summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* build: libnftnl 1.1.7 releaseHEADlibnftnl-1.1.7masterPablo Neira Ayuso2020-06-051-2/+2
| | | | | | bump libmnl dependency too. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* flowtable: relax logic to build NFTA_FLOWTABLE_HOOKPablo Neira Ayuso2020-05-251-12/+19
| | | | | | | | The logic to build NFTA_FLOWTABLE_HOOK enforces the presence of the hook number and priority to include the devices. Relax this to allow for incremental device updates. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: dynset: release stateful expression from .free pathPablo Neira Ayuso2020-05-061-0/+2
| | | | | | | | | | | | | | | | ==22778==ERROR: LeakSanitizer: detected memory leaks Direct leak of 64 byte(s) in 1 object(s) allocated from: #0 0x7f3212406518 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9518) #1 0x7f321041703e in nftnl_expr_alloc /home/pablo/devel/scm/git-netfilter/libnftnl/src/expr.c:37 #2 0x7f3211d51c16 in netlink_gen_limit_stmt /home/pablo/devel/scm/git-netfilter/nftables/src/netlink_linearize.c:859 #3 0x7f3211d5220c in netlink_gen_stmt_stateful /home/pablo/devel/scm/git-netfilter/nftables/src/netlink_linearize.c:891 #4 0x7f3211d58630 in netlink_gen_meter_stmt /home/pablo/devel/scm/git-netfilter/nftables/src/netlink_linearize.c:1441 [...] SUMMARY: AddressSanitizer: 64 byte(s) leaked in 1 allocation(s). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: objref: add nftnl_expr_objref_free() to release object namePablo Neira Ayuso2020-05-051-0/+9
| | | | | | | | | | | | | | | ==4876==ERROR: LeakSanitizer: detected memory leaks Direct leak of 9 byte(s) in 1 object(s) allocated from: #0 0x7f4e2c16b810 in strdup (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a810) #1 0x7f4e2a39906f in nftnl_expr_objref_set expr/objref.c:45 #2 0x7f4e2a39906f in nftnl_expr_objref_set expr/objref.c:35 Direct leak of 16 byte(s) in 2 object(s) allocated from: #0 0x7f4018aa0810 in strdup (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a810) #1 0x7f4016b660af in nftnl_expr_objref_set expr/objref.c:53 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* udata: add NFTNL_UDATA_SET_DATA_INTERVALPablo Neira Ayuso2020-04-281-0/+1
| | | | | | Use this field to specify that set element data specifies an interval. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: libnftnl 1.1.6 releaselibnftnl-1.1.6Pablo Neira Ayuso2020-03-312-2/+2
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: update nf_tables.h.Pablo Neira Ayuso2020-03-311-4/+23
| | | | | | Get header in sync with 5.7.0-rc. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Revert "bitwise: add support for passing mask and xor via registers."Pablo Neira Ayuso2020-03-313-102/+30
| | | | | | | This reverts commit 75b8778e5bf630a3fc13e5d76bc64838135f02a9. Kernel support for this new feature might be reworked, keep this back. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: nat: snprint flags in hexadecimalPablo Neira Ayuso2020-03-201-1/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: masq: revisit _snprintf()Pablo Neira Ayuso2020-03-201-6/+10
| | | | | | Print combination of registers and flags. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: support for NFTNL_SET_EXPRPablo Neira Ayuso2020-03-175-0/+32
| | | | | | This patch adds support for the NFTA_SET_EXPR netlink attribute. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: missing set and build for NFTNL_SET_ELEM_EXPRPablo Neira Ayuso2020-03-111-0/+13
| | | | | | | Extend nftnl_set_elem_set() and nftnl_set_elem_nlmsg_build_payload() to support for the NFTNL_SET_ELEM_EXPR attribute. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: add NFTNL_CHAIN_FLAGSPablo Neira Ayuso2020-03-032-0/+22
| | | | | | This patch adds support for chain flags. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bitwise: add support for passing mask and xor via registers.Jeremy Sowden2020-03-023-30/+102
| | | | | | | | | | The kernel supports passing mask and xor values for bitwise boolean operations via registers. These are mutually exclusive with the existing data attributes: e.g., setting both NFTA_EXPR_BITWISE_MASK and NFTA_EXPR_BITWISE_MREG is an error. Add support to libnftnl. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: update nf_tables.h.Jeremy Sowden2020-03-021-0/+4
| | | | | | | Pick up a couple of new bitwise netlink attributes. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: bitwise: fix error message.Jeremy Sowden2020-03-021-1/+1
| | | | | | | | In one case, the boolean test was reporting the wrong mismatched attribute. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add nftnl_*_{get,set}_array()Pablo Neira Ayuso2020-02-195-2/+44
| | | | | | | | | The original intention in eb58f53372e7 ("src: add flowtable support") was to introduce this helper function. Add helper to set and to get array of strings. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Phil Sutter <phil@nwl.cc>
* src: Fix for reading garbage in nftnl_chain gettersPhil Sutter2020-02-192-0/+2
| | | | | | | | | | | | | | In {s,u}{32,64} type getters nftnl_assert() is called to make sure returned data length matches expectations. Therefore all attributes must set data_len, which NFTNL_CHAIN_DEVICES didn't. While being at it, do the same change for NFTNL_FLOWTABLE_DEVICES as well to make code a bit more consistent although the problem was fixed for flowtables with commit f8eed54150fd4 ("flowtable: Fix for reading garbage") already (but in the other direction). Fixes: e3ac19b5ec162 ("chain: multi-device support") Signed-off-by: Phil Sutter <phil@nwl.cc>
* set_elem: Introduce support for NFTNL_SET_ELEM_KEY_ENDStefano Brivio2020-02-053-0/+26
| | | | | | | | | | | The new set element attribute maps to the netlink attribute NFTA_SET_ELEM_KEY_END in the same way as NFTNL_SET_ELEM_KEY maps to NFTA_SET_ELEM_KEY, and represents the key data used to express the upper bound of a range, in concatenations. Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: Add support for NFTA_SET_DESC_CONCAT attributesStefano Brivio2020-02-053-19/+95
| | | | | | | | | | | | | | | | | | | | | | | | | | | | If NFTNL_SET_DESC_CONCAT data is passed, pass that to the kernel as NFTA_SET_DESC_CONCAT attributes: it describes the length of single concatenated fields, in bytes. Similarly, parse NFTA_SET_DESC_CONCAT attributes if received from the kernel. This is the libnftnl counterpart for nftables patch: src: Add support for NFTNL_SET_DESC_CONCAT v4: - move NFTNL_SET_DESC_CONCAT to the end of enum nftnl_set_attr to avoid ABI breakage (Pablo Neira Ayuso) v3: - use NFTNL_SET_DESC_CONCAT and NFTA_SET_DESC_CONCAT instead of a stand-alone NFTA_SET_SUBKEY attribute (Pablo Neira Ayuso) - pass field length in bytes instead of bits, fields would get unnecessarily big otherwise v2: - fixed grammar in commit message - removed copy of array bytes in nftnl_set_nlmsg_build_subkey_payload(), we're simply passing values to htonl() (Phil Sutter) Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: resync nf_tables.h cache copyStefano Brivio2020-02-051-0/+17
| | | | | | | | Get this header in sync with nf-next as of merge commit b3a608222336 (5.6-rc1-ish). Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bitwise: add support for left- and right-shifts.Jeremy Sowden2020-01-182-18/+206
| | | | | | | The kernel supports bitwise shifts. Add support to libnftnl. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bitwise: add support for new netlink attributes.Jeremy Sowden2020-01-182-1/+50
| | | | | | | | Add code to set and get the new op and data attributes. The existing boolean bitwise expressions will only use the op attribute. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: update nf_tables.h.Jeremy Sowden2020-01-182-3/+25
| | | | | | | | The kernel UAPI header includes a couple of new bitwise netlink attributes and an enum. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bitwise: add helper to print boolean expressions.Jeremy Sowden2020-01-181-3/+11
| | | | | | | | Move the code for printing boolean expressions into a separate function. Another function will be added for shifts later. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bitwise: fix some incorrect indentation.Jeremy Sowden2020-01-182-8/+8
| | | | | Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Update gitignore.Jeremy Sowden2020-01-181-0/+9
| | | | | | | Add ctags and etags tag files, and Emacs back-up files. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: Remove buffer.hBrett Mastbergen2020-01-0513-130/+10
| | | | | | | | | Almost everything in this header is unused. The command defines used in utils.c don't seem to be justified and have just been replaced by their strings Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: meta: add slave device matchingFlorian Westphal2020-01-032-1/+7
| | | | | Cc: Martin Willi <martin@strongswan.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* udata: support for TLV attribute nestingPablo Neira Ayuso2019-12-173-0/+27
| | | | | | | This patch adds nftnl_udata_nest_start() and nftnl_udata_nest_end() to build attribute nests. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* udata: add NFTNL_UDATA_SET_*TYPEOF* definitionsPablo Neira Ayuso2019-12-161-0/+9
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: typo in object.h C++ wrapperPablo Neira Ayuso2019-12-111-1/+1
| | | | | | | s/__cplusplusg/__cplusplus/ Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1389 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: Replace use of deprecated symbolsPhil Sutter2019-12-0421-43/+44
| | | | | | | | | | | | | Do not use unqualified setters to avoid the warnings. Pass a (false) zero length value to nftnl_flowtable_set_data() when assigning to NFTNL_FLOWTABLE_DEVICES as the length value is unused and not even usable. Maybe one should introduce a dedicated nftnl_flowtable_set_devices() at a later point. Fixes: 7349a70634fa0 ("Deprecate untyped data setters") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
* chain: Correctly check realloc() callPhil Sutter2019-12-031-6/+5
| | | | | | | | | | | If realloc() fails, it returns NULL but the original pointer is untouchted and therefore still has to be freed. Unconditionally overwriting the old pointer is therefore a bad idea, use a temporary variable instead. Fixes: e3ac19b5ec162 ("chain: multi-device support") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* flowtable: Correctly check realloc() callPhil Sutter2019-12-031-6/+5
| | | | | | | | | | | If realloc() fails, it returns NULL but the original pointer is untouchted and therefore still has to be freed. Unconditionally overwriting the old pointer is therefore a bad idea, use a temporary variable instead. Fixes: 7f99639dd9217 ("flowtable: device array dynamic allocation") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: Fix memleak in error path of nftnl_chain_parse_devs()Phil Sutter2019-12-031-0/+1
| | | | | | | | In error case, dev_array is not freed when it should. Fixes: e3ac19b5ec162 ("chain: multi-device support") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* flowtable: Fix memleak in error path of nftnl_flowtable_parse_devs()Phil Sutter2019-12-031-0/+1
| | | | | | | | In error case, allocated dev_array is not freed. Fixes: 7f99639dd9217 ("flowtable: device array dynamic allocation") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: flowtable: Don't check NFTNL_FLOWTABLE_SIZEPhil Sutter2019-12-021-0/+2
| | | | | | | | | | | | | Marshalling code around that attribute has been dropped by commit d1c4b98c733a5 ("flowtable: remove NFTA_FLOWTABLE_SIZE") so it's value is lost during the test. Assuming that NFTNL_FLOWTABLE_SIZE will receive kernel support at a later point, leave the test code in place but just comment it out. Fixes: d1c4b98c733a5 ("flowtable: remove NFTA_FLOWTABLE_SIZE") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: libnftnl 1.1.5 releaselibnftnl-1.1.5Pablo Neira Ayuso2019-12-021-1/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: Define __visible even if not supported by compilerPhil Sutter2019-11-211-0/+1
| | | | | | | | | Since __visible is now used directly, provide a fallback empty definition if HAVE_VISIBILITY_HIDDEN is not defined. Fixes: 7349a70634fa0 ("Deprecate untyped data setters") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* flowtable: remove NFTA_FLOWTABLE_SIZEPablo Neira Ayuso2019-11-182-8/+0
| | | | | | | | Never defined in upstream Linux kernel uAPI, remove it. Reported-by: Eric Garver <eric@garver.life> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Eric Garver <eric@garver.life>
* flowtable: add support for handle attributeEric Jallot2019-11-064-8/+53
| | | | | | | Add code to implement NFTA_FLOWTABLE_HANDLE Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Deprecate untyped data settersPhil Sutter2019-10-3114-14/+14
| | | | | | | | | These functions make assumptions on size of passed data pointer and therefore tend to hide programming mistakes. Instead either one of the type-specific setters or the generic *_set_data() setter should be used. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* flowtable: Fix symbol export for clangManuel Messner2019-10-311-27/+27
| | | | | | | | | | | | | | | | | | | | | | clang does not allow attribute declarations after definitions: flowtable.c:41:1: warning: attribute declaration must precede definition [-Wignored-attributes] EXPORT_SYMBOL(nftnl_flowtable_alloc); ^ ../include/utils.h:13:41: note: expanded from macro 'EXPORT_SYMBOL' # define EXPORT_SYMBOL(x) typeof(x) (x) __visible; ^ ../include/utils.h:12:35: note: expanded from macro '__visible' # define __visible __attribute__((visibility("default"))) ^ flowtable.c:37:25: note: previous definition is here struct nftnl_flowtable *nftnl_flowtable_alloc(void) Move attribute declarations before the symbol definitions just like it's done in other source files Signed-off-by: Marvin Schmidt <marvin_schmidt@gmx.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftnl.map: Export nftnl_{obj,flowtable}_set_data()Phil Sutter2019-10-311-0/+2
| | | | | | | | In order to deprecate nftnl_{obj,flowtable}_set() functions, these must to be made available. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: multi-device supportPablo Neira Ayuso2019-10-283-1/+111
| | | | | | Add support for NFTA_HOOK_DEVS. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* flowtable: device array dynamic allocationPablo Neira Ayuso2019-10-281-14/+17
| | | | | | Remove artificial upper limit of 8 devices per flowtable. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* obj/ct_timeout: Fix NFTA_CT_TIMEOUT_DATA parserPhil Sutter2019-10-171-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | This is a necessary follow-up on commit 00b144bc9d093 ("obj/ct_timeout: Avoid array overrun in timeout_parse_attr_data()") which fixed array out of bounds access but missed the logic behind it: The nested attribute type values are incremented by one when being transferred between kernel and userspace, the zero type value is reserved for "unspecified". Kernel uses CTA_TIMEOUT_* symbols for that, libnftnl simply mangles the type values in nftnl_obj_ct_timeout_build(). Return path was broken as it overstepped its nlattr array but apart from that worked: Type values were decremented by one in timeout_parse_attr_data(). This patch moves the type value mangling into parse_timeout_attr_policy_cb() (which still overstepped nlattr array). Consequently, when copying values from nlattr array into ct timeout object in timeout_parse_attr_data(), loop is adjusted to start at index 0 and the type value decrement is dropped there. Fixes: 0adceeab1597a ("src: add ct timeout support") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: Validate nftnl_set_elem_set() parametersPhil Sutter2019-10-163-1/+13
| | | | | | | | | | | | | Copying from nftnl_table_set_data(), validate input to nftnl_set_elem_set() as well. Given that for some attributes the function assumes passed data size, this seems necessary. Since data size expected for NFTNL_SET_ELEM_VERDICT attribute is sizeof(uint32_t), change type of 'verdict' field in union nftnl_data_reg accordingly. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* obj/ct_timeout: Avoid array overrun in timeout_parse_attr_data()Phil Sutter2019-10-152-1/+9
| | | | | | | | | | Array 'tb' has only 'attr_max' elements, the loop overstepped its boundary by one. Copy array_size() macro from include/utils.h in nftables.git to make sure code does the right thing. Fixes: 0adceeab1597a ("src: add ct timeout support") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>