failed input which
it does for -f but not for -j -f.
Resolve this by validating that the set element key matches the set key
definition.
After this, loading the bogon file gives:
Error: Element mismatches set definition, expected concatenation of (IPv4 address, integer), not 'ICMP type'
elements = {redirect }
^^^^^^^^
Update test to enclose flowtable device names in quotes, otherwise,
it reports a spurious issue:
@@ -1,2 +1,3 @@
add table ip t
-add flowtable ip t ft { hook ingress priority 0; devices = { lo }; }
+add flowtable ip t ft { hook ingress priority 0; devices = { "lo" }; }
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This should help catch subtle bugs due to type confusion.
assert() could be later enabled only in debugging builds to run tests,
keep it by now.
compound_expr_*() still works and it needs the same initial layout for
all of these expressions:
struct list_head expressions;
unsigned int size;
This is implicitly reducing the size of one of the largest structs
in the union area of struct expr, still EXPR_SET_ELEM remains the
largest so no gain is achieved in this iteration.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: add conntrack information to trace monitor mode
Upcoming kernel change provides the packets conntrack state in the
trace message data.
This allows to see if packet is seen as original or reply, the conntrack
state (new, establieshed, related) and the status bits which show if e.g.
NAT was applied. Alsoi include conntrack ID so users can use conntrack
tool to query the kernel for more information via ctnetlink.
This improves debugging when e.g. packets do not pick up the expected
NAT mapping, which could e.g. also happen because of expectations
following the NAT binding of the owning conntrack entry.
Example output ("conntrack: " lines are new):
trace id 32 t PRE_RAW packet: iif "enp0s3" ether saddr [..]
trace id 32 t PRE_RAW rule tcp flags syn meta nftrace set 1 (verdict continue)
trace id 32 t PRE_RAW policy accept
trace id 32 t PRE_MANGLE conntrack: ct direction original ct state new ct id 2641368242
trace id 32 t PRE_MANGLE packet: iif "enp0s3" ether saddr [..]
trace id 32 t ct_new_pre rule jump rpfilter (verdict jump rpfilter)
trace id 32 t PRE_MANGLE policy accept
trace id 32 t INPUT conntrack: ct direction original ct state new ct status dnat-done ct id 2641368242
trace id 32 t INPUT packet: iif "enp0s3" [..]
trace id 32 t public_in rule tcp dport 443 accept (verdict accept)
v3: remove clash bit again, kernel won't expose it anymore.
v2: add more status bits: helper, clash, offload, hw-offload.
add flag explanation to documentation.
Signed-off-by: Florian Westphal <fw@strlen.de> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
tests: py: re-enables nft-test.py to load the local nftables.py
This is a needed follow-up of commit ce443afc21455 ("py: move
package source into src directory") from 2023. Since that change,
nft-test.py started using the host's nftables.py instead of the local
one. But since nft-test.py passes the local src/.libs/libnftables.so.1
as parameter when instantiating the Nftables class, we did nevertheless
use the local libnftables.
Fixes: ce443afc21455 ("py: move package source into src directory") Reviewed-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Zhongqiu Duan <dzq.aishenghu0@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Michal Koutný [Mon, 30 Jun 2025 14:15:26 +0000 (16:15 +0200)]
doc: Clarify cgroup meta variable
The documentation mentions control group id where the meaning is a class
id associated to the cgroup of a socket. This used to be fine until
there came cgroup v2 that use similar terminolgy (cgroup id) for very
different thing -- a numeric identifier of a particular (v2) cgroup.
This contemporary cgroup id isn't exposed by netfilter (v2 matching is
based on paths externally). Fix the docs and decrease confusion by more
precise description of the metavariable.
[ Added comment in description to refer to socket cgroupv2 --pablo ]
Signed-off-by: Michal Koutný <mkoutny@suse.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
f686a17eafa0 ("fib: Support existence check") adds EXPR_F_BOOLEAN as a
workaround to infer from the rhs of the relational expression if the fib
lookup wants to check for a specific output interface or, instead,
simply check for existence. This, however, does not work with maps.
The NFT_FIB_F_PRESENT flag can be used both with NFT_FIB_RESULT_OIF and
NFT_FIB_RESULT_OFINAME, my understanding is that they serve the same
purpose which is to check if a route exists, so they are redundant.
Add a 'check' fib result to check for routes while still keeping the
inference workaround for backward compatibility, but prefer the new
syntax in the listing.
Update man nft(8) and tests/py.
Fixes: f686a17eafa0 ("fib: Support existence check") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The test was technically incorrect: Instead of detecting whether
interface hooks are name-based or not, it actually tested whether
netdev-family chains are removed along with their last hook.
Since the latter behaviour is established in kernel commit fc0133428e7a
("netfilter: nf_tables: Tolerate chains with no remaining hooks") and
thus independent from the name-based hooks change, treating both as the
same kernel feature is not acceptable.
Fix this by detecting whether a netdev-family chain may be added despite
specifying a non-existent interface to hook into. Keep the old check
around with a better name, although unused for now.
Reported-by: Florian Westphal <fw@strlen.de> Fixes: f27e5abd81f29 ("tests: shell: Adjust to ifname-based hooks") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
Florian Westphal [Thu, 26 Jun 2025 00:52:48 +0000 (02:52 +0200)]
evaluate: prevent merge of sets with incompatible keys
Its not enough to check for interval flag, this would assert in interval
code due to concat being passed to the interval code:
BUG: unhandled key type 13
After fix:
same_set_name_but_different_keys_assert:8:6-7: Error: set already exists with
different datatype (concatenation of (IPv4 address, network interface index) vs
network interface index)
set s4 {
^^
This also improves error verbosity when mixing datamap and objref maps:
invalid_transcation_merge_map_and_objref_map:9:13-13:
Error: map already exists with different datatype (IPv4 address vs string)
.. instead of 'Cannot merge map with incompatible existing map of same name'.
The 'Cannot merge map with incompatible existing map of same name' check
is kept in place to catch when ruleset contains a set and map with same name
and same key definition.
Signed-off-by: Florian Westphal <fw@strlen.de> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Mon, 23 Jun 2025 19:37:31 +0000 (21:37 +0200)]
evaluate: check that set type is identical before merging
Reject maps and sets of the same name:
BUG: invalid range expression type catch-all set element
nft: src/expression.c:1704: range_expr_value_low: Assertion `0' failed.
After:
Error: Cannot merge set with existing datamap of same name
set z {
^
v2:
Pablo points out that we shouldn't merge datamaps (plain value) and objref
maps either, catch this too and add another test:
nft --check -f invalid_transcation_merge_map_and_objref_map
invalid_transcation_merge_map_and_objref_map:9:13-13: Error: Cannot merge map with incompatible existing map of same name
We should also make sure that both data (for map case) and
set keys are identical, this is added in a followup patch.
Florian Westphal [Tue, 24 Jun 2025 21:20:58 +0000 (23:20 +0200)]
evaluate: avoid double-free on error handling of bogus objref maps
commit 98c51aaac42b ("evaluate: bail out if anonymous concat set defines a non concat expression")
clears set->init to avoid a double-free.
Extend this to also handle object maps.
The included bogon triggers a double-free of set->init expression:
Error: unqualified type invalid specified in map definition. Try "typeof expression" instead of "type datatype".
ct helper set ct saddr map { 1c3:: : "p", dead::beef : "myftp" }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This might not crash, depending on libc/malloc, but ASAN reports this:
==17728==ERROR: AddressSanitizer: heap-use-after-free on address 0x50b0000005e8 at ..
READ of size 4 at 0x50b0000005e8 thread T0
#0 0x7f1be3cb7526 in expr_free src/expression.c:87
#1 0x7f1be3cbdf29 in map_expr_destroy src/expression.c:1488
#2 0x7f1be3cb74d5 in expr_destroy src/expression.c:80
#3 0x7f1be3cb75c6 in expr_free src/expression.c:96
#4 0x7f1be3d5925e in objref_stmt_destroy src/statement.c:331
#5 0x7f1be3d5831f in stmt_free src/statement.c:56
#6 0x7f1be3d583c2 in stmt_list_free src/statement.c:66
#7 0x7f1be3d42805 in rule_free src/rule.c:495
#8 0x7f1be3d48329 in cmd_free src/rule.c:1417
#9 0x7f1be3cd2c7c in __nft_run_cmd_from_filename src/libnftables.c:759
#10 0x7f1be3cd340c in nft_run_cmd_from_filename src/libnftables.c:847
#11 0x55dcde0440be in main src/main.c:535
Signed-off-by: Florian Westphal <fw@strlen.de> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
There is no guarantee that chain[] is null terminated, so snprintf
can read past chain[] array. ASAN report is:
AddressSanitizer: stack-buffer-overflow on address 0x7ffff5f00520 at ..
READ of size 257 at 0x7ffff5f00520 thread T0
#0 0x00000032ffb6 in printf_common(void*, char const*, __va_list_tag*) (src/nft+0x32ffb6)
#1 0x00000033055d in vsnprintf (src/nft+0x33055d)
#2 0x000000332071 in snprintf (src/nft+0x332071)
#3 0x0000004eef03 in netlink_gen_chain src/netlink.c:454:2
#4 0x0000004eef03 in netlink_gen_verdict src/netlink.c:467:4
Reject chain jumps that exceed 255 characters, which matches the netlink
policy on the kernel side.
The included reproducer fails without asan too because the kernel will
reject the too-long chain name. But that happens after the asan detected
bogus read.
Signed-off-by: Florian Westphal <fw@strlen.de> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Tue, 24 Jun 2025 19:39:46 +0000 (21:39 +0200)]
tests/py: clean up set backend support fallout
Pablo reports failing py tests woth recent kernel and userland:
any/objects.t: OK
WARNING: line 3: 'add rule ip6 test-ip6 input ..
mismatches 'family 2 __set0 test-ip4 3 backend nft_set_bitmap_type [nf_tables] count 7'
When nf_tables is built as a module, the set backend name coming
from kernel contains the module name ([nf_tables]), this makes the
test script treat it as part of the pseudo instructions.
Skip this line explicitly to avoid these warnings.
Fixes: 7cec20e45a75 ("tests/py: prepare for set debug change") Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Tested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
src: use constant range expression for interval+concatenation sets
Expand 347039f64509 ("src: add symbol range expression to further
compact intervals") to use constant range expression for elements with
concatenation of intervals.
Ruleset with 100k elements of this type:
table inet x {
set y {
typeof ip saddr . tcp dport
flags interval
elements = {
0.1.2.0-0.1.2.240 . 0-1,
...
}
}
}
tests: shell: add feature check for count output change
New kernels with latest nft release will print the number
of set elements allocated on the kernel side.
This causes shell test dump validation to fail in several
places. We can't just update the affected dump files
because the test cases are also supposed to pass on current
-stable releases.
Add a feature check for this. Dump failure can then use
sed to postprocess the stored dump file and can then call
Next patch will make initial set dump from kernel emit set debug
information, so the obtained netlink debug file won't match what is
recorded in tests/py.
Furthermore, as the python add rules for each of the family the test is
for, subsequent dump will include debug information of the other/previous
families.
Change the script to skip all unrelated information to only compare the
relevant set element information and the generated expressions.
This change still finds changes in [ expr ... ] and set elem debug output.
evaluate: restrict allowed subtypes of concatenations
We need to restrict this, included bogon asserts with:
BUG: unknown expression type prefix
nft: src/netlink_linearize.c:940: netlink_gen_expr: Assertion `0' failed.
Prefix expressions are only allowed if the concatenation is used within
a set element, not when specifying the lookup key.
For the former, anything that represents a value is allowed.
For the latter, only what will generate data (fill a register) is
permitted.
At this time we do not have an annotation that tells if the expression
is on the left hand side (lookup key) or right hand side (set element).
Add a new list recursion counter for this. If its 0 then we're building
the lookup key, if its the latter the concatenation is the RHS part
of a relational expression and prefix, ranges and so on are allowed.
IOW, we don't really need a recursion counter, another type of annotation
that would tell if the expression is placed on the left or right hand side
of another expression would work too.
v2: explicitly list all 'illegal' expression types instead of
using a default label for them.
This will raise a compiler warning to remind us to adjust the case
labels in case a new expression type gets added in the future.
evaluate: rename recursion counter to recursion.binop
The existing recursion counter is used by the binop expression to detect
if we've completely followed all the binops.
We can only chain up to NFT_MAX_EXPR_RECURSION binops, but the evaluation
step can perform constant-folding, so we must recurse until we found the
rightmost (last) binop in the chain.
Then we can check the post-eval chain to see if it is something that can
be serialized later (i.e., if we are within the NFT_MAX_EXPR_RECURSION
after constant folding) or not.
Thus we can't reuse the existing ctx->recursion counter for other
expressions; entering the initial expr_evaluate_binop with
ctx->recursion > 0 would break things.
Therefore rename this to an embedded structure.
This allows us to add a new recursion counter in a followup patch.
Yi Chen [Sun, 22 Jun 2025 12:55:51 +0000 (20:55 +0800)]
test: shell: Don't use system nft binary
Use the defined $NFT variable instead of calling the system nft binary directly.
Add a nat_ftp.nodump file to avoid the following check-tree.sh error:
ERR: "tests/shell/testcases/packetpath/nat_ftp" has no "tests/shell/testcases/packetpath/dumps/nat_ftp.{nft,nodump}" file.
Signed-off-by: Yi Chen <yiche@redhat.com> Signed-off-by: Florian Westphal <fw@strlen.de>
Phil Sutter [Thu, 12 Jun 2025 10:59:29 +0000 (12:59 +0200)]
tests: py: Properly fix JSON equivalents for netdev/reject.t
Revert commit d1a7b9e19fe65 ("tests: py: update netdev reject test
file"), the stored JSON equivalents were correct in that they matched
the standard syntax input.
In fact, we missed a .json.output file recording the expected deviation
in JSON output.
Fixes: d1a7b9e19fe65 ("tests: py: update netdev reject test file") Fixes: 7ca3368cd7575 ("reject: Unify inet, netdev and bridge delinearization") Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
projects / thirdparty / nftables.git / log
