| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
| |
A common idiom among snprintf callbacks was to copy the unsigned
parameter 'size' (or 'len') into a signed variable for further use.
Though since snprintf() itself casts it to unsigned and
SNPRINTF_BUFFER_SIZE() does not allow it to become negative, this is not
needed. Drop the local variable and rename the parameter accordingly.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
| |
The function nftnl_data_reg_snprintf is exclusively called with
NFTNL_OUTPUT_DEFAULT as parameter, others are not supported - just drop
it.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
| |
There is but a single supported output type left, so check it in expr.c
and drop all the single option switch statements in individual
expressions.
Since the parameter is now unused (and to ensure code correctness), drop
'type' parameter from struct expr_ops' snprintf callback.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
| |
Subsequent calls to snprintf() sometimes reuse 'len' variable although
they should refer to the updated value in 'remain' instead.
Fixes: 676ea569bbe5a ("src: Change parameters of SNPRINTF_BUFFER_SIZE macro.")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
| |
No point in printing the unset register value (which is zero then).
Fixes: af0c182670837 ("expr: masq: Add support for port selection")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
| |
These functions were used by removed JSON parser only.
Fixes: 80077787f8f21 ("src: remove json support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
| |
Function str2tunnel_key() was never used.
Fixes: 42468fb6df61a ("expr: add support for matching tunnel metadata")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
| |
Function str2socket_key() was never used.
Fixes: 038d226f2e6cc ("src: Add support for native socket matching")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
| |
This patch adds support for the dynset flags.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
NFTNL_EXPR_DYNSET_EXPR defines the stateful expression type that
an element stores when added from the packet path.
This patch adds support for the set expression list, which generalizes
NFTNL_EXPR_DYNSET_EXPR.
This patch also adds nftnl_expr_add_expr() to add new expressions to
elements and nftnl_set_expr_expr_foreach() to iterate over the list of
expressions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Introduce a flag to allow toggling the '0x' prefix when printing data
values, then use the existing routines to print data registers from
set_elem code.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
| |
Registers are formatted as 'reg %u' everywhere apart from in bitwise
expressions where they are formatted as 'reg=%u'. Change bitwise to
match.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Add missing NFT_SOCKET_WILDCARD definition.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
his patch allows you to refer to chains via the chain ID. The semantics
are similar to the NFTA_RULE_ID attribute.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
==22778==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x7f3212406518 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9518)
#1 0x7f321041703e in nftnl_expr_alloc /home/pablo/devel/scm/git-netfilter/libnftnl/src/expr.c:37
#2 0x7f3211d51c16 in netlink_gen_limit_stmt /home/pablo/devel/scm/git-netfilter/nftables/src/netlink_linearize.c:859
#3 0x7f3211d5220c in netlink_gen_stmt_stateful /home/pablo/devel/scm/git-netfilter/nftables/src/netlink_linearize.c:891
#4 0x7f3211d58630 in netlink_gen_meter_stmt /home/pablo/devel/scm/git-netfilter/nftables/src/netlink_linearize.c:1441
[...]
SUMMARY: AddressSanitizer: 64 byte(s) leaked in 1 allocation(s).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
==4876==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 9 byte(s) in 1 object(s) allocated from:
#0 0x7f4e2c16b810 in strdup (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a810)
#1 0x7f4e2a39906f in nftnl_expr_objref_set expr/objref.c:45
#2 0x7f4e2a39906f in nftnl_expr_objref_set expr/objref.c:35
Direct leak of 16 byte(s) in 2 object(s) allocated from:
#0 0x7f4018aa0810 in strdup (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a810)
#1 0x7f4016b660af in nftnl_expr_objref_set expr/objref.c:53
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This reverts commit 75b8778e5bf630a3fc13e5d76bc64838135f02a9. Kernel
support for this new feature might be reworked, keep this back.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Print combination of registers and flags.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
The kernel supports passing mask and xor values for bitwise boolean
operations via registers. These are mutually exclusive with the
existing data attributes: e.g., setting both NFTA_EXPR_BITWISE_MASK and
NFTA_EXPR_BITWISE_MREG is an error. Add support to libnftnl.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
The kernel supports bitwise shifts. Add support to libnftnl.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Add code to set and get the new op and data attributes. The existing
boolean bitwise expressions will only use the op attribute.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Move the code for printing boolean expressions into a separate function.
Another function will be added for shifts later.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Almost everything in this header is unused. The command defines
used in utils.c don't seem to be justified and have just been
replaced by their strings
Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Cc: Martin Willi <martin@strongswan.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
| |
Signed-off-by: Ander Juaristi <a@juaristi.eus>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Ander Juaristi <a@juaristi.eus>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This only affects debug output, the key was properly handled in
productive code paths already.
Signed-off-by: wenxu <wenxu@ucloud.cn>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This only affects debug output, the key was properly handled in
productive code paths already.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Add capability to have rules matching IPv4 options. This is developed
mainly to support dropping of IP packets with loose and/or strict source
route route options.
Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
The 'id' key returns the id of the connection entry
Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
A better way to implement this from userspace has been found without
specific code in the kernel side, revert this.
Fixes: bb4b75aea5c0 ("expr: add map lookups for hash statements")
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
A better way to implement this from userspace has been found without
specific code in the kernel side, revert this.
Fixes: b97f45c2ebaa ("expr: add map lookups for numgen statements")
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These functions are not very useful, rule comparison from this layer
does not work well with implicit set definitions.
This infrastructure was added as an attempt to support for deletion by
name from this layer, which should be done from higher level libnftables
library. Finally, we never had a client for this code in
git.netfilter.org.
Let's remove it and bump libversion for safety reasons.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rolf Eike Beer <eike@sf-mail.de> reported that nft-expr_quota-test fails
with a SIGBUS on SPARC due to unaligned accesses. This patch resolves
that and fixes additional sources of unaligned accesses matching the
same pattern. Both nft-expr_quota-test and nft-expr_objref-test
generated unaligned accesses on DEC Alpha.
Bug: https://bugs.gentoo.org/666448
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
We have better json support in libnftables these days.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Joint work with Máté Eckl.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This code, which is enabled via --with-json-parsing, doesn't compile.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
When setting NFTNL_EXPR_EXTHDR_TYPE, one needs to call
nftnl_expr_set_u8() and not nftnl_expr_set_u32(). Otherwise 'type'
variable is assigned to uint32_t parameter before being passed to
nftnl_expr_exthdr_set() as void pointer which casts it to uint8_t.
On big endian systems, the latter would only consider the most
significant byte instead of the least significant one.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
|
|
|
|
|
|
|
|
| |
Since reg->len is a 32bit variable, one needs to pass NFTNL_TYPE_U32 to
nftnl_jansson_parse_val(). Otherwise, only the most significant byte in
that variable is being written to.
Since the value could potentially be larger than 255, increase node_name
buffer to avoid a compiler warning.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|