| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
Future symbols don't need backwards-compat aliases.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
When we lookup the family, return "netdev" for NFPROTO_NETDEV instead of
"unknown".
Signed-off-by: Vijay Subramanian <subramanian.vijay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Reported by valgrind:
[...]
==14065== Process terminating with default action of signal 11 (SIGSEGV)
==14065== Access not within mapped region at address 0x0
==14065== at 0x4C2C022: strlen (vg_replace_strmem.c:454)
==14065== by 0x4E41A93: nftnl_chain_set_str (chain.c:259)
==14065== by 0x4E427F7: nftnl_mxml_chain_parse (chain.c:770)
==14065== by 0x4E48F96: nftnl_ruleset_parse_chains (ruleset.c:314)
==14065== by 0x4E4959A: nftnl_ruleset_xml_parse_ruleset (ruleset.c:625)
==14065== by 0x4E4959A: nftnl_ruleset_xml_parse_cmd (ruleset.c:668)
==14065== by 0x4E4959A: nftnl_ruleset_xml_parse (ruleset.c:706)
==14065== by 0x4E4959A: nftnl_ruleset_do_parse (ruleset.c:734)
==14065== by 0x4013C9: test_xml (nft-parsing-test.c:166)
==14065== by 0x4016F4: execute_test (nft-parsing-test.c:214)
==14065== by 0x400EBA: main (nft-parsing-test.c:330)
[...]
While at it, fix a bit the coding style.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Fix missing/incorrect variables.
Also remove unsed variables to avoid warnings.
Signed-off-by: Vijay Subramanian <subramanian.vijay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Commit libnftnl-1.0.3-31-g5ea54b2 removed a symbol. Such requires a
bumped to n+1:0:0. The symbol groups can be merged again to save time
processing them as the groups are relative to a particular SONAME
(of which we have a new one).
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
The function names are already large, trim off the _ATTR_ infix in the
attribute definitions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
The constant names are already large, trim off the _ATTR_ infix in the
attribute definitions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
So we get a shorter constant definition for expression attributes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Use a shorter name for this, morever this can be used from sets so the _rule_
is misleading.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
So we can use the nft_* prefix anytime soon for our upcoming higher level
library.
After this patch, the nft_* symbols become an alias of the nftnl_* symbols.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
This patch introduces the nftnl_ symbols as aliases for the existing nft_
symbols through the EXPORT_SYMBOL(...) macro.
We would like to use the nft_* prefix from our upcoming higher level library,
meanwhile with this move we avoid that old binaries break because of missing
symbol dependencies.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
The verdict can be a chain string, make sure we release it when the expression
is destroyed. This patch adds a new nft_free_data() for this purpose and use it
from the immediate expression.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Free object attributes before overwrite it. Fix 'nlmsg_parse' methods of
following objects: 'table', 'chain', 'rule', 'set' and 'set_element'.
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This fixes --debug netlink output when a redir target is included.
Signed-off-by: Balazs Scheidler <balazs.scheidler@balabit.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Add support for the new NFT_CHAIN_ATTR_DEV attribute that indicates that the
basechain is attached to a net_device.
This partially reworks 1dd9ba1ea23c ("table: add netdev family support").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This adds support for the new 'netdev' family tables.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a new batch class to libnftnl, it basically generalizes what we
already have.
A batch is composed of one or more page objects. Every page may contain one or
more netlink messages.
batch
* .------. .------. .------.
| | | | | | |
`----> | page |-->| page |-->...-->| page |
| | | | | |
`------' `------' `------'
You can create a batch via:
batch = nft_batch_alloc(...);
This batch initially comes with one initial page.
You can fetch a pointer to the next spare area in the current page to add a new
netlink message to the batch.
void *nft_batch_buffer(struct nft_batch *batch);
Once you have added a netlink message, you have to call:
nft_batch_update(batch);
this internally updates the pointer to the next spare data area in the page.
Every page has a limit threshold after which you start using the overrun area.
page .------.
| |
| |
. . page area
| |
| |
|------|<--- limit
| |
| | overrun area
| |
'______'<--- real page size
If we write over the limit, then the next call to nft_batch_update() results in
a new empty page added to the batch. With careful page size and limit
selection, we ensure that a netlink message always fit into the page, so we
avoid the overhead of canceling the netlink message that doesn't fit in.
Once your batch is complete, if you want to send it out to kernel-space, you
can convert them to iovec via:
nft_batch_iovec(batch, iov, iov_len);
Then, after having sent the batch, you can release it via:
nft_batch_free(batch);
This class relies on the libmnl batching infrastructure.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Support expression templates for the dynset expression for dynamic
expression instantiation.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
| |
This patch supports attaching a struct nft_rule_expr to a set element
and adds netlink attribute encoding and decoding.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The expression build function currently assumes to be only used from
rule context and actually builds rule attributes. Fix that and only
build the expression. Also it seems to have been exported by accident,
undo that.
Additionally, move the expression parsing function from rule parsing
and also remove any assumptions about being used in rule context.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
expr/dynset.c: In function 'nft_rule_expr_dynset_json_parse':
expr/dynset.c:194:3: warning: implicit declaration of function 'nft_rule_expr_dynset_str' [-Wimplicit-function-declaration]
nft_rule_expr_dynset_str(e, NFT_EXPR_DYNSET_SET, set_name);
^
expr/dynset.c:194:31: error: 'NFT_EXPR_DYNSET_SET' undeclared (first use in this function)
nft_rule_expr_dynset_str(e, NFT_EXPR_DYNSET_SET, set_name);
^
expr/dynset.c:194:31: note: each undeclared identifier is reported only once for each function it appears in
expr/dynset.c:197:3: warning: implicit declaration of function 'nft_rule_expr_dynset_u32' [-Wimplicit-function-declaration]
nft_rule_expr_dynset_u32(e, NFT_EXPR_DYNSET_SREG, sreg);
^
expr/dynset.c:197:31: error: 'NFT_EXPR_DYNSET_SREG' undeclared (first use in this function)
nft_rule_expr_dynset_u32(e, NFT_EXPR_DYNSET_SREG, sreg);
^
expr/dynset.c:200:31: error: 'NFT_EXPR_DYNSET_DREG' undeclared (first use in this function)
nft_rule_expr_dynset_u32(e, NFT_EXPR_DYNSET_DREG, dreg);
^
expr/dynset.c: In function 'nft_rule_expr_dynset_xml_parse':
expr/dynset.c:220:31: error: 'NFT_EXPR_DYNSET_SET' undeclared (first use in this function)
nft_rule_expr_dynset_str(e, NFT_EXPR_DYNSET_SET, set_name);
^
expr/dynset.c:224:31: error: 'NFT_EXPR_DYNSET_SREG' undeclared (first use in this function)
nft_rule_expr_dynset_u32(e, NFT_EXPR_DYNSET_SREG, sreg);
^
expr/dynset.c:228:31: error: 'NFT_EXPR_DYNSET_DREG' undeclared (first use in this function)
nft_rule_expr_dynset_u32(e, NFT_EXPR_DYNSET_DREG, dreg);
^
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We cannot use __attribute__((constructor)) to register the supported
expressions in runtime when the library is statically linked. This lead
us to some explicit libnftnl_init() function that needs to be called
from the main() function of the client program.
This patch reverts 4dd0772 ("expr: use __attribute__((constructor)) to
register expression").
Reported-by: Laurent Bercot <ska-devel@skarnet.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
If we try to import a ruleset in json or xml and the library was not
compile with support for those, this shows a misleading error.
To resolve this problem, this patch sets up EOPNOTSUPP by default when
we create the nft_parse_err structure.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
This function releases the ruleset objects attached in the parse context
structure, ie. struct nft_parse_ctx.
Moreover, this patch updates the nft_parse_ruleset_file to use it.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
If the root node name is missing, we have a crash.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Fix crash when we try to release a tree that is not initialized.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When we parse a ruleset which has a rule using a set. First step is to
parse the set, set up an ID and add it to a set list. Later, we use this
set list to find the set associated to the rule and we set up the set ID
to the expression (lookup expression) of the rule.
The problem is that if we return this set to the callback function
nft_ruleset_parse_file_cb() and we free this set, we have a crash when
we try to iterate in the set list.
This patch solves it, cloning the set and adding the new set to the set
list.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Remove reference to the former internal.h under src/
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
The internal.h file started being a small file with private definitions.
Its size has been increasing over time more and more, so let's split
this in small header files that map to the corresponding class where the
functions belong to.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Shouldn't happen though, since you need to introduce an unsupported
markup language.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
==18632== 285 (16 direct, 269 indirect) bytes in 1 blocks are definitely lost in loss record 6 of 6
==18632== at 0x4C272B8: calloc (vg_replace_malloc.c:566)
==18632== by 0x5043822: nft_set_list_alloc (set.c:977)
==18632== by 0x5045483: nft_ruleset_json_parse (ruleset.c:442)
==18632== by 0x50458BE: nft_ruleset_do_parse (ruleset.c:696)
==18632== by 0x408AEC: do_command (rule.c:1317)
==18632== by 0x406B05: nft_run (main.c:194)
==18632== by 0x40667C: main (main.c:360)
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
We release the tree that we receive from the parameter in
nft_jansson_parse_rule. With this patch, we're going to release the tree
where we create it. Therefore, we will have a code more traceable and
readable.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support to parse the new command tag in XML/JSON. This
patch adds two new functions:
* nft_ruleset_parse_file_cb
* nft_ruleset_parse_buffer_cb
The idea is to invoke the callback function that is passed as parameter is
called for each object that is parsed from the corresponding input. Each
callback has access to the nft_parse_ctx structure that provides the necessary
context such as the command, the object type and the object itself.
This change also adds support to update the content of a set incrementally.
{"nftables":[{"add":[{"element":{"name":"blackhole","table":"filter",
"family":"ip","key_type":7,"key_len":4,"set_elem":[{"key":{
"reg":{"type":"value","len":4,"data0":"0x0403a8c0"}}}]}}]}]}
This also patch consolidates the xml/json ruleset import path.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, we can't do incremental updates via JSON/XML.
This patch enriches the existing output to indicate the kind of
update that you want to perform.
So, if we have a ruleset like:
table ip filter {
chain input {
type filter hook input priority 0;
}
}
The new output looks like:
{"nftables":[{"add":[{"table":{"name":"filter",...}}]}]}
^^^^^
Where we explicitly indicate that we want to add a table.
We support all the actions that we can do with nft, they are:
- Add, delete and flush tables and chains.
- Add, delete, replace and insert rules.
- Add and delete sets.
- Add and delete set elements.
- Flush ruleset.
You only need to add the command tag:
{"nftables":[{"delete":[{...}, {...},...}]}]}
^^^^^^^^
The possible command tags that you can use are "add", "delete", "insert",
"replace" and "flush".
- Flush table or chain, eg.:
{"nftables":[{"flush":[{"table":{"name":...}}]}]}
- Delete table, chain, set or rule:
{"nftables":[{"delete":[{"chain":{"name":...}]}]}
- Replace a rule (you have to specify the handle):
{"nftables":[{"replace":[{"rule":{...}}]}]}
- Insert a rule:
{"nftables":[{"insert":[{"rule":{...}}]}]}
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This patch refactors code to parse the set in two functions
nft_jansson_parse_set_info and nft_jansson_parse_set. These changes are
used in follow up patches.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Refactor the parsing ruleset element functions calls in xml/json to do
that calls in the functions nft_ruleset_*_parse_ruleset. This patch is
used in follow up patches.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Currently, we create iterator without test if the list is empty. If the
list is empty, we have a crash when we set up the current element. With
this patch, we test if the list is empty before to create the iterator.
If the list is empty the iterator return NULL.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Rename variables to use more intuitive name like table, chain, rule or set.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|