Phil Sutter [Fri, 4 Oct 2019 19:44:14 +0000 (21:44 +0200)]
obj/ct_timeout: Avoid array overrun in timeout_parse_attr_data()
Array 'tb' has only 'attr_max' elements, the loop overstepped its
boundary by one. Copy array_size() macro from include/utils.h in
nftables.git to make sure code does the right thing.
Fixes: 0adceeab1597a ("src: add ct timeout support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Fri, 4 Oct 2019 19:33:48 +0000 (21:33 +0200)]
set: Don't bypass checks in nftnl_set_set_u{32,64}()
By calling nftnl_set_set(), any data size checks are effectively
bypassed. Better call nftnl_set_set_data() directly, passing the real
size for validation.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
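Added example of the pattern this fix restores; it is not libnftnl's code. Every typed setter routes through the one length-checked entry point, so a caller handing over a value of the wrong width is rejected instead of silently copying the wrong number of bytes. The attribute ids, the struct fields, the expected-width table and the "pre-fix" wrapper shape are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical set attributes; libnftnl's own ids and widths differ. */
enum set_attr {
	SET_KEY_LEN,	/* u32 */
	SET_FLAGS,	/* u32 */
	SET_TIMEOUT,	/* u64 */
	__SET_MAX
};

/* Width each attribute requires; 0 would mean "not an integer attribute". */
static const size_t set_attr_size[__SET_MAX] = {
	[SET_KEY_LEN] = sizeof(uint32_t),
	[SET_FLAGS]   = sizeof(uint32_t),
	[SET_TIMEOUT] = sizeof(uint64_t),
};

struct set {
	uint32_t key_len;
	uint32_t flags;
	uint64_t timeout;
};

/* The single validating entry point: rejects unknown attributes and any
 * caller whose buffer length differs from the attribute's width.
 * Returns 0 on success, -1 on rejection; nothing is modified on -1. */
int set_set_data(struct set *s, int attr, const void *data, size_t len)
{
	if (attr < 0 || attr >= __SET_MAX)
		return -1;
	if (set_attr_size[attr] == 0 || set_attr_size[attr] != len)
		return -1;

	switch (attr) {
	case SET_KEY_LEN: memcpy(&s->key_len, data, len); break;
	case SET_FLAGS:   memcpy(&s->flags, data, len);   break;
	case SET_TIMEOUT: memcpy(&s->timeout, data, len); break;
	}
	return 0;
}

/* Pre-fix shape (a reconstruction, not libnftnl's code): a length-less
 * wrapper that takes the size from the attribute table.  The check in
 * set_set_data() then passes by construction, so a u32 handed to a u64
 * attribute reads four bytes past the caller's variable and a u64 handed
 * to a u32 attribute is silently truncated. */
int set_set_unchecked(struct set *s, int attr, const void *data)
{
	if (attr < 0 || attr >= __SET_MAX)
		return -1;
	return set_set_data(s, attr, data, set_attr_size[attr]);
}

/* Post-fix shape: typed setters pass the real size of what they hold, so
 * the width check in set_set_data() actually bites. */
int set_set_u32(struct set *s, int attr, uint32_t val)
{
	return set_set_data(s, attr, &val, sizeof(val));
}

int set_set_u64(struct set *s, int attr, uint64_t val)
{
	return set_set_data(s, attr, &val, sizeof(val));
}
```

The test below only calls the unchecked path with a wider value than the attribute, which is the truncation case; the narrower-than-attribute case would read past the caller's variable and is deliberately not exercised.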
Phil Sutter [Fri, 27 Sep 2019 12:24:40 +0000 (14:24 +0200)]
set: Export nftnl_set_list_lookup_byname()
Rename and optimize internal function nftnl_set_lookup() for external
use. Just like with nftnl_chain_list, use a hash table for fast set name
lookups.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Anatoly Pugachev reported crash on 'nft list tables' on sparc
and provided following gdb backtrace:
Starting program: /opt/nft/sbin/nft list tables
Program received signal SIGBUS, Bus error.
0xfff8000100946490 in nftnl_udata_get_u32 (attr=0x10000106e30) at udata.c:127
127 return *data;
We can't deref attr->value directly; it causes an unaligned access.
Static linking userspace programs such as nftables against libnftnl
currently doesn't work out of the box, because libnftnl is linked
against libmnl, but this isn't expressed in libnftnl pkg-config
file:
CCLD nft
[...]/bfin-buildroot-uclinux-uclibc/sysroot/usr/lib/libnftnl.a(table.o): In function `_nft_table_nlmsg_parse':
table.c:(.text+0x480): undefined reference to `_mnl_attr_parse'
table.c:(.text+0x492): undefined reference to `_mnl_attr_get_str'
table.c:(.text+0x4a8): undefined reference to `_mnl_attr_get_u32'
table.c:(.text+0x4ca): undefined reference to `_mnl_attr_get_u32'
[...]
The Libs.private field is specifically designed for such usage:
From pkg-config documentation:
Requires.private:
A list of packages required by this package. The difference from
Requires is that the packages listed under Requires.private are not
taken into account when a flag list is computed for dynamically
linked executable (i.e., when --static was not specified). In the
situation where each .pc file corresponds to a library,
Requires.private shall be used exclusively to specify the
dependencies between the libraries.
Therefore, this patch adds a reference to libmnl in the Requires.private
field of libnftnl pkg-config file.
[baruch: use Requires.private; update commit log]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add capability to have rules matching IPv4 options. This is developed
mainly to support dropping of IP packets with loose and/or strict source
route options.
Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Currently, the expiration of every element in a set or map
is a read-only parameter generated at kernel side.
This change permits setting a certain expiration date
per element, which will be required, for example, during
stateful replication among several nodes.
This patch allows propagating NFTA_SET_ELEM_EXPIRATION
from userspace to the kernel in order to set the
configured value.
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Can't use them currently: they are exported only under their old names.
Fixes: 44d11498479a08 ("src: get rid of _attr_ infix in new nftnl_ definitions")
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Mon, 14 Jan 2019 16:42:50 +0000 (17:42 +0100)]
src: chain: Fix nftnl_chain_rule_insert_at()
Extrapolating from iptables nomenclature, one would expect that "insert"
means to prepend the new item to the referenced one, not append. Change
nftnl_chain_rule_insert_at() to do just that and introduce
nftnl_chain_rule_append_at() to insert a rule after the referenced one.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Sun, 30 Dec 2018 16:02:13 +0000 (17:02 +0100)]
src: chain: Add missing nftnl_chain_rule_del()
Although identical to nftnl_rule_list_del(), this function adheres to
the common naming style of per chain rule list routines introduced
earlier, therefore helps with deprecating the global rule list API at a
later point.
Fixes: e33798478176f ("chain: Support per chain rules list")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 20 Dec 2018 20:03:28 +0000 (21:03 +0100)]
flowtable: Add missing break
In nftnl_flowtable_set_data(), when setting flowtable size, the switch()
case fell through and the same value was copied into ft_flags field.
This can't be right.
Fixes: 41fe3d38ba34b ("flowtable: support for flags")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 20 Dec 2018 20:03:27 +0000 (21:03 +0100)]
object: Avoid obj_ops array overrun
In version 1.1.1, obj_ops array was smaller than __NFT_OBJECT_MAX since
there are no ops for NFT_OBJECT_CONNLIMIT. Avoid this potential issue in
the future by defining the array size.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
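Added example, not libnftnl's code, covering this obj_ops array and the ct_timeout 'tb' overrun fixed further up: size the table explicitly, derive every loop bound from array_size() rather than from a separately maintained maximum, and treat a type without a registered entry as a NULL slot rather than as memory past the end. The attribute and object ids, the ops structs and the (id, value) input format are hypothetical; only the array_size() macro has the same definition as the one in nftables' include/utils.h.

```c
#include <stddef.h>
#include <stdint.h>

/* Same definition as the array_size() macro in nftables' include/utils.h. */
#define array_size(arr)	(sizeof(arr) / sizeof((arr)[0]))

/* Hypothetical per-protocol timeout attributes (real ids come from uapi). */
enum { ATTR_SYN_SENT, ATTR_ESTABLISHED, ATTR_CLOSE, ATTR_MAX };

struct attr { uint32_t id; uint32_t value; };

/* Collect (id, value) pairs into a fixed table and copy it out.  Both loops
 * are bounded by array_size(tb); the original bug was a copy loop running
 * to `i <= attr_max`, which reads tb[attr_max], one element past the end.
 * Returns the number of slots copied, or -1 for an out-of-range id. */
int timeout_parse_attr_data(const struct attr *attrs, size_t n,
			    uint32_t *out, size_t out_len)
{
	uint32_t tb[ATTR_MAX] = { 0 };
	size_t i;

	for (i = 0; i < n; i++) {
		if (attrs[i].id >= array_size(tb))
			return -1;		/* would index past tb[] */
		tb[attrs[i].id] = attrs[i].value;
	}
	for (i = 0; i < array_size(tb) && i < out_len; i++)
		out[i] = tb[i];
	return (int)i;
}

/* Hypothetical object types; CONNLIMIT deliberately has no ops, mirroring
 * the 1.1.1 situation the commit message describes. */
enum { OBJ_COUNTER, OBJ_QUOTA, OBJ_CT_HELPER, OBJ_LIMIT, OBJ_CONNLIMIT, __OBJ_MAX };

struct obj_ops { const char *name; };

static const struct obj_ops counter_ops   = { "counter" };
static const struct obj_ops quota_ops     = { "quota" };
static const struct obj_ops ct_helper_ops = { "ct helper" };
static const struct obj_ops limit_ops     = { "limit" };

/* Explicit size: a type with no registered ops is a NULL slot inside the
 * array, not a read beyond it.  Without [__OBJ_MAX] this initializer would
 * produce a four-element array and obj_ops[OBJ_CONNLIMIT] would be out of
 * bounds. */
static const struct obj_ops *obj_ops[__OBJ_MAX] = {
	[OBJ_COUNTER]   = &counter_ops,
	[OBJ_QUOTA]     = &quota_ops,
	[OBJ_CT_HELPER] = &ct_helper_ops,
	[OBJ_LIMIT]     = &limit_ops,
	/* [OBJ_CONNLIMIT] left NULL on purpose */
};

/* Bounds-check the type first (it may come from the kernel or a file), then
 * let the caller decide what to do with an unsupported type. */
const struct obj_ops *obj_ops_lookup(uint32_t type)
{
	if (type >= array_size(obj_ops))
		return NULL;
	return obj_ops[type];
}
```

array_size() only works on a real array, not on a pointer that an array decayed to, which is why tb[] is local to the function that copies from it; applying the macro to a pointer parameter compiles and silently yields sizeof(pointer)/sizeof(element).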
Phil Sutter [Tue, 11 Dec 2018 17:44:00 +0000 (18:44 +0100)]
chain: Hash chain list by name
Introduce a hash table to speedup nftnl_chain_list_lookup_byname(). In
theory this could replace the linked list completely but has been left
in place so that nftnl_chain_list_add_tail() still does what it's
supposed to and iterators return chains in original order.
Speed was tested using a simple script which creates a dump file
containing a number of custom chains and for each of them two rules in
INPUT chain jumping to it. The following table compares run-time of
iptables-legacy-restore with iptables-nft-restore before and after this
patch:
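Added example of the two-structure layout the commit describes; it is not libnftnl's code. Each chain sits both on an insertion-ordered list, so iterators and add_tail keep their semantics, and in a hash bucket keyed by name, so lookup no longer walks the list. Deletion unlinks from both, which is the part that goes wrong when a hash index is bolted onto an existing list. The bucket count, the FNV-1a hash, the fixed-size name field and the "c0".."c<n-1>" sample names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN     32
#define HASH_BUCKETS 1024	/* hypothetical; libnftnl sizes its own table */

struct chain {
	char name[NAME_LEN];
	struct chain *next_in_order;	/* insertion-ordered list, kept for iterators */
	struct chain *next_in_bucket;	/* hash chain, used only for lookups by name */
};

struct chain_list {
	struct chain *head, *tail;
	struct chain *buckets[HASH_BUCKETS];
};

/* FNV-1a over the name; the hash function itself is an assumption. */
static uint32_t hash_name(const char *s)
{
	uint32_t h = 2166136261u;
	for (; *s; s++) { h ^= (uint8_t)*s; h *= 16777619u; }
	return h % HASH_BUCKETS;
}

/* Tail insertion keeps original order for iteration; the same node is also
 * threaded into its bucket so a lookup no longer walks the whole list. */
void chain_list_add_tail(struct chain_list *l, struct chain *c)
{
	uint32_t b = hash_name(c->name);
	c->next_in_order = NULL;
	if (l->tail)
		l->tail->next_in_order = c;
	else
		l->head = c;
	l->tail = c;
	c->next_in_bucket = l->buckets[b];
	l->buckets[b] = c;
}

/* O(1) on average instead of O(n): only one bucket's names are compared. */
struct chain *chain_list_lookup_byname(const struct chain_list *l, const char *name)
{
	struct chain *c;
	for (c = l->buckets[hash_name(name)]; c; c = c->next_in_bucket)
		if (strcmp(c->name, name) == 0)
			return c;
	return NULL;
}

/* Deletion must unlink from both structures, otherwise a freed chain stays
 * reachable through its bucket and the next lookup is a use-after-free.
 * Returns 0 when removed, -1 when c is not on this list. */
int chain_list_del(struct chain_list *l, struct chain *c)
{
	struct chain **pp, *prev = NULL;
	for (pp = &l->buckets[hash_name(c->name)]; *pp && *pp != c; pp = &(*pp)->next_in_bucket)
		;
	if (!*pp)
		return -1;
	*pp = c->next_in_bucket;
	/* The order list is singly linked, so walk to c's predecessor. */
	for (pp = &l->head; *pp != c; pp = &(*pp)->next_in_order)
		prev = *pp;
	*pp = c->next_in_order;
	if (l->tail == c)
		l->tail = prev;
	return 0;
}

void chain_list_free(struct chain_list *l)
{
	struct chain *c = l->head, *next;
	for (; c; c = next) { next = c->next_in_order; free(c); }
	free(l);
}

/* Constructed sample: n chains named "c0".."c<n-1>", added in that order. */
struct chain_list *chain_list_build(size_t n)
{
	struct chain_list *l = calloc(1, sizeof(*l));
	size_t i;
	if (!l)
		return NULL;
	for (i = 0; i < n; i++) {
		struct chain *c = calloc(1, sizeof(*c));
		if (!c) { chain_list_free(l); return NULL; }
		snprintf(c->name, sizeof(c->name), "c%zu", i);
		chain_list_add_tail(l, c);
	}
	return l;
}
```

With one lookup per rule referencing a chain, a restore of n chains costs O(n) list walks of O(n) each before the index and O(n) bucket probes after it, which is the quadratic-to-linear change the commit's timing table was meant to show.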
Phil Sutter [Thu, 6 Dec 2018 16:17:52 +0000 (17:17 +0100)]
chain: Add lookup functions for chain list and rules in chain
For now, these lookup functions simply iterate over the linked list
until they find the right entry. In future, they may make use of more
optimized data structures behind the curtains.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
These functions are not very useful, rule comparison from this layer
does not work well with implicit set definitions.
This infrastructure was added as an attempt to support deletion by
name from this layer, which should be done from the higher level libnftables
library. Finally, we never had a client for this code in
git.netfilter.org.
Let's remove it and bump libversion for safety reasons.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Matt Turner [Wed, 17 Oct 2018 19:32:54 +0000 (12:32 -0700)]
src: Use memcpy() to handle potentially unaligned data
Rolf Eike Beer <eike@sf-mail.de> reported that nft-expr_quota-test fails
with a SIGBUS on SPARC due to unaligned accesses. This patch resolves
that and fixes additional sources of unaligned accesses matching the
same pattern. Both nft-expr_quota-test and nft-expr_objref-test
generated unaligned accesses on DEC Alpha.
Bug: https://bugs.gentoo.org/666448
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
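Added example of the pattern this commit and the SPARC 'nft list tables' SIGBUS fix above both apply; it is not libnftnl's code. A packed record format is walked with memcpy() for every field, header and payload alike, so that a 32-bit value starting on an odd byte is read by byte loads where the target needs them and by a single load where it does not. The TLV layout, the constructed sample buffer and the helper names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical packed record: 2-byte type, 2-byte length, payload, no
 * padding, so any field may start at any byte offset. */
struct tlv_hdr { uint16_t type; uint16_t len; };

/* Pre-fix pattern: cast and dereference.  Only valid when p is suitably
 * aligned; on SPARC and Alpha a misaligned load traps with SIGBUS, and the
 * C standard makes it undefined everywhere.  Kept for comparison only; the
 * walker below never calls it. */
uint32_t get_u32_deref(const void *p)
{
	return *(const uint32_t *)p;
}

/* Post-fix pattern: memcpy into a local.  Compilers turn this into one load
 * on targets that tolerate misalignment and into byte loads elsewhere, so
 * the same source is correct on both. */
uint32_t get_u32_memcpy(const void *p)
{
	uint32_t v;
	memcpy(&v, p, sizeof(v));
	return v;
}

uint64_t get_u64_memcpy(const void *p)
{
	uint64_t v;
	memcpy(&v, p, sizeof(v));
	return v;
}

int ptr_is_aligned(const void *p, size_t align)
{
	return ((uintptr_t)p % align) == 0;
}

/* Return the value of the first record of type `want` that carries a 4-byte
 * payload; *found distinguishes "absent" from a stored zero.  Headers go
 * through memcpy too, since they are just as likely to be misaligned, and a
 * truncated record stops the walk rather than reading past the buffer. */
uint32_t tlv_find_u32(const uint8_t *buf, size_t buflen, uint16_t want, int *found)
{
	size_t off = 0;

	*found = 0;
	while (buflen - off >= sizeof(struct tlv_hdr)) {
		struct tlv_hdr h;

		memcpy(&h, buf + off, sizeof(h));
		if (h.len > buflen - off - sizeof(h))
			break;			/* truncated: do not trust h.len */
		if (h.type == want && h.len == sizeof(uint32_t)) {
			*found = 1;
			return get_u32_memcpy(buf + off + sizeof(h));
		}
		off += sizeof(h) + h.len;
	}
	return 0;
}

/* Constructed sample (not a real netlink message): a 1-byte record followed
 * by a 4-byte one, so the 32-bit payload lands at offset 9, which no 4-byte
 * alignment can satisfy.  The uint64_t backing store pins offset 0 to at
 * least 8-byte alignment on the usual ABIs. */
static uint64_t sample_storage[4];
uint8_t *const sample = (uint8_t *)sample_storage;

size_t sample_build(void)
{
	struct tlv_hdr h1 = { 1, 1 }, h2 = { 2, 4 };
	uint8_t b = 0xAA;
	uint32_t v = 0x11223344u;
	size_t off = 0;

	memcpy(sample + off, &h1, sizeof(h1)); off += sizeof(h1);
	memcpy(sample + off, &b, sizeof(b));   off += sizeof(b);
	memcpy(sample + off, &h2, sizeof(h2)); off += sizeof(h2);
	memcpy(sample + off, &v, sizeof(v));   off += sizeof(v);
	return off;
}
```

On x86 the dereferencing version happens to work, which is why this class of bug only surfaces on SPARC or Alpha; building the test suite with -fsanitize=alignment (part of UBSan in GCC and Clang) makes the misaligned load fail on x86 as well.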
Add include header for NFTNL_CTTIMEOUT_ARRAY_MAX. Fixes compilation error:
"../include/obj.h:43:21: error: ‘NFTNL_CTTIMEOUT_ARRAY_MAX’
undeclared here (not in a function)"
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Use an internal array and expose maximum size so we can just use the
same array size for all protocol timeouts. This simplifies handling
a bit and we don't need to set NFTNL_OBJ_CT_TIMEOUT_L4PROTO in the first
place.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Fri, 22 Jun 2018 12:18:59 +0000 (14:18 +0200)]
expr/exthdr: Fix JSON parsing on big endian
When setting NFTNL_EXPR_EXTHDR_TYPE, one needs to call
nftnl_expr_set_u8() and not nftnl_expr_set_u32(). Otherwise 'type'
variable is assigned to uint32_t parameter before being passed to
nftnl_expr_exthdr_set() as void pointer which casts it to uint8_t.
On big endian systems, the latter would only consider the most
significant byte instead of the least significant one.
Phil Sutter [Fri, 22 Jun 2018 12:18:58 +0000 (14:18 +0200)]
expr/data_reg: Fix JSON parsing on big endian
Since reg->len is a 32bit variable, one needs to pass NFTNL_TYPE_U32 to
nftnl_jansson_parse_val(). Otherwise, only the most significant byte in
that variable is being written to.
Since the value could potentially be larger than 255, increase node_name
buffer to avoid a compiler warning.
Phil Sutter [Fri, 22 Jun 2018 12:18:57 +0000 (14:18 +0200)]
utils: Fix nftnl_get_value() on big endian
This function basically did:
| memcpy(out, val, <len of requested type>);
which works only for little endian integer types. Fix this by assigning
the 64bit input value to a variable of the right size and use that as
input for above memcpy() call.
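Added example, not libnftnl's code, covering this fix and the two big-endian JSON parsing fixes above it (the exthdr u8/u32 mix-up and the data_reg len width). All three are the same mistake: copying the first N bytes of a wider integer, which are the low bytes on little endian and the high bytes on big endian. The block models that copy for either byte order so the failure can be reproduced on an x86 build box, next to the narrow-then-copy version that is correct on both. Type names and helper names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum val_type { TYPE_U8, TYPE_U16, TYPE_U32, TYPE_U64 };

static size_t type_len(enum val_type t)
{
	switch (t) {
	case TYPE_U8:  return 1;
	case TYPE_U16: return 2;
	case TYPE_U32: return 4;
	default:       return 8;
	}
}

int host_is_little_endian(void)
{
	uint16_t one = 1;
	uint8_t first;
	memcpy(&first, &one, 1);
	return first == 1;
}

/* Pre-fix behaviour: copy the first `len` bytes of the 64-bit storage.
 * Little endian: the low bytes, i.e. the value.  Big endian: the high
 * bytes, so anything that fits in the narrow type comes out as zero. */
void get_value_buggy(uint64_t val, enum val_type t, void *out)
{
	memcpy(out, &val, type_len(t));
}

/* Post-fix behaviour: narrow to a variable of the requested width first.
 * The conversion is endian-agnostic, and the copy is then exact. */
void get_value_fixed(uint64_t val, enum val_type t, void *out)
{
	uint8_t  v8  = (uint8_t)val;
	uint16_t v16 = (uint16_t)val;
	uint32_t v32 = (uint32_t)val;

	switch (t) {
	case TYPE_U8:  memcpy(out, &v8,  sizeof(v8));  break;
	case TYPE_U16: memcpy(out, &v16, sizeof(v16)); break;
	case TYPE_U32: memcpy(out, &v32, sizeof(v32)); break;
	default:       memcpy(out, &val, sizeof(val)); break;
	}
}

/* Portable model of the buggy copy on a host of either byte order: lay
 * `val` out in that order, take the first len bytes, decode them in the
 * same order.  With little_endian == 0 this reproduces what SPARC, s390x or
 * a big-endian MIPS would have returned. */
uint64_t model_buggy_copy(uint64_t val, enum val_type t, int little_endian)
{
	uint8_t bytes[8], out[8] = { 0 };
	size_t len = type_len(t), i;
	uint64_t r = 0;

	for (i = 0; i < 8; i++) {
		unsigned shift = little_endian ? 8 * i : 8 * (7 - i);
		bytes[i] = (uint8_t)(val >> shift);
	}
	memcpy(out, bytes, len);
	for (i = 0; i < len; i++) {
		unsigned shift = little_endian ? 8 * i : 8 * (len - 1 - i);
		r |= (uint64_t)out[i] << shift;
	}
	return r;
}

/* What a caller asking for a u32 (or u8) sees through each path on this host. */
uint32_t read_back_u32(uint64_t val, int fixed)
{
	uint32_t out = 0;
	if (fixed)
		get_value_fixed(val, TYPE_U32, &out);
	else
		get_value_buggy(val, TYPE_U32, &out);
	return out;
}

uint8_t read_back_u8(uint64_t val, int fixed)
{
	uint8_t out = 0;
	if (fixed)
		get_value_fixed(val, TYPE_U8, &out);
	else
		get_value_buggy(val, TYPE_U8, &out);
	return out;
}
```

The TYPE_U8 case with little_endian == 0 is exactly the exthdr bug: a uint32_t 'type' passed through a void pointer and read as uint8_t yields its most significant byte on big endian, which is zero for every real extension header type.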
Yang Zheng [Tue, 20 Mar 2018 14:53:22 +0000 (22:53 +0800)]
examples: add nft-ct-helper-{add,get,del}
nft-ct-helper-{add,get,del}: add, get, or delete ct helper objects from the specified table.
Examples:
% ./nft-ct-helper-get ip filter
<nothing>
% ./nft-ct-helper-add ip filter sip-5060 sip udp
% ./nft-ct-helper-get ip filter
table filter name sip-5060 use 0 [ ct_helper name sip family 2 protocol 17 ]
% ./nft-ct-helper-del ip filter sip-5060
% ./nft-ct-helper-get ip filter
<nothing>
Signed-off-by: Yang Zheng <tomsun.0.7@gmail.com>
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>