summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* Revert "bitwise: add support for passing mask and xor via registers."Pablo Neira Ayuso10 days1-54/+6
| | | | | | | This reverts commit 75b8778e5bf630a3fc13e5d76bc64838135f02a9. Kernel support for this new feature might be reworked, keep this back. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: nat: snprint flags in hexadecimalPablo Neira Ayuso2020-03-201-1/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: masq: revisit _snprintf()Pablo Neira Ayuso2020-03-201-6/+10
| | | | | | Print combination of registers and flags. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: support for NFTNL_SET_EXPRPablo Neira Ayuso2020-03-171-0/+27
| | | | | | This patch adds support for the NFTA_SET_EXPR netlink attribute. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: missing set and build for NFTNL_SET_ELEM_EXPRPablo Neira Ayuso2020-03-111-0/+13
| | | | | | | Extend nftnl_set_elem_set() and nftnl_set_elem_nlmsg_build_payload() to support for the NFTNL_SET_ELEM_EXPR attribute. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: add NFTNL_CHAIN_FLAGSPablo Neira Ayuso2020-03-031-0/+21
| | | | | | This patch adds support for chain flags. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bitwise: add support for passing mask and xor via registers.Jeremy Sowden2020-03-021-6/+54
| | | | | | | | | | The kernel supports passing mask and xor values for bitwise boolean operations via registers. These are mutually exclusive with the existing data attributes: e.g., setting both NFTA_EXPR_BITWISE_MASK and NFTA_EXPR_BITWISE_MREG is an error. Add support to libnftnl. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add nftnl_*_{get,set}_array()Pablo Neira Ayuso2020-02-193-0/+40
| | | | | | | | | The original intention in eb58f53372e7 ("src: add flowtable support") was to introduce this helper function. Add helper to set and to get array of strings. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Phil Sutter <phil@nwl.cc>
* src: Fix for reading garbage in nftnl_chain gettersPhil Sutter2020-02-192-0/+2
| | | | | | | | | | | | | | In {s,u}{32,64} type getters nftnl_assert() is called to make sure returned data length matches expectations. Therefore all attributes must set data_len, which NFTNL_CHAIN_DEVICES didn't. While being at it, do the same change for NFTNL_FLOWTABLE_DEVICES as well to make code a bit more consistent although the problem was fixed for flowtables with commit f8eed54150fd4 ("flowtable: Fix for reading garbage") already (but in the other direction). Fixes: e3ac19b5ec162 ("chain: multi-device support") Signed-off-by: Phil Sutter <phil@nwl.cc>
* set_elem: Introduce support for NFTNL_SET_ELEM_KEY_ENDStefano Brivio2020-02-051-0/+24
| | | | | | | | | | | The new set element attribute maps to the netlink attribute NFTA_SET_ELEM_KEY_END in the same way as NFTNL_SET_ELEM_KEY maps to NFTA_SET_ELEM_KEY, and represents the key data used to express the upper bound of a range, in concatenations. Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: Add support for NFTA_SET_DESC_CONCAT attributesStefano Brivio2020-02-051-19/+92
| | | | | | | | | | | | | | | | | | | | | | | | | | | | If NFTNL_SET_DESC_CONCAT data is passed, pass that to the kernel as NFTA_SET_DESC_CONCAT attributes: it describes the length of single concatenated fields, in bytes. Similarly, parse NFTA_SET_DESC_CONCAT attributes if received from the kernel. This is the libnftnl counterpart for nftables patch: src: Add support for NFTNL_SET_DESC_CONCAT v4: - move NFTNL_SET_DESC_CONCAT to the end of enum nftnl_set_attr to avoid ABI breakage (Pablo Neira Ayuso) v3: - use NFTNL_SET_DESC_CONCAT and NFTA_SET_DESC_CONCAT instead of a stand-alone NFTA_SET_SUBKEY attribute (Pablo Neira Ayuso) - pass field length in bytes instead of bits, fields would get unnecessarily big otherwise v2: - fixed grammar in commit message - removed copy of array bytes in nftnl_set_nlmsg_build_subkey_payload(), we're simply passing values to htonl() (Phil Sutter) Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bitwise: add support for left- and right-shifts.Jeremy Sowden2020-01-181-0/+22
| | | | | | | The kernel supports bitwise shifts. Add support to libnftnl. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bitwise: add support for new netlink attributes.Jeremy Sowden2020-01-181-1/+46
| | | | | | | | Add code to set and get the new op and data attributes. The existing boolean bitwise expressions will only use the op attribute. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bitwise: add helper to print boolean expressions.Jeremy Sowden2020-01-181-3/+11
| | | | | | | | Move the code for printing boolean expressions into a separate function. Another function will be added for shifts later. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bitwise: fix some incorrect indentation.Jeremy Sowden2020-01-181-6/+6
| | | | | Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: Remove buffer.hBrett Mastbergen2020-01-0510-19/+10
| | | | | | | | | Almost everything in this header is unused. The command defines used in utils.c don't seem to be justified and have just been replaced by their strings Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: meta: add slave device matchingFlorian Westphal2020-01-031-1/+3
| | | | | Cc: Martin Willi <martin@strongswan.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* udata: support for TLV attribute nestingPablo Neira Ayuso2019-12-172-0/+22
| | | | | | | This patch adds nftnl_udata_nest_start() and nftnl_udata_nest_end() to build attribute nests. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: Correctly check realloc() callPhil Sutter2019-12-031-6/+5
| | | | | | | | | | | If realloc() fails, it returns NULL but the original pointer is untouchted and therefore still has to be freed. Unconditionally overwriting the old pointer is therefore a bad idea, use a temporary variable instead. Fixes: e3ac19b5ec162 ("chain: multi-device support") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* flowtable: Correctly check realloc() callPhil Sutter2019-12-031-6/+5
| | | | | | | | | | | If realloc() fails, it returns NULL but the original pointer is untouchted and therefore still has to be freed. Unconditionally overwriting the old pointer is therefore a bad idea, use a temporary variable instead. Fixes: 7f99639dd9217 ("flowtable: device array dynamic allocation") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: Fix memleak in error path of nftnl_chain_parse_devs()Phil Sutter2019-12-031-0/+1
| | | | | | | | In error case, dev_array is not freed when it should. Fixes: e3ac19b5ec162 ("chain: multi-device support") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* flowtable: Fix memleak in error path of nftnl_flowtable_parse_devs()Phil Sutter2019-12-031-0/+1
| | | | | | | | In error case, allocated dev_array is not freed. Fixes: 7f99639dd9217 ("flowtable: device array dynamic allocation") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* flowtable: remove NFTA_FLOWTABLE_SIZEPablo Neira Ayuso2019-11-181-6/+0
| | | | | | | | Never defined in upstream Linux kernel uAPI, remove it. Reported-by: Eric Garver <eric@garver.life> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Eric Garver <eric@garver.life>
* flowtable: add support for handle attributeEric Jallot2019-11-062-0/+38
| | | | | | | Add code to implement NFTA_FLOWTABLE_HANDLE Signed-off-by: Eric Jallot <ejallot@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Deprecate untyped data settersPhil Sutter2019-10-317-7/+7
| | | | | | | | | These functions make assumptions on size of passed data pointer and therefore tend to hide programming mistakes. Instead either one of the type-specific setters or the generic *_set_data() setter should be used. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* flowtable: Fix symbol export for clangManuel Messner2019-10-311-27/+27
| | | | | | | | | | | | | | | | | | | | | | clang does not allow attribute declarations after definitions: flowtable.c:41:1: warning: attribute declaration must precede definition [-Wignored-attributes] EXPORT_SYMBOL(nftnl_flowtable_alloc); ^ ../include/utils.h:13:41: note: expanded from macro 'EXPORT_SYMBOL' # define EXPORT_SYMBOL(x) typeof(x) (x) __visible; ^ ../include/utils.h:12:35: note: expanded from macro '__visible' # define __visible __attribute__((visibility("default"))) ^ flowtable.c:37:25: note: previous definition is here struct nftnl_flowtable *nftnl_flowtable_alloc(void) Move attribute declarations before the symbol definitions just like it's done in other source files Signed-off-by: Marvin Schmidt <marvin_schmidt@gmx.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftnl.map: Export nftnl_{obj,flowtable}_set_data()Phil Sutter2019-10-311-0/+2
| | | | | | | | In order to deprecate nftnl_{obj,flowtable}_set() functions, these must to be made available. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: multi-device supportPablo Neira Ayuso2019-10-281-1/+108
| | | | | | Add support for NFTA_HOOK_DEVS. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* flowtable: device array dynamic allocationPablo Neira Ayuso2019-10-281-14/+17
| | | | | | Remove artificial upper limit of 8 devices per flowtable. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* obj/ct_timeout: Fix NFTA_CT_TIMEOUT_DATA parserPhil Sutter2019-10-171-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | This is a necessary follow-up on commit 00b144bc9d093 ("obj/ct_timeout: Avoid array overrun in timeout_parse_attr_data()") which fixed array out of bounds access but missed the logic behind it: The nested attribute type values are incremented by one when being transferred between kernel and userspace, the zero type value is reserved for "unspecified". Kernel uses CTA_TIMEOUT_* symbols for that, libnftnl simply mangles the type values in nftnl_obj_ct_timeout_build(). Return path was broken as it overstepped its nlattr array but apart from that worked: Type values were decremented by one in timeout_parse_attr_data(). This patch moves the type value mangling into parse_timeout_attr_policy_cb() (which still overstepped nlattr array). Consequently, when copying values from nlattr array into ct timeout object in timeout_parse_attr_data(), loop is adjusted to start at index 0 and the type value decrement is dropped there. Fixes: 0adceeab1597a ("src: add ct timeout support") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: Validate nftnl_set_elem_set() parametersPhil Sutter2019-10-161-0/+10
| | | | | | | | | | | | | Copying from nftnl_table_set_data(), validate input to nftnl_set_elem_set() as well. Given that for some attributes the function assumes passed data size, this seems necessary. Since data size expected for NFTNL_SET_ELEM_VERDICT attribute is sizeof(uint32_t), change type of 'verdict' field in union nftnl_data_reg accordingly. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* obj/ct_timeout: Avoid array overrun in timeout_parse_attr_data()Phil Sutter2019-10-151-1/+1
| | | | | | | | | | Array 'tb' has only 'attr_max' elements, the loop overstepped its boundary by one. Copy array_size() macro from include/utils.h in nftables.git to make sure code does the right thing. Fixes: 0adceeab1597a ("src: add ct timeout support") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: Don't bypass checks in nftnl_set_set_u{32,64}()Phil Sutter2019-10-151-2/+2
| | | | | | | | | By calling nftnl_set_set(), any data size checks are effectively bypassed. Better call nftnl_set_set_data() directly, passing the real size for validation. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* obj/tunnel: Fix for undefined behaviourPhil Sutter2019-10-151-3/+3
| | | | | | | | | | | | Cppcheck complains: Shifting signed 32-bit value by 31 bits is undefined behaviour. Indeed, NFTNL_OBJ_TUNNEL_ERSPAN_V2_DIR enum value is 31. Make sure behaviour is as intended by shifting unsigned 1. Fixes: ea63a05272f54 ("obj: add tunnel support") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: Fix return code of nftnl_set_elem_set()Phil Sutter2019-10-151-1/+1
| | | | | | | The function returned -1 on success. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* obj: ct_timeout: Check return code of mnl_attr_parse_nested()Phil Sutter2019-10-151-3/+6
| | | | | | | | | Don't ignore nested attribute parsing errors, this may hide bugs in users' code. Fixes: 0adceeab1597a ("src: add ct timeout support") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: Export nftnl_set_list_lookup_byname()Phil Sutter2019-10-102-19/+38
| | | | | | | | | Rename and optimize internal function nftnl_set_lookup() for external use. Just like with nftnl_chain_list, use a hash table for fast set name lookups. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: synproxy stateful object supportFernando Fernandez Mancera2019-09-103-0/+163
| | | | | | | This patch adds synproxy stateful object support. Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: meta: Make NFT_DYNSET_OP_DELETE knownAnder Juaristi2019-08-271-1/+2
| | | | | Signed-off-by: Ander Juaristi <a@juaristi.eus> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: meta: Make NFT_META_TIME_{NS, DAY, HOUR} knownAnder Juaristi2019-08-271-1/+4
| | | | | Signed-off-by: Ander Juaristi <a@juaristi.eus> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: meta: Make NFT_META_BRI_IIF{VPROTO, PVID} knownwenxu2019-08-141-1/+3
| | | | | | | | This only affects debug output, the key was properly handled in productive code paths already. Signed-off-by: wenxu <wenxu@ucloud.cn> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: meta: Make NFT_META_{I,O}IFKIND knownPhil Sutter2019-07-181-1/+3
| | | | | | | | This only affects debug output, the key was properly handled in productive code paths already. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* udata: fix sigbus crash on sparcFlorian Westphal2019-07-131-2/+4
| | | | | | | | | | | | | | | | Anatoly Pugachev reported crash on 'nft list tables' on sparc and provided following gdb backtrace: Starting program: /opt/nft/sbin/nft list tables Program received signal SIGBUS, Bus error. 0xfff8000100946490 in nftnl_udata_get_u32 (attr=0x10000106e30) at udata.c:127 127 return *data; We can't deref attr->value directly, it causes unaligned access. Reported-by: Anatoly Pugachev <matorola@gmail.com> Tested-by: Anatoly Pugachev <matorola@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add synproxy supportFernando Fernandez Mancera2019-07-063-0/+173
| | | | | Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for matching IPv4 optionsStephen Suryaputra2019-07-041-0/+5
| | | | | | | | | Add capability to have rules matching IPv4 options. This is developed mainly to support dropping of IP packets with loose and/or strict source route route options. Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Add ct id supportBrett Mastbergen2019-06-211-0/+1
| | | | | | | The 'id' key returns the id of the connection entry Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: enable set expiration date for set elementsLaura Garcia Liebana2019-06-211-0/+5
| | | | | | | | | | | | | | | | Currently, the expiration of every element in a set or map is a read-only parameter generated at kernel side. This change will permit to set a certain expiration date per element that will be required, for example, during stateful replication among several nodes. This patch allows to propagate NFTA_SET_ELEM_EXPIRATION from userspace to the kernel in order to set the configured value. Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add ct expectation supportSt├ęphane Veyret2019-06-193-0/+215
| | | | | | | | Add support for ct expectation objects, used to define specific expectations. Signed-off-by: St├ęphane Veyret <sveyret@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: osf: add version option supportFernando Fernandez Mancera2019-04-081-0/+17
| | | | | Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: libnftnl: export genid functions againFlorian Westphal2019-03-131-8/+8
| | | | | | | | Can't use them currently: they are exported only under their old names. Fixes: 44d11498479a08 ("src: get rid of _attr_ infix in new nftnl_ definitions") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>