-rw-r--r--configure.ac4
-rw-r--r--examples/nft-chain-add.c12
-rw-r--r--examples/nft-chain-del.c11
-rw-r--r--examples/nft-chain-get.c14
-rw-r--r--examples/nft-compat-get.c6
-rw-r--r--examples/nft-ct-expectation-add.c6
-rw-r--r--examples/nft-ct-expectation-del.c6
-rw-r--r--examples/nft-ct-expectation-get.c6
-rw-r--r--examples/nft-ct-helper-add.c6
-rw-r--r--examples/nft-ct-helper-del.c6
-rw-r--r--examples/nft-ct-helper-get.c6
-rw-r--r--examples/nft-ct-timeout-add.c6
-rw-r--r--examples/nft-ct-timeout-del.c6
-rw-r--r--examples/nft-ct-timeout-get.c6
-rw-r--r--examples/nft-events.c6
-rw-r--r--examples/nft-flowtable-add.c25
-rw-r--r--examples/nft-flowtable-del.c26
-rw-r--r--examples/nft-flowtable-get.c8
-rw-r--r--examples/nft-map-add.c12
-rw-r--r--examples/nft-obj-add.c6
-rw-r--r--examples/nft-obj-del.c6
-rw-r--r--examples/nft-obj-get.c6
-rw-r--r--examples/nft-rule-add.c16
-rw-r--r--examples/nft-rule-ct-expectation-add.c17
-rw-r--r--examples/nft-rule-ct-helper-add.c16
-rw-r--r--examples/nft-rule-ct-timeout-add.c16
-rw-r--r--examples/nft-rule-del.c13
-rw-r--r--examples/nft-rule-get.c10
-rw-r--r--examples/nft-ruleset-get.c26
-rw-r--r--examples/nft-set-add.c12
-rw-r--r--examples/nft-set-del.c11
-rw-r--r--examples/nft-set-elem-add.c6
-rw-r--r--examples/nft-set-elem-del.c11
-rw-r--r--examples/nft-set-elem-get.c10
-rw-r--r--examples/nft-set-get.c10
-rw-r--r--examples/nft-table-add.c12
-rw-r--r--examples/nft-table-del.c12
-rw-r--r--examples/nft-table-get.c14
-rw-r--r--examples/nft-table-upd.c11
-rw-r--r--include/Makefile.am1
-rw-r--r--include/data_reg.h2
-rw-r--r--include/expr_ops.h7
-rw-r--r--include/internal.h1
-rw-r--r--include/libnftnl/chain.h4
-rw-r--r--include/libnftnl/expr.h47
-rw-r--r--include/libnftnl/object.h37
-rw-r--r--include/linux/netfilter/nf_log.h3
-rw-r--r--include/linux/netfilter/nf_tables.h96
-rw-r--r--include/obj.h3
-rw-r--r--include/str_array.h22
-rw-r--r--include/utils.h26
-rw-r--r--src/Makefile.am2
-rw-r--r--src/batch.c6
-rw-r--r--src/chain.c184
-rw-r--r--src/common.c14
-rw-r--r--src/expr.c16
-rw-r--r--src/expr/bitwise.c106
-rw-r--r--src/expr/byteorder.c41
-rw-r--r--src/expr/cmp.c45
-rw-r--r--src/expr/connlimit.c20
-rw-r--r--src/expr/counter.c20
-rw-r--r--src/expr/ct.c55
-rw-r--r--src/expr/data_reg.c24
-rw-r--r--src/expr/dup.c20
-rw-r--r--src/expr/dynset.c38
-rw-r--r--src/expr/exthdr.c62
-rw-r--r--src/expr/fib.c23
-rw-r--r--src/expr/flow_offload.c9
-rw-r--r--src/expr/fwd.c23
-rw-r--r--src/expr/hash.c34
-rw-r--r--src/expr/immediate.c33
-rw-r--r--src/expr/inner.c216
-rw-r--r--src/expr/last.c20
-rw-r--r--src/expr/limit.c79
-rw-r--r--src/expr/log.c30
-rw-r--r--src/expr/lookup.c27
-rw-r--r--src/expr/masq.c23
-rw-r--r--src/expr/match.c19
-rw-r--r--src/expr/meta.c39
-rw-r--r--src/expr/nat.c47
-rw-r--r--src/expr/numgen.c25
-rw-r--r--src/expr/objref.c25
-rw-r--r--src/expr/osf.c21
-rw-r--r--src/expr/payload.c57
-rw-r--r--src/expr/queue.c27
-rw-r--r--src/expr/quota.c23
-rw-r--r--src/expr/range.c42
-rw-r--r--src/expr/redir.c23
-rw-r--r--src/expr/reject.c20
-rw-r--r--src/expr/rt.c33
-rw-r--r--src/expr/socket.c23
-rw-r--r--src/expr/synproxy.c21
-rw-r--r--src/expr/target.c19
-rw-r--r--src/expr/tproxy.c23
-rw-r--r--src/expr/tunnel.c20
-rw-r--r--src/expr/xfrm.c26
-rw-r--r--src/expr_ops.c2
-rw-r--r--src/flowtable.c123
-rw-r--r--src/gen.c6
-rw-r--r--src/libnftnl.map4
-rw-r--r--src/obj/counter.c20
-rw-r--r--src/obj/ct_expect.c30
-rw-r--r--src/obj/ct_helper.c25
-rw-r--r--src/obj/ct_timeout.c32
-rw-r--r--src/obj/limit.c29
-rw-r--r--src/obj/quota.c23
-rw-r--r--src/obj/secmark.c15
-rw-r--r--src/obj/synproxy.c17
-rw-r--r--src/obj/tunnel.c68
-rw-r--r--src/object.c132
-rw-r--r--src/rule.c70
-rw-r--r--src/ruleset.c6
-rw-r--r--src/set.c81
-rw-r--r--src/set_elem.c27
-rw-r--r--src/str_array.c67
-rw-r--r--src/table.c46
-rw-r--r--src/trace.c6
-rw-r--r--src/udata.c14
-rw-r--r--src/utils.c214
-rw-r--r--tests/nft-chain-test.c47
-rw-r--r--tests/nft-expr_bitwise-test.c229
-rw-r--r--tests/nft-expr_byteorder-test.c9
-rw-r--r--tests/nft-expr_cmp-test.c9
-rw-r--r--tests/nft-expr_counter-test.c9
-rw-r--r--tests/nft-expr_ct-test.c9
-rw-r--r--tests/nft-expr_dup-test.c9
-rw-r--r--tests/nft-expr_exthdr-test.c9
-rw-r--r--tests/nft-expr_fwd-test.c9
-rw-r--r--tests/nft-expr_hash-test.c9
-rw-r--r--tests/nft-expr_immediate-test.c9
-rw-r--r--tests/nft-expr_limit-test.c9
-rw-r--r--tests/nft-expr_log-test.c9
-rw-r--r--tests/nft-expr_lookup-test.c9
-rw-r--r--tests/nft-expr_masq-test.c9
-rw-r--r--tests/nft-expr_match-test.c11
-rw-r--r--tests/nft-expr_meta-test.c9
-rw-r--r--tests/nft-expr_nat-test.c9
-rw-r--r--tests/nft-expr_numgen-test.c9
-rw-r--r--tests/nft-expr_objref-test.c9
-rw-r--r--tests/nft-expr_payload-test.c9
-rw-r--r--tests/nft-expr_queue-test.c9
-rw-r--r--tests/nft-expr_quota-test.c9
-rw-r--r--tests/nft-expr_range-test.c9
-rw-r--r--tests/nft-expr_redir-test.c9
-rw-r--r--tests/nft-expr_reject-test.c9
-rw-r--r--tests/nft-expr_target-test.c11
-rw-r--r--tests/nft-flowtable-test.c21
-rw-r--r--tests/nft-object-test.c7
-rw-r--r--tests/nft-rule-test.c17
-rw-r--r--tests/nft-set-test.c26
-rw-r--r--tests/nft-table-test.c12
151 files changed, 1930 insertions, 2086 deletions
diff --git a/configure.ac b/configure.ac
index dc14392..d5d7b8e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,13 +1,13 @@
dnl Process this file with autoconf to create configure.
-AC_INIT([libnftnl], [1.2.2])
+AC_INIT([libnftnl], [1.2.9])
AC_CONFIG_AUX_DIR([build-aux])
AC_CANONICAL_HOST
AC_CONFIG_MACRO_DIR([m4])
AC_CONFIG_HEADERS([config.h])
m4_ifdef([AM_PROG_AR], [AM_PROG_AR])
-AM_INIT_AUTOMAKE([-Wall foreign tar-pax no-dist-gzip dist-bzip2
+AM_INIT_AUTOMAKE([-Wall foreign tar-pax no-dist-gzip dist-xz
1.6 subdir-objects])
dnl kernel style compile messages
diff --git a/examples/nft-chain-add.c b/examples/nft-chain-add.c
index f711e09..29a5b08 100644
--- a/examples/nft-chain-add.c
+++ b/examples/nft-chain-add.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This software has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
@@ -101,9 +97,9 @@ int main(int argc, char *argv[])
mnl_nlmsg_batch_next(batch);
chain_seq = seq;
- nlh = nftnl_chain_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
- NFT_MSG_NEWCHAIN, family,
- NLM_F_CREATE|NLM_F_ACK, seq++);
+ nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
+ NFT_MSG_NEWCHAIN, family,
+ NLM_F_CREATE | NLM_F_ACK, seq++);
nftnl_chain_nlmsg_build_payload(nlh, t);
nftnl_chain_free(t);
mnl_nlmsg_batch_next(batch);
diff --git a/examples/nft-chain-del.c b/examples/nft-chain-del.c
index bcc714e..3d333b7 100644
--- a/examples/nft-chain-del.c
+++ b/examples/nft-chain-del.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This software has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
@@ -78,9 +74,8 @@ int main(int argc, char *argv[])
mnl_nlmsg_batch_next(batch);
chain_seq = seq;
- nlh = nftnl_chain_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
- NFT_MSG_DELCHAIN, family,
- NLM_F_ACK, seq++);
+ nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
+ NFT_MSG_DELCHAIN, family, NLM_F_ACK, seq++);
nftnl_chain_nlmsg_build_payload(nlh, t);
nftnl_chain_free(t);
mnl_nlmsg_batch_next(batch);
diff --git a/examples/nft-chain-get.c b/examples/nft-chain-get.c
index 8a6ef91..764ffc3 100644
--- a/examples/nft-chain-get.c
+++ b/examples/nft-chain-get.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This software has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
@@ -86,15 +82,15 @@ int main(int argc, char *argv[])
perror("OOM");
exit(EXIT_FAILURE);
}
- nlh = nftnl_chain_nlmsg_build_hdr(buf, NFT_MSG_GETCHAIN, family,
- NLM_F_ACK, seq);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETCHAIN, family,
+ NLM_F_ACK, seq);
nftnl_chain_set_str(t, NFTNL_CHAIN_TABLE, argv[2]);
nftnl_chain_set_str(t, NFTNL_CHAIN_NAME, argv[3]);
nftnl_chain_nlmsg_build_payload(nlh, t);
nftnl_chain_free(t);
} else if (argc >= 2) {
- nlh = nftnl_chain_nlmsg_build_hdr(buf, NFT_MSG_GETCHAIN, family,
- NLM_F_DUMP, seq);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETCHAIN, family,
+ NLM_F_DUMP, seq);
}
nl = mnl_socket_open(NETLINK_NETFILTER);
diff --git a/examples/nft-compat-get.c b/examples/nft-compat-get.c
index 8f00cbf..fd308db 100644
--- a/examples/nft-compat-get.c
+++ b/examples/nft-compat-get.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This software has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
diff --git a/examples/nft-ct-expectation-add.c b/examples/nft-ct-expectation-add.c
index d9b9cdb..8608a6b 100644
--- a/examples/nft-ct-expectation-add.c
+++ b/examples/nft-ct-expectation-add.c
@@ -1,10 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2019 by Stéphane Veyret <sveyret@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include <time.h>
diff --git a/examples/nft-ct-expectation-del.c b/examples/nft-ct-expectation-del.c
index 67dbd47..54b6ab6 100644
--- a/examples/nft-ct-expectation-del.c
+++ b/examples/nft-ct-expectation-del.c
@@ -1,10 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2019 by Stéphane Veyret <sveyret@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include <stdlib.h>
diff --git a/examples/nft-ct-expectation-get.c b/examples/nft-ct-expectation-get.c
index 12c1350..2ae6003 100644
--- a/examples/nft-ct-expectation-get.c
+++ b/examples/nft-ct-expectation-get.c
@@ -1,10 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2019 by Stéphane Veyret <sveyret@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include <stdlib.h>
diff --git a/examples/nft-ct-helper-add.c b/examples/nft-ct-helper-add.c
index 397443b..4d18279 100644
--- a/examples/nft-ct-helper-add.c
+++ b/examples/nft-ct-helper-add.c
@@ -1,10 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012-2016 by Pablo Neira Ayuso <pablo@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include <stdlib.h>
diff --git a/examples/nft-ct-helper-del.c b/examples/nft-ct-helper-del.c
index fda3026..ce8a2a0 100644
--- a/examples/nft-ct-helper-del.c
+++ b/examples/nft-ct-helper-del.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This software has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
diff --git a/examples/nft-ct-helper-get.c b/examples/nft-ct-helper-get.c
index 34134af..84b2fac 100644
--- a/examples/nft-ct-helper-get.c
+++ b/examples/nft-ct-helper-get.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This software has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
diff --git a/examples/nft-ct-timeout-add.c b/examples/nft-ct-timeout-add.c
index 4c2052e..e0e10ee 100644
--- a/examples/nft-ct-timeout-add.c
+++ b/examples/nft-ct-timeout-add.c
@@ -1,10 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012-2016 by Pablo Neira Ayuso <pablo@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include <stdlib.h>
diff --git a/examples/nft-ct-timeout-del.c b/examples/nft-ct-timeout-del.c
index 4581c39..9b31d58 100644
--- a/examples/nft-ct-timeout-del.c
+++ b/examples/nft-ct-timeout-del.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This software has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
diff --git a/examples/nft-ct-timeout-get.c b/examples/nft-ct-timeout-get.c
index 18aed52..f87efac 100644
--- a/examples/nft-ct-timeout-get.c
+++ b/examples/nft-ct-timeout-get.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This software has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
diff --git a/examples/nft-events.c b/examples/nft-events.c
index 8aab90a..bd4618d 100644
--- a/examples/nft-events.c
+++ b/examples/nft-events.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This software has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
diff --git a/examples/nft-flowtable-add.c b/examples/nft-flowtable-add.c
index 5ca62be..f509f23 100644
--- a/examples/nft-flowtable-add.c
+++ b/examples/nft-flowtable-add.c
@@ -47,7 +47,6 @@ int main(int argc, char *argv[])
int ret, family;
struct nftnl_flowtable *t;
struct mnl_nlmsg_batch *batch;
- int batching;
if (argc != 6) {
fprintf(stderr, "Usage: %s <family> <table> <name> <hook> <prio>\n",
@@ -74,32 +73,22 @@ int main(int argc, char *argv[])
if (t == NULL)
exit(EXIT_FAILURE);
- batching = nftnl_batch_is_supported();
- if (batching < 0) {
- perror("cannot talk to nfnetlink");
- exit(EXIT_FAILURE);
- }
-
seq = time(NULL);
batch = mnl_nlmsg_batch_start(buf, sizeof(buf));
- if (batching) {
- nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++);
- mnl_nlmsg_batch_next(batch);
- }
+ nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++);
+ mnl_nlmsg_batch_next(batch);
flowtable_seq = seq;
- nlh = nftnl_flowtable_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
- NFT_MSG_NEWFLOWTABLE, family,
- NLM_F_CREATE|NLM_F_ACK, seq++);
+ nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
+ NFT_MSG_NEWFLOWTABLE, family,
+ NLM_F_CREATE | NLM_F_ACK, seq++);
nftnl_flowtable_nlmsg_build_payload(nlh, t);
nftnl_flowtable_free(t);
mnl_nlmsg_batch_next(batch);
- if (batching) {
- nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++);
- mnl_nlmsg_batch_next(batch);
- }
+ nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++);
+ mnl_nlmsg_batch_next(batch);
nl = mnl_socket_open(NETLINK_NETFILTER);
if (nl == NULL) {
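Review bot: With the `nftnl_batch_is_supported()` probe removed, the example now issues `nftnl_batch_begin()` / `nftnl_batch_end()` unconditionally, so the earlier explicit "cannot talk to nfnetlink" diagnostic is gone and any kernel-side problem presumably surfaces only at `mnl_socket_open()` or the later send; the matching hunk in examples/nft-flowtable-del.c has the same shape. Since the assumption is now silent, a one-line comment above the `nftnl_batch_begin()` call, such as `/* nfnetlink batching is assumed to be supported by the running kernel */`, would document it for readers copying this example. main() starts and ends outside the hunk.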
diff --git a/examples/nft-flowtable-del.c b/examples/nft-flowtable-del.c
index 91e5d3a..c5ce339 100644
--- a/examples/nft-flowtable-del.c
+++ b/examples/nft-flowtable-del.c
@@ -33,7 +33,7 @@ int main(int argc, char *argv[])
struct nlmsghdr *nlh;
uint32_t portid, seq, flowtable_seq;
struct nftnl_flowtable *t;
- int ret, family, batching;
+ int ret, family;
if (argc != 4) {
fprintf(stderr, "Usage: %s <family> <table> <flowtable>\n",
@@ -60,32 +60,22 @@ int main(int argc, char *argv[])
if (t == NULL)
exit(EXIT_FAILURE);
- batching = nftnl_batch_is_supported();
- if (batching < 0) {
- perror("cannot talk to nfnetlink");
- exit(EXIT_FAILURE);
- }
-
seq = time(NULL);
batch = mnl_nlmsg_batch_start(buf, sizeof(buf));
- if (batching) {
- nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++);
- mnl_nlmsg_batch_next(batch);
- }
+ nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++);
+ mnl_nlmsg_batch_next(batch);
flowtable_seq = seq;
- nlh = nftnl_flowtable_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
- NFT_MSG_DELFLOWTABLE, family,
- NLM_F_ACK, seq++);
+ nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
+ NFT_MSG_DELFLOWTABLE, family,
+ NLM_F_ACK, seq++);
nftnl_flowtable_nlmsg_build_payload(nlh, t);
nftnl_flowtable_free(t);
mnl_nlmsg_batch_next(batch);
- if (batching) {
- nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++);
- mnl_nlmsg_batch_next(batch);
- }
+ nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++);
+ mnl_nlmsg_batch_next(batch);
nl = mnl_socket_open(NETLINK_NETFILTER);
if (nl == NULL) {
diff --git a/examples/nft-flowtable-get.c b/examples/nft-flowtable-get.c
index 38929f3..1d10cc8 100644
--- a/examples/nft-flowtable-get.c
+++ b/examples/nft-flowtable-get.c
@@ -75,15 +75,15 @@ int main(int argc, char *argv[])
perror("OOM");
exit(EXIT_FAILURE);
}
- nlh = nftnl_flowtable_nlmsg_build_hdr(buf, NFT_MSG_GETFLOWTABLE, family,
- NLM_F_ACK, seq);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETFLOWTABLE, family,
+ NLM_F_ACK, seq);
nftnl_flowtable_set_str(t, NFTNL_FLOWTABLE_TABLE, argv[2]);
nftnl_flowtable_set_str(t, NFTNL_FLOWTABLE_NAME, argv[3]);
nftnl_flowtable_nlmsg_build_payload(nlh, t);
nftnl_flowtable_free(t);
} else if (argc >= 2) {
- nlh = nftnl_flowtable_nlmsg_build_hdr(buf, NFT_MSG_GETFLOWTABLE, family,
- NLM_F_DUMP, seq);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETFLOWTABLE, family,
+ NLM_F_DUMP, seq);
}
nl = mnl_socket_open(NETLINK_NETFILTER);
diff --git a/examples/nft-map-add.c b/examples/nft-map-add.c
index 7c6eeb9..6caf42f 100644
--- a/examples/nft-map-add.c
+++ b/examples/nft-map-add.c
@@ -1,10 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2016 by Pablo Neira Ayuso <pablo@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include <stdlib.h>
@@ -103,9 +99,9 @@ int main(int argc, char *argv[])
nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++);
mnl_nlmsg_batch_next(batch);
- nlh = nftnl_set_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
- NFT_MSG_NEWSET, family,
- NLM_F_CREATE|NLM_F_ACK, seq++);
+ nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
+ NFT_MSG_NEWSET, family,
+ NLM_F_CREATE | NLM_F_ACK, seq++);
nftnl_set_nlmsg_build_payload(nlh, s);
nftnl_set_free(s);
diff --git a/examples/nft-obj-add.c b/examples/nft-obj-add.c
index f526b3c..9b123b9 100644
--- a/examples/nft-obj-add.c
+++ b/examples/nft-obj-add.c
@@ -1,10 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012-2016 by Pablo Neira Ayuso <pablo@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include <stdlib.h>
diff --git a/examples/nft-obj-del.c b/examples/nft-obj-del.c
index ae4f703..a23d522 100644
--- a/examples/nft-obj-del.c
+++ b/examples/nft-obj-del.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This software has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
diff --git a/examples/nft-obj-get.c b/examples/nft-obj-get.c
index e560ed0..c0ddbed 100644
--- a/examples/nft-obj-get.c
+++ b/examples/nft-obj-get.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This software has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
diff --git a/examples/nft-rule-add.c b/examples/nft-rule-add.c
index 77ee480..937b436 100644
--- a/examples/nft-rule-add.c
+++ b/examples/nft-rule-add.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This software has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
@@ -165,11 +161,11 @@ int main(int argc, char *argv[])
nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++);
mnl_nlmsg_batch_next(batch);
- nlh = nftnl_rule_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
- NFT_MSG_NEWRULE,
- nftnl_rule_get_u32(r, NFTNL_RULE_FAMILY),
- NLM_F_APPEND|NLM_F_CREATE|NLM_F_ACK, seq++);
-
+ nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
+ NFT_MSG_NEWRULE,
+ nftnl_rule_get_u32(r, NFTNL_RULE_FAMILY),
+ NLM_F_APPEND | NLM_F_CREATE | NLM_F_ACK,
+ seq++);
nftnl_rule_nlmsg_build_payload(nlh, r);
nftnl_rule_free(r);
mnl_nlmsg_batch_next(batch);
diff --git a/examples/nft-rule-ct-expectation-add.c b/examples/nft-rule-ct-expectation-add.c
index 2012b3c..31f674a 100644
--- a/examples/nft-rule-ct-expectation-add.c
+++ b/examples/nft-rule-ct-expectation-add.c
@@ -1,10 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2019 by Stéphane Veyret <sveyret@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include <stdlib.h>
@@ -123,12 +119,11 @@ int main(int argc, char *argv[])
nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++);
mnl_nlmsg_batch_next(batch);
- nlh = nftnl_rule_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
- NFT_MSG_NEWRULE,
- nftnl_rule_get_u32(r, NFTNL_RULE_FAMILY),
- NLM_F_APPEND|NLM_F_CREATE|NLM_F_ACK,
- seq++);
-
+ nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
+ NFT_MSG_NEWRULE,
+ nftnl_rule_get_u32(r, NFTNL_RULE_FAMILY),
+ NLM_F_APPEND | NLM_F_CREATE | NLM_F_ACK,
+ seq++);
nftnl_rule_nlmsg_build_payload(nlh, r);
nftnl_rule_free(r);
mnl_nlmsg_batch_next(batch);
diff --git a/examples/nft-rule-ct-helper-add.c b/examples/nft-rule-ct-helper-add.c
index e0338a8..eceb1cb 100644
--- a/examples/nft-rule-ct-helper-add.c
+++ b/examples/nft-rule-ct-helper-add.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This software has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
@@ -117,11 +113,11 @@ int main(int argc, char *argv[])
nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++);
mnl_nlmsg_batch_next(batch);
- nlh = nftnl_rule_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
- NFT_MSG_NEWRULE,
- nftnl_rule_get_u32(r, NFTNL_RULE_FAMILY),
- NLM_F_APPEND|NLM_F_CREATE|NLM_F_ACK, seq++);
-
+ nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
+ NFT_MSG_NEWRULE,
+ nftnl_rule_get_u32(r, NFTNL_RULE_FAMILY),
+ NLM_F_APPEND | NLM_F_CREATE | NLM_F_ACK,
+ seq++);
nftnl_rule_nlmsg_build_payload(nlh, r);
nftnl_rule_free(r);
mnl_nlmsg_batch_next(batch);
diff --git a/examples/nft-rule-ct-timeout-add.c b/examples/nft-rule-ct-timeout-add.c
index d93cde1..4fb4be8 100644
--- a/examples/nft-rule-ct-timeout-add.c
+++ b/examples/nft-rule-ct-timeout-add.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This software has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
@@ -117,11 +113,11 @@ int main(int argc, char *argv[])
nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++);
mnl_nlmsg_batch_next(batch);
- nlh = nftnl_rule_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
- NFT_MSG_NEWRULE,
- nftnl_rule_get_u32(r, NFTNL_RULE_FAMILY),
- NLM_F_APPEND|NLM_F_CREATE|NLM_F_ACK, seq++);
-
+ nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
+ NFT_MSG_NEWRULE,
+ nftnl_rule_get_u32(r, NFTNL_RULE_FAMILY),
+ NLM_F_APPEND | NLM_F_CREATE | NLM_F_ACK,
+ seq++);
nftnl_rule_nlmsg_build_payload(nlh, r);
nftnl_rule_free(r);
mnl_nlmsg_batch_next(batch);
diff --git a/examples/nft-rule-del.c b/examples/nft-rule-del.c
index 035aaa2..f0e5948 100644
--- a/examples/nft-rule-del.c
+++ b/examples/nft-rule-del.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This software has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
@@ -72,11 +68,8 @@ int main(int argc, char *argv[])
nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++);
mnl_nlmsg_batch_next(batch);
- nlh = nftnl_rule_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
- NFT_MSG_DELRULE,
- family,
- NLM_F_ACK, seq++);
-
+ nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
+ NFT_MSG_DELRULE, family, NLM_F_ACK, seq++);
nftnl_rule_nlmsg_build_payload(nlh, r);
nftnl_rule_free(r);
mnl_nlmsg_batch_next(batch);
diff --git a/examples/nft-rule-get.c b/examples/nft-rule-get.c
index 8fb654f..865bad5 100644
--- a/examples/nft-rule-get.c
+++ b/examples/nft-rule-get.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This software has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
@@ -111,8 +107,8 @@ int main(int argc, char *argv[])
}
seq = time(NULL);
- nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_GETRULE, family,
- NLM_F_DUMP, seq);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETRULE, family,
+ NLM_F_DUMP, seq);
r = setup_rule(family, table, chain, NULL);
if (!r) {
diff --git a/examples/nft-ruleset-get.c b/examples/nft-ruleset-get.c
index cba9b09..c530847 100644
--- a/examples/nft-ruleset-get.c
+++ b/examples/nft-ruleset-get.c
@@ -1,14 +1,10 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* Copyright (c) 2013 Arturo Borrero Gonzalez <arturo@debian.org>
*
* based on previous code from:
*
* Copyright (c) 2013 Pablo Neira Ayuso <pablo@netfilter.org>
- *
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdlib.h>
@@ -97,8 +93,8 @@ static struct nftnl_rule_list *mnl_rule_dump(struct mnl_socket *nf_sock,
if (nlr_list == NULL)
memory_allocation_error();
- nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_GETRULE, family,
- NLM_F_DUMP, seq);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETRULE, family,
+ NLM_F_DUMP, seq);
ret = mnl_talk(nf_sock, nlh, nlh->nlmsg_len, rule_cb, nlr_list);
if (ret < 0)
@@ -145,8 +141,8 @@ static struct nftnl_chain_list *mnl_chain_dump(struct mnl_socket *nf_sock,
if (nlc_list == NULL)
memory_allocation_error();
- nlh = nftnl_chain_nlmsg_build_hdr(buf, NFT_MSG_GETCHAIN, family,
- NLM_F_DUMP, seq);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETCHAIN, family,
+ NLM_F_DUMP, seq);
ret = mnl_talk(nf_sock, nlh, nlh->nlmsg_len, chain_cb, nlc_list);
if (ret < 0)
@@ -193,8 +189,8 @@ static struct nftnl_table_list *mnl_table_dump(struct mnl_socket *nf_sock,
if (nlt_list == NULL)
memory_allocation_error();
- nlh = nftnl_table_nlmsg_build_hdr(buf, NFT_MSG_GETTABLE, family,
- NLM_F_DUMP, seq);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETTABLE, family,
+ NLM_F_DUMP, seq);
ret = mnl_talk(nf_sock, nlh, nlh->nlmsg_len, table_cb, nlt_list);
if (ret < 0)
@@ -221,8 +217,8 @@ static int mnl_setelem_get(struct mnl_socket *nf_sock, struct nftnl_set *nls)
struct nlmsghdr *nlh;
uint32_t family = nftnl_set_get_u32(nls, NFTNL_SET_FAMILY);
- nlh = nftnl_set_nlmsg_build_hdr(buf, NFT_MSG_GETSETELEM, family,
- NLM_F_DUMP|NLM_F_ACK, seq);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETSETELEM, family,
+ NLM_F_DUMP | NLM_F_ACK, seq);
nftnl_set_nlmsg_build_payload(nlh, nls);
return mnl_talk(nf_sock, nlh, nlh->nlmsg_len, set_elem_cb, nls);
@@ -266,8 +262,8 @@ mnl_set_dump(struct mnl_socket *nf_sock, int family)
if (s == NULL)
memory_allocation_error();
- nlh = nftnl_set_nlmsg_build_hdr(buf, NFT_MSG_GETSET, family,
- NLM_F_DUMP|NLM_F_ACK, seq);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETSET, family,
+ NLM_F_DUMP | NLM_F_ACK, seq);
nftnl_set_nlmsg_build_payload(nlh, s);
nftnl_set_free(s);
diff --git a/examples/nft-set-add.c b/examples/nft-set-add.c
index c9e249d..7447b40 100644
--- a/examples/nft-set-add.c
+++ b/examples/nft-set-add.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2013 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This software has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
@@ -99,9 +95,9 @@ int main(int argc, char *argv[])
nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++);
mnl_nlmsg_batch_next(batch);
- nlh = nftnl_set_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
- NFT_MSG_NEWSET, family,
- NLM_F_CREATE|NLM_F_ACK, seq++);
+ nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
+ NFT_MSG_NEWSET, family,
+ NLM_F_CREATE | NLM_F_ACK, seq++);
nftnl_set_nlmsg_build_payload(nlh, s);
nftnl_set_free(s);
diff --git a/examples/nft-set-del.c b/examples/nft-set-del.c
index eafd5d7..4ff9e04 100644
--- a/examples/nft-set-del.c
+++ b/examples/nft-set-del.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This software has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
@@ -62,9 +58,8 @@ int main(int argc, char *argv[])
nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++);
mnl_nlmsg_batch_next(batch);
- nlh = nftnl_set_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
- NFT_MSG_DELSET, family,
- NLM_F_ACK, seq);
+ nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
+ NFT_MSG_DELSET, family, NLM_F_ACK, seq);
nftnl_set_set_str(t, NFTNL_SET_TABLE, argv[2]);
nftnl_set_set_str(t, NFTNL_SET_NAME, argv[3]);
diff --git a/examples/nft-set-elem-add.c b/examples/nft-set-elem-add.c
index 4b8b37c..09b8f02 100644
--- a/examples/nft-set-elem-add.c
+++ b/examples/nft-set-elem-add.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2013 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This software has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
diff --git a/examples/nft-set-elem-del.c b/examples/nft-set-elem-del.c
index b569fea..2382f4f 100644
--- a/examples/nft-set-elem-del.c
+++ b/examples/nft-set-elem-del.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2013 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This software has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
@@ -87,9 +83,8 @@ int main(int argc, char *argv[])
nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++);
mnl_nlmsg_batch_next(batch);
- nlh = nftnl_set_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
- NFT_MSG_DELSETELEM, family,
- NLM_F_ACK, seq);
+ nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
+ NFT_MSG_DELSETELEM, family, NLM_F_ACK, seq);
nftnl_set_elems_nlmsg_build_payload(nlh, s);
nftnl_set_free(s);
mnl_nlmsg_batch_next(batch);
diff --git a/examples/nft-set-elem-get.c b/examples/nft-set-elem-get.c
index 52cdd51..1863f72 100644
--- a/examples/nft-set-elem-get.c
+++ b/examples/nft-set-elem-get.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This software has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
@@ -81,8 +77,8 @@ int main(int argc, char *argv[])
exit(EXIT_FAILURE);
}
- nlh = nftnl_set_nlmsg_build_hdr(buf, NFT_MSG_GETSETELEM, family,
- NLM_F_DUMP|NLM_F_ACK, seq);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETSETELEM, family,
+ NLM_F_DUMP | NLM_F_ACK, seq);
nftnl_set_set_str(t, NFTNL_SET_NAME, argv[3]);
nftnl_set_set_str(t, NFTNL_SET_TABLE, argv[2]);
nftnl_set_elems_nlmsg_build_payload(nlh, t);
diff --git a/examples/nft-set-get.c b/examples/nft-set-get.c
index cbe3f85..5848165 100644
--- a/examples/nft-set-get.c
+++ b/examples/nft-set-get.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This software has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
@@ -83,8 +79,8 @@ int main(int argc, char *argv[])
exit(EXIT_FAILURE);
}
- nlh = nftnl_set_nlmsg_build_hdr(buf, NFT_MSG_GETSET, family,
- NLM_F_DUMP|NLM_F_ACK, seq);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETSET, family,
+ NLM_F_DUMP | NLM_F_ACK, seq);
/* Use this below if you want to obtain sets per table */
/* nftnl_set_set(t, NFT_SET_TABLE, argv[2]); */
nftnl_set_nlmsg_build_payload(nlh, t);
diff --git a/examples/nft-table-add.c b/examples/nft-table-add.c
index 5b5c1dd..0079e09 100644
--- a/examples/nft-table-add.c
+++ b/examples/nft-table-add.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This software has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
@@ -79,9 +75,9 @@ int main(int argc, char *argv[])
table_seq = seq;
family = nftnl_table_get_u32(t, NFTNL_TABLE_FAMILY);
- nlh = nftnl_table_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
- NFT_MSG_NEWTABLE, family,
- NLM_F_CREATE|NLM_F_ACK, seq++);
+ nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
+ NFT_MSG_NEWTABLE, family,
+ NLM_F_CREATE | NLM_F_ACK, seq++);
nftnl_table_nlmsg_build_payload(nlh, t);
nftnl_table_free(t);
mnl_nlmsg_batch_next(batch);
diff --git a/examples/nft-table-del.c b/examples/nft-table-del.c
index 3d78fd4..b04bd75 100644
--- a/examples/nft-table-del.c
+++ b/examples/nft-table-del.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This software has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
@@ -79,9 +75,9 @@ int main(int argc, char *argv[])
table_seq = seq;
family = nftnl_table_get_u32(t, NFTNL_TABLE_FAMILY);
- nlh = nftnl_table_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
- NFT_MSG_DELTABLE, family,
- NLM_F_ACK, seq++);
+ nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
+ NFT_MSG_DELTABLE, family,
+ NLM_F_ACK, seq++);
nftnl_table_nlmsg_build_payload(nlh, t);
mnl_nlmsg_batch_next(batch);
nftnl_table_free(t);
diff --git a/examples/nft-table-get.c b/examples/nft-table-get.c
index 64fd66c..3e76747 100644
--- a/examples/nft-table-get.c
+++ b/examples/nft-table-get.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This software has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
@@ -88,11 +84,11 @@ int main(int argc, char *argv[])
seq = time(NULL);
if (t == NULL) {
- nlh = nftnl_table_nlmsg_build_hdr(buf, NFT_MSG_GETTABLE, family,
- NLM_F_DUMP, seq);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETTABLE, family,
+ NLM_F_DUMP, seq);
} else {
- nlh = nftnl_table_nlmsg_build_hdr(buf, NFT_MSG_GETTABLE, family,
- NLM_F_ACK, seq);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETTABLE, family,
+ NLM_F_ACK, seq);
nftnl_table_set_str(t, NFTNL_TABLE_NAME, argv[2]);
nftnl_table_nlmsg_build_payload(nlh, t);
nftnl_table_free(t);
diff --git a/examples/nft-table-upd.c b/examples/nft-table-upd.c
index 663d09f..247af5d 100644
--- a/examples/nft-table-upd.c
+++ b/examples/nft-table-upd.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This software has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
@@ -78,9 +74,8 @@ int main(int argc, char *argv[])
nftnl_table_set_u32(t, NFTNL_TABLE_FLAGS, flags);
table_seq = seq;
- nlh = nftnl_table_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
- NFT_MSG_NEWTABLE, family,
- NLM_F_ACK, seq++);
+ nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
+ NFT_MSG_NEWTABLE, family, NLM_F_ACK, seq++);
nftnl_table_nlmsg_build_payload(nlh, t);
nftnl_table_free(t);
mnl_nlmsg_batch_next(batch);
diff --git a/include/Makefile.am b/include/Makefile.am
index 738f807..665532a 100644
--- a/include/Makefile.am
+++ b/include/Makefile.am
@@ -11,5 +11,6 @@ noinst_HEADERS = internal.h \
expr.h \
rule.h \
set_elem.h \
+ str_array.h \
udata.h \
utils.h
diff --git a/include/data_reg.h b/include/data_reg.h
index 6d2dc66..946354d 100644
--- a/include/data_reg.h
+++ b/include/data_reg.h
@@ -35,6 +35,6 @@ int nftnl_data_reg_snprintf(char *buf, size_t size,
struct nlattr;
int nftnl_parse_data(union nftnl_data_reg *data, struct nlattr *attr, int *type);
-void nftnl_free_verdict(const union nftnl_data_reg *data);
+int nftnl_data_cpy(union nftnl_data_reg *dreg, const void *src, uint32_t len);
#endif
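Review bot: The new `nftnl_data_cpy` prototype on the `+` line says nothing about what bounds `len` or what the int return reports, and a register copy is exactly the place where an over-long `len` would overrun the union's value storage. Presumably the implementation rejects a length larger than the register and returns -1 — confirm — and if so the header should say it: `/* Copy len bytes of src into dreg; returns -1 and leaves dreg untouched if len exceeds the register's capacity, 0 otherwise. */`. Without that contract every caller has to re-derive the limit from the implementation.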
diff --git a/include/expr_ops.h b/include/expr_ops.h
index a7d747a..6cfb3b5 100644
--- a/include/expr_ops.h
+++ b/include/expr_ops.h
@@ -8,10 +8,15 @@ struct nlattr;
struct nlmsghdr;
struct nftnl_expr;
+struct attr_policy {
+ uint32_t maxlen;
+};
+
struct expr_ops {
const char *name;
uint32_t alloc_len;
- int max_attr;
+ int nftnl_max_attr;
+ struct attr_policy *attr_policy;
void (*init)(const struct nftnl_expr *e);
void (*free)(const struct nftnl_expr *e);
int (*set)(struct nftnl_expr *e, uint16_t type, const void *data, uint32_t data_len);
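Review bot: `struct attr_policy *attr_policy` on the `+` line should be `const struct attr_policy *attr_policy`: the per-expression policy is lookup data that must never be written through this pointer and will presumably be defined `static const`, which a non-const pointer cannot reference without a cast; the identical field added to `struct obj_ops` in include/obj.h has the same problem. The new `maxlen` member also needs a one-line comment stating what it bounds and what zero means, e.g. `uint32_t maxlen; /* upper bound on data_len accepted by set() for this attribute; 0 = no limit — confirm */`. The enclosing `struct expr_ops` continues past the end of the hunk.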
diff --git a/include/internal.h b/include/internal.h
index 1f96731..b8fc7f1 100644
--- a/include/internal.h
+++ b/include/internal.h
@@ -12,5 +12,6 @@
#include "expr.h"
#include "expr_ops.h"
#include "rule.h"
+#include "str_array.h"
#endif /* _LIBNFTNL_INTERNAL_H_ */
diff --git a/include/libnftnl/chain.h b/include/libnftnl/chain.h
index f56e581..bac1f5f 100644
--- a/include/libnftnl/chain.h
+++ b/include/libnftnl/chain.h
@@ -71,10 +71,6 @@ struct nlmsghdr;
void nftnl_chain_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nftnl_chain *t);
-int nftnl_chain_parse(struct nftnl_chain *c, enum nftnl_parse_type type,
- const char *data, struct nftnl_parse_err *err);
-int nftnl_chain_parse_file(struct nftnl_chain *c, enum nftnl_parse_type type,
- FILE *fp, struct nftnl_parse_err *err);
int nftnl_chain_snprintf(char *buf, size_t size, const struct nftnl_chain *t, uint32_t type, uint32_t flags);
int nftnl_chain_fprintf(FILE *fp, const struct nftnl_chain *c, uint32_t type, uint32_t flags);
diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h
index 00c63ab..1c07b54 100644
--- a/include/libnftnl/expr.h
+++ b/include/libnftnl/expr.h
@@ -56,6 +56,7 @@ enum {
NFTNL_EXPR_PAYLOAD_CSUM_TYPE,
NFTNL_EXPR_PAYLOAD_CSUM_OFFSET,
NFTNL_EXPR_PAYLOAD_FLAGS,
+ __NFTNL_EXPR_PAYLOAD_MAX
};
enum {
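Review bot: The `__NFTNL_EXPR_PAYLOAD_MAX` sentinel added here, and its siblings in the following hunks of this header, carry no hint that they must stay the last enumerator; an attribute appended after one of them would silently fall outside whatever table the sentinel sizes. A `/* keep last */` comment on each sentinel makes the invariant visible to the next contributor. Style: these sentinels end without a trailing comma, while the matching `__NFTNL_OBJ_*_MAX` additions in include/libnftnl/object.h use one; the two public headers should follow one convention.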
@@ -65,34 +66,40 @@ enum {
NFTNL_EXPR_NG_OFFSET,
NFTNL_EXPR_NG_SET_NAME, /* deprecated */
NFTNL_EXPR_NG_SET_ID, /* deprecated */
+ __NFTNL_EXPR_NG_MAX
};
enum {
NFTNL_EXPR_META_KEY = NFTNL_EXPR_BASE,
NFTNL_EXPR_META_DREG,
NFTNL_EXPR_META_SREG,
+ __NFTNL_EXPR_META_MAX
};
enum {
NFTNL_EXPR_RT_KEY = NFTNL_EXPR_BASE,
NFTNL_EXPR_RT_DREG,
+ __NFTNL_EXPR_RT_MAX
};
enum {
NFTNL_EXPR_SOCKET_KEY = NFTNL_EXPR_BASE,
NFTNL_EXPR_SOCKET_DREG,
NFTNL_EXPR_SOCKET_LEVEL,
+ __NFTNL_EXPR_SOCKET_MAX
};
enum {
NFTNL_EXPR_TUNNEL_KEY = NFTNL_EXPR_BASE,
NFTNL_EXPR_TUNNEL_DREG,
+ __NFTNL_EXPR_TUNNEL_MAX
};
enum {
NFTNL_EXPR_CMP_SREG = NFTNL_EXPR_BASE,
NFTNL_EXPR_CMP_OP,
NFTNL_EXPR_CMP_DATA,
+ __NFTNL_EXPR_CMP_MAX
};
enum {
@@ -100,6 +107,7 @@ enum {
NFTNL_EXPR_RANGE_OP,
NFTNL_EXPR_RANGE_FROM_DATA,
NFTNL_EXPR_RANGE_TO_DATA,
+ __NFTNL_EXPR_RANGE_MAX
};
enum {
@@ -108,16 +116,19 @@ enum {
NFTNL_EXPR_IMM_VERDICT,
NFTNL_EXPR_IMM_CHAIN,
NFTNL_EXPR_IMM_CHAIN_ID,
+ __NFTNL_EXPR_IMM_MAX
};
enum {
NFTNL_EXPR_CTR_PACKETS = NFTNL_EXPR_BASE,
NFTNL_EXPR_CTR_BYTES,
+ __NFTNL_EXPR_CTR_MAX
};
enum {
NFTNL_EXPR_CONNLIMIT_COUNT = NFTNL_EXPR_BASE,
NFTNL_EXPR_CONNLIMIT_FLAGS,
+ __NFTNL_EXPR_CONNLIMIT_MAX
};
enum {
@@ -128,18 +139,22 @@ enum {
NFTNL_EXPR_BITWISE_XOR,
NFTNL_EXPR_BITWISE_OP,
NFTNL_EXPR_BITWISE_DATA,
+ NFTNL_EXPR_BITWISE_SREG2,
+ __NFTNL_EXPR_BITWISE_MAX
};
enum {
NFTNL_EXPR_TG_NAME = NFTNL_EXPR_BASE,
NFTNL_EXPR_TG_REV,
NFTNL_EXPR_TG_INFO,
+ __NFTNL_EXPR_TG_MAX
};
enum {
NFTNL_EXPR_MT_NAME = NFTNL_EXPR_BASE,
NFTNL_EXPR_MT_REV,
NFTNL_EXPR_MT_INFO,
+ __NFTNL_EXPR_MT_MAX
};
enum {
@@ -150,12 +165,14 @@ enum {
NFTNL_EXPR_NAT_REG_PROTO_MIN,
NFTNL_EXPR_NAT_REG_PROTO_MAX,
NFTNL_EXPR_NAT_FLAGS,
+ __NFTNL_EXPR_NAT_MAX
};
enum {
NFTNL_EXPR_TPROXY_FAMILY = NFTNL_EXPR_BASE,
NFTNL_EXPR_TPROXY_REG_ADDR,
NFTNL_EXPR_TPROXY_REG_PORT,
+ __NFTNL_EXPR_TPROXY_MAX
};
enum {
@@ -164,6 +181,7 @@ enum {
NFTNL_EXPR_LOOKUP_SET,
NFTNL_EXPR_LOOKUP_SET_ID,
NFTNL_EXPR_LOOKUP_FLAGS,
+ __NFTNL_EXPR_LOOKUP_MAX
};
enum {
@@ -176,6 +194,7 @@ enum {
NFTNL_EXPR_DYNSET_EXPR,
NFTNL_EXPR_DYNSET_EXPRESSIONS,
NFTNL_EXPR_DYNSET_FLAGS,
+ __NFTNL_EXPR_DYNSET_MAX
};
enum {
@@ -185,6 +204,7 @@ enum {
NFTNL_EXPR_LOG_QTHRESHOLD,
NFTNL_EXPR_LOG_LEVEL,
NFTNL_EXPR_LOG_FLAGS,
+ __NFTNL_EXPR_LOG_MAX
};
enum {
@@ -195,6 +215,7 @@ enum {
NFTNL_EXPR_EXTHDR_FLAGS,
NFTNL_EXPR_EXTHDR_OP,
NFTNL_EXPR_EXTHDR_SREG,
+ __NFTNL_EXPR_EXTHDR_MAX
};
enum {
@@ -202,6 +223,7 @@ enum {
NFTNL_EXPR_CT_KEY,
NFTNL_EXPR_CT_DIR,
NFTNL_EXPR_CT_SREG,
+ __NFTNL_EXPR_CT_MAX
};
enum {
@@ -210,6 +232,7 @@ enum {
NFTNL_EXPR_BYTEORDER_OP,
NFTNL_EXPR_BYTEORDER_LEN,
NFTNL_EXPR_BYTEORDER_SIZE,
+ __NFTNL_EXPR_BYTEORDER_MAX
};
enum {
@@ -218,11 +241,13 @@ enum {
NFTNL_EXPR_LIMIT_BURST,
NFTNL_EXPR_LIMIT_TYPE,
NFTNL_EXPR_LIMIT_FLAGS,
+ __NFTNL_EXPR_LIMIT_MAX
};
enum {
NFTNL_EXPR_REJECT_TYPE = NFTNL_EXPR_BASE,
NFTNL_EXPR_REJECT_CODE,
+ __NFTNL_EXPR_REJECT_MAX
};
enum {
@@ -230,39 +255,46 @@ enum {
NFTNL_EXPR_QUEUE_TOTAL,
NFTNL_EXPR_QUEUE_FLAGS,
NFTNL_EXPR_QUEUE_SREG_QNUM,
+ __NFTNL_EXPR_QUEUE_MAX
};
enum {
NFTNL_EXPR_QUOTA_BYTES = NFTNL_EXPR_BASE,
NFTNL_EXPR_QUOTA_FLAGS,
NFTNL_EXPR_QUOTA_CONSUMED,
+ __NFTNL_EXPR_QUOTA_MAX
};
enum {
NFTNL_EXPR_MASQ_FLAGS = NFTNL_EXPR_BASE,
NFTNL_EXPR_MASQ_REG_PROTO_MIN,
NFTNL_EXPR_MASQ_REG_PROTO_MAX,
+ __NFTNL_EXPR_MASQ_MAX
};
enum {
NFTNL_EXPR_REDIR_REG_PROTO_MIN = NFTNL_EXPR_BASE,
NFTNL_EXPR_REDIR_REG_PROTO_MAX,
NFTNL_EXPR_REDIR_FLAGS,
+ __NFTNL_EXPR_REDIR_MAX
};
enum {
NFTNL_EXPR_DUP_SREG_ADDR = NFTNL_EXPR_BASE,
NFTNL_EXPR_DUP_SREG_DEV,
+ __NFTNL_EXPR_DUP_MAX
};
enum {
NFTNL_EXPR_FLOW_TABLE_NAME = NFTNL_EXPR_BASE,
+ __NFTNL_EXPR_FLOW_MAX
};
enum {
NFTNL_EXPR_FWD_SREG_DEV = NFTNL_EXPR_BASE,
NFTNL_EXPR_FWD_SREG_ADDR,
NFTNL_EXPR_FWD_NFPROTO,
+ __NFTNL_EXPR_FWD_MAX
};
enum {
@@ -275,12 +307,14 @@ enum {
NFTNL_EXPR_HASH_TYPE,
NFTNL_EXPR_HASH_SET_NAME, /* deprecated */
NFTNL_EXPR_HASH_SET_ID, /* deprecated */
+ __NFTNL_EXPR_HASH_MAX
};
enum {
NFTNL_EXPR_FIB_DREG = NFTNL_EXPR_BASE,
NFTNL_EXPR_FIB_RESULT,
NFTNL_EXPR_FIB_FLAGS,
+ __NFTNL_EXPR_FIB_MAX
};
enum {
@@ -289,12 +323,14 @@ enum {
NFTNL_EXPR_OBJREF_SET_SREG,
NFTNL_EXPR_OBJREF_SET_NAME,
NFTNL_EXPR_OBJREF_SET_ID,
+ __NFTNL_EXPR_OBJREF_MAX
};
enum {
NFTNL_EXPR_OSF_DREG = NFTNL_EXPR_BASE,
NFTNL_EXPR_OSF_TTL,
NFTNL_EXPR_OSF_FLAGS,
+ __NFTNL_EXPR_OSF_MAX
};
enum {
@@ -303,17 +339,28 @@ enum {
NFTNL_EXPR_XFRM_KEY,
NFTNL_EXPR_XFRM_DIR,
NFTNL_EXPR_XFRM_SPNUM,
+ __NFTNL_EXPR_XFRM_MAX
};
enum {
NFTNL_EXPR_SYNPROXY_MSS = NFTNL_EXPR_BASE,
NFTNL_EXPR_SYNPROXY_WSCALE,
NFTNL_EXPR_SYNPROXY_FLAGS,
+ __NFTNL_EXPR_SYNPROXY_MAX
};
enum {
NFTNL_EXPR_LAST_MSECS = NFTNL_EXPR_BASE,
NFTNL_EXPR_LAST_SET,
+ __NFTNL_EXPR_LAST_MAX
+};
+
+enum {
+ NFTNL_EXPR_INNER_TYPE = NFTNL_EXPR_BASE,
+ NFTNL_EXPR_INNER_FLAGS,
+ NFTNL_EXPR_INNER_HDRSIZE,
+ NFTNL_EXPR_INNER_EXPR,
+ __NFTNL_EXPR_INNER_MAX
};
#ifdef __cplusplus
diff --git a/include/libnftnl/object.h b/include/libnftnl/object.h
index 9bd83a5..9930355 100644
--- a/include/libnftnl/object.h
+++ b/include/libnftnl/object.h
@@ -28,18 +28,21 @@ enum {
enum {
NFTNL_OBJ_CTR_PKTS = NFTNL_OBJ_BASE,
NFTNL_OBJ_CTR_BYTES,
+ __NFTNL_OBJ_CTR_MAX,
};
enum {
NFTNL_OBJ_QUOTA_BYTES = NFTNL_OBJ_BASE,
NFTNL_OBJ_QUOTA_CONSUMED,
NFTNL_OBJ_QUOTA_FLAGS,
+ __NFTNL_OBJ_QUOTA_MAX,
};
enum {
NFTNL_OBJ_CT_HELPER_NAME = NFTNL_OBJ_BASE,
NFTNL_OBJ_CT_HELPER_L3PROTO,
NFTNL_OBJ_CT_HELPER_L4PROTO,
+ __NFTNL_OBJ_CT_HELPER_MAX,
};
enum nftnl_cttimeout_array_tcp {
@@ -69,6 +72,7 @@ enum {
NFTNL_OBJ_CT_TIMEOUT_L3PROTO = NFTNL_OBJ_BASE,
NFTNL_OBJ_CT_TIMEOUT_L4PROTO,
NFTNL_OBJ_CT_TIMEOUT_ARRAY,
+ __NFTNL_OBJ_CT_TIMEOUT_MAX,
};
enum {
@@ -77,6 +81,7 @@ enum {
NFTNL_OBJ_CT_EXPECT_DPORT,
NFTNL_OBJ_CT_EXPECT_TIMEOUT,
NFTNL_OBJ_CT_EXPECT_SIZE,
+ __NFTNL_OBJ_CT_EXPECT_MAX,
};
enum {
@@ -85,12 +90,14 @@ enum {
NFTNL_OBJ_LIMIT_BURST,
NFTNL_OBJ_LIMIT_TYPE,
NFTNL_OBJ_LIMIT_FLAGS,
+ __NFTNL_OBJ_LIMIT_MAX,
};
enum {
NFTNL_OBJ_SYNPROXY_MSS = NFTNL_OBJ_BASE,
NFTNL_OBJ_SYNPROXY_WSCALE,
NFTNL_OBJ_SYNPROXY_FLAGS,
+ __NFTNL_OBJ_SYNPROXY_MAX,
};
enum {
@@ -110,10 +117,12 @@ enum {
NFTNL_OBJ_TUNNEL_ERSPAN_V1_INDEX,
NFTNL_OBJ_TUNNEL_ERSPAN_V2_HWID,
NFTNL_OBJ_TUNNEL_ERSPAN_V2_DIR,
+ __NFTNL_OBJ_TUNNEL_MAX,
};
enum {
NFTNL_OBJ_SECMARK_CTX = NFTNL_OBJ_BASE,
+ __NFTNL_OBJ_SECMARK_MAX,
};
struct nftnl_obj;
@@ -123,22 +132,22 @@ void nftnl_obj_free(const struct nftnl_obj *ne);
bool nftnl_obj_is_set(const struct nftnl_obj *ne, uint16_t attr);
void nftnl_obj_unset(struct nftnl_obj *ne, uint16_t attr);
-void nftnl_obj_set_data(struct nftnl_obj *ne, uint16_t attr, const void *data,
- uint32_t data_len);
+int nftnl_obj_set_data(struct nftnl_obj *ne, uint16_t attr, const void *data,
+ uint32_t data_len);
void nftnl_obj_set(struct nftnl_obj *ne, uint16_t attr, const void *data) __attribute__((deprecated));
-void nftnl_obj_set_u8(struct nftnl_obj *ne, uint16_t attr, uint8_t val);
-void nftnl_obj_set_u16(struct nftnl_obj *ne, uint16_t attr, uint16_t val);
-void nftnl_obj_set_u32(struct nftnl_obj *ne, uint16_t attr, uint32_t val);
-void nftnl_obj_set_u64(struct nftnl_obj *obj, uint16_t attr, uint64_t val);
-void nftnl_obj_set_str(struct nftnl_obj *ne, uint16_t attr, const char *str);
-const void *nftnl_obj_get_data(struct nftnl_obj *ne, uint16_t attr,
+int nftnl_obj_set_u8(struct nftnl_obj *ne, uint16_t attr, uint8_t val);
+int nftnl_obj_set_u16(struct nftnl_obj *ne, uint16_t attr, uint16_t val);
+int nftnl_obj_set_u32(struct nftnl_obj *ne, uint16_t attr, uint32_t val);
+int nftnl_obj_set_u64(struct nftnl_obj *obj, uint16_t attr, uint64_t val);
+int nftnl_obj_set_str(struct nftnl_obj *ne, uint16_t attr, const char *str);
+const void *nftnl_obj_get_data(const struct nftnl_obj *ne, uint16_t attr,
uint32_t *data_len);
-const void *nftnl_obj_get(struct nftnl_obj *ne, uint16_t attr);
-uint8_t nftnl_obj_get_u8(struct nftnl_obj *ne, uint16_t attr);
-uint16_t nftnl_obj_get_u16(struct nftnl_obj *obj, uint16_t attr);
-uint32_t nftnl_obj_get_u32(struct nftnl_obj *ne, uint16_t attr);
-uint64_t nftnl_obj_get_u64(struct nftnl_obj *obj, uint16_t attr);
-const char *nftnl_obj_get_str(struct nftnl_obj *ne, uint16_t attr);
+const void *nftnl_obj_get(const struct nftnl_obj *ne, uint16_t attr);
+uint8_t nftnl_obj_get_u8(const struct nftnl_obj *ne, uint16_t attr);
+uint16_t nftnl_obj_get_u16(const struct nftnl_obj *obj, uint16_t attr);
+uint32_t nftnl_obj_get_u32(const struct nftnl_obj *ne, uint16_t attr);
+uint64_t nftnl_obj_get_u64(const struct nftnl_obj *obj, uint16_t attr);
+const char *nftnl_obj_get_str(const struct nftnl_obj *ne, uint16_t attr);
void nftnl_obj_nlmsg_build_payload(struct nlmsghdr *nlh,
const struct nftnl_obj *ne);
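Review bot: The setters changed from `void` to `int` on the `+` lines expose a result the public header never explains, so callers cannot tell which failures the return covers or whether the object is left untouched on failure. Add a comment above the group, e.g. `/* nftnl_obj_set_* return 0 on success and -1 when the attribute or its data length is rejected; the object is unchanged on -1 — confirm */`. Since this header already attaches `__attribute__((deprecated))` to `nftnl_obj_set`, `__attribute__((warn_unused_result))` on the new int setters would also catch existing call sites written against the old void signature that now drop the error.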
diff --git a/include/linux/netfilter/nf_log.h b/include/linux/netfilter/nf_log.h
index 8be21e0..2ae0093 100644
--- a/include/linux/netfilter/nf_log.h
+++ b/include/linux/netfilter/nf_log.h
@@ -1,3 +1,4 @@
+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
#ifndef _NETFILTER_NF_LOG_H
#define _NETFILTER_NF_LOG_H
@@ -9,4 +10,6 @@
#define NF_LOG_MACDECODE 0x20 /* Decode MAC header */
#define NF_LOG_MASK 0x2f
+#define NF_LOG_PREFIXLEN 128
+
#endif /* _NETFILTER_NF_LOG_H */
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 0ae9120..49c944e 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -97,6 +97,15 @@ enum nft_verdicts {
* @NFT_MSG_NEWFLOWTABLE: add new flow table (enum nft_flowtable_attributes)
* @NFT_MSG_GETFLOWTABLE: get flow table (enum nft_flowtable_attributes)
* @NFT_MSG_DELFLOWTABLE: delete flow table (enum nft_flowtable_attributes)
+ * @NFT_MSG_GETRULE_RESET: get rules and reset stateful expressions (enum nft_obj_attributes)
+ * @NFT_MSG_DESTROYTABLE: destroy a table (enum nft_table_attributes)
+ * @NFT_MSG_DESTROYCHAIN: destroy a chain (enum nft_chain_attributes)
+ * @NFT_MSG_DESTROYRULE: destroy a rule (enum nft_rule_attributes)
+ * @NFT_MSG_DESTROYSET: destroy a set (enum nft_set_attributes)
+ * @NFT_MSG_DESTROYSETELEM: destroy a set element (enum nft_set_elem_attributes)
+ * @NFT_MSG_DESTROYOBJ: destroy a stateful object (enum nft_object_attributes)
+ * @NFT_MSG_DESTROYFLOWTABLE: destroy flow table (enum nft_flowtable_attributes)
+ * @NFT_MSG_GETSETELEM_RESET: get set elements and reset attached stateful expressions (enum nft_set_elem_attributes)
*/
enum nf_tables_msg_types {
NFT_MSG_NEWTABLE,
@@ -124,6 +133,15 @@ enum nf_tables_msg_types {
NFT_MSG_NEWFLOWTABLE,
NFT_MSG_GETFLOWTABLE,
NFT_MSG_DELFLOWTABLE,
+ NFT_MSG_GETRULE_RESET,
+ NFT_MSG_DESTROYTABLE,
+ NFT_MSG_DESTROYCHAIN,
+ NFT_MSG_DESTROYRULE,
+ NFT_MSG_DESTROYSET,
+ NFT_MSG_DESTROYSETELEM,
+ NFT_MSG_DESTROYOBJ,
+ NFT_MSG_DESTROYFLOWTABLE,
+ NFT_MSG_GETSETELEM_RESET,
NFT_MSG_MAX,
};
@@ -161,13 +179,17 @@ enum nft_hook_attributes {
* enum nft_table_flags - nf_tables table flags
*
* @NFT_TABLE_F_DORMANT: this table is not active
+ * @NFT_TABLE_F_OWNER: this table is owned by a process
+ * @NFT_TABLE_F_PERSIST: this table shall outlive its owner
*/
enum nft_table_flags {
NFT_TABLE_F_DORMANT = 0x1,
NFT_TABLE_F_OWNER = 0x2,
+ NFT_TABLE_F_PERSIST = 0x4,
};
#define NFT_TABLE_F_MASK (NFT_TABLE_F_DORMANT | \
- NFT_TABLE_F_OWNER)
+ NFT_TABLE_F_OWNER | \
+ NFT_TABLE_F_PERSIST)
/**
* enum nft_table_attributes - nf_tables table netlink attributes
@@ -245,6 +267,7 @@ enum nft_chain_attributes {
* @NFTA_RULE_USERDATA: user data (NLA_BINARY, NFT_USERDATA_MAXLEN)
* @NFTA_RULE_ID: uniquely identifies a rule in a transaction (NLA_U32)
* @NFTA_RULE_POSITION_ID: transaction unique identifier of the previous rule (NLA_U32)
+ * @NFTA_RULE_CHAIN_ID: add the rule to chain by ID, alternative to @NFTA_RULE_CHAIN (NLA_U32)
*/
enum nft_rule_attributes {
NFTA_RULE_UNSPEC,
@@ -266,9 +289,11 @@ enum nft_rule_attributes {
/**
* enum nft_rule_compat_flags - nf_tables rule compat flags
*
+ * @NFT_RULE_COMPAT_F_UNUSED: unused
* @NFT_RULE_COMPAT_F_INV: invert the check result
*/
enum nft_rule_compat_flags {
+ NFT_RULE_COMPAT_F_UNUSED = (1 << 0),
NFT_RULE_COMPAT_F_INV = (1 << 1),
NFT_RULE_COMPAT_F_MASK = NFT_RULE_COMPAT_F_INV,
};
@@ -411,7 +436,7 @@ enum nft_set_elem_flags {
* @NFTA_SET_ELEM_KEY: key value (NLA_NESTED: nft_data)
* @NFTA_SET_ELEM_DATA: data value of mapping (NLA_NESTED: nft_data_attributes)
* @NFTA_SET_ELEM_FLAGS: bitmask of nft_set_elem_flags (NLA_U32)
- * @NFTA_SET_ELEM_TIMEOUT: timeout value (NLA_U64)
+ * @NFTA_SET_ELEM_TIMEOUT: timeout value, zero means never times out (NLA_U64)
* @NFTA_SET_ELEM_EXPIRATION: expiration time (NLA_U64)
* @NFTA_SET_ELEM_USERDATA: user data (NLA_BINARY)
* @NFTA_SET_ELEM_EXPR: expression (NLA_NESTED: nft_expr_attributes)
@@ -539,16 +564,26 @@ enum nft_immediate_attributes {
/**
* enum nft_bitwise_ops - nf_tables bitwise operations
*
- * @NFT_BITWISE_BOOL: mask-and-xor operation used to implement NOT, AND, OR and
- * XOR boolean operations
+ * @NFT_BITWISE_MASK_XOR: mask-and-xor operation used to implement NOT, AND, OR
+ * and XOR boolean operations
* @NFT_BITWISE_LSHIFT: left-shift operation
* @NFT_BITWISE_RSHIFT: right-shift operation
+ * @NFT_BITWISE_AND: and operation
+ * @NFT_BITWISE_OR: or operation
+ * @NFT_BITWISE_XOR: xor operation
*/
enum nft_bitwise_ops {
- NFT_BITWISE_BOOL,
+ NFT_BITWISE_MASK_XOR,
NFT_BITWISE_LSHIFT,
NFT_BITWISE_RSHIFT,
+ NFT_BITWISE_AND,
+ NFT_BITWISE_OR,
+ NFT_BITWISE_XOR,
};
+/*
+ * Old name for NFT_BITWISE_MASK_XOR. Retained for backwards-compatibility.
+ */
+#define NFT_BITWISE_BOOL NFT_BITWISE_MASK_XOR
/**
* enum nft_bitwise_attributes - nf_tables bitwise expression netlink attributes
@@ -561,6 +596,7 @@ enum nft_bitwise_ops {
* @NFTA_BITWISE_OP: type of operation (NLA_U32: nft_bitwise_ops)
* @NFTA_BITWISE_DATA: argument for non-boolean operations
* (NLA_NESTED: nft_data_attributes)
+ * @NFTA_BITWISE_SREG2: second source register (NLA_U32: nft_registers)
*
* The bitwise expression supports boolean and shift operations. It implements
* the boolean operations by performing the following operation:
@@ -584,6 +620,7 @@ enum nft_bitwise_attributes {
NFTA_BITWISE_XOR,
NFTA_BITWISE_OP,
NFTA_BITWISE_DATA,
+ NFTA_BITWISE_SREG2,
__NFTA_BITWISE_MAX
};
#define NFTA_BITWISE_MAX (__NFTA_BITWISE_MAX - 1)
@@ -669,7 +706,7 @@ enum nft_range_ops {
* enum nft_range_attributes - nf_tables range expression netlink attributes
*
* @NFTA_RANGE_SREG: source register of data to compare (NLA_U32: nft_registers)
- * @NFTA_RANGE_OP: cmp operation (NLA_U32: nft_cmp_ops)
+ * @NFTA_RANGE_OP: cmp operation (NLA_U32: nft_range_ops)
* @NFTA_RANGE_FROM_DATA: data range from (NLA_NESTED: nft_data_attributes)
* @NFTA_RANGE_TO_DATA: data range to (NLA_NESTED: nft_data_attributes)
*/
@@ -753,13 +790,14 @@ enum nft_dynset_attributes {
* @NFT_PAYLOAD_LL_HEADER: link layer header
* @NFT_PAYLOAD_NETWORK_HEADER: network header
* @NFT_PAYLOAD_TRANSPORT_HEADER: transport header
- * @NFT_PAYLOAD_INNER_HEADER: inner header
+ * @NFT_PAYLOAD_INNER_HEADER: inner header / payload
*/
enum nft_payload_bases {
NFT_PAYLOAD_LL_HEADER,
NFT_PAYLOAD_NETWORK_HEADER,
NFT_PAYLOAD_TRANSPORT_HEADER,
NFT_PAYLOAD_INNER_HEADER,
+ NFT_PAYLOAD_TUN_HEADER,
};
/**
@@ -779,6 +817,32 @@ enum nft_payload_csum_flags {
NFT_PAYLOAD_L4CSUM_PSEUDOHDR = (1 << 0),
};
+enum nft_inner_type {
+ NFT_INNER_UNSPEC = 0,
+ NFT_INNER_VXLAN,
+ NFT_INNER_GENEVE,
+};
+
+enum nft_inner_flags {
+ NFT_INNER_HDRSIZE = (1 << 0),
+ NFT_INNER_LL = (1 << 1),
+ NFT_INNER_NH = (1 << 2),
+ NFT_INNER_TH = (1 << 3),
+};
+#define NFT_INNER_MASK (NFT_INNER_HDRSIZE | NFT_INNER_LL | \
+ NFT_INNER_NH | NFT_INNER_TH)
+
+enum nft_inner_attributes {
+ NFTA_INNER_UNSPEC,
+ NFTA_INNER_NUM,
+ NFTA_INNER_TYPE,
+ NFTA_INNER_FLAGS,
+ NFTA_INNER_HDRSIZE,
+ NFTA_INNER_EXPR,
+ __NFTA_INNER_MAX
+};
+#define NFTA_INNER_MAX (__NFTA_INNER_MAX - 1)
+
/**
* enum nft_payload_attributes - nf_tables payload expression netlink attributes
*
@@ -816,12 +880,14 @@ enum nft_exthdr_flags {
* @NFT_EXTHDR_OP_TCP: match against tcp options
* @NFT_EXTHDR_OP_IPV4: match against ipv4 options
* @NFT_EXTHDR_OP_SCTP: match against sctp chunks
+ * @NFT_EXTHDR_OP_DCCP: match against dccp otions
*/
enum nft_exthdr_op {
NFT_EXTHDR_OP_IPV6,
NFT_EXTHDR_OP_TCPOPT,
NFT_EXTHDR_OP_IPV4,
NFT_EXTHDR_OP_SCTP,
+ NFT_EXTHDR_OP_DCCP,
__NFT_EXTHDR_OP_MAX
};
#define NFT_EXTHDR_OP_MAX (__NFT_EXTHDR_OP_MAX - 1)
@@ -835,7 +901,7 @@ enum nft_exthdr_op {
* @NFTA_EXTHDR_LEN: extension header length (NLA_U32)
* @NFTA_EXTHDR_FLAGS: extension header flags (NLA_U32)
* @NFTA_EXTHDR_OP: option match type (NLA_U32)
- * @NFTA_EXTHDR_SREG: option match type (NLA_U32)
+ * @NFTA_EXTHDR_SREG: source register (NLA_U32: nft_registers)
*/
enum nft_exthdr_attributes {
NFTA_EXTHDR_UNSPEC,
@@ -888,6 +954,7 @@ enum nft_exthdr_attributes {
* @NFT_META_TIME_HOUR: hour of day (in seconds)
* @NFT_META_SDIF: slave device interface index
* @NFT_META_SDIFNAME: slave device interface name
+ * @NFT_META_BRI_BROUTE: packet br_netfilter_broute bit
*/
enum nft_meta_keys {
NFT_META_LEN,
@@ -898,7 +965,8 @@ enum nft_meta_keys {
NFT_META_OIF,
NFT_META_IIFNAME,
NFT_META_OIFNAME,
- NFT_META_IIFTYPE,
+ NFT_META_IFTYPE,
+#define NFT_META_IIFTYPE NFT_META_IFTYPE
NFT_META_OIFTYPE,
NFT_META_SKUID,
NFT_META_SKGID,
@@ -925,6 +993,8 @@ enum nft_meta_keys {
NFT_META_TIME_HOUR,
NFT_META_SDIF,
NFT_META_SDIFNAME,
+ NFT_META_BRI_BROUTE,
+ __NFT_META_IIFTYPE,
};
/**
@@ -1215,10 +1285,10 @@ enum nft_last_attributes {
/**
* enum nft_log_attributes - nf_tables log expression netlink attributes
*
- * @NFTA_LOG_GROUP: netlink group to send messages to (NLA_U32)
+ * @NFTA_LOG_GROUP: netlink group to send messages to (NLA_U16)
* @NFTA_LOG_PREFIX: prefix to prepend to log messages (NLA_STRING)
* @NFTA_LOG_SNAPLEN: length of payload to include in netlink message (NLA_U32)
- * @NFTA_LOG_QTHRESHOLD: queue threshold (NLA_U32)
+ * @NFTA_LOG_QTHRESHOLD: queue threshold (NLA_U16)
* @NFTA_LOG_LEVEL: log level (NLA_U32)
* @NFTA_LOG_FLAGS: logging flags (NLA_U32)
*/
@@ -1318,7 +1388,7 @@ enum nft_secmark_attributes {
#define NFTA_SECMARK_MAX (__NFTA_SECMARK_MAX - 1)
/* Max security context length */
-#define NFT_SECMARK_CTX_MAXLEN 256
+#define NFT_SECMARK_CTX_MAXLEN 4096
/**
* enum nft_reject_types - nf_tables reject expression reject types
@@ -1636,7 +1706,7 @@ enum nft_flowtable_flags {
*
* @NFTA_FLOWTABLE_TABLE: name of the table containing the expression (NLA_STRING)
* @NFTA_FLOWTABLE_NAME: name of this flow table (NLA_STRING)
- * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration(NLA_U32)
+ * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration (NLA_NESTED)
* @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32)
* @NFTA_FLOWTABLE_HANDLE: object handle (NLA_U64)
* @NFTA_FLOWTABLE_FLAGS: flags (NLA_U32)
diff --git a/include/obj.h b/include/obj.h
index d848ac9..d217737 100644
--- a/include/obj.h
+++ b/include/obj.h
@@ -104,7 +104,8 @@ struct obj_ops {
const char *name;
uint32_t type;
size_t alloc_len;
- int max_attr;
+ int nftnl_max_attr;
+ struct attr_policy *attr_policy;
int (*set)(struct nftnl_obj *e, uint16_t type, const void *data, uint32_t data_len);
const void *(*get)(const struct nftnl_obj *e, uint16_t type, uint32_t *data_len);
int (*parse)(struct nftnl_obj *e, struct nlattr *attr);
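Review bot: The new `nftnl_max_attr` and `attr_policy` members of `struct obj_ops` carry no comment on their contract, and the only consumer of such a policy visible in this diff is the expr.c hunk, where the accepted index range is `NFTNL_EXPR_BASE..nftnl_max_attr` and a zero `maxlen` skips the length check. If src/object.c mirrors that (it is not in view), a comment above the two fields would spare the next backend author from guessing: `/* attr_policy[] has nftnl_max_attr + 1 entries indexed by NFTNL_OBJ_* attribute; .maxlen is an upper bound for data_len, 0 leaves the length unchecked */`. The struct definition starts outside this hunk.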
diff --git a/include/str_array.h b/include/str_array.h
new file mode 100644
index 0000000..98c9b4f
--- /dev/null
+++ b/include/str_array.h
@@ -0,0 +1,22 @@
+#ifndef LIBNFTNL_STR_ARRAY_H
+#define LIBNFTNL_STR_ARRAY_H 1
+
+#include <stdint.h>
+
+struct nlattr;
+
+struct nftnl_str_array {
+ char **array;
+ uint32_t len;
+};
+
+void nftnl_str_array_clear(struct nftnl_str_array *sa);
+int nftnl_str_array_set(struct nftnl_str_array *sa, const char * const *array);
+int nftnl_parse_devs(struct nftnl_str_array *sa, const struct nlattr *nest);
+
+#define nftnl_str_array_foreach(ptr, sa, idx) \
+ for (idx = 0, ptr = (sa)->array[idx]; \
+ idx < (sa)->len; \
+ ptr = (sa)->array[++idx])
+
+#endif /* LIBNFTNL_STR_ARRAY_H */
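Review bot: `nftnl_str_array_foreach` loads `(sa)->array[idx]` in its init clause before the `idx < (sa)->len` test, so iterating a zero-length array whose `array` pointer is NULL (a zero-initialised struct, or whatever `nftnl_str_array_clear` leaves behind) dereferences NULL; the guarded form `for ((idx) = 0; (idx) < (sa)->len && ((ptr) = (sa)->array[idx], 1); (idx)++)` avoids that and also parenthesises the macro arguments. `len` is `uint32_t` while both chain.c call sites iterate with `int i`, which trips -Wsign-compare; a `uint32_t` index at the call sites would settle it. The header also does not say who owns the strings: judging by the chain.c code it replaces, `nftnl_str_array_set` copies each string and `nftnl_str_array_clear` frees them together with the array, but str_array.c is not in this chunk, so a one-line ownership comment on each prototype would be worth adding.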
diff --git a/include/utils.h b/include/utils.h
index 8af5a8e..eed6127 100644
--- a/include/utils.h
+++ b/include/utils.h
@@ -37,9 +37,9 @@ void __nftnl_assert_fail(uint16_t attr, const char *filename, int line);
#define nftnl_assert_validate(data, _validate_array, _attr, _data_len) \
({ \
if (!data) \
- __nftnl_assert_fail(attr, __FILE__, __LINE__); \
+ __nftnl_assert_fail(_attr, __FILE__, __LINE__); \
if (_validate_array[_attr]) \
- nftnl_assert(data, attr, _validate_array[_attr] == _data_len); \
+ nftnl_assert(data, _attr, _validate_array[_attr] == _data_len); \
})
void __nftnl_assert_attr_exists(uint16_t attr, uint16_t attr_max,
@@ -68,27 +68,8 @@ void __nftnl_assert_attr_exists(uint16_t attr, uint16_t attr_max,
#define array_size(arr) (sizeof(arr) / sizeof((arr)[0]) + __must_be_array(arr))
const char *nftnl_family2str(uint32_t family);
-int nftnl_str2family(const char *family);
-
-enum nftnl_type {
- NFTNL_TYPE_U8,
- NFTNL_TYPE_U16,
- NFTNL_TYPE_U32,
- NFTNL_TYPE_U64,
- NFTNL_TYPE_S8,
- NFTNL_TYPE_S16,
- NFTNL_TYPE_S32,
- NFTNL_TYPE_S64,
-};
-
-int nftnl_strtoi(const char *string, int base, void *number, enum nftnl_type type);
-int nftnl_get_value(enum nftnl_type type, void *val, void *out);
const char *nftnl_verdict2str(uint32_t verdict);
-int nftnl_str2verdict(const char *verdict, int *verdict_num);
-
-const char *nftnl_cmd2tag(enum nftnl_cmd_type cmd);
-uint32_t nftnl_str2cmd(const char *cmd);
enum nftnl_cmd_type nftnl_flag2cmd(uint32_t flags);
@@ -98,4 +79,7 @@ int nftnl_fprintf(FILE *fpconst, const void *obj, uint32_t cmd, uint32_t type,
uint32_t cmd, uint32_t type,
uint32_t flags));
+int nftnl_set_str_attr(const char **dptr, uint32_t *flags,
+ uint16_t attr, const void *data, uint32_t data_len);
+
#endif
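Review bot: `nftnl_set_str_attr` is added to the shared header without a comment, and its semantics are only inferable from chain.c, where it replaces the free-if-flagged / strdup / return -1 sequence and the callers return its result straight out of the switch, so it presumably also sets `1 << attr` in `*flags`. Since `nftnl_chain_validate` has no entry for string attributes, the `data_len` reaching it is whatever the caller passed, and the comment should say whether the helper bounds the copy by it or ignores it. Something like `/* Replace *dptr with a copy of data (at most data_len bytes, NUL-terminated), freeing the old value if 1 << attr is set in *flags, then set that flag; -1 on allocation failure. */`, adjusted to what utils.c actually does, would do.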
diff --git a/src/Makefile.am b/src/Makefile.am
index c3b0ab9..1c38d00 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -17,6 +17,7 @@ libnftnl_la_SOURCES = utils.c \
rule.c \
set.c \
set_elem.c \
+ str_array.c \
ruleset.c \
udata.c \
expr.c \
@@ -40,6 +41,7 @@ libnftnl_la_SOURCES = utils.c \
expr/lookup.c \
expr/dynset.c \
expr/immediate.c \
+ expr/inner.c \
expr/match.c \
expr/meta.c \
expr/numgen.c \
diff --git a/src/batch.c b/src/batch.c
index 8a9c6f9..2fca5fc 100644
--- a/src/batch.c
+++ b/src/batch.c
@@ -1,10 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* Copyright (c) 2013-2015 Pablo Neira Ayuso <pablo@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include "internal.h"
diff --git a/src/chain.c b/src/chain.c
index cb5ec6b..895108c 100644
--- a/src/chain.c
+++ b/src/chain.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012-2013 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This code has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
#include "internal.h"
@@ -37,8 +33,7 @@ struct nftnl_chain {
const char *type;
const char *table;
const char *dev;
- const char **dev_array;
- int dev_array_len;
+ struct nftnl_str_array dev_array;
uint32_t family;
uint32_t policy;
uint32_t hooknum;
@@ -117,7 +112,6 @@ EXPORT_SYMBOL(nftnl_chain_free);
void nftnl_chain_free(const struct nftnl_chain *c)
{
struct nftnl_rule *r, *tmp;
- int i;
list_for_each_entry_safe(r, tmp, &c->rule_list, head)
nftnl_rule_free(r);
@@ -132,12 +126,8 @@ void nftnl_chain_free(const struct nftnl_chain *c)
xfree(c->dev);
if (c->flags & (1 << NFTNL_CHAIN_USERDATA))
xfree(c->user.data);
- if (c->flags & (1 << NFTNL_CHAIN_DEVICES)) {
- for (i = 0; i < c->dev_array_len; i++)
- xfree(c->dev_array[i]);
-
- xfree(c->dev_array);
- }
+ if (c->flags & (1 << NFTNL_CHAIN_DEVICES))
+ nftnl_str_array_clear((struct nftnl_str_array *)&c->dev_array);
xfree(c);
}
@@ -150,8 +140,6 @@ bool nftnl_chain_is_set(const struct nftnl_chain *c, uint16_t attr)
EXPORT_SYMBOL(nftnl_chain_unset);
void nftnl_chain_unset(struct nftnl_chain *c, uint16_t attr)
{
- int i;
-
if (!(c->flags & (1 << attr)))
return;
@@ -181,9 +169,10 @@ void nftnl_chain_unset(struct nftnl_chain *c, uint16_t attr)
xfree(c->dev);
break;
case NFTNL_CHAIN_DEVICES:
- for (i = 0; i < c->dev_array_len; i++)
- xfree(c->dev_array[i]);
- xfree(c->dev_array);
+ nftnl_str_array_clear(&c->dev_array);
+ break;
+ case NFTNL_CHAIN_USERDATA:
+ xfree(c->user.data);
break;
default:
return;
@@ -196,6 +185,7 @@ static uint32_t nftnl_chain_validate[NFTNL_CHAIN_MAX + 1] = {
[NFTNL_CHAIN_HOOKNUM] = sizeof(uint32_t),
[NFTNL_CHAIN_PRIO] = sizeof(int32_t),
[NFTNL_CHAIN_POLICY] = sizeof(uint32_t),
+ [NFTNL_CHAIN_USE] = sizeof(uint32_t),
[NFTNL_CHAIN_BYTES] = sizeof(uint64_t),
[NFTNL_CHAIN_PACKETS] = sizeof(uint64_t),
[NFTNL_CHAIN_HANDLE] = sizeof(uint64_t),
@@ -208,29 +198,16 @@ EXPORT_SYMBOL(nftnl_chain_set_data);
int nftnl_chain_set_data(struct nftnl_chain *c, uint16_t attr,
const void *data, uint32_t data_len)
{
- const char **dev_array;
- int len = 0, i;
-
nftnl_assert_attr_exists(attr, NFTNL_CHAIN_MAX);
nftnl_assert_validate(data, nftnl_chain_validate, attr, data_len);
switch(attr) {
case NFTNL_CHAIN_NAME:
- if (c->flags & (1 << NFTNL_CHAIN_NAME))
- xfree(c->name);
-
- c->name = strdup(data);
- if (!c->name)
- return -1;
- break;
+ return nftnl_set_str_attr(&c->name, &c->flags,
+ attr, data, data_len);
case NFTNL_CHAIN_TABLE:
- if (c->flags & (1 << NFTNL_CHAIN_TABLE))
- xfree(c->table);
-
- c->table = strdup(data);
- if (!c->table)
- return -1;
- break;
+ return nftnl_set_str_attr(&c->table, &c->flags,
+ attr, data, data_len);
case NFTNL_CHAIN_HOOKNUM:
memcpy(&c->hooknum, data, sizeof(c->hooknum));
break;
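Review bot: The NAME and TABLE cases now `return` from inside the switch, so whatever follows the switch in `nftnl_chain_set_data` (outside this hunk, presumably the `c->flags |= (1 << attr)` the old code relied on) no longer runs for them, while the DEVICES case at the end of the next hunk still `break`s and depends on it; that is only correct if `nftnl_set_str_attr` sets the flag bit itself, which its `&c->flags` parameter suggests but which is not visible here. A one-line comment at the first such case, e.g. `/* nftnl_set_str_attr() sets the flag bit, skip the common tail */`, would make the asymmetry deliberate rather than accidental. The same pattern appears in the second hunk of this function (TYPE and DEV).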
@@ -256,40 +233,14 @@ int nftnl_chain_set_data(struct nftnl_chain *c, uint16_t attr,
memcpy(&c->family, data, sizeof(c->family));
break;
case NFTNL_CHAIN_TYPE:
- if (c->flags & (1 << NFTNL_CHAIN_TYPE))
- xfree(c->type);
-
- c->type = strdup(data);
- if (!c->type)
- return -1;
- break;
+ return nftnl_set_str_attr(&c->type, &c->flags,
+ attr, data, data_len);
case NFTNL_CHAIN_DEV:
- if (c->flags & (1 << NFTNL_CHAIN_DEV))
- xfree(c->dev);
-
- c->dev = strdup(data);
- if (!c->dev)
- return -1;
- break;
+ return nftnl_set_str_attr(&c->dev, &c->flags,
+ attr, data, data_len);
case NFTNL_CHAIN_DEVICES:
- dev_array = (const char **)data;
- while (dev_array[len] != NULL)
- len++;
-
- if (c->flags & (1 << NFTNL_CHAIN_DEVICES)) {
- for (i = 0; i < c->dev_array_len; i++)
- xfree(c->dev_array[i]);
- xfree(c->dev_array);
- }
-
- c->dev_array = calloc(len + 1, sizeof(char *));
- if (!c->dev_array)
+ if (nftnl_str_array_set(&c->dev_array, data) < 0)
return -1;
-
- for (i = 0; i < len; i++)
- c->dev_array[i] = strdup(dev_array[i]);
-
- c->dev_array_len = len;
break;
case NFTNL_CHAIN_FLAGS:
memcpy(&c->chain_flags, data, sizeof(c->chain_flags));
@@ -401,7 +352,7 @@ const void *nftnl_chain_get_data(const struct nftnl_chain *c, uint16_t attr,
return c->dev;
case NFTNL_CHAIN_DEVICES:
*data_len = 0;
- return &c->dev_array[0];
+ return c->dev_array.array;
case NFTNL_CHAIN_FLAGS:
*data_len = sizeof(uint32_t);
return &c->chain_flags;
@@ -486,40 +437,49 @@ const char *const *nftnl_chain_get_array(const struct nftnl_chain *c, uint16_t a
EXPORT_SYMBOL(nftnl_chain_nlmsg_build_payload);
void nftnl_chain_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nftnl_chain *c)
{
+ struct nlattr *nest = NULL;
int i;
if (c->flags & (1 << NFTNL_CHAIN_TABLE))
mnl_attr_put_strz(nlh, NFTA_CHAIN_TABLE, c->table);
if (c->flags & (1 << NFTNL_CHAIN_NAME))
mnl_attr_put_strz(nlh, NFTA_CHAIN_NAME, c->name);
- if ((c->flags & (1 << NFTNL_CHAIN_HOOKNUM)) &&
- (c->flags & (1 << NFTNL_CHAIN_PRIO))) {
- struct nlattr *nest;
+ if ((c->flags & (1 << NFTNL_CHAIN_HOOKNUM)) ||
+ (c->flags & (1 << NFTNL_CHAIN_PRIO)) ||
+ (c->flags & (1 << NFTNL_CHAIN_DEV)) ||
+ (c->flags & (1 << NFTNL_CHAIN_DEVICES)))
nest = mnl_attr_nest_start(nlh, NFTA_CHAIN_HOOK);
+
+ if ((c->flags & (1 << NFTNL_CHAIN_HOOKNUM)))
mnl_attr_put_u32(nlh, NFTA_HOOK_HOOKNUM, htonl(c->hooknum));
+ if ((c->flags & (1 << NFTNL_CHAIN_PRIO)))
mnl_attr_put_u32(nlh, NFTA_HOOK_PRIORITY, htonl(c->prio));
- if (c->flags & (1 << NFTNL_CHAIN_DEV))
- mnl_attr_put_strz(nlh, NFTA_HOOK_DEV, c->dev);
- else if (c->flags & (1 << NFTNL_CHAIN_DEVICES)) {
- struct nlattr *nest_dev;
-
- nest_dev = mnl_attr_nest_start(nlh, NFTA_HOOK_DEVS);
- for (i = 0; i < c->dev_array_len; i++)
- mnl_attr_put_strz(nlh, NFTA_DEVICE_NAME,
- c->dev_array[i]);
- mnl_attr_nest_end(nlh, nest_dev);
- }
- mnl_attr_nest_end(nlh, nest);
+
+ if (c->flags & (1 << NFTNL_CHAIN_DEV))
+ mnl_attr_put_strz(nlh, NFTA_HOOK_DEV, c->dev);
+ else if (c->flags & (1 << NFTNL_CHAIN_DEVICES)) {
+ struct nlattr *nest_dev;
+ const char *dev;
+
+ nest_dev = mnl_attr_nest_start(nlh, NFTA_HOOK_DEVS);
+ nftnl_str_array_foreach(dev, &c->dev_array, i)
+ mnl_attr_put_strz(nlh, NFTA_DEVICE_NAME, dev);
+ mnl_attr_nest_end(nlh, nest_dev);
}
+
+ if ((c->flags & (1 << NFTNL_CHAIN_HOOKNUM)) ||
+ (c->flags & (1 << NFTNL_CHAIN_PRIO)) ||
+ (c->flags & (1 << NFTNL_CHAIN_DEV)) ||
+ (c->flags & (1 << NFTNL_CHAIN_DEVICES)))
+ mnl_attr_nest_end(nlh, nest);
+
if (c->flags & (1 << NFTNL_CHAIN_POLICY))
mnl_attr_put_u32(nlh, NFTA_CHAIN_POLICY, htonl(c->policy));
if (c->flags & (1 << NFTNL_CHAIN_USE))
mnl_attr_put_u32(nlh, NFTA_CHAIN_USE, htonl(c->use));
if ((c->flags & (1 << NFTNL_CHAIN_PACKETS)) &&
(c->flags & (1 << NFTNL_CHAIN_BYTES))) {
- struct nlattr *nest;
-
nest = mnl_attr_nest_start(nlh, NFTA_CHAIN_COUNTERS);
mnl_attr_put_u64(nlh, NFTA_COUNTER_PACKETS, be64toh(c->packets));
mnl_attr_put_u64(nlh, NFTA_COUNTER_BYTES, be64toh(c->bytes));
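Review bot: The four-way flag test that decides whether to open the NFTA_CHAIN_HOOK nest is written out twice, once before `mnl_attr_nest_start` and again before `mnl_attr_nest_end`, and the two copies must be kept in sync by hand; computing it once into a local removes that coupling and reads better. Note also that this widens the old behaviour, which only emitted the nest when both HOOKNUM and PRIO were set — a chain with only DEV or DEVICES set now sends a hook nest without a hooknum, presumably intended for device updates but worth a comment. The function body continues past this hunk.
```c
void nftnl_chain_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nftnl_chain *c)
{
	struct nlattr *nest = NULL;
	/* the hook nest carries hooknum, priority and device(s);
	 * open it whenever any of them is set */
	const bool hook_nest = c->flags & ((1 << NFTNL_CHAIN_HOOKNUM) |
					   (1 << NFTNL_CHAIN_PRIO) |
					   (1 << NFTNL_CHAIN_DEV) |
					   (1 << NFTNL_CHAIN_DEVICES));
	int i;

	/* … unchanged: NFTA_CHAIN_TABLE and NFTA_CHAIN_NAME … */

	if (hook_nest)
		nest = mnl_attr_nest_start(nlh, NFTA_CHAIN_HOOK);

	/* … unchanged: NFTA_HOOK_HOOKNUM, NFTA_HOOK_PRIORITY, NFTA_HOOK_DEV / NFTA_HOOK_DEVS … */

	if (hook_nest)
		mnl_attr_nest_end(nlh, nest);

	/* … unchanged: policy, use, counters … */
```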
@@ -671,42 +631,6 @@ static int nftnl_chain_parse_hook_cb(const struct nlattr *attr, void *data)
return MNL_CB_OK;
}
-static int nftnl_chain_parse_devs(struct nlattr *nest, struct nftnl_chain *c)
-{
- const char **dev_array, **tmp;
- int len = 0, size = 8;
- struct nlattr *attr;
-
- dev_array = calloc(8, sizeof(char *));
- if (!dev_array)
- return -1;
-
- mnl_attr_for_each_nested(attr, nest) {
- if (mnl_attr_get_type(attr) != NFTA_DEVICE_NAME)
- goto err;
- dev_array[len++] = strdup(mnl_attr_get_str(attr));
- if (len >= size) {
- tmp = realloc(dev_array, size * 2 * sizeof(char *));
- if (!tmp)
- goto err;
-
- size *= 2;
- memset(&tmp[len], 0, (size - len) * sizeof(char *));
- dev_array = tmp;
- }
- }
-
- c->dev_array = dev_array;
- c->dev_array_len = len;
-
- return 0;
-err:
- while (len--)
- xfree(dev_array[len]);
- xfree(dev_array);
- return -1;
-}
-
static int nftnl_chain_parse_hook(struct nlattr *attr, struct nftnl_chain *c)
{
struct nlattr *tb[NFTA_HOOK_MAX+1] = {};
@@ -730,7 +654,7 @@ static int nftnl_chain_parse_hook(struct nlattr *attr, struct nftnl_chain *c)
c->flags |= (1 << NFTNL_CHAIN_DEV);
}
if (tb[NFTA_HOOK_DEVS]) {
- ret = nftnl_chain_parse_devs(tb[NFTA_HOOK_DEVS], c);
+ ret = nftnl_parse_devs(&c->dev_array, tb[NFTA_HOOK_DEVS]);
if (ret < 0)
return -1;
c->flags |= (1 << NFTNL_CHAIN_DEVICES);
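Review bot: `nftnl_parse_devs` replaces the removed `nftnl_chain_parse_devs`, which called `mnl_attr_get_str` on each nested attribute without `mnl_attr_validate(attr, MNL_TYPE_NUL_STRING)` and never checked its `strdup` results; str_array.c is not in this chunk, so please confirm the new helper validates each NFTA_DEVICE_NAME as a NUL-terminated string before copying it and fails cleanly on allocation failure. It is also worth confirming what happens when `c->dev_array` is already populated (NFTNL_CHAIN_DEVICES set by an earlier parse), since the old code simply overwrote the pointer and leaked. `nftnl_chain_parse_hook` starts and ends outside this hunk.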
@@ -815,21 +739,11 @@ int nftnl_chain_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_chain *c)
return ret;
}
-static inline int nftnl_str2hooknum(int family, const char *hook)
-{
- int hooknum;
-
- for (hooknum = 0; hooknum < NF_INET_NUMHOOKS; hooknum++) {
- if (strcmp(hook, nftnl_hooknum2str(family, hooknum)) == 0)
- return hooknum;
- }
- return -1;
-}
-
static int nftnl_chain_snprintf_default(char *buf, size_t remain,
const struct nftnl_chain *c)
{
int ret, offset = 0, i;
+ const char *dev;
ret = snprintf(buf, remain, "%s %s %s use %u",
nftnl_family2str(c->family), c->table, c->name, c->use);
@@ -861,9 +775,9 @@ static int nftnl_chain_snprintf_default(char *buf, size_t remain,
ret = snprintf(buf + offset, remain, " dev { ");
SNPRINTF_BUFFER_SIZE(ret, remain, offset);
- for (i = 0; i < c->dev_array_len; i++) {
+ nftnl_str_array_foreach(dev, &c->dev_array, i) {
ret = snprintf(buf + offset, remain, " %s ",
- c->dev_array[i]);
+ dev);
SNPRINTF_BUFFER_SIZE(ret, remain, offset);
}
ret = snprintf(buf + offset, remain, " } ");
diff --git a/src/common.c b/src/common.c
index 2d83c12..e661227 100644
--- a/src/common.c
+++ b/src/common.c
@@ -1,15 +1,12 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012-2013 by Pablo Neira Ayuso <pablo@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include <stdlib.h>
#include <sys/socket.h>
#include <time.h>
+#include <arpa/inet.h>
#include <linux/netlink.h>
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nf_tables.h>
@@ -37,7 +34,7 @@ static struct nlmsghdr *__nftnl_nlmsg_build_hdr(char *buf, uint16_t type,
nfh = mnl_nlmsg_put_extra_header(nlh, sizeof(struct nfgenmsg));
nfh->nfgen_family = family;
nfh->version = NFNETLINK_V0;
- nfh->res_id = res_id;
+ nfh->res_id = htons(res_id);
return nlh;
}
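Review bot: `nfh->res_id = htons(res_id)` changes the wire encoding for every caller of `__nftnl_nlmsg_build_hdr`, so any call site that was already passing a network-order value (the batch begin/end builders are outside this chunk) would now be swapped twice; each caller deserves a quick check. A comment on the parameter, `/* res_id is taken in host byte order */`, would pin the contract for future callers.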
@@ -126,9 +123,8 @@ int nftnl_batch_is_supported(void)
mnl_nlmsg_batch_next(b);
req_seq = seq;
- nftnl_set_nlmsg_build_hdr(mnl_nlmsg_batch_current(b),
- NFT_MSG_NEWSET, AF_INET,
- NLM_F_ACK, seq++);
+ nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(b), NFT_MSG_NEWSET,
+ AF_INET, NLM_F_ACK, seq++);
mnl_nlmsg_batch_next(b);
nftnl_batch_end(mnl_nlmsg_batch_current(b), seq++);
diff --git a/src/expr.c b/src/expr.c
index b4581f1..65180d6 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This code has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
#include "internal.h"
@@ -71,6 +67,16 @@ int nftnl_expr_set(struct nftnl_expr *expr, uint16_t type,
case NFTNL_EXPR_NAME: /* cannot be modified */
return 0;
default:
+ if (type < NFTNL_EXPR_BASE || type > expr->ops->nftnl_max_attr)
+ return -1;
+
+ if (!expr->ops->attr_policy)
+ return -1;
+
+ if (expr->ops->attr_policy[type].maxlen &&
+ expr->ops->attr_policy[type].maxlen < data_len)
+ return -1;
+
if (expr->ops->set(expr, type, data, data_len) < 0)
return -1;
}
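Review bot: The new length check only fires when `attr_policy[type].maxlen` is non-zero, so any attribute a backend forgets to list in its policy table is silently exempt — `bitwise_attr_policy` in this diff, for instance, has no NFTNL_EXPR_BITWISE_SREG2 entry. Since the backend setters now copy `data_len` bytes into fixed-width fields (the bitwise, byteorder, cmp, connlimit, counter and ct hunks), `maxlen` is only an upper bound: a `data_len` smaller than the field leaves it partially written rather than rejected. Once every table is complete, failing closed with `if (!expr->ops->attr_policy[type].maxlen || expr->ops->attr_policy[type].maxlen < data_len) return -1;` closes the first gap; an exact-size check for scalar attributes, or a comment stating that callers must pass the full width, would address the second. `nftnl_expr_set` starts outside this hunk.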
diff --git a/src/expr/bitwise.c b/src/expr/bitwise.c
index 2d27233..cac47a5 100644
--- a/src/expr/bitwise.c
+++ b/src/expr/bitwise.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This code has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
@@ -23,6 +19,7 @@
struct nftnl_expr_bitwise {
enum nft_registers sreg;
+ enum nft_registers sreg2;
enum nft_registers dreg;
enum nft_bitwise_ops op;
unsigned int len;
@@ -39,31 +36,26 @@ nftnl_expr_bitwise_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_BITWISE_SREG:
- memcpy(&bitwise->sreg, data, sizeof(bitwise->sreg));
+ memcpy(&bitwise->sreg, data, data_len);
+ break;
+ case NFTNL_EXPR_BITWISE_SREG2:
+ memcpy(&bitwise->sreg2, data, sizeof(bitwise->sreg2));
break;
case NFTNL_EXPR_BITWISE_DREG:
- memcpy(&bitwise->dreg, data, sizeof(bitwise->dreg));
+ memcpy(&bitwise->dreg, data, data_len);
break;
case NFTNL_EXPR_BITWISE_OP:
- memcpy(&bitwise->op, data, sizeof(bitwise->op));
+ memcpy(&bitwise->op, data, data_len);
break;
case NFTNL_EXPR_BITWISE_LEN:
- memcpy(&bitwise->len, data, sizeof(bitwise->len));
+ memcpy(&bitwise->len, data, data_len);
break;
case NFTNL_EXPR_BITWISE_MASK:
- memcpy(&bitwise->mask.val, data, data_len);
- bitwise->mask.len = data_len;
- break;
+ return nftnl_data_cpy(&bitwise->mask, data, data_len);
case NFTNL_EXPR_BITWISE_XOR:
- memcpy(&bitwise->xor.val, data, data_len);
- bitwise->xor.len = data_len;
- break;
+ return nftnl_data_cpy(&bitwise->xor, data, data_len);
case NFTNL_EXPR_BITWISE_DATA:
- memcpy(&bitwise->data.val, data, data_len);
- bitwise->data.len = data_len;
- break;
- default:
- return -1;
+ return nftnl_data_cpy(&bitwise->data, data, data_len);
}
return 0;
}
@@ -78,6 +70,9 @@ nftnl_expr_bitwise_get(const struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_BITWISE_SREG:
*data_len = sizeof(bitwise->sreg);
return &bitwise->sreg;
+ case NFTNL_EXPR_BITWISE_SREG2:
+ *data_len = sizeof(bitwise->sreg2);
+ return &bitwise->sreg2;
case NFTNL_EXPR_BITWISE_DREG:
*data_len = sizeof(bitwise->dreg);
return &bitwise->dreg;
@@ -110,6 +105,7 @@ static int nftnl_expr_bitwise_cb(const struct nlattr *attr, void *data)
switch(type) {
case NFTA_BITWISE_SREG:
+ case NFTA_BITWISE_SREG2:
case NFTA_BITWISE_DREG:
case NFTA_BITWISE_OP:
case NFTA_BITWISE_LEN:
@@ -135,6 +131,8 @@ nftnl_expr_bitwise_build(struct nlmsghdr *nlh, const struct nftnl_expr *e)
if (e->flags & (1 << NFTNL_EXPR_BITWISE_SREG))
mnl_attr_put_u32(nlh, NFTA_BITWISE_SREG, htonl(bitwise->sreg));
+ if (e->flags & (1 << NFTNL_EXPR_BITWISE_SREG2))
+ mnl_attr_put_u32(nlh, NFTA_BITWISE_SREG2, htonl(bitwise->sreg2));
if (e->flags & (1 << NFTNL_EXPR_BITWISE_DREG))
mnl_attr_put_u32(nlh, NFTA_BITWISE_DREG, htonl(bitwise->dreg));
if (e->flags & (1 << NFTNL_EXPR_BITWISE_OP))
@@ -181,6 +179,10 @@ nftnl_expr_bitwise_parse(struct nftnl_expr *e, struct nlattr *attr)
bitwise->sreg = ntohl(mnl_attr_get_u32(tb[NFTA_BITWISE_SREG]));
e->flags |= (1 << NFTNL_EXPR_BITWISE_SREG);
}
+ if (tb[NFTA_BITWISE_SREG2]) {
+ bitwise->sreg2 = ntohl(mnl_attr_get_u32(tb[NFTA_BITWISE_SREG2]));
+ e->flags |= (1 << NFTNL_EXPR_BITWISE_SREG2);
+ }
if (tb[NFTA_BITWISE_DREG]) {
bitwise->dreg = ntohl(mnl_attr_get_u32(tb[NFTA_BITWISE_DREG]));
e->flags |= (1 << NFTNL_EXPR_BITWISE_DREG);
@@ -210,8 +212,8 @@ nftnl_expr_bitwise_parse(struct nftnl_expr *e, struct nlattr *attr)
}
static int
-nftnl_expr_bitwise_snprintf_bool(char *buf, size_t remain,
- const struct nftnl_expr_bitwise *bitwise)
+nftnl_expr_bitwise_snprintf_mask_xor(char *buf, size_t remain,
+ const struct nftnl_expr_bitwise *bitwise)
{
int offset = 0, ret;
@@ -253,6 +255,31 @@ nftnl_expr_bitwise_snprintf_shift(char *buf, size_t remain, const char *op,
}
static int
+nftnl_expr_bitwise_snprintf_bool(char *buf, size_t remain, const char *op,
+ const struct nftnl_expr *e,
+ const struct nftnl_expr_bitwise *bitwise)
+{
+ int offset = 0, ret;
+
+ ret = snprintf(buf, remain, "reg %u = ( reg %u %s ",
+ bitwise->dreg, bitwise->sreg, op);
+ SNPRINTF_BUFFER_SIZE(ret, remain, offset);
+
+ if (e->flags & (1 << NFTNL_EXPR_BITWISE_SREG2))
+ ret = snprintf(buf + offset, remain, "reg %u ", bitwise->sreg2);
+ else
+ ret = nftnl_data_reg_snprintf(buf + offset, remain,
+ &bitwise->data,
+ 0, DATA_VALUE);
+ SNPRINTF_BUFFER_SIZE(ret, remain, offset);
+
+ ret = snprintf(buf + offset, remain, ") ");
+ SNPRINTF_BUFFER_SIZE(ret, remain, offset);
+
+ return offset;
+}
+
+static int
nftnl_expr_bitwise_snprintf(char *buf, size_t size,
uint32_t flags, const struct nftnl_expr *e)
{
@@ -260,24 +287,49 @@ nftnl_expr_bitwise_snprintf(char *buf, size_t size,
int err = -1;
switch (bitwise->op) {
- case NFT_BITWISE_BOOL:
- err = nftnl_expr_bitwise_snprintf_bool(buf, size, bitwise);
+ case NFT_BITWISE_MASK_XOR:
+ err = nftnl_expr_bitwise_snprintf_mask_xor(buf, size, bitwise);
break;
case NFT_BITWISE_LSHIFT:
- err = nftnl_expr_bitwise_snprintf_shift(buf, size, "<<", bitwise);
+ err = nftnl_expr_bitwise_snprintf_shift(buf, size, "<<",
+ bitwise);
break;
case NFT_BITWISE_RSHIFT:
- err = nftnl_expr_bitwise_snprintf_shift(buf, size, ">>", bitwise);
+ err = nftnl_expr_bitwise_snprintf_shift(buf, size, ">>",
+ bitwise);
+ break;
+ case NFT_BITWISE_AND:
+ err = nftnl_expr_bitwise_snprintf_bool(buf, size, "&", e,
+ bitwise);
+ break;
+ case NFT_BITWISE_OR:
+ err = nftnl_expr_bitwise_snprintf_bool(buf, size, "|", e,
+ bitwise);
+ break;
+ case NFT_BITWISE_XOR:
+ err = nftnl_expr_bitwise_snprintf_bool(buf, size, "^", e,
+ bitwise);
break;
}
return err;
}
+static struct attr_policy bitwise_attr_policy[__NFTNL_EXPR_BITWISE_MAX] = {
+ [NFTNL_EXPR_BITWISE_SREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_BITWISE_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_BITWISE_LEN] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_BITWISE_MASK] = { .maxlen = NFT_DATA_VALUE_MAXLEN },
+ [NFTNL_EXPR_BITWISE_XOR] = { .maxlen = NFT_DATA_VALUE_MAXLEN },
+ [NFTNL_EXPR_BITWISE_OP] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_BITWISE_DATA] = { .maxlen = NFT_DATA_VALUE_MAXLEN },
+};
+
struct expr_ops expr_ops_bitwise = {
.name = "bitwise",
.alloc_len = sizeof(struct nftnl_expr_bitwise),
- .max_attr = NFTA_BITWISE_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_BITWISE_MAX - 1,
+ .attr_policy = bitwise_attr_policy,
.set = nftnl_expr_bitwise_set,
.get = nftnl_expr_bitwise_get,
.parse = nftnl_expr_bitwise_parse,
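Review bot: `bitwise_attr_policy` has no entry for NFTNL_EXPR_BITWISE_SREG2, so the generic check in `nftnl_expr_set` treats it as unbounded (a zero `maxlen` skips the test); the only reason this is harmless today is that the SREG2 case in the setter still copies `sizeof(bitwise->sreg2)` instead of `data_len`, unlike its siblings. Add `[NFTNL_EXPR_BITWISE_SREG2] = { .maxlen = sizeof(uint32_t) },` to the table (assuming NFTNL_EXPR_BITWISE_SREG2 is below __NFTNL_EXPR_BITWISE_MAX, which the expr.h hunk is not in view to confirm) so the setter can then be made uniform.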
diff --git a/src/expr/byteorder.c b/src/expr/byteorder.c
index 89ed0a8..4171d06 100644
--- a/src/expr/byteorder.c
+++ b/src/expr/byteorder.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012-2013 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This code has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
@@ -37,22 +33,20 @@ nftnl_expr_byteorder_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_BYTEORDER_SREG:
- memcpy(&byteorder->sreg, data, sizeof(byteorder->sreg));
+ memcpy(&byteorder->sreg, data, data_len);
break;
case NFTNL_EXPR_BYTEORDER_DREG:
- memcpy(&byteorder->dreg, data, sizeof(byteorder->dreg));
+ memcpy(&byteorder->dreg, data, data_len);
break;
case NFTNL_EXPR_BYTEORDER_OP:
- memcpy(&byteorder->op, data, sizeof(byteorder->op));
+ memcpy(&byteorder->op, data, data_len);
break;
case NFTNL_EXPR_BYTEORDER_LEN:
- memcpy(&byteorder->len, data, sizeof(byteorder->len));
+ memcpy(&byteorder->len, data, data_len);
break;
case NFTNL_EXPR_BYTEORDER_SIZE:
- memcpy(&byteorder->size, data, sizeof(byteorder->size));
+ memcpy(&byteorder->size, data, data_len);
break;
- default:
- return -1;
}
return 0;
}
@@ -185,18 +179,6 @@ static const char *bo2str(uint32_t type)
return expr_byteorder_str[type];
}
-static inline int nftnl_str2ntoh(const char *op)
-{
- if (strcmp(op, "ntoh") == 0)
- return NFT_BYTEORDER_NTOH;
- else if (strcmp(op, "hton") == 0)
- return NFT_BYTEORDER_HTON;
- else {
- errno = EINVAL;
- return -1;
- }
-}
-
static int
nftnl_expr_byteorder_snprintf(char *buf, size_t remain,
uint32_t flags, const struct nftnl_expr *e)
@@ -212,10 +194,19 @@ nftnl_expr_byteorder_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy byteorder_attr_policy[__NFTNL_EXPR_BYTEORDER_MAX] = {
+ [NFTNL_EXPR_BYTEORDER_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_BYTEORDER_SREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_BYTEORDER_OP] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_BYTEORDER_LEN] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_BYTEORDER_SIZE] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_byteorder = {
.name = "byteorder",
.alloc_len = sizeof(struct nftnl_expr_byteorder),
- .max_attr = NFTA_BYTEORDER_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_BYTEORDER_MAX - 1,
+ .attr_policy = byteorder_attr_policy,
.set = nftnl_expr_byteorder_set,
.get = nftnl_expr_byteorder_get,
.parse = nftnl_expr_byteorder_parse,
diff --git a/src/expr/cmp.c b/src/expr/cmp.c
index f9d15bb..2908f56 100644
--- a/src/expr/cmp.c
+++ b/src/expr/cmp.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This code has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
@@ -36,17 +32,13 @@ nftnl_expr_cmp_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_CMP_SREG:
- memcpy(&cmp->sreg, data, sizeof(cmp->sreg));
+ memcpy(&cmp->sreg, data, data_len);
break;
case NFTNL_EXPR_CMP_OP:
- memcpy(&cmp->op, data, sizeof(cmp->op));
+ memcpy(&cmp->op, data, data_len);
break;
case NFTNL_EXPR_CMP_DATA:
- memcpy(&cmp->data.val, data, data_len);
- cmp->data.len = data_len;
- break;
- default:
- return -1;
+ return nftnl_data_cpy(&cmp->data, data, data_len);
}
return 0;
}
@@ -156,26 +148,6 @@ static const char *cmp2str(uint32_t op)
return expr_cmp_str[op];
}
-static inline int nftnl_str2cmp(const char *op)
-{
- if (strcmp(op, "eq") == 0)
- return NFT_CMP_EQ;
- else if (strcmp(op, "neq") == 0)
- return NFT_CMP_NEQ;
- else if (strcmp(op, "lt") == 0)
- return NFT_CMP_LT;
- else if (strcmp(op, "lte") == 0)
- return NFT_CMP_LTE;
- else if (strcmp(op, "gt") == 0)
- return NFT_CMP_GT;
- else if (strcmp(op, "gte") == 0)
- return NFT_CMP_GTE;
- else {
- errno = EINVAL;
- return -1;
- }
-}
-
static int
nftnl_expr_cmp_snprintf(char *buf, size_t remain,
uint32_t flags, const struct nftnl_expr *e)
@@ -194,10 +166,17 @@ nftnl_expr_cmp_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy cmp_attr_policy[__NFTNL_EXPR_CMP_MAX] = {
+ [NFTNL_EXPR_CMP_SREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_CMP_OP] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_CMP_DATA] = { .maxlen = NFT_DATA_VALUE_MAXLEN }
+};
+
struct expr_ops expr_ops_cmp = {
.name = "cmp",
.alloc_len = sizeof(struct nftnl_expr_cmp),
- .max_attr = NFTA_CMP_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_CMP_MAX - 1,
+ .attr_policy = cmp_attr_policy,
.set = nftnl_expr_cmp_set,
.get = nftnl_expr_cmp_get,
.parse = nftnl_expr_cmp_parse,
diff --git a/src/expr/connlimit.c b/src/expr/connlimit.c
index 549417b..02b9ecc 100644
--- a/src/expr/connlimit.c
+++ b/src/expr/connlimit.c
@@ -1,10 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2018 by Pablo Neira Ayuso <pablo@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include <stdio.h>
@@ -33,13 +29,11 @@ nftnl_expr_connlimit_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_CONNLIMIT_COUNT:
- memcpy(&connlimit->count, data, sizeof(connlimit->count));
+ memcpy(&connlimit->count, data, data_len);
break;
case NFTNL_EXPR_CONNLIMIT_FLAGS:
- memcpy(&connlimit->flags, data, sizeof(connlimit->flags));
+ memcpy(&connlimit->flags, data, data_len);
break;
- default:
- return -1;
}
return 0;
}
@@ -127,10 +121,16 @@ static int nftnl_expr_connlimit_snprintf(char *buf, size_t len,
connlimit->count, connlimit->flags);
}
+static struct attr_policy connlimit_attr_policy[__NFTNL_EXPR_CONNLIMIT_MAX] = {
+ [NFTNL_EXPR_CONNLIMIT_COUNT] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_CONNLIMIT_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_connlimit = {
.name = "connlimit",
.alloc_len = sizeof(struct nftnl_expr_connlimit),
- .max_attr = NFTA_CONNLIMIT_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_CONNLIMIT_MAX - 1,
+ .attr_policy = connlimit_attr_policy,
.set = nftnl_expr_connlimit_set,
.get = nftnl_expr_connlimit_get,
.parse = nftnl_expr_connlimit_parse,
diff --git a/src/expr/counter.c b/src/expr/counter.c
index d139a5f..80f21d7 100644
--- a/src/expr/counter.c
+++ b/src/expr/counter.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This code has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
@@ -35,13 +31,11 @@ nftnl_expr_counter_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_CTR_BYTES:
- memcpy(&ctr->bytes, data, sizeof(ctr->bytes));
+ memcpy(&ctr->bytes, data, data_len);
break;
case NFTNL_EXPR_CTR_PACKETS:
- memcpy(&ctr->pkts, data, sizeof(ctr->pkts));
+ memcpy(&ctr->pkts, data, data_len);
break;
- default:
- return -1;
}
return 0;
}
@@ -125,10 +119,16 @@ static int nftnl_expr_counter_snprintf(char *buf, size_t len,
ctr->pkts, ctr->bytes);
}
+static struct attr_policy counter_attr_policy[__NFTNL_EXPR_CTR_MAX] = {
+ [NFTNL_EXPR_CTR_PACKETS] = { .maxlen = sizeof(uint64_t) },
+ [NFTNL_EXPR_CTR_BYTES] = { .maxlen = sizeof(uint64_t) },
+};
+
struct expr_ops expr_ops_counter = {
.name = "counter",
.alloc_len = sizeof(struct nftnl_expr_counter),
- .max_attr = NFTA_COUNTER_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_CTR_MAX - 1,
+ .attr_policy = counter_attr_policy,
.set = nftnl_expr_counter_set,
.get = nftnl_expr_counter_get,
.parse = nftnl_expr_counter_parse,
diff --git a/src/expr/ct.c b/src/expr/ct.c
index f4a2aea..8f8c2a6 100644
--- a/src/expr/ct.c
+++ b/src/expr/ct.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012-2013 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This code has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
@@ -39,19 +35,17 @@ nftnl_expr_ct_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_CT_KEY:
- memcpy(&ct->key, data, sizeof(ct->key));
+ memcpy(&ct->key, data, data_len);
break;
case NFTNL_EXPR_CT_DIR:
- memcpy(&ct->dir, data, sizeof(ct->dir));
+ memcpy(&ct->dir, data, data_len);
break;
case NFTNL_EXPR_CT_DREG:
- memcpy(&ct->dreg, data, sizeof(ct->dreg));
+ memcpy(&ct->dreg, data, data_len);
break;
case NFTNL_EXPR_CT_SREG:
- memcpy(&ct->sreg, data, sizeof(ct->sreg));
+ memcpy(&ct->sreg, data, data_len);
break;
- default:
- return -1;
}
return 0;
}
@@ -177,24 +171,12 @@ static const char *ctkey2str_array[NFT_CT_MAX + 1] = {
static const char *ctkey2str(uint32_t ctkey)
{
- if (ctkey >= NFT_CT_MAX)
+ if (ctkey > NFT_CT_MAX)
return "unknown";
return ctkey2str_array[ctkey];
}
-static inline int str2ctkey(const char *ctkey)
-{
- int i;
-
- for (i = 0; i < NFT_CT_MAX; i++) {
- if (strcmp(ctkey2str_array[i], ctkey) == 0)
- return i;
- }
-
- return -1;
-}
-
static const char *ctdir2str(uint8_t ctdir)
{
switch (ctdir) {
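Review bot: The new bound `ctkey > NFT_CT_MAX` matches the table's `NFT_CT_MAX + 1` size, so index NFT_CT_MAX is now reachable as intended. Only the table's opening line is visible here; if it is designated-initialised with gaps, an unset slot is NULL and the caller will pass that to a `%s` conversion, so a cheap guard is worth adding: `const char *s = ctkey2str_array[ctkey]; return s ? s : "unknown";`.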
@@ -207,21 +189,6 @@ static const char *ctdir2str(uint8_t ctdir)
}
}
-static inline int str2ctdir(const char *str, uint8_t *ctdir)
-{
- if (strcmp(str, "original") == 0) {
- *ctdir = IP_CT_DIR_ORIGINAL;
- return 0;
- }
-
- if (strcmp(str, "reply") == 0) {
- *ctdir = IP_CT_DIR_REPLY;
- return 0;
- }
-
- return -1;
-}
-
static int
nftnl_expr_ct_snprintf(char *buf, size_t remain,
uint32_t flags, const struct nftnl_expr *e)
@@ -250,10 +217,18 @@ nftnl_expr_ct_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy ct_attr_policy[__NFTNL_EXPR_CT_MAX] = {
+ [NFTNL_EXPR_CT_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_CT_KEY] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_CT_DIR] = { .maxlen = sizeof(uint8_t) },
+ [NFTNL_EXPR_CT_SREG] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_ct = {
.name = "ct",
.alloc_len = sizeof(struct nftnl_expr_ct),
- .max_attr = NFTA_CT_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_CT_MAX - 1,
+ .attr_policy = ct_attr_policy,
.set = nftnl_expr_ct_set,
.get = nftnl_expr_ct_get,
.parse = nftnl_expr_ct_parse,
diff --git a/src/expr/data_reg.c b/src/expr/data_reg.c
index 2633a77..fd5e0d6 100644
--- a/src/expr/data_reg.c
+++ b/src/expr/data_reg.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This code has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
@@ -206,14 +202,16 @@ int nftnl_parse_data(union nftnl_data_reg *data, struct nlattr *attr, int *type)
return ret;
}
-void nftnl_free_verdict(const union nftnl_data_reg *data)
+int nftnl_data_cpy(union nftnl_data_reg *dreg, const void *src, uint32_t len)
{
- switch(data->verdict) {
- case NFT_JUMP:
- case NFT_GOTO:
- xfree(data->chain);
- break;
- default:
- break;
+ int ret = 0;
+
+ if (len > sizeof(dreg->val)) {
+ len = sizeof(dreg->val);
+ ret = -1;
}
+
+ memcpy(dreg->val, src, len);
+ dreg->len = len;
+ return ret;
}
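Review bot: nftnl_data_cpy copies a truncated value and sets dreg->len before reporting -1, so the error path leaves the register half-updated; the one caller visible in this diff (the NFTNL_EXPR_IMM_DATA case in immediate.c) simply propagates that -1, and nothing there undoes the partial write. Unless truncate-and-report is the intended contract, reject before touching dreg: `if (len > sizeof(dreg->val)) return -1;` followed by `memcpy(dreg->val, src, len); dreg->len = len; return 0;`, and drop the ret variable. Either way the function needs a header comment stating whether a failed call modifies dreg and that len is the byte count copied into val. Removing nftnl_free_verdict also drops a symbol that may be declared in a public header; this hunk does not show whether that is the case.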
diff --git a/src/expr/dup.c b/src/expr/dup.c
index a239ff3..d49cdb7 100644
--- a/src/expr/dup.c
+++ b/src/expr/dup.c
@@ -1,10 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2015 Pablo Neira Ayuso <pablo@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include <stdio.h>
@@ -32,13 +28,11 @@ static int nftnl_expr_dup_set(struct nftnl_expr *e, uint16_t type,
switch (type) {
case NFTNL_EXPR_DUP_SREG_ADDR:
- memcpy(&dup->sreg_addr, data, sizeof(dup->sreg_addr));
+ memcpy(&dup->sreg_addr, data, data_len);
break;
case NFTNL_EXPR_DUP_SREG_DEV:
- memcpy(&dup->sreg_dev, data, sizeof(dup->sreg_dev));
+ memcpy(&dup->sreg_dev, data, data_len);
break;
- default:
- return -1;
}
return 0;
}
@@ -130,10 +124,16 @@ static int nftnl_expr_dup_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy dup_attr_policy[__NFTNL_EXPR_DUP_MAX] = {
+ [NFTNL_EXPR_DUP_SREG_ADDR] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_DUP_SREG_DEV] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_dup = {
.name = "dup",
.alloc_len = sizeof(struct nftnl_expr_dup),
- .max_attr = NFTA_DUP_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_DUP_MAX - 1,
+ .attr_policy = dup_attr_policy,
.set = nftnl_expr_dup_set,
.get = nftnl_expr_dup_get,
.parse = nftnl_expr_dup_parse,
diff --git a/src/expr/dynset.c b/src/expr/dynset.c
index 5bcf1c6..40f9136 100644
--- a/src/expr/dynset.c
+++ b/src/expr/dynset.c
@@ -1,10 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* Copyright (c) 2014, 2015 Patrick McHardy <kaber@trash.net>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include "internal.h"
@@ -41,16 +37,16 @@ nftnl_expr_dynset_set(struct nftnl_expr *e, uint16_t type,
switch (type) {
case NFTNL_EXPR_DYNSET_SREG_KEY:
- memcpy(&dynset->sreg_key, data, sizeof(dynset->sreg_key));
+ memcpy(&dynset->sreg_key, data, data_len);
break;
case NFTNL_EXPR_DYNSET_SREG_DATA:
- memcpy(&dynset->sreg_data, data, sizeof(dynset->sreg_data));
+ memcpy(&dynset->sreg_data, data, data_len);
break;
case NFTNL_EXPR_DYNSET_OP:
- memcpy(&dynset->op, data, sizeof(dynset->op));
+ memcpy(&dynset->op, data, data_len);
break;
case NFTNL_EXPR_DYNSET_TIMEOUT:
- memcpy(&dynset->timeout, data, sizeof(dynset->timeout));
+ memcpy(&dynset->timeout, data, data_len);
break;
case NFTNL_EXPR_DYNSET_SET_NAME:
dynset->set_name = strdup((const char *)data);
@@ -58,7 +54,7 @@ nftnl_expr_dynset_set(struct nftnl_expr *e, uint16_t type,
return -1;
break;
case NFTNL_EXPR_DYNSET_SET_ID:
- memcpy(&dynset->set_id, data, sizeof(dynset->set_id));
+ memcpy(&dynset->set_id, data, data_len);
break;
case NFTNL_EXPR_DYNSET_EXPR:
list_for_each_entry_safe(expr, next, &dynset->expr_list, head)
@@ -68,7 +64,7 @@ nftnl_expr_dynset_set(struct nftnl_expr *e, uint16_t type,
list_add(&expr->head, &dynset->expr_list);
break;
case NFTNL_EXPR_DYNSET_FLAGS:
- memcpy(&dynset->dynset_flags, data, sizeof(dynset->dynset_flags));
+ memcpy(&dynset->dynset_flags, data, data_len);
break;
default:
return -1;
@@ -118,7 +114,7 @@ static int nftnl_expr_dynset_cb(const struct nlattr *attr, void *data)
const struct nlattr **tb = data;
int type = mnl_attr_get_type(attr);
- if (mnl_attr_type_valid(attr, NFTA_SET_MAX) < 0)
+ if (mnl_attr_type_valid(attr, NFTA_DYNSET_MAX) < 0)
return MNL_CB_OK;
switch (type) {
@@ -139,6 +135,7 @@ static int nftnl_expr_dynset_cb(const struct nlattr *attr, void *data)
abi_breakage();
break;
case NFTA_DYNSET_EXPR:
+ case NFTA_DYNSET_EXPRESSIONS:
if (mnl_attr_validate(attr, MNL_TYPE_NESTED) < 0)
abi_breakage();
break;
@@ -225,7 +222,7 @@ static int
nftnl_expr_dynset_parse(struct nftnl_expr *e, struct nlattr *attr)
{
struct nftnl_expr_dynset *dynset = nftnl_expr_data(e);
- struct nlattr *tb[NFTA_SET_MAX+1] = {};
+ struct nlattr *tb[NFTA_DYNSET_MAX+1] = {};
struct nftnl_expr *expr, *next;
int ret = 0;
@@ -363,10 +360,23 @@ static void nftnl_expr_dynset_free(const struct nftnl_expr *e)
nftnl_expr_free(expr);
}
+static struct attr_policy dynset_attr_policy[__NFTNL_EXPR_DYNSET_MAX] = {
+ [NFTNL_EXPR_DYNSET_SREG_KEY] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_DYNSET_SREG_DATA] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_DYNSET_OP] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_DYNSET_TIMEOUT] = { .maxlen = sizeof(uint64_t) },
+ [NFTNL_EXPR_DYNSET_SET_NAME] = { .maxlen = NFT_SET_MAXNAMELEN },
+ [NFTNL_EXPR_DYNSET_SET_ID] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_DYNSET_EXPR] = { .maxlen = 0 },
+ [NFTNL_EXPR_DYNSET_EXPRESSIONS] = { .maxlen = 0 },
+ [NFTNL_EXPR_DYNSET_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_dynset = {
.name = "dynset",
.alloc_len = sizeof(struct nftnl_expr_dynset),
- .max_attr = NFTA_DYNSET_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_DYNSET_MAX - 1,
+ .attr_policy = dynset_attr_policy,
.init = nftnl_expr_dynset_init,
.free = nftnl_expr_dynset_free,
.set = nftnl_expr_dynset_set,
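Review bot: `[NFTNL_EXPR_DYNSET_SET_NAME] = { .maxlen = NFT_SET_MAXNAMELEN }` bounds data_len, but the set callback copies the name with `strdup((const char *)data)` (visible in the NFTNL_EXPR_DYNSET_SET_NAME case of the set hunk above), which reads until a NUL regardless of data_len; a maxlen check alone therefore does not keep the read inside the caller's buffer unless the generic layer also verifies termination, which this diff does not show. A bounded copy such as `strndup(data, data_len)` would make the policy sufficient on its own. The same applies to flow_offload.c (NFT_NAME_MAXLEN), immediate.c (NFT_CHAIN_MAXNAMELEN) and log.c (NF_LOG_PREFIXLEN). The `.maxlen = 0` entries for EXPR and EXPRESSIONS would benefit from a one-line comment saying whether 0 means "no length check" or "no inline data accepted".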
diff --git a/src/expr/exthdr.c b/src/expr/exthdr.c
index 739c7ff..ddebe43 100644
--- a/src/expr/exthdr.c
+++ b/src/expr/exthdr.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012-2013 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This code has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
@@ -46,28 +42,26 @@ nftnl_expr_exthdr_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_EXTHDR_DREG:
- memcpy(&exthdr->dreg, data, sizeof(exthdr->dreg));
+ memcpy(&exthdr->dreg, data, data_len);
break;
case NFTNL_EXPR_EXTHDR_TYPE:
- memcpy(&exthdr->type, data, sizeof(exthdr->type));
+ memcpy(&exthdr->type, data, data_len);
break;
case NFTNL_EXPR_EXTHDR_OFFSET:
- memcpy(&exthdr->offset, data, sizeof(exthdr->offset));
+ memcpy(&exthdr->offset, data, data_len);
break;
case NFTNL_EXPR_EXTHDR_LEN:
- memcpy(&exthdr->len, data, sizeof(exthdr->len));
+ memcpy(&exthdr->len, data, data_len);
break;
case NFTNL_EXPR_EXTHDR_OP:
- memcpy(&exthdr->op, data, sizeof(exthdr->op));
+ memcpy(&exthdr->op, data, data_len);
break;
case NFTNL_EXPR_EXTHDR_FLAGS:
- memcpy(&exthdr->flags, data, sizeof(exthdr->flags));
+ memcpy(&exthdr->flags, data, data_len);
break;
case NFTNL_EXPR_EXTHDR_SREG:
- memcpy(&exthdr->sreg, data, sizeof(exthdr->sreg));
+ memcpy(&exthdr->sreg, data, data_len);
break;
- default:
- return -1;
}
return 0;
}
@@ -208,33 +202,6 @@ static const char *op2str(uint8_t op)
}
}
-static inline int str2exthdr_op(const char* str)
-{
- if (!strcmp(str, "tcpopt"))
- return NFT_EXTHDR_OP_TCPOPT;
- if (!strcmp(str, "ipv4"))
- return NFT_EXTHDR_OP_IPV4;
-
- /* if str == "ipv6" or anything else */
- return NFT_EXTHDR_OP_IPV6;
-}
-
-static inline int str2exthdr_type(const char *str)
-{
- if (strcmp(str, "hopopts") == 0)
- return IPPROTO_HOPOPTS;
- else if (strcmp(str, "routing") == 0)
- return IPPROTO_ROUTING;
- else if (strcmp(str, "fragment") == 0)
- return IPPROTO_FRAGMENT;
- else if (strcmp(str, "dstopts") == 0)
- return IPPROTO_DSTOPTS;
- else if (strcmp(str, "mh") == 0)
- return IPPROTO_MH;
-
- return -1;
-}
-
static int
nftnl_expr_exthdr_snprintf(char *buf, size_t len,
uint32_t flags, const struct nftnl_expr *e)
@@ -259,10 +226,21 @@ nftnl_expr_exthdr_snprintf(char *buf, size_t len,
}
+static struct attr_policy exthdr_attr_policy[__NFTNL_EXPR_EXTHDR_MAX] = {
+ [NFTNL_EXPR_EXTHDR_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_EXTHDR_TYPE] = { .maxlen = sizeof(uint8_t) },
+ [NFTNL_EXPR_EXTHDR_OFFSET] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_EXTHDR_LEN] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_EXTHDR_FLAGS] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_EXTHDR_OP] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_EXTHDR_SREG] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_exthdr = {
.name = "exthdr",
.alloc_len = sizeof(struct nftnl_expr_exthdr),
- .max_attr = NFTA_EXTHDR_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_EXTHDR_MAX - 1,
+ .attr_policy = exthdr_attr_policy,
.set = nftnl_expr_exthdr_set,
.get = nftnl_expr_exthdr_get,
.parse = nftnl_expr_exthdr_parse,
diff --git a/src/expr/fib.c b/src/expr/fib.c
index 957f929..c378f4f 100644
--- a/src/expr/fib.c
+++ b/src/expr/fib.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2016 Red Hat GmbH
* Author: Florian Westphal <fw@strlen.de>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include <stdio.h>
@@ -35,16 +31,14 @@ nftnl_expr_fib_set(struct nftnl_expr *e, uint16_t result,
switch (result) {
case NFTNL_EXPR_FIB_RESULT:
- memcpy(&fib->result, data, sizeof(fib->result));
+ memcpy(&fib->result, data, data_len);
break;
case NFTNL_EXPR_FIB_DREG:
- memcpy(&fib->dreg, data, sizeof(fib->dreg));
+ memcpy(&fib->dreg, data, data_len);
break;
case NFTNL_EXPR_FIB_FLAGS:
- memcpy(&fib->flags, data, sizeof(fib->flags));
+ memcpy(&fib->flags, data, data_len);
break;
- default:
- return -1;
}
return 0;
}
@@ -190,10 +184,17 @@ nftnl_expr_fib_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy fib_attr_policy[__NFTNL_EXPR_FIB_MAX] = {
+ [NFTNL_EXPR_FIB_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_FIB_RESULT] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_FIB_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_fib = {
.name = "fib",
.alloc_len = sizeof(struct nftnl_expr_fib),
- .max_attr = NFTA_FIB_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_FIB_MAX - 1,
+ .attr_policy = fib_attr_policy,
.set = nftnl_expr_fib_set,
.get = nftnl_expr_fib_get,
.parse = nftnl_expr_fib_parse,
diff --git a/src/expr/flow_offload.c b/src/expr/flow_offload.c
index 4fc0563..5f209a6 100644
--- a/src/expr/flow_offload.c
+++ b/src/expr/flow_offload.c
@@ -25,8 +25,6 @@ static int nftnl_expr_flow_set(struct nftnl_expr *e, uint16_t type,
if (!flow->table_name)
return -1;
break;
- default:
- return -1;
}
return 0;
}
@@ -111,10 +109,15 @@ static void nftnl_expr_flow_free(const struct nftnl_expr *e)
xfree(flow->table_name);
}
+static struct attr_policy flow_offload_attr_policy[__NFTNL_EXPR_FLOW_MAX] = {
+ [NFTNL_EXPR_FLOW_TABLE_NAME] = { .maxlen = NFT_NAME_MAXLEN },
+};
+
struct expr_ops expr_ops_flow = {
.name = "flow_offload",
.alloc_len = sizeof(struct nftnl_expr_flow),
- .max_attr = NFTA_FLOW_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_FLOW_MAX - 1,
+ .attr_policy = flow_offload_attr_policy,
.free = nftnl_expr_flow_free,
.set = nftnl_expr_flow_set,
.get = nftnl_expr_flow_get,
diff --git a/src/expr/fwd.c b/src/expr/fwd.c
index 51f6612..d543e22 100644
--- a/src/expr/fwd.c
+++ b/src/expr/fwd.c
@@ -1,10 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2015 Pablo Neira Ayuso <pablo@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include <stdio.h>
@@ -33,16 +29,14 @@ static int nftnl_expr_fwd_set(struct nftnl_expr *e, uint16_t type,
switch (type) {
case NFTNL_EXPR_FWD_SREG_DEV:
- memcpy(&fwd->sreg_dev, data, sizeof(fwd->sreg_dev));
+ memcpy(&fwd->sreg_dev, data, data_len);
break;
case NFTNL_EXPR_FWD_SREG_ADDR:
- memcpy(&fwd->sreg_addr, data, sizeof(fwd->sreg_addr));
+ memcpy(&fwd->sreg_addr, data, data_len);
break;
case NFTNL_EXPR_FWD_NFPROTO:
- memcpy(&fwd->nfproto, data, sizeof(fwd->nfproto));
+ memcpy(&fwd->nfproto, data, data_len);
break;
- default:
- return -1;
}
return 0;
}
@@ -150,10 +144,17 @@ static int nftnl_expr_fwd_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy fwd_attr_policy[__NFTNL_EXPR_FWD_MAX] = {
+ [NFTNL_EXPR_FWD_SREG_DEV] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_FWD_SREG_ADDR] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_FWD_NFPROTO] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_fwd = {
.name = "fwd",
.alloc_len = sizeof(struct nftnl_expr_fwd),
- .max_attr = NFTA_FWD_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_FWD_MAX - 1,
+ .attr_policy = fwd_attr_policy,
.set = nftnl_expr_fwd_set,
.get = nftnl_expr_fwd_get,
.parse = nftnl_expr_fwd_parse,
diff --git a/src/expr/hash.c b/src/expr/hash.c
index 6e2dd19..050e4b9 100644
--- a/src/expr/hash.c
+++ b/src/expr/hash.c
@@ -1,11 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2016 by Laura Garcia <nevola@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
@@ -37,25 +32,25 @@ nftnl_expr_hash_set(struct nftnl_expr *e, uint16_t type,
struct nftnl_expr_hash *hash = nftnl_expr_data(e);
switch (type) {
case NFTNL_EXPR_HASH_SREG:
- memcpy(&hash->sreg, data, sizeof(hash->sreg));
+ memcpy(&hash->sreg, data, data_len);
break;
case NFTNL_EXPR_HASH_DREG:
- memcpy(&hash->dreg, data, sizeof(hash->dreg));
+ memcpy(&hash->dreg, data, data_len);
break;
case NFTNL_EXPR_HASH_LEN:
- memcpy(&hash->len, data, sizeof(hash->len));
+ memcpy(&hash->len, data, data_len);
break;
case NFTNL_EXPR_HASH_MODULUS:
- memcpy(&hash->modulus, data, sizeof(hash->modulus));
+ memcpy(&hash->modulus, data, data_len);
break;
case NFTNL_EXPR_HASH_SEED:
- memcpy(&hash->seed, data, sizeof(hash->seed));
+ memcpy(&hash->seed, data, data_len);
break;
case NFTNL_EXPR_HASH_OFFSET:
- memcpy(&hash->offset, data, sizeof(hash->offset));
+ memcpy(&hash->offset, data, data_len);
break;
case NFTNL_EXPR_HASH_TYPE:
- memcpy(&hash->type, data, sizeof(hash->type));
+ memcpy(&hash->type, data, data_len);
break;
default:
return -1;
@@ -218,10 +213,21 @@ nftnl_expr_hash_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy hash_attr_policy[__NFTNL_EXPR_HASH_MAX] = {
+ [NFTNL_EXPR_HASH_SREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_HASH_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_HASH_LEN] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_HASH_MODULUS] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_HASH_SEED] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_HASH_OFFSET] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_HASH_TYPE] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_hash = {
.name = "hash",
.alloc_len = sizeof(struct nftnl_expr_hash),
- .max_attr = NFTA_HASH_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_HASH_MAX - 1,
+ .attr_policy = hash_attr_policy,
.set = nftnl_expr_hash_set,
.get = nftnl_expr_hash_get,
.parse = nftnl_expr_hash_parse,
diff --git a/src/expr/immediate.c b/src/expr/immediate.c
index 5d477a8..f0e0a78 100644
--- a/src/expr/immediate.c
+++ b/src/expr/immediate.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This code has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
@@ -33,14 +29,12 @@ nftnl_expr_immediate_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_IMM_DREG:
- memcpy(&imm->dreg, data, sizeof(imm->dreg));
+ memcpy(&imm->dreg, data, data_len);
break;
case NFTNL_EXPR_IMM_DATA:
- memcpy(&imm->data.val, data, data_len);
- imm->data.len = data_len;
- break;
+ return nftnl_data_cpy(&imm->data, data, data_len);
case NFTNL_EXPR_IMM_VERDICT:
- memcpy(&imm->data.verdict, data, sizeof(imm->data.verdict));
+ memcpy(&imm->data.verdict, data, data_len);
break;
case NFTNL_EXPR_IMM_CHAIN:
if (e->flags & (1 << NFTNL_EXPR_IMM_CHAIN))
@@ -51,10 +45,8 @@ nftnl_expr_immediate_set(struct nftnl_expr *e, uint16_t type,
return -1;
break;
case NFTNL_EXPR_IMM_CHAIN_ID:
- memcpy(&imm->data.chain_id, data, sizeof(uint32_t));
+ memcpy(&imm->data.chain_id, data, data_len);
break;
- default:
- return -1;
}
return 0;
}
@@ -216,14 +208,23 @@ static void nftnl_expr_immediate_free(const struct nftnl_expr *e)
{
struct nftnl_expr_immediate *imm = nftnl_expr_data(e);
- if (e->flags & (1 << NFTNL_EXPR_IMM_VERDICT))
- nftnl_free_verdict(&imm->data);
+ if (e->flags & (1 << NFTNL_EXPR_IMM_CHAIN))
+ xfree(imm->data.chain);
}
+static struct attr_policy immediate_attr_policy[__NFTNL_EXPR_IMM_MAX] = {
+ [NFTNL_EXPR_IMM_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_IMM_DATA] = { .maxlen = NFT_DATA_VALUE_MAXLEN },
+ [NFTNL_EXPR_IMM_VERDICT] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_IMM_CHAIN] = { .maxlen = NFT_CHAIN_MAXNAMELEN },
+ [NFTNL_EXPR_IMM_CHAIN_ID] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_immediate = {
.name = "immediate",
.alloc_len = sizeof(struct nftnl_expr_immediate),
- .max_attr = NFTA_IMMEDIATE_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_IMM_MAX - 1,
+ .attr_policy = immediate_attr_policy,
.free = nftnl_expr_immediate_free,
.set = nftnl_expr_immediate_set,
.get = nftnl_expr_immediate_get,
diff --git a/src/expr/inner.c b/src/expr/inner.c
new file mode 100644
index 0000000..8a56bb3
--- /dev/null
+++ b/src/expr/inner.c
@@ -0,0 +1,216 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * (C) 2012-2022 by Pablo Neira Ayuso <pablo@netfilter.org>
+ */
+
+#include "internal.h"
+
+#include <stdio.h>
+#include <stdint.h>
+#include <string.h>
+#include <limits.h>
+#include <arpa/inet.h>
+#include <errno.h>
+#include <libmnl/libmnl.h>
+
+#include <linux/netfilter/nf_tables.h>
+
+#include <libnftnl/expr.h>
+#include <libnftnl/rule.h>
+
+struct nftnl_expr_inner {
+ uint32_t type;
+ uint32_t flags;
+ uint32_t hdrsize;
+ struct nftnl_expr *expr;
+};
+
+static void nftnl_expr_inner_free(const struct nftnl_expr *e)
+{
+ struct nftnl_expr_inner *inner = nftnl_expr_data(e);
+
+ if (inner->expr)
+ nftnl_expr_free(inner->expr);
+}
+
+static int
+nftnl_expr_inner_set(struct nftnl_expr *e, uint16_t type,
+ const void *data, uint32_t data_len)
+{
+ struct nftnl_expr_inner *inner = nftnl_expr_data(e);
+
+ switch(type) {
+ case NFTNL_EXPR_INNER_TYPE:
+ memcpy(&inner->type, data, data_len);
+ break;
+ case NFTNL_EXPR_INNER_FLAGS:
+ memcpy(&inner->flags, data, data_len);
+ break;
+ case NFTNL_EXPR_INNER_HDRSIZE:
+ memcpy(&inner->hdrsize, data, data_len);
+ break;
+ case NFTNL_EXPR_INNER_EXPR:
+ if (inner->expr)
+ nftnl_expr_free(inner->expr);
+
+ inner->expr = (void *)data;
+ break;
+ }
+ return 0;
+}
+
+static const void *
+nftnl_expr_inner_get(const struct nftnl_expr *e, uint16_t type,
+ uint32_t *data_len)
+{
+ struct nftnl_expr_inner *inner = nftnl_expr_data(e);
+
+ switch(type) {
+ case NFTNL_EXPR_INNER_FLAGS:
+ *data_len = sizeof(inner->flags);
+ return &inner->flags;
+ case NFTNL_EXPR_INNER_TYPE:
+ *data_len = sizeof(inner->type);
+ return &inner->type;
+ case NFTNL_EXPR_INNER_HDRSIZE:
+ *data_len = sizeof(inner->hdrsize);
+ return &inner->hdrsize;
+ case NFTNL_EXPR_INNER_EXPR:
+ return inner->expr;
+ }
+ return NULL;
+}
+
+static void
+nftnl_expr_inner_build(struct nlmsghdr *nlh, const struct nftnl_expr *e)
+{
+ struct nftnl_expr_inner *inner = nftnl_expr_data(e);
+ struct nlattr *nest;
+
+ mnl_attr_put_u32(nlh, NFTA_INNER_NUM, htonl(0));
+ if (e->flags & (1 << NFTNL_EXPR_INNER_TYPE))
+ mnl_attr_put_u32(nlh, NFTA_INNER_TYPE, htonl(inner->type));
+ if (e->flags & (1 << NFTNL_EXPR_INNER_FLAGS))
+ mnl_attr_put_u32(nlh, NFTA_INNER_FLAGS, htonl(inner->flags));
+ if (e->flags & (1 << NFTNL_EXPR_INNER_HDRSIZE))
+ mnl_attr_put_u32(nlh, NFTA_INNER_HDRSIZE, htonl(inner->hdrsize));
+ if (e->flags & (1 << NFTNL_EXPR_INNER_EXPR)) {
+ nest = mnl_attr_nest_start(nlh, NFTA_INNER_EXPR);
+ nftnl_expr_build_payload(nlh, inner->expr);
+ mnl_attr_nest_end(nlh, nest);
+ }
+}
+
+static int nftnl_inner_parse_cb(const struct nlattr *attr, void *data)
+{
+ const struct nlattr **tb = data;
+ int type = mnl_attr_get_type(attr);
+
+ if (mnl_attr_type_valid(attr, NFTA_INNER_MAX) < 0)
+ return MNL_CB_OK;
+
+ switch(type) {
+ case NFTA_INNER_NUM:
+ case NFTA_INNER_TYPE:
+ case NFTA_INNER_HDRSIZE:
+ case NFTA_INNER_FLAGS:
+ if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
+ abi_breakage();
+ break;
+ case NFTA_INNER_EXPR:
+ if (mnl_attr_validate(attr, MNL_TYPE_NESTED) < 0)
+ abi_breakage();
+ break;
+ }
+
+ tb[type] = attr;
+
+ return MNL_CB_OK;
+}
+
+static int
+nftnl_expr_inner_parse(struct nftnl_expr *e, struct nlattr *attr)
+{
+ struct nftnl_expr_inner *inner = nftnl_expr_data(e);
+ struct nlattr *tb[NFTA_INNER_MAX + 1] = {};
+ struct nftnl_expr *expr;
+ int err;
+
+ err = mnl_attr_parse_nested(attr, nftnl_inner_parse_cb, tb);
+ if (err < 0)
+ return err;
+
+ if (tb[NFTA_INNER_HDRSIZE]) {
+ inner->hdrsize =
+ ntohl(mnl_attr_get_u32(tb[NFTA_INNER_HDRSIZE]));
+ e->flags |= (1 << NFTNL_EXPR_INNER_HDRSIZE);
+ }
+ if (tb[NFTA_INNER_FLAGS]) {
+ inner->flags =
+ ntohl(mnl_attr_get_u32(tb[NFTA_INNER_FLAGS]));
+ e->flags |= (1 << NFTNL_EXPR_INNER_FLAGS);
+ }
+ if (tb[NFTA_INNER_TYPE]) {
+ inner->type =
+ ntohl(mnl_attr_get_u32(tb[NFTA_INNER_TYPE]));
+ e->flags |= (1 << NFTNL_EXPR_INNER_TYPE);
+ }
+ if (tb[NFTA_INNER_EXPR]) {
+ expr = nftnl_expr_parse(tb[NFTA_INNER_EXPR]);
+ if (!expr)
+ return -1;
+
+ if (inner->expr)
+ nftnl_expr_free(inner->expr);
+
+ inner->expr = expr;
+ e->flags |= (1 << NFTNL_EXPR_INNER_EXPR);
+ }
+
+ return 0;
+}
+
+static int
+nftnl_expr_inner_snprintf(char *buf, size_t remain, uint32_t flags,
+ const struct nftnl_expr *e)
+{
+ struct nftnl_expr_inner *inner = nftnl_expr_data(e);
+ uint32_t offset = 0;
+ int ret;
+
+ ret = snprintf(buf, remain, "type %u hdrsize %u flags %x [",
+ inner->type, inner->hdrsize, inner->flags);
+ SNPRINTF_BUFFER_SIZE(ret, remain, offset);
+
+ ret = snprintf(buf + offset, remain, " %s ", inner->expr->ops->name);
+ SNPRINTF_BUFFER_SIZE(ret, remain, offset);
+
+ ret = nftnl_expr_snprintf(buf + offset, remain, inner->expr,
+ NFTNL_OUTPUT_DEFAULT, 0);
+ SNPRINTF_BUFFER_SIZE(ret, remain, offset);
+
+ ret = snprintf(buf + offset, remain, "] ");
+ SNPRINTF_BUFFER_SIZE(ret, remain, offset);
+
+ return offset;
+}
+
+static struct attr_policy inner_attr_policy[__NFTNL_EXPR_INNER_MAX] = {
+ [NFTNL_EXPR_INNER_TYPE] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_INNER_FLAGS] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_INNER_HDRSIZE] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_INNER_EXPR] = { .maxlen = 0 },
+};
+
+struct expr_ops expr_ops_inner = {
+ .name = "inner",
+ .alloc_len = sizeof(struct nftnl_expr_inner),
+ .nftnl_max_attr = __NFTNL_EXPR_INNER_MAX - 1,
+ .attr_policy = inner_attr_policy,
+ .free = nftnl_expr_inner_free,
+ .set = nftnl_expr_inner_set,
+ .get = nftnl_expr_inner_get,
+ .parse = nftnl_expr_inner_parse,
+ .build = nftnl_expr_inner_build,
+ .output = nftnl_expr_inner_snprintf,
+};
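Review bot: nftnl_expr_inner_snprintf dereferences `inner->expr->ops->name` unconditionally, but the nested expression is optional everywhere else in the file: parse only assigns it when NFTA_INNER_EXPR is present, set accepts the other three attributes on their own, and build guards on the NFTNL_EXPR_INNER_EXPR flag, so printing an expression without it dereferences NULL. Skipping the two nested calls when `inner->expr` is NULL fixes that, as below. Separately, the NFTNL_EXPR_INNER_EXPR case in set stores the caller's pointer (`inner->expr = (void *)data;`) and free later releases it, an ownership transfer that should be stated on that case, e.g. `/* takes ownership of the expression; released in nftnl_expr_inner_free */`; and get returns inner->expr for that type without writing `*data_len` as the other cases do, so a caller that reads the length gets an uninitialised value.
```c
	ret = snprintf(buf, remain, "type %u hdrsize %u flags %x [",
		       inner->type, inner->hdrsize, inner->flags);
	SNPRINTF_BUFFER_SIZE(ret, remain, offset);

	/* the nested expression is optional; print it only when present */
	if (inner->expr) {
		ret = snprintf(buf + offset, remain, " %s ", inner->expr->ops->name);
		SNPRINTF_BUFFER_SIZE(ret, remain, offset);

		ret = nftnl_expr_snprintf(buf + offset, remain, inner->expr,
					  NFTNL_OUTPUT_DEFAULT, 0);
		SNPRINTF_BUFFER_SIZE(ret, remain, offset);
	}

	/* … unchanged: closing "] " and return offset … */
```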
diff --git a/src/expr/last.c b/src/expr/last.c
index 641b713..427d4b5 100644
--- a/src/expr/last.c
+++ b/src/expr/last.c
@@ -1,10 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2016 by Pablo Neira Ayuso <pablo@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include <stdio.h>
@@ -32,13 +28,11 @@ static int nftnl_expr_last_set(struct nftnl_expr *e, uint16_t type,
switch (type) {
case NFTNL_EXPR_LAST_MSECS:
- memcpy(&last->msecs, data, sizeof(last->msecs));
+ memcpy(&last->msecs, data, data_len);
break;
case NFTNL_EXPR_LAST_SET:
- memcpy(&last->set, data, sizeof(last->set));
+ memcpy(&last->set, data, data_len);
break;
- default:
- return -1;
}
return 0;
}
@@ -126,10 +120,16 @@ static int nftnl_expr_last_snprintf(char *buf, size_t len,
return snprintf(buf, len, "%"PRIu64" ", last->msecs);
}
+static struct attr_policy last_attr_policy[__NFTNL_EXPR_LAST_MAX] = {
+ [NFTNL_EXPR_LAST_MSECS] = { .maxlen = sizeof(uint64_t) },
+ [NFTNL_EXPR_LAST_SET] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_last = {
.name = "last",
.alloc_len = sizeof(struct nftnl_expr_last),
- .max_attr = NFTA_LAST_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_LAST_MAX - 1,
+ .attr_policy = last_attr_policy,
.set = nftnl_expr_last_set,
.get = nftnl_expr_last_get,
.parse = nftnl_expr_last_parse,
diff --git a/src/expr/limit.c b/src/expr/limit.c
index 1870e0e..b77b27e 100644
--- a/src/expr/limit.c
+++ b/src/expr/limit.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012-2013 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This code has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
@@ -38,22 +34,20 @@ nftnl_expr_limit_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_LIMIT_RATE:
- memcpy(&limit->rate, data, sizeof(limit->rate));
+ memcpy(&limit->rate, data, data_len);
break;
case NFTNL_EXPR_LIMIT_UNIT:
- memcpy(&limit->unit, data, sizeof(limit->unit));
+ memcpy(&limit->unit, data, data_len);
break;
case NFTNL_EXPR_LIMIT_BURST:
- memcpy(&limit->burst, data, sizeof(limit->burst));
+ memcpy(&limit->burst, data, data_len);
break;
case NFTNL_EXPR_LIMIT_TYPE:
- memcpy(&limit->type, data, sizeof(limit->type));
+ memcpy(&limit->type, data, data_len);
break;
case NFTNL_EXPR_LIMIT_FLAGS:
- memcpy(&limit->flags, data, sizeof(limit->flags));
+ memcpy(&limit->flags, data, data_len);
break;
- default:
- return -1;
}
return 0;
}
@@ -160,16 +154,28 @@ nftnl_expr_limit_parse(struct nftnl_expr *e, struct nlattr *attr)
return 0;
}
-static const char *get_unit(uint64_t u)
+static const char *get_time(uint64_t seconds, uint64_t *val)
{
- switch (u) {
- case 1: return "second";
- case 60: return "minute";
- case 60 * 60: return "hour";
- case 60 * 60 * 24: return "day";
- case 60 * 60 * 24 * 7: return "week";
+ static const struct {
+ unsigned int size;
+ const char *name;
+ } units[] = {
+ { 0, "second" },
+ { 60, "minute" },
+ { 60, "hour" },
+ { 24, "day" },
+ { 7, "week" }
+ };
+ int i;
+
+ for (i = 1; i < array_size(units); i++) {
+ if (seconds % units[i].size)
+ break;
+ seconds /= units[i].size;
}
- return "error";
+ if (val)
+ *val = seconds;
+ return units[i - 1].name;
}
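Review bot: get_time() returns "week" for seconds == 0, because `0 % units[i].size` is 0 at every step and the loop runs to the end; the replaced get_unit() reported "error" for unrecognised values, so a zero unit is now printed as if it were a valid week. Guarding the divide with `if (!seconds || seconds % units[i].size) break;` stops the walk at "second" with val 0, and the author may prefer to restore an explicit error string for that case. `int i` compared against `array_size(units)` will also draw a sign-compare warning, so `size_t i` is the usual choice, and `units[0].size == 0` deserves a comment noting it is a sentinel that is never divided by because the loop starts at 1.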
static const char *limit_to_type(enum nft_limit_type type)
@@ -188,16 +194,41 @@ nftnl_expr_limit_snprintf(char *buf, size_t len,
uint32_t flags, const struct nftnl_expr *e)
{
struct nftnl_expr_limit *limit = nftnl_expr_data(e);
+ unsigned int offset = 0;
+ const char *time_unit;
+ uint64_t time_val;
+ int ret;
+
+ ret = snprintf(buf, len, "rate %"PRIu64"/", limit->rate);
+ SNPRINTF_BUFFER_SIZE(ret, len, offset);
+
+ time_unit = get_time(limit->unit, &time_val);
+ if (time_val > 1) {
+ ret = snprintf(buf + offset, len, "%"PRIu64" ", time_val);
+ SNPRINTF_BUFFER_SIZE(ret, len, offset);
+ }
- return snprintf(buf, len, "rate %"PRIu64"/%s burst %u type %s flags 0x%x ",
- limit->rate, get_unit(limit->unit), limit->burst,
- limit_to_type(limit->type), limit->flags);
+ ret = snprintf(buf + offset, len, "%s burst %u type %s flags 0x%x ",
+ time_unit, limit->burst, limit_to_type(limit->type),
+ limit->flags);
+ SNPRINTF_BUFFER_SIZE(ret, len, offset);
+
+ return offset;
}
+static struct attr_policy limit_attr_policy[__NFTNL_EXPR_LIMIT_MAX] = {
+ [NFTNL_EXPR_LIMIT_RATE] = { .maxlen = sizeof(uint64_t) },
+ [NFTNL_EXPR_LIMIT_UNIT] = { .maxlen = sizeof(uint64_t) },
+ [NFTNL_EXPR_LIMIT_BURST] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_LIMIT_TYPE] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_LIMIT_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_limit = {
.name = "limit",
.alloc_len = sizeof(struct nftnl_expr_limit),
- .max_attr = NFTA_LIMIT_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_LIMIT_MAX - 1,
+ .attr_policy = limit_attr_policy,
.set = nftnl_expr_limit_set,
.get = nftnl_expr_limit_get,
.parse = nftnl_expr_limit_parse,
diff --git a/src/expr/log.c b/src/expr/log.c
index 180d839..d4b53e6 100644
--- a/src/expr/log.c
+++ b/src/expr/log.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012-2013 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This code has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
@@ -46,22 +42,20 @@ static int nftnl_expr_log_set(struct nftnl_expr *e, uint16_t type,
return -1;
break;
case NFTNL_EXPR_LOG_GROUP:
- memcpy(&log->group, data, sizeof(log->group));
+ memcpy(&log->group, data, data_len);
break;
case NFTNL_EXPR_LOG_SNAPLEN:
- memcpy(&log->snaplen, data, sizeof(log->snaplen));
+ memcpy(&log->snaplen, data, data_len);
break;
case NFTNL_EXPR_LOG_QTHRESHOLD:
- memcpy(&log->qthreshold, data, sizeof(log->qthreshold));
+ memcpy(&log->qthreshold, data, data_len);
break;
case NFTNL_EXPR_LOG_LEVEL:
- memcpy(&log->level, data, sizeof(log->level));
+ memcpy(&log->level, data, data_len);
break;
case NFTNL_EXPR_LOG_FLAGS:
- memcpy(&log->flags, data, sizeof(log->flags));
+ memcpy(&log->flags, data, data_len);
break;
- default:
- return -1;
}
return 0;
}
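Review bot: The memcpy at each of the GROUP, SNAPLEN, QTHRESHOLD, LEVEL and FLAGS cases now writes data_len bytes into a fixed-width field, so memory safety depends entirely on nftnl_expr_set (outside this hunk) rejecting data_len > log_attr_policy[type].maxlen before dispatching here. A data_len shorter than the field, such as a u8 setter used on the uint32_t level, would presumably pass an upper-bound check and overwrite only the first data_len bytes of the field, which yields an endianness-dependent value. I would put above the switch: `/* data_len is bounded by log_attr_policy[].maxlen in nftnl_expr_set(); a shorter length overwrites only the first data_len bytes of the field */`. With the default case gone, unrecognised types now return 0, which is only safe if the caller range-checks type against nftnl_max_attr. nftnl_expr_log_set starts before this hunk.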
@@ -244,10 +238,20 @@ static void nftnl_expr_log_free(const struct nftnl_expr *e)
xfree(log->prefix);
}
+static struct attr_policy log_attr_policy[__NFTNL_EXPR_LOG_MAX] = {
+ [NFTNL_EXPR_LOG_PREFIX] = { .maxlen = NF_LOG_PREFIXLEN },
+ [NFTNL_EXPR_LOG_GROUP] = { .maxlen = sizeof(uint16_t) },
+ [NFTNL_EXPR_LOG_SNAPLEN] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_LOG_QTHRESHOLD] = { .maxlen = sizeof(uint16_t) },
+ [NFTNL_EXPR_LOG_LEVEL] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_LOG_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_log = {
.name = "log",
.alloc_len = sizeof(struct nftnl_expr_log),
- .max_attr = NFTA_LOG_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_LOG_MAX - 1,
+ .attr_policy = log_attr_policy,
.free = nftnl_expr_log_free,
.set = nftnl_expr_log_set,
.get = nftnl_expr_log_get,
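Review bot: log_attr_policy repeats the field widths as bare integer types (sizeof(uint16_t) for GROUP and QTHRESHOLD, sizeof(uint32_t) for the rest) while the memcpy in nftnl_expr_log_set trusts exactly these bounds, so a later change to a struct nftnl_expr_log member would silently turn the policy into an overflow. Expressing the bound in terms of the member, e.g. `[NFTNL_EXPR_LOG_GROUP] = { .maxlen = sizeof(((struct nftnl_expr_log *)0)->group) },` (or a small sizeof_field-style helper shared by all the tables), keeps the two from drifting. The table is never written after initialisation, so it should be `static const` if expr_ops.attr_policy is declared as a pointer to const, which puts it in read-only memory. For NFTNL_EXPR_LOG_PREFIX the set path uses strdup above this hunk, so whether NF_LOG_PREFIXLEN is compared against data_len or against the string length is decided by the caller and deserves a one-line comment on that entry.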
diff --git a/src/expr/lookup.c b/src/expr/lookup.c
index a06c338..7f85ecc 100644
--- a/src/expr/lookup.c
+++ b/src/expr/lookup.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012-2013 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This code has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
@@ -37,10 +33,10 @@ nftnl_expr_lookup_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_LOOKUP_SREG:
- memcpy(&lookup->sreg, data, sizeof(lookup->sreg));
+ memcpy(&lookup->sreg, data, data_len);
break;
case NFTNL_EXPR_LOOKUP_DREG:
- memcpy(&lookup->dreg, data, sizeof(lookup->dreg));
+ memcpy(&lookup->dreg, data, data_len);
break;
case NFTNL_EXPR_LOOKUP_SET:
lookup->set_name = strdup((const char *)data);
@@ -48,13 +44,11 @@ nftnl_expr_lookup_set(struct nftnl_expr *e, uint16_t type,
return -1;
break;
case NFTNL_EXPR_LOOKUP_SET_ID:
- memcpy(&lookup->set_id, data, sizeof(lookup->set_id));
+ memcpy(&lookup->set_id, data, data_len);
break;
case NFTNL_EXPR_LOOKUP_FLAGS:
- memcpy(&lookup->flags, data, sizeof(lookup->flags));
+ memcpy(&lookup->flags, data, data_len);
break;
- default:
- return -1;
}
return 0;
}
@@ -197,10 +191,19 @@ static void nftnl_expr_lookup_free(const struct nftnl_expr *e)
xfree(lookup->set_name);
}
+static struct attr_policy lookup_attr_policy[__NFTNL_EXPR_LOOKUP_MAX] = {
+ [NFTNL_EXPR_LOOKUP_SREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_LOOKUP_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_LOOKUP_SET] = { .maxlen = NFT_SET_MAXNAMELEN },
+ [NFTNL_EXPR_LOOKUP_SET_ID] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_LOOKUP_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_lookup = {
.name = "lookup",
.alloc_len = sizeof(struct nftnl_expr_lookup),
- .max_attr = NFTA_LOOKUP_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_LOOKUP_MAX - 1,
+ .attr_policy = lookup_attr_policy,
.free = nftnl_expr_lookup_free,
.set = nftnl_expr_lookup_set,
.get = nftnl_expr_lookup_get,
diff --git a/src/expr/masq.c b/src/expr/masq.c
index e6e528d..da4f437 100644
--- a/src/expr/masq.c
+++ b/src/expr/masq.c
@@ -1,10 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2014 by Arturo Borrero Gonzalez <arturo@debian.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include <stdio.h>
@@ -34,16 +30,14 @@ nftnl_expr_masq_set(struct nftnl_expr *e, uint16_t type,
switch (type) {
case NFTNL_EXPR_MASQ_FLAGS:
- memcpy(&masq->flags, data, sizeof(masq->flags));
+ memcpy(&masq->flags, data, data_len);
break;
case NFTNL_EXPR_MASQ_REG_PROTO_MIN:
- memcpy(&masq->sreg_proto_min, data, sizeof(masq->sreg_proto_min));
+ memcpy(&masq->sreg_proto_min, data, data_len);
break;
case NFTNL_EXPR_MASQ_REG_PROTO_MAX:
- memcpy(&masq->sreg_proto_max, data, sizeof(masq->sreg_proto_max));
+ memcpy(&masq->sreg_proto_max, data, data_len);
break;
- default:
- return -1;
}
return 0;
}
@@ -155,10 +149,17 @@ static int nftnl_expr_masq_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy masq_attr_policy[__NFTNL_EXPR_MASQ_MAX] = {
+ [NFTNL_EXPR_MASQ_FLAGS] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_MASQ_REG_PROTO_MIN] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_MASQ_REG_PROTO_MAX] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_masq = {
.name = "masq",
.alloc_len = sizeof(struct nftnl_expr_masq),
- .max_attr = NFTA_MASQ_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_MASQ_MAX - 1,
+ .attr_policy = masq_attr_policy,
.set = nftnl_expr_masq_set,
.get = nftnl_expr_masq_get,
.parse = nftnl_expr_masq_parse,
diff --git a/src/expr/match.c b/src/expr/match.c
index f472add..2c5bd6b 100644
--- a/src/expr/match.c
+++ b/src/expr/match.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This code has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
@@ -46,7 +42,7 @@ nftnl_expr_match_set(struct nftnl_expr *e, uint16_t type,
(const char *)data);
break;
case NFTNL_EXPR_MT_REV:
- memcpy(&mt->rev, data, sizeof(mt->rev));
+ memcpy(&mt->rev, data, data_len);
break;
case NFTNL_EXPR_MT_INFO:
if (e->flags & (1 << NFTNL_EXPR_MT_INFO))
@@ -55,8 +51,6 @@ nftnl_expr_match_set(struct nftnl_expr *e, uint16_t type,
mt->data = data;
mt->data_len = data_len;
break;
- default:
- return -1;
}
return 0;
}
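Review bot: `mt->data = data;` stores the caller's buffer instead of copying it, and nftnl_expr_match_free releases it (`xfree(match->data)` in the following hunk), so NFTNL_EXPR_MT_INFO transfers ownership of a heap pointer through a const void * parameter; with the explicit default case removed, that contract is now pure convention. A comment at the INFO case would make it explicit: `/* takes ownership of data; it is released by nftnl_expr_match_free() */`. The earlier lines of the INFO case, including the check for an already-set INFO, and the start of nftnl_expr_match_set are outside this hunk.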
@@ -180,10 +174,17 @@ static void nftnl_expr_match_free(const struct nftnl_expr *e)
xfree(match->data);
}
+static struct attr_policy match_attr_policy[__NFTNL_EXPR_MT_MAX] = {
+ [NFTNL_EXPR_MT_NAME] = { .maxlen = XT_EXTENSION_MAXNAMELEN },
+ [NFTNL_EXPR_MT_REV] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_MT_INFO] = { .maxlen = 0 },
+};
+
struct expr_ops expr_ops_match = {
.name = "match",
.alloc_len = sizeof(struct nftnl_expr_match),
- .max_attr = NFTA_MATCH_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_MT_MAX - 1,
+ .attr_policy = match_attr_policy,
.free = nftnl_expr_match_free,
.set = nftnl_expr_match_set,
.get = nftnl_expr_match_get,
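Review bot: `[NFTNL_EXPR_MT_INFO] = { .maxlen = 0 }` relies on an unstated convention that 0 means "no length limit" for the variable-length xt match info, which a reader cannot tell apart from "zero bytes allowed" without opening the policy check in expr.c. Add a comment on that line, `/* 0: variable-length xt_entry_match data, not bounded by the policy */`. If 0 really is the escape hatch, note that it is also the value every NFTNL_EXPR_* entry omitted from any of these tables gets by default, so a forgotten entry would presumably be unbounded rather than rejected; an explicit sentinel, or a build-time check that every entry below nftnl_max_attr is populated, would be safer.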
diff --git a/src/expr/meta.c b/src/expr/meta.c
index 96544a4..d1ff6c4 100644
--- a/src/expr/meta.c
+++ b/src/expr/meta.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This code has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
@@ -22,7 +18,7 @@
#include <libnftnl/rule.h>
#ifndef NFT_META_MAX
-#define NFT_META_MAX (NFT_META_SDIFNAME + 1)
+#define NFT_META_MAX (NFT_META_BRI_BROUTE + 1)
#endif
struct nftnl_expr_meta {
@@ -39,16 +35,14 @@ nftnl_expr_meta_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_META_KEY:
- memcpy(&meta->key, data, sizeof(meta->key));
+ memcpy(&meta->key, data, data_len);
break;
case NFTNL_EXPR_META_DREG:
- memcpy(&meta->dreg, data, sizeof(meta->dreg));
+ memcpy(&meta->dreg, data, data_len);
break;
case NFTNL_EXPR_META_SREG:
- memcpy(&meta->sreg, data, sizeof(meta->sreg));
+ memcpy(&meta->sreg, data, data_len);
break;
- default:
- return -1;
}
return 0;
}
@@ -168,6 +162,7 @@ static const char *meta_key2str_array[NFT_META_MAX] = {
[NFT_META_TIME_HOUR] = "hour",
[NFT_META_SDIF] = "sdif",
[NFT_META_SDIFNAME] = "sdifname",
+ [NFT_META_BRI_BROUTE] = "broute",
};
static const char *meta_key2str(uint8_t key)
@@ -178,19 +173,6 @@ static const char *meta_key2str(uint8_t key)
return "unknown";
}
-static inline int str2meta_key(const char *str)
-{
- int i;
-
- for (i = 0; i < NFT_META_MAX; i++) {
- if (strcmp(str, meta_key2str_array[i]) == 0)
- return i;
- }
-
- errno = EINVAL;
- return -1;
-}
-
static int
nftnl_expr_meta_snprintf(char *buf, size_t len,
uint32_t flags, const struct nftnl_expr *e)
@@ -208,10 +190,17 @@ nftnl_expr_meta_snprintf(char *buf, size_t len,
return 0;
}
+static struct attr_policy meta_attr_policy[__NFTNL_EXPR_META_MAX] = {
+ [NFTNL_EXPR_META_KEY] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_META_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_META_SREG] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_meta = {
.name = "meta",
.alloc_len = sizeof(struct nftnl_expr_meta),
- .max_attr = NFTA_META_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_META_MAX - 1,
+ .attr_policy = meta_attr_policy,
.set = nftnl_expr_meta_set,
.get = nftnl_expr_meta_get,
.parse = nftnl_expr_meta_parse,
diff --git a/src/expr/nat.c b/src/expr/nat.c
index ca727be..f7e24cb 100644
--- a/src/expr/nat.c
+++ b/src/expr/nat.c
@@ -1,12 +1,8 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012-2014 Pablo Neira Ayuso <pablo@netfilter.org>
* (C) 2012 Intel Corporation
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* Authors:
* Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
*/
@@ -42,28 +38,26 @@ nftnl_expr_nat_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_NAT_TYPE:
- memcpy(&nat->type, data, sizeof(nat->type));
+ memcpy(&nat->type, data, data_len);
break;
case NFTNL_EXPR_NAT_FAMILY:
- memcpy(&nat->family, data, sizeof(nat->family));
+ memcpy(&nat->family, data, data_len);
break;
case NFTNL_EXPR_NAT_REG_ADDR_MIN:
- memcpy(&nat->sreg_addr_min, data, sizeof(nat->sreg_addr_min));
+ memcpy(&nat->sreg_addr_min, data, data_len);
break;
case NFTNL_EXPR_NAT_REG_ADDR_MAX:
- memcpy(&nat->sreg_addr_max, data, sizeof(nat->sreg_addr_max));
+ memcpy(&nat->sreg_addr_max, data, data_len);
break;
case NFTNL_EXPR_NAT_REG_PROTO_MIN:
- memcpy(&nat->sreg_proto_min, data, sizeof(nat->sreg_proto_min));
+ memcpy(&nat->sreg_proto_min, data, data_len);
break;
case NFTNL_EXPR_NAT_REG_PROTO_MAX:
- memcpy(&nat->sreg_proto_max, data, sizeof(nat->sreg_proto_max));
+ memcpy(&nat->sreg_proto_max, data, data_len);
break;
case NFTNL_EXPR_NAT_FLAGS:
- memcpy(&nat->flags, data, sizeof(nat->flags));
+ memcpy(&nat->flags, data, data_len);
break;
- default:
- return -1;
}
return 0;
@@ -208,18 +202,6 @@ static inline const char *nat2str(uint16_t nat)
}
}
-static inline int nftnl_str2nat(const char *nat)
-{
- if (strcmp(nat, "snat") == 0)
- return NFT_NAT_SNAT;
- else if (strcmp(nat, "dnat") == 0)
- return NFT_NAT_DNAT;
- else {
- errno = EINVAL;
- return -1;
- }
-}
-
static int
nftnl_expr_nat_snprintf(char *buf, size_t remain,
uint32_t flags, const struct nftnl_expr *e)
@@ -266,10 +248,21 @@ nftnl_expr_nat_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy nat_attr_policy[__NFTNL_EXPR_NAT_MAX] = {
+ [NFTNL_EXPR_NAT_TYPE] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_NAT_FAMILY] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_NAT_REG_ADDR_MIN] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_NAT_REG_ADDR_MAX] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_NAT_REG_PROTO_MIN] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_NAT_REG_PROTO_MAX] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_NAT_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_nat = {
.name = "nat",
.alloc_len = sizeof(struct nftnl_expr_nat),
- .max_attr = NFTA_NAT_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_NAT_MAX - 1,
+ .attr_policy = nat_attr_policy,
.set = nftnl_expr_nat_set,
.get = nftnl_expr_nat_get,
.parse = nftnl_expr_nat_parse,
diff --git a/src/expr/numgen.c b/src/expr/numgen.c
index d4020a6..e3af372 100644
--- a/src/expr/numgen.c
+++ b/src/expr/numgen.c
@@ -1,11 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2016 by Laura Garcia <nevola@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
@@ -35,16 +30,16 @@ nftnl_expr_ng_set(struct nftnl_expr *e, uint16_t type,
switch (type) {
case NFTNL_EXPR_NG_DREG:
- memcpy(&ng->dreg, data, sizeof(ng->dreg));
+ memcpy(&ng->dreg, data, data_len);
break;
case NFTNL_EXPR_NG_MODULUS:
- memcpy(&ng->modulus, data, sizeof(ng->modulus));
+ memcpy(&ng->modulus, data, data_len);
break;
case NFTNL_EXPR_NG_TYPE:
- memcpy(&ng->type, data, sizeof(ng->type));
+ memcpy(&ng->type, data, data_len);
break;
case NFTNL_EXPR_NG_OFFSET:
- memcpy(&ng->offset, data, sizeof(ng->offset));
+ memcpy(&ng->offset, data, data_len);
break;
default:
return -1;
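Review bot: numgen keeps the `default: return -1;` that every sibling set callback in this commit removes (log, lookup, masq, meta, nat, objref, payload, queue, quota, range, redir, reject, rt), so unknown attribute types are rejected here and silently accepted elsewhere. Either choice is defensible, but the mix suggests the removal was a mechanical sweep that missed this file; if nftnl_expr_set's range check on type makes the default redundant, drop it here as well, otherwise keep it everywhere. The memcpy calls now copy data_len bytes into 32-bit fields and, as in the other files, depend on numgen_attr_policy's maxlen being enforced by the caller. nftnl_expr_ng_set begins before this hunk.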
@@ -172,10 +167,18 @@ nftnl_expr_ng_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy numgen_attr_policy[__NFTNL_EXPR_NG_MAX] = {
+ [NFTNL_EXPR_NG_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_NG_MODULUS] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_NG_TYPE] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_NG_OFFSET] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_ng = {
.name = "numgen",
.alloc_len = sizeof(struct nftnl_expr_ng),
- .max_attr = NFTA_NG_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_NG_MAX - 1,
+ .attr_policy = numgen_attr_policy,
.set = nftnl_expr_ng_set,
.get = nftnl_expr_ng_get,
.parse = nftnl_expr_ng_parse,
diff --git a/src/expr/objref.c b/src/expr/objref.c
index ad0688f..5fe09c2 100644
--- a/src/expr/objref.c
+++ b/src/expr/objref.c
@@ -1,10 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2016 by Pablo Neira Ayuso <pablo@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include <stdio.h>
@@ -39,7 +35,7 @@ static int nftnl_expr_objref_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_OBJREF_IMM_TYPE:
- memcpy(&objref->imm.type, data, sizeof(objref->imm.type));
+ memcpy(&objref->imm.type, data, data_len);
break;
case NFTNL_EXPR_OBJREF_IMM_NAME:
objref->imm.name = strdup(data);
@@ -47,7 +43,7 @@ static int nftnl_expr_objref_set(struct nftnl_expr *e, uint16_t type,
return -1;
break;
case NFTNL_EXPR_OBJREF_SET_SREG:
- memcpy(&objref->set.sreg, data, sizeof(objref->set.sreg));
+ memcpy(&objref->set.sreg, data, data_len);
break;
case NFTNL_EXPR_OBJREF_SET_NAME:
objref->set.name = strdup(data);
@@ -55,10 +51,8 @@ static int nftnl_expr_objref_set(struct nftnl_expr *e, uint16_t type,
return -1;
break;
case NFTNL_EXPR_OBJREF_SET_ID:
- memcpy(&objref->set.id, data, sizeof(objref->set.id));
+ memcpy(&objref->set.id, data, data_len);
break;
- default:
- return -1;
}
return 0;
}
@@ -196,10 +190,19 @@ static void nftnl_expr_objref_free(const struct nftnl_expr *e)
xfree(objref->set.name);
}
+static struct attr_policy objref_attr_policy[__NFTNL_EXPR_OBJREF_MAX] = {
+ [NFTNL_EXPR_OBJREF_IMM_TYPE] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_OBJREF_IMM_NAME] = { .maxlen = NFT_NAME_MAXLEN },
+ [NFTNL_EXPR_OBJREF_SET_SREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_OBJREF_SET_NAME] = { .maxlen = NFT_NAME_MAXLEN },
+ [NFTNL_EXPR_OBJREF_SET_ID] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_objref = {
.name = "objref",
.alloc_len = sizeof(struct nftnl_expr_objref),
- .max_attr = NFTA_OBJREF_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_OBJREF_MAX - 1,
+ .attr_policy = objref_attr_policy,
.free = nftnl_expr_objref_free,
.set = nftnl_expr_objref_set,
.get = nftnl_expr_objref_get,
diff --git a/src/expr/osf.c b/src/expr/osf.c
index f15a722..293a814 100644
--- a/src/expr/osf.c
+++ b/src/expr/osf.c
@@ -25,13 +25,13 @@ static int nftnl_expr_osf_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_OSF_DREG:
- memcpy(&osf->dreg, data, sizeof(osf->dreg));
+ memcpy(&osf->dreg, data, data_len);
break;
case NFTNL_EXPR_OSF_TTL:
- memcpy(&osf->ttl, data, sizeof(osf->ttl));
+ memcpy(&osf->ttl, data, data_len);
break;
case NFTNL_EXPR_OSF_FLAGS:
- memcpy(&osf->flags, data, sizeof(osf->flags));
+ memcpy(&osf->flags, data, data_len);
break;
}
return 0;
@@ -89,12 +89,12 @@ nftnl_expr_osf_build(struct nlmsghdr *nlh, const struct nftnl_expr *e)
struct nftnl_expr_osf *osf = nftnl_expr_data(e);
if (e->flags & (1 << NFTNL_EXPR_OSF_DREG))
- mnl_attr_put_u32(nlh, NFTNL_EXPR_OSF_DREG, htonl(osf->dreg));
+ mnl_attr_put_u32(nlh, NFTA_OSF_DREG, htonl(osf->dreg));
if (e->flags & (1 << NFTNL_EXPR_OSF_TTL))
- mnl_attr_put_u8(nlh, NFTNL_EXPR_OSF_TTL, osf->ttl);
+ mnl_attr_put_u8(nlh, NFTA_OSF_TTL, osf->ttl);
if (e->flags & (1 << NFTNL_EXPR_OSF_FLAGS))
if (osf->flags)
- mnl_attr_put_u32(nlh, NFTNL_EXPR_OSF_FLAGS, htonl(osf->flags));
+ mnl_attr_put_u32(nlh, NFTA_OSF_FLAGS, htonl(osf->flags));
}
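Review bot: The build callback was emitting the library-internal NFTNL_EXPR_OSF_* ids as netlink attribute types and now uses NFTA_OSF_*; whether the wire format actually changed depends on whether the two enums' values coincided, which this hunk cannot show, and if they did not then rules built by earlier releases were sending the wrong attributes and this is a user-visible fix worth calling out. The parse side of osf.c is outside this hunk and should be checked for the same mix-up. The new NFTA_OSF_FLAGS line sits under an unbraced nested `if`, which is the shape that hides dangling-else mistakes; I would merge it into `if ((e->flags & (1 << NFTNL_EXPR_OSF_FLAGS)) && osf->flags)`.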
static int
@@ -139,10 +139,17 @@ nftnl_expr_osf_snprintf(char *buf, size_t len,
return offset;
}
+static struct attr_policy osf_attr_policy[__NFTNL_EXPR_OSF_MAX] = {
+ [NFTNL_EXPR_OSF_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_OSF_TTL] = { .maxlen = sizeof(uint8_t) },
+ [NFTNL_EXPR_OSF_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_osf = {
.name = "osf",
.alloc_len = sizeof(struct nftnl_expr_osf),
- .max_attr = NFTA_OSF_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_OSF_MAX - 1,
+ .attr_policy = osf_attr_policy,
.set = nftnl_expr_osf_set,
.get = nftnl_expr_osf_get,
.parse = nftnl_expr_osf_parse,
diff --git a/src/expr/payload.c b/src/expr/payload.c
index a0402c8..593b842 100644
--- a/src/expr/payload.c
+++ b/src/expr/payload.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This code has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
@@ -43,31 +39,29 @@ nftnl_expr_payload_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_PAYLOAD_SREG:
- memcpy(&payload->sreg, data, sizeof(payload->sreg));
+ memcpy(&payload->sreg, data, data_len);
break;
case NFTNL_EXPR_PAYLOAD_DREG:
- memcpy(&payload->dreg, data, sizeof(payload->dreg));
+ memcpy(&payload->dreg, data, data_len);
break;
case NFTNL_EXPR_PAYLOAD_BASE:
- memcpy(&payload->base, data, sizeof(payload->base));
+ memcpy(&payload->base, data, data_len);
break;
case NFTNL_EXPR_PAYLOAD_OFFSET:
- memcpy(&payload->offset, data, sizeof(payload->offset));
+ memcpy(&payload->offset, data, data_len);
break;
case NFTNL_EXPR_PAYLOAD_LEN:
- memcpy(&payload->len, data, sizeof(payload->len));
+ memcpy(&payload->len, data, data_len);
break;
case NFTNL_EXPR_PAYLOAD_CSUM_TYPE:
- memcpy(&payload->csum_type, data, sizeof(payload->csum_type));
+ memcpy(&payload->csum_type, data, data_len);
break;
case NFTNL_EXPR_PAYLOAD_CSUM_OFFSET:
- memcpy(&payload->csum_offset, data, sizeof(payload->csum_offset));
+ memcpy(&payload->csum_offset, data, data_len);
break;
case NFTNL_EXPR_PAYLOAD_FLAGS:
- memcpy(&payload->csum_flags, data, sizeof(payload->csum_flags));
+ memcpy(&payload->csum_flags, data, data_len);
break;
- default:
- return -1;
}
return 0;
}
@@ -203,35 +197,22 @@ nftnl_expr_payload_parse(struct nftnl_expr *e, struct nlattr *attr)
return 0;
}
-static const char *base2str_array[NFT_PAYLOAD_INNER_HEADER + 1] = {
+static const char *base2str_array[NFT_PAYLOAD_TUN_HEADER + 1] = {
[NFT_PAYLOAD_LL_HEADER] = "link",
[NFT_PAYLOAD_NETWORK_HEADER] = "network",
[NFT_PAYLOAD_TRANSPORT_HEADER] = "transport",
[NFT_PAYLOAD_INNER_HEADER] = "inner",
+ [NFT_PAYLOAD_TUN_HEADER] = "tunnel",
};
static const char *base2str(enum nft_payload_bases base)
{
- if (base > NFT_PAYLOAD_INNER_HEADER)
+ if (base >= array_size(base2str_array))
return "unknown";
return base2str_array[base];
}
-static inline int nftnl_str2base(const char *base)
-{
- if (strcmp(base, "link") == 0)
- return NFT_PAYLOAD_LL_HEADER;
- else if (strcmp(base, "network") == 0)
- return NFT_PAYLOAD_NETWORK_HEADER;
- else if (strcmp(base, "transport") == 0)
- return NFT_PAYLOAD_TRANSPORT_HEADER;
- else {
- errno = EINVAL;
- return -1;
- }
-}
-
static int
nftnl_expr_payload_snprintf(char *buf, size_t len,
uint32_t flags, const struct nftnl_expr *e)
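Review bot: `base >= array_size(base2str_array)` compares an enum nft_payload_bases with a size_t; if the enum is signed on the target (-Wsign-compare will say), a negative value converts to a large unsigned and is reported as "unknown", which is the desired outcome but reads as accidental, so I would write it as `(size_t)base >= array_size(base2str_array)`. Sizing the table from NFT_PAYLOAD_TUN_HEADER + 1 and bounding on array_size() is the right fix, since the old `> NFT_PAYLOAD_INNER_HEADER` test had to be edited every time a header base was added.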
@@ -251,10 +232,22 @@ nftnl_expr_payload_snprintf(char *buf, size_t len,
payload->offset, payload->dreg);
}
+static struct attr_policy payload_attr_policy[__NFTNL_EXPR_PAYLOAD_MAX] = {
+ [NFTNL_EXPR_PAYLOAD_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_PAYLOAD_BASE] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_PAYLOAD_OFFSET] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_PAYLOAD_LEN] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_PAYLOAD_SREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_PAYLOAD_CSUM_TYPE] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_PAYLOAD_CSUM_OFFSET] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_PAYLOAD_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_payload = {
.name = "payload",
.alloc_len = sizeof(struct nftnl_expr_payload),
- .max_attr = NFTA_PAYLOAD_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_PAYLOAD_MAX - 1,
+ .attr_policy = payload_attr_policy,
.set = nftnl_expr_payload_set,
.get = nftnl_expr_payload_get,
.parse = nftnl_expr_payload_parse,
diff --git a/src/expr/queue.c b/src/expr/queue.c
index de287f2..0160d5e 100644
--- a/src/expr/queue.c
+++ b/src/expr/queue.c
@@ -1,11 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2013 by Eric Leblond <eric@regit.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
@@ -34,19 +29,17 @@ static int nftnl_expr_queue_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_QUEUE_NUM:
- memcpy(&queue->queuenum, data, sizeof(queue->queuenum));
+ memcpy(&queue->queuenum, data, data_len);
break;
case NFTNL_EXPR_QUEUE_TOTAL:
- memcpy(&queue->queues_total, data, sizeof(queue->queues_total));
+ memcpy(&queue->queues_total, data, data_len);
break;
case NFTNL_EXPR_QUEUE_FLAGS:
- memcpy(&queue->flags, data, sizeof(queue->flags));
+ memcpy(&queue->flags, data, data_len);
break;
case NFTNL_EXPR_QUEUE_SREG_QNUM:
- memcpy(&queue->sreg_qnum, data, sizeof(queue->sreg_qnum));
+ memcpy(&queue->sreg_qnum, data, data_len);
break;
- default:
- return -1;
}
return 0;
}
@@ -185,10 +178,18 @@ nftnl_expr_queue_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy queue_attr_policy[__NFTNL_EXPR_QUEUE_MAX] = {
+ [NFTNL_EXPR_QUEUE_NUM] = { .maxlen = sizeof(uint16_t) },
+ [NFTNL_EXPR_QUEUE_TOTAL] = { .maxlen = sizeof(uint16_t) },
+ [NFTNL_EXPR_QUEUE_FLAGS] = { .maxlen = sizeof(uint16_t) },
+ [NFTNL_EXPR_QUEUE_SREG_QNUM] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_queue = {
.name = "queue",
.alloc_len = sizeof(struct nftnl_expr_queue),
- .max_attr = NFTA_QUEUE_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_QUEUE_MAX - 1,
+ .attr_policy = queue_attr_policy,
.set = nftnl_expr_queue_set,
.get = nftnl_expr_queue_get,
.parse = nftnl_expr_queue_parse,
diff --git a/src/expr/quota.c b/src/expr/quota.c
index 835729c..108c87c 100644
--- a/src/expr/quota.c
+++ b/src/expr/quota.c
@@ -1,10 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2016 by Pablo Neira Ayuso <pablo@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include <stdio.h>
@@ -33,16 +29,14 @@ static int nftnl_expr_quota_set(struct nftnl_expr *e, uint16_t type,
switch (type) {
case NFTNL_EXPR_QUOTA_BYTES:
- memcpy(&quota->bytes, data, sizeof(quota->bytes));
+ memcpy(&quota->bytes, data, data_len);
break;
case NFTNL_EXPR_QUOTA_CONSUMED:
- memcpy(&quota->consumed, data, sizeof(quota->consumed));
+ memcpy(&quota->consumed, data, data_len);
break;
case NFTNL_EXPR_QUOTA_FLAGS:
- memcpy(&quota->flags, data, sizeof(quota->flags));
+ memcpy(&quota->flags, data, data_len);
break;
- default:
- return -1;
}
return 0;
}
@@ -139,10 +133,17 @@ static int nftnl_expr_quota_snprintf(char *buf, size_t len,
quota->bytes, quota->consumed, quota->flags);
}
+static struct attr_policy quota_attr_policy[__NFTNL_EXPR_QUOTA_MAX] = {
+ [NFTNL_EXPR_QUOTA_BYTES] = { .maxlen = sizeof(uint64_t) },
+ [NFTNL_EXPR_QUOTA_FLAGS] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_QUOTA_CONSUMED] = { .maxlen = sizeof(uint64_t) },
+};
+
struct expr_ops expr_ops_quota = {
.name = "quota",
.alloc_len = sizeof(struct nftnl_expr_quota),
- .max_attr = NFTA_QUOTA_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_QUOTA_MAX - 1,
+ .attr_policy = quota_attr_policy,
.set = nftnl_expr_quota_set,
.get = nftnl_expr_quota_get,
.parse = nftnl_expr_quota_parse,
diff --git a/src/expr/range.c b/src/expr/range.c
index 473add8..50a8ed0 100644
--- a/src/expr/range.c
+++ b/src/expr/range.c
@@ -1,10 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2016 by Pablo Neira Ayuso <pablo@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include "internal.h"
@@ -34,21 +30,15 @@ static int nftnl_expr_range_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_RANGE_SREG:
- memcpy(&range->sreg, data, sizeof(range->sreg));
+ memcpy(&range->sreg, data, data_len);
break;
case NFTNL_EXPR_RANGE_OP:
- memcpy(&range->op, data, sizeof(range->op));
+ memcpy(&range->op, data, data_len);
break;
case NFTNL_EXPR_RANGE_FROM_DATA:
- memcpy(&range->data_from.val, data, data_len);
- range->data_from.len = data_len;
- break;
+ return nftnl_data_cpy(&range->data_from, data, data_len);
case NFTNL_EXPR_RANGE_TO_DATA:
- memcpy(&range->data_to.val, data, data_len);
- range->data_to.len = data_len;
- break;
- default:
- return -1;
+ return nftnl_data_cpy(&range->data_to, data, data_len);
}
return 0;
}
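Review bot: The removed lines copied data_len bytes into the fixed-size data_from.val / data_to.val arrays with no bound at all, so this hunk closes a real out-of-bounds write rather than just tidying up, and that deserves an explicit mention in the commit message. The new code returns nftnl_data_cpy's result directly, so NFTNL_EXPR_RANGE_FROM_DATA/TO_DATA can now fail where they previously could not, and callers that ignore nftnl_expr_set's return value would silently end up with an unset range; confirm nftnl_data_cpy also stores .len on success as the removed lines did. The policy entries in the later hunk bound these attributes to NFT_DATA_VALUE_MAXLEN as well, so the two checks should agree on the limit. nftnl_expr_range_set begins before this hunk.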
@@ -172,18 +162,6 @@ static const char *range2str(uint32_t op)
return expr_range_str[op];
}
-static inline int nftnl_str2range(const char *op)
-{
- if (strcmp(op, "eq") == 0)
- return NFT_RANGE_EQ;
- else if (strcmp(op, "neq") == 0)
- return NFT_RANGE_NEQ;
- else {
- errno = EINVAL;
- return -1;
- }
-}
-
static int nftnl_expr_range_snprintf(char *buf, size_t remain,
uint32_t flags, const struct nftnl_expr *e)
{
@@ -205,10 +183,18 @@ static int nftnl_expr_range_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy range_attr_policy[__NFTNL_EXPR_RANGE_MAX] = {
+ [NFTNL_EXPR_RANGE_SREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_RANGE_OP] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_RANGE_FROM_DATA] = { .maxlen = NFT_DATA_VALUE_MAXLEN },
+ [NFTNL_EXPR_RANGE_TO_DATA] = { .maxlen = NFT_DATA_VALUE_MAXLEN },
+};
+
struct expr_ops expr_ops_range = {
.name = "range",
.alloc_len = sizeof(struct nftnl_expr_range),
- .max_attr = NFTA_RANGE_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_RANGE_MAX - 1,
+ .attr_policy = range_attr_policy,
.set = nftnl_expr_range_set,
.get = nftnl_expr_range_get,
.parse = nftnl_expr_range_parse,
diff --git a/src/expr/redir.c b/src/expr/redir.c
index 87c2acc..be38f62 100644
--- a/src/expr/redir.c
+++ b/src/expr/redir.c
@@ -1,10 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2014 by Arturo Borrero Gonzalez <arturo@debian.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include <stdio.h>
@@ -34,16 +30,14 @@ nftnl_expr_redir_set(struct nftnl_expr *e, uint16_t type,
switch (type) {
case NFTNL_EXPR_REDIR_REG_PROTO_MIN:
- memcpy(&redir->sreg_proto_min, data, sizeof(redir->sreg_proto_min));
+ memcpy(&redir->sreg_proto_min, data, data_len);
break;
case NFTNL_EXPR_REDIR_REG_PROTO_MAX:
- memcpy(&redir->sreg_proto_max, data, sizeof(redir->sreg_proto_max));
+ memcpy(&redir->sreg_proto_max, data, data_len);
break;
case NFTNL_EXPR_REDIR_FLAGS:
- memcpy(&redir->flags, data, sizeof(redir->flags));
+ memcpy(&redir->flags, data, data_len);
break;
- default:
- return -1;
}
return 0;
}
@@ -159,10 +153,17 @@ nftnl_expr_redir_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy redir_attr_policy[__NFTNL_EXPR_REDIR_MAX] = {
+ [NFTNL_EXPR_REDIR_REG_PROTO_MIN] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_REDIR_REG_PROTO_MAX] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_REDIR_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_redir = {
.name = "redir",
.alloc_len = sizeof(struct nftnl_expr_redir),
- .max_attr = NFTA_REDIR_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_REDIR_MAX - 1,
+ .attr_policy = redir_attr_policy,
.set = nftnl_expr_redir_set,
.get = nftnl_expr_redir_get,
.parse = nftnl_expr_redir_parse,
diff --git a/src/expr/reject.c b/src/expr/reject.c
index c7c9441..5d8763e 100644
--- a/src/expr/reject.c
+++ b/src/expr/reject.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2013 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This code has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
@@ -33,13 +29,11 @@ static int nftnl_expr_reject_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_REJECT_TYPE:
- memcpy(&reject->type, data, sizeof(reject->type));
+ memcpy(&reject->type, data, data_len);
break;
case NFTNL_EXPR_REJECT_CODE:
- memcpy(&reject->icmp_code, data, sizeof(reject->icmp_code));
+ memcpy(&reject->icmp_code, data, data_len);
break;
- default:
- return -1;
}
return 0;
}
@@ -126,10 +120,16 @@ nftnl_expr_reject_snprintf(char *buf, size_t len,
reject->type, reject->icmp_code);
}
+static struct attr_policy reject_attr_policy[__NFTNL_EXPR_REJECT_MAX] = {
+ [NFTNL_EXPR_REJECT_TYPE] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_REJECT_CODE] = { .maxlen = sizeof(uint8_t) },
+};
+
struct expr_ops expr_ops_reject = {
.name = "reject",
.alloc_len = sizeof(struct nftnl_expr_reject),
- .max_attr = NFTA_REJECT_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_REJECT_MAX - 1,
+ .attr_policy = reject_attr_policy,
.set = nftnl_expr_reject_set,
.get = nftnl_expr_reject_get,
.parse = nftnl_expr_reject_parse,
diff --git a/src/expr/rt.c b/src/expr/rt.c
index 695a658..4f2e96b 100644
--- a/src/expr/rt.c
+++ b/src/expr/rt.c
@@ -1,10 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* Copyright (c) 2016 Anders K. Pedersen <akp@cohaesio.com>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include <stdio.h>
@@ -32,13 +28,11 @@ nftnl_expr_rt_set(struct nftnl_expr *e, uint16_t type,
switch (type) {
case NFTNL_EXPR_RT_KEY:
- memcpy(&rt->key, data, sizeof(rt->key));
+ memcpy(&rt->key, data, data_len);
break;
case NFTNL_EXPR_RT_DREG:
- memcpy(&rt->dreg, data, sizeof(rt->dreg));
+ memcpy(&rt->dreg, data, data_len);
break;
- default:
- return -1;
}
return 0;
}
@@ -128,19 +122,6 @@ static const char *rt_key2str(uint8_t key)
return "unknown";
}
-static inline int str2rt_key(const char *str)
-{
- int i;
-
- for (i = 0; i < NFT_RT_MAX; i++) {
- if (strcmp(str, rt_key2str_array[i]) == 0)
- return i;
- }
-
- errno = EINVAL;
- return -1;
-}
-
static int
nftnl_expr_rt_snprintf(char *buf, size_t len,
uint32_t flags, const struct nftnl_expr *e)
@@ -154,10 +135,16 @@ nftnl_expr_rt_snprintf(char *buf, size_t len,
return 0;
}
+static struct attr_policy rt_attr_policy[__NFTNL_EXPR_RT_MAX] = {
+ [NFTNL_EXPR_RT_KEY] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_RT_DREG] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_rt = {
.name = "rt",
.alloc_len = sizeof(struct nftnl_expr_rt),
- .max_attr = NFTA_RT_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_RT_MAX - 1,
+ .attr_policy = rt_attr_policy,
.set = nftnl_expr_rt_set,
.get = nftnl_expr_rt_get,
.parse = nftnl_expr_rt_parse,
diff --git a/src/expr/socket.c b/src/expr/socket.c
index 83045c0..822ee8b 100644
--- a/src/expr/socket.c
+++ b/src/expr/socket.c
@@ -1,10 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* Copyright (c) 2018 Máté Eckl <ecklm94@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include <stdio.h>
@@ -33,16 +29,14 @@ nftnl_expr_socket_set(struct nftnl_expr *e, uint16_t type,
switch (type) {
case NFTNL_EXPR_SOCKET_KEY:
- memcpy(&socket->key, data, sizeof(socket->key));
+ memcpy(&socket->key, data, data_len);
break;
case NFTNL_EXPR_SOCKET_DREG:
- memcpy(&socket->dreg, data, sizeof(socket->dreg));
+ memcpy(&socket->dreg, data, data_len);
break;
case NFTNL_EXPR_SOCKET_LEVEL:
- memcpy(&socket->level, data, sizeof(socket->level));
+ memcpy(&socket->level, data, data_len);
break;
- default:
- return -1;
}
return 0;
}
@@ -157,10 +151,17 @@ nftnl_expr_socket_snprintf(char *buf, size_t len,
return 0;
}
+static struct attr_policy socket_attr_policy[__NFTNL_EXPR_SOCKET_MAX] = {
+ [NFTNL_EXPR_SOCKET_KEY] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_SOCKET_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_SOCKET_LEVEL] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_socket = {
.name = "socket",
.alloc_len = sizeof(struct nftnl_expr_socket),
- .max_attr = NFTA_SOCKET_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_SOCKET_MAX - 1,
+ .attr_policy = socket_attr_policy,
.set = nftnl_expr_socket_set,
.get = nftnl_expr_socket_get,
.parse = nftnl_expr_socket_parse,
diff --git a/src/expr/synproxy.c b/src/expr/synproxy.c
index 47fcaef..b5a1fef 100644
--- a/src/expr/synproxy.c
+++ b/src/expr/synproxy.c
@@ -23,13 +23,13 @@ static int nftnl_expr_synproxy_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_SYNPROXY_MSS:
- memcpy(&synproxy->mss, data, sizeof(synproxy->mss));
+ memcpy(&synproxy->mss, data, data_len);
break;
case NFTNL_EXPR_SYNPROXY_WSCALE:
- memcpy(&synproxy->wscale, data, sizeof(synproxy->wscale));
+ memcpy(&synproxy->wscale, data, data_len);
break;
case NFTNL_EXPR_SYNPROXY_FLAGS:
- memcpy(&synproxy->flags, data, sizeof(synproxy->flags));
+ memcpy(&synproxy->flags, data, data_len);
break;
}
return 0;
@@ -90,13 +90,13 @@ nftnl_expr_synproxy_build(struct nlmsghdr *nlh, const struct nftnl_expr *e)
struct nftnl_expr_synproxy *synproxy = nftnl_expr_data(e);
if (e->flags & (1 << NFTNL_EXPR_SYNPROXY_MSS))
- mnl_attr_put_u16(nlh, NFTNL_EXPR_SYNPROXY_MSS,
+ mnl_attr_put_u16(nlh, NFTA_SYNPROXY_MSS,
htons(synproxy->mss));
if (e->flags & (1 << NFTNL_EXPR_SYNPROXY_WSCALE))
- mnl_attr_put_u8(nlh, NFTNL_EXPR_SYNPROXY_WSCALE,
+ mnl_attr_put_u8(nlh, NFTA_SYNPROXY_WSCALE,
synproxy->wscale);
if (e->flags & (1 << NFTNL_EXPR_SYNPROXY_FLAGS))
- mnl_attr_put_u32(nlh, NFTNL_EXPR_SYNPROXY_FLAGS,
+ mnl_attr_put_u32(nlh, NFTA_SYNPROXY_FLAGS,
htonl(synproxy->flags));
}
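Review bot: The build callback was emitting the libnftnl-side `NFTNL_EXPR_SYNPROXY_*` enum values as netlink attribute types, and those are not in general the `NFTA_SYNPROXY_*` numbers the kernel reads, so the old payload would have been misparsed or rejected; this is a functional fix and deserves a sentence in the commit message rather than being folded into the attr-policy refactor. It would also be worth confirming that the parse callback in this file (not in the diff) already keys on `NFTA_SYNPROXY_*`, since the same mix-up there would be masked once the build side is correct.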
@@ -144,10 +144,17 @@ nftnl_expr_synproxy_snprintf(char *buf, size_t len,
return offset;
}
+static struct attr_policy synproxy_attr_policy[__NFTNL_EXPR_SYNPROXY_MAX] = {
+ [NFTNL_EXPR_SYNPROXY_MSS] = { .maxlen = sizeof(uint16_t) },
+ [NFTNL_EXPR_SYNPROXY_WSCALE] = { .maxlen = sizeof(uint8_t) },
+ [NFTNL_EXPR_SYNPROXY_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_synproxy = {
.name = "synproxy",
.alloc_len = sizeof(struct nftnl_expr_synproxy),
- .max_attr = NFTA_SYNPROXY_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_SYNPROXY_MAX - 1,
+ .attr_policy = synproxy_attr_policy,
.set = nftnl_expr_synproxy_set,
.get = nftnl_expr_synproxy_get,
.parse = nftnl_expr_synproxy_parse,
diff --git a/src/expr/target.c b/src/expr/target.c
index 2a3fe8a..3549456 100644
--- a/src/expr/target.c
+++ b/src/expr/target.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This code has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
@@ -46,7 +42,7 @@ nftnl_expr_target_set(struct nftnl_expr *e, uint16_t type,
(const char *) data);
break;
case NFTNL_EXPR_TG_REV:
- memcpy(&tg->rev, data, sizeof(tg->rev));
+ memcpy(&tg->rev, data, data_len);
break;
case NFTNL_EXPR_TG_INFO:
if (e->flags & (1 << NFTNL_EXPR_TG_INFO))
@@ -55,8 +51,6 @@ nftnl_expr_target_set(struct nftnl_expr *e, uint16_t type,
tg->data = data;
tg->data_len = data_len;
break;
- default:
- return -1;
}
return 0;
}
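Review bot: The NFTNL_EXPR_TG_INFO case stores the caller's pointer (`tg->data = data;`) and frees any previous one (`xfree(tg->data)` just above), so unlike the memcpy cases this attribute takes ownership of a heap buffer rather than copying it; with the `default` branch gone nothing in the function marks that difference, so add `/* takes ownership of data; freed on overwrite and in nftnl_expr_target_free */` on the assignment. A caller passing stack or string-literal memory here would end up with free() on non-heap memory, which is worth stating in the public header as well.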
@@ -180,10 +174,17 @@ static void nftnl_expr_target_free(const struct nftnl_expr *e)
xfree(target->data);
}
+static struct attr_policy target_attr_policy[__NFTNL_EXPR_TG_MAX] = {
+ [NFTNL_EXPR_TG_NAME] = { .maxlen = XT_EXTENSION_MAXNAMELEN },
+ [NFTNL_EXPR_TG_REV] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_TG_INFO] = { .maxlen = 0 },
+};
+
struct expr_ops expr_ops_target = {
.name = "target",
.alloc_len = sizeof(struct nftnl_expr_target),
- .max_attr = NFTA_TARGET_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_TG_MAX - 1,
+ .attr_policy = target_attr_policy,
.free = nftnl_expr_target_free,
.set = nftnl_expr_target_set,
.get = nftnl_expr_target_get,
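Review bot: `[NFTNL_EXPR_TG_INFO] = { .maxlen = 0 }` reads as "zero bytes allowed" unless one knows the policy check's convention; since this attribute carries a variable-length blob the entry presumably means "no bound", and that deserves a comment: `/* 0: no length bound, info blob is caller-sized */`. The TG_NAME bound applies to `data_len`, while the name setter above this hunk appears to read `data` as a NUL-terminated string (`(const char *) data`), so the bound does not limit that read unless the caller guarantees termination.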
diff --git a/src/expr/tproxy.c b/src/expr/tproxy.c
index bd5ffbf..4cc9125 100644
--- a/src/expr/tproxy.c
+++ b/src/expr/tproxy.c
@@ -1,10 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* Copyright (c) 2018 Máté Eckl <ecklm94@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include "internal.h"
@@ -34,16 +30,14 @@ nftnl_expr_tproxy_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_TPROXY_FAMILY:
- memcpy(&tproxy->family, data, sizeof(tproxy->family));
+ memcpy(&tproxy->family, data, data_len);
break;
case NFTNL_EXPR_TPROXY_REG_ADDR:
- memcpy(&tproxy->sreg_addr, data, sizeof(tproxy->sreg_addr));
+ memcpy(&tproxy->sreg_addr, data, data_len);
break;
case NFTNL_EXPR_TPROXY_REG_PORT:
- memcpy(&tproxy->sreg_port, data, sizeof(tproxy->sreg_port));
+ memcpy(&tproxy->sreg_port, data, data_len);
break;
- default:
- return -1;
}
return 0;
@@ -162,10 +156,17 @@ nftnl_expr_tproxy_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy tproxy_attr_policy[__NFTNL_EXPR_TPROXY_MAX] = {
+ [NFTNL_EXPR_TPROXY_FAMILY] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_TPROXY_REG_ADDR] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_TPROXY_REG_PORT] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_tproxy = {
.name = "tproxy",
.alloc_len = sizeof(struct nftnl_expr_tproxy),
- .max_attr = NFTA_TPROXY_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_TPROXY_MAX - 1,
+ .attr_policy = tproxy_attr_policy,
.set = nftnl_expr_tproxy_set,
.get = nftnl_expr_tproxy_get,
.parse = nftnl_expr_tproxy_parse,
diff --git a/src/expr/tunnel.c b/src/expr/tunnel.c
index a00f620..b51b6c7 100644
--- a/src/expr/tunnel.c
+++ b/src/expr/tunnel.c
@@ -1,10 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2018 by Pablo Neira Ayuso <pablo@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include <stdio.h>
@@ -31,13 +27,11 @@ static int nftnl_expr_tunnel_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_TUNNEL_KEY:
- memcpy(&tunnel->key, data, sizeof(tunnel->key));
+ memcpy(&tunnel->key, data, data_len);
break;
case NFTNL_EXPR_TUNNEL_DREG:
- memcpy(&tunnel->dreg, data, sizeof(tunnel->dreg));
+ memcpy(&tunnel->dreg, data, data_len);
break;
- default:
- return -1;
}
return 0;
}
@@ -137,10 +131,16 @@ nftnl_expr_tunnel_snprintf(char *buf, size_t len,
return 0;
}
+static struct attr_policy tunnel_attr_policy[__NFTNL_EXPR_TUNNEL_MAX] = {
+ [NFTNL_EXPR_TUNNEL_KEY] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_TUNNEL_DREG] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_tunnel = {
.name = "tunnel",
.alloc_len = sizeof(struct nftnl_expr_tunnel),
- .max_attr = NFTA_TUNNEL_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_TUNNEL_MAX - 1,
+ .attr_policy = tunnel_attr_policy,
.set = nftnl_expr_tunnel_set,
.get = nftnl_expr_tunnel_get,
.parse = nftnl_expr_tunnel_parse,
diff --git a/src/expr/xfrm.c b/src/expr/xfrm.c
index 2db00d5..ba2107d 100644
--- a/src/expr/xfrm.c
+++ b/src/expr/xfrm.c
@@ -1,9 +1,4 @@
-/*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- */
+/* SPDX-License-Identifier: GPL-2.0-or-later */
#include <stdio.h>
#include <string.h>
@@ -33,16 +28,16 @@ nftnl_expr_xfrm_set(struct nftnl_expr *e, uint16_t type,
switch(type) {
case NFTNL_EXPR_XFRM_KEY:
- memcpy(&x->key, data, sizeof(x->key));
+ memcpy(&x->key, data, data_len);
break;
case NFTNL_EXPR_XFRM_DIR:
- memcpy(&x->dir, data, sizeof(x->dir));
+ memcpy(&x->dir, data, data_len);
break;
case NFTNL_EXPR_XFRM_SPNUM:
- memcpy(&x->spnum, data, sizeof(x->spnum));
+ memcpy(&x->spnum, data, data_len);
break;
case NFTNL_EXPR_XFRM_DREG:
- memcpy(&x->dreg, data, sizeof(x->dreg));
+ memcpy(&x->dreg, data, data_len);
break;
default:
return -1;
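Review bot: This is the only set() callback in the series that keeps `default: return -1;` (reject.c, rt.c, socket.c, tproxy.c, tunnel.c and the obj/ files all drop it), so behaviour for an unhandled attribute is now inconsistent: here `NFTNL_EXPR_XFRM_SREG`, which has no case, fails, while elsewhere an unhandled type silently returns 0. Either drop the default here for consistency or, if the dispatcher is meant to reject unknown types, keep it everywhere; whichever is chosen, a one-line comment stating the contract would help the next reader.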
@@ -188,10 +183,19 @@ nftnl_expr_xfrm_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy xfrm_attr_policy[__NFTNL_EXPR_XFRM_MAX] = {
+ [NFTNL_EXPR_XFRM_DREG] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_XFRM_SREG] = { .maxlen = 0 },
+ [NFTNL_EXPR_XFRM_KEY] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_EXPR_XFRM_DIR] = { .maxlen = sizeof(uint8_t) },
+ [NFTNL_EXPR_XFRM_SPNUM] = { .maxlen = sizeof(uint32_t) },
+};
+
struct expr_ops expr_ops_xfrm = {
.name = "xfrm",
.alloc_len = sizeof(struct nftnl_expr_xfrm),
- .max_attr = NFTA_XFRM_MAX,
+ .nftnl_max_attr = __NFTNL_EXPR_XFRM_MAX - 1,
+ .attr_policy = xfrm_attr_policy,
.set = nftnl_expr_xfrm_set,
.get = nftnl_expr_xfrm_get,
.parse = nftnl_expr_xfrm_parse,
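Review bot: `[NFTNL_EXPR_XFRM_SREG] = { .maxlen = 0 }` lists an attribute that `nftnl_expr_xfrm_set` (previous hunk) has no case for and rejects via `default: return -1;`, so the entry cannot be reached through the setter; it is presumably either dead or reserved for an attribute that is only parsed and printed, and a comment such as `/* SREG has no setter; set() rejects it */` would make that visible. The table also starts with DREG rather than following enum order as the other policy tables do, which makes a missing attribute harder to spot.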
diff --git a/src/expr_ops.c b/src/expr_ops.c
index 7248e4f..b85f472 100644
--- a/src/expr_ops.c
+++ b/src/expr_ops.c
@@ -14,6 +14,7 @@ extern struct expr_ops expr_ops_dup;
extern struct expr_ops expr_ops_exthdr;
extern struct expr_ops expr_ops_fwd;
extern struct expr_ops expr_ops_immediate;
+extern struct expr_ops expr_ops_inner;
extern struct expr_ops expr_ops_last;
extern struct expr_ops expr_ops_limit;
extern struct expr_ops expr_ops_log;
@@ -58,6 +59,7 @@ static struct expr_ops *expr_ops[] = {
&expr_ops_exthdr,
&expr_ops_fwd,
&expr_ops_immediate,
+ &expr_ops_inner,
&expr_ops_last,
&expr_ops_limit,
&expr_ops_log,
diff --git a/src/flowtable.c b/src/flowtable.c
index e6c2475..fbbe0a8 100644
--- a/src/flowtable.c
+++ b/src/flowtable.c
@@ -26,8 +26,7 @@ struct nftnl_flowtable {
uint32_t hooknum;
int32_t prio;
uint32_t size;
- const char **dev_array;
- uint32_t dev_array_len;
+ struct nftnl_str_array dev_array;
uint32_t ft_flags;
uint32_t use;
uint32_t flags;
@@ -43,18 +42,12 @@ struct nftnl_flowtable *nftnl_flowtable_alloc(void)
EXPORT_SYMBOL(nftnl_flowtable_free);
void nftnl_flowtable_free(const struct nftnl_flowtable *c)
{
- int i;
-
if (c->flags & (1 << NFTNL_FLOWTABLE_NAME))
xfree(c->name);
if (c->flags & (1 << NFTNL_FLOWTABLE_TABLE))
xfree(c->table);
- if (c->flags & (1 << NFTNL_FLOWTABLE_DEVICES)) {
- for (i = 0; i < c->dev_array_len; i++)
- xfree(c->dev_array[i]);
-
- xfree(c->dev_array);
- }
+ if (c->flags & (1 << NFTNL_FLOWTABLE_DEVICES))
+ nftnl_str_array_clear((struct nftnl_str_array *)&c->dev_array);
xfree(c);
}
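Review bot: The cast `(struct nftnl_str_array *)&c->dev_array` discards `const` to destroy the array, while `nftnl_flowtable_unset` below calls `nftnl_str_array_clear(&c->dev_array)` without one; the cast exists only because the public free() signature takes a `const` object it is about to free anyway. A short comment, `/* const is nominal here: the object is being destroyed */`, would save the next reader from treating it as a bug.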
@@ -67,8 +60,6 @@ bool nftnl_flowtable_is_set(const struct nftnl_flowtable *c, uint16_t attr)
EXPORT_SYMBOL(nftnl_flowtable_unset);
void nftnl_flowtable_unset(struct nftnl_flowtable *c, uint16_t attr)
{
- int i;
-
if (!(c->flags & (1 << attr)))
return;
@@ -87,9 +78,7 @@ void nftnl_flowtable_unset(struct nftnl_flowtable *c, uint16_t attr)
case NFTNL_FLOWTABLE_HANDLE:
break;
case NFTNL_FLOWTABLE_DEVICES:
- for (i = 0; i < c->dev_array_len; i++)
- xfree(c->dev_array[i]);
- xfree(c->dev_array);
+ nftnl_str_array_clear(&c->dev_array);
break;
default:
return;
@@ -102,6 +91,7 @@ static uint32_t nftnl_flowtable_validate[NFTNL_FLOWTABLE_MAX + 1] = {
[NFTNL_FLOWTABLE_HOOKNUM] = sizeof(uint32_t),
[NFTNL_FLOWTABLE_PRIO] = sizeof(int32_t),
[NFTNL_FLOWTABLE_FAMILY] = sizeof(uint32_t),
+ [NFTNL_FLOWTABLE_SIZE] = sizeof(uint32_t),
[NFTNL_FLOWTABLE_FLAGS] = sizeof(uint32_t),
[NFTNL_FLOWTABLE_HANDLE] = sizeof(uint64_t),
};
@@ -110,28 +100,16 @@ EXPORT_SYMBOL(nftnl_flowtable_set_data);
int nftnl_flowtable_set_data(struct nftnl_flowtable *c, uint16_t attr,
const void *data, uint32_t data_len)
{
- const char **dev_array;
- int len = 0, i;
-
nftnl_assert_attr_exists(attr, NFTNL_FLOWTABLE_MAX);
nftnl_assert_validate(data, nftnl_flowtable_validate, attr, data_len);
switch(attr) {
case NFTNL_FLOWTABLE_NAME:
- if (c->flags & (1 << NFTNL_FLOWTABLE_NAME))
- xfree(c->name);
-
- c->name = strdup(data);
- if (!c->name)
- return -1;
- break;
+ return nftnl_set_str_attr(&c->name, &c->flags,
+ attr, data, data_len);
case NFTNL_FLOWTABLE_TABLE:
- if (c->flags & (1 << NFTNL_FLOWTABLE_TABLE))
- xfree(c->table);
-
- c->table = strdup(data);
- if (!c->table)
- return -1;
+ return nftnl_set_str_attr(&c->table, &c->flags,
+ attr, data, data_len);
break;
case NFTNL_FLOWTABLE_HOOKNUM:
memcpy(&c->hooknum, data, sizeof(c->hooknum));
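Review bot: The `break;` after `return nftnl_set_str_attr(...)` in the NFTNL_FLOWTABLE_TABLE case is unreachable now that the case returns directly, and the NAME case above already dropped its `break`; remove it for consistency. Since both string attributes now return the helper's result instead of falling through to the function's `return 0`, a comment on the call noting that the helper reports allocation failure (it is outside this hunk) would help readers.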
@@ -143,24 +121,8 @@ int nftnl_flowtable_set_data(struct nftnl_flowtable *c, uint16_t attr,
memcpy(&c->family, data, sizeof(c->family));
break;
case NFTNL_FLOWTABLE_DEVICES:
- dev_array = (const char **)data;
- while (dev_array[len] != NULL)
- len++;
-
- if (c->flags & (1 << NFTNL_FLOWTABLE_DEVICES)) {
- for (i = 0; i < c->dev_array_len; i++)
- xfree(c->dev_array[i]);
- xfree(c->dev_array);
- }
-
- c->dev_array = calloc(len + 1, sizeof(char *));
- if (!c->dev_array)
+ if (nftnl_str_array_set(&c->dev_array, data) < 0)
return -1;
-
- for (i = 0; i < len; i++)
- c->dev_array[i] = strdup(dev_array[i]);
-
- c->dev_array_len = len;
break;
case NFTNL_FLOWTABLE_SIZE:
memcpy(&c->size, data, sizeof(c->size));
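Review bot: The removed code strdup'd each device name without checking the result, so the only error reporting for this attribute is now `nftnl_str_array_set(&c->dev_array, data) < 0`; confirm that helper (not in the diff) fails on a per-element allocation failure and leaves `c->dev_array` in a state `nftnl_flowtable_free` can walk. `data_len` is still ignored for this attribute and the array must be NULL-terminated, which belongs in a comment on the case: `/* data is a NULL-terminated char *[]; data_len unused */`.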
@@ -238,7 +200,7 @@ const void *nftnl_flowtable_get_data(const struct nftnl_flowtable *c,
return &c->family;
case NFTNL_FLOWTABLE_DEVICES:
*data_len = 0;
- return &c->dev_array[0];
+ return c->dev_array.array;
case NFTNL_FLOWTABLE_SIZE:
*data_len = sizeof(int32_t);
return &c->size;
@@ -333,12 +295,11 @@ void nftnl_flowtable_nlmsg_build_payload(struct nlmsghdr *nlh,
if (c->flags & (1 << NFTNL_FLOWTABLE_DEVICES)) {
struct nlattr *nest_dev;
+ const char *dev;
nest_dev = mnl_attr_nest_start(nlh, NFTA_FLOWTABLE_HOOK_DEVS);
- for (i = 0; i < c->dev_array_len; i++) {
- mnl_attr_put_strz(nlh, NFTA_DEVICE_NAME,
- c->dev_array[i]);
- }
+ nftnl_str_array_foreach(dev, &c->dev_array, i)
+ mnl_attr_put_strz(nlh, NFTA_DEVICE_NAME, dev);
mnl_attr_nest_end(nlh, nest_dev);
}
@@ -410,43 +371,6 @@ static int nftnl_flowtable_parse_hook_cb(const struct nlattr *attr, void *data)
return MNL_CB_OK;
}
-static int nftnl_flowtable_parse_devs(struct nlattr *nest,
- struct nftnl_flowtable *c)
-{
- const char **dev_array, **tmp;
- int len = 0, size = 8;
- struct nlattr *attr;
-
- dev_array = calloc(8, sizeof(char *));
- if (!dev_array)
- return -1;
-
- mnl_attr_for_each_nested(attr, nest) {
- if (mnl_attr_get_type(attr) != NFTA_DEVICE_NAME)
- goto err;
- dev_array[len++] = strdup(mnl_attr_get_str(attr));
- if (len >= size) {
- tmp = realloc(dev_array, size * 2 * sizeof(char *));
- if (!tmp)
- goto err;
-
- size *= 2;
- memset(&tmp[len], 0, (size - len) * sizeof(char *));
- dev_array = tmp;
- }
- }
-
- c->dev_array = dev_array;
- c->dev_array_len = len;
-
- return 0;
-err:
- while (len--)
- xfree(dev_array[len]);
- xfree(dev_array);
- return -1;
-}
-
static int nftnl_flowtable_parse_hook(struct nlattr *attr, struct nftnl_flowtable *c)
{
struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1] = {};
@@ -464,7 +388,8 @@ static int nftnl_flowtable_parse_hook(struct nlattr *attr, struct nftnl_flowtabl
c->flags |= (1 << NFTNL_FLOWTABLE_PRIO);
}
if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) {
- ret = nftnl_flowtable_parse_devs(tb[NFTA_FLOWTABLE_HOOK_DEVS], c);
+ ret = nftnl_parse_devs(&c->dev_array,
+ tb[NFTA_FLOWTABLE_HOOK_DEVS]);
if (ret < 0)
return -1;
c->flags |= (1 << NFTNL_FLOWTABLE_DEVICES);
@@ -563,17 +488,6 @@ static const char *nftnl_hooknum2str(int family, int hooknum)
return "unknown";
}
-static inline int nftnl_str2hooknum(int family, const char *hook)
-{
- int hooknum;
-
- for (hooknum = 0; hooknum < NF_INET_NUMHOOKS; hooknum++) {
- if (strcmp(hook, nftnl_hooknum2str(family, hooknum)) == 0)
- return hooknum;
- }
- return -1;
-}
-
EXPORT_SYMBOL(nftnl_flowtable_parse);
int nftnl_flowtable_parse(struct nftnl_flowtable *c, enum nftnl_parse_type type,
const char *data, struct nftnl_parse_err *err)
@@ -595,6 +509,7 @@ static int nftnl_flowtable_snprintf_default(char *buf, size_t remain,
const struct nftnl_flowtable *c)
{
int ret, offset = 0, i;
+ const char *dev;
ret = snprintf(buf, remain, "flow table %s %s use %u size %u flags %x",
c->table, c->name, c->use, c->size, c->ft_flags);
@@ -610,9 +525,9 @@ static int nftnl_flowtable_snprintf_default(char *buf, size_t remain,
ret = snprintf(buf + offset, remain, " dev { ");
SNPRINTF_BUFFER_SIZE(ret, remain, offset);
- for (i = 0; i < c->dev_array_len; i++) {
+ nftnl_str_array_foreach(dev, &c->dev_array, i) {
ret = snprintf(buf + offset, remain, " %s ",
- c->dev_array[i]);
+ dev);
SNPRINTF_BUFFER_SIZE(ret, remain, offset);
}
ret = snprintf(buf + offset, remain, " } ");
diff --git a/src/gen.c b/src/gen.c
index 88efbaa..45349bc 100644
--- a/src/gen.c
+++ b/src/gen.c
@@ -1,10 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012-2014 by Pablo Neira Ayuso <pablo@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include "internal.h"
diff --git a/src/libnftnl.map b/src/libnftnl.map
index ad8f2af..8fffff1 100644
--- a/src/libnftnl.map
+++ b/src/libnftnl.map
@@ -47,8 +47,6 @@ global:
nftnl_chain_get_s32;
nftnl_chain_get_u64;
nftnl_chain_get_str;
- nftnl_chain_parse;
- nftnl_chain_parse_file;
nftnl_chain_snprintf;
nftnl_chain_fprintf;
nftnl_chain_nlmsg_build_payload;
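Review bot: Removing `nftnl_chain_parse` and `nftnl_chain_parse_file` from the `global:` block of the version script drops them from the exported symbol set, which breaks any binary linked against an earlier libnftnl that referenced them unless the symbols were never present in a released version; the commit message should say which. If they were already non-functional stubs, keeping the map entries and the stubs preserves the ABI at no cost.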
@@ -174,8 +172,6 @@ global:
nftnl_set_elems_nlmsg_build_payload;
nftnl_set_elems_nlmsg_parse;
- nftnl_set_elems_foreach;
-
nftnl_set_elems_iter_create;
nftnl_set_elems_iter_cur;
nftnl_set_elems_iter_next;
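Review bot: Same ABI concern as the chain symbols above: dropping `nftnl_set_elems_foreach` from `global:` removes an exported symbol, so it needs either a version-node or soname bump or evidence that the function was never exported in a release. A change to the version script like this should be mirrored in the release notes so distributors can see the exported surface changed.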
diff --git a/src/obj/counter.c b/src/obj/counter.c
index ebf3e74..c9462cd 100644
--- a/src/obj/counter.c
+++ b/src/obj/counter.c
@@ -1,10 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012-2016 by Pablo Neira Ayuso <pablo@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include <stdio.h>
@@ -29,13 +25,11 @@ nftnl_obj_counter_set(struct nftnl_obj *e, uint16_t type,
switch(type) {
case NFTNL_OBJ_CTR_BYTES:
- memcpy(&ctr->bytes, data, sizeof(ctr->bytes));
+ memcpy(&ctr->bytes, data, data_len);
break;
case NFTNL_OBJ_CTR_PKTS:
- memcpy(&ctr->pkts, data, sizeof(ctr->pkts));
+ memcpy(&ctr->pkts, data, data_len);
break;
- default:
- return -1;
}
return 0;
}
@@ -118,11 +112,17 @@ static int nftnl_obj_counter_snprintf(char *buf, size_t len, uint32_t flags,
ctr->pkts, ctr->bytes);
}
+static struct attr_policy obj_ctr_attr_policy[__NFTNL_OBJ_CTR_MAX] = {
+ [NFTNL_OBJ_CTR_BYTES] = { .maxlen = sizeof(uint64_t) },
+ [NFTNL_OBJ_CTR_PKTS] = { .maxlen = sizeof(uint64_t) },
+};
+
struct obj_ops obj_ops_counter = {
.name = "counter",
.type = NFT_OBJECT_COUNTER,
.alloc_len = sizeof(struct nftnl_obj_counter),
- .max_attr = NFTA_COUNTER_MAX,
+ .nftnl_max_attr = __NFTNL_OBJ_CTR_MAX - 1,
+ .attr_policy = obj_ctr_attr_policy,
.set = nftnl_obj_counter_set,
.get = nftnl_obj_counter_get,
.parse = nftnl_obj_counter_parse,
diff --git a/src/obj/ct_expect.c b/src/obj/ct_expect.c
index 810ba9a..65c6d08 100644
--- a/src/obj/ct_expect.c
+++ b/src/obj/ct_expect.c
@@ -1,10 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2019 by Stéphane Veyret <sveyret@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include <arpa/inet.h>
@@ -21,22 +17,20 @@ static int nftnl_obj_ct_expect_set(struct nftnl_obj *e, uint16_t type,
switch (type) {
case NFTNL_OBJ_CT_EXPECT_L3PROTO:
- memcpy(&exp->l3proto, data, sizeof(exp->l3proto));
+ memcpy(&exp->l3proto, data, data_len);
break;
case NFTNL_OBJ_CT_EXPECT_L4PROTO:
- memcpy(&exp->l4proto, data, sizeof(exp->l4proto));
+ memcpy(&exp->l4proto, data, data_len);
break;
case NFTNL_OBJ_CT_EXPECT_DPORT:
- memcpy(&exp->dport, data, sizeof(exp->dport));
+ memcpy(&exp->dport, data, data_len);
break;
case NFTNL_OBJ_CT_EXPECT_TIMEOUT:
- memcpy(&exp->timeout, data, sizeof(exp->timeout));
+ memcpy(&exp->timeout, data, data_len);
break;
case NFTNL_OBJ_CT_EXPECT_SIZE:
- memcpy(&exp->size, data, sizeof(exp->size));
+ memcpy(&exp->size, data, data_len);
break;
- default:
- return -1;
}
return 0;
}
@@ -187,11 +181,21 @@ static int nftnl_obj_ct_expect_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy
+obj_ct_expect_attr_policy[__NFTNL_OBJ_CT_EXPECT_MAX] = {
+ [NFTNL_OBJ_CT_EXPECT_L3PROTO] = { .maxlen = sizeof(uint16_t) },
+ [NFTNL_OBJ_CT_EXPECT_L4PROTO] = { .maxlen = sizeof(uint8_t) },
+ [NFTNL_OBJ_CT_EXPECT_DPORT] = { .maxlen = sizeof(uint16_t) },
+ [NFTNL_OBJ_CT_EXPECT_TIMEOUT] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_OBJ_CT_EXPECT_SIZE] = { .maxlen = sizeof(uint8_t) },
+};
+
struct obj_ops obj_ops_ct_expect = {
.name = "ct_expect",
.type = NFT_OBJECT_CT_EXPECT,
.alloc_len = sizeof(struct nftnl_obj_ct_expect),
- .max_attr = NFTA_CT_EXPECT_MAX,
+ .nftnl_max_attr = __NFTNL_OBJ_CT_EXPECT_MAX - 1,
+ .attr_policy = obj_ct_expect_attr_policy,
.set = nftnl_obj_ct_expect_set,
.get = nftnl_obj_ct_expect_get,
.parse = nftnl_obj_ct_expect_parse,
diff --git a/src/obj/ct_helper.c b/src/obj/ct_helper.c
index a31bd6f..6e16f08 100644
--- a/src/obj/ct_helper.c
+++ b/src/obj/ct_helper.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2017 Red Hat GmbH
* Author: Florian Westphal <fw@strlen.de>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include <stdio.h>
@@ -32,13 +28,11 @@ static int nftnl_obj_ct_helper_set(struct nftnl_obj *e, uint16_t type,
snprintf(helper->name, sizeof(helper->name), "%s", (const char *)data);
break;
case NFTNL_OBJ_CT_HELPER_L3PROTO:
- memcpy(&helper->l3proto, data, sizeof(helper->l3proto));
+ memcpy(&helper->l3proto, data, data_len);
break;
case NFTNL_OBJ_CT_HELPER_L4PROTO:
- memcpy(&helper->l4proto, data, sizeof(helper->l4proto));
+ memcpy(&helper->l4proto, data, data_len);
break;
- default:
- return -1;
}
return 0;
}
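Review bot: The NAME case (context line above the hunk's changes) still reads `data` with `snprintf(..., "%s", (const char *)data)`, which stops at the first NUL rather than at `data_len`, so the new `maxlen` bound on `data_len` does not bound that read and a non-terminated 16-byte input over-reads. Bounding it by the length is a one-line change: `snprintf(helper->name, sizeof(helper->name), "%.*s", (int)data_len, (const char *)data);`, which still stops early at a NUL if one is present.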
@@ -141,11 +135,22 @@ static int nftnl_obj_ct_helper_snprintf(char *buf, size_t len,
helper->name, helper->l3proto, helper->l4proto);
}
+/* from kernel's include/net/netfilter/nf_conntrack_helper.h */
+#define NF_CT_HELPER_NAME_LEN 16
+
+static struct attr_policy
+obj_ct_helper_attr_policy[__NFTNL_OBJ_CT_HELPER_MAX] = {
+ [NFTNL_OBJ_CT_HELPER_NAME] = { .maxlen = NF_CT_HELPER_NAME_LEN },
+ [NFTNL_OBJ_CT_HELPER_L3PROTO] = { .maxlen = sizeof(uint16_t) },
+ [NFTNL_OBJ_CT_HELPER_L4PROTO] = { .maxlen = sizeof(uint8_t) },
+};
+
struct obj_ops obj_ops_ct_helper = {
.name = "ct_helper",
.type = NFT_OBJECT_CT_HELPER,
.alloc_len = sizeof(struct nftnl_obj_ct_helper),
- .max_attr = NFTA_CT_HELPER_MAX,
+ .nftnl_max_attr = __NFTNL_OBJ_CT_HELPER_MAX - 1,
+ .attr_policy = obj_ct_helper_attr_policy,
.set = nftnl_obj_ct_helper_set,
.get = nftnl_obj_ct_helper_get,
.parse = nftnl_obj_ct_helper_parse,
diff --git a/src/obj/ct_timeout.c b/src/obj/ct_timeout.c
index 65b48bd..22ce918 100644
--- a/src/obj/ct_timeout.c
+++ b/src/obj/ct_timeout.c
@@ -1,10 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2018 by Harsha Sharma <harshasharmaiitr@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include <stdio.h>
@@ -21,7 +17,7 @@
#include "obj.h"
-static const char *const tcp_state_to_name[] = {
+static const char *const tcp_state_to_name[NFTNL_CTTIMEOUT_TCP_MAX] = {
[NFTNL_CTTIMEOUT_TCP_SYN_SENT] = "SYN_SENT",
[NFTNL_CTTIMEOUT_TCP_SYN_RECV] = "SYN_RECV",
[NFTNL_CTTIMEOUT_TCP_ESTABLISHED] = "ESTABLISHED",
@@ -35,7 +31,7 @@ static const char *const tcp_state_to_name[] = {
[NFTNL_CTTIMEOUT_TCP_UNACK] = "UNACKNOWLEDGED",
};
-static uint32_t tcp_dflt_timeout[] = {
+static uint32_t tcp_dflt_timeout[NFTNL_CTTIMEOUT_TCP_MAX] = {
[NFTNL_CTTIMEOUT_TCP_SYN_SENT] = 120,
[NFTNL_CTTIMEOUT_TCP_SYN_RECV] = 60,
[NFTNL_CTTIMEOUT_TCP_ESTABLISHED] = 432000,
@@ -49,12 +45,12 @@ static uint32_t tcp_dflt_timeout[] = {
[NFTNL_CTTIMEOUT_TCP_UNACK] = 300,
};
-static const char *const udp_state_to_name[] = {
+static const char *const udp_state_to_name[NFTNL_CTTIMEOUT_UDP_MAX] = {
[NFTNL_CTTIMEOUT_UDP_UNREPLIED] = "UNREPLIED",
[NFTNL_CTTIMEOUT_UDP_REPLIED] = "REPLIED",
};
-static uint32_t udp_dflt_timeout[] = {
+static uint32_t udp_dflt_timeout[NFTNL_CTTIMEOUT_UDP_MAX] = {
[NFTNL_CTTIMEOUT_UDP_UNREPLIED] = 30,
[NFTNL_CTTIMEOUT_UDP_REPLIED] = 180,
};
@@ -150,17 +146,18 @@ static int nftnl_obj_ct_timeout_set(struct nftnl_obj *e, uint16_t type,
switch (type) {
case NFTNL_OBJ_CT_TIMEOUT_L3PROTO:
- memcpy(&timeout->l3proto, data, sizeof(timeout->l3proto));
+ memcpy(&timeout->l3proto, data, data_len);
break;
case NFTNL_OBJ_CT_TIMEOUT_L4PROTO:
- memcpy(&timeout->l4proto, data, sizeof(timeout->l4proto));
+ memcpy(&timeout->l4proto, data, data_len);
break;
case NFTNL_OBJ_CT_TIMEOUT_ARRAY:
+ if (data_len < sizeof(uint32_t) * NFTNL_CTTIMEOUT_ARRAY_MAX)
+ return -1;
+
memcpy(timeout->timeout, data,
sizeof(uint32_t) * NFTNL_CTTIMEOUT_ARRAY_MAX);
break;
- default:
- return -1;
}
return 0;
}
@@ -307,11 +304,18 @@ static int nftnl_obj_ct_timeout_snprintf(char *buf, size_t remain,
return offset;
}
+static struct attr_policy
+obj_ct_timeout_attr_policy[__NFTNL_OBJ_CT_TIMEOUT_MAX] = {
+ [NFTNL_OBJ_CT_TIMEOUT_L3PROTO] = { .maxlen = sizeof(uint16_t) },
+ [NFTNL_OBJ_CT_TIMEOUT_L4PROTO] = { .maxlen = sizeof(uint8_t) },
+};
+
struct obj_ops obj_ops_ct_timeout = {
.name = "ct_timeout",
.type = NFT_OBJECT_CT_TIMEOUT,
.alloc_len = sizeof(struct nftnl_obj_ct_timeout),
- .max_attr = NFTA_CT_TIMEOUT_MAX,
+ .nftnl_max_attr = __NFTNL_OBJ_CT_TIMEOUT_MAX - 1,
+ .attr_policy = obj_ct_timeout_attr_policy,
.set = nftnl_obj_ct_timeout_set,
.get = nftnl_obj_ct_timeout_get,
.parse = nftnl_obj_ct_timeout_parse,
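Review bot: `obj_ct_timeout_attr_policy` has no entry for `NFTNL_OBJ_CT_TIMEOUT_ARRAY`, so its `maxlen` is the zero-initialised default, and if 0 means "no bound" (as target.c and xfrm.c appear to use it) the only length check for that attribute is the `data_len <` guard added to set() in the previous hunk, which silently truncates over-long input. Spelling the entry out, e.g. `[NFTNL_OBJ_CT_TIMEOUT_ARRAY] = { .maxlen = sizeof(uint32_t) * NFTNL_CTTIMEOUT_ARRAY_MAX },`, documents the intent and makes the policy reject anything but the exact array size.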
diff --git a/src/obj/limit.c b/src/obj/limit.c
index d7b1aed..fe1a88f 100644
--- a/src/obj/limit.c
+++ b/src/obj/limit.c
@@ -1,10 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* Copyright (c) 2017 Pablo M. Bermudo Garay <pablombg@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include <stdio.h>
@@ -28,22 +24,20 @@ static int nftnl_obj_limit_set(struct nftnl_obj *e, uint16_t type,
switch (type) {
case NFTNL_OBJ_LIMIT_RATE:
- memcpy(&limit->rate, data, sizeof(limit->rate));
+ memcpy(&limit->rate, data, data_len);
break;
case NFTNL_OBJ_LIMIT_UNIT:
- memcpy(&limit->unit, data, sizeof(limit->unit));
+ memcpy(&limit->unit, data, data_len);
break;
case NFTNL_OBJ_LIMIT_BURST:
- memcpy(&limit->burst, data, sizeof(limit->burst));
+ memcpy(&limit->burst, data, data_len);
break;
case NFTNL_OBJ_LIMIT_TYPE:
- memcpy(&limit->type, data, sizeof(limit->type));
+ memcpy(&limit->type, data, data_len);
break;
case NFTNL_OBJ_LIMIT_FLAGS:
- memcpy(&limit->flags, data, sizeof(limit->flags));
+ memcpy(&limit->flags, data, data_len);
break;
- default:
- return -1;
}
return 0;
}
@@ -159,11 +153,20 @@ static int nftnl_obj_limit_snprintf(char *buf, size_t len,
limit->burst, limit->type, limit->flags);
}
+static struct attr_policy obj_limit_attr_policy[__NFTNL_OBJ_LIMIT_MAX] = {
+ [NFTNL_OBJ_LIMIT_RATE] = { .maxlen = sizeof(uint64_t) },
+ [NFTNL_OBJ_LIMIT_UNIT] = { .maxlen = sizeof(uint64_t) },
+ [NFTNL_OBJ_LIMIT_BURST] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_OBJ_LIMIT_TYPE] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_OBJ_LIMIT_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct obj_ops obj_ops_limit = {
.name = "limit",
.type = NFT_OBJECT_LIMIT,
.alloc_len = sizeof(struct nftnl_obj_limit),
- .max_attr = NFTA_LIMIT_MAX,
+ .nftnl_max_attr = __NFTNL_OBJ_LIMIT_MAX - 1,
+ .attr_policy = obj_limit_attr_policy,
.set = nftnl_obj_limit_set,
.get = nftnl_obj_limit_get,
.parse = nftnl_obj_limit_parse,
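Review bot: The policy table spells the bound of each attribute as a bare type (`sizeof(uint64_t)`, `sizeof(uint32_t)`) rather than as the size of the struct member it protects, so if a field in struct nftnl_obj_limit is ever narrower than the policy claims, the memcpy in the set callback overruns it and nothing in the build catches it. Deriving each entry from the member, e.g. `{ .maxlen = sizeof(((struct nftnl_obj_limit *)0)->rate) }` or a small field-size macro, keeps the table and the struct in lockstep. The quota, synproxy and tunnel tables (hunks ending at L5843, L5926 and L6071) have the same shape; the struct definitions themselves are not visible here, so I cannot confirm whether any entry currently disagrees with its field.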
diff --git a/src/obj/quota.c b/src/obj/quota.c
index 6c7559a..0eda0a5 100644
--- a/src/obj/quota.c
+++ b/src/obj/quota.c
@@ -1,10 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012-2016 by Pablo Neira Ayuso <pablo@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include <stdio.h>
@@ -28,16 +24,14 @@ static int nftnl_obj_quota_set(struct nftnl_obj *e, uint16_t type,
switch (type) {
case NFTNL_OBJ_QUOTA_BYTES:
- memcpy(&quota->bytes, data, sizeof(quota->bytes));
+ memcpy(&quota->bytes, data, data_len);
break;
case NFTNL_OBJ_QUOTA_CONSUMED:
- memcpy(&quota->consumed, data, sizeof(quota->consumed));
+ memcpy(&quota->consumed, data, data_len);
break;
case NFTNL_OBJ_QUOTA_FLAGS:
- memcpy(&quota->flags, data, sizeof(quota->flags));
+ memcpy(&quota->flags, data, data_len);
break;
- default:
- return -1;
}
return 0;
}
@@ -135,11 +129,18 @@ static int nftnl_obj_quota_snprintf(char *buf, size_t len,
quota->bytes, quota->flags);
}
+static struct attr_policy obj_quota_attr_policy[__NFTNL_OBJ_QUOTA_MAX] = {
+ [NFTNL_OBJ_QUOTA_BYTES] = { .maxlen = sizeof(uint64_t) },
+ [NFTNL_OBJ_QUOTA_CONSUMED] = { .maxlen = sizeof(uint64_t) },
+ [NFTNL_OBJ_QUOTA_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct obj_ops obj_ops_quota = {
.name = "quota",
.type = NFT_OBJECT_QUOTA,
.alloc_len = sizeof(struct nftnl_obj_quota),
- .max_attr = NFTA_QUOTA_MAX,
+ .nftnl_max_attr = __NFTNL_OBJ_QUOTA_MAX - 1,
+ .attr_policy = obj_quota_attr_policy,
.set = nftnl_obj_quota_set,
.get = nftnl_obj_quota_get,
.parse = nftnl_obj_quota_parse,
diff --git a/src/obj/secmark.c b/src/obj/secmark.c
index e5c24b3..25b04e2 100644
--- a/src/obj/secmark.c
+++ b/src/obj/secmark.c
@@ -1,10 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012-2016 by Pablo Neira Ayuso <pablo@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include <stdio.h>
@@ -30,8 +26,6 @@ static int nftnl_obj_secmark_set(struct nftnl_obj *e, uint16_t type,
case NFTNL_OBJ_SECMARK_CTX:
snprintf(secmark->ctx, sizeof(secmark->ctx), "%s", (const char *)data);
break;
- default:
- return -1;
}
return 0;
}
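Review bot: `snprintf(secmark->ctx, sizeof(secmark->ctx), "%s", (const char *)data)` reads `data` until a NUL regardless of `data_len`, so the new maxlen policy bounds the write into ctx but not the read from the caller's buffer; a caller passing a non-terminated buffer through nftnl_obj_set_data still over-reads. Bounding the read to the declared length, `snprintf(secmark->ctx, sizeof(secmark->ctx), "%.*s", (int)data_len, (const char *)data);`, makes the callback honour the length it is now given. The callback's opening lines are outside this hunk.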
@@ -107,11 +101,16 @@ static int nftnl_obj_secmark_snprintf(char *buf, size_t len,
return snprintf(buf, len, "context %s ", secmark->ctx);
}
+static struct attr_policy obj_secmark_attr_policy[__NFTNL_OBJ_SECMARK_MAX] = {
+ [NFTNL_OBJ_SECMARK_CTX] = { .maxlen = NFT_SECMARK_CTX_MAXLEN },
+};
+
struct obj_ops obj_ops_secmark = {
.name = "secmark",
.type = NFT_OBJECT_SECMARK,
.alloc_len = sizeof(struct nftnl_obj_secmark),
- .max_attr = NFTA_SECMARK_MAX,
+ .nftnl_max_attr = __NFTNL_OBJ_SECMARK_MAX - 1,
+ .attr_policy = obj_secmark_attr_policy,
.set = nftnl_obj_secmark_set,
.get = nftnl_obj_secmark_get,
.parse = nftnl_obj_secmark_parse,
diff --git a/src/obj/synproxy.c b/src/obj/synproxy.c
index baef5c2..65fbcf7 100644
--- a/src/obj/synproxy.c
+++ b/src/obj/synproxy.c
@@ -19,16 +19,14 @@ static int nftnl_obj_synproxy_set(struct nftnl_obj *e, uint16_t type,
switch (type) {
case NFTNL_OBJ_SYNPROXY_MSS:
- synproxy->mss = *((uint16_t *)data);
+ memcpy(&synproxy->mss, data, data_len);
break;
case NFTNL_OBJ_SYNPROXY_WSCALE:
- synproxy->wscale = *((uint8_t *)data);
+ memcpy(&synproxy->wscale, data, data_len);
break;
case NFTNL_OBJ_SYNPROXY_FLAGS:
- synproxy->flags = *((uint32_t *)data);
+ memcpy(&synproxy->flags, data, data_len);
break;
- default:
- return -1;
}
return 0;
}
@@ -134,11 +132,18 @@ static int nftnl_obj_synproxy_snprintf(char *buf, size_t len,
return offset;
}
+static struct attr_policy obj_synproxy_attr_policy[__NFTNL_OBJ_SYNPROXY_MAX] = {
+ [NFTNL_OBJ_SYNPROXY_MSS] = { .maxlen = sizeof(uint16_t) },
+ [NFTNL_OBJ_SYNPROXY_WSCALE] = { .maxlen = sizeof(uint8_t) },
+ [NFTNL_OBJ_SYNPROXY_FLAGS] = { .maxlen = sizeof(uint32_t) },
+};
+
struct obj_ops obj_ops_synproxy = {
.name = "synproxy",
.type = NFT_OBJECT_SYNPROXY,
.alloc_len = sizeof(struct nftnl_obj_synproxy),
- .max_attr = NFTA_SYNPROXY_MAX,
+ .nftnl_max_attr = __NFTNL_OBJ_SYNPROXY_MAX - 1,
+ .attr_policy = obj_synproxy_attr_policy,
.set = nftnl_obj_synproxy_set,
.get = nftnl_obj_synproxy_get,
.parse = nftnl_obj_synproxy_parse,
diff --git a/src/obj/tunnel.c b/src/obj/tunnel.c
index d2503dc..8941e39 100644
--- a/src/obj/tunnel.c
+++ b/src/obj/tunnel.c
@@ -1,10 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2018 by Pablo Neira Ayuso <pablo@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include <stdio.h>
@@ -29,55 +25,53 @@ nftnl_obj_tunnel_set(struct nftnl_obj *e, uint16_t type,
switch (type) {
case NFTNL_OBJ_TUNNEL_ID:
- memcpy(&tun->id, data, sizeof(tun->id));
+ memcpy(&tun->id, data, data_len);
break;
case NFTNL_OBJ_TUNNEL_IPV4_SRC:
- memcpy(&tun->src_v4, data, sizeof(tun->src_v4));
+ memcpy(&tun->src_v4, data, data_len);
break;
case NFTNL_OBJ_TUNNEL_IPV4_DST:
- memcpy(&tun->dst_v4, data, sizeof(tun->dst_v4));
+ memcpy(&tun->dst_v4, data, data_len);
break;
case NFTNL_OBJ_TUNNEL_IPV6_SRC:
- memcpy(&tun->src_v6, data, sizeof(struct in6_addr));
+ memcpy(&tun->src_v6, data, data_len);
break;
case NFTNL_OBJ_TUNNEL_IPV6_DST:
- memcpy(&tun->dst_v6, data, sizeof(struct in6_addr));
+ memcpy(&tun->dst_v6, data, data_len);
break;
case NFTNL_OBJ_TUNNEL_IPV6_FLOWLABEL:
- memcpy(&tun->flowlabel, data, sizeof(tun->flowlabel));
+ memcpy(&tun->flowlabel, data, data_len);
break;
case NFTNL_OBJ_TUNNEL_SPORT:
- memcpy(&tun->sport, data, sizeof(tun->sport));
+ memcpy(&tun->sport, data, data_len);
break;
case NFTNL_OBJ_TUNNEL_DPORT:
- memcpy(&tun->dport, data, sizeof(tun->dport));
+ memcpy(&tun->dport, data, data_len);
break;
case NFTNL_OBJ_TUNNEL_FLAGS:
- memcpy(&tun->tun_flags, data, sizeof(tun->tun_flags));
+ memcpy(&tun->tun_flags, data, data_len);
break;
case NFTNL_OBJ_TUNNEL_TOS:
- memcpy(&tun->tun_tos, data, sizeof(tun->tun_tos));
+ memcpy(&tun->tun_tos, data, data_len);
break;
case NFTNL_OBJ_TUNNEL_TTL:
- memcpy(&tun->tun_ttl, data, sizeof(tun->tun_ttl));
+ memcpy(&tun->tun_ttl, data, data_len);
break;
case NFTNL_OBJ_TUNNEL_VXLAN_GBP:
- memcpy(&tun->u.tun_vxlan.gbp, data, sizeof(tun->u.tun_vxlan.gbp));
+ memcpy(&tun->u.tun_vxlan.gbp, data, data_len);
break;
case NFTNL_OBJ_TUNNEL_ERSPAN_VERSION:
- memcpy(&tun->u.tun_erspan.version, data, sizeof(tun->u.tun_erspan.version));
+ memcpy(&tun->u.tun_erspan.version, data, data_len);
break;
case NFTNL_OBJ_TUNNEL_ERSPAN_V1_INDEX:
- memcpy(&tun->u.tun_erspan.u.v1_index, data, sizeof(tun->u.tun_erspan.u.v1_index));
+ memcpy(&tun->u.tun_erspan.u.v1_index, data, data_len);
break;
case NFTNL_OBJ_TUNNEL_ERSPAN_V2_HWID:
- memcpy(&tun->u.tun_erspan.u.v2.hwid, data, sizeof(tun->u.tun_erspan.u.v2.hwid));
+ memcpy(&tun->u.tun_erspan.u.v2.hwid, data, data_len);
break;
case NFTNL_OBJ_TUNNEL_ERSPAN_V2_DIR:
- memcpy(&tun->u.tun_erspan.u.v2.dir, data, sizeof(tun->u.tun_erspan.u.v2.dir));
+ memcpy(&tun->u.tun_erspan.u.v2.dir, data, data_len);
break;
- default:
- return -1;
}
return 0;
}
@@ -181,7 +175,7 @@ static void
nftnl_obj_tunnel_build(struct nlmsghdr *nlh, const struct nftnl_obj *e)
{
struct nftnl_obj_tunnel *tun = nftnl_obj_data(e);
- struct nlattr *nest;
+ struct nlattr *nest, *nest_inner;
if (e->flags & (1 << NFTNL_OBJ_TUNNEL_ID))
mnl_attr_put_u32(nlh, NFTA_TUNNEL_KEY_ID, htonl(tun->id));
@@ -220,16 +214,16 @@ nftnl_obj_tunnel_build(struct nlmsghdr *nlh, const struct nftnl_obj *e)
mnl_attr_put_u32(nlh, NFTA_TUNNEL_KEY_FLAGS, htonl(tun->tun_flags));
if (e->flags & (1 << NFTNL_OBJ_TUNNEL_VXLAN_GBP)) {
nest = mnl_attr_nest_start(nlh, NFTA_TUNNEL_KEY_OPTS);
+ nest_inner = mnl_attr_nest_start(nlh, NFTA_TUNNEL_KEY_OPTS_VXLAN);
mnl_attr_put_u32(nlh, NFTA_TUNNEL_KEY_VXLAN_GBP,
htonl(tun->u.tun_vxlan.gbp));
+ mnl_attr_nest_end(nlh, nest_inner);
mnl_attr_nest_end(nlh, nest);
}
if (e->flags & (1 << NFTNL_OBJ_TUNNEL_ERSPAN_VERSION) &&
(e->flags & (1 << NFTNL_OBJ_TUNNEL_ERSPAN_V1_INDEX) ||
(e->flags & (1 << NFTNL_OBJ_TUNNEL_ERSPAN_V2_HWID) &&
e->flags & (1u << NFTNL_OBJ_TUNNEL_ERSPAN_V2_DIR)))) {
- struct nlattr *nest_inner;
-
nest = mnl_attr_nest_start(nlh, NFTA_TUNNEL_KEY_OPTS);
nest_inner = mnl_attr_nest_start(nlh, NFTA_TUNNEL_KEY_OPTS_ERSPAN);
mnl_attr_put_u32(nlh, NFTA_TUNNEL_KEY_ERSPAN_VERSION,
@@ -538,11 +532,31 @@ static int nftnl_obj_tunnel_snprintf(char *buf, size_t len,
return snprintf(buf, len, "id %u ", tun->id);
}
+static struct attr_policy obj_tunnel_attr_policy[__NFTNL_OBJ_TUNNEL_MAX] = {
+ [NFTNL_OBJ_TUNNEL_ID] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_OBJ_TUNNEL_IPV4_SRC] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_OBJ_TUNNEL_IPV4_DST] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_OBJ_TUNNEL_IPV6_SRC] = { .maxlen = sizeof(struct in6_addr) },
+ [NFTNL_OBJ_TUNNEL_IPV6_DST] = { .maxlen = sizeof(struct in6_addr) },
+ [NFTNL_OBJ_TUNNEL_IPV6_FLOWLABEL] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_OBJ_TUNNEL_SPORT] = { .maxlen = sizeof(uint16_t) },
+ [NFTNL_OBJ_TUNNEL_DPORT] = { .maxlen = sizeof(uint16_t) },
+ [NFTNL_OBJ_TUNNEL_FLAGS] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_OBJ_TUNNEL_TOS] = { .maxlen = sizeof(uint8_t) },
+ [NFTNL_OBJ_TUNNEL_TTL] = { .maxlen = sizeof(uint8_t) },
+ [NFTNL_OBJ_TUNNEL_VXLAN_GBP] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_OBJ_TUNNEL_ERSPAN_VERSION] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_OBJ_TUNNEL_ERSPAN_V1_INDEX] = { .maxlen = sizeof(uint32_t) },
+ [NFTNL_OBJ_TUNNEL_ERSPAN_V2_HWID] = { .maxlen = sizeof(uint8_t) },
+ [NFTNL_OBJ_TUNNEL_ERSPAN_V2_DIR] = { .maxlen = sizeof(uint8_t) },
+};
+
struct obj_ops obj_ops_tunnel = {
.name = "tunnel",
.type = NFT_OBJECT_TUNNEL,
.alloc_len = sizeof(struct nftnl_obj_tunnel),
- .max_attr = NFTA_TUNNEL_KEY_MAX,
+ .nftnl_max_attr = __NFTNL_OBJ_TUNNEL_MAX - 1,
+ .attr_policy = obj_tunnel_attr_policy,
.set = nftnl_obj_tunnel_set,
.get = nftnl_obj_tunnel_get,
.parse = nftnl_obj_tunnel_parse,
diff --git a/src/object.c b/src/object.c
index 232b97a..bfcceb9 100644
--- a/src/object.c
+++ b/src/object.c
@@ -1,10 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012-2016 by Pablo Neira Ayuso <pablo@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include "internal.h"
@@ -69,32 +65,60 @@ bool nftnl_obj_is_set(const struct nftnl_obj *obj, uint16_t attr)
return obj->flags & (1 << attr);
}
+EXPORT_SYMBOL(nftnl_obj_unset);
+void nftnl_obj_unset(struct nftnl_obj *obj, uint16_t attr)
+{
+ if (!(obj->flags & (1 << attr)))
+ return;
+
+ switch (attr) {
+ case NFTNL_OBJ_TABLE:
+ xfree(obj->table);
+ break;
+ case NFTNL_OBJ_NAME:
+ xfree(obj->name);
+ break;
+ case NFTNL_OBJ_USERDATA:
+ xfree(obj->user.data);
+ break;
+ case NFTNL_OBJ_TYPE:
+ case NFTNL_OBJ_FAMILY:
+ case NFTNL_OBJ_USE:
+ case NFTNL_OBJ_HANDLE:
+ break;
+ default:
+ break;
+ }
+
+ obj->flags &= ~(1 << attr);
+}
+
static uint32_t nftnl_obj_validate[NFTNL_OBJ_MAX + 1] = {
+ [NFTNL_OBJ_TYPE] = sizeof(uint32_t),
[NFTNL_OBJ_FAMILY] = sizeof(uint32_t),
[NFTNL_OBJ_USE] = sizeof(uint32_t),
[NFTNL_OBJ_HANDLE] = sizeof(uint64_t),
};
EXPORT_SYMBOL(nftnl_obj_set_data);
-void nftnl_obj_set_data(struct nftnl_obj *obj, uint16_t attr,
- const void *data, uint32_t data_len)
+int nftnl_obj_set_data(struct nftnl_obj *obj, uint16_t attr,
+ const void *data, uint32_t data_len)
{
if (attr < NFTNL_OBJ_MAX)
nftnl_assert_validate(data, nftnl_obj_validate, attr, data_len);
switch (attr) {
case NFTNL_OBJ_TABLE:
- xfree(obj->table);
- obj->table = strdup(data);
+ return nftnl_set_str_attr(&obj->table, &obj->flags,
+ attr, data, data_len);
break;
case NFTNL_OBJ_NAME:
- xfree(obj->name);
- obj->name = strdup(data);
- break;
+ return nftnl_set_str_attr(&obj->name, &obj->flags,
+ attr, data, data_len);
case NFTNL_OBJ_TYPE:
obj->ops = nftnl_obj_ops_lookup(*((uint32_t *)data));
if (!obj->ops)
- return;
+ return -1;
break;
case NFTNL_OBJ_FAMILY:
memcpy(&obj->family, data, sizeof(obj->family));
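Review bot: The `break;` left after `return nftnl_set_str_attr(...)` in the NFTNL_OBJ_TABLE case is unreachable, while the NFTNL_OBJ_NAME case right below drops it; the two cases should read the same, so delete the dead `break;`. In nftnl_obj_unset the `default: break;` silently clears the flag bit for any type-specific attribute without consulting `obj->ops`, which is fine for the ops visible in this diff (none of their set callbacks allocate) but deserves a comment such as `/* type-specific attrs hold no owned memory; only the flag is cleared */` so a future ops implementation that does allocate knows it must hook in here. nftnl_obj_set_data continues past the end of this hunk.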
@@ -111,16 +135,26 @@ void nftnl_obj_set_data(struct nftnl_obj *obj, uint16_t attr,
obj->user.data = malloc(data_len);
if (!obj->user.data)
- return;
+ return -1;
memcpy(obj->user.data, data, data_len);
obj->user.len = data_len;
break;
default:
- if (obj->ops)
- obj->ops->set(obj, attr, data, data_len);
- break;
+ if (!obj->ops ||
+ attr < NFTNL_OBJ_BASE ||
+ attr > obj->ops->nftnl_max_attr ||
+ !obj->ops->attr_policy)
+ return -1;
+
+ if (obj->ops->attr_policy[attr].maxlen &&
+ obj->ops->attr_policy[attr].maxlen < data_len)
+ return -1;
+
+ if (obj->ops->set(obj, attr, data, data_len) < 0)
+ return -1;
}
obj->flags |= (1 << attr);
+ return 0;
}
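Review bot: The length check `attr_policy[attr].maxlen && attr_policy[attr].maxlen < data_len` treats a zero maxlen as "unchecked", so any attribute that is simply missing from an ops' policy table (a zero-initialised slot) bypasses the bound entirely and passes an arbitrary `data_len` into the callback's memcpy; none of the tables in this diff appear to omit an entry, but the failure mode is silent. Either reject `maxlen == 0` for attributes in range, or document the convention above the table type with a comment like `/* maxlen == 0 means variable length, left to the set callback to validate */` so the contract is explicit. The new `!obj->ops` guard also means type-specific attributes must be set after NFTNL_OBJ_TYPE; that ordering requirement is worth stating in the public header's documentation for nftnl_obj_set_data. The function's opening lines are in the previous hunk.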
void nftnl_obj_set(struct nftnl_obj *obj, uint16_t attr, const void *data) __visible;
@@ -130,37 +164,37 @@ void nftnl_obj_set(struct nftnl_obj *obj, uint16_t attr, const void *data)
}
EXPORT_SYMBOL(nftnl_obj_set_u8);
-void nftnl_obj_set_u8(struct nftnl_obj *obj, uint16_t attr, uint8_t val)
+int nftnl_obj_set_u8(struct nftnl_obj *obj, uint16_t attr, uint8_t val)
{
- nftnl_obj_set_data(obj, attr, &val, sizeof(uint8_t));
+ return nftnl_obj_set_data(obj, attr, &val, sizeof(uint8_t));
}
EXPORT_SYMBOL(nftnl_obj_set_u16);
-void nftnl_obj_set_u16(struct nftnl_obj *obj, uint16_t attr, uint16_t val)
+int nftnl_obj_set_u16(struct nftnl_obj *obj, uint16_t attr, uint16_t val)
{
- nftnl_obj_set_data(obj, attr, &val, sizeof(uint16_t));
+ return nftnl_obj_set_data(obj, attr, &val, sizeof(uint16_t));
}
EXPORT_SYMBOL(nftnl_obj_set_u32);
-void nftnl_obj_set_u32(struct nftnl_obj *obj, uint16_t attr, uint32_t val)
+int nftnl_obj_set_u32(struct nftnl_obj *obj, uint16_t attr, uint32_t val)
{
- nftnl_obj_set_data(obj, attr, &val, sizeof(uint32_t));
+ return nftnl_obj_set_data(obj, attr, &val, sizeof(uint32_t));
}
EXPORT_SYMBOL(nftnl_obj_set_u64);
-void nftnl_obj_set_u64(struct nftnl_obj *obj, uint16_t attr, uint64_t val)
+int nftnl_obj_set_u64(struct nftnl_obj *obj, uint16_t attr, uint64_t val)
{
- nftnl_obj_set_data(obj, attr, &val, sizeof(uint64_t));
+ return nftnl_obj_set_data(obj, attr, &val, sizeof(uint64_t));
}
EXPORT_SYMBOL(nftnl_obj_set_str);
-void nftnl_obj_set_str(struct nftnl_obj *obj, uint16_t attr, const char *str)
+int nftnl_obj_set_str(struct nftnl_obj *obj, uint16_t attr, const char *str)
{
- nftnl_obj_set_data(obj, attr, str, 0);
+ return nftnl_obj_set_data(obj, attr, str, strlen(str) + 1);
}
EXPORT_SYMBOL(nftnl_obj_get_data);
-const void *nftnl_obj_get_data(struct nftnl_obj *obj, uint16_t attr,
+const void *nftnl_obj_get_data(const struct nftnl_obj *obj, uint16_t attr,
uint32_t *data_len)
{
if (!(obj->flags & (1 << attr)))
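Review bot: The typed setters now propagate the int result of nftnl_obj_set_data, but the `nftnl_obj_set` prototype still visible at the top of this hunk remains `void`, so its callers cannot observe the new policy rejections at all; unless its body (outside the hunk) was changed too, it should become `int nftnl_obj_set(struct nftnl_obj *obj, uint16_t attr, const void *data)` returning the same value. nftnl_obj_set_str now passes `strlen(str) + 1` as `data_len`, which is the right length for the string policies but still dereferences a NULL `str`; the prior strdup-based path had the same limitation, so this is only worth a `@param str must be non-NULL` note in the header.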
@@ -198,42 +232,42 @@ const void *nftnl_obj_get_data(struct nftnl_obj *obj, uint16_t attr,
}
EXPORT_SYMBOL(nftnl_obj_get);
-const void *nftnl_obj_get(struct nftnl_obj *obj, uint16_t attr)
+const void *nftnl_obj_get(const struct nftnl_obj *obj, uint16_t attr)
{
uint32_t data_len;
return nftnl_obj_get_data(obj, attr, &data_len);
}
EXPORT_SYMBOL(nftnl_obj_get_u8);
-uint8_t nftnl_obj_get_u8(struct nftnl_obj *obj, uint16_t attr)
+uint8_t nftnl_obj_get_u8(const struct nftnl_obj *obj, uint16_t attr)
{
const void *ret = nftnl_obj_get(obj, attr);
return ret == NULL ? 0 : *((uint8_t *)ret);
}
EXPORT_SYMBOL(nftnl_obj_get_u16);
-uint16_t nftnl_obj_get_u16(struct nftnl_obj *obj, uint16_t attr)
+uint16_t nftnl_obj_get_u16(const struct nftnl_obj *obj, uint16_t attr)
{
const void *ret = nftnl_obj_get(obj, attr);
return ret == NULL ? 0 : *((uint16_t *)ret);
}
EXPORT_SYMBOL(nftnl_obj_get_u32);
-uint32_t nftnl_obj_get_u32(struct nftnl_obj *obj, uint16_t attr)
+uint32_t nftnl_obj_get_u32(const struct nftnl_obj *obj, uint16_t attr)
{
const void *ret = nftnl_obj_get(obj, attr);
return ret == NULL ? 0 : *((uint32_t *)ret);
}
EXPORT_SYMBOL(nftnl_obj_get_u64);
-uint64_t nftnl_obj_get_u64(struct nftnl_obj *obj, uint16_t attr)
+uint64_t nftnl_obj_get_u64(const struct nftnl_obj *obj, uint16_t attr)
{
const void *ret = nftnl_obj_get(obj, attr);
return ret == NULL ? 0 : *((uint64_t *)ret);
}
EXPORT_SYMBOL(nftnl_obj_get_str);
-const char *nftnl_obj_get_str(struct nftnl_obj *obj, uint16_t attr)
+const char *nftnl_obj_get_str(const struct nftnl_obj *obj, uint16_t attr)
{
return nftnl_obj_get(obj, attr);
}
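Review bot: The getters now take a `const struct nftnl_obj *`, but each still reads the result through `*((uint8_t *)ret)` and friends, casting the const off a `const void *`; `-Wcast-qual` flags this and it contradicts the constness the hunk just introduced. `return ret == NULL ? 0 : *(const uint8_t *)ret;` (and likewise for the 16/32/64-bit variants) keeps the read const-correct without changing behaviour.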
@@ -348,40 +382,22 @@ int nftnl_obj_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_obj *obj)
return 0;
}
-static int nftnl_obj_do_parse(struct nftnl_obj *obj, enum nftnl_parse_type type,
- const void *data, struct nftnl_parse_err *err,
- enum nftnl_parse_input input)
-{
- struct nftnl_parse_err perr = {};
- int ret;
-
- switch (type) {
- case NFTNL_PARSE_JSON:
- case NFTNL_PARSE_XML:
- default:
- ret = -1;
- errno = EOPNOTSUPP;
- break;
- }
-
- if (err != NULL)
- *err = perr;
-
- return ret;
-}
-
EXPORT_SYMBOL(nftnl_obj_parse);
int nftnl_obj_parse(struct nftnl_obj *obj, enum nftnl_parse_type type,
const char *data, struct nftnl_parse_err *err)
{
- return nftnl_obj_do_parse(obj, type, data, err, NFTNL_PARSE_BUFFER);
+ errno = EOPNOTSUPP;
+
+ return -1;
}
EXPORT_SYMBOL(nftnl_obj_parse_file);
int nftnl_obj_parse_file(struct nftnl_obj *obj, enum nftnl_parse_type type,
FILE *fp, struct nftnl_parse_err *err)
{
- return nftnl_obj_do_parse(obj, type, fp, err, NFTNL_PARSE_FILE);
+ errno = EOPNOTSUPP;
+
+ return -1;
}
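Review bot: The removed nftnl_obj_do_parse zeroed `*err` via `perr = {}` on every call, whereas the new nftnl_obj_parse and nftnl_obj_parse_file stubs never touch `err`, so a caller that inspects its error struct after the -1 return now reads whatever was there before. If keeping the old contract matters, add `if (err) memset(err, 0, sizeof(*err));` before `errno = EOPNOTSUPP;` in both; otherwise state in the header that `err` is left untouched. The same change is made in rule.c, set.c and table.c (hunks ending at L6395, L6600 and L6827); table.c's old helper never wrote `err`, so only the first two regress. All four stubs now have unused `obj`/`type`/`data`/`err` parameters, which will warn under `-Wunused-parameter`.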
static int nftnl_obj_snprintf_dflt(char *buf, size_t remain,
diff --git a/src/rule.c b/src/rule.c
index 0bb1c2a..3948a74 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012-2013 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This code has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
#include "internal.h"
@@ -115,21 +111,11 @@ int nftnl_rule_set_data(struct nftnl_rule *r, uint16_t attr,
switch(attr) {
case NFTNL_RULE_TABLE:
- if (r->flags & (1 << NFTNL_RULE_TABLE))
- xfree(r->table);
-
- r->table = strdup(data);
- if (!r->table)
- return -1;
- break;
+ return nftnl_set_str_attr(&r->table, &r->flags,
+ attr, data, data_len);
case NFTNL_RULE_CHAIN:
- if (r->flags & (1 << NFTNL_RULE_CHAIN))
- xfree(r->chain);
-
- r->chain = strdup(data);
- if (!r->chain)
- return -1;
- break;
+ return nftnl_set_str_attr(&r->chain, &r->flags,
+ attr, data, data_len);
case NFTNL_RULE_HANDLE:
memcpy(&r->handle, data, sizeof(r->handle));
break;
@@ -510,39 +496,22 @@ int nftnl_rule_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_rule *r)
return 0;
}
-static int nftnl_rule_do_parse(struct nftnl_rule *r, enum nftnl_parse_type type,
- const void *data, struct nftnl_parse_err *err,
- enum nftnl_parse_input input)
-{
- int ret;
- struct nftnl_parse_err perr = {};
-
- switch (type) {
- case NFTNL_PARSE_JSON:
- case NFTNL_PARSE_XML:
- default:
- ret = -1;
- errno = EOPNOTSUPP;
- break;
- }
- if (err != NULL)
- *err = perr;
-
- return ret;
-}
-
EXPORT_SYMBOL(nftnl_rule_parse);
int nftnl_rule_parse(struct nftnl_rule *r, enum nftnl_parse_type type,
const char *data, struct nftnl_parse_err *err)
{
- return nftnl_rule_do_parse(r, type, data, err, NFTNL_PARSE_BUFFER);
+ errno = EOPNOTSUPP;
+
+ return -1;
}
EXPORT_SYMBOL(nftnl_rule_parse_file);
int nftnl_rule_parse_file(struct nftnl_rule *r, enum nftnl_parse_type type,
FILE *fp, struct nftnl_parse_err *err)
{
- return nftnl_rule_do_parse(r, type, fp, err, NFTNL_PARSE_FILE);
+ errno = EOPNOTSUPP;
+
+ return -1;
}
static int nftnl_rule_snprintf_default(char *buf, size_t remain,
@@ -600,34 +569,33 @@ static int nftnl_rule_snprintf_default(char *buf, size_t remain,
sep = " ";
}
- ret = snprintf(buf + offset, remain, "\n");
- SNPRINTF_BUFFER_SIZE(ret, remain, offset);
-
list_for_each_entry(expr, &r->expr_list, head) {
- ret = snprintf(buf + offset, remain, " [ %s ", expr->ops->name);
+ ret = snprintf(buf + offset, remain,
+ "\n [ %s ", expr->ops->name);
SNPRINTF_BUFFER_SIZE(ret, remain, offset);
ret = nftnl_expr_snprintf(buf + offset, remain, expr,
type, flags);
SNPRINTF_BUFFER_SIZE(ret, remain, offset);
- ret = snprintf(buf + offset, remain, "]\n");
+ ret = snprintf(buf + offset, remain, "]");
SNPRINTF_BUFFER_SIZE(ret, remain, offset);
}
if (r->user.len) {
- ret = snprintf(buf + offset, remain, " userdata = { ");
+ ret = snprintf(buf + offset, remain, "\n userdata = { ");
SNPRINTF_BUFFER_SIZE(ret, remain, offset);
for (i = 0; i < r->user.len; i++) {
char *c = r->user.data;
- ret = snprintf(buf + offset, remain, "%c",
- isalnum(c[i]) ? c[i] : 0);
+ ret = snprintf(buf + offset, remain,
+ isprint(c[i]) ? "%c" : "\\x%02hhx",
+ c[i]);
SNPRINTF_BUFFER_SIZE(ret, remain, offset);
}
- ret = snprintf(buf + offset, remain, " }\n");
+ ret = snprintf(buf + offset, remain, " }");
SNPRINTF_BUFFER_SIZE(ret, remain, offset);
}
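Review bot: `isprint(c[i])` is called with a plain `char`, and `c` points at arbitrary userdata bytes; on platforms where `char` is signed any byte above 0x7f becomes a negative argument, which the ctype functions do not accept (only EOF and `unsigned char` values are defined), so this is undefined behaviour precisely on the non-printable input the new `\\x%02hhx` branch is meant to handle. Cast first: `isprint((unsigned char)c[i]) ? "%c" : "\\x%02hhx"`. The pre-existing isalnum call had the same issue, so the rewrite is the right moment to fix it; the identical loop in set_elem.c (hunk ending at L6665) needs the same cast. nftnl_rule_snprintf_default starts outside this hunk.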
diff --git a/src/ruleset.c b/src/ruleset.c
index 185aa48..ac50aa6 100644
--- a/src/ruleset.c
+++ b/src/ruleset.c
@@ -1,13 +1,9 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012-2013 by Pablo Neira Ayuso <pablo@netfilter.org>
* (C) 2013 by Arturo Borrero Gonzalez <arturo@debian.org>
* (C) 2013 by Alvaro Neira Ayuso <alvaroneay@gmail.com>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This code has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
diff --git a/src/set.c b/src/set.c
index c46f827..a020844 100644
--- a/src/set.c
+++ b/src/set.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012-2013 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This code has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
#include "internal.h"
@@ -54,8 +50,10 @@ void nftnl_set_free(const struct nftnl_set *s)
if (s->flags & (1 << NFTNL_SET_USERDATA))
xfree(s->user.data);
- list_for_each_entry_safe(expr, next, &s->expr_list, head)
+ list_for_each_entry_safe(expr, next, &s->expr_list, head) {
+ list_del(&expr->head);
nftnl_expr_free(expr);
+ }
list_for_each_entry_safe(elem, tmp, &s->element_list, head) {
list_del(&elem->head);
@@ -105,8 +103,10 @@ void nftnl_set_unset(struct nftnl_set *s, uint16_t attr)
break;
case NFTNL_SET_EXPR:
case NFTNL_SET_EXPRESSIONS:
- list_for_each_entry_safe(expr, tmp, &s->expr_list, head)
+ list_for_each_entry_safe(expr, tmp, &s->expr_list, head) {
+ list_del(&expr->head);
nftnl_expr_free(expr);
+ }
break;
default:
return;
@@ -124,6 +124,7 @@ static uint32_t nftnl_set_validate[NFTNL_SET_MAX + 1] = {
[NFTNL_SET_DATA_LEN] = sizeof(uint32_t),
[NFTNL_SET_OBJ_TYPE] = sizeof(uint32_t),
[NFTNL_SET_FAMILY] = sizeof(uint32_t),
+ [NFTNL_SET_ID] = sizeof(uint32_t),
[NFTNL_SET_POLICY] = sizeof(uint32_t),
[NFTNL_SET_DESC_SIZE] = sizeof(uint32_t),
[NFTNL_SET_TIMEOUT] = sizeof(uint64_t),
@@ -141,21 +142,11 @@ int nftnl_set_set_data(struct nftnl_set *s, uint16_t attr, const void *data,
switch(attr) {
case NFTNL_SET_TABLE:
- if (s->flags & (1 << NFTNL_SET_TABLE))
- xfree(s->table);
-
- s->table = strdup(data);
- if (!s->table)
- return -1;
- break;
+ return nftnl_set_str_attr(&s->table, &s->flags,
+ attr, data, data_len);
case NFTNL_SET_NAME:
- if (s->flags & (1 << NFTNL_SET_NAME))
- xfree(s->name);
-
- s->name = strdup(data);
- if (!s->name)
- return -1;
- break;
+ return nftnl_set_str_attr(&s->name, &s->flags,
+ attr, data, data_len);
case NFTNL_SET_HANDLE:
memcpy(&s->handle, data, sizeof(s->handle));
break;
@@ -190,8 +181,16 @@ int nftnl_set_set_data(struct nftnl_set *s, uint16_t attr, const void *data,
memcpy(&s->desc.size, data, sizeof(s->desc.size));
break;
case NFTNL_SET_DESC_CONCAT:
+ if (data_len > sizeof(s->desc.field_len))
+ return -1;
+
memcpy(&s->desc.field_len, data, data_len);
- while (s->desc.field_len[++s->desc.field_count]);
+ for (s->desc.field_count = 0;
+ s->desc.field_count < NFT_REG32_COUNT;
+ s->desc.field_count++) {
+ if (!s->desc.field_len[s->desc.field_count])
+ break;
+ }
break;
case NFTNL_SET_TIMEOUT:
memcpy(&s->timeout, data, sizeof(s->timeout));
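Review bot: The new `data_len > sizeof(s->desc.field_len)` check stops the overrun, but a `data_len` shorter than the array copies only a prefix and leaves the trailing entries holding whatever an earlier NFTNL_SET_DESC_CONCAT set left there; because the counting loop stops at the first zero entry, stale non-zero tail entries then inflate `field_count`. Clearing before the copy, `memset(s->desc.field_len, 0, sizeof(s->desc.field_len));`, makes the count depend only on the data just supplied. Bounding the loop by NFT_REG32_COUNT is a clear improvement over the unbounded `while`; nftnl_set_set_data itself begins outside this hunk.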
@@ -210,8 +209,10 @@ int nftnl_set_set_data(struct nftnl_set *s, uint16_t attr, const void *data,
s->user.len = data_len;
break;
case NFTNL_SET_EXPR:
- list_for_each_entry_safe(expr, tmp, &s->expr_list, head)
+ list_for_each_entry_safe(expr, tmp, &s->expr_list, head) {
+ list_del(&expr->head);
nftnl_expr_free(expr);
+ }
expr = (void *)data;
list_add(&expr->head, &s->expr_list);
@@ -742,46 +743,30 @@ int nftnl_set_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_set *s)
return 0;
out_set_expr:
- list_for_each_entry_safe(expr, next, &s->expr_list, head)
+ list_for_each_entry_safe(expr, next, &s->expr_list, head) {
+ list_del(&expr->head);
nftnl_expr_free(expr);
-
- return -1;
-}
-
-static int nftnl_set_do_parse(struct nftnl_set *s, enum nftnl_parse_type type,
- const void *data, struct nftnl_parse_err *err,
- enum nftnl_parse_input input)
-{
- int ret;
- struct nftnl_parse_err perr = {};
-
- switch (type) {
- case NFTNL_PARSE_JSON:
- case NFTNL_PARSE_XML:
- default:
- ret = -1;
- errno = EOPNOTSUPP;
- break;
}
- if (err != NULL)
- *err = perr;
-
- return ret;
+ return -1;
}
EXPORT_SYMBOL(nftnl_set_parse);
int nftnl_set_parse(struct nftnl_set *s, enum nftnl_parse_type type,
const char *data, struct nftnl_parse_err *err)
{
- return nftnl_set_do_parse(s, type, data, err, NFTNL_PARSE_BUFFER);
+ errno = EOPNOTSUPP;
+
+ return -1;
}
EXPORT_SYMBOL(nftnl_set_parse_file);
int nftnl_set_parse_file(struct nftnl_set *s, enum nftnl_parse_type type,
FILE *fp, struct nftnl_parse_err *err)
{
- return nftnl_set_do_parse(s, type, fp, err, NFTNL_PARSE_FILE);
+ errno = EOPNOTSUPP;
+
+ return -1;
}
static int nftnl_set_snprintf_default(char *buf, size_t remain,
diff --git a/src/set_elem.c b/src/set_elem.c
index 95009ac..848adf1 100644
--- a/src/set_elem.c
+++ b/src/set_elem.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012-2013 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This code has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
#include "internal.h"
@@ -126,12 +122,12 @@ int nftnl_set_elem_set(struct nftnl_set_elem *s, uint16_t attr,
memcpy(&s->set_elem_flags, data, sizeof(s->set_elem_flags));
break;
case NFTNL_SET_ELEM_KEY: /* NFTA_SET_ELEM_KEY */
- memcpy(&s->key.val, data, data_len);
- s->key.len = data_len;
+ if (nftnl_data_cpy(&s->key, data, data_len) < 0)
+ return -1;
break;
case NFTNL_SET_ELEM_KEY_END: /* NFTA_SET_ELEM_KEY_END */
- memcpy(&s->key_end.val, data, data_len);
- s->key_end.len = data_len;
+ if (nftnl_data_cpy(&s->key_end, data, data_len) < 0)
+ return -1;
break;
case NFTNL_SET_ELEM_VERDICT: /* NFTA_SET_ELEM_DATA */
memcpy(&s->data.verdict, data, sizeof(s->data.verdict));
@@ -145,8 +141,8 @@ int nftnl_set_elem_set(struct nftnl_set_elem *s, uint16_t attr,
return -1;
break;
case NFTNL_SET_ELEM_DATA: /* NFTA_SET_ELEM_DATA */
- memcpy(s->data.val, data, data_len);
- s->data.len = data_len;
+ if (nftnl_data_cpy(&s->data, data, data_len) < 0)
+ return -1;
break;
case NFTNL_SET_ELEM_TIMEOUT: /* NFTA_SET_ELEM_TIMEOUT */
memcpy(&s->timeout, data, sizeof(s->timeout));
@@ -735,18 +731,19 @@ int nftnl_set_elem_snprintf_default(char *buf, size_t remain,
SNPRINTF_BUFFER_SIZE(ret, remain, offset);
if (e->user.len) {
- ret = snprintf(buf + offset, remain, " userdata = {");
+ ret = snprintf(buf + offset, remain, " userdata = { ");
SNPRINTF_BUFFER_SIZE(ret, remain, offset);
for (i = 0; i < e->user.len; i++) {
char *c = e->user.data;
- ret = snprintf(buf + offset, remain, "%c",
- isalnum(c[i]) ? c[i] : 0);
+ ret = snprintf(buf + offset, remain,
+ isprint(c[i]) ? "%c" : "\\x%02hhx",
+ c[i]);
SNPRINTF_BUFFER_SIZE(ret, remain, offset);
}
- ret = snprintf(buf + offset, remain, " }\n");
+ ret = snprintf(buf + offset, remain, " }");
SNPRINTF_BUFFER_SIZE(ret, remain, offset);
}
diff --git a/src/str_array.c b/src/str_array.c
new file mode 100644
index 0000000..5669c61
--- /dev/null
+++ b/src/str_array.c
@@ -0,0 +1,67 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * (C) 2024 Red Hat GmbH
+ * Author: Phil Sutter <phil@nwl.cc>
+ */
+#include <libmnl/libmnl.h>
+#include <linux/netfilter/nf_tables.h>
+
+#include "str_array.h"
+#include "utils.h"
+
+void nftnl_str_array_clear(struct nftnl_str_array *sa)
+{
+ while (sa->len > 0)
+ free(sa->array[--sa->len]);
+ free(sa->array);
+}
+
+int nftnl_str_array_set(struct nftnl_str_array *sa, const char * const *array)
+{
+ int len = 0;
+
+ while (array[len])
+ len++;
+
+ nftnl_str_array_clear(sa);
+ sa->array = calloc(len + 1, sizeof(char *));
+ if (!sa->array)
+ return -1;
+
+ while (sa->len < len) {
+ sa->array[sa->len] = strdup(array[sa->len]);
+ if (!sa->array[sa->len]) {
+ nftnl_str_array_clear(sa);
+ return -1;
+ }
+ sa->len++;
+ }
+ return 0;
+}
+
+int nftnl_parse_devs(struct nftnl_str_array *sa, const struct nlattr *nest)
+{
+ struct nlattr *attr;
+ int len = 0;
+
+ mnl_attr_for_each_nested(attr, nest) {
+ if (mnl_attr_get_type(attr) != NFTA_DEVICE_NAME)
+ return -1;
+ len++;
+ }
+
+ nftnl_str_array_clear(sa);
+ sa->array = calloc(len + 1, sizeof(char *));
+ if (!sa->array)
+ return -1;
+
+ mnl_attr_for_each_nested(attr, nest) {
+ sa->array[sa->len] = strdup(mnl_attr_get_str(attr));
+ if (!sa->array[sa->len]) {
+ nftnl_str_array_clear(sa);
+ return -1;
+ }
+ sa->len++;
+ }
+ return 0;
+}
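Review bot: nftnl_str_array_clear frees `sa->array` but leaves the pointer set, and both nftnl_str_array_set and nftnl_parse_devs call it on their strdup failure path and then return -1 with `sa->array` dangling; a later clear from the owner's free routine would then free it again. Add `sa->array = NULL;` after `free(sa->array);` so clear is idempotent. In nftnl_parse_devs the attributes come from the kernel message and `mnl_attr_get_str` is used without checking the payload is NUL-terminated; inserting `if (mnl_attr_validate(attr, MNL_TYPE_NUL_STRING) < 0) return -1;` in the first loop, next to the type check, bounds the strdup. The file calls free, calloc and strdup but includes only libmnl and the project headers, so it presumably relies on str_array.h or utils.h to pull in <stdlib.h> and <string.h>; worth confirming rather than depending on it.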
diff --git a/src/table.c b/src/table.c
index 59e7053..9870dca 100644
--- a/src/table.c
+++ b/src/table.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012-2013 by Pablo Neira Ayuso <pablo@netfilter.org>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
* This code has been sponsored by Sophos Astaro <http://www.sophos.com>
*/
#include "internal.h"
@@ -74,6 +70,9 @@ void nftnl_table_unset(struct nftnl_table *t, uint16_t attr)
case NFTNL_TABLE_NAME:
xfree(t->name);
break;
+ case NFTNL_TABLE_USERDATA:
+ xfree(t->user.data);
+ break;
case NFTNL_TABLE_FLAGS:
case NFTNL_TABLE_HANDLE:
case NFTNL_TABLE_FAMILY:
@@ -88,6 +87,8 @@ static uint32_t nftnl_table_validate[NFTNL_TABLE_MAX + 1] = {
[NFTNL_TABLE_FLAGS] = sizeof(uint32_t),
[NFTNL_TABLE_FAMILY] = sizeof(uint32_t),
[NFTNL_TABLE_HANDLE] = sizeof(uint64_t),
+ [NFTNL_TABLE_USE] = sizeof(uint32_t),
+ [NFTNL_TABLE_OWNER] = sizeof(uint32_t),
};
EXPORT_SYMBOL(nftnl_table_set_data);
@@ -99,13 +100,8 @@ int nftnl_table_set_data(struct nftnl_table *t, uint16_t attr,
switch (attr) {
case NFTNL_TABLE_NAME:
- if (t->flags & (1 << NFTNL_TABLE_NAME))
- xfree(t->name);
-
- t->name = strdup(data);
- if (!t->name)
- return -1;
- break;
+ return nftnl_set_str_attr(&t->name, &t->flags,
+ attr, data, data_len);
case NFTNL_TABLE_HANDLE:
memcpy(&t->handle, data, sizeof(t->handle));
break;
@@ -327,36 +323,22 @@ int nftnl_table_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_table *t)
return 0;
}
-static int nftnl_table_do_parse(struct nftnl_table *t, enum nftnl_parse_type type,
- const void *data, struct nftnl_parse_err *err,
- enum nftnl_parse_input input)
-{
- int ret;
-
- switch (type) {
- case NFTNL_PARSE_JSON:
- case NFTNL_PARSE_XML:
- default:
- ret = -1;
- errno = EOPNOTSUPP;
- break;
- }
-
- return ret;
-}
-
EXPORT_SYMBOL(nftnl_table_parse);
int nftnl_table_parse(struct nftnl_table *t, enum nftnl_parse_type type,
const char *data, struct nftnl_parse_err *err)
{
- return nftnl_table_do_parse(t, type, data, err, NFTNL_PARSE_BUFFER);
+ errno = EOPNOTSUPP;
+
+ return -1;
}
EXPORT_SYMBOL(nftnl_table_parse_file);
int nftnl_table_parse_file(struct nftnl_table *t, enum nftnl_parse_type type,
FILE *fp, struct nftnl_parse_err *err)
{
- return nftnl_table_do_parse(t, type, fp, err, NFTNL_PARSE_FILE);
+ errno = EOPNOTSUPP;
+
+ return -1;
}
static int nftnl_table_snprintf_default(char *buf, size_t size,
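Review bot: nftnl_table_parse and nftnl_table_parse_file now fail unconditionally while keeping their exported signatures, and nothing in the code says why or that this is deliberate; a comment above them such as `/* JSON/XML input support was removed; kept for ABI compatibility, always fails with EOPNOTSUPP. */` would stop the next reader from hunting for a missing implementation. All four parameters of each function are now unused, which will warn under -Wunused-parameter if the build enables it.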
diff --git a/src/trace.c b/src/trace.c
index f426437..f7eb45e 100644
--- a/src/trace.c
+++ b/src/trace.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2015 Red Hat GmbH
* Author: Florian Westphal <fw@strlen.de>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include "internal.h"
diff --git a/src/udata.c b/src/udata.c
index 0cc3520..a195657 100644
--- a/src/udata.c
+++ b/src/udata.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012-2016 by Pablo Neira Ayuso <pablo@netfilter.org>
* (C) 2016 by Carlos Falgueras García <carlosfg@riseup.net>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include <libnftnl/udata.h>
@@ -42,6 +38,11 @@ uint32_t nftnl_udata_buf_len(const struct nftnl_udata_buf *buf)
return (uint32_t)(buf->end - buf->data);
}
+static uint32_t nftnl_udata_buf_space(const struct nftnl_udata_buf *buf)
+{
+ return buf->size - nftnl_udata_buf_len(buf);
+}
+
EXPORT_SYMBOL(nftnl_udata_buf_data);
void *nftnl_udata_buf_data(const struct nftnl_udata_buf *buf)
{
@@ -74,7 +75,8 @@ bool nftnl_udata_put(struct nftnl_udata_buf *buf, uint8_t type, uint32_t len,
{
struct nftnl_udata *attr;
- if (len > UINT8_MAX || buf->size < len + sizeof(struct nftnl_udata))
+ if (len > UINT8_MAX ||
+ nftnl_udata_buf_space(buf) < len + sizeof(struct nftnl_udata))
return false;
attr = (struct nftnl_udata *)buf->end;
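Review bot: The new bound in nftnl_udata_put is only correct while buf->end stays within buf->data + buf->size; nftnl_udata_buf_space (previous hunk) subtracts unsigned values, so if end ever ran past the buffer the helper would wrap to a huge value and this check would admit the write instead of rejecting it. A comment on the helper, `/* Bytes still free in buf after the attributes already put; assumes end <= data + size. */`, makes the invariant explicit, and an assert or an explicit `nftnl_udata_buf_len(buf) <= buf->size` guard there is cheap insurance. nftnl_udata_put's body continues past the hunk.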
diff --git a/src/utils.c b/src/utils.c
index 3617837..5f2c5bf 100644
--- a/src/utils.c
+++ b/src/utils.c
@@ -1,11 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2012-2013 by Pablo Neira Ayuso <pablo@netfilter.org>
* (C) 2013 by Arturo Borrero Gonzalez <arturo@debian.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
*/
#include <internal.h>
@@ -39,146 +35,6 @@ const char *nftnl_family2str(uint32_t family)
return nftnl_family_str[family];
}
-int nftnl_str2family(const char *family)
-{
- int i;
-
- for (i = 0; i < NFPROTO_NUMPROTO; i++) {
- if (nftnl_family_str[i] == NULL)
- continue;
-
- if (strcmp(nftnl_family_str[i], family) == 0)
- return i;
- }
-
- errno = EAFNOSUPPORT;
- return -1;
-}
-
-static struct {
- int len;
- int64_t min;
- uint64_t max;
-} basetype[] = {
- [NFTNL_TYPE_U8] = { .len = sizeof(uint8_t), .max = UINT8_MAX },
- [NFTNL_TYPE_U16] = { .len = sizeof(uint16_t), .max = UINT16_MAX },
- [NFTNL_TYPE_U32] = { .len = sizeof(uint32_t), .max = UINT32_MAX },
- [NFTNL_TYPE_U64] = { .len = sizeof(uint64_t), .max = UINT64_MAX },
- [NFTNL_TYPE_S8] = { .len = sizeof(int8_t), .min = INT8_MIN, .max = INT8_MAX },
- [NFTNL_TYPE_S16] = { .len = sizeof(int16_t), .min = INT16_MIN, .max = INT16_MAX },
- [NFTNL_TYPE_S32] = { .len = sizeof(int32_t), .min = INT32_MIN, .max = INT32_MAX },
- [NFTNL_TYPE_S64] = { .len = sizeof(int64_t), .min = INT64_MIN, .max = INT64_MAX },
-};
-
-int nftnl_get_value(enum nftnl_type type, void *val, void *out)
-{
- union {
- uint8_t u8;
- uint16_t u16;
- uint32_t u32;
- int8_t s8;
- int16_t s16;
- int32_t s32;
- } values;
- void *valuep = NULL;
- int64_t sval;
- uint64_t uval;
-
- switch (type) {
- case NFTNL_TYPE_U8:
- case NFTNL_TYPE_U16:
- case NFTNL_TYPE_U32:
- case NFTNL_TYPE_U64:
- memcpy(&uval, val, sizeof(uval));
- if (uval > basetype[type].max) {
- errno = ERANGE;
- return -1;
- }
- break;
- case NFTNL_TYPE_S8:
- case NFTNL_TYPE_S16:
- case NFTNL_TYPE_S32:
- case NFTNL_TYPE_S64:
- memcpy(&sval, val, sizeof(sval));
- if (sval < basetype[type].min ||
- sval > (int64_t)basetype[type].max) {
- errno = ERANGE;
- return -1;
- }
- break;
- }
-
- switch (type) {
- case NFTNL_TYPE_U8:
- values.u8 = uval;
- valuep = &values.u8;
- break;
- case NFTNL_TYPE_U16:
- values.u16 = uval;
- valuep = &values.u16;
- break;
- case NFTNL_TYPE_U32:
- values.u32 = uval;
- valuep = &values.u32;
- break;
- case NFTNL_TYPE_U64:
- valuep = &uval;
- break;
- case NFTNL_TYPE_S8:
- values.s8 = sval;
- valuep = &values.s8;
- break;
- case NFTNL_TYPE_S16:
- values.s16 = sval;
- valuep = &values.s16;
- break;
- case NFTNL_TYPE_S32:
- values.s32 = sval;
- valuep = &values.s32;
- break;
- case NFTNL_TYPE_S64:
- valuep = &sval;
- break;
- }
- memcpy(out, valuep, basetype[type].len);
- return 0;
-}
-
-int nftnl_strtoi(const char *string, int base, void *out, enum nftnl_type type)
-{
- int ret;
- int64_t sval = 0;
- uint64_t uval = -1;
- char *endptr;
-
- switch (type) {
- case NFTNL_TYPE_U8:
- case NFTNL_TYPE_U16:
- case NFTNL_TYPE_U32:
- case NFTNL_TYPE_U64:
- uval = strtoll(string, &endptr, base);
- ret = nftnl_get_value(type, &uval, out);
- break;
- case NFTNL_TYPE_S8:
- case NFTNL_TYPE_S16:
- case NFTNL_TYPE_S32:
- case NFTNL_TYPE_S64:
- sval = strtoull(string, &endptr, base);
- ret = nftnl_get_value(type, &sval, out);
- break;
- default:
- errno = EINVAL;
- return -1;
- }
-
- if (*endptr) {
- errno = EINVAL;
- return -1;
- }
-
- return ret;
-}
-
const char *nftnl_verdict2str(uint32_t verdict)
{
switch (verdict) {
@@ -209,28 +65,6 @@ const char *nftnl_verdict2str(uint32_t verdict)
}
}
-int nftnl_str2verdict(const char *verdict, int *verdict_num)
-{
- if (strcmp(verdict, "accept") == 0) {
- *verdict_num = NF_ACCEPT;
- return 0;
- } else if (strcmp(verdict, "drop") == 0) {
- *verdict_num = NF_DROP;
- return 0;
- } else if (strcmp(verdict, "return") == 0) {
- *verdict_num = NFT_RETURN;
- return 0;
- } else if (strcmp(verdict, "jump") == 0) {
- *verdict_num = NFT_JUMP;
- return 0;
- } else if (strcmp(verdict, "goto") == 0) {
- *verdict_num = NFT_GOTO;
- return 0;
- }
-
- return -1;
-}
-
enum nftnl_cmd_type nftnl_flag2cmd(uint32_t flags)
{
if (flags & NFTNL_OF_EVENT_NEW)
@@ -241,38 +75,6 @@ enum nftnl_cmd_type nftnl_flag2cmd(uint32_t flags)
return NFTNL_CMD_UNSPEC;
}
-static const char *cmd2tag[NFTNL_CMD_MAX] = {
- [NFTNL_CMD_ADD] = "add",
- [NFTNL_CMD_INSERT] = "insert",
- [NFTNL_CMD_DELETE] = "delete",
- [NFTNL_CMD_REPLACE] = "replace",
- [NFTNL_CMD_FLUSH] = "flush",
-};
-
-const char *nftnl_cmd2tag(enum nftnl_cmd_type cmd)
-{
- if (cmd >= NFTNL_CMD_MAX)
- return "unknown";
-
- return cmd2tag[cmd];
-}
-
-uint32_t nftnl_str2cmd(const char *cmd)
-{
- if (strcmp(cmd, "add") == 0)
- return NFTNL_CMD_ADD;
- else if (strcmp(cmd, "insert") == 0)
- return NFTNL_CMD_INSERT;
- else if (strcmp(cmd, "delete") == 0)
- return NFTNL_CMD_DELETE;
- else if (strcmp(cmd, "replace") == 0)
- return NFTNL_CMD_REPLACE;
- else if (strcmp(cmd, "flush") == 0)
- return NFTNL_CMD_FLUSH;
-
- return NFTNL_CMD_UNSPEC;
-}
-
int nftnl_fprintf(FILE *fp, const void *obj, uint32_t cmd, uint32_t type,
uint32_t flags,
int (*snprintf_cb)(char *buf, size_t bufsiz, const void *obj,
@@ -330,3 +132,17 @@ void __noreturn __abi_breakage(const char *file, int line, const char *reason)
"%s:%d reason: %s\n", file, line, reason);
exit(EXIT_FAILURE);
}
+
+int nftnl_set_str_attr(const char **dptr, uint32_t *flags,
+ uint16_t attr, const void *data, uint32_t data_len)
+{
+ if (*flags & (1 << attr))
+ xfree(*dptr);
+
+ *dptr = strndup(data, data_len);
+ if (!*dptr)
+ return -1;
+
+ *flags |= (1 << attr);
+ return 0;
+}
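Review bot: On the failure path at `if (!*dptr) return -1;` the old value has already been freed but, when the attribute was previously present, its flag bit is still set, so `*flags` reports a string attribute whose pointer is now NULL; a caller that trusts the flag and hands the value to strcmp or a `%s` format would dereference NULL. Clearing the bit keeps flag and pointer consistent: `if (!*dptr) { *flags &= ~(1 << attr); return -1; }`. Since attr is a small per-object enum value, `1U << attr` would also avoid the signed shift that is undefined at attr == 31. The function deserves a header comment stating that it replaces the string attribute `*dptr` of any nftnl object, copies at most data_len bytes of data (which therefore need not be NUL-terminated), marks attr as set, and returns -1 when the copy fails.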
diff --git a/tests/nft-chain-test.c b/tests/nft-chain-test.c
index d678d46..0d0544a 100644
--- a/tests/nft-chain-test.c
+++ b/tests/nft-chain-test.c
@@ -1,11 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2013 by Ana Rey Botello <anarey@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
@@ -23,9 +18,25 @@ static void print_err(const char *msg)
printf("\033[31mERROR:\e[0m %s\n", msg);
}
-static void cmp_nftnl_chain(struct nftnl_chain *a, struct nftnl_chain *b)
+static void cmp_devices(const char * const *adevs,
+ const char * const *bdevs)
{
+ int i;
+
+ if (!adevs && !bdevs)
+ return;
+ if (!!adevs ^ !!bdevs)
+ print_err("Chain devices mismatches");
+ for (i = 0; adevs[i] && bdevs[i]; i++) {
+ if (strcmp(adevs[i], bdevs[i]))
+ break;
+ }
+ if (adevs[i] || bdevs[i])
+ print_err("Chain devices mismatches");
+}
+static void cmp_nftnl_chain(struct nftnl_chain *a, struct nftnl_chain *b)
+{
if (strcmp(nftnl_chain_get_str(a, NFTNL_CHAIN_NAME),
nftnl_chain_get_str(b, NFTNL_CHAIN_NAME)) != 0)
print_err("Chain name mismatches");
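Review bot: In cmp_devices, when exactly one of adevs/bdevs is NULL the `!!adevs ^ !!bdevs` branch prints the mismatch but falls through into `for (i = 0; adevs[i] && bdevs[i]; i++)`, which indexes the NULL pointer. The branch has to stop there: `if (!!adevs ^ !!bdevs) { print_err("Chain devices mismatches"); return; }`. With that in place the final `if (adevs[i] || bdevs[i])` length check only ever runs with two valid arrays.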
@@ -59,13 +70,17 @@ static void cmp_nftnl_chain(struct nftnl_chain *a, struct nftnl_chain *b)
if (strcmp(nftnl_chain_get_str(a, NFTNL_CHAIN_TYPE),
nftnl_chain_get_str(b, NFTNL_CHAIN_TYPE)) != 0)
print_err("Chain type mismatches");
- if (strcmp(nftnl_chain_get_str(a, NFTNL_CHAIN_DEV),
+ if (nftnl_chain_is_set(a, NFTNL_CHAIN_DEV) &&
+ strcmp(nftnl_chain_get_str(a, NFTNL_CHAIN_DEV),
nftnl_chain_get_str(b, NFTNL_CHAIN_DEV)) != 0)
print_err("Chain device mismatches");
+ cmp_devices(nftnl_chain_get_array(a, NFTNL_CHAIN_DEVICES),
+ nftnl_chain_get_array(b, NFTNL_CHAIN_DEVICES));
}
int main(int argc, char *argv[])
{
+ const char *devs[] = { "eth0", "eth1", "eth2", NULL };
struct nftnl_chain *a, *b;
char buf[4096];
struct nlmsghdr *nlh;
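Review bot: The device check in cmp_nftnl_chain is now one-sided: it only runs when a has NFTNL_CHAIN_DEV set, so a parse that sets the attribute on b without it being in a goes unnoticed, and when a has it but b does not, nftnl_chain_get_str(b, NFTNL_CHAIN_DEV) presumably returns NULL and strcmp dereferences it. Comparing the set-state first covers both cases: `if (nftnl_chain_is_set(a, NFTNL_CHAIN_DEV) != nftnl_chain_is_set(b, NFTNL_CHAIN_DEV)) print_err("Chain device mismatches");` ahead of the strcmp, with the existing strcmp turned into an `else if`. cmp_nftnl_chain starts before this hunk.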
@@ -89,8 +104,20 @@ int main(int argc, char *argv[])
nftnl_chain_set_str(a, NFTNL_CHAIN_DEV, "eth0");
/* cmd extracted from include/linux/netfilter/nf_tables.h */
- nlh = nftnl_chain_nlmsg_build_hdr(buf, NFT_MSG_NEWCHAIN, AF_INET,
- 0, 1234);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_NEWCHAIN, AF_INET, 0, 1234);
+ nftnl_chain_nlmsg_build_payload(nlh, a);
+
+ if (nftnl_chain_nlmsg_parse(nlh, b) < 0)
+ print_err("parsing problems");
+
+ cmp_nftnl_chain(a, b);
+
+ /* repeat test with multiple devices */
+
+ nftnl_chain_unset(a, NFTNL_CHAIN_DEV);
+ nftnl_chain_set_array(a, NFTNL_CHAIN_DEVICES, devs);
+
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_NEWCHAIN, AF_INET, 0, 1234);
nftnl_chain_nlmsg_build_payload(nlh, a);
if (nftnl_chain_nlmsg_parse(nlh, b) < 0)
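Review bot: The second round reuses b without clearing it, so after `nftnl_chain_unset(a, NFTNL_CHAIN_DEV)` the stale "eth0" from the first parse is still set on b; cmp_nftnl_chain happens not to look at it because a no longer has the attribute, which means a parser bug that leaves or adds NFTNL_CHAIN_DEV on b would go undetected. Either unset it on b as well, `nftnl_chain_unset(b, NFTNL_CHAIN_DEV);`, or parse into a freshly allocated chain. The return value of `nftnl_chain_set_array(a, NFTNL_CHAIN_DEVICES, devs)` is also ignored; if the copy failed, the multi-device round could compare two empty arrays and pass without testing anything. main continues outside the hunk.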
diff --git a/tests/nft-expr_bitwise-test.c b/tests/nft-expr_bitwise-test.c
index f134728..784619e 100644
--- a/tests/nft-expr_bitwise-test.c
+++ b/tests/nft-expr_bitwise-test.c
@@ -1,11 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2013 by Ana Rey Botello <anarey@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
@@ -27,81 +22,35 @@ static void print_err(const char *test, const char *msg)
printf("\033[31mERROR:\e[0m [%s] %s\n", test, msg);
}
-static void cmp_nftnl_expr_bool(struct nftnl_expr *rule_a,
- struct nftnl_expr *rule_b)
+static void cmp_nftnl_expr_mask_xor(struct nftnl_expr *rule_a,
+ struct nftnl_expr *rule_b)
{
uint32_t maska, maskb;
uint32_t xora, xorb;
if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_DREG) !=
nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_DREG))
- print_err("bool", "Expr BITWISE_DREG mismatches");
+ print_err("mask & xor", "Expr BITWISE_DREG mismatches");
if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_SREG) !=
nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_SREG))
- print_err("bool", "Expr BITWISE_SREG mismatches");
+ print_err("mask & xor", "Expr BITWISE_SREG mismatches");
if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_OP) !=
nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_OP))
- print_err("bool", "Expr BITWISE_OP mismatches");
+ print_err("mask & xor", "Expr BITWISE_OP mismatches");
if (nftnl_expr_get_u16(rule_a, NFTNL_EXPR_BITWISE_LEN) !=
nftnl_expr_get_u16(rule_b, NFTNL_EXPR_BITWISE_LEN))
- print_err("bool", "Expr BITWISE_LEN mismatches");
+ print_err("mask & xor", "Expr BITWISE_LEN mismatches");
nftnl_expr_get(rule_a, NFTNL_EXPR_BITWISE_MASK, &maska);
nftnl_expr_get(rule_b, NFTNL_EXPR_BITWISE_MASK, &maskb);
if (maska != maskb)
- print_err("bool", "Size of BITWISE_MASK mismatches");
+ print_err("mask & xor", "Size of BITWISE_MASK mismatches");
nftnl_expr_get(rule_a, NFTNL_EXPR_BITWISE_XOR, &xora);
nftnl_expr_get(rule_b, NFTNL_EXPR_BITWISE_XOR, &xorb);
if (xora != xorb)
- print_err("bool", "Size of BITWISE_XOR mismatches");
+ print_err("mask & xor", "Size of BITWISE_XOR mismatches");
}
-static void cmp_nftnl_expr_lshift(struct nftnl_expr *rule_a,
- struct nftnl_expr *rule_b)
-{
- uint32_t data_a, data_b;
-
- if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_DREG) !=
- nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_DREG))
- print_err("lshift", "Expr BITWISE_DREG mismatches");
- if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_SREG) !=
- nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_SREG))
- print_err("lshift", "Expr BITWISE_SREG mismatches");
- if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_OP) !=
- nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_OP))
- print_err("lshift", "Expr BITWISE_OP mismatches");
- if (nftnl_expr_get_u16(rule_a, NFTNL_EXPR_BITWISE_LEN) !=
- nftnl_expr_get_u16(rule_b, NFTNL_EXPR_BITWISE_LEN))
- print_err("lshift", "Expr BITWISE_LEN mismatches");
- nftnl_expr_get(rule_a, NFTNL_EXPR_BITWISE_DATA, &data_a);
- nftnl_expr_get(rule_b, NFTNL_EXPR_BITWISE_DATA, &data_b);
- if (data_a != data_b)
- print_err("lshift", "Expr BITWISE_DATA mismatches");
-}
-
-static void cmp_nftnl_expr_rshift(struct nftnl_expr *rule_a,
- struct nftnl_expr *rule_b)
-{
- uint32_t data_a, data_b;
-
- if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_DREG) !=
- nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_DREG))
- print_err("rshift", "Expr BITWISE_DREG mismatches");
- if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_SREG) !=
- nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_SREG))
- print_err("rshift", "Expr BITWISE_SREG mismatches");
- if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_OP) !=
- nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_OP))
- print_err("rshift", "Expr BITWISE_OP mismatches");
- if (nftnl_expr_get_u16(rule_a, NFTNL_EXPR_BITWISE_LEN) !=
- nftnl_expr_get_u16(rule_b, NFTNL_EXPR_BITWISE_LEN))
- print_err("rshift", "Expr BITWISE_LEN mismatches");
- nftnl_expr_get(rule_a, NFTNL_EXPR_BITWISE_DATA, &data_a);
- nftnl_expr_get(rule_b, NFTNL_EXPR_BITWISE_DATA, &data_b);
- if (data_a != data_b)
- print_err("rshift", "Expr BITWISE_DATA mismatches");
-}
-
-static void test_bool(void)
+static void test_mask_xor(void)
{
struct nftnl_rule *a, *b = NULL;
struct nftnl_expr *ex = NULL;
@@ -115,10 +64,10 @@ static void test_bool(void)
a = nftnl_rule_alloc();
b = nftnl_rule_alloc();
if (a == NULL || b == NULL)
- print_err("bool", "OOM");
+ print_err("mask & xor", "OOM");
ex = nftnl_expr_alloc("bitwise");
if (ex == NULL)
- print_err("bool", "OOM");
+ print_err("mask & xor", "OOM");
nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_SREG, 0x12345678);
nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_DREG, 0x78123456);
@@ -129,111 +78,170 @@ static void test_bool(void)
nftnl_rule_add_expr(a, ex);
- nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
nftnl_rule_nlmsg_build_payload(nlh, a);
if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
- print_err("bool", "parsing problems");
+ print_err("mask & xor", "parsing problems");
iter_a = nftnl_expr_iter_create(a);
iter_b = nftnl_expr_iter_create(b);
if (iter_a == NULL || iter_b == NULL)
- print_err("bool", "OOM");
+ print_err("mask & xor", "OOM");
rule_a = nftnl_expr_iter_next(iter_a);
rule_b = nftnl_expr_iter_next(iter_b);
if (rule_a == NULL || rule_b == NULL)
- print_err("bool", "OOM");
+ print_err("mask & xor", "OOM");
if (nftnl_expr_iter_next(iter_a) != NULL ||
nftnl_expr_iter_next(iter_b) != NULL)
- print_err("bool", "More 1 expr.");
+ print_err("mask & xor", "More 1 expr.");
nftnl_expr_iter_destroy(iter_a);
nftnl_expr_iter_destroy(iter_b);
- cmp_nftnl_expr_bool(rule_a,rule_b);
+ cmp_nftnl_expr_mask_xor(rule_a,rule_b);
nftnl_rule_free(a);
nftnl_rule_free(b);
}
-static void test_lshift(void)
+static void cmp_nftnl_expr_shift(const char *opname,
+ const struct nftnl_expr *rule_a,
+ const struct nftnl_expr *rule_b)
{
- struct nftnl_rule *a, *b = NULL;
- struct nftnl_expr *ex = NULL;
+ uint32_t data_a, data_b;
+
+ if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_DREG) !=
+ nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_DREG))
+ print_err(opname, "Expr BITWISE_DREG mismatches");
+ if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_SREG) !=
+ nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_SREG))
+ print_err(opname, "Expr BITWISE_SREG mismatches");
+ if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_OP) !=
+ nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_OP))
+ print_err(opname, "Expr BITWISE_OP mismatches");
+ if (nftnl_expr_get_u16(rule_a, NFTNL_EXPR_BITWISE_LEN) !=
+ nftnl_expr_get_u16(rule_b, NFTNL_EXPR_BITWISE_LEN))
+ print_err(opname, "Expr BITWISE_LEN mismatches");
+ nftnl_expr_get(rule_a, NFTNL_EXPR_BITWISE_DATA, &data_a);
+ nftnl_expr_get(rule_b, NFTNL_EXPR_BITWISE_DATA, &data_b);
+ if (data_a != data_b)
+ print_err(opname, "Expr BITWISE_DATA mismatches");
+}
+
+static void test_shift(enum nft_bitwise_ops op)
+{
+ struct nftnl_rule *a, *b;
+ struct nftnl_expr *ex;
struct nlmsghdr *nlh;
char buf[4096];
- struct nftnl_expr_iter *iter_a, *iter_b = NULL;
- struct nftnl_expr *rule_a, *rule_b = NULL;
+ struct nftnl_expr_iter *iter_a, *iter_b;
+ struct nftnl_expr *rule_a, *rule_b;
+ const char *opname = op == NFT_BITWISE_LSHIFT ? "lshift" : "rshift";
a = nftnl_rule_alloc();
b = nftnl_rule_alloc();
if (a == NULL || b == NULL)
- print_err("lshift", "OOM");
+ print_err(opname, "OOM");
ex = nftnl_expr_alloc("bitwise");
if (ex == NULL)
- print_err("lshift", "OOM");
+ print_err(opname, "OOM");
nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_SREG, 0x12345678);
nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_DREG, 0x78123456);
- nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_OP, NFT_BITWISE_LSHIFT);
+ nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_OP, op);
nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_LEN, 0x56781234);
nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_DATA, 13);
nftnl_rule_add_expr(a, ex);
- nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
nftnl_rule_nlmsg_build_payload(nlh, a);
if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
- print_err("lshift", "parsing problems");
+ print_err(opname, "parsing problems");
iter_a = nftnl_expr_iter_create(a);
iter_b = nftnl_expr_iter_create(b);
if (iter_a == NULL || iter_b == NULL)
- print_err("lshift", "OOM");
+ print_err(opname, "OOM");
rule_a = nftnl_expr_iter_next(iter_a);
rule_b = nftnl_expr_iter_next(iter_b);
if (rule_a == NULL || rule_b == NULL)
- print_err("lshift", "OOM");
+ print_err(opname, "OOM");
if (nftnl_expr_iter_next(iter_a) != NULL ||
nftnl_expr_iter_next(iter_b) != NULL)
- print_err("lshift", "More 1 expr.");
+ print_err(opname, "More 1 expr.");
nftnl_expr_iter_destroy(iter_a);
nftnl_expr_iter_destroy(iter_b);
- cmp_nftnl_expr_lshift(rule_a,rule_b);
+ cmp_nftnl_expr_shift(opname, rule_a, rule_b);
nftnl_rule_free(a);
nftnl_rule_free(b);
}
+static void test_lshift(void)
+{
+ test_shift(NFT_BITWISE_LSHIFT);
+}
+
static void test_rshift(void)
{
- struct nftnl_rule *a, *b = NULL;
- struct nftnl_expr *ex = NULL;
+ test_shift(NFT_BITWISE_RSHIFT);
+}
+
+static void cmp_nftnl_expr_bool(const char *opname,
+ const struct nftnl_expr *rule_a,
+ const struct nftnl_expr *rule_b)
+{
+ if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_DREG) !=
+ nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_DREG))
+ print_err(opname, "Expr BITWISE_DREG mismatches");
+ if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_SREG) !=
+ nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_SREG))
+ print_err(opname, "Expr BITWISE_SREG mismatches");
+ if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_SREG2) !=
+ nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_SREG2))
+ print_err(opname, "Expr BITWISE_SREG2 mismatches");
+ if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_BITWISE_OP) !=
+ nftnl_expr_get_u32(rule_b, NFTNL_EXPR_BITWISE_OP))
+ print_err(opname, "Expr BITWISE_OP mismatches");
+ if (nftnl_expr_get_u16(rule_a, NFTNL_EXPR_BITWISE_LEN) !=
+ nftnl_expr_get_u16(rule_b, NFTNL_EXPR_BITWISE_LEN))
+ print_err(opname, "Expr BITWISE_LEN mismatches");
+}
+
+static void test_bool(enum nft_bitwise_ops op)
+{
+ struct nftnl_rule *a, *b;
+ struct nftnl_expr *ex;
struct nlmsghdr *nlh;
char buf[4096];
- struct nftnl_expr_iter *iter_a, *iter_b = NULL;
- struct nftnl_expr *rule_a, *rule_b = NULL;
+ struct nftnl_expr_iter *iter_a, *iter_b;
+ struct nftnl_expr *rule_a, *rule_b;
+ const char *opname =
+ op == NFT_BITWISE_AND ? "and" :
+ op == NFT_BITWISE_OR ? "or" : "xor";
a = nftnl_rule_alloc();
b = nftnl_rule_alloc();
if (a == NULL || b == NULL)
- print_err("rshift", "OOM");
+ print_err(opname, "OOM");
ex = nftnl_expr_alloc("bitwise");
if (ex == NULL)
- print_err("rshift", "OOM");
+ print_err(opname, "OOM");
nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_SREG, 0x12345678);
+ nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_SREG2, 0x90abcdef);
nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_DREG, 0x78123456);
- nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_OP, NFT_BITWISE_RSHIFT);
+ nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_OP, op);
nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_LEN, 0x56781234);
- nftnl_expr_set_u32(ex, NFTNL_EXPR_BITWISE_DATA, 17);
nftnl_rule_add_expr(a, ex);
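Review bot: cmp_nftnl_expr_shift and cmp_nftnl_expr_bool repeat the DREG/SREG/OP/LEN comparisons that cmp_nftnl_expr_mask_xor already carries, so a new register field has to be added in three places; a shared `cmp_nftnl_expr_common(opname, rule_a, rule_b)` for those four, with each variant adding only its DATA, MASK/XOR or SREG2 check, would keep them in step. The opname ternaries label any op other than NFT_BITWISE_LSHIFT as "rshift" and any op other than AND/OR as "xor", so a mistaken call would produce misleading failure output; falling back to "unknown" is safer. After `print_err(opname, "OOM")` both new test functions continue with NULL handles, as the old ones did; an early `return` there turns a crash into the reported failure that main checks through test_ok. test_bool continues in the next hunk.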
@@ -241,34 +249,49 @@ static void test_rshift(void)
nftnl_rule_nlmsg_build_payload(nlh, a);
if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
- print_err("rshift", "parsing problems");
+ print_err(opname, "parsing problems");
iter_a = nftnl_expr_iter_create(a);
iter_b = nftnl_expr_iter_create(b);
if (iter_a == NULL || iter_b == NULL)
- print_err("rshift", "OOM");
+ print_err(opname, "OOM");
rule_a = nftnl_expr_iter_next(iter_a);
rule_b = nftnl_expr_iter_next(iter_b);
if (rule_a == NULL || rule_b == NULL)
- print_err("rshift", "OOM");
+ print_err(opname, "OOM");
if (nftnl_expr_iter_next(iter_a) != NULL ||
nftnl_expr_iter_next(iter_b) != NULL)
- print_err("rshift", "More 1 expr.");
+ print_err(opname, "More 1 expr.");
nftnl_expr_iter_destroy(iter_a);
nftnl_expr_iter_destroy(iter_b);
- cmp_nftnl_expr_rshift(rule_a,rule_b);
+ cmp_nftnl_expr_bool(opname, rule_a, rule_b);
nftnl_rule_free(a);
nftnl_rule_free(b);
}
+static void test_and(void)
+{
+ test_bool(NFT_BITWISE_AND);
+}
+
+static void test_or(void)
+{
+ test_bool(NFT_BITWISE_OR);
+}
+
+static void test_xor(void)
+{
+ test_bool(NFT_BITWISE_XOR);
+}
+
int main(int argc, char *argv[])
{
- test_bool();
+ test_mask_xor();
if (!test_ok)
exit(EXIT_FAILURE);
@@ -280,6 +303,18 @@ int main(int argc, char *argv[])
if (!test_ok)
exit(EXIT_FAILURE);
+ test_and();
+ if (!test_ok)
+ exit(EXIT_FAILURE);
+
+ test_or();
+ if (!test_ok)
+ exit(EXIT_FAILURE);
+
+ test_xor();
+ if (!test_ok)
+ exit(EXIT_FAILURE);
+
printf("%s: \033[32mOK\e[0m\n", argv[0]);
return EXIT_SUCCESS;
}
diff --git a/tests/nft-expr_byteorder-test.c b/tests/nft-expr_byteorder-test.c
index 5994e5b..dfd6973 100644
--- a/tests/nft-expr_byteorder-test.c
+++ b/tests/nft-expr_byteorder-test.c
@@ -1,11 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2013 by Ana Rey Botello <anarey@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
@@ -72,7 +67,7 @@ int main(int argc, char *argv[])
nftnl_rule_add_expr(a, ex);
- nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
nftnl_rule_nlmsg_build_payload(nlh, a);
if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
diff --git a/tests/nft-expr_cmp-test.c b/tests/nft-expr_cmp-test.c
index ec00bb9..e5f5c9b 100644
--- a/tests/nft-expr_cmp-test.c
+++ b/tests/nft-expr_cmp-test.c
@@ -1,11 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2013 by Ana Rey Botello <anarey@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
@@ -68,7 +63,7 @@ int main(int argc, char *argv[])
nftnl_rule_add_expr(a, ex);
- nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
nftnl_rule_nlmsg_build_payload(nlh, a);
if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
diff --git a/tests/nft-expr_counter-test.c b/tests/nft-expr_counter-test.c
index 519bc1f..b9b5501 100644
--- a/tests/nft-expr_counter-test.c
+++ b/tests/nft-expr_counter-test.c
@@ -1,11 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2013 by Ana Rey Botello <anarey@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
@@ -60,7 +55,7 @@ int main(int argc, char *argv[])
nftnl_expr_set_u64(ex, NFTNL_EXPR_CTR_PACKETS, 0xf0123456789abcde);
nftnl_rule_add_expr(a, ex);
- nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
nftnl_rule_nlmsg_build_payload(nlh, a);
if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
diff --git a/tests/nft-expr_ct-test.c b/tests/nft-expr_ct-test.c
index e98fbab..b6b192e 100644
--- a/tests/nft-expr_ct-test.c
+++ b/tests/nft-expr_ct-test.c
@@ -1,11 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2013 by Ana Rey Botello <anarey@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
@@ -62,7 +57,7 @@ int main(int argc, char *argv[])
nftnl_rule_add_expr(a, ex);
- nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
nftnl_rule_nlmsg_build_payload(nlh, a);
if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
diff --git a/tests/nft-expr_dup-test.c b/tests/nft-expr_dup-test.c
index 3c37d4a..1865d49 100644
--- a/tests/nft-expr_dup-test.c
+++ b/tests/nft-expr_dup-test.c
@@ -1,11 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2013 by Ana Rey Botello <anarey@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
@@ -59,7 +54,7 @@ int main(int argc, char *argv[])
nftnl_rule_add_expr(a, ex);
- nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
nftnl_rule_nlmsg_build_payload(nlh, a);
if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
diff --git a/tests/nft-expr_exthdr-test.c b/tests/nft-expr_exthdr-test.c
index fef2dd0..514eebe 100644
--- a/tests/nft-expr_exthdr-test.c
+++ b/tests/nft-expr_exthdr-test.c
@@ -1,11 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2013 by Ana Rey Botello <anarey@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
@@ -68,7 +63,7 @@ int main(int argc, char *argv[])
nftnl_rule_add_expr(a, ex);
- nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
nftnl_rule_nlmsg_build_payload(nlh, a);
if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
print_err("parsing problems");
diff --git a/tests/nft-expr_fwd-test.c b/tests/nft-expr_fwd-test.c
index 4fdf53d..a52caa9 100644
--- a/tests/nft-expr_fwd-test.c
+++ b/tests/nft-expr_fwd-test.c
@@ -1,11 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2013 by Ana Rey Botello <anarey@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
@@ -55,7 +50,7 @@ int main(int argc, char *argv[])
nftnl_rule_add_expr(a, ex);
- nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
nftnl_rule_nlmsg_build_payload(nlh, a);
if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
diff --git a/tests/nft-expr_hash-test.c b/tests/nft-expr_hash-test.c
index 7be6e9e..e2e59e9 100644
--- a/tests/nft-expr_hash-test.c
+++ b/tests/nft-expr_hash-test.c
@@ -1,11 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2016 by Laura Garcia <nevola@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
@@ -76,7 +71,7 @@ int main(int argc, char *argv[])
nftnl_rule_add_expr(a, ex);
- nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
nftnl_rule_nlmsg_build_payload(nlh, a);
if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
print_err("parsing problems");
diff --git a/tests/nft-expr_immediate-test.c b/tests/nft-expr_immediate-test.c
index c25eedb..e054c23 100644
--- a/tests/nft-expr_immediate-test.c
+++ b/tests/nft-expr_immediate-test.c
@@ -1,11 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2013 by Ana Rey Botello <anarey@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
@@ -93,7 +88,7 @@ int main(int argc, char *argv[])
nftnl_rule_add_expr(a, ex_val);
nftnl_rule_add_expr(a, ex_ver);
- nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
nftnl_rule_nlmsg_build_payload(nlh, a);
if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
diff --git a/tests/nft-expr_limit-test.c b/tests/nft-expr_limit-test.c
index 2838941..4347f9c 100644
--- a/tests/nft-expr_limit-test.c
+++ b/tests/nft-expr_limit-test.c
@@ -1,11 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2013 by Ana Rey Botello <anarey@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
@@ -73,7 +68,7 @@ int main(int argc, char *argv[])
nftnl_rule_add_expr(a, ex);
- nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
nftnl_rule_nlmsg_build_payload(nlh, a);
if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
diff --git a/tests/nft-expr_log-test.c b/tests/nft-expr_log-test.c
index b7aa302..2fc5ad6 100644
--- a/tests/nft-expr_log-test.c
+++ b/tests/nft-expr_log-test.c
@@ -1,11 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2013 by Ana Rey Botello <anarey@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
@@ -68,7 +63,7 @@ int main(int argc, char *argv[])
nftnl_rule_add_expr(a, ex);
- nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
nftnl_rule_nlmsg_build_payload(nlh, a);
if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
print_err("parsing problems");
diff --git a/tests/nft-expr_lookup-test.c b/tests/nft-expr_lookup-test.c
index 9e6e051..de84ea8 100644
--- a/tests/nft-expr_lookup-test.c
+++ b/tests/nft-expr_lookup-test.c
@@ -1,11 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2013 by Ana Rey Botello <anarey@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
@@ -76,7 +71,7 @@ int main(int argc, char *argv[])
nftnl_rule_add_expr(a, ex);
- nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
nftnl_rule_nlmsg_build_payload(nlh, a);
if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
diff --git a/tests/nft-expr_masq-test.c b/tests/nft-expr_masq-test.c
index 3f9903d..1705dc0 100644
--- a/tests/nft-expr_masq-test.c
+++ b/tests/nft-expr_masq-test.c
@@ -1,11 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2013 by Ana Rey Botello <anarey@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
@@ -62,7 +57,7 @@ int main(int argc, char *argv[])
nftnl_rule_add_expr(a, ex);
- nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
nftnl_rule_nlmsg_build_payload(nlh, a);
if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
diff --git a/tests/nft-expr_match-test.c b/tests/nft-expr_match-test.c
index 39a49d8..bc9f6ac 100644
--- a/tests/nft-expr_match-test.c
+++ b/tests/nft-expr_match-test.c
@@ -1,11 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2013 by Ana Rey Botello <anarey@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
@@ -59,7 +54,7 @@ int main(int argc, char *argv[])
char buf[4096];
struct nftnl_expr_iter *iter_a, *iter_b;
struct nftnl_expr *rule_a, *rule_b;
- char data[16] = "0123456789abcdef";
+ char data[] = "0123456789abcdef";
a = nftnl_rule_alloc();
b = nftnl_rule_alloc();
@@ -74,7 +69,7 @@ int main(int argc, char *argv[])
nftnl_expr_set(ex, NFTNL_EXPR_MT_INFO, strdup(data), sizeof(data));
nftnl_rule_add_expr(a, ex);
- nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
nftnl_rule_nlmsg_build_payload(nlh, a);
if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
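Review bot: With `char data[]` the array is 17 bytes including the terminator, so the `sizeof(data)` handed to nftnl_expr_set on the line above grows from 16 to 17; if only the 16 payload bytes are meant, pass `sizeof(data) - 1`, otherwise a short comment such as `/* info length deliberately includes the NUL */` would settle the question. The previous `char data[16]` held no terminator, so `strdup(data)` read past the array; the new declaration fixes that. The strdup'd pointer is not retained anywhere, so if nftnl_expr_set copies the info bytes itself (it takes an explicit length, so presumably it does) the duplicate leaks; passing `data` directly would avoid it. The identical change in tests/nft-expr_target-test.c has the same questions. main begins outside the hunk.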
diff --git a/tests/nft-expr_meta-test.c b/tests/nft-expr_meta-test.c
index 8fb7873..43c665f 100644
--- a/tests/nft-expr_meta-test.c
+++ b/tests/nft-expr_meta-test.c
@@ -1,11 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2013 by Ana Rey Botello <anarey@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
@@ -60,7 +55,7 @@ int main(int argc, char *argv[])
nftnl_rule_add_expr(a, ex);
- nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
nftnl_rule_nlmsg_build_payload(nlh, a);
if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
print_err("parsing problems");
diff --git a/tests/nft-expr_nat-test.c b/tests/nft-expr_nat-test.c
index fd3a488..983e1af 100644
--- a/tests/nft-expr_nat-test.c
+++ b/tests/nft-expr_nat-test.c
@@ -1,11 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2013 by Ana Rey Botello <anarey@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
@@ -81,7 +76,7 @@ int main(int argc, char *argv[])
nftnl_rule_add_expr(a, ex);
- nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
nftnl_rule_nlmsg_build_payload(nlh, a);
if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
diff --git a/tests/nft-expr_numgen-test.c b/tests/nft-expr_numgen-test.c
index 0d0a3bb..666043e 100644
--- a/tests/nft-expr_numgen-test.c
+++ b/tests/nft-expr_numgen-test.c
@@ -1,11 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2016 by Laura Garcia <nevola@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
@@ -68,7 +63,7 @@ int main(int argc, char *argv[])
nftnl_rule_add_expr(a, ex);
- nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
nftnl_rule_nlmsg_build_payload(nlh, a);
if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
print_err("parsing problems");
diff --git a/tests/nft-expr_objref-test.c b/tests/nft-expr_objref-test.c
index 08e27ce..36c869e 100644
--- a/tests/nft-expr_objref-test.c
+++ b/tests/nft-expr_objref-test.c
@@ -1,11 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2013 by Ana Rey Botello <anarey@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
@@ -52,7 +47,7 @@ int main(int argc, char *argv[])
b = nftnl_rule_alloc();
if (a == NULL || b == NULL)
print_err("OOM");
- ex = nftnl_expr_alloc("lookup");
+ ex = nftnl_expr_alloc("objref");
if (ex == NULL)
print_err("OOM");
diff --git a/tests/nft-expr_payload-test.c b/tests/nft-expr_payload-test.c
index 371372c..8c41bab 100644
--- a/tests/nft-expr_payload-test.c
+++ b/tests/nft-expr_payload-test.c
@@ -1,11 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2013 by Ana Rey Botello <anarey@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
@@ -69,7 +64,7 @@ int main(int argc, char *argv[])
nftnl_rule_add_expr(a, ex);
- nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
nftnl_rule_nlmsg_build_payload(nlh, a);
if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
print_err("parsing problems");
diff --git a/tests/nft-expr_queue-test.c b/tests/nft-expr_queue-test.c
index 81d7dd2..b114cea 100644
--- a/tests/nft-expr_queue-test.c
+++ b/tests/nft-expr_queue-test.c
@@ -1,13 +1,8 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2013 by Eric Leblond <eric@regit.org>
*
* Based on test framework by Ana Rey Botello <anarey@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
@@ -67,7 +62,7 @@ int main(int argc, char *argv[])
nftnl_rule_add_expr(a, ex);
- nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
nftnl_rule_nlmsg_build_payload(nlh, a);
if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
diff --git a/tests/nft-expr_quota-test.c b/tests/nft-expr_quota-test.c
index 2320551..193afc8 100644
--- a/tests/nft-expr_quota-test.c
+++ b/tests/nft-expr_quota-test.c
@@ -1,11 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2016 by Pablo Neira Ayuso <pablo@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
@@ -59,7 +54,7 @@ int main(int argc, char *argv[])
nftnl_expr_set_u32(ex, NFTNL_EXPR_QUOTA_FLAGS, 0x12345678);
nftnl_rule_add_expr(a, ex);
- nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
nftnl_rule_nlmsg_build_payload(nlh, a);
if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
diff --git a/tests/nft-expr_range-test.c b/tests/nft-expr_range-test.c
index b92dfc0..c441a2e 100644
--- a/tests/nft-expr_range-test.c
+++ b/tests/nft-expr_range-test.c
@@ -1,11 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2013 by Ana Rey Botello <anarey@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
@@ -75,7 +70,7 @@ int main(int argc, char *argv[])
nftnl_rule_add_expr(a, ex);
- nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
nftnl_rule_nlmsg_build_payload(nlh, a);
if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
diff --git a/tests/nft-expr_redir-test.c b/tests/nft-expr_redir-test.c
index 6c8caec..d2de222 100644
--- a/tests/nft-expr_redir-test.c
+++ b/tests/nft-expr_redir-test.c
@@ -1,11 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2013 by Ana Rey Botello <anarey@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
@@ -62,7 +57,7 @@ int main(int argc, char *argv[])
nftnl_rule_add_expr(a, ex);
- nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
nftnl_rule_nlmsg_build_payload(nlh, a);
if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
diff --git a/tests/nft-expr_reject-test.c b/tests/nft-expr_reject-test.c
index d8189ea..cadd322 100644
--- a/tests/nft-expr_reject-test.c
+++ b/tests/nft-expr_reject-test.c
@@ -1,11 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2013 by Ana Rey Botello <anarey@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
@@ -61,7 +56,7 @@ int main(int argc, char *argv[])
nftnl_rule_add_expr(a, ex);
- nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
nftnl_rule_nlmsg_build_payload(nlh, a);
if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
diff --git a/tests/nft-expr_target-test.c b/tests/nft-expr_target-test.c
index ba56b27..a483e7a 100644
--- a/tests/nft-expr_target-test.c
+++ b/tests/nft-expr_target-test.c
@@ -1,11 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2013 by Ana Rey Botello <anarey@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
@@ -58,7 +53,7 @@ int main(int argc, char *argv[])
char buf[4096];
struct nftnl_expr_iter *iter_a, *iter_b;
struct nftnl_expr *rule_a, *rule_b;
- char data[16] = "0123456789abcdef";
+ char data[] = "0123456789abcdef";
a = nftnl_rule_alloc();
b = nftnl_rule_alloc();
@@ -74,7 +69,7 @@ int main(int argc, char *argv[])
nftnl_expr_set(ex, NFTNL_EXPR_TG_INFO, strdup(data), sizeof(data));
nftnl_rule_add_expr(a, ex);
- nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
nftnl_rule_nlmsg_build_payload(nlh, a);
if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
diff --git a/tests/nft-flowtable-test.c b/tests/nft-flowtable-test.c
index 8ab8d4c..49bc0a1 100644
--- a/tests/nft-flowtable-test.c
+++ b/tests/nft-flowtable-test.c
@@ -13,6 +13,23 @@ static void print_err(const char *msg)
printf("\033[31mERROR:\e[0m %s\n", msg);
}
+static void cmp_devices(const char * const *adevs,
+ const char * const *bdevs)
+{
+ int i;
+
+ if (!adevs && !bdevs)
+ return;
+ if (!!adevs ^ !!bdevs)
+ print_err("Flowtable devices mismatches");
+ for (i = 0; adevs[i] && bdevs[i]; i++) {
+ if (strcmp(adevs[i], bdevs[i]))
+ break;
+ }
+ if (adevs[i] || bdevs[i])
+ print_err("Flowtable devices mismatches");
+}
+
static void cmp_nftnl_flowtable(struct nftnl_flowtable *a, struct nftnl_flowtable *b)
{
if (strcmp(nftnl_flowtable_get_str(a, NFTNL_FLOWTABLE_NAME),
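Review bot: cmp_devices dereferences both adevs[i] and bdevs[i] in the for loop even when exactly one of them is NULL, because the `!!adevs ^ !!bdevs` branch reports the mismatch and then falls through; print_err looks like it only prints (the tail of its body is visible at the top of the hunk), so this is a null dereference rather than an abort. Make it `if (!!adevs ^ !!bdevs) { print_err("Flowtable devices mismatches"); return; }`. A one-line comment on the helper, e.g. `/* Compare two NULL-terminated device-name arrays; either may be NULL. */`, would document the contract that the early returns rely on.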
@@ -44,10 +61,13 @@ static void cmp_nftnl_flowtable(struct nftnl_flowtable *a, struct nftnl_flowtabl
if (nftnl_flowtable_get_u64(a, NFTNL_FLOWTABLE_HANDLE) !=
nftnl_flowtable_get_u64(b, NFTNL_FLOWTABLE_HANDLE))
print_err("Flowtable handle mismatches");
+ cmp_devices(nftnl_flowtable_get_array(a, NFTNL_FLOWTABLE_DEVICES),
+ nftnl_flowtable_get_array(b, NFTNL_FLOWTABLE_DEVICES));
}
int main(int argc, char *argv[])
{
+ const char *devs[] = { "eth0", "eth1", "eth2", NULL };
struct nftnl_flowtable *a, *b;
char buf[4096];
struct nlmsghdr *nlh;
@@ -66,6 +86,7 @@ int main(int argc, char *argv[])
nftnl_flowtable_set_u32(a, NFTNL_FLOWTABLE_SIZE, 0x89016745);
nftnl_flowtable_set_u32(a, NFTNL_FLOWTABLE_FLAGS, 0x45016723);
nftnl_flowtable_set_u64(a, NFTNL_FLOWTABLE_HANDLE, 0x2345016789);
+ nftnl_flowtable_set_array(a, NFTNL_FLOWTABLE_DEVICES, devs);
nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_NEWFLOWTABLE, AF_INET,
0, 1234);
diff --git a/tests/nft-object-test.c b/tests/nft-object-test.c
index d2ca444..77300e6 100644
--- a/tests/nft-object-test.c
+++ b/tests/nft-object-test.c
@@ -1,11 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2013 by Ana Rey Botello <anarey@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
diff --git a/tests/nft-rule-test.c b/tests/nft-rule-test.c
index dee3530..d865d26 100644
--- a/tests/nft-rule-test.c
+++ b/tests/nft-rule-test.c
@@ -1,11 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2013 by Ana Rey Botello <anarey@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
@@ -48,6 +43,12 @@ static void cmp_nftnl_rule(struct nftnl_rule *a, struct nftnl_rule *b)
if (nftnl_rule_get_u32(a, NFTNL_RULE_COMPAT_FLAGS) !=
nftnl_rule_get_u32(b, NFTNL_RULE_COMPAT_FLAGS))
print_err("Rule compat_flags mismatches");
+ if (nftnl_rule_get_u32(a, NFTNL_RULE_ID) !=
+ nftnl_rule_get_u32(b, NFTNL_RULE_ID))
+ print_err("Rule id mismatches");
+ if (nftnl_rule_get_u32(a, NFTNL_RULE_POSITION_ID) !=
+ nftnl_rule_get_u32(b, NFTNL_RULE_POSITION_ID))
+ print_err("Rule position_id mismatches");
if (nftnl_rule_get_u64(a, NFTNL_RULE_POSITION) !=
nftnl_rule_get_u64(b, NFTNL_RULE_POSITION))
print_err("Rule compat_position mismatches");
@@ -84,13 +85,15 @@ int main(int argc, char *argv[])
nftnl_rule_set_u64(a, NFTNL_RULE_HANDLE, 0x1234567812345678);
nftnl_rule_set_u32(a, NFTNL_RULE_COMPAT_PROTO, 0x12345678);
nftnl_rule_set_u32(a, NFTNL_RULE_COMPAT_FLAGS, 0x12345678);
+ nftnl_rule_set_u32(a, NFTNL_RULE_ID, 0x12345678);
+ nftnl_rule_set_u32(a, NFTNL_RULE_POSITION_ID, 0x12345678);
nftnl_rule_set_u64(a, NFTNL_RULE_POSITION, 0x1234567812345678);
nftnl_rule_set_data(a, NFTNL_RULE_USERDATA,
nftnl_udata_buf_data(udata),
nftnl_udata_buf_len(udata));
nftnl_udata_buf_free(udata);
- nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
nftnl_rule_nlmsg_build_payload(nlh, a);
if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
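Review bot: NFTNL_RULE_ID and NFTNL_RULE_POSITION_ID are both set to 0x12345678, the same value already used for COMPAT_PROTO and COMPAT_FLAGS, so a build/parse mix-up between any of these u32 attributes would not be caught by the new comparisons in cmp_nftnl_rule. Give each attribute a distinct value, e.g. `nftnl_rule_set_u32(a, NFTNL_RULE_ID, 0x12345678);` and `nftnl_rule_set_u32(a, NFTNL_RULE_POSITION_ID, 0x87654321);`. main begins outside the hunk.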
diff --git a/tests/nft-set-test.c b/tests/nft-set-test.c
index 173c17f..1cb66e4 100644
--- a/tests/nft-set-test.c
+++ b/tests/nft-set-test.c
@@ -1,11 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2013 by Ana Rey Botello <anarey@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
@@ -26,6 +21,9 @@ static void print_err(const char *msg)
static void cmp_nftnl_set(struct nftnl_set *a, struct nftnl_set *b)
{
+ const uint8_t *data_a, *data_b;
+ uint32_t datalen_a, datalen_b;
+
if (strcmp(nftnl_set_get_str(a, NFTNL_SET_TABLE),
nftnl_set_get_str(b, NFTNL_SET_TABLE)) != 0)
print_err("Set table mismatches");
@@ -50,11 +48,18 @@ static void cmp_nftnl_set(struct nftnl_set *a, struct nftnl_set *b)
if (strcmp(nftnl_set_get_str(a, NFTNL_SET_USERDATA),
nftnl_set_get_str(b, NFTNL_SET_USERDATA)) != 0)
print_err("Set userdata mismatches");
+
+ data_a = nftnl_set_get_data(a, NFTNL_SET_DESC_CONCAT, &datalen_a);
+ data_b = nftnl_set_get_data(b, NFTNL_SET_DESC_CONCAT, &datalen_b);
+ if (datalen_a != datalen_b ||
+ memcmp(data_a, data_b, datalen_a))
+ print_err("Set desc concat mismatches");
}
int main(int argc, char *argv[])
{
struct nftnl_set *a, *b = NULL;
+ uint8_t field_lengths[16];
char buf[4096];
struct nlmsghdr *nlh;
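Review bot: The memcmp added at the end of cmp_nftnl_set uses whatever nftnl_set_get_data returned without a NULL check, so if either set lacks NFTNL_SET_DESC_CONCAT the comparison dereferences a null pointer (memcmp with a null argument is undefined even when the length is 0); whether datalen_a/datalen_b are written in that case is not visible here either. Treat both-absent as equal and one-absent as a mismatch: `if ((data_a == NULL) != (data_b == NULL) || datalen_a != datalen_b ||` / `    (data_a && memcmp(data_a, data_b, datalen_a)))`. cmp_nftnl_set begins outside the hunk and main continues past it.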
@@ -73,8 +78,15 @@ int main(int argc, char *argv[])
nftnl_set_set_u32(a, NFTNL_SET_FAMILY, 0x12345678);
nftnl_set_set_str(a, NFTNL_SET_USERDATA, "testing user data");
+ memset(field_lengths, 0xff, sizeof(field_lengths));
+ if (!nftnl_set_set_data(a, NFTNL_SET_DESC_CONCAT, field_lengths, 17))
+ print_err("oversized NFTNL_SET_DESC_CONCAT data accepted");
+ if (nftnl_set_set_data(a, NFTNL_SET_DESC_CONCAT, field_lengths, 16))
+ print_err("setting NFTNL_SET_DESC_CONCAT failed");
+
+
/* cmd extracted from include/linux/netfilter/nf_tables.h */
- nlh = nftnl_set_nlmsg_build_hdr(buf, NFT_MSG_NEWSET, AF_INET, 0, 1234);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_NEWSET, AF_INET, 0, 1234);
nftnl_set_nlmsg_build_payload(nlh, a);
if (nftnl_set_nlmsg_parse(nlh, b) < 0)
diff --git a/tests/nft-table-test.c b/tests/nft-table-test.c
index 1031ffe..79e10ef 100644
--- a/tests/nft-table-test.c
+++ b/tests/nft-table-test.c
@@ -1,11 +1,6 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* (C) 2013 by Ana Rey Botello <anarey@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
*/
#include <stdio.h>
@@ -34,7 +29,7 @@ static void cmp_nftnl_table(struct nftnl_table *a, struct nftnl_table *b)
print_err("table flags mismatches");
if (nftnl_table_get_u32(a, NFTNL_TABLE_FAMILY) !=
nftnl_table_get_u32(b, NFTNL_TABLE_FAMILY))
- print_err("tabke family mismatches");
+ print_err("table family mismatches");
}
int main(int argc, char *argv[])
@@ -55,8 +50,7 @@ int main(int argc, char *argv[])
nftnl_table_set_u32(a, NFTNL_TABLE_FLAGS, 0);
/* cmd extracted from include/linux/netfilter/nf_tables.h */
- nlh = nftnl_table_nlmsg_build_hdr(buf, NFT_MSG_NEWTABLE, AF_INET, 0,
- 1234);
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_NEWTABLE, AF_INET, 0, 1234);
nftnl_table_nlmsg_build_payload(nlh, a);
if (nftnl_table_nlmsg_parse(nlh, b) < 0)