| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
This got lost in 29fd6a1df9 when merging major changes in master
to next-3.14.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
For some reason this was only printed in custom chains. Print it for
any chain, this is useful for debugging purposes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch includes changes to adapt this branch to the library
rename that happened in the master branch.
Conflicts:
src/Makefile.am
src/expr/cmp.c
src/expr/ct.c
src/expr/data_reg.c
src/expr/meta.c
tests/jsonfiles/01-table.json
tests/jsonfiles/02-table.json
tests/jsonfiles/64-ruleset.json
tests/xmlfiles/01-table.xml
tests/xmlfiles/02-table.xml
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This was seen with a sufficiently-old /usr/include/linux
(from Linux 2.6.32).
In file included from common.c:10:
/usr/include/linux/netlink.h:34: error: expected
specifier-qualifier-list before 'sa_family_t'
The solution is to include <linux/*> last of all system headers.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| | |
We plan to use this library name for the higher layer library.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| | |
CC expr/ct.lo
expr/ct.c:194:12: warning: 'str2ctdir' defined but not used [-Wunused-function]
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch implements a string to represent directions in the CT expression:
* original (0)
* reply (1)
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Patrick reports that the XML/JSON formats of the data_reg object
are not accuarate.
This patch updates these formats, so they are now as follow:
* <data_reg type=value> with raw data (this doesn't change).
* <data_reg type=verdict> with a concrete verdict (eg drop accept) and an
optional <chain>, with destination.
In XML:
<data_reg type="verdict">
<verdict>goto</verdict>
<chain>output</chain>
</data_reg>
In JSON:
"data_reg" : {
"type" : "verdict",
"verdict" : "goto"
"chain" : "output",
}
The default output format is updated to reflect these changes (minor collateral
thing).
When parsing set_elems, to know if we need to add the NFT_SET_ELEM_ATTR_CHAIN
flag, a basic check for the chain not being NULL is done, instead of evaluating
if the result of the parsing was DATA_CHAIN. The DATA_CHAIN symbol is no longer
used in the data_reg XML/JSON parsing zone.
While at it, I updated the error reporting stuff regarding data_reg/verdict, in
order to leave a consistent state in the library.
A JSON testfile is updated as well.
Reported-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Some verdicts have a negative value.
The caller of nft_str2verdict() checking if return was < 0 clash with
enum nft_verdict.
While at it, add error reporting of invalid verdicts.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| | |
It's not used out of the scope of expr/meta.c
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The 'dir' attribute is optional as stated in the kernel sources.
Previous to this patch, using XML/JSON to manage this expr produces some
undefined and erroneous behaviours.
While at it, fix also the default output format.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Due to missing NFT_CT_L3PROTOCOL key in ctkey2str_array, a segfault is
produced when the str2ctkey() loop reaches that position, since strcmp()
will try to compare a NULL value.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| | |
The dreg attribute is optional as stated at:
linux/net/netfilter/nft_lookup.c
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
There are some cases where a reg is not mandatory, for example:
* dreg in lookup
* dreg/sreg in meta (last version)
So, lets change the function nft_mxml_reg_parse() to add
an optional/mandatory flag.
dreg in lookup is optional as stated at:
net/netfilter/nft_lookup.c:nft_lookup_init()
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Don't print data_type and data_len if they aren't set.
Also, they are optional when parsing.
Printing and parsing unconditionally leads to false values and other errors.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch fixes the incorrect data type (from uint8_t to uint32_t) in
several private data area of the expressions.
It also cleans up this by translating several unsigned int to uint32_t.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| | |
This patch adds a new API to parse rule-set expressed in XML/JSON from
a file. A new enum nft_parse_input type is added for this purpose.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The intention behind this patch is to prepare the introduction of
the new API that will allow us to parse files that contain the rule-sets
expressed in XML/JSON format. This adds the NFT_PARSE_BUFFER that
indicates that the input is provided in a buffer, which is what we
currently support.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add missing support in the API function to parse a JSON set_elem.
I've renamed the main JSON parsing function to prevent clashing.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| | |
We know the top node we are building. Let the user also know it.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
I have added a new structure for reporting some errors in parser
that we can't cover with errno.
In this patch, we have three errors that we can't cover with errno:
NFT_PARSE_EBADINPUT : Bad XML/JSON format in the input
NFT_PARSE_EMISSINGNODE : Missing node in our input
NFT_PARSE_EBADTYPE : Wrong type value in a node
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| | |
I have changed this parameter for having consistence with the
xml helper function. This patch is a cleanup.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch adds userspace support for setting properties of tracked connections.
Currently, the connection mark is supported. This can be used to implemented the
same functionality as iptables -j CONNMARK --save-mark.
Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
libnftables should not mask kernel errors. Let user specify any combination of
parameters and leave the error-checking to the kernel. The kernel will return
-EINVAL and users will know that they have to fix their code. This patch also a
removes a redundant variable that was passed to the snprintf-functions (flag).
A second iteration might be needed. I was not sure how to deal with
snprintf_default in the case of both sreg and dreg.
Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Since nftables now uses nft_rule_expr_get_u32(), the internal size must
also be a uint32_t.
Fixes complete breakage of any cmp or meta expression.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This adds a copy of the include/linux/netfilter.h kernel header
that defines NFPROTO_INET, so libnftables compiles with relatively
old kernel headers in the system.
chain.c: In function 'nft_hooknum2str':
chain.c:53:7: error: 'NFPROTO_INET' undeclared (first use in this function)
This required to reorder and remove unneeded headers in src/expr/data_reg.c
to avoid a compilation warning due to redefinition of __visible.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| | |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch adds userspace support for the meta expression in the set flavour.
This expression indicates that the packet has to be set with a property,
currently one of mark, priority or nftrace.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| | |
This adds support for table's attribute "use" which let us know about
how many chains are in the table, if any.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|/
|
|
|
|
|
| |
This patch adds a support of the queue target.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Add new function nft_nlmsg_build_hdr which consolidates all existing
functions to build headers per object. They basically look the same.
This patch still provides aliases for consistency in the naming
approach.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
These are needed to set the family value for chain and table.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
I fixed it by using the correct value.
Signed-off-by: Ana Rey <anarey@gmail.com>
Acked-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If I run my automatic unit test of libnftable, It shows:
ERROR: Expr NFT_EXPR_TG_INFO size mismatches size a: 32 b: 36
The problem was in nft_rule_expr_target_parse function. With the
attached patch, we use mnl_attr_get_payload_len() in instead of
mnl_attr_get_len().
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If I run my automatic unit test for libnftables, It shows:
"ERROR: Expr NFT_EXPR_LOG_PREFIX mismatches"
a: test
b: test
^^
garbage
The problem was in nft_rule_expr_log_build function. With
the attached patch, we use mnl_attr_put_strz() instead of
mnl_attr_put_str() as in other functions in the library.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Ana Rey reported a leak in the log expression. Fix it by using
the new .free interface added in (3cf788a expr: fix leak in target
and match expressions).
Reported-by: Ana Rey Botello <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Expression flags were incorrectly set.
Reported-by: Ana Rey Botello <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Fix missing files that were not included in the tarball
that distcheck generates.
This also includes AC_EXEEXT, otherwise configure complains about
undefined CHECK_GCC_FVISIBILITY.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Release internal data area for match and target expressions.
==30104== 68 bytes in 1 blocks are definitely lost in loss record 1 of 1
==30104== at 0x4C2B514: calloc (vg_replace_malloc.c:593)
==30104== by 0x400C2F: main (nft-expr_match-test.c:65)
Reported-by: Ana Rey Botello <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Unify parse and output types that are redundant to all
existing nftables objects. Thus, all NFT_*_O_[XML|JSON|DEFAULT]
are merged into NFT_OUTPUT_[JSON|XML] and NFT_PARSE_[JSON|XML].
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes:
In file included from utils.c:11:0:
./internal.h:93:17: error: unknown type name 'FILE'
int nft_fprintf(FILE *fp, void *obj, uint32_t type, uint32_t flags, int
(*snprintf_cb)(char *buf, size_t bufsiz, void *obj, uint32_t type,
uint32_t flags));
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Now it's possible to print directly from libnftables to a file or
other stream. The caller must explicitly print the trailing '\n'
in this call.
The error reporting of fprintf (< 0) is respected. However, we have
already print some information in case that the default (plain text)
output is used, that output is mostly intended for debugging so it
should not be a problem.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This factorization of JSON/XML open & close tag allows reutilice
code in future patches (for example, the fprintf API functions).
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As reported by John Sager, nft_set_attr_get_u32 can cause a
segfault because nft_set_attr_get can return NULL. Check for
a non-NULL pointer before dereferencing.
This closes netfilter bugzilla #868.
[ I have mangled this patch to solve possible null pointer
dereference with get operations with rule objects --pablo ]
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch adds support for the reject expression.
Tested-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This is a leftover from the time we had per rule flags, obsoleted
by the new rule batching approach. Kill it as it is unused.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
my fault, spotted by Phil Oester.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
| |
commit 10e0890e ('src: operational limit match') creates huge
array, increasing libnftables binary size. Use switch statement
instead.
Based on patch from Florian Westphal, for nft.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The nft limit match currently does not work at all. Below patches to
nftables, libnftables, and kernel address the issue. A few notes on
the implementation:
- Removed support for nano/micro/milli second limits. These seem pointless,
given we are using jiffies in the limit match, not a hpet. And who really
needs to limit items down to sub-second level??
- 'depth' member is removed as unnecessary. All we need in the kernel is the
rate and the unit.
- 'stamp' member becomes the time we need to next refresh the token bucket,
instead of being updated on every packet which goes through the match.
This closes netfilter bugzilla #827, reported by Eric Leblond.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
If this fails to parse a set element, stop the processing.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|