summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* src: return value on setters that internally allocate memoryPablo Neira Ayuso2016-06-1513-60/+79
| | | | | | | | So the client can bail out of memory allocation errors. Or in case of daemon, make sure things are left in consistent state before bailing out. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: assert when setting unknown attributesPablo Neira Ayuso2016-06-157-15/+22
| | | | | | | | | | | | If this attribute is not supported by the library, we should rise an assertion so the client knows something is wrong, instead of silently going through. The only case I can think may hit this problem is version mismatch between library and tools. This should not ever really happen, so better bail out from the library itself in this case. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Fix leak in nftnl_*_unset()Carlos Falgueras García2016-06-142-0/+4
| | | | | | | Fix leak of NFTNL_*_USERDATA from unset() functions. Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: payload: don't use deprecated definition NFT_EXPR_PAYLOAD_SREGPablo Neira Ayuso2016-06-101-1/+1
| | | | | | Use NFTNL_EXPR_PAYLOAD_SREG instead. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: nft-table-upd: don't use deprecated aliasesPablo Neira Ayuso2016-06-071-10/+10
| | | | | | Convert this example not to use the deprecated aliases anymore. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: update LIBVERSION to prepare a new releaselibnftnl-1.0.6Pablo Neira Ayuso2016-05-302-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bump Current and Age accordingly, given that we got new interfaces. This git repository shows these changes in the map file since previous release: $ git diff libnftnl-1.0.5..HEAD src/libnftnl.map --- a/src/libnftnl.map +++ b/src/libnftnl.map @@ -498,3 +498,33 @@ global: local: *; }; + +LIBNFTNL_4.1 { + nftnl_trace_alloc; + nftnl_trace_free; + + nftnl_trace_is_set; + + nftnl_trace_get_u16; + nftnl_trace_get_u32; + nftnl_trace_get_u64; + nftnl_trace_get_str; + nftnl_trace_get_data; + + nftnl_trace_nlmsg_parse; + + nftnl_udata_buf_alloc; + nftnl_udata_buf_free; + nftnl_udata_buf_len; + nftnl_udata_buf_data; + nftnl_udata_buf_put; + nftnl_udata_start; + nftnl_udata_end; + nftnl_udata_put; + nftnl_udata_put_strz; + nftnl_udata_type; + nftnl_udata_len; + nftnl_udata_get; + nftnl_udata_next; + nftnl_udata_parse; +} LIBNFTNL_4; Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: Copy user data memoryCarlos Falgueras García2016-05-301-2/+8
| | | | | | | All attributes are passed by copy, so user data should be copied too. Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: Fix memory leakCarlos Falgueras García2016-05-251-0/+3
| | | | | | | | | | | | User data must be freed. How to reproduce: > nft add table t > nft add set t s {type ipv4_addr\;} > valgrind nft add element t s {1.1.1.1} Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: Fix segfault due to invalid free of rule user dataCarlos Falgueras García2016-05-251-1/+5
| | | | | | | | | | If the user allocates a nftnl_udata_buf and then passes the TLV data to nftnl_rule_set_data, the pointer stored in rule.user.data is not the begining of the allocated block. In this situation, if it calls to nftnl_rule_free, it tries to free this pointer and segfault is thrown. Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: Free nftnl_udata_buf before exitCarlos Falgueras García2016-05-251-0/+1
| | | | | Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftnl: gitignore: Fix mistake in gitignore regexpCarlos Falgueras García2016-05-201-2/+2
| | | | | | | | | If a whole directory was ignored, files inside it will not be checked. Fixes: f3d37ef ("libnftnl: Add to .gitignore all auto-generated files") Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: refresh nf_tables.h cache copyPablo Neira Ayuso2016-05-202-4/+19
| | | | | | | | | | | | Refresh the cached header file. This includes a small fix to avoid this compilation warning after refreshing the header: trace.c: In function 'nftnl_trace_parse_attr_cb': trace.c:87:2: warning: enumeration value 'NFTA_TRACE_PAD' not handled in switch [-Wswitch] Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftnl: Add to .gitignore all auto-generated filesCarlos Falgueras García2016-05-171-0/+7
| | | | | | | | It ignores files inside test/ and examples/ except all c code (*.c) and the Makefile.am. Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: missing constification of _get() functionsPablo Neira Ayuso2016-05-132-16/+16
| | | | | | These functions don't modify the chain object. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: missing static in several array definitionsPablo Neira Ayuso2016-05-092-2/+2
| | | | | | | They are not used out of the scope of the C file where they are defined, so we can statify them. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove unnecessary inline in _snprintf functionsPablo Neira Ayuso2016-05-096-18/+13
| | | | | | | These functions are passed as parameter, so we basically get nothing with this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftnl: constify object arguments to various functionsPatrick McHardy2016-05-0947-276/+312
| | | | | | | | | flow table support needs constant object arguments to printing functions to avoid ugly casts. While at it, also constify object arguments to message construction, destructor and a few helper functions. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftnl: allow any set name lengthPablo Neira Ayuso2016-05-052-16/+24
| | | | | | | | Unfortunately libnftnl restricts the set names in the lookup and dynset expressions to 16 bytes. Remove this restriction so this can work with the upcoming 4.7 Linux kernel. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: load modules when adding chains or tablesDaniel Wagner2016-04-292-2/+2
| | | | | | | | Tell the kernel to load the necessary modules by adding the NLM_F_CREATE flag. Signed-off-by: Daniel Wagner <daniel.wagner@bmw-carit.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: ct: fix typo unknow vs unknownArturo Borrero2016-04-191-1/+1
| | | | | | | Reported by Debian's lintian tool. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* rule: fix leaks in NFTNL_RULE_USERDATAPablo Neira Ayuso2016-04-151-0/+5
| | | | | | | Fix leaks in nftnl_rule_free() and nftnl_rule_set_data(). Reported-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: expr-nat: Use different values to testShivani Bhardwaj2016-04-151-6/+6
| | | | | | | | Tests are more effective if different values are set so, use different values for every expression. Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: nft-rule-test: check for NFTNL_RULE_USERDATACarlos Falgueras García2016-04-141-0/+21
| | | | | | | Modify nft-rule-test.c to check TLV attribute inclusion in nftnl_rule. Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* udata: add TLV user data infrastructureCarlos Falgueras García2016-04-147-0/+245
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | These functions allow to create a buffer (struct nftnl_udata_buf) of user data attributes in TLV format (struct nftnl_udata). It is inspired by libmnl/src/attr.c. It can be used to store several TLVs sequentially into an object. Example: struct nftnl_udata_buf *buf; struct nftnl_udata *attr; const char *str = "Hello World!"; buf = nftnl_udata_buf_alloc(UDATA_SIZE); if (!buf) { perror("OOM"); exit(EXIT_FAILURE); } if (!nftnl_udata_put_strz(buf, MY_TYPE, str)) { perror("Can't put attribute \"%s\"", str); exit(EXIT_FAILURE); } nftnl_udata_for_each(buf, attr) printf("%s\n", (char *)nftnl_udata_attr_value(attr)); nftnl_udata_buf_free(buf); Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* trace: fix missing NFTNL_TRACE_JUMP_TARGET in nftnl_trace_get_str()Patrick McHardy2016-03-101-0/+1
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* trace: fix multiple copy and paste errorsPatrick McHardy2016-03-041-38/+13
| | | | | | Fix duplicated and incorrect assignments. Signed-off-by: Patrick McHardy <kaber@trash.net>
* expr: masq: Add support for port selectionShivani Bhardwaj2016-03-034-3/+71
| | | | | | | Complete masquerading support by allowing port range selection. Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: meta: add prandom supportFlorian Westphal2016-02-022-1/+4
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* expr: add forward expressionPablo Neira Ayuso2016-02-017-0/+300
| | | | | | Add forward expression for the netdev family. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: ct: add packet and byte counter supportFlorian Westphal2016-01-142-1/+5
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: limit: add support for flagsPablo Neira Ayuso2016-01-134-4/+35
| | | | | | | This patch adds the limit flags, the first client of this is the inversion flag that allows us to match overlimit. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add trace infrastructure supportFlorian Westphal2015-11-277-0/+574
| | | | | | | | | parses trace monitor netlink messages from the kernel and builds nftnl_trace struct that contains the dissected information. Provides getters to access these attributes. Signed-off-by: Florian Westphal <fw@strlen.de>
* payload: add payload mangling supportPatrick McHardy2015-11-253-4/+77
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: rename EXPORT_SYMBOL to EXPORT_SYMBOL_ALIASFlorian Westphal2015-11-2412-218/+220
| | | | | | | Future symbols don't need backwards-compat aliases. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Add support to print netdev familyVijay Subramanian2015-11-061-0/+1
| | | | | | | | When we lookup the family, return "netdev" for NFPROTO_NETDEV instead of "unknown". Signed-off-by: Vijay Subramanian <subramanian.vijay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: fix segfault in 'device' XML parsingArturo Borrero2015-10-131-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | Reported by valgrind: [...] ==14065== Process terminating with default action of signal 11 (SIGSEGV) ==14065== Access not within mapped region at address 0x0 ==14065== at 0x4C2C022: strlen (vg_replace_strmem.c:454) ==14065== by 0x4E41A93: nftnl_chain_set_str (chain.c:259) ==14065== by 0x4E427F7: nftnl_mxml_chain_parse (chain.c:770) ==14065== by 0x4E48F96: nftnl_ruleset_parse_chains (ruleset.c:314) ==14065== by 0x4E4959A: nftnl_ruleset_xml_parse_ruleset (ruleset.c:625) ==14065== by 0x4E4959A: nftnl_ruleset_xml_parse_cmd (ruleset.c:668) ==14065== by 0x4E4959A: nftnl_ruleset_xml_parse (ruleset.c:706) ==14065== by 0x4E4959A: nftnl_ruleset_do_parse (ruleset.c:734) ==14065== by 0x4013C9: test_xml (nft-parsing-test.c:166) ==14065== by 0x4016F4: execute_test (nft-parsing-test.c:214) ==14065== by 0x400EBA: main (nft-parsing-test.c:330) [...] While at it, fix a bit the coding style. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: Fix nft-table-upd exampleVijay Subramanian2015-10-121-13/+41
| | | | | | | | | | | | examples/nft-table-upd does not work currently since NFT_MSG_NEWTABLE needs to use batching mode of netlink message delivery. This patch adds batching to nft-table-upd example. While here, also add support for netdev family. Signed-off-by: Vijay Subramanian <subramanian.vijay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: Fix compilation with JSON and XML parsing enabledVijay Subramanian2015-10-122-9/+6
| | | | | | | | Fix missing/incorrect variables. Also remove unsed variables to avoid warnings. Signed-off-by: Vijay Subramanian <subramanian.vijay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: dup: fix missing space in text outputPablo Neira Ayuso2015-09-291-2/+2
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add dup expression supportPablo Neira Ayuso2015-09-217-0/+337
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: limit: add per-byte limiting supportPablo Neira Ayuso2015-09-214-3/+49
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: limit: add burst attributePablo Neira Ayuso2015-09-215-2/+36
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bump version to 1.0.5libnftnl-1.0.5Pablo Neira Ayuso2015-09-171-1/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump library versioningJan Engelhardt2015-09-172-13/+4
| | | | | | | | | | Commit libnftnl-1.0.3-31-g5ea54b2 removed a symbol. Such requires a bumped to n+1:0:0. The symbol groups can be merged again to save time processing them as the groups are relative to a particular SONAME (of which we have a new one). Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bump version to 1.0.4libnftnl-1.0.4Pablo Neira Ayuso2015-09-162-2/+2
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: get rid of _attr_ infix in new nftnl_ definitionsPablo Neira Ayuso2015-09-0740-602/+602
| | | | | | | The function names are already large, trim off the _ATTR_ infix in the attribute definitions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: get rid of _ATTR_ infix in new nfntl_ definitionsPablo Neira Ayuso2015-09-0737-677/+677
| | | | | | | The constant names are already large, trim off the _ATTR_ infix in the attribute definitions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename NFTNL_RULE_EXPR_ATTR to NFTNL_EXPR_Pablo Neira Ayuso2015-09-072-28/+28
| | | | | | So we get a shorter constant definition for expression attributes. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: rename nftnl_rule_expr to nftnl_exprPablo Neira Ayuso2015-09-0755-1229/+1229
| | | | | | | Use a shorter name for this, morever this can be used from sets so the _rule_ is misleading. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add compat header file definitionsPablo Neira Ayuso2015-09-0710-1/+696
| | | | | | | | | | | This patch restores the original nft_* definitions from the header files to avoid sudden compilation breakage of the existing clients of this library. Then, moving forward the idea is to deprecate the old nft_* symbols anytime soon using __attribute__((deprecated)) from the header files to warn our users that they need to update their code. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>