summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* expr: immediate: Fix verdict comparisonCarlos Falgueras García2016-08-261-2/+9
| | | | | | | | | | | | An immediate expression of type 'DATA_VERDICT' can have set a chain (jump or goto), in this cases we must compare its 'union nftnl_data_reg' using 'DATA_CHAIN' flag instead of 'DATA_VERDICT' Before this patch compare expressions "jump -> chain_a" and "jump -> chain_b" returns they are equals. Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: data_reg: Fix DATA_CHAIN comparisonCarlos Falgueras García2016-08-241-0/+1
| | | | | | | | Split DATA_VERDICT and DATA_CHAIN comparison. A verdict can have a NULL chain (accept, drop, etc) so segfault will happen when strcmp is called. Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add number generation expressionLaura Garcia Liebana2016-08-223-0/+254
| | | | | | | Support for the nft ng expression within libnftnl. Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add quota expressionPablo Neira Ayuso2016-08-223-0/+213
| | | | | | This patch adds support for the new quota expression. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: Fix comparison between rules if number of expressions differCarlos Falgueras García2016-08-181-0/+1
| | | | | | | | | | | | | | Before this patch, comparison between rules with distinct number of expressions indicate that they are equals, however, they are not. Example: r1[e1, e2] == r2[e1, e2, e3] Fix this by checking that the number of expression is the same. Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Implement rule comparisonCarlos Falgueras García2016-08-1727-0/+522
| | | | | | | | | | | | | | | | | | | | This patch implements the function: bool nftnl_rule_cmp(const struct nftnl_rule *r1, const struct nftnl_rule *r2) for rule comparison. Expressions within rules need to be compared, so also has been created the function: bool nftnl_expr_cmp(const struct nftnl_expr *e1, const struct nftnl_expr *e2); Also includes all expression comparators. Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: add hash expressionLaura Garcia Liebana2016-08-173-0/+297
| | | | | | | Support for the nft hash expression in libnftnl. Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: cmp: Use cmp2str() instead of directly access to arrayCarlos Falgueras García2016-08-151-1/+1
| | | | | | | Uses cmp2str() which checks array bounds. Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: Fix out of bound access in nftnl_family2strCarlos Falgueras García2016-08-151-1/+1
| | | | | | | Checks array limits before access it and adds a missed translation. Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Revert "common: Avoid integer overflow in nftnl_batch_is_supported()"Pablo Neira Ayuso2016-08-121-3/+0
| | | | | | | | | This patch accidentally slipped through. The sequence number (uint32_t)-1 is fine in case time() fails. So this reverts commit d26feca2c9c19b650b5a7554b5a412ceca990b7a. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ruleset: Initialize ctx.flags before calling nftnl_ruleset_ctx_set()Phil Sutter2016-08-121-0/+2
| | | | | | | The called function otherwise accesses uninitialized data. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Avoid returning uninitialized dataPhil Sutter2016-08-124-4/+4
| | | | | | | | | Although the 'err' pointer should be interesting for users only if the parser returned non-zero, having it point to uninitialized data is generally a bad thing. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* common: Avoid integer overflow in nftnl_batch_is_supported()Phil Sutter2016-08-121-0/+3
| | | | | | | | | | | time() may return -1 which is then assigned to an unsigned integer type and used as sequence number. The following code increments that number multiple times, so it may overflow and get libmnl confused. To avoid this, fall back to a starting sequence number of zero in case the call to time() failed. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr/limit: Drop unreachable code in limit_to_type()Phil Sutter2016-08-121-1/+0
| | | | | | | | | The function returns from inside the switch() in any case, so the final return statement is never reached. Fixes: 7769cbd9dfe69 ("expr: limit: add per-byte limiting support") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr/ct: prevent array index overrun in ctkey2str()Phil Sutter2016-08-121-1/+1
| | | | | | | | | | The array has NFT_CT_MAX fields, so indices must be less than that number. Fixes: 977b7a1dbe1bd ("ct: xml: use key names instead of numbers") Cc: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: prevent memleak in nftnl_jansson_parse_set_info()Phil Sutter2016-08-121-5/+5
| | | | | | | | | During list populating, in error case the function returns without freeing the newly allocated 'elem' object, thereby losing any references to it. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: Fix lookup builderCarlos Falgueras García2016-08-101-2/+1
| | | | | | Deleted wrong braces that cause unwanted behaviour. Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
* rule: Implement internal iterator for expressionsCarlos Falgueras García2016-08-101-6/+12
| | | | | | | Introduce nftnl_expr_iter_init() to allow stack allocated iterators for internal use. Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
* src: Constify iteratorsCarlos Falgueras García2016-08-105-18/+25
| | | | | | | | Iterators do not modify objects which they iterate, so input pointer must be const. Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: don't set data_len to zero when returning pointersPablo Neira Ayuso2016-08-012-2/+0
| | | | | | | | nft already assumes that passing NULL as data_len is valid, otherwise it crashes. Fix this by leave data_len unset in this specific case. Fixes: bda7102 ("src: Fix nftnl_*_get_data() to return the real attribute length") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: lookup: print flags only if they are availablePablo Neira Ayuso2016-07-211-2/+4
| | | | | | Follow same approach as with other objects, print what it is set only. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Fix nftnl_*_get_data() to return the real attribute lengthCarlos Falgueras García2016-07-1110-3/+25
| | | | | | | | | | | All getters must set the memory size of the attributes, ie. this includes the nul-termination in strings. For references to opaque objects hidden behind the curtain, report a zero size. Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Fix missing nul-termination in nftnl_*_set_str()Carlos Falgueras García2016-07-065-5/+5
| | | | | | | | The string length must be one character longer to include the nul-termination. Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set: Add new attribute into 'set' to store user dataCarlos Falgueras García2016-07-011-0/+29
| | | | | | | | The new structure 'user' holds a pointer to user data and its length. The kernel must have the flag NFTA_SET_USERDATA to support this feature. Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: lookup: give support for inverted matchingArturo Borrero2016-06-241-3/+29
| | | | | | | | Inverted matching support was included in the kernel, let's give support here as well. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: fix return in several error paths of nftnl_set_elems_parse2()Pablo Neira Ayuso2016-06-221-2/+6
| | | | | | | | They don't set ret to anything, and ret is not initialized, so we return garbage. Fixes: 59cb13b ("src: fix missing error checking in parser functions") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: fix missing error checking in parser functionsCarlos Falgueras García2016-06-223-24/+40
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bail out on errors in several nftnl_*_nlmsg_parse() functions. We can overwrite the previous error value, and may execute code which should not. Bad way: int f() { int ret; ret = g(); ret = h(); return ret; } Good way: int f() { int ret; ret = g(); if (ret < 0) return ret; ret = h(); if (ret < 0) return ret; return 0; } Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: Check correct attributeCarlos Falgueras García2016-06-161-1/+1
| | | | | | | Fix nftnl_chain_set_data() with NFTNL_CHAIN_DEV. Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: dynamically allocate namePablo Neira Ayuso2016-06-151-6/+17
| | | | | | | | | Just in case we ever support chain with larger names in the future, this will ensure the library doesn't break. Although I don't expect allocating more bytes for this anytime soon, but let's be conservative here. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: check for flags before releasing attributesPablo Neira Ayuso2016-06-159-41/+46
| | | | | | | Now that unsetters don't set pointers to NULL, check if the attribute is set before trying to release it. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: simplify unsettersPablo Neira Ayuso2016-06-156-48/+16
| | | | | | | If the attribute is set as we already check at the beginning of this function, then we can release the object. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: data_reg: get rid of leftover perror() callsPablo Neira Ayuso2016-06-151-6/+3
| | | | | | Let the client of this library decide when to display error messages. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: check for strdup() errors from setters and parsersPablo Neira Ayuso2016-06-1511-10/+71
| | | | | | And pass up an error to the caller. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: return value on setters that internally allocate memoryPablo Neira Ayuso2016-06-157-40/+59
| | | | | | | | So the client can bail out of memory allocation errors. Or in case of daemon, make sure things are left in consistent state before bailing out. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: assert when setting unknown attributesPablo Neira Ayuso2016-06-156-15/+13
| | | | | | | | | | | | If this attribute is not supported by the library, we should rise an assertion so the client knows something is wrong, instead of silently going through. The only case I can think may hit this problem is version mismatch between library and tools. This should not ever really happen, so better bail out from the library itself in this case. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Fix leak in nftnl_*_unset()Carlos Falgueras García2016-06-142-0/+4
| | | | | | | Fix leak of NFTNL_*_USERDATA from unset() functions. Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: payload: don't use deprecated definition NFT_EXPR_PAYLOAD_SREGPablo Neira Ayuso2016-06-101-1/+1
| | | | | | Use NFTNL_EXPR_PAYLOAD_SREG instead. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: Copy user data memoryCarlos Falgueras García2016-05-301-2/+8
| | | | | | | All attributes are passed by copy, so user data should be copied too. Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set_elem: Fix memory leakCarlos Falgueras García2016-05-251-0/+3
| | | | | | | | | | | | User data must be freed. How to reproduce: > nft add table t > nft add set t s {type ipv4_addr\;} > valgrind nft add element t s {1.1.1.1} Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* rule: Fix segfault due to invalid free of rule user dataCarlos Falgueras García2016-05-251-1/+5
| | | | | | | | | | If the user allocates a nftnl_udata_buf and then passes the TLV data to nftnl_rule_set_data, the pointer stored in rule.user.data is not the begining of the allocated block. In this situation, if it calls to nftnl_rule_free, it tries to free this pointer and segfault is thrown. Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* include: refresh nf_tables.h cache copyPablo Neira Ayuso2016-05-201-0/+2
| | | | | | | | | | | | Refresh the cached header file. This includes a small fix to avoid this compilation warning after refreshing the header: trace.c: In function 'nftnl_trace_parse_attr_cb': trace.c:87:2: warning: enumeration value 'NFTA_TRACE_PAD' not handled in switch [-Wswitch] Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* chain: missing constification of _get() functionsPablo Neira Ayuso2016-05-131-8/+8
| | | | | | These functions don't modify the chain object. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: missing static in several array definitionsPablo Neira Ayuso2016-05-092-2/+2
| | | | | | | They are not used out of the scope of the C file where they are defined, so we can statify them. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: remove unnecessary inline in _snprintf functionsPablo Neira Ayuso2016-05-096-18/+13
| | | | | | | These functions are passed as parameter, so we basically get nothing with this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftnl: constify object arguments to various functionsPatrick McHardy2016-05-0935-223/+255
| | | | | | | | | flow table support needs constant object arguments to printing functions to avoid ugly casts. While at it, also constify object arguments to message construction, destructor and a few helper functions. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libnftnl: allow any set name lengthPablo Neira Ayuso2016-05-052-16/+24
| | | | | | | | Unfortunately libnftnl restricts the set names in the lookup and dynset expressions to 16 bytes. Remove this restriction so this can work with the upcoming 4.7 Linux kernel. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* expr: ct: fix typo unknow vs unknownArturo Borrero2016-04-191-1/+1
| | | | | | | Reported by Debian's lintian tool. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* rule: fix leaks in NFTNL_RULE_USERDATAPablo Neira Ayuso2016-04-151-0/+5
| | | | | | | Fix leaks in nftnl_rule_free() and nftnl_rule_set_data(). Reported-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* udata: add TLV user data infrastructureCarlos Falgueras García2016-04-143-0/+151
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | These functions allow to create a buffer (struct nftnl_udata_buf) of user data attributes in TLV format (struct nftnl_udata). It is inspired by libmnl/src/attr.c. It can be used to store several TLVs sequentially into an object. Example: struct nftnl_udata_buf *buf; struct nftnl_udata *attr; const char *str = "Hello World!"; buf = nftnl_udata_buf_alloc(UDATA_SIZE); if (!buf) { perror("OOM"); exit(EXIT_FAILURE); } if (!nftnl_udata_put_strz(buf, MY_TYPE, str)) { perror("Can't put attribute \"%s\"", str); exit(EXIT_FAILURE); } nftnl_udata_for_each(buf, attr) printf("%s\n", (char *)nftnl_udata_attr_value(attr)); nftnl_udata_buf_free(buf); Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* trace: fix missing NFTNL_TRACE_JUMP_TARGET in nftnl_trace_get_str()Patrick McHardy2016-03-101-0/+1
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>