| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
| |
In case kernel provided the information do include it in debug dump:
nft --debug=netlink list ruleset
family 2 s t 0 backend nft_set_rhash_type
family 2 __set0 t 3 size 3 backend nft_set_hash_fast_type count 3
family 2 __set1 t 3 size 2 backend nft_set_bitmap_type count 2
[..]
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
The VXLAN options must be nested inside the NFTA_TUNNEL_KEY_OPTS_VXLAN
netlink attribute.
Fixes: ea63a05272f5 ("obj: add tunnel support")
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
After commit 80077787f8f2 ("src: remove json support"), these internal
functions are no longer used:
nftnl_str2hooknum
nftnl_str2ntoh
nftnl_str2cmp
str2ctkey
str2ctdir
str2exthdr_op
str2exthdr_type
str2meta_key
nftnl_str2nat
nftnl_str2range
str2rt_key
nftnl_str2hooknum
Signed-off-by: Zhongqiu Duan <dzq.aishenghu0@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Fixes: 005369151ed5 ("include: updated nf_tables.h")
Signed-off-by: Zhongqiu Duan <dzq.aishenghu0@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The debug printing of the payload expr shows the tunnel header name as
unknown. Since after the first version we added two new payload bases
inner and tunnel, I prefer to make this change to meet possible future
extensions rather than setting NFT_PAYLOAD_TUN_HEADER as the new bound.
Reproduce:
nft --debug netlink add rule inet t c meta l4proto udp vxlan vni 0x123456
Before patch:
...
[ inner type 1 hdrsize 8 flags f [ payload load 3b @ unknown header + 4 => reg 1 ] ]
...
After patch:
...
[ inner type 1 hdrsize 8 flags f [ payload load 3b @ tunnel header + 4 => reg 1 ] ]
...
[ Remove defensive check in original patch --pablo ]
Fixes: 3f3909afd76d ("expr: add inner support")
Signed-off-by: Zhongqiu Duan <dzq.aishenghu0@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
The 'data' arrays in match and target expression tests were undersized
as they did not cover for the terminating NUL-char of the string used to
initialize them. When passing such array to strdup(), the latter reads
until after the defined array boundary.
Fixes: 93483364369d8 ("src: get rid of cached copies of x_tables.h and xt_LOG.h")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
| |
Just to cover setter and getter code for that attribute.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Assuming max data_len of 16 * 4B and no zero bytes in 'data':
The while loop will increment field_count, use it as index for the
field_len array and afterwards make sure it hasn't increased to
NFT_REG32_COUNT. Thus a value of NFT_REG32_COUNT - 1 (= 15) will pass
the check, get incremented to 16 and used as index to the 16 fields long
array.
Use a less fancy for-loop to avoid the increment vs. check problem.
Fixes: 407f616ea5318 ("set: buffer overflow in NFTNL_SET_DESC_CONCAT setter")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
We already have tests for mask-and-xor operations with constant RHS
operands. Add tests for new operations with variable RHS operands.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Deduplicate shift tests: instead of having separate implementations
for left- and right-shifts, have one and pass the operation to it.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Hitherto, the kernel has only supported boolean operations of the form:
dst = (src & mask) ^ xor
where `src` is held in a register, and `mask` and `xor` are immediate
values. User space has converted AND, OR and XOR operations to this
form, and so one operand has had to be immediate. The kernel now
supports performing AND, OR and XOR operations directly, on one register
and an immediate value or on two registers, so we make that support
available to user space.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
In the next patch we add support for doing AND, OR and XOR operations
directly in the kernel, so rename some functions and an enum constant
related to mask-and-xor boolean operations.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
The kernel now has native support for AND, OR and XOR bitwise
operations.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Replace the copyright notice in header comments by an equivalent
SPDX-License-Identifier string. Drop a following empty line if at the
bottom of the comment. Leave any other header comment content in place.
This also fixes for an incomplete notice in examples/nft-ruleset-get.c
since commit c335442eefcca ("src: incorrect header refers to GPLv2
only").
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This data structure holds an array of allocated strings for use in
nftnl_chain and nftnl_flowtable structs. For convenience, implement
functions to clear, populate and iterate over contents.
While at it, extend chain and flowtable tests to cover these attributes,
too.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Fetch what we have in the kernel tree.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Since commit c759027a526ac, printed rules may or may not end with a
newline depending on whether userdata was present or not. Deal with this
inconsistency by avoiding the trailing newline in all cases.
Fixes: c759027a526ac ("rule, set_elem: remove trailing \n in userdata snprintf")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
| |
nftnl_.*_do_parse() are of no use anymore, remove them.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This was not handled in the switch statement so far.
Also, use proper max value, SET_MAX is larger than what is needed for
parsing.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Cosmetics, but support unsetting anything that may be set.
Fixes: 99be0e6d066d7 ("table: add userdata support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Cosmetics, but support unsetting anything that may be set.
Fixes: 76b82c425818e ("chain: add userdata and comment support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
| |
When limit->unit is not a known timespan, use the largest possible unit
and print the value along with it. This enables libnftnl debug output to
correctly print arbitrary quotients, like '3/5 minutes' for instance.
Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1214
Suggested-by: Cyril <boite.pour.spam@gmail.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
| |
Coincidentally NFTNL_EXPR_BASE starts at 1 which comes right after
NFTA_*_UNSPEC which is zero. And NFTNL_EXPR_ attribute values were
mapping to NFTA_* attributes.
Use NFTA_* for netlink attribute types instead.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
With attr_policy in place, data_len has an upper boundary but it may be
lower than the attribute's storage area in which case memcpy() would
read garbage.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
With attr_policy in place, data_len has an upper boundary. Use it for
memcpy() calls to cover for caller passing data with lower size than the
attribute's storage.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The function consolidates the necessary code when assigning to string
pointer attributes, namely:
* Conditional free of the previous value
* Allocation of new value
* Checking for memory allocation errors
* Setting respective flag bit
A new feature previously missing in all call sites is respecting
data_len in case the buffer up to that point did not contain a NUL-char.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
Every object type defines an attr_policy array, so deny setting
attributes for object types which don't have it present or if it
specifies a non-zero maxlen which is lower than the given data_len.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
Just like with struct expr_ops::attr_policy, enable object types to
inform about restrictions on attribute use. This way generic object code
may perform sanity checks before dispatching to object ops.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
| |
Refer to obj_ops::nftnl_max_attr field value for the maximum supported
attribute value to reject invalid ones upfront.
Consequently drop default cases from callbacks' switches which handle
all supported attributes.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Just like with struct expr_ops::max_attr, make it hold the maximum
object attribute (NFTNL_OBJ_*) value supported by this object type.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
| |
Similar to other setters, let callers know if memory allocation fails.
Though return value with all setters, as all of them may be used to set
object type-specific attributes which may fail (e.g. if NFTNL_OBJ_TYPE
was not set before).
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
This worked by accident as all callers passed a local variable 'attr' as
parameter '_attr'.
Fixes: 7756d31990cd4 ("src: add assertion infrastructure to validate attribute types")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
Analogous to commit dc240913458d5 ("src: Use memcpy() to handle
potentially unaligned data").
Fixes: 609a13fc2999e ("src: synproxy stateful object support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
Pass 'strlen() + 1' as length parameter when setting string attributes,
just like other string setters do.
Fixes: 5573d0146c1ae ("src: support for stateful objects")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
| |
Fixes: 985955fe41f53 ("table: add table owner support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
| |
Fixes: 26298a9ffc2e2 ("set: add set ID support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
| |
Fixes: 5573d0146c1ae ("src: support for stateful objects")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
| |
Fixes: cdaea7f1ced05 ("flowtable: allow to specify size")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
| |
Fixes: 53c0ff324598c ("src: add nft_*_attr_{set|get}_data interface")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
| |
Fixes: 53c0ff324598c ("src: add nft_*_attr_{set|get}_data interface")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Every expression type defines an attr_policy array, so deny setting
attributes if not present. Also deny if maxlen field is non-zero and
lower than the given data_len.
Some attributes' max length is not fixed (e.g. NFTNL_EXPR_{TG,MT}_INFO )
or is not sensible to check (e.g. NFTNL_EXPR_DYNSET_EXPR). The zero
maxlen "nop" is also used for deprecated attributes, just to not
silently ignore them.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Similar to kernel's nla_policy, enable expressions to inform about
restrictions on attribute use. This allows the generic expression code
to perform sanity checks before dispatching to expression ops.
For now, this holds only the maximum data len which may be passed to
nftnl_expr_set().
While one may debate whether accepting e.g. uint32_t for sreg/dreg
attributes is correct, it is necessary to not break nftables.
Note that this introduces artificial restrictions on name lengths which
were caught by the kernel (if nftables didn't).
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
| |
Next patch needs NF_LOG_PREFIXLEN define.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
| |
Having the new expr_ops::nftnl_max_attr field in place, the valid range
of attribute type values is known now. Reject illegal ones upfront.
Consequently drop the default case from callbacks' switches which handle
all supported attributes.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
| |
Instead of holding the maximum kernel space (NFTA_*) attribute value,
use it to hold the maximum expression attribute (NFTNL_EXPR_*) value
instead. This will be used for index boundary checks in an attribute
policy array later.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
Probably a c'n'p bug, the test would allocate a lookup expression
instead of the objref one to be tested.
Fixes: b4edb4fc558ac ("expr: add stateful object reference expression")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
| |
Remove several internal code that have no use these days:
- nftnl_str2family
- nftnl_strtoi
- nftnl_get_value
- enum nftnl_type
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
