diff options
Diffstat (limited to 'src/netlink.c')
-rw-r--r-- | src/netlink.c | 1209 |
1 files changed, 928 insertions, 281 deletions
diff --git a/src/netlink.c b/src/netlink.c index a9ccebaf..0088b742 100644 --- a/src/netlink.c +++ b/src/netlink.c @@ -9,12 +9,12 @@ * Development of this code funded by Astaro AG (http://www.astaro.com/) */ -#include <string.h> +#include <nft.h> + #include <errno.h> #include <libmnl/libmnl.h> #include <netinet/in.h> #include <arpa/inet.h> -#include <stdlib.h> #include <inttypes.h> #include <libnftnl/table.h> @@ -59,7 +59,7 @@ void __noreturn __netlink_abi_error(const char *file, int line, { fprintf(stderr, "E: Contact urgently your Linux kernel vendor. " "Netlink ABI is broken: %s:%d %s\n", file, line, reason); - exit(NFT_EXIT_FAILURE); + abort(); } int netlink_io_error(struct netlink_ctx *ctx, const struct location *loc, @@ -96,14 +96,22 @@ struct nftnl_expr *alloc_nft_expr(const char *name) return nle; } +static void netlink_gen_key(const struct expr *expr, + struct nft_data_linearize *data); +static void __netlink_gen_data(const struct expr *expr, + struct nft_data_linearize *data, bool expand); -static struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *set, - const struct expr *expr) +struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *set, + const struct expr *expr) { - const struct expr *elem, *key, *data; + const struct expr *elem, *data; struct nftnl_set_elem *nlse; struct nft_data_linearize nld; struct nftnl_udata_buf *udbuf = NULL; + uint32_t flags = 0; + int num_exprs = 0; + struct stmt *stmt; + struct expr *key; nlse = nftnl_set_elem_alloc(); if (nlse == NULL) @@ -117,16 +125,56 @@ static struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *set, } else { elem = expr; } + if (elem->etype != EXPR_SET_ELEM) + BUG("Unexpected expression type: got %d\n", elem->etype); + key = elem->key; - netlink_gen_data(key, &nld); - nftnl_set_elem_set(nlse, NFTNL_SET_ELEM_KEY, &nld.value, nld.len); + switch (key->etype) { + case EXPR_SET_ELEM_CATCHALL: + break; + default: + if (set->set_flags & NFT_SET_INTERVAL && + key->etype == EXPR_CONCAT && key->field_count > 1) { + key->flags |= EXPR_F_INTERVAL; + netlink_gen_key(key, &nld); + key->flags &= ~EXPR_F_INTERVAL; + + nftnl_set_elem_set(nlse, NFTNL_SET_ELEM_KEY, &nld.value, nld.len); + + key->flags |= EXPR_F_INTERVAL_END; + netlink_gen_key(key, &nld); + key->flags &= ~EXPR_F_INTERVAL_END; + + nftnl_set_elem_set(nlse, NFTNL_SET_ELEM_KEY_END, + &nld.value, nld.len); + } else { + netlink_gen_key(key, &nld); + nftnl_set_elem_set(nlse, NFTNL_SET_ELEM_KEY, &nld.value, nld.len); + } + break; + } + if (elem->timeout) nftnl_set_elem_set_u64(nlse, NFTNL_SET_ELEM_TIMEOUT, elem->timeout); if (elem->expiration) nftnl_set_elem_set_u64(nlse, NFTNL_SET_ELEM_EXPIRATION, elem->expiration); + list_for_each_entry(stmt, &elem->stmt_list, list) + num_exprs++; + + if (num_exprs == 1) { + list_for_each_entry(stmt, &elem->stmt_list, list) { + nftnl_set_elem_set(nlse, NFTNL_SET_ELEM_EXPR, + netlink_gen_stmt_stateful(stmt), 0); + } + } else if (num_exprs > 1) { + list_for_each_entry(stmt, &elem->stmt_list, list) { + nftnl_set_elem_add_expr(nlse, + netlink_gen_stmt_stateful(stmt)); + } + } if (elem->comment || expr->elem_flags) { udbuf = nftnl_udata_buf_alloc(NFT_USERDATA_MAXLEN); if (!udbuf) @@ -149,7 +197,7 @@ static struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *set, nftnl_udata_buf_free(udbuf); } if (set_is_datamap(set->set_flags) && data != NULL) { - netlink_gen_data(data, &nld); + __netlink_gen_data(data, &nld, !(data->flags & EXPR_F_SINGLETON)); switch (data->etype) { case EXPR_VERDICT: nftnl_set_elem_set_u32(nlse, NFTNL_SET_ELEM_VERDICT, @@ -158,7 +206,12 @@ static struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *set, nftnl_set_elem_set(nlse, NFTNL_SET_ELEM_CHAIN, nld.chain, strlen(nld.chain)); break; + case EXPR_CONCAT: + assert(nld.len > 0); + /* fallthrough */ case EXPR_VALUE: + case EXPR_RANGE: + case EXPR_PREFIX: nftnl_set_elem_set(nlse, NFTNL_SET_ELEM_DATA, nld.value, nld.len); break; @@ -174,8 +227,12 @@ static struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *set, } if (expr->flags & EXPR_F_INTERVAL_END) - nftnl_set_elem_set_u32(nlse, NFTNL_SET_ELEM_FLAGS, - NFT_SET_ELEM_INTERVAL_END); + flags |= NFT_SET_ELEM_INTERVAL_END; + if (key->etype == EXPR_SET_ELEM_CATCHALL) + flags |= NFT_SET_ELEM_CATCHALL; + + if (flags) + nftnl_set_elem_set_u32(nlse, NFTNL_SET_ELEM_FLAGS, flags); return nlse; } @@ -188,28 +245,166 @@ void netlink_gen_raw_data(const mpz_t value, enum byteorder byteorder, data->len = len; } -static void netlink_gen_concat_data(const struct expr *expr, +static int netlink_export_pad(unsigned char *data, const mpz_t v, + const struct expr *i) +{ + mpz_export_data(data, v, i->byteorder, + div_round_up(i->len, BITS_PER_BYTE)); + + return netlink_padded_len(i->len) / BITS_PER_BYTE; +} + +static void byteorder_switch_expr_value(mpz_t v, const struct expr *e) +{ + mpz_switch_byteorder(v, div_round_up(e->len, BITS_PER_BYTE)); +} + +static int __netlink_gen_concat_key(uint32_t flags, const struct expr *i, + unsigned char *data) +{ + struct expr *expr; + + switch (i->etype) { + case EXPR_RANGE: + if (flags & EXPR_F_INTERVAL_END) + expr = i->right; + else + expr = i->left; + + if (expr_basetype(expr)->type == TYPE_INTEGER && + expr->byteorder == BYTEORDER_HOST_ENDIAN) + byteorder_switch_expr_value(expr->value, expr); + + i = expr; + break; + case EXPR_PREFIX: + if (flags & EXPR_F_INTERVAL_END) { + int count; + mpz_t v; + + mpz_init_bitmask(v, i->len - i->prefix_len); + + if (i->byteorder == BYTEORDER_HOST_ENDIAN) + byteorder_switch_expr_value(v, i); + + mpz_add(v, i->prefix->value, v); + count = netlink_export_pad(data, v, i); + mpz_clear(v); + return count; + } + return netlink_export_pad(data, i->prefix->value, i); + case EXPR_VALUE: + /* Switch byteorder only once for singleton values when the set + * contains concatenation of intervals. + */ + if (!(flags & EXPR_F_INTERVAL)) + break; + + expr = (struct expr *)i; + if (expr_basetype(expr)->type == TYPE_INTEGER && + expr->byteorder == BYTEORDER_HOST_ENDIAN) + byteorder_switch_expr_value(expr->value, expr); + break; + default: + BUG("invalid expression type '%s' in set", expr_ops(i)->name); + } + + return netlink_export_pad(data, i->value, i); +} + +static void nft_data_memcpy(struct nft_data_linearize *nld, + const void *src, unsigned int len) +{ + if (len > sizeof(nld->value)) + BUG("nld buffer overflow: want to copy %u, max %u\n", len, (unsigned int)sizeof(nld->value)); + + memcpy(nld->value, src, len); + nld->len = len; +} + +static void netlink_gen_concat_key(const struct expr *expr, struct nft_data_linearize *nld) { + unsigned int len = expr->len / BITS_PER_BYTE, offset = 0; + unsigned char data[len]; const struct expr *i; - unsigned int len, offset; - - len = expr->len / BITS_PER_BYTE; - if (1) { - unsigned char data[len]; - - memset(data, 0, sizeof(data)); - offset = 0; - list_for_each_entry(i, &expr->expressions, list) { - assert(i->etype == EXPR_VALUE); - mpz_export_data(data + offset, i->value, i->byteorder, - div_round_up(i->len, BITS_PER_BYTE)); - offset += netlink_padded_len(i->len) / BITS_PER_BYTE; - } - memcpy(nld->value, data, len); - nld->len = len; + memset(data, 0, len); + + list_for_each_entry(i, &expr->expressions, list) + offset += __netlink_gen_concat_key(expr->flags, i, data + offset); + + nft_data_memcpy(nld, data, len); +} + +static int __netlink_gen_concat_data(int end, const struct expr *i, + unsigned char *data) +{ + switch (i->etype) { + case EXPR_RANGE: + i = end ? i->right : i->left; + break; + case EXPR_PREFIX: + if (end) { + int count; + mpz_t v; + + mpz_init_bitmask(v, i->len - i->prefix_len); + mpz_add(v, i->prefix->value, v); + count = netlink_export_pad(data, v, i); + mpz_clear(v); + return count; + } + return netlink_export_pad(data, i->prefix->value, i); + case EXPR_VALUE: + break; + default: + BUG("invalid expression type '%s' in set", expr_ops(i)->name); } + + return netlink_export_pad(data, i->value, i); +} + +static void __netlink_gen_concat_expand(const struct expr *expr, + struct nft_data_linearize *nld) +{ + unsigned int len = div_round_up(expr->len, BITS_PER_BYTE) * 2, offset = 0; + unsigned char data[len]; + const struct expr *i; + + memset(data, 0, len); + + list_for_each_entry(i, &expr->expressions, list) + offset += __netlink_gen_concat_data(false, i, data + offset); + + list_for_each_entry(i, &expr->expressions, list) + offset += __netlink_gen_concat_data(true, i, data + offset); + + nft_data_memcpy(nld, data, len); +} + +static void __netlink_gen_concat(const struct expr *expr, + struct nft_data_linearize *nld) +{ + unsigned int len = expr->len / BITS_PER_BYTE, offset = 0; + unsigned char data[len]; + const struct expr *i; + + memset(data, 0, len); + + list_for_each_entry(i, &expr->expressions, list) + offset += __netlink_gen_concat_data(expr->flags, i, data + offset); + + nft_data_memcpy(nld, data, len); +} + +static void netlink_gen_concat_data(const struct expr *expr, + struct nft_data_linearize *nld, bool expand) +{ + if (expand) + __netlink_gen_concat_expand(expr, nld); + else + __netlink_gen_concat(expr, nld); } static void netlink_gen_constant_data(const struct expr *expr, @@ -220,49 +415,119 @@ static void netlink_gen_constant_data(const struct expr *expr, div_round_up(expr->len, BITS_PER_BYTE), data); } -static void netlink_gen_verdict(const struct expr *expr, - struct nft_data_linearize *data) +static void netlink_gen_chain(const struct expr *expr, + struct nft_data_linearize *data) { char chain[NFT_CHAIN_MAXNAMELEN]; unsigned int len; + len = expr->chain->len / BITS_PER_BYTE; + + if (!len) + BUG("chain length is 0"); + + if (len > sizeof(chain)) + BUG("chain is too large (%u, %u max)", + len, (unsigned int)sizeof(chain)); + + memset(chain, 0, sizeof(chain)); + + mpz_export_data(chain, expr->chain->value, + BYTEORDER_HOST_ENDIAN, len); + snprintf(data->chain, NFT_CHAIN_MAXNAMELEN, "%s", chain); +} + +static void netlink_gen_verdict(const struct expr *expr, + struct nft_data_linearize *data) +{ + data->verdict = expr->verdict; switch (expr->verdict) { case NFT_JUMP: case NFT_GOTO: - len = expr->chain->len / BITS_PER_BYTE; + if (expr->chain) + netlink_gen_chain(expr, data); + else + data->chain_id = expr->chain_id; + break; + } +} - if (!len) - BUG("chain length is 0"); +static void netlink_gen_range(const struct expr *expr, + struct nft_data_linearize *nld) +{ + unsigned int len = div_round_up(expr->left->len, BITS_PER_BYTE) * 2; + unsigned char data[len]; + unsigned int offset = 0; + + memset(data, 0, len); + offset = netlink_export_pad(data, expr->left->value, expr->left); + netlink_export_pad(data + offset, expr->right->value, expr->right); + nft_data_memcpy(nld, data, len); +} - if (len > sizeof(chain)) - BUG("chain is too large (%u, %u max)", - len, (unsigned int)sizeof(chain)); +static void netlink_gen_prefix(const struct expr *expr, + struct nft_data_linearize *nld) +{ + unsigned int len = (netlink_padded_len(expr->len) / BITS_PER_BYTE) * 2; + unsigned char data[NFT_MAX_EXPR_LEN_BYTES]; + int offset; + mpz_t v; - memset(chain, 0, sizeof(chain)); + if (len > sizeof(data)) + BUG("Value export of %u bytes would overflow", len); - mpz_export_data(chain, expr->chain->value, - BYTEORDER_HOST_ENDIAN, len); - snprintf(data->chain, NFT_CHAIN_MAXNAMELEN, "%s", chain); - break; + offset = netlink_export_pad(data, expr->prefix->value, expr); + mpz_init_bitmask(v, expr->len - expr->prefix_len); + mpz_add(v, expr->prefix->value, v); + netlink_export_pad(data + offset, v, expr->prefix); + mpz_clear(v); + + nft_data_memcpy(nld, data, len); +} + +static void netlink_gen_key(const struct expr *expr, + struct nft_data_linearize *data) +{ + switch (expr->etype) { + case EXPR_VALUE: + return netlink_gen_constant_data(expr, data); + case EXPR_CONCAT: + return netlink_gen_concat_key(expr, data); + case EXPR_RANGE: + return netlink_gen_range(expr, data); + case EXPR_PREFIX: + return netlink_gen_prefix(expr, data); + default: + BUG("invalid data expression type %s\n", expr_name(expr)); } } -void netlink_gen_data(const struct expr *expr, struct nft_data_linearize *data) +static void __netlink_gen_data(const struct expr *expr, + struct nft_data_linearize *data, bool expand) { switch (expr->etype) { case EXPR_VALUE: return netlink_gen_constant_data(expr, data); case EXPR_CONCAT: - return netlink_gen_concat_data(expr, data); + return netlink_gen_concat_data(expr, data, expand); case EXPR_VERDICT: return netlink_gen_verdict(expr, data); + case EXPR_RANGE: + return netlink_gen_range(expr, data); + case EXPR_PREFIX: + return netlink_gen_prefix(expr, data); default: BUG("invalid data expression type %s\n", expr_name(expr)); } } +void netlink_gen_data(const struct expr *expr, struct nft_data_linearize *data) +{ + __netlink_gen_data(expr, data, false); +} + struct expr *netlink_alloc_value(const struct location *loc, const struct nft_data_delinearize *nld) { @@ -324,82 +589,74 @@ void netlink_dump_expr(const struct nftnl_expr *nle, fprintf(fp, "\n"); } -static int list_rule_cb(struct nftnl_rule *nlr, void *arg) +void netlink_dump_chain(const struct nftnl_chain *nlc, struct netlink_ctx *ctx) { - struct netlink_ctx *ctx = arg; - const struct handle *h = ctx->data; - struct rule *rule; - const char *table, *chain; - uint32_t family; - - family = nftnl_rule_get_u32(nlr, NFTNL_RULE_FAMILY); - table = nftnl_rule_get_str(nlr, NFTNL_RULE_TABLE); - chain = nftnl_rule_get_str(nlr, NFTNL_RULE_CHAIN); - - if (h->family != family || - strcmp(table, h->table.name) != 0 || - (h->chain.name && strcmp(chain, h->chain.name) != 0)) - return 0; + FILE *fp = ctx->nft->output.output_fp; - netlink_dump_rule(nlr, ctx); - rule = netlink_delinearize_rule(ctx, nlr); - list_add_tail(&rule->list, &ctx->list); + if (!(ctx->nft->debug_mask & NFT_DEBUG_NETLINK) || !fp) + return; - return 0; + nftnl_chain_fprintf(fp, nlc, 0, 0); + fprintf(fp, "\n"); } -int netlink_list_rules(struct netlink_ctx *ctx, const struct handle *h) +static int chain_parse_udata_cb(const struct nftnl_udata *attr, void *data) { - struct nftnl_rule_list *rule_cache; - - rule_cache = mnl_nft_rule_dump(ctx, h->family); - if (rule_cache == NULL) { - if (errno == EINTR) - return -1; + unsigned char *value = nftnl_udata_get(attr); + uint8_t type = nftnl_udata_type(attr); + const struct nftnl_udata **tb = data; + uint8_t len = nftnl_udata_len(attr); - return 0; + switch (type) { + case NFTNL_UDATA_CHAIN_COMMENT: + if (value[len - 1] != '\0') + return -1; + break; + default: + return 0; } - - ctx->data = h; - nftnl_rule_list_foreach(rule_cache, list_rule_cb, ctx); - nftnl_rule_list_free(rule_cache); + tb[type] = attr; return 0; } -void netlink_dump_chain(const struct nftnl_chain *nlc, struct netlink_ctx *ctx) +static int qsort_device_cmp(const void *a, const void *b) { - FILE *fp = ctx->nft->output.output_fp; - - if (!(ctx->nft->debug_mask & NFT_DEBUG_NETLINK) || !fp) - return; + const char **x = (const char **)a; + const char **y = (const char **)b; - nftnl_chain_fprintf(fp, nlc, 0, 0); - fprintf(fp, "\n"); + return strcmp(*x, *y); } struct chain *netlink_delinearize_chain(struct netlink_ctx *ctx, const struct nftnl_chain *nlc) { + const struct nftnl_udata *ud[NFTNL_UDATA_CHAIN_MAX + 1] = {}; int priority, policy, len = 0, i; const char * const *dev_array; struct chain *chain; + const char *udata; + uint32_t ulen; - chain = chain_alloc(nftnl_chain_get_str(nlc, NFTNL_CHAIN_NAME)); + chain = chain_alloc(); chain->handle.family = nftnl_chain_get_u32(nlc, NFTNL_CHAIN_FAMILY); chain->handle.table.name = xstrdup(nftnl_chain_get_str(nlc, NFTNL_CHAIN_TABLE)); + chain->handle.chain.name = + xstrdup(nftnl_chain_get_str(nlc, NFTNL_CHAIN_NAME)); chain->handle.handle.id = nftnl_chain_get_u64(nlc, NFTNL_CHAIN_HANDLE); + if (nftnl_chain_is_set(nlc, NFTNL_CHAIN_FLAGS)) + chain->flags = nftnl_chain_get_u32(nlc, NFTNL_CHAIN_FLAGS); if (nftnl_chain_is_set(nlc, NFTNL_CHAIN_HOOKNUM) && nftnl_chain_is_set(nlc, NFTNL_CHAIN_PRIO) && nftnl_chain_is_set(nlc, NFTNL_CHAIN_TYPE) && nftnl_chain_is_set(nlc, NFTNL_CHAIN_POLICY)) { - chain->hooknum = + chain->hook.num = nftnl_chain_get_u32(nlc, NFTNL_CHAIN_HOOKNUM); - chain->hookstr = - hooknum2str(chain->handle.family, chain->hooknum); + chain->hook.name = + hooknum2str(chain->handle.family, chain->hook.num); priority = nftnl_chain_get_s32(nlc, NFTNL_CHAIN_PRIO); chain->priority.expr = constant_expr_alloc(&netlink_location, @@ -407,7 +664,7 @@ struct chain *netlink_delinearize_chain(struct netlink_ctx *ctx, BYTEORDER_HOST_ENDIAN, sizeof(int) * BITS_PER_BYTE, &priority); - chain->type = + chain->type.str = xstrdup(nftnl_chain_get_str(nlc, NFTNL_CHAIN_TYPE)); policy = nftnl_chain_get_u32(nlc, NFTNL_CHAIN_POLICY); chain->policy = constant_expr_alloc(&netlink_location, @@ -435,64 +692,71 @@ struct chain *netlink_delinearize_chain(struct netlink_ctx *ctx, chain->dev_array_len = len; } chain->flags |= CHAIN_F_BASECHAIN; - } - return chain; -} - -static int list_chain_cb(struct nftnl_chain *nlc, void *arg) -{ - struct netlink_ctx *ctx = arg; - const struct handle *h = ctx->data; - const char *table; - const char *name; - struct chain *chain; - uint32_t family; - - table = nftnl_chain_get_str(nlc, NFTNL_CHAIN_TABLE); - name = nftnl_chain_get_str(nlc, NFTNL_CHAIN_NAME); - family = nftnl_chain_get_u32(nlc, NFTNL_CHAIN_FAMILY); - - if (h->family != family || strcmp(table, h->table.name) != 0) - return 0; - if (h->chain.name && strcmp(name, h->chain.name) != 0) - return 0; + if (chain->dev_array_len) { + qsort(chain->dev_array, chain->dev_array_len, + sizeof(char *), qsort_device_cmp); + } + } - chain = netlink_delinearize_chain(ctx, nlc); - list_add_tail(&chain->list, &ctx->list); + if (nftnl_chain_is_set(nlc, NFTNL_CHAIN_USERDATA)) { + udata = nftnl_chain_get_data(nlc, NFTNL_CHAIN_USERDATA, &ulen); + if (nftnl_udata_parse(udata, ulen, chain_parse_udata_cb, ud) < 0) { + netlink_io_error(ctx, NULL, "Cannot parse userdata"); + chain_free(chain); + return NULL; + } + if (ud[NFTNL_UDATA_CHAIN_COMMENT]) + chain->comment = xstrdup(nftnl_udata_get(ud[NFTNL_UDATA_CHAIN_COMMENT])); + } - return 0; + return chain; } -int netlink_list_chains(struct netlink_ctx *ctx, const struct handle *h) +static int table_parse_udata_cb(const struct nftnl_udata *attr, void *data) { - struct nftnl_chain_list *chain_cache; - - chain_cache = mnl_nft_chain_dump(ctx, h->family); - if (chain_cache == NULL) { - if (errno == EINTR) - return -1; + unsigned char *value = nftnl_udata_get(attr); + const struct nftnl_udata **tb = data; + uint8_t type = nftnl_udata_type(attr); + uint8_t len = nftnl_udata_len(attr); - return 0; + switch (type) { + case NFTNL_UDATA_TABLE_COMMENT: + if (value[len - 1] != '\0') + return -1; + break; + default: + return 0; } - - ctx->data = h; - nftnl_chain_list_foreach(chain_cache, list_chain_cb, ctx); - nftnl_chain_list_free(chain_cache); - + tb[type] = attr; return 0; } struct table *netlink_delinearize_table(struct netlink_ctx *ctx, const struct nftnl_table *nlt) { + const struct nftnl_udata *ud[NFTNL_UDATA_TABLE_MAX + 1] = {}; struct table *table; + const char *udata; + uint32_t ulen; table = table_alloc(); table->handle.family = nftnl_table_get_u32(nlt, NFTNL_TABLE_FAMILY); table->handle.table.name = xstrdup(nftnl_table_get_str(nlt, NFTNL_TABLE_NAME)); table->flags = nftnl_table_get_u32(nlt, NFTNL_TABLE_FLAGS); table->handle.handle.id = nftnl_table_get_u64(nlt, NFTNL_TABLE_HANDLE); + table->owner = nftnl_table_get_u32(nlt, NFTNL_TABLE_OWNER); + + if (nftnl_table_is_set(nlt, NFTNL_TABLE_USERDATA)) { + udata = nftnl_table_get_data(nlt, NFTNL_TABLE_USERDATA, &ulen); + if (nftnl_udata_parse(udata, ulen, table_parse_udata_cb, ud) < 0) { + netlink_io_error(ctx, NULL, "Cannot parse userdata"); + table_free(table); + return NULL; + } + if (ud[NFTNL_UDATA_TABLE_COMMENT]) + table->comment = xstrdup(nftnl_udata_get(ud[NFTNL_UDATA_TABLE_COMMENT])); + } return table; } @@ -508,16 +772,24 @@ static int list_table_cb(struct nftnl_table *nlt, void *arg) return 0; } -int netlink_list_tables(struct netlink_ctx *ctx, const struct handle *h) +int netlink_list_tables(struct netlink_ctx *ctx, const struct handle *h, + const struct nft_cache_filter *filter) { struct nftnl_table_list *table_cache; + uint32_t family = h->family; + const char *table = NULL; + + if (filter) { + family = filter->list.family; + table = filter->list.table; + } - table_cache = mnl_nft_table_dump(ctx, h->family); + table_cache = mnl_nft_table_dump(ctx, family, table); if (table_cache == NULL) { if (errno == EINTR) return -1; - return 0; + return -1; } ctx->data = h; @@ -538,13 +810,17 @@ enum nft_data_types dtype_map_to_kernel(const struct datatype *dtype) static const struct datatype *dtype_map_from_kernel(enum nft_data_types type) { + /* The function always returns ownership of a reference. But for + * &verdict_Type and datatype_lookup(), those are static instances, + * we can omit the datatype_get() call. + */ switch (type) { case NFT_DATA_VERDICT: return &verdict_type; default: if (type & ~TYPE_MASK) return concat_type_alloc(type); - return datatype_lookup(type); + return datatype_lookup((enum datatypes) type); } } @@ -561,6 +837,7 @@ void netlink_dump_set(const struct nftnl_set *nls, struct netlink_ctx *ctx) static int set_parse_udata_cb(const struct nftnl_udata *attr, void *data) { + unsigned char *value = nftnl_udata_get(attr); const struct nftnl_udata **tb = data; uint8_t type = nftnl_udata_type(attr); uint8_t len = nftnl_udata_len(attr); @@ -569,6 +846,7 @@ static int set_parse_udata_cb(const struct nftnl_udata *attr, void *data) case NFTNL_UDATA_SET_KEYBYTEORDER: case NFTNL_UDATA_SET_DATABYTEORDER: case NFTNL_UDATA_SET_MERGE_ELEMENTS: + case NFTNL_UDATA_SET_DATA_INTERVAL: if (len != sizeof(uint32_t)) return -1; break; @@ -577,6 +855,10 @@ static int set_parse_udata_cb(const struct nftnl_udata *attr, void *data) if (len < 3) return -1; break; + case NFTNL_UDATA_SET_COMMENT: + if (value[len - 1] != '\0') + return -1; + break; default: return 0; } @@ -608,8 +890,8 @@ static struct expr *set_make_key(const struct nftnl_udata *attr) { const struct nftnl_udata *ud[NFTNL_UDATA_SET_TYPEOF_MAX + 1] = {}; const struct expr_ops *ops; - enum expr_types etype; struct expr *expr; + uint32_t etype; int err; if (!attr) @@ -625,7 +907,9 @@ static struct expr *set_make_key(const struct nftnl_udata *attr) return NULL; etype = nftnl_udata_get_u32(ud[NFTNL_UDATA_SET_TYPEOF_EXPR]); - ops = expr_ops_by_type(etype); + ops = expr_ops_by_type_u32(etype); + if (!ops) + return NULL; expr = ops->parse_udata(ud[NFTNL_UDATA_SET_TYPEOF_DATA]); if (!expr) @@ -634,7 +918,7 @@ static struct expr *set_make_key(const struct nftnl_udata *attr) return expr; } -static bool set_udata_key_valid(const struct expr *e, const struct datatype *d, uint32_t len) +static bool set_udata_key_valid(const struct expr *e, uint32_t len) { if (!e) return false; @@ -642,25 +926,46 @@ static bool set_udata_key_valid(const struct expr *e, const struct datatype *d, return div_round_up(e->len, BITS_PER_BYTE) == len / BITS_PER_BYTE; } +struct setelem_parse_ctx { + struct set *set; + struct nft_cache *cache; + struct list_head stmt_list; +}; + +static int set_elem_parse_expressions(struct nftnl_expr *e, void *data) +{ + struct setelem_parse_ctx *setelem_parse_ctx = data; + struct nft_cache *cache = setelem_parse_ctx->cache; + struct set *set = setelem_parse_ctx->set; + struct stmt *stmt; + + stmt = netlink_parse_set_expr(set, cache, e); + list_add_tail(&stmt->list, &setelem_parse_ctx->stmt_list); + + return 0; +} + struct set *netlink_delinearize_set(struct netlink_ctx *ctx, const struct nftnl_set *nls) { const struct nftnl_udata *ud[NFTNL_UDATA_SET_MAX + 1] = {}; enum byteorder keybyteorder = BYTEORDER_INVALID; enum byteorder databyteorder = BYTEORDER_INVALID; - const struct datatype *keytype, *datatype = NULL; - struct expr *typeof_expr_key, *typeof_expr_data; + struct setelem_parse_ctx set_parse_ctx; + const struct datatype *datatype = NULL; + const struct datatype *keytype = NULL; + const struct datatype *dtype2 = NULL; + const struct datatype *dtype = NULL; + struct expr *typeof_expr_data = NULL; + struct expr *typeof_expr_key = NULL; + const char *udata, *comment = NULL; uint32_t flags, key, objtype = 0; - const struct datatype *dtype; + uint32_t data_interval = 0; bool automerge = false; - const char *udata; struct set *set; uint32_t ulen; uint32_t klen; - typeof_expr_key = NULL; - typeof_expr_data = NULL; - if (nftnl_set_is_set(nls, NFTNL_SET_USERDATA)) { udata = nftnl_set_get_data(nls, NFTNL_SET_USERDATA, &ulen); if (nftnl_udata_parse(udata, ulen, set_parse_udata_cb, ud) < 0) { @@ -675,11 +980,14 @@ struct set *netlink_delinearize_set(struct netlink_ctx *ctx, GET_U32_UDATA(keybyteorder, NFTNL_UDATA_SET_KEYBYTEORDER); GET_U32_UDATA(databyteorder, NFTNL_UDATA_SET_DATABYTEORDER); GET_U32_UDATA(automerge, NFTNL_UDATA_SET_MERGE_ELEMENTS); + GET_U32_UDATA(data_interval, NFTNL_UDATA_SET_DATA_INTERVAL); #undef GET_U32_UDATA typeof_expr_key = set_make_key(ud[NFTNL_UDATA_SET_KEY_TYPEOF]); if (ud[NFTNL_UDATA_SET_DATA_TYPEOF]) typeof_expr_data = set_make_key(ud[NFTNL_UDATA_SET_DATA_TYPEOF]); + if (ud[NFTNL_UDATA_SET_COMMENT]) + comment = nftnl_udata_get(ud[NFTNL_UDATA_SET_COMMENT]); } key = nftnl_set_get_u32(nls, NFTNL_SET_KEY_TYPE); @@ -700,8 +1008,8 @@ struct set *netlink_delinearize_set(struct netlink_ctx *ctx, netlink_io_error(ctx, NULL, "Unknown data type in set key %u", data); - datatype_free(keytype); - return NULL; + set = NULL; + goto out; } } @@ -716,18 +1024,48 @@ struct set *netlink_delinearize_set(struct netlink_ctx *ctx, set->handle.table.name = xstrdup(nftnl_set_get_str(nls, NFTNL_SET_TABLE)); set->handle.set.name = xstrdup(nftnl_set_get_str(nls, NFTNL_SET_NAME)); set->automerge = automerge; + if (comment) + set->comment = xstrdup(comment); + + init_list_head(&set_parse_ctx.stmt_list); + + if (nftnl_set_is_set(nls, NFTNL_SET_EXPR)) { + const struct nftnl_expr *nle; + struct stmt *stmt; + + nle = nftnl_set_get(nls, NFTNL_SET_EXPR); + stmt = netlink_parse_set_expr(set, &ctx->nft->cache, nle); + list_add_tail(&stmt->list, &set_parse_ctx.stmt_list); + } else if (nftnl_set_is_set(nls, NFTNL_SET_EXPRESSIONS)) { + set_parse_ctx.cache = &ctx->nft->cache; + set_parse_ctx.set = set; + nftnl_set_expr_foreach(nls, set_elem_parse_expressions, + &set_parse_ctx); + } + list_splice_tail(&set_parse_ctx.stmt_list, &set->stmt_list); + + set->flags = nftnl_set_get_u32(nls, NFTNL_SET_FLAGS); if (datatype) { - dtype = set_datatype_alloc(datatype, databyteorder); + uint32_t dlen; + + dtype2 = set_datatype_alloc(datatype, databyteorder); klen = nftnl_set_get_u32(nls, NFTNL_SET_DATA_LEN) * BITS_PER_BYTE; - if (set_udata_key_valid(typeof_expr_data, dtype, klen)) { - datatype_free(datatype_get(dtype)); + dlen = data_interval ? klen / 2 : klen; + + if (set_udata_key_valid(typeof_expr_data, dlen)) { + typeof_expr_data->len = klen; set->data = typeof_expr_data; + typeof_expr_data = NULL; + } else if (set->flags & NFT_SET_OBJECT) { + set->data = constant_expr_alloc(&netlink_location, + dtype2, + databyteorder, klen, + NULL); } else { - expr_free(typeof_expr_data); set->data = constant_expr_alloc(&netlink_location, - dtype, + dtype2, databyteorder, klen, NULL); @@ -736,28 +1074,23 @@ struct set *netlink_delinearize_set(struct netlink_ctx *ctx, typeof_expr_key = NULL; } - if (dtype != datatype) - datatype_free(datatype); + if (data_interval) + set->data->flags |= EXPR_F_INTERVAL; } dtype = set_datatype_alloc(keytype, keybyteorder); klen = nftnl_set_get_u32(nls, NFTNL_SET_KEY_LEN) * BITS_PER_BYTE; - if (set_udata_key_valid(typeof_expr_key, dtype, klen)) { - datatype_free(datatype_get(dtype)); + if (set_udata_key_valid(typeof_expr_key, klen)) { set->key = typeof_expr_key; + typeof_expr_key = NULL; set->key_typeof_valid = true; } else { - expr_free(typeof_expr_key); set->key = constant_expr_alloc(&netlink_location, dtype, keybyteorder, klen, NULL); } - if (dtype != keytype) - datatype_free(keytype); - - set->flags = nftnl_set_get_u32(nls, NFTNL_SET_FLAGS); set->handle.handle.id = nftnl_set_get_u64(nls, NFTNL_SET_HANDLE); set->objtype = objtype; @@ -773,76 +1106,225 @@ struct set *netlink_delinearize_set(struct netlink_ctx *ctx, if (nftnl_set_is_set(nls, NFTNL_SET_DESC_SIZE)) set->desc.size = nftnl_set_get_u32(nls, NFTNL_SET_DESC_SIZE); + if (nftnl_set_is_set(nls, NFTNL_SET_DESC_CONCAT)) { + uint32_t len = NFT_REG32_COUNT; + const uint8_t *data; + + data = nftnl_set_get_data(nls, NFTNL_SET_DESC_CONCAT, &len); + if (data) { + memcpy(set->desc.field_len, data, len); + set->desc.field_count = len; + } + } + +out: + expr_free(typeof_expr_data); + expr_free(typeof_expr_key); + datatype_free(datatype); + datatype_free(keytype); + datatype_free(dtype2); + datatype_free(dtype); return set; } -static int list_set_cb(struct nftnl_set *nls, void *arg) +void alloc_setelem_cache(const struct expr *set, struct nftnl_set *nls) { - struct netlink_ctx *ctx = arg; - struct set *set; + struct nftnl_set_elem *nlse; + const struct expr *expr; - set = netlink_delinearize_set(ctx, nls); - if (set == NULL) - return -1; - list_add_tail(&set->list, &ctx->list); - return 0; + list_for_each_entry(expr, &set->expressions, list) { + nlse = alloc_nftnl_setelem(set, expr); + nftnl_set_elem_add(nls, nlse); + } } -int netlink_list_sets(struct netlink_ctx *ctx, const struct handle *h) +static bool range_expr_is_prefix(const struct expr *range, uint32_t *prefix_len) { - struct nftnl_set_list *set_cache; - int err; + const struct expr *right = range->right; + const struct expr *left = range->left; + uint32_t len = left->len; + unsigned long n1, n2; + uint32_t plen; + mpz_t bitmask; - set_cache = mnl_nft_set_dump(ctx, h->family, h->table.name); - if (set_cache == NULL) { - if (errno == EINTR) - return -1; + mpz_init2(bitmask, left->len); + mpz_xor(bitmask, left->value, right->value); - return 0; + n1 = mpz_scan0(bitmask, 0); + if (n1 == ULONG_MAX) + goto not_a_prefix; + + n2 = mpz_scan1(bitmask, n1 + 1); + if (n2 < len) + goto not_a_prefix; + + plen = len - n1; + + if (mpz_scan1(left->value, 0) < len - plen) + goto not_a_prefix; + + mpz_clear(bitmask); + *prefix_len = plen; + + return true; + +not_a_prefix: + mpz_clear(bitmask); + + return false; +} + +struct expr *range_expr_to_prefix(struct expr *range) +{ + struct expr *prefix; + uint32_t prefix_len; + + if (range_expr_is_prefix(range, &prefix_len)) { + prefix = prefix_expr_alloc(&range->location, + expr_get(range->left), + prefix_len); + expr_free(range); + return prefix; } - ctx->data = h; - err = nftnl_set_list_foreach(set_cache, list_set_cb, ctx); - nftnl_set_list_free(set_cache); - return err; + return range; } -void alloc_setelem_cache(const struct expr *set, struct nftnl_set *nls) +static struct expr *range_expr_reduce(struct expr *range) { - struct nftnl_set_elem *nlse; - const struct expr *expr; + struct expr *expr; - list_for_each_entry(expr, &set->expressions, list) { - nlse = alloc_nftnl_setelem(set, expr); - nftnl_set_elem_add(nls, nlse); + if (!mpz_cmp(range->left->value, range->right->value)) { + expr = expr_get(range->left); + expr_free(range); + return expr; } + + if (range->left->dtype->type != TYPE_IPADDR && + range->left->dtype->type != TYPE_IP6ADDR) + return range; + + return range_expr_to_prefix(range); } -static struct expr *netlink_parse_concat_elem(const struct datatype *dtype, - struct expr *data) +static struct expr *netlink_parse_interval_elem(const struct set *set, + struct expr *expr) +{ + unsigned int len = div_round_up(expr->len, BITS_PER_BYTE); + const struct datatype *dtype = set->data->dtype; + struct expr *range, *left, *right; + char data[len]; + + mpz_export_data(data, expr->value, dtype->byteorder, len); + left = constant_expr_alloc(&internal_location, dtype, + dtype->byteorder, + (len / 2) * BITS_PER_BYTE, &data[0]); + right = constant_expr_alloc(&internal_location, dtype, + dtype->byteorder, + (len / 2) * BITS_PER_BYTE, &data[len / 2]); + range = range_expr_alloc(&expr->location, left, right); + expr_free(expr); + + return range_expr_to_prefix(range); +} + +static struct expr *concat_elem_expr(const struct set *set, struct expr *key, + const struct datatype *dtype, + struct expr *data, int *off) { const struct datatype *subtype; - struct expr *concat, *expr; + unsigned int sub_length; + struct expr *expr; + + if (key) { + (*off)--; + sub_length = round_up(key->len, BITS_PER_BYTE); + + expr = constant_expr_splice(data, sub_length); + expr->dtype = datatype_get(key->dtype); + expr->byteorder = key->byteorder; + expr->len = key->len; + } else { + subtype = concat_subtype_lookup(dtype->type, --(*off)); + sub_length = round_up(subtype->size, BITS_PER_BYTE); + expr = constant_expr_splice(data, sub_length); + expr->dtype = subtype; + expr->byteorder = subtype->byteorder; + } + + if (expr_basetype(expr)->type == TYPE_STRING || + (!(set->flags & NFT_SET_INTERVAL) && + expr->byteorder == BYTEORDER_HOST_ENDIAN)) + mpz_switch_byteorder(expr->value, expr->len / BITS_PER_BYTE); + + if (expr->dtype->basetype != NULL && + expr->dtype->basetype->type == TYPE_BITMASK) + expr = bitmask_expr_to_binops(expr); + + data->len -= netlink_padding_len(sub_length); + + return expr; +} + +static struct expr *netlink_parse_concat_elem_key(const struct set *set, + struct expr *data) +{ + const struct datatype *dtype = set->key->dtype; + struct expr *concat, *expr, *n = NULL; int off = dtype->subtypes; + if (set->key->etype == EXPR_CONCAT) + n = list_first_entry(&set->key->expressions, struct expr, list); + concat = concat_expr_alloc(&data->location); while (off > 0) { - subtype = concat_subtype_lookup(dtype->type, --off); + expr = concat_elem_expr(set, n, dtype, data, &off); + compound_expr_add(concat, expr); + if (set->key->etype == EXPR_CONCAT) + n = list_next_entry(n, list); + } - expr = constant_expr_splice(data, subtype->size); - expr->dtype = subtype; - expr->byteorder = subtype->byteorder; + expr_free(data); - if (expr->byteorder == BYTEORDER_HOST_ENDIAN) - mpz_switch_byteorder(expr->value, expr->len / BITS_PER_BYTE); + return concat; +} + +static struct expr *netlink_parse_concat_elem(const struct set *set, + struct expr *data) +{ + const struct datatype *dtype = set->data->dtype; + struct expr *concat, *expr, *left, *range; + struct list_head expressions; + int off = dtype->subtypes; - if (expr->dtype->basetype != NULL && - expr->dtype->basetype->type == TYPE_BITMASK) - expr = bitmask_expr_to_binops(expr); + init_list_head(&expressions); - compound_expr_add(concat, expr); - data->len -= netlink_padding_len(expr->len); + concat = concat_expr_alloc(&data->location); + while (off > 0) { + expr = concat_elem_expr(set, NULL, dtype, data, &off); + list_add_tail(&expr->list, &expressions); + } + + if (set->data->flags & EXPR_F_INTERVAL) { + assert(!list_empty(&expressions)); + + off = dtype->subtypes; + + while (off > 0) { + left = list_first_entry(&expressions, struct expr, list); + + expr = concat_elem_expr(set, NULL, dtype, data, &off); + list_del(&left->list); + + range = range_expr_alloc(&data->location, left, expr); + range = range_expr_reduce(range); + compound_expr_add(concat, range); + } + assert(list_empty(&expressions)); + } else { + list_splice_tail(&expressions, &concat->expressions); } + expr_free(data); return concat; @@ -893,30 +1375,48 @@ static void set_elem_parse_udata(struct nftnl_set_elem *nlse, int netlink_delinearize_setelem(struct nftnl_set_elem *nlse, struct set *set, struct nft_cache *cache) { + struct setelem_parse_ctx setelem_parse_ctx = { + .set = set, + .cache = cache, + }; struct nft_data_delinearize nld; struct expr *expr, *key, *data; uint32_t flags = 0; - nld.value = - nftnl_set_elem_get(nlse, NFTNL_SET_ELEM_KEY, &nld.len); + init_list_head(&setelem_parse_ctx.stmt_list); + + if (nftnl_set_elem_is_set(nlse, NFTNL_SET_ELEM_KEY)) + nld.value = nftnl_set_elem_get(nlse, NFTNL_SET_ELEM_KEY, &nld.len); if (nftnl_set_elem_is_set(nlse, NFTNL_SET_ELEM_FLAGS)) flags = nftnl_set_elem_get_u32(nlse, NFTNL_SET_ELEM_FLAGS); - key = netlink_alloc_value(&netlink_location, &nld); - datatype_set(key, set->key->dtype); - key->byteorder = set->key->byteorder; - if (set->key->dtype->subtypes) - key = netlink_parse_concat_elem(set->key->dtype, key); - - if (!(set->flags & NFT_SET_INTERVAL) && - key->byteorder == BYTEORDER_HOST_ENDIAN) - mpz_switch_byteorder(key->value, key->len / BITS_PER_BYTE); - - if (key->dtype->basetype != NULL && - key->dtype->basetype->type == TYPE_BITMASK) - key = bitmask_expr_to_binops(key); +key_end: + if (nftnl_set_elem_is_set(nlse, NFTNL_SET_ELEM_KEY)) { + key = netlink_alloc_value(&netlink_location, &nld); + datatype_set(key, set->key->dtype); + key->byteorder = set->key->byteorder; + if (set->key->dtype->subtypes) + key = netlink_parse_concat_elem_key(set, key); + + if (!(set->flags & NFT_SET_INTERVAL) && + key->byteorder == BYTEORDER_HOST_ENDIAN) + mpz_switch_byteorder(key->value, key->len / BITS_PER_BYTE); + + if (key->dtype->basetype != NULL && + key->dtype->basetype->type == TYPE_BITMASK) + key = bitmask_expr_to_binops(key); + } else if (flags & NFT_SET_ELEM_CATCHALL) { + key = set_elem_catchall_expr_alloc(&netlink_location); + datatype_set(key, set->key->dtype); + key->byteorder = set->key->byteorder; + key->len = set->key->len; + } else { + BUG("Unexpected set element with no key\n"); + } expr = set_elem_expr_alloc(&netlink_location, key); + expr->flags |= EXPR_F_KERNEL; + if (nftnl_set_elem_is_set(nlse, NFTNL_SET_ELEM_TIMEOUT)) expr->timeout = nftnl_set_elem_get_u64(nlse, NFTNL_SET_ELEM_TIMEOUT); if (nftnl_set_elem_is_set(nlse, NFTNL_SET_ELEM_EXPIRATION)) @@ -925,10 +1425,17 @@ int netlink_delinearize_setelem(struct nftnl_set_elem *nlse, set_elem_parse_udata(nlse, expr); if (nftnl_set_elem_is_set(nlse, NFTNL_SET_ELEM_EXPR)) { const struct nftnl_expr *nle; + struct stmt *stmt; nle = nftnl_set_elem_get(nlse, NFTNL_SET_ELEM_EXPR, NULL); - expr->stmt = netlink_parse_set_expr(set, cache, nle); + stmt = netlink_parse_set_expr(set, cache, nle); + list_add_tail(&stmt->list, &setelem_parse_ctx.stmt_list); + } else if (nftnl_set_elem_is_set(nlse, NFTNL_SET_ELEM_EXPRESSIONS)) { + nftnl_set_elem_expr_foreach(nlse, set_elem_parse_expressions, + &setelem_parse_ctx); } + list_splice_tail_init(&setelem_parse_ctx.stmt_list, &expr->stmt_list); + if (flags & NFT_SET_ELEM_INTERVAL_END) { expr->flags |= EXPR_F_INTERVAL_END; if (mpz_cmp_ui(set->key->value, 0) == 0) @@ -952,6 +1459,12 @@ int netlink_delinearize_setelem(struct nftnl_set_elem *nlse, NFT_REG_VERDICT : NFT_REG_1); datatype_set(data, set->data->dtype); data->byteorder = set->data->byteorder; + + if (set->data->dtype->subtypes) { + data = netlink_parse_concat_elem(set, data); + } else if (set->data->flags & EXPR_F_INTERVAL) + data = netlink_parse_interval_elem(set, data); + if (data->byteorder == BYTEORDER_HOST_ENDIAN) mpz_switch_byteorder(data->value, data->len / BITS_PER_BYTE); @@ -973,6 +1486,15 @@ int netlink_delinearize_setelem(struct nftnl_set_elem *nlse, } out: compound_expr_add(set->init, expr); + + if (!(flags & NFT_SET_ELEM_INTERVAL_END) && + nftnl_set_elem_is_set(nlse, NFTNL_SET_ELEM_KEY_END)) { + flags |= NFT_SET_ELEM_INTERVAL_END; + nld.value = nftnl_set_elem_get(nlse, NFTNL_SET_ELEM_KEY_END, + &nld.len); + goto key_end; + } + return 0; } @@ -982,8 +1504,44 @@ static int list_setelem_cb(struct nftnl_set_elem *nlse, void *arg) return netlink_delinearize_setelem(nlse, ctx->set, &ctx->nft->cache); } +static int list_setelem_debug_cb(struct nftnl_set_elem *nlse, void *arg) +{ + int r; + + r = list_setelem_cb(nlse, arg); + if (r == 0) { + struct netlink_ctx *ctx = arg; + FILE *fp = ctx->nft->output.output_fp; + + fprintf(fp, "\t"); + nftnl_set_elem_fprintf(fp, nlse, 0, 0); + fprintf(fp, "\n"); + } + + return r; +} + +static int list_setelements(struct nftnl_set *s, struct netlink_ctx *ctx) +{ + FILE *fp = ctx->nft->output.output_fp; + + if (fp && (ctx->nft->debug_mask & NFT_DEBUG_NETLINK)) { + const char *table, *name; + uint32_t family = nftnl_set_get_u32(s, NFTNL_SET_FAMILY); + + table = nftnl_set_get_str(s, NFTNL_SET_TABLE); + name = nftnl_set_get_str(s, NFTNL_SET_NAME); + + fprintf(fp, "%s %s @%s\n", family2str(family), table, name); + + return nftnl_set_elem_foreach(s, list_setelem_debug_cb, ctx); + } + + return nftnl_set_elem_foreach(s, list_setelem_cb, ctx); +} + int netlink_list_setelems(struct netlink_ctx *ctx, const struct handle *h, - struct set *set) + struct set *set, bool reset) { struct nftnl_set *nls; int err; @@ -998,7 +1556,7 @@ int netlink_list_setelems(struct netlink_ctx *ctx, const struct handle *h, if (h->handle.id) nftnl_set_set_u64(nls, NFTNL_SET_HANDLE, h->handle.id); - err = mnl_nft_setelem_get(ctx, nls); + err = mnl_nft_setelem_get(ctx, nls, reset); if (err < 0) { nftnl_set_free(nls); if (errno == EINTR) @@ -1009,25 +1567,27 @@ int netlink_list_setelems(struct netlink_ctx *ctx, const struct handle *h, ctx->set = set; set->init = set_expr_alloc(&internal_location, set); - nftnl_set_elem_foreach(nls, list_setelem_cb, ctx); + list_setelements(nls, ctx); - if (!(set->flags & NFT_SET_INTERVAL)) + if (set->flags & NFT_SET_INTERVAL && set->desc.field_count > 1) + concat_range_aggregate(set->init); + else if (set->flags & NFT_SET_INTERVAL) + interval_map_decompose(set->init); + else list_expr_sort(&ctx->set->init->expressions); nftnl_set_free(nls); ctx->set = NULL; - if (set->flags & NFT_SET_INTERVAL) - interval_map_decompose(set->init); - return 0; } int netlink_get_setelem(struct netlink_ctx *ctx, const struct handle *h, - const struct location *loc, struct table *table, - struct set *set, struct expr *init) + const struct location *loc, struct set *cache_set, + struct set *set, struct expr *init, bool reset) { struct nftnl_set *nls, *nls_out = NULL; + int err = 0; nls = nftnl_set_alloc(); if (nls == NULL) @@ -1043,26 +1603,28 @@ int netlink_get_setelem(struct netlink_ctx *ctx, const struct handle *h, netlink_dump_set(nls, ctx); - nls_out = mnl_nft_setelem_get_one(ctx, nls); - if (!nls_out) + nls_out = mnl_nft_setelem_get_one(ctx, nls, reset); + if (!nls_out) { + nftnl_set_free(nls); return -1; + } ctx->set = set; set->init = set_expr_alloc(loc, set); - nftnl_set_elem_foreach(nls_out, list_setelem_cb, ctx); + list_setelements(nls_out, ctx); - if (!(set->flags & NFT_SET_INTERVAL)) + if (set->flags & NFT_SET_INTERVAL && set->desc.field_count > 1) + concat_range_aggregate(set->init); + else if (set->flags & NFT_SET_INTERVAL) + err = get_set_decompose(cache_set, set); + else list_expr_sort(&ctx->set->init->expressions); nftnl_set_free(nls); nftnl_set_free(nls_out); ctx->set = NULL; - if (set->flags & NFT_SET_INTERVAL && - get_set_decompose(table, set) < 0) - return -1; - - return 0; + return err; } void netlink_dump_obj(struct nftnl_obj *nln, struct netlink_ctx *ctx) @@ -1076,11 +1638,33 @@ void netlink_dump_obj(struct nftnl_obj *nln, struct netlink_ctx *ctx) fprintf(fp, "\n"); } +static int obj_parse_udata_cb(const struct nftnl_udata *attr, void *data) +{ + unsigned char *value = nftnl_udata_get(attr); + uint8_t type = nftnl_udata_type(attr); + const struct nftnl_udata **tb = data; + uint8_t len = nftnl_udata_len(attr); + + switch (type) { + case NFTNL_UDATA_OBJ_COMMENT: + if (value[len - 1] != '\0') + return -1; + break; + default: + return 0; + } + tb[type] = attr; + return 0; +} + struct obj *netlink_delinearize_obj(struct netlink_ctx *ctx, struct nftnl_obj *nlo) { + const struct nftnl_udata *ud[NFTNL_UDATA_OBJ_MAX + 1] = {}; + const char *udata; struct obj *obj; uint32_t type; + uint32_t ulen; obj = obj_alloc(&netlink_location); obj->handle.family = nftnl_obj_get_u32(nlo, NFTNL_OBJ_FAMILY); @@ -1090,6 +1674,16 @@ struct obj *netlink_delinearize_obj(struct netlink_ctx *ctx, xstrdup(nftnl_obj_get_str(nlo, NFTNL_OBJ_NAME)); obj->handle.handle.id = nftnl_obj_get_u64(nlo, NFTNL_OBJ_HANDLE); + if (nftnl_obj_is_set(nlo, NFTNL_OBJ_USERDATA)) { + udata = nftnl_obj_get_data(nlo, NFTNL_OBJ_USERDATA, &ulen); + if (nftnl_udata_parse(udata, ulen, obj_parse_udata_cb, ud) < 0) { + netlink_io_error(ctx, NULL, "Cannot parse userdata"); + obj_free(obj); + return NULL; + } + if (ud[NFTNL_UDATA_OBJ_COMMENT]) + obj->comment = xstrdup(nftnl_udata_get(ud[NFTNL_UDATA_OBJ_COMMENT])); + } type = nftnl_obj_get_u32(nlo, NFTNL_OBJ_TYPE); switch (type) { @@ -1118,6 +1712,7 @@ struct obj *netlink_delinearize_obj(struct netlink_ctx *ctx, obj->ct_helper.l4proto = nftnl_obj_get_u8(nlo, NFTNL_OBJ_CT_HELPER_L4PROTO); break; case NFT_OBJECT_CT_TIMEOUT: + init_list_head(&obj->ct_timeout.timeout_list); obj->ct_timeout.l3proto = nftnl_obj_get_u16(nlo, NFTNL_OBJ_CT_TIMEOUT_L3PROTO); obj->ct_timeout.l4proto = nftnl_obj_get_u8(nlo, NFTNL_OBJ_CT_TIMEOUT_L4PROTO); memcpy(obj->ct_timeout.timeout, @@ -1186,25 +1781,6 @@ static int list_obj_cb(struct nftnl_obj *nls, void *arg) return 0; } -int netlink_list_objs(struct netlink_ctx *ctx, const struct handle *h) -{ - struct nftnl_obj_list *obj_cache; - int err; - - obj_cache = mnl_nft_obj_dump(ctx, h->family, - h->table.name, NULL, 0, true, false); - if (obj_cache == NULL) { - if (errno == EINTR) - return -1; - - return 0; - } - - err = nftnl_obj_list_foreach(obj_cache, list_obj_cb, ctx); - nftnl_obj_list_free(obj_cache); - return err; -} - int netlink_reset_objs(struct netlink_ctx *ctx, const struct cmd *cmd, uint32_t type, bool dump) { @@ -1222,7 +1798,56 @@ int netlink_reset_objs(struct netlink_ctx *ctx, const struct cmd *cmd, return err; } -static struct flowtable * +int netlink_reset_rules(struct netlink_ctx *ctx, const struct cmd *cmd, + bool dump) +{ + const struct handle *h = &cmd->handle; + struct nft_cache_filter f = { + .list.table = h->table.name, + .list.chain = h->chain.name, + .list.rule_handle = h->handle.id, + }; + struct rule *rule, *next, *crule, *cnext; + struct table *table; + struct chain *chain; + int ret; + + ret = rule_cache_dump(ctx, h, &f, dump, true); + + list_for_each_entry_safe(rule, next, &ctx->list, list) { + table = table_cache_find(&ctx->nft->cache.table_cache, + rule->handle.table.name, + rule->handle.family); + if (!table) + continue; + + chain = chain_cache_find(table, rule->handle.chain.name); + if (!chain) + continue; + + list_del(&rule->list); + list_for_each_entry_safe(crule, cnext, &chain->rules, list) { + if (crule->handle.handle.id != rule->handle.handle.id) + continue; + + list_replace(&crule->list, &rule->list); + rule_free(crule); + rule = NULL; + break; + } + if (rule) { + list_add_tail(&rule->list, &chain->rules); + } + } + list_for_each_entry_safe(rule, next, &ctx->list, list) { + list_del(&rule->list); + rule_free(rule); + } + + return ret; +} + +struct flowtable * netlink_delinearize_flowtable(struct netlink_ctx *ctx, struct nftnl_flowtable *nlo) { @@ -1239,16 +1864,24 @@ netlink_delinearize_flowtable(struct netlink_ctx *ctx, xstrdup(nftnl_flowtable_get_str(nlo, NFTNL_FLOWTABLE_NAME)); flowtable->handle.handle.id = nftnl_flowtable_get_u64(nlo, NFTNL_FLOWTABLE_HANDLE); + if (nftnl_flowtable_is_set(nlo, NFTNL_FLOWTABLE_FLAGS)) + flowtable->flags = nftnl_flowtable_get_u32(nlo, NFTNL_FLOWTABLE_FLAGS); dev_array = nftnl_flowtable_get(nlo, NFTNL_FLOWTABLE_DEVICES); while (dev_array[len]) len++; - flowtable->dev_array = calloc(1, len * sizeof(char *)); + if (len) + flowtable->dev_array = xmalloc(len * sizeof(char *)); for (i = 0; i < len; i++) flowtable->dev_array[i] = xstrdup(dev_array[i]); flowtable->dev_array_len = len; + if (flowtable->dev_array_len) { + qsort(flowtable->dev_array, flowtable->dev_array_len, + sizeof(char *), qsort_device_cmp); + } + priority = nftnl_flowtable_get_u32(nlo, NFTNL_FLOWTABLE_PRIO); flowtable->priority.expr = constant_expr_alloc(&netlink_location, @@ -1257,8 +1890,10 @@ netlink_delinearize_flowtable(struct netlink_ctx *ctx, sizeof(int) * BITS_PER_BYTE, &priority); - flowtable->hooknum = + flowtable->hook.num = nftnl_flowtable_get_u32(nlo, NFTNL_FLOWTABLE_HOOKNUM); + flowtable->flags = + nftnl_flowtable_get_u32(nlo, NFTNL_FLOWTABLE_FLAGS); return flowtable; } @@ -1280,7 +1915,8 @@ int netlink_list_flowtables(struct netlink_ctx *ctx, const struct handle *h) struct nftnl_flowtable_list *flowtable_cache; int err; - flowtable_cache = mnl_nft_flowtable_dump(ctx, h->family, h->table.name); + flowtable_cache = mnl_nft_flowtable_dump(ctx, h->family, + h->table.name, NULL); if (flowtable_cache == NULL) { if (errno == EINTR) return -1; @@ -1364,38 +2000,50 @@ static void trace_print_policy(const struct nftnl_trace *nlt, expr_free(expr); } -static void trace_print_rule(const struct nftnl_trace *nlt, - struct output_ctx *octx, struct nft_cache *cache) +static struct rule *trace_lookup_rule(const struct nftnl_trace *nlt, + uint64_t rule_handle, + struct nft_cache *cache) { - const struct table *table; - uint64_t rule_handle; struct chain *chain; - struct rule *rule; + struct table *table; struct handle h; h.family = nftnl_trace_get_u32(nlt, NFTNL_TRACE_FAMILY); - h.table.name = nftnl_trace_get_str(nlt, NFTNL_TRACE_TABLE); - h.chain.name = nftnl_trace_get_str(nlt, NFTNL_TRACE_CHAIN); + h.table.name = nftnl_trace_get_str(nlt, NFTNL_TRACE_TABLE); + h.chain.name = nftnl_trace_get_str(nlt, NFTNL_TRACE_CHAIN); if (!h.table.name) - return; + return NULL; - table = table_lookup(&h, cache); + table = table_cache_find(&cache->table_cache, h.table.name, h.family); if (!table) - return; + return NULL; - chain = chain_lookup(table, &h); + chain = chain_cache_find(table, h.chain.name); if (!chain) - return; + return NULL; + + return rule_lookup(chain, rule_handle); +} + +static void trace_print_rule(const struct nftnl_trace *nlt, + struct output_ctx *octx, struct nft_cache *cache) +{ + uint64_t rule_handle; + struct rule *rule; rule_handle = nftnl_trace_get_u64(nlt, NFTNL_TRACE_RULE_HANDLE); - rule = rule_lookup(chain, rule_handle); - if (!rule) - return; + rule = trace_lookup_rule(nlt, rule_handle, cache); trace_print_hdr(nlt, octx); - nft_print(octx, "rule "); - rule_print(rule, octx); + + if (rule) { + nft_print(octx, "rule "); + rule_print(rule, octx); + } else { + nft_print(octx, "unknown rule handle %" PRIu64, rule_handle); + } + nft_print(octx, " ("); trace_print_verdict(nlt, octx); nft_print(octx, ")\n"); @@ -1414,7 +2062,6 @@ static void trace_gen_stmts(struct list_head *stmts, const void *hdr; uint32_t hlen; unsigned int n; - bool stacked; if (!nftnl_trace_is_set(nlt, attr)) return; @@ -1469,6 +2116,8 @@ restart: n = 0; next: list_for_each_entry(stmt, &unordered, list) { + enum proto_bases b = base; + rel = stmt->expr; lhs = rel->left; @@ -1481,16 +2130,14 @@ next: list_move_tail(&stmt->list, stmts); n++; - stacked = payload_is_stacked(desc, rel); + if (payload_is_stacked(desc, rel)) + b--; - if (lhs->flags & EXPR_F_PROTOCOL && - pctx->pbase == PROTO_BASE_INVALID) { - payload_dependency_store(pctx, stmt, base - stacked); - } else { + /* Don't strip 'icmp type' from payload dump. */ + if (pctx->icmp_type == 0) payload_dependency_kill(pctx, lhs, ctx->family); - if (lhs->flags & EXPR_F_PROTOCOL) - payload_dependency_store(pctx, stmt, base - stacked); - } + if (lhs->flags & EXPR_F_PROTOCOL) + payload_dependency_store(pctx, stmt, b); goto next; } @@ -1519,7 +2166,7 @@ static void trace_print_packet(const struct nftnl_trace *nlt, meta_expr_alloc(&netlink_location, NFT_META_OIF), octx); - proto_ctx_init(&ctx, nftnl_trace_get_u32(nlt, NFTNL_TRACE_FAMILY), 0); + proto_ctx_init(&ctx, nftnl_trace_get_u32(nlt, NFTNL_TRACE_FAMILY), 0, false); ll_desc = ctx.protocol[PROTO_BASE_LL_HDR].desc; if ((ll_desc == &proto_inet || ll_desc == &proto_netdev) && nftnl_trace_is_set(nlt, NFTNL_TRACE_NFPROTO)) { @@ -1565,12 +2212,12 @@ int netlink_events_trace_cb(const struct nlmsghdr *nlh, int type, if (nftnl_trace_nlmsg_parse(nlh, nlt) < 0) netlink_abi_error(); + if (nftnl_trace_is_set(nlt, NFTNL_TRACE_LL_HEADER) || + nftnl_trace_is_set(nlt, NFTNL_TRACE_NETWORK_HEADER)) + trace_print_packet(nlt, &monh->ctx->nft->output); + switch (nftnl_trace_get_u32(nlt, NFTNL_TRACE_TYPE)) { case NFT_TRACETYPE_RULE: - if (nftnl_trace_is_set(nlt, NFTNL_TRACE_LL_HEADER) || - nftnl_trace_is_set(nlt, NFTNL_TRACE_NETWORK_HEADER)) - trace_print_packet(nlt, &monh->ctx->nft->output); - if (nftnl_trace_is_set(nlt, NFTNL_TRACE_RULE_HANDLE)) trace_print_rule(nlt, &monh->ctx->nft->output, &monh->ctx->nft->cache); |