summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* expr: add inner supportHEADmasterPablo Neira Ayuso2023-01-024-1/+219
| | | | | | | This patch adds support for the inner expression which allows you to match on the inner tunnel headers, eg. VxLAN. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: replace nftnl_*_nlmsg_build_hdr() by nftnl_nlmsg_build_hdr()Pablo Neira Ayuso2022-11-151-3/+2
| | | | | | Use nftnl_nlmsg_build_hdr() instead of nftnl_*_nlmsg_build_hdr(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftnl: Fix res_id byte orderIan Pilcher2022-10-251-1/+2
| | | | | | | | | | | | | | | | | | | | | The res_id member of struct nfgenmsg is supposed to be in network byte order (big endian). Call htons() in __nftnl_nlmsg_build_hdr() to ensure that this is true on little endian systems. There is a kernel workaround that was introduced in 4.3 to address this issue: commit a9de9777d613500b089a7416f936bf3ae5f070d2 Author: Pablo Neira Ayuso <pablo@netfilter.org> Date: Fri Aug 28 21:01:43 2015 +0200 netfilter: nfnetlink: work around wrong endianess in res_id field And current oldest stable kernel branch in 4.9, merge this to fix the incorrect endianness from userspace. Signed-off-by: Ian Pilcher <arequipeno@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: payload: remove unused functionPablo Neira Ayuso2022-09-071-14/+0
| | | | | | nftnl_str2base() not used anymore, remove it. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule, set_elem: remove trailing \n in userdata snprintfPablo Neira Ayuso2022-08-312-2/+2
| | | | | | | 212479ad2c92 ("rule, set_elem: fix printing of user data") uncovered another an extra line break in the userdata printing, remove it. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule, set_elem: fix printing of user dataJeremy Sowden2022-08-292-5/+7
| | | | | | | | | | | | Hitherto, alphanumeric characters have been printed as-is, but anything else was replaced by '\0'. However, this effectively truncates the output. Instead, print any printable character as-is and print anything else as a hexadecimal escape sequence: userdata = { \x01\x04\x01\x00\x00\x00 } Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: fix clang+glibc snprintf substitution errorNicholas Vinson2022-06-1549-50/+50
| | | | | | | | | | | | | | | | | | | | When building with clang and glibc and -D_FORTIFY_SOURCE=2 is passed to clang, the snprintf member of the expr_ops and obj_ops structures will be incorrectly replaced with __builtin_snprintf_chk() which results in "error: no member named '__builtin___snprintf_chk'" errors at build time. This patch changes the member name from 'snprintf' to 'output' to prevent the replacement. This bug can be emulated using GCC by undefining the __va_arg_pack macro before stdio.h is included. This patch is based on the notes provided in https://bugs.gentoo.org/807766. Signed-off-by: Nicholas Vinson <nvinson234@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* set_elem: missing export symbolPablo Neira Ayuso2022-06-031-0/+1
| | | | | | | nftnl_set_elem_nlmsg_build_payload() is already available through .map file and headers, add missing EXPORT_SYMBOL. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: tcp option reset supportFlorian Westphal2022-03-011-1/+6
| | | | | | Adds print debug support for tcp reset feature. Signed-off-by: Florian Westphal <fw@strlen.de>
* expr: payload: print inner header base offsetPablo Neira Ayuso2021-11-171-2/+3
| | | | | | | Update string array to print the "inner" header string, instead of printing "unknown". Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: use NFTNL_SET_ELEM_VERDICT to print verdictPablo Neira Ayuso2021-11-042-7/+8
| | | | | | | | This patch reworks 228e8b174627 ("set_elem: Fix printing of verdict map elements"), check if NFTNL_SET_ELEM_VERDICT is set then print the set element verdict. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: expose nftnl_set_elem_nlmsg_build()Pablo Neira Ayuso2021-11-042-4/+9
| | | | | | Expose a function to build one single set element netlink message. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: last: add NFTNL_EXPR_LAST_SETPablo Neira Ayuso2021-07-051-1/+21
| | | | | | | Honor NFTA_LAST_SET netlink attribute, it tells us if a packet has ever updated this expression. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add last match time supportPablo Neira Ayuso2021-06-083-0/+121
| | | | | | This new expression displays when last matching has happened. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: socket: add cgroups v2 supportPablo Neira Ayuso2021-05-031-0/+18
| | | | | | Add NFT_SOCKET_CGROUPSV2 key type and NFTA_SOCKET_LEVEL attribute. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: incorrect header refers to GPLv2 onlyPablo Neira Ayuso2021-04-201-2/+3
| | | | | | | libnftnl is GPLv2+, fix incorrect headers. Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ruleset: Eliminate tag and separator helpersPhil Sutter2021-03-151-92/+59
| | | | | | | | | Those were used for JSON and XML output only with the exception of separator helper which at the same time served as conditional nop if no "previous" object as passed. Replace it by a string variable updated at the end of each loop iteration and just drop the other helpers. Signed-off-by: Phil Sutter <phil@nwl.cc>
* Get rid of single option switch statementsPhil Sutter2021-03-159-101/+31
| | | | | | | | | | | | Replace each by a conditional testing the only valid case. There is one odd example, namely src/set.c: When printing a set with type NFTNL_OUTPUT_XML, the relevant function would return 0 instead of -1 like all others. Just drop it assuming nothing depends on that (faulty) behaviour. Cc: Arturo Borrero <arturo.borrero.glez@gmail.com> Signed-off-by: Phil Sutter <phil@nwl.cc>
* Drop pointless local variable in snprintf callbacksPhil Sutter2021-03-1537-105/+102
| | | | | | | | | | A common idiom among snprintf callbacks was to copy the unsigned parameter 'size' (or 'len') into a signed variable for further use. Though since snprintf() itself casts it to unsigned and SNPRINTF_BUFFER_SIZE() does not allow it to become negative, this is not needed. Drop the local variable and rename the parameter accordingly. Signed-off-by: Phil Sutter <phil@nwl.cc>
* obj: Drop type parameter from snprintf callbackPhil Sutter2021-03-1510-175/+26
| | | | | | | Objects don't support any other output type than NFTNL_OUTPUT_DEFAULT, so just drop the parameter. Signed-off-by: Phil Sutter <phil@nwl.cc>
* expr/data_reg: Drop output_format parameterPhil Sutter2021-03-156-37/+15
| | | | | | | | The function nftnl_data_reg_snprintf is exclusively called with NFTNL_OUTPUT_DEFAULT as parameter, others are not supported - just drop it. Signed-off-by: Phil Sutter <phil@nwl.cc>
* expr: Check output type once and for allPhil Sutter2021-03-1538-616/+101
| | | | | | | | | | | There is but a single supported output type left, so check it in expr.c and drop all the single option switch statements in individual expressions. Since the parameter is now unused (and to ensure code correctness), drop 'type' parameter from struct expr_ops' snprintf callback. Signed-off-by: Phil Sutter <phil@nwl.cc>
* object: Fix for wrong parameter passed to snprintf callbackPhil Sutter2021-03-151-2/+2
| | | | | | | | Instead of the remaining buffer length, the used buffer length was passed to object's snprintf callback (and the final snprintf call). Fixes: 5573d0146c1ae ("src: support for stateful objects") Signed-off-by: Phil Sutter <phil@nwl.cc>
* obj/ct_timeout: Fix snprintf buffer length updatesPhil Sutter2021-03-151-5/+5
| | | | | | | | Have to pass shrinking 'remain' variable to consecutive snprintf calls instead of the unchanged 'len' parameter. Fixes: 0adceeab1597a ("src: add ct timeout support") Signed-off-by: Phil Sutter <phil@nwl.cc>
* obj/ct_expect: Fix snprintf buffer length updatesPhil Sutter2021-03-151-5/+9
| | | | | | | | Have to pass shrinking 'remain' variable to consecutive snprintf calls instead of the unchanged 'len' parameter. Fixes: c4b6aa09b85d2 ("src: add ct expectation support") Signed-off-by: Phil Sutter <phil@nwl.cc>
* expr: Fix snprintf buffer length updatesPhil Sutter2021-03-154-12/+12
| | | | | | | | Subsequent calls to snprintf() sometimes reuse 'len' variable although they should refer to the updated value in 'remain' instead. Fixes: 676ea569bbe5a ("src: Change parameters of SNPRINTF_BUFFER_SIZE macro.") Signed-off-by: Phil Sutter <phil@nwl.cc>
* set_elem: Fix printing of verdict map elementsPhil Sutter2021-03-092-6/+10
| | | | | | | | | | | | | | | | Elements' data was printed as type DATA_VALUE no matter the actual type. For verdicts, this meant no printing at all (because reg->len is either zero or garbage). To fix this, nftnl_set_elem_snprintf_default() needs type info held in struct nftnl_set. Pass it via parameter to that function, make it non-static and call it from nftnl_set_snprintf_default() instead of the generic nftnl_set_elem_snprintf(). This way no changes have to be done to exported functions, also the output type is already defined when nftnl_set_snprintf_default() runs so checking type value again is pointless. Signed-off-by: Phil Sutter <phil@nwl.cc>
* expr/{masq,nat}: Don't print unused regsPhil Sutter2021-03-092-7/+21
| | | | | | | No point in printing the unset register value (which is zero then). Fixes: af0c182670837 ("expr: masq: Add support for port selection") Signed-off-by: Phil Sutter <phil@nwl.cc>
* rule: Avoid printing trailing spacesPhil Sutter2021-03-091-9/+18
| | | | | | | | Introduce 'sep' variable to track whether something was printed already. While being at it, introduce PRIu64 for 'handle' and 'position' attributes. Signed-off-by: Phil Sutter <phil@nwl.cc>
* expr/xfrm: Kill dead codePhil Sutter2021-03-091-28/+0
| | | | | | | These functions were used by removed JSON parser only. Fixes: 80077787f8f21 ("src: remove json support") Signed-off-by: Phil Sutter <phil@nwl.cc>
* expr/tunnel: Kill dead codePhil Sutter2021-03-091-13/+0
| | | | | | | Function str2tunnel_key() was never used. Fixes: 42468fb6df61a ("expr: add support for matching tunnel metadata") Signed-off-by: Phil Sutter <phil@nwl.cc>
* expr/socket: Kill dead codePhil Sutter2021-03-091-13/+0
| | | | | | | Function str2socket_key() was never used. Fixes: 038d226f2e6cc ("src: Add support for native socket matching") Signed-off-by: Phil Sutter <phil@nwl.cc>
* table: add table owner supportPablo Neira Ayuso2021-03-011-1/+13
| | | | | | Add support for NFTA_TABLE_OWNER. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* dynset: add NFTNL_EXPR_DYNSET_FLAGSPablo Neira Ayuso2021-01-131-0/+15
| | | | | | This patch adds support for the dynset flags. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add NFTNL_EXPR_DYNSET_EXPRESSIONSPablo Neira Ayuso2020-12-173-14/+102
| | | | | | | | | | | | | | NFTNL_EXPR_DYNSET_EXPR defines the stateful expression type that an element stores when added from the packet path. This patch adds support for the set expression list, which generalizes NFTNL_EXPR_DYNSET_EXPR. This patch also adds nftnl_expr_add_expr() to add new expressions to elements and nftnl_set_expr_expr_foreach() to iterate over the list of expressions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add NFTNL_SET_EXPRESSIONSPablo Neira Ayuso2020-12-172-16/+97
| | | | | | | | | | | | | | | | NFTNL_SET_EXPR defines the stateful expression type that this set stores in each element. This provides the set definition in terms of stateful expressions. The expression that is passed via NFNTL_SET_ELEM_EXPR must equal to this set stateful expression type, otherwise the kernel bails out. This patch adds support for the set expression list, which generalizes NFTNL_SET_EXPR. This patch also adds nftnl_set_add_expr() to add new expressions to a set and nftnl_set_elem_expr_foreach() to iterate over the list of expressions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add NFTNL_SET_ELEM_EXPRESSIONSPablo Neira Ayuso2020-12-172-17/+99
| | | | | | | | | | | | | | | NFTNL_SET_ELEM_EXPR defines the stateful expression type that this element stores. This is useful to restore runtime set element stateful expressions (when saving, then reboot and restore). This patch adds support for the set element expression list, which generalizes NFTNL_SET_ELEM_EXPR. This patch also adds nftnl_set_elem_add_expr() to add new expressions to set elements and nftnl_set_elem_expr_foreach() to iterate over the list of expressions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: Include key_end data reg in print outputPhil Sutter2020-12-151-0/+10
| | | | | | | | Elements of concatenated range sets hold the upper boundary in an extra data_reg, print it using dash as a somewhat intuitive separator. Fixes: 04cc28d8d6923 ("set_elem: Introduce support for NFTNL_SET_ELEM_KEY_END") Signed-off-by: Phil Sutter <phil@nwl.cc>
* set_elem: Use nftnl_data_reg_snprintf()Phil Sutter2020-12-152-9/+13
| | | | | | | | Introduce a flag to allow toggling the '0x' prefix when printing data values, then use the existing routines to print data registers from set_elem code. Signed-off-by: Phil Sutter <phil@nwl.cc>
* bitwise: improve formatting of registers in bitwise dumps.Jeremy Sowden2020-11-161-1/+1
| | | | | | | | | Registers are formatted as 'reg %u' everywhere apart from in bitwise expressions where they are formatted as 'reg=%u'. Change bitwise to match. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add nftnl_rule_del_expr()Pablo Neira Ayuso2020-10-192-0/+7
| | | | | | Add a function to remove expression from the rule list. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: expose nftnl_expr_build_payload()Pablo Neira Ayuso2020-10-162-0/+2
| | | | | | | This function allows you to build the netlink attributes for expressions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: socket: add wildcard supportPablo Neira Ayuso2020-10-121-0/+1
| | | | | | Add missing NFT_SOCKET_WILDCARD definition. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: add userdata and comment supportJose M. Guisado Gomez2020-09-301-0/+31
| | | | | | | | | | | | Adds NFTNL_CHAIN_USERDATA, in order to support userdata for chains. Adds NFTNL_UDATA_CHAIN_COMMENT chain userdata type to support storing a comment. Relies on NFTA_CHAIN_USERDATA. Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* object: add userdata and comment supportJose M. Guisado Gomez2020-09-082-0/+30
| | | | | | | | | | | | | This patch adds NFTNL_OBJ_USERDATA to support userdata for objects. Also adds NFTNL_UDATA_OBJ_COMMENT to support comments for objects, stored in userdata space. Bumps libnftnl.map to 15 as nftnl_obj_get_data needs to be exported to enable getting object attributes/data. Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* table: add userdata supportJose M. Guisado Gomez2020-08-281-0/+33
| | | | | | | | This patch adds NFT_TABLE_USERDATA and NFTNL_UDATA_TABLE_COMMENT to support for table comments. Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftnl: export nftnl_set_elem_fprintfFlorian Westphal2020-08-202-2/+2
| | | | | | | | | | Was not exported so far due to a typo. While at it, add const qualifier to element structure. Will be used to optionally dump set contents / elements from nft frontend. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add support for chain ID attributePablo Neira Ayuso2020-07-213-0/+32
| | | | | | | his patch allows you to refer to chains via the chain ID. The semantics are similar to the NFTA_RULE_ID attribute. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* flowtable: relax logic to build NFTA_FLOWTABLE_HOOKPablo Neira Ayuso2020-05-251-12/+19
| | | | | | | | The logic to build NFTA_FLOWTABLE_HOOK enforces the presence of the hook number and priority to include the devices. Relax this to allow for incremental device updates. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: dynset: release stateful expression from .free pathPablo Neira Ayuso2020-05-061-0/+2
| | | | | | | | | | | | | | | | ==22778==ERROR: LeakSanitizer: detected memory leaks Direct leak of 64 byte(s) in 1 object(s) allocated from: #0 0x7f3212406518 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9518) #1 0x7f321041703e in nftnl_expr_alloc /home/pablo/devel/scm/git-netfilter/libnftnl/src/expr.c:37 #2 0x7f3211d51c16 in netlink_gen_limit_stmt /home/pablo/devel/scm/git-netfilter/nftables/src/netlink_linearize.c:859 #3 0x7f3211d5220c in netlink_gen_stmt_stateful /home/pablo/devel/scm/git-netfilter/nftables/src/netlink_linearize.c:891 #4 0x7f3211d58630 in netlink_gen_meter_stmt /home/pablo/devel/scm/git-netfilter/nftables/src/netlink_linearize.c:1441 [...] SUMMARY: AddressSanitizer: 64 byte(s) leaked in 1 allocation(s). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>