| Commit message | Author | Age | Files | Lines |
| |
This storage in rules and set elements is opaque by design, neither
libnftnl nor kernel should deal with its content. Yet nftables enters data
in host byte order which will lead to changing output depending on
host's byte order. Avoid this problem for test suites checking the debug
output by merely printing the number and sum of all the bytes in the
buffer. This likely detects changes in userdata but deliberately ignores
data reordering.
Signed-off-by: Phil Sutter <phil@nwl.cc>
| |
This reverts commit f20dfa7824860a9ac14425a3f7ca970a6c981597.
This change to payload (interpretation) is problematic with package
updates at run-time: the new version might trip over userdata in the
running ruleset; avoid this.
Signed-off-by: Phil Sutter <phil@nwl.cc>
| |
Avoid deviation of this data in between different byte orders. Assume
that direct callers of nftnl_udata_put() know what they do.
Signed-off-by: Phil Sutter <phil@nwl.cc>
| |
If sizes array has non-zero field values, interpret byteorder field as
bitfield indicating each component's byteorder and print the components
separated by a dot.
Signed-off-by: Phil Sutter <phil@nwl.cc>
| |
Print data from most significant byte to least significant one. Also
print only reg->len bytes of data, not every non-empty u32. Still
separate four byte blocks by whitespace, though.
Signed-off-by: Phil Sutter <phil@nwl.cc>
| |
These are alternatives to nftnl_{expr,set_elem}_set() which accept
byteorder and concat component size information.
Signed-off-by: Phil Sutter <phil@nwl.cc>
| |
This will hold the actual size of each component in concatenated data.
Signed-off-by: Phil Sutter <phil@nwl.cc>
| |
Expression setters populate it from the passed 'byteorder' parameter.
Signed-off-by: Phil Sutter <phil@nwl.cc>
| |
Prepare for storing data reg byteorder, no functional change intended.
Note the odd case in expr/byteorder.c since there is a local variable
with same name already.
Signed-off-by: Phil Sutter <phil@nwl.cc>
| |
Do not append a space to data regs, they may appear at end of line or
followed by a tab. Have callers print the space if needed.
Signed-off-by: Phil Sutter <phil@nwl.cc>
| |
* Do not print a colon if no data part is present
* Include the object's name for objmap elements
* Print flags only if non-zero, but prefixed by 'flags' keyword to avoid
confusion with data values
Signed-off-by: Phil Sutter <phil@nwl.cc>
| |
Bump libversion, because this release adds new nftnl_tunnel_opt API.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Wrap the common parsing of string attributes in a function. Apart from
slightly reducing code size, this unifies callers in conditional freeing
of the field in case it was set before (missing in twelve spots) and
error checking for failing strdup()-calls (missing in four spots).
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
| |
The asterisk left in place becomes part of the prefix by accident and is thus
both included when matching interface names as well as dumped back to user
space.
Fixes: f30eae26d813e ("utils: Add helpers for interface name wildcards")
Signed-off-by: Phil Sutter <phil@nwl.cc>
| |
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
Support simple (suffix) wildcards in NFTNL_{CHAIN,FLOWTABLE}_DEVICES
identified by NFTA_DEVICE_PREFIX attribute. Add helpers converting to
and from the human-readable asterisk-suffix notation.
Signed-off-by: Phil Sutter <phil@nwl.cc>
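Worked example of the conversion described in this message and of the regression fixed two messages above (the asterisk surviving into the prefix). This is an added illustration, not libnftnl's own helpers: the function names, the `IFNAMSIZ` bound and the rule that a bare `*` is rejected are assumptions of this example. The buggy variant is kept only so the effect of the leftover asterisk is visible.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define IFNAMSIZ 16	/* same value as the kernel's <linux/if.h> */

/*
 * "eth*" -> "eth": the prefix that goes into NFTA_DEVICE_PREFIX. The
 * asterisk is display notation only and must not survive the conversion.
 * A bare "*" is rejected here (assumption: at least one prefix character),
 * as are non-wildcards and names that do not fit IFNAMSIZ.
 */
bool ifname_wildcard_to_prefix(const char *name, char prefix[IFNAMSIZ])
{
	size_t len = strlen(name);

	if (len < 2 || len >= IFNAMSIZ || name[len - 1] != '*')
		return false;
	memcpy(prefix, name, len - 1);	/* everything before the '*' */
	prefix[len - 1] = '\0';
	return true;
}

/*
 * Pre-fix behaviour, kept only to show the regression: the '*' is copied
 * along, so it becomes part of the prefix sent to the kernel and would be
 * dumped back as "eth**" once the inverse helper appends another one.
 */
bool ifname_wildcard_to_prefix_buggy(const char *name, char prefix[IFNAMSIZ])
{
	size_t len = strlen(name);

	if (len < 2 || len >= IFNAMSIZ || name[len - 1] != '*')
		return false;
	memcpy(prefix, name, len + 1);	/* copies the '*' and the NUL too */
	return true;
}

/* Inverse, for dumping to user space: "eth" -> "eth*". */
bool ifname_prefix_to_wildcard(const char *prefix, char name[IFNAMSIZ])
{
	size_t len = strlen(prefix);

	if (len == 0 || len + 1 >= IFNAMSIZ)
		return false;
	memcpy(name, prefix, len);
	name[len] = '*';
	name[len + 1] = '\0';
	return true;
}

/* Suffix-wildcard semantics: the prefix must match the start of the name. */
bool ifname_matches_prefix(const char *ifname, const char *prefix)
{
	return strncmp(ifname, prefix, strlen(prefix)) == 0;
}

/* Does wildcard wc match ifname via the fixed (or the buggy) conversion? */
bool wildcard_matches(const char *wc, const char *ifname, bool fixed)
{
	char prefix[IFNAMSIZ];
	bool ok = fixed ? ifname_wildcard_to_prefix(wc, prefix)
			: ifname_wildcard_to_prefix_buggy(wc, prefix);

	return ok && ifname_matches_prefix(ifname, prefix);
}

/* wildcard -> prefix -> wildcard must reproduce the input exactly. */
bool wildcard_round_trips(const char *wc)
{
	char prefix[IFNAMSIZ], back[IFNAMSIZ];

	return ifname_wildcard_to_prefix(wc, prefix) &&
	       ifname_prefix_to_wildcard(prefix, back) &&
	       strcmp(wc, back) == 0;
}

/* True if name is a suffix wildcard the helpers accept. */
bool is_ifname_wildcard(const char *name)
{
	char prefix[IFNAMSIZ];

	return ifname_wildcard_to_prefix(name, prefix);
}
```

With the asterisk left in place, `eth*` never matches `eth0`; only a name that literally begins with `eth*` would, which no real interface does. The round-trip check is the cheap regression test for this class of bug: whatever is dumped back to user space must parse to the same prefix again.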
| |
Register these table udata types here to avoid accidental overlaps.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
In addition, this modifies the netlink parsing to loop through the nested
array of NFTA_TUNNEL_KEY_OPTS.
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Only vxlan gbp can work before this patch because
NFTNL_OBJ_TUNNEL_ERSPAN_V2_DIR is off by one in the internal object
flags.
Replace them by NFTNL_OBJ_TUNNEL_OPTS and add two new opaque
nftnl_tunnel_opts and nftnl_tunnel_opt structs to represent tunnel
options.
- nftnl_tunnel_opt_alloc() allocates one tunnel option.
- nftnl_tunnel_opt_set() to set it up.
- nftnl_tunnel_opt_get() to get the option attribute.
Then, to manage the list of options:
- nftnl_tunnel_opts_alloc() allocates a list of tunnel options.
- nftnl_tunnel_opts_add() adds an option to the list.
Although vxlan and erspan support a single tunnel option at this
stage, this API prepares for supporting geneve, which allows for more
tunnel options.
Joint work with Fernando.
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Otherwise includers may face 'errno' undeclared errors.
Fixes: 26c945057d742 ("src: split internal.h is smaller files")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
Decode direction/id/state/status information.
This will be used by 'nftables monitor trace' to print a packet's
conntrack state.
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
In case the kernel provided the information, do include it in the debug dump:
nft --debug=netlink list ruleset
family 2 s t 0 backend nft_set_rhash_type
family 2 __set0 t 3 size 3 backend nft_set_hash_fast_type count 3
family 2 __set1 t 3 size 2 backend nft_set_bitmap_type count 2
[..]
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
The VXLAN options must be nested inside the NFTA_TUNNEL_KEY_OPTS_VXLAN
netlink attribute.
Fixes: ea63a05272f5 ("obj: add tunnel support")
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
After commit 80077787f8f2 ("src: remove json support"), these internal
functions are no longer used:
nftnl_str2hooknum
nftnl_str2ntoh
nftnl_str2cmp
str2ctkey
str2ctdir
str2exthdr_op
str2exthdr_type
str2meta_key
nftnl_str2nat
nftnl_str2range
str2rt_key
nftnl_str2hooknum
Signed-off-by: Zhongqiu Duan <dzq.aishenghu0@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
Fixes: 005369151ed5 ("include: updated nf_tables.h")
Signed-off-by: Zhongqiu Duan <dzq.aishenghu0@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
The debug printing of the payload expr shows the tunnel header name as
unknown. Since after the first version we added two new payload bases
inner and tunnel, I prefer to make this change to meet possible future
extensions rather than setting NFT_PAYLOAD_TUN_HEADER as the new bound.
Reproduce:
nft --debug netlink add rule inet t c meta l4proto udp vxlan vni 0x123456
Before patch:
...
[ inner type 1 hdrsize 8 flags f [ payload load 3b @ unknown header + 4 => reg 1 ] ]
...
After patch:
...
[ inner type 1 hdrsize 8 flags f [ payload load 3b @ tunnel header + 4 => reg 1 ] ]
...
[ Remove defensive check in original patch --pablo ]
Fixes: 3f3909afd76d ("expr: add inner support")
Signed-off-by: Zhongqiu Duan <dzq.aishenghu0@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
The 'data' arrays in match and target expression tests were undersized
as they did not cover for the terminating NUL-char of the string used to
initialize them. When passing such array to strdup(), the latter reads
until after the defined array boundary.
Fixes: 93483364369d8 ("src: get rid of cached copies of x_tables.h and xt_LOG.h")
Signed-off-by: Phil Sutter <phil@nwl.cc>
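Added example, not libnftnl code, covering the two strdup() hazards on this page: the undersized test arrays of this message (no terminating NUL, so strdup() reads past the array) and the missing conditional free and allocation check that the string-attribute parsing helper further up consolidates. The function name and the buffer-plus-length interface are assumptions of this example; `undersized` and `sized` are constructed inputs.

```c
#define _POSIX_C_SOURCE 200809L	/* strdup() */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/*
 * Common string-attribute setter. Three properties the fixes above are
 * about:
 *  1. the buffer must contain a NUL within the length the caller vouches
 *     for, otherwise strdup() reads past the array;
 *  2. a previously set value is freed, so repeated setters do not leak;
 *  3. the strdup() result is checked.
 * Returns 0 on success and -1 on failure; *dst is untouched on failure.
 */
int attr_set_str(char **dst, const char *buf, size_t buflen)
{
	char *copy;

	if (!buf || memchr(buf, '\0', buflen) == NULL)
		return -1;	/* unterminated within buflen: refuse */

	copy = strdup(buf);
	if (!copy)
		return -1;	/* allocation failure */

	free(*dst);		/* conditional free of an earlier value */
	*dst = copy;
	return 0;
}

/*
 * Constructed test data. A 5-byte array initialised from a 5-character
 * literal is legal C and gets no terminating NUL, which is exactly the
 * undersized-array bug; letting the compiler size the array adds the NUL.
 */
const char undersized[5] = "hello";
const char sized[] = "hello";

/* Returns true when the setter accepts buf; the copy is released again. */
bool attr_set_str_accepts(const char *buf, size_t buflen)
{
	char *value = NULL;
	bool ok = attr_set_str(&value, buf, buflen) == 0;

	free(value);
	return ok;
}

/*
 * Sets the same destination twice and returns the final value's length;
 * the first copy is released by the second call rather than leaked.
 */
size_t attr_set_str_twice_len(void)
{
	char *value = NULL;
	size_t len;

	(void)attr_set_str(&value, "first", sizeof "first");
	(void)attr_set_str(&value, "second", sizeof "second");
	len = value ? strlen(value) : 0;
	free(value);
	return len;
}
```

The memchr() check is the part a test suite cannot do for you: sizeof of a fixed-size array is the caller's promise about the storage, and the NUL has to be inside it before anything string-based is allowed to run.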
| |
Just to cover setter and getter code for that attribute.
Signed-off-by: Phil Sutter <phil@nwl.cc>
| |
Assuming max data_len of 16 * 4B and no zero bytes in 'data':
The while loop will increment field_count, use it as index for the
field_len array and afterwards make sure it hasn't increased to
NFT_REG32_COUNT. Thus a value of NFT_REG32_COUNT - 1 (= 15) will pass
the check, get incremented to 16 and used as index to the 16 fields long
array.
Use a less fancy for-loop to avoid the increment vs. check problem.
Fixes: 407f616ea5318 ("set: buffer overflow in NFTNL_SET_DESC_CONCAT setter")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
We already have tests for mask-and-xor operations with constant RHS
operands. Add tests for new operations with variable RHS operands.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Deduplicate shift tests: instead of having separate implementations
for left- and right-shifts, have one and pass the operation to it.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Hitherto, the kernel has only supported boolean operations of the form:
dst = (src & mask) ^ xor
where `src` is held in a register, and `mask` and `xor` are immediate
values. User space has converted AND, OR and XOR operations to this
form, and so one operand has had to be immediate. The kernel now
supports performing AND, OR and XOR operations directly, on one register
and an immediate value or on two registers, so we make that support
available to user space.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
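Worked example of the lowering this message describes: how user space has been expressing AND, OR and XOR with an immediate operand as `(src & mask) ^ xor`, and the direct operations the kernel now performs. This is an added illustration, not nftables or libnftnl code; the struct, enum and function names are assumptions of this example, and the register-operand case is modelled simply as a second value.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* The only boolean form the kernel bitwise expression supported so far:
 * dst = (src & mask) ^ xor, with mask and xor immediate values. */
struct maskxor {
	uint32_t mask;
	uint32_t xor;
};

uint32_t apply_maskxor(uint32_t src, struct maskxor op)
{
	return (src & op.mask) ^ op.xor;
}

/* How user space lowers each operation when the RHS is an immediate. */
struct maskxor and_as_maskxor(uint32_t imm)
{
	/* src & imm == (src & imm) ^ 0 */
	return (struct maskxor){ .mask = imm, .xor = 0 };
}

struct maskxor or_as_maskxor(uint32_t imm)
{
	/* src | imm == (src & ~imm) ^ imm: clear the bits, then set them */
	return (struct maskxor){ .mask = ~imm, .xor = imm };
}

struct maskxor xor_as_maskxor(uint32_t imm)
{
	/* src ^ imm == (src & ~0) ^ imm */
	return (struct maskxor){ .mask = UINT32_MAX, .xor = imm };
}

/*
 * The operations the kernel now performs directly. The RHS may come from a
 * register, in which case no per-rule (mask, xor) pair can stand in for it;
 * here it is simply a second value.
 */
enum boolop { BOOL_AND, BOOL_OR, BOOL_XOR };

uint32_t apply_boolop(enum boolop op, uint32_t lhs, uint32_t rhs)
{
	switch (op) {
	case BOOL_AND: return lhs & rhs;
	case BOOL_OR:  return lhs | rhs;
	case BOOL_XOR: return lhs ^ rhs;
	}
	return 0;
}

/* Lower an operation with an immediate RHS to the legacy form. */
struct maskxor boolop_as_maskxor(enum boolop op, uint32_t imm)
{
	switch (op) {
	case BOOL_AND: return and_as_maskxor(imm);
	case BOOL_OR:  return or_as_maskxor(imm);
	case BOOL_XOR: return xor_as_maskxor(imm);
	}
	return (struct maskxor){ 0, 0 };
}

/* Check the lowering against the direct operation over sample src/imm pairs. */
bool maskxor_lowering_is_equivalent(void)
{
	static const uint32_t samples[] = {
		0, 1, 0x0000ffff, 0xff00ff00, 0xdeadbeef, 0x80000001, UINT32_MAX,
	};
	static const enum boolop ops[] = { BOOL_AND, BOOL_OR, BOOL_XOR };
	size_t i, j, k;

	for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
		for (j = 0; j < sizeof samples / sizeof samples[0]; j++)
			for (k = 0; k < sizeof ops / sizeof ops[0]; k++) {
				uint32_t src = samples[i], imm = samples[j];

				if (apply_maskxor(src, boolop_as_maskxor(ops[k], imm)) !=
				    apply_boolop(ops[k], src, imm))
					return false;
			}
	return true;
}
```

The OR lowering is the one worth remembering when reading `--debug=netlink` output: a rule that says `x | 0xff` shows up as mask `~0xff` and xor `0xff`, not as anything resembling an OR.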
| |
In the next patch we add support for doing AND, OR and XOR operations
directly in the kernel, so rename some functions and an enum constant
related to mask-and-xor boolean operations.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
The kernel now has native support for AND, OR and XOR bitwise
operations.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Replace the copyright notice in header comments by an equivalent
SPDX-License-Identifier string. Drop a following empty line if at the
bottom of the comment. Leave any other header comment content in place.
This also fixes an incomplete notice in examples/nft-ruleset-get.c
since commit c335442eefcca ("src: incorrect header refers to GPLv2
only").
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This data structure holds an array of allocated strings for use in
nftnl_chain and nftnl_flowtable structs. For convenience, implement
functions to clear, populate and iterate over contents.
While at it, extend chain and flowtable tests to cover these attributes,
too.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Fetch what we have in the kernel tree.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Since commit c759027a526ac, printed rules may or may not end with a
newline depending on whether userdata was present or not. Deal with this
inconsistency by avoiding the trailing newline in all cases.
Fixes: c759027a526ac ("rule, set_elem: remove trailing \n in userdata snprintf")
Signed-off-by: Phil Sutter <phil@nwl.cc>
| |
nftnl_.*_do_parse() are of no use anymore, remove them.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
This was not handled in the switch statement so far.
Also, use the proper max value; SET_MAX is larger than what is needed for
parsing.
Signed-off-by: Florian Westphal <fw@strlen.de>
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
Cosmetics, but support unsetting anything that may be set.
Fixes: 99be0e6d066d7 ("table: add userdata support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
| |
Cosmetics, but support unsetting anything that may be set.
Fixes: 76b82c425818e ("chain: add userdata and comment support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
| |
When limit->unit is not a known timespan, use the largest possible unit
and print the value along with it. This enables libnftnl debug output to
correctly print arbitrary quotients, like '3/5 minutes' for instance.
Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1214
Suggested-by: Cyril <boite.pour.spam@gmail.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
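Added example of the unit selection this message describes, for the limit expression's debug output. It is not libnftnl's own printing code: the timespan table, the rule "largest known timespan that divides the unit evenly, printed with the quotient" and the function names are assumptions of this example, chosen so that a unit of 300 seconds with rate 3 renders as `3/5 minutes`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct timespan {
	const char *name;
	uint64_t seconds;
};

/* Largest first, so the first divisor found is the largest usable unit. */
static const struct timespan timespans[] = {
	{ "week",   604800 },
	{ "day",    86400 },
	{ "hour",   3600 },
	{ "minute", 60 },
	{ "second", 1 },
};

/*
 * Render rate/unit for debug output. A unit equal to a known timespan
 * prints as "10/minute". Any other unit is expressed in the largest
 * timespan that divides it evenly, together with the quotient: 300
 * seconds is 5 minutes, so (3, 300) prints as "3/5 minutes". Returns the
 * number of characters written, or -1 for a zero unit or a buffer that is
 * too small.
 */
int format_limit(char *buf, size_t size, uint64_t rate, uint64_t unit)
{
	size_t i;
	int n;

	if (unit == 0)
		return -1;

	for (i = 0; i < sizeof timespans / sizeof timespans[0]; i++) {
		const struct timespan *ts = &timespans[i];

		if (unit % ts->seconds)
			continue;
		if (unit == ts->seconds)
			n = snprintf(buf, size, "%llu/%s",
				     (unsigned long long)rate, ts->name);
		else
			n = snprintf(buf, size, "%llu/%llu %ss",
				     (unsigned long long)rate,
				     (unsigned long long)(unit / ts->seconds),
				     ts->name);
		return (n < 0 || (size_t)n >= size) ? -1 : n;
	}
	return -1;	/* not reached: "second" divides every unit */
}

/* Convenience for tests: does (rate, unit) render exactly as expected? */
bool format_limit_equals(uint64_t rate, uint64_t unit, const char *expected)
{
	char buf[64];

	return format_limit(buf, sizeof buf, rate, unit) >= 0 &&
	       strcmp(buf, expected) == 0;
}
```

A unit that is not a multiple of any larger timespan, such as 90 seconds, falls through to `seconds`, which is still an exact representation; the table order is what guarantees the largest exact unit is picked first.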
| |
Coincidentally NFTNL_EXPR_BASE starts at 1 which comes right after
NFTA_*_UNSPEC which is zero. And NFTNL_EXPR_ attribute values were
mapping to NFTA_* attributes.
Use NFTA_* for netlink attribute types instead.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| |
With attr_policy in place, data_len has an upper boundary but it may be
lower than the attribute's storage area in which case memcpy() would
read garbage.
Signed-off-by: Phil Sutter <phil@nwl.cc>
| |
With attr_policy in place, data_len has an upper boundary. Use it for
memcpy() calls to cover for caller passing data with lower size than the
attribute's storage.
Signed-off-by: Phil Sutter <phil@nwl.cc>
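Added example, not libnftnl code, of the bounded copies the last two messages describe: a setter that enforces a per-attribute policy length and copies only what the caller passed, and a getter that hands out the stored length rather than the whole storage area. The policy struct, the attribute enum, the object layout and the function names are assumptions of this example; the 0xAA filler stands in for stale memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed shape of a per-attribute policy entry: an upper length bound. */
struct attr_policy {
	uint32_t maxlen;
};

enum { ATTR_NAME, ATTR_DATA, ATTR_MAX };

static const struct attr_policy policy[ATTR_MAX] = {
	[ATTR_NAME] = { .maxlen = 16 },
	[ATTR_DATA] = { .maxlen = 64 },
};

/* Object with one fixed storage area that is usually only partly used. */
struct obj {
	uint8_t data[64];
	uint32_t data_len;	/* bytes the caller actually set */
};

/*
 * Setter: reject anything above the policy bound (and above the storage,
 * should the two ever disagree), copy exactly data_len bytes, remember it.
 */
int obj_set_attr(struct obj *o, unsigned int attr, const void *data,
		 uint32_t data_len)
{
	if (attr >= ATTR_MAX || data_len > policy[attr].maxlen ||
	    data_len > sizeof o->data)
		return -1;
	memcpy(o->data, data, data_len);
	o->data_len = data_len;
	return 0;
}

/* Getter: hand out data_len bytes, never sizeof(o->data). */
uint32_t obj_get_attr(const struct obj *o, void *out, size_t outlen)
{
	if (o->data_len > outlen)
		return 0;
	memcpy(out, o->data, o->data_len);
	return o->data_len;
}

/*
 * Counts the filler bytes that reach the caller's buffer after a 4-byte
 * value is set. The storage is pre-filled with 0xAA as a stand-in for
 * stale or uninitialised memory. old_way copies the whole storage area as
 * the pre-fix code did; otherwise the bounded getter is used.
 */
size_t stale_bytes_copied(bool old_way)
{
	struct obj o;
	uint8_t out[sizeof o.data];
	static const uint8_t value[] = { 1, 2, 3, 4 };
	size_t copied, stale = 0, i;

	memset(o.data, 0xAA, sizeof o.data);
	o.data_len = 0;
	memset(out, 0, sizeof out);
	if (obj_set_attr(&o, ATTR_DATA, value, sizeof value))
		return (size_t)-1;

	if (old_way) {
		memcpy(out, o.data, sizeof o.data);
		copied = sizeof o.data;
	} else {
		copied = obj_get_attr(&o, out, sizeof out);
	}
	for (i = 0; i < copied; i++)
		stale += out[i] == 0xAA;
	return stale;
}

/* Policy check helper: does a data_len of len pass for attr? */
bool obj_set_attr_accepts(unsigned int attr, uint32_t len)
{
	struct obj o;
	uint8_t big[128];

	memset(big, 0x5A, sizeof big);
	memset(&o, 0, sizeof o);
	return len <= sizeof big && obj_set_attr(&o, attr, big, len) == 0;
}
```

Sixty of the sixty-four bytes the old copy hands out here are filler that the caller never set; in a real object that tail is whatever the allocator left behind, which is the "garbage" the message refers to.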