| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
Just like with struct expr_ops::attr_policy, enable object types to
inform about restrictions on attribute use. This way generic object code
may perform sanity checks before dispatching to object ops.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
| |
Just like with struct expr_ops::max_attr, make it hold the maximum
object attribute (NFTNL_OBJ_*) value supported by this object type.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
| |
Similar to other setters, let callers know if memory allocation fails.
Though return value with all setters, as all of them may be used to set
object type-specific attributes which may fail (e.g. if NFTNL_OBJ_TYPE
was not set before).
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
| |
This worked by accident as all callers passed a local variable 'attr' as
parameter '_attr'.
Fixes: 7756d31990cd4 ("src: add assertion infrastructure to validate attribute types")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Similar to kernel's nla_policy, enable expressions to inform about
restrictions on attribute use. This allows the generic expression code
to perform sanity checks before dispatching to expression ops.
For now, this holds only the maximum data len which may be passed to
nftnl_expr_set().
While one may debate whether accepting e.g. uint32_t for sreg/dreg
attributes is correct, it is necessary to not break nftables.
Note that this introduces artificial restrictions on name lengths which
were caught by the kernel (if nftables didn't).
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
| |
Next patch needs NF_LOG_PREFIXLEN define.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
| |
Instead of holding the maximum kernel space (NFTA_*) attribute value,
use it to hold the maximum expression attribute (NFTNL_EXPR_*) value
instead. This will be used for index boundary checks in an attribute
policy array later.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
| |
Remove several internal code that have no use these days:
- nftnl_str2family
- nftnl_strtoi
- nftnl_get_value
- enum nftnl_type
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Check for chain name attribute to release chain name, for consistency
with other existing attributes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The functions nftnl_chain_parse(), nftnl_chain_parse_file(),
nftnl_set_elems_foreach(), and nftnl_obj_unset() are no longer defined
and removed from the code.
The functions nftnl_chain_parse(), nftnl_chain_parse_file() were removed
with commit 80077787f8f2 ("src: remove json support").
The function nftnl_set_elems_foreach() does not appear to have ever been
defined.
However, libnftnl.map still lists these functions which causes libnftnl
to fail to link with ld.lld as the option --undefined-version is
disabled by default.
Fixes Gentoo bug 914710 (https://bugs.gentoo.org/914710)
Signed-off-by: Nicholas Vinson <nvinson234@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The data value setters memcpy() to a fixed-size buffer, but its very easy
to make nft pass too-larger values. Example:
@th,160,1272 gt 0
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b000[..]
Truncate the copy instead of corrupting the heap.
This needs additional fixes on nft side to reject such statements with a
proper error message.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
| |
As with all the other entities (like table or set), the getter functions
for objects now take a `const struct nftnl_obj*` as first parameter.
The getters for all specific object types (like counter or limit), which
are called in the default switch-case, already do.
Signed-off-by: corubba <corubba@gmx.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
libnftnl support for broute meta statement introduced in:
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230224095251.11249-1-sriram.yagnaraman@est.tech/
Signed-off-by: Sriram Yagnaraman <sriram.yagnaraman@est.tech>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch adds support for the inner expression which allows you to
match on the inner tunnel headers, eg. VxLAN.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When building with clang and glibc and -D_FORTIFY_SOURCE=2 is passed to
clang, the snprintf member of the expr_ops and obj_ops structures will
be incorrectly replaced with __builtin_snprintf_chk() which results in
"error: no member named '__builtin___snprintf_chk'" errors at build
time.
This patch changes the member name from 'snprintf' to 'output' to
prevent the replacement.
This bug can be emulated using GCC by undefining the __va_arg_pack macro
before stdio.h is included.
This patch is based on the notes provided in
https://bugs.gentoo.org/807766.
Signed-off-by: Nicholas Vinson <nvinson234@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
Update string array to print the "inner" header string, instead of
printing "unknown".
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch reworks 228e8b174627 ("set_elem: Fix printing of verdict map
elements"), check if NFTNL_SET_ELEM_VERDICT is set then print the set
element verdict.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Expose a function to build one single set element netlink message.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Honor NFTA_LAST_SET netlink attribute, it tells us if a packet has ever
updated this expression.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
NFTA_LAST_SET is missing, add it.
Fixes: ed7c442c2d04 ("expr: add last match time support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This new expression displays when last matching has happened.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Get header in sync with 5.13.0-rc.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Add NFT_SOCKET_CGROUPSV2 key type and NFTA_SOCKET_LEVEL attribute.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Objects don't support any other output type than NFTNL_OUTPUT_DEFAULT,
so just drop the parameter.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
| |
The function nftnl_data_reg_snprintf is exclusively called with
NFTNL_OUTPUT_DEFAULT as parameter, others are not supported - just drop
it.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
| |
There is but a single supported output type left, so check it in expr.c
and drop all the single option switch statements in individual
expressions.
Since the parameter is now unused (and to ensure code correctness), drop
'type' parameter from struct expr_ops' snprintf callback.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Elements' data was printed as type DATA_VALUE no matter the actual type.
For verdicts, this meant no printing at all (because reg->len is either
zero or garbage).
To fix this, nftnl_set_elem_snprintf_default() needs type info held in
struct nftnl_set. Pass it via parameter to that function, make it
non-static and call it from nftnl_set_snprintf_default() instead of the
generic nftnl_set_elem_snprintf(). This way no changes have to be done
to exported functions, also the output type is already defined when
nftnl_set_snprintf_default() runs so checking type value again is
pointless.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
| |
Add support for NFTA_TABLE_OWNER.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This patch adds support for the dynset flags.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
NFTNL_EXPR_DYNSET_EXPR defines the stateful expression type that
an element stores when added from the packet path.
This patch adds support for the set expression list, which generalizes
NFTNL_EXPR_DYNSET_EXPR.
This patch also adds nftnl_expr_add_expr() to add new expressions to
elements and nftnl_set_expr_expr_foreach() to iterate over the list of
expressions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
NFTNL_SET_EXPR defines the stateful expression type that this set stores
in each element. This provides the set definition in terms of stateful
expressions. The expression that is passed via NFNTL_SET_ELEM_EXPR must
equal to this set stateful expression type, otherwise the kernel bails
out.
This patch adds support for the set expression list, which generalizes
NFTNL_SET_EXPR.
This patch also adds nftnl_set_add_expr() to add new expressions to a set
and nftnl_set_elem_expr_foreach() to iterate over the list of expressions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
NFTNL_SET_ELEM_EXPR defines the stateful expression type that this
element stores. This is useful to restore runtime set element stateful
expressions (when saving, then reboot and restore).
This patch adds support for the set element expression list, which
generalizes NFTNL_SET_ELEM_EXPR.
This patch also adds nftnl_set_elem_add_expr() to add new expressions to
set elements and nftnl_set_elem_expr_foreach() to iterate over the list
of expressions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Introduce a flag to allow toggling the '0x' prefix when printing data
values, then use the existing routines to print data registers from
set_elem code.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
| |
Add a function to remove expression from the rule list.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This function allows you to build the netlink attributes for
expressions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Add missing NFT_SOCKET_WILDCARD definition.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds NFTNL_CHAIN_USERDATA, in order to support userdata for chains.
Adds NFTNL_UDATA_CHAIN_COMMENT chain userdata type to support storing a
comment.
Relies on NFTA_CHAIN_USERDATA.
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds NFTNL_OBJ_USERDATA to support userdata for objects.
Also adds NFTNL_UDATA_OBJ_COMMENT to support comments for objects,
stored in userdata space.
Bumps libnftnl.map to 15 as nftnl_obj_get_data needs to be exported to
enable getting object attributes/data.
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch adds NFT_TABLE_USERDATA and NFTNL_UDATA_TABLE_COMMENT to
support for table comments.
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Was not exported so far due to a typo. While at it, add const qualifier
to element structure.
Will be used to optionally dump set contents / elements from nft
frontend.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
This field is used to store an optional comment of a set.
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
his patch allows you to refer to chains via the chain ID. The semantics
are similar to the NFTA_RULE_ID attribute.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Use this field to specify that set element data specifies an interval.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Get header in sync with 5.7.0-rc.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This reverts commit 75b8778e5bf630a3fc13e5d76bc64838135f02a9. Kernel
support for this new feature might be reworked, keep this back.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This patch adds support for the NFTA_SET_EXPR netlink attribute.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This patch adds support for chain flags.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
The kernel supports passing mask and xor values for bitwise boolean
operations via registers. These are mutually exclusive with the
existing data attributes: e.g., setting both NFTA_EXPR_BITWISE_MASK and
NFTA_EXPR_BITWISE_MREG is an error. Add support to libnftnl.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Pick up a couple of new bitwise netlink attributes.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
The original intention in eb58f53372e7 ("src: add flowtable support")
was to introduce this helper function. Add helper to set and to get
array of strings.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Phil Sutter <phil@nwl.cc>
|