Jan Engelhardt [Wed, 16 Sep 2015 17:12:47 +0000 (19:12 +0200)]
build: bump library versioning
Commit libnftnl-1.0.3-31-g5ea54b2 removed a symbol. Such requires a
bumped to n+1:0:0. The symbol groups can be merged again to save time
processing them as the groups are relative to a particular SONAME
(of which we have a new one).
Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch restores the original nft_* definitions from the header files to
avoid sudden compilation breakage of the existing clients of this library.
Then, moving forward the idea is to deprecate the old nft_* symbols anytime
soon using __attribute__((deprecated)) from the header files to warn our users
that they need to update their code.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: introduce nftnl_* aliases for all existing functions
This patch introduces the nftnl_ symbols as aliases for the existing nft_
symbols through the EXPORT_SYMBOL(...) macro.
We would like to use the nft_* prefix from our upcoming higher level library,
meanwhile with this move we avoid that old binaries break because of missing
symbol dependencies.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
expr: immediate: fix leak in expression destroy path
The verdict can be a chain string, make sure we release it when the expression
is destroyed. This patch adds a new nft_free_data() for this purpose and use it
from the immediate expression.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
You can fetch a pointer to the next spare area in the current page to add a new
netlink message to the batch.
void *nft_batch_buffer(struct nft_batch *batch);
Once you have added a netlink message, you have to call:
nft_batch_update(batch);
this internally updates the pointer to the next spare data area in the page.
Every page has a limit threshold after which you start using the overrun area.
page .------.
| |
| |
. . page area
| |
| |
|------|<--- limit
| |
| | overrun area
| |
'______'<--- real page size
If we write over the limit, then the next call to nft_batch_update() results in
a new empty page added to the batch. With careful page size and limit
selection, we ensure that a netlink message always fit into the page, so we
avoid the overhead of canceling the netlink message that doesn't fit in.
Once your batch is complete, if you want to send it out to kernel-space, you
can convert them to iovec via:
nft_batch_iovec(batch, iov, iov_len);
Then, after having sent the batch, you can release it via:
nft_batch_free(batch);
This class relies on the libmnl batching infrastructure.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Patrick McHardy [Sun, 12 Apr 2015 19:17:52 +0000 (20:17 +0100)]
expr: seperate expression parsing and building functions
The expression build function currently assumes to be only used from
rule context and actually builds rule attributes. Fix that and only
build the expression. Also it seems to have been exported by accident,
undo that.
Additionally, move the expression parsing function from rule parsing
and also remove any assumptions about being used in rule context.
expr/dynset.c: In function 'nft_rule_expr_dynset_json_parse':
expr/dynset.c:194:3: warning: implicit declaration of function 'nft_rule_expr_dynset_str' [-Wimplicit-function-declaration]
nft_rule_expr_dynset_str(e, NFT_EXPR_DYNSET_SET, set_name);
^
expr/dynset.c:194:31: error: 'NFT_EXPR_DYNSET_SET' undeclared (first use in this function)
nft_rule_expr_dynset_str(e, NFT_EXPR_DYNSET_SET, set_name);
^
expr/dynset.c:194:31: note: each undeclared identifier is reported only once for each function it appears in
expr/dynset.c:197:3: warning: implicit declaration of function 'nft_rule_expr_dynset_u32' [-Wimplicit-function-declaration]
nft_rule_expr_dynset_u32(e, NFT_EXPR_DYNSET_SREG, sreg);
^
expr/dynset.c:197:31: error: 'NFT_EXPR_DYNSET_SREG' undeclared (first use in this function)
nft_rule_expr_dynset_u32(e, NFT_EXPR_DYNSET_SREG, sreg);
^
expr/dynset.c:200:31: error: 'NFT_EXPR_DYNSET_DREG' undeclared (first use in this function)
nft_rule_expr_dynset_u32(e, NFT_EXPR_DYNSET_DREG, dreg);
^
expr/dynset.c: In function 'nft_rule_expr_dynset_xml_parse':
expr/dynset.c:220:31: error: 'NFT_EXPR_DYNSET_SET' undeclared (first use in this function)
nft_rule_expr_dynset_str(e, NFT_EXPR_DYNSET_SET, set_name);
^
expr/dynset.c:224:31: error: 'NFT_EXPR_DYNSET_SREG' undeclared (first use in this function)
nft_rule_expr_dynset_u32(e, NFT_EXPR_DYNSET_SREG, sreg);
^
expr/dynset.c:228:31: error: 'NFT_EXPR_DYNSET_DREG' undeclared (first use in this function)
nft_rule_expr_dynset_u32(e, NFT_EXPR_DYNSET_DREG, dreg);
^ Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
Patrick McHardy [Thu, 26 Mar 2015 12:48:36 +0000 (12:48 +0000)]
list: fix prefetch dummy
../include/linux_list.h:385:59: warning: right-hand operand of comma expression has no effect [-Wunused-value]
for (pos = list_entry((head)->next, typeof(*pos), member), \
^
set.c:266:2: note: in expansion of macro 'list_for_each_entry'
list_for_each_entry(elem, &set->element_list, head) {
src: restore static array with expression operations
We cannot use __attribute__((constructor)) to register the supported
expressions in runtime when the library is statically linked. This lead
us to some explicit libnftnl_init() function that needs to be called
from the main() function of the client program.
This patch reverts 4dd0772 ("expr: use __attribute__((constructor)) to
register expression").
Reported-by: Laurent Bercot <ska-devel@skarnet.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Alvaro Neira [Tue, 24 Feb 2015 08:10:32 +0000 (09:10 +0100)]
ruleset: fix crash if we free sets included in the set_list
When we parse a ruleset which has a rule using a set. First step is to
parse the set, set up an ID and add it to a set list. Later, we use this
set list to find the set associated to the rule and we set up the set ID
to the expression (lookup expression) of the rule.
The problem is that if we return this set to the callback function
nft_ruleset_parse_file_cb() and we free this set, we have a crash when
we try to iterate in the set list.
This patch solves it, cloning the set and adding the new set to the set
list.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The internal.h file started being a small file with private definitions.
Its size has been increasing over time more and more, so let's split
this in small header files that map to the corresponding class where the
functions belong to.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Alvaro Neira [Wed, 11 Feb 2015 21:12:22 +0000 (22:12 +0100)]
ruleset: fix leak in json/xml in set lists
==18632== 285 (16 direct, 269 indirect) bytes in 1 blocks are definitely lost in loss record 6 of 6
==18632== at 0x4C272B8: calloc (vg_replace_malloc.c:566)
==18632== by 0x5043822: nft_set_list_alloc (set.c:977)
==18632== by 0x5045483: nft_ruleset_json_parse (ruleset.c:442)
==18632== by 0x50458BE: nft_ruleset_do_parse (ruleset.c:696)
==18632== by 0x408AEC: do_command (rule.c:1317)
==18632== by 0x406B05: nft_run (main.c:194)
==18632== by 0x40667C: main (main.c:360)
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Alvaro Neira [Wed, 11 Feb 2015 21:12:21 +0000 (22:12 +0100)]
rule: don't release the tree parameter from nft_jansson_parse_rule()
We release the tree that we receive from the parameter in
nft_jansson_parse_rule. With this patch, we're going to release the tree
where we create it. Therefore, we will have a code more traceable and
readable.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The idea is to invoke the callback function that is passed as parameter is
called for each object that is parsed from the corresponding input. Each
callback has access to the nft_parse_ctx structure that provides the necessary
context such as the command, the object type and the object itself.
This change also adds support to update the content of a set incrementally.
Where we explicitly indicate that we want to add a table.
We support all the actions that we can do with nft, they are:
- Add, delete and flush tables and chains.
- Add, delete, replace and insert rules.
- Add and delete sets.
- Add and delete set elements.
- Flush ruleset.
Alvaro Neira [Fri, 23 Jan 2015 14:49:51 +0000 (15:49 +0100)]
set: refactor code in json parse function
This patch refactors code to parse the set in two functions
nft_jansson_parse_set_info and nft_jansson_parse_set. These changes are
used in follow up patches.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Alvaro Neira [Mon, 12 Jan 2015 13:46:15 +0000 (14:46 +0100)]
ruleset: refactor nft_ruleset_*_parse_ruleset()
Refactor the parsing ruleset element functions calls in xml/json to do
that calls in the functions nft_ruleset_*_parse_ruleset. This patch is
used in follow up patches.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Alvaro Neira [Mon, 12 Jan 2015 13:46:14 +0000 (14:46 +0100)]
src: don't create iterator with empty list
Currently, we create iterator without test if the list is empty. If the
list is empty, we have a crash when we set up the current element. With
this patch, we test if the list is empty before to create the iterator.
If the list is empty the iterator return NULL.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Giuseppe Longo [Thu, 20 Nov 2014 12:15:57 +0000 (13:15 +0100)]
buffer: include stdarg header
This fixes the following warnings:
buffer.c: In function 'nft_buf_put':
buffer.c:53:2: warning: implicit declaration of function 'va_start' [-Wimplicit-function-declaration]
va_start(ap, fmt);
^
buffer.c:56:2: warning: implicit declaration of function 'va_end' [-Wimplicit-function-declaration]
va_end(ap);
^
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
data_reg is unnecessarily long name and it always has to be
wrapped by another data node. This will allow us to represent
data not only as registers if needed.
Get rid of 'cmpdata' and 'immediatedata' too and use 'data'
instead to wrap 'reg' so these are consistent with the bitwise
expression. No reason for such specific tag per expression.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add new buffer class to consolidate the existing code to export objects
in XML/JSON and use it. We save ~700 LOC with this change.
The rule and set objects are not yet consolidated. It seems this would
require some specific glue code per representation type since lists are
arranged differently.
This also consolidates the tag names, so we make sure the same are used
from XML and JSON by placing them in include/buffer.h.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Arturo Borrero [Mon, 20 Oct 2014 11:52:18 +0000 (13:52 +0200)]
utils: fix arp family number
NFPROTO_ARP = 3 in kernel space.
We need the same value here in userspace in order to correctly communicate
with the kernel.
The failure solved by this patch made that {XML|JSON}-parsed tables of ARP
family unable to be directly injected into kernel.
To prevent future errors, this patch changes raw and AF_* values by the mathing
NFPROTO_* couterpart as seen in linux/netfilter.h in both functions:
* nft_family2str()
* nft_str2family()
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Arturo Borrero [Fri, 10 Oct 2014 19:43:44 +0000 (21:43 +0200)]
src: cleanup in mxml and jansson regarding set_id parsing
jansson.c: In function 'nft_jansson_expr_parse':
jansson.c:212:6: warning: pointer targets in passing argument 3 of 'nft_set_lookup_id' differ in signedness [-Wpointer-sign]
In file included from jansson.c:10:0:
./internal.h:95:5: note: expected 'uint32_t *' but argument is of type 'int *'
jansson.c:195:18: warning: unused variable 'set_cur' [-Wunused-variable]
mxml.c: In function 'nft_mxml_expr_parse':
mxml.c:97:6: warning: pointer targets in passing argument 3 of 'nft_set_lookup_id' differ in signedness [-Wpointer-sign]
In file included from mxml.c:12:0:
internal.h:95:5: note: expected 'uint32_t *' but argument is of type 'int *'
mxml.c:68:18: warning: unused variable 'set_cur' [-Wunused-variable]
Spotted with: gcc (Debian 4.7.2-5) 4.7.2
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Alvaro Neira [Fri, 3 Oct 2014 18:02:40 +0000 (20:02 +0200)]
src: internal set id allocation from nft_ruleset_parse*()
Extends this function to attach the set to the rule through the set_idi.
If it doesn't exist in the list, maybe the set already exists in the
kernel. In that case, we don't set any id.
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The generation object currently only contains the uint32_t that
indicates the generation ID. I could have just add the API to return
the uint32_t ID instead, but I think this API is easier to extend
without adding new APIs.
We can probably include meaningful statistics in the generation
message in the future without much hassle.
This patch also extends examples/nft-events.c.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: get rid of cached copies of x_tables.h and xt_LOG.h
Keeping the full cached copy the of x_tables.h file in tree is too much
for just the XT_EXTENSION_MAXNAMELEN constant. Similarly, xt_LOG.h is not
actually required by the tests, we can use any whatever syntetic data
to make sure the setter and getter provide the same result. So, let's
get rid of these headers from the library tree.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Ana Rey [Tue, 5 Aug 2014 18:30:18 +0000 (20:30 +0200)]
expr: meta: Add pkttype support
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com> Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
When ELF binaries and shared libraries are used, the internal
functions of libnftnl such as xfree() are not visible to the outside
world (their visibility is 'hidden'). Therefore, the fact that other
programs (especially nftables) may have symbols with the same name
does not cause any problem.
However, when doing static linking on a non-ELF platform (such as
Blackfin, which uses the FLAT binary format), there is no way of
encoding this visibility. Therefore, the xfree() symbols of libnftnl
becomes visible to the outside world, causing a conflict with the
xfree() symbol defined by nftables.
To solve this, this patch convers xfree as a macro instead of
a function.
Reported-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
projects / thirdparty / libnftnl.git / log
