summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* obj/ct_timeout: Fix NFTA_CT_TIMEOUT_DATA parserHEADmasterPhil Sutter4 days1-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | This is a necessary follow-up on commit 00b144bc9d093 ("obj/ct_timeout: Avoid array overrun in timeout_parse_attr_data()") which fixed array out of bounds access but missed the logic behind it: The nested attribute type values are incremented by one when being transferred between kernel and userspace, the zero type value is reserved for "unspecified". Kernel uses CTA_TIMEOUT_* symbols for that, libnftnl simply mangles the type values in nftnl_obj_ct_timeout_build(). Return path was broken as it overstepped its nlattr array but apart from that worked: Type values were decremented by one in timeout_parse_attr_data(). This patch moves the type value mangling into parse_timeout_attr_policy_cb() (which still overstepped nlattr array). Consequently, when copying values from nlattr array into ct timeout object in timeout_parse_attr_data(), loop is adjusted to start at index 0 and the type value decrement is dropped there. Fixes: 0adceeab1597a ("src: add ct timeout support") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: Validate nftnl_set_elem_set() parametersPhil Sutter5 days3-1/+13
| | | | | | | | | | | | | Copying from nftnl_table_set_data(), validate input to nftnl_set_elem_set() as well. Given that for some attributes the function assumes passed data size, this seems necessary. Since data size expected for NFTNL_SET_ELEM_VERDICT attribute is sizeof(uint32_t), change type of 'verdict' field in union nftnl_data_reg accordingly. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* obj/ct_timeout: Avoid array overrun in timeout_parse_attr_data()Phil Sutter6 days2-1/+9
| | | | | | | | | | Array 'tb' has only 'attr_max' elements, the loop overstepped its boundary by one. Copy array_size() macro from include/utils.h in nftables.git to make sure code does the right thing. Fixes: 0adceeab1597a ("src: add ct timeout support") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: Don't bypass checks in nftnl_set_set_u{32,64}()Phil Sutter6 days1-2/+2
| | | | | | | | | By calling nftnl_set_set(), any data size checks are effectively bypassed. Better call nftnl_set_set_data() directly, passing the real size for validation. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* obj/tunnel: Fix for undefined behaviourPhil Sutter6 days1-3/+3
| | | | | | | | | | | | Cppcheck complains: Shifting signed 32-bit value by 31 bits is undefined behaviour. Indeed, NFTNL_OBJ_TUNNEL_ERSPAN_V2_DIR enum value is 31. Make sure behaviour is as intended by shifting unsigned 1. Fixes: ea63a05272f54 ("obj: add tunnel support") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: Fix return code of nftnl_set_elem_set()Phil Sutter6 days1-1/+1
| | | | | | | The function returned -1 on success. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* obj: ct_timeout: Check return code of mnl_attr_parse_nested()Phil Sutter6 days1-3/+6
| | | | | | | | | Don't ignore nested attribute parsing errors, this may hide bugs in users' code. Fixes: 0adceeab1597a ("src: add ct timeout support") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: Export nftnl_set_list_lookup_byname()Phil Sutter10 days5-20/+42
| | | | | | | | | Rename and optimize internal function nftnl_set_lookup() for external use. Just like with nftnl_chain_list, use a hash table for fast set name lookups. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: synproxy stateful object supportFernando Fernandez Mancera2019-09-106-1/+177
| | | | | | | This patch adds synproxy stateful object support. Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: meta: Make NFT_DYNSET_OP_DELETE knownAnder Juaristi2019-08-272-1/+3
| | | | | Signed-off-by: Ander Juaristi <a@juaristi.eus> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: meta: Make NFT_META_TIME_{NS, DAY, HOUR} knownAnder Juaristi2019-08-272-1/+10
| | | | | Signed-off-by: Ander Juaristi <a@juaristi.eus> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: libnftnl 1.1.4 releaselibnftnl-1.1.4Pablo Neira Ayuso2019-08-191-1/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: meta: Make NFT_META_BRI_IIF{VPROTO, PVID} knownwenxu2019-08-141-1/+3
| | | | | | | | This only affects debug output, the key was properly handled in productive code paths already. Signed-off-by: wenxu <wenxu@ucloud.cn> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: resync nf_tables.h cache copyPablo Neira Ayuso2019-08-131-38/+82
| | | | | | Get this header in sync with 5.3-rc1. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: meta: Make NFT_META_{I,O}IFKIND knownPhil Sutter2019-07-182-1/+7
| | | | | | | | This only affects debug output, the key was properly handled in productive code paths already. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* udata: fix sigbus crash on sparcFlorian Westphal2019-07-131-2/+4
| | | | | | | | | | | | | | | | Anatoly Pugachev reported crash on 'nft list tables' on sparc and provided following gdb backtrace: Starting program: /opt/nft/sbin/nft list tables Program received signal SIGBUS, Bus error. 0xfff8000100946490 in nftnl_udata_get_u32 (attr=0x10000106e30) at udata.c:127 127 return *data; We can't deref attr->value directly, it causes unaligned access. Reported-by: Anatoly Pugachev <matorola@gmail.com> Tested-by: Anatoly Pugachev <matorola@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add synproxy supportFernando Fernandez Mancera2019-07-065-0/+196
| | | | | Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Add Requires.private field to libnftnl.pcThomas Petazzoni2019-07-051-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Static linking userspace programs such as nftables against libnftnl currently doesn't work out of the box, because libnftnl is linked against libmnl, but this isn't expressed in libnftnl pkg-config file: CCLD nft [...]/bfin-buildroot-uclinux-uclibc/sysroot/usr/lib/libnftnl.a(table.o): In function `_nft_table_nlmsg_parse': table.c:(.text+0x480): undefined reference to `_mnl_attr_parse' table.c:(.text+0x492): undefined reference to `_mnl_attr_get_str' table.c:(.text+0x4a8): undefined reference to `_mnl_attr_get_u32' table.c:(.text+0x4ca): undefined reference to `_mnl_attr_get_u32' [...] The Libs.private field is specifically designed for such usage: >From pkg-config documentation: Requires.private: A list of packages required by this package. The difference from Requires is that the packages listed under Requires.private are not taken into account when a flag list is computed for dynamically linked executable (i.e., when --static was not specified). In the situation where each .pc file corresponds to a library, Requires.private shall be used exclusively to specify the dependencies between the libraries. Therefore, this patch adds a reference to libmnl in the Requires.private field of libnftnl pkg-config file. [baruch: use Requires.private; update commit log] Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for matching IPv4 optionsStephen Suryaputra2019-07-042-0/+7
| | | | | | | | | Add capability to have rules matching IPv4 options. This is developed mainly to support dropping of IP packets with loose and/or strict source route route options. Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Add ct id supportBrett Mastbergen2019-06-212-0/+3
| | | | | | | The 'id' key returns the id of the connection entry Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: enable set expiration date for set elementsLaura Garcia Liebana2019-06-211-0/+5
| | | | | | | | | | | | | | | | Currently, the expiration of every element in a set or map is a read-only parameter generated at kernel side. This change will permit to set a certain expiration date per element that will be required, for example, during stateful replication among several nodes. This patch allows to propagate NFTA_SET_ELEM_EXPIRATION from userspace to the kernel in order to set the configured value. Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: add ct expectation examplesStéphane Veyret2019-06-195-0/+600
| | | | | | | | | | Add examples for ct expectations. Add, list and delete ct expectation objects from specified table. Add expectation object to rule. Signed-off-by: Stéphane Veyret <sveyret@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add ct expectation supportStéphane Veyret2019-06-196-1/+244
| | | | | | | | Add support for ct expectation objects, used to define specific expectations. Signed-off-by: Stéphane Veyret <sveyret@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: libnftnl 1.1.3 releaselibnftnl-1.1.3Pablo Neira Ayuso2019-05-273-2/+3
| | | | | | Moreover, add missing include/rule.h file to Makefile.am. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: Remove redundant declaration of nftnl_gen_nlmsg_parse()Phil Sutter2019-05-141-1/+0
| | | | | | | | | The duplicated declaration was there since the functions initial introduction as 'nft_gen_nlmsg_parse()'. Fixes: 2e66fb09d6936 ("src: add ruleset generation class") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: osf: add version option supportFernando Fernandez Mancera2019-04-083-0/+20
| | | | | Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: libnftnl: export genid functions againFlorian Westphal2019-03-131-8/+8
| | | | | | | | Can't use them currently: they are exported only under their old names. Fixes: 44d11498479a08 ("src: get rid of _attr_ infix in new nftnl_ definitions") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* udata: add NFTNL_UDATA_* definitionsPablo Neira Ayuso2019-02-121-0/+33
| | | | | | | | Place them in the library, so iptables and nftables do not need to redefine them. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Phil Sutter <phil@nwl.cc>
* set_elem: close a padding holeFlorian Westphal2019-02-081-1/+1
| | | | | | 224 -> 216 bytes on x86_64. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: rule: Support NFTA_RULE_POSITION_ID attributePhil Sutter2019-01-284-0/+24
| | | | | Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Revert "expr: add map lookups for hash statements"Laura Garcia Liebana2019-01-283-47/+4
| | | | | | | | | A better way to implement this from userspace has been found without specific code in the kernel side, revert this. Fixes: bb4b75aea5c0 ("expr: add map lookups for hash statements") Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Revert "expr: add map lookups for numgen statements"Laura Garcia Liebana2019-01-283-47/+4
| | | | | | | | | A better way to implement this from userspace has been found without specific code in the kernel side, revert this. Fixes: b97f45c2ebaa ("expr: add map lookups for numgen statements") Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: chain: Fix nftnl_chain_rule_insert_at()Phil Sutter2019-01-143-0/+8
| | | | | | | | | | Extrapolating from iptables nomenclature, one would expect that "insert" means to prepend the new item to the referenced one, not append. Change nftnl_chain_rule_insert_at() to do just that and introduce nftnl_chain_rule_append_at() to insert a rule after the referenced one. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: chain: Add missing nftnl_chain_rule_del()Phil Sutter2019-01-143-0/+8
| | | | | | | | | | | Although identical to nftnl_rule_list_del(), this function adheres to the common naming style of per chain rule list routines introduced earlier, therefore helps with deprecating the global rule list API at a later point. Fixes: e33798478176f ("chain: Support per chain rules list") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* flowtable: Fix for reading garbagePhil Sutter2018-12-211-2/+2
| | | | | | | | | nftnl_flowtable_get_data() doesn't assign to passt data_len pointer destination in all cases, so initialize it to 0. Fixes: eb58f53372e74 ("src: add flowtable support") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* flowtable: Fix memleak in nftnl_flowtable_parse_devs()Phil Sutter2018-12-211-3/+7
| | | | | | | | | | Allocated strings in dev_array were not freed. Fix this by freeing them on error path and assigning them to c->dev_array directly in regular path. Fixes: eb58f53372e74 ("src: add flowtable support") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* flowtable: Fix use after free in two spotsPhil Sutter2018-12-211-6/+4
| | | | | | | | | When freeing flowtable devices array, the loop freeing each device string incorrectly included the call to free the device array itself. Fixes: eb58f53372e74 ("src: add flowtable support") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* flowtable: Add missing breakPhil Sutter2018-12-211-0/+1
| | | | | | | | | | In nftnl_flowtable_set_data(), when setting flowtable size, the switch() case fell through and the same value was copied into ft_flags field. This can't be right. Fixes: 41fe3d38ba34b ("flowtable: support for flags") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* object: Avoid obj_ops array overrunPhil Sutter2018-12-211-1/+1
| | | | | | | | | In version 1.1.1, obj_ops array was smaller than __NFT_OBJECT_MAX since there are no ops for NFT_OBJECT_CONNLIMIT. Avoid this potential issue in the future by defining the array size. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: Hash chain list by namePhil Sutter2018-12-121-1/+29
| | | | | | | | | | | | | | | | | | | | | | | | Introduce a hash table to speedup nftnl_chain_list_lookup_byname(). In theory this could replace the linked list completely but has been left in place so that nftnl_chain_list_add_tail() still does what it's supposed to and iterators return chains in original order. Speed was tested using a simple script which creates a dump file containing a number of custom chains and for each of them two rules in INPUT chain jumping to it. The following table compares run-time of iptables-legacy-restore with iptables-nft-restore before and after this patch: count legacy nft-old nft-new ---------------------------------------------- 10000 26s 38s 31s 50000 137s 339s 149s So while it is still not as quick, it now scales nicely (at least in this very primitive test). Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: Add lookup functions for chain list and rules in chainPhil Sutter2018-12-073-0/+33
| | | | | | | | | For now, these lookup functions simply iterate over the linked list until they find the right entry. In future, they may make use of more optimized data structures behind the curtains. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: Support per chain rules listPhil Sutter2018-12-076-23/+155
| | | | | | | The implementation basically copies expr_list in struct nftnl_rule. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: libnftnl 1.1.2 releaselibnftnl-1.1.2Pablo Neira Ayuso2018-11-131-1/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove nftnl_rule_cmp() and nftnl_expr_cmp()Pablo Neira Ayuso2018-10-2442-751/+5
| | | | | | | | | | | | | | These functions are not very useful, rule comparison from this layer does not work well with implicit set definitions. This infrastructure was added as an attempt to support for deletion by name from this layer, which should be done from higher level libnftables library. Finally, we never had a client for this code in git.netfilter.org. Let's remove it and bump libversion for safety reasons. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Use memcpy() to handle potentially unaligned dataMatt Turner2018-10-1949-191/+196
| | | | | | | | | | | | Rolf Eike Beer <eike@sf-mail.de> reported that nft-expr_quota-test fails with a SIGBUS on SPARC due to unaligned accesses. This patch resolves that and fixes additional sources of unaligned accesses matching the same pattern. Both nft-expr_quota-test and nft-expr_objref-test generated unaligned accesses on DEC Alpha. Bug: https://bugs.gentoo.org/666448 Signed-off-by: Matt Turner <mattst88@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Remove test-script.shMatt Turner2018-10-182-34/+0
| | | | | | | All tests are now run with make check. Signed-off-by: Matt Turner <mattst88@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Run regression tests from make checkMatt Turner2018-10-181-0/+2
| | | | | | | | The existing test-script.sh does not check the return values of the tests so it is not very good for automated testing. Signed-off-by: Matt Turner <mattst88@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Execute nft-flowtable-test in test-script.shMatt Turner2018-10-181-0/+1
| | | | | | | | Seems to have been forgotten in commit 4d472c225ba0 ("tests: add flowtable regression test") Signed-off-by: Matt Turner <mattst88@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* obj: secmark: remove json stubPablo Neira Ayuso2018-10-151-22/+0
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: osf: add ttl option supportFernando Fernandez Mancera2018-10-153-1/+26
| | | | | Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>