| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
Add a function to remove expression from the rule list.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This function allows you to build the netlink attributes for
expressions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Add missing NFT_SOCKET_WILDCARD definition.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds NFTNL_CHAIN_USERDATA, in order to support userdata for chains.
Adds NFTNL_UDATA_CHAIN_COMMENT chain userdata type to support storing a
comment.
Relies on NFTA_CHAIN_USERDATA.
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds NFTNL_OBJ_USERDATA to support userdata for objects.
Also adds NFTNL_UDATA_OBJ_COMMENT to support comments for objects,
stored in userdata space.
Bumps libnftnl.map to 15 as nftnl_obj_get_data needs to be exported to
enable getting object attributes/data.
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch adds NFT_TABLE_USERDATA and NFTNL_UDATA_TABLE_COMMENT to
support for table comments.
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Was not exported so far due to a typo. While at it, add const qualifier
to element structure.
Will be used to optionally dump set contents / elements from nft
frontend.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
This field is used to store an optional comment of a set.
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Add missing support for "inet" family for a handful of examples where
applicable.
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This code is missing the batch netlink routines. There was another bug,
the set element key size was not correct.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
his patch allows you to refer to chains via the chain ID. The semantics
are similar to the NFTA_RULE_ID attribute.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
bump libmnl dependency too.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
The logic to build NFTA_FLOWTABLE_HOOK enforces the presence of the hook
number and priority to include the devices. Relax this to allow for
incremental device updates.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
==22778==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x7f3212406518 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9518)
#1 0x7f321041703e in nftnl_expr_alloc /home/pablo/devel/scm/git-netfilter/libnftnl/src/expr.c:37
#2 0x7f3211d51c16 in netlink_gen_limit_stmt /home/pablo/devel/scm/git-netfilter/nftables/src/netlink_linearize.c:859
#3 0x7f3211d5220c in netlink_gen_stmt_stateful /home/pablo/devel/scm/git-netfilter/nftables/src/netlink_linearize.c:891
#4 0x7f3211d58630 in netlink_gen_meter_stmt /home/pablo/devel/scm/git-netfilter/nftables/src/netlink_linearize.c:1441
[...]
SUMMARY: AddressSanitizer: 64 byte(s) leaked in 1 allocation(s).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
==4876==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 9 byte(s) in 1 object(s) allocated from:
#0 0x7f4e2c16b810 in strdup (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a810)
#1 0x7f4e2a39906f in nftnl_expr_objref_set expr/objref.c:45
#2 0x7f4e2a39906f in nftnl_expr_objref_set expr/objref.c:35
Direct leak of 16 byte(s) in 2 object(s) allocated from:
#0 0x7f4018aa0810 in strdup (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a810)
#1 0x7f4016b660af in nftnl_expr_objref_set expr/objref.c:53
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Use this field to specify that set element data specifies an interval.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Get header in sync with 5.7.0-rc.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This reverts commit 75b8778e5bf630a3fc13e5d76bc64838135f02a9. Kernel
support for this new feature might be reworked, keep this back.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Print combination of registers and flags.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This patch adds support for the NFTA_SET_EXPR netlink attribute.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Extend nftnl_set_elem_set() and nftnl_set_elem_nlmsg_build_payload() to
support for the NFTNL_SET_ELEM_EXPR attribute.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This patch adds support for chain flags.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
The kernel supports passing mask and xor values for bitwise boolean
operations via registers. These are mutually exclusive with the
existing data attributes: e.g., setting both NFTA_EXPR_BITWISE_MASK and
NFTA_EXPR_BITWISE_MREG is an error. Add support to libnftnl.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Pick up a couple of new bitwise netlink attributes.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
In one case, the boolean test was reporting the wrong mismatched
attribute.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
The original intention in eb58f53372e7 ("src: add flowtable support")
was to introduce this helper function. Add helper to set and to get
array of strings.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In {s,u}{32,64} type getters nftnl_assert() is called to make sure
returned data length matches expectations. Therefore all attributes must
set data_len, which NFTNL_CHAIN_DEVICES didn't.
While being at it, do the same change for NFTNL_FLOWTABLE_DEVICES as
well to make code a bit more consistent although the problem was fixed
for flowtables with commit f8eed54150fd4 ("flowtable: Fix for reading
garbage") already (but in the other direction).
Fixes: e3ac19b5ec162 ("chain: multi-device support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
| |
The new set element attribute maps to the netlink attribute
NFTA_SET_ELEM_KEY_END in the same way as NFTNL_SET_ELEM_KEY
maps to NFTA_SET_ELEM_KEY, and represents the key data used
to express the upper bound of a range, in concatenations.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If NFTNL_SET_DESC_CONCAT data is passed, pass that to the kernel
as NFTA_SET_DESC_CONCAT attributes: it describes the length of
single concatenated fields, in bytes.
Similarly, parse NFTA_SET_DESC_CONCAT attributes if received
from the kernel.
This is the libnftnl counterpart for nftables patch:
src: Add support for NFTNL_SET_DESC_CONCAT
v4:
- move NFTNL_SET_DESC_CONCAT to the end of enum nftnl_set_attr
to avoid ABI breakage (Pablo Neira Ayuso)
v3:
- use NFTNL_SET_DESC_CONCAT and NFTA_SET_DESC_CONCAT instead of a
stand-alone NFTA_SET_SUBKEY attribute (Pablo Neira Ayuso)
- pass field length in bytes instead of bits, fields would get
unnecessarily big otherwise
v2:
- fixed grammar in commit message
- removed copy of array bytes in nftnl_set_nlmsg_build_subkey_payload(),
we're simply passing values to htonl() (Phil Sutter)
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Get this header in sync with nf-next as of merge commit
b3a608222336 (5.6-rc1-ish).
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
The kernel supports bitwise shifts. Add support to libnftnl.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Add code to set and get the new op and data attributes. The existing
boolean bitwise expressions will only use the op attribute.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
The kernel UAPI header includes a couple of new bitwise netlink
attributes and an enum.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Move the code for printing boolean expressions into a separate function.
Another function will be added for shifts later.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Add ctags and etags tag files, and Emacs back-up files.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Almost everything in this header is unused. The command defines
used in utils.c don't seem to be justified and have just been
replaced by their strings
Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Cc: Martin Willi <martin@strongswan.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
This patch adds nftnl_udata_nest_start() and nftnl_udata_nest_end()
to build attribute nests.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
s/__cplusplusg/__cplusplus/
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1389
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Do not use unqualified setters to avoid the warnings. Pass a (false)
zero length value to nftnl_flowtable_set_data() when assigning to
NFTNL_FLOWTABLE_DEVICES as the length value is unused and not even
usable. Maybe one should introduce a dedicated
nftnl_flowtable_set_devices() at a later point.
Fixes: 7349a70634fa0 ("Deprecate untyped data setters")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
If realloc() fails, it returns NULL but the original pointer is
untouchted and therefore still has to be freed. Unconditionally
overwriting the old pointer is therefore a bad idea, use a temporary
variable instead.
Fixes: e3ac19b5ec162 ("chain: multi-device support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
If realloc() fails, it returns NULL but the original pointer is
untouchted and therefore still has to be freed. Unconditionally
overwriting the old pointer is therefore a bad idea, use a temporary
variable instead.
Fixes: 7f99639dd9217 ("flowtable: device array dynamic allocation")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
In error case, dev_array is not freed when it should.
Fixes: e3ac19b5ec162 ("chain: multi-device support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
In error case, allocated dev_array is not freed.
Fixes: 7f99639dd9217 ("flowtable: device array dynamic allocation")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Marshalling code around that attribute has been dropped by commit
d1c4b98c733a5 ("flowtable: remove NFTA_FLOWTABLE_SIZE") so it's value is
lost during the test.
Assuming that NFTNL_FLOWTABLE_SIZE will receive kernel support at a
later point, leave the test code in place but just comment it out.
Fixes: d1c4b98c733a5 ("flowtable: remove NFTA_FLOWTABLE_SIZE")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|