This commit adds integration tests to the nftables package to verify
that the Go code correctly programs nftables rules. The tests use
external nftables scripts to define the expected state and compare
it with the state produced by the Go code.
Change-Id: I9c8439ee462b4882b221e6244f53379b822446dc
Signed-off-by: Antonio Ojea <aojea@google.com>
Turns out we cannot make github.com/google/nftables/binaryutil
forward to encoding/binary because it’s not an API-compatible
drop-in replacement: The PutUint* methods allocate in our API,
but do not allocate in encoding/binary.
* fix: resolve deadlock in `Flush` function when handling ENOBUFS error
* Simulate deadlock issue using reduced read/write buffers to verify the fix and ensure no regressions
Note that this will fix support for single expressions on older kernels but multiple expressions on older kernels will remain unsupported as NFT_DYNSET_F_EXPR flag should not be omitted for dynsets with multiple expressions.
* Refactored obj.go to a more generic approach
* Added object support for already implemented expressions
* Added test for limit object
fixes https://github.com/google/nftables/issues/253
`Conn.AddTable` use netlink.Create which will not emit an error
if the table we want to create already existed,
just like the `nft add table ...` command works.
The caller should use netlink.Excl to
get an EEXIST error for that already existed,
So I add another method `Conn.CreateTable`
which works just like `nft create table ...` command.
Related: #245
Signed-off-by: black-desk <me@black-desk.cn>
Related: #242
After 7879d7ecf6, it seems that
any multi-message operation performed without CAP_SYS_ADMIN will
leads to forever block inside nftables.Conn.Flush.
For example:
```go
package main
import "github.com/google/nftables"
func main() {
conn, err := nftables.New()
if err != nil {
panic(err)
}
t := conn.AddTable(&nftables.Table{})
err = conn.AddSet(&nftables.Set{Table: t}, []nftables.SetElement{})
if err != nil {
panic(err)
}
conn.AddSet(&nftables.Set{Table: t}, []nftables.SetElement{})
if err != nil {
panic(err)
}
err = conn.Flush()
if err != nil {
panic(err)
}
return
}
```
That's because that although we send multiple messages on netlink
socket, kernel will only sends one permission error message as reply.
Signed-off-by: black-desk <me@black-desk.cn>
When you flush multiple messages/ops on a connection, and if flush fails
to apply, the netlink connection returns errors per command. Since we
are returning on noticing the first error, the rest of the errors are
buffered and leaks into the result of next flush.
This pull request invokes `conn.Receive()` * number of messages to drain
any buffered errors in the connection.
Fix the marshall of the hash seed to be conditional, only if it is
explicitly set, we need to add it to the kernel as stated on the
libnftl and nftables projects.
Refence: https://git.netfilter.org/nftables/tree/src/netlink_linearize.c?id=25e7b99cc450490c38becb03d8bddd0199cfd3f9#n174
Otherwise, having a hash expression similar to this:
```
ip daddr set jhash tcp sport mod 2 seed 0x0 map { 0 : 192.168.0.1, 1 : 192.168.2.2 }
```
end up setting only the first IP and ignoring the second one.
Signed-off-by: Rafael Campos <methril@gmail.com>
turekt
Antonio Ojea
shiningw
dependabot[bot]
Michael Stapelberg
patryk4815
patryk4815
_|+
Asutorufa
Aleksei Ilin
TheDiveO
Daniel Mack
Lionel Jouin
Francesco Cheinasso
singchia
black-desk
Ronak Jain
Lars Lehtonen
Rafael Campos Las Heras
Rafael Campos
Ronak Jain