[PATCH nft 1/5] netlink_delinearize: clone on netlink_get_register(), release previous on _set()

[PATCH nft 1/5] netlink_delinearize: clone on netlink_get_register(), release previous on _set()

[Pablo Neira Ayuso]

If we add this rule:

  nft add rule filter input meta length 33-55

the listing shows:

  meta length >= 33 meta length <= 754974720

The two meta statements share the same left-hand side, thus, only the
first one is converted from network byte order to host byte order.

Update netlink_get_register() to return a clone so each left-hand side
has its own left-hand side.

Moreover, release the existing register before overriding it with fresh
expressions in netlink_set_register().

Thefore, if you manipulate a register from any of the existing parse
functions, you have to re-set it again to place fresh modified clone.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/netlink_delinearize.c |   14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 1be409b..c809bb6 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -57,6 +57,9 @@ static void netlink_set_register(struct netlink_parse_ctx *ctx,
 		return;
 	}
 
+	if (ctx->registers[reg] != NULL)
+		expr_free(ctx->registers[reg]);
+
 	ctx->registers[reg] = expr;
 }
 
@@ -72,7 +75,15 @@ static struct expr *netlink_get_register(struct netlink_parse_ctx *ctx,
 	}
 
 	expr = ctx->registers[reg];
-	return expr;
+	return expr_clone(expr);
+}
+
+static void netlink_release_registers(struct netlink_parse_ctx *ctx)
+{
+	int i;
+
+	for (i = 0; i <= NFT_REG_MAX; i++)
+		expr_free(ctx->registers[i]);
 }
 
 static void netlink_parse_immediate(struct netlink_parse_ctx *ctx,
@@ -1109,5 +1120,6 @@ struct rule *netlink_delinearize_rule(struct netlink_ctx *ctx,
 	nft_rule_expr_foreach((struct nft_rule *)nlr, netlink_parse_expr, pctx);
 
 	rule_parse_postprocess(pctx, pctx->rule);
+	netlink_release_registers(pctx);
 	return pctx->rule;
 }
-- 
1.7.10.4

[PATCH nft 2/5] meta: set base field on clones

[Pablo Neira Ayuso]

Set missing field on meta expression clone.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/meta.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/src/meta.c b/src/meta.c
index 9c1ea58..f33837c 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -439,6 +439,7 @@ static bool meta_expr_cmp(const struct expr *e1, const struct expr *e2)
 static void meta_expr_clone(struct expr *new, const struct expr *expr)
 {
 	new->meta.key = expr->meta.key;
+	new->meta.base = expr->meta.base;
 }
 
 /**
-- 
1.7.10.4

[PATCH nft 3/5] tests: regression: fix "Listing is broken" instead of output mismatch

[Pablo Neira Ayuso]

If the output string doesn't match the input, indicate that the output
mismatches instead of the misleading "Listing is broken".

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 tests/regression/nft-test.py |   15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)

diff --git a/tests/regression/nft-test.py b/tests/regression/nft-test.py
index e1aec89..9998ab3 100755
--- a/tests/regression/nft-test.py
+++ b/tests/regression/nft-test.py
@@ -505,15 +505,12 @@ def rule_add(rule, table_list, chain_list, filename, lineno,
                                                         rule_output, cmd)
                                 if not force_all_family_option:
                                     return [ret, warning, error, unit_tests]
-                            if rule[0].find(rule_output.split(" ")[0]) > -1:
-                                warning += 1
-                                print_differences_warning(filename, lineno,
-                                                          rule[0], rule_output,
-                                                          cmd)
-                            else:
-                                error += 1
-                                print_differences_error(filename, lineno,
-                                                        rule_output, cmd)
+
+                            warning += 1
+                            print_differences_warning(filename, lineno,
+                                                      rule[0], rule_output,
+                                                      cmd)
+
                             if not force_all_family_option:
                                 return [ret, warning, error, unit_tests]
 
-- 
1.7.10.4

[PATCH nft 3/5] tests: regression: fix "Listing is broken" instead of output mismatch

[Pablo Neira Ayuso]

If the output string doesn't match the input, indicate that the output
mismatches instead of the misleading "Listing is broken".

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 tests/regression/nft-test.py |   15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)

diff --git a/tests/regression/nft-test.py b/tests/regression/nft-test.py
index e1aec89..9998ab3 100755
--- a/tests/regression/nft-test.py
+++ b/tests/regression/nft-test.py
@@ -505,15 +505,12 @@ def rule_add(rule, table_list, chain_list, filename, lineno,
                                                         rule_output, cmd)
                                 if not force_all_family_option:
                                     return [ret, warning, error, unit_tests]
-                            if rule[0].find(rule_output.split(" ")[0]) > -1:
-                                warning += 1
-                                print_differences_warning(filename, lineno,
-                                                          rule[0], rule_output,
-                                                          cmd)
-                            else:
-                                error += 1
-                                print_differences_error(filename, lineno,
-                                                        rule_output, cmd)
+
+                            warning += 1
+                            print_differences_warning(filename, lineno,
+                                                      rule[0], rule_output,
+                                                      cmd)
+
                             if not force_all_family_option:
                                 return [ret, warning, error, unit_tests]
 
-- 
1.7.10.4

[PATCH nft 4/5] tests: regression: any/ct: remove wrong output

[Pablo Neira Ayuso]

ct mark 0x32-0x45

displays:

ct mark >= 0x00000032 ct mark <= 0x00000045
                                 ^^^^^^^^^^
instead of ct mark <= 0x45000000
                      ^^^^^^^^^^

Remove the custom output so this displays a warning. nft should
(at some point) merge the two statements into one single to express
the range from the netlink_delinearize step.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 tests/regression/any/ct.t |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/regression/any/ct.t b/tests/regression/any/ct.t
index 09f72ed..bb26cb8 100644
--- a/tests/regression/any/ct.t
+++ b/tests/regression/any/ct.t
@@ -46,8 +46,8 @@ ct mark xor 0x3 != 0x1;ok;ct mark != 0x00000002
 
 ct mark 0x32;ok;ct mark 0x00000032
 ct mark != 0x32;ok;ct mark != 0x00000032
-ct mark 0x32-0x45;ok;ct mark >= 0x00000032 ct mark <= 0x45000000
-ct mark != 0x32-0x43;ok;ct mark < 0x00000032 ct mark > 0x43000000
+ct mark 0x32-0x45;ok
+ct mark != 0x32-0x43;ok
 ct mark {0x32, 0x2222, 0x42de3};ok;ct mark { 0x00042de3, 0x00002222, 0x00000032}
 - ct mark != {0x32, 0x2222, 0x42de3};ok
 
-- 
1.7.10.4

[PATCH nft 5/5] scanner: don't bug on too large values

[Pablo Neira Ayuso]

Add a new ERROR symbol to handle scanning of too large values.

 <cmdline>:1:36-99: Error: bad value '0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
 add rule ip test-ip4 input ct mark 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
instead of:

 BUG: nft: scanner.l:470: nft_lex: Assertion `0' failed.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/parser_bison.y |   15 ++++++++++++++-
 src/scanner.l      |   12 ++++++++----
 2 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/src/parser_bison.y b/src/parser_bison.y
index ad2951a..6c7a036 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -209,7 +209,8 @@ static void location_update(struct location *loc, struct location *rhs, int n)
 %token <val> NUM		"number"
 %token <string> STRING		"string"
 %token <string> QUOTED_STRING
-%destructor { xfree($$); }	STRING QUOTED_STRING
+%token <string> ERROR		"error"
+%destructor { xfree($$); }	STRING QUOTED_STRING ERROR
 
 %token LL_HDR			"ll"
 %token NETWORK_HDR		"nh"
@@ -465,6 +466,8 @@ static void location_update(struct location *loc, struct location *rhs, int n)
 %destructor { expr_free($$); }	list_expr
 %type <expr>			concat_expr map_lhs_expr
 %destructor { expr_free($$); }	concat_expr map_lhs_expr
+%type <expr>			error_expr
+%destructor { expr_free($$); }	error_expr
 
 %type <expr>			map_expr
 %destructor { expr_free($$); }	map_expr
@@ -1668,6 +1671,16 @@ expr			:	concat_expr
 			|	set_expr
 			|       map_expr
 			|	multiton_expr
+			|	error_expr
+			;
+
+error_expr		:	ERROR
+			{
+				$$ = NULL;
+				erec_queue(error(&@1, "bad value '%s'", $1),
+					   state->msgs);
+				YYERROR;
+			}
 			;
 
 set_expr		:	'{'	set_list_expr		'}'
diff --git a/src/scanner.l b/src/scanner.l
index f0ed8d4..8f14b0e 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -458,16 +458,20 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 {decstring}		{
 				errno = 0;
 				yylval->val = strtoull(yytext, NULL, 0);
-				if (errno != 0)
-					BUG();
+				if (errno != 0) {
+					yylval->string = xstrdup(yytext);
+					return ERROR;
+				}
 				return NUM;
 			}
 
 {hexstring}		{
 				errno = 0;
 				yylval->val = strtoull(yytext, NULL, 0);
-				if (errno != 0)
-					BUG();
+				if (errno != 0) {
+					yylval->string = xstrdup(yytext);
+					return ERROR;
+				}
 				return NUM;
 			}
 
-- 
1.7.10.4