libnftnl commit log. Each entry lists the commit subject, then author | date | files changed | lines removed/added, followed by the commit message body.
* bitwise: add support for new netlink attributes.
  Jeremy Sowden | 2020-01-18 | 2 files | -1/+50

  Add code to set and get the new op and data attributes. The existing boolean bitwise expressions will only use the op attribute.

  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: update nf_tables.h.
  Jeremy Sowden | 2020-01-18 | 2 files | -3/+25

  The kernel UAPI header includes a couple of new bitwise netlink attributes and an enum.

  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bitwise: add helper to print boolean expressions.
  Jeremy Sowden | 2020-01-18 | 1 file | -3/+11

  Move the code for printing boolean expressions into a separate function. Another function will be added for shifts later.

  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bitwise: fix some incorrect indentation.
  Jeremy Sowden | 2020-01-18 | 2 files | -8/+8

  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Update gitignore.
  Jeremy Sowden | 2020-01-18 | 1 file | -0/+9

  Add ctags and etags tag files, and Emacs back-up files.

  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: Remove buffer.h
  Brett Mastbergen | 2020-01-05 | 13 files | -130/+10

  Almost everything in this header is unused. The command defines used in utils.c don't seem to be justified and have just been replaced by their strings.

  Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: meta: add slave device matching
  Florian Westphal | 2020-01-03 | 2 files | -1/+7

  Cc: Martin Willi <martin@strongswan.org>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* udata: support for TLV attribute nesting
  Pablo Neira Ayuso | 2019-12-17 | 3 files | -0/+27

  This patch adds nftnl_udata_nest_start() and nftnl_udata_nest_end() to build attribute nests.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* udata: add NFTNL_UDATA_SET_*TYPEOF* definitions
  Pablo Neira Ayuso | 2019-12-16 | 1 file | -0/+9

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: typo in object.h C++ wrapper
  Pablo Neira Ayuso | 2019-12-11 | 1 file | -1/+1

  s/__cplusplusg/__cplusplus/

  Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1389
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: Replace use of deprecated symbols
  Phil Sutter | 2019-12-04 | 21 files | -43/+44

  Do not use unqualified setters to avoid the warnings. Pass a (false) zero length value to nftnl_flowtable_set_data() when assigning to NFTNL_FLOWTABLE_DEVICES as the length value is unused and not even usable. Maybe one should introduce a dedicated nftnl_flowtable_set_devices() at a later point.

  Fixes: 7349a70634fa0 ("Deprecate untyped data setters")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
  Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
* chain: Correctly check realloc() call
  Phil Sutter | 2019-12-03 | 1 file | -6/+5

  If realloc() fails, it returns NULL but the original pointer is untouched and therefore still has to be freed. Unconditionally overwriting the old pointer is therefore a bad idea; use a temporary variable instead.

  Fixes: e3ac19b5ec162 ("chain: multi-device support")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* flowtable: Correctly check realloc() call
  Phil Sutter | 2019-12-03 | 1 file | -6/+5

  If realloc() fails, it returns NULL but the original pointer is untouched and therefore still has to be freed. Unconditionally overwriting the old pointer is therefore a bad idea; use a temporary variable instead.

  Fixes: 7f99639dd9217 ("flowtable: device array dynamic allocation")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: Fix memleak in error path of nftnl_chain_parse_devs()
  Phil Sutter | 2019-12-03 | 1 file | -0/+1

  In the error case, dev_array is not freed when it should be.

  Fixes: e3ac19b5ec162 ("chain: multi-device support")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* flowtable: Fix memleak in error path of nftnl_flowtable_parse_devs()
  Phil Sutter | 2019-12-03 | 1 file | -0/+1

  In the error case, the allocated dev_array is not freed.

  Fixes: 7f99639dd9217 ("flowtable: device array dynamic allocation")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: flowtable: Don't check NFTNL_FLOWTABLE_SIZE
  Phil Sutter | 2019-12-02 | 1 file | -0/+2

  Marshalling code around that attribute has been dropped by commit d1c4b98c733a5 ("flowtable: remove NFTA_FLOWTABLE_SIZE") so its value is lost during the test. Assuming that NFTNL_FLOWTABLE_SIZE will receive kernel support at a later point, leave the test code in place but just comment it out.

  Fixes: d1c4b98c733a5 ("flowtable: remove NFTA_FLOWTABLE_SIZE")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: libnftnl 1.1.5 release (tag: libnftnl-1.1.5)
  Pablo Neira Ayuso | 2019-12-02 | 1 file | -1/+1

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: Define __visible even if not supported by compiler
  Phil Sutter | 2019-11-21 | 1 file | -0/+1

  Since __visible is now used directly, provide a fallback empty definition if HAVE_VISIBILITY_HIDDEN is not defined.

  Fixes: 7349a70634fa0 ("Deprecate untyped data setters")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* flowtable: remove NFTA_FLOWTABLE_SIZE
  Pablo Neira Ayuso | 2019-11-18 | 2 files | -8/+0

  Never defined in upstream Linux kernel uAPI, remove it.

  Reported-by: Eric Garver <eric@garver.life>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  Acked-by: Eric Garver <eric@garver.life>
* flowtable: add support for handle attribute
  Eric Jallot | 2019-11-06 | 4 files | -8/+53

  Add code to implement NFTA_FLOWTABLE_HANDLE.

  Signed-off-by: Eric Jallot <ejallot@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Deprecate untyped data setters
  Phil Sutter | 2019-10-31 | 14 files | -14/+14

  These functions make assumptions on the size of the passed data pointer and therefore tend to hide programming mistakes. Instead either one of the type-specific setters or the generic *_set_data() setter should be used.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* flowtable: Fix symbol export for clang
  Manuel Messner | 2019-10-31 | 1 file | -27/+27

  clang does not allow attribute declarations after definitions:

    flowtable.c:41:1: warning: attribute declaration must precede definition [-Wignored-attributes]
    EXPORT_SYMBOL(nftnl_flowtable_alloc);
    ^
    ../include/utils.h:13:41: note: expanded from macro 'EXPORT_SYMBOL'
    # define EXPORT_SYMBOL(x) typeof(x) (x) __visible;
                                            ^
    ../include/utils.h:12:35: note: expanded from macro '__visible'
    # define __visible __attribute__((visibility("default")))
                                      ^
    flowtable.c:37:25: note: previous definition is here
    struct nftnl_flowtable *nftnl_flowtable_alloc(void)

  Move attribute declarations before the symbol definitions, just like it's done in other source files.

  Signed-off-by: Marvin Schmidt <marvin_schmidt@gmx.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftnl.map: Export nftnl_{obj,flowtable}_set_data()
  Phil Sutter | 2019-10-31 | 1 file | -0/+2

  In order to deprecate nftnl_{obj,flowtable}_set() functions, these must be made available.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: multi-device support
  Pablo Neira Ayuso | 2019-10-28 | 3 files | -1/+111

  Add support for NFTA_HOOK_DEVS.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* flowtable: device array dynamic allocation
  Pablo Neira Ayuso | 2019-10-28 | 1 file | -14/+17

  Remove artificial upper limit of 8 devices per flowtable.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* obj/ct_timeout: Fix NFTA_CT_TIMEOUT_DATA parser
  Phil Sutter | 2019-10-17 | 1 file | -4/+4

  This is a necessary follow-up on commit 00b144bc9d093 ("obj/ct_timeout: Avoid array overrun in timeout_parse_attr_data()") which fixed array out of bounds access but missed the logic behind it: The nested attribute type values are incremented by one when being transferred between kernel and userspace, the zero type value is reserved for "unspecified". Kernel uses CTA_TIMEOUT_* symbols for that, libnftnl simply mangles the type values in nftnl_obj_ct_timeout_build().

  Return path was broken as it overstepped its nlattr array but apart from that worked: Type values were decremented by one in timeout_parse_attr_data().

  This patch moves the type value mangling into parse_timeout_attr_policy_cb() (which still overstepped nlattr array). Consequently, when copying values from nlattr array into ct timeout object in timeout_parse_attr_data(), loop is adjusted to start at index 0 and the type value decrement is dropped there.

  Fixes: 0adceeab1597a ("src: add ct timeout support")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: Validate nftnl_set_elem_set() parameters
  Phil Sutter | 2019-10-16 | 3 files | -1/+13

  Copying from nftnl_table_set_data(), validate input to nftnl_set_elem_set() as well. Given that for some attributes the function assumes passed data size, this seems necessary.

  Since data size expected for NFTNL_SET_ELEM_VERDICT attribute is sizeof(uint32_t), change type of 'verdict' field in union nftnl_data_reg accordingly.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* obj/ct_timeout: Avoid array overrun in timeout_parse_attr_data()
  Phil Sutter | 2019-10-15 | 2 files | -1/+9

  Array 'tb' has only 'attr_max' elements; the loop overstepped its boundary by one. Copy array_size() macro from include/utils.h in nftables.git to make sure code does the right thing.

  Fixes: 0adceeab1597a ("src: add ct timeout support")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: Don't bypass checks in nftnl_set_set_u{32,64}()
  Phil Sutter | 2019-10-15 | 1 file | -2/+2

  By calling nftnl_set_set(), any data size checks are effectively bypassed. Better call nftnl_set_set_data() directly, passing the real size for validation.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* obj/tunnel: Fix for undefined behaviour
  Phil Sutter | 2019-10-15 | 1 file | -3/+3

  Cppcheck complains:

    Shifting signed 32-bit value by 31 bits is undefined behaviour.

  Indeed, NFTNL_OBJ_TUNNEL_ERSPAN_V2_DIR enum value is 31. Make sure behaviour is as intended by shifting unsigned 1.

  Fixes: ea63a05272f54 ("obj: add tunnel support")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: Fix return code of nftnl_set_elem_set()
  Phil Sutter | 2019-10-15 | 1 file | -1/+1

  The function returned -1 on success.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* obj: ct_timeout: Check return code of mnl_attr_parse_nested()
  Phil Sutter | 2019-10-15 | 1 file | -3/+6

  Don't ignore nested attribute parsing errors; this may hide bugs in users' code.

  Fixes: 0adceeab1597a ("src: add ct timeout support")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: Export nftnl_set_list_lookup_byname()
  Phil Sutter | 2019-10-10 | 5 files | -20/+42

  Rename and optimize internal function nftnl_set_lookup() for external use. Just like with nftnl_chain_list, use a hash table for fast set name lookups.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: synproxy stateful object support
  Fernando Fernandez Mancera | 2019-09-10 | 6 files | -1/+177

  This patch adds synproxy stateful object support.

  Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: meta: Make NFT_DYNSET_OP_DELETE known
  Ander Juaristi | 2019-08-27 | 2 files | -1/+3

  Signed-off-by: Ander Juaristi <a@juaristi.eus>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: meta: Make NFT_META_TIME_{NS, DAY, HOUR} known
  Ander Juaristi | 2019-08-27 | 2 files | -1/+10

  Signed-off-by: Ander Juaristi <a@juaristi.eus>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: libnftnl 1.1.4 release (tag: libnftnl-1.1.4)
  Pablo Neira Ayuso | 2019-08-19 | 1 file | -1/+1

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: meta: Make NFT_META_BRI_IIF{VPROTO, PVID} known
  wenxu | 2019-08-14 | 1 file | -1/+3

  This only affects debug output, the key was properly handled in productive code paths already.

  Signed-off-by: wenxu <wenxu@ucloud.cn>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: resync nf_tables.h cache copy
  Pablo Neira Ayuso | 2019-08-13 | 1 file | -38/+82

  Get this header in sync with 5.3-rc1.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: meta: Make NFT_META_{I,O}IFKIND known
  Phil Sutter | 2019-07-18 | 2 files | -1/+7

  This only affects debug output, the key was properly handled in productive code paths already.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* udata: fix sigbus crash on sparc
  Florian Westphal | 2019-07-13 | 1 file | -2/+4

  Anatoly Pugachev reported a crash on 'nft list tables' on sparc and provided the following gdb backtrace:

    Starting program: /opt/nft/sbin/nft list tables
    Program received signal SIGBUS, Bus error.
    0xfff8000100946490 in nftnl_udata_get_u32 (attr=0x10000106e30) at udata.c:127
    127 return *data;

  We can't deref attr->value directly; it causes unaligned access.

  Reported-by: Anatoly Pugachev <matorola@gmail.com>
  Tested-by: Anatoly Pugachev <matorola@gmail.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add synproxy support
  Fernando Fernandez Mancera | 2019-07-06 | 5 files | -0/+196

  Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Add Requires.private field to libnftnl.pc
  Thomas Petazzoni | 2019-07-05 | 1 file | -0/+1

  Static linking userspace programs such as nftables against libnftnl currently doesn't work out of the box, because libnftnl is linked against libmnl, but this isn't expressed in libnftnl pkg-config file:

    CCLD nft
    [...]/bfin-buildroot-uclinux-uclibc/sysroot/usr/lib/libnftnl.a(table.o): In function `_nft_table_nlmsg_parse':
    table.c:(.text+0x480): undefined reference to `_mnl_attr_parse'
    table.c:(.text+0x492): undefined reference to `_mnl_attr_get_str'
    table.c:(.text+0x4a8): undefined reference to `_mnl_attr_get_u32'
    table.c:(.text+0x4ca): undefined reference to `_mnl_attr_get_u32'
    [...]

  The Libs.private field is specifically designed for such usage: From pkg-config documentation:

    Requires.private: A list of packages required by this package. The difference from Requires is that the packages listed under Requires.private are not taken into account when a flag list is computed for dynamically linked executable (i.e., when --static was not specified). In the situation where each .pc file corresponds to a library, Requires.private shall be used exclusively to specify the dependencies between the libraries.

  Therefore, this patch adds a reference to libmnl in the Requires.private field of libnftnl pkg-config file.

  [baruch: use Requires.private; update commit log]

  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  Signed-off-by: Baruch Siach <baruch@tkos.co.il>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for matching IPv4 options
  Stephen Suryaputra | 2019-07-04 | 2 files | -0/+7

  Add capability to have rules matching IPv4 options. This is developed mainly to support dropping of IP packets with loose and/or strict source route options.

  Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Add ct id support
  Brett Mastbergen | 2019-06-21 | 2 files | -0/+3

  The 'id' key returns the id of the connection entry.

  Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: enable set expiration date for set elements
  Laura Garcia Liebana | 2019-06-21 | 1 file | -0/+5

  Currently, the expiration of every element in a set or map is a read-only parameter generated at kernel side. This change will permit setting a certain expiration date per element that will be required, for example, during stateful replication among several nodes.

  This patch allows propagating NFTA_SET_ELEM_EXPIRATION from userspace to the kernel in order to set the configured value.

  Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: add ct expectation examples
  Stéphane Veyret | 2019-06-19 | 5 files | -0/+600

  Add examples for ct expectations. Add, list and delete ct expectation objects from specified table. Add expectation object to rule.

  Signed-off-by: Stéphane Veyret <sveyret@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add ct expectation support
  Stéphane Veyret | 2019-06-19 | 6 files | -1/+244

  Add support for ct expectation objects, used to define specific expectations.

  Signed-off-by: Stéphane Veyret <sveyret@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: libnftnl 1.1.3 release (tag: libnftnl-1.1.3)
  Pablo Neira Ayuso | 2019-05-27 | 3 files | -2/+3

  Moreover, add missing include/rule.h file to Makefile.am.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: Remove redundant declaration of nftnl_gen_nlmsg_parse()
  Phil Sutter | 2019-05-14 | 1 file | -1/+0

  The duplicated declaration was there since the function's initial introduction as 'nft_gen_nlmsg_parse()'.

  Fixes: 2e66fb09d6936 ("src: add ruleset generation class")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>