| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
And pass up an error to the caller.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
So the client can bail out of memory allocation errors. Or in case of
daemon, make sure things are left in consistent state before bailing
out.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If this attribute is not supported by the library, we should rise an
assertion so the client knows something is wrong, instead of silently
going through.
The only case I can think may hit this problem is version mismatch
between library and tools. This should not ever really happen, so better
bail out from the library itself in this case.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Fix leak of NFTNL_*_USERDATA from unset() functions.
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Use NFTNL_EXPR_PAYLOAD_SREG instead.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Convert this example not to use the deprecated aliases anymore.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bump Current and Age accordingly, given that we got new interfaces.
This git repository shows these changes in the map file since previous
release:
$ git diff libnftnl-1.0.5..HEAD src/libnftnl.map
--- a/src/libnftnl.map
+++ b/src/libnftnl.map
@@ -498,3 +498,33 @@ global:
local: *;
};
+
+LIBNFTNL_4.1 {
+ nftnl_trace_alloc;
+ nftnl_trace_free;
+
+ nftnl_trace_is_set;
+
+ nftnl_trace_get_u16;
+ nftnl_trace_get_u32;
+ nftnl_trace_get_u64;
+ nftnl_trace_get_str;
+ nftnl_trace_get_data;
+
+ nftnl_trace_nlmsg_parse;
+
+ nftnl_udata_buf_alloc;
+ nftnl_udata_buf_free;
+ nftnl_udata_buf_len;
+ nftnl_udata_buf_data;
+ nftnl_udata_buf_put;
+ nftnl_udata_start;
+ nftnl_udata_end;
+ nftnl_udata_put;
+ nftnl_udata_put_strz;
+ nftnl_udata_type;
+ nftnl_udata_len;
+ nftnl_udata_get;
+ nftnl_udata_next;
+ nftnl_udata_parse;
+} LIBNFTNL_4;
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
All attributes are passed by copy, so user data should be copied too.
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
User data must be freed.
How to reproduce:
> nft add table t
> nft add set t s {type ipv4_addr\;}
> valgrind nft add element t s {1.1.1.1}
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
If the user allocates a nftnl_udata_buf and then passes the TLV data to
nftnl_rule_set_data, the pointer stored in rule.user.data is not the
begining of the allocated block. In this situation, if it calls to
nftnl_rule_free, it tries to free this pointer and segfault is thrown.
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
If a whole directory was ignored, files inside it will not be checked.
Fixes: f3d37ef ("libnftnl: Add to .gitignore all auto-generated files")
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Refresh the cached header file.
This includes a small fix to avoid this compilation warning after
refreshing the header:
trace.c: In function 'nftnl_trace_parse_attr_cb':
trace.c:87:2: warning: enumeration value 'NFTA_TRACE_PAD' not handled in switch [-Wswitch]
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
It ignores files inside test/ and examples/ except all c code (*.c)
and the Makefile.am.
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
These functions don't modify the chain object.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
They are not used out of the scope of the C file where they are defined,
so we can statify them.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
These functions are passed as parameter, so we basically get nothing
with this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
flow table support needs constant object arguments to printing functions
to avoid ugly casts. While at it, also constify object arguments to message
construction, destructor and a few helper functions.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Unfortunately libnftnl restricts the set names in the lookup and dynset
expressions to 16 bytes. Remove this restriction so this can work with
the upcoming 4.7 Linux kernel.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Tell the kernel to load the necessary modules by adding
the NLM_F_CREATE flag.
Signed-off-by: Daniel Wagner <daniel.wagner@bmw-carit.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Reported by Debian's lintian tool.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
Fix leaks in nftnl_rule_free() and nftnl_rule_set_data().
Reported-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Tests are more effective if different values are set so, use different
values for every expression.
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Modify nft-rule-test.c to check TLV attribute inclusion in nftnl_rule.
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These functions allow to create a buffer (struct nftnl_udata_buf) of
user data attributes in TLV format (struct nftnl_udata). It is inspired
by libmnl/src/attr.c. It can be used to store several TLVs sequentially
into an object.
Example:
struct nftnl_udata_buf *buf;
struct nftnl_udata *attr;
const char *str = "Hello World!";
buf = nftnl_udata_buf_alloc(UDATA_SIZE);
if (!buf) {
perror("OOM");
exit(EXIT_FAILURE);
}
if (!nftnl_udata_put_strz(buf, MY_TYPE, str)) {
perror("Can't put attribute \"%s\"", str);
exit(EXIT_FAILURE);
}
nftnl_udata_for_each(buf, attr)
printf("%s\n", (char *)nftnl_udata_attr_value(attr));
nftnl_udata_buf_free(buf);
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
| |
Fix duplicated and incorrect assignments.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
| |
Complete masquerading support by allowing port range selection.
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Add forward expression for the netdev family.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch adds the limit flags, the first client of this is the
inversion flag that allows us to match overlimit.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
parses trace monitor netlink messages from the kernel and builds
nftnl_trace struct that contains the dissected information.
Provides getters to access these attributes.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
| |
Future symbols don't need backwards-compat aliases.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
When we lookup the family, return "netdev" for NFPROTO_NETDEV instead of
"unknown".
Signed-off-by: Vijay Subramanian <subramanian.vijay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Reported by valgrind:
[...]
==14065== Process terminating with default action of signal 11 (SIGSEGV)
==14065== Access not within mapped region at address 0x0
==14065== at 0x4C2C022: strlen (vg_replace_strmem.c:454)
==14065== by 0x4E41A93: nftnl_chain_set_str (chain.c:259)
==14065== by 0x4E427F7: nftnl_mxml_chain_parse (chain.c:770)
==14065== by 0x4E48F96: nftnl_ruleset_parse_chains (ruleset.c:314)
==14065== by 0x4E4959A: nftnl_ruleset_xml_parse_ruleset (ruleset.c:625)
==14065== by 0x4E4959A: nftnl_ruleset_xml_parse_cmd (ruleset.c:668)
==14065== by 0x4E4959A: nftnl_ruleset_xml_parse (ruleset.c:706)
==14065== by 0x4E4959A: nftnl_ruleset_do_parse (ruleset.c:734)
==14065== by 0x4013C9: test_xml (nft-parsing-test.c:166)
==14065== by 0x4016F4: execute_test (nft-parsing-test.c:214)
==14065== by 0x400EBA: main (nft-parsing-test.c:330)
[...]
While at it, fix a bit the coding style.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
examples/nft-table-upd does not work currently since NFT_MSG_NEWTABLE
needs to use batching mode of netlink message delivery.
This patch adds batching to nft-table-upd example.
While here, also add support for netdev family.
Signed-off-by: Vijay Subramanian <subramanian.vijay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Fix missing/incorrect variables.
Also remove unsed variables to avoid warnings.
Signed-off-by: Vijay Subramanian <subramanian.vijay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Commit libnftnl-1.0.3-31-g5ea54b2 removed a symbol. Such requires a
bumped to n+1:0:0. The symbol groups can be merged again to save time
processing them as the groups are relative to a particular SONAME
(of which we have a new one).
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
The function names are already large, trim off the _ATTR_ infix in the
attribute definitions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
The constant names are already large, trim off the _ATTR_ infix in the
attribute definitions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
So we get a shorter constant definition for expression attributes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Use a shorter name for this, morever this can be used from sets so the _rule_
is misleading.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
