summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* include: missing C++ linkage in headersPablo Neira Ayuso2018-07-034-0/+32
| | | | | | | | A few files (batch.h / common.h / set.h / udata.h) are missing the usual. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1268 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr/exthdr: Fix JSON parsing on big endianPhil Sutter2018-06-261-1/+1
| | | | | | | | | | | When setting NFTNL_EXPR_EXTHDR_TYPE, one needs to call nftnl_expr_set_u8() and not nftnl_expr_set_u32(). Otherwise 'type' variable is assigned to uint32_t parameter before being passed to nftnl_expr_exthdr_set() as void pointer which casts it to uint8_t. On big endian systems, the latter would only consider the most significant byte instead of the least significant one. Signed-off-by: Phil Sutter <phil@nwl.cc>
* expr/data_reg: Fix JSON parsing on big endianPhil Sutter2018-06-261-2/+2
| | | | | | | | | | | Since reg->len is a 32bit variable, one needs to pass NFTNL_TYPE_U32 to nftnl_jansson_parse_val(). Otherwise, only the most significant byte in that variable is being written to. Since the value could potentially be larger than 255, increase node_name buffer to avoid a compiler warning. Signed-off-by: Phil Sutter <phil@nwl.cc>
* utils: Fix nftnl_get_value() on big endianPhil Sutter2018-06-261-2/+42
| | | | | | | | | | | | This function basically did: | memcpy(out, val, <len of requested type>); which works only for little endian integer types. Fix this by assigning the 64bit input value to a variable of the right size and use that as input for above memcpy() call. Signed-off-by: Phil Sutter <phil@nwl.cc>
* build: libnftnl 1.1.1 releaselibnftnl-1.1.1Florian Westphal2018-06-082-3/+3
| | | | | | Check for libmnl >= 1.0.3 just like nftables does. Signed-off-by: Florian Westphal <fw@strlen.de>
* expr: rt: print tcpmssPablo Neira Ayuso2018-06-071-1/+1
| | | | | | | | | | | | | | rt_key2str() should also return the 'tcpmss' case. Instead of: [ rt load unknown => reg 1 ] print: [ rt load tcpmss => reg 1 ] Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: extend fwd to support address and protocolPablo Neira Ayuso2018-06-063-4/+62
| | | | | | To support forwarding through neighbour layer from ingress. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add connlimit supportPablo Neira Ayuso2018-06-066-1/+236
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Add support for native socket matchingMáté Eckl2018-06-015-0/+241
| | | | | Signed-off-by: Máté Eckl <ecklm94@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: updated nf_tables.hMáté Eckl2018-05-293-17/+19
| | | | | | | Joint work with Pablo. Signed-off-by: Máté Eckl <ecklm94@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: add nftnl_rule_list_insert_at()Pablo Neira Ayuso2018-05-283-0/+11
| | | | | | Allow to add rule object before any existing rule. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add map lookups for hash statementsLaura Garcia Liebana2018-05-233-0/+55
| | | | | | | | | | | This patch introduces two new attributes for hash expression to allow map lookups where the hash is the key. The new attributes are NFTNL_EXPR_HASH_SET_NAME and NFTNL_EXPR_HASH_SET_ID in order to identify the given map. Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: Add test for assigning helper objects via ruleHarsha Sharma2018-05-082-1/+159
| | | | | | | | | | | | | | | | | | Usage: ./nft-rule-ct-helper-add ip filter input sip-5060 ./nft-rule-get ip filter ip filter input 7 6 [ objref type 3 name sip-5060 ] nft list ruleset ... chain input { ct helper set "sip-5060" } Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add map lookups for numgen statementsLaura Garcia Liebana2018-05-083-0/+55
| | | | | | | | | | | This patch introduces two new attributes for numgen to allow map lookups where the number generator will be the key. Two new attributes needs to be included: NFTNL_EXPR_NG_SET_NAME and NFTNL_EXPR_NG_SET_ID in order to identify the given map. Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump LIBVERSIONlibnftnl-1.1.0Florian Westphal2018-05-011-1/+1
| | | | | | AC_INIT version was already bumped in 7693a5e293962, not needed. Signed-off-by: Florian Westphal <fw@strlen.de>
* udata: refuse to put more than UINT8_MAX bytesFlorian Westphal2018-04-291-1/+1
| | | | | | ->len is uint8_t, so we can't handle more than this. Signed-off-by: Florian Westphal <fw@strlen.de>
* expr: objref: do not print idPablo Neira Ayuso2018-04-111-2/+2
| | | | | | | The lookup expression does not do this either, so let's be consistent and remove it. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-flowtable-add: do not use nftnl_flowtable_set_array()Pablo Neira Ayuso2018-03-201-1/+1
| | | | | Fixes: 62d6fff78b2c ("src: remove set/get array api") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: add nft-ct-helper-{add,get,del}Yang Zheng2018-03-204-1/+436
| | | | | | | | | | | | | | | | | | nft-ct-helper-{add,get,del}: add, get, or delete ct helper objects from the specified table. Examples: % ./nft-ct-helper-get ip filter <nothing> % ./nft-ct-helper-add ip filter sip-5060 sip udp % ./nft-ct-helper-get ip filter table filter name sip-5060 use 0 [ ct_helper name sip family 2 protocol 17 ] % ./nft-ct-helper-del ip filter sip-5060 % ./nft-ct-helper-get ip filter <nothing> Signed-off-by: Yang Zheng <tomsun.0.7@gmail.com> Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove set/get array apiFlorian Westphal2018-03-122-14/+0
| | | | | | one-line wrapper, callers can use nftnl_flowtable_get/set instead. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: support for NFT_CT_{SRC,DST}_{IP,IP6}Pablo Neira Ayuso2018-03-112-3/+15
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: fix parsing for set handle attributesHarsha Sharma2018-03-111-1/+1
| | | | | | | Correct one typo for parsing set handles. Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* configure: bump library version to 1.1.0Pablo Neira Ayuso2018-03-061-1/+1
| | | | | | So new nftables doesn't break compilation with old libnftnl versions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: parse new handle attribute for objectsHarsha Sharma2018-03-054-1/+23
| | | | | | | | This patch add code to allocate object handles and delete objects via object handles. Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: parse new handle attribute for setsHarsha Sharma2018-03-054-0/+22
| | | | | | | This patch adds code to allocate set handles and delete sets via set handle. Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
* src: parse new handle attribute for tablesHarsha Sharma2018-03-054-2/+43
| | | | | | | This patch adds code to parse new handle attribute for tables. Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add flowtable regression testPablo Neira Ayuso2018-03-052-0/+85
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* flowtable: support for flagsPablo Neira Ayuso2018-03-053-3/+23
| | | | | | This new attribute allows you to specify the flowtable flags. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* flowtable: allow to specify sizePablo Neira Ayuso2018-03-053-2/+27
| | | | | | This new attribute allows you to specify the flowtable size. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add flow offload expressionPablo Neira Ayuso2018-03-055-0/+202
| | | | | | | This patch adds the new "flow_offload" expression to select what flows are offloaded to an existing flowtable. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add flowtable supportPablo Neira Ayuso2018-03-0510-0/+1351
| | | | | | | This patch allows you to add, delete and list flowtable through the existing netlink interface. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: nftnl_set_elems_parse() returns 0 if set is emptyPablo Neira Ayuso2018-02-141-1/+1
| | | | | | | Instead of -1, which results n misleading error propagate to the caller with errno == 0 (success). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-set-del: fix set deletionPablo Neira Ayuso2018-02-141-9/+24
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: do not call nftnl_batch_is_supported()Pablo Neira Ayuso2018-02-1414-207/+69
| | | | | | | | This is only required by Linux kernel <= 3.16.x, that's too old and at that time nft was very limited in term of features, so let's remove this check from example files. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* meta: secpath supportFlorian Westphal2018-01-162-1/+4
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* build: libnftnl 1.0.9 releaselibnftnl-1.0.9Pablo Neira Ayuso2017-12-302-2/+2
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: change char * pointer to constant (const char *)Harsha Sharma2017-12-303-4/+4
| | | | | | | | As the parameter for function is pointer to constant, change it to constant. This fix gcc compilation warning in libnftnl with make check. Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Fix exporting symbols with clangArmin K2017-12-3013-269/+273
| | | | | | | | | | | | | When EXPORT_SYMBOL is located after function definition, clang won't properly export the function, resulting in a library with no symbols when built with clang. Based on libmnl commit dcdb47373a37 ("Move declaration of visibility attributes before definition.") Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1205 Signed-off-by: Armin K <krejzi@email.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* data_reg: calm down compilation warning in nftnl_data_reg_value_json_parse()Pablo Neira Ayuso2017-12-281-3/+4
| | | | | | | | | | | | | | | | | | expr/data_reg.c: In function 'nftnl_data_reg_json_parse': expr/data_reg.c:69:27: warning: '%d' directive writing between 1 and 10 bytes into a region of size 2 [-Wformat-overflow=] sprintf(node_name, "data%d", i); ^~ expr/data_reg.c:69:22: note: directive argument in the range [0, 2147483647] sprintf(node_name, "data%d", i); Buffer overflow is triggerable when reg->len > 396, but len never goes over 128 due to type validation just a bit before. Use snprintf() and make sure buffer is large enough to store the "data256" string. Reported-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* trace: Check return value of mnl_attr_parse_nested()Phil Sutter2017-12-151-1/+2
| | | | | | | | This is done everywhere else as well, so certainly not a bad thing here either. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: Don't return garbage in nftnl_set_elems_parse()Phil Sutter2017-12-151-1/+1
| | | | | | | | | This might happen if netlink message is malformed (no nested attributes are present), so treat this as an error and return -1 instead of garbage to caller. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ruleset: Avoid reading garbage in nftnl_ruleset_cb()Phil Sutter2017-12-151-5/+5
| | | | | | | | | | If nftnl_ruleset_json_parse() is called with arg == NULL, ctx.data is left uninitialized and will later be used in nftnl_ruleset_cb(). Avoid this by using a C99-style initializer for 'ctx' which sets all omitted fields to zero. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* object: Avoid returning garbage in nftnl_obj_do_parse()Phil Sutter2017-12-151-1/+1
| | | | | | | | | It may happen that 'perr' variable does not get initialized, so making parameter 'err' point to it in any case is error-prone. Avoid this by initializing 'perr' upon declaration. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* gen: Remove a pointless call to mnl_nlmsg_get_payload()Phil Sutter2017-12-151-2/+2
| | | | | | | | | It is a common idiom in all *_nlmsg_parse() functions, but nftnl_gen_nlmsg_parse() doesn't make use of the data pointer and the compiler probably can't eliminate it since there could be a side-effect. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* data_reg: Add a missing break in nftnl_data_reg_snprintfPhil Sutter2017-12-151-0/+2
| | | | | | | | | The code works fine as-is, but if reg_type == DATA_VALUE && output_format == NFTNL_OUTPUT_XML, we fall through to DATA_CHAIN case and therefore pointlessly check output_format again. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: Introduce nftnl_expr_fprintf()Phil Sutter2017-10-173-0/+19
| | | | | | | | Implement expression printing into a FILE pointer analogous to nftnl_rule_fprintf(). Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: libnftnl 1.0.8 releaselibnftnl-1.0.8Pablo Neira Ayuso2017-10-041-1/+1
| | | | | | | 907a9f8e5a93 ("src: get rid of aliases and compat") already updated LIBVERSION when symbol aliases have been dropped. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: do not nul-terminate internal helper functionsPablo Neira Ayuso2017-10-049-29/+0
| | | | | | | Public API already does this for us, no need to do this again from internal helper functions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: no need to nul-terminate buffer for nftnl_fprintf() callsPablo Neira Ayuso2017-10-048-27/+0
| | | | | | | This function bails out with -1 if we cannot print, and this buffer is internally allocated. No need for this overly deffensive initialization. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: no need to nul-terminate buffer from expression ->snprintf indirectionPablo Neira Ayuso2017-10-0429-87/+0
| | | | | | | ->snprintf() is always called via nftnl_expr_snprintf() wrapper, which is already dealing with this corner case for us. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>