| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
| |
Renames some variables for code readability reasons.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
This process adds three new functions:
* nft_rule_expr_log_snprintf_default
* nft_rule_expr_log_snprintf_xml
* nft_rule_expr_log_snprintf_json
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Add the set ID (u32) which allows us to uniquely identify the set
in the batch that is sent to kernel-space.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
These calls need to use the new buffer size, instead of the
size that the buffer originally had.
Bugs introduced by myself at dec68741 [data_reg: fix verdict format approach].
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Add support for dedicated bridge meta key, related to device names:
- NFT_META_BRI_IIFNAME
- NFT_META_BRI_OIFNAME
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Valgrind reports the following invalid read:
$ sudo valgrind ./nft-parsing-test -f ../jsonfiles/30-rule-lookup.json
==26664== Memcheck, a memory error detector
==26664== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==26664== Using Valgrind-3.9.0 and LibVEX; rerun with -h for copyright info
==26664== Command: ./nft-parsing-test -f ../jsonfiles/30-rule-lookup.json
==26664==
==26664== Invalid read of size 8
==26664== at 0x4E45490: nft_rule_expr_lookup_set (lookup.c:50)
==26664== by 0x4E40B04: nft_rule_expr_set (expr.c:73)
==26664== by 0x4E44FFF: nft_rule_expr_lookup_json_parse (lookup.c:157)
==26664== by 0x4E408CD: nft_jansson_expr_parse (jansson.c:206)
==26664== by 0x4E3B719: nft_jansson_parse_rule (rule.c:606)
==26664== by 0x4E3F005: nft_ruleset_do_parse (ruleset.c:312)
==26664== by 0x401479: test_json (nft-parsing-test.c:129)
==26664== by 0x4017C2: execute_test_file (nft-parsing-test.c:270)
==26664== by 0x400EBB: main (nft-parsing-test.c:332)
==26664== Address 0x5c34d40 is 0 bytes inside a block of size 5 alloc'd
==26664== at 0x4C274A0: malloc (vg_replace_malloc.c:291)
==26664== by 0x56834FF: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5685825: json_string_nocheck (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5682A3F: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5682EDD: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5683295: json_loadf (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664==
==26664== Invalid read of size 8
==26664== at 0x4E45497: nft_rule_expr_lookup_set (lookup.c:50)
==26664== by 0x4E40B04: nft_rule_expr_set (expr.c:73)
==26664== by 0x4E44FFF: nft_rule_expr_lookup_json_parse (lookup.c:157)
==26664== by 0x4E408CD: nft_jansson_expr_parse (jansson.c:206)
==26664== by 0x4E3B719: nft_jansson_parse_rule (rule.c:606)
==26664== by 0x4E3F005: nft_ruleset_do_parse (ruleset.c:312)
==26664== by 0x401479: test_json (nft-parsing-test.c:129)
==26664== by 0x4017C2: execute_test_file (nft-parsing-test.c:270)
==26664== by 0x400EBB: main (nft-parsing-test.c:332)
==26664== Address 0x5c34d48 is 3 bytes after a block of size 5 alloc'd
==26664== at 0x4C274A0: malloc (vg_replace_malloc.c:291)
==26664== by 0x56834FF: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5685825: json_string_nocheck (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5682A3F: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5682EDD: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26664== by 0x5683295: json_loadf (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
Signed-off-by: Ana Rey <anarey@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Valgrind reports the following invalid read:
$ sudo valgrind --leak-check=full ./nft-parsing-test -f ../jsonfiles/35-rule-target.json
( and similar result with jsonfiles/29-rule-match.json file)
==26018== Invalid read of size 8
==26018== at 0x4E484E3: nft_rule_expr_target_set (target.c:46)
==26018== by 0x4E40B54: nft_rule_expr_set (expr.c:73)
==26018== by 0x4E48167: nft_rule_expr_target_json_parse (target.c:185)
==26018== by 0x4E4091D: nft_jansson_expr_parse (jansson.c:206)
==26018== by 0x4E3B769: nft_jansson_parse_rule (rule.c:606)
==26018== by 0x4E3F055: nft_ruleset_do_parse (ruleset.c:312)
==26018== by 0x401479: test_json (nft-parsing-test.c:129)
==26018== by 0x4017C2: execute_test_file (nft-parsing-test.c:270)
==26018== by 0x400EBB: main (nft-parsing-test.c:332)
==26018== Address 0x5c34a60 is 0 bytes inside a block of size 4 alloc'd
==26018== at 0x4C274A0: malloc (vg_replace_malloc.c:291)
==26018== by 0x56834FF: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5685825: json_string_nocheck (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682A3F: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682EDD: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5683295: json_loadf (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==
==26018== Invalid read of size 8
==26018== at 0x4E484ED: nft_rule_expr_target_set (target.c:46)
==26018== by 0x4E40B54: nft_rule_expr_set (expr.c:73)
==26018== by 0x4E48167: nft_rule_expr_target_json_parse (target.c:185)
==26018== by 0x4E4091D: nft_jansson_expr_parse (jansson.c:206)
==26018== by 0x4E3B769: nft_jansson_parse_rule (rule.c:606)
==26018== by 0x4E3F055: nft_ruleset_do_parse (ruleset.c:312)
==26018== by 0x401479: test_json (nft-parsing-test.c:129)
==26018== by 0x4017C2: execute_test_file (nft-parsing-test.c:270)
==26018== by 0x400EBB: main (nft-parsing-test.c:332)
==26018== Address 0x5c34a68 is 4 bytes after a block of size 4 alloc'd
==26018== at 0x4C274A0: malloc (vg_replace_malloc.c:291)
==26018== by 0x56834FF: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5685825: json_string_nocheck (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682A3F: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682EDD: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5683295: json_loadf (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==
==26018== Invalid read of size 8
==26018== at 0x4E484F5: nft_rule_expr_target_set (target.c:46)
==26018== by 0x4E40B54: nft_rule_expr_set (expr.c:73)
==26018== by 0x4E48167: nft_rule_expr_target_json_parse (target.c:185)
==26018== by 0x4E4091D: nft_jansson_expr_parse (jansson.c:206)
==26018== by 0x4E3B769: nft_jansson_parse_rule (rule.c:606)
==26018== by 0x4E3F055: nft_ruleset_do_parse (ruleset.c:312)
==26018== by 0x401479: test_json (nft-parsing-test.c:129)
==26018== by 0x4017C2: execute_test_file (nft-parsing-test.c:270)
==26018== by 0x400EBB: main (nft-parsing-test.c:332)
==26018== Address 0x5c34a70 is 12 bytes after a block of size 4 alloc'd
==26018== at 0x4C274A0: malloc (vg_replace_malloc.c:291)
==26018== by 0x56834FF: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5685825: json_string_nocheck (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682A3F: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682EDD: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5683295: json_loadf (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==
==26018== Invalid read of size 4
==26018== at 0x4E484FD: nft_rule_expr_target_set (target.c:46)
==26018== by 0x4E40B54: nft_rule_expr_set (expr.c:73)
==26018== by 0x4E48167: nft_rule_expr_target_json_parse (target.c:185)
==26018== by 0x4E4091D: nft_jansson_expr_parse (jansson.c:206)
==26018== by 0x4E3B769: nft_jansson_parse_rule (rule.c:606)
==26018== by 0x4E3F055: nft_ruleset_do_parse (ruleset.c:312)
==26018== by 0x401479: test_json (nft-parsing-test.c:129)
==26018== by 0x4017C2: execute_test_file (nft-parsing-test.c:270)
==26018== by 0x400EBB: main (nft-parsing-test.c:332)
==26018== Address 0x5c34a78 is 20 bytes after a block of size 4 alloc'd
==26018== at 0x4C274A0: malloc (vg_replace_malloc.c:291)
==26018== by 0x56834FF: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5685825: json_string_nocheck (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682A3F: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5682EDD: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018== by 0x5683295: json_loadf (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It deletes the immediatedata label in the structure of json and xml file.
Example of the old structure of xmlfile:
<nftables>
<rule>
<family>ip</family>
<table>filter</table>
<chain>input</chain>
<handle>32</handle>
<expr type="immediate">
<dreg>0</dreg>
<immediatedata>
<data_reg type="verdict">
<verdict>accept</verdict>
</data_reg>
</immediatedata>
</expr>
</rule>
</nftables>
Example of the new structure of xmlfile:
<nftables>
<rule>
<family>ip</family>
<table>filter</table>
<chain>input</chain>
<handle>32</handle>
<expr type="immediate">
<dreg>0</dreg>
<data_reg type="verdict">
<verdict>accept</verdict>
</data_reg>
</expr>
</rule>
</nftables>
To generate the new testfiles, It use the option -u of nft-parsing-test
script.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It delete the cmpdata label in the structure of json and xml file.
Example of xmlfile:
The old structure of xml file:
[...]
<expr type="cmp">
<sreg>1</sreg>
<op>eq</op>
<cmpdata>
<data_reg type="value">
<len>4</len>
<data0>0x0100a8c0</data0>
</data_reg>
</cmpdata>
</expr>
The new structure of json file:
[...]
<expr type="cmp">
<sreg>1</sreg>
<op>eq</op>
<data_reg type="value">
<len>4</len>
<data0>0x0100a8c0</data0>
</data_reg>
</expr>
[...]
To generate the new testfiles, It use the option -u of nft-parsing-test
script.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
This got lost in 29fd6a1df9 when merging major changes in master
to next-3.14.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch includes changes to adapt this branch to the library
rename that happened in the master branch.
Conflicts:
src/Makefile.am
src/expr/cmp.c
src/expr/ct.c
src/expr/data_reg.c
src/expr/meta.c
tests/jsonfiles/01-table.json
tests/jsonfiles/02-table.json
tests/jsonfiles/64-ruleset.json
tests/xmlfiles/01-table.xml
tests/xmlfiles/02-table.xml
|
| |
| |
| |
| |
| |
| | |
We plan to use this library name for the higher layer library.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| | |
CC expr/ct.lo
expr/ct.c:194:12: warning: 'str2ctdir' defined but not used [-Wunused-function]
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch implements a string to represent directions in the CT expression:
* original (0)
* reply (1)
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Patrick reports that the XML/JSON formats of the data_reg object
are not accuarate.
This patch updates these formats, so they are now as follow:
* <data_reg type=value> with raw data (this doesn't change).
* <data_reg type=verdict> with a concrete verdict (eg drop accept) and an
optional <chain>, with destination.
In XML:
<data_reg type="verdict">
<verdict>goto</verdict>
<chain>output</chain>
</data_reg>
In JSON:
"data_reg" : {
"type" : "verdict",
"verdict" : "goto"
"chain" : "output",
}
The default output format is updated to reflect these changes (minor collateral
thing).
When parsing set_elems, to know if we need to add the NFT_SET_ELEM_ATTR_CHAIN
flag, a basic check for the chain not being NULL is done, instead of evaluating
if the result of the parsing was DATA_CHAIN. The DATA_CHAIN symbol is no longer
used in the data_reg XML/JSON parsing zone.
While at it, I updated the error reporting stuff regarding data_reg/verdict, in
order to leave a consistent state in the library.
A JSON testfile is updated as well.
Reported-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Some verdicts have a negative value.
The caller of nft_str2verdict() checking if return was < 0 clash with
enum nft_verdict.
While at it, add error reporting of invalid verdicts.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| | |
It's not used out of the scope of expr/meta.c
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The 'dir' attribute is optional as stated in the kernel sources.
Previous to this patch, using XML/JSON to manage this expr produces some
undefined and erroneous behaviours.
While at it, fix also the default output format.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Due to missing NFT_CT_L3PROTOCOL key in ctkey2str_array, a segfault is
produced when the str2ctkey() loop reaches that position, since strcmp()
will try to compare a NULL value.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| | |
The dreg attribute is optional as stated at:
linux/net/netfilter/nft_lookup.c
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
There are some cases where a reg is not mandatory, for example:
* dreg in lookup
* dreg/sreg in meta (last version)
So, lets change the function nft_mxml_reg_parse() to add
an optional/mandatory flag.
dreg in lookup is optional as stated at:
net/netfilter/nft_lookup.c:nft_lookup_init()
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch fixes the incorrect data type (from uint8_t to uint32_t) in
several private data area of the expressions.
It also cleans up this by translating several unsigned int to uint32_t.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
I have added a new structure for reporting some errors in parser
that we can't cover with errno.
In this patch, we have three errors that we can't cover with errno:
NFT_PARSE_EBADINPUT : Bad XML/JSON format in the input
NFT_PARSE_EMISSINGNODE : Missing node in our input
NFT_PARSE_EBADTYPE : Wrong type value in a node
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch adds userspace support for setting properties of tracked connections.
Currently, the connection mark is supported. This can be used to implemented the
same functionality as iptables -j CONNMARK --save-mark.
Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
libnftables should not mask kernel errors. Let user specify any combination of
parameters and leave the error-checking to the kernel. The kernel will return
-EINVAL and users will know that they have to fix their code. This patch also a
removes a redundant variable that was passed to the snprintf-functions (flag).
A second iteration might be needed. I was not sure how to deal with
snprintf_default in the case of both sreg and dreg.
Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Since nftables now uses nft_rule_expr_get_u32(), the internal size must
also be a uint32_t.
Fixes complete breakage of any cmp or meta expression.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This adds a copy of the include/linux/netfilter.h kernel header
that defines NFPROTO_INET, so libnftables compiles with relatively
old kernel headers in the system.
chain.c: In function 'nft_hooknum2str':
chain.c:53:7: error: 'NFPROTO_INET' undeclared (first use in this function)
This required to reorder and remove unneeded headers in src/expr/data_reg.c
to avoid a compilation warning due to redefinition of __visible.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| | |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch adds userspace support for the meta expression in the set flavour.
This expression indicates that the packet has to be set with a property,
currently one of mark, priority or nftrace.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|/
|
|
|
|
|
| |
This patch adds a support of the queue target.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
I fixed it by using the correct value.
Signed-off-by: Ana Rey <anarey@gmail.com>
Acked-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If I run my automatic unit test of libnftable, It shows:
ERROR: Expr NFT_EXPR_TG_INFO size mismatches size a: 32 b: 36
The problem was in nft_rule_expr_target_parse function. With the
attached patch, we use mnl_attr_get_payload_len() in instead of
mnl_attr_get_len().
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If I run my automatic unit test for libnftables, It shows:
"ERROR: Expr NFT_EXPR_LOG_PREFIX mismatches"
a: test
b: test
^^
garbage
The problem was in nft_rule_expr_log_build function. With
the attached patch, we use mnl_attr_put_strz() instead of
mnl_attr_put_str() as in other functions in the library.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Ana Rey reported a leak in the log expression. Fix it by using
the new .free interface added in (3cf788a expr: fix leak in target
and match expressions).
Reported-by: Ana Rey Botello <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Expression flags were incorrectly set.
Reported-by: Ana Rey Botello <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Release internal data area for match and target expressions.
==30104== 68 bytes in 1 blocks are definitely lost in loss record 1 of 1
==30104== at 0x4C2B514: calloc (vg_replace_malloc.c:593)
==30104== by 0x400C2F: main (nft-expr_match-test.c:65)
Reported-by: Ana Rey Botello <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Unify parse and output types that are redundant to all
existing nftables objects. Thus, all NFT_*_O_[XML|JSON|DEFAULT]
are merged into NFT_OUTPUT_[JSON|XML] and NFT_PARSE_[JSON|XML].
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch adds support for the reject expression.
Tested-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
my fault, spotted by Phil Oester.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
| |
commit 10e0890e ('src: operational limit match') creates huge
array, increasing libnftables binary size. Use switch statement
instead.
Based on patch from Florian Westphal, for nft.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The nft limit match currently does not work at all. Below patches to
nftables, libnftables, and kernel address the issue. A few notes on
the implementation:
- Removed support for nano/micro/milli second limits. These seem pointless,
given we are using jiffies in the limit match, not a hpet. And who really
needs to limit items down to sub-second level??
- 'depth' member is removed as unnecessary. All we need in the kernel is the
rate and the unit.
- 'stamp' member becomes the time we need to next refresh the token bucket,
instead of being updated on every packet which goes through the match.
This closes netfilter bugzilla #827, reported by Eric Leblond.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove all the spaces from the JSON output to reduce the size
of the output string, this also provides a consistent output
in table, chain, rule and set.
As Stephen Hemminger suggested, better to squash the output to
consume as less bytes as possible.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Use 'len' instead of 'size' since we need the remaining unused bytes
in the buffer, not its total size.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch breaks the ABI to shrink the size parameter from 8
to 4 bytes in x86_64. The maximum length of netlink attributes
is 2 bytes, so 4 bytes as attribute payload length should be
enough.
After this patch, size_t is only used in the nft_*_snprintf
interfaces.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This declaration was missing and is needed in case you compile libnftables
without XML parsing support.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch avoid several tree to text to tree conversions in the XML
parsing helpers.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Add an optional/mandatory flag to XML parsing.
In some elements (ie regs), no flag is used because is always mandatory.
DATA_NONE is created to indicate a non-parsed data_reg.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
NFTA_LOG_SNAPLEN is u32 and NFTA_LOG_QTHRESHOLD is u16.
Without this, netlink messages from kernel fail mnl_validate step when
QTHRESH or SNAPLEN was set.
Also, nft_rule_expr_log_get must update data_length, else 'nft list' doesn't
show log arguments (prefix, group ..) because the netlink message
decoding uses nft_rule_expr_get_u16/32 etc. which validate the length, too.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|