| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The debug printing of the payload expr shows the tunnel header name as
unknown. Since after the first version we added two new payload bases
inner and tunnel, I prefer to make this change to meet possible future
extensions rather than setting NFT_PAYLOAD_TUN_HEADER as the new bound.
Reproduce:
nft --debug netlink add rule inet t c meta l4proto udp vxlan vni 0x123456
Before patch:
...
[ inner type 1 hdrsize 8 flags f [ payload load 3b @ unknown header + 4 => reg 1 ] ]
...
After patch:
...
[ inner type 1 hdrsize 8 flags f [ payload load 3b @ tunnel header + 4 => reg 1 ] ]
...
[ Remove defensive check in original patch --pablo ]
Fixes: 3f3909afd76d ("expr: add inner support")
Signed-off-by: Zhongqiu Duan <dzq.aishenghu0@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Assuming max data_len of 16 * 4B and no zero bytes in 'data':
The while loop will increment field_count, use it as index for the
field_len array and afterwards make sure it hasn't increased to
NFT_REG32_COUNT. Thus a value of NFT_REG32_COUNT - 1 (= 15) will pass
the check, get incremented to 16 and used as index to the 16 fields long
array.
Use a less fancy for-loop to avoid the increment vs. check problem.
Fixes: 407f616ea5318 ("set: buffer overflow in NFTNL_SET_DESC_CONCAT setter")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Hitherto, the kernel has only supported boolean operations of the form:
dst = (src & mask) ^ xor
where `src` is held in a register, and `mask` and `xor` are immediate
values. User space has converted AND, OR and XOR operations to this
form, and so one operand has had to be immediate. The kernel now
supports performing AND, OR and XOR operations directly, on one register
and an immediate value or on two registers, so we make that support
available to user space.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
In the next patch we add support for doing AND, OR and XOR operations
directly in the kernel, so rename some functions and an enum constant
related to mask-and-xor boolean operations.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Replace the copyright notice in header comments by an equivalent
SPDX-License-Identifier string. Drop a following empty line if at the
bottom of the comment. Leave any other header comment content in place.
This also fixes for an incomplete notice in examples/nft-ruleset-get.c
since commit c335442eefcca ("src: incorrect header refers to GPLv2
only").
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This data structure holds an array of allocated strings for use in
nftnl_chain and nftnl_flowtable structs. For convenience, implement
functions to clear, populate and iterate over contents.
While at it, extend chain and flowtable tests to cover these attributes,
too.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Since commit c759027a526ac, printed rules may or may not end with a
newline depending on whether userdata was present or not. Deal with this
inconsistency by avoiding the trailing newline in all cases.
Fixes: c759027a526ac ("rule, set_elem: remove trailing \n in userdata snprintf")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
| |
nftnl_.*_do_parse() are of no use anymore, remove them.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
This was not handled in the switch statement so far.
Also, use proper max value, SET_MAX is larger than what is needed for
parsing.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
Cosmetics, but support unsetting anything that may be set.
Fixes: 99be0e6d066d7 ("table: add userdata support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Cosmetics, but support unsetting anything that may be set.
Fixes: 76b82c425818e ("chain: add userdata and comment support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
| |
When limit->unit is not a known timespan, use the largest possible unit
and print the value along with it. This enables libnftnl debug output to
correctly print arbitrary quotients, like '3/5 minutes' for instance.
Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1214
Suggested-by: Cyril <boite.pour.spam@gmail.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
| |
Coincidentally NFTNL_EXPR_BASE starts at 1 which comes right after
NFTA_*_UNSPEC which is zero. And NFTNL_EXPR_ attribute values were
mapping to NFTA_* attributes.
Use NFTA_* for netlink attribute types instead.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
With attr_policy in place, data_len has an upper boundary but it may be
lower than the attribute's storage area in which case memcpy() would
read garbage.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
With attr_policy in place, data_len has an upper boundary. Use it for
memcpy() calls to cover for caller passing data with lower size than the
attribute's storage.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The function consolidates the necessary code when assigning to string
pointer attributes, namely:
* Conditional free of the previous value
* Allocation of new value
* Checking for memory allocation errors
* Setting respective flag bit
A new feature previously missing in all call sites is respecting
data_len in case the buffer up to that point did not contain a NUL-char.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
Every object type defines an attr_policy array, so deny setting
attributes for object types which don't have it present or if it
specifies a non-zero maxlen which is lower than the given data_len.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
Just like with struct expr_ops::attr_policy, enable object types to
inform about restrictions on attribute use. This way generic object code
may perform sanity checks before dispatching to object ops.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
| |
Refer to obj_ops::nftnl_max_attr field value for the maximum supported
attribute value to reject invalid ones upfront.
Consequently drop default cases from callbacks' switches which handle
all supported attributes.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
| |
Just like with struct expr_ops::max_attr, make it hold the maximum
object attribute (NFTNL_OBJ_*) value supported by this object type.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
| |
Similar to other setters, let callers know if memory allocation fails.
Though return value with all setters, as all of them may be used to set
object type-specific attributes which may fail (e.g. if NFTNL_OBJ_TYPE
was not set before).
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
Analogous to commit dc240913458d5 ("src: Use memcpy() to handle
potentially unaligned data").
Fixes: 609a13fc2999e ("src: synproxy stateful object support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
Pass 'strlen() + 1' as length parameter when setting string attributes,
just like other string setters do.
Fixes: 5573d0146c1ae ("src: support for stateful objects")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
| |
Fixes: 985955fe41f53 ("table: add table owner support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
| |
Fixes: 26298a9ffc2e2 ("set: add set ID support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
| |
Fixes: 5573d0146c1ae ("src: support for stateful objects")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
| |
Fixes: cdaea7f1ced05 ("flowtable: allow to specify size")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
| |
Fixes: 53c0ff324598c ("src: add nft_*_attr_{set|get}_data interface")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
| |
Fixes: 53c0ff324598c ("src: add nft_*_attr_{set|get}_data interface")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Every expression type defines an attr_policy array, so deny setting
attributes if not present. Also deny if maxlen field is non-zero and
lower than the given data_len.
Some attributes' max length is not fixed (e.g. NFTNL_EXPR_{TG,MT}_INFO )
or is not sensible to check (e.g. NFTNL_EXPR_DYNSET_EXPR). The zero
maxlen "nop" is also used for deprecated attributes, just to not
silently ignore them.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Similar to kernel's nla_policy, enable expressions to inform about
restrictions on attribute use. This allows the generic expression code
to perform sanity checks before dispatching to expression ops.
For now, this holds only the maximum data len which may be passed to
nftnl_expr_set().
While one may debate whether accepting e.g. uint32_t for sreg/dreg
attributes is correct, it is necessary to not break nftables.
Note that this introduces artificial restrictions on name lengths which
were caught by the kernel (if nftables didn't).
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
| |
Having the new expr_ops::nftnl_max_attr field in place, the valid range
of attribute type values is known now. Reject illegal ones upfront.
Consequently drop the default case from callbacks' switches which handle
all supported attributes.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
| |
Instead of holding the maximum kernel space (NFTA_*) attribute value,
use it to hold the maximum expression attribute (NFTNL_EXPR_*) value
instead. This will be used for index boundary checks in an attribute
policy array later.
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
|
|
|
| |
Remove several internal code that have no use these days:
- nftnl_str2family
- nftnl_strtoi
- nftnl_get_value
- enum nftnl_type
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Use the current remaining space in the buffer to ensure more userdata
attributes still fit in, buf->size is the total size of the userdata
buffer.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Check for chain name attribute to release chain name, for consistency
with other existing attributes.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Use _MAX definitions for timeout attribute arrays and check that
timeout array is not larger than NFTNL_CTTIMEOUT_ARRAY_MAX.
Fixes: 0adceeab1597 ("src: add ct timeout support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
Use safe nftnl_data_cpy() to copy key into union nftnl_data_reg.
Follow up for commit:
bc2afbde9eae ("expr: fix buffer overflows in data value setters")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Allow to set a maximum limit of sizeof(s->desc.field_len) which is 16
bytes, otherwise, bail out. Ensure s->desc.field_count does not go over
the array boundary.
Fixes: 7cd41b5387ac ("set: Add support for NFTA_SET_DESC_CONCAT attributes")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The functions nftnl_chain_parse(), nftnl_chain_parse_file(),
nftnl_set_elems_foreach(), and nftnl_obj_unset() are no longer defined
and removed from the code.
The functions nftnl_chain_parse(), nftnl_chain_parse_file() were removed
with commit 80077787f8f2 ("src: remove json support").
The function nftnl_set_elems_foreach() does not appear to have ever been
defined.
However, libnftnl.map still lists these functions which causes libnftnl
to fail to link with ld.lld as the option --undefined-version is
disabled by default.
Fixes Gentoo bug 914710 (https://bugs.gentoo.org/914710)
Signed-off-by: Nicholas Vinson <nvinson234@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
For consistency with existing objects, implement this interface.
This is already defined in libnftnl.map so the intention was to
provide it.
Fixes: 5573d0146c1a ("src: support for stateful objects")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The data value setters memcpy() to a fixed-size buffer, but its very easy
to make nft pass too-larger values. Example:
@th,160,1272 gt 0
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b000[..]
Truncate the copy instead of corrupting the heap.
This needs additional fixes on nft side to reject such statements with a
proper error message.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
As with all the other entities (like table or set), the getter functions
for objects now take a `const struct nftnl_obj*` as first parameter.
The getters for all specific object types (like counter or limit), which
are called in the default switch-case, already do.
Signed-off-by: corubba <corubba@gmx.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
When freeing elements, remove them also to prevent a potential UAF.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1685
Fixes: 3469f09286cee ("src: add NFTNL_SET_EXPRESSIONS")
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
| |
|
|
|
|
|
|
| |
libnftnl support for broute meta statement introduced in:
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230224095251.11249-1-sriram.yagnaraman@est.tech/
Signed-off-by: Sriram Yagnaraman <sriram.yagnaraman@est.tech>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
The logic to build NFTA_CHAIN_HOOK enforces the presence of the hook
number and priority to include the devices. Relax this to allow for
incremental device updates.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This patch adds support for the inner expression which allows you to
match on the inner tunnel headers, eg. VxLAN.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Use nftnl_nlmsg_build_hdr() instead of nftnl_*_nlmsg_build_hdr().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The res_id member of struct nfgenmsg is supposed to be in network
byte order (big endian). Call htons() in __nftnl_nlmsg_build_hdr()
to ensure that this is true on little endian systems.
There is a kernel workaround that was introduced in 4.3 to address
this issue:
commit a9de9777d613500b089a7416f936bf3ae5f070d2
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri Aug 28 21:01:43 2015 +0200
netfilter: nfnetlink: work around wrong endianess in res_id field
And current oldest stable kernel branch in 4.9, merge this to fix
the incorrect endianness from userspace.
Signed-off-by: Ian Pilcher <arequipeno@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
nftnl_str2base() not used anymore, remove it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
