| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
Unfortunately libnftnl restricts the set names in the lookup and dynset
expressions to 16 bytes. Remove this restriction so this can work with
the upcoming 4.7 Linux kernel.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Reported by Debian's lintian tool.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
Fix leaks in nftnl_rule_free() and nftnl_rule_set_data().
Reported-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These functions allow to create a buffer (struct nftnl_udata_buf) of
user data attributes in TLV format (struct nftnl_udata). It is inspired
by libmnl/src/attr.c. It can be used to store several TLVs sequentially
into an object.
Example:
struct nftnl_udata_buf *buf;
struct nftnl_udata *attr;
const char *str = "Hello World!";
buf = nftnl_udata_buf_alloc(UDATA_SIZE);
if (!buf) {
perror("OOM");
exit(EXIT_FAILURE);
}
if (!nftnl_udata_put_strz(buf, MY_TYPE, str)) {
perror("Can't put attribute \"%s\"", str);
exit(EXIT_FAILURE);
}
nftnl_udata_for_each(buf, attr)
printf("%s\n", (char *)nftnl_udata_attr_value(attr));
nftnl_udata_buf_free(buf);
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
| |
Fix duplicated and incorrect assignments.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
| |
Complete masquerading support by allowing port range selection.
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Add forward expression for the netdev family.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch adds the limit flags, the first client of this is the
inversion flag that allows us to match overlimit.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
parses trace monitor netlink messages from the kernel and builds
nftnl_trace struct that contains the dissected information.
Provides getters to access these attributes.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
| |
Future symbols don't need backwards-compat aliases.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
When we lookup the family, return "netdev" for NFPROTO_NETDEV instead of
"unknown".
Signed-off-by: Vijay Subramanian <subramanian.vijay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Reported by valgrind:
[...]
==14065== Process terminating with default action of signal 11 (SIGSEGV)
==14065== Access not within mapped region at address 0x0
==14065== at 0x4C2C022: strlen (vg_replace_strmem.c:454)
==14065== by 0x4E41A93: nftnl_chain_set_str (chain.c:259)
==14065== by 0x4E427F7: nftnl_mxml_chain_parse (chain.c:770)
==14065== by 0x4E48F96: nftnl_ruleset_parse_chains (ruleset.c:314)
==14065== by 0x4E4959A: nftnl_ruleset_xml_parse_ruleset (ruleset.c:625)
==14065== by 0x4E4959A: nftnl_ruleset_xml_parse_cmd (ruleset.c:668)
==14065== by 0x4E4959A: nftnl_ruleset_xml_parse (ruleset.c:706)
==14065== by 0x4E4959A: nftnl_ruleset_do_parse (ruleset.c:734)
==14065== by 0x4013C9: test_xml (nft-parsing-test.c:166)
==14065== by 0x4016F4: execute_test (nft-parsing-test.c:214)
==14065== by 0x400EBA: main (nft-parsing-test.c:330)
[...]
While at it, fix a bit the coding style.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Fix missing/incorrect variables.
Also remove unsed variables to avoid warnings.
Signed-off-by: Vijay Subramanian <subramanian.vijay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Commit libnftnl-1.0.3-31-g5ea54b2 removed a symbol. Such requires a
bumped to n+1:0:0. The symbol groups can be merged again to save time
processing them as the groups are relative to a particular SONAME
(of which we have a new one).
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
The function names are already large, trim off the _ATTR_ infix in the
attribute definitions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
The constant names are already large, trim off the _ATTR_ infix in the
attribute definitions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
So we get a shorter constant definition for expression attributes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Use a shorter name for this, morever this can be used from sets so the _rule_
is misleading.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
So we can use the nft_* prefix anytime soon for our upcoming higher level
library.
After this patch, the nft_* symbols become an alias of the nftnl_* symbols.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch introduces the nftnl_ symbols as aliases for the existing nft_
symbols through the EXPORT_SYMBOL(...) macro.
We would like to use the nft_* prefix from our upcoming higher level library,
meanwhile with this move we avoid that old binaries break because of missing
symbol dependencies.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
The verdict can be a chain string, make sure we release it when the expression
is destroyed. This patch adds a new nft_free_data() for this purpose and use it
from the immediate expression.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Free object attributes before overwrite it. Fix 'nlmsg_parse' methods of
following objects: 'table', 'chain', 'rule', 'set' and 'set_element'.
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This fixes --debug netlink output when a redir target is included.
Signed-off-by: Balazs Scheidler <balazs.scheidler@balabit.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Add support for the new NFT_CHAIN_ATTR_DEV attribute that indicates that the
basechain is attached to a net_device.
This partially reworks 1dd9ba1ea23c ("table: add netdev family support").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
This adds support for the new 'netdev' family tables.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a new batch class to libnftnl, it basically generalizes what we
already have.
A batch is composed of one or more page objects. Every page may contain one or
more netlink messages.
batch
* .------. .------. .------.
| | | | | | |
`----> | page |-->| page |-->...-->| page |
| | | | | |
`------' `------' `------'
You can create a batch via:
batch = nft_batch_alloc(...);
This batch initially comes with one initial page.
You can fetch a pointer to the next spare area in the current page to add a new
netlink message to the batch.
void *nft_batch_buffer(struct nft_batch *batch);
Once you have added a netlink message, you have to call:
nft_batch_update(batch);
this internally updates the pointer to the next spare data area in the page.
Every page has a limit threshold after which you start using the overrun area.
page .------.
| |
| |
. . page area
| |
| |
|------|<--- limit
| |
| | overrun area
| |
'______'<--- real page size
If we write over the limit, then the next call to nft_batch_update() results in
a new empty page added to the batch. With careful page size and limit
selection, we ensure that a netlink message always fit into the page, so we
avoid the overhead of canceling the netlink message that doesn't fit in.
Once your batch is complete, if you want to send it out to kernel-space, you
can convert them to iovec via:
nft_batch_iovec(batch, iov, iov_len);
Then, after having sent the batch, you can release it via:
nft_batch_free(batch);
This class relies on the libmnl batching infrastructure.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Support expression templates for the dynset expression for dynamic
expression instantiation.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
| |
This patch supports attaching a struct nft_rule_expr to a set element
and adds netlink attribute encoding and decoding.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The expression build function currently assumes to be only used from
rule context and actually builds rule attributes. Fix that and only
build the expression. Also it seems to have been exported by accident,
undo that.
Additionally, move the expression parsing function from rule parsing
and also remove any assumptions about being used in rule context.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
expr/dynset.c: In function 'nft_rule_expr_dynset_json_parse':
expr/dynset.c:194:3: warning: implicit declaration of function 'nft_rule_expr_dynset_str' [-Wimplicit-function-declaration]
nft_rule_expr_dynset_str(e, NFT_EXPR_DYNSET_SET, set_name);
^
expr/dynset.c:194:31: error: 'NFT_EXPR_DYNSET_SET' undeclared (first use in this function)
nft_rule_expr_dynset_str(e, NFT_EXPR_DYNSET_SET, set_name);
^
expr/dynset.c:194:31: note: each undeclared identifier is reported only once for each function it appears in
expr/dynset.c:197:3: warning: implicit declaration of function 'nft_rule_expr_dynset_u32' [-Wimplicit-function-declaration]
nft_rule_expr_dynset_u32(e, NFT_EXPR_DYNSET_SREG, sreg);
^
expr/dynset.c:197:31: error: 'NFT_EXPR_DYNSET_SREG' undeclared (first use in this function)
nft_rule_expr_dynset_u32(e, NFT_EXPR_DYNSET_SREG, sreg);
^
expr/dynset.c:200:31: error: 'NFT_EXPR_DYNSET_DREG' undeclared (first use in this function)
nft_rule_expr_dynset_u32(e, NFT_EXPR_DYNSET_DREG, dreg);
^
expr/dynset.c: In function 'nft_rule_expr_dynset_xml_parse':
expr/dynset.c:220:31: error: 'NFT_EXPR_DYNSET_SET' undeclared (first use in this function)
nft_rule_expr_dynset_str(e, NFT_EXPR_DYNSET_SET, set_name);
^
expr/dynset.c:224:31: error: 'NFT_EXPR_DYNSET_SREG' undeclared (first use in this function)
nft_rule_expr_dynset_u32(e, NFT_EXPR_DYNSET_SREG, sreg);
^
expr/dynset.c:228:31: error: 'NFT_EXPR_DYNSET_DREG' undeclared (first use in this function)
nft_rule_expr_dynset_u32(e, NFT_EXPR_DYNSET_DREG, dreg);
^
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
We cannot use __attribute__((constructor)) to register the supported
expressions in runtime when the library is statically linked. This lead
us to some explicit libnftnl_init() function that needs to be called
from the main() function of the client program.
This patch reverts 4dd0772 ("expr: use __attribute__((constructor)) to
register expression").
Reported-by: Laurent Bercot <ska-devel@skarnet.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
If we try to import a ruleset in json or xml and the library was not
compile with support for those, this shows a misleading error.
To resolve this problem, this patch sets up EOPNOTSUPP by default when
we create the nft_parse_err structure.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
This function releases the ruleset objects attached in the parse context
structure, ie. struct nft_parse_ctx.
Moreover, this patch updates the nft_parse_ruleset_file to use it.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
If the root node name is missing, we have a crash.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Fix crash when we try to release a tree that is not initialized.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When we parse a ruleset which has a rule using a set. First step is to
parse the set, set up an ID and add it to a set list. Later, we use this
set list to find the set associated to the rule and we set up the set ID
to the expression (lookup expression) of the rule.
The problem is that if we return this set to the callback function
nft_ruleset_parse_file_cb() and we free this set, we have a crash when
we try to iterate in the set list.
This patch solves it, cloning the set and adding the new set to the set
list.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
