| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
Support for the nft ng expression within libnftnl.
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This patch adds support for the new quota expression.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before this patch, comparison between rules with distinct number of
expressions indicate that they are equals, however, they are not.
Example:
r1[e1, e2] == r2[e1, e2, e3]
Fix this by checking that the number of expression is the same.
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch implements the function:
bool nftnl_rule_cmp(const struct nftnl_rule *r1,
const struct nftnl_rule *r2)
for rule comparison.
Expressions within rules need to be compared, so also has been created the
function:
bool nftnl_expr_cmp(const struct nftnl_expr *e1,
const struct nftnl_expr *e2);
Also includes all expression comparators.
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Support for the nft hash expression in libnftnl.
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Uses cmp2str() which checks array bounds.
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Checks array limits before access it and adds a missed translation.
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This patch accidentally slipped through. The sequence number
(uint32_t)-1 is fine in case time() fails.
So this reverts commit d26feca2c9c19b650b5a7554b5a412ceca990b7a.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
The called function otherwise accesses uninitialized data.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Although the 'err' pointer should be interesting for users only if the
parser returned non-zero, having it point to uninitialized data is
generally a bad thing.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
time() may return -1 which is then assigned to an unsigned integer type
and used as sequence number. The following code increments that number
multiple times, so it may overflow and get libmnl confused. To avoid
this, fall back to a starting sequence number of zero in case the call
to time() failed.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
The function returns from inside the switch() in any case, so the final
return statement is never reached.
Fixes: 7769cbd9dfe69 ("expr: limit: add per-byte limiting support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
The array has NFT_CT_MAX fields, so indices must be less than that
number.
Fixes: 977b7a1dbe1bd ("ct: xml: use key names instead of numbers")
Cc: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
During list populating, in error case the function returns without
freeing the newly allocated 'elem' object, thereby losing any references
to it.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Deleted wrong braces that cause unwanted behaviour.
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
|
|
|
|
|
|
|
| |
Introduce nftnl_expr_iter_init() to allow stack allocated iterators for
internal use.
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
|
|
|
|
|
|
|
|
| |
Iterators do not modify objects which they iterate, so input pointer must
be const.
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
nft already assumes that passing NULL as data_len is valid, otherwise
it crashes. Fix this by leave data_len unset in this specific case.
Fixes: bda7102 ("src: Fix nftnl_*_get_data() to return the real attribute length")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Follow same approach as with other objects, print what it is set only.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
All getters must set the memory size of the attributes, ie. this
includes the nul-termination in strings.
For references to opaque objects hidden behind the curtain, report
a zero size.
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
The string length must be one character longer to include the
nul-termination.
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
The new structure 'user' holds a pointer to user data and its length. The
kernel must have the flag NFTA_SET_USERDATA to support this feature.
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Inverted matching support was included in the kernel, let's give support here
as well.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
They don't set ret to anything, and ret is not initialized, so we return
garbage.
Fixes: 59cb13b ("src: fix missing error checking in parser functions")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bail out on errors in several nftnl_*_nlmsg_parse() functions. We can
overwrite the previous error value, and may execute code which should
not.
Bad way:
int f() {
int ret;
ret = g();
ret = h();
return ret;
}
Good way:
int f() {
int ret;
ret = g();
if (ret < 0)
return ret;
ret = h();
if (ret < 0)
return ret;
return 0;
}
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Fix nftnl_chain_set_data() with NFTNL_CHAIN_DEV.
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Just in case we ever support chain with larger names in the future,
this will ensure the library doesn't break. Although I don't expect
allocating more bytes for this anytime soon, but let's be conservative
here.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Now that unsetters don't set pointers to NULL, check if the attribute is
set before trying to release it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
If the attribute is set as we already check at the beginning of this
function, then we can release the object.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Let the client of this library decide when to display error messages.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
And pass up an error to the caller.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
So the client can bail out of memory allocation errors. Or in case of
daemon, make sure things are left in consistent state before bailing
out.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
If this attribute is not supported by the library, we should rise an
assertion so the client knows something is wrong, instead of silently
going through.
The only case I can think may hit this problem is version mismatch
between library and tools. This should not ever really happen, so better
bail out from the library itself in this case.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Fix leak of NFTNL_*_USERDATA from unset() functions.
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Use NFTNL_EXPR_PAYLOAD_SREG instead.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
All attributes are passed by copy, so user data should be copied too.
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
User data must be freed.
How to reproduce:
> nft add table t
> nft add set t s {type ipv4_addr\;}
> valgrind nft add element t s {1.1.1.1}
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
If the user allocates a nftnl_udata_buf and then passes the TLV data to
nftnl_rule_set_data, the pointer stored in rule.user.data is not the
begining of the allocated block. In this situation, if it calls to
nftnl_rule_free, it tries to free this pointer and segfault is thrown.
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Refresh the cached header file.
This includes a small fix to avoid this compilation warning after
refreshing the header:
trace.c: In function 'nftnl_trace_parse_attr_cb':
trace.c:87:2: warning: enumeration value 'NFTA_TRACE_PAD' not handled in switch [-Wswitch]
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
These functions don't modify the chain object.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
They are not used out of the scope of the C file where they are defined,
so we can statify them.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
These functions are passed as parameter, so we basically get nothing
with this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
flow table support needs constant object arguments to printing functions
to avoid ugly casts. While at it, also constify object arguments to message
construction, destructor and a few helper functions.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Unfortunately libnftnl restricts the set names in the lookup and dynset
expressions to 16 bytes. Remove this restriction so this can work with
the upcoming 4.7 Linux kernel.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Reported by Debian's lintian tool.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
| |
Fix leaks in nftnl_rule_free() and nftnl_rule_set_data().
Reported-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These functions allow to create a buffer (struct nftnl_udata_buf) of
user data attributes in TLV format (struct nftnl_udata). It is inspired
by libmnl/src/attr.c. It can be used to store several TLVs sequentially
into an object.
Example:
struct nftnl_udata_buf *buf;
struct nftnl_udata *attr;
const char *str = "Hello World!";
buf = nftnl_udata_buf_alloc(UDATA_SIZE);
if (!buf) {
perror("OOM");
exit(EXIT_FAILURE);
}
if (!nftnl_udata_put_strz(buf, MY_TYPE, str)) {
perror("Can't put attribute \"%s\"", str);
exit(EXIT_FAILURE);
}
nftnl_udata_for_each(buf, attr)
printf("%s\n", (char *)nftnl_udata_attr_value(attr));
nftnl_udata_buf_free(buf);
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
| |
Fix duplicated and incorrect assignments.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
| |
Complete masquerading support by allowing port range selection.
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|