summaryrefslogtreecommitdiffstats
path: root/src/obj
Commit message (Collapse)AuthorAgeFilesLines
* obj/ct_timeout: Fix NFTA_CT_TIMEOUT_DATA parserPhil Sutter2019-10-171-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | This is a necessary follow-up on commit 00b144bc9d093 ("obj/ct_timeout: Avoid array overrun in timeout_parse_attr_data()") which fixed array out of bounds access but missed the logic behind it: The nested attribute type values are incremented by one when being transferred between kernel and userspace, the zero type value is reserved for "unspecified". Kernel uses CTA_TIMEOUT_* symbols for that, libnftnl simply mangles the type values in nftnl_obj_ct_timeout_build(). Return path was broken as it overstepped its nlattr array but apart from that worked: Type values were decremented by one in timeout_parse_attr_data(). This patch moves the type value mangling into parse_timeout_attr_policy_cb() (which still overstepped nlattr array). Consequently, when copying values from nlattr array into ct timeout object in timeout_parse_attr_data(), loop is adjusted to start at index 0 and the type value decrement is dropped there. Fixes: 0adceeab1597a ("src: add ct timeout support") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* obj/ct_timeout: Avoid array overrun in timeout_parse_attr_data()Phil Sutter2019-10-151-1/+1
| | | | | | | | | | Array 'tb' has only 'attr_max' elements, the loop overstepped its boundary by one. Copy array_size() macro from include/utils.h in nftables.git to make sure code does the right thing. Fixes: 0adceeab1597a ("src: add ct timeout support") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* obj/tunnel: Fix for undefined behaviourPhil Sutter2019-10-151-3/+3
| | | | | | | | | | | | Cppcheck complains: Shifting signed 32-bit value by 31 bits is undefined behaviour. Indeed, NFTNL_OBJ_TUNNEL_ERSPAN_V2_DIR enum value is 31. Make sure behaviour is as intended by shifting unsigned 1. Fixes: ea63a05272f54 ("obj: add tunnel support") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* obj: ct_timeout: Check return code of mnl_attr_parse_nested()Phil Sutter2019-10-151-3/+6
| | | | | | | | | Don't ignore nested attribute parsing errors, this may hide bugs in users' code. Fixes: 0adceeab1597a ("src: add ct timeout support") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: synproxy stateful object supportFernando Fernandez Mancera2019-09-101-0/+161
| | | | | | | This patch adds synproxy stateful object support. Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add ct expectation supportStéphane Veyret2019-06-191-0/+213
| | | | | | | | Add support for ct expectation objects, used to define specific expectations. Signed-off-by: Stéphane Veyret <sveyret@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Use memcpy() to handle potentially unaligned dataMatt Turner2018-10-196-28/+28
| | | | | | | | | | | | Rolf Eike Beer <eike@sf-mail.de> reported that nft-expr_quota-test fails with a SIGBUS on SPARC due to unaligned accesses. This patch resolves that and fixes additional sources of unaligned accesses matching the same pattern. Both nft-expr_quota-test and nft-expr_objref-test generated unaligned accesses on DEC Alpha. Bug: https://bugs.gentoo.org/666448 Signed-off-by: Matt Turner <mattst88@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* obj: secmark: remove json stubPablo Neira Ayuso2018-10-151-22/+0
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove json supportPablo Neira Ayuso2018-10-156-205/+0
| | | | | | We have better json support in libnftables these days. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add support for new secmark objectChristian Göttsche2018-10-091-0/+159
| | | | | | | The new object will hold security context strings. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* obj: ct_timeout: don't skip zero value timeoutPablo Neira Ayuso2018-08-311-4/+3
| | | | | | It's a valid configuration, don't assume this means timeout is unset. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* obj: ct_timeout: use fixed size arrayPablo Neira Ayuso2018-08-311-23/+5
| | | | | | | | | Use an internal array and expose maximum size so we can just use the same array size for all protocol timeouts. This simplifies handling a bit and we don't need to set NFTNL_OBJ_CT_TIMEOUT_L4PROTO in first place. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* obj: ct_timeout: fix gcc4 build errorFlorian Westphal2018-08-211-1/+3
| | | | | | gcc 4.9 only allows for-loop initialisation declarations in C99 or C11 modes. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: remove cttimeout.h leftoverPablo Neira Ayuso2018-08-141-1/+0
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add ct timeout supportHarsha Sharma2018-08-131-0/+368
| | | | | | | | Add support for ct timeout objects, used to assign connection tracking timeout policies. Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* obj: add tunnel supportPablo Neira Ayuso2018-08-061-0/+581
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Buffer is null terminated.Varsha Rao2017-09-274-0/+12
| | | | | | | In _snprintf() functions definition the buffer is null terminated. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: limit stateful object supportPablo M. Bermudo Garay2017-09-041-0/+238
| | | | | | | This patch adds support for a new type of stateful object: limit. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: ct helper supportFlorian Westphal2017-03-161-0/+210
| | | | | | | | add support for ct helper objects, these are used to assign helpers to connections, similar to iptables -j CT --set-helper target. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support for stateful objectsPablo Neira Ayuso2016-12-092-0/+389
This patch allows you to add, to delete and to get stateful objects, this support two object types: counter and quota. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>