| Commit message | Author | Age | Files | Lines |
When building with clang and glibc and -D_FORTIFY_SOURCE=2 is passed to
clang, the snprintf member of the expr_ops and obj_ops structures will
be incorrectly replaced with __builtin_snprintf_chk() which results in
"error: no member named '__builtin___snprintf_chk'" errors at build
time.
This patch changes the member name from 'snprintf' to 'output' to
prevent the replacement.
This bug can be emulated using GCC by undefining the __va_arg_pack macro
before stdio.h is included.
This patch is based on the notes provided in
https://bugs.gentoo.org/807766.
Signed-off-by: Nicholas Vinson <nvinson234@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
nftnl_set_elem_nlmsg_build_payload() is already available through .map
file and headers, add missing EXPORT_SYMBOL.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Adds print debug support for tcp reset feature.
Signed-off-by: Florian Westphal <fw@strlen.de>
Update string array to print the "inner" header string, instead of
printing "unknown".
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch reworks 228e8b174627 ("set_elem: Fix printing of verdict map
elements"), check if NFTNL_SET_ELEM_VERDICT is set then print the set
element verdict.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Expose a function to build one single set element netlink message.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Honor NFTA_LAST_SET netlink attribute, it tells us if a packet has ever
updated this expression.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This new expression displays when last matching has happened.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add NFT_SOCKET_CGROUPSV2 key type and NFTA_SOCKET_LEVEL attribute.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
libnftnl is GPLv2+, fix incorrect headers.
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Those were used for JSON and XML output only with the exception of
separator helper which at the same time served as conditional nop if no
"previous" object was passed. Replace it by a string variable updated at
the end of each loop iteration and just drop the other helpers.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Replace each by a conditional testing the only valid case.
There is one odd example, namely src/set.c: When printing a set with
type NFTNL_OUTPUT_XML, the relevant function would return 0 instead of
-1 like all others. Just drop it assuming nothing depends on that
(faulty) behaviour.
Cc: Arturo Borrero <arturo.borrero.glez@gmail.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
A common idiom among snprintf callbacks was to copy the unsigned
parameter 'size' (or 'len') into a signed variable for further use.
Though since snprintf() itself casts it to unsigned and
SNPRINTF_BUFFER_SIZE() does not allow it to become negative, this is not
needed. Drop the local variable and rename the parameter accordingly.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Objects don't support any other output type than NFTNL_OUTPUT_DEFAULT,
so just drop the parameter.
Signed-off-by: Phil Sutter <phil@nwl.cc>
The function nftnl_data_reg_snprintf is exclusively called with
NFTNL_OUTPUT_DEFAULT as parameter, others are not supported - just drop
it.
Signed-off-by: Phil Sutter <phil@nwl.cc>
There is but a single supported output type left, so check it in expr.c
and drop all the single option switch statements in individual
expressions.
Since the parameter is now unused (and to ensure code correctness), drop
'type' parameter from struct expr_ops' snprintf callback.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Instead of the remaining buffer length, the used buffer length was
passed to object's snprintf callback (and the final snprintf call).
Fixes: 5573d0146c1ae ("src: support for stateful objects")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Have to pass shrinking 'remain' variable to consecutive snprintf calls
instead of the unchanged 'len' parameter.
Fixes: 0adceeab1597a ("src: add ct timeout support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Have to pass shrinking 'remain' variable to consecutive snprintf calls
instead of the unchanged 'len' parameter.
Fixes: c4b6aa09b85d2 ("src: add ct expectation support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Subsequent calls to snprintf() sometimes reuse 'len' variable although
they should refer to the updated value in 'remain' instead.
Fixes: 676ea569bbe5a ("src: Change parameters of SNPRINTF_BUFFER_SIZE macro.")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Elements' data was printed as type DATA_VALUE no matter the actual type.
For verdicts, this meant no printing at all (because reg->len is either
zero or garbage).
To fix this, nftnl_set_elem_snprintf_default() needs type info held in
struct nftnl_set. Pass it via parameter to that function, make it
non-static and call it from nftnl_set_snprintf_default() instead of the
generic nftnl_set_elem_snprintf(). This way no changes have to be done
to exported functions, also the output type is already defined when
nftnl_set_snprintf_default() runs so checking type value again is
pointless.
Signed-off-by: Phil Sutter <phil@nwl.cc>
No point in printing the unset register value (which is zero then).
Fixes: af0c182670837 ("expr: masq: Add support for port selection")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Introduce 'sep' variable to track whether something was printed already.
While being at it, introduce PRIu64 for 'handle' and 'position'
attributes.
Signed-off-by: Phil Sutter <phil@nwl.cc>
These functions were used by removed JSON parser only.
Fixes: 80077787f8f21 ("src: remove json support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Function str2tunnel_key() was never used.
Fixes: 42468fb6df61a ("expr: add support for matching tunnel metadata")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Function str2socket_key() was never used.
Fixes: 038d226f2e6cc ("src: Add support for native socket matching")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Add support for NFTA_TABLE_OWNER.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds support for the dynset flags.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
NFTNL_EXPR_DYNSET_EXPR defines the stateful expression type that
an element stores when added from the packet path.
This patch adds support for the set expression list, which generalizes
NFTNL_EXPR_DYNSET_EXPR.
This patch also adds nftnl_expr_add_expr() to add new expressions to
elements and nftnl_set_expr_expr_foreach() to iterate over the list of
expressions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
NFTNL_SET_EXPR defines the stateful expression type that this set stores
in each element. This provides the set definition in terms of stateful
expressions. The expression that is passed via NFTNL_SET_ELEM_EXPR must
equal to this set stateful expression type, otherwise the kernel bails
out.
This patch adds support for the set expression list, which generalizes
NFTNL_SET_EXPR.
This patch also adds nftnl_set_add_expr() to add new expressions to a set
and nftnl_set_elem_expr_foreach() to iterate over the list of expressions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
NFTNL_SET_ELEM_EXPR defines the stateful expression type that this
element stores. This is useful to restore runtime set element stateful
expressions (when saving, then reboot and restore).
This patch adds support for the set element expression list, which
generalizes NFTNL_SET_ELEM_EXPR.
This patch also adds nftnl_set_elem_add_expr() to add new expressions to
set elements and nftnl_set_elem_expr_foreach() to iterate over the list
of expressions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Elements of concatenated range sets hold the upper boundary in an extra
data_reg, print it using dash as a somewhat intuitive separator.
Fixes: 04cc28d8d6923 ("set_elem: Introduce support for NFTNL_SET_ELEM_KEY_END")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Introduce a flag to allow toggling the '0x' prefix when printing data
values, then use the existing routines to print data registers from
set_elem code.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Registers are formatted as 'reg %u' everywhere apart from in bitwise
expressions where they are formatted as 'reg=%u'. Change bitwise to
match.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add a function to remove expression from the rule list.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This function allows you to build the netlink attributes for
expressions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add missing NFT_SOCKET_WILDCARD definition.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Adds NFTNL_CHAIN_USERDATA, in order to support userdata for chains.
Adds NFTNL_UDATA_CHAIN_COMMENT chain userdata type to support storing a
comment.
Relies on NFTA_CHAIN_USERDATA.
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds NFTNL_OBJ_USERDATA to support userdata for objects.
Also adds NFTNL_UDATA_OBJ_COMMENT to support comments for objects,
stored in userdata space.
Bumps libnftnl.map to 15 as nftnl_obj_get_data needs to be exported to
enable getting object attributes/data.
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds NFT_TABLE_USERDATA and NFTNL_UDATA_TABLE_COMMENT to
support table comments.
Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Was not exported so far due to a typo. While at it, add const qualifier
to element structure.
Will be used to optionally dump set contents / elements from nft
frontend.
Signed-off-by: Florian Westphal <fw@strlen.de>
This patch allows you to refer to chains via the chain ID. The semantics
are similar to the NFTA_RULE_ID attribute.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The logic to build NFTA_FLOWTABLE_HOOK enforces the presence of the hook
number and priority to include the devices. Relax this to allow for
incremental device updates.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
==22778==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x7f3212406518 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9518)
#1 0x7f321041703e in nftnl_expr_alloc /home/pablo/devel/scm/git-netfilter/libnftnl/src/expr.c:37
#2 0x7f3211d51c16 in netlink_gen_limit_stmt /home/pablo/devel/scm/git-netfilter/nftables/src/netlink_linearize.c:859
#3 0x7f3211d5220c in netlink_gen_stmt_stateful /home/pablo/devel/scm/git-netfilter/nftables/src/netlink_linearize.c:891
#4 0x7f3211d58630 in netlink_gen_meter_stmt /home/pablo/devel/scm/git-netfilter/nftables/src/netlink_linearize.c:1441
[...]
SUMMARY: AddressSanitizer: 64 byte(s) leaked in 1 allocation(s).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
==4876==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 9 byte(s) in 1 object(s) allocated from:
#0 0x7f4e2c16b810 in strdup (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a810)
#1 0x7f4e2a39906f in nftnl_expr_objref_set expr/objref.c:45
#2 0x7f4e2a39906f in nftnl_expr_objref_set expr/objref.c:35
Direct leak of 16 byte(s) in 2 object(s) allocated from:
#0 0x7f4018aa0810 in strdup (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a810)
#1 0x7f4016b660af in nftnl_expr_objref_set expr/objref.c:53
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This reverts commit 75b8778e5bf630a3fc13e5d76bc64838135f02a9. Kernel
support for this new feature might be reworked, keep this back.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Print combination of registers and flags.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch adds support for the NFTA_SET_EXPR netlink attribute.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Extend nftnl_set_elem_set() and nftnl_set_elem_nlmsg_build_payload() to
support the NFTNL_SET_ELEM_EXPR attribute.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>