This is only required by Linux kernel <= 3.16.x, that's too old and at
that time nft was very limited in term of features, so let's remove this
check from example files.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Armin K [Sat, 23 Dec 2017 20:12:04 +0000 (21:12 +0100)]
src: Fix exporting symbols with clang
When EXPORT_SYMBOL is located after function definition, clang won't
properly export the function, resulting in a library with no symbols
when built with clang.
Based on libmnl commit dcdb47373a37 ("Move declaration of visibility
attributes before definition.")
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1205 Signed-off-by: Armin K <krejzi@email.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
data_reg: calm down compilation warning in nftnl_data_reg_value_json_parse()
expr/data_reg.c: In function 'nftnl_data_reg_json_parse':
expr/data_reg.c:69:27: warning: '%d' directive writing between 1 and 10 bytes into a region of size 2 [-Wformat-overflow=]
sprintf(node_name, "data%d", i);
^~
expr/data_reg.c:69:22: note: directive argument in the range [0, 2147483647]
sprintf(node_name, "data%d", i);
Buffer overflow is triggerable when reg->len > 396, but len never goes
over 128 due to type validation just a bit before.
Use snprintf() and make sure buffer is large enough to store the
"data256" string.
Reported-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 14 Dec 2017 19:40:24 +0000 (20:40 +0100)]
set_elem: Don't return garbage in nftnl_set_elems_parse()
This might happen if netlink message is malformed (no nested attributes
are present), so treat this as an error and return -1 instead of
garbage to caller.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 14 Dec 2017 19:40:23 +0000 (20:40 +0100)]
ruleset: Avoid reading garbage in nftnl_ruleset_cb()
If nftnl_ruleset_json_parse() is called with arg == NULL, ctx.data is
left uninitialized and will later be used in nftnl_ruleset_cb(). Avoid
this by using a C99-style initializer for 'ctx' which sets all omitted
fields to zero.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 14 Dec 2017 19:40:22 +0000 (20:40 +0100)]
object: Avoid returning garbage in nftnl_obj_do_parse()
It may happen that 'perr' variable does not get initialized, so making
parameter 'err' point to it in any case is error-prone. Avoid this by
initializing 'perr' upon declaration.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 14 Dec 2017 19:40:21 +0000 (20:40 +0100)]
gen: Remove a pointless call to mnl_nlmsg_get_payload()
It is a common idiom in all *_nlmsg_parse() functions, but
nftnl_gen_nlmsg_parse() doesn't make use of the data pointer and the
compiler probably can't eliminate it since there could be a side-effect.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 14 Dec 2017 19:40:20 +0000 (20:40 +0100)]
data_reg: Add a missing break in nftnl_data_reg_snprintf
The code works fine as-is, but if reg_type == DATA_VALUE &&
output_format == NFTNL_OUTPUT_XML, we fall through to DATA_CHAIN case
and therefore pointlessly check output_format again.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: Change parameters of SNPRINTF_BUFFER_SIZE macro.
SNPRINTF_BUFFER_SIZE() macro declaration and definition is changed so
that it accepts three arguments ret, remain and offset. Parameters size
and len are not required instead parameter remain keeps track of
available space in the buffer.
Shyam Saini [Tue, 29 Aug 2017 12:49:36 +0000 (18:19 +0530)]
examples: Fix memory leaks detected by Valgrind
==11688== HEAP SUMMARY:
==11688== in use at exit: 40 bytes in 1 blocks
==11688== total heap usage: 7 allocs, 6 frees, 220 bytes allocated
==11688==
==11688== 40 bytes in 1 blocks are definitely lost in loss record 1 of 1
==11688== at 0x4C2AB80: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11688== by 0x5068955: mnl_nlmsg_batch_start (nlmsg.c:441)
==11688== by 0x40133B: main (nft-chain-add.c:103)
==11688==
==11688== LEAK SUMMARY:
==11688== definitely lost: 40 bytes in 1 blocks
==11688== indirectly lost: 0 bytes in 0 blocks
==11688== possibly lost: 0 bytes in 0 blocks
==11688== still reachable: 0 bytes in 0 blocks
==11688== suppressed: 0 bytes in 0 blocks
==11831== HEAP SUMMARY:
==11831== in use at exit: 40 bytes in 1 blocks
==11831== total heap usage: 7 allocs, 6 frees, 220 bytes allocated
==11831==
==11831== 40 bytes in 1 blocks are definitely lost in loss record 1 of 1
==11831== at 0x4C2AB80: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11831== by 0x5068955: mnl_nlmsg_batch_start (nlmsg.c:441)
==11831== by 0x401154: main (nft-chain-del.c:79)
==11831==
==11831== LEAK SUMMARY:
==11831== definitely lost: 40 bytes in 1 blocks
==11831== indirectly lost: 0 bytes in 0 blocks
==11831== possibly lost: 0 bytes in 0 blocks
==11831== still reachable: 0 bytes in 0 blocks
==11831== suppressed: 0 bytes in 0 blocks
Direct leak of 12 byte(s) in 2 object(s) allocated from:
#0 0x4cde58 in malloc (/usr/local/sbin/nft+0x4cde58)
#1 0x7ffff79b8c19 in nftnl_set_set_data /home/eric/git/netfilter/libnftnl/src/set.c:179
This patch provides symmetric hash support according to source
ip address and port, and destination ip address and port.
The new attribute NFTA_HASH_TYPE has been included to support
different types of hashing functions. Currently supported
NFT_HASH_JENKINS through jhash and NFT_HASH_SYM through symhash.
The main difference between both types are:
- jhash requires an expression with sreg, symhash doesn't.
- symhash supports modulus and offset, but not seed.
Examples:
nft add rule ip nat prerouting ct mark set jhash ip saddr mod 2
nft add rule ip nat prerouting ct mark set symhash mod 2
Signed-off-by: Laura Garcia Liebana <laura.garcia@zevenet.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Sun, 19 Feb 2017 17:19:03 +0000 (18:19 +0100)]
object: don't set NFTNL_OBJ_TYPE unless obj->ops is non-null
If nft sets an invalid type, nftnl_obj_ops_lookup will return NULL.
In this case we must not set NFTNL_OBJ_TYPE flag, else we later get
crash in nftnl_obj_nlmsg_build_payload as it dereferences obj->ops.
Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
This machinery was introduced to avoid sudden compilation breakage of
old nftables releases. With the upcoming release of 0.7 (and 0.6 which
is now 6 months old) this is not required anymore. Moreover, users gain
nothing from older releases since they are half-boiled and buggy.
So let's get rid of aliases now. Bump LIBVERSION and update map file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
expr: objref: add support for stateful object maps
If the NFT_SET_OBJECT flag is set, then this set stores a mapping
between any random user-defined arbitrary key and one stateful object.
Very useful for performance lookups.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This new attribute specifies the stateful object type this set stores.
Similar to data type, but specific to store objects. You must set the
NFT_SET_OBJECT flag to use this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
examples: nft-set-add: update it to add a set that stores port numbers
This patch updates the existing example to add a set that stores port
numbers. In order to interoperate with the nft tool, we use the datatype
numbers defined there.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Register this simple expression with no attributes. Make sure libnftnl
doesn't crash when no build and parse indirections are defined, as it
is the case for this expression.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add range expression available that is scheduled for linux kernel 4.9.
This range expression allows us to check if a given value placed in a
register is within/outside a specified interval.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
If NFTNL_EXPR_LOG_FLAGS is not set, it's unnecessary to print out the
flags value. Furthermore, it's better to print out string message
instead of the hex value.
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
expr: queue: add NFTA_QUEUE_SREG_QNUM attr support
After adding _SREG_QNUM attr, queuenum is not must option anymore,
so we must test NFTNL_EXPR_QUEUE_NUM first before dumpping queue num
in snprintf_default. Also add a tailing space in snprintf_default,
this is consistent with other expressions.
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add support to pass through an offset value to the counter
initialization. With this feature, the sysadmin is able to apply a value
to be added to the generated number.
Example:
meta mark set numgen inc mod 2 offset 100
This will generate marks with series 100, 101, 100, 101, ...
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Sync this with the kernel header file we currently have in tree.
This patch addresses the compilation warning and breakage as result of
this header update, specifically the "attibute" typo in trace and
missing default case in expr/numgen.c.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
An immediate expression of type 'DATA_VERDICT' can have set a chain (jump
or goto), in this cases we must compare its 'union nftnl_data_reg' using
'DATA_CHAIN' flag instead of 'DATA_VERDICT'
Before this patch compare expressions "jump -> chain_a" and
"jump -> chain_b" returns they are equals.
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
projects / thirdparty / libnftnl.git / log
