summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* expr: no need to nul-terminate buffer from expression ->snprintf indirectionPablo Neira Ayuso2017-10-0429-87/+0
| | | | | | | ->snprintf() is always called via nftnl_expr_snprintf() wrapper, which is already dealing with this corner case for us. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* buffer: use nftnl_expr_snprintf() from nftnl_buf_expr()Pablo Neira Ayuso2017-10-041-2/+3
| | | | | | | | This helper function deals with no ->snprintf() indirection in expression and safe buffer nul-termination, use it. Fixes: 059b9bf6fb31 ("src: Use nftnl_buf to export XML/JSON rules") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Buffer is null terminated.Varsha Rao2017-09-2744-3/+182
| | | | | | | In _snprintf() functions definition the buffer is null terminated. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Change parameters of SNPRINTF_BUFFER_SIZE macro.Varsha Rao2017-09-2728-389/+403
| | | | | | | | | SNPRINTF_BUFFER_SIZE() macro declaration and definition is changed so that it accepts three arguments ret, remain and offset. Parameters size and len are not required instead parameter remain keeps track of available space in the buffer. Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
* chain: Don't print unset policy value in netlink debugPhil Sutter2017-09-081-5/+13
| | | | | | | | The policy field was printed unconditionally, but if it wasn't set the default value 0 was printed as 'policy drop' which is not correct. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: Fix memory leaks detected by ValgrindShyam Saini2017-09-043-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ==11688== HEAP SUMMARY: ==11688== in use at exit: 40 bytes in 1 blocks ==11688== total heap usage: 7 allocs, 6 frees, 220 bytes allocated ==11688== ==11688== 40 bytes in 1 blocks are definitely lost in loss record 1 of 1 ==11688== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==11688== by 0x5068955: mnl_nlmsg_batch_start (nlmsg.c:441) ==11688== by 0x40133B: main (nft-chain-add.c:103) ==11688== ==11688== LEAK SUMMARY: ==11688== definitely lost: 40 bytes in 1 blocks ==11688== indirectly lost: 0 bytes in 0 blocks ==11688== possibly lost: 0 bytes in 0 blocks ==11688== still reachable: 0 bytes in 0 blocks ==11688== suppressed: 0 bytes in 0 blocks ==11831== HEAP SUMMARY: ==11831== in use at exit: 40 bytes in 1 blocks ==11831== total heap usage: 7 allocs, 6 frees, 220 bytes allocated ==11831== ==11831== 40 bytes in 1 blocks are definitely lost in loss record 1 of 1 ==11831== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==11831== by 0x5068955: mnl_nlmsg_batch_start (nlmsg.c:441) ==11831== by 0x401154: main (nft-chain-del.c:79) ==11831== ==11831== LEAK SUMMARY: ==11831== definitely lost: 40 bytes in 1 blocks ==11831== indirectly lost: 0 bytes in 0 blocks ==11831== possibly lost: 0 bytes in 0 blocks ==11831== still reachable: 0 bytes in 0 blocks ==11831== suppressed: 0 bytes in 0 blocks Signed-off-by: Shyam Saini <mayhs11saini@gmail.com> Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: limit stateful object supportPablo M. Bermudo Garay2017-09-046-2/+259
| | | | | | | This patch adds support for a new type of stateful object: limit. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rt: tcpmss get supportFlorian Westphal2017-08-212-1/+3
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: tcp option set supportFlorian Westphal2017-08-213-6/+38
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: free user dataEric Leblond2017-07-061-0/+2
| | | | | | | | | | | | This was causing a memory leak when using set. Catched by an ASAN run: ==21004==ERROR: LeakSanitizer: detected memory leaks Direct leak of 12 byte(s) in 2 object(s) allocated from: #0 0x4cde58 in malloc (/usr/local/sbin/nft+0x4cde58) #1 0x7ffff79b8c19 in nftnl_set_set_data /home/eric/git/netfilter/libnftnl/src/set.c:179
* ct: rename eventmask to eventFlorian Westphal2017-06-071-1/+1
| | | | | | Pablo suggested this for consistency; ct status isn't named statusmask either. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: ct eventmask supportFlorian Westphal2017-03-162-1/+4
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: ct helper supportFlorian Westphal2017-03-166-2/+236
| | | | | | | | add support for ct helper objects, these are used to assign helpers to connections, similar to iptables -j CT --set-helper target. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* object: extend set/get api for u8/u16 typesFlorian Westphal2017-03-163-0/+34
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: exthdr: Display NFT_EXTHDR_F_PRESENT in debug outputPhil Sutter2017-03-131-2/+4
| | | | | | | This allows to assert it in testsuite also. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* fib: Add support for NFTA_FIB_F_PRESENT flagPhil Sutter2017-03-132-2/+7
| | | | | | | Reflect existence of flag in debug output so testsuite can check for it. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* udata: add nftnl_udata_put_u32() and nftnl_udata_get_u32()Pablo Neira Ayuso2017-03-063-0/+20
| | | | | | | Add new helper function to put and to fetch tlv that comes with u32 payload. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: hash: support of symmetric hashLaura Garcia Liebana2017-03-064-6/+58
| | | | | | | | | | | | | | | | | | | | | This patch provides symmetric hash support according to source ip address and port, and destination ip address and port. The new attribute NFTA_HASH_TYPE has been included to support different types of hashing functions. Currently supported NFT_HASH_JENKINS through jhash and NFT_HASH_SYM through symhash. The main difference between both types are: - jhash requires an expression with sreg, symhash doesn't. - symhash supports modulus and offset, but not seed. Examples: nft add rule ip nat prerouting ct mark set jhash ip saddr mod 2 nft add rule ip nat prerouting ct mark set symhash mod 2 Signed-off-by: Laura Garcia Liebana <laura.garcia@zevenet.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Use nftnl_buf to export XML/JSON rulesElise Lennion2017-03-033-75/+86
| | | | | | | | | | This completes the use of nftnl_buf and its auxiliary functions to export XML/JSON rules. Highly based on work from Shivani Bhardwaj <shivanib134@gmail.com>. Signed-off-by: Elise Lennion <elise.lennion@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* object: fix crash when object ops is nullFlorian Westphal2017-02-271-1/+2
| | | | | | | | | when debugging nft with invalid object type (during development), this will crash here with null deref. Print (unknown) instead if obj->ops is null. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* object: don't set NFTNL_OBJ_TYPE unless obj->ops is non-nullFlorian Westphal2017-02-271-1/+4
| | | | | | | | | If nft sets an invalid type, nftnl_obj_ops_lookup will return NULL. In this case we must not set NFTNL_OBJ_TYPE flag, else we later get crash in nftnl_obj_nlmsg_build_payload as it dereferences obj->ops. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: remove unused variable uval8Alexander Alemayhu2017-02-231-1/+0
| | | | | | | | | | | | | Was added but not used in d7b451fe1a45 (src: add TCP option matching requirements, 2017-02-07). Fixes the following warning: expr/exthdr.c: In function ‘nftnl_expr_exthdr_json_parse’: expr/exthdr.c:244:10: warning: unused variable ‘uval8’ [-Wunused-variable] uint8_t uval8; ^~~~~ Signed-off-by: Alexander Alemayhu <alexander@alemayhu.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: ct: add zone supportFlorian Westphal2017-02-191-1/+2
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: add NFTA_RULE_ID attributePablo Neira Ayuso2017-02-162-1/+38
| | | | | | This patch adds the new NFTA_RULE_ID attribute. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* common: return nlmsghdr in nftnl_batch_{begin,end}()Pablo Neira Ayuso2017-02-162-8/+8
| | | | | | Useful to append netlink attributes after the batch headers. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* common: get rid of nftnl_batch_build_hdr()Pablo Neira Ayuso2017-02-162-25/+20
| | | | | | | Add __nftnl_nlmsg_build_hdr() so nftnl_batch_build_hdr() and nftnl_nlmsg_build_hdr() share the same code. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: Add missing exthdr flags casesPhil Sutter2017-02-161-0/+4
| | | | | | | | | Looks like some chunks went by the board while merging with exthdr->op patch. Fixes: 4196376330468 ("exthdr: Add support for exthdr flags") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* exthdr: Add support for exthdr flagsPhil Sutter2017-02-152-0/+18
| | | | | | | | Along with the actual support for exthdr expression specific flags, this also declares NFT_EXTHDR_F_PRESENT used for exthdr existence match. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: refresh nf_tables.h copyPablo Neira Ayuso2017-02-151-15/+25
| | | | | | Fetch what we have in the kernel tree. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add TCP option matching requirementsManuel Messner2017-02-123-5/+62
| | | | | | | This patch is a requirement of the TCP option patch. Signed-off-by: Manuel Messner <mm@skelett.io> Signed-off-by: Florian Westphal <fw@strlen.de>
* examples: Remove the use of nftnl_mnl_batch_put()Elise Lennion2017-01-164-92/+60
| | | | | | | | use nftnl_batch_begin() and nftnl_batch_end() instead, to keep examples consistent and avoid code duplication. Signed-off-by: Elise Lennion <elise.lennion@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: Add const qualifiers to *2str translation arraysTobias Klauser2017-01-166-6/+6
| | | | | | | | | | | | | | | | Add const qualifiers to the "to string" translation arrays used by various *2str() functions. This fixes GCC warnings such as the following when compiling with -Wwrite-strings: expr/byteorder.c:176:25: warning: initialization discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers] In order to catch these in the future, also add -Wwrite-strings to default CFLAGS. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: ct: add average bytes per packet counter supportLiping Zhang2017-01-032-1/+7
| | | | | | | Similar to ct packets/bytes ... Signed-off-by: Liping Zhang <zlpnobody@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: get rid of aliases and compatPablo Neira Ayuso2016-12-2024-1251/+283
| | | | | | | | | | | This machinery was introduced to avoid sudden compilation breakage of old nftables releases. With the upcoming release of 0.7 (and 0.6 which is now 6 months old) this is not required anymore. Moreover, users gain nothing from older releases since they are half-boiled and buggy. So let's get rid of aliases now. Bump LIBVERSION and update map file. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: Missing nf_log.h in Makefilelibnftnl-1.0.7Pablo Neira Ayuso2016-12-191-1/+1
| | | | | | Otherwise, make distcheck breaks. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: update LIBVERSION to prepare a new releasePablo Neira Ayuso2016-12-192-2/+2
| | | | | | | New interfaces has been added (bump revision), and no interfaces were removed (bump age). Update version: 1.0.7. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* quota: support for consumed bytesPablo Neira Ayuso2016-12-092-3/+24
| | | | | | This patch extends the quota support to account for consumed bytes. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: objref: add support for stateful object mapsPablo Neira Ayuso2016-12-092-2/+73
| | | | | | | | If the NFT_SET_OBJECT flag is set, then this set stores a mapping between any random user-defined arbitrary key and one stateful object. Very useful for performance lookups. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: add NFTNL_SET_ELEM_OBJREF attributePablo Neira Ayuso2016-12-093-0/+29
| | | | | | | This new attribute allows us to attach stateful objects to elements for map lookups. This new attribute identifies the object through its name. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: add NFTNL_SET_OBJ_TYPE attributePablo Neira Ayuso2016-12-093-0/+29
| | | | | | | | This new attribute specifies the stateful object type this set stores. Similar to data type, but specific to store objects. You must set the NFT_SET_OBJECT flag to use this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add stateful object reference expressionPablo Neira Ayuso2016-12-098-0/+329
| | | | | | | This patch adds a new "objref" expression that you can use to refer to stateful objects from rules. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for stateful objectsPablo Neira Ayuso2016-12-0917-0/+1638
| | | | | | | This patch allows you to add, to delete and to get stateful objects, this support two object types: counter and quota. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: fetch stateful object updates for nf_tables.h cache copyPablo Neira Ayuso2016-12-091-0/+64
| | | | | | This patch includes updates for the stateful objects. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: nftnl_set_elems_nlmsg_build_payload_iter()Pablo Neira Ayuso2016-12-051-0/+4
| | | | | | | Similar to a24e4b21ee33 ("set_elem: don't add NFTA_SET_ELEM_LIST_ELEMENTS attribute if set is empty"). This is required by the set flush support. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: payload: add NFTNL_EXPR_PAYLOAD_FLAGSPablo Neira Ayuso2016-12-043-2/+27
| | | | | | So we can include the new NFT_PAYLOAD_L4CSUM_PSEUDOHDR flag. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-set-elem-add: add missing batch logicPablo Neira Ayuso2016-11-301-5/+21
| | | | | | | This example is broken since batch logic in missing. Update it to add element of 2 bytes so this works with nft-set-add. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-set-add: update it to add a set that stores port numbersPablo Neira Ayuso2016-11-301-2/+3
| | | | | | | | This patch updates the existing example to add a set that stores port numbers. In order to interoperate with the nft tool, we use the datatype numbers defined there. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: add nft-map-addPablo Neira Ayuso2016-11-302-0/+161
| | | | | | | Place an example to add a map in the libnftnl tree. Reported-by: Khawar Shehzad <shehzad.khawar@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: call expr->ops->snprintf only if definedPablo Neira Ayuso2016-11-291-0/+3
| | | | | | | The notrack expression comes with no ->ops->snprintf, so skip this from nftnl_expr_snprintf() if not set. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: refresh nf_tables.h cache copyPablo Neira Ayuso2016-11-241-4/+10
| | | | | | Fetch what we have at 4.9-rc6. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>