path: root/iptables/nft-ruleparse.c
Commit message | Author | Age | Files | Lines
* nft: ruleparse: Add missing braces around ternary | Phil Sutter | 2024-02-01 | 1 file | -1/+1
    The expression evaluated the sum before the ternary, consequently not adding target->size if tgsize was zero.

    Identified by ASAN for a simple rule using standard target:

    | # ebtables -A INPUT -s de:ad:be:ef:0:00 -j RETURN
    | # ebtables -D INPUT -s de:ad:be:ef:0:00 -j RETURN
    | =================================================================
    | ==18925==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000120 at pc 0x7f627a4c75c5 bp 0x7ffe882b5180 sp 0x7ffe882b4928
    | READ of size 8 at 0x603000000120 thread T0
    | [...]

    Fixes: 2a6eee89083c8 ("nft-ruleparse: Introduce nft_create_target()")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
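An added example, not code from the iptables tree, reconstructing the precedence problem the commit message describes. The shape of the expression (an aligned header size plus a GNU `?:` fallback from tgsize to target->size), the stand-in struct layouts and the sample sizes are assumptions; only the C rule that `+` binds tighter than the conditional operator is certain. `overrun_bytes` shows what a caller that then fills the target with the intended payload size would write past an allocation made with the buggy size.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example (not iptables code): stand-in types sized like a fixed
 * target header followed by a variable-length extension payload. */
#define XT_ALIGN(s) (((s) + 7u) & ~7u)          /* 8-byte alignment */

struct entry_target_hdr { uint16_t size; char name[29]; uint8_t revision; }; /* 32 bytes */
struct target_ext { size_t size; };              /* assumed: payload bytes of the extension */

#define HDR_SIZE XT_ALIGN(sizeof(struct entry_target_hdr))   /* 32 */

/* Constructed sample extension whose payload is 8 bytes. */
static const struct target_ext sample_target = { .size = 8 };

/* Buggy shape (assumed from the commit description). '+' binds tighter than
 * the conditional, so the condition is (HDR_SIZE + tgsize), which is never 0,
 * and the whole expression collapses to that sum: target->size is never added
 * when tgsize is 0. 'a ?: b' is the GNU short form of 'a ? a : b'. */
size_t target_size_buggy(size_t tgsize, const struct target_ext *target)
{
    return HDR_SIZE + tgsize ?: target->size;
}

/* Fixed shape: the parentheses make the fallback apply to tgsize alone. */
size_t target_size_fixed(size_t tgsize, const struct target_ext *target)
{
    return HDR_SIZE + (tgsize ?: target->size);
}

/* Bytes a caller writes when it initialises the target: the header plus the
 * payload size it actually intended (tgsize, or target->size when tgsize is 0).
 * A positive result is the number of bytes written past the end of a buffer
 * of 'alloc' bytes, i.e. the heap-buffer-overflow ASAN reports. */
long overrun_bytes(size_t alloc, size_t tgsize, const struct target_ext *target)
{
    size_t needed = HDR_SIZE + (tgsize ? tgsize : target->size);
    return (long)needed - (long)alloc;
}
```

With tgsize set (a target carrying its own payload size) both forms agree; the difference appears only for the standard target, where tgsize is 0 and the allocation is short by exactly target->size bytes.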
* nft: Leave interface masks alone when parsing from kernel | Phil Sutter | 2023-11-29 | 1 file | -25/+8
    The mask is entirely unused by nft-variants in general and legacy ones when printing. It is relevant only when inserting a legacy rule into kernel as it doesn't detect the '+'-suffix.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
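An added example, not libxtables or kernel code, recreating why the interface mask only matters on the legacy path: the legacy parser strips the '+' and encodes the wildcard as a byte mask, and the kernel-side comparison checks `(rule_name XOR dev_name) AND mask` byte by byte without ever looking for a '+'. The function names, the `ifspec` struct and the sample names are constructed for this example; the encoding rule (0xff over the prefix for a wildcard, 0xff over the name plus its NUL terminator for an exact match) is the legacy iptables behaviour the message refers to.

```c
#include <stddef.h>
#include <string.h>

#define IFNAMSIZ 16   /* Linux interface name buffer size */

/* Legacy-style interface spec (added example): name plus byte mask. */
struct ifspec {
    char name[IFNAMSIZ];
    unsigned char mask[IFNAMSIZ];
};

/* Encode 'spec' the way a legacy rule carries it to the kernel.
 * Returns 0 on success, -1 if the spec is empty or does not fit. */
int legacy_parse_interface(const char *spec, struct ifspec *out)
{
    size_t len = strlen(spec);

    memset(out, 0, sizeof(*out));
    if (len == 0 || len >= IFNAMSIZ)
        return -1;
    memcpy(out->name, spec, len);
    if (spec[len - 1] == '+') {
        /* Wildcard: match the prefix before '+', ignore everything after it.
         * A bare "+" therefore yields an empty name and an all-zero mask. */
        out->name[len - 1] = '\0';
        memset(out->mask, 0xff, len - 1);
    } else {
        /* Exact match: cover the name and its NUL terminator, so "eth0"
         * does not match "eth01". */
        memset(out->mask, 0xff, len + 1);
    }
    return 0;
}

/* Kernel-style comparison: matches when every masked byte is equal.
 * No '+' handling here, which is why the mask has to be right. */
int legacy_ifname_match(const struct ifspec *rule, const char *dev)
{
    char devbuf[IFNAMSIZ] = {0};
    unsigned acc = 0;
    size_t i;

    strncpy(devbuf, dev, IFNAMSIZ - 1);
    for (i = 0; i < IFNAMSIZ; i++)
        acc |= (unsigned char)(rule->name[i] ^ devbuf[i]) & rule->mask[i];
    return acc == 0;
}

/* Number of mask bytes set for 'spec': 3 for "eth+", 5 for "eth0".
 * Returns -1 if the spec is invalid. */
int demo_mask_len(const char *spec)
{
    struct ifspec rule;
    int n = 0;
    size_t i;

    if (legacy_parse_interface(spec, &rule) < 0)
        return -1;
    for (i = 0; i < IFNAMSIZ; i++)
        n += rule.mask[i] == 0xff;
    return n;
}

/* Parse 'spec' and test it against device name 'dev' in one call.
 * Returns 1 on match, 0 on no match, -1 if the spec is invalid. */
int demo_match(const char *spec, const char *dev)
{
    struct ifspec rule;

    if (legacy_parse_interface(spec, &rule) < 0)
        return -1;
    return legacy_ifname_match(&rule, dev);
}
```

The nft variants never send this mask: a wildcard becomes a prefix comparison in the nft rule itself, so when reading a rule back from the kernel there is nothing to reconstruct, which is what the change above relies on.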
* nft-ruleparse: parse meta mark set as MARK target | Florian Westphal | 2023-08-10 | 1 file | -12/+28
    Mixing nftables and iptables-nft in the same table doesn't work, but some people do this.

    v1.8.8 ignored rules it could not represent in iptables syntax, v1.8.9 bails in this case.

    Add parsing of meta mark expressions so iptables-nft can render them as -j MARK rules.

    This is flawed, nft has features that have no corresponding syntax in iptables, but we can't undo this.

    Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1659
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft-ruleparse: Introduce nft_create_target() | Phil Sutter | 2023-08-10 | 1 file | -78/+48
    Like nft_create_match(), this is a small wrapper around the typical target extension lookup and (standard) init code. To use it from nft_parse_target() and nft_parse_log(), introduce an inner variant which accepts the target payload size as parameter.

    The call to rule_parse_ops::target callback was problematic with standard target, because the callbacks initialized iptables_command_state::jumpto with the target name, "standard" in that case. Perform its tasks in nft_create_target(), keep it only for bridge family's special handling of watcher "targets".

    Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Extract rule parsing callbacks from nft_family_ops | Phil Sutter | 2023-05-03 | 1 file | -12/+12
    Introduce struct nft_ruleparse_ops holding the family-specific expression parsers and integrate it into nft_family_ops for now.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
* nft: Introduce nft-ruleparse.{c,h} | Phil Sutter | 2023-05-03 | 1 file | -0/+1208
    Extract all code dealing with parsing from struct nftnl_rule into struct iptables_command_state from nft-shared.c into a separate source file. Basically this is nft_rule_to_iptables_command_state() and the functions it calls, plus family-independent parsers called from family-specific callbacks.

    Signed-off-by: Phil Sutter <phil@nwl.cc>