Add include header for NFTNL_CTTIMEOUT_ARRAY_MAX. Fixes compilation error:
"../include/obj.h:43:21: error: ‘NFTNL_CTTIMEOUT_ARRAY_MAX’ undeclared here (not in a function);"
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Use an internal array and expose maximum size so we can just use the
same array size for all protocol timeouts. This simplifies handling
a bit and we don't need to set NFTNL_OBJ_CT_TIMEOUT_L4PROTO in the first
place.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Fri, 22 Jun 2018 12:18:59 +0000 (14:18 +0200)]
expr/exthdr: Fix JSON parsing on big endian
When setting NFTNL_EXPR_EXTHDR_TYPE, one needs to call
nftnl_expr_set_u8() and not nftnl_expr_set_u32(). Otherwise 'type'
variable is assigned to uint32_t parameter before being passed to
nftnl_expr_exthdr_set() as void pointer which casts it to uint8_t.
On big endian systems, the latter would only consider the most
significant byte instead of the least significant one.
Phil Sutter [Fri, 22 Jun 2018 12:18:58 +0000 (14:18 +0200)]
expr/data_reg: Fix JSON parsing on big endian
Since reg->len is a 32bit variable, one needs to pass NFTNL_TYPE_U32 to
nftnl_jansson_parse_val(). Otherwise, only the most significant byte in
that variable is being written to.
Since the value could potentially be larger than 255, increase node_name
buffer to avoid a compiler warning.
Phil Sutter [Fri, 22 Jun 2018 12:18:57 +0000 (14:18 +0200)]
utils: Fix nftnl_get_value() on big endian
This function basically did:
| memcpy(out, val, <len of requested type>);
which works only for little endian integer types. Fix this by assigning
the 64bit input value to a variable of the right size and use that as
input for above memcpy() call.
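The three big-endian fixes above (exthdr's set_u8 versus set_u32, data_reg's NFTNL_TYPE_U32 and nftnl_get_value()) share one root cause: bytes of a wider integer are copied or reinterpreted at a narrower width, which only picks the low-order bytes on little-endian hosts. The following is an added example, not libnftnl code; the demo_* names and the DEMO_U* type enum are hypothetical stand-ins. It places the broken memcpy pattern beside the fixed one and shows the uint32_t-read-through-void*-as-uint8_t mistake, so the results diverge on a big-endian host in exactly the way the commit messages describe.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical type tags standing in for the library's own (not libnftnl code). */
enum demo_type { DEMO_U8 = 1, DEMO_U16, DEMO_U32, DEMO_U64 };

static size_t demo_type_len(enum demo_type t)
{
	switch (t) {
	case DEMO_U8:  return sizeof(uint8_t);
	case DEMO_U16: return sizeof(uint16_t);
	case DEMO_U32: return sizeof(uint32_t);
	case DEMO_U64: return sizeof(uint64_t);
	}
	return 0;
}

/* 1 on a little-endian host, 0 on a big-endian one. */
int demo_host_is_little_endian(void)
{
	uint16_t probe = 0x0102;
	uint8_t first;

	memcpy(&first, &probe, 1);
	return first == 0x02;
}

/* The pattern the commit calls broken: copy the first N bytes of the 64-bit
 * value.  The low-order bytes sit first only on little-endian hosts. */
void demo_get_value_naive(uint64_t val, enum demo_type t, void *out)
{
	memcpy(out, &val, demo_type_len(t));
}

/* The fixed pattern: narrow to a variable of the requested width, then copy
 * that variable.  The result is correct in either byte order. */
void demo_get_value_fixed(uint64_t val, enum demo_type t, void *out)
{
	uint8_t v8 = (uint8_t)val;
	uint16_t v16 = (uint16_t)val;
	uint32_t v32 = (uint32_t)val;

	switch (t) {
	case DEMO_U8:  memcpy(out, &v8, sizeof(v8)); break;
	case DEMO_U16: memcpy(out, &v16, sizeof(v16)); break;
	case DEMO_U32: memcpy(out, &v32, sizeof(v32)); break;
	case DEMO_U64: memcpy(out, &val, sizeof(val)); break;
	}
}

/* The exthdr mistake: a uint32_t handed over as void * and read back as
 * uint8_t.  Returns the byte the callee sees. */
uint8_t demo_read_u32_as_u8(uint32_t type)
{
	const void *p = &type;

	return *(const uint8_t *)p;
}

/* Small wrappers so the results can be checked by value. */
uint8_t demo_naive_u8(uint64_t val) { uint8_t o = 0; demo_get_value_naive(val, DEMO_U8, &o); return o; }
uint8_t demo_fixed_u8(uint64_t val) { uint8_t o = 0; demo_get_value_fixed(val, DEMO_U8, &o); return o; }
uint16_t demo_fixed_u16(uint64_t val) { uint16_t o = 0; demo_get_value_fixed(val, DEMO_U16, &o); return o; }
uint32_t demo_fixed_u32(uint64_t val) { uint32_t o = 0; demo_get_value_fixed(val, DEMO_U32, &o); return o; }

int main(void)
{
	uint64_t v = 0x1122334455667788ULL;

	printf("host is %s-endian\n", demo_host_is_little_endian() ? "little" : "big");
	printf("naive u8: 0x%02x  fixed u8: 0x%02x  fixed u16: 0x%04x\n",
	       demo_naive_u8(v), demo_fixed_u8(v), demo_fixed_u16(v));
	printf("u32 type 7 read as u8: %u\n", demo_read_u32_as_u8(7));
	return 0;
}
```

On a little-endian machine the naive and fixed variants agree, which is why these bugs survive ordinary x86 testing; only the fixed variant returns the low-order bytes on both byte orders.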
Yang Zheng [Tue, 20 Mar 2018 14:53:22 +0000 (22:53 +0800)]
examples: add nft-ct-helper-{add,get,del}
nft-ct-helper-{add,get,del}: add, get, or delete ct helper objects from the specified table.
Examples:
% ./nft-ct-helper-get ip filter
<nothing>
% ./nft-ct-helper-add ip filter sip-5060 sip udp
% ./nft-ct-helper-get ip filter
table filter name sip-5060 use 0 [ ct_helper name sip family 2 protocol 17 ]
% ./nft-ct-helper-del ip filter sip-5060
% ./nft-ct-helper-get ip filter
<nothing>
Signed-off-by: Yang Zheng <tomsun.0.7@gmail.com>
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This is only required by Linux kernel <= 3.16.x, which is too old, and at
that time nft was very limited in terms of features, so let's remove this
check from example files.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Armin K [Sat, 23 Dec 2017 20:12:04 +0000 (21:12 +0100)]
src: Fix exporting symbols with clang
When EXPORT_SYMBOL is located after function definition, clang won't
properly export the function, resulting in a library with no symbols
when built with clang.
Based on libmnl commit dcdb47373a37 ("Move declaration of visibility
attributes before definition.")
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1205
Signed-off-by: Armin K <krejzi@email.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
data_reg: calm down compilation warning in nftnl_data_reg_value_json_parse()
expr/data_reg.c: In function 'nftnl_data_reg_json_parse':
expr/data_reg.c:69:27: warning: '%d' directive writing between 1 and 10 bytes into a region of size 2 [-Wformat-overflow=]
sprintf(node_name, "data%d", i);
^~
expr/data_reg.c:69:22: note: directive argument in the range [0, 2147483647]
sprintf(node_name, "data%d", i);
Buffer overflow is triggerable when reg->len > 396, but len never goes
over 128 due to type validation just a bit before.
Use snprintf() and make sure buffer is large enough to store the
"data256" string.
Reported-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 14 Dec 2017 19:40:24 +0000 (20:40 +0100)]
set_elem: Don't return garbage in nftnl_set_elems_parse()
This might happen if netlink message is malformed (no nested attributes
are present), so treat this as an error and return -1 instead of
garbage to caller.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 14 Dec 2017 19:40:23 +0000 (20:40 +0100)]
ruleset: Avoid reading garbage in nftnl_ruleset_cb()
If nftnl_ruleset_json_parse() is called with arg == NULL, ctx.data is
left uninitialized and will later be used in nftnl_ruleset_cb(). Avoid
this by using a C99-style initializer for 'ctx' which sets all omitted
fields to zero.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 14 Dec 2017 19:40:22 +0000 (20:40 +0100)]
object: Avoid returning garbage in nftnl_obj_do_parse()
It may happen that 'perr' variable does not get initialized, so making
parameter 'err' point to it in any case is error-prone. Avoid this by
initializing 'perr' upon declaration.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 14 Dec 2017 19:40:21 +0000 (20:40 +0100)]
gen: Remove a pointless call to mnl_nlmsg_get_payload()
It is a common idiom in all *_nlmsg_parse() functions, but
nftnl_gen_nlmsg_parse() doesn't make use of the data pointer and the
compiler probably can't eliminate it since there could be a side-effect.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Thu, 14 Dec 2017 19:40:20 +0000 (20:40 +0100)]
data_reg: Add a missing break in nftnl_data_reg_snprintf
The code works fine as-is, but if reg_type == DATA_VALUE &&
output_format == NFTNL_OUTPUT_XML, we fall through to DATA_CHAIN case
and therefore pointlessly check output_format again.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src: Change parameters of SNPRINTF_BUFFER_SIZE macro.
SNPRINTF_BUFFER_SIZE() macro declaration and definition is changed so
that it accepts three arguments: ret, remain and offset. Parameters size
and len are not required; instead, parameter remain keeps track of the
available space in the buffer.
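The SNPRINTF_BUFFER_SIZE change above and the earlier data_reg "data256" fix are both about bounded incremental formatting. The following added example is not libnftnl's macro or code; DEMO_SNPRINTF_BUFFER_SIZE is a hypothetical macro written from the commit's description (ret, remain, offset), and the demo_* functions are illustration only. It renders a list of "data<i>" node names into a fixed buffer, keeps the snprintf() convention of returning the full length so truncation is detectable, never writes past the buffer once remain reaches zero, and shows the node_name buffer sized from sizeof("data256") with snprintf() reporting when a name would not fit.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical bookkeeping macro written after the commit's description; it is
 * not libnftnl's own definition.  ret is the latest snprintf() return value,
 * remain the space still free in the buffer, offset the length the complete
 * output would have.  offset keeps growing after truncation so the caller can
 * report the full length, snprintf() style. */
#define DEMO_SNPRINTF_BUFFER_SIZE(ret, remain, offset)		\
	do {							\
		if ((ret) < 0)					\
			return (ret);				\
		(offset) += (size_t)(ret);			\
		if ((size_t)(ret) > (remain))			\
			(ret) = (int)(remain);			\
		(remain) -= (size_t)(ret);			\
	} while (0)

/* Render "data0 data1 ... data<n-1>" into buf (size bytes).  Returns the
 * length the full text needs; a value >= size means it was truncated. */
int demo_render_data_nodes(char *buf, size_t size, unsigned int n)
{
	size_t remain = size, offset = 0;
	unsigned int i;
	int ret;

	if (size)
		buf[0] = '\0';

	for (i = 0; i < n; i++) {
		/* size - remain is the number of bytes already consumed, so the
		 * write position never runs past the buffer once remain is 0. */
		ret = snprintf(buf + (size - remain), remain, "%sdata%u",
			       i ? " " : "", i);
		DEMO_SNPRINTF_BUFFER_SIZE(ret, remain, offset);
	}
	return (int)offset;
}

/* Bounded node-name buffer in the spirit of the data_reg fix: sized for the
 * largest expected name and written with snprintf(), so overflow is impossible.
 * Returns 1 when "data<i>" fits without truncation, 0 otherwise. */
int demo_node_name_fits(unsigned int i)
{
	char node_name[sizeof("data256")];
	int ret = snprintf(node_name, sizeof(node_name), "data%u", i);

	return ret >= 0 && (size_t)ret < sizeof(node_name);
}

/* Check helpers: render n nodes into a 'size'-byte window of a fixed buffer. */
static char demo_buf[64];

int demo_render_len(size_t size, unsigned int n)
{
	if (size > sizeof(demo_buf))
		return -1;
	return demo_render_data_nodes(demo_buf, size, n);
}

int demo_render_matches(size_t size, unsigned int n, const char *expected)
{
	if (demo_render_len(size, n) < 0)
		return 0;
	return strcmp(demo_buf, expected) == 0;
}

int main(void)
{
	int len = demo_render_len(8, 3);

	printf("needed %d bytes, buffer holds \"%s\"%s\n", len, demo_buf,
	       len >= 8 ? " (truncated)" : "");
	printf("data256 fits: %d, data1000 fits: %d\n",
	       demo_node_name_fits(256), demo_node_name_fits(1000));
	return 0;
}
```

The write position is derived from size - remain rather than from offset, because offset keeps counting past the end of the buffer after truncation while remain is clamped to zero; that is what lets the caller report the full length without ever forming a pointer beyond the buffer.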
Shyam Saini [Tue, 29 Aug 2017 12:49:36 +0000 (18:19 +0530)]
examples: Fix memory leaks detected by Valgrind
==11688== HEAP SUMMARY:
==11688== in use at exit: 40 bytes in 1 blocks
==11688== total heap usage: 7 allocs, 6 frees, 220 bytes allocated
==11688==
==11688== 40 bytes in 1 blocks are definitely lost in loss record 1 of 1
==11688== at 0x4C2AB80: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11688== by 0x5068955: mnl_nlmsg_batch_start (nlmsg.c:441)
==11688== by 0x40133B: main (nft-chain-add.c:103)
==11688==
==11688== LEAK SUMMARY:
==11688== definitely lost: 40 bytes in 1 blocks
==11688== indirectly lost: 0 bytes in 0 blocks
==11688== possibly lost: 0 bytes in 0 blocks
==11688== still reachable: 0 bytes in 0 blocks
==11688== suppressed: 0 bytes in 0 blocks
==11831== HEAP SUMMARY:
==11831== in use at exit: 40 bytes in 1 blocks
==11831== total heap usage: 7 allocs, 6 frees, 220 bytes allocated
==11831==
==11831== 40 bytes in 1 blocks are definitely lost in loss record 1 of 1
==11831== at 0x4C2AB80: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11831== by 0x5068955: mnl_nlmsg_batch_start (nlmsg.c:441)
==11831== by 0x401154: main (nft-chain-del.c:79)
==11831==
==11831== LEAK SUMMARY:
==11831== definitely lost: 40 bytes in 1 blocks
==11831== indirectly lost: 0 bytes in 0 blocks
==11831== possibly lost: 0 bytes in 0 blocks
==11831== still reachable: 0 bytes in 0 blocks
==11831== suppressed: 0 bytes in 0 blocks
Direct leak of 12 byte(s) in 2 object(s) allocated from:
#0 0x4cde58 in malloc (/usr/local/sbin/nft+0x4cde58)
#1 0x7ffff79b8c19 in nftnl_set_set_data /home/eric/git/netfilter/libnftnl/src/set.c:179
This patch provides symmetric hash support according to source
ip address and port, and destination ip address and port.
The new attribute NFTA_HASH_TYPE has been included to support
different types of hashing functions. Currently supported
NFT_HASH_JENKINS through jhash and NFT_HASH_SYM through symhash.
The main differences between the two types are:
- jhash requires an expression with sreg, symhash doesn't.
- symhash supports modulus and offset, but not seed.
Examples:
nft add rule ip nat prerouting ct mark set jhash ip saddr mod 2
nft add rule ip nat prerouting ct mark set symhash mod 2
Signed-off-by: Laura Garcia Liebana <laura.garcia@zevenet.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Sun, 19 Feb 2017 17:19:03 +0000 (18:19 +0100)]
object: don't set NFTNL_OBJ_TYPE unless obj->ops is non-null
If nft sets an invalid type, nftnl_obj_ops_lookup will return NULL.
In this case we must not set the NFTNL_OBJ_TYPE flag, else we later get a
crash in nftnl_obj_nlmsg_build_payload as it dereferences obj->ops.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>