google / nftables

This repository contains a Go module to interact with Linux nftables (the iptables successor).
Apache License 2.0

bug: GetRule and log prefix rule is not being parsed #115

Closed greenpau closed 2 years ago

greenpau commented 4 years ago

It appears that log prefix rules are not being parsed by GetRule()

table ip filter { # handle 443
        chain forward { # handle 1
                type filter hook forward priority filter; policy drop;
                oifname "cni-podman0" ip daddr 10.88.0.7 tcp dport 80 counter packets 0 bytes 0 accept # handle 4
                log prefix "ip4 forward drop: " # handle 2
                counter packets 0 bytes 0 drop # handle 3
        }
}

The following output represents the dump of the above rules.

Issue: notice the Exprs: ([]expr.Any) <nil> as it relates to the log prefix rule.

                oifname "cni-podman0" ip daddr 10.88.0.7 tcp dport 80 counter packets 0 bytes 0 accept # handle 4

is:

(*nftables.Rule)(0xc000267900)({
 Table: (*nftables.Table)(0xc00034a2e0)({
  Name: (string) (len=6) "filter",
  Use: (uint32) 0,
  Flags: (uint32) 0,
  Family: (nftables.TableFamily) 0
 }),
 Chain: (*nftables.Chain)(0xc00032bf80)({
  Name: (string) (len=7) "forward",
  Table: (*nftables.Table)(<nil>),
  Hooknum: (nftables.ChainHook) 0,
  Priority: (nftables.ChainPriority) 0,
  Type: (nftables.ChainType) "",
  Policy: (*nftables.ChainPolicy)(<nil>)
 }),
 Position: (uint64) 0,
 Handle: (uint64) 4,
 Exprs: ([]expr.Any) (len=10 cap=16) {
  (*expr.Meta)(0xc000307b90)({
   Key: (expr.MetaKey) 7,
   SourceRegister: (bool) false,
   Register: (uint32) 1
  }),
  (*expr.Cmp)(0xc00034a3e0)({
   Op: (expr.CmpOp) 0,
   Register: (uint32) 1,
   Data: ([]uint8) (len=16 cap=16) {
    00000000  63 6e 69 2d 70 6f 64 6d  61 6e 30 00 00 00 00 00  |cni-podman0.....|
   }
  }),
  (*expr.Payload)(0xc00034e060)({
   OperationType: (expr.PayloadOperationType) 0,
   DestRegister: (uint32) 1,
   SourceRegister: (uint32) 0,
   Base: (expr.PayloadBase) 1,
   Offset: (uint32) 16,
   Len: (uint32) 4,
   CsumType: (expr.PayloadCsumType) 0,
   CsumOffset: (uint32) 0,
   CsumFlags: (uint32) 0
  }),
  (*expr.Cmp)(0xc00034a500)({
   Op: (expr.CmpOp) 0,
   Register: (uint32) 1,
   Data: ([]uint8) (len=4 cap=4) {
    00000000  0a 58 00 07                                       |.X..|
   }
  }),
  (*expr.Meta)(0xc000307c20)({
   Key: (expr.MetaKey) 16,
   SourceRegister: (bool) false,
   Register: (uint32) 1
  }),
  (*expr.Cmp)(0xc00034a600)({
   Op: (expr.CmpOp) 0,
   Register: (uint32) 1,
   Data: ([]uint8) (len=1 cap=1) {
    00000000  06                                                |.|
   }
  }),
  (*expr.Payload)(0xc00034e090)({
   OperationType: (expr.PayloadOperationType) 0,
   DestRegister: (uint32) 1,
   SourceRegister: (uint32) 0,
   Base: (expr.PayloadBase) 2,
   Offset: (uint32) 2,
   Len: (uint32) 2,
   CsumType: (expr.PayloadCsumType) 0,
   CsumOffset: (uint32) 0,
   CsumFlags: (uint32) 0
  }),
  (*expr.Cmp)(0xc00034a700)({
   Op: (expr.CmpOp) 0,
   Register: (uint32) 1,
   Data: ([]uint8) (len=2 cap=2) {
    00000000  00 50                                             |.P|
   }
  }),
  (*expr.Counter)(0xc000307cb0)({
   Bytes: (uint64) 0,
   Packets: (uint64) 0
  }),
  (*expr.Verdict)(0xc00034a860)({
   Kind: (expr.VerdictKind) 1,
   Chain: (string) ""
  })
 },
 UserData: ([]uint8) <nil>
}),

Next:

                log prefix "ip4 forward drop: " # handle 2

is:

(*nftables.Rule)(0xc000267950)({
 Table: (*nftables.Table)(0xc00034a900)({
  Name: (string) (len=6) "filter",
  Use: (uint32) 0,
  Flags: (uint32) 0,
  Family: (nftables.TableFamily) 0
 }),
 Chain: (*nftables.Chain)(0xc000350d00)({
  Name: (string) (len=7) "forward",
  Table: (*nftables.Table)(<nil>),
  Hooknum: (nftables.ChainHook) 0,
  Priority: (nftables.ChainPriority) 0,
  Type: (nftables.ChainType) "",
  Policy: (*nftables.ChainPolicy)(<nil>)
 }),
 Position: (uint64) 4,
 Handle: (uint64) 2,
 Exprs: ([]expr.Any) <nil>,
 UserData: ([]uint8) <nil>
}),

Next:

                log prefix "ip4 forward drop: " # handle 2

is:

(*nftables.Rule)(0xc0002679a0)({
 Table: (*nftables.Table)(0xc00034a9e0)({
  Name: (string) (len=6) "filter",
  Use: (uint32) 0,
  Flags: (uint32) 0,
  Family: (nftables.TableFamily) 0
 }),
 Chain: (*nftables.Chain)(0xc000350e80)({
  Name: (string) (len=7) "forward",
  Table: (*nftables.Table)(<nil>),
  Hooknum: (nftables.ChainHook) 0,
  Priority: (nftables.ChainPriority) 0,
  Type: (nftables.ChainType) "",
  Policy: (*nftables.ChainPolicy)(<nil>)
 }),
 Position: (uint64) 2,
 Handle: (uint64) 3,
 Exprs: ([]expr.Any) (len=2 cap=2) {
  (*expr.Counter)(0xc000307dd0)({
   Bytes: (uint64) 0,
   Packets: (uint64) 0
  }),
  (*expr.Verdict)(0xc00034ab40)({
   Kind: (expr.VerdictKind) 0,
   Chain: (string) ""
  })
 },
 UserData: ([]uint8) <nil>
})
}

stapelberg commented 4 years ago

Maybe the existing expr.Log just needs to be added to this switch statement? https://github.com/google/nftables/blob/c25e4f69b4251e2e4175e5407a4ced5682099453/rule.go#L224-L230

Can you try and send a PR if so please?
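A simplified model of the dispatch stapelberg points at, added here as example code that is not google/nftables' own rule.go: the library decodes netlink attributes, while this model takes already-split (name, payload) pairs with a constructed payload layout. It shows why a rule made only of a log expression comes back with nil Exprs when the switch has no "log" case, and it returns the names it skipped so a consumer auditing a ruleset can tell an empty rule apart from one it could not decode.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// rawExpr stands in for one netlink expression element: its kernel name plus an
// attribute payload. The payload layout is constructed for this example only.
type rawExpr struct {
	Name string
	Data []byte
}

type Counter struct{ Packets, Bytes uint64 }
type Log struct{ Prefix string }

// decodeExprs mirrors the name switch in the library's rule decoder. With
// knowLog=false it reproduces the report: "log" matches no case, the element is
// skipped, and a rule made only of a log expression decodes to a nil slice.
// With knowLog=true the missing case is present. Skipped names are returned so
// a caller can tell "empty rule" apart from "rule we could not decode".
func decodeExprs(raw []rawExpr, knowLog bool) (exprs []interface{}, skipped []string) {
	for _, r := range raw {
		var e interface{}
		switch r.Name {
		case "counter":
			e = Counter{Packets: binary.BigEndian.Uint64(r.Data[:8]), Bytes: binary.BigEndian.Uint64(r.Data[8:16])}
		case "log":
			if knowLog { // the case this issue asks to add
				e = Log{Prefix: string(bytes.TrimRight(r.Data, "\x00"))}
			}
		}
		if e == nil {
			skipped = append(skipped, r.Name) // dropped without any signal in the original
			continue
		}
		exprs = append(exprs, e)
	}
	return exprs, skipped
}

// logRule is the constructed counterpart of `log prefix "ip4 forward drop: "`.
var logRule = []rawExpr{{Name: "log", Data: []byte("ip4 forward drop: \x00")}}

func main() {
	for _, fixed := range []bool{false, true} {
		exprs, skipped := decodeExprs(logRule, fixed)
		fmt.Printf("log case present=%v exprs=%v skipped=%v\n", fixed, exprs, skipped)
	}
}
```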

greenpau commented 4 years ago

> Can you try and send a PR if so please?

@stapelberg , sure, will do it next week!

greenpau commented 3 years ago

@stapelberg , did not forget about this. Got super busy with something else. Will come back to this soon.