libnftnl commit log, newest first. Each entry lists the commit subject, author, date, number of files changed and lines removed/added, followed by the commit message.
* expr: Respect data_len when setting attributes (HEAD, master)
  Phil Sutter, 2024-04-11, 38 files changed, -133/+133

  With attr_policy in place, data_len has an upper boundary, but it may be lower than the attribute's storage area, in which case memcpy() would read garbage.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* obj: Respect data_len when setting attributes
  Phil Sutter, 2024-04-11, 7 files changed, -35/+35

  With attr_policy in place, data_len has an upper boundary. Use it for memcpy() calls to cover for a caller passing data with a lower size than the attribute's storage.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* utils: Introduce and use nftnl_set_str_attr()
  Phil Sutter, 2024-04-11, 7 files changed, -85/+40

  The function consolidates the necessary code when assigning to string pointer attributes, namely:

  * Conditional free of the previous value
  * Allocation of new value
  * Checking for memory allocation errors
  * Setting respective flag bit

  A new feature previously missing in all call sites is respecting data_len in case the buffer up to that point did not contain a NUL-char.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
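The commit above lists the four steps a string-attribute setter has to get right and the edge case that was missing everywhere: a caller buffer with no NUL inside data_len. The C below is an added illustration written for this page, not libnftnl's nftnl_set_str_attr(); the struct, flag and function names are hypothetical. It bounds the length scan by data_len, frees the previous value before allocating, checks the allocation, and sets the flag bit only once the new value is in place.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libnftnl code: a demo object with one string
 * attribute, following the setter pattern the commit describes.
 * All names are hypothetical. */
#define DEMO_ATTR_NAME_FLAG (1u << 0)

struct demo_obj {
	uint32_t flags;   /* one bit per attribute that currently holds a value */
	char *name;       /* owned heap copy, NULL while unset */
};

/* Length of the string in buf, but never more than max: this is what keeps
 * the copy inside data_len when the caller's buffer has no NUL in it. */
size_t demo_bounded_strlen(const char *buf, size_t max)
{
	size_t n = 0;

	while (n < max && buf[n] != '\0')
		n++;
	return n;
}

/* Assign a string attribute from a caller buffer of at most data_len bytes.
 * Returns 0 on success and -1 if allocation fails; in the failure case the
 * previous value has already been released and its flag bit cleared. */
static int demo_set_str_attr(char **dst, uint32_t *flags, uint32_t flag,
			     const void *data, size_t data_len)
{
	size_t len = demo_bounded_strlen(data, data_len);
	char *copy;

	/* Conditional free of the previous value. */
	if (*flags & flag) {
		free(*dst);
		*dst = NULL;
		*flags &= ~flag;
	}

	/* Allocation of the new value, checked. */
	copy = malloc(len + 1);
	if (!copy)
		return -1;
	memcpy(copy, data, len);
	copy[len] = '\0';

	/* Set the respective flag bit only once the value is in place. */
	*dst = copy;
	*flags |= flag;
	return 0;
}

int demo_obj_set_name(struct demo_obj *o, const void *data, size_t data_len)
{
	return demo_set_str_attr(&o->name, &o->flags, DEMO_ATTR_NAME_FLAG,
				 data, data_len);
}

void demo_obj_free(struct demo_obj *o)
{
	if (o->flags & DEMO_ATTR_NAME_FLAG)
		free(o->name);
	o->name = NULL;
	o->flags = 0;
}

/* Exercise the setter twice, the second time from a constructed buffer that
 * has no terminator within data_len. Returns 1 when every step behaved. */
int demo_selftest(void)
{
	struct demo_obj o = { 0 };
	const char raw[6] = { 'f', 'i', 'l', 't', 'e', 'r' };   /* no NUL */
	int ok = 1;

	ok &= demo_obj_set_name(&o, "input", 6) == 0;
	ok &= strcmp(o.name, "input") == 0;
	ok &= demo_obj_set_name(&o, raw, sizeof(raw)) == 0;   /* frees "input" */
	ok &= strcmp(o.name, "filter") == 0;
	ok &= (o.flags & DEMO_ATTR_NAME_FLAG) != 0;
	demo_obj_free(&o);
	ok &= o.name == NULL;
	return ok;
}
```

The order matters for the failure path: freeing first and clearing the flag means a caller that ignores the -1 cannot later double-free or use the stale pointer, because the object no longer claims to hold a value.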
* obj: Enforce attr_policy compliance in nftnl_obj_set_data()
  Phil Sutter, 2024-04-11, 1 file changed, -1/+6

  Every object type defines an attr_policy array, so deny setting attributes for object types which don't have it present or if it specifies a non-zero maxlen which is lower than the given data_len.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* obj: Introduce struct obj_ops::attr_policy
  Phil Sutter, 2024-04-11, 10 files changed, -0/+83

  Just like with struct expr_ops::attr_policy, enable object types to inform about restrictions on attribute use. This way generic object code may perform sanity checks before dispatching to object ops.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* obj: Call obj_ops::set with legal attributes only
  Phil Sutter, 2024-04-11, 10 files changed, -19/+3

  Refer to obj_ops::nftnl_max_attr field value for the maximum supported attribute value to reject invalid ones upfront. Consequently drop default cases from callbacks' switches which handle all supported attributes.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* obj: Repurpose struct obj_ops::max_attr field
  Phil Sutter, 2024-04-11, 11 files changed, -10/+19

  Just like with struct expr_ops::max_attr, make it hold the maximum object attribute (NFTNL_OBJ_*) value supported by this object type.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* obj: Return value on setters
  Phil Sutter, 2024-04-11, 2 files changed, -24/+31

  Similar to other setters, let callers know if memory allocation fails. Though return value with all setters, as all of them may be used to set object type-specific attributes which may fail (e.g. if NFTNL_OBJ_TYPE was not set before).

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* utils: Fix for wrong variable use in nftnl_assert_validate()
  Phil Sutter, 2024-04-11, 1 file changed, -2/+5

  This worked by accident as all callers passed a local variable 'attr' as parameter '_attr'.

  Fixes: 7756d31990cd4 ("src: add assertion infrastructure to validate attribute types")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* obj: synproxy: Use memcpy() to handle potentially unaligned data
  Phil Sutter, 2024-04-11, 1 file changed, -3/+3

  Analogous to commit dc240913458d5 ("src: Use memcpy() to handle potentially unaligned data").

  Fixes: 609a13fc2999e ("src: synproxy stateful object support")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* obj: Do not call nftnl_obj_set_data() with zero data_len
  Phil Sutter, 2024-04-11, 1 file changed, -1/+1

  Pass 'strlen() + 1' as length parameter when setting string attributes, just like other string setters do.

  Fixes: 5573d0146c1ae ("src: support for stateful objects")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* table: Validate NFTNL_TABLE_OWNER, too
  Phil Sutter, 2024-04-11, 1 file changed, -0/+1

  Fixes: 985955fe41f53 ("table: add table owner support")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* set: Validate NFTNL_SET_ID, too
  Phil Sutter, 2024-04-11, 1 file changed, -0/+1

  Fixes: 26298a9ffc2e2 ("set: add set ID support")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* obj: Validate NFTNL_OBJ_TYPE, too
  Phil Sutter, 2024-04-11, 1 file changed, -0/+1

  Fixes: 5573d0146c1ae ("src: support for stateful objects")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* flowtable: Validate NFTNL_FLOWTABLE_SIZE, too
  Phil Sutter, 2024-04-11, 1 file changed, -0/+1

  Fixes: cdaea7f1ced05 ("flowtable: allow to specify size")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* table: Validate NFTNL_TABLE_USE, too
  Phil Sutter, 2024-04-11, 1 file changed, -0/+1

  Fixes: 53c0ff324598c ("src: add nft_*_attr_{set|get}_data interface")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* chain: Validate NFTNL_CHAIN_USE, too
  Phil Sutter, 2024-04-11, 1 file changed, -0/+1

  Fixes: 53c0ff324598c ("src: add nft_*_attr_{set|get}_data interface")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* expr: Enforce attr_policy compliance in nftnl_expr_set()
  Phil Sutter, 2024-03-06, 1 file changed, -0/+7

  Every expression type defines an attr_policy array, so deny setting attributes if not present. Also deny if maxlen field is non-zero and lower than the given data_len.

  Some attributes' max length is not fixed (e.g. NFTNL_EXPR_{TG,MT}_INFO) or is not sensible to check (e.g. NFTNL_EXPR_DYNSET_EXPR). The zero maxlen "nop" is also used for deprecated attributes, just to not silently ignore them.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* expr: Introduce struct expr_ops::attr_policy
  Phil Sutter, 2024-03-06, 40 files changed, -0/+316

  Similar to kernel's nla_policy, enable expressions to inform about restrictions on attribute use. This allows the generic expression code to perform sanity checks before dispatching to expression ops.

  For now, this holds only the maximum data len which may be passed to nftnl_expr_set(). While one may debate whether accepting e.g. uint32_t for sreg/dreg attributes is correct, it is necessary to not break nftables.

  Note that this introduces artificial restrictions on name lengths which were caught by the kernel (if nftables didn't).

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* include: Sync nf_log.h with kernel headers
  Phil Sutter, 2024-03-06, 1 file changed, -0/+3

  The next patch needs the NF_LOG_PREFIXLEN define.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* expr: Call expr_ops::set with legal types only
  Phil Sutter, 2024-03-06, 34 files changed, -66/+3

  Having the new expr_ops::nftnl_max_attr field in place, the valid range of attribute type values is known now. Reject illegal ones upfront. Consequently drop the default case from callbacks' switches which handle all supported attributes.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* expr: Repurpose struct expr_ops::max_attr field
  Phil Sutter, 2024-03-06, 41 files changed, -40/+79

  Instead of holding the maximum kernel space (NFTA_*) attribute value, use it to hold the maximum expression attribute (NFTNL_EXPR_*) value instead. This will be used for index boundary checks in an attribute policy array later.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* tests: Fix objref test case
  Phil Sutter, 2024-03-06, 1 file changed, -1/+1

  Probably a c'n'p bug, the test would allocate a lookup expression instead of the objref one to be tested.

  Fixes: b4edb4fc558ac ("expr: add stateful object reference expression")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* utils: remove unused code
  Pablo Neira Ayuso, 2024-02-26, 2 files changed, -213/+0

  Remove several pieces of internal code that have no use these days:

  - nftnl_str2family
  - nftnl_strtoi
  - nftnl_get_value
  - enum nftnl_type

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* udata: incorrect userdata buffer size validation
  Pablo Neira Ayuso, 2024-02-26, 1 file changed, -1/+7

  Use the current remaining space in the buffer to ensure more userdata attributes still fit in; buf->size is the total size of the userdata buffer.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
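An added illustration of the check the commit above describes, written for this page and not libnftnl's udata code (the struct layout, sizes and function names are hypothetical): a fixed-capacity TLV buffer whose put() compares the new attribute against the space still left, shown next to the decision that only compares against the total size. The buggy variant is kept as a pure predicate so the difference can be observed without actually overrunning memory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Added example, not libnftnl code: a small type/length/value buffer for
 * user data. Names and sizes are assumptions made for the illustration. */
struct udata_tlv {
	uint8_t type;
	uint8_t len;
	uint8_t value[];
};

struct udata_buf {
	uint32_t size;     /* total capacity of data[] */
	uint32_t used;     /* bytes already written */
	uint8_t data[32];
};

void udata_init(struct udata_buf *b)
{
	b->size = sizeof(b->data);
	b->used = 0;
}

static uint32_t tlv_size(uint8_t len)
{
	return sizeof(struct udata_tlv) + len;
}

/* The decision the commit replaced: compares against the total size and
 * ignores what is already stored, so a partly filled buffer accepts an
 * attribute that would run past the end of data[]. Predicate only. */
bool udata_fits_total_only(const struct udata_buf *b, uint8_t len)
{
	return tlv_size(len) <= b->size;
}

/* Correct decision: compare against the remaining space. */
bool udata_fits(const struct udata_buf *b, uint8_t len)
{
	return tlv_size(len) <= b->size - b->used;
}

bool udata_put(struct udata_buf *b, uint8_t type, uint8_t len, const void *value)
{
	struct udata_tlv *t;

	if (!udata_fits(b, len))
		return false;
	t = (struct udata_tlv *)(b->data + b->used);
	t->type = type;
	t->len = len;
	memcpy(t->value, value, len);
	b->used += tlv_size(len);
	return true;
}

/* Walk the stored TLVs; returns their count, or -1 if a length field would
 * point past the written region (the reader side of the same bound). */
int udata_count(const struct udata_buf *b)
{
	uint32_t off = 0;
	int n = 0;

	while (off + sizeof(struct udata_tlv) <= b->used) {
		const struct udata_tlv *t = (const struct udata_tlv *)(b->data + off);

		if (off + tlv_size(t->len) > b->used)
			return -1;
		off += tlv_size(t->len);
		n++;
	}
	return n;
}

/* Constructed scenario: three 10-byte payloads (12 bytes each with header)
 * into a 32-byte buffer. The third must be refused, and the total-size
 * comparison would still have claimed it fits. Returns the accepted count. */
int udata_demo(void)
{
	struct udata_buf b;
	uint8_t payload[10];
	int accepted = 0, i;

	memset(payload, 0xAB, sizeof(payload));
	udata_init(&b);
	for (i = 0; i < 3; i++)
		accepted += udata_put(&b, 1, sizeof(payload), payload);

	/* 24 of 32 bytes used: 8 bytes left, a 12-byte TLV does not fit. */
	if (!udata_fits_total_only(&b, sizeof(payload)) || udata_fits(&b, sizeof(payload)))
		return -1;
	if (udata_count(&b) != accepted)
		return -2;
	return accepted;   /* 2 */
}
```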
* expr: immediate: check for chain attribute to release chain name
  Pablo Neira Ayuso, 2024-02-26, 3 files changed, -16/+2

  Check for chain name attribute to release chain name, for consistency with other existing attributes.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* obj: ct_timeout: setter checks for timeout array boundaries
  Pablo Neira Ayuso, 2024-02-20, 1 file changed, -4/+7

  Use _MAX definitions for timeout attribute arrays and check that the timeout array is not larger than NFTNL_CTTIMEOUT_ARRAY_MAX.

  Fixes: 0adceeab1597 ("src: add ct timeout support")
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: use nftnl_data_cpy() in NFTNL_SET_ELEM_{KEY,KEY_END,DATA}
  Pablo Neira Ayuso, 2024-01-13, 1 file changed, -6/+6

  Use safe nftnl_data_cpy() to copy key into union nftnl_data_reg.

  Follow up for commit: bc2afbde9eae ("expr: fix buffer overflows in data value setters")

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: buffer overflow in NFTNL_SET_DESC_CONCAT setter
  Pablo Neira Ayuso, 2024-01-11, 1 file changed, -1/+7

  Allow setting a maximum of sizeof(s->desc.field_len), which is 16 bytes; otherwise, bail out. Ensure s->desc.field_count does not go over the array boundary.

  Fixes: 7cd41b5387ac ("set: Add support for NFTA_SET_DESC_CONCAT attributes")
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: Removed non-defined functions
  Nicholas Vinson, 2024-01-08, 2 files changed, -8/+0

  The functions nftnl_chain_parse(), nftnl_chain_parse_file(), nftnl_set_elems_foreach(), and nftnl_obj_unset() are no longer defined and removed from the code. The functions nftnl_chain_parse(), nftnl_chain_parse_file() were removed with commit 80077787f8f2 ("src: remove json support"). The function nftnl_set_elems_foreach() does not appear to have ever been defined.

  However, libnftnl.map still lists these functions which causes libnftnl to fail to link with ld.lld as the option --undefined-version is disabled by default.

  Fixes Gentoo bug 914710 (https://bugs.gentoo.org/914710)

  Signed-off-by: Nicholas Vinson <nvinson234@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* object: define nftnl_obj_unset()
  Pablo Neira Ayuso, 2024-01-08, 1 file changed, -0/+28

  For consistency with existing objects, implement this interface. This is already defined in libnftnl.map so the intention was to provide it.

  Fixes: 5573d0146c1a ("src: support for stateful objects")
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: fix buffer overflows in data value setters
  Florian Westphal, 2023-12-12, 6 files changed, -21/+23

  The data value setters memcpy() to a fixed-size buffer, but it's very easy to make nft pass too-large values.

  Example:
    @th,160,1272 gt 0

    ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b000[..]

  Truncate the copy instead of corrupting the heap.

  This needs additional fixes on nft side to reject such statements with a proper error message.

  Signed-off-by: Florian Westphal <fw@strlen.de>
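The heap overflow above, the nftnl_data_cpy() follow-ups, and the "Respect data_len" and attr_policy commits further up the log all enforce one rule in a setter: validate the attribute index and data_len against the policy before dispatching, then copy no more than the destination actually holds. The C below is an added example written for this page, not libnftnl's nftnl_expr_set() or its policy tables; the demo expression, its three attribute numbers, the policy values and the 64-byte register size are assumptions. It goes slightly beyond the commit text by showing both rejection (fixed maxlen exceeded, attribute out of range) and clipping (variable-length value larger than the register) in one generic setter.

```c
#include <stdint.h>
#include <string.h>

/* Added example, not libnftnl code. A demo expression with three
 * attributes; numbers, policy table and register size are assumptions. */
enum {
	DEMO_ATTR_NAME = 0,   /* fixed 16-byte name */
	DEMO_ATTR_SREG,       /* 32-bit source register number */
	DEMO_ATTR_DATA,       /* variable-length value, stored in a register */
	__DEMO_ATTR_MAX
};
#define DEMO_ATTR_MAX  (__DEMO_ATTR_MAX - 1)
#define DEMO_NAME_LEN  16
#define DEMO_DATA_LEN  64   /* assumed size of the value register */

/* maxlen == 0 means "no fixed upper bound": the type-specific code must
 * truncate instead of trusting data_len. */
struct demo_attr_policy { uint32_t maxlen; };

static const struct demo_attr_policy demo_policy[__DEMO_ATTR_MAX] = {
	[DEMO_ATTR_NAME] = { .maxlen = DEMO_NAME_LEN },
	[DEMO_ATTR_SREG] = { .maxlen = sizeof(uint32_t) },
	[DEMO_ATTR_DATA] = { .maxlen = 0 },
};

struct demo_expr {
	uint32_t flags;
	char name[DEMO_NAME_LEN];
	uint32_t sreg;
	struct {
		uint8_t val[DEMO_DATA_LEN];
		uint32_t len;
	} data;
};

/* Copy no more than dst_len bytes and report how many were stored. */
static uint32_t demo_data_cpy(uint8_t *dst, uint32_t dst_len,
			      const void *src, uint32_t src_len)
{
	uint32_t n = src_len < dst_len ? src_len : dst_len;

	memcpy(dst, src, n);
	return n;
}

/* Generic checks before dispatching on the attribute: index within
 * max_attr, data_len within a non-zero policy maxlen. Returns 0 or -1. */
int demo_expr_set(struct demo_expr *e, uint16_t attr,
		  const void *data, uint32_t data_len)
{
	if (attr > DEMO_ATTR_MAX)
		return -1;
	if (demo_policy[attr].maxlen && data_len > demo_policy[attr].maxlen)
		return -1;

	switch (attr) {
	case DEMO_ATTR_NAME:
		/* data_len may be shorter than the field: copy only data_len
		 * bytes so memcpy() never reads past the caller's buffer. */
		memset(e->name, 0, sizeof(e->name));
		memcpy(e->name, data, data_len);
		break;
	case DEMO_ATTR_SREG:
		/* At most 4 bytes by policy; memcpy() tolerates unaligned input. */
		e->sreg = 0;
		memcpy(&e->sreg, data, data_len);
		break;
	case DEMO_ATTR_DATA:
		e->data.len = demo_data_cpy(e->data.val, sizeof(e->data.val),
					    data, data_len);
		break;
	}
	e->flags |= 1u << attr;
	return 0;
}

/* Drive the generic checks with a zero-filled buffer of data_len bytes and
 * return demo_expr_set()'s verdict, so the rejections are observable. */
int demo_try_set(uint16_t attr, uint32_t data_len)
{
	struct demo_expr e;
	uint8_t buf[256];

	if (data_len > sizeof(buf))
		return -1;
	memset(&e, 0, sizeof(e));
	memset(buf, 0, sizeof(buf));
	return demo_expr_set(&e, attr, buf, data_len);
}

/* "@th,160,1272 gt 0" from the commit asks for a 1272-bit (159-byte)
 * payload, larger than the register. Returns the length actually stored. */
uint32_t demo_oversized_payload(void)
{
	struct demo_expr e;
	uint8_t big[159];   /* constructed input */

	memset(&e, 0, sizeof(e));
	memset(big, 0x41, sizeof(big));
	if (demo_expr_set(&e, DEMO_ATTR_DATA, big, sizeof(big)) != 0)
		return 0;
	return e.data.len;   /* 64 */
}
```

Note that the switch has no default case: once the index check in front of it is in place, every reachable attribute value is handled, which is what the "Call ... with legal types only" commits rely on when they drop those defaults. Clipping keeps the library memory-safe, but as Florian's message says, a caller still has to reject the oversized statement with a proper error rather than silently matching on a truncated value.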
* object: getters take const struct
  corubba, 2023-12-12, 2 files changed, -14/+14

  As with all the other entities (like table or set), the getter functions for objects now take a `const struct nftnl_obj*` as first parameter. The getters for all specific object types (like counter or limit), which are called in the default switch-case, already do.

  Signed-off-by: corubba <corubba@gmx.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: Do not leave free'd expr_list elements in place
  Phil Sutter, 2023-07-13, 1 file changed, -4/+12

  When freeing elements, remove them also to prevent a potential UAF.

  Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1685
  Fixes: 3469f09286cee ("src: add NFTNL_SET_EXPRESSIONS")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* build: libnftnl 1.2.6 release (tag libnftnl-1.2.6)
  Pablo Neira Ayuso, 2023-07-11, 1 file changed, -1/+1

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: nft-rule-test: Add test cases to improve code coverage
  shixuantong, 2023-06-02, 1 file changed, -0/+8

  Signed-off-by: shixuantong <tongxiaoge1001@126.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: nft-table-test: fix typo
  shixuantong, 2023-06-02, 1 file changed, -1/+1

  Signed-off-by: shixuantong <tongxiaoge1001@126.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: meta: introduce broute meta expression
  Sriram Yagnaraman, 2023-03-15, 2 files changed, -1/+4

  libnftnl support for broute meta statement introduced in: https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230224095251.11249-1-sriram.yagnaraman@est.tech/

  Signed-off-by: Sriram Yagnaraman <sriram.yagnaraman@est.tech>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: libnftnl 1.2.5 release (tag libnftnl-1.2.5)
  Pablo Neira Ayuso, 2023-03-09, 1 file changed, -1/+1

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: relax logic to build NFTA_CHAIN_HOOK
  Pablo Neira Ayuso, 2023-01-03, 1 file changed, -16/+25

  The logic to build NFTA_CHAIN_HOOK enforces the presence of the hook number and priority to include the devices. Relax this to allow for incremental device updates.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add inner support
  Pablo Neira Ayuso, 2023-01-02, 6 files changed, -3/+256

  This patch adds support for the inner expression which allows you to match on the inner tunnel headers, eg. VxLAN.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Makefile: Create LZMA-compressed dist-files
  Phil Sutter, 2022-12-09, 1 file changed, -1/+1

  Use a more modern alternative to bzip2.

  Suggested-by: Jan Engelhardt <jengelh@inai.de>
  Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* src: replace nftnl_*_nlmsg_build_hdr() by nftnl_nlmsg_build_hdr()
  Pablo Neira Ayuso, 2022-11-15, 53 files changed, -123/+112

  Use nftnl_nlmsg_build_hdr() instead of nftnl_*_nlmsg_build_hdr().

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: remove nftnl_batch_is_supported() call
  Pablo Neira Ayuso, 2022-11-15, 2 files changed, -30/+9

  Linux kernel <= 3.13 needs this check; remove it from the examples.

  Kernel commit: 958bee14d071 ("netfilter: nf_tables: use new transaction infrastructure to handle sets") added support for set into the batch.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: libnftnl 1.2.4 release (tag libnftnl-1.2.4)
  Pablo Neira Ayuso, 2022-11-10, 1 file changed, -1/+1

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftnl: Fix res_id byte order
  Ian Pilcher, 2022-10-25, 1 file changed, -1/+2

  The res_id member of struct nfgenmsg is supposed to be in network byte order (big endian). Call htons() in __nftnl_nlmsg_build_hdr() to ensure that this is true on little endian systems.

  There is a kernel workaround that was introduced in 4.3 to address this issue:

    commit a9de9777d613500b089a7416f936bf3ae5f070d2
    Author: Pablo Neira Ayuso <pablo@netfilter.org>
    Date:   Fri Aug 28 21:01:43 2015 +0200

        netfilter: nfnetlink: work around wrong endianess in res_id field

  And the current oldest stable kernel branch is 4.9, so merge this to fix the incorrect endianness from userspace.

  Signed-off-by: Ian Pilcher <arequipeno@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: payload: remove unused function
  Pablo Neira Ayuso, 2022-09-07, 1 file changed, -14/+0

  nftnl_str2base() not used anymore, remove it.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule, set_elem: remove trailing \n in userdata snprintf
  Pablo Neira Ayuso, 2022-08-31, 2 files changed, -2/+2

  212479ad2c92 ("rule, set_elem: fix printing of user data") uncovered another extra line break in the userdata printing, remove it.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule, set_elem: fix printing of user data
  Jeremy Sowden, 2022-08-29, 2 files changed, -5/+7

  Hitherto, alphanumeric characters have been printed as-is, but anything else was replaced by '\0'. However, this effectively truncates the output. Instead, print any printable character as-is and print anything else as a hexadecimal escape sequence:

    userdata = { \x01\x04\x01\x00\x00\x00 }

  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
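An added example of the escaping rule the commit above describes, written for this page and not libnftnl's own snprintf code (function names are hypothetical): printable bytes pass through and everything else becomes \xNN, so a NUL or control byte in user data can no longer truncate the rendered string. As one deliberate addition beyond the commit text, the backslash itself is also hex-escaped, so that a literal backslash in the data cannot be mistaken for the start of an escape. The renderer follows snprintf() conventions: it returns the length the full output needs, even when the caller's buffer is too small or absent.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libnftnl code. Append formatted text at offset off of
 * a buffer of size bytes, never writing past it; returns the new logical
 * offset even when the text did not fit, like snprintf() does. */
static size_t buf_append(char *out, size_t size, size_t off, const char *fmt, ...)
{
	va_list ap;
	int n;

	va_start(ap, fmt);
	if (off < size)
		n = vsnprintf(out + off, size - off, fmt, ap);
	else
		n = vsnprintf(NULL, 0, fmt, ap);
	va_end(ap);
	return off + (n > 0 ? (size_t)n : 0);
}

/* Render len bytes of user data: printable ASCII as-is, everything else
 * (including '\\', by choice) as a \xNN escape. Returns the length of the
 * complete output, so a caller can size a buffer from a NULL/0 dry run. */
size_t demo_userdata_snprintf(char *out, size_t size,
			      const uint8_t *data, size_t len)
{
	size_t off = 0, i;

	off = buf_append(out, size, off, "userdata = { ");
	for (i = 0; i < len; i++) {
		if (isprint(data[i]) && data[i] != '\\')
			off = buf_append(out, size, off, "%c", data[i]);
		else
			off = buf_append(out, size, off, "\\x%02x", data[i]);
	}
	return buf_append(out, size, off, " }");
}

/* Constructed samples: the byte string quoted in the commit message, and a
 * mix of printable, control, backslash and DEL bytes. */
const uint8_t demo_sample[6] = { 0x01, 0x04, 0x01, 0x00, 0x00, 0x00 };
const uint8_t demo_sample_mixed[5] = { 'a', 'b', '\n', '\\', 0x7f };

/* Convenience wrapper returning the rendered text from a static buffer. */
const char *demo_render(const uint8_t *data, size_t len)
{
	static char out[256];

	demo_userdata_snprintf(out, sizeof(out), data, len);
	return out;
}
```

Calling demo_render(demo_sample, 6) yields the commit's own line, "userdata = { \x01\x04\x01\x00\x00\x00 }", while the former behaviour would have emitted a '\0' at the first byte and stopped the output there.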
* build: libnftnl 1.2.3 release (tag libnftnl-1.2.3)
  Pablo Neira Ayuso, 2022-08-09, 1 file changed, -1/+1

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>