Every expression type defines an attr_policy array, so deny setting
attributes if not present. Also deny if maxlen field is non-zero and
lower than the given data_len.
Some attributes' max length is not fixed (e.g. NFTNL_EXPR_{TG,MT}_INFO)
or is not sensible to check (e.g. NFTNL_EXPR_DYNSET_EXPR). The zero
maxlen "nop" is also used for deprecated attributes, just to not
silently ignore them.
Signed-off-by: Phil Sutter <phil@nwl.cc>

Similar to kernel's nla_policy, enable expressions to inform about
restrictions on attribute use. This allows the generic expression code
to perform sanity checks before dispatching to expression ops.
For now, this holds only the maximum data len which may be passed to
nftnl_expr_set().
While one may debate whether accepting e.g. uint32_t for sreg/dreg
attributes is correct, it is necessary to not break nftables.
Note that this introduces artificial restrictions on name lengths which
were caught by the kernel (if nftables didn't).
Signed-off-by: Phil Sutter <phil@nwl.cc>

Having the new expr_ops::nftnl_max_attr field in place, the valid range
of attribute type values is known now. Reject illegal ones upfront.
Consequently drop the default case from callbacks' switches which handle
all supported attributes.
Signed-off-by: Phil Sutter <phil@nwl.cc>

Instead of holding the maximum kernel space (NFTA_*) attribute value,
use it to hold the maximum expression attribute (NFTNL_EXPR_*) value
instead. This will be used for index boundary checks in an attribute
policy array later.
Signed-off-by: Phil Sutter <phil@nwl.cc>

Remove several pieces of internal code that have no use these days:
- nftnl_str2family
- nftnl_strtoi
- nftnl_get_value
- enum nftnl_type
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Use the current remaining space in the buffer to ensure more userdata
attributes still fit in; buf->size is the total size of the userdata
buffer.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Check for chain name attribute to release chain name, for consistency
with other existing attributes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Use _MAX definitions for timeout attribute arrays and check that
timeout array is not larger than NFTNL_CTTIMEOUT_ARRAY_MAX.
Fixes: 0adceeab1597 ("src: add ct timeout support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Use safe nftnl_data_cpy() to copy key into union nftnl_data_reg.
Follow up for commit:
bc2afbde9eae ("expr: fix buffer overflows in data value setters")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Allow setting a maximum limit of sizeof(s->desc.field_len), which is 16
bytes; otherwise, bail out. Ensure s->desc.field_count does not go over
the array boundary.
Fixes: 7cd41b5387ac ("set: Add support for NFTA_SET_DESC_CONCAT attributes")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

The functions nftnl_chain_parse(), nftnl_chain_parse_file(),
nftnl_set_elems_foreach(), and nftnl_obj_unset() are no longer defined
and removed from the code.
The functions nftnl_chain_parse(), nftnl_chain_parse_file() were removed
with commit 80077787f8f2 ("src: remove json support").
The function nftnl_set_elems_foreach() does not appear to have ever been
defined.
However, libnftnl.map still lists these functions which causes libnftnl
to fail to link with ld.lld as the option --undefined-version is
disabled by default.
Fixes Gentoo bug 914710 (https://bugs.gentoo.org/914710)
Signed-off-by: Nicholas Vinson <nvinson234@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

For consistency with existing objects, implement this interface.
This is already defined in libnftnl.map so the intention was to
provide it.
Fixes: 5573d0146c1a ("src: support for stateful objects")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

The data value setters memcpy() to a fixed-size buffer, but it's very easy
to make nft pass too-large values. Example:
@th,160,1272 gt 0
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b000[..]
Truncate the copy instead of corrupting the heap.
This needs additional fixes on nft side to reject such statements with a
proper error message.
Signed-off-by: Florian Westphal <fw@strlen.de>

As with all the other entities (like table or set), the getter functions
for objects now take a `const struct nftnl_obj*` as first parameter.
The getters for all specific object types (like counter or limit), which
are called in the default switch-case, already do.
Signed-off-by: corubba <corubba@gmx.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

When freeing elements, remove them also to prevent a potential UAF.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1685
Fixes: 3469f09286cee ("src: add NFTNL_SET_EXPRESSIONS")
Signed-off-by: Phil Sutter <phil@nwl.cc>

libnftnl support for broute meta statement introduced in:
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230224095251.11249-1-sriram.yagnaraman@est.tech/
Signed-off-by: Sriram Yagnaraman <sriram.yagnaraman@est.tech>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

The logic to build NFTA_CHAIN_HOOK enforces the presence of the hook
number and priority to include the devices. Relax this to allow for
incremental device updates.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds support for the inner expression which allows you to
match on the inner tunnel headers, e.g. VxLAN.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Use nftnl_nlmsg_build_hdr() instead of nftnl_*_nlmsg_build_hdr().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

The res_id member of struct nfgenmsg is supposed to be in network
byte order (big endian). Call htons() in __nftnl_nlmsg_build_hdr()
to ensure that this is true on little endian systems.
There is a kernel workaround that was introduced in 4.3 to address
this issue:
commit a9de9777d613500b089a7416f936bf3ae5f070d2
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri Aug 28 21:01:43 2015 +0200
netfilter: nfnetlink: work around wrong endianess in res_id field
And the current oldest stable kernel branch is 4.9, so merge this to fix
the incorrect endianness from userspace.
Signed-off-by: Ian Pilcher <arequipeno@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

nftnl_str2base() is not used anymore, remove it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

212479ad2c92 ("rule, set_elem: fix printing of user data") uncovered
another extra line break in the userdata printing, remove it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Hitherto, alphanumeric characters have been printed as-is, but anything
else was replaced by '\0'. However, this effectively truncates the
output. Instead, print any printable character as-is and print anything
else as a hexadecimal escape sequence:
userdata = { \x01\x04\x01\x00\x00\x00 }
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

When building with clang and glibc and -D_FORTIFY_SOURCE=2 is passed to
clang, the snprintf member of the expr_ops and obj_ops structures will
be incorrectly replaced with __builtin_snprintf_chk() which results in
"error: no member named '__builtin___snprintf_chk'" errors at build
time.
This patch changes the member name from 'snprintf' to 'output' to
prevent the replacement.
This bug can be emulated using GCC by undefining the __va_arg_pack macro
before stdio.h is included.
This patch is based on the notes provided in
https://bugs.gentoo.org/807766.
Signed-off-by: Nicholas Vinson <nvinson234@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>

nftnl_set_elem_nlmsg_build_payload() is already available through the .map
file and headers, add missing EXPORT_SYMBOL.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Adds print debug support for the tcp reset feature.
Signed-off-by: Florian Westphal <fw@strlen.de>

Update string array to print the "inner" header string, instead of
printing "unknown".
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This patch reworks 228e8b174627 ("set_elem: Fix printing of verdict map
elements"), check if NFTNL_SET_ELEM_VERDICT is set then print the set
element verdict.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Expose a function to build one single set element netlink message.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Honor NFTA_LAST_SET netlink attribute, it tells us if a packet has ever
updated this expression.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

This new expression displays when last matching has happened.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Add NFT_SOCKET_CGROUPSV2 key type and NFTA_SOCKET_LEVEL attribute.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

libnftnl is GPLv2+, fix incorrect headers.
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Those were used for JSON and XML output only with the exception of
separator helper which at the same time served as conditional nop if no
"previous" object was passed. Replace it by a string variable updated at
the end of each loop iteration and just drop the other helpers.
Signed-off-by: Phil Sutter <phil@nwl.cc>

Replace each by a conditional testing the only valid case.
There is one odd example, namely src/set.c: When printing a set with
type NFTNL_OUTPUT_XML, the relevant function would return 0 instead of
-1 like all others. Just drop it assuming nothing depends on that
(faulty) behaviour.
Cc: Arturo Borrero <arturo.borrero.glez@gmail.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>

A common idiom among snprintf callbacks was to copy the unsigned
parameter 'size' (or 'len') into a signed variable for further use.
Though since snprintf() itself casts it to unsigned and
SNPRINTF_BUFFER_SIZE() does not allow it to become negative, this is not
needed. Drop the local variable and rename the parameter accordingly.
Signed-off-by: Phil Sutter <phil@nwl.cc>

Objects don't support any other output type than NFTNL_OUTPUT_DEFAULT,
so just drop the parameter.
Signed-off-by: Phil Sutter <phil@nwl.cc>

The function nftnl_data_reg_snprintf is exclusively called with
NFTNL_OUTPUT_DEFAULT as parameter, others are not supported - just drop
it.
Signed-off-by: Phil Sutter <phil@nwl.cc>

There is but a single supported output type left, so check it in expr.c
and drop all the single option switch statements in individual
expressions.
Since the parameter is now unused (and to ensure code correctness), drop
'type' parameter from struct expr_ops' snprintf callback.
Signed-off-by: Phil Sutter <phil@nwl.cc>

Instead of the remaining buffer length, the used buffer length was
passed to object's snprintf callback (and the final snprintf call).
Fixes: 5573d0146c1ae ("src: support for stateful objects")
Signed-off-by: Phil Sutter <phil@nwl.cc>

Have to pass shrinking 'remain' variable to consecutive snprintf calls
instead of the unchanged 'len' parameter.
Fixes: 0adceeab1597a ("src: add ct timeout support")
Signed-off-by: Phil Sutter <phil@nwl.cc>

Have to pass shrinking 'remain' variable to consecutive snprintf calls
instead of the unchanged 'len' parameter.
Fixes: c4b6aa09b85d2 ("src: add ct expectation support")
Signed-off-by: Phil Sutter <phil@nwl.cc>

Subsequent calls to snprintf() sometimes reuse 'len' variable although
they should refer to the updated value in 'remain' instead.
Fixes: 676ea569bbe5a ("src: Change parameters of SNPRINTF_BUFFER_SIZE macro.")
Signed-off-by: Phil Sutter <phil@nwl.cc>

Elements' data was printed as type DATA_VALUE no matter the actual type.
For verdicts, this meant no printing at all (because reg->len is either
zero or garbage).
To fix this, nftnl_set_elem_snprintf_default() needs type info held in
struct nftnl_set. Pass it via parameter to that function, make it
non-static and call it from nftnl_set_snprintf_default() instead of the
generic nftnl_set_elem_snprintf(). This way no changes have to be done
to exported functions, also the output type is already defined when
nftnl_set_snprintf_default() runs so checking type value again is
pointless.
Signed-off-by: Phil Sutter <phil@nwl.cc>

No point in printing the unset register value (which is zero then).
Fixes: af0c182670837 ("expr: masq: Add support for port selection")
Signed-off-by: Phil Sutter <phil@nwl.cc>

Introduce 'sep' variable to track whether something was printed already.
While being at it, introduce PRIu64 for 'handle' and 'position'
attributes.
Signed-off-by: Phil Sutter <phil@nwl.cc>

These functions were used by removed JSON parser only.
Fixes: 80077787f8f21 ("src: remove json support")
Signed-off-by: Phil Sutter <phil@nwl.cc>

Function str2tunnel_key() was never used.
Fixes: 42468fb6df61a ("expr: add support for matching tunnel metadata")
Signed-off-by: Phil Sutter <phil@nwl.cc>

Function str2socket_key() was never used.
Fixes: 038d226f2e6cc ("src: Add support for native socket matching")
Signed-off-by: Phil Sutter <phil@nwl.cc>

Add support for NFTA_TABLE_OWNER.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>