import libnftnl-1.1.5-4.el8

This commit is contained in:
CentOS Sources 2020-04-28 05:38:46 -04:00 committed by Andrew Lukoshko
parent 4e3b75a411
commit 6b5a2e187f
24 changed files with 808 additions and 2471 deletions

.gitignore vendored

@ -1 +1 @@
SOURCES/libnftnl-1.1.1.tar.bz2 SOURCES/libnftnl-1.1.5.tar.bz2


@ -1 +1 @@
d2be642a54e0f105cb5564471ae4aaaed8b97ca6 SOURCES/libnftnl-1.1.1.tar.bz2 a923bae5b028a30c5c8aa4c0f71445885867274b SOURCES/libnftnl-1.1.5.tar.bz2



@ -0,0 +1,47 @@
From 3f0616b15e32def6d01b4535ac0efb51caa07662 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Mon, 2 Dec 2019 18:55:39 +0100
Subject: [PATCH] tests: flowtable: Don't check NFTNL_FLOWTABLE_SIZE
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1717129
Upstream Status: libnftnl commit b2388765e0c44
commit b2388765e0c4405442faa13845419f6a35d0134c
Author: Phil Sutter <phil@nwl.cc>
Date: Mon Dec 2 18:29:56 2019 +0100
tests: flowtable: Don't check NFTNL_FLOWTABLE_SIZE
Marshalling code around that attribute has been dropped by commit
d1c4b98c733a5 ("flowtable: remove NFTA_FLOWTABLE_SIZE") so it's value is
lost during the test.
Assuming that NFTNL_FLOWTABLE_SIZE will receive kernel support at a
later point, leave the test code in place but just comment it out.
Fixes: d1c4b98c733a5 ("flowtable: remove NFTA_FLOWTABLE_SIZE")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
tests/nft-flowtable-test.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tests/nft-flowtable-test.c b/tests/nft-flowtable-test.c
index 3edb00d..8ab8d4c 100644
--- a/tests/nft-flowtable-test.c
+++ b/tests/nft-flowtable-test.c
@@ -33,9 +33,11 @@ static void cmp_nftnl_flowtable(struct nftnl_flowtable *a, struct nftnl_flowtabl
if (nftnl_flowtable_get_u32(a, NFTNL_FLOWTABLE_USE) !=
nftnl_flowtable_get_u32(b, NFTNL_FLOWTABLE_USE))
print_err("Flowtable use mismatches");
+#if 0
if (nftnl_flowtable_get_u32(a, NFTNL_FLOWTABLE_SIZE) !=
nftnl_flowtable_get_u32(b, NFTNL_FLOWTABLE_SIZE))
print_err("Flowtable size mismatches");
+#endif
if (nftnl_flowtable_get_u32(a, NFTNL_FLOWTABLE_FLAGS) !=
nftnl_flowtable_get_u32(b, NFTNL_FLOWTABLE_FLAGS))
print_err("Flowtable flags mismatches");
--
1.8.3.1
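Review bot: The `#if 0` around the NFTNL_FLOWTABLE_SIZE comparison in cmp_nftnl_flowtable() carries no explanation in the source, so a reader of the test has only this commit message to learn why the check is disabled and when it may come back. Suggest a comment on the `#if 0` line such as `/* NFTNL_FLOWTABLE_SIZE is no longer marshalled (d1c4b98c733a5); re-enable once kernel support exists */`. cmp_nftnl_flowtable() starts before and continues after the hunk.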


@ -1,313 +0,0 @@
From 8fcb95ed6dcd47c94a924b4018177d8a833d6983 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Mon, 17 Dec 2018 17:30:06 +0100
Subject: [PATCH] chain: Support per chain rules list
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1658533
Upstream Status: libnftnl commit e33798478176f
commit e33798478176f97edf2649cd61444e0375fdc12b
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Dec 6 17:17:51 2018 +0100
chain: Support per chain rules list
The implementation basically copies expr_list in struct nftnl_rule.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/internal.h | 1 +
include/libnftnl/chain.h | 15 +++++++
include/rule.h | 26 ++++++++++++
src/chain.c | 104 ++++++++++++++++++++++++++++++++++++++++++++++-
src/libnftnl.map | 10 +++++
src/rule.c | 22 ----------
6 files changed, 155 insertions(+), 23 deletions(-)
create mode 100644 include/rule.h
diff --git a/include/internal.h b/include/internal.h
index 7e97c4a..323f825 100644
--- a/include/internal.h
+++ b/include/internal.h
@@ -13,5 +13,6 @@
#include "expr.h"
#include "expr_ops.h"
#include "buffer.h"
+#include "rule.h"
#endif /* _LIBNFTNL_INTERNAL_H_ */
diff --git a/include/libnftnl/chain.h b/include/libnftnl/chain.h
index 237683e..f04f610 100644
--- a/include/libnftnl/chain.h
+++ b/include/libnftnl/chain.h
@@ -13,6 +13,7 @@ extern "C" {
#endif
struct nftnl_chain;
+struct nftnl_rule;
struct nftnl_chain *nftnl_chain_alloc(void);
void nftnl_chain_free(const struct nftnl_chain *);
@@ -54,6 +55,10 @@ uint32_t nftnl_chain_get_u32(const struct nftnl_chain *c, uint16_t attr);
int32_t nftnl_chain_get_s32(const struct nftnl_chain *c, uint16_t attr);
uint64_t nftnl_chain_get_u64(const struct nftnl_chain *c, uint16_t attr);
+void nftnl_chain_rule_add(struct nftnl_rule *rule, struct nftnl_chain *c);
+void nftnl_chain_rule_add_tail(struct nftnl_rule *rule, struct nftnl_chain *c);
+void nftnl_chain_rule_insert_at(struct nftnl_rule *rule, struct nftnl_rule *pos);
+
struct nlmsghdr;
void nftnl_chain_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nftnl_chain *t);
@@ -68,6 +73,16 @@ int nftnl_chain_fprintf(FILE *fp, const struct nftnl_chain *c, uint32_t type, ui
#define nftnl_chain_nlmsg_build_hdr nftnl_nlmsg_build_hdr
int nftnl_chain_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_chain *t);
+int nftnl_rule_foreach(struct nftnl_chain *c,
+ int (*cb)(struct nftnl_rule *r, void *data),
+ void *data);
+
+struct nftnl_rule_iter;
+
+struct nftnl_rule_iter *nftnl_rule_iter_create(const struct nftnl_chain *c);
+struct nftnl_rule *nftnl_rule_iter_next(struct nftnl_rule_iter *iter);
+void nftnl_rule_iter_destroy(struct nftnl_rule_iter *iter);
+
struct nftnl_chain_list;
struct nftnl_chain_list *nftnl_chain_list_alloc(void);
diff --git a/include/rule.h b/include/rule.h
new file mode 100644
index 0000000..5edcb6c
--- /dev/null
+++ b/include/rule.h
@@ -0,0 +1,26 @@
+#ifndef _LIBNFTNL_RULE_INTERNAL_H_
+#define _LIBNFTNL_RULE_INTERNAL_H_
+
+struct nftnl_rule {
+ struct list_head head;
+
+ uint32_t flags;
+ uint32_t family;
+ const char *table;
+ const char *chain;
+ uint64_t handle;
+ uint64_t position;
+ uint32_t id;
+ struct {
+ void *data;
+ uint32_t len;
+ } user;
+ struct {
+ uint32_t flags;
+ uint32_t proto;
+ } compat;
+
+ struct list_head expr_list;
+};
+
+#endif
diff --git a/src/chain.c b/src/chain.c
index eff5186..c374923 100644
--- a/src/chain.c
+++ b/src/chain.c
@@ -27,6 +27,7 @@
#include <linux/netfilter_arp.h>
#include <libnftnl/chain.h>
+#include <libnftnl/rule.h>
#include <buffer.h>
struct nftnl_chain {
@@ -45,6 +46,8 @@ struct nftnl_chain {
uint64_t bytes;
uint64_t handle;
uint32_t flags;
+
+ struct list_head rule_list;
};
static const char *nftnl_hooknum2str(int family, int hooknum)
@@ -90,12 +93,25 @@ static const char *nftnl_hooknum2str(int family, int hooknum)
EXPORT_SYMBOL(nftnl_chain_alloc);
struct nftnl_chain *nftnl_chain_alloc(void)
{
- return calloc(1, sizeof(struct nftnl_chain));
+ struct nftnl_chain *c;
+
+ c = calloc(1, sizeof(struct nftnl_chain));
+ if (c == NULL)
+ return NULL;
+
+ INIT_LIST_HEAD(&c->rule_list);
+
+ return c;
}
EXPORT_SYMBOL(nftnl_chain_free);
void nftnl_chain_free(const struct nftnl_chain *c)
{
+ struct nftnl_rule *r, *tmp;
+
+ list_for_each_entry_safe(r, tmp, &c->rule_list, head)
+ nftnl_rule_free(r);
+
if (c->flags & (1 << NFTNL_CHAIN_NAME))
xfree(c->name);
if (c->flags & (1 << NFTNL_CHAIN_TABLE))
@@ -406,6 +422,24 @@ void nftnl_chain_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nftnl_ch
mnl_attr_put_strz(nlh, NFTA_CHAIN_TYPE, c->type);
}
+EXPORT_SYMBOL(nftnl_chain_rule_add);
+void nftnl_chain_rule_add(struct nftnl_rule *rule, struct nftnl_chain *c)
+{
+ list_add(&rule->head, &c->rule_list);
+}
+
+EXPORT_SYMBOL(nftnl_chain_rule_add_tail);
+void nftnl_chain_rule_add_tail(struct nftnl_rule *rule, struct nftnl_chain *c)
+{
+ list_add_tail(&rule->head, &c->rule_list);
+}
+
+EXPORT_SYMBOL(nftnl_chain_rule_insert_at);
+void nftnl_chain_rule_insert_at(struct nftnl_rule *rule, struct nftnl_rule *pos)
+{
+ list_add(&rule->head, &pos->head);
+}
+
static int nftnl_chain_parse_attr_cb(const struct nlattr *attr, void *data)
{
const struct nlattr **tb = data;
@@ -875,6 +909,74 @@ int nftnl_chain_fprintf(FILE *fp, const struct nftnl_chain *c, uint32_t type,
nftnl_chain_do_snprintf);
}
+EXPORT_SYMBOL(nftnl_rule_foreach);
+int nftnl_rule_foreach(struct nftnl_chain *c,
+ int (*cb)(struct nftnl_rule *r, void *data),
+ void *data)
+{
+ struct nftnl_rule *cur, *tmp;
+ int ret;
+
+ list_for_each_entry_safe(cur, tmp, &c->rule_list, head) {
+ ret = cb(cur, data);
+ if (ret < 0)
+ return ret;
+ }
+ return 0;
+}
+
+struct nftnl_rule_iter {
+ const struct nftnl_chain *c;
+ struct nftnl_rule *cur;
+};
+
+static void nftnl_rule_iter_init(const struct nftnl_chain *c,
+ struct nftnl_rule_iter *iter)
+{
+ iter->c = c;
+ if (list_empty(&c->rule_list))
+ iter->cur = NULL;
+ else
+ iter->cur = list_entry(c->rule_list.next, struct nftnl_rule,
+ head);
+}
+
+EXPORT_SYMBOL(nftnl_rule_iter_create);
+struct nftnl_rule_iter *nftnl_rule_iter_create(const struct nftnl_chain *c)
+{
+ struct nftnl_rule_iter *iter;
+
+ iter = calloc(1, sizeof(struct nftnl_rule_iter));
+ if (iter == NULL)
+ return NULL;
+
+ nftnl_rule_iter_init(c, iter);
+
+ return iter;
+}
+
+EXPORT_SYMBOL(nftnl_rule_iter_next);
+struct nftnl_rule *nftnl_rule_iter_next(struct nftnl_rule_iter *iter)
+{
+ struct nftnl_rule *rule = iter->cur;
+
+ if (rule == NULL)
+ return NULL;
+
+ /* get next rule, if any */
+ iter->cur = list_entry(iter->cur->head.next, struct nftnl_rule, head);
+ if (&iter->cur->head == iter->c->rule_list.next)
+ return NULL;
+
+ return rule;
+}
+
+EXPORT_SYMBOL(nftnl_rule_iter_destroy);
+void nftnl_rule_iter_destroy(struct nftnl_rule_iter *iter)
+{
+ xfree(iter);
+}
+
struct nftnl_chain_list {
struct list_head list;
};
diff --git a/src/libnftnl.map b/src/libnftnl.map
index 89414f2..96d5b5f 100644
--- a/src/libnftnl.map
+++ b/src/libnftnl.map
@@ -336,3 +336,13 @@ global:
local: *;
};
+
+LIBNFTNL_12 {
+ nftnl_chain_rule_add;
+ nftnl_chain_rule_add_tail;
+ nftnl_chain_rule_insert_at;
+ nftnl_rule_foreach;
+ nftnl_rule_iter_create;
+ nftnl_rule_iter_next;
+ nftnl_rule_iter_destroy;
+} LIBNFTNL_11;
diff --git a/src/rule.c b/src/rule.c
index 2c70420..6a43d3e 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -30,28 +30,6 @@
#include <libnftnl/set.h>
#include <libnftnl/expr.h>
-struct nftnl_rule {
- struct list_head head;
-
- uint32_t flags;
- uint32_t family;
- const char *table;
- const char *chain;
- uint64_t handle;
- uint64_t position;
- uint32_t id;
- struct {
- void *data;
- uint32_t len;
- } user;
- struct {
- uint32_t flags;
- uint32_t proto;
- } compat;
-
- struct list_head expr_list;
-};
-
EXPORT_SYMBOL(nftnl_rule_alloc);
struct nftnl_rule *nftnl_rule_alloc(void)
{
--
1.8.3.1


@ -0,0 +1,39 @@
From e744735b92ee312cd2ad08776f3c56962ab53710 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 6 Dec 2019 17:31:16 +0100
Subject: [PATCH] flowtable: Fix memleak in error path of
nftnl_flowtable_parse_devs()
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1778952
Upstream Status: libnftnl commit ba1b02594e8d0
commit ba1b02594e8d05e4c791925a50f9309f89b55c80
Author: Phil Sutter <phil@nwl.cc>
Date: Mon Dec 2 22:57:40 2019 +0100
flowtable: Fix memleak in error path of nftnl_flowtable_parse_devs()
In error case, allocated dev_array is not freed.
Fixes: 7f99639dd9217 ("flowtable: device array dynamic allocation")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/flowtable.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/flowtable.c b/src/flowtable.c
index 324e80f..db31943 100644
--- a/src/flowtable.c
+++ b/src/flowtable.c
@@ -419,6 +419,7 @@ static int nftnl_flowtable_parse_devs(struct nlattr *nest,
err:
while (len--)
xfree(dev_array[len]);
+ xfree(dev_array);
return -1;
}
--
1.8.3.1


@ -1,107 +0,0 @@
From 75b3a238485745de01cf6264703ba6c192d7f721 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Mon, 17 Dec 2018 17:30:06 +0100
Subject: [PATCH] chain: Add lookup functions for chain list and rules in chain
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1658533
Upstream Status: libnftnl commit 1a829ec0c3285
commit 1a829ec0c3285baac712352c3a046a4f76013e70
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Dec 6 17:17:52 2018 +0100
chain: Add lookup functions for chain list and rules in chain
For now, these lookup functions simply iterate over the linked list
until they find the right entry. In future, they may make use of more
optimized data structures behind the curtains.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/libnftnl/chain.h | 2 ++
src/chain.c | 28 ++++++++++++++++++++++++++++
src/libnftnl.map | 3 +++
3 files changed, 33 insertions(+)
diff --git a/include/libnftnl/chain.h b/include/libnftnl/chain.h
index f04f610..64e10e9 100644
--- a/include/libnftnl/chain.h
+++ b/include/libnftnl/chain.h
@@ -76,6 +76,7 @@ int nftnl_chain_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_chain *t);
int nftnl_rule_foreach(struct nftnl_chain *c,
int (*cb)(struct nftnl_rule *r, void *data),
void *data);
+struct nftnl_rule *nftnl_rule_lookup_byindex(struct nftnl_chain *c, uint32_t index);
struct nftnl_rule_iter;
@@ -89,6 +90,7 @@ struct nftnl_chain_list *nftnl_chain_list_alloc(void);
void nftnl_chain_list_free(struct nftnl_chain_list *list);
int nftnl_chain_list_is_empty(const struct nftnl_chain_list *list);
int nftnl_chain_list_foreach(struct nftnl_chain_list *chain_list, int (*cb)(struct nftnl_chain *t, void *data), void *data);
+struct nftnl_chain *nftnl_chain_list_lookup_byname(struct nftnl_chain_list *chain_list, const char *chain);
void nftnl_chain_list_add(struct nftnl_chain *r, struct nftnl_chain_list *list);
void nftnl_chain_list_add_tail(struct nftnl_chain *r, struct nftnl_chain_list *list);
diff --git a/src/chain.c b/src/chain.c
index c374923..22bb45c 100644
--- a/src/chain.c
+++ b/src/chain.c
@@ -925,6 +925,20 @@ int nftnl_rule_foreach(struct nftnl_chain *c,
return 0;
}
+EXPORT_SYMBOL(nftnl_rule_lookup_byindex);
+struct nftnl_rule *
+nftnl_rule_lookup_byindex(struct nftnl_chain *c, uint32_t index)
+{
+ struct nftnl_rule *r;
+
+ list_for_each_entry(r, &c->rule_list, head) {
+ if (!index)
+ return r;
+ index--;
+ }
+ return NULL;
+}
+
struct nftnl_rule_iter {
const struct nftnl_chain *c;
struct nftnl_rule *cur;
@@ -1047,6 +1061,20 @@ int nftnl_chain_list_foreach(struct nftnl_chain_list *chain_list,
return 0;
}
+EXPORT_SYMBOL(nftnl_chain_list_lookup_byname);
+struct nftnl_chain *
+nftnl_chain_list_lookup_byname(struct nftnl_chain_list *chain_list,
+ const char *chain)
+{
+ struct nftnl_chain *c;
+
+ list_for_each_entry(c, &chain_list->list, head) {
+ if (!strcmp(chain, c->name))
+ return c;
+ }
+ return NULL;
+}
+
struct nftnl_chain_list_iter {
const struct nftnl_chain_list *list;
struct nftnl_chain *cur;
diff --git a/src/libnftnl.map b/src/libnftnl.map
index 96d5b5f..0d3be32 100644
--- a/src/libnftnl.map
+++ b/src/libnftnl.map
@@ -345,4 +345,7 @@ LIBNFTNL_12 {
nftnl_rule_iter_create;
nftnl_rule_iter_next;
nftnl_rule_iter_destroy;
+
+ nftnl_chain_list_lookup_byname;
+ nftnl_rule_lookup_byindex;
} LIBNFTNL_11;
--
1.8.3.1


@ -0,0 +1,38 @@
From a5241b8fcd2f62d8e71bf9dfebfbcf27a8a61e46 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 6 Dec 2019 17:31:16 +0100
Subject: [PATCH] chain: Fix memleak in error path of nftnl_chain_parse_devs()
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1778952
Upstream Status: libnftnl commit 32a8c5f52355e
commit 32a8c5f52355ef69bf74c28e27345b2e03d948e7
Author: Phil Sutter <phil@nwl.cc>
Date: Mon Dec 2 23:00:20 2019 +0100
chain: Fix memleak in error path of nftnl_chain_parse_devs()
In error case, dev_array is not freed when it should.
Fixes: e3ac19b5ec162 ("chain: multi-device support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/chain.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/chain.c b/src/chain.c
index d4050d2..9cc8735 100644
--- a/src/chain.c
+++ b/src/chain.c
@@ -636,6 +636,7 @@ static int nftnl_chain_parse_devs(struct nlattr *nest, struct nftnl_chain *c)
err:
while (len--)
xfree(dev_array[len]);
+ xfree(dev_array);
return -1;
}
--
1.8.3.1


@ -1,143 +0,0 @@
From a3af0aff50cd3e899cb5205d4d5330a96aeffaa5 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Mon, 17 Dec 2018 17:30:06 +0100
Subject: [PATCH] chain: Hash chain list by name
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1658533
Upstream Status: libnftnl commit 7170f0929ef50
commit 7170f0929ef50a1a45d9fd5d058ea6178c8e56ef
Author: Phil Sutter <phil@nwl.cc>
Date: Tue Dec 11 18:44:00 2018 +0100
chain: Hash chain list by name
Introduce a hash table to speedup nftnl_chain_list_lookup_byname(). In
theory this could replace the linked list completely but has been left
in place so that nftnl_chain_list_add_tail() still does what it's
supposed to and iterators return chains in original order.
Speed was tested using a simple script which creates a dump file
containing a number of custom chains and for each of them two rules in
INPUT chain jumping to it. The following table compares run-time of
iptables-legacy-restore with iptables-nft-restore before and after this
patch:
count legacy nft-old nft-new
----------------------------------------------
10000 26s 38s 31s
50000 137s 339s 149s
So while it is still not as quick, it now scales nicely (at least in
this very primitive test).
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/chain.c | 30 +++++++++++++++++++++++++++++-
1 file changed, 29 insertions(+), 1 deletion(-)
diff --git a/src/chain.c b/src/chain.c
index 22bb45c..ae074fd 100644
--- a/src/chain.c
+++ b/src/chain.c
@@ -32,6 +32,7 @@
struct nftnl_chain {
struct list_head head;
+ struct hlist_node hnode;
const char *name;
const char *type;
@@ -991,20 +992,27 @@ void nftnl_rule_iter_destroy(struct nftnl_rule_iter *iter)
xfree(iter);
}
+#define CHAIN_NAME_HSIZE 512
+
struct nftnl_chain_list {
+
struct list_head list;
+ struct hlist_head name_hash[CHAIN_NAME_HSIZE];
};
EXPORT_SYMBOL(nftnl_chain_list_alloc);
struct nftnl_chain_list *nftnl_chain_list_alloc(void)
{
struct nftnl_chain_list *list;
+ int i;
list = calloc(1, sizeof(struct nftnl_chain_list));
if (list == NULL)
return NULL;
INIT_LIST_HEAD(&list->list);
+ for (i = 0; i < CHAIN_NAME_HSIZE; i++)
+ INIT_HLIST_HEAD(&list->name_hash[i]);
return list;
}
@@ -1016,6 +1024,7 @@ void nftnl_chain_list_free(struct nftnl_chain_list *list)
list_for_each_entry_safe(r, tmp, &list->list, head) {
list_del(&r->head);
+ hlist_del(&r->hnode);
nftnl_chain_free(r);
}
xfree(list);
@@ -1027,15 +1036,31 @@ int nftnl_chain_list_is_empty(const struct nftnl_chain_list *list)
return list_empty(&list->list);
}
+static uint32_t djb_hash(const char *key)
+{
+ uint32_t i, hash = 5381;
+
+ for (i = 0; i < strlen(key); i++)
+ hash = ((hash << 5) + hash) + key[i];
+
+ return hash;
+}
+
EXPORT_SYMBOL(nftnl_chain_list_add);
void nftnl_chain_list_add(struct nftnl_chain *r, struct nftnl_chain_list *list)
{
+ int key = djb_hash(r->name) % CHAIN_NAME_HSIZE;
+
+ hlist_add_head(&r->hnode, &list->name_hash[key]);
list_add(&r->head, &list->list);
}
EXPORT_SYMBOL(nftnl_chain_list_add_tail);
void nftnl_chain_list_add_tail(struct nftnl_chain *r, struct nftnl_chain_list *list)
{
+ int key = djb_hash(r->name) % CHAIN_NAME_HSIZE;
+
+ hlist_add_head(&r->hnode, &list->name_hash[key]);
list_add_tail(&r->head, &list->list);
}
@@ -1043,6 +1068,7 @@ EXPORT_SYMBOL(nftnl_chain_list_del);
void nftnl_chain_list_del(struct nftnl_chain *r)
{
list_del(&r->head);
+ hlist_del(&r->hnode);
}
EXPORT_SYMBOL(nftnl_chain_list_foreach);
@@ -1066,9 +1092,11 @@ struct nftnl_chain *
nftnl_chain_list_lookup_byname(struct nftnl_chain_list *chain_list,
const char *chain)
{
+ int key = djb_hash(chain) % CHAIN_NAME_HSIZE;
struct nftnl_chain *c;
+ struct hlist_node *n;
- list_for_each_entry(c, &chain_list->list, head) {
+ hlist_for_each_entry(c, n, &chain_list->name_hash[key], hnode) {
if (!strcmp(chain, c->name))
return c;
}
--
1.8.3.1


@ -0,0 +1,61 @@
From 8f24f6eed8d905fb6b64d003ae3f4f1e657301aa Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 6 Dec 2019 17:31:16 +0100
Subject: [PATCH] flowtable: Correctly check realloc() call
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1778952
Upstream Status: libnftnl commit 835d645f40525
commit 835d645f4052551c5c1829c37a07c882f2260f65
Author: Phil Sutter <phil@nwl.cc>
Date: Mon Dec 2 23:08:07 2019 +0100
flowtable: Correctly check realloc() call
If realloc() fails, it returns NULL but the original pointer is
untouchted and therefore still has to be freed. Unconditionally
overwriting the old pointer is therefore a bad idea, use a temporary
variable instead.
Fixes: 7f99639dd9217 ("flowtable: device array dynamic allocation")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/flowtable.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/src/flowtable.c b/src/flowtable.c
index db31943..9ba3b6d 100644
--- a/src/flowtable.c
+++ b/src/flowtable.c
@@ -388,7 +388,7 @@ static int nftnl_flowtable_parse_hook_cb(const struct nlattr *attr, void *data)
static int nftnl_flowtable_parse_devs(struct nlattr *nest,
struct nftnl_flowtable *c)
{
- const char **dev_array;
+ const char **dev_array, **tmp;
int len = 0, size = 8;
struct nlattr *attr;
@@ -401,14 +401,13 @@ static int nftnl_flowtable_parse_devs(struct nlattr *nest,
goto err;
dev_array[len++] = strdup(mnl_attr_get_str(attr));
if (len >= size) {
- dev_array = realloc(dev_array,
- size * 2 * sizeof(char *));
- if (!dev_array)
+ tmp = realloc(dev_array, size * 2 * sizeof(char *));
+ if (!tmp)
goto err;
size *= 2;
- memset(&dev_array[len], 0,
- (size - len) * sizeof(char *));
+ memset(&tmp[len], 0, (size - len) * sizeof(char *));
+ dev_array = tmp;
}
}
--
1.8.3.1
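Review bot: The realloc() fix is correct, but the line just above it, `dev_array[len++] = strdup(mnl_attr_get_str(attr));`, still stores and counts the result of strdup() without checking it, so an allocation failure leaves a NULL entry inside the populated range of dev_array and `len` keeps growing past it. Suggest splitting the store from the increment so the error path is taken instead: `dev_array[len] = strdup(mnl_attr_get_str(attr));` / `if (!dev_array[len]) goto err;` / `len++;` — the existing `while (len--)` cleanup then frees exactly the entries that were allocated. The chain patch that follows (nftnl_chain_parse_devs() in src/chain.c) has the identical pattern and needs the same check. The body of nftnl_flowtable_parse_devs() starts and ends outside this hunk, so where the array is consumed cannot be confirmed here.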


@ -0,0 +1,61 @@
From 2facd747b6bbcd3716841e6213b7b9e9b94c556a Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 6 Dec 2019 17:31:16 +0100
Subject: [PATCH] chain: Correctly check realloc() call
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1778952
Upstream Status: libnftnl commit d95a703746d53
commit d95a703746d5394d56a9f464e343594e4882da0d
Author: Phil Sutter <phil@nwl.cc>
Date: Mon Dec 2 23:12:34 2019 +0100
chain: Correctly check realloc() call
If realloc() fails, it returns NULL but the original pointer is
untouchted and therefore still has to be freed. Unconditionally
overwriting the old pointer is therefore a bad idea, use a temporary
variable instead.
Fixes: e3ac19b5ec162 ("chain: multi-device support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/chain.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/src/chain.c b/src/chain.c
index 9cc8735..b9a16fc 100644
--- a/src/chain.c
+++ b/src/chain.c
@@ -605,7 +605,7 @@ static int nftnl_chain_parse_hook_cb(const struct nlattr *attr, void *data)
static int nftnl_chain_parse_devs(struct nlattr *nest, struct nftnl_chain *c)
{
- const char **dev_array;
+ const char **dev_array, **tmp;
int len = 0, size = 8;
struct nlattr *attr;
@@ -618,14 +618,13 @@ static int nftnl_chain_parse_devs(struct nlattr *nest, struct nftnl_chain *c)
goto err;
dev_array[len++] = strdup(mnl_attr_get_str(attr));
if (len >= size) {
- dev_array = realloc(dev_array,
- size * 2 * sizeof(char *));
- if (!dev_array)
+ tmp = realloc(dev_array, size * 2 * sizeof(char *));
+ if (!tmp)
goto err;
size *= 2;
- memset(&dev_array[len], 0,
- (size - len) * sizeof(char *));
+ memset(&tmp[len], 0, (size - len) * sizeof(char *));
+ dev_array = tmp;
}
}
--
1.8.3.1


@ -1,40 +0,0 @@
From 34e115c1a9657f07ed8a39b81c6b21fba1faa319 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 29 Jan 2019 18:12:15 +0100
Subject: [PATCH] object: Avoid obj_ops array overrun
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1661327
Upstream Status: libnftnl commit 16c44d9f42170
commit 16c44d9f42170264c4d484478c76e940951f1b70
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Dec 20 21:03:27 2018 +0100
object: Avoid obj_ops array overrun
In version 1.1.1, obj_ops array was smaller than __NFT_OBJECT_MAX since
there are no ops for NFT_OBJECT_CONNLIMIT. Avoid this potential issue in
the future by defining the array size.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/object.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/object.c b/src/object.c
index d8278f3..7fb9bab 100644
--- a/src/object.c
+++ b/src/object.c
@@ -25,7 +25,7 @@
#include <buffer.h>
#include "obj.h"
-static struct obj_ops *obj_ops[] = {
+static struct obj_ops *obj_ops[__NFT_OBJECT_MAX] = {
[NFT_OBJECT_COUNTER] = &obj_ops_counter,
[NFT_OBJECT_QUOTA] = &obj_ops_quota,
[NFT_OBJECT_CT_HELPER] = &obj_ops_ct_helper,
--
1.8.3.1


@ -1,40 +0,0 @@
From d3d9966d79cc7d6d11124302dd06b7d7522e7305 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 29 Jan 2019 18:12:15 +0100
Subject: [PATCH] flowtable: Add missing break
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1661327
Upstream Status: libnftnl commit 404ef7222d055
commit 404ef7222d055aacdbd4d73dc0d8731fa8f6cbe4
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Dec 20 21:03:28 2018 +0100
flowtable: Add missing break
In nftnl_flowtable_set_data(), when setting flowtable size, the switch()
case fell through and the same value was copied into ft_flags field.
This can't be right.
Fixes: 41fe3d38ba34b ("flowtable: support for flags")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/flowtable.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/flowtable.c b/src/flowtable.c
index c1ddae4..aa6ce59 100644
--- a/src/flowtable.c
+++ b/src/flowtable.c
@@ -163,6 +163,7 @@ int nftnl_flowtable_set_data(struct nftnl_flowtable *c, uint16_t attr,
break;
case NFTNL_FLOWTABLE_SIZE:
memcpy(&c->size, data, sizeof(c->size));
+ break;
case NFTNL_FLOWTABLE_FLAGS:
memcpy(&c->ft_flags, data, sizeof(c->ft_flags));
break;
--
1.8.3.1


@ -0,0 +1,84 @@
From 83cc5382243253156b5813f0d6b9527cbede5aa3 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Thu, 13 Feb 2020 17:47:45 +0100
Subject: [PATCH] include: resync nf_tables.h cache copy
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1795223
Upstream Status: libnftnl commit 131a6c2fa4ccc
commit 131a6c2fa4cccaa04a7b93b686f10f5ba6f11b3d
Author: Stefano Brivio <sbrivio@redhat.com>
Date: Thu Jan 30 01:16:32 2020 +0100
include: resync nf_tables.h cache copy
Get this header in sync with nf-next as of merge commit
b3a608222336 (5.6-rc1-ish).
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/linux/netfilter/nf_tables.h | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index bb9b049..312c7b2 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -48,6 +48,7 @@ enum nft_registers {
#define NFT_REG_SIZE 16
#define NFT_REG32_SIZE 4
+#define NFT_REG32_COUNT (NFT_REG32_15 - NFT_REG32_00 + 1)
/**
* enum nft_verdicts - nf_tables internal verdicts
@@ -301,15 +302,29 @@ enum nft_set_policies {
* enum nft_set_desc_attributes - set element description
*
* @NFTA_SET_DESC_SIZE: number of elements in set (NLA_U32)
+ * @NFTA_SET_DESC_CONCAT: description of field concatenation (NLA_NESTED)
*/
enum nft_set_desc_attributes {
NFTA_SET_DESC_UNSPEC,
NFTA_SET_DESC_SIZE,
+ NFTA_SET_DESC_CONCAT,
__NFTA_SET_DESC_MAX
};
#define NFTA_SET_DESC_MAX (__NFTA_SET_DESC_MAX - 1)
/**
+ * enum nft_set_field_attributes - attributes of concatenated fields
+ *
+ * @NFTA_SET_FIELD_LEN: length of single field, in bits (NLA_U32)
+ */
+enum nft_set_field_attributes {
+ NFTA_SET_FIELD_UNSPEC,
+ NFTA_SET_FIELD_LEN,
+ __NFTA_SET_FIELD_MAX
+};
+#define NFTA_SET_FIELD_MAX (__NFTA_SET_FIELD_MAX - 1)
+
+/**
* enum nft_set_attributes - nf_tables set netlink attributes
*
* @NFTA_SET_TABLE: table name (NLA_STRING)
@@ -370,6 +385,7 @@ enum nft_set_elem_flags {
* @NFTA_SET_ELEM_USERDATA: user data (NLA_BINARY)
* @NFTA_SET_ELEM_EXPR: expression (NLA_NESTED: nft_expr_attributes)
* @NFTA_SET_ELEM_OBJREF: stateful object reference (NLA_STRING)
+ * @NFTA_SET_ELEM_KEY_END: closing key value (NLA_NESTED: nft_data)
*/
enum nft_set_elem_attributes {
NFTA_SET_ELEM_UNSPEC,
@@ -382,6 +398,7 @@ enum nft_set_elem_attributes {
NFTA_SET_ELEM_EXPR,
NFTA_SET_ELEM_PAD,
NFTA_SET_ELEM_OBJREF,
+ NFTA_SET_ELEM_KEY_END,
__NFTA_SET_ELEM_MAX
};
#define NFTA_SET_ELEM_MAX (__NFTA_SET_ELEM_MAX - 1)
--
1.8.3.1


@ -1,57 +0,0 @@
From 0d3f59cbe70f55f220fafd1ffff043a35a0d4503 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 29 Jan 2019 18:12:15 +0100
Subject: [PATCH] flowtable: Fix use after free in two spots
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1661327
Upstream Status: libnftnl commit 822dc96815e96
commit 822dc96815e96465822ce4b1187c4b29c06cb7c1
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Dec 20 21:03:29 2018 +0100
flowtable: Fix use after free in two spots
When freeing flowtable devices array, the loop freeing each device
string incorrectly included the call to free the device array itself.
Fixes: eb58f53372e74 ("src: add flowtable support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/flowtable.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/src/flowtable.c b/src/flowtable.c
index aa6ce59..61ff29b 100644
--- a/src/flowtable.c
+++ b/src/flowtable.c
@@ -85,10 +85,9 @@ void nftnl_flowtable_unset(struct nftnl_flowtable *c, uint16_t attr)
case NFTNL_FLOWTABLE_FLAGS:
break;
case NFTNL_FLOWTABLE_DEVICES:
- for (i = 0; i < c->dev_array_len; i++) {
+ for (i = 0; i < c->dev_array_len; i++)
xfree(c->dev_array[i]);
- xfree(c->dev_array);
- }
+ xfree(c->dev_array);
break;
default:
return;
@@ -146,10 +145,9 @@ int nftnl_flowtable_set_data(struct nftnl_flowtable *c, uint16_t attr,
len++;
if (c->flags & (1 << NFTNL_FLOWTABLE_DEVICES)) {
- for (i = 0; i < c->dev_array_len; i++) {
+ for (i = 0; i < c->dev_array_len; i++)
xfree(c->dev_array[i]);
- xfree(c->dev_array);
- }
+ xfree(c->dev_array);
}
c->dev_array = calloc(len + 1, sizeof(char *));
--
1.8.3.1


@ -0,0 +1,252 @@
From db234c0c95ac45b5ff8602d8686d2bb1bbaa7883 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Thu, 13 Feb 2020 17:47:45 +0100
Subject: [PATCH] set: Add support for NFTA_SET_DESC_CONCAT attributes
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1795223
Upstream Status: libnftnl commit 7cd41b5387acf
commit 7cd41b5387acf84088e9299a796f7c2c72339a1a
Author: Stefano Brivio <sbrivio@redhat.com>
Date: Thu Jan 30 01:16:33 2020 +0100
set: Add support for NFTA_SET_DESC_CONCAT attributes
If NFTNL_SET_DESC_CONCAT data is passed, pass that to the kernel
as NFTA_SET_DESC_CONCAT attributes: it describes the length of
single concatenated fields, in bytes.
Similarly, parse NFTA_SET_DESC_CONCAT attributes if received
from the kernel.
This is the libnftnl counterpart for nftables patch:
src: Add support for NFTNL_SET_DESC_CONCAT
v4:
- move NFTNL_SET_DESC_CONCAT to the end of enum nftnl_set_attr
to avoid ABI breakage (Pablo Neira Ayuso)
v3:
- use NFTNL_SET_DESC_CONCAT and NFTA_SET_DESC_CONCAT instead of a
stand-alone NFTA_SET_SUBKEY attribute (Pablo Neira Ayuso)
- pass field length in bytes instead of bits, fields would get
unnecessarily big otherwise
v2:
- fixed grammar in commit message
- removed copy of array bytes in nftnl_set_nlmsg_build_subkey_payload(),
we're simply passing values to htonl() (Phil Sutter)
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/libnftnl/set.h | 1 +
include/set.h | 2 +
src/set.c | 111 ++++++++++++++++++++++++++++++++++++++++---------
3 files changed, 95 insertions(+), 19 deletions(-)
diff --git a/include/libnftnl/set.h b/include/libnftnl/set.h
index db3fa68..bbbf58d 100644
--- a/include/libnftnl/set.h
+++ b/include/libnftnl/set.h
@@ -29,6 +29,7 @@ enum nftnl_set_attr {
NFTNL_SET_USERDATA,
NFTNL_SET_OBJ_TYPE,
NFTNL_SET_HANDLE,
+ NFTNL_SET_DESC_CONCAT,
__NFTNL_SET_MAX
};
#define NFTNL_SET_MAX (__NFTNL_SET_MAX - 1)
diff --git a/include/set.h b/include/set.h
index 446acd2..895ffdb 100644
--- a/include/set.h
+++ b/include/set.h
@@ -25,6 +25,8 @@ struct nftnl_set {
enum nft_set_policies policy;
struct {
uint32_t size;
+ uint8_t field_len[NFT_REG32_COUNT];
+ uint8_t field_count;
} desc;
struct list_head element_list;
diff --git a/src/set.c b/src/set.c
index 78447c6..651dcfa 100644
--- a/src/set.c
+++ b/src/set.c
@@ -89,6 +89,7 @@ void nftnl_set_unset(struct nftnl_set *s, uint16_t attr)
case NFTNL_SET_ID:
case NFTNL_SET_POLICY:
case NFTNL_SET_DESC_SIZE:
+ case NFTNL_SET_DESC_CONCAT:
case NFTNL_SET_TIMEOUT:
case NFTNL_SET_GC_INTERVAL:
break;
@@ -174,6 +175,10 @@ int nftnl_set_set_data(struct nftnl_set *s, uint16_t attr, const void *data,
case NFTNL_SET_DESC_SIZE:
memcpy(&s->desc.size, data, sizeof(s->desc.size));
break;
+ case NFTNL_SET_DESC_CONCAT:
+ memcpy(&s->desc.field_len, data, data_len);
+ while (s->desc.field_len[++s->desc.field_count]);
+ break;
case NFTNL_SET_TIMEOUT:
memcpy(&s->timeout, data, sizeof(s->timeout));
break;
@@ -266,6 +271,9 @@ const void *nftnl_set_get_data(const struct nftnl_set *s, uint16_t attr,
case NFTNL_SET_DESC_SIZE:
*data_len = sizeof(uint32_t);
return &s->desc.size;
+ case NFTNL_SET_DESC_CONCAT:
+ *data_len = s->desc.field_count;
+ return s->desc.field_len;
case NFTNL_SET_TIMEOUT:
*data_len = sizeof(uint64_t);
return &s->timeout;
@@ -351,13 +359,42 @@ err:
return NULL;
}
+static void nftnl_set_nlmsg_build_desc_size_payload(struct nlmsghdr *nlh,
+ struct nftnl_set *s)
+{
+ mnl_attr_put_u32(nlh, NFTA_SET_DESC_SIZE, htonl(s->desc.size));
+}
+
+static void nftnl_set_nlmsg_build_desc_concat_payload(struct nlmsghdr *nlh,
+ struct nftnl_set *s)
+{
+ struct nlattr *nest;
+ int i;
+
+ nest = mnl_attr_nest_start(nlh, NFTA_SET_DESC_CONCAT);
+ for (i = 0; i < NFT_REG32_COUNT && i < s->desc.field_count; i++) {
+ struct nlattr *nest_elem;
+
+ nest_elem = mnl_attr_nest_start(nlh, NFTA_LIST_ELEM);
+ mnl_attr_put_u32(nlh, NFTA_SET_FIELD_LEN,
+ htonl(s->desc.field_len[i]));
+ mnl_attr_nest_end(nlh, nest_elem);
+ }
+ mnl_attr_nest_end(nlh, nest);
+}
+
static void
nftnl_set_nlmsg_build_desc_payload(struct nlmsghdr *nlh, struct nftnl_set *s)
{
struct nlattr *nest;
nest = mnl_attr_nest_start(nlh, NFTA_SET_DESC);
- mnl_attr_put_u32(nlh, NFTA_SET_DESC_SIZE, htonl(s->desc.size));
+
+ if (s->flags & (1 << NFTNL_SET_DESC_SIZE))
+ nftnl_set_nlmsg_build_desc_size_payload(nlh, s);
+ if (s->flags & (1 << NFTNL_SET_DESC_CONCAT))
+ nftnl_set_nlmsg_build_desc_concat_payload(nlh, s);
+
mnl_attr_nest_end(nlh, nest);
}
@@ -387,7 +424,7 @@ void nftnl_set_nlmsg_build_payload(struct nlmsghdr *nlh, struct nftnl_set *s)
mnl_attr_put_u32(nlh, NFTA_SET_ID, htonl(s->id));
if (s->flags & (1 << NFTNL_SET_POLICY))
mnl_attr_put_u32(nlh, NFTA_SET_POLICY, htonl(s->policy));
- if (s->flags & (1 << NFTNL_SET_DESC_SIZE))
+ if (s->flags & (1 << NFTNL_SET_DESC_SIZE | 1 << NFTNL_SET_DESC_CONCAT))
nftnl_set_nlmsg_build_desc_payload(nlh, s);
if (s->flags & (1 << NFTNL_SET_TIMEOUT))
mnl_attr_put_u64(nlh, NFTA_SET_TIMEOUT, htobe64(s->timeout));
@@ -445,39 +482,75 @@ static int nftnl_set_parse_attr_cb(const struct nlattr *attr, void *data)
return MNL_CB_OK;
}
-static int nftnl_set_desc_parse_attr_cb(const struct nlattr *attr, void *data)
+static int
+nftnl_set_desc_concat_field_parse_attr_cb(const struct nlattr *attr, void *data)
+{
+ int type = mnl_attr_get_type(attr);
+ struct nftnl_set *s = data;
+
+ if (type != NFTA_SET_FIELD_LEN)
+ return MNL_CB_OK;
+
+ if (mnl_attr_validate(attr, MNL_TYPE_U32))
+ return MNL_CB_ERROR;
+
+ s->desc.field_len[s->desc.field_count] = ntohl(mnl_attr_get_u32(attr));
+ s->desc.field_count++;
+
+ return MNL_CB_OK;
+}
+
+static int
+nftnl_set_desc_concat_parse_attr_cb(const struct nlattr *attr, void *data)
{
- const struct nlattr **tb = data;
int type = mnl_attr_get_type(attr);
+ struct nftnl_set *s = data;
+
+ if (type != NFTA_LIST_ELEM)
+ return MNL_CB_OK;
+
+ return mnl_attr_parse_nested(attr,
+ nftnl_set_desc_concat_field_parse_attr_cb,
+ s);
+}
+
+static int nftnl_set_desc_parse_attr_cb(const struct nlattr *attr, void *data)
+{
+ int type = mnl_attr_get_type(attr), err;
+ struct nftnl_set *s = data;
if (mnl_attr_type_valid(attr, NFTA_SET_DESC_MAX) < 0)
return MNL_CB_OK;
switch (type) {
case NFTA_SET_DESC_SIZE:
- if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
+ if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0) {
abi_breakage();
+ break;
+ }
+
+ s->desc.size = ntohl(mnl_attr_get_u32(attr));
+ s->flags |= (1 << NFTNL_SET_DESC_SIZE);
+ break;
+ case NFTA_SET_DESC_CONCAT:
+ err = mnl_attr_parse_nested(attr,
+ nftnl_set_desc_concat_parse_attr_cb,
+ s);
+ if (err != MNL_CB_OK)
+ abi_breakage();
+
+ s->flags |= (1 << NFTNL_SET_DESC_CONCAT);
+ break;
+ default:
break;
}
- tb[type] = attr;
return MNL_CB_OK;
}
-static int nftnl_set_desc_parse(struct nftnl_set *s,
- const struct nlattr *attr)
+static int nftnl_set_desc_parse(struct nftnl_set *s, const struct nlattr *attr)
{
- struct nlattr *tb[NFTA_SET_DESC_MAX + 1] = {};
-
- if (mnl_attr_parse_nested(attr, nftnl_set_desc_parse_attr_cb, tb) < 0)
- return -1;
-
- if (tb[NFTA_SET_DESC_SIZE]) {
- s->desc.size = ntohl(mnl_attr_get_u32(tb[NFTA_SET_DESC_SIZE]));
- s->flags |= (1 << NFTNL_SET_DESC_SIZE);
- }
-
- return 0;
+ return mnl_attr_parse_nested(attr, nftnl_set_desc_parse_attr_cb, s);
}
EXPORT_SYMBOL(nftnl_set_nlmsg_parse);
--
1.8.3.1
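Review bot: The NFTNL_SET_DESC_CONCAT setter copies `data_len` bytes into `s->desc.field_len` (an NFT_REG32_COUNT-byte array per the include/set.h hunk) without comparing `data_len` against its size, and nftnl_set_desc_concat_field_parse_attr_cb stores into `field_len[field_count]` with no upper bound, so a caller handing in a longer buffer, or a netlink message carrying more than NFT_REG32_COUNT list elements, writes past the array into `field_count` and whatever follows it; the build side already bounds its loop with `i < NFT_REG32_COUNT`, so the other two paths should match. The counting loop `while (s->desc.field_len[++s->desc.field_count]);` also never resets `field_count`, so setting the attribute twice keeps counting from the previous value, and it relies on a zero byte inside the array, which a full-length copy does not guarantee. nftnl_set_set_data begins outside the hunk; returning -1 below assumes that matches the function's existing error convention. The rewritten lines for both functions follow.
```c
	case NFTNL_SET_DESC_CONCAT:
		/* field_len is a fixed NFT_REG32_COUNT-byte array; reject longer input */
		if (data_len > sizeof(s->desc.field_len))
			return -1;
		memcpy(&s->desc.field_len, data, data_len);
		s->desc.field_count = 0;
		while (s->desc.field_count < NFT_REG32_COUNT &&
		       s->desc.field_len[s->desc.field_count])
			s->desc.field_count++;
		break;
	/* … unchanged: remaining nftnl_set_set_data cases … */

	/* … unchanged: nftnl_set_desc_concat_field_parse_attr_cb up to the MNL_TYPE_U32 check … */
	if (s->desc.field_count >= NFT_REG32_COUNT)
		return MNL_CB_ERROR;
	s->desc.field_len[s->desc.field_count] = ntohl(mnl_attr_get_u32(attr));
	s->desc.field_count++;
```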


@ -1,62 +0,0 @@
From c3c2777d4b62db4b49fd3dcf8293562defa95112 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 29 Jan 2019 18:12:15 +0100
Subject: [PATCH] flowtable: Fix memleak in nftnl_flowtable_parse_devs()
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1661327
Upstream Status: libnftnl commit 8ef66870832d5
commit 8ef66870832d56881703a7798ecdff9e19917b15
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Dec 20 21:03:30 2018 +0100
flowtable: Fix memleak in nftnl_flowtable_parse_devs()
Allocated strings in dev_array were not freed. Fix this by freeing them
on error path and assigning them to c->dev_array directly in regular
path.
Fixes: eb58f53372e74 ("src: add flowtable support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/flowtable.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/flowtable.c b/src/flowtable.c
index 61ff29b..1762bd1 100644
--- a/src/flowtable.c
+++ b/src/flowtable.c
@@ -364,7 +364,7 @@ static int nftnl_flowtable_parse_devs(struct nlattr *nest,
mnl_attr_for_each_nested(attr, nest) {
if (mnl_attr_get_type(attr) != NFTA_DEVICE_NAME)
- return -1;
+ goto err;
dev_array[len++] = strdup(mnl_attr_get_str(attr));
if (len >= 8)
break;
@@ -375,14 +375,18 @@ static int nftnl_flowtable_parse_devs(struct nlattr *nest,
c->dev_array = calloc(len + 1, sizeof(char *));
if (!c->dev_array)
- return -1;
+ goto err;
c->dev_array_len = len;
for (i = 0; i < len; i++)
- c->dev_array[i] = strdup(dev_array[i]);
+ c->dev_array[i] = dev_array[i];
return 0;
+err:
+ while (len--)
+ xfree(dev_array[len]);
+ return -1;
}
static int nftnl_flowtable_parse_hook(struct nlattr *attr, struct nftnl_flowtable *c)
--
1.8.3.1


@ -0,0 +1,125 @@
From 0ac992b8118bce817e0f1da3e2581c4cde95ca80 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Thu, 13 Feb 2020 17:47:45 +0100
Subject: [PATCH] set_elem: Introduce support for NFTNL_SET_ELEM_KEY_END
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1795223
Upstream Status: libnftnl commit 04cc28d8d6923
commit 04cc28d8d6923ea66b08ae9a74d81d8b6ac5b2d7
Author: Stefano Brivio <sbrivio@redhat.com>
Date: Thu Jan 30 01:16:34 2020 +0100
set_elem: Introduce support for NFTNL_SET_ELEM_KEY_END
The new set element attribute maps to the netlink attribute
NFTA_SET_ELEM_KEY_END in the same way as NFTNL_SET_ELEM_KEY
maps to NFTA_SET_ELEM_KEY, and represents the key data used
to express the upper bound of a range, in concatenations.
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/libnftnl/set.h | 1 +
include/set_elem.h | 1 +
src/set_elem.c | 24 ++++++++++++++++++++++++
3 files changed, 26 insertions(+)
diff --git a/include/libnftnl/set.h b/include/libnftnl/set.h
index bbbf58d..6843adf 100644
--- a/include/libnftnl/set.h
+++ b/include/libnftnl/set.h
@@ -105,6 +105,7 @@ enum {
NFTNL_SET_ELEM_USERDATA,
NFTNL_SET_ELEM_EXPR,
NFTNL_SET_ELEM_OBJREF,
+ NFTNL_SET_ELEM_KEY_END,
__NFTNL_SET_ELEM_MAX
};
#define NFTNL_SET_ELEM_MAX (__NFTNL_SET_ELEM_MAX - 1)
diff --git a/include/set_elem.h b/include/set_elem.h
index cc4d529..52f185a 100644
--- a/include/set_elem.h
+++ b/include/set_elem.h
@@ -8,6 +8,7 @@ struct nftnl_set_elem {
uint32_t set_elem_flags;
uint32_t flags;
union nftnl_data_reg key;
+ union nftnl_data_reg key_end;
union nftnl_data_reg data;
struct nftnl_expr *expr;
uint64_t timeout;
diff --git a/src/set_elem.c b/src/set_elem.c
index d3ce807..2203193 100644
--- a/src/set_elem.c
+++ b/src/set_elem.c
@@ -75,6 +75,7 @@ void nftnl_set_elem_unset(struct nftnl_set_elem *s, uint16_t attr)
break;
case NFTNL_SET_ELEM_FLAGS:
case NFTNL_SET_ELEM_KEY: /* NFTA_SET_ELEM_KEY */
+ case NFTNL_SET_ELEM_KEY_END: /* NFTA_SET_ELEM_KEY_END */
case NFTNL_SET_ELEM_VERDICT: /* NFTA_SET_ELEM_DATA */
case NFTNL_SET_ELEM_DATA: /* NFTA_SET_ELEM_DATA */
case NFTNL_SET_ELEM_TIMEOUT: /* NFTA_SET_ELEM_TIMEOUT */
@@ -118,6 +119,10 @@ int nftnl_set_elem_set(struct nftnl_set_elem *s, uint16_t attr,
memcpy(&s->key.val, data, data_len);
s->key.len = data_len;
break;
+ case NFTNL_SET_ELEM_KEY_END: /* NFTA_SET_ELEM_KEY_END */
+ memcpy(&s->key_end.val, data, data_len);
+ s->key_end.len = data_len;
+ break;
case NFTNL_SET_ELEM_VERDICT: /* NFTA_SET_ELEM_DATA */
memcpy(&s->data.verdict, data, sizeof(s->data.verdict));
break;
@@ -193,6 +198,9 @@ const void *nftnl_set_elem_get(struct nftnl_set_elem *s, uint16_t attr, uint32_t
case NFTNL_SET_ELEM_KEY: /* NFTA_SET_ELEM_KEY */
*data_len = s->key.len;
return &s->key.val;
+ case NFTNL_SET_ELEM_KEY_END: /* NFTA_SET_ELEM_KEY_END */
+ *data_len = s->key_end.len;
+ return &s->key_end.val;
case NFTNL_SET_ELEM_VERDICT: /* NFTA_SET_ELEM_DATA */
*data_len = sizeof(s->data.verdict);
return &s->data.verdict;
@@ -287,6 +295,14 @@ void nftnl_set_elem_nlmsg_build_payload(struct nlmsghdr *nlh,
mnl_attr_put(nlh, NFTA_DATA_VALUE, e->key.len, e->key.val);
mnl_attr_nest_end(nlh, nest1);
}
+ if (e->flags & (1 << NFTNL_SET_ELEM_KEY_END)) {
+ struct nlattr *nest1;
+
+ nest1 = mnl_attr_nest_start(nlh, NFTA_SET_ELEM_KEY_END);
+ mnl_attr_put(nlh, NFTA_DATA_VALUE, e->key_end.len,
+ e->key_end.val);
+ mnl_attr_nest_end(nlh, nest1);
+ }
if (e->flags & (1 << NFTNL_SET_ELEM_VERDICT)) {
struct nlattr *nest1, *nest2;
@@ -373,6 +389,7 @@ static int nftnl_set_elem_parse_attr_cb(const struct nlattr *attr, void *data)
abi_breakage();
break;
case NFTA_SET_ELEM_KEY:
+ case NFTA_SET_ELEM_KEY_END:
case NFTA_SET_ELEM_DATA:
case NFTA_SET_ELEM_EXPR:
if (mnl_attr_validate(attr, MNL_TYPE_NESTED) < 0)
@@ -421,6 +438,13 @@ static int nftnl_set_elems_parse2(struct nftnl_set *s, const struct nlattr *nest
goto out_set_elem;
e->flags |= (1 << NFTNL_SET_ELEM_KEY);
}
+ if (tb[NFTA_SET_ELEM_KEY_END]) {
+ ret = nftnl_parse_data(&e->key_end, tb[NFTA_SET_ELEM_KEY_END],
+ &type);
+ if (ret < 0)
+ goto out_set_elem;
+ e->flags |= (1 << NFTNL_SET_ELEM_KEY_END);
+ }
if (tb[NFTA_SET_ELEM_DATA]) {
ret = nftnl_parse_data(&e->data, tb[NFTA_SET_ELEM_DATA], &type);
if (ret < 0)
--
1.8.3.1
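Review bot: The new NFTNL_SET_ELEM_KEY_END case in nftnl_set_elem_set copies `data_len` bytes into `s->key_end.val` with no length check visible in the hunk; `key_end` is a `union nftnl_data_reg` held by value, so its storage is fixed-size and whatever bound protects the NFTNL_SET_ELEM_KEY case must cover KEY_END as well. The function's head is outside the hunk, so I cannot tell whether the validation it performs is keyed per attribute and needs an entry for the new value; if nothing covers it, add `if (data_len > sizeof(s->key_end.val)) return -1;` before the memcpy. The parse direction goes through nftnl_parse_data, so kernel-supplied messages are not affected by this point.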


@ -1,49 +0,0 @@
From 4ec80cc7d08a48a19d112da760e36fa9e47e9106 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 29 Jan 2019 18:12:15 +0100
Subject: [PATCH] flowtable: Fix for reading garbage
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1661327
Upstream Status: libnftnl commit f8eed54150fd4
commit f8eed54150fd49ed814e63a5db39eda67d4b3938
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Dec 20 21:03:31 2018 +0100
flowtable: Fix for reading garbage
nftnl_flowtable_get_data() doesn't assign to passt data_len pointer
destination in all cases, so initialize it to 0.
Fixes: eb58f53372e74 ("src: add flowtable support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/flowtable.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/flowtable.c b/src/flowtable.c
index 1762bd1..3c3ba66 100644
--- a/src/flowtable.c
+++ b/src/flowtable.c
@@ -245,7 +245,7 @@ EXPORT_SYMBOL(nftnl_flowtable_get_str);
uint32_t nftnl_flowtable_get_u32(const struct nftnl_flowtable *c, uint16_t attr)
{
- uint32_t data_len;
+ uint32_t data_len = 0;
const uint32_t *val = nftnl_flowtable_get_data(c, attr, &data_len);
nftnl_assert(val, attr, data_len == sizeof(uint32_t));
@@ -256,7 +256,7 @@ EXPORT_SYMBOL(nftnl_flowtable_get_u32);
int32_t nftnl_flowtable_get_s32(const struct nftnl_flowtable *c, uint16_t attr)
{
- uint32_t data_len;
+ uint32_t data_len = 0;
const int32_t *val = nftnl_flowtable_get_data(c, attr, &data_len);
nftnl_assert(val, attr, data_len == sizeof(int32_t));
--
1.8.3.1


@ -0,0 +1,57 @@
From 6854ec003b42cf02d4b40c0942d49ede9f6d94c0 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 19 Feb 2020 12:00:31 +0100
Subject: [PATCH] src: Fix for reading garbage in nftnl_chain getters
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1758673
Upstream Status: libnftnl commit 629ee38dca486
commit 629ee38dca48651bc8c0eedf2f3a0066a6c0aa5b
Author: Phil Sutter <phil@nwl.cc>
Date: Fri Feb 14 18:20:29 2020 +0100
src: Fix for reading garbage in nftnl_chain getters
In {s,u}{32,64} type getters nftnl_assert() is called to make sure
returned data length matches expectations. Therefore all attributes must
set data_len, which NFTNL_CHAIN_DEVICES didn't.
While being at it, do the same change for NFTNL_FLOWTABLE_DEVICES as
well to make code a bit more consistent although the problem was fixed
for flowtables with commit f8eed54150fd4 ("flowtable: Fix for reading
garbage") already (but in the other direction).
Fixes: e3ac19b5ec162 ("chain: multi-device support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
src/chain.c | 1 +
src/flowtable.c | 1 +
2 files changed, 2 insertions(+)
diff --git a/src/chain.c b/src/chain.c
index b9a16fc..6e90763 100644
--- a/src/chain.c
+++ b/src/chain.c
@@ -365,6 +365,7 @@ const void *nftnl_chain_get_data(const struct nftnl_chain *c, uint16_t attr,
*data_len = strlen(c->dev) + 1;
return c->dev;
case NFTNL_CHAIN_DEVICES:
+ *data_len = 0;
return &c->dev_array[0];
}
return NULL;
diff --git a/src/flowtable.c b/src/flowtable.c
index 9ba3b6d..bf3e443 100644
--- a/src/flowtable.c
+++ b/src/flowtable.c
@@ -231,6 +231,7 @@ const void *nftnl_flowtable_get_data(const struct nftnl_flowtable *c,
*data_len = sizeof(int32_t);
return &c->family;
case NFTNL_FLOWTABLE_DEVICES:
+ *data_len = 0;
return &c->dev_array[0];
case NFTNL_FLOWTABLE_SIZE:
*data_len = sizeof(int32_t);
--
1.8.3.1
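Review bot: The `*data_len = 0;` added for NFTNL_CHAIN_DEVICES (and the matching NFTNL_FLOWTABLE_DEVICES line in src/flowtable.c) deserves a comment, because zero is not the array's size but a sentinel chosen so the typed getters' `data_len == sizeof(...)` assert fails deterministically instead of comparing against an unset value. Suggest `/* char ** array, presumably NULL-terminated; 0 is a sentinel that keeps the typed getters' length assert deterministic, not a byte length */` above both assignments. A caller using a typed getter on this attribute now trips nftnl_assert every time rather than by chance, which appears to be the intent but is a visible behaviour change.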


@ -1,72 +0,0 @@
From 36faead4c4a8ab0a87ee766bab6a062e8610067a Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 29 Jan 2019 18:14:56 +0100
Subject: [PATCH] src: chain: Add missing nftnl_chain_rule_del()
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1666495
Upstream Status: libnftnl commit de5a23d26828a
commit de5a23d26828a1e1f2d3351b0414925857546496
Author: Phil Sutter <phil@nwl.cc>
Date: Sun Dec 30 17:02:13 2018 +0100
src: chain: Add missing nftnl_chain_rule_del()
Although identical to nftnl_rule_list_del(), this function adheres to
the common naming style of per chain rule list routines introduced
earlier, therefore helps with deprecating the global rule list API at a
later point.
Fixes: e33798478176f ("chain: Support per chain rules list")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/libnftnl/chain.h | 1 +
src/chain.c | 6 ++++++
src/libnftnl.map | 1 +
3 files changed, 8 insertions(+)
diff --git a/include/libnftnl/chain.h b/include/libnftnl/chain.h
index 64e10e9..163a824 100644
--- a/include/libnftnl/chain.h
+++ b/include/libnftnl/chain.h
@@ -56,6 +56,7 @@ int32_t nftnl_chain_get_s32(const struct nftnl_chain *c, uint16_t attr);
uint64_t nftnl_chain_get_u64(const struct nftnl_chain *c, uint16_t attr);
void nftnl_chain_rule_add(struct nftnl_rule *rule, struct nftnl_chain *c);
+void nftnl_chain_rule_del(struct nftnl_rule *rule);
void nftnl_chain_rule_add_tail(struct nftnl_rule *rule, struct nftnl_chain *c);
void nftnl_chain_rule_insert_at(struct nftnl_rule *rule, struct nftnl_rule *pos);
diff --git a/src/chain.c b/src/chain.c
index ae074fd..6dc8f36 100644
--- a/src/chain.c
+++ b/src/chain.c
@@ -429,6 +429,12 @@ void nftnl_chain_rule_add(struct nftnl_rule *rule, struct nftnl_chain *c)
list_add(&rule->head, &c->rule_list);
}
+EXPORT_SYMBOL(nftnl_chain_rule_del);
+void nftnl_chain_rule_del(struct nftnl_rule *r)
+{
+ list_del(&r->head);
+}
+
EXPORT_SYMBOL(nftnl_chain_rule_add_tail);
void nftnl_chain_rule_add_tail(struct nftnl_rule *rule, struct nftnl_chain *c)
{
diff --git a/src/libnftnl.map b/src/libnftnl.map
index 0d3be32..0dad6a2 100644
--- a/src/libnftnl.map
+++ b/src/libnftnl.map
@@ -340,6 +340,7 @@ local: *;
LIBNFTNL_12 {
nftnl_chain_rule_add;
nftnl_chain_rule_add_tail;
+ nftnl_chain_rule_del;
nftnl_chain_rule_insert_at;
nftnl_rule_foreach;
nftnl_rule_iter_create;
--
1.8.3.1


@ -1,71 +0,0 @@
From fca027631250013cae7323e058575deb72b8510a Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 29 Jan 2019 18:14:56 +0100
Subject: [PATCH] src: chain: Fix nftnl_chain_rule_insert_at()
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1666495
Upstream Status: libnftnl commit 278a3b779a731
commit 278a3b779a731b3565595259b07b9065f6a6f425
Author: Phil Sutter <phil@nwl.cc>
Date: Mon Jan 14 17:42:50 2019 +0100
src: chain: Fix nftnl_chain_rule_insert_at()
Extrapolating from iptables nomenclature, one would expect that "insert"
means to prepend the new item to the referenced one, not append. Change
nftnl_chain_rule_insert_at() to do just that and introduce
nftnl_chain_rule_append_at() to insert a rule after the referenced one.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/libnftnl/chain.h | 1 +
src/chain.c | 6 ++++++
src/libnftnl.map | 1 +
3 files changed, 8 insertions(+)
diff --git a/include/libnftnl/chain.h b/include/libnftnl/chain.h
index 163a824..31b48cf 100644
--- a/include/libnftnl/chain.h
+++ b/include/libnftnl/chain.h
@@ -59,6 +59,7 @@ void nftnl_chain_rule_add(struct nftnl_rule *rule, struct nftnl_chain *c);
void nftnl_chain_rule_del(struct nftnl_rule *rule);
void nftnl_chain_rule_add_tail(struct nftnl_rule *rule, struct nftnl_chain *c);
void nftnl_chain_rule_insert_at(struct nftnl_rule *rule, struct nftnl_rule *pos);
+void nftnl_chain_rule_append_at(struct nftnl_rule *rule, struct nftnl_rule *pos);
struct nlmsghdr;
diff --git a/src/chain.c b/src/chain.c
index 6dc8f36..7326c2a 100644
--- a/src/chain.c
+++ b/src/chain.c
@@ -444,6 +444,12 @@ void nftnl_chain_rule_add_tail(struct nftnl_rule *rule, struct nftnl_chain *c)
EXPORT_SYMBOL(nftnl_chain_rule_insert_at);
void nftnl_chain_rule_insert_at(struct nftnl_rule *rule, struct nftnl_rule *pos)
{
+ list_add_tail(&rule->head, &pos->head);
+}
+
+EXPORT_SYMBOL(nftnl_chain_rule_append_at);
+void nftnl_chain_rule_append_at(struct nftnl_rule *rule, struct nftnl_rule *pos)
+{
list_add(&rule->head, &pos->head);
}
diff --git a/src/libnftnl.map b/src/libnftnl.map
index 0dad6a2..192eef8 100644
--- a/src/libnftnl.map
+++ b/src/libnftnl.map
@@ -342,6 +342,7 @@ LIBNFTNL_12 {
nftnl_chain_rule_add_tail;
nftnl_chain_rule_del;
nftnl_chain_rule_insert_at;
+ nftnl_chain_rule_append_at;
nftnl_rule_foreach;
nftnl_rule_iter_create;
nftnl_rule_iter_next;
--
1.8.3.1


@ -1,150 +0,0 @@
From 3eb9b26b8b79b0bd5b153cfdad8eb10c86ae2b64 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Thu, 31 Jan 2019 19:03:53 +0100
Subject: [PATCH] src: rule: Support NFTA_RULE_POSITION_ID attribute
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1670565
Upstream Status: libnftnl commit 7a7137adf6c14
commit 7a7137adf6c143f7cccc6440a5340a43033b61e7
Author: Phil Sutter <phil@nwl.cc>
Date: Tue Jan 15 20:59:04 2019 +0100
src: rule: Support NFTA_RULE_POSITION_ID attribute
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/libnftnl/rule.h | 1 +
include/linux/netfilter/nf_tables.h | 2 ++
include/rule.h | 1 +
src/rule.c | 20 ++++++++++++++++++++
4 files changed, 24 insertions(+)
diff --git a/include/libnftnl/rule.h b/include/libnftnl/rule.h
index 8501c86..78bfead 100644
--- a/include/libnftnl/rule.h
+++ b/include/libnftnl/rule.h
@@ -28,6 +28,7 @@ enum nftnl_rule_attr {
NFTNL_RULE_POSITION,
NFTNL_RULE_USERDATA,
NFTNL_RULE_ID,
+ NFTNL_RULE_POSITION_ID,
__NFTNL_RULE_MAX
};
#define NFTNL_RULE_MAX (__NFTNL_RULE_MAX - 1)
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 91449ef..adfae98 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -218,6 +218,7 @@ enum nft_chain_attributes {
* @NFTA_RULE_POSITION: numeric handle of the previous rule (NLA_U64)
* @NFTA_RULE_USERDATA: user data (NLA_BINARY, NFT_USERDATA_MAXLEN)
* @NFTA_RULE_ID: uniquely identifies a rule in a transaction (NLA_U32)
+ * @NFTA_RULE_POSITION_ID: transaction unique identifier of the previous rule (NLA_U32)
*/
enum nft_rule_attributes {
NFTA_RULE_UNSPEC,
@@ -230,6 +231,7 @@ enum nft_rule_attributes {
NFTA_RULE_USERDATA,
NFTA_RULE_PAD,
NFTA_RULE_ID,
+ NFTA_RULE_POSITION_ID,
__NFTA_RULE_MAX
};
#define NFTA_RULE_MAX (__NFTA_RULE_MAX - 1)
diff --git a/include/rule.h b/include/rule.h
index 5edcb6c..036c722 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -11,6 +11,7 @@ struct nftnl_rule {
uint64_t handle;
uint64_t position;
uint32_t id;
+ uint32_t position_id;
struct {
void *data;
uint32_t len;
diff --git a/src/rule.c b/src/rule.c
index 6a43d3e..d9b97b6 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -87,6 +87,7 @@ void nftnl_rule_unset(struct nftnl_rule *r, uint16_t attr)
case NFTNL_RULE_POSITION:
case NFTNL_RULE_FAMILY:
case NFTNL_RULE_ID:
+ case NFTNL_RULE_POSITION_ID:
break;
case NFTNL_RULE_USERDATA:
xfree(r->user.data);
@@ -103,6 +104,7 @@ static uint32_t nftnl_rule_validate[NFTNL_RULE_MAX + 1] = {
[NFTNL_RULE_FAMILY] = sizeof(uint32_t),
[NFTNL_RULE_POSITION] = sizeof(uint64_t),
[NFTNL_RULE_ID] = sizeof(uint32_t),
+ [NFTNL_RULE_POSITION_ID] = sizeof(uint32_t),
};
EXPORT_SYMBOL(nftnl_rule_set_data);
@@ -158,6 +160,9 @@ int nftnl_rule_set_data(struct nftnl_rule *r, uint16_t attr,
case NFTNL_RULE_ID:
r->id = *((uint32_t *)data);
break;
+ case NFTNL_RULE_POSITION_ID:
+ memcpy(&r->position_id, data, sizeof(r->position_id));
+ break;
}
r->flags |= (1 << attr);
return 0;
@@ -222,6 +227,9 @@ const void *nftnl_rule_get_data(const struct nftnl_rule *r, uint16_t attr,
case NFTNL_RULE_ID:
*data_len = sizeof(uint32_t);
return &r->id;
+ case NFTNL_RULE_POSITION_ID:
+ *data_len = sizeof(uint32_t);
+ return &r->position_id;
}
return NULL;
}
@@ -313,6 +321,8 @@ void nftnl_rule_nlmsg_build_payload(struct nlmsghdr *nlh, struct nftnl_rule *r)
}
if (r->flags & (1 << NFTNL_RULE_ID))
mnl_attr_put_u32(nlh, NFTA_RULE_ID, htonl(r->id));
+ if (r->flags & (1 << NFTNL_RULE_POSITION_ID))
+ mnl_attr_put_u32(nlh, NFTA_RULE_POSITION_ID, htonl(r->position_id));
}
EXPORT_SYMBOL(nftnl_rule_add_expr);
@@ -352,6 +362,7 @@ static int nftnl_rule_parse_attr_cb(const struct nlattr *attr, void *data)
abi_breakage();
break;
case NFTA_RULE_ID:
+ case NFTA_RULE_POSITION_ID:
if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
abi_breakage();
break;
@@ -483,6 +494,10 @@ int nftnl_rule_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_rule *r)
r->id = ntohl(mnl_attr_get_u32(tb[NFTA_RULE_ID]));
r->flags |= (1 << NFTNL_RULE_ID);
}
+ if (tb[NFTA_RULE_POSITION_ID]) {
+ r->position_id = ntohl(mnl_attr_get_u32(tb[NFTA_RULE_POSITION_ID]));
+ r->flags |= (1 << NFTNL_RULE_POSITION_ID);
+ }
r->family = nfg->nfgen_family;
r->flags |= (1 << NFTNL_RULE_FAMILY);
@@ -729,6 +744,11 @@ static int nftnl_rule_snprintf_default(char *buf, size_t size,
SNPRINTF_BUFFER_SIZE(ret, remain, offset);
}
+ if (r->flags & (1 << NFTNL_RULE_POSITION_ID)) {
+ ret = snprintf(buf + offset, remain, "%u ", r->position_id);
+ SNPRINTF_BUFFER_SIZE(ret, remain, offset);
+ }
+
ret = snprintf(buf + offset, remain, "\n");
SNPRINTF_BUFFER_SIZE(ret, remain, offset);
--
1.8.3.1


@ -1,4 +1,4 @@
%define rpmversion 1.1.1 %define rpmversion 1.1.5
%define specrelease 4%{?dist} %define specrelease 4%{?dist}
Name: libnftnl Name: libnftnl
@ -12,18 +12,15 @@ BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
BuildRequires: libtool BuildRequires: libtool
BuildRequires: libmnl-devel BuildRequires: libmnl-devel
Patch0: 0001-src-remove-nftnl_rule_cmp-and-nftnl_expr_cmp.patch Patch0: 0001-tests-flowtable-Don-t-check-NFTNL_FLOWTABLE_SIZE.patch
Patch1: 0002-chain-Support-per-chain-rules-list.patch Patch1: 0002-flowtable-Fix-memleak-in-error-path-of-nftnl_flowtab.patch
Patch2: 0003-chain-Add-lookup-functions-for-chain-list-and-rules-.patch Patch2: 0003-chain-Fix-memleak-in-error-path-of-nftnl_chain_parse.patch
Patch3: 0004-chain-Hash-chain-list-by-name.patch Patch3: 0004-flowtable-Correctly-check-realloc-call.patch
Patch4: 0005-object-Avoid-obj_ops-array-overrun.patch Patch4: 0005-chain-Correctly-check-realloc-call.patch
Patch5: 0006-flowtable-Add-missing-break.patch Patch5: 0006-include-resync-nf_tables.h-cache-copy.patch
Patch6: 0007-flowtable-Fix-use-after-free-in-two-spots.patch Patch6: 0007-set-Add-support-for-NFTA_SET_DESC_CONCAT-attributes.patch
Patch7: 0008-flowtable-Fix-memleak-in-nftnl_flowtable_parse_devs.patch Patch7: 0008-set_elem-Introduce-support-for-NFTNL_SET_ELEM_KEY_EN.patch
Patch8: 0009-flowtable-Fix-for-reading-garbage.patch Patch8: 0009-src-Fix-for-reading-garbage-in-nftnl_chain-getters.patch
Patch9: 0010-src-chain-Add-missing-nftnl_chain_rule_del.patch
Patch10: 0011-src-chain-Fix-nftnl_chain_rule_insert_at.patch
Patch11: 0012-src-rule-Support-NFTA_RULE_POSITION_ID-attribute.patch
%description %description
A library for low-level interaction with nftables Netlink's API over libmnl. A library for low-level interaction with nftables Netlink's API over libmnl.
@ -51,10 +48,6 @@ make %{?_smp_mflags}
%check %check
make %{?_smp_mflags} check make %{?_smp_mflags} check
cd tests
# JSON parsing would fail since it's not compiled in, so disable here
sed -i -e '/^\.\/nft-parsing-test /d' test-script.sh
sh ./test-script.sh
%install %install
%make_install %make_install
@ -74,6 +67,38 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
%{_includedir}/libnftnl %{_includedir}/libnftnl
%changelog %changelog
* Wed Feb 19 2020 Phil Sutter <psutter@redhat.com> [1.1.5-4.el8]
- src: Fix for reading garbage in nftnl_chain getters (Phil Sutter) [1758673]
* Fri Feb 14 2020 Phil Sutter <psutter@redhat.com> [1.1.5-3.el8]
- set_elem: Introduce support for NFTNL_SET_ELEM_KEY_END (Phil Sutter) [1795223]
- set: Add support for NFTA_SET_DESC_CONCAT attributes (Phil Sutter) [1795223]
- include: resync nf_tables.h cache copy (Phil Sutter) [1795223]
* Fri Dec 06 2019 Phil Sutter <psutter@redhat.com> [1.1.5-2.el8]
- chain: Correctly check realloc() call (Phil Sutter) [1778952]
- flowtable: Correctly check realloc() call (Phil Sutter) [1778952]
- chain: Fix memleak in error path of nftnl_chain_parse_devs() (Phil Sutter) [1778952]
- flowtable: Fix memleak in error path of nftnl_flowtable_parse_devs() (Phil Sutter) [1778952]
* Mon Dec 02 2019 Phil Sutter <psutter@redhat.com> [1.1.5-1.el8]
- Rebase onto upstream version 1.1.5 (Phil Sutter) [1717129]
* Thu Oct 24 2019 Phil Sutter <psutter@redhat.com> [1.1.4-3.el8]
- set: Export nftnl_set_list_lookup_byname() (Phil Sutter) [1762563]
* Thu Oct 17 2019 Phil Sutter <psutter@redhat.com> [1.1.4-2.el8]
- obj/ct_timeout: Fix NFTA_CT_TIMEOUT_DATA parser (Phil Sutter) [1758673]
- set_elem: Validate nftnl_set_elem_set() parameters (Phil Sutter) [1758673]
- obj/ct_timeout: Avoid array overrun in timeout_parse_attr_data() (Phil Sutter) [1758673]
- set: Don't bypass checks in nftnl_set_set_u{32,64}() (Phil Sutter) [1758673]
- obj/tunnel: Fix for undefined behaviour (Phil Sutter) [1758673]
- set_elem: Fix return code of nftnl_set_elem_set() (Phil Sutter) [1758673]
- obj: ct_timeout: Check return code of mnl_attr_parse_nested() (Phil Sutter) [1758673]
* Fri Oct 04 2019 Phil Sutter <psutter@redhat.com> [1.1.4-1.el8]
- Rebase to upstream version 1.1.4 (Phil Sutter) [1717129]
* Thu Jan 31 2019 Phil Sutter <psutter@redhat.com> [1.1.1-4.el8] * Thu Jan 31 2019 Phil Sutter <psutter@redhat.com> [1.1.1-4.el8]
- src: rule: Support NFTA_RULE_POSITION_ID attribute (Phil Sutter) [1670565] - src: rule: Support NFTA_RULE_POSITION_ID attribute (Phil Sutter) [1670565]