Commit log (each entry lists the commit message, author, date, files changed and lines removed/added)
* set_elem: nftnl_set_elems_parse() returns 0 if set is empty
  Pablo Neira Ayuso, 2018-02-14 (1 file changed, -1/+1)

  Instead of -1, which results in a misleading error propagated to the caller with errno == 0 (success).

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-set-del: fix set deletion
  Pablo Neira Ayuso, 2018-02-14 (1 file changed, -9/+24)

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: do not call nftnl_batch_is_supported()
  Pablo Neira Ayuso, 2018-02-14 (14 files changed, -207/+69)

  This is only required by Linux kernel <= 3.16.x; that's too old, and at that time nft was very limited in terms of features, so let's remove this check from the example files.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: secpath support
  Florian Westphal, 2018-01-16 (2 files changed, -1/+4)

  Signed-off-by: Florian Westphal <fw@strlen.de>
* build: libnftnl 1.0.9 release (tag: libnftnl-1.0.9)
  Pablo Neira Ayuso, 2017-12-30 (2 files changed, -2/+2)

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: change char * pointer to constant (const char *)
  Harsha Sharma, 2017-12-30 (3 files changed, -4/+4)

  As the parameter for the function is a pointer to constant, change it to constant. This fixes a gcc compilation warning in libnftnl with make check.

  Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Fix exporting symbols with clang
  Armin K, 2017-12-30 (13 files changed, -269/+273)

  When EXPORT_SYMBOL is located after the function definition, clang won't properly export the function, resulting in a library with no symbols when built with clang.

  Based on libmnl commit dcdb47373a37 ("Move declaration of visibility attributes before definition.")

  Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1205
  Signed-off-by: Armin K <krejzi@email.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* data_reg: calm down compilation warning in nftnl_data_reg_value_json_parse()
  Pablo Neira Ayuso, 2017-12-28 (1 file changed, -3/+4)

    expr/data_reg.c: In function 'nftnl_data_reg_json_parse':
    expr/data_reg.c:69:27: warning: '%d' directive writing between 1 and 10 bytes into a region of size 2 [-Wformat-overflow=]
      sprintf(node_name, "data%d", i);
                               ^~
    expr/data_reg.c:69:22: note: directive argument in the range [0, 2147483647]
      sprintf(node_name, "data%d", i);

  Buffer overflow is triggerable when reg->len > 396, but len never goes over 128 due to type validation just a bit before.

  Use snprintf() and make sure the buffer is large enough to store the "data256" string.

  Reported-by: Jan Engelhardt <jengelh@inai.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* trace: Check return value of mnl_attr_parse_nested()
  Phil Sutter, 2017-12-15 (1 file changed, -1/+2)

  This is done everywhere else as well, so certainly not a bad thing here either.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: Don't return garbage in nftnl_set_elems_parse()
  Phil Sutter, 2017-12-15 (1 file changed, -1/+1)

  This might happen if the netlink message is malformed (no nested attributes are present), so treat this as an error and return -1 instead of garbage to the caller.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ruleset: Avoid reading garbage in nftnl_ruleset_cb()
  Phil Sutter, 2017-12-15 (1 file changed, -5/+5)

  If nftnl_ruleset_json_parse() is called with arg == NULL, ctx.data is left uninitialized and will later be used in nftnl_ruleset_cb(). Avoid this by using a C99-style initializer for 'ctx' which sets all omitted fields to zero.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* object: Avoid returning garbage in nftnl_obj_do_parse()
  Phil Sutter, 2017-12-15 (1 file changed, -1/+1)

  It may happen that the 'perr' variable does not get initialized, so making parameter 'err' point to it in any case is error-prone. Avoid this by initializing 'perr' upon declaration.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* gen: Remove a pointless call to mnl_nlmsg_get_payload()
  Phil Sutter, 2017-12-15 (1 file changed, -2/+2)

  It is a common idiom in all *_nlmsg_parse() functions, but nftnl_gen_nlmsg_parse() doesn't make use of the data pointer and the compiler probably can't eliminate it since there could be a side-effect.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* data_reg: Add a missing break in nftnl_data_reg_snprintf
  Phil Sutter, 2017-12-15 (1 file changed, -0/+2)

  The code works fine as-is, but if reg_type == DATA_VALUE && output_format == NFTNL_OUTPUT_XML, we fall through to the DATA_CHAIN case and therefore pointlessly check output_format again.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: Introduce nftnl_expr_fprintf()
  Phil Sutter, 2017-10-17 (3 files changed, -0/+19)

  Implement expression printing into a FILE pointer analogous to nftnl_rule_fprintf().

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: libnftnl 1.0.8 release (tag: libnftnl-1.0.8)
  Pablo Neira Ayuso, 2017-10-04 (1 file changed, -1/+1)

  907a9f8e5a93 ("src: get rid of aliases and compat") already updated LIBVERSION when symbol aliases were dropped.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: do not nul-terminate internal helper functions
  Pablo Neira Ayuso, 2017-10-04 (9 files changed, -29/+0)

  The public API already does this for us; no need to do this again from internal helper functions.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: no need to nul-terminate buffer for nftnl_fprintf() calls
  Pablo Neira Ayuso, 2017-10-04 (8 files changed, -27/+0)

  This function bails out with -1 if we cannot print, and this buffer is internally allocated. No need for this overly defensive initialization.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: no need to nul-terminate buffer from expression ->snprintf indirection
  Pablo Neira Ayuso, 2017-10-04 (29 files changed, -87/+0)

  ->snprintf() is always called via the nftnl_expr_snprintf() wrapper, which is already dealing with this corner case for us.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* buffer: use nftnl_expr_snprintf() from nftnl_buf_expr()
  Pablo Neira Ayuso, 2017-10-04 (1 file changed, -2/+3)

  This helper function handles the case of no ->snprintf() indirection in the expression and safe buffer nul-termination, so use it.

  Fixes: 059b9bf6fb31 ("src: Use nftnl_buf to export XML/JSON rules")
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Buffer is null terminated.
  Varsha Rao, 2017-09-27 (44 files changed, -3/+182)

  In the _snprintf() function definitions the buffer is null terminated.

  Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Change parameters of SNPRINTF_BUFFER_SIZE macro.
  Varsha Rao, 2017-09-27 (28 files changed, -389/+403)

  The SNPRINTF_BUFFER_SIZE() macro declaration and definition are changed so that it accepts three arguments: ret, remain and offset. Parameters size and len are not required; instead, parameter remain keeps track of the available space in the buffer.

  Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
* chain: Don't print unset policy value in netlink debug
  Phil Sutter, 2017-09-08 (1 file changed, -5/+13)

  The policy field was printed unconditionally, but if it wasn't set the default value 0 was printed as 'policy drop', which is not correct.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: Fix memory leaks detected by Valgrind
  Shyam Saini, 2017-09-04 (3 files changed, -0/+6)

    ==11688== HEAP SUMMARY:
    ==11688==     in use at exit: 40 bytes in 1 blocks
    ==11688==   total heap usage: 7 allocs, 6 frees, 220 bytes allocated
    ==11688==
    ==11688== 40 bytes in 1 blocks are definitely lost in loss record 1 of 1
    ==11688==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==11688==    by 0x5068955: mnl_nlmsg_batch_start (nlmsg.c:441)
    ==11688==    by 0x40133B: main (nft-chain-add.c:103)
    ==11688==
    ==11688== LEAK SUMMARY:
    ==11688==    definitely lost: 40 bytes in 1 blocks
    ==11688==    indirectly lost: 0 bytes in 0 blocks
    ==11688==      possibly lost: 0 bytes in 0 blocks
    ==11688==    still reachable: 0 bytes in 0 blocks
    ==11688==         suppressed: 0 bytes in 0 blocks

    ==11831== HEAP SUMMARY:
    ==11831==     in use at exit: 40 bytes in 1 blocks
    ==11831==   total heap usage: 7 allocs, 6 frees, 220 bytes allocated
    ==11831==
    ==11831== 40 bytes in 1 blocks are definitely lost in loss record 1 of 1
    ==11831==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==11831==    by 0x5068955: mnl_nlmsg_batch_start (nlmsg.c:441)
    ==11831==    by 0x401154: main (nft-chain-del.c:79)
    ==11831==
    ==11831== LEAK SUMMARY:
    ==11831==    definitely lost: 40 bytes in 1 blocks
    ==11831==    indirectly lost: 0 bytes in 0 blocks
    ==11831==      possibly lost: 0 bytes in 0 blocks
    ==11831==    still reachable: 0 bytes in 0 blocks
    ==11831==         suppressed: 0 bytes in 0 blocks

  Signed-off-by: Shyam Saini <mayhs11saini@gmail.com>
  Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: limit stateful object support
  Pablo M. Bermudo Garay, 2017-09-04 (6 files changed, -2/+259)

  This patch adds support for a new type of stateful object: limit.

  Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rt: tcpmss get support
  Florian Westphal, 2017-08-21 (2 files changed, -1/+3)

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: tcp option set support
  Florian Westphal, 2017-08-21 (3 files changed, -6/+38)

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: free user data
  Eric Leblond, 2017-07-06 (1 file changed, -0/+2)

  This was causing a memory leak when using set. Caught by an ASAN run:

    ==21004==ERROR: LeakSanitizer: detected memory leaks

    Direct leak of 12 byte(s) in 2 object(s) allocated from:
        #0 0x4cde58 in malloc (/usr/local/sbin/nft+0x4cde58)
        #1 0x7ffff79b8c19 in nftnl_set_set_data /home/eric/git/netfilter/libnftnl/src/set.c:179
* ct: rename eventmask to event
  Florian Westphal, 2017-06-07 (1 file changed, -1/+1)

  Pablo suggested this for consistency; ct status isn't named statusmask either.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* src: ct eventmask support
  Florian Westphal, 2017-03-16 (2 files changed, -1/+4)

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: ct helper support
  Florian Westphal, 2017-03-16 (6 files changed, -2/+236)

  Add support for ct helper objects; these are used to assign helpers to connections, similar to the iptables -j CT --set-helper target.

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* object: extend set/get api for u8/u16 types
  Florian Westphal, 2017-03-16 (3 files changed, -0/+34)

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: exthdr: Display NFT_EXTHDR_F_PRESENT in debug output
  Phil Sutter, 2017-03-13 (1 file changed, -2/+4)

  This allows asserting it in the testsuite as well.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* fib: Add support for NFTA_FIB_F_PRESENT flag
  Phil Sutter, 2017-03-13 (2 files changed, -2/+7)

  Reflect the existence of the flag in debug output so the testsuite can check for it.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* udata: add nftnl_udata_put_u32() and nftnl_udata_get_u32()
  Pablo Neira Ayuso, 2017-03-06 (3 files changed, -0/+20)

  Add new helper functions to put and to fetch a tlv that comes with a u32 payload.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: hash: support of symmetric hash
  Laura Garcia Liebana, 2017-03-06 (4 files changed, -6/+58)

  This patch provides symmetric hash support according to source ip address and port, and destination ip address and port.

  The new attribute NFTA_HASH_TYPE has been included to support different types of hashing functions. Currently supported: NFT_HASH_JENKINS through jhash and NFT_HASH_SYM through symhash.

  The main differences between the two types are:

  - jhash requires an expression with sreg, symhash doesn't.
  - symhash supports modulus and offset, but not seed.

  Examples:

    nft add rule ip nat prerouting ct mark set jhash ip saddr mod 2
    nft add rule ip nat prerouting ct mark set symhash mod 2

  Signed-off-by: Laura Garcia Liebana <laura.garcia@zevenet.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Use nftnl_buf to export XML/JSON rules
  Elise Lennion, 2017-03-03 (3 files changed, -75/+86)

  This completes the use of nftnl_buf and its auxiliary functions to export XML/JSON rules.

  Highly based on work from Shivani Bhardwaj <shivanib134@gmail.com>.

  Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* object: fix crash when object ops is null
  Florian Westphal, 2017-02-27 (1 file changed, -1/+2)

  When debugging nft with an invalid object type (during development), this will crash here with a null deref. Print (unknown) instead if obj->ops is null.

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* object: don't set NFTNL_OBJ_TYPE unless obj->ops is non-null
  Florian Westphal, 2017-02-27 (1 file changed, -1/+4)

  If nft sets an invalid type, nftnl_obj_ops_lookup will return NULL. In this case we must not set the NFTNL_OBJ_TYPE flag, else we later get a crash in nftnl_obj_nlmsg_build_payload as it dereferences obj->ops.

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: remove unused variable uval8
  Alexander Alemayhu, 2017-02-23 (1 file changed, -1/+0)

  Was added but not used in d7b451fe1a45 (src: add TCP option matching requirements, 2017-02-07). Fixes the following warning:

    expr/exthdr.c: In function 'nftnl_expr_exthdr_json_parse':
    expr/exthdr.c:244:10: warning: unused variable 'uval8' [-Wunused-variable]
      uint8_t uval8;
              ^~~~~

  Signed-off-by: Alexander Alemayhu <alexander@alemayhu.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* src: ct: add zone support
  Florian Westphal, 2017-02-19 (1 file changed, -1/+2)

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: add NFTA_RULE_ID attribute
  Pablo Neira Ayuso, 2017-02-16 (2 files changed, -1/+38)

  This patch adds the new NFTA_RULE_ID attribute.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* common: return nlmsghdr in nftnl_batch_{begin,end}()
  Pablo Neira Ayuso, 2017-02-16 (2 files changed, -8/+8)

  Useful to append netlink attributes after the batch headers.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* common: get rid of nftnl_batch_build_hdr()
  Pablo Neira Ayuso, 2017-02-16 (2 files changed, -25/+20)

  Add __nftnl_nlmsg_build_hdr() so nftnl_batch_build_hdr() and nftnl_nlmsg_build_hdr() share the same code.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* exthdr: Add missing exthdr flags cases
  Phil Sutter, 2017-02-16 (1 file changed, -0/+4)

  Looks like some chunks went by the board while merging with the exthdr->op patch.

  Fixes: 4196376330468 ("exthdr: Add support for exthdr flags")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* exthdr: Add support for exthdr flags
  Phil Sutter, 2017-02-15 (2 files changed, -0/+18)

  Along with the actual support for exthdr expression specific flags, this also declares NFT_EXTHDR_F_PRESENT used for exthdr existence match.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: refresh nf_tables.h copy
  Pablo Neira Ayuso, 2017-02-15 (1 file changed, -15/+25)

  Fetch what we have in the kernel tree.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add TCP option matching requirements
  Manuel Messner, 2017-02-12 (3 files changed, -5/+62)

  This patch is a requirement of the TCP option patch.

  Signed-off-by: Manuel Messner <mm@skelett.io>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* examples: Remove the use of nftnl_mnl_batch_put()
  Elise Lennion, 2017-01-16 (4 files changed, -92/+60)

  Use nftnl_batch_begin() and nftnl_batch_end() instead, to keep examples consistent and avoid code duplication.

  Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: Add const qualifiers to *2str translation arrays
  Tobias Klauser, 2017-01-16 (6 files changed, -6/+6)

  Add const qualifiers to the "to string" translation arrays used by various *2str() functions. This fixes GCC warnings such as the following when compiling with -Wwrite-strings:

    expr/byteorder.c:176:25: warning: initialization discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]

  In order to catch these in the future, also add -Wwrite-strings to the default CFLAGS.

  Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>