Jeremy Sowden [Sat, 27 Aug 2022 17:17:17 +0000 (18:17 +0100)]
rule, set_elem: fix printing of user data
Hitherto, alphanumeric characters have been printed as-is, but anything
else was replaced by '\0'. However, this effectively truncates the
output. Instead, print any printable character as-is and print anything
else as a hexadecimal escape sequence:
userdata = { \x01\x04\x01\x00\x00\x00 }
Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
When building with clang and glibc and -D_FORTIFY_SOURCE=2 is passed to
clang, the snprintf member of the expr_ops and obj_ops structures will
be incorrectly replaced with __builtin_snprintf_chk() which results in
"error: no member named '__builtin___snprintf_chk'" errors at build
time.
This patch changes the member name from 'snprintf' to 'output' to
prevent the replacement.
This bug can be emulated using GCC by undefining the __va_arg_pack macro
before stdio.h is included.
This patch is based on the notes provided in
https://bugs.gentoo.org/807766.
Signed-off-by: Nicholas Vinson <nvinson234@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
This patch reworks 228e8b174627 ("set_elem: Fix printing of verdict map
elements"), check if NFTNL_SET_ELEM_VERDICT is set then print the set
element verdict.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Tue, 9 Mar 2021 15:03:58 +0000 (16:03 +0100)]
ruleset: Eliminate tag and separator helpers
Those were used for JSON and XML output only with the exception of
separator helper which at the same time served as conditional nop if no
"previous" object as passed. Replace it by a string variable updated at
the end of each loop iteration and just drop the other helpers.
Phil Sutter [Tue, 9 Mar 2021 12:41:44 +0000 (13:41 +0100)]
Get rid of single option switch statements
Replace each by a conditional testing the only valid case.
There is one odd example, namely src/set.c: When printing a set with
type NFTNL_OUTPUT_XML, the relevant function would return 0 instead of
-1 like all others. Just drop it assuming nothing depends on that
(faulty) behaviour.
Cc: Arturo Borrero <arturo.borrero.glez@gmail.com> Signed-off-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Tue, 9 Mar 2021 10:26:47 +0000 (11:26 +0100)]
Drop pointless local variable in snprintf callbacks
A common idiom among snprintf callbacks was to copy the unsigned
parameter 'size' (or 'len') into a signed variable for further use.
Though since snprintf() itself casts it to unsigned and
SNPRINTF_BUFFER_SIZE() does not allow it to become negative, this is not
needed. Drop the local variable and rename the parameter accordingly.
Phil Sutter [Sat, 26 Dec 2020 18:44:48 +0000 (19:44 +0100)]
set_elem: Fix printing of verdict map elements
Elements' data was printed as type DATA_VALUE no matter the actual type.
For verdicts, this meant no printing at all (because reg->len is either
zero or garbage).
To fix this, nftnl_set_elem_snprintf_default() needs type info held in
struct nftnl_set. Pass it via parameter to that function, make it
non-static and call it from nftnl_set_snprintf_default() instead of the
generic nftnl_set_elem_snprintf(). This way no changes have to be done
to exported functions, also the output type is already defined when
nftnl_set_snprintf_default() runs so checking type value again is
pointless.
NFTNL_EXPR_DYNSET_EXPR defines the stateful expression type that
an element stores when added from the packet path.
This patch adds support for the set expression list, which generalizes
NFTNL_EXPR_DYNSET_EXPR.
This patch also adds nftnl_expr_add_expr() to add new expressions to
elements and nftnl_set_expr_expr_foreach() to iterate over the list of
expressions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
NFTNL_SET_EXPR defines the stateful expression type that this set stores
in each element. This provides the set definition in terms of stateful
expressions. The expression that is passed via NFNTL_SET_ELEM_EXPR must
equal to this set stateful expression type, otherwise the kernel bails
out.
This patch adds support for the set expression list, which generalizes
NFTNL_SET_EXPR.
This patch also adds nftnl_set_add_expr() to add new expressions to a set
and nftnl_set_elem_expr_foreach() to iterate over the list of expressions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
NFTNL_SET_ELEM_EXPR defines the stateful expression type that this
element stores. This is useful to restore runtime set element stateful
expressions (when saving, then reboot and restore).
This patch adds support for the set element expression list, which
generalizes NFTNL_SET_ELEM_EXPR.
This patch also adds nftnl_set_elem_add_expr() to add new expressions to
set elements and nftnl_set_elem_expr_foreach() to iterate over the list
of expressions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Mon, 14 Dec 2020 16:53:47 +0000 (17:53 +0100)]
set_elem: Use nftnl_data_reg_snprintf()
Introduce a flag to allow toggling the '0x' prefix when printing data
values, then use the existing routines to print data registers from
set_elem code.
flowtable: relax logic to build NFTA_FLOWTABLE_HOOK
The logic to build NFTA_FLOWTABLE_HOOK enforces the presence of the hook
number and priority to include the devices. Relax this to allow for
incremental device updates.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Direct leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x7f3212406518 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9518)
#1 0x7f321041703e in nftnl_expr_alloc /home/pablo/devel/scm/git-netfilter/libnftnl/src/expr.c:37
#2 0x7f3211d51c16 in netlink_gen_limit_stmt /home/pablo/devel/scm/git-netfilter/nftables/src/netlink_linearize.c:859
#3 0x7f3211d5220c in netlink_gen_stmt_stateful /home/pablo/devel/scm/git-netfilter/nftables/src/netlink_linearize.c:891
#4 0x7f3211d58630 in netlink_gen_meter_stmt /home/pablo/devel/scm/git-netfilter/nftables/src/netlink_linearize.c:1441
[...]
SUMMARY: AddressSanitizer: 64 byte(s) leaked in 1 allocation(s).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Direct leak of 9 byte(s) in 1 object(s) allocated from:
#0 0x7f4e2c16b810 in strdup (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a810)
#1 0x7f4e2a39906f in nftnl_expr_objref_set expr/objref.c:45
#2 0x7f4e2a39906f in nftnl_expr_objref_set expr/objref.c:35
Direct leak of 16 byte(s) in 2 object(s) allocated from:
#0 0x7f4018aa0810 in strdup (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a810)
#1 0x7f4016b660af in nftnl_expr_objref_set expr/objref.c:53
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Jeremy Sowden [Mon, 24 Feb 2020 13:12:01 +0000 (13:12 +0000)]
bitwise: add support for passing mask and xor via registers.
The kernel supports passing mask and xor values for bitwise boolean
operations via registers. These are mutually exclusive with the
existing data attributes: e.g., setting both NFTA_EXPR_BITWISE_MASK and
NFTA_EXPR_BITWISE_MREG is an error. Add support to libnftnl.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
The original intention in eb58f53372e7 ("src: add flowtable support")
was to introduce this helper function. Add helper to set and to get
array of strings.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Phil Sutter <phil@nwl.cc>
Phil Sutter [Fri, 14 Feb 2020 17:20:29 +0000 (18:20 +0100)]
src: Fix for reading garbage in nftnl_chain getters
In {s,u}{32,64} type getters nftnl_assert() is called to make sure
returned data length matches expectations. Therefore all attributes must
set data_len, which NFTNL_CHAIN_DEVICES didn't.
While being at it, do the same change for NFTNL_FLOWTABLE_DEVICES as
well to make code a bit more consistent although the problem was fixed
for flowtables with commit f8eed54150fd4 ("flowtable: Fix for reading
garbage") already (but in the other direction).
Fixes: e3ac19b5ec162 ("chain: multi-device support") Signed-off-by: Phil Sutter <phil@nwl.cc>
Stefano Brivio [Thu, 30 Jan 2020 00:16:34 +0000 (01:16 +0100)]
set_elem: Introduce support for NFTNL_SET_ELEM_KEY_END
The new set element attribute maps to the netlink attribute
NFTA_SET_ELEM_KEY_END in the same way as NFTNL_SET_ELEM_KEY
maps to NFTA_SET_ELEM_KEY, and represents the key data used
to express the upper bound of a range, in concatenations.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stefano Brivio [Thu, 30 Jan 2020 00:16:33 +0000 (01:16 +0100)]
set: Add support for NFTA_SET_DESC_CONCAT attributes
If NFTNL_SET_DESC_CONCAT data is passed, pass that to the kernel
as NFTA_SET_DESC_CONCAT attributes: it describes the length of
single concatenated fields, in bytes.
Similarly, parse NFTA_SET_DESC_CONCAT attributes if received
from the kernel.
This is the libnftnl counterpart for nftables patch:
src: Add support for NFTNL_SET_DESC_CONCAT
v4:
- move NFTNL_SET_DESC_CONCAT to the end of enum nftnl_set_attr
to avoid ABI breakage (Pablo Neira Ayuso)
v3:
- use NFTNL_SET_DESC_CONCAT and NFTA_SET_DESC_CONCAT instead of a
stand-alone NFTA_SET_SUBKEY attribute (Pablo Neira Ayuso)
- pass field length in bytes instead of bits, fields would get
unnecessarily big otherwise
v2:
- fixed grammar in commit message
- removed copy of array bytes in nftnl_set_nlmsg_build_subkey_payload(),
we're simply passing values to htonl() (Phil Sutter)
Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Almost everything in this header is unused. The command defines
used in utils.c don't seem to be justified and have just been
replaced by their strings
Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 4 Dec 2019 14:45:43 +0000 (15:45 +0100)]
examples: Replace use of deprecated symbols
Do not use unqualified setters to avoid the warnings. Pass a (false)
zero length value to nftnl_flowtable_set_data() when assigning to
NFTNL_FLOWTABLE_DEVICES as the length value is unused and not even
usable. Maybe one should introduce a dedicated
nftnl_flowtable_set_devices() at a later point.
Fixes: 7349a70634fa0 ("Deprecate untyped data setters") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Phil Sutter [Mon, 2 Dec 2019 22:12:34 +0000 (23:12 +0100)]
chain: Correctly check realloc() call
If realloc() fails, it returns NULL but the original pointer is
untouchted and therefore still has to be freed. Unconditionally
overwriting the old pointer is therefore a bad idea, use a temporary
variable instead.
Fixes: e3ac19b5ec162 ("chain: multi-device support") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Mon, 2 Dec 2019 22:08:07 +0000 (23:08 +0100)]
flowtable: Correctly check realloc() call
If realloc() fails, it returns NULL but the original pointer is
untouchted and therefore still has to be freed. Unconditionally
overwriting the old pointer is therefore a bad idea, use a temporary
variable instead.
Fixes: 7f99639dd9217 ("flowtable: device array dynamic allocation") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Marshalling code around that attribute has been dropped by commit d1c4b98c733a5 ("flowtable: remove NFTA_FLOWTABLE_SIZE") so it's value is
lost during the test.
Assuming that NFTNL_FLOWTABLE_SIZE will receive kernel support at a
later point, leave the test code in place but just comment it out.
Fixes: d1c4b98c733a5 ("flowtable: remove NFTA_FLOWTABLE_SIZE") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter [Wed, 30 Oct 2019 17:31:59 +0000 (18:31 +0100)]
Deprecate untyped data setters
These functions make assumptions on size of passed data pointer and
therefore tend to hide programming mistakes. Instead either one of the
type-specific setters or the generic *_set_data() setter should be used.
Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
projects / thirdparty / libnftnl.git / log
