summaryrefslogtreecommitdiffstats
path: root/src/expr.c
Commit message (Collapse)AuthorAgeFilesLines
* expr: Enforce attr_policy compliance in nftnl_expr_set()HEADmasterPhil Sutter2024-03-061-0/+7
| | | | | | | | | | | | | Every expression type defines an attr_policy array, so deny setting attributes if not present. Also deny if maxlen field is non-zero and lower than the given data_len. Some attributes' max length is not fixed (e.g. NFTNL_EXPR_{TG,MT}_INFO ) or is not sensible to check (e.g. NFTNL_EXPR_DYNSET_EXPR). The zero maxlen "nop" is also used for deprecated attributes, just to not silently ignore them. Signed-off-by: Phil Sutter <phil@nwl.cc>
* expr: Call expr_ops::set with legal types onlyPhil Sutter2024-03-061-0/+3
| | | | | | | | | | Having the new expr_ops::nftnl_max_attr field in place, the valid range of attribute type values is known now. Reject illegal ones upfront. Consequently drop the default case from callbacks' switches which handle all supported attributes. Signed-off-by: Phil Sutter <phil@nwl.cc>
* build: fix clang+glibc snprintf substitution errorNicholas Vinson2022-06-151-2/+2
| | | | | | | | | | | | | | | | | | | | When building with clang and glibc and -D_FORTIFY_SOURCE=2 is passed to clang, the snprintf member of the expr_ops and obj_ops structures will be incorrectly replaced with __builtin_snprintf_chk() which results in "error: no member named '__builtin___snprintf_chk'" errors at build time. This patch changes the member name from 'snprintf' to 'output' to prevent the replacement. This bug can be emulated using GCC by undefining the __va_arg_pack macro before stdio.h is included. This patch is based on the notes provided in https://bugs.gentoo.org/807766. Signed-off-by: Nicholas Vinson <nvinson234@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* Drop pointless local variable in snprintf callbacksPhil Sutter2021-03-151-3/+3
| | | | | | | | | | A common idiom among snprintf callbacks was to copy the unsigned parameter 'size' (or 'len') into a signed variable for further use. Though since snprintf() itself casts it to unsigned and SNPRINTF_BUFFER_SIZE() does not allow it to become negative, this is not needed. Drop the local variable and rename the parameter accordingly. Signed-off-by: Phil Sutter <phil@nwl.cc>
* expr: Check output type once and for allPhil Sutter2021-03-151-2/+2
| | | | | | | | | | | There is but a single supported output type left, so check it in expr.c and drop all the single option switch statements in individual expressions. Since the parameter is now unused (and to ensure code correctness), drop 'type' parameter from struct expr_ops' snprintf callback. Signed-off-by: Phil Sutter <phil@nwl.cc>
* src: add NFTNL_EXPR_DYNSET_EXPRESSIONSPablo Neira Ayuso2020-12-171-0/+3
| | | | | | | | | | | | | | NFTNL_EXPR_DYNSET_EXPR defines the stateful expression type that an element stores when added from the packet path. This patch adds support for the set expression list, which generalizes NFTNL_EXPR_DYNSET_EXPR. This patch also adds nftnl_expr_add_expr() to add new expressions to elements and nftnl_set_expr_expr_foreach() to iterate over the list of expressions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: expose nftnl_expr_build_payload()Pablo Neira Ayuso2020-10-161-0/+1
| | | | | | | This function allows you to build the netlink attributes for expressions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove nftnl_rule_cmp() and nftnl_expr_cmp()Pablo Neira Ayuso2018-10-241-10/+0
| | | | | | | | | | | | | | These functions are not very useful, rule comparison from this layer does not work well with implicit set definitions. This infrastructure was added as an attempt to support for deletion by name from this layer, which should be done from higher level libnftables library. Finally, we never had a client for this code in git.netfilter.org. Let's remove it and bump libversion for safety reasons. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Fix exporting symbols with clangArmin K2017-12-301-18/+18
| | | | | | | | | | | | | When EXPORT_SYMBOL is located after function definition, clang won't properly export the function, resulting in a library with no symbols when built with clang. Based on libmnl commit dcdb47373a37 ("Move declaration of visibility attributes before definition.") Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1205 Signed-off-by: Armin K <krejzi@email.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: Introduce nftnl_expr_fprintf()Phil Sutter2017-10-171-0/+14
| | | | | | | | Implement expression printing into a FILE pointer analogous to nftnl_rule_fprintf(). Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Buffer is null terminated.Varsha Rao2017-09-271-0/+3
| | | | | | | In _snprintf() functions definition the buffer is null terminated. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Change parameters of SNPRINTF_BUFFER_SIZE macro.Varsha Rao2017-09-271-3/+3
| | | | | | | | | SNPRINTF_BUFFER_SIZE() macro declaration and definition is changed so that it accepts three arguments ret, remain and offset. Parameters size and len are not required instead parameter remain keeps track of available space in the buffer. Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
* src: get rid of aliases and compatPablo Neira Ayuso2016-12-201-16/+16
| | | | | | | | | | | This machinery was introduced to avoid sudden compilation breakage of old nftables releases. With the upcoming release of 0.7 (and 0.6 which is now 6 months old) this is not required anymore. Moreover, users gain nothing from older releases since they are half-boiled and buggy. So let's get rid of aliases now. Bump LIBVERSION and update map file. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: call expr->ops->snprintf only if definedPablo Neira Ayuso2016-11-291-0/+3
| | | | | | | The notrack expression comes with no ->ops->snprintf, so skip this from nftnl_expr_snprintf() if not set. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add notrack expressionPablo Neira Ayuso2016-10-201-2/+5
| | | | | | | | Register this simple expression with no attributes. Make sure libnftnl doesn't crash when no build and parse indirections are defined, as it is the case for this expression. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Implement rule comparisonCarlos Falgueras García2016-08-171-0/+10
| | | | | | | | | | | | | | | | | | | | This patch implements the function: bool nftnl_rule_cmp(const struct nftnl_rule *r1, const struct nftnl_rule *r2) for rule comparison. Expressions within rules need to be compared, so also has been created the function: bool nftnl_expr_cmp(const struct nftnl_expr *e1, const struct nftnl_expr *e2); Also includes all expression comparators. Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Fix nftnl_*_get_data() to return the real attribute lengthCarlos Falgueras García2016-07-111-0/+1
| | | | | | | | | | | All getters must set the memory size of the attributes, ie. this includes the nul-termination in strings. For references to opaque objects hidden behind the curtain, report a zero size. Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: return value on setters that internally allocate memoryPablo Neira Ayuso2016-06-151-8/+7
| | | | | | | | So the client can bail out of memory allocation errors. Or in case of daemon, make sure things are left in consistent state before bailing out. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftnl: constify object arguments to various functionsPatrick McHardy2016-05-091-3/+3
| | | | | | | | | flow table support needs constant object arguments to printing functions to avoid ugly casts. While at it, also constify object arguments to message construction, destructor and a few helper functions. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename EXPORT_SYMBOL to EXPORT_SYMBOL_ALIASFlorian Westphal2015-11-241-16/+16
| | | | | | | Future symbols don't need backwards-compat aliases. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename NFTNL_RULE_EXPR_ATTR to NFTNL_EXPR_Pablo Neira Ayuso2015-09-071-3/+3
| | | | | | So we get a shorter constant definition for expression attributes. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename nftnl_rule_expr to nftnl_exprPablo Neira Ayuso2015-09-071-48/+48
| | | | | | | Use a shorter name for this, morever this can be used from sets so the _rule_ is misleading. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename existing functions to use the nftnl_ prefixPablo Neira Ayuso2015-09-071-38/+38
| | | | | | | | | So we can use the nft_* prefix anytime soon for our upcoming higher level library. After this patch, the nft_* symbols become an alias of the nftnl_* symbols. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: introduce nftnl_* aliases for all existing functionsPablo Neira Ayuso2015-09-021-16/+16
| | | | | | | | | | | This patch introduces the nftnl_ symbols as aliases for the existing nft_ symbols through the EXPORT_SYMBOL(...) macro. We would like to use the nft_* prefix from our upcoming higher level library, meanwhile with this move we avoid that old binaries break because of missing symbol dependencies. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: seperate expression parsing and building functionsPatrick McHardy2015-04-141-6/+50
| | | | | | | | | | | | The expression build function currently assumes to be only used from rule context and actually builds rule attributes. Fix that and only build the expression. Also it seems to have been exported by accident, undo that. Additionally, move the expression parsing function from rule parsing and also remove any assumptions about being used in rule context. Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: split internal.h is smaller filesPablo Neira Ayuso2015-02-171-3/+0
| | | | | | | | | The internal.h file started being a small file with private definitions. Its size has been increasing over time more and more, so let's split this in small header files that map to the corresponding class where the functions belong to. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rename library to libnftnllibnftnl-1.0.0Pablo Neira Ayuso2014-01-201-1/+1
| | | | | | We plan to use this library name for the higher layer library. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: fix leak in target and match expressionsPablo Neira Ayuso2013-11-181-0/+3
| | | | | | | | | | | Release internal data area for match and target expressions. ==30104== 68 bytes in 1 blocks are definitely lost in loss record 1 of 1 ==30104== at 0x4C2B514: calloc (vg_replace_malloc.c:593) ==30104== by 0x400C2F: main (nft-expr_match-test.c:65) Reported-by: Ana Rey Botello <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: replace size_t by uint32_t in set/get interfacesPablo Neira Ayuso2013-09-191-7/+7
| | | | | | | | | | | | This patch breaks the ABI to shrink the size parameter from 8 to 4 bytes in x86_64. The maximum length of netlink attributes is 2 bytes, so 4 bytes as attribute payload length should be enough. After this patch, size_t is only used in the nft_*_snprintf interfaces. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add nft_rule_expr_get_u16 and nft_rule_expr_set_u16Pablo Neira Ayuso2013-08-171-0/+23
| | | | | | Now required since log has two u16 fields. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add xfree and use itPablo Neira Ayuso2013-08-061-1/+1
| | | | | | | | This patch adds xfree, a replacement of free that accepts const pointers. This helps to remove ugly castings that you usually need to calm down gcc. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: refactor nft_rule_expr_getPablo Neira Ayuso2013-07-211-8/+6
| | | | | | Merge common checking for attribute set in nft_rule_expr_get. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: simplify getter logicPablo Neira Ayuso2013-07-181-0/+3
| | | | | | | | This patch refactors the getter code to simplify it. The default cases have been removed so gcc will spot a warning if an attribute is not handled appropriately. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add nft_rule_expr_snprintfPablo Neira Ayuso2013-06-191-0/+13
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: constify first parameter of all nft_*_getPablo Neira Ayuso2013-06-171-5/+5
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add nft_*_attr_is_setPablo Neira Ayuso2013-06-171-0/+6
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: constify nft_*_attr_set and nft_*_attr_set_strPablo Neira Ayuso2013-04-141-1/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* initial version of libnftablesPablo Neira Ayuso2012-10-111-0/+189
It adds support for table, chain and rule handling. This also includes expression handling for each rule. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>