| author | Florian Westphal <fw@strlen.de> | 2025-10-17 13:51:41 +0200 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2025-11-11 13:00:29 +0100 |
| commit | f2813fb53b00d6edde8bc9409712820c45de4c1e (patch) | |
| tree | 39eacd46307645a8129fe45f7d83f9a7d1032435 /Makefile.am | |
| parent | 454f361434522bbeba32e114a14c336e1ebf20a1 (diff) | |
support for afl++ (american fuzzy lop++) fuzzer
afl comes with a compiler frontend that can add instrumentation suitable
for running nftables via the "afl-fuzz" fuzzer.
This change adds a "--with-fuzzer" option to configure script and enables
specific handling in nftables and libnftables to speed up the fuzzing process.
It also adds the "--fuzzer" command line option.
afl-fuzz initialisation gets delayed until after the netlink context is set up
and symbol tables (e.g. route marks) have been parsed.
When afl-fuzz restarts the process with a new input round, it will
resume *after* this point (see __AFL_INIT macro in main.c).
With --fuzzer <stage>, nft will perform multiple fuzzing rounds per
invocation: this increases processing rate by an order of magnitude.
The argument to '--fuzzer' specifies the last stage to run:
1: 'parser':
Only run / exercise the flex/bison parser.
2: 'eval': stop after the evaluation phase.
This attempts to build a complete ruleset in memory, does
symbol resolution, adds needed shift/masks to payload instructions
etc.
3: 'netlink-ro':
'netlink-ro' builds the netlink buffer to send to the kernel,
without actually doing so.
4: 'netlink-rw':
The generated command/ruleset will be passed to the kernel.
You can combine it with the '--check' option to send data to the kernel
but without actually committing any changes.
This could still end up triggering a kernel crash if there are bugs
in the validation / transaction / abort phases.
Use 'netlink-ro' if you want to prevent nft from ever submitting any
changes to the kernel or if you are only interested in fuzzing nftables
and its libraries.
In case a kernel splat is detected, the fuzzing process stops and all further
fuzzer attempts are blocked until reboot.
Signed-off-by: Florian Westphal <fw@strlen.de>
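The deferred initialisation and the per-stage cut-off described in the commit message, as an added example that is not nftables code: a toy afl++ persistent-mode harness in which all one-off setup happens before `__AFL_INIT()`, inputs are consumed in an `__AFL_LOOP()` so one process handles many rounds, and a numeric last-stage argument (1 parser, 2 eval, 3 netlink-ro, 4 netlink-rw) decides how far each input travels. The grammar (`mark <symbol-or-number>`), the symbol names and values, the message layout and the stubbed `submit()` counter are assumptions made for this example; the only real afl++ pieces are the `__AFL_INIT()`/`__AFL_LOOP()` macros, and fallbacks are defined so the file also builds and runs with a plain C compiler.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* afl-cc / afl-clang-fast inject __AFL_INIT() and __AFL_LOOP() as -D macros.
 * Fallbacks so this file also builds and runs with a plain C compiler. */
#ifndef __AFL_INIT
#define __AFL_INIT() do { } while (0)
#endif
#ifndef __AFL_LOOP
static int afl_loop_iter;
#define __AFL_LOOP(n) (afl_loop_iter++ < (n))
#endif

/* Stage numbers mirror the --fuzzer argument described in the commit message. */
enum stage { STAGE_PARSER = 1, STAGE_EVAL, STAGE_NETLINK_RO, STAGE_NETLINK_RW };

/* Toy symbol table standing in for the route-mark table parsed before
 * __AFL_INIT(); names and values are made up for this example. */
struct symbol { const char *name; unsigned value; };
static const struct symbol marks[] = { { "trusted", 0x10 }, { "guest", 0x20 } };
#define NMARKS (sizeof marks / sizeof marks[0])

struct cmd { char name[32]; unsigned value; };

/* Stage 1: the toy grammar is a single line "mark <symbol-or-number>". */
static int parse(const char *in, struct cmd *c)
{
	return sscanf(in, "mark %31s", c->name) == 1 ? 0 : -1;
}

/* Stage 2: symbol resolution, falling back to a numeric literal. */
static int eval(struct cmd *c)
{
	unsigned long v;
	char *end;
	size_t i;

	for (i = 0; i < NMARKS; i++)
		if (strcmp(marks[i].name, c->name) == 0) {
			c->value = marks[i].value;
			return 0;
		}
	v = strtoul(c->name, &end, 0);
	if (*end != '\0' || v > UINT_MAX)
		return -1;
	c->value = (unsigned)v;
	return 0;
}

/* Stage 3: serialise (type, payload length, payload) without touching a socket. */
static size_t build_msg(const struct cmd *c, unsigned char *buf, size_t cap)
{
	if (cap < 2 + sizeof c->value)
		return 0;
	buf[0] = 0x01;
	buf[1] = sizeof c->value;
	memcpy(buf + 2, &c->value, sizeof c->value);
	return 2 + sizeof c->value;
}

/* Stage 4: hand the message to the "kernel". Stubbed to a counter so the
 * example runs offline; a real harness would write to a netlink socket. */
static size_t submitted;
static int submit(const unsigned char *buf, size_t len)
{
	(void)buf;
	if (len == 0)
		return -1;
	submitted++;
	return 0;
}
size_t submitted_count(void) { return submitted; }

/* Runs one input through the pipeline, never going past last_stage. Returns
 * the highest stage that completed (0 when the parser rejected the input). */
int run_input(const char *in, int last_stage)
{
	struct cmd c;
	unsigned char msg[16];
	size_t len;

	if (parse(in, &c) < 0)
		return 0;
	if (last_stage < STAGE_EVAL || eval(&c) < 0)
		return STAGE_PARSER;
	if (last_stage < STAGE_NETLINK_RO)
		return STAGE_EVAL;
	len = build_msg(&c, msg, sizeof msg);
	if (len == 0)
		return STAGE_EVAL;
	if (last_stage < STAGE_NETLINK_RW || submit(msg, len) < 0)
		return STAGE_NETLINK_RO;
	return STAGE_NETLINK_RW;
}

int main(int argc, char **argv)
{
	int last_stage = argc > 1 ? atoi(argv[1]) : STAGE_NETLINK_RO;
	char line[256];
	int n;

	/* One-off setup (sockets, symbol tables) belongs above this line: afl-fuzz
	 * starts its fork server at __AFL_INIT(), so each new input resumes here. */
	__AFL_INIT();

	/* Persistent mode: many inputs per process; re-read stdin every round. */
	while (__AFL_LOOP(1000)) {
		n = read(0, line, sizeof line - 1);
		if (n <= 0)
			break;
		line[n] = '\0';
		line[strcspn(line, "\n")] = '\0';
		run_input(line, last_stage);
	}
	return 0;
}
```

Build with `afl-clang-fast -o harness harness.c` and run `afl-fuzz -i in -o out -- ./harness 3` to stay at the netlink-ro cut-off; pass `4` only when you actually want stage 4 to reach the (here stubbed) submit path, which is the same trade-off the commit message describes for `netlink-rw`.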
Diffstat (limited to 'Makefile.am')
| -rw-r--r-- | Makefile.am | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am index bf1c3c44..d2cae2a3 100644 --- a/Makefile.am +++ b/Makefile.am @@ -64,6 +64,7 @@ noinst_HEADERS = \ include/linux/netfilter_ipv6.h \ include/linux/netfilter_ipv6/ip6_tables.h \ \ + include/afl++.h \ include/cache.h \ include/cli.h \ include/cmd.h \ @@ -293,6 +294,10 @@ sbin_PROGRAMS += src/nft src_nft_SOURCES = src/main.c +if BUILD_AFL +src_nft_SOURCES += src/afl++.c +endif + if BUILD_CLI src_nft_SOURCES += src/cli.c endif |
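Review bot: on the noinst_HEADERS hunk, the new file name include/afl++.h (and src/afl++.c in the second hunk) carries '+' characters, which is unusual for C source names and can trip shell globs and other tooling that treats '+' specially; a plainer name such as include/afl.h / src/afl.c (or afl-fuzz.c) would avoid that while keeping the same BUILD_AFL gating.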
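Review bot: on the src_nft_SOURCES hunk, the BUILD_AFL conditional is used here but its AM_CONDITIONAL definition is not part of this file (the diffstat is limited to Makefile.am), so please confirm configure.ac defines BUILD_AFL from the new --with-fuzzer option in the same series, otherwise automake will fail on the undefined conditional. Also, the commit message says the change "enables specific handling in nftables and libnftables", yet src/afl++.c is only added to the nft binary's sources; if libnftables needs any of those helpers, they must be compiled into the library (or provided by the shared header) rather than only into src/nft.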
