[libnftnl PATCH 0/7] A bunch of covscan detected fixes

2016-08-11 Thread Phil Sutter
The following series aims at fixing a number of issues identified by Coverity tool. Due to limited familiarity with the whole code layout, I am not sure all of them are really valid, but I tried my best to verify the concerns are legitimate and worth fixing. Phil Sutter (7): set: prevent

[libnftnl PATCH 7/7] ruleset: Initialize ctx.flags before calling nftnl_ruleset_ctx_set()

2016-08-11 Thread Phil Sutter
The called function otherwise accesses uninitialized data. Signed-off-by: Phil Sutter <p...@nwl.cc> --- src/ruleset.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/ruleset.c b/src/ruleset.c index 93cf95ab61e15..a2d67cb550179 100644 --- a/src/ruleset.c +++ b/src/ruleset.c @@

[libnftnl PATCH 3/7] expr/ct: prevent array index overrun in ctkey2str()

2016-08-11 Thread Phil Sutter
The array has NFT_CT_MAX fields, so indices must be less than that number. Fixes: 977b7a1dbe1bd ("ct: xml: use key names instead of numbers") Cc: Arturo Borrero Gonzalez <arturo.borrero.g...@gmail.com> Signed-off-by: Phil Sutter <p...@nwl.cc> --- src/expr/ct.c | 2 +- 1 fil

[libnftnl PATCH 6/7] Avoid returning uninitialized data

2016-08-11 Thread Phil Sutter
Although the 'err' pointer should be interesting for users only if the parser returned non-zero, having it point to uninitialized data is generally a bad thing. Signed-off-by: Phil Sutter <p...@nwl.cc> --- src/chain.c | 2 +- src/rule.c | 2 +- src/set.c | 2 +- src/table.c | 2 +- 4

Re: [libnftnl PATCH 2/7] ruleset: Prevent memleak in nftnl_ruleset_snprintf_*() functions

2016-08-11 Thread Phil Sutter
On Fri, Aug 12, 2016 at 01:42:02AM +0200, Pablo Neira Ayuso wrote: > On Fri, Aug 12, 2016 at 01:33:34AM +0200, Phil Sutter wrote: > > From: Phil Sutter <psut...@redhat.com> > > > > This is an ugly aspect of the SNPRINTF_BUFFER_SIZE() macro: it contains > > a retu

[libnftnl PATCH] utils: Don't return directly from SNPRINTF_BUFFER_SIZE

2016-08-12 Thread Phil Sutter
From: Phil Sutter <psut...@redhat.com> Apart from being a bad idea in general, the return statement contained in that macro in some cases leads to returning from functions without properly cleaning up, thereby causing memory leaks. Instead, just sanitize the value in 'ret' to not harm f

[nft PATCH 1/4] evaluate: Fix datalen checks in expr_evaluate_string()

2016-08-12 Thread Phil Sutter
ake 'datalen' a signed integer instead. Another issue is the check for "data[datalen] != '*'" which will access unallocated memory if 'strlen(data) == 0'. So make sure 'datalen >= 0' before using it as array index. Signed-off-by: Phil Sutter <p...@nwl.cc> --- src/evaluate.c | 6

[nft PATCH 2/4] netlink_delinearize: Avoid potential null pointer deref

2016-08-12 Thread Phil Sutter
-off-by: Phil Sutter <p...@nwl.cc> --- src/netlink_delinearize.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index 12d0b4a277795..6ac2e9690fd39 100644 --- a/src/netlink_delinearize.c +++ b/src/netlink_delinearize.c @@ -518,6

[nft PATCH 0/4] A round of covscan indicated fixes

2016-08-12 Thread Phil Sutter
As for libnftnl, this series aims at fixing a number of issues identified by covscan. And again, due to my limited overview of the code-base, some of them might as well be invalid although I tried to verify the issues as best as I can. Phil Sutter (4): evaluate: Fix datalen checks

[nft PATCH 3/4] proto_find_num: Avoid potential null pointer dereference

2016-08-12 Thread Phil Sutter
When being called from stmt_evaluate_reset(), it seems that 'base' might actually be NULL, so better make sure it is not in proto_find_num(). Signed-off-by: Phil Sutter <p...@nwl.cc> --- This might be invalid in that if 'base' is NULL, ctx->pctx.family is always either NFP

[nft PATCH 4/4] evaluate: Avoid undefined behaviour in concat_subtype_id()

2016-08-12 Thread Phil Sutter
ubtype_id() by a value bigger than the number of bits in 'type' (which is 32bit). Signed-off-by: Phil Sutter <p...@nwl.cc> --- This patch is just an ugly sanitization hack and should probably be substituted by an additional error check in expr_evaluate_concat() giving an explanation of what went

[libnftnl PATCH 1/7] set: prevent memleak in nftnl_jansson_parse_set_info()

2016-08-11 Thread Phil Sutter
From: Phil Sutter <psut...@redhat.com> During list populating, in error case the function returns without freeing the newly allocated 'elem' object, thereby losing any references to it. Signed-off-by: Phil Sutter <p...@nwl.cc> --- src/set.c | 10 +- 1 file changed, 5 inse

[libnftnl PATCH 2/7] ruleset: Prevent memleak in nftnl_ruleset_snprintf_*() functions

2016-08-11 Thread Phil Sutter
From: Phil Sutter <psut...@redhat.com> This is an ugly aspect of the SNPRINTF_BUFFER_SIZE() macro: it contains a return statement and if that triggers, the function returns without freeing the iterator object. Therefore duplicate the 'ret < 0' check before calling it, freeing the iterato

[libnftnl PATCH 4/7] expr/limit: Drop unreachable code in limit_to_type()

2016-08-11 Thread Phil Sutter
The function returns from inside the switch() in any case, so the final return statement is never reached. Fixes: 7769cbd9dfe69 ("expr: limit: add per-byte limiting support") Signed-off-by: Phil Sutter <p...@nwl.cc> --- src/expr/limit.c | 1 - 1 file changed, 1 deletion(-) diff

Re: [libnftnl PATCH 0/7] A bunch of covscan detected fixes

2016-08-11 Thread Phil Sutter
On Fri, Aug 12, 2016 at 02:05:54AM +0200, Pablo Neira Ayuso wrote: > On Fri, Aug 12, 2016 at 01:58:17AM +0200, Pablo Neira Ayuso wrote: > > On Fri, Aug 12, 2016 at 01:33:32AM +0200, Phil Sutter wrote: > > > The following series aims at fixing a number of issues identified by &

Re: [PATCH nf-next v2,1/2] netfilter: nft_exthdr: Add support for existence check

2017-02-07 Thread Phil Sutter
Hi, On Tue, Feb 07, 2017 at 09:20:27PM +0100, Pablo Neira Ayuso wrote: > From: Phil Sutter <p...@nwl.cc> > > If NFT_EXTHDR_F_PRESENT is set, exthdr will not copy any header field > data into *dest, but instead set it to 1 if the header is found and 0 > otherwise. > >

Re: [PATCH nf-next v2,2/2] netfilter: nft_exthdr: add TCP option matching

2017-02-07 Thread Phil Sutter
<f...@strlen.de> > Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> Acked-by: Phil Sutter <p...@nwl.cc>

Re: [nft PATCH 0/3] Boolean comparison and exthdr existence match support

2017-02-06 Thread Phil Sutter
Hi Pablo, On Mon, Jan 23, 2017 at 01:57:47PM +0100, Pablo Neira Ayuso wrote: > On Tue, Jan 17, 2017 at 11:10:04PM +0100, Phil Sutter wrote: > > The following series adds two distinct features to nftables, though > > since the second one depends on presence of the first one this i

[nf-next PATCH] nftables: exthdr: Allow checking TCP option presence, too

2017-02-20 Thread Phil Sutter
Signed-off-by: Phil Sutter <p...@nwl.cc> --- net/netfilter/nft_exthdr.c | 13 ++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c index c308920b194cd..d212a85d2f333 100644 --- a/net/netfilter/nft_exthdr.c +++

[libnftnl PATCH] exthdr: Add missing exthdr flags cases

2017-02-16 Thread Phil Sutter
Looks like some chunks went by the board while merging with exthdr->op patch. Fixes: 4196376330468 ("exthdr: Add support for exthdr flags") Signed-off-by: Phil Sutter <p...@nwl.cc> --- src/expr/exthdr.c | 4 1 file changed, 4 insertions(+) diff --git a/src/expr/exthdr.c

[libnftnl PATCH] exthdr: Add support for exthdr flags

2017-01-17 Thread Phil Sutter
Along with the actual support for exthdr expression specific flags, this also declares NFT_EXTHDR_F_PRESENT used for exthdr existence match. Signed-off-by: Phil Sutter <p...@nwl.cc> --- include/libnftnl/expr.h | 1 + include/linux/netfilter/nf_tables.h | 6 ++ src/expr/ex

[nf-next PATCH] netfilter: nf_tables: cmp: support boolean operation

2017-01-17 Thread Phil Sutter
Signed-off-by: Phil Sutter <p...@nwl.cc> --- include/uapi/linux/netfilter/nf_tables.h | 2 ++ net/netfilter/nft_cmp.c | 12 +++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/net

[nf-next PATCH] netfilter: nf_tables: exthdr: Add support for existence check

2017-01-17 Thread Phil Sutter
If NFT_EXTHDR_F_PRESENT is set, exthdr will not copy any header field data into *dest, but instead set it to 1 if the header is found and 0 otherwise. Signed-off-by: Phil Sutter <p...@nwl.cc> --- include/uapi/linux/netfilter/nf_tables.h | 6 ++ net/netfilter/nft_exthdr.c

[nft PATCH 1/3] Implement boolean comparison in relational expression

2017-01-17 Thread Phil Sutter
This works by introducing OP_BOOL which allows to properly display the boolean statement when listing rules. Apart from that, in kernel space it is this way possible to optimize the comparison instead of having to live with EQ/NEQ zero checks. Signed-off-by: Phil Sutter <p...@nwl.cc> --- i

[nft PATCH 3/3] exthdr: Implement exthdr existence check

2017-01-17 Thread Phil Sutter
This is meant to be used as LHS of a boolean relational expression, like the following example matching on fragment header presence: | exthdr frag exists Signed-off-by: Phil Sutter <p...@nwl.cc> --- include/exthdr.h | 4 src/expression.c | 1 + src/exthdr.c | 6 +

[nft PATCH 0/3] Boolean comparison and exthdr existence match support

2017-01-17 Thread Phil Sutter
on packets without fragmentation header present. Phil Sutter (3): Implement boolean comparison in relational expression exthdr: Add support for exthdr specific flags exthdr: Implement exthdr existence check include/expression.h| 10 + include/exthdr.h

[nft PATCH 2/3] exthdr: Add support for exthdr specific flags

2017-01-17 Thread Phil Sutter
Signed-off-by: Phil Sutter <p...@nwl.cc> --- include/expression.h | 1 + src/exthdr.c | 4 +++- src/netlink_delinearize.c | 4 +++- src/netlink_linearize.c | 1 + 4 files changed, 8 insertions(+), 2 deletions(-) diff --git a/include/expression.h b/include/expression.h

Re: [nft PATCH v2 2/4] netlink_delinearize: Avoid potential null pointer deref

2016-09-06 Thread Phil Sutter
Hi, On Mon, Sep 05, 2016 at 06:52:43PM +0200, Pablo Neira Ayuso wrote: > On Tue, Aug 30, 2016 at 07:39:50PM +0200, Phil Sutter wrote: > > As netlink_get_register() may return NULL, we must not pass the returned > > data unchecked to expr_set_type() as that will derefe

[nft PATCH v2 3/4] stmt_evaluate_reset: Have a generic fix for missing network context

2016-08-30 Thread Phil Sutter
to context. Signed-off-by: Phil Sutter <p...@nwl.cc> --- Changes since v1: - Found the real cause for the problem after some more code and git history research, so rewrote the patch from scratch. --- src/evaluate.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/

[nft PATCH v2 4/4] evaluate: Avoid undefined behaviour in concat_subtype_id()

2016-08-30 Thread Phil Sutter
ing the expected TYPE_INVALID as argument if off is 0. Signed-off-by: Phil Sutter <p...@nwl.cc> --- Changes since v1: - Understood (and reproduced) when the situation causing the undefined behaviour happens. - Understood what the code is supposed to do in that situation. - Based on the informatio

[nft PATCH v2 0/4] A round of covscan indicated fixes

2016-08-30 Thread Phil Sutter
. - Reviewed and improved every patch (for details see each patch's changelog). Phil Sutter (4): evaluate: Fix datalen checks in expr_evaluate_string() netlink_delinearize: Avoid potential null pointer deref stmt_evaluate_reset: Have a generic fix for missing network context evaluate: Avoid

[nft PATCH v2 1/4] evaluate: Fix datalen checks in expr_evaluate_string()

2016-08-30 Thread Phil Sutter
- 1 >= 0', which will never fail due to datalen being unsigned. Fix this by incrementing both sides by one, hence checking 'datalen >= 1'. Signed-off-by: Phil Sutter <p...@nwl.cc> --- Changes since v1: - Based on the assumption that strlen(data) should never be less than 1, just a

[nft PATCH v2 2/4] netlink_delinearize: Avoid potential null pointer deref

2016-08-30 Thread Phil Sutter
-off-by: Phil Sutter <p...@nwl.cc> --- Changes since v1: - Fix for the same problem in netlink_parse_meta_stmt(), too. - Print error message instead of silently failing. - Align coding style with other post netlink_get_register() checks. --- src/netlink_delinearize.c | 6 ++ 1 file chan

Re: [PATCH nf] netfilter: ebtables: put module reference when an incorrect extension is found

2016-08-23 Thread Phil Sutter
> name, but didn't release the reference on the incorrect module. > > Fixes: bcf493428840 ("netfilter: ebtables: Fix extension lookup with > identical name") > Signed-off-by: Sabrina Dubroca <s...@queasysnail.net> Acked-by: Phil Sutter <p...@nwl.cc>

[iptables PATCH] nft_ipv{4,6}_xlate: Respect prefix lengths

2016-11-25 Thread Phil Sutter
1.2.3.4 counter accept | | $ iptables-translate -A INPUT -s 1.2.3.4/255.255.0.0 -j ACCEPT | nft add rule ip filter INPUT ip saddr 1.2.0.0/16 counter accept Ditto for IPv6. Signed-off-by: Phil Sutter <p...@nwl.cc> --- iptables/nft-ipv4.c | 10 ++ iptables/nft-ipv6.c | 8 +--- 2

[PATCH] extensions: libip6t_ah: Fix translation of plain '-m ah'

2016-11-25 Thread Phil Sutter
rule ip6 filter INPUT meta l4proto ah counter accept Signed-off-by: Phil Sutter <p...@nwl.cc> --- extensions/libip6t_ah.c | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/extensions/libip6t_ah.c b/extensions/libip6t_ah.c index 5c2fe558ec464..f35982f379d76

[PATCH] xtables-translate: Support setting standard chain policy

2016-11-25 Thread Phil Sutter
Looks like this bit was simply forgotten when implementing xlate_chain_set() as everything needed was there to just print the desired policy along with the chain definition. Signed-off-by: Phil Sutter <p...@nwl.cc> --- iptables/xtables-translate.c | 16 +++- 1 file chang

Problem with iptables-translate and tcp flags match

2016-11-25 Thread Phil Sutter
Hi, I have a problem which exposes bugs in both iptables-translate and nft and am a bit at a loss with it. But first things first: | $ iptables-translate -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP | nft add rule ip filter INPUT tcp flags & fin|syn == fin|syn counter drop This

Re: Problem with iptables-translate and tcp flags match

2016-11-28 Thread Phil Sutter
On Mon, Nov 28, 2016 at 12:35:37PM +0100, Pablo Neira Ayuso wrote: > Hi, > > On Fri, Nov 25, 2016 at 10:50:17PM +0100, Phil Sutter wrote: > > Hi, > > > > I have a problem which exposes bugs in both iptables-translate and nft > > and am a bit at a los

[iptables PATCH] xtables-translate: Fix chain type when translating nat table

2016-11-28 Thread Phil Sutter
This makes the type of translated chains in nat table to be of type 'nat' instead of 'filter' which is incorrect. Verified like so: | $ iptables-restore-translate -f /dev/stdin < --- This patch depends upon my previously submitted patch "xtables-translate: Support setting standard chain policy".

[nft PATCH] parser_bison: Allow parens on RHS of relational_expr

2016-11-28 Thread Phil Sutter
places, so this patch is the safest way to allow the above I could come up with. Signed-off-by: Phil Sutter <p...@nwl.cc> --- src/parser_bison.y | 4 1 file changed, 4 insertions(+) diff --git a/src/parser_bison.y b/src/parser_bison.y index 91955c187f3f0..73a0eda9a5d87 100644 --- a/s

Re: Filtering invalid MAC addresses

2016-11-27 Thread Phil Sutter
Hi, On Sun, Nov 27, 2016 at 06:09:11PM -0800, jordi guri wrote: > I was wondering if the newer nftables is able to deal with invalid MAC > addresses. iptables I don't think can deal with these. For example I > have the following showing up in my log (from some anonymous proxy port >

RFC: nft.8 review

2016-12-10 Thread Phil Sutter
Hi, I skimmed through nft man page and noted down problems I discovered. While doing so, I got the idea to restructure the whole document for better organization and comprehensibility but wanted to hear your thoughts first before creating a ticket in netfilter BZ: * Use BNF in synopses This is

[nft PATCH] tests: py: Test TCP flags match with parentheses

2016-11-30 Thread Phil Sutter
This should test the fix in commit 7222680eb328b ("parser_bison: Allow parens on RHS of relational_expr"). Signed-off-by: Phil Sutter <p...@nwl.cc> --- tests/py/inet/tcp.t| 1 + tests/py/inet/tcp.t.payload.inet | 8 tests/py/inet/tcp.t.pa

[iptables PATCH] tcp_xlate: Enclose LH flag values in parentheses

2016-11-29 Thread Phil Sutter
rent way than expected since binary AND takes precedence over OR. Signed-off-by: Phil Sutter <p...@nwl.cc> --- extensions/libxt_tcp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c index 7f68b81288725..58f3c0a0c3

RFC: nftables: Boolean operation, two alternatives

2017-01-10 Thread Phil Sutter
ove). Thanks, Phil From 9bf08b916f9b6148cf3b61d4a7b6b25fc3dc4add Mon Sep 17 00:00:00 2001 From: Phil Sutter <p...@nwl.cc> Date: Fri, 23 Dec 2016 17:53:03 +0100 Subject: [nft PATCH] implement boolean as simple alias for relational EQ/NEQ 0 Signed-off-by: Phil Sutter <p...@nwl.cc> ---

Re: RFC: nft.8 review

2016-12-20 Thread Phil Sutter
Hi Mark, On Tue, Dec 20, 2016 at 10:27:45AM -0600, mark diener wrote: > Will the V8 NFT have byte level protocol compatibility with current > linux kernel versions? We were talking about nft manpage (which happens to live in section 8, hence why I referred to it as 'nft.8'), not some version 8

Re: libmnl compile failure.

2016-12-19 Thread Phil Sutter
Hi, On Fri, Dec 16, 2016 at 08:54:59AM +0800, maowenan wrote: > There is something wrong when I make libmnl, could you please help check? There is no error message in the output you pasted. Looks like you're calling 'make' in an already built source tree, so nothing needs to be done. Do you see

[nft PATCH] proto: Add some exotic ICMPv6 types

2017-03-15 Thread Phil Sutter
. In addition to the above, "mld-listener-done" is introduced as an alias for "mld-listener-reduction". Signed-off-by: Phil Sutter <p...@nwl.cc> --- This should resolve netfilter BZ#926. --- src/proto.c | 8 1 file changed, 8 insertions(+) diff --git a/src/proto.c b/src/p

[nft PATCH v2 2/2] doc: Describe ICMP(v6) expression and types

2017-03-16 Thread Phil Sutter
This adds a description of the icmp and icmpv6 expressions (to match various ICMP header fields) as well as the icmp and icmpv6 type types (yay) which are used for ICMP(v6) type field. Signed-off-by: Phil Sutter <p...@nwl.cc> --- Changes since v1: - Added this patch. --- doc/nft.xml

[nft PATCH v2 1/2] proto: Add some exotic ICMPv6 types

2017-03-16 Thread Phil Sutter
. In addition to the above, "mld-listener-done" is introduced as an alias for "mld-listener-reduction". Signed-off-by: Phil Sutter <p...@nwl.cc> --- Changes since v1: - Reordered symbols in icmp6_type_tbl: - mld-listener-done is the preferred alias - order new symbols by the n

[nft PATCH 1/2] evaluate: set: Allow for set elems to be sets

2017-03-20 Thread Phil Sutter
-off-by: Phil Sutter <p...@nwl.cc> --- src/evaluate.c | 9 + 1 file changed, 9 insertions(+) diff --git a/src/evaluate.c b/src/evaluate.c index 8fb716c062449..86ff8ebd17629 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -1132,6 +1132,15 @@ static int expr_evaluate_set(struct ev

[nft PATCH 2/2] evaluate: set: Fix nested set merge size adjustment

2017-03-20 Thread Phil Sutter
which are checked for overlaps. Here's an example of how to trigger it: | add rule ip saddr { { 1.1.1.0/24, 3.3.3.0/24 }, 2.2.2.0/24 } Signed-off-by: Phil Sutter <p...@nwl.cc> --- src/evaluate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/evaluate.c b/src/evaluate.c

[nft PATCH 0/2] Some fixes for nested sets

2017-03-20 Thread Phil Sutter
This series fixes a number of issues with nested anonymous sets. Phil Sutter (2): evaluate: set: Allow for set elems to be sets evaluate: set: Fix nested set merge size adjustment src/evaluate.c | 11 ++- 1 file changed, 10 insertions(+), 1 deletion(-) -- 2.11.0

[nft PATCH 3/3] sets: Fix for missing space after last element

2017-03-21 Thread Phil Sutter
Not having a space between the last element in a set and the closing curly brace looks ugly, so add it here. This also adjusts all shell testcases as they match whitespace in nft output and therefore fail otherwise. Signed-off-by: Phil Sutter <p...@nwl.cc> --- src/expres

[nft PATCH 2/3] tests: shell: netns/0003many_0: Fix cleanup after error

2017-03-21 Thread Phil Sutter
[TOTAL] 1 | | $ ip netns list | 1_0003many_0 | $ ip netns del 1_0003many_0 | | $ ./run-tests.sh testcases/sets/0015rulesetflush_0 | I: using nft binary ../../src/nft | | I: [OK] testcases/sets/0015rulesetflush_0 | | I: results: [OK] 1 [FAILED] 0 [TOTAL] 1 Signed-off-by: Phil Sutter &l

[nft PATCH 1/3] tests: Add test cases for nested anonymous sets

2017-03-21 Thread Phil Sutter
This makes sure nesting of anonymous sets works regardless of whether defines are used or not. As a side-effect, it also checks that overlap checking works when IP address prefixes are used. Signed-off-by: Phil Sutter <p...@nwl.cc> --- tests/py/ip/sets.t | 4 +++ te

Re: [nft PATCH] proto: Add some exotic ICMPv6 types

2017-03-15 Thread Phil Sutter
On Wed, Mar 15, 2017 at 05:15:14PM +0100, Pablo Neira Ayuso wrote: > On Wed, Mar 15, 2017 at 04:55:01PM +0100, Phil Sutter wrote: > > This adds support for matching on inverse ND messages as defined by > > RFC3122 (not implemented in Linux) and MLDv2 as defined by RFC3810

[iptables PATCH] xtables-translate: Avoid querying the kernel

2017-03-08 Thread Phil Sutter
is there is no need to check what revision of a given iptables match the kernel supports when it is only to be translated into an nftables equivalent. So just assign a dummy callback returning good for any revision being asked for. Signed-off-by: Phil Sutter <p...@nwl.cc> --- iptables/xtables-trans

[libnftnl PATCH] expr: exthdr: Display NFT_EXTHDR_F_PRESENT in debug output

2017-03-11 Thread Phil Sutter
This allows to assert it in testsuite also. Signed-off-by: Phil Sutter <p...@nwl.cc> --- src/expr/exthdr.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/expr/exthdr.c b/src/expr/exthdr.c index 9ed4ae1725ac1..d4f166525dc9e 100644 --- a/src/expr/exthdr.c +++

[libnftnl PATCHv2] fib: Add support for NFTA_FIB_F_PRESENT flag

2017-03-11 Thread Phil Sutter
Reflect existence of flag in debug output so testsuite can check for it. Signed-off-by: Phil Sutter <p...@nwl.cc> --- Changes since v1: - Print 'present' keyword if flag is set instead of ignoring it. --- include/linux/netfilter/nf_tables.h | 1 + src/expr/fib.c

[nft PATCH v2 2/3] tests: Adjust for changed exthdr debug output

2017-03-11 Thread Phil Sutter
Debug output from libnftnl has changed to include 'present' keyword if NFT_EXTHDR_F_PRESENT flag is set in expression. Signed-off-by: Phil Sutter <p...@nwl.cc> --- Changes since v1: - Patch introduced. --- tests/py/inet/tcpopt.t.payload.inet | 4 ++-- tests/py/ip6/exthdr.t.payload.ip6

[nft PATCH v2 3/3] doc: Document boolean type and applications

2017-03-11 Thread Phil Sutter
Signed-off-by: Phil Sutter <p...@nwl.cc> --- Changes since v1: - Nothing changed, just resubmitting. --- doc/nft.xml | 134 1 file changed, 134 insertions(+) diff --git a/doc/nft.xml b/doc/nft.xml index 990b93684c9c4..de86d2a

[nft PATCH v2 1/3] fib: Support existence check

2017-03-11 Thread Phil Sutter
that a boolean comparison is being done (indicated by boolean type on RHS). In contrast to exthdr existence checks, fib expression can't know this beforehand because the LHS syntax is absolutely identical to a non-boolean comparison. Signed-off-by: Phil Sutter <p...@nwl.cc> --- Changes si

[nft PATCH v2 0/3] Follow-up to boolean type and existence checks

2017-03-11 Thread Phil Sutter
This series is a follow-up to the partially applied v1 which takes into account the previously submitted changes to libnftnl debug output format for fib and exthdr ops. Phil Sutter (3): fib: Support existence check tests: Adjust for changed exthdr debug output doc: Document boolean type

[iptables PATCH] extensions: libxt_statistic: Complete nft translator

2017-03-13 Thread Phil Sutter
INPUT numgen random mod 0x4 < 0x3 counter $ iptables-translate -A INPUT -m statistic --mode random --probability 0.33 nft add rule ip filter INPUT numgen random mod 0x2000 < 0xa8f5c29 counter Signed-off-by: Phil Sutter <p...@nwl.cc> --- In general, I don't think the code is

Re: [iptables PATCH] extensions: libxt_statistic: Complete nft translator

2017-03-14 Thread Phil Sutter
On Mon, Mar 13, 2017 at 05:53:53PM +0100, Pablo Neira Ayuso wrote: > On Mon, Mar 13, 2017 at 05:01:53PM +0100, Phil Sutter wrote: > [...] > > The nftables numgen expression works differently: > > Phil, if you think we need a 1:1 mapping so iptables users moving to > nftabl

[nft PATCH 3/5] exthdr: Implement existence check

2017-03-10 Thread Phil Sutter
This allows to check for existence of an IPv6 extension or TCP option header by using the following syntax: | exthdr frag exists | tcpopt window exists Signed-off-by: Phil Sutter <p...@nwl.cc> --- include/exthdr.h| 2 ++ src/evaluate.c | 3 +

[nft PATCH 5/5] doc: Document boolean type and applications

2017-03-10 Thread Phil Sutter
Signed-off-by: Phil Sutter <p...@nwl.cc> --- doc/nft.xml | 134 1 file changed, 134 insertions(+) diff --git a/doc/nft.xml b/doc/nft.xml index 990b93684c9c4..de86d2a18258f 100644 --- a/doc/nft.xml +++ b/doc/nft.xml @@ -1329,6 +13

[nft PATCH 2/5] exthdr: Add support for exthdr specific flags

2017-03-10 Thread Phil Sutter
This allows to have custom flags in exthdr expression, which is necessary for upcoming existence checks (of both IPv6 extension headers as well as TCP options). Signed-off-by: Phil Sutter <p...@nwl.cc> --- include/expression.h | 1 + include/exthdr.h | 2 +- include/tc

[nft PATCH 4/5] fib: Support existence check

2017-03-10 Thread Phil Sutter
that a boolean comparison is being done (indicated by boolean type on RHS). In contrast to exthdr existence checks, fib expression can't know this beforehand because the LHS syntax is absolutely identical to a non-boolean comparison. Signed-off-by: Phil Sutter <p...@nwl.cc> --- include/expres

[nft PATCH 1/5] Introduce boolean datatype and boolean expression

2017-03-10 Thread Phil Sutter
Signed-off-by: Phil Sutter <p...@nwl.cc> --- include/datatype.h | 2 ++ src/datatype.c | 19 +++ src/parser_bison.y | 20 src/scanner.l | 3 +++ 4 files changed, 44 insertions(+) diff --git a/include/datatype.h b/include/datatype.h

[nft PATCH 0/5] Introduce boolean type and existence checks

2017-03-10 Thread Phil Sutter
The following patch series implements a boolean datatype for use in a boolean expression as right-hand side of a relational. Based upon that, header existence matches are implemented for IPv6 extension and TCP option headers as well as an existence match of a FIB entry. Phil Sutter (5

[libnftnl PATCH] fib: Add support for NFTA_FIB_F_PRESENT flag

2017-03-10 Thread Phil Sutter
Actually it is just to be ignored so its presence doesn't mess up the op printer. Signed-off-by: Phil Sutter <p...@nwl.cc> --- include/linux/netfilter/nf_tables.h | 1 + src/expr/fib.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/include

[nf-next PATCH] nftables: fib: Support existence check

2017-03-10 Thread Phil Sutter
Instead of the actual interface index or name, set destination register to just 1 or 0 depending on whether the lookup succeeded or not if NFTA_FIB_F_PRESENT was set in userspace. Signed-off-by: Phil Sutter <p...@nwl.cc> --- include/net/netfilter/nft_fib.h | 2 +- include/uapi

Re: [nft PATCH 4/5] fib: Support existence check

2017-03-10 Thread Phil Sutter
Hi, On Fri, Mar 10, 2017 at 07:07:25PM +0100, Pablo Neira Ayuso wrote: > On Fri, Mar 10, 2017 at 06:13:52PM +0100, Phil Sutter wrote: > [...] > > diff --git a/tests/py/inet/fib.t.payload b/tests/py/inet/fib.t.payload > > index f5258165384dc..e928a19649133 100644 >

Re: [iptables PATCH] extensions: libxt_conntrack: Fix 'state' translation to nft

2017-03-08 Thread Phil Sutter
On Wed, Mar 08, 2017 at 11:36:52AM +0100, Pablo Neira Ayuso wrote: > On Tue, Mar 07, 2017 at 09:07:45PM +0100, Phil Sutter wrote: > > On Tue, Mar 07, 2017 at 08:31:58PM +0100, Pablo Neira Ayuso wrote: > > > On Tue, Mar 07, 2017 at 05:54:09PM +0100, Phil Sutter wrote: > >

Re: [iptables PATCH] extensions: libxt_conntrack: Fix 'state' translation to nft

2017-03-08 Thread Phil Sutter
On Wed, Mar 08, 2017 at 01:31:51PM +0100, Phil Sutter wrote: > Oh man, I just found the cause: I was running iptables-translate as > unprivileged user. Calling it with sudo magically makes everything work. > > I'll have a look whether it's possible to communicate the received &

Re: [iptables PATCH] extensions: libxt_conntrack: Fix 'state' translation to nft

2017-03-08 Thread Phil Sutter
On Wed, Mar 08, 2017 at 02:38:42PM +0100, Pablo Neira Ayuso wrote: > On Wed, Mar 08, 2017 at 01:31:51PM +0100, Phil Sutter wrote: > > On Wed, Mar 08, 2017 at 11:36:52AM +0100, Pablo Neira Ayuso wrote: > > > On Tue, Mar 07, 2017 at 09:07:45PM +0100, Phil Sutter wrote: > >

[iptables PATCH] extensions: libxt_conntrack: Fix 'state' translation to nft

2017-03-07 Thread Phil Sutter
callback. Fix this by reordering the matches in conntrack_mt_reg so that the highest revision one is found first. Signed-off-by: Phil Sutter <p...@nwl.cc> --- The strange thing here is that I'm pretty sure this has been working once. My logs from playing with iptables-restore-translate from No

Re: [iptables PATCH] extensions: libxt_conntrack: Fix 'state' translation to nft

2017-03-07 Thread Phil Sutter
On Tue, Mar 07, 2017 at 05:20:55PM +0100, Pablo Neira Ayuso wrote: > On Tue, Mar 07, 2017 at 05:17:29PM +0100, Pablo Neira Ayuso wrote: > > On Tue, Mar 07, 2017 at 04:35:07PM +0100, Phil Sutter wrote: > > > While translating a conntrack state match in old syntax, matches a

nft: ah expression doesn't work for IPv6

2017-03-02 Thread Phil Sutter
Hi, There is currently an open issue with nft in that ah expression doesn't work for IPv6 since it creates a payload expression which doesn't find the AH IPv6 extension header. There has been a discussion about this problem off-list in which two alternative "solutions" were named, both involve

Re: nft: ah expression doesn't work for IPv6

2017-03-03 Thread Phil Sutter
On Thu, Mar 02, 2017 at 10:25:22PM +0100, Pablo Neira Ayuso wrote: > On Thu, Mar 02, 2017 at 10:01:29PM +0100, Pablo Neira Ayuso wrote: > > On Thu, Mar 02, 2017 at 08:56:52PM +0100, Phil Sutter wrote: > > > Hi, > > > > > > There is currently an open issue wi

[iptables PATCH] extensions: libxt_addrtype: Add translation to nft

2017-03-07 Thread Phil Sutter
-off-by: Phil Sutter <p...@nwl.cc> --- extensions/libxt_addrtype.c | 69 + 1 file changed, 69 insertions(+) diff --git a/extensions/libxt_addrtype.c b/extensions/libxt_addrtype.c index e5d3033ccc5ca..27485405b3595 100644 --- a/extensions/libxt_addr

Re: [iptables PATCH] extensions: libxt_conntrack: Fix 'state' translation to nft

2017-03-07 Thread Phil Sutter
On Tue, Mar 07, 2017 at 08:31:58PM +0100, Pablo Neira Ayuso wrote: > On Tue, Mar 07, 2017 at 05:54:09PM +0100, Phil Sutter wrote: > > On Tue, Mar 07, 2017 at 05:20:55PM +0100, Pablo Neira Ayuso wrote: > > > On Tue, Mar 07, 2017 at 05:17:29PM +0100, Pablo Neira Ayuso wrote: >

[nft PATCH v3 3/4] Implement --echo option

2017-07-28 Thread Phil Sutter
ip t c accept | rule handle 2 In an ideal world, every element and not just rules should have an identifying handle. When these are added, --echo output can simply be adjusted to print that handle instead of the name one has to use at the moment. Signed-off-by: Phil Sutter <p...@nwl.cc> --

[nft PATCH v3 4/4] tests: Add a simple test suite for --echo option

2017-07-28 Thread Phil Sutter
The fancy thing about this is that it uses the actual echo output to undo the changes to the rule set. Signed-off-by: Phil Sutter <p...@nwl.cc> --- tests/echo/run-tests.sh | 53 +++ tests/echo/testcases/simple.t | 8 +++ 2 files chang

[nft PATCH v3 0/4] Implement --echo option

2017-07-28 Thread Phil Sutter
with one of nf_tables_msg_types values. Another change since v2 is a minor fix of the added documentation in nft.xml - I used tag which is not known. Phil Sutter (4): mnl: Consolidate mnl_batch_talk() parameters netlink: Pass nlmsg flags from rule.c Implement --echo option tests: Add a simple

[nft PATCH v3 2/4] netlink: Pass nlmsg flags from rule.c

2017-07-28 Thread Phil Sutter
There is no point in checking value of excl in each called function. Just do it in a single spot and pass resulting flags. Signed-off-by: Phil Sutter <p...@nwl.cc> --- include/netlink.h | 10 src/netlink.c | 69 ++- src/

[nft PATCH v3 1/4] mnl: Consolidate mnl_batch_talk() parameters

2017-07-28 Thread Phil Sutter
The single caller of this function passes struct netlink_ctx fields as the first two parameters. This can be simplified by passing the context object itself and having mnl_batch_talk() access its fields instead. Signed-off-by: Phil Sutter <p...@nwl.cc> --- include/mnl.h | 4 ++-- src

Re: [nft PATCH v3 2/4] netlink: Pass nlmsg flags from rule.c

2017-08-02 Thread Phil Sutter
On Wed, Aug 02, 2017 at 02:58:57PM +0200, Pablo Neira Ayuso wrote: > On Wed, Aug 02, 2017 at 02:36:40PM +0200, Pablo Neira Ayuso wrote: > > On Fri, Jul 28, 2017 at 01:55:46PM +0200, Phil Sutter wrote: > > > There is no point in checking value of excl in each called funct

nftables: Testcase crashes the kernel

2017-08-03 Thread Phil Sutter
Hi, While running tests/shell testsuite, I notice a kernel crash during execution of ./testcases/maps/0003map_add_many_elements_0. I am running nf-next kernel with head at 4d3a57f23dec59f0a2362e63540b2d01b37afe0a. Here's the crashdump: [ 570.593118] BUG: unable to handle kernel paging request

[nft PATCH 2/4] netlink: Fix segfault when using --echo flag

2017-08-14 Thread Phil Sutter
option") Signed-off-by: Phil Sutter <p...@nwl.cc> --- src/netlink.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/netlink.c b/src/netlink.c index 8aef8d9ab4070..f631c26b2b9ca 100644 --- a/src/netlink.c +++ b/src/netlink.c @@ -3075,12 +3075,14 @@ static i

[nft PATCH 4/4] tests: Merge monitor and echo test suites

2017-08-14 Thread Phil Sutter
The two test suites were pretty similar already, and since echo output is supposed to be identical to monitor output apart from delete commands, they can be merged together with little effort. Signed-off-by: Phil Sutter <p...@nwl.cc> --- tests/echo/run-tests.sh

[nft PATCH 1/4] mnl: Drop --echo support for non-batch calls

2017-08-14 Thread Phil Sutter
lly not feasible, therefore drop this broken attempt at supporting it. Signed-off-by: Phil Sutter <p...@nwl.cc> --- src/mnl.c | 23 +-- 1 file changed, 1 insertion(+), 22 deletions(-) diff --git a/src/mnl.c b/src/mnl.c index 031b7f39da8f5..5017b81c96e7c 100644 --- a/src/mnl.c

[nft PATCH 3/4] echo: Fix for added delays in rule updates

2017-08-14 Thread Phil Sutter
cache_init() and mnl_batch_talk() would receive unexpected new input. So instead update the cache from do_command_add(), netlink_replace_rule_batch() and do_comand_insert() so it completes before mnl_batch_talk() starts listening. Signed-off-by: Phil Sutter <p...@nwl.cc> --- include/netlink.

[nft PATCH 0/4] A bunch of fixes for echo output

2017-08-14 Thread Phil Sutter
This series addresses the shortcomings of my echo option implementation pointed out by Pablo. In addition to that, I figured that test suites for monitor and echo are pretty similar so I merged both into one. Phil Sutter (4): mnl: Drop --echo support for non-batch calls netlink: Fix segfault

Re: [nft PATCH 1/4] mnl: Drop --echo support for non-batch calls

2017-08-15 Thread Phil Sutter
Hi, On Tue, Aug 15, 2017 at 12:25:00PM +0200, Pablo Neira Ayuso wrote: > On Tue, Aug 15, 2017 at 01:43:02AM +0200, Phil Sutter wrote: [...] > > I didn't notice this because I didn't test for kernels without support > > for transactions. This has been added to nftables in kern

Re: [nft PATCH 3/4] echo: Fix for added delays in rule updates

2017-08-15 Thread Phil Sutter
On Tue, Aug 15, 2017 at 01:27:56PM +0200, Phil Sutter wrote: > On Tue, Aug 15, 2017 at 12:35:30PM +0200, Pablo Neira Ayuso wrote: > > On Tue, Aug 15, 2017 at 01:43:04AM +0200, Phil Sutter wrote: > [...] > > > diff --git a/include/netlink.h b/include/netlink.h >

[nft PATCH v2] echo: Fix for added delays in rule updates

2017-08-15 Thread Phil Sutter
cache_init() and mnl_batch_talk() would receive unexpected new input. So instead update the cache from do_command_add(), netlink_replace_rule_batch() and do_comand_insert() so it completes before mnl_batch_talk() starts listening. Signed-off-by: Phil Sutter <p...@nwl.cc> --- Changes since v1: -
