Phil Sutter [Wed, 2 Oct 2024 14:44:49 +0000 (16:44 +0200)]
utils: Introduce nftnl_parse_str_attr()
Wrap the common parsing of string attributes in a function. Apart from
slightly reducing code size, this unifies callers in conditional freeing
of the field in case it was set before (missing in twelve spots) and
error checking for failing strdup()-calls (missing in four spots).
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
Phil Sutter [Tue, 7 Oct 2025 15:45:25 +0000 (17:45 +0200)]
utils: Drop asterisk from end of NFTA_DEVICE_PREFIX strings
The asterisk left in place becomes part of the prefix by accident and is thus
both included when matching interface names as well as dumped back to user
space.
Fixes: f30eae26d813e ("utils: Add helpers for interface name wildcards")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Tue, 1 Oct 2024 10:59:29 +0000 (12:59 +0200)]
utils: Add helpers for interface name wildcards
Support simple (suffix) wildcards in NFTNL_{CHAIN,FLOWTABLE}_DEVICES
identified by NFTA_DEVICE_PREFIX attribute. Add helpers converting to
and from the human-readable asterisk-suffix notation.
Only vxlan gbp can work before this patch because
NFTNL_OBJ_TUNNEL_ERSPAN_V2_DIR is off by one in the internal object
flags.
Replace them by NFTNL_OBJ_TUNNEL_OPTS and add two new opaque
nftnl_tunnel_opts and nftnl_tunnel_opt structs to represent tunnel
options.
- nftnl_tunnel_opt_alloc() allocates one tunnel option.
- nftnl_tunnel_opt_set() sets it up.
- nftnl_tunnel_opt_get() gets the option attribute.
Then, to manage the list of options:
- nftnl_tunnel_opts_alloc() allocates a list of tunnel options.
- nftnl_tunnel_opts_add() adds an option to the list.
Although vxlan and erspan support a single tunnel option at this
stage, this API prepares for supporting geneve, which allows for more
tunnel options.
Joint work with Fernando.
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
set: dump set backend name (hash, rbtree...) and elem count, if available
In case kernel provided the information do include it in debug dump:
nft --debug=netlink list ruleset
family 2 s t 0 backend nft_set_rhash_type
family 2 __set0 t 3 size 3 backend nft_set_hash_fast_type count 3
family 2 __set1 t 3 size 2 backend nft_set_bitmap_type count 2
[..]
Zhongqiu Duan [Tue, 18 Mar 2025 16:02:04 +0000 (16:02 +0000)]
expr: payload: print tunnel header
The debug printing of the payload expr shows the tunnel header name as
unknown. Since, after the first version, we added two new payload bases,
inner and tunnel, I prefer to make this change to meet possible future
extensions rather than setting NFT_PAYLOAD_TUN_HEADER as the new bound.
Reproduce:
nft --debug netlink add rule inet t c meta l4proto udp vxlan vni 0x123456
Before patch:
...
[ inner type 1 hdrsize 8 flags f [ payload load 3b @ unknown header + 4 => reg 1 ] ]
...
After patch:
...
[ inner type 1 hdrsize 8 flags f [ payload load 3b @ tunnel header + 4 => reg 1 ] ]
...
[ Remove defensive check in original patch --pablo ]
Phil Sutter [Wed, 27 Nov 2024 17:54:53 +0000 (18:54 +0100)]
tests: Fix for ASAN
The 'data' arrays in match and target expression tests were undersized
as they did not cover for the terminating NUL-char of the string used to
initialize them. When passing such an array to strdup(), the latter reads
until after the defined array boundary.
Fixes: 93483364369d8 ("src: get rid of cached copies of x_tables.h and xt_LOG.h")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Wed, 27 Nov 2024 15:30:08 +0000 (16:30 +0100)]
set: Fix for array overrun when setting NFTNL_SET_DESC_CONCAT
Assuming max data_len of 16 * 4B and no zero bytes in 'data':
The while loop will increment field_count, use it as index for the
field_len array and afterwards make sure it hasn't increased to
NFT_REG32_COUNT. Thus a value of NFT_REG32_COUNT - 1 (= 15) will pass
the check, get incremented to 16 and used as index to the 16 fields long
array.
Use a less fancy for-loop to avoid the increment vs. check problem.
Fixes: 407f616ea5318 ("set: buffer overflow in NFTNL_SET_DESC_CONCAT setter")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
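The increment-versus-check problem described above, as an added illustration in C. This is not libnftnl's code: the descriptor struct, the guarded field_at() accessor and the function names are hypothetical stand-ins, and the input is constructed; the only value taken from the commit message is NFT_REG32_COUNT = 16.

```c
#include <stdint.h>
#include <string.h>

#define NFT_REG32_COUNT 16

/* Hypothetical stand-in for the descriptor: 16 field lengths plus a count. */
struct set_desc {
	uint8_t field_len[NFT_REG32_COUNT];
	uint8_t field_count;
};

/* Guarded stand-in for field_len[idx]: records an out-of-bounds index in *oob
 * instead of dereferencing it, so the buggy pattern can be run safely. */
static uint8_t field_at(const struct set_desc *d, unsigned idx, int *oob)
{
	if (idx >= NFT_REG32_COUNT) { *oob = 1; return 0; }
	return d->field_len[idx];
}

/* Increment-then-check, the pattern the commit message describes: the index is
 * bumped and used first and only then compared with the bound, so 15 passes
 * the check, becomes 16 and indexes the 16-entry array. Returns -1 on overrun. */
static int scan_increment_then_check(struct set_desc *d)
{
	int oob = 0;
	d->field_count = 0;
	while (field_at(d, ++d->field_count, &oob)) {
		if (d->field_count >= NFT_REG32_COUNT) break;
	}
	return oob ? -1 : d->field_count;
}

/* The fix: a plain for-loop that tests the bound before every access. */
static int scan_for_loop(struct set_desc *d)
{
	int oob = 0;
	for (d->field_count = 0;
	     d->field_count < NFT_REG32_COUNT && field_at(d, d->field_count, &oob);
	     d->field_count++)
		;
	return oob ? -1 : d->field_count;
}

/* Constructed input: nfields non-zero lengths (4 bytes each), rest zero.
 * Returns the scan's resulting field count, or -1 if it stepped out of bounds. */
static int run_scan(unsigned nfields, int (*scan)(struct set_desc *))
{
	struct set_desc d;
	memset(&d, 0, sizeof(d));
	for (unsigned i = 0; i < nfields && i < NFT_REG32_COUNT; i++)
		d.field_len[i] = 4;
	return scan(&d);
}
```

With all 16 slots non-zero the first scan produces index 16 while the for-loop stops at the bound; for fewer fields both agree on the count.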
Jeremy Sowden [Wed, 13 Nov 2024 21:27:08 +0000 (22:27 +0100)]
expr: bitwise: add support for kernel space AND, OR and XOR operations
Hitherto, the kernel has only supported boolean operations of the form:
dst = (src & mask) ^ xor
where `src` is held in a register, and `mask` and `xor` are immediate
values. User space has converted AND, OR and XOR operations to this
form, and so one operand has had to be immediate. The kernel now
supports performing AND, OR and XOR operations directly, on one register
and an immediate value or on two registers, so we make that support
available to user space.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
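The mask-and-xor rewrite that user space had to perform before this change, as an added illustration in C (not libnftnl's or the kernel's code; the enum, struct and function names are hypothetical, and the register values are constructed). It shows how AND, OR and XOR with an immediate each map onto dst = (src & mask) ^ xor, and why a second register operand does not fit that form.

```c
#include <stdint.h>

/* The only boolean primitive the kernel offered before this change. */
static uint32_t mask_xor(uint32_t src, uint32_t mask, uint32_t xor)
{
	return (src & mask) ^ xor;
}

enum bool_op { OP_AND, OP_OR, OP_XOR };

struct mask_xor_form {
	uint32_t mask;
	uint32_t xor;
};

/* Rewrite "src OP imm" into mask/xor immediates, as user space had to do
 * while only the mask-and-xor form existed:
 *   src & imm -> mask = imm,  xor = 0
 *   src | imm -> mask = ~imm, xor = imm  (bits of imm are cleared, then set)
 *   src ^ imm -> mask = ~0,   xor = imm
 * This only works when one operand is an immediate: a register operand cannot
 * be folded into fixed mask/xor values, hence the new direct operations. */
static struct mask_xor_form to_mask_xor(enum bool_op op, uint32_t imm)
{
	struct mask_xor_form f = { UINT32_MAX, 0 };
	switch (op) {
	case OP_AND: f.mask = imm;        f.xor = 0;   break;
	case OP_OR:  f.mask = ~imm;       f.xor = imm; break;
	case OP_XOR: f.mask = UINT32_MAX; f.xor = imm; break;
	}
	return f;
}

/* Reference semantics of the direct AND/OR/XOR operations. */
static uint32_t direct_op(enum bool_op op, uint32_t a, uint32_t b)
{
	switch (op) {
	case OP_AND: return a & b;
	case OP_OR:  return a | b;
	default:     return a ^ b;
	}
}

/* Returns 1 if the rewritten form agrees with the direct operation on a few
 * constructed register values, 0 on the first mismatch. */
static int check_equivalent(enum bool_op op, uint32_t imm)
{
	static const uint32_t regs[] = { 0, UINT32_MAX, 0x12345678, 0xdeadbeef, 0x80000001 };
	struct mask_xor_form f = to_mask_xor(op, imm);
	for (unsigned i = 0; i < sizeof(regs) / sizeof(regs[0]); i++)
		if (mask_xor(regs[i], f.mask, f.xor) != direct_op(op, regs[i], imm))
			return 0;
	return 1;
}
```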
Jeremy Sowden [Wed, 13 Nov 2024 21:39:12 +0000 (22:39 +0100)]
expr: bitwise: rename some boolean operation functions
In the next patch we add support for doing AND, OR and XOR operations
directly in the kernel, so rename some functions and an enum constant
related to mask-and-xor boolean operations.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 16 Oct 2024 16:47:32 +0000 (18:47 +0200)]
Use SPDX License Identifiers in headers
Replace the copyright notice in header comments by an equivalent
SPDX-License-Identifier string. Drop a following empty line if at the
bottom of the comment. Leave any other header comment content in place.
This also fixes an incomplete notice in examples/nft-ruleset-get.c
since commit c335442eefcca ("src: incorrect header refers to GPLv2
only").
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Mon, 30 Aug 2021 12:38:27 +0000 (14:38 +0200)]
Introduce struct nftnl_str_array
This data structure holds an array of allocated strings for use in
nftnl_chain and nftnl_flowtable structs. For convenience, implement
functions to clear, populate and iterate over contents.
While at it, extend chain and flowtable tests to cover these attributes,
too.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 1 Oct 2024 16:01:43 +0000 (18:01 +0200)]
rule: Don't append a newline when printing a rule
Since commit c759027a526ac, printed rules may or may not end with a
newline depending on whether userdata was present or not. Deal with this
inconsistency by avoiding the trailing newline in all cases.
Fixes: c759027a526ac ("rule, set_elem: remove trailing \n in userdata snprintf")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Wed, 10 Apr 2024 12:29:07 +0000 (14:29 +0200)]
expr: limit: Prepare for odd time units
When limit->unit is not a known timespan, use the largest possible unit
and print the value along with it. This enables libnftnl debug output to
correctly print arbitrary quotients, like '3/5 minutes' for instance.
expr: use NFTA_* netlink attributes to build fields, not NFTNL_EXPR_*
Coincidentally NFTNL_EXPR_BASE starts at 1 which comes right after
NFTA_*_UNSPEC which is zero. And NFTNL_EXPR_ attribute values were
mapping to NFTA_* attributes.
Use NFTA_* for netlink attribute types instead.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 7 Mar 2024 13:49:08 +0000 (14:49 +0100)]
expr: Respect data_len when setting attributes
With attr_policy in place, data_len has an upper boundary but it may be
lower than the attribute's storage area in which case memcpy() would
read garbage.
Phil Sutter [Thu, 7 Mar 2024 13:34:18 +0000 (14:34 +0100)]
obj: Respect data_len when setting attributes
With attr_policy in place, data_len has an upper boundary. Use it for
memcpy() calls to cover for callers passing data with a lower size than
the attribute's storage.
Phil Sutter [Thu, 7 Mar 2024 12:56:14 +0000 (13:56 +0100)]
obj: Enforce attr_policy compliance in nftnl_obj_set_data()
Every object type defines an attr_policy array, so deny setting
attributes for object types which don't have it present or if it
specifies a non-zero maxlen which is lower than the given data_len.
Phil Sutter [Thu, 7 Mar 2024 12:46:26 +0000 (13:46 +0100)]
obj: Introduce struct obj_ops::attr_policy
Just like with struct expr_ops::attr_policy, enable object types to
inform about restrictions on attribute use. This way generic object code
may perform sanity checks before dispatching to object ops.
Phil Sutter [Thu, 14 Mar 2024 15:54:55 +0000 (16:54 +0100)]
obj: Return value on setters
Similar to other setters, let callers know if memory allocation fails.
Return a value from all setters though, as all of them may be used to set
object type-specific attributes, which may fail (e.g. if NFTNL_OBJ_TYPE
was not set before).
Phil Sutter [Fri, 15 Dec 2023 15:32:30 +0000 (16:32 +0100)]
expr: Enforce attr_policy compliance in nftnl_expr_set()
Every expression type defines an attr_policy array, so deny setting
attributes if not present. Also deny if maxlen field is non-zero and
lower than the given data_len.
Some attributes' max length is not fixed (e.g. NFTNL_EXPR_{TG,MT}_INFO)
or is not sensible to check (e.g. NFTNL_EXPR_DYNSET_EXPR). The zero
maxlen "nop" is also used for deprecated attributes, just to not
silently ignore them.
Phil Sutter [Fri, 15 Dec 2023 15:30:52 +0000 (16:30 +0100)]
expr: Introduce struct expr_ops::attr_policy
Similar to kernel's nla_policy, enable expressions to inform about
restrictions on attribute use. This allows the generic expression code
to perform sanity checks before dispatching to expression ops.
For now, this holds only the maximum data len which may be passed to
nftnl_expr_set().
While one may debate whether accepting e.g. uint32_t for sreg/dreg
attributes is correct, it is necessary to not break nftables.
Note that this introduces artificial restrictions on name lengths which
were caught by the kernel (if nftables didn't).
Phil Sutter [Wed, 13 Dec 2023 13:56:49 +0000 (14:56 +0100)]
expr: Repurpose struct expr_ops::max_attr field
Instead of holding the maximum kernel space (NFTA_*) attribute value,
use it to hold the maximum expression attribute (NFTNL_EXPR_*) value
instead. This will be used for index boundary checks in an attribute
policy array later.
set: buffer overflow in NFTNL_SET_DESC_CONCAT setter
Allow setting a maximum limit of sizeof(s->desc.field_len), which is 16
bytes; otherwise, bail out. Ensure s->desc.field_count does not go over
the array boundary.
Fixes: 7cd41b5387ac ("set: Add support for NFTA_SET_DESC_CONCAT attributes")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Nicholas Vinson [Wed, 27 Dec 2023 03:05:17 +0000 (22:05 -0500)]
chain: Removed non-defined functions
The functions nftnl_chain_parse(), nftnl_chain_parse_file(),
nftnl_set_elems_foreach(), and nftnl_obj_unset() are no longer defined
and have been removed from the code.
The functions nftnl_chain_parse() and nftnl_chain_parse_file() were removed
with commit 80077787f8f2 ("src: remove json support").
The function nftnl_set_elems_foreach() does not appear to have ever been
defined.
However, libnftnl.map still lists these functions which causes libnftnl
to fail to link with ld.lld as the option --undefined-version is
disabled by default.
corubba [Sat, 9 Dec 2023 22:03:01 +0000 (23:03 +0100)]
object: getters take const struct
As with all the other entities (like table or set), the getter functions
for objects now take a `const struct nftnl_obj*` as first parameter.
The getters for all specific object types (like counter or limit), which
are called in the default switch-case, already do.
Signed-off-by: corubba <corubba@gmx.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
libnftnl support for broute meta statement introduced in:
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230224095251.11249-1-sriram.yagnaraman@est.tech/
Signed-off-by: Sriram Yagnaraman <sriram.yagnaraman@est.tech>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The logic to build NFTA_CHAIN_HOOK enforces the presence of the hook
number and priority to include the devices. Relax this to allow for
incremental device updates.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Ian Pilcher [Tue, 18 Oct 2022 16:45:28 +0000 (11:45 -0500)]
libnftnl: Fix res_id byte order
The res_id member of struct nfgenmsg is supposed to be in network
byte order (big endian). Call htons() in __nftnl_nlmsg_build_hdr()
to ensure that this is true on little endian systems.
There is a kernel workaround that was introduced in 4.3 to address
this issue:
Jeremy Sowden [Sat, 27 Aug 2022 17:17:17 +0000 (18:17 +0100)]
rule, set_elem: fix printing of user data
Hitherto, alphanumeric characters have been printed as-is, but anything
else was replaced by '\0'. However, this effectively truncates the
output. Instead, print any printable character as-is and print anything
else as a hexadecimal escape sequence:
userdata = { \x01\x04\x01\x00\x00\x00 }
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
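The truncation described above and the hex-escape fix, as an added illustration in C. This is not libnftnl's code: both formatter functions are hypothetical re-creations of the behaviour the commit message describes, and the six-byte sample is constructed from the blob quoted there.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Previous behaviour as the commit describes it: alphanumerics as-is, any
 * other byte replaced by '\0'. "%c" with 0 stores a real NUL, so the first
 * non-alphanumeric byte terminates the C string and truncates the dump. */
static int format_userdata_old(const unsigned char *data, size_t len,
			       char *buf, size_t size)
{
	int off = snprintf(buf, size, "userdata = { ");
	for (size_t i = 0; i < len && (size_t)off < size; i++)
		off += snprintf(buf + off, size - off, "%c", isalnum(data[i]) ? data[i] : '\0');
	if ((size_t)off < size)
		off += snprintf(buf + off, size - off, " }");
	return off;
}

/* Fixed behaviour: printable bytes as-is, everything else as a \xNN escape. */
static int format_userdata_new(const unsigned char *data, size_t len,
			       char *buf, size_t size)
{
	int off = snprintf(buf, size, "userdata = { ");
	for (size_t i = 0; i < len && (size_t)off < size; i++) {
		if (isprint(data[i]))
			off += snprintf(buf + off, size - off, "%c", data[i]);
		else
			off += snprintf(buf + off, size - off, "\\x%02x", data[i]);
	}
	if ((size_t)off < size)
		off += snprintf(buf + off, size - off, " }");
	return off;
}

/* Constructed sample: the six-byte blob quoted in the commit message. */
static const unsigned char sample[] = { 0x01, 0x04, 0x01, 0x00, 0x00, 0x00 };

/* New formatter on the sample; yields "userdata = { \x01\x04\x01\x00\x00\x00 }". */
static const char *dump_sample_new(void)
{
	static char buf[64];
	format_userdata_new(sample, sizeof(sample), buf, sizeof(buf));
	return buf;
}

/* Visible length of the old formatter's output: the string ends right after
 * "userdata = { " because the leading 0x01 byte became a terminating NUL. */
static size_t dump_sample_old_len(void)
{
	static char buf[64];
	format_userdata_old(sample, sizeof(sample), buf, sizeof(buf));
	return strlen(buf);
}
```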
When building with clang and glibc and -D_FORTIFY_SOURCE=2 is passed to
clang, the snprintf member of the expr_ops and obj_ops structures will
be incorrectly replaced with __builtin_snprintf_chk() which results in
"error: no member named '__builtin___snprintf_chk'" errors at build
time.
This patch changes the member name from 'snprintf' to 'output' to
prevent the replacement.
This bug can be emulated using GCC by undefining the __va_arg_pack macro
before stdio.h is included.
This patch is based on the notes provided in
https://bugs.gentoo.org/807766.
Signed-off-by: Nicholas Vinson <nvinson234@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
This patch reworks 228e8b174627 ("set_elem: Fix printing of verdict map
elements"): check if NFTNL_SET_ELEM_VERDICT is set, then print the set
element verdict.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>