* set: dump set backend name (hash, rbtree...) and elem count, if available
  Florian Westphal, 11 days ago, 4 files, -0/+41 (HEAD, master)

  In case the kernel provided the information, do include it in the debug dump:

    nft --debug=netlink list ruleset
    family 2 s t 0 backend nft_set_rhash_type
    family 2 __set0 t 3 size 3 backend nft_set_hash_fast_type count 3
    family 2 __set1 t 3 size 2 backend nft_set_bitmap_type count 2
    [..]

  Signed-off-by: Florian Westphal <fw@strlen.de>

* build: libnftnl 1.2.9 release
  Pablo Neira Ayuso, 2025-04-14, 1 file, -1/+1 (tag libnftnl-1.2.9)

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tunnel: add missing inner nested netlink attribute for vxlan options
  Fernando Fernandez Mancera, 2025-04-14, 1 file, -3/+3

  The VXLAN options must be nested inside the NFTA_TUNNEL_KEY_OPTS_VXLAN netlink attribute.

  Fixes: ea63a05272f5 ("obj: add tunnel support")
  Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* src: remove unused str2XXX helpers
  Zhongqiu Duan, 2025-03-19, 10 files, -158/+0

  After commit 80077787f8f2 ("src: remove json support"), these internal functions are no longer used:

    nftnl_str2hooknum
    nftnl_str2ntoh
    nftnl_str2cmp
    str2ctkey
    str2ctdir
    str2exthdr_op
    str2exthdr_type
    str2meta_key
    nftnl_str2nat
    nftnl_str2range
    str2rt_key
    nftnl_str2hooknum

  Signed-off-by: Zhongqiu Duan <dzq.aishenghu0@gmail.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* expr: ct: print key name of id field
  Zhongqiu Duan, 2025-03-19, 1 file, -1/+1

  Fixes: 005369151ed5 ("include: updated nf_tables.h")
  Signed-off-by: Zhongqiu Duan <dzq.aishenghu0@gmail.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>

* expr: payload: print tunnel header
  Zhongqiu Duan, 2025-03-19, 1 file, -1/+1

  The debug printing of the payload expr shows the tunnel header name as unknown. Since after the first version we added two new payload bases, inner and tunnel, I prefer to make this change to meet possible future extensions rather than setting NFT_PAYLOAD_TUN_HEADER as the new bound.

  Reproduce:

    nft --debug netlink add rule inet t c meta l4proto udp vxlan vni 0x123456

  Before patch:

    ... [ inner type 1 hdrsize 8 flags f [ payload load 3b @ unknown header + 4 => reg 1 ] ] ...

  After patch:

    ... [ inner type 1 hdrsize 8 flags f [ payload load 3b @ tunnel header + 4 => reg 1 ] ] ...

  [ Remove defensive check in original patch --pablo ]

  Fixes: 3f3909afd76d ("expr: add inner support")
  Signed-off-by: Zhongqiu Duan <dzq.aishenghu0@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: Fix for ASAN
  Phil Sutter, 2024-12-04, 2 files, -2/+2

  The 'data' arrays in match and target expression tests were undersized as they did not cover for the terminating NUL-char of the string used to initialize them. When passing such an array to strdup(), the latter reads until after the defined array boundary.

  Fixes: 93483364369d8 ("src: get rid of cached copies of x_tables.h and xt_LOG.h")
  Signed-off-by: Phil Sutter <phil@nwl.cc>

* tests: Extend set test by NFTNL_SET_DESC_CONCAT
  Phil Sutter, 2024-12-04, 1 file, -0/+17

  Just to cover setter and getter code for that attribute.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* set: Fix for array overrun when setting NFTNL_SET_DESC_CONCAT
  Phil Sutter, 2024-12-04, 1 file, -2/+4

  Assuming max data_len of 16 * 4B and no zero bytes in 'data': the while loop will increment field_count, use it as index for the field_len array and afterwards make sure it hasn't increased to NFT_REG32_COUNT. Thus a value of NFT_REG32_COUNT - 1 (= 15) will pass the check, get incremented to 16 and used as index to the 16 fields long array.

  Use a less fancy for-loop to avoid the increment vs. check problem.

  Fixes: 407f616ea5318 ("set: buffer overflow in NFTNL_SET_DESC_CONCAT setter")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
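The increment-versus-check off-by-one described in the message above, as an added example constructed here rather than taken from libnftnl: struct set_desc, copy_fields(), peek() and both counting loops are assumptions shaped after the description, and peek() flags an out-of-range index through *oob instead of dereferencing it, so the faulty loop can be traced without undefined behaviour.

```c
#include <stdint.h>
#include <string.h>

#define NFT_REG32_COUNT 16	/* 16 registers of 4 bytes, as the message assumes */

struct set_desc {
	uint32_t field_len[NFT_REG32_COUNT];	/* max data_len of 16 * 4B */
	uint8_t  field_count;
};

/* Reads field_len[idx], but reports an out-of-range index through *oob
 * and returns 0 instead of dereferencing it (constructed instrumentation). */
static uint32_t peek(const struct set_desc *d, unsigned idx, int *oob)
{
	if (idx >= NFT_REG32_COUNT) { *oob = 1; return 0; }
	return d->field_len[idx];
}

/* Copies the caller's field lengths, zero-padding the rest of the array
 * and refusing a data_len that would overrun it (the earlier memcpy() fix). */
static int copy_fields(struct set_desc *d, const uint32_t *data, size_t data_len)
{
	if (data_len == 0 || data_len > sizeof(d->field_len))
		return -1;
	memset(d->field_len, 0, sizeof(d->field_len));
	memcpy(d->field_len, data, data_len);
	return 0;
}

/* Faulty shape: increment, index, then compare against the bound. With 16
 * non-zero fields, field_count passes the check at 15, becomes 16 and
 * indexes one past the end of field_len (peek() reports it via *oob). */
static int count_fields_buggy(struct set_desc *d, const uint32_t *data, size_t data_len, int *oob)
{
	*oob = 0;
	if (copy_fields(d, data, data_len))
		return -1;
	d->field_count = 0;
	while (peek(d, ++d->field_count, oob) &&
	       d->field_count < NFT_REG32_COUNT)
		;
	return d->field_count;
}

/* Fixed shape: a plain for-loop that tests the bound before indexing. */
static int count_fields_fixed(struct set_desc *d, const uint32_t *data, size_t data_len, int *oob)
{
	*oob = 0;
	if (copy_fields(d, data, data_len))
		return -1;
	for (d->field_count = 0;
	     d->field_count < NFT_REG32_COUNT && peek(d, d->field_count, oob);
	     d->field_count++)
		;
	return d->field_count;
}
```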
* tests: bitwise: add tests for new boolean operations
  Jeremy Sowden, 2024-11-19, 1 file, -0/+105

  We already have tests for mask-and-xor operations with constant RHS operands. Add tests for new operations with variable RHS operands.

  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: bitwise: refactor shift tests
  Jeremy Sowden, 2024-11-19, 1 file, -109/+44

  Deduplicate shift tests: instead of having separate implementations for left- and right-shifts, have one and pass the operation to it.

  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: bitwise: add support for kernel space AND, OR and XOR operations
  Jeremy Sowden, 2024-11-19, 2 files, -2/+56

  Hitherto, the kernel has only supported boolean operations of the form:

    dst = (src & mask) ^ xor

  where `src` is held in a register, and `mask` and `xor` are immediate values. User space has converted AND, OR and XOR operations to this form, and so one operand has had to be immediate.

  The kernel now supports performing AND, OR and XOR operations directly, on one register and an immediate value or on two registers, so we make that support available to user space.

  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
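The mask-and-xor rewrite the message describes, as an added example constructed here (not libnftnl's or the kernel's code): each of AND, OR and XOR with an immediate maps onto the old `dst = (src & mask) ^ xor` primitive, and an exhaustive check over byte values confirms the three identities. The names and the enum are assumptions; the point the code makes is that mask and xor are derived from the immediate when the rule is built, which is why a register RHS needed the new direct kernel operations.

```c
#include <stdint.h>

enum bool_op { BOOL_AND, BOOL_OR, BOOL_XOR };

/* Parameters of the only boolean form available before the change:
 * dst = (src & mask) ^ xor, with mask and xor as immediates. */
struct mask_xor { uint32_t mask; uint32_t xor; };

static uint32_t kernel_mask_xor(uint32_t src, struct mask_xor p)
{
	return (src & p.mask) ^ p.xor;
}

/* User-space rewrite of "src OP imm" into mask-and-xor form. Both
 * constants depend on imm, so imm must be known at rule-build time. */
static struct mask_xor to_mask_xor(enum bool_op op, uint32_t imm)
{
	struct mask_xor p = { ~0u, 0 };	/* identity: (src & all-ones) ^ 0 */

	switch (op) {
	case BOOL_AND: p.mask = imm;  p.xor = 0;   break;	/* src & imm */
	case BOOL_OR:  p.mask = ~imm; p.xor = imm; break;	/* (src & ~imm) ^ imm == src | imm */
	case BOOL_XOR: p.mask = ~0u;  p.xor = imm; break;	/* (src & all-ones) ^ imm */
	}
	return p;
}

/* Reference semantics: what the kernel now evaluates directly, whether
 * the second operand is an immediate or another register. */
static uint32_t direct(enum bool_op op, uint32_t a, uint32_t b)
{
	switch (op) {
	case BOOL_AND: return a & b;
	case BOOL_OR:  return a | b;
	case BOOL_XOR: return a ^ b;
	}
	return 0;
}

/* Evaluates "src OP imm" through the old two-step form. */
static uint32_t via_mask_xor(enum bool_op op, uint32_t src, uint32_t imm)
{
	return kernel_mask_xor(src, to_mask_xor(op, imm));
}

/* Returns 1 when the rewrite agrees with the direct operation for every
 * byte value of src and imm (constructed exhaustive check on the low byte). */
static int rewrite_is_sound(enum bool_op op)
{
	for (uint32_t src = 0; src < 256; src++)
		for (uint32_t imm = 0; imm < 256; imm++)
			if (via_mask_xor(op, src, imm) != direct(op, src, imm))
				return 0;
	return 1;
}
```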
* expr: bitwise: rename some boolean operation functions
  Jeremy Sowden, 2024-11-19, 2 files, -21/+21

  In the next patch we add support for doing AND, OR and XOR operations directly in the kernel, so rename some functions and an enum constant related to mask-and-xor boolean operations.

  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* include: add new bitwise boolean attributes to nf_tables.h
  Jeremy Sowden, 2024-11-19, 1 file, -3/+15

  The kernel now has native support for AND, OR and XOR bitwise operations.

  Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* Use SPDX License Identifiers in headers
  Phil Sutter, 2024-10-30, 126 files, -662/+126

  Replace the copyright notice in header comments by an equivalent SPDX-License-Identifier string. Drop a following empty line if at the bottom of the comment. Leave any other header comment content in place.

  This also fixes an incomplete notice in examples/nft-ruleset-get.c since commit c335442eefcca ("src: incorrect header refers to GPLv2 only").

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>

* Introduce struct nftnl_str_array
  Phil Sutter, 2024-10-29, 9 files, -159/+176

  This data structure holds an array of allocated strings for use in nftnl_chain and nftnl_flowtable structs. For convenience, implement functions to clear, populate and iterate over contents.

  While at it, extend chain and flowtable tests to cover these attributes, too.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>

* include: refresh nf_tables.h copy
  Pablo Neira Ayuso, 2024-10-12, 1 file, -9/+37

  Fetch what we have in the kernel tree.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: libnftnl 1.2.8 release
  Pablo Neira Ayuso, 2024-10-02, 1 file, -1/+1 (tag libnftnl-1.2.8)

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* rule: Don't append a newline when printing a rule
  Phil Sutter, 2024-10-01, 1 file, -6/+4

  Since commit c759027a526ac, printed rules may or may not end with a newline depending on whether userdata was present or not. Deal with this inconsistency by avoiding the trailing newline in all cases.

  Fixes: c759027a526ac ("rule, set_elem: remove trailing \n in userdata snprintf")
  Signed-off-by: Phil Sutter <phil@nwl.cc>

* src: remove scaffolding around deprecated parser functions
  Pablo Neira Ayuso, 2024-09-25, 4 files, -91/+24

  nftnl_.*_do_parse() are of no use anymore, remove them.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* expr: dynset: validate expressions are of nested type
  Florian Westphal, 2024-09-23, 1 file, -2/+3

  This was not handled in the switch statement so far. Also, use proper max value, SET_MAX is larger than what is needed for parsing.

  Signed-off-by: Florian Westphal <fw@strlen.de>

* build: libnftnl 1.2.7 release
  Pablo Neira Ayuso, 2024-07-15, 1 file, -1/+1 (tag libnftnl-1.2.7)

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* table: Support unsetting NFTNL_TABLE_USERDATA attribute
  Phil Sutter, 2024-07-10, 1 file, -0/+3

  Cosmetics, but support unsetting anything that may be set.

  Fixes: 99be0e6d066d7 ("table: add userdata support")
  Signed-off-by: Phil Sutter <phil@nwl.cc>

* chain: Support unsetting NFTNL_CHAIN_USERDATA attribute
  Phil Sutter, 2024-07-10, 1 file, -0/+3

  Cosmetics, but support unsetting anything that may be set.

  Fixes: 76b82c425818e ("chain: add userdata and comment support")
  Signed-off-by: Phil Sutter <phil@nwl.cc>

* expr: limit: Prepare for odd time units
  Phil Sutter, 2024-07-05, 1 file, -11/+39

  When limit->unit is not a known timespan, use the largest possible unit and print the value along with it. This enables libnftnl debug output to correctly print arbitrary quotients, like '3/5 minutes' for instance.

  Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1214
  Suggested-by: Cyril <boite.pour.spam@gmail.com>
  Signed-off-by: Phil Sutter <phil@nwl.cc>

* expr: use NFTA_* netlink attributes to build fields, not NFTNL_EXPR_*
  Pablo Neira Ayuso, 2024-06-23, 2 files, -6/+6

  Coincidentally NFTNL_EXPR_BASE starts at 1 which comes right after NFTA_*_UNSPEC which is zero. And NFTNL_EXPR_ attribute values were mapping to NFTA_* attributes.

  Use NFTA_* for netlink attribute types instead.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* expr: Respect data_len when setting attributes
  Phil Sutter, 2024-04-11, 38 files, -133/+133

  With attr_policy in place, data_len has an upper boundary but it may be lower than the attribute's storage area in which case memcpy() would read garbage.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* obj: Respect data_len when setting attributes
  Phil Sutter, 2024-04-11, 7 files, -35/+35

  With attr_policy in place, data_len has an upper boundary. Use it for memcpy() calls to cover for caller passing data with lower size than the attribute's storage.

  Signed-off-by: Phil Sutter <phil@nwl.cc>

* utils: Introduce and use nftnl_set_str_attr()
  Phil Sutter, 2024-04-11, 7 files, -85/+40

  The function consolidates the necessary code when assigning to string pointer attributes, namely:

  * Conditional free of the previous value
  * Allocation of new value
  * Checking for memory allocation errors
  * Setting respective flag bit

  A new feature previously missing in all call sites is respecting data_len in case the buffer up to that point did not contain a NUL-char.

  Signed-off-by: Phil Sutter <phil@nwl.cc>

* obj: Enforce attr_policy compliance in nftnl_obj_set_data()
  Phil Sutter, 2024-04-11, 1 file, -1/+6

  Every object type defines an attr_policy array, so deny setting attributes for object types which don't have it present or if it specifies a non-zero maxlen which is lower than the given data_len.

  Signed-off-by: Phil Sutter <phil@nwl.cc>

* obj: Introduce struct obj_ops::attr_policy
  Phil Sutter, 2024-04-11, 10 files, -0/+83

  Just like with struct expr_ops::attr_policy, enable object types to inform about restrictions on attribute use. This way generic object code may perform sanity checks before dispatching to object ops.

  Signed-off-by: Phil Sutter <phil@nwl.cc>

* obj: Call obj_ops::set with legal attributes only
  Phil Sutter, 2024-04-11, 10 files, -19/+3

  Refer to obj_ops::nftnl_max_attr field value for the maximum supported attribute value to reject invalid ones upfront. Consequently drop default cases from callbacks' switches which handle all supported attributes.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* obj: Repurpose struct obj_ops::max_attr field
  Phil Sutter, 2024-04-11, 11 files, -10/+19

  Just like with struct expr_ops::max_attr, make it hold the maximum object attribute (NFTNL_OBJ_*) value supported by this object type.

  Signed-off-by: Phil Sutter <phil@nwl.cc>

* obj: Return value on setters
  Phil Sutter, 2024-04-11, 2 files, -24/+31

  Similar to other setters, let callers know if memory allocation fails. Though return value with all setters, as all of them may be used to set object type-specific attributes which may fail (e.g. if NFTNL_OBJ_TYPE was not set before).

  Signed-off-by: Phil Sutter <phil@nwl.cc>

* utils: Fix for wrong variable use in nftnl_assert_validate()
  Phil Sutter, 2024-04-11, 1 file, -2/+5

  This worked by accident as all callers passed a local variable 'attr' as parameter '_attr'.

  Fixes: 7756d31990cd4 ("src: add assertion infrastructure to validate attribute types")
  Signed-off-by: Phil Sutter <phil@nwl.cc>

* obj: synproxy: Use memcpy() to handle potentially unaligned data
  Phil Sutter, 2024-04-11, 1 file, -3/+3

  Analogous to commit dc240913458d5 ("src: Use memcpy() to handle potentially unaligned data").

  Fixes: 609a13fc2999e ("src: synproxy stateful object support")
  Signed-off-by: Phil Sutter <phil@nwl.cc>

* obj: Do not call nftnl_obj_set_data() with zero data_len
  Phil Sutter, 2024-04-11, 1 file, -1/+1

  Pass 'strlen() + 1' as length parameter when setting string attributes, just like other string setters do.

  Fixes: 5573d0146c1ae ("src: support for stateful objects")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* table: Validate NFTNL_TABLE_OWNER, too
  Phil Sutter, 2024-04-11, 1 file, -0/+1

  Fixes: 985955fe41f53 ("table: add table owner support")
  Signed-off-by: Phil Sutter <phil@nwl.cc>

* set: Validate NFTNL_SET_ID, too
  Phil Sutter, 2024-04-11, 1 file, -0/+1

  Fixes: 26298a9ffc2e2 ("set: add set ID support")
  Signed-off-by: Phil Sutter <phil@nwl.cc>

* obj: Validate NFTNL_OBJ_TYPE, too
  Phil Sutter, 2024-04-11, 1 file, -0/+1

  Fixes: 5573d0146c1ae ("src: support for stateful objects")
  Signed-off-by: Phil Sutter <phil@nwl.cc>

* flowtable: Validate NFTNL_FLOWTABLE_SIZE, too
  Phil Sutter, 2024-04-11, 1 file, -0/+1

  Fixes: cdaea7f1ced05 ("flowtable: allow to specify size")
  Signed-off-by: Phil Sutter <phil@nwl.cc>

* table: Validate NFTNL_TABLE_USE, too
  Phil Sutter, 2024-04-11, 1 file, -0/+1

  Fixes: 53c0ff324598c ("src: add nft_*_attr_{set|get}_data interface")
  Signed-off-by: Phil Sutter <phil@nwl.cc>

* chain: Validate NFTNL_CHAIN_USE, too
  Phil Sutter, 2024-04-11, 1 file, -0/+1

  Fixes: 53c0ff324598c ("src: add nft_*_attr_{set|get}_data interface")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* expr: Enforce attr_policy compliance in nftnl_expr_set()
  Phil Sutter, 2024-03-06, 1 file, -0/+7

  Every expression type defines an attr_policy array, so deny setting attributes if not present. Also deny if maxlen field is non-zero and lower than the given data_len.

  Some attributes' max length is not fixed (e.g. NFTNL_EXPR_{TG,MT}_INFO) or is not sensible to check (e.g. NFTNL_EXPR_DYNSET_EXPR). The zero maxlen "nop" is also used for deprecated attributes, just to not silently ignore them.

  Signed-off-by: Phil Sutter <phil@nwl.cc>

* expr: Introduce struct expr_ops::attr_policy
  Phil Sutter, 2024-03-06, 40 files, -0/+316

  Similar to kernel's nla_policy, enable expressions to inform about restrictions on attribute use. This allows the generic expression code to perform sanity checks before dispatching to expression ops.

  For now, this holds only the maximum data len which may be passed to nftnl_expr_set(). While one may debate whether accepting e.g. uint32_t for sreg/dreg attributes is correct, it is necessary to not break nftables.

  Note that this introduces artificial restrictions on name lengths which were caught by the kernel (if nftables didn't).

  Signed-off-by: Phil Sutter <phil@nwl.cc>

* include: Sync nf_log.h with kernel headers
  Phil Sutter, 2024-03-06, 1 file, -0/+3

  Next patch needs NF_LOG_PREFIXLEN define.

  Signed-off-by: Phil Sutter <phil@nwl.cc>

* expr: Call expr_ops::set with legal types only
  Phil Sutter, 2024-03-06, 34 files, -66/+3

  Having the new expr_ops::nftnl_max_attr field in place, the valid range of attribute type values is known now. Reject illegal ones upfront. Consequently drop the default case from callbacks' switches which handle all supported attributes.

  Signed-off-by: Phil Sutter <phil@nwl.cc>

* expr: Repurpose struct expr_ops::max_attr field
  Phil Sutter, 2024-03-06, 41 files, -40/+79

  Instead of holding the maximum kernel space (NFTA_*) attribute value, use it to hold the maximum expression attribute (NFTNL_EXPR_*) value instead. This will be used for index boundary checks in an attribute policy array later.

  Signed-off-by: Phil Sutter <phil@nwl.cc>

* tests: Fix objref test case
  Phil Sutter, 2024-03-06, 1 file, -1/+1

  Probably a c'n'p bug, the test would allocate a lookup expression instead of the objref one to be tested.

  Fixes: b4edb4fc558ac ("expr: add stateful object reference expression")
  Signed-off-by: Phil Sutter <phil@nwl.cc>

* utils: remove unused code
  Pablo Neira Ayuso, 2024-02-26, 2 files, -213/+0

  Remove several internal code that have no use these days:

  - nftnl_str2family
  - nftnl_strtoi
  - nftnl_get_value
  - enum nftnl_type

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>